
Corporate Headquarters

Redback Networks Inc.


100 Headquarters Drive
San Jose, CA 95134-1362
USA
http://www.redback.com
Tel: +1 408 750 5000

IP Services and Security Configuration Guide
SmartEdge OS
Release Number 6.1.4
Part Number 220-0829-01
Copyright 1996 to 2008, Redback Networks Inc. All rights reserved.
Redback Networks
Redback and SmartEdge are trademarks registered at the U.S. Patent & Trademark Office and in other countries. AOS, NetOp, SMS, and User Intelligent Networks are trademarks or service marks of Redback Networks Inc. All other products or services mentioned are the trademarks, service marks, registered trademarks or registered service marks of their respective owners. All rights in copyright are reserved to the copyright owner. Company and product names are trademarks or registered trademarks of their respective owners. Neither the name of any third party software developer nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission of such third party.
Rights and Restrictions
All statements, specifications, recommendations, and technical information contained are current or planned as of the date of publication of this document. They are reliable as of the time of this writing and are presented without warranty of any kind, expressed or implied. In an effort to continuously improve the product and add features, Redback Networks Inc. (Redback) reserves the right to change any specifications contained in this document without prior notice of any kind.
Redback shall not be liable for technical or editorial errors or omissions which may occur in this document. Redback shall not be liable for any indirect, special, incidental or consequential damages resulting from the furnishing, performance, or use of this document.
Third Party Software
The following third party software may be included with this Software and portions of the Software are subject to the following terms and conditions and copyright notices:
Licensed under the Apache License, Version 2.0; you may not use this file except in compliance with the license. You may obtain a copy of the license at http://www.apache.org/licenses/LICENSE-2.0; Copyright 1996 - 2008, Daniel Stenberg, <daniel@haxx.se>; Copyright 2002 by NETAPHOR SOFTWARE INC.; portions of the Software were written by Gary Watson and obtained under the Creative Commons Attribution-Share Alike 3.0 License; EMANATE/LiteSNMP Research International Inc.; OpenSymphony Software License, Version 1.1 2001-2004 The OpenSymphony Group; Copyright <year> The FreeType Project (www.freetype.org), all rights reserved; 1995-1998 by The Regents of the University of Michigan, all rights reserved. Copyright 1995-2002 Jean-loup Gailly and Mark Adler; Copyright 2000-2003 Intel Corporation; Copyright 1998-2003 Daniel Veillard; Copyright 2001-2002 Daniel Veillard; Copyright 2001-2002 Thomas Broyer, Charlie Bozeman and Daniel Veillard; Copyright 1998-2000 The OpenSSL Project; Copyright 1990, RSA Data Security, Inc.; Copyright 1989 Carnegie Mellon University; Copyright 1995 Eric Rosenquist, Strata Software Limited; Copyright 1991 Gregory M. Christy; Copyright 1997-2005 University of Cambridge; Copyright 1996-2005, The PostgreSQL Global Development Group; Copyright 1994, The Regents of the University of California; Copyright 2001, Dr. Brian Gladman, <brg@gladman.uk.net>, Worcester, UK; Copyright 1998-2003 Carnegie Mellon University; portions of this work are from the Free Software Foundation, more information can be found at www.gnu.org/software/libiconv; portions of the code are from OpenSSH, www.openssh.com; OpenSSL 1998-2003 The OpenSSL Project; NuSoap Web Services Toolkit for PHP 2002 NuSphere Corporation; portions of this material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/); Point-to-Point Protocol (PPP) 1989 Carnegie-Mellon University; Copyright 1992, 1993, 1994, 1997 Henry Spencer; Copyright 1989, 1991, 1999 Free Software Foundation, Inc.; portions of the Software are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/ Ginger Alliance; libpng library 1995-2004; FreeType library 1996-2000; Java 2003-2008 Sun Microsystems; ISC Dhcpd 3.0p12 1995-1999 Internet Software Consortium - DHCP; Ip Filter 2003 Darren Reed; Perl Kit 1989-1999 Larry Wall; VxWorks 1984-2000, Wind River Systems Inc.; Dynamic Host Configuration Protocol (DHCP) 1997-1998 The Internet Software Consortium; portions of the Redback SmartEdge Operating System use cryptographic software written by Eric Young (eay@cryptsoft.com); Redback adaptation and implementation of UDP and TCP protocols developed by the University of California Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system 1982, 1986, 1988, 1990, 1993, 1995 The Regents of the University of California. All advertising materials mentioning features or use of this Software must display the following acknowledgement: "This product includes software developed by the University of California, Berkeley and its contributors."
This Software includes software developed by Sun Microsystems, Inc., Internet Software Consortium, Larry Wall, the Apache Software Foundation, the Free Software Foundation, their contributors and other third parties. All such software is provided "AS IS," without any warranty of any kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE HEREBY EXCLUDED. LICENSOR AND ITS CONTRIBUTORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING, OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL LICENSOR OR ITS CONTRIBUTORS BE LIABLE FOR ANY LOST REVENUE, LOST PROFIT, OR LOST DATA, OR FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. This Software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. Portions of this Software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. The portions of this Software developed by Larry Wall and/or the Free Software Foundation may be distributed and are subject to the GNU General Public License as published by the Free Software Foundation.
FCC Notice
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference
to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference
at their own expense:
1. MODIFICATIONS: The FCC requires the user to be notified that any changes or modifications made to this device that are not expressly approved by Redback could void the user's authority to operate the equipment.
2. CABLES: Connection to this device must be made with shielded cables with metallic RFI/EMI connector hoods to maintain compliance with FCC Rules and Regulations. (This statement only applies to copper cables, Ethernet, DS-3, E1, T1, and so forth. It does not apply to fiber cables.)
3. POWER CORD SET REQUIREMENTS: The power cord set used with the System must meet the requirements of the country, whether it is 100-120 or 220-264 VAC. For the U.S. and Canada, the cord set must be UL Listed and CSA Certified and suitable for the input current of the system.
VCCI Class A Statement
European Community Mark
The marking on this product signifies that it meets all relevant European Union directives.
China RoHS Information
All Redback Networks products built on or after March 1, 2007 conform to the People's Republic of China's Management Methods for Controlling Pollution by Electronic Information Products (Ministry of Information Industry Order #39), also known as China RoHS.
As required by China RoHS, the following tables summarize which of the 6 regulated substances are found in Redback Networks products and their location.
China RoHS also requires that manufacturers determine an Environmental Protection Use Period (EPUP), which has been defined as the term during which toxic and hazardous substances or elements contained in electronic information products will not leak out or mutate.
Redback Networks has determined that the EPUP for this product is 25 years from the date of manufacture and indicates this period on the product and/or packaging with the logo shown below.
The date of manufacture can be found on the product packaging label, or determined from the product serial number. The week and year of manufacture can be determined from the 6th through 9th digits of the 14 digit product serial number, xxxxxWWYYxxxxx, where WW represents the week of the year (01 = first week of year) and YY represents the year (07 = 2007). For example, 0207 means that the unit was manufactured in the 2nd week of January 2007.
WEEE Policy
Redback Networks products are fully compliant with Directive 2002/96/EC on Waste Electrical and Electronic Equipment (WEEE) for all applicable geographies in the European Union. In accordance with the requirements of the WEEE Directive, Redback Networks has since August 13, 2005 labeled products placed on the market with the WEEE symbol, a crossed-out wheelie bin symbol with a black rectangle underneath, as shown below.
The presence of the WEEE symbol on a product or on its packaging indicates that you must not dispose of that item in the normal unsorted municipal waste stream. Instead, it is your responsibility to dispose of that product by returning it to a collection point that is designated for the recycling of electrical and electronic equipment waste.
Contact the reseller where the product was originally purchased and provide details of the product in question. The reseller will confirm whether the product is within the scope of the recycling program and then arrange for shipment of the product to the designated recycling location for proper recycling/disposal.
If you are unable to locate the original reseller or need additional information, please contact Redback Networks at weee-info@redback.com. Additional information on the
Redback Networks WEEE policy is available at http://www.redback.com.
Safety Notices
Redback equipment has the following safety notices.
Laser Equipment
Class 1 Laser Product: Product is certified by the manufacturer to comply with DHHS Rule 21 Subchapter J.
Caution! Use of controls or adjustments of performance or procedures other than those specified herein may result in hazardous radiation exposure.
Caution! Invisible laser radiation when an optical interface is open.
Lithium Battery Warnings
It is recommended that, when required, Redback replace the lithium battery.
Warning! Do not mutilate, puncture, or dispose of batteries in fire. The batteries can burst or explode, releasing hazardous chemicals. Discard used batteries according to the manufacturer's instructions and in accordance with your local regulations.
Warning! Danger of explosion if battery is incorrectly replaced. Replace only with the same or equivalent type as recommended by the manufacturer's instructions.
Warning (Swedish)! Danger of explosion if the battery is replaced incorrectly. Use the same battery type or an equivalent type recommended by the equipment manufacturer. Dispose of used batteries according to the manufacturer's instructions.
Warning (Danish)! Lithium battery: danger of explosion if handled incorrectly. Replace only with a battery of the same make and type. Return the used battery to the supplier.
Warning (Finnish)! The battery may explode if it is installed incorrectly. Replace the battery only with the type recommended by the manufacturer. Dispose of the used battery according to the manufacturer's instructions.
Warning (Norwegian)! Danger of explosion if the battery is replaced incorrectly. Use the same battery type or an equivalent type recommended by the equipment manufacturer. Dispose of used batteries according to the manufacturer's instructions.
Warning (Dutch)! Batteries are supplied with this product. When they are empty, do not throw them away; hand them in as small chemical waste (KCA).
Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxviii
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxviii
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Command Modes and Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Command Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Task Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Online Navigation Aids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Ordering Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Order Additional Copies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Complete the Online Redback Networks Documentation Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Provide Direct Feedback on Specific Product Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Part 1: Introduction
Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
SmartEdge OS Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
IP Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Address Resolution Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Neighbor Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
Access Node Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
IP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
HTTP Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Hotlining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Mobile IP (Wireless) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Conditional ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Dynamic ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
IP Service Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Forward Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Network Address Translation Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Service Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Classification, Marking, and Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Priority Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Policy Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
QoS Policing and Metering Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Queue Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Priority Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Enhanced Deficit Round Robin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Modified Deficit Round Robin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Asynchronous Transfer Mode Weighted Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Priority Weighted Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Hierarchical Nodes and Node Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Congestion Management and Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Flow Admission Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Authentication, Authorization, and Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Remote Authentication Dial-In User Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Terminal Access Controller Access Control System Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Key Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Lawful Intercept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Command Mode Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Part 2: IP Service Protocols
Chapter 2: ARP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Enable ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Enable Secured ARP (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Enable Proxy ARP (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Configure Static Entries in the ARP Table (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configure the Automatic Deletion of ARP Entries (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Set a Maximum Number of Incomplete ARP Entries (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configure ARP Policy to Prevent DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
arp rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
ip arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
ip arp arpa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
ip arp delete-expired . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
ip arp maximum incomplete-entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
ip arp proxy-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
ip arp secured-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
ip arp timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
ip subscriber arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Chapter 3: ND Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5
neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7
ns-retry-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-8
preferred-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-10
prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-12
ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-14
reachable-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-16
router nd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18
valid-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-19
Chapter 4: NTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1
Configure the NTP Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Configure NTP Peer Associations (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Configure Slowsync (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-3
ntp mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-4
ntp peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-5
ntp server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-7
slowsync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-9
Chapter 5: DHCP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1
ARP and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-2
CLIPS and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-2
RADIUS and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-3
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-3
Configure an Internal DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-4
Configure an External DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5
Configure a Context for an External DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-6
Configure an Interface for an External DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-6
Configure Subscriber Hosts for DHCP Address Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-7
Configure a Traffic Card to Prevent DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-7
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-7
DHCP Internal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-8
DHCP Proxy and Maximum Address Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-9
Subscriber Bindings to DHCP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-10
Using Local Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-10
Using RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-14
DHCP Proxy Through Dynamic Subscriber Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-16
DHCP Proxy Through Static Interface Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-18
DHCP Proxy Through RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-19
Loopback Interface as DHCP Source Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-21
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-21
allow-duplicate-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-22
bootp-enable-auto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-23
bootp-filename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-24
x IP Services and Security Configuration Guide
bootp-siaddr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
broadcast-discover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
default-lease-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27
dhcp max-addrs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
dhcp proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30
dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32
dhcp relay option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34
dhcp relay server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36
dhcp relay server retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38
dhcp relay suppress-nak . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39
dhcp server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40
dhcp server policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42
forward-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43
ip interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44
mac-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46
max-hops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47
max-lease-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-48
min-wait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49
offer-lease-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-50
option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-51
option-82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-57
range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59
rate-adjust dhcp pwfq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61
rate-limit dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-63
server-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-65
standby . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-66
subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-67
threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-69
user-class-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-71
vendor-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-73
vendor-class-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-75
Chapter 6: ANCP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
ANCP Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Configure the ANCP Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Configure an ANCP Neighbor Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Map an 802.1Q PVC to a DSL Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Map an 802.1Q Tunnel to a DSL Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Configure a Subscriber Record for ANCP Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
access-line adjust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
access-line agent-circuit-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
access-line access-node-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
access-line rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
keepalive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
neighbor profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
peer id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
peer ip-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
router ancp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
system-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Contents xi
tcp-port local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-24
tcp-port remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-25
Part 3: Mobile IP Services
Chapter 7: Mobile IP Foreign Agent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2
Mobile IP Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2
Mobile Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2
Home Agent Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-2
Foreign Agent Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-3
Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-3
Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-4
Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-5
Home Agent Without Overlapping IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-6
Some Home Agents Use Private IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-6
Any Home Agent Can Use Private IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-6
Home Agents Can Be Grouped for Each Mobile IP Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-6
SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers . . . . . . . . . . . . . . . . . . . . . . . . .7-6
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-7
Supported Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-7
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-7
Mobile IP Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-8
Create the Contexts and Interfaces for Mobile IP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-8
Configure a Key Chain Authentication Between a FA and HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-9
Configure an FA Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-9
Configure an HA Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-10
Configure a Mobile IP Interface for MN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-11
Configure the MN Access to an FA Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-11
Configure the Mobile IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-12
Enable or Disable an FA Instance, an HA Peer, or MN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-12
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-12
Single FA Instance and HA Peer with IP-in-IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-12
Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-13
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-15
advertise max-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-16
advertise max-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-17
advertise min-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-18
advertise tunnel-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-19
authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-20
care-of-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-22
clear-df (dynamic tunnel) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-23
dynamic-tunnel-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-24
foreign-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-27
forwarding scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-28
forwarding traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-29
gre mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
hold-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-31
home-agent-peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-32
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-33
ipip mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-34
llc-xid-processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-35
max-pending-registrations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-36
registration max-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37
revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-38
router mobile-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-40
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-41
time-out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-43
vpn-context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-44
Chapter 8: Mobile IP Home Agent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Supported Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Mobile IP Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Create the Contexts and Interfaces for Mobile IP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Configure a Key Chain for FA-HA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Configure an HA Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Configure an FA Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
Configure an MN Subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
Configure AAA for MN Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
Configure the Mobile IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Enable or Disable an HA Instance or FA Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
dynamic-tunnel-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
foreign-agent-peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
home-agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
local-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
registration max-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
replay-tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
router mobile-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-24
tunnel-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Part 4: IP Services
Chapter 9: HTTP Redirect Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Configure Subscriber Authentication and Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Configure an IP ACL and Apply It to Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Configure the HTTP Server on the Active Controller Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Configure and Attach an HTTP Redirect Profile to Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Configure a Policy ACL That Classifies HTTP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Configure and Attach a Forward Policy to Redirect HTTP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
http-redirect profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
http-redirect server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-12
redirect destination local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-13
url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-15
Chapter 10: Hotlining Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3
Configure the Local HTTP Server on the Active Controller Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3
Configure a RADIUS Server Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Configure a Policy ACL That Classifies HTTP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Configure a Forward Policy to Redirect HTTP Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Configure Accounting Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-5
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-5
Hotlining Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-5
RADIUS Entry Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-6
Chapter 11: DNS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-2
Configure DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-2
Enable DNS to Establish Subscriber Sessions (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-2
Configure Static Hostname-to-IP Address Mappings (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-3
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-3
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-3
dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-4
ip domain-lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-5
ip domain-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-6
ip host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-7
ip name-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-8
ipv6 host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-9
ipv6 name-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-10
Chapter 12: ACL Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-1
IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-1
IP ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-2
IP ACL Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-2
IP ACL Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-3
Dynamic IP Filter ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-3
Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-3
Policy ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Dynamic Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Policy ACL Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Policy ACL Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-5
Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-5
Static IP and Policy ACL Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-5
IP ACL Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-6
Policy ACL Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-6
Guidelines for RADIUS-Guided Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-7
VSA 164 Guidelines for Dynamic Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-7
Configure an IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-8
Apply an IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-8
Enable ACL Counters or Logging for a Subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-9
Modify IP ACL Conditions in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
Configure a Policy ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
Apply a Policy ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Modify Policy ACL Conditions in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Configure an ACL Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Add an ACL Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Resequence ACL Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Configure an Absolute Time Condition Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
Configure a Periodic Time Condition Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
Configure an IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13
Configure a Policy ACL Associated with a Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13
Configure a Policy ACL Associated with a NAT Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13
Configure a Policy ACL Associated with a QoS Policing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
absolute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-18
access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
admin-access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-23
condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-25
deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-27
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-37
ip access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-38
ip access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-40
modify ip access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-42
modify policy access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-44
periodic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-46
permit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48
policy access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-58
resequence ip access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-60
resequence policy access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-61
Part 5: IP Service Policies
Chapter 13: NAT Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Static Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
Dynamic Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Destination IP Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
NAT DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Session Limit Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5
Configure a NAT Policy with Static Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Configure a NAT Policy with a DMZ Host Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Configure a NAT Policy with Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Apply a Policy ACL to a NAT Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-8
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
NAT Policy with Static Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
NAT Policy with Static NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
NAT Policy with Static Translation and a DMZ Host Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
NAT Policy with Dynamic Translation and an Ignore Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-10
NAT Policy with Dynamic NAPT and a Drop Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-11
NAT Policy with Static and Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-11
NAT Policy with DNAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-12
NAT Policy with Session Limit Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-12
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-13
address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-14
admission-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-16
connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-18
destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-20
drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-22
ignore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-23
ip dmz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-24
ip nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-25
ip nat pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-26
ip static in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-27
ip static out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-29
nat policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-31
nat policy-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-33
pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-34
timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-35
Chapter 14: Forward Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-1
Circuit-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Class-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Circuit- and Class-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Configure a Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-3
Apply a Policy ACL to a Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-3
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-4
Traffic Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-4
Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-6
Traffic Drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-8
Combination of Traffic Mirror, Redirect, and Drop in One Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-10
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-13
drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-14
forward output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-16
forward policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-18
forward policy in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-19
forward policy out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-21
mirror destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-23
redirect destination circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-25
redirect destination next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-26
Chapter 15: Service Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-2
Configure a Service Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-2
Attach a Service Policy to Subscriber Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-3
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
allow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5
deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-7
service-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-9
Part 6: IP Quality of Service Policies
Chapter 16: QoS Rate- and Class-Limiting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Priority Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Policy Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
QoS Policing and Metering Class Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Circuit-Based Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Circuit-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Class-Based Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Class-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Circuit-Based and Class-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Single Rate Three-Color Markers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-5
Policy Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6
Mapping a Child Policy Class to a Parent Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-8
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9
Policy Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9
Configure a Metering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9
Configure a Policing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-11
Apply a Policy ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-12
Customize Classification Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-13
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-13
Circuit-Based Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14
Circuit-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14
Class-Based and Circuit-Based Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-16
class-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-17
conform mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-19
conform mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-22
conform mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-24
conform no-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-27
exceed drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-28
exceed mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-30
exceed mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-33
exceed mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-35
exceed no-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-38
mapping-schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-40
mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-45
mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-47
mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-49
parent-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-52
qos class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-54
qos class-definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-56
qos class-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-57
qos policy metering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-59
qos policy policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-61
rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-63
rate-calculation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-66
rate percentage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-67
violate drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-69
violate mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-71
violate mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-74
violate mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-76
violate no-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-79
Chapter 17: QoS Scheduling Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-2
Queue Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-2
Priority Queuing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-3
Enhanced Deficit Round-Robin Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-3
Modified Deficit Round-Robin Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-4
Asynchronous Transfer Mode Weighted Fair Queuing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-5
Priority Weighted Fair Queuing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-5
Congestion Management and Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-6
Random Early Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-6
Early Packet Discard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7
Multidrop Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7
Congestion Avoidance Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7
Queue Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-8
Queue Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-8
Overhead Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-8
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-9
Configure a Queue Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-9
Configure a Congestion Avoidance Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-9
Configure an ATMWFQ Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-10
Configure an EDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-11
Configure an MDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-12
Configure a PQ Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-12
Configure a PWFQ Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-13
Configure an Overhead Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-13
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-14
Queue Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-14
Congestion Avoidance Map for Multidrop Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-15
ATMWFQ Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-15
EDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
MDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
PQ Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
RED Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-17
Backbone Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
PWFQ Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
Strict Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-19
Normal Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-19
Strict + Normal Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
Strict + Normal Priority with Maximum Priority-Group Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20
Strict + Normal Priority with Maximum and Minimum Bandwidths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20
Overhead Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-21
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-21
congestion-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-22
encaps-access-line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-23
num-queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-26
qos congestion-avoidance-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-28
qos mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-30
qos policy atmwfq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-31
qos policy edrr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-33
qos policy mdrr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-35
qos policy pq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-37
qos policy pwfq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-39
qos profile overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-40
qos queue-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-41
queue 0 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-43
queue congestion epd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-44
queue depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-46
queue exponential-weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-48
queue-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-50
queue priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-51
queue priority-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-54
queue rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-56
queue red . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-57
queue weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-62
rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-64
rate-factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-66
reserved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-68
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-70
weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-72
Chapter 18: QoS Circuit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-2
Circuit Configuration with QoS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-2
Circuit Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-4
Hierarchical Configuration for Traffic-Managed Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Hierarchical Nodes and Node Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Propagation of QoS Across Layer 3 and Layer 2 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-6
Propagation of QoS from IP to ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-7
Propagation of QoS Between IP and Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-8
Propagation of QoS Between IP and MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-9
Propagation of QoS Between IP and L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-10
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11
Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-12
Configure an ATM PVC for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-13
Configure a PVC on a First-Generation ATM OC Traffic Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-13
Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card . . . . . . . . . . . . . . . . . . . . . 18-13
Configure an Ethernet Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-14
Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS . . . . . . . . . . . . 18-14
Configure a Traffic-Managed Port for Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-15
Configure a Traffic-Managed Port for Hierarchical Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-16
Configure a PDH Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-17
Configure a POS Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-17
Configure Cross-Connected Circuits for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-18
Configure a Subscriber Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-18
Configure QoS Propagation (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-19
Configure L2TP for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-20
Configure MPLS for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-21
Propagate QoS Using DSCP Bits and MPLS EXP Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-21
Propagate QoS Using DSCP Bits Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-21
Attach QoS Policies to a Circuit Group and Assign Members to the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-22
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-22
Attaching Rate- and Class-Limiting Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-23
PVC Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-23
Cross-Connected Circuit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-23
Subscriber Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
Attaching Scheduling Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
PVC Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
Overhead Profile Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
PWFQ Policy and Hierarchical Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
PWFQ Policy and Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
Propagating QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
Attaching QoS Policies to Circuit Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-26
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-27
atm to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-28
atm use-ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-30
atm use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-32
clp bit propagate qos from atm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-34
clp bit propagate qos to atm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-36
egress prefer dscp-qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-38
ethernet to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-39
ethernet use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-41
ip to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-43
mpls to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-45
mpls use-ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-47
mpls use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-49
propagate qos from ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-51
propagate qos from ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-53
propagate qos from l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-55
propagate qos from mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-57
propagate qos from subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-59
propagate qos to ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-61
propagate qos to ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-62
propagate qos to l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-63
propagate qos to mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-65
propagate qos transport use-vlan-header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-67
propagate qos use-vlan-ethertype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-68
propagate qos use-vlan-header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-70
qos hierarchical mode strict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-71
qos mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-73
qos node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-75
qos node-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-77
qos node-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-78
qos policy metering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-79
qos policy policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-83
qos policy (protocol-rate-limit) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-87
qos policy queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-89
qos priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-92
qos profile overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-94
qos rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-96
qos to atm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-98
qos to ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-100
qos to ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-102
qos to mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-104
qos use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-106
qos weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-108
rate circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-110
Chapter 19: Flow Admission Control Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1
Circuit Flow State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-2
Flow Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-2
Maximum Flows Per Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3
Burst Flow Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3
Sustained Flow Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-4
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-5
Configuring a FAC Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-5
Creating a FAC Profile Name and Entering the Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Configuring a Maximum Flows Per Circuit Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Configuring a Burst Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Configuring a Sustained Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Applying a FAC Profile to the Current Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Enabling a FAC Profile on a Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-7
burst-creation-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-8
flow admission-control profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-9
flow apply admission-control profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-10
flow enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-11
flow monitor circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-12
max-flows-per-circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-13
sustained-creation-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-14
Part 7: IP Security
Chapter 20: AAA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-1
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-1
Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-2
Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-2
Authorization and Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-4
CLI Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-4
Dynamic Subscriber Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-4
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
CLI Commands Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
Administrator Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
Subscriber Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
L2TP Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-6
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-6
Configure Global AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Limit the Number of Active Administrator Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Limit the Number of Active Subscriber Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Enable a Direct Connection for Subscriber Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Contents xxi
Define Structured Username Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Require Username for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Configure Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Configure Administrator Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Configure Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-9
Disable Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-11
Configure Authorization and Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure CLI Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure L2TP Peer Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure Dynamic Subscriber Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-13
Configure CLI Commands Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
Configure Administrator Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
Configure Subscriber Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
Configure L2TP Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-16
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-17
Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-17
Subscriber Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-18
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-19
aaa accounting administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-20
aaa accounting commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-22
aaa accounting event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-24
aaa accounting l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-26
aaa accounting reauthorization subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-29
aaa accounting subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-31
aaa accounting suppress-acct-on-fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-34
aaa authentication administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-36
aaa authentication subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-40
aaa authorization commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-43
aaa authorization tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-45
aaa double-authentication subscriber radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-46
aaa encrypted-password default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-48
aaa global accounting event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-49
aaa global accounting l2tp-session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-51
aaa global accounting reauthorization subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-53
aaa global accounting subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-55
aaa global authentication subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-57
aaa global maximum subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-59
aaa global reject empty-username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-61
aaa global session-id-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-62
aaa global update subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-64
aaa hint ip-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-66
aaa ip-pool allocation first-available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-68
aaa last-resort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-69
aaa maximum subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-71
aaa password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-73
aaa provision binding-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-75
aaa provision route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-77
aaa rate-report-factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-78
aaa reauthorization bulk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-80
aaa update subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-82
aaa username-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-84
session-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-86
xxii IP Services and Security Configuration Guide
Chapter 21: RADIUS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-1
RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-2
RADIUS Services Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-2
Accounting and Service Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-3
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-4
Configure the Server IP Address or Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-5
Configure an IP Source Address (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-5
Configure Load Balancing Between RADIUS Servers (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Modify RADIUS Connection Parameters (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Send Accounting On and Off Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Modify RADIUS Timeout Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Strip the Domain Portion of Structured Usernames (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-8
Change or Ignore the Server Source Port Value (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-8
Configure and Assign a RADIUS Policy to a Context (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-8
Configure and Send Attributes in RADIUS Packets (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-9
Configure RADIUS-Guided Services (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-10
Configure the RADIUS-Guided Policies for the Service Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-10
Configure a RADIUS-Guided Service Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-10
Configure the Subscriber Profile or Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-11
Remap Account Termination Codes (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-11
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
RADIUS Secret Key, Retry, and Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
RADIUS Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
Custom RADIUS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
Dynamic RADIUS Profile and Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-13
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-15
accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-16
attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-18
foreach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-23
parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-25
radius accounting algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-28
radius accounting deadtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-29
radius accounting max-outstanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-31
radius accounting max-retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-32
radius accounting send-acct-on-off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-33
radius accounting server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-35
radius accounting server-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-37
radius accounting timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-38
radius algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-39
radius attribute acct-delay-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-40
radius attribute acct-session-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-42
radius attribute acct-terminate-cause remap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-43
radius attribute acct-tunnel-connection l2tp-call-serial-num . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-44
radius attribute calling-station-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-46
radius attribute filter-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-50
radius attribute nas-identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-52
radius attribute nas-ip-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-53
radius attribute nas-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-54
radius attribute nas-port-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-58
radius attribute nas-port-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-61
radius attribute vendor-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-63
radius coa server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-64
radius deadtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-67
radius max-outstanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-69
radius max-retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-70
radius policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-71
radius server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-73
radius server-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-75
radius service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-76
radius source-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-77
radius strip-domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-79
radius timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-80
rbak-term-ec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-81
Chapter 22: TACACS+ Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-3
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-4
tacacs+ deadtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-5
tacacs+ identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-7
tacacs+ max-retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-8
tacacs+ server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-10
tacacs+ strip-domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-12
tacacs+ timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-13
Chapter 23: Lawful Intercept Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-2
Enable or Disable LI Features and Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-3
Configure an LI Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-3
Configure an LI Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-3
Configure Circuits for LI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-4
Start or Stop an Intercept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-4
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-5
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-7
command-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-8
header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-10
lawful-intercept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-12
li-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-13
pending . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-14
transport gre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-15
transport udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-16
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-18
Chapter 24: Key Chain Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-1
Configure a Key Chain Name and Description (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-2
Configure a Key Chain Name and ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-2
Configure a Security Parameter Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-2
Configure a Key String . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Limit the Lifespan of a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Enable Key Chain Authentication with Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Enable Key Chain Authentication with Mobile IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-4
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-4
accept-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-5
key-chain description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-7
key-chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-8
key-string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-10
send-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-11
spi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-13
Part 8: Appendixes
Appendix A: RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
Overview  A-1
RADIUS Packet Format  A-2
  Packet Types  A-3
RADIUS Files  A-3
  RADIUS Dictionary File  A-4
  RADIUS Clients Files  A-4
  Subscriber Files  A-4
Supported Standard RADIUS Attributes  A-5
  Standard RADIUS Attributes in Access and Account Messages  A-5
  Standard RADIUS Attributes in CoA and Disconnect Messages  A-11
  Standard RADIUS Attributes That Can Be Reauthorized  A-12
Redback VSAs  A-13
  Redback VSAs in Access and Account Messages  A-13
  Redback VSAs in CoA and Disconnect Messages  A-32
  Redback VSAs That Can Be Reauthorized  A-34
  VSA 164 Format  A-35
  VSA 196 Format  A-39
Redback VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels  A-40
Other VSAs Supported by the SmartEdge OS  A-41
Service Attributes Supported by the SmartEdge OS  A-41
RADIUS Attributes Supported by Mobile IP Services  A-42
  Standard RADIUS Attributes and Mobile IP Services  A-42
  3GPP2 RADIUS VSAs  A-43
  3GPP2 RADIUS VSAs That Can Be Reauthorized  A-43
  WiMax Forum RADIUS VSAs  A-44
  WiMax Forum RADIUS VSAs in the CoA  A-45
  Motorola VSAs  A-46
Appendix B: TACACS+ Attribute-Value Pairs  B-1
  TACACS+ Authentication and Authorization AVPs  B-1
  TACACS+ Administrator Accounting AVPs  B-1
  TACACS+ Command Accounting AVPs  B-2
Index  1
Index of Commands  1
Index of Command Modes  1
About This Guide xxv
About This Guide
This guide describes the tasks and commands used to configure SmartEdge OS IP services and security
features.
The following features are described in this guide:
Address Resolution Protocol (ARP)
Neighbor Discovery (ND) protocol for IPv6 routers
Network Time Protocol (NTP)
Dynamic Host Configuration Protocol (DHCP)
Access Node Control Protocol (ANCP)
Domain Name System (DNS)
HTTP redirect
Access control lists (ACLs)
Hotlining
Forward policies
Network Address Translation (NAT) policies
Mobile IP services
Service policies
Quality of service (QoS) policies
Flow admission control (FAC) profiles
Authentication, authorization, and accounting (AAA)
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System Plus (TACACS+)
Key chains
Lawful intercept (LI)
This preface contains the following sections:
Related Publications
Intended Audience
Organization
Conventions
Ordering Documentation
Related Publications
In parallel with this guide, use the IP Services and Security Operations Guide for the SmartEdge OS, which
describes the tasks and commands used to monitor, administer, and troubleshoot IP services and security
features.
Use these guides in conjunction with the following publications:
Basic System Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: how to use
the SmartEdge command-line interface (CLI), configuration file management, access to the system;
basic system parameters; contexts, interfaces, and subscribers; and system-wide management features,
such as logging facilities.
IP Services and Security Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: Address
Resolution Protocol (ARP), Neighbor Discovery (ND) protocol for IPv6 routers, Network Time
Protocol (NTP), Dynamic Host Configuration Protocol (DHCP), Access Node Control Protocol
(ANCP), Domain Name System (DNS), HTTP redirect, hotlining, access control lists (ACLs), forward
policies, Network Address Translation (NAT) policies, Mobile IP services, service policies, quality of
service (QoS) policies, flow admission control (FAC) profiles, authentication, authorization, and
accounting (AAA), Remote Authentication Dial-In User Service (RADIUS), Terminal Access
Controller Access Control System Plus (TACACS+), key chains, and lawful intercept (LI).
Network Management Guide for the SmartEdge OS
Describes the tasks and commands used to configure, monitor, administer, and troubleshoot the
following SmartEdge OS system-wide management features: bulk statistics (bulkstats), Simple Network
Management Protocol (SNMP), and Remote Monitoring (RMON) functions. It also provides detailed
information about notifications and object identifiers (OIDs) for Redback Networks Enterprise MIBs.
Commands include show commands and commands used to configure bulkstats, SNMP, and RMON
features.
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: cards;
ports; channels; Automatic Protection Switching (APS); circuits, including permanent virtual circuits
(PVCs); Link Aggregation Control Protocol (LACP) features; clientless IP service selection (CLIPS)
circuits; Point-to-Point Protocol (PPP) and PPP over Ethernet (PPPoE) information; link aggregation;
bridging; cross-connections between circuits; IP-in-IP tunnels, overlay tunnels (IPv6 over IP Version 4
[IPv4]), Generic Routing Encapsulation (GRE) tunnels (including IP Version 6 [IPv6] over GRE
tunnels), Layer 2 Tunneling Protocol (L2TP) tunnels; static and dynamic bindings between ports,
channels, subchannels, and circuits to interfaces, either directly or indirectly.
RFlow Guide for the SmartEdge OS
Describes the commands and procedures used to configure, monitor, administer, and troubleshoot
RFlow on the SmartEdge OS.
Routing Protocols Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: static IP
routing; dynamically verified static routing (DVSR); Virtual Router Redundancy Protocol (VRRP);
Routing Information Protocol (RIP) and RIP next generation (RIPng); Open Shortest Path First (OSPF)
and OSPF Version 3 (OSPFv3); Border Gateway Protocol (BGP); BGP/Multiprotocol Label Switching
Virtual Private Networks (BGP/MPLS VPNs); Intermediate System-to-Intermediate System (IS-IS);
Bidirectional Forwarding Detection (BFD); IP multicast, including Internet Group Management
Protocol (IGMP), Multicast Source Discovery Protocol (MSDP), and Protocol Independent Multicast
(PIM); routing policies; MPLS; Layer 2 Virtual Private Networks (L2VPNs); Virtual Private LAN
Services (VPLS); and Label Distribution Protocol (LDP). BGP, OSPFv3, RIPng, and routing policies
include tasks and commands that provide limited support for IPv6 routing.
Session Border Controller Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following Session Border Controller (SBC)
features and services on the SmartEdge OS: unified SBC features and services include number analysis,
call routing, registration routing, adjacencies, media IP and authentication, authorization, and
accounting (AAA) subscriber record; distributed SBC features and services include media gateway
timers, media gateway attributes, media gateway controllers, and media IP.
Basic System Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the Basic System Configuration Guide; commands include all clear, debug,
monitor, process, and show commands that monitor and test system-wide functions and features, such
as software processes.
IP Services and Security Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the IP Services and Security Configuration Guide; commands include all clear,
debug, and show commands, along with other operations-based commands.
Ports, Circuits, and Tunnels Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the Ports, Circuits, and Tunnels Configuration Guide; commands include all
clear, debug, monitor, and show commands, along with other operations-based commands, such as
device management and on-demand diagnostics.
Routing Protocols Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the Routing Protocols Configuration Guide; commands include all clear, debug,
monitor, process, and show commands, along with other operations-based commands.
Session Border Controller Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the Session Border
Controller (SBC) features and services on the SmartEdge OS that are described in the Session Border
Controller Configuration Guide; commands include all clear, debug, and show commands, along with
other operations-based commands.
SmartEdge 100 Router Hardware Guide
Describes the SmartEdge 100 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and media interface cards (MICs).
SmartEdge 400 Router Hardware Guide
Describes the SmartEdge 400 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and cards.
SmartEdge 800 Router Hardware Guide
Describes the SmartEdge 800 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and cards.
SmartEdge 1200 Router Hardware Guide
Describes the SmartEdge 1200 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and cards.
Intended Audience
This guide is intended for system and network administrators experienced in access and internetwork
administration.
Organization
This guide is organized as follows:
Part 1, Introduction
Describes the SmartEdge OS IP services and security features.
Part 2, IP Service Protocols
Describes the tasks and commands used to configure ARP, the ND protocol, NTP, DHCP, and ANCP.
Part 3, Mobile IP Services
Describes the tasks and commands used to configure Mobile IP services.
Part 4, IP Services
Describes the tasks and commands used to configure HTTP redirect, hotlining, DNS, and ACLs for IP
services and policies.
Part 5, IP Service Policies
Describes the tasks and commands used to configure NAT policies, forward policies, and service
policies.
Part 6, IP Quality of Service Policies
Describes the tasks and commands used to configure QoS policies, ports, channels, circuits, and
applications for QoS functions, and FAC profiles.
Part 7, IP Security
Describes the tasks and commands used to configure security features, including AAA, RADIUS,
TACACS+, lawful intercepts, and key chains.
Part 8, Appendixes
Describes attributes used with RADIUS and attribute-value pairs (AVPs) used with TACACS+.
Conventions
This guide uses special conventions for the following elements:
Command Modes and Privilege Levels
Command Syntax
Examples
Task Tables
Online Navigation Aids
Command Modes and Privilege Levels
Commands are entered in exec mode or in one of many configuration modes. By default, the majority of
commands in exec mode have a privilege level of 3, while commands in any configuration mode have a
privilege level of 10. Exceptions are noted in parentheses ( ) in the Command Mode section in any
command description; for example, exec (15).
For a list of command modes and a figure displaying the command mode hierarchy, see the Command
Mode Hierarchy section in Chapter 1, Overview.
For detailed information about command modes and privilege levels, see the User Interface section (in
the Overview chapter) in the Basic System Configuration Guide for the SmartEdge OS.
Command Syntax
Table 1 lists the descriptions of the elements used in a command syntax statement.
Note This guide has three indexes: an index of tasks and features, an index of commands, and an
index of command modes.
Table 1 Command Syntax Terminology
Argument: An item for which you must supply a value. Example fragment: slot
Construct: A combination of a keyword and its argument, two or more keywords that cannot be specified
independently, or two or more arguments that cannot be specified independently. Example fragments:
min-wait seconds; line fdl ansi; src src-wildcard
Keyword: An optional or a required item that must be entered exactly as shown. Example fragment: all
Table 2 describes separator characters used in command syntax statements.
The following guidelines apply to separator characters in Table 2:
The separator character between the prefix and suffix names in a structured username is configurable;
the @ character is the default and is used in command syntax throughout this guide.
Separator characters act as one-character keywords; therefore, they are always shown in bold.
Table 2 Separator Characters in Command Syntax
@ (at sign): Separates a prefix name from a suffix name. Example fragment: sub-name@ctx-name
/ (slash): Separates a slot from a port, an IP address from a prefix length, and fields in URLs.
Example fragments: slot[/port]; {ip-addr | /prefix-length}; /device[/directory]/filename.ext
: (colon): Separates a port from a channel and a channel from a subchannel. Example fragments:
port[:chan-num]; ds3-chan-num[:ds1-chan-num]
- (hyphen): Separates a starting value from an ending value. Example fragment: start-end
| (pipe): Separates output modifiers from keywords and arguments in show commands. Example fragment:
show configuration | include port
For more information about the use of the pipe ( | ) character, see the Using the CLI chapter in the
Basic System Configuration Guide for the SmartEdge OS.
Table 3 lists the characters and formats used in command syntax statements.
Table 3 Text Formats and Characters in Command Syntax
Commands and keywords are indicated in bold. Example: no ip unnumbered
Arguments for which you must supply values are indicated in italics. Example: banner login delimited-text
Square brackets ([ ]) indicate optional arguments, keywords, and constructs within scripts or commands.
Examples: show clock [universal]; enable [level]
Alternative arguments, keywords, and constructs within commands are separated by the pipe character ( | ).
Example: public-key {DSA | RSA} [after-key existing-key | position key-position] {new-key | ftp url}
Alternative but required arguments, keywords, and constructs are shown within grouped braces ({ }) and
are separated by the pipe character ( | ). Examples: debug ssh {all | ssh-general | sshd-detail |
sshd-general}; ip address ip-addr {netmask | /prefix-length} [secondary]
Optional and required arguments, keywords, and constructs can be nested with grouped braces and square
brackets, where the syntax requires such format. Example: enable authentication {none | method [method
[method]]}
Examples
Examples use the following conventions:
System prompts are of the form [context]hostname(mode)#, [context]hostname#, or [context]hostname>.
In this case, context indicates the current context, hostname represents the configured name of the
SmartEdge system, and mode indicates the string for the current configuration mode, if applicable.
Whether the prompt includes the # or the > symbol depends on the privilege level. For further
information on privilege levels, see the User Interface section (in the Overview chapter) in the
Basic System Configuration Guide for the SmartEdge OS.
For example, the prompt in the local context on the Redback system in context configuration
mode is:
[local]Redback(config-ctx)#
Information displayed by the system is in Courier font.
Information that you enter is in Courier bold font.
Task Tables
Tasks to configure features are described in task tables under the Configuration Tasks section in each
chapter. The command syntax displays only the root command, which is hyperlinked to the location where
the complete command syntax is described in the Command Descriptions section of each chapter.
Table 4 shows an example of a configuration task table.
Table 4 Configuration Task Table Example
Task: Assign a priority group. Root command: qos priority. Notes: The QoS bit setting for packets
traveling across the ingress circuit is not changed by the priority group assignment.
Task: Attach a policing policy. Root command: qos policy policing.
Task: Attach a metering policy. Root command: qos policy metering.
Task: Attach a scheduling policy. Root command: qos policy queuing. Notes: Policy types include EDRR
and PQ.
Task: Optional. Modify the mode of an EDRR policy algorithm. Root command: qos mode. Notes: By
default, the mode is normal. Only one mode type is supported on a single port.
Online Navigation Aids
To aid in accessing information in the online format for this guide, the following types of cross-references
are hyperlinks:
Cross-references to chapters, sections, tables, and figures in the text
Lists of section headings within a chapter or an appendix
Commands listed in the Related Commands section at the end of each command description
Entries in the table of contents
Entries in indexes
Ordering Documentation
Redback documentation is available on a CD-ROM that ships with the following Redback products:
SMS products
SmartEdge router products
NetOp Element Management System [EMS] and NetOp Policy Manager [PM] products
The following sections describe how to order additional copies and provide feedback:
Order Additional Copies
Complete the Online Redback Networks Documentation Survey
Provide Direct Feedback on Specific Product Documentation
We appreciate your comments.
Order Additional Copies
To order additional copies of the documentation CD-ROM or printed and bound books, perform the
following steps:
1. Log on to the Redback Networks Support web site at http://support.redback.com, enter a username and
password, and click Login.
If you do not have a username and password, consult your Redback Networks support representative,
or send an e-mail to supportlogin@redback.com with a copy of the show hardware command output,
your contact name, company name, address, and telephone number.
2. Click one of the Redback products at the bottom of the web page, click Documentation on the
navigation bar, then click To Order Books on the navigation bar.
Complete the Online Redback Networks Documentation Survey
To complete the online Redback Networks Documentation Survey, perform the following steps:
1. On the Documentation web page, click Feedback on the navigation bar.
2. Complete and submit the feedback form.
Provide Direct Feedback on Specific Product Documentation
To provide feedback on a documentation issue related to the SmartEdge OS, send e-mail to
seos-router-docs@redback.com.
Note Hyperlinks in PDF files appear the same as regular text; however, your cursor changes from
an open hand icon to a pointing finger icon when you move your cursor over a hyperlink.
P a r t 1
Introduction
This part describes SmartEdge OS IP services and security features and consists of:
Chapter 1, Overview
C h a p t e r 1
Overview
This chapter provides an overview of SmartEdge OS IP services and security features and lists the relevant
command-line interface (CLI) modes in the following sections:
SmartEdge OS Architecture
IP Protocols
IP Services
IP Service Policies
Quality of Service
Security
Command Mode Hierarchy
SmartEdge OS Architecture
The SmartEdge OS is based on a general-purpose operating system that works in conjunction with the
ASIC-based SmartEdge hardware products to provide a scalable and robust multiservice platform. The
SmartEdge OS performs the route processing and other control functions, and runs on the controller card.
The packet forwarding function is performed by Packet Processing ASICs (PPAs) on the individual traffic
cards. Each major system component (see Table 1-1) runs as a separate process in the system.
Note In the following descriptions, the term, controller card, applies to the Cross-Connect Route
Processor (XCRP) or the XCRP Version 3 (XCRP3) Controller card, unless otherwise noted.
The terms, traffic-managed circuit and traffic-managed port, refer to a circuit and port,
respectively, on Fast Ethernet-Gigabit Ethernet (FE-GE), Gigabit Ethernet 3 (GE3) and
Gigabit Ethernet 1020 (GE1020) traffic cards, or Gigabit Ethernet media interface cards (GE
MICs).
Table 1-1 SmartEdge OS Components
Authentication, authorization, and accounting (AAA): Forces all authentication requests and accounting
updates to a single set of Remote Authentication Dial-In User Service (RADIUS) servers.
NetBSD kernel: Provides a lean and stable base for the SmartEdge OS.
Process Manager (PM): Monitors and controls the operation of the other processes in the system.
Router Configuration Manager (RCM): Controls all system configurations using a transaction-oriented
database.
Interface and Circuit State Manager (ISM): Monitors and disseminates the state of all interfaces, ports,
and circuits in the system.
Routing protocols: Run as independent processes, each maintaining its own Routing Information Base
(RIB). The routing processes send their routing information to the central RIB.
RIB: Downloads forwarding tables to the traffic cards.
Feature modules: Run as independent processes, each in its own protected address space.
Traffic card: Includes the PPA ASICs, which contain the Forwarding Information Base (FIB) and
forwarding code.
Figure 1-1 illustrates the SmartEdge OS architecture.
Figure 1-1 SmartEdge OS Architecture
IP Protocols
The SmartEdge OS provides the IP protocols described in the following sections:
Address Resolution Protocol
Neighbor Discovery Protocol
Network Time Protocol
Dynamic Host Configuration Protocol
Access Node Control Protocol
Address Resolution Protocol
The SmartEdge OS implementation of the Address Resolution Protocol (ARP) is consistent with RFC 826,
An Ethernet Address Resolution Protocol, also called Converting Network Protocol Addresses to 48.bit
Ethernet Address for Transmission on Ethernet Hardware. In addition, the SmartEdge OS provides a
configurable ARP entry-age timer and the option to automatically delete expired dynamic ARP entries.
Neighbor Discovery Protocol
SmartEdge routers use the Neighbor Discovery (ND) protocol for IP Version 6 (IPv6) to determine the
link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values
that become invalid. The IPv6 ND protocol corresponds to a combination of the IPv4 ARP and Internet
Control Message Protocol (ICMP) Router Discovery. The ND protocol is described in RFC 2461, Neighbor
Discovery for IP Version 6 (IPv6).
IPv6 is a new version of the Internet Protocol, designed as the successor to IP Version 4 (IPv4). IPv6 is fully
described in RFC 2460, Internet Protocol, Version 6 (IPv6) Specification. The changes from IPv4 to IPv6
include:
Increase in address size from 32 bits to 128 bits
Simplified header
Extensible header with optional extension headers
Designed to co-exist with IPv4
Uses multicast addresses instead of broadcast addresses
For a description of IPv6 addressing and the types of IPv6 addresses, see RFC 3513, Internet Protocol
Version 6 (IPv6) Addressing Architecture.
Note When IPv6 addresses are not referenced or explicitly specified, the term, IP address, can refer
generally to IPv4 addresses, IPv6 addresses, or IP addressing. In instances where IPv6
addresses are referenced or explicitly specified, the term, IP address, refers only to IPv4
addresses.
Network Time Protocol
The SmartEdge OS supports versions 1, 2, and 3 of the Network Time Protocol (NTP). On the SmartEdge
router, NTP operates in client mode only, meaning that the router can be synchronized by a remote NTP
server, but the remote server cannot be synchronized by the router.
Note Before using NTP, the SmartEdge router must first be configured with the IP address of one
or multiple NTP servers.
Dynamic Host Configuration Protocol
The SmartEdge router provides three types of Dynamic Host Configuration Protocol (DHCP) support:
External DHCP relay server
In relay mode, the SmartEdge router acts as an intermediary between the DHCP server and the
subscriber. The router forwards requests from the subscriber's PC to the DHCP server and relays the
server's responses back to the subscriber's PC.
External DHCP proxy server
In proxy mode, the SmartEdge router provides responses directly to the subscriber requests. Each
subscriber sees the router as the DHCP server, and as such, sends all DHCP negotiations, including
IP address release and renewal, to the router, which then relays the information to the DHCP server.
Essentially, the proxy feature enables the router to track IP address lease times and other DHCP
information more closely. With Remote Authentication Dial-In User Service (RADIUS) authentication,
an accounting record is sent from the SmartEdge router to RADIUS every time an IP address is assigned
or released.
Internal DHCP server
The SmartEdge router provides the functions of the DHCP server; no communications are sent to an
external DHCP server.
Note Before using an external DHCP server, the SmartEdge OS must first be configured with the
IP address or hostname of one or multiple external DHCP servers. DHCP servers are
configured on a per-context basis, with a limit of one server per context.
Access Node Control Protocol
The ANCP is a communications control protocol that allows the SmartEdge router to communicate with
an access node and gather information about the parameters for the individual access lines on the access
node.
The ANCP is an out-of-band control protocol that does not interfere with the subscriber sessions that are
carried on the access lines. Beneath the ANCP, the SmartEdge router uses the General Switch Management
Protocol (GSMP) version 3 (GSMPv3) to communicate with the ANCP neighbor peers; GSMPv3
messages are encapsulated using the Transmission Control Protocol (TCP).
IP Services
The SmartEdge OS provides the IP services described in the following sections:
Domain Name System
HTTP Redirect
Hotlining
Mobile IP (Wireless)
Access Control Lists
Domain Name System
The Domain Name System (DNS) enables subscribers to access devices using hostnames, instead of
IP addresses. When a command refers to a hostname, the SmartEdge OS consults the local host table for
mappings. If the information is not in the table, the router generates a DNS query to resolve the hostname.
DNS is enabled on a per-context basis, with one domain name allowed per context.
HTTP Redirect
HTTP redirect enables service providers to interrupt subscriber HTTP sessions and to redirect them to a
preconfigured URL. Applications include the ability to require customer registration, to direct customers
to web sites for downloading virus protection software, and to advertise new services or software updates.
An HTTP redirect profile containing a redirect URL is attached to subscriber records, and a forward policy
redirects HTTP traffic to the lightweight HTTP server on the controller card attached to the subscriber
circuit. The forward policy that performs the redirection is removed through a subscriber reauthorization
mechanism.
Hotlining
Hotlining allows WiMAX operators to redirect subscribers to a portal controlled by a service provider. This
portal can be used for service registration, updates, and service advertisements, and to address issues that
require immediate attention, such as virus attacks and missed payments. When hotlining is complete, the
subscriber is released from the hotlined state (released from the portal) and directed to the original
destination.
Mobile IP (Wireless)
Mobile IP services allow the SmartEdge router to act as one or more foreign agents (FAs). Each
communicates with its associated home-agent (HA) peers that support the mobile subscribers, which are
referred to as mobile nodes (MNs). Each FA has a care-of address (CoA) that the system uses as the
termination address for the tunnel to an HA peer.
The MNs connect to the FA through one or more base transceiver stations (BTSs) using Ethernet circuits.
MNs can move to different BTSs, depending on their locations.
MNs communicate with the SmartEdge router (the FA) over Ethernet-based circuits, using a context that
you configure for the FA. The system routes the MN traffic to each external HA peer using a Generic
Routing Encapsulation (GRE) tunnel circuit or an IP-in-IP tunnel. Each HA peer uses a different tunnel.
Traffic from an HA peer is routed back to the MNs associated with that HA peer using the same tunnel
circuit.
Access Control Lists
The SmartEdge OS supports IP access control lists (ACLs) and policy ACLs as described in the following
sections:
IP ACLs
Policy ACLs
Conditional ACLs
Dynamic ACLs
IP ACLs
IP ACLs are lists of packet filters. Based on the criteria specified in the IP ACLs associated with the packet,
the SmartEdge OS decides whether the packet should be forwarded or dropped. IP ACLs filter packets
through the use of deny and permit, or seq deny and seq permit, statements. IP ACLs are applied to interfaces
and contexts, and affect packets on all circuits bound to the interface or all administrative packets on a
context.
Policy ACLs
Policy ACLs are lists of packet filters, packet classifications, or both. Based on criteria specified in the
policy ACLs associated with the packet, the SmartEdge OS decides whether the packet should be
forwarded, dropped, or assigned a class name. Policy ACLs filter packets, classify packets, or perform both
actions, through the use of permit and seq permit statements. Policy ACLs can be applied to forward
policies, to NAT policies, and to quality of service (QoS) metering and policing policies.
Conditional ACLs
You can configure both IP ACLs and policy ACLs with time-based conditions that filter or classify packets
for a specified time period. In addition, you can modify time-based conditions in real time, without
modifying the configuration file for the SmartEdge OS.
Dynamic ACLs
Dynamic ACLs allow the SmartEdge OS to apply an IP or policy ACL sent from a RADIUS server using
vendor-specific attributes (VSAs) 242 and 164 to a circuit or policy.
IP Service Policies
The SmartEdge OS provides the IP service policies described in the following sections:
Forward Policies
Network Address Translation Policies
Service Policies
Forward Policies
Forward policies support IP traffic mirroring, redirect, and drop. IP traffic mirroring copies packets
traveling across a circuit and forwards the duplicated packets to a designated outgoing port. IP traffic
redirect forwards IP packets to IP addresses that are different from their original destination. IP traffic drop
determines which particular packets should be dropped, rather than forwarded.
Network Address Translation Policies
Through Network Address Translation (NAT) policies, hosts using unregistered IP addresses on private
networks can connect to hosts on the Internet and vice versa. NAT translates the private (not globally
unique) addresses in the internal network into legal addresses before packets are forwarded onto another
network.
Service Policies
Service policies determine the context or contexts that Point-to-Point Protocol (PPP) and PPP over
Ethernet (PPPoE) subscribers can access by verifying the domain or context name associated with the
subscriber records.
A service policy can be attached to any PPP- or PPPoE-encapsulated subscriber circuit, including
PPP-encapsulated Layer 2 Tunneling Protocol (L2TP) tunnels.
Quality of Service
The SmartEdge OS provides the QoS features described in the following sections:
Classification, Marking, and Rate-Limiting
Scheduling
Flow Admission Control
Classification, Marking, and Rate-Limiting
The SmartEdge OS classifies, marks, and rate-limits incoming packets as described in these sections:
Priority Groups
Policy Access Control Lists
QoS Policing and Metering Policies
Priority Groups
A priority group number assignment enables you to classify all traffic, including non-IP traffic, on an
ingress circuit. A priority group is an internal value used by the SmartEdge router to determine into which
egress queue the inbound packet should be placed. The type of service (ToS) value, Differentiated Services
Code Point (DSCP) value, and Multiprotocol Label Switching (MPLS) experimental (EXP) bits are not
changed by the priority group assignment. The actual queue depends upon the number of queues configured
on the circuit.
Policy Access Control Lists
A classification filter is configured through a policy ACL. Each policy ACL supports up to eight unique
classes. Packets can be classified according to IP precedence value, protocol number, IP source and
destination address, ICMP attributes, Internet Group Management Protocol (IGMP) attributes,
Transmission Control Protocol (TCP) attributes, and User Datagram Protocol (UDP) attributes.
A policy ACL can be applied to incoming or outgoing packets on a port, circuit, or for a subscriber profile.
A policy ACL is applied to incoming packets through a QoS policing policy and to outgoing packets
through a QoS metering policy.
QoS Policing and Metering Policies
A QoS policing policy marks, rate-limits, or performs both actions on incoming packets, while a QoS
metering policy does the same for outgoing packets. Both types of policies can be applied at one of two
levels or at both levels simultaneously. One level of application applies to all packets on a particular circuit.
Another level of application applies to only a particular class of packets traveling across the circuit. The
class is configured through a policy ACL.
Scheduling
After classification, marking, and rate-limiting occurs on an incoming packet, the packet is placed into an
output queue for servicing by the egress traffic card's scheduler. The SmartEdge OS supports up to eight
queues per circuit. Queues are serviced according to a queue map scheme, a QoS scheduling policy, or both,
as described in the following sections:
Queue Maps
Priority Queuing
Enhanced Deficit Round Robin
Modified Deficit Round Robin
Asynchronous Transfer Mode Weighted Fair Queuing
Priority Weighted Fair Queuing
Hierarchical Scheduling
Hierarchical Nodes and Node Groups
Congestion Management and Avoidance
Queue Maps
The SmartEdge OS assigns factory preset, or default, mapping of a priority group to a particular egress
queue, according to the number of queues configured on a circuit. You can configure queue maps to
override the default mapping of packets into egress queues. You can apply queue maps along with any of
the four QoS scheduling policies.
Priority Queuing
With a priority queuing (PQ) scheduling policy, the output queues on a circuit are serviced in strict priority
order; that is, packets waiting in the highest-priority queue (queue 0) are serviced until that queue is empty,
then packets waiting in the second-highest priority queue are serviced (queue 1), and so on. Under
congestion, PQ allows the highest priority traffic to get through, at the expense of lower-priority traffic.
Enhanced Deficit Round Robin
The enhanced deficit round-robin (EDRR) scheduling policy can operate in one of three modes: normal,
strict, or alternate. In normal mode, queue 0 is treated like all other queues on a circuit. Each queue receives
its share of the circuit's bandwidth according to the weight assigned to the queue. In strict mode, queue 0
always has priority over all other queues configured on a circuit. In alternate mode, every other round serves
queue 0, and the rounds in between serve the other queues on the circuit in turn.
Modified Deficit Round Robin
Like the EDRR scheduling policy, the modified deficit round-robin (MDRR) scheduling policy can operate
in one of three modes: EDRR normal and strict modes and PQ strict priority queuing mode. For the EDRR
modes, MDRR supports circuit rate limits; for the PQ strict priority queuing mode, MDRR supports two,
four, or eight queues on a circuit.
Asynchronous Transfer Mode Weighted Fair Queuing
The Asynchronous Transfer Mode weighted fair queuing (ATMWFQ) scheduling policy can operate in one
of two modes: alternate or strict. In either mode, an MDRR algorithm is used to implement class-based
WFQ.
In alternate mode, the servicing of queues alternates between queue 0 and the remaining queues. Queue 0
is served, then the next queue is served. Queue 0 is served again, and the next queue in turn is served, and
so on. For example, if there are four queues configured, the order of servicing will be q0, q1, q0, q2, q0,
q3, q0, q1, and so on. In strict mode, high-priority queue 0 is serviced immediately and then the other
queues are serviced in a round-robin fashion.
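The service orders described in the PQ, EDRR, and ATMWFQ sections above, as an added illustration written for this page (not SmartEdge OS code): strict priority draining, deficit round robin in normal and strict mode, and the queue-0 alternation that gives the q0, q1, q0, q2, q0, q3, q0, q1 sequence for four queues. The quantum, the weights, and the 800-byte backlog are constructed assumptions, not values from the guide.

```python
"""Service-order models for the scheduling disciplines described above:
strict priority (PQ), deficit round robin in EDRR normal and strict mode,
and the queue-0 alternation used by EDRR/ATMWFQ alternate mode.
Added illustration for this page, not SmartEdge OS code; the quantum,
weights and packet sizes are constructed assumptions."""
from collections import deque


def alternate_order(num_queues, turns):
    """Alternate mode: queue 0 takes every other turn and the remaining
    queues rotate through the turns in between."""
    if num_queues < 2:
        return ["q0"] * turns
    order, nxt = [], 1
    for turn in range(turns):
        if turn % 2 == 0:
            order.append("q0")
        else:
            order.append("q%d" % nxt)
            nxt = nxt + 1 if nxt < num_queues - 1 else 1
    return order


def pq_dequeue(queues):
    """Strict priority: queue 0 is drained before queue 1, and so on.
    `queues` maps queue index -> list of packet sizes waiting at time 0."""
    return [(i, size) for i in sorted(queues) for size in queues[i]]


def drr_dequeue(queues, weights, quantum=1000, strict_q0=False):
    """Deficit round robin.  Each round a backlogged queue earns
    weights[i] * quantum bytes of deficit and transmits while its head
    packet fits; unused deficit carries over, so a packet larger than one
    round's credit is still sent once enough rounds have accumulated.
    strict_q0=True is EDRR strict mode: queue 0 is drained ahead of the
    weighted rotation.  Returns the transmit order as (queue, size)."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    pending = {i: deque(pkts) for i, pkts in queues.items()}
    deficit = {i: 0 for i in pending}
    order = []
    while any(pending.values()):
        if strict_q0 and pending.get(0):
            while pending[0]:
                order.append((0, pending[0].popleft()))
            continue
        for i in sorted(pending):
            if not pending[i]:
                deficit[i] = 0          # an idle queue does not bank credit
                continue
            deficit[i] += weights[i] * quantum
            while pending[i] and pending[i][0] <= deficit[i]:
                size = pending[i].popleft()
                deficit[i] -= size
                order.append((i, size))
    return order


if __name__ == "__main__":
    # Constructed backlog: three queues of 800-byte packets, queue 1 weighted 2x.
    backlog = {0: [800, 800], 1: [800, 800, 800], 2: [800]}
    weights = {0: 1, 1: 2, 2: 1}
    print("alternate:  ", alternate_order(4, 8))
    print("PQ:         ", pq_dequeue(backlog))
    print("EDRR normal:", drr_dequeue(backlog, weights))
    print("EDRR strict:", drr_dequeue(backlog, weights, strict_q0=True))
```

Comparing the normal and strict outputs for the same backlog shows the trade-off the text describes: in normal mode queue 0 waits its turn after one packet, while in strict mode it is emptied first at the expense of the weighted queues.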
Priority Weighted Fair Queuing
Priority weighted fair queuing (PWFQ) policies use a priority- and a weight-based algorithm to implement
hierarchical QoS-aware scheduling. Each queue in the policy includes both a priority and a relative weight,
which control how each queue is serviced. Inside the PWFQ policy, priority takes precedence, and for
queues placed at the same priority, the individual configured weight defines how the queue is used in the
scheduling decision.
With PWFQ policies, you can configure different congestion behaviors that depend on the DSCP values of
the packets in a queue; this feature is referred to as multidrop precedence. Multidrop precedence supports
up to three profiles for each queue, and each profile defines a different congestion behavior for one or more
DSCP values.
Hierarchical Scheduling
Hierarchical scheduling provides the means to perform QoS scheduling at the port, 802.1Q tunnel, and
802.1Q permanent virtual circuits (PVC) levels, using PWFQ policies. Hierarchical scheduling operates on
PWFQ queues in either of two modes: strict or WRR. In strict mode, each queue is serviced according to
the priority you assigned to the queue. In WRR mode, each queue is serviced in round-robin order
according to its priority and its traffic share, as determined by the relative weight.
Hierarchical Nodes and Node Groups
A hierarchical node functions as an individual circuit, such as an 802.1Q PVC; you can assign a traffic rate
and attach a PWFQ policy to it. In addition, you can specify the scheduling mode for the queues defined
by the PWFQ policy, either strict or WRR.
Each node is a member of a node group. You can assign a traffic rate and a scheduling mode (which might
not be the same traffic rate or scheduling mode assigned to any of the nodes within the group) to a node
group. When a subscriber record is assigned to a hierarchical node, all sessions for that subscriber are
governed by the QoS shaping configured for the node and for the node group.
Congestion Management and Avoidance
The SmartEdge OS employs the following congestion avoidance features with scheduling policies:
Random Early Detection
Queue Depth
Queue Rates
Note PWFQ policies are supported only for traffic-managed ports and circuits.
Note Hierarchical nodes and node groups are supported only on traffic-managed ports and circuits.
Random Early Detection
With PQ, EDRR, and ATMWFQ policies, you can configure random early detection (RED) parameters to
manage buffer utilization under congestion by signaling to sources of traffic that the network is on the verge
of entering a congested state, rather than waiting until the network is actually congested.
Queue Depth
With EDRR and PQ policies, you can modify the number of packets that are allowed in each queue
configured on a circuit.
Queue Rates
With PQ and EDRR policies, you can configure a rate limit, which specifies a long-term, nominal average
bit rate for the queuing policy and uses a burst tolerance to specify the number of bytes allowed above the
configured rate. In PQ policies, the rate is controlled per individual queue, while in EDRR policies, the rate
is a combined traffic rate for all queues in the policy. A reasonable guideline for burst tolerance is 10 times
the link maximum transmission unit (MTU).
Flow Admission Control
A flow is a unidirectional object that identifies related data packets and enables you to apply a set of
services to a portion of a circuit. Without flows, you could only apply services to entire groups of
subscribers mapped to a specified circuit. All attributes on a flow inherit from the services applied to the
circuit to which the flow applies.
All attributes applied using flow features reside in a flow admission control (FAC) profile, which is the
basic unit of flow configuration. First you create a FAC profile, and then you apply it to an existing circuit
from circuit configuration mode.
Security
The SmartEdge OS provides the security features described in the following sections:
Authentication, Authorization, and Accounting
Remote Authentication Dial-In User Service
Terminal Access Controller Access Control System Plus
Key Chains
Lawful Intercept
Authentication, Authorization, and Accounting
The SmartEdge OS uses authentication, authorization, and accounting (AAA) to authenticate subscribers
through database records kept in one of these locations:
Locally in the SmartEdge OS through subscriber commands
On a RADIUS server or set of servers
The first location is the local database, which is a set of subscriber configuration mode commands entered
through the SmartEdge OS CLI. The local database provides what is known as local authentication. The
second location is the RADIUS server's database, which contains the subscriber records. The SmartEdge
OS, configured with the IP address or hostname of the RADIUS server, relies on the database records of
the server to authenticate subscribers.
Each SmartEdge OS context can use the IP address or hostname of a RADIUS server configured within its
context for authentication; this is known as context-specific RADIUS authentication. Alternatively, a context
can be configured to use the IP address or hostname of the RADIUS server in the local context; this is known
as global authentication. With global authentication, the RADIUS server is expected to return the
Context-Name vendor-specific attribute (VSA) that indicates the particular context to which the subscriber
is to be bound. You can also configure the SmartEdge router to try authentication through the RADIUS
server configured in the current context first, with a fallback to the global RADIUS server or to the local
database, in case the RADIUS server in the current context becomes unreachable.
The SmartEdge OS supports subscriber session reauthorization, so that a subscriber's attributes can be
updated dynamically, without requiring renegotiation for a current subscriber session and without dropping
the session. The updates to the subscriber record are made immediately without interruption.
Subscriber accounting tracks RADIUS-based messages for subscriber sessions. The data can be sent to a
set of RADIUS servers in the local context, a set of RADIUS servers in another context, or both. This last
case is called two-stage accounting, where, for example, a wholesaler can send a copy of accounting data
to his own RADIUS server and to an upstream service provider's RADIUS server, allowing end-of-period
accounting data to be reconciled and validated by both parties.
Remote Authentication Dial-In User Service
RADIUS is based on a client/server architecture. The SmartEdge OS can be configured to act as a RADIUS
client. The use of RADIUS replaces the need for local configuration of user records, although we
recommend a local configuration in case the remote server is unreachable.
If your network topology requires separate RADIUS accounting servers for billing or load-balancing
purposes, you can also configure one or more RADIUS accounting servers, which then take over the
accounting functions from the RADIUS servers. The SmartEdge OS can send RADIUS accounting data to
a global set of RADIUS servers, a context-specific set of RADIUS servers, or both. This last case is referred
to as two-stage accounting.
Note RADIUS servers are context specific, with a limit of five servers for each context.
Terminal Access Controller Access Control System Plus
The Terminal Access Controller Access Control System Plus (TACACS+) protocol secures remote access
to networks and network services and is based on a client/server architecture. The SmartEdge router can be
configured to act as a TACACS+ client. The use of TACACS+ replaces the need for local configuration of
user records, although we recommend a local configuration in case the remote server is unreachable. The
SmartEdge OS supports the TACACS+ features of OPIE, S/Key, and SecurID.
Note Before using TACACS+, the SmartEdge router must first be configured with the IP address
or hostname of one or multiple TACACS+ servers. TACACS+ servers are configured on a
per-context basis, with a limit of six servers per context.
Key Chains
Key chains allow you to control authentication keys used by various routing protocols in the system.
Currently, the SmartEdge OS supports the use of key chains with the Open Shortest Path First (OSPF),
Intermediate System-to-Intermediate System (IS-IS), and Virtual Router Redundancy Protocol (VRRP)
routing protocols. In the configuration process, you establish a name for each key chain, and an
identification for each key within the key chain.
Lawful Intercept
Lawful intercept (LI) enables service providers to mirror subscriber packets and send them to a mediation
system, which can be anywhere in the network. The SmartEdge OS can mirror packets from any circuit in
the system, at the ingress or egress point, and send the mirrored packets to the mediation system using a
User Datagram Protocol (UDP)/IP session.
Command Mode Hierarchy
Command modes exist in a hierarchy; that is, you must access the higher-level command mode before you
can access a lower-level command mode in the same chain.
Note For modes relevant to basic system features, see the Overview chapter in the Basic System
Configuration Guide for the SmartEdge OS. For modes relevant to configuring ports, circuits,
and tunnels, see the Overview chapter in the Ports, Circuits, and Tunnels Configuration
Guide for the SmartEdge OS. For modes relevant to routing protocol features, see the
Overview chapter in the Routing Protocols Configuration Guide for the SmartEdge OS.
Table 1-2 lists the command modes (in alphabetical order) that are relevant to IP services and security
features. It includes the commands to access each mode and the command-line prompt for each mode.
Table 1-2 Command Modes and Prompts
Mode Name Commands Used to Access Command-Line Prompt
exec (user logon) # or >
ANCP router ancp command from context configuration mode (config-ancp)#
ANCP neighbor ancp neighbor command from ANCP configuration mode (config-ancp-neighbor)#
access control list ip access-list and policy access-list commands from context configuration mode (config-access-list)#
ACL condition condition time-range command from access control list configuration mode (config-acl-condition)#
administrator administrator command from context configuration mode (config-administrator)#
ATM DS-3 port atm command from global configuration mode (config-atm-ds3)#
ATM OC port atm command from global configuration mode (config-atm-oc)#
ATM profile atm profile command from global configuration mode (config-atm-profile)#
ATM PVC atm pvc command from ATM OC and ATM DS-3 configuration modes (config-atm-pvc)#
ATMWFQ policy qos policy atmwfq command from global configuration mode (config-policy-atmwfq)#
card card command from global configuration mode (config-card)#
CLIPS PVC clips pvc command from ATM PVC, dot1q PVC, and port configuration modes (config-clips-pvc)#
congestion map qos congestion-avoidance-map command from global configuration mode (config-congestion-map)#
context context command from global configuration mode (config-ctx)#
DHCP giaddr dhcp relay or dhcp proxy command from interface configuration mode (config-dhcp-giaddr)#
DHCP relay server dhcp relay server command from context configuration mode (config-dhcp-relay)#
DHCP server dhcp server command from context configuration mode (config-dhcp-server)#
DHCP subnet subnet command from context configuration mode (config-dhcp-subnet)#
dynamic tunnel profile dynamic tunnel profile command from Mobile IP configuration mode (config-mip-dyn-tun1-profile)#
dot1q profile dot1q profile command from global configuration mode (config-dot1q-profile)#
dot1q PVC dot1q pvc command from port configuration mode (config-dot1q-pvc)#
DS-0 group port ds0s command from global configuration mode (config-ds0-group)#
DS-1 port ds1 command from global configuration mode (config-ds1)#
DS-3 port channelized-ds3 and port ds3 commands from global configuration mode (config-ds3)#
E1 port e1 command from global configuration mode (config-e1)#
E3 port e3 command from global configuration mode (config-e3)#
EDRR policy qos policy edrr command from global configuration mode (config-policy-edrr)#
FA foreign-agent command from Mobile IP configuration mode (config-fa)#
flow flow admission-control profile command from global configuration mode (config-ac-profile)#
forward policy forward policy command from global configuration mode (config-policy-frwd)#
Frame Relay PVC frame-relay pvc command from DS-0 group, DS-1, DS-3, E1, E3, and port configuration modes (config-fr-pvc)#
global configure command from exec mode (config)#
GRE tunnel gre-tunnel command from tunnel map configuration mode (config-gre-tunnel)#
HA peer home-agent-peer command from FA configuration mode (config-ha-peer)#
hierarchical node group hierarchical node-group command from port configuration mode (config-h-node)#
hierarchical node (1) hierarchical qos node command from hierarchical node group configuration mode (config-h-node)#
HTTP redirect profile http-redirect profile command from context configuration mode (config-hr-profile)#
HTTP redirect server http-redirect server command from global configuration mode (config-hr-server)#
interface interface command from context configuration mode (config-if)#
key chain key-chain command from context configuration mode (config-key-chain)#
L2TP peer l2tp-peer command from context configuration mode (config-l2tp)#
link group link-group command from global configuration mode (config-link-group)#
LI profile li-profile command from global configuration mode (config-liprofile)#
MDRR policy qos policy mdrr command from global configuration mode (config-policy-mdrr)#
metering policy qos policy metering command from global configuration mode (config-policy-metering)#
Mobile IP router mobile-ip command from context configuration mode (config-mip)#
Mobile IP interface interface command from Mobile IP configuration mode (config-mip-if)#
MPLS router router mpls command from context configuration mode (config-mpls)#
NAT policy nat policy command from context configuration mode (config-policy-nat)#
NAT pool ip nat pool command from context configuration mode (config-nat-pool)#
ND router router nd command from context configuration mode (config-nd)#
ND router interface interface command from ND router configuration mode (config-nd-if)#
NTP ntp mode command from global configuration mode (config-ntp)#
num-queues num-queue command from queue map configuration mode (config-num-queues)#
overhead profile qos profile overhead command from global configuration mode (config-profile-overhead)#
overhead type type command from the overhead profile configuration mode (config-type-overhead)#
parameter array loop foreach command from service profile configuration mode (config-param-array-loop)#
policing policy qos policy policing command from global configuration mode (config-policy-policing)#
policy group access-group command from forward policy, NAT policy, metering policy, and policing policy configuration modes (config-policy-group)#
policy group class class command from policy group configuration mode (config-policy-group-class)#
policy class rate rate command from policy group class configuration mode (config-policy-class-rate)#
policy rate rate command from metering policy and policing policy configuration modes (config-policy-rate)#
port port channelized-OC12, port ethernet, and port pos commands from global configuration mode (config-port)#
PQ policy qos policy pq command from global configuration mode (config-policy-pq)#
protocol policy qos policy (protocol-rate-limit) command from global configuration mode (config-policy-protocol)#
PWFQ policy qos policy pwfq command from global configuration mode (config-policy-pwfq)#
queue map qos queue-map command from global configuration mode (config-queue-map)#
RADIUS policy radius policy command from global configuration mode (config-rad-policy)#
radius service profile radius service profile command from context configuration mode (config-service-profile)#
service policy service-policy command from global configuration mode (config-policy-svc)#
software license software license command from global configuration mode (config-license)#
subscriber subscriber command from context configuration mode (config-sub)#
terminate error cause radius attribute acct-terminate-cause remap command in global configuration mode (config-term-ec)#
tunnel map tunnel map command from global configuration mode (config-tunnel-map)#
1. The prompt for this configuration mode is identical to the prompt for the hierarchical node group configuration mode.
Figure 1-2 shows the hierarchy of the command modes that are used to configure IP services and security
features.
Figure 1-2 Command Modes Related to IP Services and Security Features
Part 2
IP Service Protocols
This part describes the tasks and commands used to configure Address Resolution Protocol (ARP), the
Neighbor Discovery (ND) protocol, Network Time Protocol (NTP), Dynamic Host Configuration Protocol
(DHCP), and Access Node Control Protocol (ANCP). It consists of the following chapters:
Chapter 2, ARP Configuration
Chapter 3, ND Configuration
Chapter 4, NTP Configuration
Chapter 5, DHCP Configuration
Chapter 6, ANCP Configuration
Chapter 2
ARP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Address Resolution
Protocol (ARP) features.
For information about the tasks and commands used to monitor, troubleshoot, and administer ARP features,
see the ARP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The SmartEdge OS supports RFC 826, An Ethernet Address Resolution Protocol, also called Converting
Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware. In
addition, the SmartEdge OS supports the following features:
A configurable ARP entry age timer
The option to enable automatic deletion of dynamic ARP entries (as opposed to automatic refresh of the
ARP table)
The static IP ARP entry mapping of a unicast IP address to a multicast medium access control (MAC)
address
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure ARP, perform the tasks described in the following sections:
Enable ARP
Enable Secured ARP (Optional)
Enable Proxy ARP (Optional)
Configure Static Entries in the ARP Table (Optional)
Configure the Automatic Deletion of ARP Entries (Optional)
Set a Maximum Number of Incomplete ARP Entries (Optional)
Configure ARP Policy to Prevent DoS Attacks
Enable ARP
To enable ARP, perform the task described in Table 2-1.
Enable Secured ARP (Optional)
To enable secured ARP, perform the task described in Table 2-2. You can enable either secured ARP or
proxy ARP on an interface.
Enable Proxy ARP (Optional)
To enable proxy ARP, perform the task described in Table 2-3. You can enable either secured ARP or proxy
ARP on an interface.
Table 2-1 Enable ARP
Task Root Command Notes
Enable ARP. ip arp arpa Enter this command in interface configuration mode. By default, ARP is already enabled. Use the no form of this command to disable ARP.
Table 2-2 Enable Secured ARP (Optional)
Task Root Command Notes
Enable secured ARP. ip arp secured-arp Enter this command in interface configuration mode. ARP must be enabled before you can enable secured ARP.
Table 2-3 Enable Proxy ARP (Optional)
Task Root Command Notes
Enable proxy ARP. ip arp proxy-arp Enter this command in interface configuration mode. ARP must be enabled before you can enable proxy ARP.
Configure Static Entries in the ARP Table (Optional)
To configure static entries in the ARP table, perform the appropriate task described in Table 2-4. If you use
both commands to specify the same IP address and MAC address, the most recently updated command
takes precedence.
Configure the Automatic Deletion of ARP Entries (Optional)
To configure the automatic deletion of ARP table entries, perform the tasks described in Table 2-5; enter
all commands in interface configuration mode.
Set a Maximum Number of Incomplete ARP Entries (Optional)
When requesting the MAC address that corresponds to a particular IP address for a subscriber circuit, the
SmartEdge OS creates an incomplete entry in the ARP table and sends an ARP request packet. On reply,
the entry is updated and completed. By default, the maximum number of incomplete entries that are
allowed in the ARP table is 4,294,967,295.
To set a maximum allowable number of incomplete entries, perform the task described in Table 2-6.
Configure ARP Policy to Prevent DoS Attacks
To configure a subscriber circuit or port to prevent denial of service (DoS) attacks, perform the tasks
described in Table 2-7.
Table 2-4 Configure Static Entries in the ARP Table (Optional)
Task Root Command Notes
Configure an entry in the ARP table for a subscriber whose host cannot (or is not configured to) respond to ARP requests. ip subscriber arp Enter this command in subscriber configuration mode.
Configure an entry in the ARP table. ip arp Enter this command in context configuration mode.
Table 2-5 Configure the Automatic Deletion of ARP Entries
Task Root Command Notes
Configure the automatic deletion of ARP entries. ip arp delete-expired
Modify the length of time entries remain in the ARP table before being automatically deleted. ip arp timeout Optional. When you enable the ip arp delete-expired command, entries are deleted after 60 minutes by default.
Table 2-6 Set a Maximum Number of Incomplete ARP Entries (Optional)
Task Root Command Notes
Set a maximum allowable number of incomplete ARP entries. ip arp maximum incomplete-entries Enter this command in context configuration mode.
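The ARP-table behaviour that the tasks in Tables 2-4 through 2-6 configure (static entries, incomplete entries created on request and completed on reply, the age timer with delete-expired versus refresh, and the cap on incomplete entries), as an added model written for this page rather than SmartEdge OS code. The timer values, the 10.0.0.x addresses, the MACs, and the ArpTable class itself are constructed assumptions; the static entry reuses the address and MAC from the configuration example below.

```python
"""Model of the ARP-table behaviours configured in Tables 2-4 to 2-6: an
incomplete entry is created when a request is sent and completed by the
reply; dynamic entries age out after a timeout and are either refreshed or,
with delete-expired enabled, removed; the number of incomplete entries is
capped.  Added illustration for this page, not SmartEdge OS code; the
timer values, addresses and MACs are constructed assumptions."""


class ArpTable:
    def __init__(self, timeout_s=3600, delete_expired=False, max_incomplete=None):
        self.timeout_s = timeout_s            # ip arp timeout (60 min default)
        self.delete_expired = delete_expired  # ip arp delete-expired
        self.max_incomplete = max_incomplete  # ip arp maximum incomplete-entries
        self.entries = {}                     # ip -> entry dict
        self.refused_requests = 0             # requests refused by the cap

    def add_static(self, ip, mac):
        """ip arp <ip> <mac>: a static entry is never aged or overwritten."""
        self.entries[ip] = {"mac": mac, "state": "complete", "updated": None, "static": True}

    def incomplete_count(self):
        return sum(1 for e in self.entries.values() if e["state"] == "incomplete")

    def request(self, ip, now):
        """Resolve `ip`: return the MAC if the entry is complete, otherwise
        record an incomplete entry (subject to the cap) and return None."""
        entry = self.entries.get(ip)
        if entry is not None and entry["state"] == "complete":
            return entry["mac"]
        if entry is None:
            if self.max_incomplete is not None and self.incomplete_count() >= self.max_incomplete:
                self.refused_requests += 1    # table already full of unresolved entries
                return None
            self.entries[ip] = {"mac": None, "state": "incomplete", "updated": now, "static": False}
        return None

    def reply(self, ip, mac, now):
        """Complete a pending entry.  A reply with no pending request, or one
        for a static entry, is ignored so it cannot rewrite the table."""
        entry = self.entries.get(ip)
        if entry is None or entry["static"] or entry["state"] != "incomplete":
            return False
        entry.update(mac=mac, state="complete", updated=now)
        return True

    def age(self, now):
        """Expire dynamic entries older than timeout_s: remove them when
        delete-expired is set, otherwise mark them for refresh.  Returns the
        number of entries that expired."""
        expired = 0
        for ip, entry in list(self.entries.items()):
            if entry["static"] or now - entry["updated"] < self.timeout_s:
                continue
            expired += 1
            if self.delete_expired:
                del self.entries[ip]
            else:
                entry.update(mac=None, state="incomplete", updated=now)
        return expired


def demo():
    """Constructed scenario: 240 s timeout, delete-expired on, at most two
    unresolved entries at a time.  Returns (table, resolved_mac, expired)."""
    t = ArpTable(timeout_s=240, delete_expired=True, max_incomplete=2)
    t.add_static("31.22.213.124", "43:32:23:32:12:82")
    t.request("10.0.0.1", now=0)
    t.request("10.0.0.2", now=1)
    t.request("10.0.0.3", now=2)         # refused: cap of two incomplete entries
    t.reply("10.0.0.1", "00:11:22:33:44:55", now=5)
    mac = t.request("10.0.0.1", now=6)   # now answered from the table
    expired = t.age(now=300)             # both dynamic entries are past 240 s
    return t, mac, expired


if __name__ == "__main__":
    table, mac, expired = demo()
    print("resolved:", mac, "refused:", table.refused_requests,
          "expired:", expired, "remaining:", sorted(table.entries))
```

The cap is the point of Table 2-6: a burst of requests for addresses that never answer would otherwise leave the table holding nothing but incomplete entries, and the model shows the third unanswered request being refused while the static entry survives the age sweep untouched.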
Configuration Examples
The following example enables secured ARP on the interface, intf-1:
[local]Redback(config-ctx)#interface intf-1
[local]Redback(config-if)#ip arp secured-arp
The following example creates a static entry in the ARP table for IP address, 31.22.213.124, and
associates the IP address with the MAC address, 43:32:23:32:12:82. After 4 minutes (240 seconds),
any ARP entry associated with the intf-2 interface is deleted from the ARP table:
[local]Redback(config-ctx)#ip arp 31.22.213.124 43:32:23:32:12:82
[local]Redback(config-ctx)#interface intf-2
[local]Redback(config-if)#ip arp delete-expired
[local]Redback(config-if)#ip arp timeout 240
Table 2-7 Configure a Subscriber Circuit or Circuits or Port to Prevent DoS ARP Attacks
# Task Root Command Notes
1. Enter protocol policy configuration mode. qos policy (protocol-rate-limit) Global configuration mode
2. Create a rate limit and burst threshold on incoming ARP packets. arp rate Protocol policy configuration mode
3. To configure a port for prevention of DoS ARP attacks, enter port configuration mode. port Global configuration mode
Apply the ARP policy to the port. qos policy (protocol-rate-limit) Port configuration mode
4. To configure a subscriber circuit or circuits for prevention of DoS ARP attacks, enter the configuration mode for the default subscriber profile, a named subscriber profile, or an individual subscriber record. subscriber Context configuration mode. See the Basic System Configuration Guide for information on this command.
Apply the ARP policy to the subscriber profile or individual subscriber record. qos policy (protocol-rate-limit) Subscriber configuration mode
5. To configure an 802.1Q PVC for prevention of DoS ARP attacks, enter dot1q PVC configuration mode. port, encapsulation, dot1q pvc Enter the encapsulation command with the dot1q keyword.
Apply the ARP policy to the 802.1Q PVC. qos policy (protocol-rate-limit) Dot1Q PVC configuration mode
6. To configure an access link group or an aggregated 802.1Q pseudocircuit in an access link group for prevention of DoS ARP attacks, enter access link group configuration mode or link PVC configuration mode within the link group. link-group, encapsulation, dot1q pvc Enter the link-group command with the access keyword. Enter the encapsulation command with the dot1q keyword.
Apply the ARP policy to the access link group or aggregated 802.1Q pseudocircuit. qos policy (protocol-rate-limit) Access link-group configuration mode or aggregated link PVC configuration mode.
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ARP features.
The commands are presented in alphabetical order:
arp rate
ip arp
ip arp arpa
ip arp delete-expired
ip arp maximum incomplete-entries
ip arp proxy-arp
ip arp secured-arp
ip arp timeout
ip subscriber arp
arp rate
arp rate pps burst packets
Purpose
Creates a rate limit and burst threshold on incoming ARP packets.
Command Mode
protocol policy
Syntax Description
pps Rate in packets per second. The range of values is 1 to 2,500,000.
burst packets Burst tolerance in packets. The range of values is 1 to 25,000,000.
Default
No ARP rate limit.
Usage Guidelines
Use the arp rate command to create a rate limit and burst threshold on incoming ARP packets. The policy
takes effect where it is applied with the qos policy protocol-rate-limit command (port, subscriber, 802.1Q
PVC, or access link group; see Table 2-7).
Examples
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
Ethernet port 5/1:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#port ether 5/1
[local]Redback(config-port)#qos policy protocol-rate-limit ARPDOS
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
default subscriber circuits:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#subscriber default
[local]Redback(config-sub)#qos policy protocol-rate-limit ARPDOS
Related Commands
None
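To see what "arp rate 5000 burst 100000" does to an ARP flood versus a normal load, the following is an added token-bucket model of the rate/burst pair; it is example code written for this page, not SmartEdge OS code, and the assumption that the limiter behaves as a classic token bucket (burst tokens up front, refilled at pps per second, one token per packet) is the model's, not the guide's. The arrival patterns are constructed.

```python
from dataclasses import dataclass


@dataclass
class ArpRateLimiter:
    """Token-bucket model (assumed semantics) of `arp rate <pps> burst <packets>`."""
    pps: int     # steady-state rate in packets per second
    burst: int   # burst tolerance: bucket capacity in packets

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full
        self.last = 0.0
        self.accepted = 0
        self.dropped = 0

    def offer(self, t: float) -> bool:
        """Offer one ARP packet arriving at time t (seconds); True if it is forwarded."""
        elapsed = t - self.last
        self.last = t
        # refill at pps tokens per second, never above the burst size
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.pps)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.accepted += 1
            return True
        self.dropped += 1
        return False


def run(limiter: ArpRateLimiter, arrivals) -> tuple:
    """Feed a sorted list of arrival times; return (accepted, dropped)."""
    for t in arrivals:
        limiter.offer(t)
    return limiter.accepted, limiter.dropped


def flood_then_recover(pps: int = 5000, burst: int = 100000) -> dict:
    """Constructed scenario: 150,000 ARP packets land at t=0, then 6,000 more one second later."""
    lim = ArpRateLimiter(pps, burst)
    flood = run(lim, [0.0] * 150_000)      # burst tokens absorb 100,000; the rest are dropped
    lim.accepted = lim.dropped = 0
    after = run(lim, [1.0] * 6_000)        # one second refills exactly pps tokens
    return {"flood": flood, "after_1s": after}


def steady_state(pps: int = 5000, burst: int = 100000, load_pps: int = 1000, seconds: int = 2) -> tuple:
    """Constructed legitimate load below the configured rate: nothing is dropped."""
    lim = ArpRateLimiter(pps, burst)
    arrivals = [i / load_pps for i in range(load_pps * seconds)]
    return run(lim, arrivals)


if __name__ == "__main__":
    print(flood_then_recover())   # {'flood': (100000, 50000), 'after_1s': (5000, 1000)}
    print(steady_state())         # (2000, 0)
```

The numbers show the trade-off the two parameters encode: the burst value bounds how many packets an attacker gets through before the limit bites, and the pps value bounds how many get through per second afterwards, while a well-behaved circuit never touches the limit.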
ip arp
ip arp ip-addr mac-addr [alias]
no ip arp ip-addr mac-addr [alias]
Purpose
Associates an IP address with a medium access control (MAC) address and creates a corresponding entry
in the Address Resolution Protocol (ARP) table.
Command Mode
context configuration
Syntax Description
ip-addr Host IP address in the form A.B.C.D.
mac-addr MAC address of the host in the form hh:hh:hh:hh:hh:hh.
alias Optional. Configures the system to respond to ARP requests for the IP address.
Default
No entry is created in the ARP table.
Usage Guidelines
Use the ip arp command to associate an IP address with a MAC address and create a corresponding entry
in the ARP table.
Note If you enter both this command and the ip subscriber arp command (in subscriber
configuration mode) and specify the same IP address and MAC address, the most recently
updated command takes precedence. Only the circuit and interface are updated in the ARP
table.
Use the no form of this command to remove an entry from the configuration and from the ARP table.
Examples
The following example associates IP address, 31.22.213.124, with the MAC address,
00:30:23:32:12:82, and creates a corresponding entry in the ARP table:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip arp 31.22.213.124 00:30:23:32:12:82
Related Commands
ip subscriber arp
ip arp arpa
ip arp arpa
{no | default}ip arp arpa
Purpose
Enables the standard Address Resolution Protocol (ARP) on this interface.
Command Mode
interface configuration
Syntax Description
This command has no keywords or arguments.
Default
Standard ARP is enabled.
Usage Guidelines
Use the ip arp arpa command to enable standard ARP on this interface.
Use the no form of this command to disable standard ARP on this interface.
Use the default form of this command to enable standard ARP on this interface.
Examples
The following example disables standard ARP on the toToronto interface at IP address, 10.20.1.1:
[local]Redback(config-ctx)#interface toToronto
[local]Redback(config-if)#ip address 10.20.1.1 255.255.255.0
[local]Redback(config-if)#no ip arp arpa
Related Commands
ip arp
ip arp delete-expired
ip arp delete-expired
{no | default}ip arp delete-expired
Purpose
Enables the automatic deletion of expired dynamic Address Resolution Protocol (ARP) entries associated
with this interface from the ARP table.
Command Mode
interface configuration
Syntax Description
This command has no keywords or arguments.
Default
Automatic deletion is disabled.
Usage Guidelines
Use the ip arp delete-expired command to enable the automatic deletion of expired dynamic ARP entries
associated with this interface from the ARP table. Entries are deleted after they have been in the ARP table
for the amount of time specified by the ip arp timeout command (in interface configuration mode). If the
ip arp timeout command is not configured, the default value of 3,600 seconds (60 minutes) is used.
If you do not enable automatic deletion of expired dynamic ARP entries, expired entries are treated
differently depending on the value of the seconds argument in the ip arp timeout command. If the value
of the seconds argument is greater than 70, an expired entry is refreshed by sending a new ARP request;
if no ARP reply is received in response to the refresh request packet, the entry is removed from the cache.
If the value of the seconds argument is less than 70, expired entries are removed from the cache.
Use the no or default form of this command to disable the automatic deletion of expired entries.
Examples
The following example configures the system to automatically delete expired dynamic ARP entries on the
toBoston interface at IP address, 10.30.2.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface toBoston
[local]Redback(config-if)#ip address 10.30.2.1 255.255.255.0
[local]Redback(config-if)#ip arp delete-expired
Related Commands
ip arp maximum incomplete-entries
ip arp timeout
ip arp maximum incomplete-entries
ip arp maximum incomplete-entries num-entries
{no | default}ip arp maximum incomplete-entries
Purpose
Sets a maximum allowable number of incomplete entries for subscriber circuits that can exist in the
Address Resolution Protocol (ARP) table for the context.
Command Mode
context configuration
Syntax Description
num-entries Maximum number of incomplete entries in the ARP table. The range of
values is 1 to 4,294,967,295; the default value is 4,294,967,295.
Default
The maximum number of incomplete entries for subscriber circuits in the ARP table is 4,294,967,295.
Usage Guidelines
Use the ip arp maximum incomplete-entries command to set a maximum allowable number of
incomplete entries for subscriber circuits that can exist in the ARP table for the context.
When requesting the medium access control (MAC) address that corresponds to a particular IP address, the
SmartEdge OS creates an incomplete entry in the ARP table and sends an ARP request packet. On reply,
the entry is updated and complete. Limiting the number of incomplete entries bounds the table space that
unanswered requests can consume.
Use the no or default form of this command to return to the default setting of a maximum of 4,294,967,295
incomplete entries for subscriber circuits in the ARP table.
Examples
The following example limits the number of incomplete entries in the ARP table to 250 for the local
context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip arp maximum incomplete-entries 250
Related Commands
ip arp delete-expired
ip arp timeout
ip arp proxy-arp
ip arp proxy-arp [always]
{no | default}ip arp proxy-arp
Purpose
Enables the proxy Address Resolution Protocol (ARP) on this interface.
Command Mode
interface configuration
Syntax Description
always Optional. Indicates that proxy ARP must be functional for multiple hosts on the same
circuit.
Default
Proxy ARP is disabled.
Usage Guidelines
Use the ip arp proxy-arp command to enable proxy ARP on this interface. When enabled, the SmartEdge
router acts as an ARP proxy for hosts that are not on the same interface as the ARP request sender.
Proxy ARP and secured ARP are mutually exclusive services for an interface; enabling either service for
an interface automatically disables the other service for that interface.
Use the always keyword to enable proxy ARP for multiple hosts that reside on the same circuit; if not
specified, this capability is limited to hosts on individual circuits.
Use the no or default form of this command to disable proxy ARP on this interface.
Note You must enable standard ARP on this interface before you can enable proxy ARP; by default,
standard ARP is enabled.
Note To disable only the support for multiple hosts on the same circuit, you must first disable proxy
ARP, and then enable it without the always keyword.
Examples
The following example enables proxy ARP on the fromBoston interface at IP address, 10.2.3.4, for
all hosts on the circuit:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface fromBoston
[local]Redback(config-if)#ip address 10.2.3.4 255.255.255.0
[local]Redback(config-if)#ip arp proxy-arp always
Related Commands
ip arp arpa
ip arp secured-arp
ip arp secured-arp [always]
{no | default} ip arp secured-arp
Purpose
Enables the secured Address Resolution Protocol (ARP) on a specified interface.
Command Mode
interface configuration
Syntax Description
always Optional. Indicates that secured ARP must be functional for multiple hosts on the same
circuit.
Default
Secured ARP is disabled.
Usage Guidelines
Use the ip arp secured-arp command to enable secured ARP on a specified interface.
Secured ARP and proxy ARP are mutually exclusive services for an interface; enabling either service for
an interface automatically disables the other service for the same interface.
Use the always keyword to enable secured ARP for multiple hosts that reside on the same circuit; if not
specified, this capability is limited to hosts on individual circuits.
When secured ARP is enabled, ARP requests received on an interface are not answered unless the request
comes from the circuit known to contain the requesting host. ARP requests are sent by the interface only
on the circuit known to contain the target host, and are not flooded to all circuits bound to the interface.
Use the no or default form of this command to disable secured ARP on this interface.
Note You must enable standard ARP on this interface before you can enable secured ARP; by
default, standard ARP is enabled.
Note To disable only the support for multiple hosts on the same circuit, you must first disable
secured ARP, and then enable it without the always keyword.
Examples
The following example enables secured ARP on the interface, sec-arp, at IP address, 10.1.1.1, for all
hosts on the circuit:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface sec-arp
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0
[local]Redback(config-if)#ip arp secured-arp always
Related Commands
ip arp arpa
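The two secured-ARP rules above (answer only requests arriving on the circuit known to contain the sender; send requests only on the circuit known to contain the target) are easy to state but worth seeing against a concrete topology. The following is an added Python model written for this page, not SmartEdge OS code: the interface, circuit names and host addresses are constructed, and the choice to send nothing when the target is on no known circuit is the model's assumption, which the guide does not spell out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ArpInterface:
    """One interface with several bound circuits (constructed model).
    hosts_by_circuit maps a circuit name to the IP addresses known on it,
    whether learned from the circuit or statically configured."""
    name: str
    secured_arp: bool = False
    hosts_by_circuit: Dict[str, Set[str]] = field(default_factory=dict)

    def circuit_of(self, ip: str) -> Optional[str]:
        """Circuit known to contain ip, or None if the host is unknown."""
        for circuit, hosts in self.hosts_by_circuit.items():
            if ip in hosts:
                return circuit
        return None

    def should_answer(self, ingress_circuit: str, sender_ip: str) -> bool:
        """Decide whether an ARP request received on ingress_circuit from sender_ip is answered."""
        if not self.secured_arp:
            return True  # standard ARP answers every request it receives
        # secured ARP: the sender must be known to live on the circuit the request came in on
        return self.circuit_of(sender_ip) == ingress_circuit

    def request_circuits(self, target_ip: str) -> List[str]:
        """Circuits on which an ARP request for target_ip is transmitted."""
        if not self.secured_arp:
            return sorted(self.hosts_by_circuit)  # standard ARP floods every bound circuit
        known = self.circuit_of(target_ip)
        return [known] if known else []  # assumption: unknown target, the request is not sent


def demo() -> Dict:
    """Constructed topology: three circuits bound to one secured-ARP interface."""
    secured = ArpInterface("sec-arp", secured_arp=True, hosts_by_circuit={
        "circuit-A": {"10.1.1.10"},
        "circuit-B": {"10.1.1.20", "10.1.1.21"},
        "circuit-C": set(),
    })
    standard = ArpInterface("intf-1", hosts_by_circuit=secured.hosts_by_circuit)
    return {
        # request from 10.1.1.10 on the circuit that actually holds it: answered
        "legit": secured.should_answer("circuit-A", "10.1.1.10"),
        # same sender address arriving on circuit-C: the circuit does not match, ignored
        "wrong_circuit": secured.should_answer("circuit-C", "10.1.1.10"),
        # request for a known host goes out only on its own circuit
        "request_known": secured.request_circuits("10.1.1.21"),
        # request for a host no circuit is known to contain
        "request_unknown": secured.request_circuits("10.1.1.99"),
        # the same request with standard ARP is flooded to every bound circuit
        "standard_flood": standard.request_circuits("10.1.1.21"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "wrong_circuit" case is the one worth alarming on in an access network: a request claiming an address that belongs to another circuit is either a misconfiguration or an attempt to impersonate that host, and the circuit mismatch is exactly what secured ARP refuses to reward with an answer.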
ip arp timeout
ip arp timeout seconds
{no | default}ip arp timeout
Purpose
Configures how long Address Resolution Protocol (ARP) entries remain in the ARP table before automatic
deletion (if configured).
Command Mode
interface configuration
Syntax Description
seconds Number of seconds after which an ARP entry is deleted from the ARP table.
The range of values is 0 to 4,294,967; the default value is 3,600.
Default
ARP entries remain in the table for 3,600 seconds (one hour).
Usage Guidelines
Use the ip arp timeout command to specify how long ARP entries remain in the ARP table.
If you do not use the ip arp delete-expired command (in interface configuration mode) to enable the
automatic deletion of expired dynamic ARP entries, expired entries are treated differently depending on the
value of the seconds argument in the ip arp timeout command. If the value of the seconds argument is
greater than 70, an expired entry is refreshed by sending a new ARP request; if no ARP reply is received in
response to the refresh request packet, the entry is removed from the cache. If the value of the seconds
argument is less than 70, expired entries are removed from the cache.
Use the no or default form of this command to restore the timeout setting to its default value of 3,600
seconds.
Examples
The following example sets the ARP timeout value for the toToronto interface at IP address,
10.30.2.1, to two hours (7200 seconds):
[local]Redback(config-ctx)#interface toToronto
[local]Redback(config-if)#ip address 10.30.2.1 255.255.255.0
[local]Redback(config-if)#ip arp timeout 7200
Related Commands
ip arp arpa
ip arp delete-expired
ip arp proxy-arp
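The incomplete-entry cap (ip arp maximum incomplete-entries) and the expiry rules shared by ip arp delete-expired and ip arp timeout interact in one table, so the following added Python model puts them together; it is example code written for this page, not SmartEdge OS code. The table layout, the sweep function and the sample addresses are constructed, the "host answers a refresh" set stands in for real ARP replies, and treating a timeout of exactly 70 seconds like the greater-than-70 case is the model's assumption, since the guide only describes the two sides of 70.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

INCOMPLETE, COMPLETE = "incomplete", "complete"
SAMPLE_MAC = "00:30:23:32:12:82"  # constructed


@dataclass
class ArpEntry:
    mac: Optional[str]
    state: str
    updated: float  # time (s) the entry was created or last refreshed


@dataclass
class ArpCache:
    """ARP table for one context with the three knobs the guide describes (constructed model)."""
    timeout: float = 3600.0               # ip arp timeout (default 3,600 s)
    delete_expired: bool = False          # ip arp delete-expired (default disabled)
    max_incomplete: int = 4_294_967_295   # ip arp maximum incomplete-entries (default)
    entries: Dict[str, ArpEntry] = field(default_factory=dict)

    def incomplete_count(self) -> int:
        return sum(1 for e in self.entries.values() if e.state == INCOMPLETE)

    def request(self, ip: str, now: float) -> bool:
        """Start resolving ip: add an incomplete entry and (conceptually) send an ARP request.
        Returns False when the incomplete-entry cap blocks a new entry."""
        if ip in self.entries:
            return True
        if self.incomplete_count() >= self.max_incomplete:
            return False
        self.entries[ip] = ArpEntry(None, INCOMPLETE, now)
        return True

    def reply(self, ip: str, mac: str, now: float) -> None:
        """An ARP reply completes the entry."""
        entry = self.entries.get(ip)
        if entry is not None:
            entry.mac, entry.state, entry.updated = mac, COMPLETE, now

    def sweep(self, now: float, answers_refresh: Set[str]) -> Dict[str, str]:
        """Age every entry once. answers_refresh lists the IPs whose host would answer a
        refresh ARP request (constructed stand-in for real replies). Returns action per IP."""
        actions: Dict[str, str] = {}
        for ip, entry in list(self.entries.items()):
            if now - entry.updated < self.timeout:
                actions[ip] = "kept"
            elif self.delete_expired or self.timeout < 70:
                # delete-expired enabled, or a short timeout: expired entries are removed outright
                del self.entries[ip]
                actions[ip] = "deleted"
            elif ip in answers_refresh:
                # timeout > 70 (assumed: >= 70) without delete-expired: refresh and keep on reply
                entry.updated = now
                actions[ip] = "refreshed"
            else:
                # refresh request unanswered: remove from the cache
                del self.entries[ip]
                actions[ip] = "deleted"
        return actions


def scenario_incomplete_cap():
    """Three unanswered resolutions against a cap of two."""
    cache = ArpCache(max_incomplete=2)
    admitted = [cache.request(f"10.0.0.{i}", now=0.0) for i in (1, 2, 3)]
    return admitted, cache.incomplete_count()


def _aged_cache(**settings) -> ArpCache:
    cache = ArpCache(**settings)
    cache.request("10.0.0.1", 0.0)
    cache.reply("10.0.0.1", SAMPLE_MAC, 0.0)
    return cache


def scenario_expiry() -> Dict[str, str]:
    host_up, host_down = {"10.0.0.1"}, set()
    return {
        "delete_expired_240s": _aged_cache(timeout=240, delete_expired=True).sweep(300.0, host_up)["10.0.0.1"],
        "default_host_answers": _aged_cache().sweep(4000.0, host_up)["10.0.0.1"],
        "default_host_silent": _aged_cache().sweep(4000.0, host_down)["10.0.0.1"],
        "short_timeout_60s": _aged_cache(timeout=60).sweep(100.0, host_up)["10.0.0.1"],
        "not_yet_expired": _aged_cache().sweep(100.0, host_down)["10.0.0.1"],
    }


if __name__ == "__main__":
    print(scenario_incomplete_cap())  # ([True, True, False], 2)
    print(scenario_expiry())
```

The cap scenario is the resource-exhaustion angle: every request for an address that never answers leaves an incomplete entry behind, and without a ceiling a burst of requests for unused addresses on subscriber circuits grows the table unchecked. The expiry scenarios show why the delete-expired and timeout settings must be read together: the same 3,600-second default keeps a live host's entry indefinitely through refreshes, but drops it once the host stops answering.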
ip subscriber arp
ip subscriber arp ip-addr mac-addr
no ip subscriber arp ip-addr
Purpose
Creates an entry in the Address Resolution Protocol (ARP) cache for a subscriber whose host cannot (or is
not configured to) respond to ARP requests.
Command Mode
subscriber configuration
Syntax Description
ip-addr IP address of the subscriber's host.
mac-addr Medium access control (MAC) address of the subscriber's host.
Default
None
Usage Guidelines
Use the ip subscriber arp command to create an entry in the ARP cache for a subscriber whose host cannot
(or is not configured to) respond to ARP requests.
Note This command is available only if you are configuring a named subscriber record and is only
relevant for circuits with RFC 1483 bridged encapsulation.
Note If you enter both the ip subscriber arp and the ip arp commands (in subscriber and context
configuration modes, respectively), and specify the same IP address and MAC address, the
most recently updated command takes precedence. Only the circuit and interface are updated
in the ARP table.
Use the no form of this command to remove the specified entry.
Examples
The following example configures an ARP cache entry for a host with IP address, 10.1.1.1, and
hardware address, d3:9f:23:46:77:13, for the NoGrokARPs subscriber. The entry is installed into the
ARP cache of the appropriate interface when the circuit is brought up:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name NoGrokARPs
[local]Redback(config-sub)#ip address 10.1.1.1
[local]Redback(config-sub)#ip subscriber arp 10.1.1.1 d3:9f:23:46:77:13
Related Commands
ip arp
Chapter 3
ND Configuration
The SmartEdge routers use the Neighbor Discovery (ND) protocol for IP Version 6 (IPv6) to determine
the link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values
that become invalid. This chapter describes the tasks and commands used to configure the ND protocol
through the SmartEdge OS.
For information about the tasks and commands used to monitor, troubleshoot, and administer the ND
protocol, see the ND Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The IPv6 ND protocol for the SmartEdge OS corresponds to a combination of the IPv4 Address Resolution
Protocol (ARP) and the Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP). The
ND protocol is described in RFC 2461, Neighbor Discovery for IP Version 6 (IPv6).
Note When IPv6 addresses are not referenced or explicitly specified, the term, IP address, can refer
generally to IP Version 4 (IPv4) addresses, IPv6 addresses, or IP addressing. In instances
where IPv6 addresses are referenced or explicitly specified, the term, IP address, refers only
to IPv4 addresses. For a description of IPv6 addressing and the types of IPv6 addresses, see
RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture.
The ND protocol provides many improvements over the IPv4 set of protocols, some of which are included
here:
Router Advertisement messages carry link-layer addresses; no additional packet exchange is needed to resolve the router's link-layer address.
Router Advertisement messages carry prefixes for a link; there is no need to have a separate mechanism to configure the netmask.
Router Advertisement messages enable address autoconfiguration.
Routers can advertise a maximum transmission unit (MTU) for use on the link, ensuring that all nodes use the same MTU value on links that lack a well-defined MTU.
Address resolution multicasts are spread over 4 billion (2^32) multicast addresses, greatly reducing address-resolution-related interrupts on nodes other than the target node. Moreover, non-IPv6 routers should not be interrupted at all.
Multiple prefixes can be associated with the same link. Routers can be configured to omit some or all prefixes from Router Advertisement messages. In such cases, hosts assume that destinations are off-link and send traffic to routers.
Neighbor Unreachability Detection is part of the base protocol, significantly improving the robustness of packet delivery in the presence of failing routers, partially failing or partitioned links, and nodes that change their link-layer addresses.
Unlike ARP, ND detects half-link failures (using Neighbor Unreachability Detection) and avoids sending traffic to neighbors with which two-way connectivity is absent.
Unlike in IPv4 Router Discovery, the Router Advertisement messages do not contain a preference field. The preference field is not needed to handle routers of different stability; Neighbor Unreachability Detection detects a dead router and switches to a working one.
Requiring the hop limit to be equal to 255 makes ND immune to off-link senders that accidentally or intentionally send ND messages, because a packet forwarded by any router arrives with a lower hop limit. In IPv4, off-link senders can send Router Advertisement messages.
Placing address resolution at the ICMP layer makes the ND protocol more media-independent than ARP and makes it possible to use standard IP authentication and security mechanisms as appropriate.
Configuration Tasks
To configure an ND router, perform the tasks described in Table 3-1; enter all commands in ND router
configuration mode, unless otherwise noted. For more information about the context, interface, and ipv6
address commands (in global, context, and interface configuration modes, respectively), see the Context
Configuration and Interface Configuration chapters in the Basic System Configuration Guide for the
SmartEdge OS.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure an interface for an ND router, perform the tasks described in Table 3-2; enter all commands
in ND router interface configuration mode, unless otherwise noted.
Table 3-1 Configure an ND Router
# | Task | Root Command | Notes
1. | Create or select the context for the ND router. | context | Enter this command in global configuration mode.
2. | Create the interface for the ND router. | interface | Enter this command in context configuration mode.
3. | Specify an IPv6 address for the interface. | ipv6 address | Enter this command in interface configuration mode.
4. | Create the ND router and access ND router configuration mode. | router nd | Enter this command in context configuration mode.
5. | Optional. Configure global settings for the ND router using one or more of the following tasks, in any order: | |
   | Specify the value for the Retrans Timer field. | ns-retry-interval |
   | Specify the value for the Preferred Lifetime field. | preferred-lifetime |
   | Configure RA messages. | ra | You can enter this command multiple times to configure different parameters.
   | Specify the value for the Reachable Time field. | reachable-time |
   | Specify the value for the Valid Lifetime field. | valid-lifetime |
Table 3-2 Configure an ND Router Interface
# | Task | Root Command | Notes
1. | Select the context for the ND router. | context | Enter this command in global configuration mode.
2. | Select the ND router and access ND router configuration mode. | router nd | Enter this command in context configuration mode.
3. | Select an existing interface and access ND router interface configuration mode. | interface | Enter this command in ND router configuration mode.
4. | Optional. Configure the settings for this interface using one or more of the following tasks, in any order: | | Unspecified settings default to the ND router global settings.
   | Specify the value for the Retrans Timer field. | ns-retry-interval |
   | Specify the value for the Preferred Lifetime field. | preferred-lifetime |
   | Configure RA messages. | ra | You can enter this command multiple times to configure different parameters.
   | Specify the value for the Reachable Time field. | reachable-time |
   | Specify the value for the Valid Lifetime field. | valid-lifetime |
5. | Specify a static neighbor for this interface. | neighbor | You can enter this command multiple times.
6. | Configure a prefix to be advertised for this interface. | prefix | You can enter this command multiple times.
Configuration Examples
The following example configures an ND router in the local context and the int1 interface for the ND
router:
! Create or select the context
[local]Redback(config)#context local
! Create the interface with an IPv6 address
[local]Redback(config-ctx)#interface int1
[local]Redback(config-if)#ipv6 address 2005::1/64
[local]Redback(config-if)#exit
! Create the ND router; specify global parameters for all ND interfaces in this context
! The global settings override the default settings
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ns-retry-interval 100
[local]Redback(config-nd)#preferred-lifetime 43200
[local]Redback(config-nd)#ra interval 60
[local]Redback(config-nd)#ra lifetime 360
[local]Redback(config-nd)#reachable-time 1800
[local]Redback(config-nd)#valid-lifetime 43200
! Select an interface
[local]Redback(config-nd)#interface int1
! Specify interface-specific parameters; the interface settings override the global settings
[local]Redback(config-nd-if)#ns-retry-interval 20
[local]Redback(config-nd-if)#preferred-lifetime 2880
[local]Redback(config-nd-if)#ra suppress
[local]Redback(config-nd-if)#valid-lifetime 2880
! Specify one or more static neighbors for this interface
[local]Redback(config-nd-if)#neighbor 2006::1/64 00:30:88:00:0a:30
! Specify one or more prefixes and their parameters; the prefix settings override the interface settings
[local]Redback(config-nd-if)#prefix 2006::1/64 no-autoconfig no-onlink preferred-lifetime 360 valid-lifetime 360
[local]Redback(config-nd-if)#prefix 2007::/112
[local]Redback(config-nd-if)#
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure the ND
protocol. The commands are presented in alphabetical order:
interface
neighbor
ns-retry-interval
preferred-lifetime
prefix
ra
reachable-time
router nd
valid-lifetime
interface
interface if-name [disable-on-address-collision]
no interface if-name
Purpose
Selects the interface to be configured for the Neighbor Discovery (ND) protocol and accesses ND router
interface configuration mode.
Command Mode
ND router configuration
Syntax Description
if-name Name of the ND router interface.
disable-on-address-collision Optional. Shuts down the interface if an IP address collision occurs.
The default is not to shut down the interface.
Default
None
Usage Guidelines
Use the interface command to select the interface to be configured for the ND router protocol and access
ND router interface configuration mode.
You must have already created the interface with the interface command (in context configuration mode).
You must also have assigned an IPv6 address to it with the ipv6 address command (in interface
configuration mode). Both commands are described in the Interface Configuration chapter in the Basic
System Configuration Guide for the SmartEdge OS.
The interface inherits the default ND parameters and any global ND parameters that you have configured
for the ND router. To configure an ND parameter specific to this interface, enter the appropriate command
in ND router interface configuration mode.
Use the disable-on-address-collision keyword to shut down the interface if an IP address collision occurs.
The system brings up the interface after the collision is no longer detected.
Use the no form of this command to delete the ND router configuration for the specified interface.
Examples
The following example selects the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#
Related Commands
neighbor
preferred-lifetime
prefix
ra
reachable-time
router nd
valid-lifetime
neighbor
neighbor ipv6-addr mac-addr
no neighbor ipv6-addr mac-addr
Purpose
Specifies a static neighbor for this Neighbor Discovery (ND) router interface.
Command Mode
ND router interface configuration
Syntax Description
ipv6-addr IPv6 address for this neighbor in the format A:B:C:D:E:F:G:H.
mac-addr Medium access control (MAC) address for this neighbor.
Default
No static neighbors are specified for any interface.
Usage Guidelines
Use the neighbor command to specify a static neighbor for this ND router interface. Enter this command
multiple times to configure more than one neighbor.
Use the no form of this command to delete the neighbor from the configuration for this ND router interface.
Examples
The following example specifies a neighbor with IPv6 address, 2006::1/112, and MAC address,
00:30:88:00:0a:30, for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#neighbor 2006::1/112 00:30:88:00:0a:30
Related Commands
prefix
ra
reachable-time
ns-retry-interval
ns-retry-interval retrans-timer
{no | default} ns-retry-interval
Purpose
Specifies the value for the Retrans Timer field.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
retrans-timer Value for the Retrans Timer field (in milliseconds). The range of values is
0 to 4,294,967,295; the default value is 0.
Default
The Retrans Timer field is 0 (unspecified).
Usage Guidelines
Use the ns-retry-interval command to specify the value for the Retrans Timer field. In ND router
configuration mode, this command specifies the global value for all interfaces; in ND router interface
configuration mode, it specifies the value for this Neighbor Discovery (ND) router interface. If specified,
the setting for the interface overrides the global setting.
Use the no or default form of this command to specify the default value for the Retrans Timer field.
Examples
The following example specifies 100 milliseconds for the Retrans Timer field for the ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ns-retry-interval 100
The following example specifies 20 milliseconds for the Retrans Timer field for the ND router interface,
int1, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#ns-retry-interval 20
Related Commands
None
preferred-lifetime
preferred-lifetime preferred-lifetime
{no | default} preferred-lifetime
Purpose
Specifies the value for the Preferred Lifetime field.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
preferred-lifetime Value for the Preferred Lifetime field (in seconds). The range of values is 0 to
4,294,967,295; the default value is 604,800 seconds (7 days).
Default
The preferred lifetime is seven days.
Usage Guidelines
Use the preferred-lifetime command to specify the value for the Preferred Lifetime field. In ND router
configuration mode, this command specifies the global value for all interfaces; in ND router interface
configuration mode, it specifies the value for this Neighbor Discovery (ND) router interface. If specified,
the setting for the interface overrides the global setting.
Use the no or default form of this command to specify the default value.
Examples
The following example specifies a preferred lifetime of 43200 seconds (12 hours) for all interfaces for this
ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#preferred-lifetime 43200
The following example specifies a preferred lifetime of 2880 seconds (48 minutes) for the int1 ND router
interface, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#preferred-lifetime 2880
Related Commands
prefix
valid-lifetime
prefix
prefix ipv6-prefix/length [no-autoconfig] [no-onlink] [preferred-lifetime preferred-lifetime]
[valid-lifetime valid-lifetime]
{no | default} prefix ipv6-prefix/length
Purpose
Configures a prefix to be advertised for this Neighbor Discovery (ND) router interface.
Command Mode
ND router interface configuration
Syntax Description
ipv6-prefix   Prefix for the IPv6 address for this ND router interface in the format A:B:C:D:E:F:G:H.
length   Number of prefix bits. The range of values is 0 to 128.
no-autoconfig   Optional. Sets the autonomous address configuration flag to not use this prefix for automatic configuration; this is the default.
no-onlink   Optional. Sets the on-link flag to not use this prefix for on-link determination; this is the default.
preferred-lifetime preferred-lifetime   Optional. Preferred lifetime for this prefix (in seconds). The range of values is 0 to 4,294,967,295; the default value is 604,800 seconds (7 days).
valid-lifetime valid-lifetime   Optional. Valid lifetime for this prefix (in seconds). The range of values is 0 to 4,294,967,295; the default value is 2,592,000 seconds (30 days).
Default
No prefix is configured for any ND router interface.
Usage Guidelines
Use the prefix command to configure a prefix to be advertised for this ND router interface. Enter this command multiple times to configure more than one prefix.
Use the optional keywords and constructs to define the fields in the Prefix Information option for this prefix:
no-autoconfig: Sets the autonomous address configuration (A) flag in the Prefix Information option to FALSE.
no-onlink: Sets the on-link (L) flag to FALSE.
preferred-lifetime: Specifies the value for the Preferred Lifetime field.
valid-lifetime: Specifies the value for the Valid Lifetime field.
The values for the preferred-lifetime preferred-lifetime and valid-lifetime valid-lifetime constructs override the values for the interface that you specified with the preferred-lifetime and valid-lifetime commands (in ND router interface configuration mode).
Keep the preferred lifetime no longer than the valid lifetime; RFC 4861 requires this, and hosts stop using an address for new connections when its preferred lifetime expires and discard it when its valid lifetime expires.
Use the no or default form of this command to delete the specified prefix from this interface configuration.
Examples
The following example configures the 5555:bbbb::22/64 prefix for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#prefix 5555:bbbb::22/64 no-autoconfig no-onlink preferred-lifetime 360 valid-lifetime 360
Related Commands
preferred-lifetime
ra
valid-lifetime
ra
When entered in ND router configuration mode, the syntax is:
ra {interval ra-interval | lifetime ra-lifetime | managed-config | other-config | suppress}
{no | default} ra {interval | lifetime | managed-config | other-config | suppress}
When entered in ND router interface configuration mode, the syntax is:
ra {enable | interval ra-interval | lifetime ra-lifetime | managed-config | other-config | suppress}
{no | default} ra {enable | interval | lifetime | managed-config | other-config | suppress}
Purpose
Configures options and settings for router advertisement (RA) messages.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
enable   Enables the sending of RA messages for this Neighbor Discovery (ND) router interface. This keyword is not available in ND router configuration mode.
interval ra-interval   Optional. Interval between RA transmissions (in seconds). The range of values is 5 to 600; the default value is 200 seconds.
lifetime ra-lifetime   Optional. Value of the Router Lifetime field in RA messages (in seconds), which is how long hosts keep this router as a default router after the last advertisement. The range of values is 30 to 36,000; the default value is 1,800 seconds.
managed-config   Optional. Sets the managed-address configuration (M) flag in RA messages to TRUE; the default value is not set (FALSE).
other-config   Optional. Sets the other-stateful configuration (O) flag in RA messages to TRUE; the default value is not set (FALSE).
suppress   Optional. Specifies that RA messages be suppressed; the default value is not suppressed.
Default
RA messages are not configured for any ND router or ND router interface.
Usage Guidelines
Use the ra command to configure options and settings for RA messages. In ND router configuration mode, this command configures RA for all interfaces; in ND router interface mode, it configures RA for this ND router interface. If specified, the interface parameters override the global parameters. Enter this command multiple times to configure more than one parameter.
Use the no or default form of this command to remove RA messages from the configuration for this ND router or ND router interface.
Examples
The following example configures RA for this ND router with a transmission interval of 60 seconds and a router lifetime of six minutes (360 seconds):
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ra interval 60
[local]Redback(config-nd)#ra lifetime 360
The following example suppresses RA for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#ra suppress
Related Commands
prefix
reachable-time
reachable-time
reachable-time duration
{no | default} reachable-time
Purpose
Specifies the value for the Reachable Time field in Router Advertisement (RA) messages.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
duration   Value for the Reachable Time field (in milliseconds). The range of values is 0 to 3,600,000; the default value is 0 (unspecified).
Default
The duration is unspecified in any RA messages.
Usage Guidelines
Use the reachable-time command to specify the value for the Reachable Time field in RA messages. This value is the time, after a reachability confirmation, that this Neighbor Discovery (ND) router or ND router interface, and the hosts that accept its advertisements, assume a neighbor remains reachable; a value of 0 means this router leaves the choice to the hosts. In ND router configuration mode, this command specifies the global value for all interfaces; in ND router interface mode, it specifies the value for this ND router interface. If specified, the parameters for an interface override the global parameters.
Use the no or default form of this command to specify the default duration.
Examples
The following example specifies a reachable time of 1800 milliseconds for all interfaces for the ND router (entered in ND router configuration mode):
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#reachable-time 1800
The following example specifies a reachable time of 3600 milliseconds for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#reachable-time 3600
Related Commands
neighbor
ra
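The fields that the ra and reachable-time commands set (the M and O flags, the Router Lifetime, and the Reachable Time field) all live in the 16-byte ICMPv6 Router Advertisement header. As an added example, not taken from this guide or from Redback, the following Python encodes that header with a correct ICMPv6 checksum, decodes it with the receiver checks a host applies (RFC 4861 section 6.1.2), and compares a received RA with the segment's intended ND policy the way a rogue-RA monitor would. The addresses, the router allow-list and the function names are assumptions made for the example; the IPv6 hop-limit-255 check needs the IP header and is outside this block.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
IPPROTO_ICMPV6 = 58
FLAG_MANAGED = 0x80           # M flag, set by "ra managed-config"
FLAG_OTHER = 0x40             # O flag, set by "ra other-config"
MAX_REACHABLE_MS = 3_600_000  # RFC 4861 6.2.1 upper bound; same as the reachable-time range above
ALL_NODES = "ff02::1"         # RAs are normally sent to the all-nodes multicast group


def icmpv6_checksum(src, dst, payload):
    """RFC 8200 upper-layer checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(payload), IPPROTO_ICMPV6))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries (ones' complement addition)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, router_lifetime, reachable_ms, retrans_ms=0, hop_limit=64,
             managed=False, other=False, options=b"", dst=ALL_NODES):
    """Encode the RA header (RFC 4861 4.2) with a valid checksum; options follow the header."""
    if not 0 <= router_lifetime <= 0xFFFF:
        raise ValueError("router lifetime is a 16-bit number of seconds")
    if not 0 <= reachable_ms <= MAX_REACHABLE_MS:
        raise ValueError("reachable time must be 0..3,600,000 ms")
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    body = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, hop_limit, flags,
                       router_lifetime, reachable_ms, retrans_ms) + options
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_ra(src, dst, pkt):
    """Decode an RA and apply the receiver validity checks from RFC 4861 6.1.2."""
    if len(pkt) < 16:
        raise ValueError("RA shorter than its 16-byte header")
    msg_type, code, _csum, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    if icmpv6_checksum(src, dst, pkt) != 0:  # a valid packet sums to zero with its checksum included
        raise ValueError("bad ICMPv6 checksum")
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RA source must be a link-local address; discard")
    return {"hop_limit": hop_limit, "managed": bool(flags & FLAG_MANAGED),
            "other": bool(flags & FLAG_OTHER), "router_lifetime": lifetime,
            "reachable_ms": reachable, "retrans_ms": retrans, "options": pkt[16:]}


def rogue_ra_findings(src, ra, allowed_routers, expect_managed=False):
    """Compare a received RA with the segment's ND policy (what a monitor or IDS rule would flag)."""
    findings = []
    if src not in allowed_routers:
        findings.append("RA from unexpected router %s" % src)
    if ra["managed"] != expect_managed:
        findings.append("M flag differs from policy: hosts would take addresses from a different source")
    if ra["router_lifetime"] == 0 and src in allowed_routers:
        findings.append("known router advertises lifetime 0 (withdrawing itself as default router)")
    return findings
```

A received RA that fails parse_ra is silently discarded by hosts; one that passes but produces findings is the interesting case for a monitor, because a forged RA with the M flag flipped or a lifetime of 0 changes where every host on the link sends its traffic.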
router nd
router nd
no router nd
Purpose
Creates or selects a Neighbor Discovery (ND) router and accesses ND router configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
No ND router is created.
Usage Guidelines
Use the router nd command to create or select an ND router and access ND router configuration mode.
You can create a single ND router in each context.
Use the no form of this command to remove the ND router from the configuration; the no form also
removes the ND-specific configuration from any interfaces in this context.
Examples
The following example creates an ND router in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
Related Commands
interface
valid-lifetime
valid-lifetime lifetime
{no | default} valid-lifetime
Purpose
Specifies the value for the Valid Lifetime field in the Prefix Information option.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
lifetime   Value for the Valid Lifetime field (in seconds). The range of values is 0 to 4,294,967,295; the default value is 2,592,000 seconds (30 days).
Default
The valid lifetime is 30 days.
Usage Guidelines
Use the valid-lifetime command to specify the value for the Valid Lifetime field in the Prefix Information option. In ND router configuration mode, this command specifies the global value for all interfaces; in ND router interface mode, it specifies the value for this ND router interface. If specified, the setting for the interface overrides the global setting.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies a valid lifetime of 43200 seconds (12 hours) for all interfaces for this ND router (entered in ND router configuration mode):
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#valid-lifetime 43200
The following example specifies a valid lifetime of 2880 seconds (48 minutes) for the int1 ND router interface, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#valid-lifetime 2880
Related Commands
preferred-lifetime
prefix
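The prefix, preferred-lifetime and valid-lifetime commands all populate one Prefix Information option (RFC 4861 section 4.6.2) inside the RA. As an added example, not part of this guide or of SmartEdge OS, the following Python encodes and decodes that option with the L and A flags that no-onlink and no-autoconfig clear, enforces the rule that the preferred lifetime may not exceed the valid lifetime, and shows the host-side rule from RFC 4862 section 5.5.3 that limits how far an unauthenticated RA can shorten an address's remaining valid lifetime. The prefix values, the lifetime numbers and the function names are constructed for the example.

```python
import ipaddress
import struct

PIO_TYPE = 3
PIO_LEN_UNITS = 4            # option length is counted in 8-octet units: 4 * 8 = 32 bytes
FLAG_ONLINK = 0x80           # L flag; cleared by "no-onlink"
FLAG_AUTONOMOUS = 0x40       # A flag; cleared by "no-autoconfig"
INFINITE = 0xFFFFFFFF        # an all-ones lifetime means infinity
TWO_HOURS = 2 * 60 * 60


def build_pio(prefix, valid_lifetime, preferred_lifetime, onlink=True, autonomous=True):
    """Encode one Prefix Information option as a router would advertise it."""
    net = ipaddress.IPv6Network(prefix, strict=False)   # host bits such as ::22 are masked off
    for name, value in (("valid", valid_lifetime), ("preferred", preferred_lifetime)):
        if not 0 <= value <= INFINITE:
            raise ValueError("%s lifetime must be an unsigned 32-bit number of seconds" % name)
    if preferred_lifetime > valid_lifetime:
        # RFC 4861 4.6.2: the Preferred Lifetime MUST NOT exceed the Valid Lifetime
        raise ValueError("preferred lifetime exceeds valid lifetime")
    flags = (FLAG_ONLINK if onlink else 0) | (FLAG_AUTONOMOUS if autonomous else 0)
    return struct.pack("!BBBBIII16s", PIO_TYPE, PIO_LEN_UNITS, net.prefixlen, flags,
                       valid_lifetime, preferred_lifetime, 0, net.network_address.packed)


def parse_pio(data):
    """Decode a Prefix Information option, rejecting malformed type, length and prefix-length fields."""
    if len(data) != PIO_LEN_UNITS * 8:
        raise ValueError("Prefix Information option must be exactly 32 bytes")
    opt_type, length, plen, flags, valid, preferred, _reserved, raw = struct.unpack("!BBBBIII16s", data)
    if opt_type != PIO_TYPE or length != PIO_LEN_UNITS or plen > 128:
        raise ValueError("not a well-formed Prefix Information option")
    return {
        "prefix": "%s/%d" % (ipaddress.IPv6Address(raw), plen),
        "onlink": bool(flags & FLAG_ONLINK),
        "autonomous": bool(flags & FLAG_AUTONOMOUS),
        "valid_lifetime": valid,
        "preferred_lifetime": preferred,
    }


def accept_valid_lifetime(remaining, advertised, authenticated=False):
    """Host-side rule from RFC 4862 5.5.3 (e): an unauthenticated RA cannot cut an address's
    remaining valid lifetime below two hours in one step, which bounds the damage a forged RA
    does by advertising a tiny valid lifetime. Returns the lifetime the host actually applies."""
    if advertised > TWO_HOURS or advertised > remaining:
        return advertised
    if remaining <= TWO_HOURS:
        return advertised if authenticated else remaining
    return TWO_HOURS
```

The 360/360 lifetimes in the prefix example above are a valid combination; swapping them (preferred 3600, valid 360) is what build_pio rejects. Note that hosts apply the two-hour rule only to the valid lifetime; a forged RA can still set the preferred lifetime to 0 and deprecate addresses immediately, which is one reason to pair RAs on untrusted segments with RA filtering at the access layer.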
C h a p t e r 4
NTP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Network Time Protocol (NTP) features.
For information about the tasks and commands used to monitor, troubleshoot, and administer NTP features, see the NTP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
NTP exchanges timekeeping information between servers and clients via the Internet to synchronize
clocks. NTP makes estimates based on several variables, including network delay, dispersion of packet
exchanges, and clock offset. Extremely reliable sources, such as radio clocks and Global Positioning
System (GPS) satellite timing receivers, act as primary servers. Company or campus servers can act as
secondary time servers. To reduce overhead, secondary servers distribute time to attached local hosts.
The SmartEdge OS supports NTP as described in RFC 1305, Network Time Protocol. Although the default
version is Version 3, the SmartEdge OS also supports versions 1 and 2. On a SmartEdge router, NTP
operates in client mode only. The SmartEdge router can be synchronized by a remote NTP server, but the
remote server cannot be synchronized by the SmartEdge router.
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section.
To configure NTP, perform the tasks described in the following sections:
Configure the NTP Server IP Address
Configure NTP Peer Associations (Optional)
Configure Slowsync (Optional)
Configure the NTP Server IP Address
To configure the NTP server IP address, perform the task described in Table 4-1.
Table 4-1 Configure the NTP Server IP Address
Task | Root Command | Notes
Configure the SmartEdge router to synchronize to a remote NTP server. | ntp server | Enter this command in global configuration mode.
Configure NTP Peer Associations (Optional)
To configure NTP peer associations, perform the task described in Table 4-2.
Table 4-2 Configure NTP Peer Associations
Task | Root Command | Notes
Configure the peer association for symmetric synchronization of the SmartEdge router time and remote NTP peer time. | ntp peer | Enter this command in global configuration mode.
Configure Slowsync (Optional)
To configure the SmartEdge router to slowly adjust its local clock rate to compensate for differences with a remote NTP clock source, perform the tasks described in Table 4-3.
Table 4-3 Configure Slowsync
# | Task | Root Command | Notes
1. | Access NTP configuration mode. | ntp mode | Enter this command in global configuration mode.
2. | Configure slowsync. | slowsync | Enter this command in NTP configuration mode.
Configuration Examples
The following example configures the NTP client on the SmartEdge router to synchronize with a remote NTP server at IP address 10.1.1.1:
[local]Redback(config)#ntp server 10.1.1.1
The following commands configure the NTP client on the SmartEdge router to use multiple remote NTP servers as synchronization sources. In this case, the preferred server is at IP address 20.1.1.1. Symmetric synchronization is also enabled, using the NTP peer with IP address 155.53.32.75:
[local]Redback#config
[local]Redback(config)#ntp server 10.1.1.1
[local]Redback(config)#ntp server 20.1.1.1 prefer
[local]Redback(config)#ntp peer 155.53.32.75
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure NTP. The
commands are presented in alphabetical order:
ntp mode
ntp peer
ntp server
slowsync
ntp mode
ntp mode
Purpose
Enters NTP configuration mode.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
None
Usage Guidelines
Use the ntp mode command to enter NTP configuration mode.
Examples
The following example changes the mode from global configuration to NTP configuration:
[local]Redback(config)#ntp mode
[local]Redback(config-ntp)#
Related Commands
slowsync
ntp peer
ntp peer ip-addr [context ctx-name] [prefer] [source if-name] [version ver-num]
no ntp peer [ip-addr]
Purpose
Configures peer association for symmetric synchronization of the SmartEdge router time and remote
Network Time Protocol (NTP) peer time.
Command Mode
global configuration
Syntax Description
ip-addr   IP address of the remote NTP peer. Optional when used with the no form of this command.
context ctx-name   Optional. Context in which the destination address is reachable. This construct is used when the NTP peer must be reached through a context other than local.
prefer   Optional. Marks the NTP peer as the preferred peer when multiple NTP peers are configured.
source if-name   Optional. SmartEdge interface that is to be used for NTP traffic.
version ver-num   Optional. NTP version. Version options are 1, 2, and 3; the default value is 3.
Default
The context for the NTP peer is the local context. The NTP version is Version 3.
Usage Guidelines
Use the ntp peer command to configure a peer association for symmetric synchronization of the SmartEdge router time and remote NTP peer time.
Use the no form of this command to remove the peer association from the SmartEdge router configuration; it does not change anything on the remote peer.
Caution Risk of data loss. If you use the no form without specifying the IP address of a specific peer, all existing NTP peer associations are removed. To reduce the risk of losing NTP peer associations, always specify the IP address when using the no form.
Examples
The following example configures the SmartEdge router to symmetrically synchronize with the remote NTP peer at IP address 155.53.32.75. The peer is also marked as the preferred peer:
[local]Redback(config)#ntp peer 155.53.32.75 prefer
Related Commands
ntp server
slowsync
ntp server
ntp server ip-addr [context ctx-name] [prefer] [source if-name] [version ver-num]
no ntp server [ip-addr]
Purpose
Configures the SmartEdge router to synchronize to a remote Network Time Protocol (NTP) server.
Command Mode
global configuration
Syntax Description
ip-addr   IP address of the remote NTP server. Optional when used with the no form of this command.
context ctx-name   Optional. Context in which the destination address is reachable. This construct is used when the NTP server must be reached through a context other than local.
prefer   Optional. Marks the NTP server as the preferred server when multiple NTP servers are configured.
source if-name   Optional. SmartEdge interface that is to be used for NTP traffic.
version ver-num   Optional. NTP version. Version options are 1, 2, and 3; the default value is 3.
Default
NTP is disabled.
Usage Guidelines
Use the ntp server command to start the NTP daemon and configure the SmartEdge router to synchronize to a remote NTP server.
Use the no form of this command to remove a server association and disable NTP services on the SmartEdge router. If you use the no form without specifying the IP address of a specific server, all existing NTP server associations are removed.
Note A remote NTP client cannot synchronize with the SmartEdge router.
Examples
The following example configures the NTP client to synchronize with a remote NTP server at IP address 155.53.12.12, and makes it the preferred server:
[local]Redback(config)#ntp server 155.53.12.12 prefer
Related Commands
ntp peer
slowsync
slowsync
slowsync
{no | default} slowsync
Purpose
Configures the SmartEdge router to slowly adjust its local clock rate to compensate for differences with a
remote Network Time Protocol (NTP) clock source.
Command Mode
NTP configuration
Syntax Description
This command has no keywords or arguments.
Default
Gradual adjustment of the local clock rate is disabled.
Usage Guidelines
Use the slowsync command to configure the SmartEdge router to slowly adjust its local clock rate to
compensate for differences with a remote NTP clock source.
This command changes the rate of the SmartEdge OS clock so that it gradually converges with the NTP server clock, provided the initial difference in time between the two clocks is less than 16 minutes. If the time difference is more than 16 minutes, synchronization does not occur.
The NTP daemon adjusts the SmartEdge router clock within a few minutes if the difference between the SmartEdge router clock and the remote NTP server is greater than 5 seconds (and less than 16 minutes). This adjustment occurs within the first five minutes after the NTP daemon is started.
Use the no or default form of this command to disable gradual adjustment of the local clock rate.
Examples
The following example enables the gradual adjustment of the local clock rate:
[local]Redback(config-ntp)#slowsync
Related Commands
ntp peer
ntp server
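The client-mode exchange described in the Overview, and the 5-second and 16-minute thresholds that the slowsync description above gives, as an added example that is not part of this guide or of SmartEdge OS. The Python below builds the version 3 client request a router sends, constructs a sample server reply (labelled as constructed, not captured), validates the reply the way a careful client should before trusting it (mode, version, leap indicator, stratum, and the origin timestamp that ties a reply to our own request), computes offset and delay with the RFC 1305 formulas, and then maps the offset onto the behaviour the page describes. The timestamps, the reference identifier and the function names are assumptions made for the example.

```python
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
MODE_CLIENT, MODE_SERVER = 3, 4
LI_ALARM = 3                    # leap indicator 3: server clock not synchronized
ADJUST_THRESHOLD_S = 5          # page: offsets above 5 s are corrected within a few minutes
NO_SYNC_THRESHOLD_S = 16 * 60   # page: above 16 minutes, synchronization does not occur


def to_ntp(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(version=3, t1=None):
    """Client-mode request (what the SmartEdge router sends); returns (packet, T1)."""
    if version not in (1, 2, 3):
        raise ValueError("SmartEdge OS supports NTP versions 1, 2 and 3")
    t1 = time.time() if t1 is None else t1
    first = (0 << 6) | (version << 3) | MODE_CLIENT      # LI=0, VN, mode=3
    pkt = struct.pack("!BBbb3I4Q", first, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))
    return pkt, t1


def build_response(t1, t2, t3, stratum=2, version=3, li=0):
    """Constructed server reply (not captured from a real server) echoing T1 as the origin timestamp."""
    first = (li << 6) | (version << 3) | MODE_SERVER
    return struct.pack("!BBbb3I4Q", first, stratum, 6, -20, 0, 0, 0x47505300,   # refid "GPS"
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))


def parse_response(pkt, t1, t4, version=3):
    """Validate a reply against the request it answers and compute clock offset and delay
    (RFC 1305: offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2))."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    first, stratum, _poll, _prec, _rdelay, _rdisp, _refid, _ref, orig, recv, xmit = struct.unpack("!BBbb3I4Q", pkt[:48])
    li, vn, mode = first >> 6, (first >> 3) & 7, first & 7
    if mode != MODE_SERVER:
        raise ValueError("reply is not from a server (mode %d)" % mode)
    if vn != version:
        raise ValueError("version mismatch: asked for %d, got %d" % (version, vn))
    if li == LI_ALARM or stratum == 0:
        raise ValueError("server unsynchronized or kiss-o'-death: do not use this sample")
    if orig != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request: unsolicited or spoofed reply")
    t2, t3 = from_ntp(recv), from_ntp(xmit)
    return {"stratum": stratum, "offset": ((t2 - t1) + (t3 - t4)) / 2, "delay": (t4 - t1) - (t3 - t2)}


def plan_adjustment(offset):
    """What the page says happens with slowsync enabled, by offset magnitude."""
    magnitude = abs(offset)
    if magnitude > NO_SYNC_THRESHOLD_S:
        return "none"      # more than 16 minutes apart: synchronization does not occur
    if magnitude > ADJUST_THRESHOLD_S:
        return "adjust"    # 5 s to 16 min: corrected within the first few minutes
    return "slew"          # smaller offsets: the clock rate is changed gradually
```

The origin-timestamp check is the one that matters operationally: without it any host that can reach the router's NTP port can hand it an arbitrary offset, and because offsets over 16 minutes are ignored the result of a large fake offset is not a wrong clock but a router that silently stops synchronizing.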
C h a p t e r 5
DHCP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Dynamic Host Configuration Protocol (DHCP) features.
For information about the commands used to monitor, troubleshoot, and administer DHCP features, see the DHCP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
DHCP dynamically configures IP address information for subscriber hosts. The SmartEdge OS provides
three types of DHCP support:
DHCP relay server
The SmartEdge router acts as an intermediary between an external DHCP server and the subscriber
(client). The router forwards requests from the subscriber to the DHCP server and relays the servers
responses back to the subscriber.
DHCP proxy server
The SmartEdge router provides responses directly to subscriber requests. Each subscriber sees the
router as the DHCP server, and as such, sends all DHCP negotiations, including IP address release and
renewal, to the router, which then relays the information to the external DHCP server. The proxy feature
enables the router to maintain IP address lease timers.
DHCP internal
The SmartEdge router provides the functions of the DHCP server; no communications are sent to an
external DHCP server.
DHCP is described in the following RFCs:
RFC 2131, Dynamic Host Configuration Protocol
RFC 2132, DHCP Options and BOOTP Vendor Extensions
RFC 3004, The User Class Option for DHCP
For more information about RADIUS, see Chapter 21, RADIUS Configuration. For information about Redback VSAs, see Chapter A, RADIUS Attributes.
The DHCP features are described in the following sections:
ARP and DHCP
CLIPS and DHCP
RADIUS and DHCP
ARP and DHCP
For every valid DHCP response received from or transmitted to a subscriber, an entry is created in the
Address Resolution Protocol (ARP) table. The entry includes the IP address that is assigned to the
requesting medium access control (MAC) address and the incoming circuit on which the DHCP request is
received. All entries are secured ARP entries. Because entries are cached in the ARP table, the SmartEdge
router can route downstream packets to the correct outgoing interface. For more information about ARP,
see Chapter 2, ARP Configuration.
CLIPS and DHCP
Clientless IP service selection (CLIPS) exclusion allows you to configure DHCP sessions on ports and PVCs that you have also configured for dynamic CLIPS sessions. With CLIPS exclusion, you can specify which sessions are DHCP hosts; all other sessions are dynamic CLIPS sessions. CLIPS exclusion applies only to the DHCP proxy and internal servers. For more information about configuring CLIPS exclusion, see the CLIPS Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
The SmartEdge router supports residential gateways (RGs) with DHCP relay capability to be used as
dynamic CLIPS clients. These RGs can then function as DHCP relay agents for the home network devices
connected to the RG. (An RG connects network-enabled devices on a home network to the Internet.)
Without this function, you must configure each RG by manually assigning it an IP address enabling it to be
used as a DHCP relay agent.
The following must occur before the SmartEdge router can support RGs with DHCP relay capability to be
used as dynamic CLIPS clients:
1. You must configure the RG as a DHCP client.
2. After the RG is assigned an IP address from a DHCP server, the RG must then operate as a DHCP relay
agent.
After the CLIPS session of an RG is established, the home network devices can establish their own CLIPS
sessions using the DHCP relay agent. The CLIPS sessions for the home network devices are independent
of the CLIPS session for the RG.
Note DHCP, in all modes, maintains host entries only for multibind interfaces.
To configure the SmartEdge router to support an RG as a dynamic CLIPS client, configure dynamic CLIPS circuits on the SmartEdge router. For instructions on how to configure dynamic CLIPS circuits on the SmartEdge router, follow the steps in the Configuring Dynamic CLIPS Circuits section in the CLIPS Configuration chapter of the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Note In this configuration, the DHCP server assigns the IP addresses to the RG and the home network devices on the same subnet.
The SmartEdge router supports DHCP discovery with duplicate MAC addresses for CLIPS subscribers. This enables different CLIPS subscribers to use the same MAC address, if the DHCP discover packet contains a unique GIADDR address. In general, DHCP determines the uniqueness of a subscriber based on both the MAC and GIADDR addresses instead of just the MAC address.
RADIUS and DHCP
When Remote Authentication Dial-In User Service (RADIUS) authentication is enabled, the SmartEdge router sends an accounting record to a RADIUS server each time an IP address is assigned or released.
If the SmartEdge router is acting as a DHCP proxy or internal server for CLIPS subscribers, the vendor class identifier that is received in the DHCP discover packet for the CLIPS session is sent in the RADIUS Access-Request and Accounting-Request packets to the RADIUS server, using Redback vendor-specific attribute (VSA) 125.
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section.
To configure DHCP features, perform the tasks described in the following sections:
Configure an Internal DHCP Server
Configure an External DHCP Server
Configure a Context for an External DHCP Server
Configure an Interface for an External DHCP Server
Configure Subscriber Hosts for DHCP Address Functions
Configure a Traffic Card to Prevent DoS Attacks
Configure an Internal DHCP Server
To configure the SmartEdge OS to act as an internal DHCP server, perform the tasks described in Table 5-1.
Table 5-1 Configure an Internal DHCP Server
# | Task | Root Command | Notes
1. | Create or select the context for the DHCP internal server and access context configuration mode. | context | Enter this command in global configuration mode. This command is documented in the Context Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
2. | Create or select the interface for the DHCP internal server and access interface configuration mode. | interface | Enter this command in context configuration mode. Specify the multibind keyword. This command is documented in the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
3. | Assign one or more IP addresses to this interface. | ip address | Enter this command in interface configuration mode. This command is documented in the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
4. | Enable this interface for internal DHCP server support and assign an IP address for its support. | dhcp server | Enter this command in interface configuration mode.
5. | Enable internal DHCP server functions in this context and access DHCP server configuration mode. | dhcp server policy | Enter this command in context configuration mode.
6. | Specify global settings for the DHCP server and all its subnets, using one or more of the following tasks: | | Enter these commands in DHCP server configuration mode.
   | Specify the default lease time. | default-lease-time |
   | Specify the maximum lease time. | max-lease-time |
   | Specify the offer lease time. | offer-lease-time |
   | Enable the monitoring and reporting of available DHCP leases at the context level for minimum and maximum threshold values. | threshold |
   | Enable DHCP clients with the same MAC address to be assigned IP addresses on different circuits. | allow-duplicate-mac |
   | Specify one or more DHCP options. | option | Enter this command multiple times to specify as many options as you require.
   | Specify the filename of the boot loader image file. | bootp-filename |
   | Specify the IP address that the boot loader client uses to download the boot loader image file. | bootp-siaddr |
   | Create a static mapping between a subnet and the specified vendor class ID. | vendor-class |
7. | Create a subnet for the DHCP server and access DHCP subnet configuration mode. | subnet | Enter this command in DHCP server configuration mode.
8. | Optional. Configure this subnet, using one or more of the following tasks: | | Enter all commands in DHCP subnet configuration mode.
   | Assign a range of IP addresses to this subnet. | range |
   | Create a static mapping between a MAC address and an IP address in this subnet. | mac-address |
   | Create a static mapping between the agent circuit id subfield or the agent remote id subfield in the option 82 field and an IP address. | option-82 |
   | Specify the maximum number of IP addresses allowed for an agent circuit id. | option-82 |
   | Specify the default lease time for this subnet. | default-lease-time | These settings override the global settings for this subnet.
   | Specify the maximum lease time for this subnet. | max-lease-time |
   | Specify the offer lease time for this subnet. | offer-lease-time |
   | Specify one or more DHCP options for this subnet. | option | Enter this command multiple times to specify as many options as you require.
Configure an External DHCP Server
To configure an external DHCP relay or proxy server, perform the tasks described in Table 5-2; enter all commands in DHCP relay server configuration mode, unless otherwise noted.
Table 5-2 Configure an External DHCP Server
# | Task | Root Command | Notes
1. | Configure an external DHCP server, and enter DHCP relay server configuration mode. | dhcp relay server | Enter this command in context configuration mode. You can configure only one DHCP server IP address in a single context.
2. | Configure the maximum hop count allowed for DHCP requests. | max-hops |
3. | Configure the interval, in seconds, to wait before forwarding requests to the DHCP server. | min-wait |
4. | Assign the DHCP server to a DHCP server group. | server-group |
5. | Specify forwarding for DHCP messages, using one of the following tasks: | |
   | Forward packets to all other DHCP servers in the DHCP server group. | forward-all |
   | Forward DHCP discover packets to other configured servers in the DHCP server group. | broadcast-discover |
   | Forward packets to a standby DHCP server. | standby |
Configure a Context for an External DHCP Server
To configure a context for an external DHCP relay or proxy server, perform the tasks described in Table 5-3; enter all commands in context configuration mode.
Table 5-3 Configure a Context for an External DHCP Server
Task | Root Command | Notes
Specify the number of attempts and the interval to wait for each attempt when trying to reach an external DHCP server before it is marked unreachable. | dhcp relay server retries |
Disable the sending of a DHCPNAK message if the SmartEdge OS receives a DHCPREQUEST message for which it does not have an entry. | dhcp relay suppress-nak |
Optional. Add the DHCP relay information option to packets. | dhcp relay option | The DHCP relay information option (option 82) is described in RFC 3046, DHCP Relay Agent Information Option.
Configure an Interface for an External DHCP Server
To configure an interface for an external DHCP relay or proxy server, perform the tasks described in Table 5-4; enter all commands in interface configuration mode, unless otherwise noted.
Table 5-4 Configure an Interface for an External DHCP Server
# | Task | Root Command | Notes
1. | Enable the interface for an external DHCP server, using one of the following tasks: | | These commands are mutually exclusive. If you are configuring CLIPS, you must use the dhcp proxy command. The value for the max-dhcp-addrs argument used with these commands works in conjunction with the max-sub-addrs value specified in the dhcp max-addrs command (in subscriber configuration mode); see the Configure Subscriber Hosts for DHCP Address Functions section.
   | Enable the interface to relay DHCP messages to an external DHCP server, and access DHCP giaddr configuration mode. | dhcp relay |
   | Enable the interface to act as a proxy between subscribers and an external DHCP server, and access DHCP giaddr configuration mode. | dhcp proxy |
2. | Optional. Configure an IP source address. | ip source-address | The interface address that you specify with this command must be reachable by the external DHCP server. You must specify the dhcp-server keyword. For more information about this command, see the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
3. | Specify an IP address for the giaddr field for DHCP packets that match the specified vendor-class-id. | vendor-class-id | Enter this command in DHCP giaddr configuration mode. You can enter this command multiple times to specify multiple vendor-class IDs.
Note By default, the IP address of the interface on which DHCP messages are transmitted is sent in DHCP packets. To not publish this IP address, configure an interface (typically loopback) to appear to be the source address for DHCP packets.
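The relay behaviour configured above (dhcp relay, the giaddr field, max-hops and the dhcp relay option that adds RFC 3046 option 82) and the per-circuit-id address cap in Table 5-1 both depend on what a relay puts on the wire and what it must refuse. As an added example, not Redback code and not a description of any SmartEdge command's internals, the following Python constructs a sample DHCPDISCOVER, inserts option 82 with agent circuit id and agent remote id sub-options the way a first-hop relay does, and implements the two checks that make option 82 trustworthy: a client-originated packet that already carries option 82 is dropped (RFC 3046 section 2.1.1), and a packet that has reached the configured hop limit is dropped. The circuit ids, remote ids, addresses, the hop limit and all function names are constructed for the example.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2                  # RFC 3046 sub-options
HOPS_OFFSET, GIADDR_OFFSET, OPTIONS_OFFSET = 3, 24, 240  # RFC 2131 fixed-header layout
ZERO_IP = b"\x00" * 4


def build_discover(xid, mac):
    """Constructed DHCPDISCOVER from a directly connected client (giaddr and hops are zero)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP, mac.ljust(16, b"\x00"),
                        b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, 1, OPT_END])


def _walk_options(pkt):
    """Return ({code: value}, index of the END option) for the variable-length option area."""
    if pkt[OPTIONS_OFFSET - 4:OPTIONS_OFFSET] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, OPTIONS_OFFSET
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts, i
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option %d" % code)
        length = pkt[i + 1]
        opts[code] = opts.get(code, b"") + pkt[i + 2:i + 2 + length]   # RFC 3396: repeats concatenate
        i += 2 + length
    return opts, len(pkt)


def parse_options(pkt):
    return _walk_options(pkt)[0]


def parse_option82(value):
    """Split the Relay Agent Information option into {sub-option code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated option 82 sub-option")
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    return subs


def relay_add_option82(pkt, circuit_id, remote_id, giaddr, max_hops=4, trusted=False):
    """What a relay does on a client-facing circuit: enforce max-hops, stamp giaddr on the first hop,
    add option 82 exactly once, and drop client packets that already carry option 82 (RFC 3046 2.1.1)."""
    opts, end = _walk_options(pkt)
    hops = pkt[HOPS_OFFSET]
    if hops >= max_hops:
        raise ValueError("hop count %d reached max-hops %d: drop" % (hops, max_hops))
    giaddr_bytes = pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if OPT_RELAY_AGENT_INFO in opts:
        if giaddr_bytes == ZERO_IP and not trusted:
            raise ValueError("option 82 present on a packet from a directly connected client: drop")
        new_options = pkt[OPTIONS_OFFSET:]             # relayed upstream of us: never add a second option 82
    else:
        if len(circuit_id) > 255 or len(remote_id) > 255 or len(circuit_id) + len(remote_id) + 4 > 255:
            raise ValueError("option 82 payload exceeds its one-byte length fields")
        sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
               + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
        new_options = pkt[OPTIONS_OFFSET:end] + bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub + bytes([OPT_END])
    if giaddr_bytes == ZERO_IP:
        giaddr_bytes = ipaddress.IPv4Address(giaddr).packed   # first relay hop stamps its own address
    return (pkt[:HOPS_OFFSET] + bytes([hops + 1]) + pkt[HOPS_OFFSET + 1:GIADDR_OFFSET]
            + giaddr_bytes + pkt[GIADDR_OFFSET + 4:OPTIONS_OFFSET] + new_options)


def offer_allowed(leases_by_circuit, circuit_id, limit):
    """Server-side cap on leases per agent circuit id (the option-82 maximum in Table 5-1, step 8)."""
    return len(leases_by_circuit.get(circuit_id, ())) < limit
```

The server-side mapping from circuit id to a static address, and the per-circuit cap, are only as good as the relay's refusal to accept a client-supplied option 82: without that drop, a subscriber can claim another circuit's identity and its address allocation.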
Configure Subscriber Hosts for DHCP Address Functions
To configure subscriber hosts for DHCP address functions, perform the tasks described in Table 5-5; enter all commands in subscriber configuration mode.
Table 5-5 Configure Subscriber Hosts for DHCP Address Functions
Task | Root Command | Notes
Optional. Configure hosts to use DHCP to dynamically acquire address information for a subscriber circuit and set a maximum number of IP addresses that can be assigned to hosts associated with the circuit. | dhcp max-addrs | You can also configure this information in the subscriber record through the RADIUS database instead of through this command. Use Redback VSA 3, DHCP-Max-Leases, for the maximum number of IP addresses; see Chapter A, RADIUS Attributes.
Optional. Configure hosts to use a specific DHCP interface to acquire address information for a subscriber circuit. | ip interface | You must configure the subscriber record or profile with the dhcp max-addrs command. You must enable the specified interface for DHCP proxy or DHCP relay; see the Configure an Interface for an External DHCP Server section. You can also configure this information in the subscriber record through the RADIUS database instead of through this command. Use Redback VSA 104, IP-Interface-Name; see Chapter A, RADIUS Attributes.
Configure a Traffic Card to Prevent DoS Attacks
To configure a traffic card to prevent denial of service (DoS) attacks, perform the task described in Table 5-6; enter the command in card configuration mode.
Table 5-6 Configure a Traffic Card to Prevent DoS Attacks
Task | Root Command | Notes
Optional. Enable rate limiting and specify the rate and burst limits for DHCP or PADI packets to prevent DoS attacks. | rate-limit dhcp |
Configuration Examples
The following sections provide DHCP configuration examples:
DHCP Internal Server
DHCP Proxy and Maximum Address Support
Subscriber Bindings to DHCP Interfaces
DHCP Proxy Through Dynamic Subscriber Bindings
DHCP Proxy Through Static Interface Bindings
DHCP Proxy Through RADIUS
Loopback Interface as DHCP Source Address
DHCP Internal Server
The following example configures an internal DHCP server and two subnets:
! Create the context and the interface.
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#interface dhcp-if multibind
! Assign two subnets to the interface.
[local]Redback(config-if)#ip address 12.1.1.0/24
[local]Redback(config-if)#ip address 13.1.1.0/24 secondary
! Enable the interface for internal DHCP functions and assign an IP address to it.
[local]Redback(config-if)#dhcp server 12.1.1.1
[local]Redback(config-if)#exit
! Enable the context for internal DHCP server functions.
[local]Redback(config-ctx)#dhcp server policy
! Specify global settings for the internal DHCP server and all its subnets.
[local]Redback(config-dhcp-server)#allow-duplicate-mac
[local]Redback(config-dhcp-server)#default-lease-time 14400
[local]Redback(config-dhcp-server)#maximum-lease-time 172800
[local]Redback(config-dhcp-server)#offer-lease-time 300
[local]Redback(config-dhcp-server)#option domain-name redback.com
! Specify the boot loader image file and the server IP address where it can be found.
[local]Redback(config-dhcp-server)#bootp-filename of1267.bin
[local]Redback(config-dhcp-server)#bootp-siaddr 200.1.1.0
! Create an unnamed subnet and configure it.
[local]Redback(config-dhcp-server)#subnet 13.1.1.1/24
[local]Redback(config-dhcp-subnet)#range 13.1.1.50 13.1.1.99
! Override the global settings for these options.
[local]Redback(config-dhcp-subnet)#default-lease-time 3600
[local]Redback(config-dhcp-subnet)#maximum-lease-time 14400
[local]Redback(config-dhcp-subnet)#option domain-name cool.com
[local]Redback(config-dhcp-subnet)#option domain-name-servers 12.1.1.254
[local]Redback(config-dhcp-subnet)#exit
! Create a named subnet and configure it.
[local]Redback(config-dhcp-server)#subnet 13.1.1.100/24 name sub2
[local]Redback(config-dhcp-subnet)#range 13.1.1.150 13.1.1.199
! Create static mappings for this named subnet.
[local]Redback(config-dhcp-subnet)#mac-address 02:12:34:56:78:90 ip-address 13.1.1.2
[local]Redback(config-dhcp-subnet)#option-82 circuit-id 4:1 vlan 102 offset 3 ip-address 13.1.1.3
[local]Redback(config-dhcp-subnet)#option-82 circuit-id 4:1 vlan 102 offset 3 max-addresses 10
! Override the global setting for this option.
[local]Redback(config-dhcp-subnet)#option domain-name hot.com
[local]Redback(config-dhcp-subnet)#exit
! Create a static mapping for this named subnet.
[local]Redback(config-dhcp-server)#vendor-class abc-client offset 5 subnet sub2
DHCP Proxy and Maximum Address Support
The following example illustrates how the value for the max-sub-addrs argument of the dhcp max-addrs
command (in subscriber configuration mode) works in conjunction with the value for the max-dhcp-addrs
argument of the dhcp proxy command (in interface configuration mode). In this example, the dhcp proxy
command restricts the number of DHCP clients that can be supported on the DHCP proxy multibind interface
at IP address 120.1.1.1 to 10. The first four subscribers, each with a max-sub-addrs value of 1, can be
authenticated, and a circuit can be brought up for each of them. However, subscriber sub5 cannot be
authenticated because its max-sub-addrs value is 10, which exceeds the remaining number of addresses
available on the interface, which is now 6:
[local]Redback(config-ctx)#interface subscriber multibind
[local]Redback(config-if)#ip address 120.1.1.1/16
[local]Redback(config-if)#dhcp proxy 10
[local]Redback(config-if)#ip arp timeout 120
[local]Redback(config-if)#ip arp delete-expired
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 100.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name sub1
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub2
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub3
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub4
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub5
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#dhcp relay server 100.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
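The two address budgets described above, as an added example that is not SmartEdge OS code: it models an interface configured with dhcp proxy 10 reserving addresses for subscribers in the order they authenticate, refuses sub5 exactly as the example describes, and also enforces the per-subscriber max-addrs cap on installed host entries. The ProxyInterface and Subscriber classes and their method names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Subscriber:
    """One authenticated subscriber circuit (names are this example's own)."""
    name: str
    max_sub_addrs: int                    # 'dhcp max-addrs <n>' in its subscriber record
    hosts: Set[str] = field(default_factory=set)   # IP host entries installed by DHCP


@dataclass
class ProxyInterface:
    """A multibind interface configured with 'dhcp proxy <max-dhcp-addrs>'."""
    name: str
    max_dhcp_addrs: int
    bound: Dict[str, Subscriber] = field(default_factory=dict)

    @property
    def remaining(self) -> int:
        """Addresses on the interface not yet reserved by a subscriber."""
        return self.max_dhcp_addrs - sum(s.max_sub_addrs for s in self.bound.values())

    def authenticate(self, name: str, max_sub_addrs: int) -> Tuple[bool, str]:
        """Admit a subscriber only if its max-sub-addrs fits in what the
        interface has left; the whole reservation is taken up front, so a
        large request fails even though smaller ones would still fit."""
        if max_sub_addrs < 1:
            return False, f"{name}: dhcp max-addrs must be at least 1"
        if name in self.bound:
            return False, f"{name}: already bound on {self.name}"
        if max_sub_addrs > self.remaining:
            return False, (f"{name}: needs {max_sub_addrs} addresses but only "
                           f"{self.remaining} of {self.max_dhcp_addrs} remain on {self.name}")
        self.bound[name] = Subscriber(name, max_sub_addrs)
        return True, f"{name}: reserved {max_sub_addrs}, {self.remaining} remain"

    def install_host(self, name: str, ip: str) -> Tuple[bool, str]:
        """A DHCP ACK for a host on a bound circuit installs a host entry, but
        never more than the subscriber's own max-addrs (the 'max_addr' figure
        in the show subscribers active output)."""
        sub = self.bound.get(name)
        if sub is None:
            return False, f"{name}: not bound on {self.name}"
        if ip in sub.hosts:
            return True, f"{name}: {ip} already installed (renewal)"
        if len(sub.hosts) >= sub.max_sub_addrs:
            return False, f"{name}: max_addr {sub.max_sub_addrs} reached, {ip} refused"
        sub.hosts.add(ip)
        return True, f"{name}: installed {ip} ({len(sub.hosts)}/{sub.max_sub_addrs})"


def page_example() -> Tuple[List[bool], int]:
    """Replay the page's example: dhcp proxy 10, four subscribers with
    dhcp max-addrs 1, then sub5 with dhcp max-addrs 10."""
    ifc = ProxyInterface("subscriber", max_dhcp_addrs=10)
    plan = [("sub1", 1), ("sub2", 1), ("sub3", 1), ("sub4", 1), ("sub5", 10)]
    admitted: List[bool] = []
    for name, n in plan:
        ok, msg = ifc.authenticate(name, n)
        print(("OK   " if ok else "FAIL ") + msg)
        admitted.append(ok)
    return admitted, ifc.remaining   # -> ([True, True, True, True, False], 6)


if __name__ == "__main__":
    page_example()
```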
Subscriber Bindings to DHCP Interfaces
Two examples of binding subscribers to DHCP interfaces are described in the following sections:
Using Local Authentication
Using RADIUS Authentication
Using Local Authentication
The following example binds subscribers to DHCP interfaces using the ip interface command (in
subscriber configuration mode) with local authentication:
[local]Redback(config)#context atm_subs
[local]Redback(config-ctx)#interface bronze multibind
[local]Redback(config-if)#ip address 120.1.3.1/24
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface gold multibind
[local]Redback(config-if)#ip address 120.1.1.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface silver multibind
[local]Redback(config-if)#ip address 120.1.2.1/24
[local]Redback(config-if)#dhcp proxy 10
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber profile gold
[local]Redback(config-sub)#ip interface name gold
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile silver
[local]Redback(config-sub)#ip interface name silver
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile bronze
[local]Redback(config-sub)#ip interface name bronze
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub1
[local]Redback(config-sub)#profile gold
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub2
[local]Redback(config-sub)#profile silver
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub3
[local]Redback(config-sub)#profile bronze
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 1/4
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 101 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub1@atm_subs
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 102 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub2@atm_subs
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 103 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub3@atm_subs
The following example displays information about these subscriber circuits:
[atm_subs]Redback>show subscribers active
sub1@atm_subs
  Circuit 1/4:1 vpi-vci 0 101
  Internal Circuit 1/4:1:63/1/2/24579
  Current port-limit unlimited
  profile gold (applied)
  dhcp max-addrs 10 (applied)
  ip interface gold (applied)
sub2@atm_subs
  Circuit 1/4:1 vpi-vci 0 102
  Internal Circuit 1/4:1:63/1/2/24580
  Current port-limit unlimited
  profile silver (applied)
  dhcp max-addrs 10 (applied)
  ip interface silver (applied)
sub3@atm_subs
  Circuit 1/4:1 vpi-vci 0 103
  Internal Circuit 1/4:1:63/1/2/24581
  Current port-limit unlimited
  profile bronze (applied)
  dhcp max-addrs 10 (applied)
  ip interface bronze (applied)
The following example displays information about the DHCP hosts after they have been established on the
active subscriber circuits:
[atm_subs]Redback>show subscribers active
sub1@atm_subs
  Circuit 1/4:1 vpi-vci 0 101
  Internal Circuit 1/4:1:63/1/2/24579
  Current port-limit unlimited
  profile gold (applied)
  dhcp max-addrs 10 (applied)
  ip interface gold (applied)
  IP host entries installed by DHCP: (max_addr 10 cur_enties 10)
    120.1.1.199 00:dd:00:00:00:0a
    120.1.1.191 00:dd:00:00:00:09
    120.1.1.192 00:dd:00:00:00:08
    120.1.1.200 00:dd:00:00:00:07
    120.1.1.194 00:dd:00:00:00:05
    120.1.1.193 00:dd:00:00:00:06
    120.1.1.196 00:dd:00:00:00:03
    120.1.1.195 00:dd:00:00:00:04
    120.1.1.197 00:dd:00:00:00:02
    120.1.1.198 00:dd:00:00:00:01
sub2@atm_subs
  Circuit 1/4:1 vpi-vci 0 102
  Internal Circuit 1/4:1:63/1/2/24580
  Current port-limit unlimited
  profile silver (applied)
  dhcp max-addrs 10 (applied)
  ip interface silver (applied)
  IP host entries installed by DHCP: (max_addr 10 cur_enties 10)
    120.1.2.191 00:dd:00:00:00:14
    120.1.2.192 00:dd:00:00:00:13
    120.1.2.193 00:dd:00:00:00:12
    120.1.2.194 00:dd:00:00:00:11
    120.1.2.195 00:dd:00:00:00:10
    120.1.2.196 00:dd:00:00:00:0f
    120.1.2.197 00:dd:00:00:00:0e
    120.1.2.198 00:dd:00:00:00:0d
    120.1.2.199 00:dd:00:00:00:0c
    120.1.2.200 00:dd:00:00:00:0b
sub3@atm_subs
  Circuit 1/4:1 vpi-vci 0 103
  Internal Circuit 1/4:1:63/1/2/24581
  Current port-limit unlimited
  profile bronze (applied)
  dhcp max-addrs 10 (applied)
  ip interface bronze (applied)
  IP host entries installed by DHCP: (max_addr 10 cur_enties 10)
    120.1.3.191 00:dd:00:00:00:1e
    120.1.3.192 00:dd:00:00:00:1d
    120.1.3.193 00:dd:00:00:00:1c
    120.1.3.194 00:dd:00:00:00:1b
    120.1.3.195 00:dd:00:00:00:1a
    120.1.3.196 00:dd:00:00:00:19
    120.1.3.197 00:dd:00:00:00:18
    120.1.3.198 00:dd:00:00:00:17
    120.1.3.199 00:dd:00:00:00:16
    120.1.3.200 00:dd:00:00:00:15
The following example displays DHCP relay host information for this configuration:
[atm_subs]Redback>show dhcp relay hosts
Circuit                  Host            Hardware address
        Lease   Ttl     Timestamp                 Relay/Proxy  Context
1/4:1 vpi-vci 0 101      120.1.1.198     00:dd:00:00:00:01
        1800    1709    Thu Nov 8 09:16:21 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.197     00:dd:00:00:00:02
        1800    1710    Thu Nov 8 09:16:22 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.195     00:dd:00:00:00:04
        1800    1713    Thu Nov 8 09:16:24 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.196     00:dd:00:00:00:03
        1800    1713    Thu Nov 8 09:16:24 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.193     00:dd:00:00:00:06
        1800    1711    Thu Nov 8 09:16:22 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.194     00:dd:00:00:00:05
        1800    1712    Thu Nov 8 09:16:23 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.200     00:dd:00:00:00:07
        1800    1712    Thu Nov 8 09:16:23 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.192     00:dd:00:00:00:08
        1800    1711    Thu Nov 8 09:16:22 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.191     00:dd:00:00:00:09
        1800    1711    Thu Nov 8 09:16:22 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.199     00:dd:00:00:00:0a
        1800    1711    Thu Nov 8 09:16:23 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.197     00:dd:00:00:00:0e
        1800    1717    Thu Nov 8 09:16:28 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.200     00:dd:00:00:00:0b
        1800    1713    Thu Nov 8 09:16:25 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.199     00:dd:00:00:00:0c
        1800    1716    Thu Nov 8 09:16:28 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.198     00:dd:00:00:00:0d
        1800    1716    Thu Nov 8 09:16:27 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.196     00:dd:00:00:00:0f
        1800    1716    Thu Nov 8 09:16:27 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.195     00:dd:00:00:00:10
        1800    1715    Thu Nov 8 09:16:27 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.194     00:dd:00:00:00:11
        1800    1717    Thu Nov 8 09:16:28 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.193     00:dd:00:00:00:12
        1800    1718    Thu Nov 8 09:16:29 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.192     00:dd:00:00:00:13
        1800    1717    Thu Nov 8 09:16:29 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.191     00:dd:00:00:00:14
        1800    1719    Thu Nov 8 09:16:30 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.200     00:dd:00:00:00:15
        1800    1718    Thu Nov 8 09:16:30 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.199     00:dd:00:00:00:16
        1800    1720    Thu Nov 8 09:16:32 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.198     00:dd:00:00:00:17
        1800    1721    Thu Nov 8 09:16:32 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.197     00:dd:00:00:00:18
        1800    1721    Thu Nov 8 09:16:32 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.196     00:dd:00:00:00:19
        1800    1722    Thu Nov 8 09:16:33 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.195     00:dd:00:00:00:1a
        1800    1723    Thu Nov 8 09:16:34 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.194     00:dd:00:00:00:1b
        1800    1721    Thu Nov 8 09:16:33 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.193     00:dd:00:00:00:1c
        1800    1722    Thu Nov 8 09:16:33 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.192     00:dd:00:00:00:1d
        1800    1722    Thu Nov 8 09:16:33 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.191     00:dd:00:00:00:1e
        1800    1723    Thu Nov 8 09:16:34 2005   Proxy        atm_subs
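A defender's check over the listing above, added here as an example and not part of the guide: it parses the two-line rows of show dhcp relay hosts, counts hosts per circuit against the configured dhcp max-addrs, and flags a hardware address that appears on more than one circuit. The sample rows are adapted from the page's output and trimmed; the last row is constructed to trigger the duplicate-address finding, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

# Sample rows adapted from the 'show dhcp relay hosts' listing on this page,
# trimmed to a few hosts per circuit. The last row is CONSTRUCTED: it reuses
# the hardware address of the first row on a different circuit.
SAMPLE_OUTPUT = """\
[atm_subs]Redback>show dhcp relay hosts
Circuit                  Host            Hardware address
        Lease   Ttl     Timestamp                 Relay/Proxy  Context
1/4:1 vpi-vci 0 101      120.1.1.198     00:dd:00:00:00:01
        1800    1709    Thu Nov 8 09:16:21 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 101      120.1.1.197     00:dd:00:00:00:02
        1800    1710    Thu Nov 8 09:16:22 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 102      120.1.2.197     00:dd:00:00:00:0e
        1800    1717    Thu Nov 8 09:16:28 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.200     00:dd:00:00:00:15
        1800    1718    Thu Nov 8 09:16:30 2005   Proxy        atm_subs
1/4:1 vpi-vci 0 103      120.1.3.199     00:dd:00:00:00:01
        1800    1720    Thu Nov 8 09:16:32 2005   Proxy        atm_subs
"""


class RelayHost(NamedTuple):
    circuit: str
    ip: str
    mac: str
    lease: int
    ttl: int
    timestamp: str
    mode: str        # Relay or Proxy
    context: str


# First line of a row: circuit description, host IP, hardware address.
HOST_LINE = re.compile(
    r"^(?P<circuit>\S.*?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$")
# Second line of a row: lease, ttl, timestamp, Relay/Proxy, context.
LEASE_LINE = re.compile(
    r"^\s*(?P<lease>\d+)\s+(?P<ttl>\d+)\s+(?P<ts>\S.*?)\s+"
    r"(?P<mode>Relay|Proxy)\s+(?P<ctx>\S+)\s*$")


def parse_relay_hosts(text: str) -> List[RelayHost]:
    """Pair each host line with the lease line that follows it."""
    hosts: List[RelayHost] = []
    pending = None        # host line still waiting for its lease line
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOST_LINE.match(line)
        if m:
            if pending is not None:
                raise ValueError(f"host {pending['ip']} has no lease line")
            pending = m.groupdict()
            continue
        m = LEASE_LINE.match(line)
        if m and pending is not None:
            hosts.append(RelayHost(
                pending["circuit"], pending["ip"], pending["mac"].lower(),
                int(m["lease"]), int(m["ttl"]), m["ts"], m["mode"], m["ctx"]))
            pending = None
        # the command echo and the two header lines match neither pattern
    if pending is not None:
        raise ValueError(f"host {pending['ip']} has no lease line")
    return hosts


def hosts_per_circuit(hosts: List[RelayHost]) -> Dict[str, int]:
    return dict(Counter(h.circuit for h in hosts))


def audit(hosts: List[RelayHost], max_addrs: Dict[str, int]) -> List[str]:
    """Findings worth acting on: a circuit over its configured dhcp max-addrs,
    one hardware address bound on several circuits, and a ttl above the lease."""
    findings: List[str] = []
    for circuit, n in sorted(hosts_per_circuit(hosts).items()):
        limit = max_addrs.get(circuit)
        if limit is not None and n > limit:
            findings.append(f"{circuit}: {n} hosts exceeds dhcp max-addrs {limit}")
    circuits_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for h in hosts:
        circuits_by_mac[h.mac].add(h.circuit)
    for mac, circuits in sorted(circuits_by_mac.items()):
        if len(circuits) > 1:
            findings.append(f"{mac}: present on {len(circuits)} circuits "
                            f"({', '.join(sorted(circuits))})")
    for h in hosts:
        if h.ttl > h.lease:
            findings.append(f"{h.circuit} {h.ip}: ttl {h.ttl} exceeds lease {h.lease}")
    return findings


if __name__ == "__main__":
    parsed = parse_relay_hosts(SAMPLE_OUTPUT)
    print(hosts_per_circuit(parsed))
    # Constructed limits: the page configures dhcp max-addrs 10 for every
    # subscriber; a limit of 1 on circuit 103 is used here to show a finding.
    for finding in audit(parsed, {"1/4:1 vpi-vci 0 103": 1}):
        print("FINDING:", finding)
```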
Using RADIUS Authentication
The following example binds subscribers to DHCP interfaces, using the ip interface command (in
subscriber configuration mode) with RADIUS authentication:
[local]Redback(config)#context atm_subs
[local]Redback(config-ctx)#interface bronze multibind
[local]Redback(config-if)#ip address 120.1.3.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface gold multibind
[local]Redback(config-if)#ip address 120.1.1.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface silver multibind
[local]Redback(config-if)#ip address 120.1.2.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-linux-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-sms-server
[local]Redback(config-if)#ip address 100.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#radius server 108.1.1.157 key mpls4
[local]Redback(config-ctx)#radius max-retries 5
[local]Redback(config-ctx)#radius timeout 5
[local]Redback(config-ctx)#radius algorithm round-robin
[local]Redback(config-ctx)#radius accounting algorithm round-robin
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#aaa accounting subscriber radius
[local]Redback(config-ctx)#aaa accounting event dhcp
[local]Redback(config-ctx)#radius accounting server 108.1.1.157 key mpls4
[local]Redback(config-ctx)#subscriber profile gold
[local]Redback(config-sub)#ip interface name gold
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile silver
[local]Redback(config-sub)#ip interface name silver
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile bronze
[local]Redback(config-sub)#ip interface name bronze
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#dhcp relay server 108.1.1.157
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#card atm-oc3-4-port 1
[local]Redback(config)#port atm 1/4
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 101 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub1@atm_subs password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 102 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub2@atm_subs password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 103 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub3@atm_subs password test
The following example displays the RADIUS subscriber files:
sub1@atm_subs Password = "test"
    Service-Type = Framed-User,
    RB-IP-Interface-Name = gold,
    RB-DHCP-Max-Leases = 10,
    RB-Context-Name = atm_subs
sub2@atm_subs Password = "test"
    Service-Type = Framed-User,
    RB-IP-Interface-Name = silver,
    RB-DHCP-Max-Leases = 10,
    RB-Context-Name = atm_subs
sub3@atm_subs Password = "test"
    Service-Type = Framed-User,
    RB-IP-Interface-Name = bronze,
    RB-DHCP-Max-Leases = 10,
    RB-Context-Name = atm_subs
In the RADIUS dictionary, the relevant attribute is:
VENDORATTR 2352 RB-IP-Interface-Name 104 string
One of the sample Accounting-Alive packets with the RADIUS IP interface attribute is:
Code: Accounting-Request
Identifier: 38
Authentic: 'l<199>[<151><142><192>@<0><15><175>KCO}<163>
Attributes:
    User-Name = "sub3@atm_subs"
    Acct-Status-Type = Alive
    Acct-Session-Id = "0003003F3000601C-40757C65"
    Service-Type = Framed-User
    NAS-Identifier = "mpls4"
    NAS-Port = 17039424
    NAS-Port-Type = Sync
    NAS-Port-Id = "1/4 vpi-vci 0 103"
    Connect-Info = "a1"
    RB-Platform-ID = SmartEdge
    Acct-Authentic = RADIUS
    RB-IP-Interface-Name = "bronze"
    RB-DHCP-Max-Leases = 10
    Acct-Session-Time = 105
    Acct-Input-Packets = 32
    Acct-Output-Packets = 26
    Acct-Input-Octets = 7733
    Acct-Output-Octets = 5388
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    RB-Acct-Input-Packets-64 = 0x20
    RB-Acct-Output-Packets-64 = 0x1a
    RB-Acct-Input-Octets-64 = 0x1e35
DHCP Proxy Through Dynamic Subscriber Bindings
The following example configures DHCP proxy through dynamic subscriber bindings:
[local]Redback(config)#context dyn-sub-bindings
[local]Redback(config-ctx)#interface dyn-sub-if multibind
[local]Redback(config-if)#ip address 100.1.1.1/24
[local]Redback(config-if)#dhcp proxy 251
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name sub21
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub22
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub23
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub24
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub25
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub101
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub102
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub103
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub104
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub105
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#dhcp relay server 108.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#atm profile a1
[local]Redback(config-atm-profile)#shaping ubr
[local]Redback(config-atm-profile)#exit
[local]Redback(config)#card atm-oc3-4-port 5
[local]Redback(config-card)#exit
[local]Redback(config)#port atm 5/2
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 101 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub101@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 102 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub102@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 103 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub103@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 104 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub104@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 105 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub105@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface to-dhcp-server subscriber
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 21
[local]Redback(config-dot1q-pvc)#bind subscriber sub21@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 22
[local]Redback(config-dot1q-pvc)#bind subscriber sub22@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 23
[local]Redback(config-dot1q-pvc)#bind subscriber sub23@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 24
[local]Redback(config-dot1q-pvc)#bind subscriber sub24@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 25
[local]Redback(config-dot1q-pvc)#bind subscriber sub25@subscriber
DHCP Proxy Through Static Interface Bindings
The following example configures DHCP proxy through static interface bindings:
[local]Redback(config)#context non-subscriber
[local]Redback(config-ctx)#interface non-subscriber multibind
[local]Redback(config-if)#ip address 100.1.1.1/16
[local]Redback(config-if)#dhcp proxy 1000
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface vlan.1 multibind
[local]Redback(config-if)#ip address 121.1.1.1/24
[local]Redback(config-if)#dhcp proxy 250
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface vlan.10 multibind
[local]Redback(config-if)#ip address 130.1.1.1/24
[local]Redback(config-if)#dhcp proxy 250
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#dhcp relay server 108.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#bind interface vlan.1 non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 10
[local]Redback(config-dot1q-pvc)#bind interface vlan.10 non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 11 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 12 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 13 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 14 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 15 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 16 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 17 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 18 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 19 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 20 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
DHCP Proxy Through RADIUS
The following example configures DHCP proxy through RADIUS:
[local]Redback(config)#no service multiple-contexts
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface loop1 loopback
[local]Redback(config-if)#ip address 11.200.1.1/32
[local]Redback(config-if)#ip source-address dhcp-server
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface subscriber multibind
[local]Redback(config-if)#ip address 100.1.0.1/16
[local]Redback(config-if)#dhcp proxy 50
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-cisco-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#radius server 108.1.1.157 key dhcp
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#dhcp relay server 108.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
Configuration Examples
5-20 IP Services and Security Configuration Guide
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface to-cisco-dhcp-server local
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#bind subscriber sub1@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2
[local]Redback(config-dot1q-pvc)#bind subscriber sub2@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 3
[local]Redback(config-dot1q-pvc)#bind subscriber sub3@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 4
[local]Redback(config-dot1q-pvc)#bind subscriber sub4@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 5
[local]Redback(config-dot1q-pvc)#bind subscriber sub5@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 6
[local]Redback(config-dot1q-pvc)#bind subscriber sub6@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 7
[local]Redback(config-dot1q-pvc)#bind subscriber sub7@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 8
[local]Redback(config-dot1q-pvc)#bind subscriber sub8@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 9
[local]Redback(config-dot1q-pvc)#bind subscriber sub9@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 10
[local]Redback(config-dot1q-pvc)#bind subscriber sub10@local password test
The following output displays sample content from the RADIUS server file used in this example:
sub1@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
sub2@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
sub3@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
sub4@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
Loopback Interface as DHCP Source Address
The following example shows that the IP address of the interface connected to the external DHCP server
is 108.1.1.1; however, a loopback interface is configured with another IP address, which is sent to the
DHCP server as the source IP address for DHCP packets:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface loop1 loopback
[local]Redback(config-if)#ip address 11.200.1.1/32
[local]Redback(config-if)#ip source-address dhcp-server
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure DHCP features.
The commands are presented in alphabetical order:
allow-duplicate-mac
bootp-enable-auto
bootp-filename
bootp-siaddr
broadcast-discover
default-lease-time
dhcp max-addrs
dhcp proxy
dhcp relay
dhcp relay option
dhcp relay server
dhcp relay server retries
dhcp relay suppress-nak
dhcp server
dhcp server policy
forward-all
ip interface
mac-address
max-hops
max-lease-time
min-wait
offer-lease-time
option
option-82
range
rate-adjust dhcp pwfq
rate-limit dhcp
server-group
standby
subnet
threshold
user-class-id
vendor-class
vendor-class-id
allow-duplicate-mac
allow-duplicate-mac
no allow-duplicate-mac
Purpose
Allows Dynamic Host Configuration Protocol (DHCP) server subscribers and a clientless IP service selection
(CLIPS) subscriber to share the same medium access control (MAC) address.
Command Mode
DHCP server configuration
Syntax Description
This command has no keywords or arguments.
Default
Duplicate MAC addresses are not allowed.
Usage Guidelines
Use the allow-duplicate-mac command to allow DHCP server subscribers and a CLIPS subscriber to share
the same MAC address.
Use the no form of this command to specify the default condition.
Examples
The following example enables DHCP clients with the same MAC address to be assigned IP addresses on
different circuits for the DHCP internal server in the dhcp context:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#allow-duplicate-mac
Related Commands
None
bootp-enable-auto
bootp-enable-auto
no bootp-enable-auto
Purpose
Enables the assignment of IP addresses from subnet ranges.
Command Mode
DHCP server configuration
Syntax Description
This command has no keywords or arguments.
Default
The assignment of IP addresses from subnet ranges is not enabled.
Usage Guidelines
Use the bootp-enable-auto command to enable the assignment of IP addresses from subnet ranges.
If you do not enter this command, then you must enter the mac-address command (in DHCP subnet
configuration mode); it is required for the DHCP server to assign IP addresses for BOOTP clients. If you
enter this command, then you need not enter the mac-address command.
Use the no form of this command to specify the default condition.
Note The Bootstrap Protocol (BOOTP) allows certain systems to automatically discover network
configuration information and boot information. The Dynamic Host Configuration Protocol
(DHCP) is an extension of BOOTP that defines a protocol for passing configuration
information to hosts on a Transmission Control Protocol (TCP)/IP network. For more
information about BOOTP and DHCP, see RFC 2131, Dynamic Host Configuration Protocol.
Examples
The following example enables the assignment of IP addresses from subnet ranges for the internal DHCP
server in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#bootp-enable-auto
Related Commands
mac-address
bootp-filename
bootp-filename bootfile-name
no bootp-filename bootfile-name
Purpose
Specifies the filename of the boot loader image file.
Command Mode
DHCP server configuration
Syntax Description
bootfile-name Name of the boot loader image file.
Default
No boot loader image is specified.
Usage Guidelines
Use the bootp-filename command to specify the filename of the boot loader image file. The boot loader
image file is run when the system is reloaded or powered on.
Note The Bootstrap Protocol (BOOTP) allows certain systems to automatically discover network
configuration information and boot information. The Dynamic Host Configuration Protocol
(DHCP) is an extension of BOOTP that defines a protocol for passing configuration
information to hosts on a Transmission Control Protocol (TCP)/IP network. For more
information about BOOTP and DHCP, see RFC 2131, Dynamic Host Configuration Protocol.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the boot loader image file for the SmartEdge router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#bootp-filename of1267.bin
Related Commands
bootp-siaddr
bootp-siaddr
bootp-siaddr ip-addr
no bootp-siaddr ip-addr
Purpose
Specifies the IP address that the boot loader client uses to download the boot loader image file.
Command Mode
DHCP server configuration
Syntax Description
ip-addr IP address the boot loader client uses.
Default
No IP address is specified.
Usage Guidelines
Use the bootp-siaddr command to specify the IP address that the boot loader client uses to download the
boot loader image file.
Note The Bootstrap Protocol (BOOTP) allows certain systems to automatically discover network
configuration information and boot information. The Dynamic Host Configuration Protocol
(DHCP) is an extension of BOOTP that defines a protocol for passing configuration
information to hosts on a Transmission Control Protocol (TCP)/IP network. The server's IP
address (SIADDR) field in the DHCP packet specifies the address of the server to use in the
next step of the client's bootstrap process. For more information about BOOTP, DHCP, and
SIADDR, see RFC 2131, Dynamic Host Configuration Protocol.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the IP address for the SmartEdge router with the boot loader image file:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#bootp-siaddr 200.1.1.0
Related Commands
bootp-filename
broadcast-discover
broadcast-discover
no broadcast-discover
Purpose
Sends Dynamic Host Configuration Protocol (DHCP) discover packets to other configured servers in a
DHCP server group.
Command Mode
DHCP relay server configuration
Syntax Description
This command has no keywords or arguments.
Default
The DHCP client sends discover packets only to the DHCP server in the server group that last responded
to the client.
Usage Guidelines
Use the broadcast-discover command to send DHCP discover packets to other configured servers in a
DHCP server group.
The DHCP relay server always sends initial DHCP discover packets to all DHCP servers in a DHCP server
group. By default, it sends subsequent discover packets only to the server that last responded. Servers
configured with this command also receive subsequent DHCP discover packets from all clients that have
existing sessions with other servers in the group. If the server that last responded to the client is unavailable,
another server in the group can respond.
Use the no form of this command to revert to the default behavior.
Examples
The following example configures the DHCP relay server, corp1, to send DHCP discover packets to all
configured servers in the DHCP server group:
[local]Redback(config-ctx)#dhcp relay server corp1
[local]Redback(config-dhcp-relay)#broadcast-discover
Related Commands
dhcp relay server
forward-all
default-lease-time
default-lease-time seconds
no default-lease-time
Purpose
Specifies the default lease time for this Dynamic Host Configuration Protocol (DHCP) server or one of its
subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
seconds Length of time for the default lease. The range of values is 900 (15 minutes) to
31,536,000 (one year).
Default
The default length of time is two hours.
Usage Guidelines
Use the default-lease-time command to specify the default lease time for the DHCP server or one of its
subnets. In DHCP server configuration mode, this command specifies the default lease time for all subnets;
in DHCP subnet configuration mode, it specifies the default lease time for that subnet. The value you
specify for a subnet overrides the global value for the server.
Use the no form of this command to specify the default value.
Examples
The following example specifies a default lease time of 4 hours (14400 seconds) for the DHCP server and
all its subnets:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#default-lease-time 14400
Related Commands
max-lease-time
offer-lease-time
subnet
threshold
dhcp max-addrs
dhcp max-addrs max-sub-addrs
no dhcp max-addrs
Purpose
Indicates that associated hosts are to use Dynamic Host Configuration Protocol (DHCP) to dynamically
acquire address information for the subscribers circuit, and sets a maximum number of IP addresses that
the SmartEdge OS expects the external DHCP server to assign to hosts associated with the circuit.
Command Mode
subscriber configuration
Syntax Description
max-sub-addrs Maximum number of unique IP addresses the SmartEdge OS expects the external
DHCP server to assign to hosts associated with a given subscriber circuit. The range of
values is 1 to 100.
For dynamic clientless IP service selection (CLIPS) subscribers, the value for the
max-sub-addrs argument must be 1.
Default
None
Usage Guidelines
Use the dhcp max-addrs command to indicate that associated hosts are to use DHCP to dynamically
acquire address information for the subscriber's circuit, and to set a maximum number of IP addresses that
the SmartEdge OS expects the external DHCP server to assign to hosts associated with the circuit.
For non-CLIPS subscribers, the SmartEdge OS deducts the value of the max-sub-addrs argument from the
value for the max-dhcp-addrs argument that you configured for a DHCP proxy or DHCP relay interface,
using the dhcp proxy or dhcp relay commands (in interface configuration mode), available at the time a
subscriber is bound to a circuit. When the value for the max-dhcp-addrs argument for a DHCP proxy or
DHCP relay interface reaches 0, that interface is no longer available for subscriber bindings.
For dynamic CLIPS subscribers, you must configure the subscriber record or profile with no IP address and
specify 1 as the value for the max-sub-addrs argument; for information about CLIPS, see the CLIPS
Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Note If you configure a subscriber record with a dhcp max-addrs command and with one or more
static IP host addresses, using the ip address command (in interface configuration mode), the
static IP addresses always take precedence; the associated circuit is bound to an interface on
the basis of the static IP addresses. If you configure the record with a dhcp max-addrs
command, and you do not configure any static addresses for it, the associated circuit is bound
to the first available interface with capacity for this subscriber.
Use the no form of this command to disable the use of DHCP for the subscriber's circuit.
Examples
The following example configures the subscriber, dhcp-test, to expect a total of 8 IP addresses that can
be assigned at any time:
[local]Redback(config-ctx)#subscriber name dhcp-test
[local]Redback(config-sub)#dhcp max-addrs 8
Related Commands
dhcp proxy
dhcp relay
dhcp relay server
dhcp proxy
dhcp proxy max-dhcp-addrs [server-group name]
no dhcp proxy
Purpose
Enables this interface to act as proxy between subscribers and an external Dynamic Host Configuration
Protocol (DHCP) server, and access DHCP giaddr configuration mode.
Command Mode
interface configuration
Syntax Description
max-dhcp-addrs Maximum number of IP addresses available on the interface. The range of values
is 1 to 65,535.
server-group name Optional. DHCP server group. Forwards all DHCP requests received on the
interface to all DHCP servers in the specified server group.
Default
DHCP proxy is disabled.
Usage Guidelines
Use the dhcp proxy command to enable this interface to act as a proxy between subscribers and an external
DHCP server, and access DHCP giaddr configuration mode.
When you enable DHCP proxy, the interface relays all DHCP packets, including the release and renewal
of IP addresses for subscriber sessions, between the DHCP server and the subscriber. To the subscriber, the
SmartEdge router appears to be the DHCP server.
The SmartEdge OS uses the value for the max-dhcp-addrs argument to load balance between IP addresses
from multiple pools. When you configure the SmartEdge OS for subscriber DHCP proxy, the value of the
max-dhcp-addrs argument indicates the total number of subscriber requests that will be forwarded on the
interface.
The SmartEdge OS deducts the max-sub-addrs value for the dhcp max-addrs command (in subscriber
configuration mode) from the current value for the max-dhcp-addrs argument for the DHCP proxy interface at
the time a subscriber is bound to a circuit using that interface. When the value of max-dhcp-addrs for a
DHCP proxy interface reaches 0, that interface is no longer available for subscriber bindings.
Note You can configure an interface to act as either a DHCP relay or a DHCP proxy; the dhcp relay
and dhcp proxy commands are mutually exclusive.
Note For the dhcp proxy command to take effect, you must configure an external DHCP server,
using the dhcp relay server command in the context in which the interface is configured.
Use the no form of this command to disable DHCP proxy on the interface.
Examples
The following example enables the proxy1 interface to act as a DHCP proxy for the DHCP server at
IP address 10.30.40.50:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#interface proxy1
[local]Redback(config-if)#ip address 10.1.2.3 255.255.255.0
[local]Redback(config-if)#dhcp proxy 253
Related Commands
dhcp max-addrs
dhcp relay
dhcp relay server
dhcp relay
dhcp relay max-dhcp-addrs [server-group group-name]
no dhcp relay
Purpose
Enables this interface to relay Dynamic Host Configuration Protocol (DHCP) messages to an external
DHCP server, and access DHCP giaddr configuration mode.
Command Mode
interface configuration
Syntax Description
max-dhcp-addrs Maximum number of IP addresses available on the interface. The range
of values is 0 to 65,535.
server-group group-name Optional. DHCP server group. Forwards all DHCP requests received on
the interface to all DHCP servers in the specified server group.
Default
DHCP relay is disabled.
Usage Guidelines
Use the dhcp relay command to enable this interface to relay DHCP messages to an external DHCP server,
and access DHCP giaddr configuration mode.
The SmartEdge OS uses the value for the max-dhcp-addrs argument to load balance between IP addresses
from multiple pools. When you configure the SmartEdge OS for subscriber DHCP relay, the value of the
max-dhcp-addrs argument indicates the total number of subscriber requests that can be forwarded on the
interface.
The value of the max-sub-addrs argument for the dhcp max-addrs command (in subscriber configuration
mode) is deducted from the max-dhcp-addrs value configured for a DHCP relay interface available at the
time a subscriber is bound to a circuit on that interface. When the value of max-dhcp-addrs for a DHCP
relay interface reaches 0, that interface is no longer available for subscriber bindings.
Note You can configure an interface to act as either a DHCP relay or a DHCP proxy; the dhcp relay
and dhcp proxy commands are mutually exclusive.
Note For the dhcp relay command to take effect, you must configure an external DHCP server,
using the dhcp relay server command in the context in which the interface is configured.
Use the no form of this command to disable DHCP relay on the interface.
Examples
The following example enables DHCP relay on interface eth1, which is configured with a total of 253 IP
addresses that can be allocated by the DHCP server at any time from the 10.1.1.0 subnet:
[local]Redback(config-ctx)#interface eth1
[local]Redback(config-if)#ip address 10.1.1.0 255.255.255.0
[local]Redback(config-if)#dhcp relay 253
[local]Redback(config-dhcp-giaddr)#
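The capacity accounting shared by the dhcp relay, dhcp proxy and dhcp max-addrs descriptions, as an added Python model that is not SmartEdge OS code or part of this guide: each interface starts at its configured max-dhcp-addrs, a binding deducts the subscriber's max-sub-addrs from the first interface that still has capacity for it, and an interface at 0 accepts no further bindings. The search order (configuration order), the capacity test (remaining at least max-sub-addrs), the class and function names, and the eth1 capacity of 10 are assumptions; static IP hosts are not modeled.

```python
"""Model of max-dhcp-addrs / max-sub-addrs accounting for DHCP relay and
proxy interfaces (added example; search order and capacity test are assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DhcpInterface:
    """An interface configured with 'dhcp relay N' or 'dhcp proxy N'."""
    name: str
    mode: str              # "relay" or "proxy"; the two commands are mutually exclusive
    max_dhcp_addrs: int    # remaining capacity, starts at the configured value
    bound: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("relay", "proxy"):
            raise ValueError("an interface is either a DHCP relay or a DHCP proxy")
        low = 0 if self.mode == "relay" else 1   # documented ranges: relay 0-65535, proxy 1-65535
        if not low <= self.max_dhcp_addrs <= 65535:
            raise ValueError(f"max-dhcp-addrs {self.max_dhcp_addrs} out of range for {self.mode}")

    @property
    def available(self) -> bool:
        """An interface whose max-dhcp-addrs has reached 0 takes no more bindings."""
        return self.max_dhcp_addrs > 0


@dataclass
class Subscriber:
    """A subscriber record carrying 'dhcp max-addrs max-sub-addrs'."""
    name: str
    max_sub_addrs: int
    dynamic_clips: bool = False

    def __post_init__(self) -> None:
        if not 1 <= self.max_sub_addrs <= 100:
            raise ValueError("max-sub-addrs must be 1 to 100")
        if self.dynamic_clips and self.max_sub_addrs != 1:
            raise ValueError("dynamic CLIPS subscribers must use max-sub-addrs 1")


class DhcpContext:
    """Relay/proxy interfaces of one context, in configuration order (assumed to
    be the order in which the 'first available interface' is searched)."""

    def __init__(self, interfaces: List[DhcpInterface]) -> None:
        self.interfaces = list(interfaces)
        self.bindings: Dict[str, Tuple[str, int]] = {}   # subscriber -> (interface, deducted)

    def bind(self, sub: Subscriber) -> Optional[str]:
        """Bind the subscriber's circuit to the first interface with capacity for it
        and deduct max-sub-addrs there; None when no interface can take it."""
        if sub.name in self.bindings:
            raise ValueError(f"{sub.name} is already bound")
        for itf in self.interfaces:
            if itf.available and itf.max_dhcp_addrs >= sub.max_sub_addrs:
                itf.max_dhcp_addrs -= sub.max_sub_addrs
                itf.bound.append(sub.name)
                self.bindings[sub.name] = (itf.name, sub.max_sub_addrs)
                return itf.name
        return None

    def unbind(self, name: str) -> None:
        """Release a binding and return its addresses to the interface."""
        itf_name, addrs = self.bindings.pop(name)
        for itf in self.interfaces:
            if itf.name == itf_name:
                itf.max_dhcp_addrs += addrs
                itf.bound.remove(name)
                return

    def remaining(self, itf_name: str) -> int:
        for itf in self.interfaces:
            if itf.name == itf_name:
                return itf.max_dhcp_addrs
        raise KeyError(itf_name)


def demo() -> DhcpContext:
    """Walk through values from this chapter: proxy1 with 253 addresses and the
    subscriber dhcp-test with max-addrs 8; eth1's capacity of 10 is constructed."""
    ctx = DhcpContext([DhcpInterface("eth1", "relay", 10),
                       DhcpInterface("proxy1", "proxy", 253)])
    ctx.bind(Subscriber("dhcp-test", 8))                   # eth1: 10 -> 2
    ctx.bind(Subscriber("sub2", 8))                        # eth1 lacks room; proxy1: 253 -> 245
    ctx.bind(Subscriber("sub3", 2))                        # eth1: 2 -> 0, now unavailable
    ctx.bind(Subscriber("clips1", 1, dynamic_clips=True))  # proxy1: 245 -> 244
    return ctx


if __name__ == "__main__":
    context = demo()
    for interface in context.interfaces:
        print(interface.name, interface.mode, interface.max_dhcp_addrs, interface.bound)
```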
Related Commands
dhcp max-addrs
dhcp proxy
dhcp relay server
dhcp relay option
dhcp relay option [hostname [separator character]]
no dhcp relay option [hostname [separator character]]
Purpose
Enables the sending of Dynamic Host Configuration Protocol (DHCP) options in DHCP packets relayed
by the interfaces in the specified context.
Command Mode
context configuration
Syntax Description
hostname Optional. Prepends the SmartEdge router hostname to the agent circuit id
field of DHCP option 82. The SmartEdge OS uses the hostname that you
have configured using the system hostname command (in context
configuration mode). If you have not configured the hostname, the
SmartEdge OS uses the default hostname of Redback.
separator character Optional. Character that separates the elements of the attribute string.
Changes the character that separates the hostname from the circuit id field of
DHCP option 82. The default separator character is the colon (:).
Default
DHCP options are not sent.
Usage Guidelines
Use the dhcp relay option command to enable the sending of DHCP options in all DHCP packets that are
relayed by the interfaces in the specified context.
On some networks, DHCP is used to dynamically configure IP address information for subscriber hosts.
The SmartEdge router can act as a relay or as a proxy for DHCP servers. DHCP is typically used with
RFC 1483 bridge-encapsulated circuits, as opposed to Point-to-Point Protocol (PPP) circuits.
The SmartEdge OS can use DHCP relay options to help track DHCP requests. Some options can also
enhance the DHCP server's function. The DHCP relay options are described in RFC 3046, DHCP Relay
Agent Information Option.
In order for relay options to take effect, you must enable DHCP relay for the context, using the
dhcp relay server command (in context configuration mode), and for an interface, using the dhcp relay
or dhcp proxy command (in interface configuration mode). You must also configure subscriber records,
using the dhcp max-addrs command (in subscriber configuration mode) to indicate that associated hosts
are to use DHCP relay to dynamically acquire address information.
Use the no form of this command to disable the sending of DHCP options.
Examples
The following example enables the sending of DHCP relay options:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
The following example prepends the system hostname, SE800, to the agent circuit id field of DHCP option
82 and, by default, uses the colon (:) to separate the hostname from the circuit id field:
[local]Redback(config)#system hostname SE800
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp relay server 108.1.1.157
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option hostname
The DHCP server's lease log for this configuration would be similar to the following example:
lease 120.1.3.191 {
  starts 2 2005/11/08 10:05:21;
  ends 2 2005/11/08 10:35:21;
  binding state active;
  next binding state free;
  hardware ethernet 00:dd:00:00:00:1e;
  uid \001\006\000\335\000\000\000\036;
  option agent.circuit-id SE800:1/4 vpi-vci 0 103;
}
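A defender's reading of such a lease log, as an added Python example rather than anything from the guide: it parses ISC-style lease records, splits the router hostname off the agent circuit id with the configured separator, and cross-checks the client identifier against the hardware address so a lease can be traced to the circuit the relay saw it on. The sample record is constructed after the one above; the function names and the heuristic that a type-1 client identifier ends with the six MAC bytes are assumptions.

```python
"""Parse DHCP server lease records that carry the option 82 agent circuit-id
inserted by 'dhcp relay option hostname' (added example; sample constructed)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like the lease log shown for 'dhcp relay option hostname'.
SAMPLE_LEASE_LOG = r"""lease 120.1.3.191 {
  starts 2 2005/11/08 10:05:21;
  ends 2 2005/11/08 10:35:21;
  binding state active;
  next binding state free;
  hardware ethernet 00:dd:00:00:00:1e;
  uid \001\006\000\335\000\000\000\036;
  option agent.circuit-id SE800:1/4 vpi-vci 0 103;
}
"""

LEASE_START = re.compile(r"^\s*lease\s+(\S+)\s*\{\s*$")
OCTAL = re.compile(r"[0-7]{3}")


def decode_uid(text: str) -> bytes:
    """Decode the lease-file escaping of a client identifier: printable bytes
    appear literally, the rest as \\ooo octal escapes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and OCTAL.fullmatch(text[i + 1:i + 4]):
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_lease_log(text: str) -> List[Dict]:
    """Return one dict per 'lease ... { ... }' block; a trailing ';' is optional."""
    leases: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        start = LEASE_START.match(raw)
        if start:
            cur = {"ip": start.group(1), "options": {}}
            continue
        line = raw.strip().rstrip(";").strip()
        if not line or cur is None:
            continue
        if line == "}":
            leases.append(cur)
            cur = None
        elif line.startswith(("starts ", "ends ")):
            key, value = line.split(" ", 1)
            cur[key] = value
        elif line.startswith("next binding state "):
            cur["next_binding_state"] = line.rsplit(" ", 1)[1]
        elif line.startswith("binding state "):
            cur["binding_state"] = line.rsplit(" ", 1)[1]
        elif line.startswith("hardware ethernet "):
            cur["hardware"] = line.rsplit(" ", 1)[1].lower()
        elif line.startswith("uid "):
            cur["uid"] = decode_uid(line[4:].strip().strip('"'))
        elif line.startswith("option "):
            name, _, value = line[7:].partition(" ")
            cur["options"][name] = value.strip('"')
    return leases


def split_circuit_id(value: str, separator: str = ":") -> Tuple[Optional[str], str]:
    """Split '<hostname><separator><circuit>' into (hostname, circuit). Without the
    hostname keyword the relay sends the bare circuit id, so (None, value) is
    returned when no separator is present. Only the first separator counts, which
    is why a circuit id that itself contains ':' calls for 'separator character'."""
    head, sep, tail = value.partition(separator)
    return (head, tail) if sep else (None, value)


def uid_matches_hardware(lease: Dict) -> bool:
    """Heuristic (assumption): a type-1 client identifier should end with the six
    bytes of the hardware address; a mismatch is worth a closer look."""
    uid = lease.get("uid", b"")
    hw = bytes.fromhex(lease.get("hardware", "").replace(":", ""))
    return len(uid) >= 7 and uid[0] == 1 and uid[-6:] == hw


def circuit_index(leases: List[Dict], separator: str = ":") -> Dict[str, Tuple[Optional[str], str, str]]:
    """Map each active lease's circuit to (hostname, ip, mac) so an address can be
    traced back to the physical circuit the relay inserted into option 82."""
    index: Dict[str, Tuple[Optional[str], str, str]] = {}
    for lease in leases:
        if lease.get("binding_state") != "active":
            continue
        cid = lease["options"].get("agent.circuit-id")
        if cid is None:
            continue
        host, circuit = split_circuit_id(cid, separator)
        index[circuit] = (host, lease["ip"], lease.get("hardware", ""))
    return index


if __name__ == "__main__":
    for lease in parse_lease_log(SAMPLE_LEASE_LOG):
        print(lease["ip"], lease["options"], uid_matches_hardware(lease))
```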
Related Commands
dhcp proxy
dhcp relay
dhcp relay server
dhcp relay server
dhcp relay server {ip-addr | hostname} [max-hops count] [min-wait interval]
no dhcp relay server {ip-addr | hostname} [max-hops count] [min-wait interval]
Purpose
Configures an external Dynamic Host Configuration Protocol (DHCP) server and enters DHCP relay server
configuration mode.
Command Mode
context configuration
Syntax Description
ip-addr IP address of the DHCP server.
hostname Hostname of the DHCP server.
max-hops count Optional. Maximum number of hops allowed for requests. The range of
values for the count argument is 1 to 16.
min-wait interval Optional. Minimum time, in seconds, to wait before forwarding requests to
the DHCP server. The range of values for the interval argument is 0 to 60.
Default
Disabled
Usage Guidelines
Use the dhcp relay server command to configure an external DHCP server and enter DHCP relay server
configuration mode. You can configure up to five external DHCP servers in each context.
If you have configured Remote Authentication Dial-In User Service (RADIUS) authentication, the
SmartEdge OS sends an accounting record to RADIUS every time DHCP assigns or releases an IP address.
To indicate that associated hosts are to use DHCP relay to dynamically acquire address information, you
must configure the subscriber default profile, a named profile, or subscriber records with the
dhcp max-addrs command (in subscriber configuration mode).
Note For the dhcp relay server command to take effect, you must also enable DHCP relay or
DHCP proxy on an interface in the same context, using the dhcp proxy or dhcp relay
command (in interface configuration mode).
Use the no form of this command to disable the DHCP server.
Examples
The following example configures an external DHCP server at IP address 10.30.40.50, and enters
DHCP relay server configuration mode:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#
Related Commands
broadcast-discover
dhcp max-addrs
dhcp proxy
dhcp relay
dhcp relay server retries
max-hops
min-wait
server-group
standby
dhcp relay server retries
dhcp relay server retries count timeout interval
no dhcp relay server retries count timeout interval
Purpose
Specifies the number of attempts and the interval to wait for each attempt when trying to reach an external
Dynamic Host Configuration Protocol (DHCP) server before it is marked unreachable.
Command Mode
context configuration
Syntax Description
count Maximum consecutive number of times to attempt reaching the DHCP
server; the default value is 3.
timeout interval Interval, in seconds, to wait for a reply after a DHCP request packet is sent.
The default value for the interval argument is 30.
Default
Up to three attempts are made to reach a DHCP server, with a wait interval of 30 seconds for each attempt.
Usage Guidelines
Use the dhcp relay server retries command to specify the number of attempts and the interval to wait for
each attempt when trying to reach an external DHCP server before it is marked unreachable.
If the interval expires without receiving a reply from the DHCP server, another DHCP request is sent to the
DHCP server until the maximum consecutive number of attempts has been reached. If the interval expires
after the last attempt without reaching the DHCP server, then the DHCP server is marked unreachable.
Use the no form of this command to specify the default conditions.
Examples
The following example configures the SmartEdge router to make up to 5 attempts to reach a DHCP server,
with a wait interval of 15 seconds for each attempt:
[local]Redback(config-ctx)#dhcp relay server retries 5 timeout 15
[local]Redback(config-ctx)#
Related Commands
dhcp relay server
dhcp relay suppress-nak
dhcp relay suppress-nak
no dhcp relay suppress-nak
Purpose
Disables the sending of a DHCPNAK message when the SmartEdge OS receives a DHCPREQUEST
message for which it does not have an entry.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
A DHCPNAK message is always sent.
Usage Guidelines
Use the dhcp relay suppress-nak command to disable the sending of a DHCPNAK message when the
SmartEdge OS receives a DHCPREQUEST message for which it does not have an entry. In this case, the
request is dropped.
Use the no form of this command to enable the default condition.
Examples
The following example disables the sending of a DHCPNAK message:
[local]Redback(config-ctx)#dhcp relay suppress-nak
Related Commands
None
dhcp server
dhcp server {interface | ip-addr}
no dhcp server {interface | ip-addr}
Purpose
Enables this interface for internal Dynamic Host Configuration Protocol (DHCP) server support and
assigns the IP address to be used for this support.
Command Mode
interface configuration
Syntax Description
interface Assigns the primary IP address of the interface to the DHCP server.
ip-addr One of the secondary IP addresses assigned to the interface.
Default
No internal DHCP servers are created.
Usage Guidelines
Use the dhcp server command to enable this interface for internal DHCP server support and assign the IP
address to be used for this support.
For information about the context command (in global configuration mode), the interface command (in
context configuration mode), and the ip address command (in interface configuration mode), see the
Context Configuration and Interface Configuration chapters, respectively, in the Basic System
Configuration Guide for the SmartEdge OS.
Note The actual choice of an IP address for the internal DHCP server is made by authentication,
authorization, and accounting (AAA), subject to any static mappings, subnets, and ranges that
you have configured for the server.
Note IP pools on an interface can be used to provide addresses for the DHCP server. If there is no
range of values specified on a DHCP subnet, the DHCP server takes the IP addresses from the
IP pool defined in the interface command. This IP pool can also be used by the DHCP server
and PPP subscribers on the same interface.
Use the no form of this command to delete the internal DHCP server.
Examples
The following example creates an internal DHCP server using the secondary IP address for the dhcp-if
interface in the dhcp context:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#interface dhcp-if multibind
[local]Redback(config-if)#ip address 12.1.1.1/24
[local]Redback(config-if)#ip address 13.1.1.1/24 secondary
[local]Redback(config-if)#dhcp server 13.1.1.1
Related Commands
dhcp server policy
dhcp server policy
dhcp server policy
no dhcp server policy
Purpose
Enables internal Dynamic Host Configuration Protocol (DHCP) server functions in this context and
accesses DHCP server configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
Internal DHCP server functions are disabled for this context.
Usage Guidelines
Use the dhcp server policy command to enable internal DHCP server functions in this context and access
DHCP server configuration mode.
Note IP pools on an interface can be used to provide addresses for the DHCP server. If there is no
range of values specified on a DHCP subnet, the DHCP server takes the IP addresses from the
IP pool defined in the interface command. This IP pool can also be used by the DHCP server
and PPP subscribers on the same interface.
Use the no form of this command to disable internal DHCP server functions.
Examples
The following example enables DHCP server functions in the dhcp context:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#
Related Commands
dhcp server
forward-all
forward-all
no forward-all
Purpose
Forwards packets to all other external Dynamic Host Configuration Protocol (DHCP) servers in a DHCP
server group.
Command Mode
DHCP relay server configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets are not forwarded to the other DHCP servers in the DHCP server group.
Usage Guidelines
When a DHCP server is unreachable, DHCP request packets can be forwarded to all other DHCP servers
in its DHCP server group. Use the forward-all command to forward packets to all other DHCP servers in
the server group.
Note When the DHCP server is unreachable, you can either forward packets to all other DHCP
servers in its DHCP server group or forward packets to its standby DHCP server, but not both;
the forward-all and standby commands are mutually exclusive.
Use the no form of this command to disable the forward-all option.
Examples
The following example forwards packets to all other DHCP servers in the DHCP server group int-grp
when the DHCP server 10.30.40.50 is unreachable:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#server-group int-grp
[local]Redback(config-dhcp-relay)#forward-all
Related Commands
broadcast-discover
dhcp relay server
server-group
standby
ip interface
ip interface name if-name
no ip interface name if-name
Purpose
Configures hosts to use a specific Dynamic Host Configuration Protocol (DHCP) interface to acquire
address information for a subscriber's circuit.
Command Mode
subscriber configuration
Syntax Description
name if-name DHCP interface name.
Default
The subscriber is bound to the first available DHCP interface.
Usage Guidelines
Use the ip interface command to configure hosts to use a specific DHCP interface to acquire address
information for a subscriber's circuit.
You must enable the specified interface for DHCP proxy or DHCP relay using the dhcp proxy or
dhcp relay command (in interface configuration mode), respectively.
You must use the dhcp max-addr command (in subscriber configuration mode) to enable hosts to acquire
address information for the subscriber's circuit.
Use the no form of this command to restore the default condition, in which the subscriber is bound to the
first available DHCP interface.
Examples
The following example creates an interface and specifies that hosts use the DHCP interface if-dhcp to
acquire address information for the circuit used by the sub-dhcp subscriber:
[local]Redback(config-ctx)#interface name if-dhcp
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0
[local]Redback(config-if)#dhcp relay
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name sub-dhcp
[local]Redback(config-sub)#dhcp max-addr 3
[local]Redback(config-sub)#ip interface name if-dhcp
Related Commands
None
mac-address
mac-address mac-addr ip-address ip-addr
no mac-address mac-addr ip-address ip-addr
Purpose
Creates a static mapping between a medium access control (MAC) address and an IP address in this subnet.
Command Mode
DHCP subnet configuration
Syntax Description
mac-addr MAC address of the client to be mapped.
ip-address ip-addr IP address to which the MAC address is to be mapped.
Default
No mapping exists between the MAC address and an IP address.
Usage Guidelines
Use the mac-address command to create a static mapping between a MAC address and an IP address in
this subnet.
The value for the ip-addr argument must be an IP address within this subnet, but not within any range of
IP addresses that you have specified using the range command (in DHCP subnet configuration mode).
Use the no form of this command to delete the static mapping.
Examples
The following example creates a static mapping between a MAC address and an IP address that lies in
the subnet but outside the dynamic range:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 12.1.1.0/24 name sub2
[local]Redback(config-dhcp-subnet)#range 12.1.1.50 12.1.1.100
[local]Redback(config-dhcp-subnet)#mac-address 02:12:34:56:78:90 ip-address 12.1.1.10
Related Commands
range
subnet
max-hops
max-hops count
{no | default} max-hops count
Purpose
Configures the maximum hop count allowed for Dynamic Host Configuration Protocol (DHCP) requests.
Command Mode
DHCP relay server configuration
Syntax Description
count Hop count. The range of values is 1 to 16.
Default
The maximum hop count is four.
Usage Guidelines
Use the max-hops command to configure the maximum hop count allowed for DHCP requests relayed to
this server. A request whose hop count already exceeds this value is not relayed.
Use the no or default form of this command to return to the default DHCP relay server maximum hop count
of four.
Examples
The following example configures a maximum of 12 hops for DHCP requests relayed to the DHCP server
10.30.40.50:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#max-hops 12
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp max-addrs
dhcp proxy
dhcp relay
dhcp relay server
forward-all
min-wait
server-group
standby
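The forward-all, standby, and max-hops settings above interact: a relay server entry has either a fan-out group or a standby, never both, and a request is only relayed if its hop count is within the limit. The following is an added example, not SmartEdge OS code, that models those rules as a small Python relay decision so they can be exercised against constructed inputs. Server addresses, the server-group names, and the reachability set are constructed; the assumption that a request already above max-hops is dropped is this example's own reading of "maximum hop count allowed".

```python
"""Relay forwarding decision for the forward-all, standby and max-hops settings.

Added example, not SmartEdge OS code: a model of how a DHCP relay chooses where
to send a request, written to make the documented rules testable. Server
addresses and the reachability set are constructed inputs.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RelayServer:
    """One 'dhcp relay server' entry and the settings entered in its mode."""
    address: str
    server_group: Optional[str] = None   # server-group group-name
    standby: Optional[str] = None        # standby server address (assumed single)
    forward_all: bool = False            # forward-all
    max_hops: int = 4                    # max-hops count, default four

    def __post_init__(self):
        # The page states that forward-all and standby are mutually exclusive.
        if self.forward_all and self.standby is not None:
            raise ValueError("forward-all and standby are mutually exclusive")
        if not 1 <= self.max_hops <= 16:
            raise ValueError("max-hops must be between 1 and 16")


class RelayConfig:
    """All relay server entries of one context, keyed by server address."""

    def __init__(self):
        self.servers = {}

    def add_server(self, address, **settings):
        self.servers[address] = RelayServer(address, **settings)
        return self.servers[address]

    def group_members(self, group_name):
        """Servers assigned to the same group with the server-group command."""
        return [a for a, s in self.servers.items()
                if group_name is not None and s.server_group == group_name]

    def forward_targets(self, address, hops, reachable):
        """Servers a request is relayed to.

        hops      - value of the request's hops field on arrival at the relay
        reachable - set of server addresses the relay currently considers reachable

        Assumption: a request whose hop count exceeds max-hops is dropped.
        """
        server = self.servers[address]
        if hops > server.max_hops:
            return []
        if address in reachable:
            return [address]
        # Primary unreachable: either fan out to the rest of its group ...
        if server.forward_all:
            return [a for a in self.group_members(server.server_group)
                    if a != address and a in reachable]
        # ... or fall back to the standby, never both.
        if server.standby is not None and server.standby in reachable:
            return [server.standby]
        return []


def demo():
    """Constructed configuration: .50 fans out over int-grp, .60 has a standby."""
    cfg = RelayConfig()
    cfg.add_server("10.30.40.50", server_group="int-grp", forward_all=True, max_hops=12)
    cfg.add_server("10.30.40.51", server_group="int-grp")
    cfg.add_server("10.30.40.52", server_group="int-grp")
    cfg.add_server("10.30.40.60", standby="10.30.40.61")
    up = {"10.30.40.51", "10.30.40.52", "10.30.40.61"}   # constructed: .50 and .60 are down
    return {
        "fan_out": cfg.forward_targets("10.30.40.50", hops=2, reachable=up),
        "standby": cfg.forward_targets("10.30.40.60", hops=2, reachable=up),
        "too_many_hops": cfg.forward_targets("10.30.40.50", hops=13, reachable=up),
        "primary_up": cfg.forward_targets("10.30.40.50", hops=2, reachable=up | {"10.30.40.50"}),
    }


if __name__ == "__main__":
    for name, targets in demo().items():
        print(f"{name}: {targets or 'dropped'}")
```

The mutual exclusion is enforced at construction time, which is where the CLI would reject the second of the two commands; everything else is a pure function of the request's hops field and the current reachability view, so the same table can be checked for any combination of down servers.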
max-lease-time
max-lease-time seconds
no max-lease-time seconds
Purpose
Specifies the maximum allowed time for the lease for this internal Dynamic Host Configuration Protocol
(DHCP) server or one of its subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
seconds Maximum allowed time for the lease, in seconds. The range of values is 900 (15 minutes) to 31,536,000 (one year).
Default
The maximum lease time is 24 hours.
Usage Guidelines
Use the max-lease-time command to specify the maximum allowed lease time for this internal DHCP
server or one of its subnets. Enter this command in DHCP server configuration mode to specify the
maximum allowed lease time for all subnets; enter it in DHCP subnet configuration mode to specify the
maximum allowed lease time for that subnet. The value that you specify for a subnet overrides the global
value for the server.
Use the no form of this command to restore the default value for the maximum allowed lease time.
Examples
The following example specifies a maximum allowed lease time of 48 hours (172,800 seconds) for the DHCP
server and all its subnets:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#max-lease-time 172800
Related Commands
default-lease-time
offer-lease-time
subnet
threshold
min-wait
min-wait interval
{no | default} min-wait interval
Purpose
Configures the interval, in seconds, to wait before forwarding requests to the Dynamic Host Configuration
Protocol (DHCP) server.
Command Mode
DHCP relay server configuration
Syntax Description
interval Wait interval in seconds. The range of values is 0 to 60.
Default
The wait interval is 0 seconds.
Usage Guidelines
Use the min-wait command to configure the interval, in seconds, to wait before forwarding requests to the
DHCP server.
Use the no or default form of this command to return to the default DHCP relay server minimum wait
interval of 0 seconds.
Examples
The following example configures a wait interval of 45 seconds for the DHCP relay server 10.30.40.50:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#min-wait 45
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp relay server
forward-all
max-hops
server-group
standby
offer-lease-time
offer-lease-time seconds
no offer-lease-time seconds
Purpose
Specifies the offer lease time for this internal Dynamic Host Configuration Protocol (DHCP) server or one
of its subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
seconds Length of time, in seconds, for which an offered address is held for the client. The range of values is 60 (one minute) to 3,600 (one hour).
Default
The default value for the offer lease time is two minutes.
Usage Guidelines
Use the offer-lease-time command to specify the offer lease time for the DHCP server or one of its subnets.
When entered in DHCP server configuration mode, it specifies the offer lease time for the server and all its
subnets; when entered in DHCP subnet configuration mode, it specifies the offer lease time for that subnet. The
value specified for a subnet overrides the global value for the server.
Use the no form of this command to restore the default value for the offer lease time.
Examples
The following example specifies an offer lease time of 5 minutes (300 seconds) for the DHCP server and all its
subnets:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#offer-lease-time 300
Related Commands
default-lease-time
max-lease-time
subnet
threshold
option
option {opt-num | opt-name} opt-arg1 [opt-arg2 [opt-arg3 [opt-arg4]]]
no option {opt-num | opt-name}
Purpose
Specifies an option for this internal Dynamic Host Configuration Protocol (DHCP) server or one of its
subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
opt-num DHCP option number; the range of values is 1 to 125. Table 5-7 to Table 5-13 list the option numbers.
opt-name DHCP option name. Table 5-7 to Table 5-13 list the option names.
opt-arg1 First argument for the DHCP option. Table 5-7 to Table 5-13 list the arguments for the DHCP options.
opt-arg2 ... opt-arg4 Optional. Additional values for a DHCP option with an IP address argument. If opt-arg1 is an IP address, you can specify up to three additional IP addresses.
Default
No DHCP options are specified for the DHCP server or for any of its subnets.
Usage Guidelines
Use the option command to specify an option for this internal DHCP server or for one of its subnets. When
you enter this command in DHCP server configuration mode, it specifies the DHCP option for the server
and all its subnets; when you enter it in DHCP subnet configuration mode, it specifies the option for that
subnet. The value specified for a subnet overrides the global value for the server.
You can enter this command multiple times to specify as many different DHCP options as you require.
Succeeding entries for the same DHCP option overwrite any previously entered value.
You can specify up to four IP addresses for a DHCP option that requires an IP address. If the DHCP option
also requires a netmask argument in addition to the IP address, you can specify up to two IP addresses with
their netmask arguments.
RFC 2132, DHCP Options and BOOTP Vendor Extensions, Sections 3 through 9 describe the option
numbers, names, and arguments. Table 5-7 to Table 5-13 list this data for the options in each section;
options are listed by code within each table.
Use the no form of this command to remove the option from the internal DHCP server or subnet
configuration.
Note DHCP can send RADIUS-specified vendor-encapsulated options to the DHCP client.
RADIUS sends the vendor-encapsulated options using the Redback vendor-specific attribute
(VSA) 127 (DHCP-Vendor-Encap-Options). For more information about the format for VSA
127, see Table A-7 in Appendix A, RADIUS Attributes.
Table 5-7 RFC 1497 Vendor Extensions
Code | Name | Argument | Argument Description | Option Description
1 | subnet-mask | netmask | Netmask in the format E.F.G.H. | Configure the subnet mask supplied to the client.
2 | time-offset | seconds | Signed integer; the range of values is -2,147,483,648 to +2,147,483,647. | Configure the time offset value.
3 | router | ip-addr | IP address in the format A.B.C.D. | Configure the router that the client can use.
4 | time-server | ip-addr | IP address in the format A.B.C.D. | Configure the time server.
5 | ien116-name-server | ip-addr | IP address in the format A.B.C.D. | Configure the IEN116 name server.
6 | domain-name-server | ip-addr | IP address in the format A.B.C.D. | Configure the domain name server.
7 | log-server | ip-addr | IP address in the format A.B.C.D. | Configure the log server.
8 | cookie-server | ip-addr | IP address in the format A.B.C.D. | Configure the cookie server.
9 | lpr-server | ip-addr | IP address in the format A.B.C.D. | Configure the line printer (LPR) server.
10 | impress-server | ip-addr | IP address in the format A.B.C.D. | Configure the Impress server.
11 | resource-location-server | ip-addr | IP address in the format A.B.C.D. | Configure the resource location server.
12 | host-name | name | Name of the host. | Configure the hostname, which can include its domain name.
13 | boot-size | size | File size in 512-octet blocks; the range of values is 0 to 65,535. | Configure the size of the boot file.
14 | merit-dump | path | Path, including the filename. | Configure the path to the merit dump file.
15 | domain-name | dom-name | Domain name, for example redback.com (enter it without quotation marks). | Configure the domain name.
16 | swap-server | ip-addr | IP address in the format A.B.C.D. | Configure the swap server.
17 | root-path | path | Path to the root disk. | Configure the path to the root disk.
18 | extensions-path | path | Path to the extensions. | Configure the extensions path.
Table 5-8 IP Layer Parameters for a Host
Code | Name | Argument | Argument Description | Option Description
19 | ip-forwarding | boolean-flag | 0: Disables IP layer forwarding. 1: Enables IP layer forwarding. | Configure IP forwarding.
20 | non-local-source-routing | boolean-flag | 0: Disables forwarding of datagrams with nonlocal source routes. 1: Enables forwarding of datagrams with nonlocal source routes. | Configure non-local source routing.
21 | policy-filter | ip-addr netmask | IP address in the format A.B.C.D followed by a netmask in the format E.F.G.H. | Configure a policy filter.
22 | max-dgram-reassembly | max-size | Maximum size of any datagram that needs reassembly; the range of values is 0 to 65,535. | Configure the maximum size for datagram reassembly.
23 | default-ip-ttl | ttl | The range of values is 0 to 255. | Configure the default IP time-to-live value.
24 | path-mtu-aging-timeout | seconds | The range of values is 0 to 4,294,967,295. | Configure the timeout value to use when aging path maximum transmission units (MTUs).
25 | path-mtu-plateau-table | mtu | The range of values is 0 to 65,535. | Configure the table of MTU sizes for use when performing path MTU discovery.
Table 5-9 IP Layer Parameters for an Interface
Code | Name | Argument | Argument Description | Option Description
26 | interface-mtu | mtu | The range of values is 0 to 65,535. | Configure the interface MTU.
27 | all-subnets-local | boolean-flag | 0: Some subnets can have smaller MTUs. 1: All subnets share the same MTU. | Configure whether all subnets are local.
28 | broadcast-address | ip-addr | IP address in the format A.B.C.D. | Configure the broadcast IP address.
29 | perform-mask-discovery | boolean-flag | 0: Client does not perform mask discovery. 1: Client performs mask discovery. | Configure mask discovery.
30 | mask-supplier | boolean-flag | 0: Client should not respond to mask requests. 1: Client should respond to mask requests. | Configure the mask supplier.
31 | router-discovery | boolean-flag | 0: Client should not perform router discovery. 1: Client should perform router discovery. | Configure router discovery.
32 | router-solicitation-address | ip-addr | IP address in the format A.B.C.D. | Configure the router solicitation IP address.
33 | static-route | ip-addr netmask | IP address in the format A.B.C.D followed by a netmask in the format E.F.G.H. | Configure the static route.
Table 5-10 Link Layer Parameters for an Interface
Code | Name | Argument | Argument Description | Option Description
34 | trailer-encapsulation | boolean-flag | 0: Client should not attempt to use trailers. 1: Client should attempt to use trailers. | Configure trailer encapsulation.
35 | arp-cache-timeout | seconds | The range of values is 0 to 4,294,967,295. | Configure the Address Resolution Protocol (ARP) cache timeout.
36 | ieee802-3-encapsulation | boolean-flag | 0: Client should use Ethernet version 2 encapsulation (RFC 894 (1)). 1: Client should use IEEE 802.3 encapsulation (RFC 1042 (2)). | Specify Ethernet encapsulation.
1. RFC 894, Standard for the Transmission of IP Datagrams over Ethernet Networks
2. RFC 1042, Standard for the Transmission of IP Datagrams over IEEE 802 Networks
Table 5-11 TCP Parameters
Code | Name | Argument | Argument Description | Option Description
37 | default-tcp-ttl | ttl | The range of values is 0 to 255. | Configure the default Transmission Control Protocol (TCP) time-to-live value.
38 | tcp-keepalive-interval | seconds | The range of values is 0 to 4,294,967,295. | Configure the TCP keepalive interval.
39 | tcp-keepalive-garbage | boolean-flag | 0: Client should not send a garbage octet. 1: Client should send a garbage octet. | Configure the use of a TCP keepalive garbage octet.
Table 5-12 Application and Service Parameters
Code | Name | Argument | Argument Description | Option Description
40 | nis-domain | dom-name | NIS domain. | Configure the Network Information Service (NIS) domain.
41 | nis-server | ip-addr | IP address in the format A.B.C.D. | Configure the NIS server.
42 | ntp-server | ip-addr | IP address in the format A.B.C.D. | Configure the Network Time Protocol (NTP) server.
43 | vendor-encapsulated-options | numeric num or string name | num: option number. name: option name. | Configure a vendor-encapsulated option.
44 | netbios-name-server | ip-addr | IP address in the format A.B.C.D. | Configure the NetBIOS name server.
45 | netbios-dd-server | ip-addr | IP address in the format A.B.C.D. | Configure the NetBIOS datagram distribution (DD) server.
46 | netbios-node-type | type | The range of values is 0 to 255. | Configure the NetBIOS node type.
47 | netbios-scope | scope | NetBIOS scope parameter. | Configure the NetBIOS scope parameter, as specified in RFC 1001 (1) and RFC 1002 (2).
48 | font-server | ip-addr | IP address in the format A.B.C.D. | Configure the font server.
49 | x-display-manager | ip-addr | IP address in the format A.B.C.D. | Configure the X Window System display manager.
64 | nisplus-domain | dom-name | NIS+ domain. | Configure the NIS+ domain.
65 | nisplus-server | ip-addr | IP address in the format A.B.C.D. | Configure the NIS+ server.
68 | mobile-ip-home-agent | ip-addr | IP address in the format A.B.C.D. | Configure the Mobile IP home agent.
69 | smtp-server | ip-addr | IP address in the format A.B.C.D. | Configure the Simple Mail Transfer Protocol (SMTP) server.
70 | pop-server | ip-addr | IP address in the format A.B.C.D. | Configure the Post Office Protocol (POP3) server.
71 | nntp-server | ip-addr | IP address in the format A.B.C.D. | Configure the Network News Transfer Protocol (NNTP) server.
72 | www-server | ip-addr | IP address in the format A.B.C.D. | Configure the WWW server.
73 | finger-server | ip-addr | IP address in the format A.B.C.D. | Configure the finger server.
74 | irc-server | ip-addr | IP address in the format A.B.C.D. | Configure the default Internet Relay Chat (IRC) server.
75 | streettalk-server | ip-addr | IP address in the format A.B.C.D. | Configure the StreetTalk server.
76 | streettalk-directory-assistance-server | ip-addr | IP address in the format A.B.C.D. | Configure the StreetTalk directory assistance (STDA) server.
1. RFC 1001, Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods
2. RFC 1002, Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications
Table 5-13 DHCP Extension Parameters
Code | Name | Argument | Argument Description | Option Description
66 | tftp-server-name | name | TFTP server name. | Configure the Trivial File Transfer Protocol (TFTP) server.
67 | bootfile-name | name | Boot filename. | Configure the name of the boot loader image file.
Examples
The following example specifies the options for an internal DHCP server (and its subnets), which are
then overridden for the sub2 subnet:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
! Specify global options (these apply to all subnets)
[local]Redback(config-dhcp-server)#option domain-name redback.com
[local]Redback(config-dhcp-server)#option domain-name-server 10.1.1.254
! Create a subnet; specify options for this subnet, which override the global settings
[local]Redback(config-dhcp-server)#subnet 10.1.1.1/24 name sub2
[local]Redback(config-dhcp-subnet)#option router 10.1.1.1
[local]Redback(config-dhcp-subnet)#option domain-name hot.com
The following example adds a second IP address for the router option in the sub2 subnet configuration
and includes option 21 (policy-filter) with two IP addresses and their netmasks:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 10.1.1.1/24 name sub2
[local]Redback(config-dhcp-subnet)#option router 10.1.1.1 10.1.1.2
[local]Redback(config-dhcp-subnet)#option 21 10.1.1.23 255.255.255.255 10.1.1.33 255.255.255.255
Related Commands
subnet
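The tables above describe each option's argument, and the usage guidelines give the override rule and the four-address and two-pair limits, but not what the client actually receives. The following is an added example, not SmartEdge OS code, that takes the two CLI examples above as (option, arguments) statements, merges them with the documented precedence, checks the argument limits, and packs the result as RFC 2132 type-length-value octets. The option subset, the encoding kinds, the address-time entry (option 51) and the sample addresses are this example's own choices.

```python
"""RFC 2132 wire encoding for options of the kind listed in Tables 5-7 to 5-13.

Added example, not SmartEdge OS code. It models server-level and subnet-level
'option' statements, merges them with the documented override rule, enforces the
argument-count limits from the usage guidelines, and packs the result as
type-length-value octets. The option subset and sample addresses are this
example's own choices.
"""
import ipaddress
import struct

# code -> (name, encoding kind); a subset of the tables, enough for the examples
OPTIONS = {
    1: ("subnet-mask", "ip"),
    2: ("time-offset", "int32"),
    3: ("router", "ip-list"),
    6: ("domain-name-server", "ip-list"),
    12: ("host-name", "string"),
    15: ("domain-name", "string"),
    19: ("ip-forwarding", "flag"),
    21: ("policy-filter", "ip-mask-list"),
    23: ("default-ip-ttl", "uint8"),
    26: ("interface-mtu", "uint16"),
    51: ("address-time", "uint32"),  # lease time, RFC 2132 section 9.2
}
CODE_BY_NAME = {name: code for code, (name, _) in OPTIONS.items()}
INT_KINDS = {"flag": ("!B", 0, 1), "uint8": ("!B", 0, 255), "uint16": ("!H", 0, 65535),
             "uint32": ("!I", 0, 2**32 - 1), "int32": ("!i", -2**31, 2**31 - 1)}
MAX_IP_ARGS = 4        # up to four addresses for an ip-addr option
MAX_IP_MASK_PAIRS = 2  # up to two address/netmask pairs


def resolve_code(opt):
    """Accept an option number or a name, like the CLI's {opt-num | opt-name}."""
    if isinstance(opt, int):
        if opt not in OPTIONS:
            raise ValueError(f"unsupported option code {opt}")
        return opt
    if opt not in CODE_BY_NAME:
        raise ValueError(f"unknown option name {opt!r}")
    return CODE_BY_NAME[opt]


def encode_value(code, args):
    """Pack one option's arguments into its RFC 2132 value octets."""
    kind = OPTIONS[code][1]
    if kind == "ip":
        if len(args) != 1:
            raise ValueError("exactly one address expected")
        return ipaddress.IPv4Address(args[0]).packed
    if kind == "ip-list":
        if not 1 <= len(args) <= MAX_IP_ARGS:
            raise ValueError(f"1 to {MAX_IP_ARGS} addresses expected")
        return b"".join(ipaddress.IPv4Address(a).packed for a in args)
    if kind == "ip-mask-list":
        if len(args) % 2 or not 2 <= len(args) <= 2 * MAX_IP_MASK_PAIRS:
            raise ValueError(f"1 to {MAX_IP_MASK_PAIRS} address/netmask pairs expected")
        return b"".join(ipaddress.IPv4Address(a).packed for a in args)
    if kind == "string":
        data = str(args[0]).encode("ascii")
        if not 1 <= len(data) <= 255:
            raise ValueError("string must be 1 to 255 octets")
        return data
    fmt, low, high = INT_KINDS[kind]
    value = int(args[0])
    if not low <= value <= high:
        raise ValueError(f"{kind} value {value} out of range")
    return struct.pack(fmt, value)


def merge_options(server_opts, subnet_opts):
    """Override rule: a later entry for the same option overwrites an earlier one,
    and subnet-level entries are applied after server-level ones."""
    merged = {}
    for opt, args in list(server_opts) + list(subnet_opts):
        merged[resolve_code(opt)] = list(args)
    return merged


def encode_options(merged):
    """Serialise merged options as TLVs in ascending code order, ending with End (255)."""
    out = bytearray()
    for code in sorted(merged):
        value = encode_value(code, merged[code])
        out += bytes((code, len(value))) + value
    out.append(255)
    return bytes(out)


def decode_options(data):
    """Walk TLV octets back into {code: value octets}; used to check a round trip."""
    fields, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:            # Pad option has no length octet
            i += 1
            continue
        code, length = data[i], data[i + 1]
        fields[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return fields


# The two CLI examples above, expressed as (option, arguments) statements
SERVER_OPTIONS = [("domain-name", ["redback.com"]), ("domain-name-server", ["10.1.1.254"])]
SUB2_OPTIONS = [("router", ["10.1.1.1", "10.1.1.2"]), ("domain-name", ["hot.com"]),
                (21, ["10.1.1.23", "255.255.255.255", "10.1.1.33", "255.255.255.255"])]


def sub2_wire():
    """Option octets a client on sub2 would receive for these statements."""
    return encode_options(merge_options(SERVER_OPTIONS, SUB2_OPTIONS))


if __name__ == "__main__":
    print(sub2_wire().hex())
```

Running it prints the option octets for sub2: the router list (code 3, 8 octets), the inherited domain-name-server (code 6), the subnet's own domain-name (code 15, hot.com rather than redback.com), the two policy-filter pairs (code 21, 16 octets), and the End octet. A fifth router address or a third policy-filter pair is rejected before anything is encoded, which is the check the CLI applies when the argument limits in the usage guidelines are exceeded.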
option-82
To specify the circuit agent ID, the syntax is:
option-82 circuit-id string [offset position] {ip-address ip-addr | max-addresses num-addr}
no option-82 circuit-id string [offset position] {ip-address ip-addr | max-addresses num-addr}
To specify the remote agent ID, the syntax is:
option-82 remote-id string [offset position] ip-address ip-addr
no option-82 remote-id string
Purpose
Creates a static mapping between the Agent-Circuit-Id subfield or the Agent-Remote-Id subfield in the
option 82 field and an IP address.
Command Mode
DHCP subnet configuration
Syntax Description
circuit-id string Circuit agent ID. A text string of up to 255 printable characters; enclose the string in quotation marks (" ") if it includes spaces.
remote-id string Remote agent ID. A text string of up to 255 printable characters; enclose the string in quotation marks (" ") if it includes spaces.
offset position Optional. Position of the starting octet in the option 82 subfield that is to be matched against the string argument, in one of the following formats:
+n or n: The starting octet is the nth octet in the received ID. The match is performed on the nth and succeeding octets for the length of the string argument.
-n: The starting octet is the last octet in the received ID minus the previous (n-1) octets, that is, the nth octet counted from the end. The match is performed on that octet and the succeeding octets for the length of the string argument.
The default value is 1 (the first octet). You can also specify the first octet with a value of 0.
ip-address ip-addr IP address to which the option 82 subfield is to be mapped.
max-addresses num-addr Maximum number of IP addresses permitted for the specified circuit agent ID.
Default
No static mapping is created between an option 82 subfield and any IP address.
Usage Guidelines
Use the option-82 command to create a static mapping between the Agent-Circuit-Id subfield or the
Agent-Remote-Id subfield in the option 82 field and an IP address. The option 82 field is carried in the DHCP
discover packet. Because the relay agent or access node, not the client, inserts these subfields, a mapping
is only as trustworthy as the device that inserted them.
The value for the ip-addr argument must be an IP address within this subnet, but not within any range of
IP addresses that you have specified using the range command (in DHCP subnet configuration mode).
You can specify the remote agent ID and the circuit agent ID in Redback vendor-specific attributes (VSAs)
96 and 97, respectively, using the radius attribute calling-station-id and radius attribute nas-port-id
commands (in context configuration mode). Redback VSAs are described in Appendix A, RADIUS
Attributes.
Use the no form of this command to delete the static mapping.
Examples
The following example creates a static mapping between the option 82 Agent-Circuit-Id subfield
4:1 vlan 102, matched starting at the third octet of the received ID, and the IP address 12.1.1.11:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 12.1.1.0/24 name sub2
[local]Redback(config-dhcp-subnet)#range 12.1.1.50 12.1.1.100
[local]Redback(config-dhcp-subnet)#mac-address 02:12:34:56:78:90 ip-address 12.1.1.10
[local]Redback(config-dhcp-subnet)#option-82 circuit-id "4:1 vlan 102" offset 3 ip-address 12.1.1.11
Related Commands
mac-address
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-port-id
range
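The mac-address and option-82 entries share two rules that are easy to get wrong: a static address must lie inside the subnet but outside every range, and an option 82 match starts at the octet selected by offset (counted from the front for +n or n, from the end for -n) and must then match the string for its whole length. The following is an added example, not SmartEdge OS code, that implements both rules for one subnet, parses the Agent-Circuit-Id and Agent-Remote-Id sub-options out of a DHCPDISCOVER options buffer, and looks up the static address for a request. The DISCOVER bytes, the MAC addresses and the remote-id value are constructed, and the choice to consult MAC mappings before option 82 mappings is this example's own assumption, since the page does not state a precedence.

```python
"""Static address mappings for one internal DHCP subnet: the mac-address and
option-82 commands and their constraints.

Added example, not SmartEdge OS code. It enforces the rule that a static address
must lie inside the subnet but outside every range, implements the documented
offset semantics for option 82 matching, and pulls the Agent-Circuit-Id and
Agent-Remote-Id subfields out of a DHCP options buffer. The DHCPDISCOVER bytes
are constructed, and the precedence of MAC mappings over option 82 mappings is
this example's own assumption.
"""
import ipaddress

CIRCUIT_ID, REMOTE_ID = 1, 2     # RFC 3046 sub-option codes inside option 82


def match_at_offset(received, pattern, offset=1):
    """offset +n or n: start at the nth octet (1-based; 0 also means the first).
    offset -n: start at the last octet minus the previous n-1 octets, i.e. n from the end.
    The pattern must then match the succeeding octets for its whole length."""
    start = max(offset, 1) - 1 if offset >= 0 else len(received) + offset
    if start < 0 or start + len(pattern) > len(received):
        return False
    return received[start:start + len(pattern)] == pattern


def parse_option82(options):
    """Return {sub-option code: value} for option 82 in an RFC 2132 options buffer."""
    subs, i = {}, 0
    while i < len(options) and options[i] != 255:
        if options[i] == 0:                      # Pad option has no length octet
            i += 1
            continue
        code, length = options[i], options[i + 1]
        value = options[i + 2:i + 2 + length]
        i += 2 + length
        if code == 82:
            j = 0
            while j + 2 <= len(value):
                scode, slen = value[j], value[j + 1]
                subs[scode] = bytes(value[j + 2:j + 2 + slen])
                j += 2 + slen
    return subs


class SubnetMappings:
    """Static mappings configured under 'subnet a.b.c.d/n name ...'."""

    def __init__(self, subnet):
        self.subnet = ipaddress.IPv4Network(subnet, strict=False)
        self.ranges = []        # (start, end) pairs from the range command
        self.by_mac = {}
        self.by_option82 = []   # (sub-option code, pattern, offset, address)

    def add_range(self, start, end):
        self.ranges.append((ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))

    def _static_address(self, ip):
        """ip-addr must be in this subnet but not inside any configured range."""
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.subnet:
            raise ValueError(f"{addr} is not in {self.subnet}")
        if any(start <= addr <= end for start, end in self.ranges):
            raise ValueError(f"{addr} lies inside a dynamic range")
        return addr

    def add_mac(self, mac, ip):
        self.by_mac[mac.lower()] = self._static_address(ip)

    def add_circuit_id(self, string, ip, offset=1):
        self.by_option82.append((CIRCUIT_ID, string.encode(), offset, self._static_address(ip)))

    def add_remote_id(self, string, ip, offset=1):
        self.by_option82.append((REMOTE_ID, string.encode(), offset, self._static_address(ip)))

    def lookup(self, mac, options=b""):
        """Static address for a request, or None if only a dynamic lease applies."""
        if mac.lower() in self.by_mac:           # assumption: MAC mapping is consulted first
            return str(self.by_mac[mac.lower()])
        subs = parse_option82(options)
        for scode, pattern, offset, addr in self.by_option82:
            if scode in subs and match_at_offset(subs[scode], pattern, offset):
                return str(addr)
        return None


def build_discover_options(circuit_id, remote_id):
    """Constructed DHCPDISCOVER options: message type (53) plus option 82 with both subfields."""
    agent = (bytes((CIRCUIT_ID, len(circuit_id))) + circuit_id
             + bytes((REMOTE_ID, len(remote_id))) + remote_id)
    return b"\x35\x01\x01" + bytes((82, len(agent))) + agent + b"\xff"


def demo():
    """The sub2 configuration from the examples above, applied to constructed requests."""
    sub2 = SubnetMappings("12.1.1.0/24")
    sub2.add_range("12.1.1.50", "12.1.1.100")
    sub2.add_mac("02:12:34:56:78:90", "12.1.1.10")
    sub2.add_circuit_id("4:1 vlan 102", "12.1.1.11", offset=3)   # skip two leading octets
    matching = build_discover_options(b"0/4:1 vlan 102", b"dslam-7")
    other = build_discover_options(b"0/9:9 vlan 5", b"dslam-7")
    return {
        "mac": sub2.lookup("02:12:34:56:78:90"),
        "circuit": sub2.lookup("00:11:22:33:44:55", matching),
        "dynamic": sub2.lookup("00:11:22:33:44:55", other),
    }
```

With offset 3 the configured string is compared against the received ID from its third octet, so a circuit ID such as 0/4:1 vlan 102 matches while 0/9:9 vlan 5 does not and falls through to dynamic assignment; configuring a static address inside the 12.1.1.50 to 12.1.1.100 range is rejected at configuration time, as the usage guidelines require.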
range
range start-ip-addr end-ip-addr [threshold [falling min-threshold] [rising max-threshold] [trap]
[log]]
no range start-ip-addr end-ip-addr
Purpose
Assigns a range of IP addresses to this Dynamic Host Configuration Protocol (DHCP) subnet.
Command Mode
DHCP subnet configuration
Syntax Description
start-ip-addr Starting IP address of the range.
end-ip-addr Ending IP address of the range.
threshold Optional. Enables threshold monitoring and reporting at the range level.
falling min-threshold Optional. Number of available leases at which, while the count is falling, a trap or a log message is sent if configured.
rising max-threshold Optional. Number of available leases at which, while the count is rising, a trap or a log message is sent if configured.
trap Optional. Sends a Simple Network Management Protocol (SNMP) trap on reaching the threshold value.
log Optional. Sends a log message on reaching the threshold value.
Default
No range of IP addresses is assigned to any subnet.
Usage Guidelines
Use the range command to assign a range of IP addresses to this DHCP subnet.
The values of the start-ip-addr and end-ip-addr arguments must be within the subnet of IP addresses that
you have assigned to this subnet using the subnet command (in DHCP server configuration mode).
Use the optional threshold keyword to enable the monitoring and reporting of available leases at the range
level and to specify rising and falling values that can trigger an SNMP trap and a log message.
You can enter either or both of the falling min-threshold and rising max-threshold constructs in any order.
You can enter either or both of the trap and log keywords in any order for either construct.
Use the no form of this command to delete the range from the subnet configuration.
Examples
The following example assigns a range of IP addresses to the sub2 subnet; it also enables the monitoring
and reporting of available leases for this range and triggers an SNMP trap when the number of available
leases is decreasing and reaches 100:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 13.1.1.1/24 name sub2
[local]Redback(config-dhcp-subnet)#range 13.1.1.50 13.1.1.100 threshold falling 100 trap
Related Commands
subnet
threshold
rate-adjust dhcp pwfq
rate-adjust dhcp pwfq kbps priority-group group-num
no rate-adjust dhcp pwfq kbps priority-group group-num
Purpose
Adjusts the enforcement of a priority weighted fair queuing (PWFQ) policy on a circuit based on whether
the subscriber is granted a Dynamic Host Configuration Protocol (DHCP) lease.
Command Mode
subscriber configuration
Syntax Description
kbps Rate in kilobits per second. The range of values is 1 to 1,000,000.
group-num Priority group number. The range of values is 0 to 7.
Default
No DHCP-based rate adjustments are applied to the subscriber.
Usage Guidelines
Use the rate-adjust dhcp pwfq command to adjust how a PWFQ policy is enforced on a circuit based on
whether the subscriber is granted a DHCP lease. When a lease request is granted to a device on a circuit
that has this attribute applied, the enforced bandwidth for the specified priority group is decremented
by the specified amount in kilobits per second (kbps). If no priority group rate is configured for the
policy, or if the adjusted rate would be less than the minimum enforceable value (64 kbps), the rate
adjustment is not applied to the subscriber.
Once applied, the rate adjustment persists until the DHCP lease is released or expires, at which time the
enforced rate is restored to its full configured value.
This command can be useful in an IPTV deployment in which Remote Multicast Replication (RMR) is used.
When a set-top box (STB) configured as a static subscriber on an 802.1Q VLAN comes online and requests
an IP address, the PWFQ policy enforced on the VLAN can be adjusted to account for the multicast
bandwidth required for IPTV traffic.
Note To use this command, you must have a quality of service (QoS) PWFQ policy bound to the
subscriber session circuit. The policy must include an absolute rate value configured for the
specified priority group; you cannot specify the rate as a percentage. For information about
the qos policy pwfq and queue priority-group commands, see the QoS Scheduling
Configuration chapter in the IP Services and Security Configuration Guide.
Use the no form of this command to remove the currently configured DHCP rate adjustment and return the
subscriber record to the default state (no rate adjustments are made in response to DHCP lease events).
Examples
The following example shows how to adjust a PWFQ policy for the subscriber stb1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name stb1
[local]Redback(config-sub)#password pass
[local]Redback(config-sub)#dhcp max-addr 1
[local]Redback(config-sub)#rate-adjust dhcp pwfq 3000 priority-group 3
Related Commands
qos policy pwfq
queue priority-group
rate-limit dhcp
rate-limit dhcp rate-limit burst burst-limit
{no | default} rate-limit {padi | dhcp}
Purpose
Enables rate limiting and specifies the rate and burst limits for Dynamic Host Configuration Protocol (DHCP) packets that arrive at the SmartEdge router.
Command Mode
card configuration
Syntax Description
rate-limit: Maximum rate, in packets per second (pps), at which DHCP packets can be received. The range of values is 0 to 4294967295 pps; the default value is 4294967295 pps.
burst burst-limit: Maximum number of packets that can be received during a short burst. The range of values is 0 to 4294967295 packets; the default value is 4294967295 packets.
Note: You cannot configure the rate limit and burst limit values independently.
Default
Rate limiting for packets is enabled using the default rate and burst values.
Usage Guidelines
Use the rate-limit command to enable rate limiting and specify the rate and burst limits for DHCP packets that arrive at the SmartEdge router. By specifying the rate and burst limit values, you can establish finer control over the rate at which these subscriber sessions are set up. Because both default values are the maximum of their range, the default configuration places no practical limit on the DHCP packets a card accepts; to protect the router from a DHCP flood, set explicit values.
Use the show rate-limit card command (in any mode) to display the current configuration of rate limiting. This command is described in the Ports, Circuits, and Tunnels Operations Guide for the SmartEdge OS.
Table 5-14 shows the traffic cards supported for the rate-limit dhcp command.
Table 5-14 Traffic Cards Supported for the rate-limit dhcp Command
Type: ATM
  ATM OC-12c/STM-4c IR (1-port)
  Enhanced ATM OC-12c/STM-4c IR (1-port)
  ATM OC-3c/STM-1c IR (2-port and 4-port)
  ATM DS-3 (12-port) (1)
Type: Ethernet
  Gigabit Ethernet (4-port)
  Advanced Gigabit Ethernet (4-port)
  Gigabit Ethernet 3 (4-port)
  Gigabit Ethernet 1020 (10-port and 20-port)
  10 Gigabit Ethernet (1-port, 10-Gbps)
1. The ATM DS-3 traffic card is not supported on the SmartEdge 800s chassis.
Use the no form of this command to disable rate limiting.
Use the default form of this command to set the rate and burst limits to default values.
Examples
The following example configures the rate limit for DHCP packets to 500 pps and the burst limit to 999 packets:
[local]Redback(config-card)#rate-limit dhcp 500 burst 999
Related Commands
None
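How the rate and burst values interact, and why the defaults leave DHCP packets effectively unlimited, as an added example in Python that is not SmartEdge OS code and is not part of this guide. The page specifies only the units of the two values; modelling the limiter as a token bucket, the DhcpRateLimiter class and the constructed packet trace are assumptions of this example.

```python
# Added example (not SmartEdge OS code): a token-bucket model of
# "rate-limit dhcp rate burst burst-limit". The page defines rate in pps
# and burst as a packet count; modelling them as a token bucket, and the
# packet trace below, are assumptions made for illustration.

DEFAULT_LIMIT = 4294967295  # page default for both rate and burst


class DhcpRateLimiter:
    """Token bucket: 'burst' tokens of capacity, refilled at 'rate' tokens/second."""

    def __init__(self, rate_pps=DEFAULT_LIMIT, burst=DEFAULT_LIMIT):
        self.rate = float(rate_pps)
        self.burst = float(burst)
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0              # time of the previous arrival, seconds

    def admit(self, now):
        """Return True if a DHCP packet arriving at time 'now' is accepted."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_trace(limiter, arrivals):
    """Feed a list of arrival timestamps; return (admitted, dropped)."""
    admitted = sum(1 for t in arrivals if limiter.admit(t))
    return admitted, len(arrivals) - admitted


def constructed_flood(count, interval=0.0001):
    """Constructed trace: 'count' DISCOVERs spaced 'interval' seconds apart."""
    return [i * interval for i in range(count)]


def is_effectively_unlimited(rate_pps, burst):
    """Practitioner check: the page defaults are the top of the range, so a
    card left at its defaults gets no protection from this command."""
    return rate_pps >= DEFAULT_LIMIT and burst >= DEFAULT_LIMIT


if __name__ == "__main__":
    trace = constructed_flood(2000)   # 2000 packets in 0.2 s, i.e. 10000 pps
    print("defaults      :", run_trace(DhcpRateLimiter(), trace))
    print("500 burst 999 :", run_trace(DhcpRateLimiter(500, 999), trace))
    print("0 burst 999   :", run_trace(DhcpRateLimiter(0, 999), trace))
```

With the defaults every packet of the flood is admitted; with rate 500 and burst 999 the first 999 pass immediately and only about 50 more are admitted over the remaining 0.2 s; with rate 0 exactly the burst is admitted and nothing after it.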
Command Descriptions
DHCP Configuration 5-65
server-group
server-group group-name
no server-group
Purpose
Assigns a Dynamic Host Configuration Protocol (DHCP) server to a DHCP server group.
Command Mode
DHCP relay server configuration
Syntax Description
group-name: DHCP server group name.
Default
DHCP servers are assigned to the default DHCP server group.
Usage Guidelines
Use the server-group command to assign a DHCP server to a DHCP server group.
Use the no form of this command to return the DHCP server to the default server group.
Examples
The following example assigns the DHCP server dserver7 to the int-grp DHCP server group:
[local]Redback(config-ctx)#dhcp relay server dserver7
[local]Redback(config-dhcp-relay)#server-group int-grp
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp relay server
forward-all
standby
standby
standby {ip-addr | hostname}
no standby {ip-addr | hostname}
Purpose
Configures the IP address or hostname of a standby Dynamic Host Configuration Protocol (DHCP) server.
Command Mode
DHCP relay server configuration
Syntax Description
ip-addr: IP address of the standby DHCP server.
hostname: Hostname of the standby DHCP server.
Default
No standby DHCP server is assigned.
Usage Guidelines
Use the standby command to configure the IP address or hostname of a standby DHCP server.
Note: When a DHCP server is unreachable, you either forward packets to its standby DHCP server, or forward packets to all other DHCP servers in a DHCP server group, but not both; the standby and forward-all commands are mutually exclusive.
Use the no form of this command to remove the assignment of the standby DHCP server.
Examples
The following example configures 10.30.40.55 as the IP address for the standby DHCP server, where 192.168.1.10 is the IP address for the associated primary DHCP server:
[local]Redback(config-ctx)#dhcp relay server 192.168.1.10
[local]Redback(config-dhcp-relay)#standby 10.30.40.55
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp relay server
forward-all
server-group
subnet
subnet ip-addr/subnet-mask [name subnet-name]
no subnet ip-addr/subnet-mask [name subnet-name]
Purpose
Creates a subnet for this internal Dynamic Host Configuration Protocol (DHCP) server and accesses DHCP subnet configuration mode.
Command Mode
DHCP server configuration
Syntax Description
ip-addr/subnet-mask: IP address and subnet mask for this subnet.
name subnet-name: Optional. Name of the subnet; it must be unique.
Default
No subnets are created for any DHCP server.
Usage Guidelines
Use the subnet command to create a subnet for this internal DHCP server and access DHCP subnet configuration mode.
The value of the ip-addr and subnet-mask arguments must match the value of one of the ip-addr and subnet-mask arguments that you specified, using the ip address command (in interface configuration mode), for the interface that you enabled for this DHCP server, using the dhcp server command (in interface configuration mode). For more information about the ip address command, see the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
Use the name subnet-name construct to assign a unique name to this subnet.
Use the no form of this command to delete the subnet from the DHCP server configuration.
Examples
The following example creates the sub2 subnet:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#interface dhcp-if multibind
[local]Redback(config-if)#ip address 12.1.1.0/24
[local]Redback(config-if)#ip address 13.1.1.1/24 secondary
[local]Redback(config-if)#dhcp server 13.1.1.1
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 12.1.1.0/24 name sub2
[local]Redback(config-dhcp-subnet)#
Related Commands
default-lease-time
mac-address
max-lease-time
offer-lease-time
option
option-82
range
vendor-class
threshold
threshold [falling min-threshold [trap] [log]] [rising max-threshold [trap] [log]]
no threshold
Purpose
Enables the monitoring and reporting of available Dynamic Host Configuration Protocol (DHCP) leases at the context level for minimum and maximum threshold values.
Command Mode
DHCP server configuration
Syntax Description
falling min-threshold: Optional. Threshold for the minimum number of available leases, at which point a trap or a log message is sent if configured.
rising max-threshold: Optional. Threshold for the maximum number of available leases, at which point a trap or a log message is sent if configured.
trap: Optional. Sends a Simple Network Management Protocol (SNMP) trap on reaching the threshold value.
log: Optional. Sends a log message on reaching the threshold value.
Default
Monitoring and reporting of available DHCP leases at the context level is disabled.
Usage Guidelines
Use the threshold command to enable the monitoring and reporting of available DHCP leases at the context level for minimum and maximum threshold values.
You can enter either or both of the falling min-threshold and rising max-threshold constructs, in any order. You can enter either or both of the trap and log keywords, in any order, for either construct.
Use the no form of this command to disable monitoring and reporting of available DHCP leases at the context level.
Examples
The following example enables the monitoring and reporting of available leases at the context level and triggers an SNMP trap when the number of available leases is decreasing and reaches 400:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#threshold falling 400 trap
Related Commands
range
user-class-id
user-class-id user-class-id [offset position] giaddr ip-addr
no user-class-id user-class-id
Purpose
Specifies an IP address for the giaddr field in the header of Dynamic Host Configuration Protocol (DHCP) packets for the specified user class ID (option 77) field.
Command Mode
DHCP giaddr configuration
Syntax Description
user-class-id: Identifier to be matched against the contents of the DHCP option 77 ID field in DHCP discover packets, in one of the formats given in the Usage Guidelines section, for which this IP address is intended.
offset position: Optional. Position of the starting octet in the option 77 field which is to be matched with the specified user-class-id argument, in one of the following formats:
  +n or n: The starting octet is the nth octet in the received ID. The matching operation is performed on the nth and succeeding octets for the length of the string specified by the value of the user-class-id argument.
  -n: The starting octet is the last octet in the received ID minus the previous (n-1) octets. The matching operation is performed on that octet and the succeeding octets for the length of the string specified by the value of the user-class-id argument.
  The default value is 1 (the first octet). You can also specify the first octet with a value of 0.
giaddr ip-addr: IP address to be inserted in the giaddr field in the header of DHCP packets for the specified user class ID.
Default
The giaddr field is set to the primary IP address of the interface.
Usage Guidelines
Use the user-class-id command to specify the IP address for the giaddr field in the header of DHCP packets for the specified user class ID (option 77) field. Option 77 is described in RFC 3004, The User Class Option for DHCP.
When the SmartEdge router receives a DHCP discover packet, the SmartEdge OS performs a matching operation, comparing the contents of the option 77 field, starting at the octet within the field specified by the value of the position argument, with the string specified by the value of the user-class-id argument.
If more than one user class ID field is present in the option 77 field in the DHCP discover packet, the system uses only the first user class ID field to make the comparison for setting the giaddr field. The remaining user class ID fields are ignored.
If there is a match, the system inserts the specified IP address in the giaddr field in the header of DHCP packets to this client. If there is no match, the system inserts the primary IP address that you have configured for this interface. Because the option 77 string is supplied by the client, the giaddr selected here, and with it the address pool that the DHCP server allocates from, follows a value the client controls.
Possible formats for the user-class-id argument are:
  Alphanumeric string, enclosed in quotation marks (" "); for example, "ABCD1234"
  Alphanumeric string, not enclosed in quotation marks; for example, redback1
  Hex numeric string, not enclosed in quotation marks and prefaced with 0x or 0X; for example, 0Xabcd1234
Use the giaddr ip-addr construct to specify an IP address for the specified user-class-id argument. This IP address must be one of the secondary IP addresses that you have configured for the interface. You can specify the same IP address or different IP addresses for multiple values of the user-class-id argument.
Use the no form of this command to delete the giaddr IP address for the specified user-class-id argument.
Note: If you delete this DHCP proxy or relay from the configuration, using the no form of the dhcp proxy or dhcp relay command (in interface configuration mode), you also delete all user-class-id commands for that DHCP proxy or relay.
Examples
The following example specifies secondary IP addresses for the interface in which the DHCP proxy server is configured, and then specifies one of them as the IP address for the giaddr field for the network user class ID:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface voip multibind
[local]Redback(config-if)#ip address 200.1.1.1/24
[local]Redback(config-if)#ip address 200.1.2.1/24 secondary
[local]Redback(config-if)#ip address 200.1.10.1/24 secondary
[local]Redback(config-if)#dhcp proxy 16000
[local]Redback(config-dhcp-giaddr)#user-class-id network giaddr 200.1.2.1
Related Commands
dhcp proxy
dhcp relay
Command Descriptions
DHCP Configuration 5-73
vendor-class
vendor-class vendor-class-id [offset position] subnet-name subnet-name
no vendor-class vendor-class-id
Purpose
Creates a static mapping between a subnet and the specified vendor class ID.
Command Mode
DHCP server configuration
Syntax Description
vendor-class-id: Vendor class ID for which a static mapping is to be created.
offset position: Optional. Position of the starting octet in the option 60 field which is to be matched with the specified vendor-class-id argument, in one of the following formats:
  +n or n: The starting octet is the nth octet in the received ID. The matching operation is performed on the nth and succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
  -n: The starting octet is the last octet in the received ID minus the previous (n-1) octets. The matching operation is performed on that octet and the succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
  The default value is 1 (the first octet). You can also specify the first octet with a value of 0.
subnet-name subnet-name: Subnet name for the specified vendor class ID.
Default
No static mapping is created between a subnet and any vendor class ID.
Usage Guidelines
Use the vendor-class command to create a static mapping between a subnet and the specified vendor class ID.
Use the no form of this command to delete the static mapping between the vendor class ID and the subnet.
Examples
The following example specifies the for-subs subnet as the subnet for the 123456 vendor class ID:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#vendor-class 123456 offset 1 subnet-name for-subs
Related Commands
subnet
vendor-class-id
vendor-class-id
vendor-class-id vendor-class-id [offset position] giaddr ip-addr
no vendor-class-id vendor-class-id
Purpose
Specifies an IP address for the giaddr field in the header of Dynamic Host Configuration Protocol (DHCP) packets for the specified vendor class ID (option 60) field.
Command Mode
DHCP giaddr configuration
Syntax Description
vendor-class-id: Identifier to be matched against the contents of the DHCP option 60 ID field in DHCP discover packets, in one of the formats given in the Usage Guidelines section, for which this IP address is intended.
offset position: Optional. Position of the starting octet in the option 60 field which is to be matched with the specified vendor-class-id argument, in one of the following formats:
  +n or n: The starting octet is the nth octet in the received ID. The matching operation is performed on the nth and succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
  -n: The starting octet is the last octet in the received ID minus the previous (n-1) octets. The matching operation is performed on that octet and the succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
  The default value is 1 (the first octet). You can also specify the first octet with a value of 0.
giaddr ip-addr: IP address to be inserted in the giaddr field in the header of DHCP packets for the specified vendor class ID.
Default
The giaddr field is set to the primary IP address of the interface.
Usage Guidelines
Use the vendor-class-id command to specify the IP address for the giaddr field in DHCP packets for the specified vendor class ID (option 60) field. Option 60 is described in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
When the SmartEdge router receives a DHCP discover packet, the SmartEdge OS performs a matching operation, comparing the contents of the option 60 field, starting at the octet within the field specified by the value of the position argument, with the string specified by the value of the vendor-class-id argument.
If there is a match, the system inserts the specified IP address in the giaddr field in the header of DHCP packets to this client. If there is no match, the system inserts the primary IP address that you have configured for this interface. As with option 77, the option 60 string is supplied by the client, so the giaddr chosen here follows a value the client controls.
Possible formats for the vendor-class-id argument are:
  Alphanumeric string, enclosed in quotation marks (" "); for example, "ABCD1234"
  Alphanumeric string, not enclosed in quotation marks; for example, redback1
  Hex numeric string, not enclosed in quotation marks and prefaced with 0x or 0X; for example, 0Xabcd1234
Use the giaddr ip-addr construct to specify an IP address for the specified vendor-class-id argument. This IP address must be one of the secondary IP addresses that you have configured for the interface. You can specify the same IP address or different IP addresses for multiple values of the vendor-class-id argument.
Use the no form of this command to delete the giaddr IP address for the specified vendor-class-id argument.
Note: If you delete this DHCP proxy or relay from the configuration, using the no form of the dhcp proxy or dhcp relay command (in interface configuration mode), you also delete all vendor-class-id commands for that DHCP proxy or relay.
Examples
The following example specifies secondary IP addresses for the interface in which the DHCP proxy server is configured, and then specifies one of them as the IP address for the giaddr field for the redback vendor class ID:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface voip multibind
[local]Redback(config-if)#ip address 200.1.1.1/24
[local]Redback(config-if)#ip address 200.1.2.1/24 secondary
[local]Redback(config-if)#ip address 200.1.10.1/24 secondary
[local]Redback(config-if)#dhcp proxy 16000
[local]Redback(config-dhcp-giaddr)#vendor-class-id redback offset -17 giaddr 200.1.2.1
Related Commands
dhcp proxy
dhcp relay
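The option 60 matching rules of the vendor-class-id command, and the option 77 rules of the user-class-id command described earlier in this chapter, as one added example in Python that is not SmartEdge OS code and is not part of this guide. It parses a constructed DHCPDISCOVER option area, applies the +n / n / -n offset rules and the three class-ID formats, uses only the first user-class field of option 77, and falls back to the interface's primary address when nothing matches. The option parser, the GiaddrRule type, the first-matching-rule evaluation order and the sample option bytes are assumptions of this example.

```python
# Added example (not SmartEdge OS code): a model of the option 60 / option 77
# matching that the vendor-class-id and user-class-id commands describe,
# applied to a constructed DHCPDISCOVER option area. The option parser,
# the GiaddrRule type, first-match rule order and the sample option bytes
# are assumptions of this example; the matching rules follow the command text.
from dataclasses import dataclass
from typing import Dict, List, Set

OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_USER_CLASS, OPT_END = 0, 53, 60, 77, 255


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options area (after the magic cookie) into {code: value}.
    The first occurrence of a code wins; RFC 3396 long-option concatenation
    is not modelled (assumption)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts.setdefault(code, value)
        i += 2 + length
    return opts


def first_user_class(opt77: bytes) -> bytes:
    """Option 77 carries one or more (length, data) user-class fields (RFC 3004);
    the user-class-id command compares only the first one."""
    if not opt77:
        return b""
    return opt77[1:1 + opt77[0]]


def parse_class_id(text: str) -> bytes:
    """The three CLI formats: "quoted", bare alphanumeric, or 0x/0X hex."""
    if text[:2] in ("0x", "0X"):
        return bytes.fromhex(text[2:])
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    return text.encode("ascii")


def offset_matches(field: bytes, pattern: bytes, offset: int = 1) -> bool:
    """+n or n: start at the n-th octet (1-based; 0 also means the first).
    -n: start at the last octet minus (n-1) octets, i.e. n octets from the end.
    The comparison covers len(pattern) octets from the start position."""
    if not pattern or not field:
        return False
    start = max(offset, 1) - 1 if offset >= 0 else len(field) + offset
    if start < 0 or start + len(pattern) > len(field):
        return False
    return field[start:start + len(pattern)] == pattern


@dataclass(frozen=True)
class GiaddrRule:
    class_id: str     # as typed on the CLI
    giaddr: str       # must be a secondary address of the interface
    offset: int = 1


def select_giaddr(options_blob: bytes, rules: List[GiaddrRule], option_code: int,
                  primary_ip: str, secondary_ips: Set[str]) -> str:
    """Return the address to place in giaddr: the first matching rule's address,
    otherwise the interface's primary address."""
    for rule in rules:
        if rule.giaddr not in secondary_ips:
            raise ValueError("giaddr %s is not a secondary address of the interface" % rule.giaddr)
    field = parse_options(options_blob).get(option_code, b"")
    if option_code == OPT_USER_CLASS:
        field = first_user_class(field)
    for rule in rules:
        if offset_matches(field, parse_class_id(rule.class_id), rule.offset):
            return rule.giaddr
    return primary_ip


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed DISCOVER option area: message type, vendor class "udhcp 1.2 redback",
# and two user-class fields, "network" then "voice".
SAMPLE_OPTIONS = (_opt(OPT_MSG_TYPE, b"\x01")
                  + _opt(OPT_VENDOR_CLASS, b"udhcp 1.2 redback")
                  + _opt(OPT_USER_CLASS, bytes([7]) + b"network" + bytes([5]) + b"voice")
                  + bytes([OPT_END]))
PRIMARY, SECONDARIES = "200.1.1.1", {"200.1.2.1", "200.1.10.1"}

if __name__ == "__main__":
    # 'vendor-class-id redback offset -7 giaddr 200.1.2.1': compare the last 7 octets
    print(select_giaddr(SAMPLE_OPTIONS, [GiaddrRule("redback", "200.1.2.1", -7)],
                        OPT_VENDOR_CLASS, PRIMARY, SECONDARIES))   # 200.1.2.1
    # 'user-class-id voice giaddr 200.1.10.1': "voice" is the second field, so no match
    print(select_giaddr(SAMPLE_OPTIONS, [GiaddrRule("voice", "200.1.10.1")],
                        OPT_USER_CLASS, PRIMARY, SECONDARIES))     # 200.1.1.1
```

The second call shows the caveat from the user-class-id description: a client that sends "voice" as its second user-class field is not matched, because only the first field is compared, and it is handed the primary address.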
Chapter 6
ANCP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Access Node Control Protocol (ANCP) features.
For information about the tasks and commands used to monitor, administer, and troubleshoot ANCP features, see the ANCP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
ANCP is a communications control protocol that allows the SmartEdge router to communicate with an access node device and gather information about the parameters of the individual access lines on the access node.
ANCP is an out-of-band control protocol with respect to the subscriber sessions that are carried on the access lines. Beneath ANCP, the SmartEdge router uses the General Switch Management Protocol (GSMP) version 3 (GSMPv3) to communicate with the ANCP neighbor peers; GSMPv3 messages are carried over the Transmission Control Protocol (TCP).
Figure 6-1 shows the information flow from the individual subscribers to the SmartEdge router. In the network, the SmartEdge router, which is labeled Aggregation Router, acts as a broadband remote access server (BRAS) with Ethernet aggregation capability.
Note: In this chapter, access lines are also referred to as digital subscriber lines (DSLs), and access nodes are referred to as DSL access multiplexers (DSLAMs) or ANCP neighbor peers.
The ANCP control information for individual subscriber access lines is stored on the SmartEdge router, along with other subscriber session information, and sent to Remote Authentication Dial-In User Service (RADIUS) servers during the subscriber authentication and accounting process. Other sources from which the SmartEdge OS can learn access-line information are a Dynamic Host Configuration Protocol (DHCP) option 82 tag and a Point-to-Point Protocol over Ethernet (PPPoE) tag.
Figure 6-1 Access Node to SmartEdge Router Information Flow
The SmartEdge OS can adjust the performance of subscriber sessions from access-line information by modifying the quality of service (QoS) policy attached to the subscriber session or its parent 802.1Q permanent virtual circuit (PVC). The SmartEdge OS can also adjust the performance of 802.1Q tunnels.
You configure all ANCP functions under the umbrella of the ANCP router, which you create in the local context. The ANCP router is characterized by a system ID, which identifies the SmartEdge router to an ANCP neighbor peer; a TCP port, on which the SmartEdge router listens for incoming ANCP sessions; and a keepalive timer, which the SmartEdge router uses to maintain communication with its ANCP neighbor peers. If the SmartEdge router does not receive keepalive messages from an ANCP neighbor peer, the router disconnects the session. Each of these attributes has a default value that the SmartEdge router uses if you do not specify a value.
For security, incoming sessions are validated against an ANCP neighbor profile to limit the peers that can connect to the SmartEdge router. If an incoming ANCP neighbor peer does not match the attributes specified by the profile, the connection is rejected. The profile can specify a peer ID, a peer IP address, the TCP port on which an ANCP neighbor peer sends and receives ANCP sessions (GSMP messages), and the interface to which you bind the circuit on which the ANCP sessions are transmitted and received. All these attributes are optional; if you leave an attribute unspecified, it acts as a wild card and accepts any value for that attribute. A profile with no attributes therefore accepts any peer that can reach the ANCP TCP port; to restrict which access nodes can open a session, specify at least the peer IP address, and preferably the peer ID and the interface as well.
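How the optional profile attributes act as wild cards, as an added example in Python that is not SmartEdge OS code and is not part of this guide. It checks an incoming session against the profile from this chapter's configuration example and against an empty profile, and includes an audit function that lists profiles pinning neither peer ID nor peer IP address. The order in which the router evaluates several profiles is not stated on the page; first match wins, the NeighborProfile and IncomingSession types, and the two constructed sessions are assumptions of this example.

```python
# Added example (not SmartEdge OS code): a model of ANCP neighbor-profile
# validation as the overview describes it. Every profile attribute is
# optional and an unset attribute is a wild card. First-match evaluation
# across several profiles and the sample sessions below are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NeighborProfile:
    name: str
    peer_id: Optional[str] = None          # sender name, e.g. "01:02:03:04:05:06"
    peer_ip: Optional[str] = None
    tcp_port_remote: Optional[int] = None
    interface: Optional[str] = None


@dataclass(frozen=True)
class IncomingSession:
    peer_id: str
    peer_ip: str
    tcp_port_remote: int
    interface: str


def _norm_id(peer_id: str) -> str:
    """Compare sender names case-insensitively with ':' as the separator."""
    return peer_id.lower().replace("-", ":")


def profile_accepts(profile: NeighborProfile, session: IncomingSession) -> bool:
    """True if every attribute set on the profile matches the session;
    an attribute left unset accepts any value (wild card)."""
    if profile.peer_id is not None and _norm_id(profile.peer_id) != _norm_id(session.peer_id):
        return False
    if profile.peer_ip is not None and profile.peer_ip != session.peer_ip:
        return False
    if profile.tcp_port_remote is not None and profile.tcp_port_remote != session.tcp_port_remote:
        return False
    if profile.interface is not None and profile.interface != session.interface:
        return False
    return True


def validate_session(profiles: List[NeighborProfile], session: IncomingSession) -> Optional[str]:
    """Name of the first profile that accepts the session, or None to reject it."""
    for profile in profiles:
        if profile_accepts(profile, session):
            return profile.name
    return None


def open_profiles(profiles: List[NeighborProfile]) -> List[str]:
    """Audit check: profiles that pin neither peer ID nor peer IP address
    accept any access node that can reach the ANCP TCP port."""
    return [p.name for p in profiles if p.peer_id is None and p.peer_ip is None]


# Profile from the chapter's configuration example.
STRICT = NeighborProfile("ancp-profile", "01:02:03:04:05:06", "30.100.1.20", 7070, "ancp")
# An empty profile, as created by 'neighbor profile' with no further attributes.
CATCH_ALL = NeighborProfile("open-profile")

# Constructed sessions: the expected DSLAM, and a host on another address
# presenting the same sender name.
DSLAM = IncomingSession("01:02:03:04:05:06", "30.100.1.20", 7070, "ancp")
ROGUE = IncomingSession("01:02:03:04:05:06", "30.100.1.99", 7070, "ancp")

if __name__ == "__main__":
    print(validate_session([STRICT], DSLAM))              # ancp-profile
    print(validate_session([STRICT], ROGUE))              # None
    print(validate_session([STRICT, CATCH_ALL], ROGUE))   # open-profile
    print(open_profiles([STRICT, CATCH_ALL]))             # ['open-profile']
```

The third call is the point to take away: once an empty profile exists alongside the strict one, the spoofed session that the strict profile rejected is accepted through the wild-card profile.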
You can modify the configuration of each subscriber record, profile, or the default subscriber profile to
allow the learned access-line rates to override the rates specified by the QoS policies attached to the
subscriber session or its 802.1Q PVC.
The circuit agent ID is used as a unique key to map ANCP information to a specific subscriber session or to its 802.1Q parent PVC; it identifies the access line that is transmitting and receiving traffic on that 802.1Q PVC. The SmartEdge OS can learn the subscriber's circuit agent ID dynamically from DHCP option 82 information or from the PPPoE vendor tag; you can also configure it statically for the subscriber's parent 802.1Q PVC.
ANCP features comply with the standards found in the draft-wadhwa-gsmp-l2control-configuration-02,
GSMP Extensions for Layer 2 Control (L2C) Topology Discovery and Line Configuration document.
The SmartEdge router supports dynamic learning of access-line information and agent circuit ID as
described in the DSL Forum TR-101, Migration to Ethernet-Based DSL Aggregation document.
Configuration Tasks
To configure ANCP features, perform the tasks described in the following sections:
ANCP Configuration Guidelines
Configure the ANCP Router
Configure an ANCP Neighbor Profile
Map an 802.1Q PVC to a DSL Line
Map an 802.1Q Tunnel to a DSL Line
Configure a Subscriber Record for ANCP Sessions
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
ANCP Configuration Guidelines
This section includes configuration guidelines for ANCP features that affect more than one command or a combination of commands:
  You must configure the ANCP router in the local context.
  You must create the interface to which you bind the circuits that carry ANCP sessions in the local context.
  ANCP sessions are supported on any type of circuit.
Configure the ANCP Router
To configure the ANCP router, perform the tasks described in Table 6-1; enter all commands in ANCP configuration mode, unless otherwise noted.
Table 6-1 Configure the ANCP Router
# | Task | Root Command | Notes
1. | Create the ANCP router in the local context and access ANCP configuration mode. | router ancp | Enter this command in context configuration mode.
2. | Optional. Assign an ID to identify the SmartEdge router in ANCP sessions transmitted to an ANCP neighbor peer. | system-id |
3. | Optional. Assign a TCP port on which the SmartEdge router listens for ANCP sessions. | tcp-port local |
4. | Optional. Configure the parameters for the sending and receiving of keepalive messages to and from ANCP neighbor peers. | keepalive |
Configure an ANCP Neighbor Profile
To configure an ANCP neighbor profile, perform the tasks described in Table 6-2; enter all commands in ANCP neighbor configuration mode, unless otherwise noted.
Table 6-2 Configure an ANCP Neighbor Profile
# | Task | Root Command | Notes
1. | Optional. Create an empty ANCP profile for an ANCP neighbor peer and access ANCP neighbor configuration mode. | neighbor profile | Enter this command in ANCP configuration mode.
2. | Optional. Filter incoming new neighbor connections using the sender name of an ANCP neighbor peer. | peer id |
3. | Optional. Filter incoming new neighbor connections using the IP address of an ANCP neighbor peer. | peer ip-address |
4. | Optional. Filter incoming new neighbor connections using the TCP port on which the SmartEdge router receives the GSMP messages from an ANCP neighbor peer. | tcp-port remote |
5. | Optional. Filter incoming new neighbor connections using the interface on which ANCP sessions are transmitted and received for this ANCP neighbor profile. | interface |
Map an 802.1Q PVC to a DSL Line
To map an 802.1Q PVC to a DSL line, perform the task described in Table 6-3; enter the command in dot1q PVC configuration mode. Configure only one of the commands.
Table 6-3 Map an 802.1Q PVC to a DSL Line
Task | Root Command | Notes
Specify the agent circuit ID that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. | access-line agent-circuit-id | The access-line agent-circuit-id command is an alternative to the access-line access-node-id command.
Specify the access node ID (with its slot and port) that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. | access-line access-node-id | The access-line access-node-id command is an alternative to the access-line agent-circuit-id command.
Map an 802.1Q Tunnel to a DSL Line
To map an 802.1Q tunnel to a DSL line, perform the task described in Table 6-4; enter the command in dot1q PVC configuration mode and specify the encapsulation 1qtunnel keywords with the dot1q pvc command. Configure only one of the commands.
Table 6-4 Map an 802.1Q Tunnel to a DSL Line
Task | Root Command | Notes
Specify the agent circuit ID that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. | access-line agent-circuit-id | The access-line agent-circuit-id command is an alternative to the access-line access-node-id command.
Specify the access node ID (with its slot and port) that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. | access-line access-node-id | The access-line access-node-id command is an alternative to the access-line agent-circuit-id command.
Configure a Subscriber Record for ANCP Sessions
To configure a subscriber record for ANCP sessions, perform one of the tasks described in Table 6-5; enter the command in subscriber configuration mode.
Table 6-5 Configure a Subscriber Record for ANCP Sessions
Task | Root Command | Notes
Override the rates specified by the QoS policies attached to this subscriber record with the actual rates. | access-line rate |
Override the rates specified by the QoS policies attached to this subscriber record with the rates learned from the DSLAM. | access-line agent-circuit-id |
Configuration Examples
The following example shows how to configure the ANCP router, an ANCP neighbor profile, an 802.1Q tunnel for ANCP sessions, and an 802.1Q PVC to map to a DSL line:
! Create the interface and ANCP router in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface ancp multibind
[local]Redback(config-ctx)#interface untagged
[local]Redback(config-ctx)#router ancp
! Configure the ANCP router
[local]Redback(config-ancp)#system-id 12:34:56:78:9a:bc
[local]Redback(config-ancp)#tcp-port local 6070
[local]Redback(config-ancp)#keepalive interval 5 retries 5
! Configure an ANCP profile for the ANCP neighbor peer (DSLAM)
[local]Redback(config-ancp)#neighbor profile ancp-profile
[local]Redback(config-ancp-neighbor)#peer id 01:02:03:04:05:06
[local]Redback(config-ancp-neighbor)#peer ip-address 30.100.1.20
[local]Redback(config-ancp-neighbor)#tcp-port remote 7070
[local]Redback(config-ancp-neighbor)#interface ancp
! Configure an Ethernet port for the DSLAM and DSL
[local]Redback(config)#context local
[local]Redback(config-ctx)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#bind interface untagged local
! Configure an 802.1Q tunnel to carry the out-of-band ANCP protocol messages
! (the ANCP session traffic to and from the DSLAM)
[local]Redback(config-port)#dot1q pvc 1 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#bind interface ancp local
! Configure an 802.1Q PVC for the subscriber traffic
[local]Redback(config-dot1q-pvc)#dot1q pvc 1:1 encapsulation pppoe
[local]Redback(config-dot1q-pvc)#bind authentication chap
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id abc-2.1:1:1
! Configure the default subscriber profile to allow the learned rate of the DSL to
! override the rate specified in a QoS policy attached to the subscriber circuit or its
! parent circuit in the outbound direction.
[local]Redback(config)#context subscribers
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-line rate out ancp
The following example shows how to configure the ANCP router, an ANCP neighbor profile, an 802.1Q tunnel for ANCP sessions, and an 802.1Q tunnel to map to a DSL line:
! Create the interface and ANCP router in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface ancp multibind
[local]Redback(config-ctx)#interface untagged
[local]Redback(config-ctx)#router ancp
! Configure the ANCP router
[local]Redback(config-ancp)#system-id 12:34:56:78:9a:bc
[local]Redback(config-ancp)#tcp-port local 6070
[local]Redback(config-ancp)#keepalive interval 5 retries 5
! Configure an ANCP profile for the ANCP neighbor peer (DSLAM)
[local]Redback(config-ancp)#neighbor profile ancp-profile
[local]Redback(config-ancp-neighbor)#peer id 01:02:03:04:05:06
[local]Redback(config-ancp-neighbor)#peer ip-address 30.100.1.20
[local]Redback(config-ancp-neighbor)#tcp-port remote 7070
[local]Redback(config-ancp-neighbor)#interface ancp
! Configure an Ethernet port for the DSLAM and DSL
[local]Redback(config)#context local
[local]Redback(config-ctx)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#bind interface untagged local
! Configure an 802.1Q profile to allow the learned rate of the DSL to override the rate
! specified in a QoS policy attached to the circuit in the inbound and outbound direction.
[local]Redback(config)#dot1q profile pwfq
[local]Redback(config-dot1q-profile)#access-line rate in
[local]Redback(config-dot1q-profile)#access-line rate out
! Map an 802.1Q tunnel (circuit) to a DSL line by specifying the access node ID that
! the system uses to match an ANCP message to a circuit. This configuration also allows
! the learned rate of the DSL line to override the rate specified in the QoS policy
! attached to the 802.1Q tunnel (circuit) for the VLL and the VPLS instances.
[local]Redback(config-dot1q-profile)#port ether 3/3
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 3 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line access-node-id "2.2.2.2/3.3.3.3" slot
[local]Redback(config-dot1q-pvc)#access-line access-node-id "2.2.2.2/3.3.3.3" slot-port "10/0"
[local]Redback(config-dot1q-pvc)#qos policy queuing triple-play
[local]Redback(config-dot1q-pvc)#dot1q pvc 3:1
[local]Redback(config-dot1q-pvc)#l2vpn local
[local]Redback(config-dot1q-pvc)#dot1q pvc 3:2
[local]Redback(config-dot1q-pvc)#bridge profile access-bp1
[local]Redback(config-dot1q-pvc)#bind interface cust1 vpls1
[local]Redback(config-dot1q-pvc)#end
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ANCP features.
The commands are presented in alphabetical order:
access-line adjust
access-line access-node-id
access-line agent-circuit-id
access-line rate
interface
keepalive
neighbor profile
peer id
peer ip-address
router ancp
system-id
tcp-port local
tcp-port remote
access-line adjust
access-line adjust {cvlan | subscriber}
no access-line adjust {cvlan | subscriber}
Purpose
Overrides the rates specified by the quality of service (QoS) policies attached to this subscriber record,
named profile, or the default profile with the rates learned from the digital subscriber line (DSL) access
multiplexer (DSLAM).
Command Mode
subscriber configuration
Syntax Description
cvlan  Applies the rate learned from the DSLAM to the port, 802.1Q tunnel, or 802.1Q
permanent virtual circuit (PVC) to which the QoS policy is attached.
subscriber  Applies rate information learned from the DSLAM to the subscriber circuit. This is the
default.
Default
The rate learned from the DSLAM is applied to the subscriber circuit.
Usage Guidelines
Use the access-line adjust command to override the rates specified by the QoS policies attached to this
subscriber record, named profile, or the default profile with the rates learned from the DSLAM. The system
applies the DSLAM rate.
Use the no form of this command to specify the default condition.
Examples
The following example overrides the rate specified by any QoS policy attached to the default subscriber
profile:
[local]Redback(config)#context isp2
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-line adjust subscriber
Related Commands
access-line agent-circuit-id
access-line rate
access-line agent-circuit-id
access-line agent-circuit-id string
no access-line agent-circuit-id string
Purpose
Specifies the agent circuit ID that the system uses to match an incoming ANCP message to a circuit.
Command Mode
dot1q PVC configuration
Syntax Description
string  Agent circuit ID. A text string with up to 63 printable characters; enclose the string in
quotation marks (" ") if the string includes spaces.
Default
No agent circuit ID is specified for a DSL on this circuit. The SmartEdge OS can learn this information
from a Point-to-Point Protocol (PPP) over Ethernet (PPPoE) tag or a Dynamic Host Configuration Protocol
(DHCP) option 82 tag.
Usage Guidelines
Use the access-line agent-circuit-id command to specify the agent circuit ID that the system uses to match
an ANCP message to a circuit, which can be either an 802.1Q PVC or an 802.1Q tunnel. An incoming ANCP
message contains an agent circuit ID. The data contained in this message is applied to the circuit that
matches that agent circuit ID. The agent circuit ID received from the DSL access multiplexer (DSLAM)
must match the text string exactly.
If the value learned from a subscriber session on this DSL differs from the configured value for the string
argument, the system generates an error log message and uses the configured value.
Note For a more flexible approach to matching an ANCP message to a circuit, use the
access-line access-node-id command (in dot1q PVC configuration mode).
Use the no form of this command to specify the default condition.
Examples
The following example specifies the agent circuit ID for all subscriber sessions:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id dslam-10.1.1.1 dot1q 2/1:1:1
The following example shows how to specify the agent circuit ID for the circuit tagged as pvc 100 with
the profile pwfq. The PVC is a tunnel, indicated by the specification of encapsulation 1qtunnel:
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id 10.2.1.1 eth 3/1:100
Related Commands
access-line access-node-id
access-line rate
access-line access-node-id
access-line access-node-id ani slotport slot/port
no access-line
Purpose
Specifies the agent circuit ID that the system uses to match an incoming Access Node Control Protocol
(ANCP) message to a digital subscriber line (DSL).
Command Mode
dot1q PVC configuration
Syntax Description
ani  Access node identifier (ANI). Alphanumeric string.
slotport slot/port  Slot and port of the DSL access multiplexer (DSLAM). This string must not include any
spaces.
Default
No agent circuit ID is specified for the circuit.
Usage Guidelines
Use the access-line access-node-id command to specify the agent circuit ID that the system uses to match
an incoming ANCP message to a DSL. This command identifies a unique configured agent circuit ID to be
associated with an 802.1Q PVC or 802.1Q tunnel. The data contained in the message is applied to the
circuit that matches the specified agent circuit ID. The agent circuit ID received from the DSLAM is either
unformatted (a blind string) or it can conform to one of the formats specified in DSL Forum Specification
TR-101, R-124, as follows:
For ATM DSLs: ANI atm slot/port:vpi.vci
For Ethernet DSLs: ANI eth slot/port[:vlan-id]
In the formatted version, the ANI field is always a blind string that identifies the DSLAM ANI; the
SmartEdge OS stores but does not process this string; it only searches for the space that terminates the string.
The slot/port field is also a blind string; the SmartEdge OS searches for the colon (:) that terminates the field,
discards the colon and the text that follows it, and stores the text before the colon.
Use the ani argument to specify the DSLAM ANI portion of the agent circuit ID to which the incoming
DSLAM ANIs are matched; use the slotport slot/port construct to specify the DSLAM slot and port. To
match incoming agent circuit IDs, duplicate the incoming format used by the DSLAM.
The total number of characters in the values for the ani and slotport fields must be fewer than 63.
Use the no form of this command to specify the default condition.
Examples
The following example specifies an agent circuit ID to which incoming DSLAM messages are matched:
[local]Redback(config-dot1q-pvc)#dot1q pvc 1:1 encapsulation pppoe
[local]Redback(config-dot1q-pvc)#access-line access-node-id 10.101.90.4/0.0.0.0 slotport 3/2
The following examples of incoming DSLAM messages match:
10.101.90.4/0.0.0.0 atm 3/2:2.3
10.101.90.4/0.0.0.0 eth 3/2:7
The following examples of incoming DSLAM messages do not match; the reason is provided:
10.101.90.4/0.0.0.0 foo 3/2:bar  Invalid line type foo
10.101.90.4/0.0.0.0 atmxx 3/2:2.3  Invalid line type atmxx
10.101.90.4/0.0.0.0atm 3/2:2.3  No space before atm
10.101.90.4/0.0.0.0-atm 3/2:2.3  - instead of space before atm
10.101.90.4/0.0.0.0 atm 3/2#2.3  # instead of colon after the port
10.101.90.4/0.0.0.0 atm 3/2 2.3  Space instead of colon after the port
10.101.90.4/0.0.0.0 atm 3/22  Wrong port number
The following example specifies the agent circuit ID for the circuit tagged as pvc 200 with the profile
pwfq. The PVC is a tunnel, indicated by the encapsulation 1qtunnel keywords with the
dot1q pvc command:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 200 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line access-node-id 10.101.80.3/0.0.0.0 slotport 3/2
Related Commands
access-line agent-circuit-id
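The following Python script is an added illustration, not SmartEdge OS code, of the matching rule described above: the ANI is taken up to the first space, the next token must be the line type atm or eth, and the slot/port is taken up to the colon (the colon and whatever follows are discarded) before both fields are compared with the configured values. The names AccessNodeIdConfig, parse_agent_circuit_id and check_agent_circuit_id are assumptions; the sample messages are the ones from the table above.

```python
"""Illustration (not SmartEdge OS code) of matching an incoming agent circuit ID
against an 'access-line access-node-id ani slotport slot/port' configuration.
Formats handled (TR-101 R-124, as quoted in the usage guidelines):
    ANI atm slot/port:vpi.vci
    ANI eth slot/port[:vlan-id]
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LINE_TYPES = ("atm", "eth")
MAX_CONFIGURED_CHARS = 63  # ani plus slot/port must stay below this


@dataclass(frozen=True)
class AccessNodeIdConfig:
    """Values given to the (hypothetical) access-node-id configuration."""
    ani: str
    slotport: str

    def __post_init__(self) -> None:
        if " " in self.slotport:
            raise ValueError("slotport must not contain spaces")
        if len(self.ani) + len(self.slotport) >= MAX_CONFIGURED_CHARS:
            raise ValueError("ani plus slotport must be fewer than 63 characters")


@dataclass(frozen=True)
class ParsedCircuitId:
    ani: str         # blind string up to the first space; stored, never interpreted
    line_type: str   # "atm" or "eth"
    slot_port: str   # blind string up to the colon (or to the end of the text)
    remainder: str   # vpi.vci or vlan-id after the colon; discarded for matching


def parse_agent_circuit_id(text: str) -> Tuple[Optional[ParsedCircuitId], str]:
    """Split a formatted agent circuit ID into its fields.

    Returns (parsed, "") on success, or (None, reason) when the text does not
    follow the ANI / line-type / slot-port layout."""
    ani, sep, rest = text.partition(" ")
    if not sep or not ani:
        return None, "no space terminating the ANI"
    line_type, sep, rest = rest.partition(" ")
    if line_type not in LINE_TYPES:
        return None, f"invalid line type '{line_type}'"
    if not sep or not rest:
        return None, "missing slot/port after line type"
    # Everything before the colon is the slot/port; the colon and the text after
    # it are dropped. A '#' or a space in place of the colon therefore ends up
    # inside the slot/port string, which then fails the comparison below.
    slot_port, _, remainder = rest.partition(":")
    return ParsedCircuitId(ani, line_type, slot_port, remainder), ""


def check_agent_circuit_id(config: AccessNodeIdConfig, incoming: str) -> Tuple[bool, str]:
    """Decide whether an incoming DSLAM agent circuit ID selects this circuit.

    Returns (True, "match") or (False, reason)."""
    parsed, reason = parse_agent_circuit_id(incoming)
    if parsed is None:
        return False, reason
    if parsed.ani != config.ani:
        return False, f"ANI '{parsed.ani}' does not match configured '{config.ani}'"
    if parsed.slot_port != config.slotport:
        return False, f"slot/port '{parsed.slot_port}' does not match configured '{config.slotport}'"
    return True, "match"


# Constructed sample: the configuration and the DSLAM messages from the table above.
EXAMPLE_CONFIG = AccessNodeIdConfig(ani="10.101.90.4/0.0.0.0", slotport="3/2")
MATCHING_MESSAGES = (
    "10.101.90.4/0.0.0.0 atm 3/2:2.3",
    "10.101.90.4/0.0.0.0 eth 3/2:7",
)
NON_MATCHING_MESSAGES = (
    "10.101.90.4/0.0.0.0 foo 3/2:bar",
    "10.101.90.4/0.0.0.0 atmxx 3/2:2.3",
    "10.101.90.4/0.0.0.0atm 3/2:2.3",
    "10.101.90.4/0.0.0.0-atm 3/2:2.3",
    "10.101.90.4/0.0.0.0 atm 3/2#2.3",
    "10.101.90.4/0.0.0.0 atm 3/2 2.3",
    "10.101.90.4/0.0.0.0 atm 3/22",
)

if __name__ == "__main__":
    for msg in MATCHING_MESSAGES + NON_MATCHING_MESSAGES:
        ok, why = check_agent_circuit_id(EXAMPLE_CONFIG, msg)
        print(f"{msg!r:40} -> {'match' if ok else 'no match: ' + why}")
```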
access-line rate
access-line rate {in | out} [ancp]
no access-line rate {in | out} [ancp]
Purpose
Overrides the rates specified by the quality of service (QoS) policies attached to a subscriber record, a
named subscriber profile, the default subscriber profile, or the default dot1q profile, with the rates learned
from the Access Node Control Protocol (ANCP) neighbor peer (DSLAM).
Command Mode
subscriber configuration
dot1q profile configuration
Syntax Description
in  Applies the inbound rate to the QoS policing policy attached to the named subscriber
record, the named subscriber profile, the default subscriber profile, or the default dot1q
profile.
out  Applies the outbound rate to the QoS policies attached to the named subscriber record,
the named subscriber profile, the default subscriber profile, or the default dot1q profile,
in the outbound direction (QoS metering, queuing, or both policies).
ancp  Optional. Applies rate information learned from the ANCP session to the named
subscriber record, the named subscriber profile, the default subscriber profile, or the
default dot1q profile, using the associated circuit agent ID.
Default
The system does not use the learned rates to override the rates specified by the attached QoS policies.
Usage Guidelines
In subscriber configuration mode, use the access-line rate command to override the rates specified by the
QoS policies attached to this subscriber record, named profile, or the default profile, with the rates learned
from the ANCP neighbor peer (DSLAM).
In dot1q profile configuration mode, use the access-line rate command to override the rates specified by
the QoS policies attached to a circuit that is configured with the bind interface command, bind bypass
command, or L2VPN bindings and a dot1q profile. This command overrides the rates specified by the QoS
policies with the learned rates from the ANCP neighbor peer (DSLAM).
If the subscriber circuit does not have a QoS policy attached to it, but the parent circuit has a QoS policy
with the inherit keyword configured attached to it, then the learned rate is applied to the QoS policy
attached to the parent circuit.
If there are multiple subscriber circuits running on a parent circuit that has a QoS policy configured with
the inherit keyword attached to it, and only one of the subscriber circuits has the access-line rate command
configured for it, then all subscriber circuits on that parent circuit appear to have the access-line rate
command configured for them. Otherwise, the learned rate is applied to the circuit with the associated
circuit agent ID.
Note The SmartEdge OS learns the rate to be applied from the Actual-Data-Rate-Downstream in
the General Switch Management Protocol (GSMP) port-up message or from the
Point-to-Point Protocol over Ethernet (PPPoE) or Dynamic Host Configuration Protocol
(DHCP) option according to TR-101. If the ancp keyword is specified with the access-line
rate command, the SmartEdge OS learns the rate from ANCP. Otherwise, the SmartEdge OS
learns the rate from the Point-to-Point Protocol over Ethernet (PPPoE) or Dynamic Host
Configuration Protocol (DHCP) option.
Note Queuing policies are inherited by default; policing and metering policies must be configured
with the inherit keyword. For more information about configuring QoS policies, see the QoS
Circuit Configuration chapter.
Use the no form of this command to specify the default condition.
Examples
The following example shows how to enable the system to override the rates in the out direction for the
isp1 subscriber profile in the access7 context, but only if the rate is learned from the ANCP session:
[local]Redback(config)#context access7
[local]Redback(config-ctx)#subscriber profile isp1
[local]Redback(config-sub)#access-line rate out ancp
The following example shows how to enable the system to override the rates in both the in and out
directions for the dot1q profile named pwfq:
[local]Redback(config-ctx)#dot1q profile pwfq
[local]Redback(config-dot1q-profile)#access-line rate in
[local]Redback(config-dot1q-profile)#access-line rate out
Related Commands
access-line agent-circuit-id
interface
interface if-name
no interface
Purpose
Filters incoming new neighbor connections using the interface on which Access Node Control Protocol
(ANCP) sessions are transmitted and received for this ANCP neighbor profile.
Command Mode
ANCP neighbor configuration
Syntax Description
if-name  Name of the interface; an alphanumeric string with up to 127 characters.
Default
ANCP sessions using this profile can arrive on any interface.
Usage Guidelines
Use the interface command to filter incoming new neighbor connections using the interface on which
ANCP sessions are transmitted and received. The incoming session is matched against the circuit on which
it is first connected.
ANCP sessions can arrive on any type of circuit that you have bound to this interface using the bind
interface command (in various configuration modes). For information about the bind interface command,
see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
All packets for ANCP sessions defined in this neighbor profile must arrive on this interface; otherwise, they
are discarded.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the ancp interface for the circuit on which ANCP sessions are transmitted
and received:
[local]Redback(config-ancp-neighbor)#interface ancp
Related Commands
peer id
tcp-port remote
keepalive
keepalive interval seconds retry retry-num
{no | default} keepalive
Purpose
Configures the parameters for sending and receiving keepalive messages to and from Access Node Control
Protocol (ANCP) neighbor peers.
Command Mode
ANCP configuration
Syntax Description
interval seconds  Number of seconds between keepalive messages sent to ANCP neighbor peers.
The range of values is 1 to 25; the default value is 10 seconds.
retry retry-num  Number of missing keepalive messages permitted from an ANCP neighbor peer
before the session is disconnected. The range of values is 1 to 10; the default value
is 3.
Default
The interval value is 10 seconds; the retry value is 3.
Usage Guidelines
Use the keepalive command to configure the parameters for sending and receiving keepalive messages to
and from ANCP neighbor peers.
The SmartEdge router keeps track of the number of missing keepalive messages from each ANCP neighbor
peer. If the number of missing messages exceeds that specified by the retry retry-num construct, it disconnects
the session for that peer.
Caution Risk of performance loss. When the system has many active General Switch Management
Protocol (GSMP) peer sessions and the value of the seconds argument in the keepalive
command syntax is less than 10, the system might incur a loss of performance. To minimize
the risk under these conditions, change the value of the seconds argument to 10 or greater.
Use the no or default form of this command to specify the default condition.
Examples
In the following example, the SmartEdge router sends keepalive messages to ANCP neighbor peers every
5 seconds. It disconnects the session to an ANCP neighbor peer if it does not receive 10 keepalive
messages from that peer:
[local]Redback(config-ancp)#keepalive interval 5 retries 10
Related Commands
peer id
neighbor profile
neighbor profile prof-name
no neighbor profile prof-name
Purpose
Creates an empty Access Node Control Protocol (ANCP) profile for an ANCP neighbor peer, and accesses
ANCP neighbor configuration mode.
Command Mode
ANCP configuration
Syntax Description
prof-name  ANCP neighbor profile name.
Default
No ANCP neighbor profile exists.
Usage Guidelines
Use the neighbor profile command to create an ANCP neighbor profile and access ANCP neighbor
configuration mode.
The SmartEdge OS listens for incoming ANCP sessions, using the Transmission Control Protocol (TCP)
local port that you have configured with the tcp-port local command (in ANCP configuration mode).
When an ANCP session is received, its attributes must match the attributes you have configured for one of
the ANCP neighbor profiles. This means that the session must match each attribute that you have
configured for the profile. If an attribute is not configured, then any value for that attribute is accepted. For
example, if the remote TCP port is not configured, then the incoming session can have any source port
number, as long as the other items match. An empty neighbor profile with no attributes configured allows
all incoming connections.
Use the no form of this command to delete this ANCP neighbor profile.
Examples
The following example creates the ancp-profile ANCP neighbor profile and accesses ANCP neighbor
configuration mode:
[local]Redback(config-ancp)#neighbor profile ancp-profile
[local]Redback(config-ancp-neighbor)#
Related Commands
None
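As an added illustration (not SmartEdge OS code) of the matching rule above: every configured attribute of a profile must equal the incoming session's value, an unconfigured attribute accepts anything, and an empty profile admits every peer. The names NeighborProfile, IncomingSession, select_profile and allow_all_profiles are assumptions; the sample peer values are taken from the configuration examples in this chapter.

```python
"""Illustration (not SmartEdge OS code) of how an incoming ANCP session is
checked against the neighbor profiles: each configured attribute must match,
an unconfigured attribute accepts any value, and an empty profile accepts all."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class NeighborProfile:
    """One 'neighbor profile' with its optional filter commands (None = not configured)."""
    name: str
    peer_id: Optional[str] = None        # peer id (GSMP sender name)
    peer_ip: Optional[str] = None        # peer ip-address
    remote_port: Optional[int] = None    # tcp-port remote
    interface: Optional[str] = None      # interface

    def is_empty(self) -> bool:
        """True when no attribute is configured, i.e. the profile admits any peer."""
        return all(v is None for v in (self.peer_id, self.peer_ip, self.remote_port, self.interface))


@dataclass(frozen=True)
class IncomingSession:
    """Attributes of a new GSMP adjacency received on the local ANCP TCP port."""
    sender_name: str   # sender name carried in the adjacency protocol message
    source_ip: str
    source_port: int
    interface: str     # interface bound to the circuit the session arrived on


def profile_accepts(profile: NeighborProfile, session: IncomingSession) -> bool:
    """True when every configured attribute of the profile equals the session's value."""
    checks = (
        (profile.peer_id, session.sender_name),
        (profile.peer_ip, session.source_ip),
        (profile.remote_port, session.source_port),
        (profile.interface, session.interface),
    )
    return all(wanted is None or wanted == actual for wanted, actual in checks)


def select_profile(profiles: Iterable[NeighborProfile],
                   session: IncomingSession) -> Optional[NeighborProfile]:
    """Return the first profile that accepts the session, or None to reject it."""
    for profile in profiles:
        if profile_accepts(profile, session):
            return profile
    return None


def allow_all_profiles(profiles: Iterable[NeighborProfile]) -> List[str]:
    """Names of profiles with no attributes configured; each of these admits any peer,
    which is worth flagging when reviewing an ANCP configuration."""
    return [p.name for p in profiles if p.is_empty()]


# Constructed sample: the profile from the configuration example plus an empty one.
STRICT_PROFILE = NeighborProfile("ancp-profile", peer_id="01:02:03:04:05:06",
                                 peer_ip="30.100.1.20", remote_port=7070, interface="ancp")
OPEN_PROFILE = NeighborProfile("open-profile")
DSLAM_SESSION = IncomingSession("01:02:03:04:05:06", "30.100.1.20", 7070, "ancp")
UNKNOWN_SESSION = IncomingSession("0a:0b:0c:0d:0e:0f", "30.100.1.99", 7070, "ancp")

if __name__ == "__main__":
    for label, session in (("dslam", DSLAM_SESSION), ("unknown", UNKNOWN_SESSION)):
        chosen = select_profile([STRICT_PROFILE], session)
        print(f"{label}: {'accepted by ' + chosen.name if chosen else 'rejected'}")
    print("allow-all profiles:", allow_all_profiles([STRICT_PROFILE, OPEN_PROFILE]))
```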
peer id
peer id peer-name
no peer id peer-name
Purpose
Filters incoming new neighbor connections using the sender name of the incoming Access Node Control
Protocol (ANCP) neighbor peer.
Command Mode
ANCP neighbor configuration
Syntax Description
peer-name  Name of an ANCP neighbor peer.
Default
If a peer name is not specified for this profile, there is no restriction on the sender name in a received
General Switch Management Protocol (GSMP) adjacency protocol message from an ANCP neighbor peer.
Usage Guidelines
Use the peer id command to filter incoming new neighbor connections using the sender name of the
incoming ANCP neighbor peer. The sender name is in the GSMP adjacency protocol message from the
ANCP neighbor peer.
Use the no form of this command to specify the default condition.
Examples
The following example specifies a name for an ANCP neighbor peer:
[local]Redback(config-ancp-neighbor)#peer id 01:02:03:04:05:06
Related Commands
interface
tcp-port remote
peer ip-address
peer ip-address ip-addr
no peer ip-address ip-addr
Purpose
Filters incoming new neighbor connections using the IP address of the incoming Access Node Control
Protocol (ANCP) neighbor peer.
Command Mode
ANCP neighbor configuration
Syntax Description
ip-addr  IP address of an ANCP neighbor peer.
Default
If an IP address is not specified for this profile, there is no restriction on the IP address in a received General
Switch Management Protocol (GSMP) adjacency protocol message from an ANCP neighbor peer.
Usage Guidelines
Use the peer ip-address command to filter incoming new neighbor connections using the IP address of the
incoming ANCP neighbor peer. The incoming IP address is matched against the specified IP address, and
the connection is rejected if there is no match.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the IP address for an ANCP neighbor peer:
[local]Redback(config-ancp-neighbor)#peer ip-address 30.100.1.20
Related Commands
interface
tcp-port remote
router ancp
router ancp
no router ancp
Purpose
Creates the Access Node Control Protocol (ANCP) router and accesses ANCP configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
The ANCP router does not exist.
Usage Guidelines
Use the router ancp command to create the ANCP router and access ANCP configuration mode. The
ANCP router is always created in the local context.
Use the no form of this command to delete the ANCP router and close all ANCP sessions; however, digital
subscriber line (DSL) information learned from the sessions is not removed.
Examples
The following example creates the ANCP router in the local context and accesses ANCP configuration
mode:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router ancp
[local]Redback(config-ancp)#
Related Commands
interface
keepalive
neighbor profile
system-id
tcp-port local
system-id
system-id name
{no | default} system-id
Purpose
Assigns an ID that identifies the SmartEdge router in Access Node Control Protocol (ANCP) sessions
transmitted to an ANCP neighbor peer.
Command Mode
ANCP configuration
Syntax Description
name  ID used for the ANCP sessions. The format is a 6-byte hexadecimal string in the form
hh:hh:hh:hh:hh:hh.
Default
The ID is set to the medium access control (MAC) address of the Ethernet management port or to
CA:FE:18:07:29:09 if the system cannot read the MAC address of the Ethernet management port.
Usage Guidelines
Use the system-id command to assign an ID that identifies the ANCP sessions transmitted by the
SmartEdge router. If you configure the system ID, it is included as the sender name in adjacency packets
sent by the SmartEdge router. If you do not configure it, the system uses one of the following alternatives:
If the SmartEdge router has received the MAC address of the port on which the ANCP neighbor is
connected, it uses that MAC address.
Otherwise, the SmartEdge router uses either the MAC address of the Ethernet management port or
CA:FE:18:07:29:09, depending on whether the MAC address of the Ethernet management port is
readable.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies 12:34:56:78:9a:bc as the SmartEdge router ID for ANCP sessions:
[local]Redback(config-ancp)#system-id 12:34:56:78:9a:bc
Related Commands
interface
keepalive
router ancp
tcp-port local
tcp-port local
tcp-port local loc-port
{no | default} tcp-port local
Purpose
Assigns the Transmission Control Protocol (TCP) port on which the SmartEdge router listens for Access Node
Control Protocol (ANCP) sessions.
Command Mode
ANCP configuration
Syntax Description
loc-port  TCP port number. The range of values is 6,068 to 10,000; the default value is 6,068.
Default
The default TCP port, 6,068, is assigned as the local port.
Usage Guidelines
Use the tcp-port local command to specify the TCP port on which the SmartEdge router listens for ANCP
sessions.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies 6070 as the port number for the local TCP port:
[local]Redback(config-ancp)#tcp-port local 6070
Related Commands
tcp-port remote
tcp-port remote
tcp-port remote remote-port
no tcp-port remote
Purpose
Filters incoming new neighbor connections using the Transmission Control Protocol (TCP) port on which
the SmartEdge router receives the General Switch Management Protocol (GSMP) messages from an
Access Node Control Protocol (ANCP) neighbor peer.
Command Mode
ANCP neighbor configuration
Syntax Description
remote-port  TCP port number. The range of values is 1,024 to 5,000.
Default
If a TCP remote port number is not specified for this profile, there is no restriction on the TCP remote port
number in a received GSMP adjacency protocol message from an ANCP neighbor.
Usage Guidelines
Use the tcp-port remote command to filter incoming new neighbor connections using the TCP port
number on which the SmartEdge router receives the GSMP messages from an ANCP neighbor peer.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 7070 as the port number for a remote TCP port:
[local]Redback(config-ancp-neighbor)#tcp-port remote 7070
Related Commands
interface
peer id
tcp-port local
Part 3
Mobile IP Services
This part describes the tasks and commands used to configure SmartEdge OS Mobile IP services and
consists of the following chapters:
Chapter 7, Mobile IP Foreign Agent Configuration
Chapter 8, Mobile IP Home Agent Configuration
Chapter 7
Mobile IP Foreign Agent Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Mobile IP (wireless)
services for foreign agent (FA) instances on the SmartEdge router and their home-agent (HA) peers.
For information about the tasks and commands used to monitor, administer, and troubleshoot Mobile IP
services, see the Mobile IP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
You configure IP-in-IP tunnels and, optionally, Generic Routing Encapsulation (GRE) tunnels on the
SmartEdge router to support the connections from FA instances to their HA peers. For information about
configuring the IP-in-IP and GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
For information about configuring Ethernet, Fast Ethernet-Gigabit Ethernet, and Gigabit Ethernet ports and
circuits to support mobile subscribers, see the ATM, Ethernet, and POS Port Configuration and Circuit
Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note The terms FA instance and HA instance refer to the FAs and HAs, respectively, that you
configure on the SmartEdge router.
The terms FA peers and HA peers refer to FAs and HAs that exist on other equipment in the
network.
The term Mobile IP binding refers to the association between a mobile node (MN) and its HA
instance on the SmartEdge router. The term visitor or visiting MN refers to the association
between an MN and an FA instance when that MN is communicating with its HA through the
FA instance on the SmartEdge router.
FA and HA tunnels can be used with both Mobile IP services traffic and non-Mobile IP services traffic.
Overview
This section includes the following topics:
Mobile IP Components
Traffic Flow
Deployment Scenarios
Restrictions
Supported Standards
Mobile IP Components
Mobile IP allows MNs to retain their IP addresses when they roam across multiple networks. Doing so
enables MNs to maintain their existing IP sessions.
Mobile IP consists of the following components:
Mobile Nodes
Home Agent Peer
Foreign Agent Instance
Registration
Mobile Nodes
The MN is an IP device, for example a laptop computer or personal digital assistant (PDA), whose point
of attachment (POA) to the Internet can change frequently. The MN maintains its connections using its
home IP address.
Home Agent Peer
The HA peer, a router on the MN home network, is the anchor component in a Mobile IP network that
provides seamless mobility to the MN. When an MN is attached to its home network, it does not use Mobile
IP services because it communicates directly using normal IP routing. When an MN is roaming and is not
connected to its home network, its HA peer does the following:
Tracks the MN current POA to the Internet.
Tunnels datagrams destined for the MN to its current POA.
Authenticates the MN (usually with the user ID and password) and verifies that Mobile IP services
should be provided. It optionally assigns the MN a home address (HoA) on its home network. When
the MN roams outside its home network, it retains its home address to prevent losing existing IP
sessions.
Foreign Agent Instance
MNs listen for FA instance advertisements to determine whether they are attached to a home or a foreign network.
An FA instance is a router on a foreign network that provides routing services to visiting MNs. When the
MN visits a foreign network with which its HA peer has service agreements and is authenticated by its HA
peer, the MN can obtain Mobile IP services while visiting this network. During the visit, the MN listens for
Internet Control Message Protocol (ICMP) Router Advertisements (RAs) from an FA instance. The RAs
allow the MN to learn which FA instances are available and what Mobile IP services they have to provide.
The FA instance does the following:
Allows the MN to maintain its existing sessions when it visits the foreign network.
Terminates the tunnels from the HA peers corresponding to visiting MNs.
Decapsulates packets destined for the MN and delivers them locally.
Reverse-tunnels traffic from the MN to other Internet nodes. This is often required to satisfy ingress
filtering (as described in RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks)
and to facilitate accurate billing and accounting.
If the MN does not hear RAs from any FA instances, the MN sends an ICMP Router Solicitation requesting that any
FA instances on the foreign network reply with an RA.
Registration
When the MN discovers a foreign agent (FA) instance with which its HA peer has a service agreement, it
sends a Mobile IP registration request to the FA instance. The FA instance validates the request and
forwards it to the corresponding HA peer. The registration request does the following:
Requests Mobile IP services for the MN from the FA instance when it is visiting one of its foreign
networks. For successful registrations, the FA instance maintains the state of the visitor, such as the
lifetime of the registration.
Informs the HA peer of the MN current POA to the Internet. This is normally the FA instance
care-of address (CoA), which is also the termination point of the tunnel between the HA peer and the FA
instance.
For new registrations, the HA peer creates a binding that maintains the MN location and other related
information, such as the lifetime of the registration. For existing registrations, the HA peer and the FA
instance renew the registration lifetime in their respective binding and visitor entries.
Optionally, deregisters the MN when it returns to its home network or no longer requires Mobile IP
services.
The MN registration request includes the FA instance CoA and the IP address of its HA peer. It may include
the MN assigned home address (HoA) and the MN user identity as described in RFC 2794, Mobile IP
Network Access Identifier Extension for IPv4.
The MN sends the registration request to the HA peer so that the HA peer knows where the MN is located.
When the MN is successfully authenticated, the HA peer sends a Mobile IP registration reply to the FA
instance, and the FA instance, in turn, forwards it to the MN.
The HA peer and FA instance also set up forwarding so that all packets destined for the MN home address
are forwarded to the MN through the tunnel between the HA peer and the FA instance. The FA instance sets
up forwarding so that packets from the MN are reverse tunneled back over the same tunnel to the HA
peer. Packets originating from an MN are always reverse tunneled.
Overview
7-4 IP Services and Security Configuration Guide
The MN uses its HoA as the source of all packets it sends, whether it is attached to its home network or
visits a foreign network through an FA instance. MN authentication is always performed on the HA peer. The
SmartEdge router HA peer uses the MN's user identifier (included in the registration request) to
authenticate Mobile IP services using AAA protocols with a RADIUS server.
Optionally, the MN can acquire a collocated care-of address (CCoA) on the foreign network and use
Mobile IP services with minimal or no interaction with the FA instance. The SmartEdge router does
not support this mode of operation.
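The registration exchange described above, as an added example that is not part of this guide or of Redback's code: the MN builds an RFC 3344 Registration Request carrying the RFC 2794 NAI extension and a Mobile-Home authentication extension, the FA instance relays it with a Foreign-Home authentication extension whose SPI and key stand in for the FA-HA key chain configured later in this chapter, and the HA peer verifies both before accepting. The HMAC-MD5 authenticator layout is the RFC 3344 default; the function names, keys, SPIs, NAI, home address, and the FA's insistence on the reverse-tunnelling (T) bit are constructed assumptions.

```python
"""Mobile IPv4 registration request authentication (RFC 3344, RFC 2794, RFC 3024).

Added example, not Redback code. Models the FA instance relaying an MN's
registration request to the HA peer; keys, SPIs and addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST = 1
FLAG_T = 0x02              # T bit: MN asks for reverse tunnelling (RFC 3024)
EXT_MN_HA_AUTH = 32        # Mobile-Home Authentication Extension
EXT_FA_HA_AUTH = 34        # Foreign-Home Authentication Extension
EXT_NAI = 131              # Mobile Node NAI Extension (RFC 2794)
AUTH_LEN = 16              # HMAC-MD5 authenticator, the RFC 3344 default
FIXED_LEN = 24             # type, flags, lifetime, HoA, HA, CoA, identification


def build_request(hoa, home_agent, coa, nai, lifetime=1800, identification=0):
    """Fixed part of a Registration Request plus the NAI extension. The CoA is the
    FA's advertised tunnel endpoint; home_agent is the HA peer address."""
    fixed = struct.pack("!BBH4s4s4sQ", REG_REQUEST, FLAG_T, lifetime,
                        ipaddress.IPv4Address(hoa).packed,
                        ipaddress.IPv4Address(home_agent).packed,
                        ipaddress.IPv4Address(coa).packed, identification)
    nai_bytes = nai.encode("ascii")
    return fixed + struct.pack("!BB", EXT_NAI, len(nai_bytes)) + nai_bytes


def _authenticator(covered, key):
    return hmac.new(key, covered, hashlib.md5).digest()


def append_auth_ext(msg, ext_type, spi, key):
    """Append an authentication extension. Per RFC 3344 the authenticator covers
    the message so far plus this extension's Type, Length and SPI."""
    header = struct.pack("!BBI", ext_type, 4 + AUTH_LEN, spi)
    return msg + header + _authenticator(msg + header, key)


def iter_extensions(msg):
    """Yield (offset, type, length, data) for each extension after the fixed part."""
    off = FIXED_LEN
    while off + 2 <= len(msg):
        ext_type, length = struct.unpack_from("!BB", msg, off)
        yield off, ext_type, length, msg[off + 2:off + 2 + length]
        off += 2 + length


def verify_auth_ext(msg, ext_type, keys_by_spi):
    """Check the first extension of ext_type against a key chain keyed by SPI.
    Returns (ok, reason); an unknown SPI or a bad authenticator is a rejection."""
    for off, etype, length, data in iter_extensions(msg):
        if etype != ext_type:
            continue
        if length != 4 + AUTH_LEN or len(data) != length:
            return False, "bad extension length"
        spi = struct.unpack("!I", data[:4])[0]
        key = keys_by_spi.get(spi)
        if key is None:
            return False, "unknown SPI %d" % spi
        covered = msg[:off + 2 + 4]      # everything before it, plus Type, Length, SPI
        if not hmac.compare_digest(_authenticator(covered, key), data[4:]):
            return False, "authenticator mismatch"
        return True, "ok"
    return False, "extension type %d absent" % ext_type


def fa_relay(request, fa_ha_spi, fa_ha_key):
    """FA instance: sanity-check the request and relay it toward the HA peer with a
    Foreign-Home authentication extension from the FA's key chain (constructed
    policy: this FA always reverse-tunnels MN traffic, so it insists on the T bit)."""
    msg_type, flags = struct.unpack_from("!BB", request, 0)
    if msg_type != REG_REQUEST:
        raise ValueError("not a registration request")
    if not flags & FLAG_T:
        raise ValueError("reverse tunnelling not requested")
    return append_auth_ext(request, EXT_FA_HA_AUTH, fa_ha_spi, fa_ha_key)


def ha_accept(request, fa_ha_keys, mn_ha_keys):
    """HA peer: authenticate the relaying FA first, then the MN (MN authentication
    is always performed on the HA peer). Returns (accepted, reason)."""
    ok, why = verify_auth_ext(request, EXT_FA_HA_AUTH, fa_ha_keys)
    if not ok:
        return False, "FA-HA: " + why
    ok, why = verify_auth_ext(request, EXT_MN_HA_AUTH, mn_ha_keys)
    if not ok:
        return False, "MN-HA: " + why
    nai = next((d.decode("ascii") for _, t, _, d in iter_extensions(request)
                if t == EXT_NAI), "no NAI")
    return True, "accepted " + nai


def demo():
    """Constructed exchange: MN -> FA (CoA 172.16.1.1) -> HA peer 172.16.2.1, then
    the same relayed request with one bit of the home address flipped in transit."""
    mn_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed MN-HA key
    fa_key = bytes(range(16))                                     # constructed FA-HA key
    req = build_request("192.0.2.10", "172.16.2.1", "172.16.1.1",
                        "mn10@example.net", identification=0x5AFE)
    req = append_auth_ext(req, EXT_MN_HA_AUTH, 0x100, mn_key)
    relayed = fa_relay(req, 0x200, fa_key)
    good = ha_accept(relayed, {0x200: fa_key}, {0x100: mn_key})
    tampered = bytearray(relayed)
    tampered[4] ^= 0x01                      # first byte of the home address
    bad = ha_accept(bytes(tampered), {0x200: fa_key}, {0x100: mn_key})
    return good, bad


if __name__ == "__main__":
    print(demo())
```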
Traffic Flow
Mobile IP services enable the SmartEdge router to act as one or more FA instances. Each FA instance
communicates with HA peers that support its mobile subscribers, which are referred to as mobile nodes
(MNs). Each FA instance has a care-of address (CoA) that the system uses as the termination address for
the tunnel to an HA peer.
In a typical deployment, MNs connect wirelessly to Base Transceiver Stations (BTSs), which connect to
the SmartEdge router FA instance through Ethernet. In this topology, each MN is represented by a separate
Ethernet circuit and MNs can move between BTSs. The FA instance communicates with a SmartEdge HA
peer through a tunnel endpoint (a local address of an HA instance). The SmartEdge router routes the MN
traffic to the HA peer using an IP-in-IP tunnel or GRE tunnel. Each HA peer uses a different tunnel. Traffic
for the MNs is routed from the FA instance to the HA peer using the same tunnel.
MNs communicate with the SmartEdge router (the FA instance) over Ethernet-based circuits using a
context where you configure the FA instance. The system routes the MN traffic to each external HA peer
using an IP-in-IP tunnel or a GRE tunnel. Each HA peer uses a different tunnel. Traffic from an HA peer
is routed back to the MNs associated with that HA peer using the same tunnel.
Figure 7-1 illustrates the physical network for MNs, BTSs, HA peers, and an FA instance.
Note Because the tunnels described in this chapter each support a single tunnel circuit, the term
tunnel refers to the tunnel and its circuit. For information about configuring the IP-in-IP and
GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and
Tunnels Configuration Guide for the SmartEdge OS.
Overview
Mobile IP Foreign Agent Configuration 7-5
Figure 7-1 Physical Network of MNs, BTSs, HA Peers, and an FA Instance
Deployment Scenarios
The Mobile IP services implementation can use the multiple context support that the SmartEdge OS
provides. The contexts that Mobile IP services can use in different deployment scenarios include:
CoA context
The CoA interface resides in the CoA context. The CoA interface provides an endpoint for a tunnel to
a home-agent peer. The CoA context is typically the local context, but other contexts can be used as
well. Each CoA interface can be in a different CoA context independent of other CoA interfaces.
FA context
The FA context provides one or more interfaces to the MN and defines the set of HA peers for the FA
instance. Each FA instance configured on the SmartEdge router has its own FA context.
HoA VPN context
The home address (HoA) Virtual Private Network (VPN) context includes the interfaces that terminate
the tunnels to the HA peers. Each HA peer that uses private HoAs has its own context. HA peers that
use nonoverlapping HoAs can share a single context. Each HA peer that has an overlapping HoA must
have its own HoA VPN context.
These contexts allow the SmartEdge OS to support various deployment scenarios, which are described in
the following sections:
Home Agent Without Overlapping IP Addresses
Some Home Agents Use Private IP Addresses
Any Home Agent Can Use Private IP Addresses
Home Agents Can Be Grouped for Each Mobile IP Service Provider
SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers
Home Agent Without Overlapping IP Addresses
In the most basic deployment, a single FA instance provides connectivity to all MNs while interfacing with
all the HA peers. The MN HoAs do not overlap; that is, each MN has a public HoA. In this case, the
configuration is simplified to make use of a single context, the FA context.
Some Home Agents Use Private IP Addresses
A few HA peers can allocate HoAs from a private address space while providing Internet connectivity using
Network Address Translation (NAT). If so, the IP addresses of the MNs can overlap.
To configure the SmartEdgeOS for this deployment, use a single context for the FA instances, HA peers,
and CoAs, but exclude the HA peers that use private IP addresses. Use a separate context for each HA peer
that uses a private address space.
Any Home Agent Can Use Private IP Addresses
Each HA peer is independent and can use private IP addresses. For this deployment scenario, each HA peer
uses a separate context. The CoA and FA contexts can be the same.
Home Agents Can Be Grouped for Each Mobile IP Service Provider
In this scenario, an FA instance provides services to multiple mobile Internet service providers (ISPs). Each
ISP owns a set of HA peers and the HoAs that belong to the same ISP do not overlap. Each ISP may use
private IP addresses.
To configure this scenario, each ISP uses a separate HA VPN context; that is, all HA peers belonging
to an ISP use the same HA VPN context. The CoA and FA contexts can be the same for each ISP.
SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers
In this scenario, the SmartEdge OS can separate the MN, FA, and HA peer networks for each mobile ISP. Each
ISP is treated like an enterprise VPN; the ISP contexts are as follows:
A separate FA context is used for each ISP.
The CoA context for each ISP can be the same as its FA context; this is more appropriate than using the
local context because the ISP can choose to use private IP addresses for the tunnel endpoints.
The FA context can also serve as the HA VPN context, assuming that no HoAs overlap within the same
ISP. If HoAs overlap, then a separate HA VPN context is used for each HA peer.
Unless the backbone links are placed in a nonlocal context, backbone connectivity is through the local
context.
Restrictions
Mobile IP services have the following restrictions:
Mobile IP services are currently supported only for unicast traffic; broadcast and multicast traffic are not
supported.
Mobile IP services are supported only on PPA2 line cards. Do not have any PPA1-based line cards in the
chassis when enabling Mobile IP services.
Supported Standards
Mobile IP services comply with the standards found in the following documents:
RFC 2794, Mobile IP Network Access Identifier Extension for IPv4
RFC 3024, Reverse Tunneling for Mobile IP, revised
RFC 3344, IP Mobility Support for IPv4
RFC 3543, Registration Revocation in Mobile IPv4
Configuration Tasks
To configure FA instances on the SmartEdge router and their home-agent (HA) peers, use the configuration
guidelines and perform the tasks described in the following sections:
Mobile IP Configuration Guidelines
Create the Contexts and Interfaces for Mobile IP Services
Configure a Key Chain Authentication Between an FA and HA
Configure an FA Instance
Configure an HA Peer
Configure a Mobile IP Interface for MN Access
Configure the MN Access to an FA Instance
Configure the Mobile IP Tunnels
Enable or Disable an FA Instance, an HA Peer, or MN Access
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Mobile IP Configuration Guidelines
The following configuration guidelines apply when configuring Mobile IP services for an FA instance:
Within a given context, the SmartEdge router can act as an FA instance.
HA peers that use public IP addresses can share an HoA VPN context.
If an HA peer uses private IP addresses, it can share an HoA VPN context with other HA peers if their
IP addresses do not overlap; otherwise, HA peers cannot share an HoA VPN context.
MNs can have overlapping IP addresses if they are registered with different HA peers.
You must configure IP-in-IP tunnels to HA peers; optionally, you can configure and use GRE tunnels
in addition to the IP-in-IP tunnels.
Configure the tunnel to an HA peer in the HoA VPN context for that peer if it exists; otherwise,
configure the tunnel in the FA context (the default for the HoA VPN context for that peer).
To prevent Mobile IP tunnels from shutting down because of circuit problems, create the interfaces for
the IP-in-IP and GRE tunnels as loopback interfaces. Loopback interfaces are always up.
When you configure the Ethernet circuits that provide access for all MNs, create a single interface in
the FA context for all the Ethernet circuits or create a separate interface in the FA context for each
802.1Q permanent virtual circuit (VLAN).
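A planning check for the context-sharing guidelines above, as an added example that is not taken from this guide or from Redback's code: given each HA peer's HoA prefixes and whether they are private, it places public-address peers in the FA context (the default HoA VPN context) and private-address peers in a shared HoA VPN context only while none of their HoA prefixes overlap, giving an overlapping peer its own context. The peer list, prefixes, and the ha-vpnN naming are constructed; the emitted home-agent-peer and vpn-context lines follow this chapter's configuration examples.

```python
"""Plan HoA VPN contexts for HA peers from the sharing rules in these guidelines.

Added example, not Redback code: a pre-configuration check with constructed peers.
"""
import ipaddress


def plan_hoa_contexts(fa_context, peers, prefix="ha-vpn"):
    """peers: list of (ha_peer_ip, [HoA prefixes], uses_private_addresses).
    Public-HoA peers share the FA context. Private-HoA peers share a context only
    while no HoA prefix overlaps one already placed there; otherwise a new context
    is created. Returns (peer -> context, context -> placed networks)."""
    contexts = {fa_context: []}
    assignment = {}
    for peer_ip, hoa_prefixes, private in peers:
        nets = [ipaddress.ip_network(p) for p in hoa_prefixes]
        if not private:
            assignment[peer_ip] = fa_context
            contexts[fa_context].extend(nets)
            continue
        target = None
        for name, placed in contexts.items():
            if name == fa_context:
                continue     # private HoAs stay out of the shared FA context
            if not any(a.overlaps(b) for a in nets for b in placed):
                target = name
                break
        if target is None:
            target = "%s%d" % (prefix, len(contexts))   # constructed naming
            contexts[target] = []
        assignment[peer_ip] = target
        contexts[target].extend(nets)
    return assignment, contexts


def peer_config_lines(fa_context, assignment):
    """home-agent-peer / vpn-context lines as in this chapter's examples; the
    vpn-context line is omitted where the FA context is the default HoA VPN context."""
    lines = []
    for peer_ip, ctx in assignment.items():
        lines.append("home-agent-peer %s" % peer_ip)
        if ctx != fa_context:
            lines.append(" vpn-context %s" % ctx)
        lines.append(" exit")
    return lines


# Constructed sample: one public peer and three peers handing out private HoAs.
CONSTRUCTED_PEERS = [
    ("172.16.2.1", ["198.51.100.0/24"], False),   # public HoAs
    ("172.16.2.2", ["10.1.0.0/16"], True),        # private HoAs
    ("172.16.2.3", ["10.1.5.0/24"], True),        # overlaps peer .2, needs its own context
    ("172.16.2.4", ["10.2.0.0/16"], True),        # private but disjoint from peer .2
]

if __name__ == "__main__":
    plan, _ = plan_hoa_contexts("local", CONSTRUCTED_PEERS)
    print("\n".join(peer_config_lines("local", plan)))
```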
Create the Contexts and Interfaces for Mobile IP Services
To create the contexts and interfaces for Mobile IP services, perform the tasks described in Table 7-1. These
contexts and interfaces are used in subsequent configuration tasks for the FA instances, HA peers, and
Mobile IP tunnels.
Table 7-1 Create the Contexts and Interfaces for Mobile IP Services
1. Optional. Create the context for the CoA interface and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode. You can use the local context instead of performing this step. For information about the context command (in global configuration mode), see the Basic System Configuration Guide for the SmartEdge OS.
2. Create the CoA interface and access interface configuration mode.
   Root command: interface
   Notes: Enter this command in context configuration mode. For information about the interface command (in context configuration mode), see the Basic System Configuration Guide for the SmartEdge OS.
3. Optional. Create an FA context for an FA instance and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode. You can use the local context instead of performing this step.
4. Create the interface for the Ethernet ports and 802.1Q VLANs that BTS MNs use to access this FA instance and access interface configuration mode.
   Root command: interface
   Notes: Enter this command in context configuration mode.
5. Optional. Create an HA VPN context for the terminating interfaces for the IP-in-IP tunnel and, optionally, a GRE tunnel for one or more HA peers and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode. You can use the local context instead of performing this step, but only HA peers that use public IP addresses or nonoverlapping private IP addresses can share a single context.
6. Create an interface for an IP-in-IP tunnel and, optionally, an interface for a GRE tunnel, to the HA peer and access interface configuration mode.
   Root command: interface
   Notes: Enter this command in context configuration mode. Consider making this interface a loopback interface.
Configure a Key Chain Authentication Between an FA and HA
To configure a key chain between a foreign-agent (FA) instance and home-agent (HA) peer, perform the
tasks described in Table 7-2. For more information about configuring key chains, see Chapter 24, Key
Chain Configuration. Enter all commands in key chain configuration mode, unless otherwise noted.
Table 7-2 Configure a Key Chain
1. Select the context for the FA instance and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode.
2. Create the key chain and access key chain configuration mode.
   Root command: key-chain
   Notes: Enter this command in context configuration mode.
3. Configure a key string.
   Root command: key-string
4. Specify the security parameter index (SPI) for this key chain.
   Root command: spi
Configure an FA Instance
To configure an FA instance, perform the tasks described in Table 7-3; enter all commands in FA
configuration mode, unless otherwise noted.
Table 7-3 Configure an FA Instance
1. Select the context for the FA instance and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode.
2. Enable Mobile IP services in this context and access Mobile IP configuration mode.
   Root command: router mobile-ip
   Notes: Enter this command in context configuration mode.
3. Optional. Create a dynamic tunnel profile and enter Dynamic Tunnel Profile configuration mode.
   Root command: dynamic-tunnel-profile
   Notes: Enter this command in Mobile IP configuration mode.
4. Optional. Clear the IP header DF flag in all packets that are transmitted on an IP-in-IP or a GRE tunnel.
   Root command: clear-df (dynamic tunnel)
   Notes: Enter this command in Dynamic Tunnel Profile configuration mode.
5. Optional. Set the MTU for packets sent to GRE tunnels.
   Root command: gre mtu
   Notes: Enter this command in Dynamic Tunnel Profile configuration mode.
6. Optional. Specify the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors.
   Root command: hold-time
   Notes: Enter this command in Dynamic Tunnel Profile configuration mode.
7. Optional. Set the MTU for packets sent to IP-in-IP tunnels.
   Root command: ipip mtu
   Notes: Enter this command in Dynamic Tunnel Profile configuration mode.
8. Optional. Specify the number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down.
   Root command: time-out
   Notes: Enter this command in Dynamic Tunnel Profile configuration mode.
9. Create or select the FA instance in this context and access FA configuration mode.
   Root command: foreign-agent
10. Optional. Reference an existing dynamic tunnel profile. The dynamic tunnel attributes defined in this profile are applied to the dynamic tunnels that are used by this FA instance.
   Root command: dynamic-tunnel-profile
11. Specify the interface for the CoA advertised by this FA instance.
   Root command: care-of-address
   Notes: This is the interface that you created for the tunnel for this FA instance.
12. Optional. Specify the GRE tunnel type to advertise.
   Root command: advertise tunnel-type
   Notes: The default is not to advertise optional tunnel types.
13. Optional. Configure registration revocation.
   Root command: revocation
   Notes: The default is to not configure revocation support.
14. Optional. Configure the default authentication for this FA instance.
   Root command: authentication
   Notes: This is the default authentication for all HA peers for this FA instance.
15. Optional. Enable (the default condition) or disable the forwarding of non-Mobile IP traffic for this FA instance.
   Root command: forwarding traffic
16. Optional. Specify the means by which the forwarding address for an MN is determined.
   Root command: forwarding scheme
17. Optional. Enable or disable MN access interface change detection using logical link control (LLC) exchange ID (XID) messages received on a circuit.
   Root command: llc-xid-processing
   Notes: Enable is the default.
Configure an HA Peer
To configure an HA peer, perform the tasks described in Table 7-4; enter all commands in HA peer
configuration mode, unless otherwise noted.
Table 7-4 Configure an HA Peer
1. Select the context for the FA instance for this HA peer and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode.
2. Enable Mobile IP services in this context and access Mobile IP configuration mode.
   Root command: router mobile-ip
   Notes: Enter this command in context configuration mode.
3. Select the FA instance in this context for the HA peer and access FA configuration mode.
   Root command: foreign-agent
   Notes: Enter this command in Mobile IP configuration mode.
4. Create or select the HA peer and access HA peer configuration mode.
   Root command: home-agent-peer
   Notes: Enter this command in FA configuration mode.
5. Optional. Apply a dynamic tunnel profile.
   Root command: dynamic-tunnel-profile
6. Optional. Specify the maximum number of pending registrations for this HA peer.
   Root command: max-pending-registrations
7. Optional. Specify the HoA VPN context for this HA peer.
   Root command: vpn-context
8. Optional. Configure the authentication for the HA peer.
   Root command: authentication
   Notes: This authentication overrides the default authentication configured for the FA instance.
Configure a Mobile IP Interface for MN Access
To configure a Mobile IP interface for MN access, perform the tasks described in Table 7-5; enter all
commands in Mobile IP interface configuration mode, unless otherwise noted.
Table 7-5 Configure a Mobile IP Interface for MN Access
1. Select the context for the FA instance and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode.
2. Enable Mobile IP services in this context and access Mobile IP configuration mode.
   Root command: router mobile-ip
   Notes: Enter this command in context configuration mode.
3. Select an existing interface, enable it for Mobile IP services, and access Mobile IP interface configuration mode.
   Root command: interface
   Notes: This interface is the one you created for the Ethernet circuits in step 4 in Table 7-1.
4. Optional. Specify the maximum registration lifetime for an MN on this interface.
   Root command: registration max-lifetime
5. Optional. Specify the maximum interval between advertisement messages.
   Root command: advertise max-interval
6. Optional. Specify the maximum lifetime of advertisement messages.
   Root command: advertise max-lifetime
7. Optional. Specify the minimum interval between advertisement messages.
   Root command: advertise min-interval
Configure the MN Access to an FA Instance
To configure the MN access to an FA instance, perform the tasks described in Table 7-6.
Table 7-6 Configure MN Access to the FA Instance
1. Configure the Ethernet ports and circuits on which the MNs access an FA instance.
   Notes: For information about configuring Ethernet circuits, see the ATM, Ethernet, and POS Port Configuration and the Circuit Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2. Bind the Ethernet ports and circuits to the interfaces created for MN access in the FA context.
   Root command: bind interface
   Notes: For information about binding circuits to interfaces, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Configuration Examples
7-12 IP Services and Security Configuration Guide
Configure the Mobile IP Tunnels
You must configure an IP-in-IP tunnel to each HA peer. You can also configure a GRE tunnel to each HA
peer. To configure the Mobile IP tunnels, perform the tasks described in Table 7-7.
Table 7-7 Configure the Mobile IP Tunnels
1. Configure the IP-in-IP tunnels to the HA peers.
   Notes: For information about configuring IP-in-IP tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2. Optional. Configure the GRE tunnels to the HA peers.
   Notes: For information about configuring GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Enable or Disable an FA Instance, an HA Peer, or MN Access
To enable or disable an FA instance, an HA peer, or MN access to the SmartEdge router, perform the task
described in Table 7-8.
Table 7-8 Enable or Disable an FA Instance, an HA Peer, or MN Access to the SmartEdge Router
Optional. Disable or enable an FA instance, an HA peer, or MN access to the SmartEdge router.
   Root command: shutdown
   Notes: Enter this command in FA, HA peer, or Mobile IP interface configuration mode. Use the no form of this command to enable an FA instance, an HA peer, or MN access to the SmartEdge router.
Configuration Examples
The following examples show configurations for:
Single FA Instance and HA Peer with IP-in-IP Tunnels
Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels
Single FA Instance and HA Peer with IP-in-IP Tunnels
The following example creates an IP-in-IP tunnel and the interfaces to support an FA instance and a single
HA peer, all in the local context. The interface for the IP-in-IP tunnel is unnumbered; it borrows its IP
address from the CoA interface. Traffic to and from the MNs is carried on GE port 2/1:
! Create the interfaces for the CoA, the MN access, and the IP-in-IP tunnel to the HA
! peer, all in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa loopback
[local]Redback(config-if)#ip address 172.16.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface toHA-peer
[local]Redback(config-if)#ip unnumbered coa
[local]Redback(config-if)#exit
! Enable the local context and the mn-access interface for Mobile IP services
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#exit
! Create the foreign agent, specify the CoA interface, and create a home agent peer
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#end
! Configure the GE port for MN traffic and bind it to the MN access interface
[local]Redback#config
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface mn-access local
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnel to the HA peer using the CoA as the local endpoint
! Bind it to the HA peer interface in the local context
[local]Redback(config)#tunnel ipip HApeerTnl
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.2.1
[local]Redback(config-tunnel)#bind interface toHA-peer local
[local]Redback(config-tunnel)#end
Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels
The following example creates the IP-in-IP tunnels and the interfaces to support an FA instance and two HA
peers with overlapping IP addresses. The FA instance and tunnels are configured in the local context; each
HA peer has its own VPN context. Traffic to and from the MNs is carried on GE port 2/1:
! Create the interfaces for the CoA and the MN access interface in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa loopback
[local]Redback(config-if)#ip address 20.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Create the contexts and tunnel interfaces for the HA peers (HA-VPN 1 and HA-VPN 2)
[local]Redback(config)#context ha-vpn1
! Create the interface for the IP-in-IP tunnel endpoint for the HA peer 1
[local]Redback(config-ctx)#interface toHApeer1
! Use the CoA IP address for the interface
[local]Redback(config-if)#ip address 20.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context ha-vpn2
! Create the interface for the IP-in-IP tunnel endpoint for the HA peer 2
[local]Redback(config-ctx)#interface toHApeer2
! Use the CoA IP address for the interface
[local]Redback(config-if)#ip address 20.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Enable the local context and the MN access interface for Mobile IP visitors
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#exit
! Create the foreign agent and specify the care-of interface
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa
! Create the first home-agent peer and specify its context
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn1
[local]Redback(config-mip-hapeer)#exit
! Create the second home-agent peer and specify its context
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.2
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn2
[local]Redback(config-mip-hapeer)#end
! Configure the GE port for MN traffic and bind it to the MN access interface;
! configure the GE ports toward the HA peers and bind them to the tunnel interfaces
[local]Redback#config
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface mn-access local
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 2/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toHApeer1 ha-vpn1
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 2/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toHApeer2 ha-vpn2
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnels to the HA peers
! Bind them to their interfaces in the HA peer VPN contexts
! Create the IP-in-IP tunnel to the HA-1 peer, using the CoA for the local end
[local]Redback(config)#tunnel ipip HApeer1Tnl
[local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HA-VPN 1 peer
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.1 context local
[local]Redback(config-tunnel)#bind interface toHApeer1 ha-vpn1
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
! Create the IP-in-IP tunnel to the HA-2 peer; use the CoA for the local end
[local]Redback(config)#tunnel ipip HApeer2Tnl
[local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HA-VPN 2 peer
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.2 context local
[local]Redback(config-tunnel)#bind interface toHApeer2 ha-vpn2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure Mobile IP FA
features. The commands are presented in alphabetical order:
advertise max-interval
advertise max-lifetime
advertise min-interval
advertise tunnel-type
authentication
care-of-address
clear-df (dynamic tunnel)
dynamic-tunnel-profile
foreign-agent
forwarding scheme
forwarding traffic
gre mtu
hold-time
home-agent-peer
interface
ipip mtu
llc-xid-processing
max-pending-registrations
registration max-lifetime
revocation
router mobile-ip
shutdown
time-out
vpn-context
advertise max-interval
advertise max-interval max-int
no advertise max-interval max-int
Purpose
Specifies the maximum interval between advertisement messages sent by the foreign-agent (FA) instance
to the mobile nodes (MNs).
Command Mode
Mobile IP interface configuration
Syntax Description
max-int   Maximum interval (in seconds) between advertisement messages. The range of values is 4 to 1800 seconds; the default value is 600 seconds (10 minutes).
Default
The maximum interval between advertisement messages is 600 seconds.
Usage Guidelines
Use the advertise max-interval command to specify the maximum interval between advertisement messages
sent by the FA instance or HA instance to the mobile nodes.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 300 seconds as the maximum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-interval 300
Related Commands
advertise max-lifetime
advertise min-interval
interface
advertise max-lifetime
advertise max-lifetime max-life
no advertise max-lifetime max-life
Purpose
Specifies the maximum amount of time that an advertisement message sent by the foreign-agent (FA)
instance to the mobile node (MN) is valid in the absence of further advertisement messages.
Command Mode
Mobile IP interface configuration
Syntax Description
max-life   Amount of time (in seconds) that an advertisement message is valid in the absence of further advertisement messages. The minimum value equals the value of the max-int argument set by the advertise max-interval command (in Mobile IP interface configuration mode); the maximum value is 9000 seconds (150 minutes). The default value is three times the value of the max-int argument set by the advertise max-interval command.
Default
The maximum advertisement lifetime is three times the value of the max-int argument set by the advertise
max-interval command.
Usage Guidelines
Use the advertise max-lifetime command to specify the maximum amount of time that an advertisement
message sent by the FA instance or HA instance to the mobile node is valid in the absence of further
advertisement messages.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 900 seconds as the maximum lifetime of an advertisement message:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-lifetime 900
Related Commands
advertise max-interval
advertise min-interval
interface
advertise min-interval
advertise min-interval min-int
no advertise min-interval min-int
Purpose
Specifies the minimum interval between advertisement messages sent by the foreign-agent (FA) instance
to the mobile node (MN).
Command Mode
Mobile IP interface configuration
Syntax Description
min-int: Minimum interval (in seconds) between advertisement messages. The range of values is 3 to 1800 seconds; the default value is 0.75 times the value of the max-int argument for the advertise max-interval command (in Mobile IP interface configuration mode).
Default
The minimum advertisement interval is 0.75 times the value of the max-int argument for the advertise max-interval command.
Usage Guidelines
Use the advertise min-interval command to specify the minimum interval between advertisement messages sent by the FA instance or HA instance to the mobile node.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 200 seconds as the minimum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise min-interval 200
Related Commands
advertise max-interval
advertise max-lifetime
interface
advertise tunnel-type
advertise tunnel-type gre
no advertise tunnel-type gre
Purpose
Advertises Generic Routing Encapsulation (GRE) tunnel types sent by the foreign-agent (FA) instance to
mobile nodes (MNs).
Command Mode
FA configuration
Syntax Description
gre: Specifies that Generic Routing Encapsulation (GRE) tunnels are advertised to mobile nodes.
Default
IP-in-IP tunnels are advertised implicitly; no GRE tunnel types are advertised.
Usage Guidelines
Use the advertise tunnel-type command to advertise GRE tunnel types in the mobility agent advertisement extension in the ICMP Router Advertisement (RA) message.
Use the no form of this command to specify the default condition.
Examples
The following example advertises the GRE tunnel type:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#advertise tunnel-type gre
Related Commands
interface
authentication
authentication hmac-md5 {key-chain-name | dynamic-key wimax proprietary}
no authentication hmac-md5
Purpose
Configures authentication between this foreign-agent (FA) instance and all its home-agent (HA) peers or
between this FA instance and a specific HA peer.
Command Mode
FA configuration
HA peer configuration
Syntax Description
hmac-md5: Specifies the Hash-based Message Authentication Code (HMAC)-Message Digest 5 (MD5) algorithm.
key-chain-name: Name of an existing key chain, which you must have configured in the context in which you have configured the HA peer.
dynamic-key wimax proprietary: Specifies to use the Motorola FA-HA key Vendor Specific Attribute (VSA) for FA-HA authentication. The Motorola FA-HA-Key VSA ID is 26/161/67. The Motorola WiMax solution provides this VSA to the FA. For more information about supported WiMax attributes, see Table A-22 in Appendix A, RADIUS Attributes.
Default
No authentication is configured for any FA instance or HA peer.
Usage Guidelines
Use the authentication command to configure authentication between this FA instance and its HA peers or between this FA instance and a specific HA peer.
In FA configuration mode, this command configures the default authentication between the FA instance and all its HA peers; in HA peer configuration mode, this command configures the authentication between the FA instance and the relevant HA peer.
Use the no form of this command to remove the authentication configuration for this FA instance or HA peer.
Examples
The following example configures the key-ha key chain for key 100 and a security parameter index (SPI) of 256 for incoming traffic, and then specifies it when configuring the default authentication between an FA instance and its HA peers:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#key-chain key-ha key-id 100
[local]Redback(config-key-chain)#spi 256
[local]Redback(config-key-chain)#key-string hex 0xfeedaceedeadbeef
[local]Redback(config-key-chain)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#authentication hmac-md5 key-ha
The following example configures dynamic keys between an FA instance and its HA peers:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#authentication hmac-md5 dynamic-key wimax proprietary
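As an added example (not from this guide or the SmartEdge OS), the following Python shows what the hmac-md5 key chain above is used for: it builds and verifies the RFC 3344 FA-HA Authentication Extension on a Mobile IPv4 Registration Request, selecting the key by SPI 256 with the key-string 0xfeedaceedeadbeef from the example. The message layout and HMAC coverage are taken from RFC 3344; the addresses, lifetime and identification are constructed, and all function names are my own.

```python
"""Added example, not part of the SmartEdge OS guide: build and verify the
RFC 3344 FA-HA Authentication Extension (HMAC-MD5) on a Mobile IPv4
Registration Request, keyed by SPI the way the 'authentication hmac-md5'
key chain is.
"""
import hashlib
import hmac
import struct

REG_REQUEST_TYPE = 1          # RFC 3344 Registration Request
REG_REQUEST_LEN = 24          # type, flags, lifetime, home, HA, CoA, identification
FA_HA_AUTH_EXT_TYPE = 34      # RFC 3344 Section 3.5.4
AUTHENTICATOR_LEN = 16        # HMAC-MD5 output length

# Key chain from the guide's example: spi 256, key-string hex 0xfeedaceedeadbeef.
KEY_CHAIN = {256: bytes.fromhex("feedaceedeadbeef")}


def build_registration_request(home, home_agent, care_of, lifetime, identification):
    """Constructed Registration Request with no flag bits set (4-byte addresses)."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, 0, lifetime,
                       home, home_agent, care_of, identification)


def fa_ha_authenticator(key, message, prior_extensions, spi):
    """RFC 3344 3.5.1: HMAC-MD5 over the UDP payload, all prior extensions, and
    the Type, Length and SPI fields of the authentication extension itself."""
    header = struct.pack("!BBI", FA_HA_AUTH_EXT_TYPE, 4 + AUTHENTICATOR_LEN, spi)
    return hmac.new(key, message + prior_extensions + header, hashlib.md5).digest()


def append_fa_ha_auth(message, prior_extensions, spi, key):
    """What the FA does before relaying the request to its HA peer."""
    header = struct.pack("!BBI", FA_HA_AUTH_EXT_TYPE, 4 + AUTHENTICATOR_LEN, spi)
    auth = fa_ha_authenticator(key, message, prior_extensions, spi)
    return message + prior_extensions + header + auth


def verify_fa_ha_auth(packet, key_chain):
    """What the receiving peer does: walk the extensions, pick the key by SPI,
    recompute the HMAC and compare in constant time. Returns (ok, reason)."""
    if len(packet) < REG_REQUEST_LEN or packet[0] != REG_REQUEST_TYPE:
        return False, "not a registration request"
    message, ext = packet[:REG_REQUEST_LEN], packet[REG_REQUEST_LEN:]
    offset = 0
    while offset + 2 <= len(ext):
        etype, elen = ext[offset], ext[offset + 1]
        if etype != FA_HA_AUTH_EXT_TYPE:
            offset += 2 + elen          # skip other type/length/value extensions
            continue
        if elen != 4 + AUTHENTICATOR_LEN or offset + 2 + elen > len(ext):
            return False, "malformed FA-HA authentication extension"
        spi = struct.unpack("!I", ext[offset + 2:offset + 6])[0]
        received = ext[offset + 6:offset + 2 + elen]
        key = key_chain.get(spi)
        if key is None:
            return False, f"no key for SPI {spi}"
        expected = fa_ha_authenticator(key, message, ext[:offset], spi)
        if not hmac.compare_digest(expected, received):
            return False, "authenticator mismatch"
        return True, "ok"
    return False, "FA-HA authentication extension missing"


def demo():
    """Constructed request protected with SPI 256, then altered in transit."""
    req = build_registration_request(bytes([10, 1, 1, 5]), bytes([172, 16, 2, 1]),
                                     bytes([192, 0, 2, 7]), 1800, 0x0000000100000002)
    packet = append_fa_ha_auth(req, b"", 256, KEY_CHAIN[256])
    good = verify_fa_ha_auth(packet, KEY_CHAIN)
    # Change the lifetime field (bytes 2-3): the authenticator no longer matches.
    tampered = packet[:2] + b"\xff\xff" + packet[4:]
    bad = verify_fa_ha_auth(tampered, KEY_CHAIN)
    unknown = verify_fa_ha_auth(packet, {})     # peer has no key chain for SPI 256
    return good, bad, unknown


if __name__ == "__main__":
    print(demo())
```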
Related Commands
foreign-agent
home-agent-peer
key-chain
spi
care-of-address
care-of-address if-name [ctx-name]
no care-of-address if-name [ctx-name]
Purpose
Specifies the interface used for the care-of-address (CoA) advertised by this foreign-agent (FA) instance.
Command Mode
FA configuration
Syntax Description
if-name: Name of the interface for the CoA.
ctx-name: Optional. Context name in which the interface exists. If the interface exists in a context other than the one you are currently in, you must specify the context name.
Default
The interface used for the CoA is not specified in advertisement messages.
Usage Guidelines
Use the care-of-address command to specify the interface used for the CoA advertised by this FA instance. Enter this command multiple times to specify multiple CoA interfaces. This command specifies an existing interface as the CoA interface; you must first create that interface using the interface command (in context configuration mode).
Use the no form of this command to specify the default condition.
Examples
The following example creates the coa interface in the local context and specifies it as the CoA interface for the FA instance:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa local
Related Commands
foreign-agent
clear-df (dynamic tunnel)
clear-df
{no | default}clear-df
Purpose
Clears the IP header Don't Fragment (DF) flag in all packets that are transmitted on an IP-in-IP or a Generic Routing Encapsulation (GRE) tunnel.
Command Mode
Dynamic Tunnel Profile
Syntax Description
This command has no keywords or arguments.
Default
The IP header DF flag is not cleared.
Usage Guidelines
Use the clear-df command to clear the IP header DF flag in all packets that are transmitted on an IP-in-IP
or a GRE tunnel. If the IP packet length exceeds the tunnel interface maximum transmission unit (MTU),
the packet is fragmented.
Use the no or default form of this command to honor the DF flag in inbound packets.
Examples
The following example shows how to specify that the DF flag in all transmitted packets be cleared in the
GRE and IP-in-IP tunnels:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
dynamic-tunnel-profile
gre mtu
hold-time
ipip mtu
time-out
dynamic-tunnel-profile
dynamic-tunnel-profile profile
no dynamic-tunnel-profile profile
Purpose
In Mobile IP configuration mode, creates a dynamic tunnel profile and enters Dynamic Tunnel Profile
configuration mode.
In Foreign Agent configuration mode, applies the dynamic tunnel profile to an FA instance.
In HA peer configuration mode, applies a dynamic tunnel profile to an HA peer.
Command Mode
Mobile IP configuration
Foreign Agent configuration
HA peer configuration
Syntax Description
profile: Name of the dynamic tunnel profile.
Default
The following are the defaults for the dynamic tunnel profile:
clear-df: Disabled.
gre mtu mtu: 1468 bytes
hold-time seconds: 30 seconds
ipip mtu mtu: 1480 bytes
time-out seconds: 3 seconds
Usage Guidelines
Use the dynamic-tunnel-profile command in Mobile IP configuration mode to create a dynamic tunnel profile and enter Dynamic Tunnel Profile configuration mode. Dynamic Tunnel Profile configuration mode allows you to configure dynamic tunnel profile attributes.
Use the dynamic-tunnel-profile command in Foreign Agent configuration mode to apply a dynamic tunnel profile to a foreign-agent instance.
Use the dynamic-tunnel-profile command in HA peer configuration mode to apply a dynamic tunnel profile to a home-agent peer.
Configured static tunnels take precedence over dynamic tunnels. If a dynamic tunnel profile is not applied to an HA peer, the peer inherits the dynamic tunnel profile specified in the FA instance. If there is no profile configured in this mode, the HA peer inherits the default dynamic tunnel profile values. If you delete a referenced dynamic tunnel profile, the references to this profile are also deleted by the FA instance and HA peer. When these references are deleted, the FA instance and HA peers use the default dynamic tunnel profile values. For information about applying a dynamic tunnel profile to an HA instance or FA peer, see the dynamic-tunnel-profile section on page 8-12.
Use the no form of this command to delete a dynamic tunnel profile.
Examples
The following example creates a last resort interface and a dynamic tunnel profile, prof1 (in Dynamic Tunnel Profile configuration mode), and then applies the profile to an FA instance:
! Create a dynamic tunnel profile.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Apply dynamic tunnel profile prof1 to the FA instance.
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#dynamic-tunnel-profile prof1
! Create a last resort interface with an IP unnumbered interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
Note: You must configure a last-resort interface within the same context (FA context or VPN context) to use a dynamic tunnel profile. The last-resort interface must borrow an IP address using an unnumbered interface. For information about configuring last resort interfaces, see the Basic System Configuration Guide.
The following example creates a last resort interface and two dynamic tunnel profiles, prof1 and prof2, and then applies profile prof1 to an FA instance and profile prof2 to the HA peer 1.1.1.2. HA peer 3.1.1.2 inherits the dynamic tunnel profile prof1 specified in FA configuration mode because no dynamic tunnel profile is applied at the HA peer level:
! Create dynamic tunnel profile prof1.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create dynamic tunnel profile prof2.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 120
[local]Redback(config-mip-dyn-tun1-profile)#time-out 8
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1000
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create a last resort interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
! Apply the dynamic tunnel profile to the FA instance.
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#dynamic-tunnel-profile prof1
[local]Redback(config-fa)#tunnel-type gre
[local]Redback(config-fa)#authentication none
[local]Redback(config-fa)#local-address to_fa
! Apply the dynamic tunnel profile to the HA peer 1.1.1.2.
[local]Redback(config-mip-fa)#home-agent-peer 1.1.1.2
[local]Redback(config-mip-fa-hapeer)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-fa-hapeer)#end
! HA peer 3.1.1.2 inherits dynamic tunnel profile prof1 (used by the FA instance) since no dynamic profile is configured in HA peer configuration mode.
[local]Redback(config-mip-fa)#home-agent-peer 3.1.1.2
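As an added example (not SmartEdge OS code), the Python model below encodes the resolution rules stated in the Usage Guidelines: an HA peer uses its own dynamic tunnel profile if one is applied, otherwise the FA instance's profile, otherwise the built-in defaults; deleting a referenced profile drops the references; and the tunnel MTU in effect is the lesser of the profile's MTU and the bound interface MTU, as described under gre mtu and ipip mtu. It reproduces prof1, prof2 and the two HA peers from the example above; the class and function names are my own.

```python
"""Added example, not from the guide: a model of how an FA instance and its HA
peers resolve the dynamic tunnel profile in effect."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Ranges quoted for 'gre mtu' (256..1468) and 'ipip mtu' (256..1480).
MTU_RANGE = {"gre": (256, 1468), "ipip": (256, 1480)}


@dataclass
class TunnelProfile:
    """Dynamic Tunnel Profile attributes with the guide's default values."""
    name: str
    clear_df: bool = False
    gre_mtu: int = 1468
    hold_time: int = 30
    ipip_mtu: int = 1480
    time_out: int = 3

    def set_mtu(self, kind: str, size: int) -> None:
        """'gre mtu' / 'ipip mtu' with the documented range check."""
        low, high = MTU_RANGE[kind]
        if not low <= size <= high:
            raise ValueError(f"{kind} mtu {size} outside {low}..{high}")
        setattr(self, f"{kind}_mtu", size)


@dataclass
class ForeignAgent:
    """One FA instance per context; each HA peer maps to an optional profile name."""
    profiles: Dict[str, TunnelProfile] = field(default_factory=dict)
    profile_ref: Optional[str] = None               # FA-level dynamic-tunnel-profile
    ha_peers: Dict[str, Optional[str]] = field(default_factory=dict)

    def add_profile(self, profile: TunnelProfile) -> None:
        self.profiles[profile.name] = profile

    def apply_to_fa(self, name: str) -> None:
        self.profile_ref = self._checked(name)

    def apply_to_peer(self, peer_ip: str, name: Optional[str]) -> None:
        self.ha_peers[peer_ip] = self._checked(name) if name else None

    def _checked(self, name: str) -> str:
        if name not in self.profiles:
            raise KeyError(f"dynamic tunnel profile {name} does not exist")
        return name

    def effective_profile(self, peer_ip: Optional[str] = None) -> TunnelProfile:
        """Peer-level profile, else the FA-level profile, else built-in defaults."""
        ref = self.ha_peers.get(peer_ip) if peer_ip is not None else None
        if ref is None:
            ref = self.profile_ref
        return self.profiles[ref] if ref is not None else TunnelProfile("default")

    def delete_profile(self, name: str) -> None:
        """'no dynamic-tunnel-profile': references held by the FA instance and
        HA peers are deleted too, so they fall back to the default values."""
        del self.profiles[name]
        if self.profile_ref == name:
            self.profile_ref = None
        for peer_ip, ref in self.ha_peers.items():
            if ref == name:
                self.ha_peers[peer_ip] = None


def effective_mtu(profile: TunnelProfile, kind: str, interface_mtu: int) -> int:
    """Tunnel MTU is the lesser of the configured MTU and the bound interface MTU."""
    return min(getattr(profile, f"{kind}_mtu"), interface_mtu)


def guide_scenario() -> ForeignAgent:
    """prof1 on the FA, prof2 on HA peer 1.1.1.2, nothing on HA peer 3.1.1.2."""
    fa = ForeignAgent()
    prof1 = TunnelProfile("prof1", clear_df=True, hold_time=10, time_out=10)
    prof1.set_mtu("ipip", 1200)
    prof2 = TunnelProfile("prof2", clear_df=True, hold_time=120, time_out=8)
    prof2.set_mtu("ipip", 1000)
    fa.add_profile(prof1)
    fa.add_profile(prof2)
    fa.apply_to_fa("prof1")
    fa.apply_to_peer("1.1.1.2", "prof2")
    fa.apply_to_peer("3.1.1.2", None)
    return fa


if __name__ == "__main__":
    fa = guide_scenario()
    for peer in ("1.1.1.2", "3.1.1.2"):
        p = fa.effective_profile(peer)
        print(peer, p.name, "ipip mtu in effect:", effective_mtu(p, "ipip", 1500))
    fa.delete_profile("prof1")
    print("after deleting prof1:", fa.effective_profile("3.1.1.2").name)
```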
Related Commands
clear-df (dynamic tunnel)
foreign-agent
gre mtu
hold-time
home-agent-peer
ipip mtu
time-out
foreign-agent
foreign-agent
no foreign-agent
Purpose
Creates or selects a foreign-agent (FA) instance in this context and accesses FA configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
This command has no keywords or arguments.
Default
No FAs are created.
Usage Guidelines
Use the foreign-agent command to create or select an FA instance in this context and access FA
configuration mode. You can only create one FA instance in a context. You can also apply a dynamic tunnel
profile.
Use the no form of this command to delete the FA instance in this context.
Examples
The following example creates an FA instance in the f a context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#
Related Commands
care-of-address
dynamic-tunnel-profile
home-agent-peer
interface
shutdown
forwarding scheme
forwarding scheme {source-mac}
{no | default} forwarding scheme
Purpose
Specifies how the IP route used for packet forwarding for a mobile node (MN) is determined.
Command Mode
FA configuration
Syntax Description
source-mac: Use the source medium access control (MAC) address to look up the IP route.
Default
The forwarding scheme uses the source MAC address.
Usage Guidelines
Use the forwarding scheme command to specify the means by which the IP route used for packet forwarding for an MN is determined.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies forwarding based on the source MAC address:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#forwarding scheme source-mac
Related Commands
foreign-agent
forwarding traffic
forwarding traffic routed-ip
no forwarding traffic routed-ip
Purpose
Enables the forwarding of non-Mobile IP traffic for this foreign-agent (FA) instance.
Command Mode
FA configuration
Syntax Description
routed-ip: Forward routed IP (non-Mobile IP) traffic.
Default
Routing of non-Mobile IP traffic is enabled.
Usage Guidelines
Use the forwarding traffic command to enable the forwarding of non-Mobile IP traffic for this foreign-agent (FA) instance. Non-Mobile IP traffic is routed IP traffic received on an interface that is enabled for Mobile IP services.
Use the no form of this command to disable the forwarding of non-Mobile IP traffic.
Examples
The following example disables the forwarding of non-Mobile IP traffic:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#no forwarding traffic routed-ip
Related Commands
foreign-agent
gre mtu
gre mtu bytes
no gre mtu
Purpose
Sets the Maximum Transmission Unit (MTU) for packets sent on GRE tunnels.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
bytes: MTU size in bytes. The range of values is 256 through 1468 bytes.
Default
1468 bytes
Usage Guidelines
Use the gre mtu command to set the MTU for packets sent in GRE tunnels. If an IP packet exceeds the MTU, the system fragments that packet.
A tunnel uses the MTU size for the interface to which the tunnel is bound to compute the tunnel MTU size, unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel, the system determines the effective MTU by comparing the configured MTU with the interface MTU and selecting the lesser of the two values.
Use the no form of this command to delete the configured MTU and use the interface MTU.
Examples
The following example shows how to set the maximum IP packet size for GRE tunnels for prof1 to 1200 bytes:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#gre mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
hold-time
ipip mtu
time-out
hold-time
hold-time seconds
{no | default} hold-time
Purpose
Specifies the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
seconds: Number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors. The range of values is 0 through 3600 seconds.
Default
30 seconds
Usage Guidelines
Use the hold-time command to specify the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors.
Use the no or default form of this command to restore the setting to its default value of 30 seconds.
Examples
The following example shows how to set the router to wait 10 seconds before it brings down a dynamic tunnel that has no active bindings or visitors for prof1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
ipip mtu
time-out
home-agent-peer
home-agent-peer ip-addr
no home-agent-peer ip-addr
Purpose
Creates or selects a home-agent (HA) peer for this foreign-agent (FA) instance and accesses HA peer
configuration mode.
Command Mode
FA configuration
Syntax Description
ip-addr: IP address for this HA peer.
Default
No HA peers are created.
Usage Guidelines
Use the home-agent-peer command to create or select an HA peer for this FA instance and access HA peer configuration mode. If a Mobile IP registration is received for an HA peer that is not configured, one is created dynamically. FA and HA authentication and dynamic tunnel configuration are inherited from the FA instance.
Use the no form of this command to delete the HA peer with the specified IP address.
Examples
The following example creates an HA peer with IP address 172.16.2.1 for the FA instance in the fa context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-fa-hapeer)#
Related Commands
max-pending-registrations
shutdown
vpn-context
interface
interface if-name
no interface if-name
Purpose
Selects an existing interface, enables it for Mobile IP services, and accesses Mobile IP interface
configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
if-name: Name of an existing interface.
Default
None
Usage Guidelines
Use the interface command to select an existing interface, enable it for Mobile IP services, and access Mobile IP interface configuration mode. Use this command to specify the interfaces supporting IPv4 Mobility as defined in RFC 3344, IP Mobility Support for IPv4.
Use the no form of this command to disable the interface for Mobile IP services.
Examples
The following example creates the mn-access interface in the fa context, selects it, and accesses Mobile IP interface configuration mode:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#
Related Commands
advertise max-interval
registration max-lifetime
shutdown
ipip mtu
ipip mtu bytes
no ipip mtu
Purpose
Sets the Maximum Transmission Unit (MTU) for packets sent on IP-in-IP tunnels.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
bytes: MTU size in bytes. The range of values is 256 through 1480 bytes.
Default
1480 bytes
Usage Guidelines
Use the ipip mtu command to set the MTU for packets sent in IP-in-IP tunnels. If an IP packet exceeds the MTU, the system fragments that packet.
A tunnel uses the MTU size for the interface to which the tunnel is bound to compute the tunnel MTU size, unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel, the system determines the effective MTU by comparing the configured MTU with the interface MTU and selecting the lesser of the two values.
Use the no form of this command to delete the configured MTU and use the interface MTU.
Examples
The following example shows how to set the maximum IP packet size for IP-in-IP tunnels for prof1 to 1200 bytes:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
hold-time
time-out
llc-xid-processing
llc-xid-processing
no llc-xid-processing
Purpose
Enables the SmartEdge OS to detect the access interface change of a mobile node (MN) based on logical
link control (LLC) exchange ID (XID) messages received on a circuit.
Command Mode
FA configuration
Syntax Description
This command has no keywords or arguments.
Default
The detection of access interface changes of an MN based on LLC XID messages received on a circuit is enabled.
Usage Guidelines
Use the llc-xid-processing command to enable the SmartEdge OS to detect the access interface changes of an MN based on LLC XID messages received on a circuit.
When XID processing is enabled, the SmartEdge OS uses the received LLC XID frame to change the access interface and circuit associated with the MN and transmits traffic to the MN over the new circuit. This feature allows for a quick traffic switchover if the relocation of an MN remains within the same FA instance.
If you disable XID processing, the SmartEdge OS must process a Mobile IP registration message on the new interface before the MN can be moved to a new access interface.
Use the no form of this command to disable LLC XID message processing.
Examples
The following example disables LLC XID message processing:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#no llc-xid-processing
Related Commands
foreign-agent
max-pending-registrations
max-pending-registrations maximum
no max-pending-registrations maximum
Purpose
Specifies the maximum number of pending registrations permitted for this home-agent (HA) peer.
Command Mode
HA peer configuration
Syntax Description
maximum: Maximum number of pending registrations permitted for this HA peer. The range of values is 1 to 65535.
Default
Pending registrations are unlimited.
Usage Guidelines
Use the max-pending-registrations command to specify the maximum number of pending registrations permitted for this HA peer.
Use the no form of this command to specify the default condition.
Examples
The following example specifies that a maximum of 10 pending registrations are permitted for this HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 10.1.1.1
[local]Redback(config-mip-ha-peer)#max-pending-registrations 10
Related Commands
home-agent-peer
foreign-agent
registration max-lifetime
registration max-lifetime seconds
no registration max-lifetime
Purpose
Specifies the maximum lifetime registration for any mobile node (MN) that uses this foreign agent (FA)
instance.
Command Mode
Mobile IP interface configuration
Syntax Description
seconds: Maximum lifetime registration. The range of values is 1 to 65535 seconds. The default value is 1800 seconds (30 minutes).
Default
The maximum lifetime registration is 1800 seconds (30 minutes).
Usage Guidelines
Use the registration max-lifetime command to specify the maximum lifetime registration for any MN that uses this FA instance.
Use the no form of this command to specify the default condition.
Examples
The following example specifies a maximum registration lifetime of 60 minutes (3600 seconds) with the FA instance in this context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#registration max-lifetime 3600
Related Commands
interface
revocation
revocation [mobile-notify condition] [timeout seconds] [retransmit num]
no revocation [mobile-notify condition] [timeout seconds] [retransmit num]
Purpose
Configures registration revocation for this foreign agent (FA) instance.
Command Mode
FA configuration
Syntax Description
mobile-notify condition: Optional. Specifies the conditions for which the SmartEdge OS notifies mobile nodes (MNs) that their Mobile IP service has been revoked, according to one of the following keywords:
always: Always notify the MNs.
never: Never notify the MNs.
home-dictate: Notify the MNs based on the home-agent (HA) preference specified by the setting of the I-bit in received registration revocation requests and replies. This is the default.
timeout seconds: Number of seconds between registration revocation messages. The range of values is 1 to 100; the default value is 7.
retransmit num: Number of times the SmartEdge OS transmits registration revocation messages. The range of values is 1 to 100; the default value is 3.
Default
Registration revocation is not configured for any FA instance.
Usage Guidelines
Use the revocation command to configure registration revocation for this FA instance. For more information, see RFC 3543, Registration Revocation in Mobile IPv4.
Use the no form of this command to remove registration revocation from the configuration for this FA instance.
Examples
The following example configures this FA instance to always notify the MNs when service is revoked:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#revocation mobile-notify always
Related Commands
foreign-agent
router mobile-ip
router mobile-ip
no router mobile-ip
Purpose
Enables Mobile IP services in this context and accesses Mobile IP configuration mode.
Command Mode
Context configuration
Syntax Description
This command has no keywords or arguments.
Default
Mobile IP services are not enabled in any context.
Usage Guidelines
Use the router mobile-ip command to enable Mobile IP services in this context and access Mobile IP
configuration mode.
Use the no form of this command to disable Mobile IP services in this context.
Examples
The following example enables Mobile IP services in the f a context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#
Related Commands
foreign-agent
home-agent-peer
interface
shutdown
shutdown
no shutdown
Purpose
Disables or enables the foreign-agent (FA) instance, home-agent (HA) peer, or mobile node (MN) access
to the SmartEdge router for an FA instance.
Command Mode
FA configuration
HA peer configuration
Mobile IP interface configuration
Syntax Description
This command has no keywords or arguments.
Default
All FA instances, HA peers, and Mobile IP interfaces are enabled.
Usage Guidelines
Use the shutdown command to disable the FA instance, the HA peer, or the MN interface for an FA
instance.
Use the no form of this command to enable the FA instance, the HA peer, or the MN interface for an FA
instance.
Examples
The following example disables an FA instance:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#shutdown
The following example disables an HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#shutdown
The following example disables the MN interface for an FA instance:
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#shutdown
Related Commands
foreign-agent
home-agent-peer
interface
time-out
time-out seconds
{no | default} timeout
Purpose
Specifies the number of seconds for the router to wait for a dynamic tunnel to be established before bringing
the current subscriber or visitor down.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
seconds  Number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down. The range of values is 2 through 10 seconds.
Default
3 seconds
Usage Guidelines
Use the time-out command to specify the number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down.
Use the no or default form of this command to restore the setting to its default value of 3 seconds.
Examples
The following example shows how to set the timeout for prof1 to 10 seconds:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
hold-time
ipip mtu
vpn-context
vpn-context ctx-name
no vpn-context ctx-name
Purpose
Specifies the context in which the IP-in-IP tunnel or Generic Routing Encapsulation (GRE) tunnel to this
home agent (HA) peer is terminated.
Command Mode
HA peer configuration
Syntax Description
ctx-name  Context in which the IP-in-IP tunnel or GRE tunnel to this HA peer is terminated and in which the IP routes are added for the mobile nodes (MNs) that are registered with this HA peer.
Default
None
Usage Guidelines
Use the vpn-context command to specify the context in which the IP-in-IP tunnel or GRE tunnel to this HA peer is terminated. The HA peers can share a context if they use public IP addresses or if their private IP addresses do not overlap. HA peers with overlapping private IP addresses must each have their own context.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the ha-vpn1 context for the MNs associated with this HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#ha-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn1
Related Commands
home-agent-peer
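The vpn-context guideline above (HA peers may share a context only if they use public addresses or their private address ranges do not overlap) is easy to violate when many peers are added over time. The following Python script is an added example for this guide, not SmartEdge OS code: it takes a planned list of HA peers, the private or public prefix each one's tunnel carries, and the vpn-context each is terminated in, and reports any pair of peers that share a context with overlapping RFC 1918 prefixes. The peer addresses, prefixes, and context names are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges; prefixes outside these are treated as public,
# which the guideline allows to share a context.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (assumption for this example, not a real deployment):
# each HA peer's tunnel address, the prefix routed through its tunnel, and the
# context given with "vpn-context" in HA peer configuration mode.
HA_PEERS = [
    {"peer": "172.16.2.1", "prefix": "172.16.0.0/16", "vpn_context": "ha-vpn1"},
    {"peer": "172.16.9.1", "prefix": "172.16.0.0/16", "vpn_context": "ha-vpn2"},
    {"peer": "10.20.0.1",  "prefix": "10.20.0.0/16",  "vpn_context": "ha-vpn1"},
    {"peer": "198.18.5.1", "prefix": "198.18.0.0/15", "vpn_context": "ha-vpn1"},
    {"peer": "10.20.7.1",  "prefix": "10.20.0.0/16",  "vpn_context": "ha-vpn1"},
]


def is_rfc1918(network):
    """True when the prefix lies entirely inside an RFC 1918 range."""
    return any(network.subnet_of(r) for r in RFC1918)


def find_context_conflicts(peers):
    """Return (context, peer_a, peer_b) for every pair of HA peers that are
    terminated in the same vpn-context and carry overlapping private prefixes.
    Public prefixes never conflict, matching the guideline's first clause."""
    by_ctx = defaultdict(list)
    for p in peers:
        net = ipaddress.ip_network(p["prefix"], strict=True)
        by_ctx[p["vpn_context"]].append((p["peer"], net))

    conflicts = []
    for ctx, entries in by_ctx.items():
        for i in range(len(entries)):
            for j in range(i + 1, len(entries)):
                (peer_a, net_a), (peer_b, net_b) = entries[i], entries[j]
                if is_rfc1918(net_a) and is_rfc1918(net_b) and net_a.overlaps(net_b):
                    conflicts.append((ctx, peer_a, peer_b))
    return conflicts


if __name__ == "__main__":
    for ctx, a, b in find_context_conflicts(HA_PEERS):
        print(f"{ctx}: HA peers {a} and {b} have overlapping private prefixes; "
              f"give one of them its own vpn-context")
```

The two 172.16.0.0/16 peers do not conflict because they are terminated in different contexts; the two 10.20.0.0/16 peers in ha-vpn1 do, and one of them needs a separate context.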
Chapter 8
Mobile IP Home Agent Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Mobile IP wireless services for home-agent (HA) instances on the SmartEdge router and their foreign-agent (FA) peers.
For information about the tasks and commands used to configure FA instances and their HA peers, see Chapter 7, Mobile IP Foreign Agent Configuration.
You configure IP-in-IP and, optionally, Generic Routing Encapsulation (GRE) tunnels on the SmartEdge router to support the connections from FA instances to their HA peers and from HA instances to their FA peers. For information about configuring the IP-in-IP and GRE tunnels, see the Single-Circuit Tunnel Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
For information about the tasks and commands used to monitor, administer, and troubleshoot Mobile IP services, see the Mobile IP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
For information about configuring Ethernet, Fast Ethernet-Gigabit Ethernet, and Gigabit Ethernet ports and circuits to support mobile subscribers, see the ATM, Ethernet, and POS Port Configuration and the Circuit Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note The terms FA instance and HA instance refer to the FAs and HAs, respectively, that you configure on the SmartEdge router.
The terms FA peer and HA peer refer to FAs and HAs that exist on other equipment in the network.
The term Mobile IP binding refers to the association between a mobile node (MN) and its HA instance on the SmartEdge router. The term visitor or visiting MN refers to the association between an MN and an FA instance when that MN is communicating with its HA through the FA instance on the SmartEdge router.
HA tunnels can be used with Mobile IP services and non-Mobile IP services traffic.
Overview
The following section provides an overview of Mobile IP services of the HA instance. This section includes
the following topics:
Traffic Flow
Deployment Scenarios
Supported Standards
Restrictions
Traffic Flow
Mobile IP services allow MNs to retain their IP addresses, and therefore maintain their existing IP sessions, when they roam across multiple networks.
Mobile IP consists of the following components:
MNs
HA instance
FA peer
The HA instance, a router on the MN home network, is the anchor component in the Mobile IP network that provides seamless mobility to the MN. When an MN is attached to its home network, it does not use Mobile IP services because it communicates directly using normal IP routing. When an MN is roaming and is not connected to its home network, its HA instance provides the following services:
Tracks the MN current point of attachment (POA) to the Internet.
Tunnels datagrams destined to the MN current POA. HA tunnels can be used with Mobile IP services
and non-Mobile IP services traffic.
Authenticates the MN (usually with the user ID and password) and verifies that IP Mobile services
should be provided. It optionally assigns the MN a home address (HoA) on its home network. When
the MN roams outside its home network, it retains its home address so that active IP sessions remain up.
Receives reverse-tunneled packets from the FA peer and forwards them based on the IP packet sent by
MN.
Mobile IP services enable the SmartEdge router to act as one or more HA instances. Each instance
communicates with its mobile subscribers (MNs). When an MN moves outside the network for the HA
instance, it connects to the HA instance through an FA peer, which then communicates with the HA
instance. Each HA instance has a local address that the system uses as the termination address for its MNs
and FA peers.
Mobile IP subscribers are assigned a home slot where their corresponding subscriber circuit is anchored for the purposes of accounting and other circuit-based features. When selecting a home slot, preference is given to the line card with the current HA-FA tunnel egress circuit. When a subscriber re-registers and the subscriber's home slot is not on the same line card as the tunnel egress, an attempt is made to re-optimize the subscriber's home slot.
In a typical deployment, MNs connect wirelessly to Base Transceiver Stations (BTSs), which connect to
the SmartEdge router FA peer through Ethernet. In this topology, each MN is represented by a separate
Ethernet circuit and MNs can move between BTSs. The FA instance communicates with a SmartEdge HA
instance through a tunnel endpoint (a local address of an HA instance). The SmartEdge router routes the
MN traffic to the FA peer using an IP-in-IP tunnel or GRE tunnel. Each FA peer uses a different tunnel.
Traffic for the MNs is routed from the HA instance to the FA peer using the same tunnel.
Figure 8-1 illustrates the physical network of MNs, BTS, FA peers, and an HA instance.
Figure 8-1 Physical network of MNs, BTS, FA peers, and an HA instance (figure not reproduced here).
Deployment Scenarios
The Mobile IP services implementation can use the SmartEdge OS multiple context support. For the HA,
all home addresses (HoAs) are allocated from the HA context address space. The HA local address
interfaces can be in the same context or in different contexts. This allows IP-in-IP or GRE tunnels to FA
peers to terminate in other contexts. For example, an FA peer tunnel could terminate in the local context
that is providing connectivity to the Internet backbone.
Note Because the tunnels described in this chapter each support a single tunnel circuit, the term tunnel refers to the tunnel and its circuit. For information about configuring the IP-in-IP and GRE tunnels, see the Single-Circuit Tunnel Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Restrictions
Mobile IP services has the following restrictions:
Mobile IP services is currently supported only for unicast traffic; broadcast and multicast traffic are not
supported.
Mobile IP services is supported only on PPA2 line cards. Do not have any PPA1-based line cards on the
chassis when enabling Mobile IP Services.
Supported Standards
Mobile IP services comply with the standards found in the following documents:
RFC 2794, Mobile IP Network Access Identifier Extension for IPv4
RFC 3024, Reverse Tunneling for Mobile IP, revised
RFC 3344, IP Mobility Support for IPv4
RFC 3543, Registration Revocation in Mobile IPv4
X.S0011-001-C v3.0, cdma2000 Wireless IP Network Standard: Introduction
Configuration Tasks
To configure HA Mobile IP features, perform the tasks described in the following sections:
Mobile IP Configuration Guidelines
Create the Contexts and Interfaces for Mobile IP Services
Configure a Key Chain for FA-HA Authentication
Configure an HA Instance
Configure an FA Peer
Configure an MN Subscriber
Configure AAA for MN Subscribers
Configure the Mobile IP Tunnels
Enable or Disable an HA Instance or FA Peer
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Mobile IP Configuration Guidelines
The following HA configuration guidelines apply when configuring Mobile IP services for an HA instance:
Within a given context, the SmartEdge router can act as an HA instance or an FA instance; it cannot
perform both roles. For information about configuring it as an FA instance, see Chapter 7, Mobile IP
Foreign Agent Configuration.
You must configure IP-in-IP tunnels to FA peers; optionally, you can configure and use GRE tunnels in
addition to the IP-in-IP tunnels.
Configure the tunnel to an FA peer in the HA context for that peer.
MNs do not connect directly with an HA instance; instead they reach that HA instance through its FA
peers. If the SmartEdge router is also acting as an FA instance (in another context), the MNs can connect
to that FA instance as described in Chapter 7, Mobile IP Foreign Agent Configuration.
To prevent Mobile IP tunnels from shutting down because of circuit problems, create the interfaces for
the IP-in-IP and GRE tunnels as loopback interfaces. Loopback interfaces are always up.
When using GRE tunnels to connect FA peers, a separate GRE tunnel is required for each FA peer. GRE
keys are not supported.
Create the Contexts and Interfaces for Mobile IP Services
To create the contexts and interfaces for Mobile IP services, perform the tasks described in Table 8-1. These contexts and interfaces are used in subsequent configuration tasks for the HA instances and FA peers.
Table 8-1 Create the Contexts and Interfaces for Mobile IP Services
1. Task: Optional. Create the context for the HA instance and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode. You can use the local context instead of performing this step.
2. Task: Create an interface for the FA peers to connect to the HA instance (using tunnels) using the HA local address, and access interface configuration mode.
   Root command: interface
   Notes: Enter this command in context configuration mode.
3. Task: Optional. Create an FA context for an FA peer and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode. You can use the HA instance context for all FA peers instead of performing this step.
Note For information about the context command (in global configuration mode) and the interface command (in context configuration mode), and the various commands to configure contexts and interfaces, see the Basic System Configuration Guide for the SmartEdge OS.
Configure a Key Chain for FA-HA Authentication
To configure key chain authentication for the FA and HA, perform the tasks described in Table 8-2. For more information about configuring key chains, see Chapter 24, Key Chain Configuration.
Table 8-2 Configure a Key Chain
1. Task: Select the context for the HA instance and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode.
2. Task: Create the key chain and access key chain configuration mode.
   Root command: key-chain
   Notes: Enter this command in context configuration mode.
3. Task: Configure a key string.
   Root command: key-string
   Notes: Enter this command in key chain configuration mode.
4. Task: Specify the security parameter index (SPI) for this key chain.
   Root command: spi
   Notes: Enter this command in key chain configuration mode.
Configure an HA Instance
To configure an HA instance, perform the tasks described in Table 8-3; enter all commands in HA configuration mode, unless otherwise noted.
Table 8-3 Configure an HA Instance
1. Task: Select the context for the HA instance and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode.
2. Task: Enable Mobile IP services in this context and access Mobile IP configuration mode.
   Root command: router mobile-ip
   Notes: Enter this command in context configuration mode.
3. Task: Create or select the HA instance and access HA configuration mode.
   Root command: home-agent
   Notes: Enter this command in Mobile IP configuration mode.
4. Task: Apply a dynamic tunnel profile to an HA instance.
   Root command: dynamic-tunnel-profile
   Notes: Enter this command in HA configuration mode.
5. Task: Specify the interface for the HA local address.
   Root command: local-address
   Notes: This is the interface that you created for the tunnels for this HA instance.
6. Task: Optional. Enable the optional tunnel type.
   Root command: tunnel-type
   Notes: The default is not to enable optional tunnel types.
7. Task: Optional. Configure the default authentication for this HA instance.
   Root command: authentication
   Notes: This is the default authentication for all FA peers for this HA instance.
8. Task: Optional. Configure the registration maximum lifetime for MN registrations using this HA instance.
   Root command: registration max-lifetime
   Notes: The default is 1800 seconds.
9. Task: Optional. Configure the tolerance for timestamp-based replay protection between an MN and its HA instance.
   Root command: replay-tolerance
   Notes: The default is 7 seconds.
10. Task: Optional. Configure registration revocation support for this HA instance.
    Root command: revocation
    Notes: The default is that registration revocation is not enabled.
Configure an FA Peer
To configure an FA peer, perform the tasks described in Table 8-4.
Table 8-4 Configure an FA Peer
1. Task: Select the context for the HA instance for this FA peer and access context configuration mode.
   Root command: context
   Notes: Enter this command in global configuration mode.
2. Task: Enable Mobile IP services in this context and access Mobile IP configuration mode.
   Root command: router mobile-ip
   Notes: Enter this command in context configuration mode.
3. Task: Select the HA instance for the FA peer and access HA configuration mode.
   Root command: home-agent
   Notes: Enter this command in Mobile IP configuration mode.
4. Task: Create or select the FA peer and access FA peer configuration mode.
   Root command: foreign-agent-peer
   Notes: Enter this command in HA configuration mode.
5. Task: Optional. Apply a dynamic tunnel profile to an FA peer.
   Root command: dynamic-tunnel-profile
   Notes: Enter this command in FA peer configuration mode. The dynamic tunnel profile is created in Mobile IP configuration and Dynamic Tunnel Profile configuration mode.
6. Task: Optional. Configure the authentication for the FA peer.
   Root command: authentication
   Notes: Enter this command in FA peer configuration mode. This authentication overrides the default authentication for all FA peers for this HA instance.
Configure an MN Subscriber
To configure an MN subscriber record, profile, or default profile, perform the task described in Table 8-5.
Table 8-5 Configure an MN Subscriber Record, Profile, or Default Profile
1. Task: Configure the subscriber record, profile, or default profile.
   Root command: subscriber
   Notes: For information about configuring subscribers and their attributes, see the Basic System Configuration Guide for the SmartEdge OS.
Configure AAA for MN Subscribers
You can configure authentication, authorization, and accounting (AAA) features and Remote Authentication Dial-In User Service (RADIUS) servers for MN subscribers. For information about configuring AAA features, see Chapter 20, AAA Configuration and Chapter 21, RADIUS Configuration, respectively.
Configure the Mobile IP Tunnels
You must configure an IP-in-IP tunnel to each FA peer. You can also configure a GRE tunnel to each FA peer. To configure the Mobile IP tunnels, perform the tasks described in Table 8-6.
Table 8-6 Configure the Mobile IP Tunnels
1. Task: Configure the IP-in-IP tunnels to the FA peers.
   Notes: For information about creating IP-in-IP tunnels and GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2. Task: Optional. Configure the GRE tunnels to the FA peers.
   Notes: For information about creating IP-in-IP tunnels and GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Enable or Disable an HA Instance or FA Peer
To enable or disable an HA instance or an FA peer, perform the task described in Table 8-7.
Table 8-7 Enable or Disable an FA, an HA Peer, or MN Access to the SmartEdge Router
Task: Optional. Disable or enable an HA instance or an FA peer.
Root command: shutdown
Notes: Enter this command in HA instance or FA peer interface configuration mode. Use the no form of this command to enable an HA instance or an FA peer.
Configuration Examples
The following example creates an IP-in-IP tunnel and the interfaces to support an HA instance and an FA peer, all in the local context. Traffic is carried on two Ethernet ports:
! Create the interfaces for the IP-in-IP tunnels to the FA peers and for the MNs
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface tun1
[local]Redback(config-if)#ip address 20.2.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface loc-addr
[local]Redback(config-if)#ip address 20.1.1.1/16
[local]Redback(config-if)#exit
! Enable the local context for Mobile IP services
[local]Redback(config-ctx)#router mobile-ip
! Create the home agent instance, specify the local address interface, and create a foreign agent peer
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#local-address loc-addr
[local]Redback(config-mip-ha)#foreign-agent-peer 20.1.1.2
[local]Redback(config-mip-ha-fapeer)#end
! Configure the Ethernet circuits (bind them to the MN access and local address interfaces)
[local]Redback#config
[local]Redback(config)#port ethernet 2/10
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface loc-addr local
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnel (bind it to the tunnel interface in the local context)
[local]Redback(config)#tunnel ipip tun1
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1 remote 20.1.1.2
[local]Redback(config-tunnel)#bind interface tun1 local
[local]Redback(config-tunnel)#end
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure HA instances
and their FA peers. The commands are presented in alphabetical order:
authentication
dynamic-tunnel-profile
foreign-agent-peer
home-agent
local-address
replay-tolerance
registration max-lifetime
revocation
router mobile-ip
shutdown
tunnel-type
authentication
authentication hmac-md5 {key-chain-name | dynamic-key wimax}
no authentication hmac-md5
Purpose
Configures authentication between this home agent (HA) instance and its foreign agent (FA) peers or
between the HA instance and a specific FA peer.
Command Mode
HA configuration
FA peer configuration
Syntax Description
hmac-md5  Specifies the Hash-based Message Authentication Code (HMAC)-Message Digest 5 (MD5) algorithm.
key-chain-name  Name of an existing key chain, which you must have configured in the context in which you have configured the HA instance or FA peer.
dynamic-key wimax  Specifies to dynamically compute FA-HA keys using the WiMAX AAA HA-RK-Key Vendor Specific Attribute (VSA). The WiMAX HA-RK-Key VSA ID is 26/24757/15. Configured static key chains take precedence over dynamic keys. For more information about supported WiMAX attributes, see the RADIUS Attributes Supported by Mobile IP Services section in Appendix A, RADIUS Attributes.
Default
No authentication is configured for any HA instance or FA peer.
Usage Guidelines
Use the authentication command to configure authentication between this HA instance and its FA peers or between the HA instance and a specific FA peer.
In HA configuration mode, this command configures the default authentication between the HA instance and all its FA peers; in FA peer configuration mode, this command configures the authentication specifically between the HA instance and the FA peer.
Use the no form of this command to remove the authentication configuration for this HA instance or FA peer.
Examples
The following example configures the key-ha key chain for key 100 and a security parameter index (SPI) of 256 for incoming traffic and then specifies it when configuring the default authentication between an HA instance and its FA peers:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#key-chain key-ha key-id 100
[local]Redback(config-key-chain)#spi 256
[local]Redback(config-key-chain)#key-string hex 0xfeedaceedeadbeef
[local]Redback(config-key-chain)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#authentication hmac-md5 key-ha
The following example configures dynamic keys between an HA instance and its FA peers:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#authentication hmac-md5 dynamic-key wimax
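What the key chain, SPI, and hmac-md5 setting above give the HA is a per-SPI shared key with which it verifies the Foreign-Home Authentication Extension on each registration request; together with the timestamp replay tolerance listed in Table 8-3 (default 7 seconds), this is the check that decides whether a registration from an FA peer is accepted. The following Python script is an added example written for this guide, not SmartEdge OS code: it builds an RFC 3344 registration request on the FA side, appends the Foreign-Home Authentication Extension (type 34) with an HMAC-MD5 authenticator, and then verifies it on the HA side by SPI lookup, constant-time authenticator comparison, and a timestamp check against the replay tolerance. The key chain (SPI 256, key 0xfeedaceedeadbeef) mirrors the example above; the addresses and timestamps are constructed sample values, and only the one-byte-length extension format is parsed (an assumption that keeps the example short).

```python
import hashlib
import hmac
import ipaddress
import struct
import time

REG_REQUEST_TYPE = 1
FA_HA_AUTH_EXT_TYPE = 34        # Foreign-Home Authentication Extension (RFC 3344 3.5.3)
HMAC_MD5_LEN = 16
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
DEFAULT_REPLAY_TOLERANCE = 7    # replay-tolerance default from Table 8-3, in seconds

# Constructed key chain: SPI -> key string, mirroring
#   key-chain key-ha key-id 100 / spi 256 / key-string hex 0xfeedaceedeadbeef
KEY_CHAIN = {256: bytes.fromhex("feedaceedeadbeef")}


def ntp_identification(unix_time):
    """64-bit Identification field: NTP seconds in the high 32 bits, zero fraction."""
    return (int(unix_time) + NTP_EPOCH_OFFSET) << 32


def build_registration_request(lifetime, home_addr, home_agent, coa, identification, flags=0):
    """Fixed 24-byte Registration Request header (RFC 3344 section 3.3)."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, flags, lifetime,
                       ipaddress.IPv4Address(home_addr).packed,
                       ipaddress.IPv4Address(home_agent).packed,
                       ipaddress.IPv4Address(coa).packed,
                       identification)


def fa_sign(payload, spi, key):
    """FA side: append the Foreign-Home Authentication Extension. The HMAC-MD5
    covers the payload, all prior extensions, and this extension's own
    Type, Length and SPI fields (RFC 3344 section 3.5.1)."""
    header = struct.pack("!BBI", FA_HA_AUTH_EXT_TYPE, 4 + HMAC_MD5_LEN, spi)
    mac = hmac.new(key, payload + header, hashlib.md5).digest()
    return payload + header + mac


class HomeAgent:
    """HA-side acceptance check: FA-HA authentication first, then replay protection."""

    def __init__(self, key_chain, replay_tolerance=DEFAULT_REPLAY_TOLERANCE):
        self.key_chain = key_chain
        self.replay_tolerance = replay_tolerance
        self.last_identification = {}   # home address (bytes) -> last accepted Identification

    def verify(self, message, now=None):
        now = time.time() if now is None else now
        if len(message) < 24 or message[0] != REG_REQUEST_TYPE:
            return False, "not a registration request"
        home_addr = message[4:8]
        identification = struct.unpack("!Q", message[16:24])[0]

        # Walk the extensions (Type, Length, Data) to find the FA-HA auth extension.
        offset = 24
        while offset + 2 <= len(message):
            ext_type, ext_len = message[offset], message[offset + 1]
            if ext_type == FA_HA_AUTH_EXT_TYPE:
                break
            offset += 2 + ext_len
        else:
            return False, "missing FA-HA authentication extension"
        if ext_len != 4 + HMAC_MD5_LEN or offset + 2 + ext_len > len(message):
            return False, "malformed authentication extension"

        # The SPI selects the key, exactly as the key chain's spi command does.
        spi = struct.unpack("!I", message[offset + 2:offset + 6])[0]
        key = self.key_chain.get(spi)
        if key is None:
            return False, f"unknown SPI {spi}"
        covered = message[:offset + 6]
        expected = hmac.new(key, covered, hashlib.md5).digest()
        received = message[offset + 6:offset + 6 + HMAC_MD5_LEN]
        if not hmac.compare_digest(expected, received):
            return False, "authenticator mismatch"

        # Timestamp replay protection (RFC 3344 section 5.7): the Identification
        # must be within the tolerance of the HA clock and newer than the last one.
        ts = (identification >> 32) - NTP_EPOCH_OFFSET
        if abs(ts - now) > self.replay_tolerance:
            return False, "identification outside replay tolerance"
        if identification <= self.last_identification.get(home_addr, 0):
            return False, "replayed identification"
        self.last_identification[home_addr] = identification
        return True, "accepted"


if __name__ == "__main__":
    t0 = 1_700_000_000
    req = build_registration_request(1800, "10.1.5.7", "10.1.1.2", "20.1.1.2",
                                     ntp_identification(t0))
    ha = HomeAgent(KEY_CHAIN)
    print(ha.verify(fa_sign(req, 256, KEY_CHAIN[256]), now=t0 + 3))
```

The order of the checks matters: the authenticator is verified before any per-MN state is consulted or updated, so an unauthenticated sender cannot advance or poison the stored Identification for a home address.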
Related Commands
home-agent
foreign-agent-peer
key-chain
spi
dynamic-tunnel-profile
dynamic-tunnel-profile profile
no dynamic-tunnel-profile profile
Purpose
In Home Agent configuration mode, applies a dynamic tunnel profile to a home-agent (HA) instance.
In FA Peer configuration mode, applies a dynamic tunnel profile to a foreign-agent (FA) peer.
Command Mode
Home Agent configuration
FA Peer configuration
Syntax Description
profile  Name of the dynamic tunnel profile.
Default
The following are the defaults for the dynamic tunnel profile:
clear-df: disabled
gre mtu mtu: 1468 bytes
hold-time seconds: 30 seconds
ipip mtu mtu: 1480 bytes
time-out seconds: 3 seconds
Usage Guidelines
Use the dynamic-tunnel-profile command (in Home Agent configuration mode) to apply a dynamic tunnel profile to an HA instance.
Use the dynamic-tunnel-profile command (in FA Peer configuration mode) to apply a dynamic tunnel profile to an FA peer.
You first create a dynamic tunnel profile (in Mobile IP configuration mode) and configure its attributes (in Dynamic Tunnel Profile configuration mode). You then apply the profile to the HA instance (in Home Agent configuration mode) and its FA peers (in FA Peer configuration mode). Configured static tunnels take precedence over dynamic tunnels. When the dynamic tunnel profile is not applied to an FA peer, the peer inherits the profile specified in HA configuration mode. If you delete a referenced dynamic tunnel profile, the references to this profile are also deleted for the HA instance and FA peers. When this happens, the HA instance and FA peers use the default dynamic tunnel profile values. For information about how to create a dynamic tunnel profile, see the dynamic-tunnel-profile section on page 7-24.
Use the no form of this command to delete the dynamic tunneling profile.
Examples
The following example creates a last-resort interface and two dynamic tunnel profiles (prof1 and prof2), and then applies these profiles to an HA instance and an FA peer:
! Create dynamic tunnel profile prof1.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create dynamic tunnel profile prof2
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 120
[local]Redback(config-mip-dyn-tun1-profile)#time-out 8
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1000
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create last resort interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
! Apply dynamic tunnel profile prof1 to HA instance.
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-ha)#tunnel-type gre
[local]Redback(config-mip-ha)#authentication none
[local]Redback(config-mip-ha)#local-address to_fa
! Apply dynamic tunnel profile prof2 to FA peer 1.1.1.2.
[local]Redback(config-mip-ha)#foreign-agent-peer 1.1.1.2
[local]Redback(config-mip-ha-fapeer)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-ha-fapeer)#end
! The FA peer 3.1.1.2 inherits dynamic tunnel profile prof1 (which is specified in HA configuration mode) because no dynamic profile is applied at the FA peer level.
[local]Redback(config-mip-ha)#foreign-agent-peer 3.1.1.2
Note You must configure a last-resort interface within the same context to use a dynamic tunnel profile. For information about configuring last-resort interfaces, see the Basic System Configuration Guide.
Related Commands
home-agent
foreign-agent-peer
foreign-agent-peer
foreign-agent-peer ip-addr
no foreign-agent-peer ip-addr
Purpose
Creates or selects a foreign-agent (FA) peer for this home-agent (HA) instance and accesses FA peer
configuration mode.
Command Mode
HA configuration
Syntax Description
ip-addr  IP address for this FA peer.
Default
No FA peers are created.
Usage Guidelines
Use the foreign-agent-peer command to create or select an FA peer for this HA instance and access FA peer configuration mode. If a Mobile IP registration is received from an FA peer that isn't configured, one is created dynamically. FA and HA authentication and dynamic tunnel configuration are inherited from the HA instance.
Use the no form of this command to delete the FA peer with the specified IP address.
Examples
The following example creates an FA peer with IP address 172.16.2.1 for the HA instance in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#foreign-agent-peer 172.16.2.1
[local]Redback(config-fapeer)#
Related Commands
authentication
dynamic-tunnel-profile
shutdown
home-agent
home-agent
no home-agent
Purpose
Creates or selects a home-agent (HA) instance in this context and accesses HA configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
This command has no keywords or arguments.
Default
No HA instances are created.
Usage Guidelines
Use the home-agent command to create or select an HA instance in this context and access HA
configuration mode.
Use the no form of this command to delete the HA instance in this context.
Examples
The following example creates an HA instance in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#
Related Commands
authentication
foreign-agent-peer
local-address
shutdown
local-address
local-address if-name [ctx-name]
no local-address if-name [ctx-name]
Purpose
Specifies the interface for the home agent (HA) local address used by remote foreign agent (FA) peers for
this HA instance.
Command Mode
HA configuration
Syntax Description
if-name Name of the interface for the HA.
ctx-name Optional. Context name in which the interface exists. If the interface exists in
a context other than the one you are currently in, you must specify the context
name.
Default
None
Usage Guidelines
Use the local-address command to specify the interface for the HA local address used by FA peers for this
HA instance. Enter this command multiple times to specify multiple HA interfaces. This command
specifies an existing interface as the HA interface; you must first create that interface using the interface
command in context configuration mode.
Use the no form of this command to remove the HA local address.
Examples
The following example creates the local address interface in a context called ha and specifies it as the local
address interface for the HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#interface ha
[local]Redback(config-if)#ip address 10.1.1.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#local-address ha
Related Commands
home-agent
registration max-lifetime
registration max-lifetime seconds
no registration max-lifetime
Purpose
Specifies the registration maximum lifetime for any mobile node (MN) that uses this home agent (HA)
instance.
Command Mode
HA configuration
Syntax Description
seconds Registration maximum lifetime. The range of values is 1 to 65535 seconds.
Default
The registration maximum lifetime default is 1800 seconds (30 minutes).
Usage Guidelines
Use the registration max-lifetime command to specify the registration maximum lifetime for any MN that
uses this HA instance. A registration that requests a longer lifetime is granted at most this value.
Use the no form of this command to specify the default.
Examples
The following example specifies a registration maximum lifetime of 60 minutes (3600 seconds) for the
HA instance in this context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#registration max-lifetime 3600
Related Commands
home-agent
replay-tolerance
replay-tolerance seconds
no replay-tolerance
Purpose
Configures the tolerance for timestamp-based replay protection used between the home agent (HA)
instance and the registering mobile nodes (MN).
Command Mode
HA configuration
Syntax Description
seconds Tolerance for timestamp-based replay protection used between the HA instance and
registering MNs. The range of values is 4 to 255 seconds.
Default
The default tolerance for timestamp-based replay protection is 7 seconds.
Usage Guidelines
Use the replay-tolerance command to configure the tolerance for timestamp-based replay protection used
between the HA instance and the registering MN. The replay-tolerance command specifies the maximum
number of seconds by which the timestamp in the MN registration request and the HA instance clock can
differ. When the HA instance finds that the difference is greater than the configured number of seconds, it
rejects the MN registration. A small tolerance limits how long a captured registration request remains
replayable, but it requires the MN and HA clocks to stay synchronized within that window.
Use the no form of this command to specify the default.
Examples
The following example configures a timestamp-based replay tolerance of 10 seconds for this HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#replay-tolerance 10
Related Commands
authentication
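The following Python model is an added example; it is not part of this guide or of the SmartEdge OS code. It shows how the two HA-side checks that the registration max-lifetime and replay-tolerance commands tune fit together when a Registration Request arrives. Field and reply-code semantics follow RFC 3344: the Identification field carries the MN's NTP-format timestamp in its high-order 32 bits, code 133 is "registration Identification mismatch", an HA that rejects for that reason returns its own time in the high-order bits so the MN can resynchronize, and an HA may shorten but never lengthen the requested lifetime. The RegistrationRequest and HomeAgent classes and the sample request values are constructed for the example.

```python
"""Model of the Mobile IPv4 home-agent checks tuned by the registration
max-lifetime and replay-tolerance commands (added example, not SmartEdge code).
Semantics follow RFC 3344; the classes and sample values are constructed."""
from dataclasses import dataclass

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2_208_988_800

# RFC 3344 Registration Reply codes used here.
CODE_ACCEPTED = 0
CODE_ID_MISMATCH = 133      # registration Identification mismatch (sent by the HA)

INFINITE_LIFETIME = 0xFFFF  # RFC 3344: a lifetime of 65535 means "infinity"


def ntp_seconds(unix_time: float) -> int:
    """Convert a Unix time to the 32-bit NTP seconds value that the MN places
    in the high-order half of the Identification field."""
    return (int(unix_time) + NTP_UNIX_OFFSET) & 0xFFFFFFFF


def make_identification(unix_time: float, low32: int) -> int:
    """Build a 64-bit Identification: MN timestamp in the high 32 bits and a
    caller-supplied value (random in a real MN) in the low 32 bits."""
    return (ntp_seconds(unix_time) << 32) | (low32 & 0xFFFFFFFF)


@dataclass
class RegistrationRequest:           # constructed for the example
    home_address: str
    care_of_address: str
    lifetime: int                    # seconds requested by the MN
    identification: int              # 64-bit, timestamp-based replay protection


@dataclass
class RegistrationReply:
    code: int
    lifetime: int
    identification: int


class HomeAgent:
    """HA instance carrying the two tunables from this chapter.

    max_lifetime mirrors 'registration max-lifetime' (default 1800 s) and
    replay_tolerance mirrors 'replay-tolerance' (default 7 s)."""

    def __init__(self, max_lifetime: int = 1800, replay_tolerance: int = 7) -> None:
        self.max_lifetime = max_lifetime
        self.replay_tolerance = replay_tolerance
        self.bindings = {}   # home address -> (care-of address, expiry as Unix time)

    def process(self, req: RegistrationRequest, now_unix: float) -> RegistrationReply:
        ha_ts = ntp_seconds(now_unix)
        mn_ts = req.identification >> 32

        # Replay check: reject when the MN timestamp is farther from the HA
        # clock than the configured tolerance.  As RFC 3344 section 5.7
        # describes, the HA keeps the low-order 32 bits from the request and
        # supplies its own time in the high-order bits so the MN can resync.
        if abs(ha_ts - mn_ts) > self.replay_tolerance:
            resync_id = (ha_ts << 32) | (req.identification & 0xFFFFFFFF)
            return RegistrationReply(CODE_ID_MISMATCH, 0, resync_id)

        # Lifetime clamp: the HA may grant less than requested, never more, so
        # INFINITE_LIFETIME (65535) is also clamped to max_lifetime.
        granted = min(req.lifetime, self.max_lifetime)
        self.bindings[req.home_address] = (req.care_of_address, now_unix + granted)
        return RegistrationReply(CODE_ACCEPTED, granted, req.identification)

    def has_binding(self, home_address: str, now_unix: float) -> bool:
        """True while an accepted binding for home_address has not expired."""
        entry = self.bindings.get(home_address)
        return entry is not None and entry[1] > now_unix


if __name__ == "__main__":
    ha = HomeAgent(max_lifetime=3600, replay_tolerance=10)   # values configured above
    now = 1_700_000_000.0
    fresh = RegistrationRequest("10.1.2.3", "192.0.2.10", 7200,
                                make_identification(now + 3, 0x1234))
    print(ha.process(fresh, now))   # accepted, lifetime clamped to 3600
    stale = RegistrationRequest("10.1.2.3", "192.0.2.10", 7200,
                                make_identification(now - 11, 0x1234))
    print(ha.process(stale, now))   # code 133 carrying the HA's own time
```

The skew check uses the absolute difference, so an MN whose clock runs ahead of the HA is rejected just as one that lags; with the default 7-second tolerance, a request captured on the wire is useful to a replaying attacker for at most that window, which is why the command's lower bound is small.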
revocation
revocation [mobile-notify {always | never | foreign-dictate}] [timeout seconds] [retransmit num]
no revocation [mobile-notify condition] [timeout seconds] [retransmit num]
Purpose
Configures registration revocation as described in RFC 3543, Registration Revocation in Mobile IPv4, for
this home agent (HA) instance. Registration revocation is negotiated between the HA instance and its
foreign agent (FA) peers.
Command Mode
HA configuration
Syntax Description
mobile-notify condition Optional. Specifies the conditions under which the HA instance negotiates I-bit
support with its FA peers when the mobile node (MN) registers, according to
one of the following keywords:
always: Always notify the MN when Mobile IP services have been
revoked, except when the MN is no longer receiving service from the FA
peer. This is the default.
never: Never notify the MN that Mobile IP services have been revoked.
foreign-dictate: Does not negotiate I-bit support with the FA peer when the
MN registers. The FA peer determines whether or not to notify the MN.
timeout seconds Optional. Number of seconds between registration revocation retransmissions. A
registration revocation request is retransmitted to the FA peer when an
acknowledgement is not received. The range of values is 1 to 100; the default
value is 7.
retransmit num Optional. Number of times the SmartEdge OS retransmits registration
revocation messages. The range of values is 1 to 100; the default value is 3.
Default
Registration revocation is not configured for any HA instance.
Usage Guidelines
Use the revocation command to configure registration revocation, as described in RFC 3543, Registration
Revocation in Mobile IPv4, for this HA instance. Registration revocation is negotiated between the HA
instance and its FA peers.
Note To use registration revocation, you must also configure authentication for the FA peer, using
the authentication command (in HA configuration or FA peer configuration mode). If
authentication is not enabled for the FA peer, registration revocation is not negotiated for
registrations received from that peer.
Use the no form of this command to disable support for registration revocation for the HA instance.
Examples
The following example enables registration revocation support for the HA instance. Registration
revocation I-bit support is negotiated with the FA peer and the MN is never notified that Mobile IP services
have been revoked:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#revocation mobile-notify never
Related Commands
authentication
home-agent
router mobile-ip
router mobile-ip
no router mobile-ip
Purpose
Enables mobile services in this context and accesses Mobile IP configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
Mobile IP services are not enabled in any context.
Usage Guidelines
Use the router mobile-ip command to enable Mobile IP services in this context and access Mobile IP
configuration mode.
Use the no form of this command to disable Mobile IP services in this context.
Examples
The following example enables Mobile IP services in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#
Related Commands
foreign-agent-peer
home-agent
local-address
shutdown
shutdown
no shutdown
Purpose
Disables or enables the home-agent (HA) instance or foreign-agent (FA) peer.
Command Mode
FA peer configuration
HA configuration
Syntax Description
This command has no keywords or arguments.
Default
HA instances and FA peers are all enabled.
Usage Guidelines
Use the shutdown command to disable the HA instance or FA peer.
Use the no form of this command to enable the HA instance or FA peer.
Examples
The following example disables an HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#shutdown
The following example disables an FA peer:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#foreign-agent-peer 172.16.2.1
[local]Redback(config-fapeer)#shutdown
Related Commands
foreign-agent-peer
home-agent
local-address
tunnel-type
tunnel-type gre
no tunnel-type gre
Purpose
Enables use of Generic Routing Encapsulation (GRE) tunnel types by mobile nodes (MN).
Command Mode
HA configuration
Syntax Description
gre Specifies Generic Routing Encapsulation tunnels.
Default
IP-in-IP tunnels are enabled implicitly; no optional tunnel types are enabled.
Usage Guidelines
Use the tunnel-type command to enable the use of GRE tunnels by MNs, in addition to the IP-in-IP
tunnels that are always available.
Use the no form of this command to specify the default condition.
Examples
The following example enables the GRE tunnel type:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#tunnel-type gre
Related Commands
local-address
Part 4
IP Services
This part describes the tasks and commands used to configure HTTP redirect, hotlining, Domain Name
System (DNS), and access control lists (ACLs) for IP services and policies. It consists of the following
chapters:
Chapter 9, HTTP Redirect Configuration
Chapter 10, Hotlining Configuration
Chapter 11, DNS Configuration
Chapter 12, ACL Configuration
Chapter 9
HTTP Redirect Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS HTTP redirect features.
For information about tasks and commands used to monitor, troubleshoot, and administer HTTP redirect
features, see the HTTP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
HTTP redirect enables service providers to interrupt subscriber HTTP sessions and to redirect them to a
preconfigured URL. Optionally, the subscriber's identity attributes can be appended to the URL, and this
data can be encrypted with a shared key (see the encrypt command; the scheme is a repeating-key XOR).
Applications include the ability to require customer registration, to direct customers to web sites for
downloading virus protection software, and to advertise new services or software updates.
The SmartEdge router provides a lightweight HTTP server on its controller card. When a subscriber
initiates an HTTP session, authentication triggers an HTTP redirect when two conditions are in place: an
HTTP redirect profile containing a new URL is attached to the subscriber record, and a forward policy that
redirects HTTP traffic to the HTTP server on the controller card is attached to the subscriber circuit. HTTP
packets destined to the external HTTP server that hosts the redirect URL must be permitted to pass through
rather than redirected; otherwise the redirected session is itself redirected again. The subscriber session
opens to the web page indicated by the redirect URL. The forward policy that performs the redirection is
removed through the subscriber reauthorization mechanism.
Note In the following descriptions, the term, controller card, applies to the Cross-Connect Route
Processor (XCRP) or the XCRP Version 3 (XCRP3) Controller card, unless otherwise noted.
Configuration Tasks
To configure HTTP redirect features, perform the tasks described in the following sections:
Configure Subscriber Authentication and Reauthorization
Configure an IP ACL and Apply It to Subscribers
Configure the HTTP Server on the Active Controller Card
Configure and Attach an HTTP Redirect Profile to Subscribers
Configure a Policy ACL That Classifies HTTP Packets
Configure and Attach a Forward Policy to Redirect HTTP Packets
Configure Subscriber Authentication and Reauthorization
To configure subscriber authentication and reauthorization, see the Configure Subscriber Authentication
and Configure Dynamic Subscriber Reauthorization sections in Chapter 20, AAA Configuration.
Configure an IP ACL and Apply It to Subscribers
To redirect subscriber traffic to the new web page to which subscriber circuits are to be redirected, you
configure an IP access control list (ACL) that permits access to that web page and apply it to the subscriber
circuits (their records or profiles) that are to be redirected. To configure and apply an IP ACL, see the
Configure an IP ACL and Apply an IP ACL sections in Chapter 12, ACL Configuration.
Configure the HTTP Server on the Active Controller Card
To configure the HTTP server on the active controller card, perform the tasks described in Table 9-1.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 9-1 Configure the HTTP Server on the Controller Card
1. Enable the HTTP server on the controller card and access HTTP redirect server configuration mode.
   Root command: http-redirect server. Enter this command in global configuration mode.
2. Optional. Select the port on which the HTTP server listens.
   Root command: port. Enter this command in HTTP redirect server configuration mode.
Configure and Attach an HTTP Redirect Profile to Subscribers
To configure and attach an HTTP redirect profile to subscribers, perform the tasks described in Table 9-2.
The SmartEdge OS applies an HTTP profile in the following order of precedence:
1. Uses the Redback vendor-specific attribute (VSA) 107, HTTP-Redirect-Profile-Name, in the
subscriber record returned by the Remote Authentication Dial-In User Service (RADIUS) server in
Access-Accept packets for the subscriber.
2. If the RADIUS server does not return an HTTP profile name, it uses the HTTP profile attached to the
named subscriber configured in the context.
3. If the named subscriber does not have an HTTP profile attached to it, it uses the HTTP profile attached
to the named subscriber profile configured in the context.
4. If the subscriber profile does not have an HTTP profile attached to it, it uses the HTTP profile attached
to the default subscriber profile configured in the context.
Table 9-2 Configure and Attach an HTTP Redirect Profile to Subscribers
1. Configure an HTTP redirect profile and access HTTP redirect profile configuration mode.
   Root command: http-redirect profile. Enter this command in context configuration mode.
2. Configure the URL to which subscriber sessions are to be redirected.
   Root command: url. Enter this command in HTTP redirect profile configuration mode.
3. Attach the HTTP redirect profile to a subscriber record, a named subscriber profile, or the default
   subscriber profile.
   Root command: http-redirect profile. Enter this command in subscriber configuration mode.
Caution Risk of redirect loop. Redirect can recur until an IP ACL that permits access to the new web
page is applied to the subscriber record or profile. To reduce the risk, before modifying an
existing URL, ensure that the subscriber record includes an IP ACL that permits access to the
new URL.
Configure a Policy ACL That Classifies HTTP Packets
To configure a policy access control list (ACL) that classifies HTTP packets for the forward policy that
redirects HTTP packets, perform the tasks described in Table 9-3.
Table 9-3 Configure a Policy ACL That Classifies HTTP Packets
1. Create or select the policy ACL and enter access control list configuration mode.
   Root command: policy access-list. Enter this command in context configuration mode.
2. Assign HTTP packets that are destined to the web server hosting the URL to a separate class.
   Root command: permit. Enter this command in access control list configuration mode. Use the
   following construct:
   permit tcp any host ip-addr eq www class class-name
   where the ip-addr argument is the IP address of the web server hosting the URL that you configured
   in step 2 in Table 9-2.
3. Assign all other HTTP packets to a different class.
   Root command: permit. Enter this command in access control list configuration mode. Use the
   following construct:
   permit tcp any any eq www class class-name
   where the class-name argument is distinct from the one you configured in step 2.
Configure and Attach a Forward Policy to Redirect HTTP Packets
To configure a forward policy to redirect HTTP packets and attach it to a circuit or subscriber, perform the
tasks described in Table 9-4.
Table 9-4 Configure and Attach a Forward Policy to Redirect HTTP Packets
1. Create or select the forward policy and access forward policy configuration mode.
   Root command: forward policy. Enter this command in global configuration mode. For more
   information about forward policies, see Chapter 14, Forward Policy Configuration.
2. Apply the policy ACL that you configured in Table 9-3 to the forward policy and access policy ACL
   configuration mode.
   Root command: access-group. Enter this command in forward policy configuration mode.
3. Specify all HTTP packets and access policy ACL class configuration mode.
   Root command: class. Enter this command in policy ACL configuration mode. Use the class-name
   argument that you specified in step 3 in Table 9-3.
4. Redirect HTTP packets to the HTTP server on the controller card.
   Root command: redirect destination local. Enter this command in policy ACL class configuration
   mode.
5. Attach the forward policy to a circuit, a subscriber record, a named subscriber profile, or the default
   subscriber profile.
   Root command: forward policy in. Enter this command in ATM DS-3, ATM OC, ATM PVC,
   dot1q PVC, DS-0 group, DS-1, DS-3, Frame Relay PVC, port, or subscriber configuration mode.
   For more information about forward policies, see Chapter 14, Forward Policy Configuration.
Configuration Examples
The following example provides a simple HTTP redirect configuration:
! First enable the HTTP redirect server on the controller card:
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80 8080
[local]Redback(config-hr-server)#exit
! Configure the HTTP redirect profile and url:
[local]Redback(config)#context local
[local]Redback(config-ctx)#http-redirect profile Redirect
[local]Redback(config-hr-profile)#url http://www.Redirect.com
[local]Redback(config-hr-profile)#exit
! Attach the HTTP redirect profile to the default subscriber profile:
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#http-redirect profile Redirect
[local]Redback(config-sub)#exit
! Create a policy ACL:
[local]Redback(config-ctx)#policy access-list http-packets
! Create class abc for HTTP packets that are destined to the web server with the new URL:
[local]Redback(config-access-list)#permit tcp any host 10.1.1.1 eq www class abc
! Create class xyz for all other HTTP packets, to be redirected using the forward policy:
[local]Redback(config-access-list)#permit tcp any any eq www class xyz
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
! Create the forward policy:
[local]Redback(config)#forward policy www-redirect
! Apply the policy ACL that classifies HTTP packets:
[local]Redback(config-policy-frwd)#access-group http-packets local
! Redirect all other HTTP packets (class xyz) to the HTTP server on the controller card:
[local]Redback(config-policy-group)#class xyz
[local]Redback(config-policy-group-class)#redirect destination local
[local]Redback(config-policy-group-class)#exit
! Packets that are destined to the web server (class abc) use normal routing (no action).
[local]Redback(config-policy-group)#class abc
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-frwd)#exit
! Attach the forward policy to incoming packets on ATM PVC 3 5:
[local]Redback(config)#port atm 4/1
[local]Redback(config-atm)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 3 5 profile atm-pro encapsulation bridge1483
[local]Redback(config-atm-pvc)#forward policy www-redirect in
! Bind the appropriate subscriber record to the ATM PVC:
[local]Redback(config-atm-pvc)#bind subscriber joe@local
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure HTTP redirect
features. The commands are presented in alphabetical order:
encrypt
http-redirect profile
http-redirect server
port
redirect destination local
url
encrypt
encrypt sharedkey delimiter character
no encrypt sharedkey delimiter character
Purpose
Encrypts the identity attributes associated with the redirected subscriber HTTP session.
Command Mode
HTTP redirect profile configuration
Syntax Description
sharedkey Shared key used to encrypt the identity attributes associated with the
redirected subscriber HTTP session.
delimiter character Character that marks where the encrypted data starts and ends. The delimiter
character is not displayed as part of the redirected subscriber HTTP session.
Default
The identity attributes associated with the redirected subscriber HTTP session are sent in plain text.
Usage Guidelines
Use the encrypt command to encrypt the identity attributes associated with the redirected subscriber HTTP
session, so that they do not appear in plain text in the redirected URL.
Note The operation described below is a repeating-key XOR, not a standard cipher. It hides the
attributes from casual inspection of the URL, but it does not provide cryptographic
confidentiality: anyone who knows or can guess the value of any attribute (a subscriber knows
their own username and IP address) can XOR it against the hexadecimal string to recover the
corresponding bytes of the shared key, and because the key repeats, those bytes decode every
other attribute in the URL as well. Treat the shared key as a lightweight obfuscation secret
rather than as protection against a determined subscriber.
Use the no form of this command to remove the specified encrypt command from the HTTP redirect
profile.
To encrypt the identity attributes associated with a redirected subscriber HTTP session, the SmartEdge
router performs an Exclusive Or (XOR) operation. The router takes the variable representing each identity
attribute and applies the XOR operator to each character using a shared key. The identity attributes and
shared key are all in ASCII text. The XOR operation on the ASCII text produces binary data. Because the
URL must be transmitted in ASCII text, each binary byte is encoded as a two-character hexadecimal
value. To decrypt the string of hexadecimal values, map each two-character hexadecimal value back to a
byte and apply the XOR operation to it using the same shared key.
If the shared key is shorter than the combined string of identity attributes, the shared key is repeated within
the XOR equation so that each ASCII value that represents a value for the identity attribute is paired with
a value from the shared key. For instance, here are sample identity attributes and a shared key to encrypt:
Username portion of the subscriber name. For example, joe.
Domain portion of the subscriber name. For example, example.com.
IP address of the subscriber session. For example, 10.1.11.22.
Shared key. For example, abcd.
Here is what the XOR equation looks like using this data:
joe@example.com10.1.11.22
abcdabcdabcdabcdabcdabcda
Here is an example of a redirected HTTP session that is encrypted:
http://example.com/061413144a57515658514a50514f504f/index.html
where 061413144a57515658514a50514f504f is the encrypted data.
Examples
See the Configuration Examples on page9-4.
Related Commands
None
http-redirect profile
http-redirect profile {default | prof-name} [temporary]
no http-redirect profile {default | prof-name} [temporary]
Purpose
In context configuration mode, configures an HTTP redirect profile and enters HTTP redirect profile
configuration mode.
In subscriber configuration mode, applies an HTTP redirect profile to a subscriber record, a named
subscriber profile, or the default subscriber profile.
Command Mode
context configuration
subscriber configuration
Syntax Description
default Specifies the default HTTP redirect profile name.
prof-name Specifies the HTTP redirect profile name.
temporary Optional. Specifies that the HTTP redirect profile to apply to the subscriber
profile is temporary. After the HTTP redirect is processed, the HTTP redirect
profile is removed from the subscriber profile.
Default
An HTTP redirect profile is not preconfigured.
Usage Guidelines
Use the http-redirect profile command in context configuration mode to configure an HTTP redirect
profile and to enter HTTP redirect profile configuration mode. To specify the default HTTP redirect profile,
use the keyword default.
Use the http-redirect profile command in subscriber configuration mode to apply an HTTP redirect profile
to a subscriber record, a named subscriber profile, or the default subscriber profile. To specify that the
HTTP redirect profile applied to a subscriber profile is to be temporary, use the keyword temporary.
Note It is within the default HTTP redirect profile that a shared key is configured. This key is used
to encrypt identity attributes associated with a redirected subscriber HTTP session, if VSA
165 is configured in RADIUS.
Use the no form of this command to do the following:
In context configuration mode, delete an HTTP redirect profile.
In subscriber configuration mode, remove an HTTP redirect profile from a subscriber record, a named
subscriber profile, or the default subscriber profile.
Examples
The following example configures the HTTP profile, Redirect, and enters HTTP redirect profile
configuration mode:
[local]Redback(config)#context local
[local]Redback(config-ctx)#http-redirect profile Redirect
[local]Redback(config-hr-profile)#
The following example applies the HTTP profile, Redirect, to the default subscriber profile in the
local context:
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#http-redirect profile Redirect
The following example applies the HTTP redirect profile, Redirect, to the default subscriber profile in the
local context as a temporary profile, so that it is removed once the redirect has been processed:
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#http-redirect profile Redirect temporary
Related Commands
None
http-redirect server
http-redirect server
no http-redirect server
Purpose
Enables an HTTP server on the controller card and accesses HTTP redirect server configuration mode.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
The HTTP server is disabled on the controller card.
Usage Guidelines
Use the http-redirect server command to enable an HTTP server on the controller card and access HTTP
redirect server configuration mode.
Use the no form of this command to disable the HTTP server on the controller card.
Examples
The following example enables the HTTP server on the controller card and enters HTTP redirect server
configuration mode:
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#
Related Commands
http-redirect profile
port
redirect destination local
url
port
port [80] [port-number]
Purpose
Selects the port or ports on which the HTTP server on the controller card listens.
Command Mode
HTTP redirect server configuration
Syntax Description
80 Optional. Configures the HTTP server to listen on port 80. This is the default
port.
port-number Optional. Configures the HTTP server to listen on the specified port or ports. The
supported ports range from 1025 to 51000.
Default
The HTTP server listens on port 80.
Usage Guidelines
Use the port command to select the port (or ports) on which the HTTP server on the controller card listens.
By default, the HTTP server listens on port 80. You can configure the HTTP server to listen on any port or
ports (up to 10) ranging from 1025 to 51000. Including port 80, the total number of ports on which the HTTP
server can listen is 11.
Examples
The following example configures the HTTP server to listen on ports 80, 8080, 1025, 45000, and 50000:
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80 8080 1025 45000 50000
Related Commands
http-redirect server
redirect destination local
redirect destination local
no redirect destination
Purpose
In forward policy configuration mode, redirects packets not associated with a class to the HTTP server on
the controller card.
In policy ACL class configuration mode, redirects only packets associated with that class to the HTTP
server on the controller card.
Command Mode
forward policy configuration
policy ACL class configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets are not redirected.
Usage Guidelines
In forward policy configuration mode, use the redirect destination local command to redirect packets not
associated with a class to the HTTP server on the controller card. In policy ACL class configuration mode,
use the redirect destination local command to redirect only packets associated with that class to the HTTP
server on the controller card.
Use the no form of this command to disable the redirecting of packets.
Examples
The following example configures the forward policy, Business-Redirect, which redirects packets
associated with the class, Redirect, to the HTTP server on the controller card (and, through the command
entered in forward policy configuration mode, packets that match no class):
[local]Redback(config)#forward policy Business-Redirect
[local]Redback(config-policy-frwd)#redirect destination local
[local]Redback(config-policy-frwd)#access-group bus-redirect local
[local]Redback(config-policy-group)#class Redirect
[local]Redback(config-policy-group-class)#redirect destination local
Related Commands
http-redirect server
redirect destination circuit
redirect destination next-hop
url
url url
no url url
Purpose
Configures the URL to which the current subscriber HTTP session is to be redirected.
Command Mode
HTTP redirect profile configuration
Syntax Description
url URL to which the subscriber HTTP session is to be redirected. You can add a backslash at the end of the URL followed by any of these variables to personalize the URL:
%c Calling-station-ID of the subscriber session.
%d Domain portion of the subscriber name.
%i IP address of the subscriber session.
%n NAS-port-ID of the subscriber session.
%t Time stamp (in seconds) indicating when the HTTP redirection is applied to the subscriber.
%u Username portion of the subscriber name.
%U Entire subscriber name used in Point-to-Point Protocol (PPP) authentication.
Default
An HTTP redirect URL is not configured.
Usage Guidelines
Use the url command to configure the URL to which the current subscriber session is to be redirected.
Caution Risk of redirect loop. Redirect can recur until an IP ACL that permits access to the new web page
is applied to the subscriber record or profile. To reduce the risk, before modifying an existing URL,
ensure that the subscriber record includes an IP ACL that permits access to the new URL.
Note If the URL contains a question mark (?), press the Escape (Esc) key before you enter the ?
character. Otherwise, the SmartEdge OS command-line interface (CLI) interprets the ? character as
a request for help and does not allow you to complete the URL.
Use the no form of this command to delete the URL from the HTTP redirect profile.
Examples
The following example configures the URL, www.Redirect.com:
[local]Redback(config)#context local
[local]Redback(config-ctx)#http-redirect profile Redirect
[local]Redback(config-hr-profile)#url http://www.Redirect.com
Related Commands
http-redirect profile
http-redirect server
redirect destination local
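The following Python is an added illustration, not part of this guide and not SmartEdge OS code. It shows how the personalization variables accepted by the url command (%c, %d, %i, %n, %t, %u, %U) are expanded from a subscriber session, why each substituted value should be percent-encoded (the username and NAS-port-ID are not under the operator's control once they land in a URL), and a check for the redirect-loop caution above: the host serving the new URL must be one that the subscriber's IP ACL permits. The session field names, the sample values, and the split of the PPP subscriber name on "@" into username and domain are this example's own assumptions.

```python
from urllib.parse import quote, urlsplit

# Added example, not SmartEdge OS code. Variable letters are those documented for the
# url command; the session field names they map to are this example's own choice.
VARIABLE_FIELDS = {
    "c": "calling_station_id",
    "d": "domain",
    "i": "ip",
    "n": "nas_port_id",
    "t": "timestamp",
    "u": "username",
    "U": "name",
}


def session_fields(session: dict, timestamp: int) -> dict:
    """Derive every substitutable field from the raw session record.

    Splitting the PPP name on '@' is an assumption; the guide only says the name has a
    username portion (%u) and a domain portion (%d).
    """
    username, _, domain = session["name"].partition("@")
    return {
        "calling_station_id": session["calling_station_id"],
        "domain": domain,
        "ip": session["ip"],
        "nas_port_id": session["nas_port_id"],
        "timestamp": str(timestamp),
        "username": username,
        "name": session["name"],
    }


def expand_redirect_url(template: str, session: dict, timestamp: int) -> str:
    """Replace each %x variable with the percent-encoded session value.

    A '%' followed by a character that is not a known variable is copied unchanged,
    so a literal percent sign in the operator's URL survives.
    """
    fields = session_fields(session, timestamp)
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "%" and nxt in VARIABLE_FIELDS:
            out.append(quote(fields[VARIABLE_FIELDS[nxt]], safe=""))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def redirect_host_permitted(url: str, permitted_hosts: set) -> bool:
    """Redirect-loop check: the web server hosting the URL must be reachable through an
    IP ACL permit applied to the subscriber, otherwise the redirect recurs.
    permitted_hosts stands in for the hosts that ACL permits (constructed input)."""
    return urlsplit(url).hostname in permitted_hosts


# Constructed sample session; the values are illustrative, not captured data.
SAMPLE_SESSION = {
    "name": "alice@isp.example",
    "ip": "10.20.30.40",
    "calling_station_id": "00-11-22-33-44-55",
    "nas_port_id": "slot 3/port 1",
}
SAMPLE_TEMPLATE = "http://portal.example.com/captive?ip=%i&user=%u&dom=%d&nas=%n&t=%t"

if __name__ == "__main__":
    url = expand_redirect_url(SAMPLE_TEMPLATE, SAMPLE_SESSION, 1700000000)
    print(url)
    print("loop risk:", not redirect_host_permitted(url, {"portal.example.com"}))
```

Run as a script to see the expanded URL; the space and slash in the NAS-port-ID come out percent-encoded rather than breaking the query string.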
Chapter 10
Hotlining Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS hotlining features.
For information about tasks and commands used to monitor, troubleshoot, and administer hotlining
features, see the HTTP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Overview
Hotlining allows WiMAX operators to efficiently redirect subscribers to a portal controlled by a service
provider for service registration, updates, service advertisements, and issues that require immediate
attention, such as virus attacks and missed payments. When hotlining is complete, the subscriber is released
from the hotlined state (released from the portal) and returned to the original destination.
For example, if a subscriber has a mobile device that is locked to a subscription with a service provider,
that subscriber can be hotlined to a subscription server when the device is turned on. No other traffic is
allowed. The subscription server provides subscription options that the subscriber can choose from. When
the subscriber completes the subscription process, the subscriber is removed from the hotlined state.
When a hotlining session is activated, the HA receives the WiMAX Forum RADIUS VSA,
Hotline-Profile-ID (the hotlining profile identifier attribute), and Hotline-Indicator attribute (an attribute
that enables hotlining) from the AAA server in a RADIUS Access-Accept or change of authorization (CoA)
message. These attributes enable hotlining. The hotlining profile identifier selects a preconfigured
profile during the session. The RADIUS server or CoA sends the WiMAX Forum RADIUS VSA
Hotline-Indicator attribute in the Access-Accept or COA-Request message, which is reported in the session
and hotlining accounting records. For information on hotlining RADIUS attributes (Hotline-Profile-ID and
Hotline-Indicator), see the WiMAX Forum RADIUS VSAs and WiMAX Forum RADIUS VSAs in the
CoA sections in Appendix A, RADIUS Attributes.
Note Hotlining is a WiMAX feature that supports only WiMAX subscribers.
There will be accounting discrepancies of a few bytes per packet when the home agent (HA)
receives packets containing IP and GRE field values.
If the shared-key is configured using the subscriber default mobile-ip shared-key
command, the SmartEdge OS treats the subscriber as a 3GPP2 user.
The following are key accounting attributes in SmartEdge router RADIUS accounting records that
distinguish hotline accounting records from session accounting records and start records from stop records:
(A) SESSION-ACCT-START
Acct-Status-Type = Start
(no Hotline-Indicator)
Acct-Session-ID = <generated-id-2>
Acct-Multi-Session-ID = <multi-session-id-1>
(no counters)
(B) SESSION-ACCT-STOP (session stop, hotlining begin)
Acct-Status-Type = Stop
Acct-Session-ID = <generated-id-2>
(no Hotline-Indicator)
(no Acct-Terminate-Cause)
Acct-Multi-Session-ID = <multi-session-id-1>
Counters
(C) SESSION-ACCT-STOP (regular session down)
Acct-Status-Type = Stop
(no Hotline-Indicator)
Acct-Terminate-Cause = <some cause code>
Acct-Session-ID = <generated-id-2>
Acct-Multi-Session-ID = <multi-session-id-1>
Counters
(D) HOTLINE-ACCT-START
Acct-Status-Type = Start
Hotline-Indicator = <hl-ind-1> (from AAA server)
Acct-Session-ID = <generated-id-1>
Acct-Multi-Session-ID = <multi-session-id-1>
(no counters)
(E) HOTLINE-ACCT-STOP (hotline stop, begin regular session)
Acct-Status-Type = Stop
Hotline-Indicator = <hl-ind-1>
Acct-Session-ID = <generated-id-1>
(no Acct-Terminate-Cause)
(no counters)
(F) HOTLINE-ACCT-STOP (session down from hotlining)
Acct-Status-Type = Stop
Hotline-Indicator = <hl-ind-1>
Acct-Session-ID = <generated-id-1>
Acct-Terminate-Cause = <some cause code>
(no counters)
For information about the Acct-Terminate-Cause attribute, see Appendix A, RADIUS Attributes.
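The following Python is an added example, not part of this guide and not SmartEdge OS code. It classifies accounting records into the six kinds (A) to (F) listed above using only the three distinguishing attributes the guide names (Acct-Status-Type, the presence of Hotline-Indicator, and the presence of Acct-Terminate-Cause), then walks one subscriber's records to separate hotline time from regular session time and to sum traffic only from the records that carry counters. The sample records are constructed; the counter attribute names Acct-Input-Octets and Acct-Output-Octets are standard RADIUS attributes and are an assumption about how "Counters" appear in a real record, as is the use of a new SESSION-ACCT-START after the hotline stops.

```python
# Added example, not SmartEdge OS code. Attribute spellings follow the record listing above.
HOTLINE_INDICATOR = "Hotline-Indicator"
TERMINATE_CAUSE = "Acct-Terminate-Cause"
COUNTERS = ("Acct-Input-Octets", "Acct-Output-Octets")   # assumed counter attributes

# (Acct-Status-Type, Hotline-Indicator present, Acct-Terminate-Cause present) -> record kind
RECORD_KINDS = {
    ("Start", False, False): "A SESSION-ACCT-START",
    ("Stop", False, False): "B SESSION-ACCT-STOP (session stop, hotlining begin)",
    ("Stop", False, True): "C SESSION-ACCT-STOP (regular session down)",
    ("Start", True, False): "D HOTLINE-ACCT-START",
    ("Stop", True, False): "E HOTLINE-ACCT-STOP (hotline stop, begin regular session)",
    ("Stop", True, True): "F HOTLINE-ACCT-STOP (session down from hotlining)",
}


def classify_record(rec: dict) -> str:
    """Map one accounting record to its kind; the first character is the letter (A-F)."""
    key = (rec.get("Acct-Status-Type"), HOTLINE_INDICATOR in rec, TERMINATE_CAUSE in rec)
    return RECORD_KINDS.get(key, "UNCLASSIFIED")


def session_timeline(records: list) -> list:
    """Return [(Acct-Session-ID, kind letter)] for one subscriber session.

    All records of one subscriber share Acct-Multi-Session-ID; hotline records and
    regular session records are told apart by their distinct Acct-Session-ID values.
    """
    multi_ids = {r.get("Acct-Multi-Session-ID") for r in records}
    if len(multi_ids) != 1:
        raise ValueError(f"records span several multi-session ids: {sorted(map(str, multi_ids))}")
    return [(r["Acct-Session-ID"], classify_record(r)[0]) for r in records]


def hotline_session_ids(records: list) -> set:
    """Acct-Session-ID values that belong to hotline time (records D, E and F)."""
    return {r["Acct-Session-ID"] for r in records if HOTLINE_INDICATOR in r}


def billable_octets(records: list) -> int:
    """Sum traffic counters. Per the listing, only session Stop records (B and C) carry
    counters; hotline records never do, so they contribute nothing even if a counter
    attribute appears in one by mistake."""
    total = 0
    for r in records:
        if classify_record(r)[0] in ("B", "C"):
            total += sum(int(r.get(c, 0)) for c in COUNTERS)
    return total


# Constructed sample: a session starts, is hotlined, is released, and later ends normally.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "S2", "Acct-Multi-Session-ID": "M1"},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "S2", "Acct-Multi-Session-ID": "M1",
     "Acct-Input-Octets": "1000", "Acct-Output-Octets": "2000"},
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "S1", "Acct-Multi-Session-ID": "M1",
     "Hotline-Indicator": "ABCDEF"},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "S1", "Acct-Multi-Session-ID": "M1",
     "Hotline-Indicator": "ABCDEF"},
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "S2", "Acct-Multi-Session-ID": "M1"},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "S2", "Acct-Multi-Session-ID": "M1",
     "Acct-Terminate-Cause": "User-Request",
     "Acct-Input-Octets": "500", "Acct-Output-Octets": "700"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
    print(session_timeline(SAMPLE_RECORDS))
    print("hotline session ids:", hotline_session_ids(SAMPLE_RECORDS))
    print("billable octets:", billable_octets(SAMPLE_RECORDS))
```

The classification key is deliberately the same three attributes the guide uses to tell the record kinds apart, so a billing or audit job that receives both kinds of record on one accounting port can sort them without any vendor-specific parsing beyond recognizing the Hotline-Indicator VSA.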
Configuration Tasks
To configure hotlining, perform the tasks described in the following sections:
Configure the Local HTTP Server on the Active Controller Card
Configure a RADIUS Server Profile
Configure a Policy ACL That Classifies HTTP Packets
Configure a Forward Policy to Redirect HTTP Packets
Configure Accounting Server
Configure the Local HTTP Server on the Active Controller Card
To configure the HTTP server on the active controller card, perform the tasks described in Table 10-1.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section on page 9-6 in Chapter 9, HTTP Redirect Configuration.
Note Hotlining is a WiMAX feature that supports only WiMAX subscribers.
Hotlining does not support IP and GRE header field values in packets.
Table 10-1 Configure the HTTP Server on the Controller Card
# | Task | Root Command | Notes
1. | Enable the HTTP server on the controller card and access HTTP redirect server configuration mode. | http-redirect server | Enter this command in global configuration mode.
2. | Optional. Select the port on which the HTTP server listens. | port | Enter this command in HTTP redirect server configuration mode.
Configure a RADIUS Server Profile
To configure a RADIUS server profile, perform the task described in Table 10-2.
Configure a Policy ACL That Classifies HTTP Packets
To configure a policy access control list (ACL) that classifies HTTP packets for the forward policy that
redirects HTTP packets, perform the tasks described in Table 10-3.
Configure a Forward Policy to Redirect HTTP Packets
To configure a forward policy to redirect HTTP packets, perform the tasks described in Table 10-4.
Table 10-2 Configure and Attach an HTTP Redirect Profile to Subscribers
# | Task | Root Command | Notes
1. | Create or select a RADIUS-guided service profile and access service profile configuration mode. | radius service profile | Enter this command in context configuration mode. For more information about RADIUS configuration, see Chapter 21, RADIUS Configuration.
Table 10-3 Configure a Policy ACL That Classifies HTTP Packets
# | Task | Root Command | Notes
1. | Create or select the policy ACL and enter access control list configuration mode. | policy access-list | Enter this command in context configuration mode. This profile is the one selected by the value of the WiMAX attribute Hotline-Profile-Id. For more information about ACLs, see Chapter 12, ACL Configuration.
2. | Assign HTTP packets that are destined to the web server hosting the URL to a separate class. | permit | Enter this command in access control list configuration mode. Use the following construct: permit tcp any host ip-addr eq www class class-name, where the ip-addr argument is the IP address of the web server hosting the URL that you configured in step 2 in Table 10-2.
3. | Assign all other HTTP packets to a different class. | permit | Enter this command in access control list configuration mode. Use the following construct: permit tcp any any eq www class class-name, where the class-name argument is distinct from the one that you configured in step 2.
Table 10-4 Configure and Attach a Forward Policy to Redirect HTTP Packets
# | Task | Root Command | Notes
1. | Create or select the forward policy and access forward policy configuration mode. | forward policy | Enter this command in global configuration mode. For more information about forward policies, see Chapter 14, Forward Policy Configuration.
2. | Apply the policy ACL that you configured in Table 10-3 to the forward policy and access policy ACL configuration mode. | access-group | Enter this command in forward policy configuration mode.
3. | Specify all HTTP packets and access policy ACL class configuration mode. | class | Enter this command in policy ACL configuration mode. Use the class-name argument that you specified in step 3 in Table 10-3.
Table 10-4 Configure and Attach a Forward Policy to Redirect HTTP Packets (continued)
# | Task | Root Command | Notes
4. | Redirect HTTP packets to the HTTP server on the controller card. | redirect destination local | Enter this command in policy ACL class configuration mode.
Table 10-5 Configure and Attach a Forward Policy to Redirect HTTP Packets
# | Task | Root Command | Notes
1. | Create or select the forward policy and access forward policy configuration mode. | radius accounting server | Enter this command in context configuration mode. For more information about RADIUS configuration, see Chapter 21, RADIUS Configuration.
Configure Accounting Server
To configure an accounting server, perform the tasks described in Table 10-4.
Configuration Examples
This section includes the following topics:
Hotlining Configuration Example
RADIUS Entry Example
Hotlining Configuration Example
The following example shows an HTTP redirect configuration:
! First enable the HTTP redirect server on the controller card.
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80
[local]Redback(config-hr-server)#exit
! Configure the RADIUS profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius service profile wimax-h1-prof-3
[local]Redback(config-service-profile)#accounting in circuit
[local]Redback(config-service-profile)#accounting out circuit
[local]Redback(config-service-profile)#attribute forward-policy fwd-pol-1
[local]Redback(config-service-profile)#attribute http-redirect-url "http://my-redir-url.funky.com"
[local]Redback(config-service-profile)#exit
! Configure the ACL policy.
[local]Redback(config-ctx)#policy access-list http-packets-1
! Class PORTAL allows HTTP from any to the redirected web server at 10.1.1.1.
[local]Redback(config-access-list)#permit tcp any host 10.1.1.1 eq www class PORTAL
! Specify that packets that are not part of the PORTAL class get redirected to the local HTTP server.
[local]Redback(config-access-list)#permit tcp any any eq www class REDIRECT
[local]Redback(config-access-list)#permit tcp any any eq www class CATCH-ALL
[local]Redback(config-ctx)#exit
! Create the forward policy.
[local]Redback(config)#forward policy www-redirect-1
! Apply the ACL policy that classifies HTTP packets.
[local]Redback(config-policy-frwd)#access-group http-packets-1 local
! Redirect all REDIRECT class packets to the local HTTP server on the SmartEdge router.
[local]Redback(config-policy-group)#class REDIRECT
[local]Redback(config-policy-group-class)#redirect destination local
[local]Redback(config-policy-group-class)#exit
! Class PORTAL packets destined for the redirected web server typically get routed to the portal.
[local]Redback(config-policy-group)#class PORTAL
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class CATCH-ALL
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-frwd)#exit
! Configure a RADIUS accounting server IP address of 10.3.3.3 with the key, secret, using port 4445 for accounting.
[local]Redback(config-ctx)#radius accounting server 10.3.3.3 key secret port 4445
RADIUS Entry Example
The following RADIUS entry applies the forward policy at hotline activation time by referring to it from
the RADIUS service profile configured on the SmartEdge router.
WiMAX-Hotline-Profile-ID="wimax-hl-prof-3",
WiMAX-Hotline-Indicator="ABCDEF",
WiMAX-Capability ="\002\003\001"
Chapter 11
DNS Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Domain Name System
(DNS) features.
For information about the tasks and commands used to monitor, troubleshoot, and administer DNS features,
see the DNS Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
DNS maps hostnames to IP addresses. When a command refers to a hostname, the SmartEdge OS consults
the host table for mappings to IP addresses. If the information is not in the table, the SmartEdge OS
generates a DNS query to resolve the hostname. DNS is enabled on a per-context basis, with one domain
name allowed per context.
Note When IP Version 6 (IPv6) addresses are not referenced or explicitly specified, the term, IP
address, can refer generally to IP Version 4 (IPv4) addresses, IPv6 addresses, or IP addressing.
In instances where IPv6 addresses are referenced or explicitly specified, the term, IP address,
refers only to IPv4 addresses. For a description of IPv6 addressing and the types of IPv6
addresses, see RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture.
Configuration Tasks
To configure DNS, perform the tasks described in the following sections:
Configure DNS
Enable DNS to Establish Subscriber Sessions (Optional)
Configure Static Hostname-to-IP Address Mappings (Optional)
Configure DNS
To configure DNS, perform the tasks described in Table 11-1; enter all commands in context configuration
mode.
Enable DNS to Establish Subscriber Sessions (Optional)
To enable subscriber sessions to be established using DNS, perform the task described in Table 11-2.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 11-1 Configure DNS
Task | Root Command | Notes
Specify a domain name (or alias) for the context. | ip domain-name | You can create up to six domain names per context.
Specify the IP address of a primary (and, optionally, secondary) DNS server with one of the following tasks: | | For DNS resolution to function, there must be an IP route to the DNS server.
Specify IPv4 addresses. | ip name-servers |
Specify IPv6 addresses. | ipv6 name-servers |
Enable the SmartEdge OS to use DNS resolution to look up hostname-to-IP address mappings. | ip domain-lookup | For DNS resolution to function, you must configure domain-name lookup.
Table 11-2 Enable DNS to Establish Subscriber Sessions (Optional)
Task | Root Command | Notes
Configure the IP address of a primary or secondary DNS server that a subscriber should use. | dns | Enter this command in subscriber configuration mode.
Configure Static Hostname-to-IP Address Mappings (Optional)
In addition to having DNS perform dynamic resolution, you can configure static hostname-to-IP address
mappings. To do so, perform the task described in Table 11-3; enter all commands in context configuration
mode.
Table 11-3 Configure Static Hostname-to-IP Address Mappings
Task | Root Command | Notes
Create static hostname-to-IP address mappings in the host table with one of the following tasks: | | The SmartEdge OS always consults the host table prior to generating a DNS lookup query. You can create up to 64 static entries in the host table.
Create a mapping with an IPv4 address. | ip host |
Create a mapping with an IPv6 address. | ipv6 host |
Configuration Examples
The following example configures the redback.com domain for the local context and configures a
connection to a remote DNS server at IP address, 155.53.130.200. The ip domain-lookup command
enables DNS resolution:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip domain-lookup
[local]Redback(config-ctx)#ip domain-name redback.com
[local]Redback(config-ctx)#ip name-servers 155.53.130.200
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure DNS features.
The commands are presented in alphabetical order:
dns
ip domain-lookup
ip domain-name
ip host
ip name-servers
ipv6 host
ipv6 name-servers
dns
dns {primary | secondary} ip-addr
no dns {primary | secondary} ip-addr
Purpose
Configures the IP address of a primary (and, optionally, secondary) Domain Name System (DNS) server
for a subscriber.
Command Mode
subscriber configuration
Syntax Description
primary Configures the IP address of a primary DNS server.
secondary Configures the IP address of a secondary DNS server.
ip-addr DNS server IP address.
Default
No DNS servers are preconfigured.
Usage Guidelines
Use the dns command to configure the IP address of a primary (and, optionally, secondary) DNS server for
a subscriber.
Use the no form of this command to remove the DNS server information from a subscriber record.
Examples
The following example configures a primary DNS server address of 10.2.3.4 for subscriber, kenny:
[local]Redback(config-ctx)#subscriber name kenny
[local]Redback(config-sub)#dns primary 10.2.3.4
Related Commands
ip domain-lookup
ip domain-name
ip host
ip name-servers
ipv6 host
ipv6 name-servers
ip domain-lookup
ip domain-lookup
no ip domain-lookup
Purpose
Enables the SmartEdge OS to use Domain Name System (DNS) resolution to look up
hostname-to-IP address mappings in the host table for the context.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
DNS lookup is disabled.
Usage Guidelines
Use the ip domain-lookup command to enable the SmartEdge OS to use DNS resolution to look up
hostname-to-IP address mappings in the host table for the context.
This command allows a user to ping or Telnet to a host using a hostname, instead of having to know the
host's specific IP address. When a command references a hostname, the SmartEdge OS consults the local
host table to obtain the hostname-to-IP address mapping. If the information is not in the local host table,
the SmartEdge OS generates a DNS query to resolve the hostname.
For DNS resolution to function, one or more DNS servers must be specified using the ip name-servers
command. Hostnames that are statically entered into the local host table using the ip host command are
also used for DNS resolution.
Use the no form of this command to disable DNS resolution lookup.
Examples
The following example enables DNS resolution:
[ l ocal ] Redback( conf i g- ct x) #ip domain-lookup
Related Commands
dns
ip domain-name
ip host
ip name-servers
ipv6 host
ipv6 name-servers
ip domain-name
ip domain-name name
no ip domain-name name
Purpose
Creates a Domain Name System (DNS) name (or alias) for the context.
Command Mode
context configuration
Syntax Description
name Name (or alias) of the domain for the context.
Default
No domain names are created for the context.
Usage Guidelines
Use the ip domain-name command to create a domain name (or alias) for the context.
You can create up to six domain names for each context.
Use the no form of this command to remove the domain name (or alias) from the configuration.
Examples
The following example creates a domain name, redback.com, for the local context:
[local]Redback(config-ctx)#ip domain-name redback.com
Related Commands
dns
ip domain-lookup
ip host
ip name-servers
ipv6 host
ipv6 name-servers
ip host
ip host hostname ip-addr
no ip host hostname ip-addr
Purpose
Creates a static hostname-to-Internet Protocol version 4 (IPv4) address Domain Name System (DNS)
mapping in the host table for the context.
Command Mode
context configuration
Syntax Description
hostname Name of the host.
ip-addr IPv4 address of the host.
Default
No static mappings are preconfigured.
Usage Guidelines
Use the ip host command to create a static hostname-to-IPv4 address DNS mapping in the host table for
the context.
You can create up to 64 static entries in the host table. The SmartEdge OS always consults the host table
prior to generating a DNS lookup query.
Use the no form of this command to remove the specified static entry. Specifying a new IPv4 address for
an existing hostname removes the previously specified IPv4 address.
Examples
The following example statically maps the hostname, hamachi, to the IPv4 address, 192.168.42.105:
[local]Redback(config-ctx)#ip host hamachi 192.168.42.105
Related Commands
dns
ip domain-lookup
ip domain-name
ip name-servers
ip name-servers
ip name-servers primary-ip-addr [secondary-ip-addr]
no ip name-servers
Purpose
Specifies the Internet Protocol version 4 (IPv4) address of a primary (and, optionally, a secondary) Domain
Name System (DNS) server.
Command Mode
context configuration
Syntax Description
primary-ip-addr IPv4 address of the primary DNS server.
secondary-ip-addr Optional. IPv4 address of the secondary DNS server.
Default
No DNS server IPv4 addresses are preconfigured.
Usage Guidelines
Use the ip name-servers command to specify the IPv4 address of a primary (and, optionally, a secondary)
DNS server.
For DNS resolution to function, you must configure domain-name lookup using the ip domain-lookup
command (in context configuration mode), and there must be an IP route to the DNS servers.
Use the no form of this command to remove the specified DNS server association. If you delete the primary
DNS server, any configured secondary DNS server becomes the primary server.
Examples
The following command configures an association with a primary DNS server at IPv4 address,
128.215.33.47, and a secondary server at IPv4 address, 196.145.92.33:
[local]Redback(config-ctx)#ip name-servers 128.215.33.47 196.145.92.33
The following command removes the primary DNS server, making the server that was previously the
secondary into the primary:
[local]Redback(config-ctx)#no ip name-servers 128.215.33.47
Related Commands
dns
ip domain-lookup
ip domain-name
ip host
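The following Python is an added illustration, not part of this guide and not SmartEdge OS code. It models the resolution behaviour described across this chapter's Overview and the ip domain-lookup, ip host and ip name-servers descriptions: the static host table is consulted first, a DNS query is generated only when ip domain-lookup is enabled, the primary server is tried before the secondary, deleting the primary promotes the secondary, and the per-context limits of six domain names and 64 static host entries are enforced. Class, method and argument names are this example's own; the stand-in name server data, the second server address and the rule that an unanswered query falls through to the secondary server are assumptions.

```python
# Added example, not SmartEdge OS code. The limits are those stated in the command
# descriptions (six domain names per context, 64 static host-table entries).
MAX_DOMAIN_NAMES = 6
MAX_HOST_ENTRIES = 64


class ContextDns:
    """Per-context DNS settings, one instance per context (names are this example's own)."""

    def __init__(self):
        self.domain_lookup = False      # ip domain-lookup
        self.domain_names = []          # ip domain-name
        self.name_servers = []          # ip name-servers primary [secondary]
        self.host_table = {}            # ip host hostname ip-addr

    def ip_domain_lookup(self, enabled=True):
        self.domain_lookup = enabled

    def ip_domain_name(self, name):
        if name in self.domain_names:
            return
        if len(self.domain_names) >= MAX_DOMAIN_NAMES:
            raise ValueError("a context allows at most six domain names")
        self.domain_names.append(name)

    def ip_host(self, hostname, ip_addr):
        # A new address for an existing hostname replaces the old one and needs no new slot.
        if hostname not in self.host_table and len(self.host_table) >= MAX_HOST_ENTRIES:
            raise ValueError("host table already holds 64 static entries")
        self.host_table[hostname] = ip_addr

    def no_ip_host(self, hostname):
        self.host_table.pop(hostname, None)

    def ip_name_servers(self, primary, secondary=None):
        self.name_servers = [primary] + ([secondary] if secondary else [])

    def no_ip_name_servers(self, ip_addr):
        # Deleting the primary leaves a configured secondary as the new primary.
        self.name_servers = [s for s in self.name_servers if s != ip_addr]

    def resolve(self, hostname, query):
        """Return (ip or None, source). query(server, hostname) stands in for the DNS
        exchange and returns an address, or None when the server does not answer;
        servers are tried in primary, secondary order (assumption)."""
        if hostname in self.host_table:
            return self.host_table[hostname], "host-table"
        if not self.domain_lookup:
            return None, "ip domain-lookup not enabled"
        for server in self.name_servers:
            ip = query(server, hostname)
            if ip is not None:
                return ip, server
        return None, "no answer from configured name servers"


# Constructed stand-in for the remote servers: server address -> zone data.
# 155.53.130.200 is the server from the chapter's example; .201 and the answers are invented.
FAKE_ZONES = {
    "155.53.130.200": {"www.redback.com": "192.0.2.10"},
    "155.53.130.201": {"www.redback.com": "192.0.2.10", "ftp.redback.com": "192.0.2.20"},
}


def fake_query(server, hostname):
    return FAKE_ZONES.get(server, {}).get(hostname)


def build_local_context():
    """Mirrors the chapter's configuration example, plus a secondary server and one ip host entry."""
    ctx = ContextDns()
    ctx.ip_domain_lookup()
    ctx.ip_domain_name("redback.com")
    ctx.ip_name_servers("155.53.130.200", "155.53.130.201")
    ctx.ip_host("hamachi", "192.168.42.105")
    return ctx


if __name__ == "__main__":
    ctx = build_local_context()
    print(ctx.resolve("hamachi", fake_query))           # answered from the host table
    print(ctx.resolve("ftp.redback.com", fake_query))   # answered by the secondary server
    ctx.no_ip_name_servers("155.53.130.200")
    print(ctx.name_servers)                             # secondary is now the only server
```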
ipv6 host
ipv6 host hostname ipv6-addr
no ipv6 host hostname ipv6-addr
Purpose
Creates a static hostname-to-IP Version 6 (IPv6) address Domain Name System (DNS) mapping in the host
table for the context.
Command Mode
context configuration
Syntax Description
hostname Name of the host.
ipv6-addr IPv6 address of the host.
Default
No static mappings are preconfigured.
Usage Guidelines
Use the ipv6 host command to create a static hostname-to-IPv6 address DNS mapping in the host table for
the context.
You can create up to 64 static entries in the host table. The SmartEdge OS always consults the host table
prior to generating a DNS lookup query.
Use the no form of this command to remove the specified static entry. Specifying a new IPv6 address for
an existing hostname removes the previously specified IPv6 address.
Examples
The following example statically maps the hostname, hamachi, to the IPv6 address, 2007::1:
[local]Redback(config-ctx)#ipv6 host hamachi 2007::1
Related Commands
dns
ip domain-lookup
ip domain-name
ipv6 name-servers
ipv6 name-servers
ipv6 name-servers primary-ipv6-addr [secondary-ipv6-addr]
no ipv6 name-servers
Purpose
Specifies the IP Version 6 (IPv6) address of a primary (and, optionally, a secondary) Domain Name System
(DNS) server.
Command Mode
context configuration
Syntax Description
primary-ipv6-addr IPv6 address of the primary DNS server.
secondary-ipv6-addr Optional. IPv6 address of the secondary DNS server.
Default
No DNS server IPv6 addresses are preconfigured.
Usage Guidelines
Use the ipv6 name-servers command to specify the IPv6 address of a primary (and, optionally, a
secondary) DNS server.
For DNS resolution to function, you must configure the domain name lookup using the ip domain-lookup
command (in context configuration mode), and there must be an IPv6 route to the DNS servers.
Use the no form of this command to remove the specified DNS server association. If you delete the primary
DNS server, any configured secondary DNS server becomes the primary server.
Examples
The following command configures an association with a primary DNS server at IPv6 address, 2007::1,
and a secondary server at IPv6 address, 2007::2:
[local]Redback(config-ctx)#ipv6 name-servers 2007::1 2007::2
The following command removes the primary DNS server, making the server that was previously the
secondary into the primary:
[local]Redback(config-ctx)#no ipv6 name-servers 2007::1
Related Commands
dns
ip domain-lookup
ip domain-name
ipv6 host
Chapter 12
ACL Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS access control lists
(ACLs).
For information about the tasks and commands used to monitor, troubleshoot, and administer ACLs, see
the ACL Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
SmartEdge OS ACLs are described in the following subsections:
IP ACLs
Policy ACLs
IP ACLs
IP ACLs are lists of packet filters used to control the type of service that packets should receive. All IP
ACLs are defined within a context. The following sections describe IP ACLs:
IP ACL Applications
IP ACL Statements
IP ACL Packet Filtering
Dynamic IP Filter ACL
Note In the following descriptions, the term, controller card, applies to the Cross-Connect Route
Processor (XCRP) or the XCRP Version 3 (XCRP3) Controller card, unless otherwise noted.
IP ACL Applications
Using an IP ACL, you can filter traffic on traffic card circuits, the Ethernet management port, and
subscriber circuits, and administrative traffic, as described in the following subsections:
Traffic Card Circuits
Ethernet Management Port
Subscriber Circuits
Administrative
Traffic Card Circuits
To filter packets in either the inbound or outbound direction on traffic card circuits, you apply an IP ACL
to the interface to which the circuits are bound.
Ethernet Management Port
To filter packets in either the inbound or outbound direction on the Ethernet management port on the active
controller card, you apply an IP ACL to the interface to which the management port is bound. Both inbound
and outbound filters are supported.
Subscriber Circuits
To filter packets in either the inbound or outbound direction for a subscriber circuit, you apply an IP ACL
to the subscriber record, a named subscriber profile, or the default subscriber profile. Both inbound and
outbound filters are supported.
Administrative
To filter inbound packets that are delivered to the kernel, you apply an IP ACL to a context. These ACLs
are independent of the interface and circuit on which they were received.
IP ACL Statements
In an IP ACL, each statement (referred to as a rule) defines the action, either permit or deny, to be taken for
a packet if the packet satisfies the rule. A permit statement causes any packet matching the criteria to be
accepted. A deny statement causes any packet matching the criteria to be dropped. A packet that does not
match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until
the end of the IP ACL is reached, at which point the packet is dropped due to an implicit deny any any
statement at the end of every IP ACL.
You can use the optional seq seq-num construct with any permit or deny command to establish a sequence
number for the statement you are creating. If you do not use the seq seq-num construct, the system
automatically assigns sequence numbers to the statements that you enter, in increments of 10.
Note To ensure that all inbound packets are filtered before being delivered to the kernel, you must
apply an IP ACL to each and every context that you have configured.
The first statement that you enter is assigned the sequence number of 10, the second is assigned the number
20, and so on. This allows room to assign intermediate sequence numbers to statements that you might want
to add later. The assigned sequence numbers for the various statements are displayed in the output of the
show configuration acl and show ip access-list commands.
If manually assigned sequence numbers leave no room for insertion of additional entries in the IP ACL,
you can use the resequence ip access-list command (in context configuration mode) to reassign the
sequence numbers so that they are in increments of 10. The no seq seq-num construct removes an
individual statement from the IP ACL.
IP ACL Packet Filtering
Based on the rules specified in the ACLs associated with the packet, the SmartEdge OS decides whether
the packet is forwarded or dropped. Statement criteria include all Internet protocols and can be specified by
the protocol numbers established in RFC 1700, Assigned Numbers. A subset of these options can also be
specified by keyword.
All packets that are permitted or dropped as a result of an IP ACL can be counted and logged (denied
packets only) if you enable the count and log functions when you apply an IP ACL. By default, the counting
and logging of packets is disabled because these functions have an impact on system performance. We
recommend that you only enable logging or counting when required for diagnostic purposes.
The SmartEdge router uses IP ACLs to filter packets in the following order:
1. ACLs applied to interfaces for inbound traffic on traffic card circuits and the Ethernet management port.
2. ACLs applied to subscriber records and profiles for inbound traffic on subscriber circuits.
3. ACLs applied to contexts for administrators (inbound only).
4. ACLs applied to outbound traffic on traffic card circuits and the Ethernet management port.
5. ACLs applied to subscriber records and profiles for outbound traffic on subscriber circuits.
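The following Python is an added illustration, not part of this guide and not SmartEdge OS code. It models the statement handling described under IP ACL Statements and IP ACL Packet Filtering: rules are evaluated in sequence-number order and the first match decides, an unmatched packet hits the implicit deny any any, automatically numbered statements go 10, 20, 30 and so on, an explicit seq inserts between them, no seq removes one, resequence renumbers in increments of 10, and, when count and log are enabled at apply time, matches are counted and denied packets are logged. Matching is limited to exact addresses, "any" and an "eq" destination port; prefix masks, ranges and the other options the real command takes are left out. The rule that the next automatic number is the highest existing number plus 10, the constructed ACL and the sample packets are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not SmartEdge OS code.
STEP = 10   # automatic sequence numbers advance in increments of 10


@dataclass
class Rule:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol; otherwise exact match
    src: str                      # "any" or an exact address (no masks in this model)
    dst: str
    dst_port: Optional[int] = None  # "eq port" on the destination

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.src != "any" and self.src != pkt["src"]:
            return False
        if self.dst != "any" and self.dst != pkt["dst"]:
            return False
        if self.dst_port is not None and self.dst_port != pkt.get("dst_port"):
            return False
        return True


class IpAccessList:
    def __init__(self, name: str, count: bool = False, log: bool = False):
        self.name = name
        self.rules: list = []
        self.count, self.log = count, log   # chosen when the ACL is applied
        self.counters: dict = {}
        self.log_lines: list = []

    def add(self, action, proto, src, dst, dst_port=None, seq=None) -> int:
        """permit/deny [seq seq-num]; returns the sequence number assigned."""
        if seq is None:   # assumption: highest existing number plus 10
            seq = (self.rules[-1].seq + STEP) if self.rules else STEP
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"seq {seq} is already used in ACL {self.name}")
        self.rules.append(Rule(seq, action, proto, src, dst, dst_port))
        self.rules.sort(key=lambda r: r.seq)   # evaluation order is sequence order
        return seq

    def no_seq(self, seq: int) -> None:
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self) -> list:
        """Renumber 10, 20, 30, ... preserving order; returns the new numbers."""
        for i, rule in enumerate(self.rules, start=1):
            rule.seq = i * STEP
        return [r.seq for r in self.rules]

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                self._account(rule.seq, rule.action, pkt)
                return rule.action
        self._account("implicit", "deny", pkt)   # implicit deny any any at the end
        return "deny"

    def _account(self, seq, action, pkt):
        if self.count:
            self.counters[seq] = self.counters.get(seq, 0) + 1
        if self.log and action == "deny":   # only denied packets are logged
            self.log_lines.append(
                f"acl {self.name} seq {seq} deny {pkt['proto']} {pkt['src']} -> {pkt['dst']}")


def build_mgmt_acl() -> IpAccessList:
    """Constructed management-port ACL: SSH and SNMP to the controller, everything else denied."""
    acl = IpAccessList("mgmt-in", count=True, log=True)
    acl.add("permit", "tcp", "any", "10.0.0.1", dst_port=22)            # seq 10
    acl.add("deny", "ip", "any", "any")                                 # seq 20
    acl.add("permit", "udp", "any", "10.0.0.1", dst_port=161, seq=15)   # inserted between
    return acl


if __name__ == "__main__":
    acl = build_mgmt_acl()
    print([(r.seq, r.action, r.proto) for r in acl.rules])
    print(acl.evaluate({"proto": "tcp", "src": "192.0.2.7", "dst": "10.0.0.1", "dst_port": 80}))
    print(acl.log_lines)
```

Counting and logging are modelled as per-ACL flags set at apply time because that is where the guide enables them, and the log line is emitted only on a deny, which is also why the guide recommends leaving both off outside diagnostics: every denied packet costs a log entry.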
Dynamic IP Filter ACL
Dynamic IP filter ACLs allow IP ACL packet filtering to be downloaded from a Remote Authentication
Dial-In User Service (RADIUS) server. A dynamic IP filter ACL consists of a set of rules, each of which
is contained in an RFC vendor-specific attribute (VSA) 242 instance.
For more information about VSA 242, see the Other VSAs Supported by the SmartEdge OS section in
Appendix A, RADIUS Attributes.
Policy ACLs
A policy ACL is a list of packet filters (rules), each of which defines a class of packets. A policy ACL,
unlike an IP ACL, does not define the action for each rule; instead, the action for each class is determined
by the policy to which the policy ACL is applied. All policy ACLs are defined within a context.
The following subsections describe policy ACLs:
Policy ACL Applications
Dynamic Policy ACLs
Overview
12-4 IP Services and Security Configuration Guide
Policy ACL Statements
Policy ACL Packet Filtering
Policy ACL Applications
You can apply a policy ACL to class-based forwarding, Network Address Translation (NAT), or quality of
service (QoS) policies to filter packets. When applied to a class-based policy, a policy ACL allows different
actions to be applied to different classes of packets.
For information about forward policies, see Chapter 14, Forward Policy Configuration. For information
about NAT policies, see Chapter 13, NAT Policy Configuration. For information about QoS policing and
metering policies, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Dynamic Policy ACLs
Dynamic policy ACLs allow a class-based policy to be governed by a policy ACL that is downloaded from
a RADIUS server. A dynamic policy ACL consists of a set of classification rules, each of which is
contained in a Redback vendor-specific attribute (VSA) 164 instance. All rules in all dynamic policy
ACLs are downloaded in a single RADIUS message. You do not apply a dynamic policy ACL to a
class-based policy; instead, the SmartEdge OS applies the dynamic policy ACL from the VSA 164
instance. Class-based policies configured with dynamic ACLs are referred to as RADIUS-guided policies.
Traditional policy ACLs and class-based policies are referred to as static policy ACLs and static policies,
respectively.
Policy ACL Statements
A policy ACL uses permit statements to define how packets are assigned to classes. A packet that does not
match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until
the end of the policy ACL is reached; at which point, the packet is assigned to the default class.
You can use the optional seq seq-num construct with any permit statement to establish a sequence number
for the statement. If you do not use the seq seq-num construct, the system automatically assigns sequence
numbers to the statements that you enter, in increments of 10. The first statement you enter is assigned the
sequence number of 10, the second is assigned the number 20, and so on. This allows room to assign
intermediate sequence numbers to statements that you might want to add later. The assigned sequence
numbers for the various statements are displayed in the output of the show configuration acl, show
configuration policy, and show policy access-list commands.
If manually assigned sequence numbers leave no room for insertion of additional entries in the policy ACL,
you can use the resequence policy access-list command (in context configuration mode) to reassign the
sequence numbers so they are in increments of 10. The no seq seq-num construct removes an individual
statement from the policy ACL.
Policy ACL Packet Filtering
Statement criteria for filtering includes all Internet protocols, which can be specified by the protocol
numbers established in RFC 1700, Assigned Numbers. A subset of these options can also be specified by
keyword. Based on classification, a class-based policy defines the type of action to be performed on the
packets in a particular class. All packets that match the criteria can be counted by the statement if you
enable the count when you apply a policy ACL. By default, the counting of packets is disabled because this
function has an impact on system performance. Redback recommends that you enable counting only when
required for diagnostic purposes.
Configuration Tasks
To configure ACLs, perform the tasks described in the following sections:
Configuration Guidelines
Configure an IP ACL
Apply an IP ACL
Enable ACL Counters or Logging for a Subscriber
Modify IP ACL Conditions in Real Time
Configure a Policy ACL
Apply a Policy ACL
Modify Policy ACL Conditions in Real Time
Configuration Guidelines
Guidelines for configuring IP and policy ACLs are described in the following sections:
Static IP and Policy ACL Guidelines
IP ACL Guidelines
Policy ACL Guidelines
Guidelines for RADIUS-Guided Policies
VSA 164 Guidelines for Dynamic Policy ACLs
Static IP and Policy ACL Guidelines
The following guidelines apply to the configuration of static IP and policy ACLs:
The optional construct, seq seq-num, for permit and deny commands, allows you to assign a sequence
number to a particular statement, affecting where it is located within a series of statements in an ACL.
If you do not use this construct, the SmartEdge OS automatically assigns sequence numbers in
increments of 10. The first statement you enter is assigned the sequence number of 10, the second is
assigned the number 20, and so on.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
You cannot modify static IP ACL and policy ACL statements that do not reference time range
conditions in real time unless you modify or remove the statements themselves, because the actions
(permit or deny) and the resulting class names are constant. However, you can modify statements that
reference time-range conditions, because their actions or the resulting class names depend on the
current date and time as defined in the corresponding condition statement.
ACL conditions redefine the rule's action or the rule's class name based on specified date and time
ranges. You can configure any combination of up to seven absolute (one specific time interval) or
periodic (recurring time interval) statements in an ACL condition. When an IP ACL rule or a policy
ACL rule references an ACL condition, the rule's action (permit/deny) or the rule's class name is
determined by the action and the class name defined in the condition.
ACL conditions are configured with individual IDs to make them unique. The cond-id argument used
with the condition command must match the condition ID specified in the ACL rule.
An IP or policy ACL can contain multiple entries; the order is significant. Each entry is processed in
the order it appears in the configuration file. As soon as an entry matches, the corresponding action is
taken and no further processing takes place.
IP ACL Guidelines
The following filtering rules apply to IP ACLs:
Each IP ACL has an implicit deny any any statement at the end. If a packet does not match any explicit
filter statement in the list, it is dropped. Unlike the explicit statements in the ACL, this implicit final
statement is not displayed in the output of the show configuration acl or show ip access-list command
(in any mode).
You apply IP ACLs to interfaces, subscriber records, and contexts. Administrative access control is
context-specific. To ensure that all inbound packets are filtered before being delivered to the kernel, you
must apply an IP ACL to each and every configured context.
If you apply an IP ACL to a multibind interface, it does not affect the IP traffic on the subscriber
sessions that are bound to that interface; the ACL is applied only to the IP traffic on circuits that are
statically bound to the interface using the bind interface command (in the circuits configuration
mode).
If a nonexistent IP ACL is applied to an interface, all packets are forwarded with no filtering.
If a nonexistent IP ACL is applied to a subscriber record, the subscriber session will not come up; this
restriction also applies if a nonexistent ACL is applied to a Remote Authentication Dial-In User Service
(RADIUS) attribute.
Policy ACL Guidelines
The following rules apply to static and dynamic policy ACLs:
If a packet does not match any classifying rule, it is considered to belong to the default class.
If a nonexistent policy ACL is applied to a forward policy, NAT policy, a QoS metering policy, or a QoS
policing policy, it is ignored and packets are forwarded according to a policy action with no
classification.
Guidelines for RADIUS-Guided Policies
Configuration guidelines for RADIUS-guided policies include:
You can configure any class-based policy to allow a dynamic policy ACL to govern it. Class-based
policies include forward, NAT, and QoS policies.
Dynamic policy ACLs are not supported for NAT policies in the outgoing direction.
You cannot change the type of a class-based policy from static to RADIUS-guided or from
RADIUS-guided to static; you must delete the policy and recreate it.
You can configure a class-based policy with a static policy ACL in addition to allowing a dynamic
policy ACL, but the static policy ACL takes precedence. That is, the dynamic policy ACL classifies
only those packets that are not already classified by the static policy ACL.
You can apply any combination of static and dynamic policy ACLs to a RADIUS-guided policy.
You cannot apply a dynamic policy ACL to a static class-based policy.
RADIUS-guided policies can be attached only to subscriber profiles (named and default) and records.
You do not attach a RADIUS-guided policy with a dynamic policy ACL; instead, it is attached by the
SmartEdge OS.
A RADIUS-guided policy must exist before the SmartEdge OS can apply a dynamic policy ACL to it.
If you add a class to an existing RADIUS-guided policy and that class is governed by a dynamic policy
ACL, then that class is immediately active on all circuits to which the RADIUS-guided policy is
attached. If the class is not included in the dynamic policy ACL, it is dormant until the dynamic policy
ACL is changed to include the class.
If you delete a class from an existing RADIUS-guided policy, the change takes effect immediately on
all circuits to which the policy is attached. If you delete a dormant class, traffic is unaffected.
You can delete all classes from a RADIUS-guided policy that is already attached to subscriber circuits.
You can modify class parameters in a RADIUS-guided policy at any time.
If you delete a RADIUS-guided policy, it is removed from all subscriber circuits to which it was
attached. The subscriber circuits remain up, but the show subscribers command (in any mode) with the
active keyword might not display current information.
VSA 164 Guidelines for Dynamic Policy ACLs
The following guidelines govern the use of Redback VSAs for dynamic policy ACLs:
Dynamic policy ACLs are defined on a RADIUS server and downloaded using one or more instances
of VSA 164.
Each downloaded VSA 164 instance contains one classification rule.
A subscriber profile or record can contain multiple VSA 164 instances.
All VSA 164 instances that have the same service (forward, NAT, or QoS) and the same direction are
considered to be rules of a dynamic policy ACL for that service.
The rules in a dynamic policy ACL are sequenced by the order in which VSA 164 instances appear in
a subscriber record.
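The precedence rules for RADIUS-guided policies and the VSA 164 guidelines above, as an added Python model (example code written for this page, not SmartEdge OS code and not the real VSA 164 encoding). It groups constructed VSA 164 instances into one dynamic policy ACL per service and direction in record order, tries the static policy ACL first so the dynamic one only sees what is left unclassified, falls back to the default class, and reports which configured classes are dormant because no rule names them. Class and function names, the source-prefix rule shape, and the decision to skip a rule that names a class the policy does not define are this example's own assumptions.

```python
"""Added example: classification order for a RADIUS-guided class-based policy."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class ClassRule:
    """One classification rule: protocol, source prefix and the class it assigns."""
    proto: str          # "ip" matches any protocol
    src: str            # prefix in CIDR notation, e.g. "10.0.0.0/8"
    class_name: str

    def matches(self, proto: str, src_ip: str) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.IPv4Address(src_ip) in ipaddress.ip_network(self.src))


@dataclass(frozen=True)
class Vsa164:
    """Constructed stand-in for one downloaded VSA 164 instance (one rule each)."""
    service: str        # "forward", "nat" or "qos"
    direction: str      # "in" or "out"
    rule: ClassRule


def dynamic_policy_acl(vsas: List[Vsa164], service: str, direction: str) -> List[ClassRule]:
    """All VSA 164 instances with the same service and direction form one dynamic
    policy ACL; the rules keep the order of the instances in the subscriber record."""
    return [v.rule for v in vsas if v.service == service and v.direction == direction]


@dataclass
class RadiusGuidedPolicy:
    name: str
    service: str
    direction: str
    classes: Set[str]                                  # classes configured on the policy
    static_acl: List[ClassRule] = field(default_factory=list)

    def classify(self, packet: Tuple[str, str], vsas: List[Vsa164]) -> str:
        """Return the class for (protocol, source IP); 'default' when nothing matches."""
        proto, src_ip = packet
        dynamic_acl = dynamic_policy_acl(vsas, self.service, self.direction)
        # The static policy ACL takes precedence; the dynamic policy ACL only
        # sees packets the static one left unclassified.
        for rule in self.static_acl + dynamic_acl:
            # Assumption: a rule naming a class this policy does not define is skipped.
            if rule.matches(proto, src_ip) and rule.class_name in self.classes:
                return rule.class_name
        return "default"

    def dormant_classes(self, vsas: List[Vsa164]) -> List[str]:
        """Configured classes that no static or dynamic rule references; they stay
        dormant until the dynamic policy ACL changes to include them."""
        dynamic_acl = dynamic_policy_acl(vsas, self.service, self.direction)
        referenced = {r.class_name for r in self.static_acl + dynamic_acl}
        return sorted(self.classes - referenced)
```

The point to take from running it: a dynamic rule that would match a TCP packet from 10.0.0.0/8 never fires when a static rule already classifies that traffic, and instances for another service or direction (a forward rule, a qos out rule) are never part of the qos in dynamic ACL, even though they arrive in the same RADIUS message.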
Configure an IP ACL
To configure an IP ACL, perform the tasks described in Table 12-1; enter all commands in access control
list configuration mode, unless otherwise noted.
Table 12-1 Configure an IP ACL
# | Task | Root Command | Notes
1. | Create or select an ACL and enter access control list configuration mode. | ip access-list | Enter this command in context configuration mode.
2. | Optional. Associate a description with an IP ACL. | description |
3. | Optional. Create ACL statements using either or both of the following tasks: | |
4. | Create an ACL statement using permit conditions. | permit | There is an implicit deny any any statement at the end of any permit statement.
5. | Create an ACL statement using deny conditions. | deny |
6. | Optional. Create an ACL condition using a unique ID and access ACL condition configuration mode. | condition | Enter the following commands in ACL condition configuration mode.
7. | Optional. Configure absolute time condition statements. | absolute | An absolute time ACL statement redefines an ACL rule's action for only one specific time interval.
8. | Optional. Configure periodic time condition statements. | periodic | A periodic time ACL statement redefines the ACL rule action for a recurring time interval.
9. | Optional. Resequence statements in an IP ACL. | resequence ip access-list | Enter this command in context configuration mode.
Apply an IP ACL
To apply an IP ACL to packets associated with a context, an interface, or a subscriber record, named profile,
or default profile, perform the appropriate task described in Table 12-2.
Note For more information about Redback VSAs, see the Redback VSAs section in Chapter A,
RADIUS Attributes.
Table 12-2 Apply an IP ACL
Task | Root Command | Notes
Apply an IP ACL to an interface or to a subscriber record, named profile, or default profile. | ip access-group | Enter this command in either interface or subscriber configuration mode.
Apply an IP ACL to a context. | admin-access-group | Enter this command in context configuration mode.
Enable ACL Counters or Logging for a Subscriber
To enable ACL counters or logging for a subscriber through the subscriber record, the default subscriber
profile, or a named subscriber profile, perform the task described in Table 12-3.
Table 12-3 Enable ACL Counters or Logging for a Subscriber
Task | Root Command | Notes
Enable ACL counters or logging for a subscriber record, the default subscriber profile, or a named subscriber profile. | access-list | Enter this command in subscriber configuration mode.
Modify IP ACL Conditions in Real Time
To modify the action for an IP ACL condition, in real time, without requiring the reconfiguration of the
ACL condition statements, perform the task described in Table 12-4.
Table 12-4 Modify IP ACL Condition Actions in Real Time
Task | Root Command | Notes
Modify the action for a condition referenced by an IP ACL. | modify ip access-list | Enter this command in exec mode.
Configure a Policy ACL
To configure a static policy ACL, perform the tasks described in Table 12-5; enter all commands in access
control list configuration mode, unless otherwise noted.
Table 12-5 Configure a Policy ACL
# | Task | Root Command | Notes
1. | Create or select a policy ACL and enter access control list configuration mode. | policy access-list | Enter this command in context configuration mode.
2. | Optional. Associate a description with a policy ACL. | description |
3. | Optional. Create policy ACL statements to allow packets that meet the specified criteria. | permit | Enter this command multiple times to specify multiple classes.
4. | Optional. Create a policy ACL condition using a unique ID and access ACL condition configuration mode. | condition | Enter the following commands in ACL condition configuration mode. You can create up to seven conditions in a policy ACL.
5. | Optional. Configure absolute time condition statements. | absolute | An absolute time ACL condition statement applies an ACL rule for only one specific time interval.
6. | Optional. Configure periodic time condition statements. | periodic | A periodic time ACL statement applies an ACL rule for a recurring time interval.
7. | Optional. Resequence statements in a policy ACL. | resequence policy access-list | Enter this command in context configuration mode.
Apply a Policy ACL
To apply a policy ACL to packets associated with a forward policy, a NAT policy, or a QoS metering or
policing policy, and complete the configuration of the policy, perform the tasks described in Chapter 13,
Forward Policy Configuration, Chapter 12, NAT Policy Configuration, and Chapter 15, QoS Rate-
and Class-Limiting Configuration, respectively.
Modify Policy ACL Conditions in Real Time
To modify the class name for a policy ACL condition, in real time, without requiring the reconfiguration
of the ACL condition statements, perform the task described in Table 12-6.
Table 12-6 Modify Policy ACL Condition Actions in Real Time
Task | Root Command | Notes
Modify the action for a class name referenced by a policy ACL. | modify policy access-list | Enter this command in exec mode.
Configuration Examples
This section provides ACL configuration examples as described in the following subsections:
Configure an ACL Statement
Add an ACL Statement
Resequence ACL Statements
Configure an Absolute Time Condition Statement
Configure a Periodic Time Condition Statement
Configure an IP ACL
Configure a Policy ACL Associated with a Forward Policy
Configure a Policy ACL Associated with a NAT Policy
Configure a Policy ACL Associated with a QoS Policing Policy
Configure an ACL Statement
The following example configures a policy ACL to prioritize web and voice-over-IP (VOIP) traffic:
[local]Redback(config-ctx)#policy access-list QoSACL-1
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
The following example uses a policy ACL to define classes of traffic to be mirrored:
[local]Redback(config-ctx)#policy access-list PBR_ACL
[local]Redback(config-access-list)#seq 10 permit tcp any eq www any class WEB
[local]Redback(config-access-list)#seq 20 permit tcp any any eq www class WEB
[local]Redback(config-access-list)#seq 30 permit udp any class UDP
[local]Redback(config-access-list)#seq 40 permit ip any class IP
The following example specifies that all IP traffic to destination host 10.25.1.1 is to be denied, and all
other traffic on subnet 10.25.1/24 is to be permitted:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#deny ip any host 10.25.1.1
[local]Redback(config-access-list)#permit ip any 10.25.1.0 0.0.0.255
Add an ACL Statement
The following example shows how to use the seq keyword to modify the existing tc1 ACL, adding a
statement between the statements with sequence numbers 20 and 30:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip access-list tc1
[local]Redback(config-access-list)#seq 25 deny tcp 10.10.10.4 0.0.0.0 any eq 80
The output of the show configuration acl command now includes the new statement, with sequence
number 25:
!
ip access-list tc1
  description This is a sample access control list
  seq 10 deny ip host 10.10.10.2 host 10.10.20.2
  seq 20 deny tcp host 10.10.10.3 any eq www
  seq 25 deny tcp host 10.10.10.4 any eq www
  seq 30 deny udp host 10.10.10.3 any
  seq 40 deny ip host 10.10.10.4 any
  seq 50 deny ip host 10.10.10.5 any
  seq 60 permit ip any any
Resequence ACL Statements
The following example displays the current sequencing of an IP ACL:
[local]Redback#show configuration acl
Building configuration...
!
ip access-list tc1
  description This is a sample access control list
  seq 10 deny ip host 10.10.10.2 host 10.10.20.2
  seq 20 deny tcp host 10.10.10.5 any eq telnet
  seq 25 deny tcp host 10.10.10.4 any eq www
  seq 30 deny udp host 10.10.10.3 any
  seq 50 deny ip host 10.10.10.5 any
  seq 60 permit ip any any
The following example resequences the statements in the IP ACL to increments of 10 and displays the new
sequence of statements:
[local]Redback(config)#context local
[local]Redback(config-ctx)#resequence ip access-list tc1
[local]Redback#show configuration
Building configuration...
Current configuration:
context local
  ip access-list tc1
    description This is a sample access control list
    seq 10 deny ip host 10.10.10.2 host 10.10.20.2
    seq 20 deny tcp host 10.10.10.5 any eq telnet
    seq 30 deny tcp host 10.10.10.4 any eq www
    seq 40 deny udp host 10.10.10.3 any
    seq 50 deny ip host 10.10.10.5 any
    seq 60 permit ip any any
Configure an Absolute Time Condition Statement
The following example creates an absolute time ACL condition statement for ACL condition 342, which
is defined in the IP ACL, ip-acl-1. The absolute time ACL condition applies a deny action to all IP
ACL statements that reference the ACL condition for the time interval beginning on December 15, 2003 at
9:00 p.m. (21:00) and ending on the same day at 11:00 p.m (23:00):
[local]Redback(config-ctx)#ip access-list ip-acl-1
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end
2003:12:15:23:00 deny
Configure a Periodic Time Condition Statement
The following example creates a periodic ACL condition statement for the ACL condition 101, which is
referenced by the IP ACL, ip-acl-2, such that all packets traveling between 9 a.m. and 5 p.m. (9:00 to
17:00 in 24-hour format) on weekdays are permitted:
[local]Redback(config-ctx)#ip access-list ip-acl-2
[local]Redback(config-access-list)#condition 101 time-range
[local]Redback(config-acl-condition)#periodic weekdays 9:00 to 17:00 permit
The following example creates a periodic ACL condition statement for the ACL condition 342, which is
referenced by the policy ACL policy_acl_1, such that all packets traveling every weekday (Monday to
Friday) from 9:00 p.m. to 11:00 p.m (21:00 to 23:00 in 24-hour format) are permitted:
[local]Redback(config-ctx)#policy access-list policy_acl_1
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#periodic weekdays 21:00 to 23:00 permit
Configure an IP ACL
The following example creates an IP ACL, tc1, and applies the list to an interface, oc1:
[local]Redback(config-ctx)#ip access-list tc1
[local]Redback(config-access-list)#description This is a sample access control list
[local]Redback(config-access-list)#deny ip 10.10.10.2 0.0.0.0 10.10.20.2 0.0.0.0
[local]Redback(config-access-list)#deny tcp 10.10.10.3 0.0.0.0 any eq 80
[local]Redback(config-access-list)#deny udp 10.10.10.3 0.0.0.0 any
[local]Redback(config-access-list)#deny ip 10.10.10.4 0.0.0.0 any
[local]Redback(config-access-list)#deny ip 10.10.10.5 0.0.0.0 any
[local]Redback(config-access-list)#permit ip any any
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#interface oc1
[local]Redback(config-if)#ip access-group tc1 in log
Configure a Policy ACL Associated with a Forward Policy
The policy ACL and forward policy configuration is as follows:
[local]Redback(config-ctx)#policy access-list PBR_Drop_ACL
[local]Redback(config-access-list)#seq 10 permit icmp host 51.1.1.2 class ICMP
[local]Redback(config-access-list)#seq 20 permit pim any class PIM
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#forward policy DropPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Drop_ACL local
[local]Redback(config-policy-group)#class ICMP
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class PIM
[local]Redback(config-policy-group-class)#drop
The following configuration applies the forward policy to the incoming_traffic interface:
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface incoming_traffic local
[local]Redback(config-port)#forward policy DropPolicy in
[local]Redback(config-port)#exit
Configure a Policy ACL Associated with a NAT Policy
The following example creates a policy ACL and applies it to a NAT policy with dynamic translations in
which all packets except those classified as CLASS3 are ignored (that is, the NAT policy is not applied to
them). All source IP addresses for incoming packets classified as CLASS3 are translated using IP addresses
from the pool_dyn pool:
! Create the NAT pool
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 11.11.11.0/24
[local]Redback(config-nat-pool)#exit
! Create the policy ACL
[local]Redback(config-ctx)#policy access-list NAT-ACL
[local]Redback(config-access-list)#seq 10 permit ip 10.10.10.0 0.0.0.255 class CLASS3
[local]Redback(config-access-list)#exit
! Create the NAT policy and apply the policy ACL
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-nat-pool)#ignore
[local]Redback(config-nat-pool)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn local
Configure a Policy ACL Associated with a QoS Policing Policy
The following example applies the conditions set by the ACL qos created for any circuit to which the QoS
policing policy, class, is attached. Packets are classified into three classes: web, voice over IP (VOIP),
and default:
[local]Redback(config-ctx)#policy access-list qos
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy class policing
[local]Redback(config-policy-policing)#access-group qos local
[local]Redback(config-policy-group)#class web
[local]Redback(config-policy-group-class)#rate 5000 burst 1000
[local]Redback(config-policy-class-rate)#conform mark dscp AF11
[local]Redback(config-policy-class-rate)#exit
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp ef
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark dscp df
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#bind interface eth1 local
[local]Redback(config-port)#qos policy policing class
Web traffic that conforms to the traffic rate of 5000 kbps is marked with a Differentiated Services Code
Point (DSCP) value of AF11. Web traffic exceeding that rate is dropped by default. Packets classified as
VOIP are prioritized over both web and default traffic through the DSCP setting of ef, or expedited
forwarding. Packets classified as default are set to the DSCP value of df, or default.
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ACLs. The
commands are presented in alphabetical order:
absolute
access-group
access-list
admin-access-group
class
condition
deny
description
ip access-group
ip access-list
modify ip access-list
modify policy access-list
periodic
permit
policy access-list
resequence ip access-list
resequence policy access-list
absolute
absolute start yyyy:mm:dd:hh:mm end yyyy:mm:dd:hh:mm [:ss] {{permit | deny} | class class-name}
no absolute start yyyy:mm:dd:hh:mm end yyyy:mm:dd:hh:mm
Purpose
Creates an absolute time access control list (ACL) condition statement.
Command Mode
ACL condition configuration
Syntax Description
start yyyy:mm:dd:hh:mm [:ss] | Date and time to start the ACL condition. Arguments are defined as follows:
  yyyy: Year.
  mm: Month. The range of values is 1 to 12.
  dd: Day. The range of values is 1 to 31.
  hh: Hour in 24-hour format. The range of values is 0 to 23.
  mm: Minutes. The range of values is 0 to 59.
  ss: Seconds. Optional. The range of values is 0 to 60.
end yyyy:mm:dd:hh:mm [:ss] | Date and time to stop the ACL condition. Arguments are defined as follows:
  yyyy: Year.
  mm: Month. The range of values is 1 to 12.
  dd: Day. The range of values is 1 to 31.
  hh: Hour in 24-hour format. The range of values is 0 to 23.
  mm: Minutes. The range of values is 0 to 59.
  ss: Seconds. Optional. The range of values is 0 to 60.
permit | Applies a permit action to packets processed during the specified time range.
deny | Applies a deny action to packets processed during the specified time range. Used only with IP ACLs.
class class-name | Name of the class assigned to policy ACL statements that reference the ACL condition. Used only with policy ACLs.
Default
No ACL condition statements are configured.
Usage Guidelines
Use the absolute command to create an absolute time ACL condition statement that, when referenced in
an IP ACL statement, permits or denies packets, based on specific date and time ranges. Use this command
to create an absolute time ACL conditional statement that, when referenced in a policy ACL statement,
assigns a class name to packets.
Use the no form of this command to delete the absolute time ACL condition statement.
Examples
The following example creates an absolute time ACL condition statement for the ACL condition 500,
which is referenced in the policy ACL, policy-acl-forward. The absolute time ACL condition applies
the Bar003 class name to all policy ACL statements that reference the ACL condition during the time
interval beginning on December 15, 2003 at 9:00 p.m. (21:00) and ending on the same day at 11:00 p.m
(23:00):
[local]Redback(config-ctx)#policy access-list policy-acl-forward
[local]Redback(config-access-list)#condition 500 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end
2003:12:15:23:00 class Bar003
Related Commands
condition
deny
ip access-list
periodic
permit
policy access-list
access-group
access-group [acl-name] [ctx-name]
no access-group [acl-name] [ctx-name]
Purpose
Applies a policy access control list (ACL) to a class-based policy (forward policy, Network Address
Translation [NAT] policy, or quality of service [QoS] policy) and enters policy group configuration mode.
Command Mode
forward policy configuration
metering policy configuration
NAT policy configuration
policing policy configuration
Syntax Description
acl-name Optional. Name of the policy ACL created using the policy access-list command (in
context configuration mode); required to apply or remove a static policy ACL.
ctx-name Optional. Name of the context in which the policy ACL was created; required to apply
or remove a static policy ACL to or from a forward or QoS policy. For a NAT policy,
the context defaults to the context of the NAT policy.
Default
None
Usage Guidelines
Use the access-group command to apply a policy ACL to a class-based policy (forward policy, NAT policy,
or QoS policy) and enter policy group configuration mode.
If the class-based policy is Remote Authentication Dial-In User Service (RADIUS)-guided, the policy ACL
can be dynamic or static:
A dynamic policy ACL is one that the SmartEdge OS applies to the class-based policy using the rules
specified in an instance of vendor-specific attribute (VSA) 164 that has been downloaded from the
RADIUS server. In this case, use this command without specifying the name of the policy ACL.
A static policy ACL is one that you apply to the class-based policy. In this case, you must specify the
name of the policy ACL.
If you include the acl-name argument, you must also include the ctx-name argument when you apply a
static policy ACL to a forward policy or QoS policy. For a NAT policy, you need only enter the acl-name
argument; the context defaults to the context of the NAT policy.
You can apply a dynamic policy ACL in addition to a static policy ACL. However, the static policy ACL
takes precedence over the dynamic policy ACL.
Use the no form of this command to remove a static policy ACL from a specified policy.
To remove a policy ACL from a RADIUS-guided policy, you must delete the RADIUS-guided policy and
then recreate it.
Examples
The following example applies the myacl policy ACL to the GE-in QoS policing policy. The myacl ACL
has one class, voip, and packets in this class are marked with the Differentiated Service Code Point
(DSCP) code af13:
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl local
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp af13
The following example applies the forward policy, RedirectPolicy, as specified by the rules in the
policy ACL PBR_Redirect_ACL. The PBR_Redirect_ACL access group has one class, Web, and
packets in this class are redirected to the next hop in the route at IP address 100.1.1.0:
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Redirect_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#redirect destination next-hop 100.1.1.0
Note The names of the IP and policy ACLs in the output of the show access-group command (in
any mode) include a prefix: ADF for dynamic IP ACLs and DPF for dynamic policy ACLs.
Related Commands
class
conform mark dscp
policy access-list
access-list
access-list {count counter-type | log ip}
no access-list {count counter-type | log ip}
Purpose
Enables access control list (ACL) counters or logging for the default subscriber profile, this named
subscriber profile, or this named subscriber record.
Command Mode
subscriber configuration
Syntax Description
count counter-type ACL counter type, according to one of the following keywords:
ip Specifies IP ACL counters.
policy Specifies policy ACL counters.
log ip Enables logging of packets dropped by IP ACLs.
Default
ACL counters are not enabled for any subscriber records or profiles.
Usage Guidelines
Use the access-list command to enable ACL counters or logging for the default subscriber profile, this
named subscriber profile, or this named subscriber record.
Use the no form of this command to disable ACL counters for the default subscriber profile, this named
subscriber profile, or this named subscriber record.
Examples
The following example enables ACL IP counters for the default subscriber profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-list count ip
Related Commands
None
admin-access-group
admin-access-group acl-name1 acl-name2 acl-name3... in [count] [log]
no admin-access-group {"" | acl-name1 acl-name2 acl-name3...} in [count] [log]
Purpose
Applies access control to all inbound packets delivered to the kernel, regardless of the interface through
which packets are received.
Command Mode
context configuration
Syntax Description
acl-name Name of the IP ACL being applied. You can configure up to ten ACL names in one
administrative access group list. You must enclose multiple ACL names in quotation
marks and separate ACL names with one or more spaces.
Each IP ACL name can be up to 39 alphanumeric characters long. However, ensure that
the total number of characters for all ACL names referenced in the access group does not
exceed 255. If you want to use ten ACLs, create names that are 24 or fewer characters
long. A colon (:) is not allowed in ACL names.
in Specifies that the IP ACL is to be applied to incoming packets.
count Optional. Enables ACL packet counting.
log Optional. Enables ACL packet logging.
Default
No administrative access control is applied.
Usage Guidelines
Use the admin-access-group command to apply access control to all inbound packets delivered to the
kernel, regardless of the interface through which packets are received. This is referred to as administrative
access control and is used with IP ACLs only.
If you configure multiple ACLs in an IP access group, the SmartEdge OS applies the ACLs in the order
they appear within the access group to produce a specific filtering behavior. The SmartEdge OS appends
an implicit deny ip any any rule after all configured rules are applied.
Caution Risk of security breach. Administrative access control is context-specific. To ensure that all
inbound packets are filtered before being delivered to the kernel, you must apply an
administrative ACL to each and every context that is configured.
When you use the count keyword, the system keeps track of the number of packet matches that occur.
When you use the log keyword, the system keeps track of the number of packets that were denied as a result
of the ACL. Count and log information is displayed in the output of the show access-group command.
Use the no form of this command to remove the application of an ACL to traffic inbound to the kernel.
Enter empty quotation marks ("") to remove all associated ACL names. If you want to delete one or more
(but not all) ACLs, enter their names in quotation marks.
Examples
The following example applies the test_2 and filter_3 ACLs to inbound traffic for the local
context:
[local]Redback(config-ctx)#admin-access-group "test_2 filter_3" in count log
The following example removes all ACLs from the administrative access group for the local context:
[local]Redback(config-ctx)#no admin-access-group "" in count log
The following example removes the ACL ktraffic from the administrative access group for the local
context:
[local]Redback(config-ctx)#no admin-access-group ktraffic in
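Because administrative access control is context-specific, a configuration review should confirm that every context carries an admin-access-group, that the ACL names stay within the limits given above, and that count/log are only enabled where needed. The following Python audit is an added example, not Redback code; the configuration it reads is a constructed, simplified text form of the CLI shown in this guide (an unindented context line with its commands indented beneath it).

```python
"""Audit administrative ACL coverage across contexts (added example).

Constructed illustration, not Redback code. It reads a simplified text form of
the CLI shown in the guide (a 'context NAME' line, indented commands beneath
it) and reports the conditions the guide warns about: contexts with no
administrative access group, ACL name limits, and count/log being enabled."""
import shlex
from typing import Dict, List, Tuple

MAX_ACLS = 10        # at most ten ACL names in one administrative access group
MAX_NAME_LEN = 39    # each IP ACL name up to 39 alphanumeric characters
MAX_TOTAL_LEN = 255  # all ACL names referenced in the group, combined

# Constructed sample configuration; the 'fighter' context has no administrative ACL.
SAMPLE_CONFIG = """\
context local
 admin-access-group "test_2 filter_3" in count log
 interface topgun
  ip access-group "WebCacheACL SmartFilter" in
context fighter
 interface topgun
  ip access-group WebCacheACL in
context mgmt
 admin-access-group "mgmt:kernel" in
"""

Finding = Tuple[str, str]   # (context name, message)


def split_contexts(config: str) -> Dict[str, List[str]]:
    """Group the indented command lines under the context that contains them."""
    contexts: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("context "):          # unindented: starts a new context
            current = line.split(None, 1)[1]
            contexts.setdefault(current, [])
        elif current is not None:
            contexts[current].append(line)
    return contexts


def parse_admin_access_group(line: str) -> Tuple[List[str], List[str]]:
    """Return (acl_names, options) for an admin-access-group command line.
    ACL names precede the 'in' keyword; count/log follow it. A quoted list
    ("a b") holds several names, so each token is split again on spaces."""
    tokens = shlex.split(line)[1:]              # drop the command keyword itself
    if "in" not in tokens:
        raise ValueError(f"missing 'in' keyword: {line!r}")
    at = tokens.index("in")
    names = [n for tok in tokens[:at] for n in tok.split()]
    return names, tokens[at + 1:]


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for ctx, lines in split_contexts(config).items():
        groups = [ln for ln in lines if ln.startswith("admin-access-group ")]
        if not groups:
            # Administrative access control is context-specific: a context
            # without it delivers inbound packets to the kernel unfiltered.
            findings.append((ctx, "no administrative access group configured"))
            continue
        for group in groups:
            names, options = parse_admin_access_group(group)
            if len(names) > MAX_ACLS:
                findings.append((ctx, f"{len(names)} ACL names exceed the limit of {MAX_ACLS}"))
            if sum(len(n) for n in names) > MAX_TOTAL_LEN:
                findings.append((ctx, f"combined ACL name length exceeds {MAX_TOTAL_LEN}"))
            for name in names:
                if ":" in name:
                    findings.append((ctx, f"ACL name {name!r} contains a colon"))
                if len(name) > MAX_NAME_LEN:
                    findings.append((ctx, f"ACL name {name!r} is longer than {MAX_NAME_LEN} characters"))
            if "count" in options or "log" in options:
                findings.append((ctx, "count/log enabled: confirm it is still needed for diagnostics"))
    return findings


if __name__ == "__main__":
    for ctx, message in audit(SAMPLE_CONFIG):
        print(f"{ctx}: {message}")
```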
Caution Risk of system performance impact. By default, counting and logging of packets is disabled
because these functions have an impact on system performance. To reduce the risk, we
recommend that you only enable logging or counting when required for diagnostic purposes.
Related Commands
ip access-group
ip access-list
class
class class-name
no class class-name
Purpose
Creates a class in a class-based policy and accesses policy group class configuration mode.
Command Mode
policy group configuration
Syntax Description
class-name Class name for a class of traffic packets to which the policy applies an action.
Default
None
Usage Guidelines
Use the class command to create a class in a class-based policy and access policy group class configuration
mode. This command allows a forward policy, a Network Address Translation (NAT) policy, or a quality
of service (QoS) policy to apply a different action to different sets (classes) of packets that are defined in
the applied policy access control list (ACL).
If the class-name argument matches a class-name argument in a rule in the policy ACL, the class-based
policy processes packets of that type as specified by the class-based policy. If a rule for the class-name
argument is not specified in the policy ACL, the class-based policy considers the class to be dormant and
takes no action. If a rule for the class-name argument is specified in the ACL, but you do not include the
class in the policy (using this command), the SmartEdge OS considers those packets to be in the default
class.
Use the no form of this command to delete the specified class.
Examples
The following example applies the QoSACL-1 policy ACL to a QoS policing policy that prioritizes
incoming packets in the Web class using a Differentiated Service Code Point (DSCP) value of DF. For the
VOIP class, incoming traffic packets are prioritized with a DSCP value of AF11:
[local]Redback(config-policy-policing)#access-group QoSACL-1 local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#rate 6000 burst 3000
[local]Redback(config-policy-class-rate)#exceed mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark dscp AF11
The following example applies the PBR_ACL policy ACL to the MirrorPolicy forward policy, which
mirrors all traffic packets in the Web class to the mirror output destination, WebTraffic:
[local]Redback(config)#forward policy MirrorPolicy
[local]Redback(config-policy-frwd)#access-group PBR_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#mirror destination WebTraffic all
Related Commands
access-group
permit
policy access-list
condition
condition cond-id time-range
no condition cond-id
Purpose
Creates an access control list (ACL) condition and enters ACL condition configuration mode.
Command Mode
access control list configuration
Syntax Description
cond-id Condition ID in integer or IP address format. The ID range of values is 1 to
4294967295.
time-range Specifies a time range condition type.
Default
None
Usage Guidelines
Use the condition command to create an ACL condition, and to enter ACL condition configuration mode.
An ACL condition is comprised of up to seven ACL condition statements (using any combination of the
absolute and periodic commands in ACL condition configuration mode). When an ACL statement
references an ACL condition, the ACL condition statements apply those time-dependent rules to the
referencing IP ACL or policy ACL statement.
Use the no form of this command to delete an ACL condition.
Examples
The following example creates the time range condition identified as 342 for the IP ACL, protect, and
enters ACL condition configuration mode:
[local]Redback(config-ctx)#ip access-list protect
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#
The following example creates the time range condition identified as 10.1.2.3 for the policy ACL,
control, and enters ACL condition configuration mode:
[local]Redback(config-ctx)#policy access-list control
[local]Redback(config-access-list)#condition 10.1.2.3 time-range
[local]Redback(config-acl-condition)#
Related Commands
absolute
ip access-list
periodic
policy access-list
deny
[seq seq-num] deny [protocol] {src src-wildcard | any | host src} [cond port | range port end-port]
[dest dest-wildcard | any | host dest] [cond port | range port end-port] [length {cond length |
range length end-length}] [icmp-type icmp-type [icmp-code icmp-code]] [igmp-type igmp-type]
[dscp eq dscp-value] [established] [precedence prec-value] [tos tos-value] [condition cond-id]
no seq seq-num
Purpose
Creates an IP access control list (ACL) statement that denies packets that meet the specified criteria.
Command Mode
access control list configuration
Syntax Description
seq seq-num Optional. Sequence number for the statement. The range of values is 1 to
4,294,967,295.
protocol Optional. Number indicating a protocol as specified in RFC 1700, Assigned
Numbers. The range of values is 0 to 255 or one of the keywords listed in
Table 12-7.
src Source address to be included in the permit or deny criteria. An IP address in
the form A.B.C.D.
src-wildcard Indication of which bits in the src argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the src-wildcard argument mean that the corresponding bits in the
src argument must match; one-bits in the src-wildcard argument mean that the
corresponding bits in the src argument are ignored.
any Specifies a completely wildcard source or destination IP address indicating
that IP traffic to or from all IP addresses is to be included in the permit or
deny criteria. Identical to 0.0.0.0 255.255.255.255.
host src Address of a single-host source with no wildcard address bits. The
host source construct is identical to the src src-wildcard construct if the
wildcard address indicates that all bits should be matched (0.0.0.0).
cond Optional. Matching condition for the port or length argument, according to
one of the keywords listed in Table 12-8.
port Optional. TCP or UDP source or destination port. This argument is only
available if you specified TCP or UDP as the protocol. The range of values is
1 to 65,535 or one of the keywords listed in Table 12-9 and Table 12-10.
range port end-port Optional. Beginning and ending TCP or UDP source or destination ports that
define a range of port numbers. A packet's port must fall within the specified
range to match the criteria. This construct is only available if you specified
TCP or UDP as the protocol. The range of values is 1 to 65,535 or one of the
keywords listed in Table 12-9 and Table 12-10.
dest Optional. Destination address to be included in the permit or deny criteria. An
IP address in the form A.B.C.D.
dest-wildcard Indication of which bits in the dest argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the dest-wildcard argument mean that the corresponding bits in
the dest argument must match; one-bits in the dest-wildcard argument mean
that the corresponding bits in the dest argument are ignored.
host dest Address of a single-host destination with no wildcard address bits. The
host dest construct is identical to the dest dest-wildcard construct if the
wildcard address indicates that all bits should be matched (0.0.0.0).
length Optional. Indicates that packet length is to be used as a filter. The packet
length is the length of the network-layer packet, beginning with the IP header.
This is true irrespective of the specified protocol.
length Packet length. The range of values is 20 to 65,535.
range length end-length Packets that fall into the range of specified lengths. Each value (length and
end-length) can be from 20 to 65,535.
icmp-type icmp-type Optional. Type of ICMP packet to be matched. The range of values is 0 to 255
or one of the keywords listed in Table 12-11. This argument is only available
if you specify icmp for the protocol argument.
icmp-code icmp-code Optional if you use the icmp-type icmp-type construct. A particular ICMP
message code to be matched. The range of values is 0 to 255. This argument
is only accepted if you specified icmp for the protocol argument.
igmp-type igmp-type Optional. Type of IGMP packet to be matched. This argument is only
accepted if you specified igmp as the protocol argument. The range of values
is 0 to 15 or one of the keywords listed in Table 12-12.
dscp eq dscp-value Optional. The packet's Differentiated Services Code Point (DSCP) value must
be equal to the value specified in the dscp-value argument to match the criteria.
The range of values is 0 to 63 or one of the keywords listed in Table 12-13.
established Optional. Specifies that only established connections are to be matched. This
keyword is only available if you specify tcp for the protocol argument.
precedence prec-value Optional. Precedence value of packets to be considered a match. The range of
values is 0 to 7, 7 being the highest precedence, or one of the keywords listed
in Table 12-14.
tos tos-value Optional. Type of service (ToS) to be considered a match. The range of values
is 0 to 15 or one of the keywords listed in Table 12-15.
condition cond-id Optional. ACL condition ID in integer or IP address format. The ID range of
values is 1 to 4,294,967,295.
Default
None
Usage Guidelines
Use the deny command to create the IP ACL statement to deny packets that meet the specified criteria.
The cond port and cond length constructs are mutually exclusive with the range port end-port and
range length end-length constructs.
Use the no form of this command to delete the statement with the specified sequence number from the
ACL.
Table 12-7 lists the valid keyword substitutions for the protocol argument.
Table 12-7 Valid Keyword Substitutions for the protocol Argument
Keyword Definition
ahp Specifies Authentication Header Protocol.
esp Specifies Encapsulation Security Payload.
gre Specifies Generic Routing Encapsulation.
host Specifies host source address.
icmp Specifies Internet Control Message Protocol.
igmp Specifies Internet Group Management Protocol.
ip Specifies any IP protocol.
ipinip Specifies IP-in-IP tunneling.
ospf Specifies Open Shortest Path First.
pcp Specifies Payload Compression Protocol.
pim Specifies Protocol Independent Multicast.
tcp Specifies Transmission Control Protocol.
udp Specifies User Datagram Protocol.
Table 12-8 lists the valid keyword substitutions for the cond argument.
Table 12-8 Valid Keyword Substitutions for the cond Argument
Keyword Description
eq Specifies that values must be equal to those specified by the port or length argument.
gt Specifies that values must be greater than those specified by the port or length argument.
lt Specifies that values must be less than those specified by the port or length argument.
neq Specifies that values must not be equal to those specified by the port or length argument.
Table 12-9 lists the valid keyword substitutions for the port argument when it is used to specify a TCP port.
Table 12-9 Valid Keyword Substitutions for the port Argument (TCP Port)
Keyword Definition Corresponding Port Number
bgp Border Gateway Protocol (BGP) 179
chargen Character generator 19
cmd Remote commands (rcmd) 514
daytime Daytime 13
discard Discard 9
domain Domain Name System 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname Network interface card (NIC) hostname server 101
ident Identification protocol 113
irc Internet Relay Chat 194
klogin Kerberos login 543
kshell Kerberos Shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp Protocol Independent Multicast Auto-RP 496
pop2 Post Office Protocol Version 2 109
pop3 Post Office Protocol Version 3 110
shell Remote command shell 514
smtp Simple Mail Transport Protocol 25
ssh Secure Shell 22
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp UNIX-to-UNIX Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80
Table 12-10 lists the valid keyword substitutions for the port argument when it is used to specify a UDP
port.
Table 12-10 Valid Keyword Substitutions for the port Argument (UDP Port)
Keyword Definition Corresponding Port Number
biff Biff (Mail Notification, Comsat) 512
bootpc Bootstrap Protocol client 68
bootps Bootstrap Protocol server 67
discard Discard 9
dnsix DNSIX Security Protocol Auditing 195
domain Domain Name System 53
echo Echo 7
isakmp Internet Security Association and Key Management Protocol (ISAKMP) 500
mobile-ip Mobile IP Registration 434
nameserver IEN116 Name Service (obsolete) 42
netbios-dgm NetBIOS Datagram Service 138
netbios-ns NetBIOS Name Service 137
netbios-ss NetBIOS Session Service 139
ntp Network Time Protocol 123
pim-auto-rp Protocol Independent Multicast Auto-RP 496
rip Router Information Protocol (router, in.routed) 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who Service (rwho) 513
xdmcp X Display Manager Control Protocol 177
Table 12-11 lists the valid keyword substitutions for the icmp-type argument.
Table 12-11 Valid Keyword Substitutions for the icmp-type Argument
Keyword Description
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
general-parameter-problem General parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for ToS
host-tos-unreachable Host unreachable for ToS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirects
net-redirect Network redirect
net-tos-redirect Network redirect for ToS
net-tos-unreachable Network unreachable for ToS
net-unreachable Network unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisement
router-solicitation Router discovery solicitation
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceeded messages
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given type of service (ToS) value
traceroute Traceroute
ttl-exceeded TTL Exceeded
unreachable All unreachables
Table 12-12 lists the valid keyword substitutions for the igmp-type argument.
Table 12-12 Valid Keyword Substitutions for the igmp-type Argument
Keyword Description
dvmrp Specifies Distance-Vector Multicast Routing Protocol.
Host-query Specifies host query.
Host-report Specifies host report.
pim Specifies Protocol Independent Multicast.
Table 12-13 lists the valid keyword substitutions for the dscp-value argument.
Table 12-13 Valid Keyword Substitutions for the dscp-value Argument
Keyword Definition
af11 Assured Forwarding Class 1/Drop precedence 1
af12 Assured Forwarding Class 1/Drop precedence 2
af13 Assured Forwarding Class 1/Drop precedence 3
af21 Assured Forwarding Class 2/Drop precedence 1
af22 Assured Forwarding Class 2/Drop precedence 2
af23 Assured Forwarding Class 2/Drop precedence 3
af31 Assured Forwarding Class 3/Drop precedence 1
af32 Assured Forwarding Class 3/Drop precedence 2
af33 Assured Forwarding Class 3/Drop precedence 3
af41 Assured Forwarding Class 4/Drop precedence 1
af42 Assured Forwarding Class 4/Drop precedence 2
af43 Assured Forwarding Class 4/Drop precedence 3
cs0 Class Selector 0
cs1 Class Selector 1
cs2 Class Selector 2
cs3 Class Selector 3
cs4 Class Selector 4
cs5 Class Selector 5
cs6 Class Selector 6
cs7 Class Selector 7
df Default Forwarding (same as cs0)
ef Expedited Forwarding
Table 12-14 lists the valid keyword substitutions for the prec-value argument.
Table 12-14 Valid Keyword Substitutions for the prec-value Argument
Keyword Description
routine Specifies routine precedence (value=0).
priority Specifies priority precedence (value=1).
immediate Specifies immediate precedence (value=2).
flash Specifies flash precedence (value=3).
flash-override Specifies flash override precedence (value=4).
critical Specifies critical precedence (value=5).
internet Specifies internetwork control precedence (value=6).
network Specifies network control precedence (value=7).
Table 12-15 lists the valid keyword substitutions for the tos-value argument.
Table 12-15 Valid Keyword Substitutions for the tos-value Argument
Keyword Description
max-reliability Specifies maximum reliable ToS (value=2).
max-throughput Specifies maximum throughput ToS (value=4).
min-delay Specifies minimum delay ToS (value=8).
min-monetary-cost Specifies minimum monetary cost ToS (value=1).
normal Specifies normal ToS (value=0).
Examples
The following example specifies that all IP traffic to destination host, 10.25.1.1, is to be denied, and all
other traffic on subnet 10.25.1/24 is to be permitted:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#deny ip any host 10.25.1.1
[local]Redback(config-access-list)#permit ip any 10.25.1.0 0.0.0.255
Related Commands
ip access-group
ip access-list
permit
resequence ip access-list
description
description text
no description
Purpose
Associates a text description with an IP access control list (ACL) or a policy ACL.
Command Mode
access control list configuration
Syntax Description
text Alphanumeric text description to be associated with the ACL.
Default
No description is associated with the ACL.
Usage Guidelines
Use the description command to associate a text description with the ACL.
You can use a text description to notate what an ACL consists of or how it is to be used. Only one
description can be associated with a single ACL. To revise a description, create a new one, and the old one
is overwritten.
Use the no form of this command to remove the description from an ACL.
Examples
The following example creates a text description to be associated with the IP ACL, restricted:
[local]Redback(config-ctx)#ip access-list restricted
[local]Redback(config-access-list)#description private net
The following example creates a text description to be associated with the policy ACL, trafficin:
[local]Redback(config-ctx)#policy access-list trafficin
[local]Redback(config-access-list)#description inbound traffic web
Related Commands
ip access-list
policy access-list
ip access-group
ip access-group acl-name1 acl-name2 acl-name3... {in | out} [count] [log]
no ip access-group {"" | acl-name1 acl-name2 acl-name3...} {in | out} [count] [log]
Purpose
Applies from one to ten IP access control lists (ACL) to packets associated with an interface or subscriber.
Command Mode
interface configuration
subscriber configuration
Syntax Description
acl-name Name of the IP ACL to apply to the interface, which can be up to 39 alphanumeric
characters long. You can configure up to ten ACL names to one IP access-group list.
Enclose multiple ACL names within quotation marks and separate each ACL name with
one or more spaces.
To include ten ACLs in a single access group, however, you need to ensure that the total
number of characters for the ACL names does not exceed 255 for interface mode and 253
for subscriber mode (average of 24 characters per name). A colon (:) is not allowed in
ACL names.
in Specifies that the ACL is to be applied to incoming packets.
out Specifies that the ACL is to be applied to outgoing packets.
count Optional. Enables ACL packet counting. Not available in subscriber configuration mode.
log Optional. Enables ACL packet logging. Not available in subscriber configuration mode.
Default
No ACL is applied.
Usage Guidelines
Use the ip access-group command to apply an IP ACL to packets associated with an interface or subscriber,
restricting the flow of traffic through the SmartEdge router. If you configure multiple ACLs to an IP access
group, the SmartEdge OS combines the ACLs in order of appearance within the IP access group to produce
a specific filtering behavior. If you configure a dynamic filter ACL for a subscriber, the SmartEdge OS
applies the rules of the combined ACL and then the dynamic filter ACL. The SmartEdge OS appends an
implicit deny ip any any rule after all configured rules complete.
The SmartEdge router ignores conditional ACLs referenced in an access group.
When you use the count keyword, the system keeps track of the number of matches that occur. When you
use the log keyword, the system keeps track of the number of packets that were denied. By default, counting
and logging of packets is disabled.
To disable packet counting or logging, enter the ip access-group command again, omitting the count or
log keyword.
Use the no form of this command to remove an applied IP ACL from association with the interface. Enter
empty quotation marks ("") to remove all associated ACL names. If you want to delete one or more (but
not all) ACLs, enter their names in quotation marks.
Examples
The following example applies the IP ACLs, WebCacheACL and SmartFilter, to the interface,
topgun, and enables both packet counting and logging:
[local]Redback(config)#context fighter
[local]Redback(config-ctx)#interface topgun
[local]Redback(config-if)#ip access-group "WebCacheACL SmartFilter" in log count
The following example applies the ACLs, WebCacheACL and SmartFilter, to the subscriber, joe:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name joe
[local]Redback(config-sub)#ip access-group "WebCacheACL SmartFilter" out
Note Applying an ACL to an interface has no effect if the named ACL has not yet been defined.
All packets are permitted as if no restrictions were in place.
If an access group for an interface has multiple ACLs, some of the ACLs can be unconfigured;
however, any unconfigured ACLs have no (zero) rules. Only the configured ACLs in the
access group apply to traffic.
Caution Risk of performance loss. Enabling the count and log functions can affect system
performance. To reduce the risk, exercise caution when enabling these features on a
production system.
Related Commands
deny
ip access-list
permit
ip access-list
ip access-list acl-name [ssh-and-telnet-acl]
no ip access-list acl-name [ssh-and-telnet-acl]
Purpose
Configures an IP access control list (ACL) and enters access control list configuration mode.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL. Must be unique within the context.
ssh-and-telnet-acl Optional. Specifies that the ACL applies to Telnet and Secure Shell (SSH) traffic.
Default
None
Usage Guidelines
Use the ip access-list command to configure an IP ACL and enter access control list configuration mode,
where you can define statements using the permit and deny commands. All IP ACLs have an implicit
deny any any statement at the end.
When the IP ACL is created and its conditions have been set, you can apply the list to any of these entities:
An interface to restrict the flow of traffic through the SmartEdge router with the ip access-group
command (in interface configuration mode).
Local inbound traffic coming into the SmartEdge kernel with the admin-access-group command (in
context configuration mode).
Inbound SSH and Telnet traffic with the service command (in context configuration mode).
An interface enabled with reverse path forwarding (RPF) to allow packets that fail the RPF check but
match the ACL to pass through with the ip verify unicast source command (in interface configuration
mode).
A reference to an IP ACL that does not exist or does not contain any configured entries implicitly matches
and permits all packets.
Use the no form of this command to remove an ACL from the configuration.
Examples
The following example creates an IP ACL, WebCacheACL:
[local]Redback(config-ctx)#ip access-list WebCacheACL
[local]Redback(config-access-list)#
Related Commands
admin-access-group
deny
ip access-group
permit
modify ip access-list
modify ip access-list acl-name condition cond-id {permit | deny}
Purpose
Modifies, in real time, the action for the specified condition referenced by statements in the IP access
control list (ACL), without requiring reconfiguration of the IP ACL.
Command Mode
exec
Syntax Description
acl-name Name of the ACL to be modified.
condition cond-id ACL condition ID in integer or IP address format. The ID range of values is 1 to 4,294,967,295.
permit Applies a permit action.
deny Applies a deny action.
Default
None
Usage Guidelines
Use the modify ip access-list command to modify, in real time, the action for the specified condition
referenced by statements in the IP ACL, without requiring reconfiguration of the IP ACL.
For information about the condition and ip access-list commands in context configuration mode, see the
ACL Configuration Commands chapter in the IP Services and Security Command Reference for the
SmartEdge OS.
Note If the specified condition ID is already configured (using the condition command in access
control list configuration mode), the modify ip access-list command is ignored. If a condition
ID is configured using the condition command and the changes are saved, any condition ID
that may be currently applied using the modify ip access-list command at runtime is
immediately overwritten.
Examples
With the following configuration, using the modify ip access-list list_cond condition 200 deny command
changes the action of the ACL condition 200 in statement 20 in the IP ACL list_cond from permit
to deny. However, using the modify ip access-list list_cond condition 100 permit command does not
affect the deny action of the ACL condition 100 because it has already been configured:
[local]Redback(config-ctx)#ip access-list list_cond
[local]Redback(config-access-list)#condition 100 time-range
[local]Redback(config-acl-condition)#absolute start 2005:01:01:01:00 end 2006:01:01:01:01 permit
[local]Redback(config-acl-condition)#exit
[local]Redback(config-access-list)#seq 10 deny tcp any any eq 80 cond 100
[local]Redback(config-access-list)#seq 20 permit tcp any any eq 81 cond 200
Related Commands
modify policy access-list
modify policy access-list
modify policy access-list acl-name condition cond-id class class-name
Purpose
Modifies, in real time, the action for the specified condition referenced by statements in the policy access
control list (ACL), without requiring reconfiguration of the policy ACL.
Command Mode
exec
Syntax Description
acl-name Name of the ACL to be modified.
condition cond-id ACL condition ID in integer or IP address format. The ID range of values is 1 to 4,294,967,295.
class class-name Class name applied to statements in the policy ACL.
Default
None
Usage Guidelines
Use the modify policy access-list command to modify, in real time, the action for the specified condition
referenced by statements in the policy ACL, without requiring reconfiguration of the policy ACL.
Note If the specified condition ID is already configured (using the condition command in access
control list configuration mode), the modify policy access-list command is ignored. If a
condition ID is configured using the condition command and the changes are saved, any
condition ID that may be currently applied using the modify policy access-list command at
runtime is immediately overwritten.
Examples
With the following configuration, using the modify policy access-list list_cond condition 200 deny
command will change the action of the ACL condition, 200, in statement 20 in the IP ACL, list_cond,
from permit to deny. However, using the modify policy access-list list_cond condition 100 permit
command will not affect the deny action of the ACL condition, 100, because it has already been
configured:
[local]Redback(config-ctx)#policy access-list list_cond
[local]Redback(config-access-list)#condition 100 time-range
[local]Redback(config-acl-condition)#absolute start 2005:01:01:01:00 end 2006:01:01:01:01 permit
[local]Redback(config-acl-condition)#exit
[local]Redback(config-access-list)#seq 10 deny tcp any any eq 80 cond 100
[local]Redback(config-access-list)#seq 20 permit tcp any any eq 81 cond 200
Related Commands
condition
modify ip access-list
policy access-list
periodic
periodic day... hh:mm to hh:mm {{permit | deny} | class class-name}
no periodic day... hh:mm to hh:mm
Purpose
Creates a periodic time access control list (ACL) condition statement.
Command Mode
ACL condition configuration
Syntax Description
day... One or more days of the week in which the ACL condition is applied.
hh:mm Hour and minute, for each specified day of the week, to start the ACL condition.
to hh:mm Hour and minute, for each specified day of the week, to stop the ACL condition.
permit Applies permit action, during the specified time ranges, to all ACL statements that reference the ACL condition.
deny Applies deny action, during the specified time ranges, to all ACL statements that reference the ACL condition. Used only with IP ACLs.
class class-name Name of the class assigned to policy ACL statements that reference the ACL condition. Used only with policy ACLs.
Default
None
Usage Guidelines
Use the periodic command to create a periodic time ACL condition statement that permits or denies
packets, or assigns packets to a class, based on specific date and time ranges. A periodic time ACL
condition is referenced by either an IP ACL statement or a policy ACL statement.
Each ACL condition statement can include up to seven absolute or periodic time statements in any
combination.
Use the no form of this command to delete the periodic time ACL condition statement.
Command Descriptions
ACL Configuration 12-47
Examples
The following example creates a periodic ACL condition statement for the ACL condition, 55, which is
referenced by the policy ACL, policy_acl_2, such that the Bar003 class name is applied every
Wednesday from 9:00 p.m. to 11:00 p.m. (21:00 to 23:00 in 24-hour format) to packets assigned to the
Bar003 class:
[local]Redback(config-ctx)#policy access-list policy_acl_2
[local]Redback(config-access-list)#condition 55 time-range
[local]Redback(config-acl-condition)#periodic wednesday 21:00 to 23:00 class Bar003
Related Commands
absolute
condition
ip access-list
policy access-list
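As an added worked example (not code from this guide), the following Python model evaluates time-range ACL conditions built from absolute and periodic statements as written in the examples above, enforces the seven-statement limit, and applies the modify ip access-list rule that a runtime modify is ignored once the condition is configured and is overwritten when the configuration is saved. The class and function names, and the behaviour when no time window is active, are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Day keywords in datetime.weekday() order: 0 = monday ... 6 = sunday
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MAX_TIME_STATEMENTS = 7  # "up to seven absolute or periodic time statements"


def parse_stamp(stamp: str) -> datetime:
    """Parse the yyyy:mm:dd:hh:mm layout used by `absolute start ... end ...`."""
    return datetime.strptime(stamp, "%Y:%m:%d:%H:%M")


def when(text: str) -> datetime:
    """Helper for readable test times, e.g. when("2024-01-03 22:00")."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


@dataclass
class Periodic:
    days: List[str]   # one or more days of the week
    start: str        # hh:mm on each listed day
    end: str          # hh:mm on each listed day
    result: str       # "permit", "deny" or "class <name>"

    def active(self, at: datetime) -> bool:
        if DAYS[at.weekday()] not in self.days:
            return False
        # zero-padded hh:mm strings sort in the same order as the times they denote
        return self.start <= at.strftime("%H:%M") < self.end


@dataclass
class Absolute:
    start: datetime
    end: datetime
    result: str

    def active(self, at: datetime) -> bool:
        return self.start <= at <= self.end


def parse_time_statement(line: str):
    """Parse one `periodic ...` or `absolute ...` line as typed in the guide's examples."""
    tok = line.split()
    if tok[0] == "periodic":
        to = tok.index("to")
        return Periodic(tok[1:to - 1], tok[to - 1], tok[to + 1], " ".join(tok[to + 2:]))
    if tok[0] == "absolute" and tok[1] == "start" and tok[3] == "end":
        return Absolute(parse_stamp(tok[2]), parse_stamp(tok[4]), " ".join(tok[5:]))
    raise ValueError("unrecognised time statement: " + line)


@dataclass
class Condition:
    """One `condition <id> time-range` block plus its runtime `modify` state (names are this example's)."""
    cond_id: int
    statements: List = field(default_factory=list)  # configured with `condition` in config mode
    runtime_result: Optional[str] = None           # set with `modify ... condition ...` in exec mode

    def add(self, line: str) -> None:
        """Configure a time statement; saving the configuration overwrites any runtime modify."""
        if len(self.statements) >= MAX_TIME_STATEMENTS:
            raise ValueError("a condition holds at most seven time statements")
        self.statements.append(parse_time_statement(line))
        self.runtime_result = None

    def modify(self, action: str) -> bool:
        """`modify ip access-list ... condition <id> {permit|deny}`: ignored once configured."""
        if self.statements:
            return False
        self.runtime_result = action
        return True

    def result(self, at: datetime) -> Optional[str]:
        """Result the condition yields at `at`, or None when no statement applies
        (what happens outside every configured window is this model's assumption)."""
        for stmt in self.statements:
            if stmt.active(at):
                return stmt.result
        return self.runtime_result
```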
permit
[seq seq-num] permit [protocol] {src src-wildcard | any | host src} [{cond port | range port end-port}]
[max-sessions limit] [min-sessions limit] [dest dest-wildcard | any | host dest] [cond port |
range port end-port] [length {cond length | range length end-length}] [icmp-type icmp-type
[icmp-code icmp-code]] [igmp-type igmp-type] [dscp eq dscp-value] [established]
[precedence prec-value] [tos tos-value] [class class-name] [condition cond-id]
no seq seq-num
Purpose
Creates an IP or policy access control list (ACL) statement to allow packets that meet the specified criteria.
Command Mode
access control list configuration
Syntax Description
seq seq-num Optional. Sequence number for the statement. The range of values is
1 to 4,294,967,295.
protocol Optional. Number indicating a protocol as specified in RFC 1700, Assigned
Numbers. The range of values is 0 to 255 or one of the keywords listed in
Table 12-16.
src Source address to be included in the permit or deny criteria. An IP address in
the form A.B.C.D.
src-wildcard Indication of which bits in the source argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the src-wildcard argument mean that the corresponding bits in the
src argument must match; one-bits in the src-wildcard argument mean that the
corresponding bits in the src argument are ignored.
any Specifies a completely wildcarded source or destination IP address indicating
that IP traffic to or from all IP addresses is to be included in the permit or deny
criteria. Identical to 0.0.0.0 255.255.255.255.
host source Address of a single-host source with no wild-carded address bits. The
host source construct is identical to the src src-wildcard construct if the
wildcard address indicates that all bits should be matched (0.0.0.0).
cond Optional. Matching condition for the port or length argument, according to
one of the keywords listed in Table 12-17.
port Optional. Transmission Control Protocol (TCP) or User Datagram Protocol
(UDP) source or destination port. This argument is only available if you
specified TCP or UDP as the protocol. The range of values is 1 to 65,535 or
one of the keywords listed in Table 12-18 and Table 12-19.
range port end-port Optional. Beginning and ending TCP or UDP source or destination ports that
define a range of port numbers. A packet's port must fall within the specified
range to match the criteria. This construct is only available if you specified
TCP or UDP as the protocol. The range of values is 1 to 65,535 or one of the
keywords listed in Table 12-18 and Table 12-19.
max-sessions limit Optional. Maximum number of sessions allowed for the specified IP address
or IP subnet. This construct is only available for TCP. Use the ip access-list
command with the ssh-and-telnet-acl keyword to apply an IP ACL to packets
associated with a Secure Shell (SSH) or Telnet server. The range of values
is 1 to 32.
min-sessions limit Optional. Minimum number of sessions allowed for the specified IP address
or IP subnet. This construct is only available if you specify TCP as the
protocol in this command and use the ip access-list command with the
ssh-and-telnet-acl keyword to apply an IP ACL to packets associated with an
SSH or Telnet server. The range of values is 0 to 32.
The sum of values specified for the min-sessions limit construct for all
specified IP addresses or IP subnets must not exceed 32.
The sum of values specified for the min-sessions limit construct for all
specified IP addresses or IP subnets must not exceed 32.
dest Optional. Destination address to be included in the permit or deny criteria. An
IP address in the form A.B.C.D.
dest-wildcard Indication of which bits in the dest argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the dest-wildcard argument mean that the corresponding bits in
the dest argument must match; one-bits in the dest-wildcard argument mean
that the corresponding bits in the dest argument are ignored.
length Optional. Indicates that packet length is to be used as a filter. The packet
length is the length of the network-layer packet, beginning with the IP header.
This is true irrespective of the specified protocol.
length Packet length. The range of values is 20 to 65,535.
range length end-length Packets that fall into the range of specified lengths. Each value (length and
end-length) can be from 20 to 65,535.
host dest Address of a single-host destination with no wildcarded address bits. The
host dest construct is identical to the dest dest-wildcard construct, if the
wildcard address indicates that all bits should be matched (0.0.0.0).
icmp-type icmp-type Optional. Type of Internet Control Message Protocol (ICMP) packet to be
matched. The range of values is 0 to 255 or one of the keywords listed in
Table 12-20. This argument is only available if you specify the ICMP
protocol.
icmp-code icmp-code Optional if you use the icmp-type icmp-type construct. A particular ICMP
message code to be matched. The range of values is 0 to 255. This argument is
only accepted if you specified icmp as the protocol argument.
igmp-type igmp-type Optional. Type of Internet Group Management Protocol (IGMP) packet to be
matched. This argument is only accepted if you specified igmp as the protocol
argument. The range of values is 0 to 15 or one of the keywords listed in
Table 12-21.
dscp eq dscp-value Optional. The packet's Differentiated Services Code Point (DSCP) value must be
equal to the value specified in the dscp-value argument to match the criteria.
The range of values is 0 to 63 or one of the keywords listed in Table 12-22.
established Optional. Specifies that only established connections are to be matched. This
keyword is only available if you specified tcp for the protocol argument.
precedence prec-value Optional. Precedence value of packets to be considered a match. The range of
values is 0 to 7, 7 being the highest precedence, or one of the keywords listed
in Table 12-23.
tos tos-value Optional. Type of service (ToS) to be considered a match. The range of values
is 0 to 15 or one of the keywords listed in Table 12-24.
class class-name Optional. Policy-based class name. Available for policy ACLs only.
condition cond-id Optional. ACL condition ID in integer or IP address format. The ID range of
values is 1 to 4,294,967,295.
Default
None
Usage Guidelines
Use the permit command to create the IP or policy ACL statement to allow packets that meet the specified
criteria.
The cond port and cond length constructs are mutually exclusive with the range port end-port and
range length end-length constructs.
You can use the optional max-sessions limit and min-sessions limit constructs to specify a maximum or
minimum number of simultaneous SSH or Telnet sessions allowed from an IP address or subnet. These
constructs are available if you use the service ssh server or service telnet server commands with the
access-group keyword to enable the SSH or Telnet protocol and apply the ACL. For statements where the
any keyword is specified for both source and destination, only the max-sessions limit construct applies.
If you specify a limit for both an IP address and the related subnet, the limit for the subnet takes precedence.
Similarly, a limit specified for a larger subnet takes precedence over limits specified for related smaller
subnets. From all sources combined, the SmartEdge OS supports up to 32 active Telnet and SSH sessions.
Use the no form of this command to delete the statement with the specified sequence number from the
ACL.
Note There is an implicit deny any any statement at the end of every ACL.
Table 12-16 lists the valid keyword substitutions for the protocol argument.
Table 12-16 Valid Keyword Substitutions for the protocol Argument
Keyword Definition
ahp Specifies Authentication Header Protocol.
esp Specifies Encapsulation Security Payload.
gre Specifies Generic Routing Encapsulation.
host Specifies host source address.
icmp Specifies Internet Control Message Protocol.
igmp Specifies Internet Group Management Protocol.
ip Specifies any IP protocol.
ipinip Specifies IP-in-IP tunneling.
ospf Specifies Open Shortest Path First.
pcp Specifies Payload Compression Protocol.
pim Specifies Protocol Independent Multicast.
tcp Specifies Transmission Control Protocol.
udp Specifies User Datagram Protocol.
Table 12-17 lists the valid keyword substitutions for the cond argument.
Table 12-17 Valid Keyword Substitutions for the cond Argument
Keyword Description
eq Specifies that values must be equal to those specified by the port or length argument.
gt Specifies that values must be greater than those specified by the port or length argument.
lt Specifies that values must be less than those specified by the port or length argument.
neq Specifies that values must not be equal to those specified by the port or length argument.
Table 12-18 lists the valid keyword substitutions for the port argument when it is used to specify a TCP
port.
Table 12-18 Valid Keyword Substitutions for the port Argument (TCP Port)
Keyword Definition Corresponding Port Number
bgp Border Gateway Protocol (BGP) 179
chargen Character generator 19
cmd Remote commands (rcmd) 514
daytime Daytime 13
discard Discard 9
domain Domain Name System 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname Network interface card (NIC) hostname server 101
ident Identification protocol 113
irc Internet Relay Chat 194
klogin Kerberos login 543
kshell Kerberos Shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp Protocol Independent Multicast Auto-RP 496
pop2 Post Office Protocol Version 2 109
pop3 Post Office Protocol Version 3 110
shell Remote command shell 514
smtp Simple Mail Transport Protocol 25
ssh Secure Shell 22
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp UNIX-to-UNIX Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80
Table 12-19 lists the valid keyword substitutions for the port argument when it is used to specify a UDP
port.
Table 12-19 Valid Keyword Substitutions for the port Argument (UDP Port)
Keyword Definition Corresponding Port Number
biff Biff (Mail Notification, Comsat) 512
bootpc Bootstrap Protocol client 68
bootps Bootstrap Protocol server 67
discard Discard 9
dnsix DNSIX Security Protocol Auditing 195
domain Domain Name System 53
echo Echo 7
isakmp Internet Security Association and Key Management Protocol (ISAKMP) 500
mobile-ip Mobile IP Registration 434
nameserver IEN116 Name Service (obsolete) 42
netbios-dgm NetBIOS Datagram Service 138
netbios-ns NetBIOS Name Service 137
netbios-ss NetBIOS Session Service 139
ntp Network Time Protocol 123
pim-auto-rp Protocol Independent Multicast Auto-RP 496
rip Router Information Protocol (router, in.routed) 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who Service (rwho) 513
xdmcp X Display Manager Control Protocol 177
Table 12-20 lists the valid keyword substitutions for the icmp-type argument.
Table 12-20 Valid Keyword Substitutions for the icmp-type Argument
Keyword Description
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
general-parameter-problem General parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for ToS
host-tos-unreachable Host unreachable for ToS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirects
net-redirect Network redirect
net-tos-redirect Network redirect for ToS
net-tos-unreachable Network unreachable for ToS
net-unreachable Network unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisement
router-solicitation Router discovery solicitation
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceeded messages
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given type of service (ToS) value
traceroute Traceroute
ttl-exceeded TTL Exceeded
unreachable All unreachables
Table 12-21 lists the valid keyword substitutions for the igmp-type argument.
Table 12-21 Valid Keyword Substitutions for the igmp-type Argument
Keyword Description
dvmrp Specifies Distance-Vector Multicast Routing Protocol.
Host-query Specifies host query.
Host-report Specifies host report.
pim Specifies Protocol Independent Multicast.
Table 12-22 lists the valid keyword substitutions for the dscp-value argument.
Table 12-22 Valid Keyword Substitutions for the dscp-value Argument
Keyword Definition
af11 Assured Forwarding Class 1/Drop precedence 1
af12 Assured Forwarding Class 1/Drop precedence 2
af13 Assured Forwarding Class 1/Drop precedence 3
af21 Assured Forwarding Class 2/Drop precedence 1
af22 Assured Forwarding Class 2/Drop precedence 2
af23 Assured Forwarding Class 2/Drop precedence 3
af31 Assured Forwarding Class 3/Drop precedence 1
af32 Assured Forwarding Class 3/Drop precedence 2
af33 Assured Forwarding Class 3/Drop precedence 3
af41 Assured Forwarding Class 4/Drop precedence 1
af42 Assured Forwarding Class 4/Drop precedence 2
af43 Assured Forwarding Class 4/Drop precedence 3
cs0 Class Selector 0
cs1 Class Selector 1
cs2 Class Selector 2
cs3 Class Selector 3
cs4 Class Selector 4
cs5 Class Selector 5
cs6 Class Selector 6
cs7 Class Selector 7
df Default Forwarding (same as cs0)
ef Expedited Forwarding
Table 12-23 lists the valid keyword substitutions for the prec-value argument.
Table 12-24 lists the valid keyword substitutions for the tos-value argument.
Examples
The following example specifies that all IP traffic from subnet 10.25/16 is to be allowed. All other traffic
is dropped because of the implicit deny any any statement at the end of the ACL:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#permit ip 10.25.0.0 0.0.255.255 any
The following example shows how to use the seq keyword to edit the existing qos-acl-1 ACL, adding
a statement using sequence number 25:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#policy access-list qos-acl-1
[local]Redback(config-access-list)#seq 25 permit tcp 10.10.10.4 0.0.0.0 any eq 80
Table 12-23 Valid Keyword Substitutions for the prec-value Argument
Keyword Description
routine Specifies routine precedence (value=0).
priority Specifies priority precedence (value=1).
immediate Specifies immediate precedence (value=2).
flash Specifies flash precedence (value=3).
flash-override Specifies flash override precedence (value=4).
critical Specifies critical precedence (value=5).
internet Specifies internetwork control precedence (value=6).
network Specifies network control precedence (value=7).
Table 12-24 Valid Keyword Substitutions for the tos-value Argument
Keyword Description
max-reliability Specifies maximum reliable ToS (value=2).
max-throughput Specifies maximum throughput ToS (value=4).
min-delay Specifies minimum delay ToS (value=8).
min-monetary-cost Specifies minimum monetary cost ToS (value=1).
normal Specifies normal ToS (value=0).
Related Commands
ip access-list
policy access-list
resequence ip access-list
resequence policy access-list
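The matching rules of the permit command described above (wildcard masks, eq/gt/lt/neq and range port conditions, evaluation in sequence order, the implicit deny any any, and the rule that an undefined or empty ACL permits everything) as an added Python example that is not code from this guide; the Statement and Packet names, the port-keyword subset and the numbering given to statements typed without seq are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Protocol keywords from Table 12-16 that this model understands (ip = any IP protocol)
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
# A few port keywords taken from Tables 12-18 and 12-19
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "bgp": 179, "ntp": 123}


@dataclass
class Statement:
    seq: int
    action: str                     # "permit" or "deny"
    proto: Optional[int]            # None matches any IP protocol
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str]
    sport: Optional[Tuple] = None   # None, (op, port) with op in eq/gt/lt/neq, or ("range", lo, hi)
    dport: Optional[Tuple] = None


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Zero bits of the wildcard must match, one bits are ignored (the guide's src-wildcard rule)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def port_match(port: int, cond: Optional[Tuple]) -> bool:
    if cond is None:
        return True
    if cond[0] == "range":
        return cond[1] <= port <= cond[2]
    op, n = cond
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n}[op]


def port_value(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_addr(tok: List[str], i: int):
    """Consume `any`, `host A.B.C.D` or `A.B.C.D wildcard`; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_port(tok: List[str], i: int):
    """Consume an optional `cond port` or `range port end-port` construct."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return (tok[i], port_value(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", port_value(tok[i + 1]), port_value(tok[i + 2])), i + 3
    return None, i


def parse_statement(line: str, default_seq: int) -> Statement:
    """Parse `[seq n] {permit|deny} [protocol] src ... dst ...`; trailing options such as
    `cond`, `class` or `established` are accepted but not modelled here."""
    tok = line.split()
    seq, i = default_seq, 0
    if tok[0] == "seq":
        seq, i = int(tok[1]), 2
    action, i = tok[i], i + 1
    proto = None
    if tok[i] in PROTO:
        proto, i = PROTO[tok[i]], i + 1
    src, i = parse_addr(tok, i)
    sport, i = parse_port(tok, i)
    dst, i = parse_addr(tok, i)
    dport, i = parse_port(tok, i)
    return Statement(seq, action, proto, src, dst, sport, dport)


def build_acl(lines: List[str]) -> List[Statement]:
    """Statements typed without `seq` get the next free multiple of 10 (this model's assumption)."""
    acl: List[Statement] = []
    for line in lines:
        next_seq = (max((s.seq for s in acl), default=0) // 10 + 1) * 10
        acl.append(parse_statement(line, next_seq))
    return acl


def matches(s: Statement, p: Packet) -> bool:
    return ((s.proto is None or s.proto == p.proto)
            and wildcard_match(p.src, *s.src) and wildcard_match(p.dst, *s.dst)
            and port_match(p.sport, s.sport) and port_match(p.dport, s.dport))


def evaluate(acl: Optional[List[Statement]], p: Packet) -> str:
    """An undefined or empty ACL implicitly permits everything; otherwise statements are
    tried in sequence order and the implicit `deny any any` catches the rest."""
    if not acl:
        return "permit"
    for s in sorted(acl, key=lambda s: s.seq):
        if matches(s, p):
            return s.action
    return "deny"
```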
policy access-list
policy access-list acl-name
no policy access-list acl-name
Purpose
Creates or selects a policy access control list (ACL) and enters access control list configuration mode.
Command Mode
context configuration
Syntax Description
acl-name Policy ACL name.
Default
None
Usage Guidelines
Use the policy access-list command to create or select a policy ACL and to enter access control list
configuration mode.
Use the no form of this command to remove the policy ACL.
Note If a forward policy, Network Address Translation (NAT) policy, or quality of service (QoS)
policy references a policy ACL that does not exist, the reference is ignored.
Examples
The following example creates a policy ACL to define Web and VOIP traffic types on a circuit, and uses
the policy ACL in a QoS metering policy, marking these packet types as DF and AF11, respectively. All
other traffic is marked as DF also:
[local]Redback(config-ctx)#policy access-list QoSACL-1
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy PolicingAndMarking policing
[local]Redback(config-policy-policing)#access-group QoSACL-1
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark dscp AF11
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 3/0
[local]Redback(config-port)#bind interface FromSubscriber local
[local]Redback(config-port)#qos policy policing PolicingAndMarking
Related Commands
forward policy
nat policy
permit
qos policy metering
qos policy policing
resequence policy access-list
resequence ip access-list
resequence ip access-list acl-name
Purpose
Reassigns sequence numbers to the entries in the specified IP access control list (ACL) to be in increments
of 10.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL to be resequenced.
Default
No resequencing is performed.
Usage Guidelines
Use the resequence ip access-list command to reassign sequence numbers to the entries in the specified IP
ACL to be in increments of 10. This command is useful if manually assigned sequence numbers have left
no room between entries for additional entries.
Examples
The following example resequences the statements in the ACL, fremont1:
[local]Redback(config-ctx)#resequence ip access-list fremont1
Related Commands
ip access-list
resequence policy access-list
resequence policy access-list acl-name
Purpose
Reassigns sequence numbers to the entries in the specified policy access control list (ACL) to be in
increments of 10.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL to be resequenced.
Default
No resequencing is performed.
Usage Guidelines
Use the resequence policy access-list command to reassign sequence numbers to the entries in the
specified policy ACL to be in increments of 10. This command is useful if manually assigned sequence
numbers have left no room between entries for additional entries.
Examples
The following example resequences the statements in the policy ACL, oakland2:
[local]Redback(config-ctx)#resequence policy access-list oakland2
Related Commands
policy access-list
Part 5
IP Service Policies
This part describes the tasks and commands used to configure Network Address Translation (NAT)
policies, forward policies, and service policies. It consists of the following chapters:
Chapter 13, NAT Policy Configuration
Chapter 14, Forward Policy Configuration
Chapter 15, Service Policy Configuration
NAT Policy Configuration 13-1
Chapter 13
NAT Policy Configuration
This chapter describes the tasks and commands used to configure SmartEdge

OS Network Address
Translation (NAT) policy features.
For information about the tasks and commands used to monitor, troubleshoot, and administer NAT policies,
see the NAT Policy Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
Through NAT, hosts using unregistered IP addresses on an internal, private network can connect to hosts
on the Internet, and conversely. NAT translates the private (not globally unique) addresses in the internal
network into public IP addresses before packets are forwarded onto another network. Network Address and
Port Translation (NAPT) translates a private network and its Transmission Control Protocol/User Datagram
Protocol (TCP/UDP) port on the internal network into a public address and its TCP/UDP ports. By using
port multiplexing, NAPT enables multiple hosts on a private network to simultaneously access remote
networks through a single IP address.
NAT policies can contain a combination of static and dynamic translation actions as well as drop and ignore
actions, and can be applied to all packets traveling across a circuit, or to a particular class of packets using
a policy access control list (ACL). The default NAT policy action is drop.
Figure 13-1 illustrates how NAT translates private source IP addresses to public addresses.
Note NAT policies are not supported for subscriber sessions that use the Layer 2 Tunneling
Protocol (L2TP) and that are terminated at the SmartEdge router when it is acting as an L2TP
network server (LNS). If you inadvertently apply a NAT policy to such a subscriber, the
session comes up because the policy has no effect on it.
Figure 13-1 NAT Process
The SmartEdge OS implementation of NAT supports traditional NAT. In a traditional NAT, sessions are
unidirectional, outbound from the private network. Sessions in the opposite direction may be allowed on
an exception basis, using static address maps for preselected hosts. It is assumed that NAT policies are
applied on private interfaces only because applying them on public interfaces would profoundly affect
performance.
The SmartEdge OS implementation of NAT is described in the following sections:
Static Translation
Dynamic Translation
Destination IP Address Translation
Policy ACLs
NAT DMZ
Session Limit Control
Summary
Static Translation
With static translation, the private source IP addresses and TCP or UDP ports and the NAT addresses and
the ports to which they are translated are fixed numbers.
Note NAT is also known as source NAT or SNAT.
Note In this chapter, the terms, incoming and outgoing, refer to the direction of the packets passing
through the interface. The terms, outbound and inbound, refer to the direction of the packet
flow from the private network to the public network, and from the public network to the
private network, respectively.
Dynamic Translation
With dynamic translation, the SmartEdge OS translates the private source IP addresses and TCP or UDP
ports to the NAT addresses and ports. At runtime, the SmartEdge OS selects the NAT addresses and ports
from a pool of global IP addresses (referred to as a NAT pool). With dynamic translation, you can also
modify the period after which translations time out.
NAPT also supports dynamic translation of subsets of TCP/UDP ports, referred to as port blocks. The port
number space of the TCP/UDP ports is divided into 16 port blocks, numbered 0 to 15; each port block
consists of 4,096 port numbers. Port block granularity allows the sharing of a single IP address between
NAT pools, and thus between NAT policies and traffic cards, with each pool having the IP address with a
unique subset of TCP/UDP port blocks assigned to it.
Policy ACLs
A policy ACL defines classes of packets using classification statements (rules). Each policy ACL supports
up to eight unique classes. You can classify a packet according to its IP precedence value, protocol number,
IP source and destination address, Internet Control Message Protocol (ICMP) attributes, Internet Group
Management Protocol (IGMP) attributes, TCP attributes, and UDP attributes.
When you include the destination, drop, ignore, pool, admission-control, and timeout commands (in
NAT policy configuration mode) in a NAT policy, the specified action is applied to all packets traveling
across the interface or subscriber circuit or, if an ACL is referenced, to packets that do not belong to the
classes specified by the ACL and by the NAT policy. These packets are referred to as belonging to the
default class.
When you include the destination, drop, ignore, pool, admission-control, and timeout commands (in
class configuration mode) in a policy ACL, the specified action is applied only to packets belonging to the
specified class.
To configure class-based actions for a circuit, you apply a policy ACL to a NAT policy, specify the action
for each class that you want the policy to take, and then attach the NAT policy to the circuit. For more
information about policy ACLs, see Chapter 12, ACL Configuration.
Note When just the IP address is translated, static NAT is referred to as basic static NAT. Static NAT
includes both basic static NAT and static NAPT.
Note Static translations require manual configuration of the static IP routes and the static IP ARP
entries for the NAT addresses.
Note When just the IP address is translated, dynamic NAT is referred to as basic dynamic NAT.
Dynamic NAT includes both basic dynamic NAT and dynamic NAPT.
Note The pool and timeout commands apply only to dynamic NAT. The admission-control and
destination commands apply only to dynamic NAPT.
Destination IP Address Translation
The SmartEdge OS allows you to configure a NAT policy or its class to use a specified destination IP
address instead of the original destination IP address. Using the destination command, you can configure
Destination NAT (DNAT) to redirect traffic destined for the original address to a different specified address.
On the return path, the source address of the incoming traffic is translated to the original destination address
of the outgoing packet, so the returning traffic appears to be sent from the original destination address.
You can enable DNAT with or without the SmartEdge OS having to perform NAT.
You can use DNAT both with and without NAT in the same configuration.
NAT DMZ
The SmartEdge OS also provides support for the demilitarized zone (DMZ) feature in NAT policies. You
can configure a DMZ rule in a NAT policy to translate traffic returning to the SmartEdge router that does
not satisfy any of the conditions for static or dynamic NAT that you have specified in that NAT policy. The
basic NAT specified by the DMZ rule changes the destination IP address of the packet to a fixed private IP
address of a DMZ host server without changing the TCP/UDP port number.
Three types of applications might require a DMZ host server:
You use your own tools to do extensive logging and analysis of the packets that would be dropped by
the NAT policy.
You do not know the exact TCP/UDP port numbers, or there are too many ports, that need to be opened
by static NAPT rules to allow access to applications.
You need a workaround for applications that do not work with NAPT, because they use protocols other
than UDP or TCP, or require IP packet fragmentation.
The following differences apply to a private network with a DMZ host server:
A DMZ rule in a NAT policy does not affect non-DMZ hosts on the internal network that use static or
dynamic NAPT, except that returning traffic for dynamic UDP sessions is now subject to source IP
address verification.
Non-DMZ hosts can use basic static or basic dynamic NAT, although such configurations might not
seem practical.
The DMZ host server cannot use basic static NAT, basic dynamic NAT, or dynamic NAPT, but can
still use static NAPT.
Session Limit Control
Session limit control allows you to set session limits independently for TCP, UDP, and ICMP sessions from
the subscriber to the network. The SmartEdge OS does not limit sessions from the network to the
subscriber.
The following restrictions apply to the NAT implementation of session limit control:
Session limit control is a modification of a NAT policy; it applies to any circuit that has that NAT policy
attached.
Session limit control is supported on Ethernet, Gigabit Ethernet, and ATM OC-3 traffic cards.
The SmartEdge OS applies the session limit at the IP level; it is available for LNS circuits, but not when
the SmartEdge router is configured as an L2TP access concentrator (LAC).
You can set a session limit to support up to 65,535 sessions on a circuit.
Summary
The order in which the conditions in a NAT policy are checked to determine the action for a packet is as
follows:
1. The conditions set by the policy static translations.
2. The conditions set by the policy ACL.
3. If the conditions in step 1 and step 2 are not satisfied, the action for the packet is determined by the
default class action, if the policy ACL exists, or by the NAT policy action.
For more information about NAT, see RFC 3022, Traditional IP Network Address Translator (NAT) and
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.
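The evaluation order just described (static translations first, then the policy ACL classes, then the default class or NAT policy action) and the 16-block port scheme of a NAT pool, as an added Python model that is not code from this guide or from the SmartEdge OS. It rebuilds the guide's "static and dynamic translations" example; the CLASS3 source prefix, the allocation strategy (first pool address, lowest free port) and the Packet fields are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, NamedTuple, Optional, Tuple

PORT_BLOCK_SIZE, PORT_BLOCKS = 4096, 16   # guide: 16 port blocks of 4,096 ports, numbered 0 to 15

def port_block_range(block: int) -> range:
    """Port numbers covered by one TCP/UDP port block."""
    if not 0 <= block < PORT_BLOCKS:
        raise ValueError("port block must be between 0 and 15")
    return range(block * PORT_BLOCK_SIZE, (block + 1) * PORT_BLOCK_SIZE)

# assumed packet fields: proto is "tcp", "udp" or "icmp"
Packet = NamedTuple("Packet", [("proto", str), ("src_ip", str), ("src_port", int)])

@dataclass
class NatPool:
    """'ip nat pool NAME [napt]' together with its 'address' entries."""
    name: str
    napt: bool = False
    addresses: List[Tuple[str, range]] = field(default_factory=list)
    next_port: Dict[str, int] = field(default_factory=dict)

    def address(self, prefix: str, start_block: Optional[int] = None,
                end_block: Optional[int] = None) -> None:
        net = IPv4Network(prefix, strict=False)
        if start_block is None:   # no port-block keyword: every port of every address
            hosts = [net.network_address] if net.prefixlen == 32 else list(net.hosts())
            self.addresses += [(str(h), range(1, 65536)) for h in hosts]
            return
        if net.prefixlen != 32:   # guide: port blocks require a /32 prefix length
            raise ValueError("port-block requires a /32 address")
        end_block = start_block if end_block is None else end_block
        if not 0 <= start_block <= end_block < PORT_BLOCKS:
            raise ValueError("port blocks must satisfy 0 <= start <= end <= 15")
        lo, hi = port_block_range(start_block).start, port_block_range(end_block).stop
        self.addresses.append((str(net.network_address), range(lo, hi)))

    def allocate(self) -> Tuple[str, Optional[int]]:
        """(nat_ip, nat_port); the port is None for a basic (non-NAPT) pool."""
        ip, ports = self.addresses[0]   # assumption: first address, lowest free port
        if not self.napt:
            return ip, None
        port = self.next_port.get(ip, ports.start)
        if port >= ports.stop:
            raise RuntimeError(f"pool {self.name}: port blocks of {ip} exhausted")
        self.next_port[ip] = port + 1
        return ip, port

@dataclass
class NatPolicy:
    """'nat policy NAME' with static entries, policy ACL rules and class actions."""
    name: str
    default_action: str = "drop"             # guide: the default NAT policy action is drop
    default_pool: Optional[NatPool] = None
    statics: List[tuple] = field(default_factory=list)
    acl_rules: List[Tuple[IPv4Network, str]] = field(default_factory=list)
    classes: Dict[str, Tuple[str, Optional[NatPool]]] = field(default_factory=dict)

    def ip_static_in(self, priv_ip: str, nat_ip: str, proto: Optional[str] = None,
                     priv_port: Optional[int] = None, nat_port: Optional[int] = None) -> None:
        self.statics.append((proto, priv_ip, priv_port, nat_ip, nat_port))

    def acl_permit(self, source_prefix: str, class_name: str) -> None:
        # one 'seq N permit ip PREFIX WILDCARD class NAME' rule of the policy ACL
        self.acl_rules.append((IPv4Network(source_prefix, strict=False), class_name))

    def apply(self, pkt: Packet) -> Tuple[str, Optional[str], Optional[int]]:
        """(action, translated source ip, translated source port) for one outbound packet."""
        # 1. static translations are checked first
        for proto, priv_ip, priv_port, nat_ip, nat_port in self.statics:
            if pkt.src_ip == priv_ip and proto is None:                 # basic static NAT
                return "static", nat_ip, pkt.src_port
            if pkt.src_ip == priv_ip and (proto, priv_port) == (pkt.proto, pkt.src_port):
                return "static", nat_ip, nat_port                       # static NAPT
        # 2. then the policy ACL: the first matching rule names the class
        action, pool = self.default_action, self.default_pool
        cls = next((c for net, c in self.acl_rules if IPv4Address(pkt.src_ip) in net), None)
        if cls in self.classes:
            action, pool = self.classes[cls]
        # 3. otherwise the default class action (or the NAT policy action)
        if action == "drop":
            return "drop", None, None
        if action == "ignore":
            return "ignore", pkt.src_ip, pkt.src_port
        nat_ip, nat_port = pool.allocate()
        return "pool", nat_ip, pkt.src_port if nat_port is None else nat_port

def build_example_policy() -> NatPolicy:
    """The guide's 'static and dynamic translations' example; the CLASS3 prefix is assumed."""
    pool_dyn = NatPool("pool_dyn")
    pool_dyn.address("100.1.2.0/24")
    pool_napt = NatPool("pool_dyn_napt", napt=True)
    pool_napt.address("100.1.1.2/32", start_block=1)
    policy = NatPolicy("pol1", default_action="pool", default_pool=pool_dyn)
    policy.acl_permit("10.10.10.0/24", "CLASS3")   # constructed: NAT-ACL is not shown there
    policy.classes["CLASS3"] = ("pool", pool_napt)
    policy.ip_static_in("10.1.1.2", "100.1.1.2", proto="tcp", priv_port=80, nat_port=8080)
    policy.ip_static_in("10.1.1.3", "100.1.1.3")
    return policy
```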
Configuration Tasks
Note In this chapter, the terms, session and connection, refer to a request to establish a connection
between a subscriber port (that is, an IP address and port tuple) and a host port (represented
by an IP address and port tuple). These requests can be initiated from a subscriber or from a
host, but you can only enable the SmartEdge OS to limit the requests initiated by the
subscriber or initiated on another system, sent to the subscriber, and accepted by that
subscriber.
When multiple sessions are initiated from the same IP address and port number on the
subscriber side, they are counted as a single connection by the SmartEdge OS.
Note The sum of the configured session limit control numbers for a traffic card can exceed the
maximum number of sessions (approximately one million) allowed by the amount of memory
on the traffic card. In that case, some circuits might be unable to reach their configured
maximum session limit.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
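The session counting rules in the notes above (a limit per circuit and per protocol, enforced only for subscriber-initiated requests and only in classes that carry admission-control, one subscriber IP address and port counted once, and a limit of at most 65,535), as an added Python model that is not code from this guide or from the SmartEdge OS. Circuit names, the "default" label for the default class, and a single shared counter for all enabled classes on a circuit are assumptions.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

MAX_SESSION_LIMIT = 65535   # guide: a circuit's session limit can be set to at most 65,535

class SessionLimiter:
    """Limits subscriber-initiated sessions per circuit and per protocol (tcp, udp, icmp)."""

    def __init__(self, limits: Dict[str, int], enabled: Set[Tuple[str, str]]) -> None:
        # limits: one 'connections PROTO N' per protocol of the NAT policy.
        # enabled: (class, proto) pairs that carry 'admission-control PROTO';
        #          "default" is the assumed label for the default class.
        for proto, n in limits.items():
            if not 1 <= n <= MAX_SESSION_LIMIT:
                raise ValueError(f"{proto}: limit must be between 1 and {MAX_SESSION_LIMIT}")
        self.limits = limits
        self.enabled = enabled
        # (circuit, proto) -> distinct (subscriber ip, subscriber port) endpoints;
        # assumption: every enabled class on the circuit shares this one counter
        self.conns: Dict[Tuple[str, str], Set[Tuple[str, int]]] = defaultdict(set)

    def admit(self, circuit: str, proto: str, cls: str, sub_ip: str, sub_port: int,
              subscriber_initiated: bool) -> bool:
        """True if the session request may proceed, False once the circuit's limit is reached."""
        limit = self.limits.get(proto)
        # Not limited: no 'connections' for this protocol, the class has no
        # admission-control, or the request was initiated from the network side.
        if limit is None or (cls, proto) not in self.enabled or not subscriber_initiated:
            return True
        bucket = self.conns[(circuit, proto)]
        endpoint = (sub_ip, sub_port)
        if endpoint in bucket:        # same subscriber ip+port: counted as one connection
            return True
        if len(bucket) >= limit:
            return False
        bucket.add(endpoint)
        return True

    def release(self, circuit: str, proto: str, sub_ip: str, sub_port: int) -> None:
        """Forget an endpoint once its sessions have ended (timeout handling is assumed)."""
        self.conns[(circuit, proto)].discard((sub_ip, sub_port))

    def count(self, circuit: str, proto: str) -> int:
        return len(self.conns[(circuit, proto)])
```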
To configure NAT policies, perform the tasks described in the following sections:
Configure a NAT Policy with Static Translations
Configure a NAT Policy with a DMZ Host Server
Configure a NAT Policy with Dynamic Translations
Apply a Policy ACL to a NAT Policy
Configure a NAT Policy with Static Translations
To configure a NAT policy with static translations, perform the tasks described in Table 13-1.
Table 13-1 Configure a NAT Policy with Traditional Static Translations
1. Task: Configure a NAT policy name and access NAT policy configuration mode.
   Root command: nat policy
   Notes: Enter this command in context configuration mode.
2. Task: Translate the source IP address for incoming packets on the interface or the subscriber circuit
   to which the NAT policy will be attached in the private network.
   Root command: ip static in
   Notes: Enter this command in NAT policy configuration mode. The destination IP address of incoming
   packets is translated in the reverse direction. Use the optional tcp or udp keyword to translate the
   source address and source port number of the TCP/UDP packets.
3. Task: Translate the source IP address for outgoing packets on the interface or the subscriber circuit
   to which the NAT policy will be attached in the private network.
   Root command: ip static out
   Notes: Enter this command in NAT policy configuration mode. The destination IP address of incoming
   packets is translated in the reverse direction.
4. Task: Translate the destination IP address for those inbound packets (on the interface or subscriber
   circuit to which the NAT policy will be attached) that do not satisfy any condition for static or
   dynamic translation in the policy.
   Root command: ip dmz
   Notes: Enter this command in NAT policy configuration mode. The source IP address is translated in
   the outbound direction.
5. Task: Optional. Apply a policy ACL.
   Notes: See the Apply a Policy ACL to a NAT Policy section.
6. Task: Attach the policy to an interface or subscriber, using one of the following tasks:
   - To an interface.
     Root command: ip nat
     Notes: Enter this command in interface configuration mode.
   - To a subscriber record, named profile, or default profile.
     Root command: nat policy-name
     Notes: Enter this command in subscriber configuration mode.
Note For information about configuring interfaces and subscribers, see the Interface
Configuration chapter and the Subscriber Configuration chapter, respectively, in the Basic
System Configuration Guide for the SmartEdge OS.
Configure a NAT Policy with a DMZ Host Server
To configure a NAT policy with a DMZ host server, perform the tasks described in Table 13-2.
Table 13-2 Configure a NAT Policy with a DMZ Host Server
1. Task: Configure a NAT policy name and access NAT policy configuration mode.
   Root command: nat policy
   Notes: Enter this command in context configuration mode.
2. Task: Translate the destination IP address for those outgoing packets (on the interface or subscriber
   circuit to which the NAT policy will be attached) that do not satisfy any of the static or dynamic
   rules in the policy.
   Root command: ip dmz
   Notes: Enter this command in NAT policy configuration mode. The destination IP address of incoming
   packets is translated in the reverse direction.
3. Task: Attach the policy to an interface or subscriber, using one of the following tasks:
   - To an interface.
     Root command: ip nat
     Notes: Enter this command in interface configuration mode.
   - To a subscriber record, named profile, or default profile.
     Root command: nat policy-name
     Notes: Enter this command in subscriber configuration mode.
Configure a NAT Policy with Dynamic Translations
To configure a NAT policy with dynamic translations, perform the tasks described in Table 13-3; enter all
commands in NAT policy configuration mode, unless otherwise noted.
Table 13-3 Configure a NAT Policy with Dynamic Translations
1. Task: Create or select a NAT pool and access NAT pool configuration mode.
   Root command: ip nat pool
   Notes: Enter this command in context configuration mode. Use the napt keyword to indicate that the
   addresses associated with the pool will be used for NAPT policies. Use the multibind keyword to
   enable the NAT pool to be applied to multibind interfaces.
2. Task: Configure the IP address, range of IP addresses, or the IP address with a range of TCP/UDP
   port blocks for the NAT pool.
   Root command: address
   Notes: Enter this command in NAT pool configuration mode. Enter this command multiple times to
   configure several IP addresses, address ranges, and IP addresses with port blocks for the NAT pool.
3. Task: Create or select a policy and access NAT policy configuration mode.
   Root command: nat policy
   Notes: Enter this command in context configuration mode.
4. Task: Optional. Specify the maximum number of sessions allowed for the specified protocol for each
   circuit.
   Root command: connections
5. Task: Specify the action to take on packets not associated with a class with one of the following
   tasks:
   Notes: Any of these actions is applied to packets not associated with a class if a policy ACL is
   applied to this NAT policy.
   - Translate the source IP addresses of the packets using the pool of IP addresses (created in step 1).
     Root command: pool
   - Drop packets.
     Root command: drop
   - Forward packets without translating their source IP addresses.
     Root command: ignore
6. Task: Optional. Modify the period after which translations time out.
   Root command: timeout
   Notes: Enter this command only if you have specified the pool command (in step 5). This timeout is
   used for packets not associated with a class, if a policy ACL is applied to this NAT policy.
7. Task: Optional. Enable session limit control for the default class for the specified protocol.
   Root command: admission-control
8. Task: Optional. Overwrite the destination IP address.
   Root command: destination
9. Task: Optional. Apply a policy ACL to this policy.
   Notes: See the Apply a Policy ACL to a NAT Policy section.
10. Task: Attach the NAT or NAPT policy to an interface or subscriber, using one of the following tasks:
   - To an interface.
     Root command: ip nat
     Notes: Enter this command in interface configuration mode.
   - To a subscriber record, named profile, or default profile.
     Root command: nat policy-name
     Notes: Enter this command in subscriber configuration mode.
Apply a Policy ACL to a NAT Policy
To apply a policy ACL to packets associated with a dynamic NAT policy and complete the configuration
of the policy, perform the tasks described in Table 13-4; enter all commands in policy group class
configuration mode, unless otherwise noted.
Table 13-4 Apply a Policy ACL to a NAT Policy
1. Task: Apply a policy ACL to a dynamic NAT policy and access policy group configuration mode.
   Root command: access-group
   Notes: Enter this command in NAT policy configuration mode.
2. Task: Specify a class and access class configuration mode.
   Root command: class
   Notes: Enter this command in policy group configuration mode. For a class-based action to occur,
   the class name must match one of the class names defined in the policy ACL.
3. Task: Specify the action to take on packets associated with the class with one of the following
   tasks:
   Notes: Enter any of these commands in policy group class configuration mode.
   - Translate the source IP addresses of the packets using the pool of IP addresses.
     Root command: pool
   - Drop packets associated with the class.
     Root command: drop
   - Forward packets associated with the class without translating their source IP addresses.
     Root command: ignore
4. Task: Optional. Modify the period after which translations time out.
   Root command: timeout
   Notes: Enter this command only if you have specified the pool command (in step 3). Enter this
   command in policy group class configuration mode.
5. Task: Optional. Enable session limit control for this class for the specified protocol.
   Root command: admission-control
6. Task: Optional. Overwrite the destination IP address.
   Root command: destination
Configuration Examples
This section provides configuration examples for:
NAT Policy with Static Translation
NAT Policy with Static NAPT
NAT Policy with Static Translation and a DMZ Host Server
NAT Policy with Dynamic Translation and an Ignore Action
NAT Policy with Dynamic NAPT and a Drop Action
NAT Policy with Static and Dynamic Translations
NAT Policy with DNAT
NAT Policy with Session Limit Control
NAT Policy with Static Translation
The following example configures a NAT policy with static translations:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
NAT Policy with Static NAPT
The following example configures a static NAPT policy:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.1.3 80 100.1.1.3 8080
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
NAT Policy with Static Translation and a DMZ Host Server
The following example configures a NAT policy with static translation, two internal hosts, and a DMZ host
server:
! Configure context, NAT policy, and interface for private network
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip dmz source 10.1.1.1 100.1.1.1 context local
[local]Redback(config-policy-nat)#ip static in source 10.1.1.2 100.1.1.2
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface if-private
[local]Redback(config-if)#ip address 10.1.1.1/24
[local]Redback(config-if)#ip nat p2
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Configure context, NAT policy, and interface for public network
[local]Redback(config)#context public
[local]Redback(config-ctx)#interface if-public
[local]Redback(config-if)#ip address 100.1.1.1/24
! Configure an Ethernet port for the private network
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#bind interface if-private local
[local]Redback(config-port)#no shutdown
! Configure an Ethernet port for the public network
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#bind interface if-public public
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
Figure 13-2 illustrates the network configuration for the example.
Figure 13-2 Private Network with NAT DMZ Host Server
NAT Policy with Dynamic Translation and an Ignore Action
The following example creates a policy ACL and applies it to a NAT policy with dynamic translations in
which all packets except those classified as CLASS3 are ignored (that is, the NAT policy is not applied to
them). All source IP addresses for incoming packets classified as CLASS3 are translated using IP addresses
from the pool_dyn pool:
! Create the NAT pool
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 11.11.11.0/24
[local]Redback(config-nat-pool)#exit
! Create the policy ACL
[local]Redback(config-ctx)#policy access-list NAT-ACL
[local]Redback(config-access-list)#seq 10 permit ip 10.10.10.0 0.0.0.255 class CLASS3
[local]Redback(config-access-list)#exit
! Create the NAT policy and apply the policy ACL
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#ignore
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn local
NAT Policy with Dynamic NAPT and a Drop Action
The following example configures a NAPT policy with dynamic translations in which all packets, except
those classified as CLASS3, are dropped. Source IP addresses and their TCP/UDP ports for packets
classified as CLASS3 are translated using the IP address and its TCP/UDP port blocks 1 to 15 from the
pool_dyn_napt pool:
[local]Redback(config-ctx)#ip nat pool pool_dyn_napt napt
[local]Redback(config-nat-pool)#address 11.11.11.1/32 port-block 1 to 15
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#drop
[local]Redback(config-policy-nat)#access-group NAT_ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn_napt local
NAT Policy with Static and Dynamic Translations
The following example configures a NAT policy that uses a combination of static and dynamic, basic NAT
and NAPT, and applies a policy ACL:
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 100.1.2.0/24
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#ip nat pool pool_dyn_napt napt
[local]Redback(config-nat-pool)#address 100.1.1.2/32 port-block 1
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#pool pool_dyn local
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn_napt local
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.1.2 80 100.1.1.2 8080
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
NAT Policy with DNAT
The following example configures a NAT policy that uses DNAT, both with and without NAT, within a
single NAT policy. A predefined destination address is configured for the NAT-CLASS1 and NAT-CLASS2
classes within the NAT policy NAT-POLICY. For all packets from class NAT-CLASS1, the destination
address of each packet is replaced by 64.233.167.100 so that all packets from class NAT-CLASS1 are
forwarded to that address. On the return path, a reverse translation from 64.233.167.100 to the original
destination address is performed so that the returning traffic appears to be sent from the original destination
address. For the NAT-CLASS2 class, the destination address of each packet is translated exactly the same
way as for class NAT-CLASS1, but the source address is not translated.
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class NAT-CLASS1
[local]Redback(config-policy-group-class)#pool NAT-POOL1 local
[local]Redback(config-policy-group-class)#destination 64.233.167.100
[local]Redback(config-policy-group)#class NAT-CLASS2
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#destination 64.233.167.100
NAT Policy with Session Limit Control
The following example configures a NAT policy that uses session limit control for both the default class
and a subset of named classes. Assuming that packets do not match either of the two static rules (which
have higher priority), the following processing takes place:
Packets classified into CLASS2 are NAT-translated with the use of pool2 addresses and no session
limit control is applied (the default state).
Packets classified into CLASS3 are unchanged and session limit control is applied to TCP sessions with
a maximum number of TCP sessions set to 100.
All other packets (that is, those of the default class) are translated with the use of pool1 addresses and
session limit control is applied to TCP sessions with a maximum number of TCP sessions set to 100.
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.3.3 80 100.1.3.3 8080
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.4.3 80 100.1.3.4 8080
[local]Redback(config-policy-nat)#connections tcp 100
! Default class
[local]Redback(config-policy-nat)#pool pool1 local
[local]Redback(config-policy-nat)#timeout tcp
[local]Redback(config-policy-nat)#admission-control tcp
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS2
[local]Redback(config-policy-group-class)#pool pool2
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#exit
Note Specify the connections command (in NAT policy configuration mode) for the policy; then
specify the admission-control command for each class (including the default one) for which
you want the session limit to be enforced.
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure NAT policies.
The commands are presented in alphabetical order:
address
admission-control
connections
destination
drop
ignore
ip dmz
ip nat
ip nat pool
ip static in
ip static out
nat policy
nat policy-name
pool
timeout
address
address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr | ip-addr/32
port-block start-port-block [to end-port-block]}
no address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr}
Purpose
Assigns an IP address, a range of IP addresses, or an IP address with one or more blocks of Transmission
Control Protocol/User Datagram Protocol (TCP/UDP) ports to the Network Address Translation (NAT)
pool.
Command Mode
NAT pool configuration
Syntax Description
ip-addr netmask                 IP address and subnet mask.
ip-addr/prefix-length           IP address and prefix length.
start-ip-addr to end-ip-addr    Starting IP address to ending IP address.
ip-addr/32                      IP address and prefix length when specifying one or more blocks of
                                TCP/UDP port numbers.
port-block start-port-block     Starting port block number. The range of values is 0 to 15.
to end-port-block               Optional. Ending port-block number. If not entered, assigns only the
                                TCP/UDP port numbers in the port block specified by the
                                start-port-block argument. The range of values is 1 to 15.
Default
All TCP/UDP port numbers for the IP address are assigned to the NAT pool.
Usage Guidelines
Use the address command to assign the IP address and subnet mask, a range of IP addresses, or an IP
address with a range of TCP/UDP ports that will be included in the NAT pool. The TCP/UDP port number
space is divided into 16 blocks. Each block contains 4,096 sequential numbers. Blocks are numbered from
0 to 15. If you specify one or more blocks of TCP/UDP ports, you must specify 32 as the prefix length.
You can enter this command multiple times to assign multiple IP addresses, ranges of IP addresses, and an
IP address with TCP/UDP port blocks to a NAT pool.
Use the no form of this command to remove IP addresses from the NAT pool. If you enter the no form with
an IP address that was configured with the port-block keyword, the IP address and all its configured port
blocks are removed from the NAT pool.
Examples
The following example configures the NAT pool, NAT-1, and fills the pool with the IP address,
171.71.71.1, with all its TCP/UDP ports and the IP address, 171.71.72.2, with port blocks 1 to 3:
[local]Redback(config)#context ISP
[local]Redback(config-ctx)#ip nat pool NAT-1 napt
[local]Redback(config-nat-pool)#address 171.71.71.1/32
[local]Redback(config-nat-pool)#address 171.71.72.2/32 port-block 1 to 3
Related Commands
ip nat pool
pool
admission-control
admission-control {icmp | tcp | udp}
no admission-control {icmp | tcp | udp}
Purpose
Enables or disables session limit control for the specified protocol.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
icmp    Specifies the Internet Control Message Protocol (ICMP) as the protocol for which session
        limit control is to be enabled.
tcp     Specifies the Transmission Control Protocol (TCP) as the protocol for which session limit
        control is to be enabled.
udp     Specifies the User Datagram Protocol (UDP) as the protocol for which session limit control is
        to be enabled.
Default
Session limit control is disabled for this access control list (ACL) class.
Usage Guidelines
Use the admission-control command to enable session limit control for the specified protocol. Session
limit control applies only to this ACL class in this Network Address Translation (NAT) policy. You can use
this command only when the action in the class is either ignore or pool, and the pool is a Network Address
and Port Translation (NAPT) pool.
Use the no form of this command to disable session limit control.
Examples
The following example enables TCP session limit control for the default ACL class in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#admission-control tcp
The following example enables TCP session limit control for CLASS3 in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp
Related Commands
connections
connections
connections {icmp | tcp | udp} maximum max-sess
no connections {icmp | tcp | udp}
Purpose
Specifies the maximum number of sessions allowed for the specified protocol for each circuit.
Command Mode
NAT policy configuration
Syntax Description
icmp Specifies the Internet Control Message Protocol (ICMP) as the protocol for which
session limit control is to be enabled.
tcp Specifies the Transmission Control Protocol (TCP) as the protocol for which
session limit control is to be enabled.
udp Specifies the User Datagram Protocol (UDP) as the protocol for which session
limit control is to be enabled.
maximum max-sess Maximum number of sessions allowed for this protocol for each circuit to which
you have applied this Network Address Translation (NAT) policy. The range of
values is 1 to 65,535.
Default
The maximum number of sessions is not specified.
Usage Guidelines
Use the connections command to specify the maximum number of sessions allowed for the specified
protocol for each circuit.
The maximum number that you specify applies to all access control list (ACL) classes, including the default
class, for which you have specified admission control using the admission-control command (in NAT
policy configuration mode).
If the maximum number of sessions for a specific protocol is not specified using this command, the
admission control for that protocol, if specified using the admission-control command (in NAT policy or
policy group class configuration mode), is ignored.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 100 as the maximum number of TCP sessions for each circuit:
[local]Redback(config-policy-nat)#connections tcp maximum 100
Related Commands
admission-control
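The interaction of the connections and admission-control commands described above, modelled as an added example (Python, not Redback code): it checks what happens when admission-control is set without a connections maximum, when the per-circuit ceiling is reached, and when the no form removes the ceiling. The class names, circuit names and the assumption that all classes on a circuit share one per-protocol session counter are constructed.

```python
"""Model of SmartEdge NAT session-limit admission control (added example)."""
from collections import defaultdict

PROTOCOLS = ("icmp", "tcp", "udp")
ACTIONS = ("ignore", "pool-basic", "pool-napt", "drop")


class NatPolicy:
    """One NAT policy: per-protocol session ceilings plus per-class admission flags.

    Assumption (constructed, not stated by the guide): all classes on a circuit
    share one active-session counter per protocol.
    """

    def __init__(self, name):
        self.name = name
        self.connections = {}              # proto -> max-sess per circuit (connections command)
        self.classes = {}                  # class name -> {"action": str, "admission": set(protos)}
        self.sessions = defaultdict(int)   # (circuit, proto) -> active sessions

    def set_class(self, name, action):
        """Define the default class or a policy ACL class with its action."""
        if action not in ACTIONS:
            raise ValueError("action must be one of %s" % (ACTIONS,))
        self.classes[name] = {"action": action, "admission": set()}

    def connections_max(self, proto, max_sess):
        """connections {icmp | tcp | udp} maximum max-sess"""
        if proto not in PROTOCOLS:
            raise ValueError("protocol must be icmp, tcp or udp")
        if not 1 <= max_sess <= 65535:
            raise ValueError("max-sess range is 1 to 65,535")
        self.connections[proto] = max_sess

    def no_connections(self, proto):
        """no connections {icmp | tcp | udp}: back to the default, not specified."""
        self.connections.pop(proto, None)

    def admission_control(self, class_name, proto):
        """admission-control {icmp | tcp | udp} in a class.

        The guide allows it only when the class action is ignore or a NAPT pool.
        """
        cls = self.classes[class_name]
        if cls["action"] not in ("ignore", "pool-napt"):
            raise ValueError("admission-control needs an ignore or NAPT pool action")
        cls["admission"].add(proto)

    def admit(self, circuit, class_name, proto):
        """Return True if a new session of this class on this circuit is admitted."""
        limit = self.connections.get(proto)
        policed = proto in self.classes[class_name]["admission"] and limit is not None
        if policed and self.sessions[(circuit, proto)] >= limit:
            return False                   # ceiling reached: session refused
        self.sessions[(circuit, proto)] += 1
        return True


def run_scenario():
    """Constructed walk-through; returns the observations so they can be checked."""
    p = NatPolicy("NAT-1")
    p.set_class("default", "pool-napt")
    p.set_class("CLASS3", "ignore")
    p.set_class("CLASS4", "drop")
    out = {}

    # 1. admission-control set, but no connections maximum: the guide says the
    #    admission control is ignored, so no session is ever refused.
    p.admission_control("default", "tcp")
    out["no_limit_configured"] = all(p.admit("cct-A", "default", "tcp") for _ in range(150))

    # 2. connections tcp maximum 100: the 101st TCP session on a circuit is refused.
    p.connections_max("tcp", 100)
    out["hundred_admitted"] = all(p.admit("cct-B", "default", "tcp") for _ in range(100))
    out["hundred_first_refused"] = p.admit("cct-B", "default", "tcp")

    # 3. The ceiling is per circuit: another circuit starts from zero.
    out["other_circuit_ok"] = p.admit("cct-C", "default", "tcp")

    # 4. A class without admission-control for TCP is not policed on the same circuit.
    out["class3_not_policed"] = p.admit("cct-B", "CLASS3", "tcp")

    # 5. UDP has neither a ceiling nor an admission flag: not policed either.
    out["udp_not_policed"] = all(p.admit("cct-B", "default", "udp") for _ in range(120))

    # 6. admission-control is rejected for a class whose action is drop.
    try:
        p.admission_control("CLASS4", "tcp")
        out["drop_class_rejected"] = False
    except ValueError:
        out["drop_class_rejected"] = True

    # 7. no connections tcp: the ceiling disappears, so the flag is ignored again.
    p.no_connections("tcp")
    out["after_no_connections"] = p.admit("cct-B", "default", "tcp")
    return out
```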
destination
destination ip-addr [context-name]
Purpose
Configures the Network Address Translation (NAT) policy or its class to use the specified IP address in
destination IP address translation or destination NAT (DNAT).
Command Mode
NAT policy configuration
NAT policy class configuration
Syntax Description
ip-addr Specifies the IP address to replace the original destination address.
context-name Specifies the name of the context in which the configured destination IP address
resides.
Default
No predefined IP address is configured as a destination IP address.
Usage Guidelines
Use the destination command to configure the NAT policy or its class to use the specified IP address in
DNAT. DNAT replaces the original destination IP addresses of all packets or the packets of a specific class
with a predefined IP address.
When a destination IP address is configured for a given class, the SmartEdge router applies this predefined
IP address to all packets of the class.
You can enable DNAT with or without having to perform NAT.
Configuring DNAT without NAT requires that you configure the destination command with the ignore
command.
Use the destination ip-addr context-name construct to specify that the configured destination IP address
resides within the specified context. Without the name of the context specified, the configured destination
IP address is assumed to be either in the context in which the NAT pool is defined or, if no NAT pool is
defined, in the context in which the NAT policy is defined.
Note If you configure DNAT with NAT, the context name specified in the destination command
must be the same as the context name specified in the pool command.
Examples
The following example shows how to configure DNAT with NAT. A predefined destination address is
configured for the NAT-CLASS1 class within the NAT policy NAT-POLICY. For all packets from class
NAT-CLASS1, the destination address of each packet is replaced by 64.233.167.100 so that all packets
from class NAT-CLASS1 are forwarded to that address. On the return path, a reverse translation from
64.233.167.100 to the original destination address is performed so that the returning traffic appears to
be sent from the original destination address:
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS1
[local]Redback(config-policy-acl-class)#pool NAT-POOL1 local
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
The following example shows how to configure DNAT without NAT. A predefined destination address is
configured for the NAT-CLASS2 class within the NAT policy NAT-POLICY. For the NAT-CLASS2 class
within the NAT policy NAT-POLICY, the destination address of each packet is replaced by
64.233.167.100 so that all packets from class NAT-CLASS2 are forwarded to that address. In this
example, the source address is not translated.
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS2
[local]Redback(config-policy-acl-class)#ignore
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
Related Commands
admission-control
drop
ignore
pool
timeout
drop
drop
Purpose
Drops all packets or classes of packets associated with the Network Address Translation (NAT) policy.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
This command has no keywords or arguments.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the drop command to drop all packets or classes of packets associated with the NAT policy.
Examples
The following example configures the NAT-1 policy and applies the NAT-ACL-1 access control list (ACL)
to it. Packets that are classified as NAT-CLASS-1 will be dropped. All other packets, except those
explicitly defined by the static rule, will be ignored:
[local]Redback(config)#context CUSTOMER
[local]Redback(config-ctx)#nat policy NAT-1
[local]Redback(config-policy-nat)#ignore
[local]Redback(config-policy-nat)#ip static in source 10.0.0.1 171.71.71.1
[local]Redback(config-policy-nat)#access-group NAT-ACL-1
[local]Redback(config-policy-group)#class NAT-CLASS-1
[local]Redback(config-policy-group-class)#drop
Related Commands
ignore
pool
timeout
ignore
ignore
Purpose
Configures the Network Address Translation (NAT) policy or its class to not translate the source IP address
of all packets, or classes of packets, traveling across circuits attached to the interface or subscriber to which
the NAT policy is applied.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
This command has no keywords or arguments.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the ignore command to configure the Network Address Translation (NAT) policy or its class to not
translate the source IP address of all packets, or classes of packets, traveling across circuits attached to the
interface or subscriber to which the NAT policy is applied.
Examples
The following example configures the NAT-2 policy and applies the NAT-ACL-2 access control list (ACL)
to it. Packets that are classified as NAT-CLASS-2 are ignored; they are forwarded without translation of
the source IP address. All other packets, except those defined in the static rule, are dropped.
[local]Redback(config)#context CUSTOMER
[local]Redback(config-ctx)#nat policy NAT-2
[local]Redback(config-policy-nat)#ip static in source 10.0.0.1 171.71.71.1
[local]Redback(config-policy-nat)#access-group NAT-ACL-2
[local]Redback(config-policy-group)#class NAT-CLASS-2
[local]Redback(config-policy-group-class)#ignore
Related Commands
drop
pool
timeout
ip dmz
ip dmz source ip-addr nat-addr context ctx-name
no ip dmz source ip-addr nat-addr context ctx-name
Purpose
Configures the source and Network Address Translation (NAT) IP addresses for a demilitarized zone
(DMZ) host server.
Command Mode
NAT policy configuration
Syntax Description
source ip-addr Original source IP address for the DMZ host server on the private network.
nat-addr NAT address. The IP address of the DMZ host server on the public network
to which the source IP address is mapped.
context ctx-name Name of the context in which the NAT address of the DMZ host server is
defined for the interface that is used to forward packets after the source IP
address is translated.
Default
No DMZ host server is configured.
Usage Guidelines
Use the ip dmz command to configure a DMZ host server.
Use the no form of this command to remove the DMZ host server from the configuration.
Examples
The following example configures a DMZ host server with an internal network address, 10.1.1.1, and
an external network address, 201.1.1.1, which are defined in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy policy1
[local]Redback(config-policy-nat)#ip dmz source 10.1.1.1 201.1.1.1 context local
Related Commands
None
ip nat
ip nat pol-name
no ip nat pol-name
Purpose
Attaches a Network Address Translation (NAT) policy to packets received or transmitted on any circuit
bound to the specified interface.
Command Mode
interface configuration
Syntax Description
pol-name NAT policy name.
Default
None
Usage Guidelines
Use the ip nat command to attach a NAT policy to packets received or transmitted on any circuit bound to
the specified interface.
Use the no form of this command to remove the NAT policy from the interface.
Examples
The following example translates an IP source address for the p1 NAT policy and applies the policy to
packets traveling across the pos1 interface:
[local]Redback(config-ctx)#nat policy p1
[local]Redback(config-policy-nat)#ip static in source 10.1.2.3 32.32.32.32
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos1
[local]Redback(config-if)#ip nat p1
Related Commands
nat policy
nat policy-name
ip nat pool
ip nat pool pool-name [napt [multibind]]
no ip nat pool pool-name [napt [multibind]]
Purpose
Configures a Network Address Translation (NAT) pool name and enters NAT pool configuration mode.
Command Mode
context configuration
Syntax Description
pool-name NAT pool name.
napt Optional. Enables support for translation of Transmission Control
Protocol/User Datagram Protocol (TCP/UDP) ports.
multibind Optional. Enables the NAT pool to be applied to multibind interfaces.
Default
None
Usage Guidelines
Use the ip nat pool command to configure a NAT pool name and to enter NAT pool configuration mode.
Use the no form of this command to remove a NAT pool.
Examples
The following example configures the NAT pool, NAT-POOL-BASIC, with 14 IP addresses
(171.71.71.4 to 171.71.71.7 and 171.71.71.101 to 171.71.71.110):
[local]Redback(config-ctx)#ip nat pool NAT-POOL-BASIC
[local]Redback(config-nat-pool)#address 171.71.71.4 255.255.255.252
[local]Redback(config-nat-pool)#address 171.71.71.101 to 171.71.71.110
Related Commands
address
pool
ip static in
ip static in [{tcp | udp}] source ip-addr [port] nat-addr [nat-port] [context ctx-name]
no ip static in [{tcp | udp}] source ip-addr [port] nat-addr [nat-port] [context ctx-name]
Purpose
Translates the source IP address in the private network, and optionally, Transmission Control Protocol/User
Datagram Protocol (TCP/UDP) ports, of incoming packets on the interface to which the Network Address
Translation (NAT) policy is attached. In the reverse direction, translates the destination IP address, and
optionally, TCP/UDP ports, of outgoing packets on the interface.
Command Mode
NAT policy configuration
Syntax Description
tcp Optional. Indicates a TCP port.
udp Optional. Indicates a UDP port.
source Indicates the source information.
ip-addr Original source IP address.
port Optional. Original TCP or UDP source port number. The range of values is 1
to 65,535. Required when using the tcp or udp keyword.
nat-addr NAT address. The IP address to which the source IP address is mapped in the
address translation table.
nat-port Optional. TCP or UDP port number to which the source port number is
mapped in the address translation table. The range of values is 1 to 65,535.
Required when using the tcp or udp keyword.
context ctx-name Optional. Context name. Required for intercontext forwarding of packets.
Interfaces in the specified context are used to forward packets after addresses
are translated.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the ip static in command to translate the source IP address in the private network, and optionally,
TCP/UDP ports, of incoming packets on the interface to which the NAT policy is attached. In the reverse
direction, this command translates the destination IP address, and optionally, TCP/UDP ports, of outgoing
packets on the interface.
Incoming packets with a source IP address that matches the ip-addr argument use the IP address specified
with the nat-addr argument as their source IP address instead. In the opposite direction, outgoing packets
with a destination IP address that matches the nat-addr argument use the ip-addr argument as the
destination IP address.
If the nat-addr argument overlaps an IP address in a Network Access Port Translation (NAPT) pool, the
static translation takes precedence.
Use the no form of this command to disable the translation of the source IP address and TCP/UDP ports.
Examples
The following example translates the source IP address of packets received on the interface, customer1,
to 2.2.2.2 when the original source address of the packets is 1.1.1.1. At the same time, the destination
address of packets sent out the interface is translated to 1.1.1.1 when the original destination address
of the packets is 2.2.2.2:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 1.1.1.1 2.2.2.2
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface customer1
[local]Redback(config-if)#ip address 1.1.1.254/24
[local]Redback(config-if)#ip nat p2
Related Commands
ip static out
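The direction and precedence rules of ip static in described above, modelled as an added example (Python, not Redback code) that also covers the port-level form and the case where nat-addr overlaps a NAPT pool address. The packet values and the simplified NAPT port allocator are constructed.

```python
"""Model of ip static in translation and its precedence over a NAPT pool (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class StaticNatPolicy:
    """ip static in entries plus an optional NAPT pool, per the command description."""

    def __init__(self, napt_pool=()):
        self.pool = sorted(napt_pool)   # addresses of an ip nat pool ... napt
        self.rules = []                 # (proto, ip, port, nat_ip, nat_port)
        self.bindings = {}              # dynamic NAPT: (src, proto, sport) -> (nat_ip, nat_port)
        self.next_port = 1024           # constructed allocator, not the router's

    def ip_static_in(self, ip, nat_ip, proto=None, port=None, nat_port=None):
        """ip static in [{tcp | udp}] source ip-addr [port] nat-addr [nat-port]"""
        if proto not in (None, "tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        if proto is not None and (port is None or nat_port is None):
            raise ValueError("port and nat-port are required with tcp or udp")
        for p in (port, nat_port):
            if p is not None and not 1 <= p <= 65535:
                raise ValueError("port range is 1 to 65,535")
        self.rules.append((proto, ip, port, nat_ip, nat_port))

    def inbound(self, pkt):
        """Packet received on the policy's interface: translate the source."""
        for proto, ip, port, nat_ip, nat_port in self.rules:
            if pkt.src == ip and (proto is None or (proto, port) == (pkt.proto, pkt.sport)):
                return replace(pkt, src=nat_ip, sport=nat_port if proto else pkt.sport)
        if self.pool:                    # no static match: fall back to dynamic NAPT
            key = (pkt.src, pkt.proto, pkt.sport)
            if key not in self.bindings:
                self.bindings[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            nat_ip, nat_port = self.bindings[key]
            return replace(pkt, src=nat_ip, sport=nat_port)
        return None                      # no action configured: the default is drop

    def outbound(self, pkt):
        """Packet sent out the interface (reply direction): translate the destination.

        Static entries are checked first, so they take precedence over pool bindings.
        """
        for proto, ip, port, nat_ip, nat_port in self.rules:
            if pkt.dst == nat_ip and (proto is None or (proto, nat_port) == (pkt.proto, pkt.dport)):
                return replace(pkt, dst=ip, dport=port if proto else pkt.dport)
        for (src, proto, sport), (nat_ip, nat_port) in self.bindings.items():
            if (pkt.dst, pkt.proto, pkt.dport) == (nat_ip, proto, nat_port):
                return replace(pkt, dst=src, dport=sport)
        return None


def run_scenario():
    """Constructed walk-through of the guide's example plus the overlap case."""
    out = {}
    # nat policy p2 / ip static in source 1.1.1.1 2.2.2.2 (the guide's example)
    p2 = StaticNatPolicy()
    p2.ip_static_in("1.1.1.1", "2.2.2.2")
    out["in_src"] = p2.inbound(Packet("1.1.1.1", "8.8.8.8", "tcp", 40000, 80)).src
    out["out_dst"] = p2.outbound(Packet("8.8.8.8", "2.2.2.2", "tcp", 80, 40000)).dst
    out["unmatched_dropped"] = p2.inbound(Packet("1.1.1.9", "8.8.8.8")) is None

    # Port-level entry: only the named source port is translated.
    p2.ip_static_in("10.1.1.1", "2.2.2.3", proto="tcp", port=8080, nat_port=80)
    hit = p2.inbound(Packet("10.1.1.1", "8.8.8.8", "tcp", 8080, 443))
    miss = p2.inbound(Packet("10.1.1.1", "8.8.8.8", "tcp", 9090, 443))
    out["port_rule"] = (hit.src, hit.sport)
    out["port_miss"] = miss is None

    # nat-addr overlapping a NAPT pool address: the static entry wins on the
    # return path, so the reply for the dynamic binding goes to 1.1.1.1 instead.
    p3 = StaticNatPolicy(napt_pool=["2.2.2.2"])
    p3.ip_static_in("1.1.1.1", "2.2.2.2")
    dyn = p3.inbound(Packet("10.0.0.5", "8.8.8.8", "udp", 5000, 53))
    reply = p3.outbound(Packet("8.8.8.8", dyn.src, "udp", 53, dyn.sport))
    out["overlap_reply_dst"] = reply.dst
    return out
```

The last case is why an operator should keep static nat-addr values outside any NAPT pool range: the overlap is legal, but the precedence rule silently shadows pool bindings on the return path.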
ip static out
ip static out source ip-addr nat-addr
no ip static out source ip-addr nat-addr
Purpose
Translates the source IP address in the private network of outgoing packets on the interface to which the
Network Address Translation (NAT) policy is applied, and in the reverse direction, translates the
destination IP address of incoming packets on the interface.
Command Mode
NAT policy configuration
Syntax Description
source Indicates the source information.
ip-addr Original source IP address.
nat-addr NAT address. The IP address to which the source IP address is mapped in the
address translation table.
Default
If no action is configured for the NAT policy, packets are dropped.
Usage Guidelines
Use the ip static out command to translate the source IP address in the private network of outgoing packets
on the interface to which the NAT policy is applied, and in the reverse direction, to translate the destination
IP address of incoming packets on the interface.
Outgoing packets with a source IP address that matches the ip-addr argument use the IP address specified
with the nat-addr argument as their source IP address instead. In the opposite direction, incoming packets
with a destination IP address that matches the nat-addr argument use the ip-addr argument as the
destination IP address.
Use the no form of this command to disable the translation of the IP address.
Examples
The following example translates the IP source address of packets sent out the interface, pos1, to
10.30.40.50 when the original source address of the packets is 64.64.64.64. At the same time, the
destination address of packets coming into the interface is translated to 64.64.64.64 when the
destination address of the packets is 10.30.40.50:
[local]Redback(config-ctx)#nat policy p1
[local]Redback(config-policy-nat)#ip static out source 64.64.64.64 10.30.40.50
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos1
[local]Redback(config-if)#ip nat p1
Related Commands
ip static in
nat policy
nat policy pol-name [radius-guided]
no nat policy pol-name
Purpose
Configures a Network Address Translation (NAT) policy name and enters NAT policy configuration mode.
Command Mode
context configuration
Syntax Description
pol-name NAT policy name.
radius-guided Optional. Specifies a Remote Authentication Dial-In User Service (RADIUS)
guided policy and allows the policy to be modified by dynamic access control
lists (ACLs).
Default
None
Usage Guidelines
Use the nat policy command to configure a NAT policy name and enter NAT policy configuration mode.
Use the radius-guided keyword to specify a RADIUS-guided policy and to allow the policy to be modified
by dynamic ACLs. You cannot remove a dynamic policy ACL from the policy after you have configured
it, nor can you change the policy type from static to RADIUS-guided. To remove a dynamic policy ACL
or change its type, delete the policy and then recreate it as a static policy.
Use the no form of this command to remove the NAT policy.
Examples
The following example translates source addresses for NAT policy, p2, which is applied to packets received
on the pos2 interface:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 34.34.34.34 35.35.35.35
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
Related Commands
destination
drop
ignore
ip nat
ip static in
ip static out
nat policy-name
pool
timeout
nat policy-name
nat policy-name pol-name
no nat policy-name pol-name
Purpose
Attaches the specified Network Address Translation (NAT) policy name to the subscriber's circuit.
Command Mode
subscriber configuration
Syntax Description
pol-name NAT policy name.
Default
None
Usage Guidelines
Use the nat policy-name command to attach the specified NAT policy to the subscriber's circuit.
Use the no form of this command to remove the NAT policy from the subscriber's circuit.
Examples
The following example attaches the NAT policy, nat-pol-1, to the circuit of the nat-sub subscriber:
[local]Redback(config-ctx)#subscriber name nat-sub
[local]Redback(config-sub)#nat policy-name nat-pol-1
Related Commands
drop
ignore
ip nat
ip static in
ip static out
nat policy
pool
timeout
pool
pool nat-pool-name ctx-name
Purpose
Configures the Network Address Translation (NAT) policy or its class to use the specified pool of
IP addresses for source IP address translation.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
nat-pool-name NAT pool name.
ctx-name Name of the context in which the NAT pool is configured.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the pool command to configure the NAT policy or class of packets to use the specified pool of IP
addresses for packet translation.
Examples
The following example configures the NAT policy, NAT-POLICY, to use the pool, NAT-POOL-DEFAULT,
configured in the ISP context, and configures packets classified as NAT-CLASS-BASIC to use the pool,
NAT-POOL-BASIC, configured in the ISP context:
[local]Redback(config-ctx)#nat policy NAT-POLICY
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT ISP
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class NAT-CLASS-BASIC
[local]Redback(config-policy-group-class)#pool NAT-POOL-BASIC ISP
Related Commands
address
drop
ignore
ip nat pool
timeout
timeout
timeout {basic seconds | fin-reset seconds | icmp seconds | syn seconds | tcp seconds | udp seconds}
no timeout {basic | fin-reset | icmp | syn | tcp | udp}
Purpose
Modifies the period after which a Network Address Translation (NAT) translation times out if no activity occurs.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
basic seconds Period, in seconds, after which basic NAT times out. The range of values is 4 to
262,143; the default value is 3,600 (1 hour).
This construct is supported only for basic NAT, not Network Access Port
Translation (NAPT).
fin-reset seconds Period, in seconds, after which NAT for Transmission Control Protocol (TCP)
FINISH and RESET packets times out. The range of values is 4 to 65,535; the default
value is 240.
This construct is supported only by policies using NAPT.
icmp seconds Period, in seconds, after which NAT for Internet Control Message Protocol (ICMP)
packets times out. The range of values is 4 to 65,535; the default value is 60.
This construct is supported only by policies using NAPT.
syn seconds Period, in seconds, after which NAT for TCP SYN packets times out. The range of
values is 4 to 65,535; the default value is 128.
This construct is supported only by policies using NAPT.
tcp seconds Period, in seconds, after which NAT for established TCP connections times out. The
range of values is 4 to 262,143. The default value is 86,400 (24 hours).
This construct is supported only by policies using NAPT.
udp seconds Period, in seconds, after which NAT for User Datagram Protocol (UDP) packets
times out. The range of values is 4 to 65,535; the default value is 120.
This construct is supported only by policies using NAPT.
Default
For default values, see the Syntax Description section. For the ignore action in a NAT policy, all default
timeouts are 20 seconds.
Usage Guidelines
Use the timeout command to modify the period after which a NAT translation times out if no activity
occurs. The timeout applies only if there is a relevant translation.
Use the no form of this command to reset the timeout to its default value.
Examples
The following example configures basic NAT to time out after no activity has occurred for 7200 seconds
(2 hours):
[local]Redback(config-ctx)#ip nat pool NAT-POOL
[local]Redback(config-nat-pool)#address 171.71.71.0/24
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy NAT-1
[local]Redback(config-policy-nat)#pool NAT-POOL local
[local]Redback(config-policy-nat)#timeout basic 7200
Related Commands
drop
ignore
pool
Chapter 14
Forward Policy Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS forward policy features.
For information about the tasks and commands used to monitor, troubleshoot, and administer forward
policies, see the Forward Policy Operations chapter in the IP Services and Security Operations Guide for
the SmartEdge OS.
This chapter includes the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
A forward policy applies only to IP traffic. A forward policy can be a combination of three actions:
Mirroring
Mirroring copies packets and forwards the duplicates to a designated outgoing port. Mirrored traffic
(forwarded, dropped, or both) is typically sent to a packet sniffer (or similar device) so that traffic
patterns can be analyzed. You can mirror all traffic, a sampling of traffic, or mirror only IP packet
headers. You can mirror both incoming and outgoing packets.
Redirect
Redirect forwards packets to IP addresses that are different than their original destination. You can
redirect incoming packets only.
Drop
The drop function specifies that particular packets are dropped, rather than forwarded; you can drop
incoming packets only.
You can apply forward policies at one of two levels or at both levels simultaneously. One level applies to
all packets on a circuit and is referred to as circuit-based forwarding. Another level applies only to a specific
class of packets traveling across a circuit and is referred to as class-based forwarding.
These levels of forward policies are described in the following sections:
Circuit-Based Forwarding
Class-Based Forwarding
Circuit- and Class-Based Forwarding
Circuit-Based Forwarding
When you attach a forward policy that does not include a policy access control list (ACL) to a circuit, all
traffic traveling over the circuit is treated in one manner, that is, it is mirrored, redirected, or dropped.
Class-Based Forwarding
A policy ACL classifies packets using classification statements (rules). Each policy ACL supports up to
eight unique classes. You can classify a packet according to its IP precedence value, protocol number, IP
source and destination address, Internet Control Message Protocol (ICMP) attributes, Internet Group
Management Protocol (IGMP) attributes, Transmission Control Protocol (TCP) attributes, and User
Datagram Protocol (UDP) attributes.
To configure class-based forwarding for a circuit, you apply a policy ACL to a forward policy, specify the
action that you want the policy to take for each class, and then attach the forward policy to the circuit. For
more information about policy ACLs, see Chapter 12, ACL Configuration.
Circuit- and Class-Based Forwarding
You can combine circuit-based and class-based forwarding, so that a class of packets can be treated in one
manner, dependent on a policy ACL, while all remaining packets traveling across the circuit are treated
strictly according to the forward policy conditions.
Configuration Tasks
To configure a forward policy, perform the tasks described in the following sections:
Configure a Forward Policy
Apply a Policy ACL to a Forward Policy
Note If you do not specify an action for a class that is defined in the policy ACL, the SmartEdge
OS considers the class to be the default class.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Configure a Forward Policy
To configure a forward policy for circuit-based forwarding, for class-based forwarding, or for circuit- and
class-based forwarding, perform the tasks described in Table 14-1; enter all commands in forward policy
configuration mode, unless otherwise noted.
Apply a Policy ACL to a Forward Policy
To apply a policy ACL to a forward policy for class-based forwarding, perform the tasks described in
Table 14-2; enter all commands in policy group class configuration mode, unless otherwise noted.
Table 14-1 Configure a Forward Policy
# | Task | Root Command | Notes
1. | Create or select a policy and access forward policy configuration mode. | forward policy | Enter this command in global configuration mode.
2. | Redirect incoming packets not associated with a class with one of the following tasks: | |
   | To the specified output destination. | redirect destination circuit |
   | To a next-hop IP address. | redirect destination next-hop |
3. | Drop incoming packets not associated with a class. | drop |
4. | Mirror specified incoming or outgoing packets not associated with a class to a specified output destination. | mirror destination |
5. | Optional. Configure class-based forwarding for this policy. | See the Apply a Policy ACL to a Forward Policy section. |
6. | Specify the destination circuit. | forward output | Enter this command in ATM PVC, Frame Relay PVC, GRE tunnel, or port configuration mode. Select a different circuit from the circuits you have configured for the traffic being mirrored or redirected.
7. | Attach the policy to a circuit, using one of the following tasks: | | Enter either of these commands in ATM DS-3, ATM OC, ATM PVC, dot1q PVC, DS-0 group, DS-1, DS-3, E1, E3, Frame Relay PVC, port, or subscriber configuration mode.
8. | To incoming traffic. | forward policy in | Only incoming packets can be redirected or dropped. Both incoming and outgoing packets can be mirrored.
9. | To outgoing traffic. | forward policy out |
Table 14-2 Apply a Policy ACL to a Forward Policy
# Task Root Command Notes
1. Apply a policy ACL to the forward policy, and access policy group configuration mode.
   Root command: access-group
   Notes: Enter this command in forward policy configuration mode.
2. Specify a class and access policy group class configuration mode.
   Root command: class
   Notes: Enter this command in policy group configuration mode. For class-based forwarding to occur, the class name must match one of the class names defined in the policy ACL.
3. Optional. Redirect incoming packets associated with the class, using one of the following tasks:
   To the specified output destination: redirect destination circuit
   To a next-hop IP address: redirect destination next-hop
4. Optional. Drop incoming packets associated with the class.
   Root command: drop
5. Mirror specified packets associated with the class to a specified output destination.
   Root command: mirror destination
Note The redirect destination local command is used only for HTTP redirect and is described in Chapter 9, HTTP Redirect Configuration.
14-4 IP Services and Security Configuration Guide
Configuration Examples
This section provides forward policy configuration examples in the following sections:
Traffic Mirroring
Traffic Redirect
Traffic Drop
Combination of Traffic Mirror, Redirect, and Drop in One Policy
Traffic Mirroring
The following example implements traffic mirroring for:
Web traffic, to POS port 13/1
Forwarded UDP traffic, to POS port 13/2
Dropped IP packets, to Ethernet port 4/1, not more frequently than once every three seconds
All other traffic, to POS port 13/3
Traffic comes in through the interface incoming_traffic and leaves the router through the interface normal_traffic.
Figure 14-1 displays the network topology for this example.
Figure 14-1 Basic Traffic Mirroring Network Topology
The interface configuration is as follows:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface e1
[local]Redback(config-if)#ip address 31.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface incoming_traffic
[local]Redback(config-if)#ip address 51.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface normal_traffic
[local]Redback(config-if)#ip address 41.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p1
[local]Redback(config-if)#ip address 21.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p2
[local]Redback(config-if)#ip address 22.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p3
[local]Redback(config-if)#ip address 23.1.1.1/24
The policy ACL configuration is as follows:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config-ctx)#policy access-list PBR_ACL
[local]Redback(config-access-list)#seq 10 permit tcp any eq www any class WEB
[local]Redback(config-access-list)#seq 20 permit tcp any any eq www class WEB
[local]Redback(config-access-list)#seq 30 permit udp any class UDP
[local]Redback(config-access-list)#seq 40 permit ip any class IP
The forward policy configuration is as follows:
[local]Redback#config
[local]Redback(config)#forward policy MirrorPolicy
[local]Redback(config-policy-frwd)#mirror destination DroppedTraffic dropped sampling 3000
[local]Redback(config-policy-frwd)#access-group PBR_ACL local
[local]Redback(config-policy-group)#class WEB
[local]Redback(config-policy-group-class)#mirror destination WebTraffic all
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class UDP
[local]Redback(config-policy-group-class)#mirror destination UdpTraffic forwarded
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class IP
[local]Redback(config-policy-group-class)#mirror destination IpTraffic all
The following configuration attaches the forward policy to the incoming circuit and defines the forward output destinations:
[local]Redback#config
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface e1 local
[local]Redback(config-port)#forward output DroppedTraffic
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 6/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface normal_traffic local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface incoming_traffic local
[local]Redback(config-port)#forward policy MirrorPolicy in
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p1 local
[local]Redback(config-port)#forward output WebTraffic
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p2 local
[local]Redback(config-port)#forward output UdpTraffic
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p3 local
[local]Redback(config-port)#forward output IpTraffic
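The constraints stated in the tables above (a class named under access-group must exist in the policy ACL, every mirror or redirect circuit destination needs a matching forward output, the output circuit must not be the circuit the policy is attached to, and redirect or drop only work with forward policy ... in) are easy to violate when the ACL, the policy, and the port configuration live in different parts of a large configuration. The following Python script is an added example, not part of this guide or of the SmartEdge OS, that applies those checks to configuration text in the form shown above with the prompts removed. It parses only the keywords it needs and treats indentation as cosmetic; the first configuration is the mirroring example above, the second is a constructed variant with deliberate mistakes.

```python
import re

# Configuration text copied from the Traffic Mirroring example above (prompts removed).
GOOD_CONFIG = """
context local
 policy access-list PBR_ACL
  seq 10 permit tcp any eq www any class WEB
  seq 20 permit tcp any any eq www class WEB
  seq 30 permit udp any class UDP
  seq 40 permit ip any class IP
forward policy MirrorPolicy
 mirror destination DroppedTraffic dropped sampling 3000
 access-group PBR_ACL local
  class WEB
   mirror destination WebTraffic all
  class UDP
   mirror destination UdpTraffic forwarded
  class IP
   mirror destination IpTraffic all
port ethernet 4/1
 bind interface e1 local
 forward output DroppedTraffic
port pos 9/1
 bind interface incoming_traffic local
 forward policy MirrorPolicy in
port pos 13/1
 forward output WebTraffic
port pos 13/2
 forward output UdpTraffic
port pos 13/3
 forward output IpTraffic
"""

# Constructed variant with four deliberate mistakes: class PIM is not in the ACL, the
# NoSuchOutput destination has no forward output, the policy is attached with 'out'
# although it drops and redirects, and the Tap output sits on the attaching port.
BAD_CONFIG = """
context local
 policy access-list PBR_Drop_ACL
  seq 10 permit icmp host 51.1.1.2 class ICMP
forward policy BadPolicy
 mirror destination NoSuchOutput all
 access-group PBR_Drop_ACL local
  class ICMP
   drop
  class PIM
   redirect destination circuit Tap
port pos 9/1
 forward output Tap
 forward policy BadPolicy out
"""

RE_ACL = re.compile(r"^policy access-list (\S+)")
RE_SEQ = re.compile(r"^seq \d+ permit .* class (\S+)$")
RE_POLICY_ATTACH = re.compile(r"^forward policy (\S+) (in|out)\b")
RE_POLICY_DEF = re.compile(r"^forward policy (\S+)(?: radius-guided)?$")
RE_ACCESS_GROUP = re.compile(r"^access-group (\S+)")
RE_CLASS = re.compile(r"^class (\S+)")
RE_PORT = re.compile(r"^port (\S+ \S+)")
RE_OUTPUT = re.compile(r"^forward output (\S+)")
RE_CIRCUIT_DEST = re.compile(r"^(?:mirror destination|redirect destination circuit) (\S+)")
RE_IN_ONLY = re.compile(r"^(?:drop$|redirect destination )")


def parse(config_text):
    """Collect ACL classes, policies, forward outputs and attachments from CLI text."""
    acls, policies, outputs, attachments = {}, {}, {}, []
    acl = policy = port = None  # which configuration block the current line belongs to
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_ACL.match(line):
            acl, policy, port = m.group(1), None, None
            acls.setdefault(acl, set())
        elif m := RE_SEQ.match(line):
            if acl:
                acls[acl].add(m.group(1))
        elif m := RE_POLICY_ATTACH.match(line):
            if port:
                attachments.append((port, m.group(1), m.group(2)))
        elif m := RE_POLICY_DEF.match(line):
            policy, acl, port = m.group(1), None, None
            policies[policy] = {"acl": None, "classes": set(), "dests": set(), "in_only": False}
        elif m := RE_PORT.match(line):
            port, policy, acl = m.group(1), None, None
        elif m := RE_OUTPUT.match(line):
            if port:
                outputs[m.group(1)] = port
        elif policy:
            if m := RE_ACCESS_GROUP.match(line):
                policies[policy]["acl"] = m.group(1)
            elif m := RE_CLASS.match(line):
                policies[policy]["classes"].add(m.group(1))
            elif m := RE_CIRCUIT_DEST.match(line):
                policies[policy]["dests"].add(m.group(1))
            if RE_IN_ONLY.match(line):  # drop or any redirect form: incoming only
                policies[policy]["in_only"] = True
    return acls, policies, outputs, attachments


def lint(config_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    acls, policies, outputs, attachments = parse(config_text)
    findings = []
    for name, pol in policies.items():
        if pol["acl"] is not None:
            if pol["acl"] not in acls:
                findings.append(f"{name}: policy ACL {pol['acl']} is not defined")
            else:
                for cls in sorted(pol["classes"] - acls[pol["acl"]]):
                    findings.append(f"{name}: class {cls} is not defined in policy ACL {pol['acl']}")
        for dest in sorted(pol["dests"] - set(outputs)):
            findings.append(f"{name}: destination {dest} has no 'forward output' on any circuit")
    for port, name, direction in attachments:
        pol = policies.get(name)
        if pol is None:
            findings.append(f"{port}: forward policy {name} is attached but not defined")
            continue
        if direction == "out" and pol["in_only"]:
            findings.append(f"{port}: {name} contains redirect or drop, which only 'forward policy ... in' supports")
        for dest in sorted(pol["dests"]):
            if outputs.get(dest) == port:
                findings.append(f"{port}: forward output {dest} is on the same circuit that {name} is attached to")
    return findings


if __name__ == "__main__":
    print("good config:", lint(GOOD_CONFIG) or "no findings")
    for finding in lint(BAD_CONFIG):
        print("bad config:", finding)
```

The script deliberately knows nothing about interfaces, bindings, or shutdown state, so it can be run on a partial configuration excerpt; anything it does not recognise is ignored rather than reported.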
Traffic Redirect
The following example implements traffic redirection for:
Web traffic, to network 100.1.1.0 with load balancing
Forwarded UDP traffic, to network 100.1.1.0 with load balancing
All other TCP traffic, to POS port 13/3 (multipath redirect)
Protocol Independent Multicast (PIM) traffic, to Ethernet port 4/1 (redirect to circuit)
This configuration allows all other traffic to flow in the normal path. Traffic comes in through the interface incoming_traffic and leaves the router through the interface normal_traffic. Figure 14-2 displays the network topology for this example.
Figure 14-2 Basic Traffic Redirect Network Topology
The interface configuration is as follows:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface e1
[local]Redback(config-if)#ip address 31.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface incoming_traffic
[local]Redback(config-if)#ip address 51.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface normal_traffic
[local]Redback(config-if)#ip address 41.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p1
[local]Redback(config-if)#ip address 21.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p2
[local]Redback(config-if)#ip address 22.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p3
[local]Redback(config-if)#ip address 23.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#ip route 100.1.1.0/24 21.1.1.2
[local]Redback(config-ctx)#ip route 100.1.1.0/24 22.1.1.2
The policy ACL configuration is as follows:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config-ctx)#policy access-list PBR_Redirect_ACL
[local]Redback(config-access-list)#seq 10 permit tcp any eq www any class WEB
[local]Redback(config-access-list)#seq 20 permit tcp any any eq www class WEB
[local]Redback(config-access-list)#seq 30 permit tcp any class TCP
[local]Redback(config-access-list)#seq 40 permit udp any class UDP
[local]Redback(config-access-list)#seq 50 permit pim any class PIM
The forward policy configuration is as follows:
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Redirect_ACL local
[local]Redback(config-policy-group)#class WEB
[local]Redback(config-policy-group-class)#redirect destination next-hop 100.1.1.0
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class UDP
[local]Redback(config-policy-group-class)#redirect destination next-hop 100.1.1.0
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class PIM
[local]Redback(config-policy-group-class)#redirect destination circuit PIM_OUT
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class TCP
[local]Redback(config-policy-group-class)#redirect destination next-hop 23.1.1.11 23.1.1.12 23.1.1.13 23.1.1.14
The following configuration attaches the forward policy to an incoming circuit and defines the forward output destinations:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface e1 local
[local]Redback(config-port)#forward output PIM_OUT
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 6/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface normal_traffic local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface incoming_traffic local
[local]Redback(config-port)#forward policy RedirectPolicy in
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p1 local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p2 local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p3 local
Traffic Drop
The following example implements traffic dropping for:
ICMP traffic from host 51.1.1.2
PIM packets
This configuration allows all other traffic to flow in the normal path.
Traffic comes in through the interface incoming_traffic and leaves the router through the interface normal_traffic. Figure 14-3 displays the network topology for this example.
Figure 14-3 Basic Traffic Drop Network Topology
The interface configuration is as follows:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface e1
[local]Redback(config-if)#ip address 31.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface incoming_traffic
[local]Redback(config-if)#ip address 51.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface normal_traffic
[local]Redback(config-if)#ip address 41.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p1
[local]Redback(config-if)#ip address 21.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p2
[local]Redback(config-if)#ip address 22.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p3
[local]Redback(config-if)#ip address 23.1.1.1/24
The policy ACL configuration is as follows:
[local]Redback(config)#context local
[local]Redback(config-ctx)#policy access-list PBR_Drop_ACL
[local]Redback(config-access-list)#seq 10 permit icmp host 51.1.1.2 class ICMP
[local]Redback(config-access-list)#seq 20 permit pim any class PIM
The forward policy configuration is as follows:
[local]Redback(config)#forward policy DropPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Drop_ACL local
[local]Redback(config-policy-group)#class ICMP
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class PIM
[local]Redback(config-policy-group-class)#drop
The following configuration attaches the forward policy to an incoming circuit and binds interfaces to output ports:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface e1 local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 6/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface normal_traffic local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface incoming_traffic local
[local]Redback(config-port)#forward policy DropPolicy in
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p1 local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p2 local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p3 local
Combination of Traffic Mirror, Redirect, and Drop in One Policy
The following example implements these functions:
Redirects all web traffic to 100.1.1.2
Mirrors all forwarded UDP traffic to POS port 13/2
Mirrors all dropped IP packets to Ethernet port 4/1 not more frequently than once every three seconds
Drops all ICMP traffic from 50.1.1.2
Drops all PIM traffic
Mirrors all other traffic to POS port 13/3
Traffic comes in through the interface incoming_traffic and leaves the router through the interface normal_traffic. Figure 14-4 displays the network topology for the configuration example with traffic mirroring, redirect, and drop conditions in one policy.
Figure 14-4 Basic Network Topology for Mirroring, Redirect, and Drop in One Policy
The interface configuration is as follows:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface e1
[local]Redback(config-if)#ip address 31.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface incoming_traffic
[local]Redback(config-if)#ip address 51.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface normal_traffic
[local]Redback(config-if)#ip address 41.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p1
[local]Redback(config-if)#ip address 21.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p2
[local]Redback(config-if)#ip address 22.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface p3
[local]Redback(config-if)#ip address 23.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#ip route 100.1.1.0/24 21.1.1.2
The policy ACL configuration is as follows:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config-ctx)#policy access-list PBR_ACL
[local]Redback(config-access-list)#seq 10 permit tcp any eq www any class WEB
[local]Redback(config-access-list)#seq 20 permit tcp any any eq www class WEB
[local]Redback(config-access-list)#seq 30 permit udp any class UDP
[local]Redback(config-access-list)#seq 40 permit icmp host 50.1.1.2 class ICMP
[local]Redback(config-access-list)#seq 50 permit pim any class PIM
[local]Redback(config-access-list)#seq 60 permit ip any class IP
The forward policy configuration is as follows:
[local]Redback(config)#forward policy GeneralPolicy
[local]Redback(config-policy-frwd)#mirror destination DroppedTraffic dropped sampling 3000
[local]Redback(config-policy-frwd)#access-group PBR_ACL local
[local]Redback(config-policy-group)#class WEB
[local]Redback(config-policy-group-class)#redirect destination next-hop 100.1.1.2
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class UDP
[local]Redback(config-policy-group-class)#mirror destination UdpTraffic forwarded
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class ICMP
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class PIM
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class IP
[local]Redback(config-policy-group-class)#mirror destination IpTraffic all
The following configuration applies the policy to an incoming circuit and defines the output destinations:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface e1 local
[local]Redback(config-port)#forward output DroppedTraffic
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 6/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface normal_traffic local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface incoming_traffic local
[local]Redback(config-port)#forward policy GeneralPolicy in
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p1 local
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p2 local
[local]Redback(config-port)#forward output UdpTraffic
[local]Redback(config-port)#exit
[local]Redback(config)#port pos 13/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface p3 local
[local]Redback(config-port)#forward output IpTraffic
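Before attaching a policy such as GeneralPolicy to a live circuit, it helps to work through which class each kind of packet lands in and which class-level action it therefore receives. The following Python model is an added example, not part of this guide or of the SmartEdge OS. It takes the PBR_ACL rules and the class-level actions from the combined example above, classifies a constructed packet trace, and reports the resulting outcome per packet. Assumptions, because the guide does not state them: rules are evaluated in seq order and the first match wins, the www keyword stands for TCP port 80, and the policy-level mirror destination DroppedTraffic dropped is not modelled because the guide leaves open whether it sees packets dropped by class-level drop actions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# 'www' is the port keyword the ACL uses; mapping it to 80 is an assumption.
PORT_NAMES = {"www": 80}

# Policy ACL copied from the combined example above.
PBR_ACL = """
seq 10 permit tcp any eq www any class WEB
seq 20 permit tcp any any eq www class WEB
seq 30 permit udp any class UDP
seq 40 permit icmp host 50.1.1.2 class ICMP
seq 50 permit pim any class PIM
seq 60 permit ip any class IP
"""

# Class-level actions of GeneralPolicy: class -> (action, argument, mirror filter).
GENERAL_POLICY = {
    "WEB": ("redirect", "100.1.1.2", None),
    "UDP": ("mirror", "UdpTraffic", "forwarded"),
    "ICMP": ("drop", None, None),
    "PIM": ("drop", None, None),
    "IP": ("mirror", "IpTraffic", "all"),
}

RULE_RE = re.compile(
    r"seq (\d+) permit (\w+) (any|host \S+)(?:\s+eq\s+(\w+))?"
    r"(?:\s+(any|host \S+))?(?:\s+eq\s+(\w+))?\s+class\s+(\w+)$"
)


@dataclass(frozen=True)
class Rule:
    seq: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    cls: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_acl(text):
    """Parse 'seq N permit ...' lines into Rules ordered by sequence number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        seq, proto, src, sp, dst, dp, cls = m.groups()
        rules.append(Rule(int(seq), proto, src, PORT_NAMES[sp] if sp else None,
                          dst or "any", PORT_NAMES[dp] if dp else None, cls))
    return sorted(rules, key=lambda r: r.seq)


def _addr_ok(spec, addr):
    return spec == "any" or spec == f"host {addr}"


def rule_matches(rule, pkt):
    """'ip' matches every protocol; ports are checked only where the rule names one."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def classify(rules, pkt):
    """First matching rule wins (assumption: rules are evaluated in seq order)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.cls
    return None


def evaluate(rules, policy, pkt):
    """Apply the class-level action to one packet; unclassified packets are left alone here."""
    cls = classify(rules, pkt)
    d = {"class": cls, "outcome": "forwarded", "next_hop": None, "mirror_to": None}
    action = policy.get(cls)
    if action is None:
        return d
    kind, arg, flt = action
    if kind == "drop":
        d["outcome"] = "dropped"
    elif kind == "redirect":
        d["next_hop"] = arg
    elif kind == "mirror" and flt in ("all", d["outcome"]):
        d["mirror_to"] = arg
    return d


def run(acl_text, policy, packets):
    rules = parse_acl(acl_text)
    return [evaluate(rules, policy, p) for p in packets]


# Constructed trace entering via incoming_traffic (51.1.1.0/24) toward 41.1.1.0/24.
TRACE = [
    Packet("icmp", "50.1.1.2", "41.1.1.9"),            # the host named in seq 40
    Packet("icmp", "51.1.1.7", "41.1.1.9"),            # other ICMP falls through to seq 60
    Packet("tcp", "51.1.1.7", "41.1.1.9", 40001, 80),  # destination port www (seq 20)
    Packet("tcp", "41.1.1.9", "51.1.1.7", 80, 40001),  # source port www (seq 10)
    Packet("tcp", "51.1.1.7", "41.1.1.9", 40002, 22),  # neither side on www
    Packet("udp", "51.1.1.7", "41.1.1.9", 5000, 53),
    Packet("pim", "51.1.1.7", "224.0.0.13"),
]

if __name__ == "__main__":
    for p, d in zip(TRACE, run(PBR_ACL, GENERAL_POLICY, TRACE)):
        print(f"{p.proto:4} {p.src:>10} -> {p.dst:<10} class={d['class']!s:5} "
              f"{d['outcome']:9} next_hop={d['next_hop']} mirror_to={d['mirror_to']}")
```

The second ICMP packet is the one worth noticing: because seq 40 names only host 50.1.1.2, ICMP from any other source is not dropped but falls through to the catch-all class IP and is mirrored to IpTraffic, which is what the ACL says but not necessarily what a reader of the bullet list expects.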
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure forward
policies. The commands are presented in alphabetical order:
drop
forward output
forward policy
forward policy in
forward policy out
mirror destination
redirect destination circuit
redirect destination next-hop
drop
drop
no drop
Purpose
Drops incoming packets for this forward policy or this policy access control list (ACL) class.
Command Mode
forward policy configuration
policy group class configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets are not dropped.
Usage Guidelines
Use the drop command to drop incoming packets according to the applied forward policy.
Use the no form of this command to disable the dropping of packets.
Examples
The following example configures the DropPolicy policy, which drops incoming packets that belong to the classes ICMP and PIM:
[local]Redback#config
[local]Redback(config)#forward policy DropPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Drop_ACL local
[local]Redback(config-policy-group)#class ICMP
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class PIM
[local]Redback(config-policy-group-class)#drop
The following example configures the DropAllPolicy policy, which drops all incoming packets on the circuit:
[local]Redback#config
[local]Redback(config)#forward policy DropAllPolicy
[local]Redback(config-policy-frwd)#drop
Related Commands
forward policy in
forward output
forward output dest-name
no forward output dest-name
Purpose
Specifies a circuit as the output destination for mirrored or redirected traffic.
Command Mode
ATM PVC configuration
Frame Relay PVC configuration
GRE tunnel configuration
port configuration
Syntax Description
dest-name Output destination name for mirrored or redirected traffic.
Default
No output destination for mirrored or redirected traffic is specified.
Usage Guidelines
Use the forward output command to specify a circuit as an output destination for mirrored or redirected traffic.
Note You can specify an Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC), Ethernet port, Frame Relay PVC, Generic Routing Encapsulation (GRE) tunnel, or Packet over SONET/SDH (POS) port as the output destination for mirrored or redirected traffic.
You cannot use the circuit that references the forward policy as the forward output circuit. The selected circuit must be different from the circuit that carries the traffic being mirrored or redirected.
Use the mirror destination or redirect destination circuit command (in forward policy or policy group class configuration mode) to mirror or redirect traffic to this circuit.
Use the no form of this command to remove the circuit as the output destination for mirrored or redirected traffic.
Examples
The following example specifies two forward outputs, snoop1 and snoop2, on Ethernet ports, and one forward output, snoop_gre, on a GRE tunnel:
[local]Redback(config)#port ethernet 5/12
[local]Redback(config-port)#forward output snoop1
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 7/1
[local]Redback(config-port)#forward output snoop2
[local]Redback(config-port)#exit
[local]Redback(config)#tunnel map
[local]Redback(config-tunnel-map)#gre-tunnel tunnel01 local key 1
[local]Redback(config-gre-tunnel)#forward output snoop_gre
Related Commands
forward policy in
forward policy out
mirror destination
redirect destination circuit
redirect destination next-hop
forward policy
forward policy name [radius-guided]
no forward policy name
Purpose
Creates or selects a forward policy and accesses forward policy configuration mode.
Command Mode
global configuration
Syntax Description
name Forward policy name.
radius-guided Optional. Specifies a Remote Authentication Dial-In User Service (RADIUS) guided policy and allows the policy to be modified by dynamic access control lists (ACLs).
Default
No forward policy is configured.
Usage Guidelines
Use the forward policy command to create or select a forward policy and access forward policy configuration mode. A forward policy can contain a combination of mirror, redirect, and drop functions.
Use the radius-guided keyword to specify a RADIUS-guided policy and to allow the policy to be modified by dynamic ACLs. You cannot remove a dynamic policy ACL from the policy after you have configured it, nor can you change the policy type from static to RADIUS-guided. To remove the dynamic policy ACL or change its type, delete the policy and then recreate it as a static policy.
Use the no form of this command to remove the forward policy from the configuration.
Examples
The following example creates the forward policy MirrorPolicy and accesses forward policy configuration mode:
[local]Redback(config)#forward policy MirrorPolicy
[local]Redback(config-policy-frwd)#
Related Commands
drop
mirror destination
redirect destination circuit
redirect destination local
redirect destination next-hop
forward policy in
forward policy name in [acl-counters]
no forward policy name in [acl-counters]
Purpose
Attaches a forward policy to incoming traffic on a circuit, port, or subscriber record.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
port configuration
subscriber configuration
Syntax Description
name Forward policy name.
acl-counters Optional. Enables per-rule statistics for the policy access control list (ACL).
Default
No policy is attached.
Usage Guidelines
Use the forward policy in command to attach a forward policy to incoming traffic on a circuit, port, or subscriber record.
Use the acl-counters keyword to track the number of packets mirrored, redirected, or dropped.
Forward policies are not supported for dynamic 802.1Q permanent virtual circuit (PVC) ranges.
Use the no form of this command to remove a forward policy from a circuit, port, or subscriber record.
Examples
The following example attaches the forward policy MirrorPolicy to incoming traffic on a Packet over SONET/SDH (POS) port:
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#forward policy MirrorPolicy in
Related Commands
drop
forward policy out
mirror destination
redirect destination circuit
redirect destination next-hop
forward policy out
forward policy name out [acl-counters]
no forward policy name out [acl-counters]
Purpose
Attaches a forward policy that mirrors traffic to outgoing traffic on a circuit, port, or subscriber record.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
port configuration
subscriber configuration
Syntax Description
name Forward policy name.
acl-counters Optional. Keeps track of the number of packets that are mirrored when a policy access control list (ACL) is attached to the forward policy.
Default
No policy is attached.
Usage Guidelines
Use the forward policy out command to attach a forward policy that mirrors traffic to outgoing traffic on a circuit, port, or subscriber record.
Note You can apply a forward policy with redirect or drop functions only to incoming traffic, which requires that you use the forward policy in command.
Forward policies are not supported for dynamic 802.1Q permanent virtual circuit (PVC) ranges.
Use the no form of this command to remove a forward policy from a circuit, port, or subscriber record.
Examples
The following example attaches the forward policy MirrorPolicy to outgoing traffic on an Asynchronous Transfer Mode (ATM) port:
[local]Redback(config)#port atm 13/1
[local]Redback(config-atm-oc)#forward policy MirrorPolicy out
Related Commands
drop
forward output
forward policy
forward policy in
mirror destination
redirect destination circuit
mirror destination
mirror destination dest-name {all | dropped | forwarded} [header-only] [sampling interval]
no mirror destination
Purpose
Enables the mirroring of packets to an output destination.
Command Mode
forward policy configuration
policy group class configuration
Syntax Description
dest-name Output destination name for mirrored traffic.
all Mirrors all traffic.
dropped Mirrors only dropped packets. Packets dropped by IP checksums or by access control lists (ACLs) are not mirrored.
forwarded Mirrors only forwarded packets.
header-only Optional. Mirrors only packet headers.
sampling interval Optional. Sampling interval, in milliseconds. Mirrors traffic periodically (as opposed to continuously).
Default
Packets are not mirrored.
Usage Guidelines
Use the mirror destination command to enable the mirroring of packets to an output destination. The destination name is the one that you specified for the circuit using the forward output command (in ATM PVC, Frame Relay PVC, GRE tunnel, or port configuration mode).
Note You can specify an Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC), an Ethernet port, a Frame Relay PVC, a Generic Routing Encapsulation (GRE) tunnel, or a Packet over SONET/SDH (POS) port as the output destination for mirrored or redirected traffic.
Use the no form of this command to disable the mirroring of packets to an output destination.
Examples
The following example configures a policy, MirrorPolicy, which mirrors dropped packets every 3 seconds (3000 milliseconds) to the output destination DroppedTraffic:
[local]Redback#config
[local]Redback(config)#forward policy MirrorPolicy
[local]Redback(config-policy-frwd)#mirror destination DroppedTraffic dropped sampling 3000
Related Commands
forward output
forward policy in
forward policy out
redirect destination circuit
redirect destination circuit dest-name
no redirect destination
Purpose
Redirects packets to an output destination.
Command Mode
forward policy configuration
policy group class configuration
Syntax Description
dest-name Output destination for redirected traffic.
Default
Packets are not redirected.
Usage Guidelines
Use the redirect destination circuit command to redirect packets to an output destination. The destination name is the one that you specified for the circuit using the forward output command (in ATM PVC, Frame Relay PVC, GRE tunnel, or port configuration mode).
Use the no form of this command to disable the redirecting of packets.
Examples
The following example redirects traffic to the output destination circuit OD15:
[local]Redback#config
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#redirect destination circuit OD15
Related Commands
forward output
forward policy in
redirect destination local
redirect destination next-hop
redirect destination next-hop
redirect destination next-hop {ip-addr... | default}
no redirect destination
Purpose
Redirects packets to the specified IP address or to the packet's default destination IP address according to
the routing table.
Command Mode
forward policy configuration
policy group class configuration
Syntax Description
ip-addr... One to eight next-hop IP addresses in order of priority. Each entry in the list
is an IP address in the form A.B.C.D.
default Specifies that the packet's destination IP address should be used to forward
the packet according to the routing table. When the default keyword is
active, the packet is routed and not redirected.
Default
Packets are not redirected.
Usage Guidelines
Use the redirect destination next-hop command to redirect packets to the specified IP address or to the
packet's default destination IP address according to the routing table.
If an address is unreachable, the next lower priority address is tried. From time to time, the system
tries to return to the highest priority entry available. The default keyword can be used in the next-hop list
instead of an IP address to indicate that the destination IP address from the packet should be used when all
higher priority next hops are unreachable. The default keyword can be first in the list, which means that
packets are redirected only when the normal route is unreachable.
Use the no form of this command to disable the redirecting of packets.
Note To modify the list of next-hop entries, you must re-enter the entire redirect destination
next-hop command.
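The selection order described in the Usage Guidelines, as an added model (not Redback code and not the SmartEdge OS implementation): the list is walked in configured priority, an unreachable address falls through to the next entry, the default keyword means "route by the packet's own destination", and an exhausted list drops the packet. The names Decision and resolve_next_hop are this example's own; the set of reachable addresses and the route_available flag are constructed inputs that stand in for the routing table, and re-running the selection for every packet is a simplification of the router's periodic return to the highest priority entry.

```python
"""Model of the SmartEdge OS redirect destination next-hop selection order.

Added example, not Redback code. Reachability of next hops and availability
of the packet's normal route are supplied by the caller (constructed inputs
standing in for the routing table).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

DEFAULT = "default"   # keyword: forward by the packet's own destination, do not redirect


@dataclass(frozen=True)
class Decision:
    action: str                   # "redirect", "route" or "drop"
    next_hop: Optional[str] = None


def validate_next_hops(next_hops: List[str]) -> None:
    """Reject lists the command syntax does not allow: one to eight IPv4
    addresses in A.B.C.D form, plus the optional default keyword."""
    addrs = [h for h in next_hops if h != DEFAULT]
    if not 1 <= len(addrs) <= 8:
        raise ValueError("one to eight next-hop IP addresses are required")
    for a in addrs:
        ipaddress.IPv4Address(a)  # raises AddressValueError on malformed input


def resolve_next_hop(next_hops: List[str], reachable: Set[str],
                     route_available: bool) -> Decision:
    """Decide the fate of one packet.

    Entries are tried in configured order (highest priority first); the
    selection is re-run per packet, a simplification of the router's
    periodic return to the highest priority entry. An unreachable address
    falls through to the next entry; `default` routes the packet normally
    and is skipped when the normal route is unavailable; if every entry is
    exhausted the packet is dropped.
    """
    validate_next_hops(next_hops)
    for hop in next_hops:
        if hop == DEFAULT:
            if route_available:
                return Decision("route")
            continue
        if hop in reachable:
            return Decision("redirect", hop)
    return Decision("drop")
```

Feeding the three example lists from this page through the function reproduces the behaviour each example describes: "10.1.1.1 10.1.2.1 default" falls back to normal routing, "default 10.1.1.1" redirects only when the normal route is unavailable, and "192.1.1.1 10.1.1.1" drops traffic when both hops are down.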
Examples
The following example redirects traffic to the next-hop IP address, 10.1.1.1. If that address is
unreachable, the SmartEdge OS redirects traffic to the next-hop IP address, 10.1.2.1. If both addresses
are unreachable, traffic is routed normally:
[local]Redback#config
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#redirect destination next-hop 10.1.1.1 10.1.2.1 default
The following example routes traffic normally. If the route is unavailable, traffic is redirected to the
next-hop IP address, 10.1.1.1:
[local]Redback#config
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#redirect destination next-hop default 10.1.1.1
The following example redirects traffic to the next-hop IP address, 192.1.1.1. If that address is
unreachable, the SmartEdge OS attempts to redirect traffic to the next-hop IP address, 10.1.1.1. If both
addresses are unreachable, traffic is dropped:
[local]Redback#config
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#redirect destination next-hop 192.1.1.1 10.1.1.1
Related Commands
forward output
forward policy in
redirect destination circuit
redirect destination local
Chapter 15
Service Policy Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS service policy features.
For information about the tasks and commands used to monitor, troubleshoot, and administer service
policies, see the Service Policy Operations chapter in the IP Services and Security Operations Guide for
the SmartEdge OS.
This chapter includes the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
Service policies determine the contexts that Point-to-Point Protocol (PPP) and PPP over Ethernet (PPPoE)
subscribers can access by verifying the domain or context name associated with subscriber records. PPP and
PPPoE sessions are established by an authentication, authorization, and accounting (AAA) process. Also,
you can configure a service policy so that the AAA process blocks specified PPPoE contexts and domains.
A service policy can be attached to any PPP- or PPPoE-encapsulated circuit using the bind authentication
command (in ATM PVC, dot1q PVC, port, and protocol configuration mode); for more information, see
the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
When the SmartEdge router is configured as a Layer 2 Tunneling Protocol (L2TP) network server (LNS),
a service policy can be attached to subscriber sessions on the L2TP tunnel with the session-auth command
(in L2TP peer configuration mode); for more information, see the L2TP Configuration chapter in the
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Configuration Tasks
To configure service policies, perform the tasks described in the following sections:
Configure a Service Policy
Attach a Service Policy to Subscriber Sessions
Configure a Service Policy
To configure a service policy, perform the tasks described in Table 15-1.
Attach a Service Policy to Subscriber Sessions
To attach a service policy to subscriber sessions, perform the appropriate task described in Table 15-2.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 15-1 Configure a Service Policy
1. Task: Configure a service policy name and access service policy configuration mode.
   Root command: service-policy
   Notes: Enter this command in global configuration mode.
2. Task: Configure the domain or context to which subscribers are allowed access.
   Root command: allow
   Notes: Enter this command in service policy configuration mode. To specify more than one context or
   domain, use this command multiple times. Any context names that are not specified through this
   command are implicitly denied.
3. Task: Configure the domain or context to which subscribers are denied access.
   Root command: deny
   Notes: Enter this command in service policy configuration mode. To specify more than one context or
   domain, use this command multiple times. Any context names that are not specified in this command
   are implicitly allowed.
Table 15-2 Attach a Service Policy to Subscriber Sessions
Task: Attach a service policy to PPP- and PPPoE-encapsulated subscriber sessions.
   Root command: bind authentication
   Notes: Enter this command in ATM PVC, dot1q PVC, port, and protocol configuration modes. This
   command is described in the Bindings Configuration chapter in the Ports, Circuits, and Tunnels
   Configuration Guide for the SmartEdge OS.
Task: Attach a service policy to PPP-encapsulated subscriber sessions on L2TP tunnels.
   Root command: session-auth
   Notes: Enter this command in L2TP peer configuration mode. This command is described in the L2TP
   Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Configuration Examples
The following example configures the service policy, local-only, which allows subscribers access to
the local context only. The service policy is applied to subscriber sessions using the specified
Asynchronous Transfer Mode (ATM) permanent virtual circuit (PVC):
[local]Redback(config)#service-policy name local-only
[local]Redback(config-policy-svc)#allow context name local
[local]Redback(config-policy-svc)#exit
[local]Redback(config)#port atm 4/1
[local]Redback(config-atm-oc)#atm pvc 3 5 profile atm1 encapsulation ppp
[local]Redback(config-atm-pvc)#bind authentication pap service-policy local-only
The following example restricts all subscribers that originate their session on ATM PVC 0 32 to be
tunneled only to the corp1 remote peer:
[local]Redback(config)#service-policy name Corp-One-Permit
[local]Redback(config-policy-svc)#allow domain name corp1.com
[local]Redback(config-policy-svc)#exit
[local]Redback(config)#context corporations
[local]Redback(config-ctx)#aaa authentication subscriber none
[local]Redback(config-ctx)#domain corp1.com
[local]Redback(config-ctx)#domain corp2.com
[local]Redback(config-ctx)#domain corp3.com
[local]Redback(config-ctx)#l2tp-peer name corp1 media udp-ip remote dns corp1.com local 10.1.1.1
[local]Redback(config-l2tp)#domain corp1.com
[local]Redback(config-l2tp)#exit
[local]Redback(config-ctx)#l2tp-peer name corp2 media udp-ip remote dns corp2.com local 10.1.1.2
[local]Redback(config-l2tp)#domain corp2.com
[local]Redback(config-l2tp)#exit
[local]Redback(config-ctx)#l2tp-peer name corp3 media udp-ip remote dns corp3.com local 10.1.1.3
[local]Redback(config-l2tp)#domain corp3.com
[local]Redback(config-l2tp)#exit
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#tunnel domain
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 5/1
[local]Redback(config-atm)#atm pvc 0 32 profile atm-pro-1 encapsulation pppoe
[local]Redback(config-atm-pvc)#bind authentication service-policy Corp-One-Permit
The following example blocks all subscribers using the service policy local-only from establishing a
successful PPPoE session to the context ctx_black and the domain dmn_black:
[local]Redback(config)#service-policy name local-only
[local]Redback(config-policy-svc)#deny context name ctx_black
[local]Redback(config-policy-svc)#deny domain name dmn_black
Once you have entered the above commands, you need to bind the settings to a circuit to put them into
effect. The following example binds the local-only service policy to the ubr1 ATM PVC profile:
[local]Redback(config)#port atm 11/1
[local]Redback(config-atm-ds3)#atm pvc 0 42 profile ubr1 encapsulation pppoe
[local]Redback(config-atm-ds3)#atm pvc 0 43 profile ubr1 encapsulation pppoe
[local]Redback(config-atm-pvc)#bind authentication pap service-policy local-only
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure service policies.
The commands are presented in alphabetical order:
allow
deny
service-policy
allow
allow {context name ctx-name | domain name name | pppoe service-name name | dhcp hostname
name}
no allow {context name ctx-name | domain name name | pppoe service-name name | dhcp hostname
name}
Purpose
Allows access to the specified context, Point-to-Point Protocol over Ethernet (PPPoE) service, or domain
for PPPoE subscriber sessions that are attached to the service policy. This command also allows a DHCP
client host access to the circuit that is associated with the service policy.
Command Mode
service policy configuration
Syntax Description
context name ctx-name Allows subscriber sessions access to the specified context.
domain name name Allows subscriber sessions access to the specified domain.
pppoe service-name name Allows PPPoE Active Discovery Initiation (PADI) or PPPoE Active
Discovery Request (PADR) packets access to the specified PPPoE service.
dhcp hostname name Allows the specified DHCP client host access to the circuit that is
associated with the service policy.
Default
None
Usage Guidelines
Use the allow command to allow access to the specified context, PPPoE service, or domain for subscriber
PPPoE sessions that are attached to the service policy. You can also use the allow command to allow a
DHCP client host to access the circuit that is associated with the service policy.
Any DHCP hosts, contexts, PPPoE services, or domains that are not explicitly specified by this command
are implicitly denied. Note that the SmartEdge router does not support both allow and deny in the same
service policy.
Use the no form of this command to remove access to the specified context, PPPoE service, or domain. Or,
you can use the no form of this command to remove a configuration that allows a DHCP client host to
access the circuit that is associated with the service policy.
Examples
The following example shows how to create a service policy called local-only, which allows
subscribers access to the local context and denies access to all other contexts:
[local]Redback(config)#service-policy name local-only
[local]Redback(config-policy-svc)#allow context name local
The following example shows how to create a service policy called AllowVoice, which allows the PPPoE
service named voice and denies all other PPPoE services:
[local]Redback(config)#service-policy name AllowVoice
[local]Redback(config-policy-svc)#allow pppoe service-name voice
The following example shows how to create a service policy called allowhosts, which allows the DHCP
client hosts named group2, group3, and group7 to access the circuit that is associated with the
specified service policy and denies all other DHCP client hosts access to the given circuit:
[local]Redback(config)#service-policy name allowhosts
[local]Redback(config-policy-svc)#allow dhcp hostname group2
[local]Redback(config-policy-svc)#allow dhcp hostname group3
[local]Redback(config-policy-svc)#allow dhcp hostname group7
Related Commands
deny
service-policy
deny
deny {context name ctx-name | domain name name | pppoe service-name name | dhcp hostname
name}
no deny {context name ctx-name | domain name name | pppoe service-name name | dhcp hostname
name}
Purpose
Denies access to the specified context, Point-to-Point Protocol over Ethernet (PPPoE) service, or domain
for PPPoE subscriber sessions that are attached to the service policy. This command also denies a DHCP
client host access to the circuit that is associated with the service policy.
Command Mode
service policy configuration
Syntax Description
context name ctx-name Denies subscriber sessions access to the specified context.
domain name name Denies subscriber sessions access to the specified domain.
pppoe service-name name Denies PPPoE Active Discovery Initiation (PADI) or PPPoE Active
Discovery Request (PADR) packets access to the specified PPPoE service.
dhcp hostname name Denies the specified DHCP client host access to the circuit that is
associated with the service policy.
Default
None
Usage Guidelines
Use the deny command to deny access to the specified context, PPPoE service, or domain for subscriber
PPPoE sessions that are attached to the service policy. You can also use the deny command to deny a DHCP
client host access to the circuit that is associated with the service policy.
Any DHCP hosts, contexts, PPPoE services, or domains that are not explicitly specified through this
command are implicitly allowed. Note that the SmartEdge router does not support both allow and deny in
the same service policy.
Use the no form of this command to allow access to a prohibited context, PPPoE service, or domain. Or,
you can use the no form of this command to remove a configuration that denies a DHCP client host access
to the circuit that is associated with the service policy.
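The evaluation rules stated in the allow and deny Usage Guidelines, as one added model (not Redback code and not the SmartEdge OS implementation) that serves both commands: a policy built from allow entries implicitly denies everything unlisted, a policy built from deny entries implicitly allows everything unlisted, and the two kinds cannot be mixed in one policy. The class ServicePolicy and the function parse_service_policy are this example's own names; the parser accepts the command lines used in this chapter's examples, and the assumption that a policy with no entries imposes no restriction is the example's, since the page only says the default is None.

```python
"""Model of SmartEdge OS service-policy evaluation (allow and deny).

Added example, not Redback code. Assumption: a policy with no entries
permits everything (the page states only that the default is None).
"""
from dataclasses import dataclass, field
from typing import Iterable, Set, Tuple

# keyword that follows each entry kind on the command line (from the syntax lines)
KIND_KEYWORDS = {"context": "name", "domain": "name",
                 "pppoe": "service-name", "dhcp": "hostname"}

Entry = Tuple[str, str]  # (kind, name)


@dataclass
class ServicePolicy:
    name: str
    allow: Set[Entry] = field(default_factory=set)
    deny: Set[Entry] = field(default_factory=set)

    def add(self, verb: str, kind: str, target: str) -> None:
        """allow ... / deny ...; refuses to mix the two in one policy."""
        if verb not in ("allow", "deny") or kind not in KIND_KEYWORDS:
            raise ValueError(f"unsupported entry {verb} {kind}")
        mine, other = (self.allow, self.deny) if verb == "allow" else (self.deny, self.allow)
        if other:
            raise ValueError(f"{self.name}: allow and deny cannot be mixed in one policy")
        mine.add((kind, target))

    def remove(self, verb: str, kind: str, target: str) -> None:
        """The no allow ... / no deny ... forms."""
        (self.allow if verb == "allow" else self.deny).discard((kind, target))

    def permits(self, kind: str, target: str) -> bool:
        if self.allow:
            return (kind, target) in self.allow      # unlisted: implicitly denied
        if self.deny:
            return (kind, target) not in self.deny   # unlisted: implicitly allowed
        return True                                  # assumption: no entries, no restriction


def parse_service_policy(lines: Iterable[str]) -> ServicePolicy:
    """Build a policy from lines such as 'service-policy name local-only'
    followed by 'allow context name local' or 'no deny dhcp hostname group1'."""
    policy = None
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        if len(words) == 3 and words[:2] == ["service-policy", "name"]:
            policy = ServicePolicy(words[2])
            continue
        if policy is None:
            raise ValueError("entry before service-policy name")
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if (len(words) != 4 or words[0] not in ("allow", "deny")
                or words[2] != KIND_KEYWORDS.get(words[1])):
            raise ValueError(f"cannot parse {raw!r}")
        verb, kind, target = words[0], words[1], words[3]
        (policy.remove if negate else policy.add)(verb, kind, target)
    return policy
```

Running the page's local-only, AllowData and denyhosts examples through the parser shows the two implicit defaults side by side: under local-only the context ctx_black is refused because it is not allowed, while under AllowData every PPPoE service except voice is accepted because nothing else is denied.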
Examples
The following example shows how to configure a service policy, local-only, which denies subscriber
access to the ctx_black context and dmn_black domain:
[local]Redback(config)#service-policy name local-only
[local]Redback(config-policy-svc)#deny context name ctx_black
[local]Redback(config-policy-svc)#deny domain name dmn_black
The following example shows how to create a service policy called AllowData, which denies the PPPoE
service named voice and allows all other PPPoE services:
[local]Redback(config)#service-policy name AllowData
[local]Redback(config-policy-svc)#deny pppoe service-name voice
The following example shows how to create a service policy called denyhosts, which denies the DHCP
client hosts named group1, group4, and group5 access to the circuit that is associated with the
specified service policy and allows all other DHCP client hosts to access the circuit:
[local]Redback(config)#service-policy name denyhosts
[local]Redback(config-policy-svc)#deny dhcp hostname group1
[local]Redback(config-policy-svc)#deny dhcp hostname group4
[local]Redback(config-policy-svc)#deny dhcp hostname group5
Related Commands
allow
service-policy
service-policy
service-policy name svc-pol-name
no service-policy name svc-pol-name
Purpose
Configures a service policy name and enters service policy configuration mode.
Command Mode
global configuration
Syntax Description
name svc-pol-name Service policy name.
Default
None
Usage Guidelines
Use the service-policy command to configure a service policy name and enter service policy configuration
mode.
Use the no form of this command to remove a service policy.
Examples
The following example configures a service policy, local-only, and allows subscribers access to the
local context only:
[local]Redback(config)#service-policy name local-only
[local]Redback(config-policy-svc)#allow context name local
Related Commands
allow
deny
Part 6
IP Quality of Service Policies
This part describes the tasks and commands used to configure quality of service (QoS) policies, ports,
channels, circuits, and applications for QoS functions, and FAC profiles. It consists of the following
chapters:
Chapter 16, QoS Rate- and Class-Limiting Configuration
Chapter 17, QoS Scheduling Configuration
Chapter 18, QoS Circuit Configuration
Chapter 19, Flow Admission Control Configuration
Chapter 16
QoS Rate- and Class-Limiting Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS quality of service (QoS)
features.
For information about other QoS configuration tasks and commands, see the following chapters:
Chapter 17, QoS Scheduling Configuration: scheduling features (scheduling policies)
Chapter 18, QoS Circuit Configuration: port, channel, and circuit configuration for all QoS policies
and features
For information about the tasks and commands used to monitor, troubleshoot, and administer QoS, see the
QoS Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note In this chapter, the term, first-generation Asynchronous Transfer Mode (ATM) OC traffic
card, refers to a 2-port ATM OC-3c/STM-1c or ATM OC-12c/STM-4c traffic card; similarly,
the term, second-generation ATM OC traffic card, refers to a 2-port ATM OC-3c/STM-1c
media interface card (MIC), 4-port ATM OC-3c/STM-1c, or Enhanced ATM
OC-12c/STM-4c traffic card.
Overview
The Internet provides only best-effort service, offering no guarantees on when or whether a packet is
delivered to the receiver. However, the SmartEdge OS differentiates traffic based on the subscriber record,
the traffic type, and the application. QoS policies create and enforce quality of service levels and bandwidth
rates, and prioritize how incoming and outgoing packets are scheduled. The SmartEdge OS classifies,
marks, and rate-limits incoming packets as described in these sections:
Priority Groups
Policy Access Control Lists
QoS Policing and Metering Class Definitions
Summary
Priority Groups
Incoming packets can be classified by assignment to a priority group. A priority group is an internal value
used by the SmartEdge router to determine into which egress queue the inbound packet should be placed.
The actual queue number depends upon the queue map used and the number of queues configured on the
circuit. The type of service (ToS) value and the IP Differentiated Services Code Point (DSCP) bits are not
changed when assigned to a priority group.
Policy Access Control Lists
A classification filter is configured by a policy access control list (ACL). Each policy ACL supports up to
eight unique classes. Packets can be classified according to IP precedence value, protocol number,
IP source and destination address, Internet Control Message Protocol (ICMP) attributes, Internet Group
Management Protocol (IGMP) attributes, Transmission Control Protocol (TCP) attributes, and
User Datagram Protocol (UDP) attributes.
A policy ACL can be applied to incoming or outgoing packets on a port, circuit, or for a subscriber record.
A policy ACL is applied to incoming packets through a QoS policing policy and to outgoing packets
through a QoS metering policy. For details about policy ACLs, see Chapter 12, ACL Configuration.
QoS Policing and Metering Class Definitions
A QoS policing policy can classify, mark, rate-limit, or perform all actions on incoming packets; a QoS
metering policy performs the same operations for outgoing packets. You can apply both types of policies
at one of two levels or at both levels, simultaneously. Either type of policy can apply to all packets on a
particular circuit; this application is referred to as a circuit-based action. Alternatively, a policy can apply
to only a particular class of packets traveling across the circuit; the class is configured using a policy ACL
and the application is referred to as a class-based action. These actions (classification, marking, and
rate-limiting) and the types of application are described in the following sections:
Circuit-Based Marking
Circuit-Based Rate-Limiting
Class-Based Marking
Class-Based Rate-Limiting
Circuit-Based and Class-Based Rate-Limiting
Single Rate Three-Color Markers
Policy Inheritance
Mapping a Child Policy Class to a Parent Class
Circuit-Based Marking
When a QoS policy is applied to a circuit without a policy ACL, all packets traveling over the circuit are
affected by the QoS policy.
The value of packets traveling over the circuit can be modified by the SmartEdge OS and sent out from the
router with the new value through either the mark dscp or mark precedence command in policing policy
configuration mode (for incoming packets) or in metering policy configuration mode (for outgoing
packets).
Or, packets can be prioritized by the SmartEdge OS for internal flow of traffic through the router only using
the mark priority command in policing policy configuration mode (for incoming packets) or in metering
policy configuration mode (for outgoing packets). In this case, when packets are sent out from the router,
they retain their original value.
Circuit-Based Rate-Limiting
When a QoS policy is applied to a circuit without a policy ACL, all packets traveling over the circuit are
affected by the QoS policy.
By default, inbound packets that conform to the policing or metering rate are admitted with no additional
action taken, while packets that exceed the rate are dropped. To modify the action taken by the
SmartEdge OS, use the conform and exceed commands in policy rate configuration mode; see Figure 16-1.
Figure 16-1 Circuit-Based Rate-Limiting
Class-Based Marking
When a QoS policy is applied to a circuit in conjunction with a policy ACL, only particular classes of
packets traveling over the circuit are affected by the QoS policy. To configure up to eight classes to
prioritize packets differently, use the class command (in policy group configuration mode). For details
about policy ACLs, see Chapter 12, ACL Configuration.
The prioritization for particular classes of packets can be modified and sent out the router with the new
value using the mark dscp or mark precedence command (in policy ACL class configuration mode).
Classes of packets can also be prioritized for only the internal flow of traffic through the router using the
mark priority command (in policy group class configuration mode), so that when packets are sent out from
the router, they retain their original value.
Class-Based Rate-Limiting
When a QoS policy is applied to a circuit in conjunction with a policy ACL or class-definition, only
particular classes of packets traveling over the circuit are affected by the QoS policy.
By default, inbound packets that conform to the QoS policy rate are admitted with no additional action
taken, while packets that exceed the rate are dropped. You can modify the default behavior for classes of
packets using the conform and exceed commands in policy class rate configuration mode; see Figure 16-2.
Figure 16-2 Class-Based Rate-Limiting
Circuit-Based and Class-Based Rate-Limiting
A circuit can be rate-limited for an overall bandwidth, while each traffic class on the circuit is assigned a
specific rate. Class-based rate limiting is applied to the packets first; see Figure 16-3. Then the circuit rate
limit is applied to all packets, regardless of class and including packets that do not belong to any class (the
default class).
If a class-based traffic rate is less than the circuit rate, that class-based traffic is guaranteed through the
policing or metering policy. However, class-based traffic cannot borrow bandwidth from other classes.
The default class is allowed to borrow bandwidth, up to the circuit rate, if it is configured without a rate;
however, if the class-based rate is equal to the circuit rate, the class-based traffic can severely limit default
class traffic to the point where no default traffic can be transmitted or received.
Figure 16-3 Circuit-Based and Class-Based Rate-Limiting
Single Rate Three-Color Markers
The single rate three-color marker implementation meters traffic and assigns a color to packets for rate
limiting purposes according to the following three configurable traffic thresholds:
The traffic rate
The burst tolerance
The excess burst tolerance
The traffic rate, burst tolerance, and excess burst tolerance are configurable thresholds that you can use to
specify how packets are dropped or marked. Depending on which thresholds are exceeded, packets are
classified, using one of the following colors:
Green: Packets that do not exceed the traffic rate or the burst tolerance. To configure the rate limiting
action taken for these packets, use one of the conform commands in policy class rate configuration or
policy rate configuration mode.
Yellow: Packets that exceed the burst tolerance, but do not exceed the excess burst tolerance. To
configure the rate limiting action taken for these packets, use one of the exceed commands in policy
class rate configuration or policy rate configuration mode.
Red: Packets that exceed the excess burst tolerance. To configure the rate limiting action taken for
these packets, use one of the violate commands in policy class rate configuration or policy rate
configuration mode.
The SmartEdge OS implementation of a single rate three-color marker conforms to RFC 2697, A Single
Rate Three Color Marker.
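The three-threshold colouring described above, as an added example that implements the RFC 2697 single rate three-color marker in colour-blind mode (this is not Redback code and not the SmartEdge OS implementation). The page's traffic rate, burst tolerance and excess burst tolerance are the RFC's CIR, CBS and EBS: two token buckets C and E start full, are refilled at CIR bytes per second with C filled first and the overflow going to E, and a packet is green if bucket C covers it, yellow if only bucket E covers it, red otherwise. The conform / exceed / violate keywords are taken from the page; the class name SingleRateThreeColorMarker, the function police and the action strings in CONSTRUCTED_ACTIONS are this example's own.

```python
"""Single rate three-color marker (RFC 2697), colour-blind mode.

Added example, not Redback code. CIR is in bytes per second, CBS and EBS
in bytes; timestamps are seconds. CONSTRUCTED_ACTIONS holds made-up
sample settings for the conform / exceed / violate actions.
"""
from typing import Dict, Iterable, List, Tuple


class SingleRateThreeColorMarker:
    def __init__(self, cir_bytes_per_s: float, cbs: int, ebs: int, now: float = 0.0):
        if cir_bytes_per_s <= 0 or cbs <= 0 or ebs < 0:
            raise ValueError("CIR and CBS must be positive, EBS non-negative")
        self.cir, self.cbs, self.ebs = cir_bytes_per_s, cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)   # both buckets start full (RFC 2697)
        self.last = now

    def _refill(self, now: float) -> None:
        # tokens (bytes) earned since the previous packet go to C until it is
        # full, then to E until it is full; the rest is discarded
        earned = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        into_c = min(earned, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(float(self.ebs), self.te + (earned - into_c))

    def color(self, size: int, now: float) -> str:
        """Colour one packet of `size` bytes arriving at time `now`."""
        self._refill(now)
        if self.tc >= size:            # within traffic rate + burst tolerance
            self.tc -= size
            return "green"
        if self.te >= size:            # within the excess burst tolerance
            self.te -= size
            return "yellow"
        return "red"                   # beyond the excess burst tolerance


# colour -> command family that configures its action (from the page)
ACTION_KEYWORD = {"green": "conform", "yellow": "exceed", "red": "violate"}

# constructed sample policy-rate settings for the demo, not from the page
CONSTRUCTED_ACTIONS = {"conform": "transmit", "exceed": "mark", "violate": "drop"}


def police(marker: SingleRateThreeColorMarker, packets: Iterable[Tuple[float, int]],
           actions: Dict[str, str] = CONSTRUCTED_ACTIONS) -> List[Tuple[str, str]]:
    """Return (colour, action) per packet for (timestamp, size) pairs in arrival order."""
    out = []
    for t, size in packets:
        c = marker.color(size, t)
        out.append((c, actions[ACTION_KEYWORD[c]]))
    return out
```

With CIR 1000 bytes/s, CBS 1500 and EBS 3000, a burst of four 1000-byte packets at t=0 yields one green packet and three yellow ones, a fifth packet is red, and one second later bucket C has been refilled by exactly 1000 bytes, which is the behaviour the three thresholds above describe.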
Policy Inheritance
Child circuits can inherit the QoS metering and policing policies attached to the parent circuit on which the
child circuits are configured if the keyword inherit or hierarchical is specified on the parent binding. If you
attach a different metering or policing policy to a child circuit, those policies override the metering or
policing policy attached to the parent circuit unless the parent policy applied is configured with the
keyword hierarchical.
By default, using the optional keyword inherit when configuring a metering or policing policy for a parent
circuit results in all of the children of the parent circuit inheriting the parent circuit policy, unless the
children have a more specific policy configured. In this case, rate limiting is applied collectively to the child
circuit and the parent circuit, which means all circuits to which the parent policy is to be applied are
collectively subject to the rate limitations specified in the parent circuit's metering or policing policy.
Using the optional keyword hierarchical when configuring a metering or policing policy for a parent
circuit results in applying both the child circuit policy and the parent circuit policy to the traffic on the child
circuit. With hierarchical metering or policing policy, rate limiting is applied on the packets destined for the
child circuit first using the child policy. If the child metering or policing policy includes a drop policy, then
the SmartEdge router drops the appropriate packets if the traffic rate exceeds the rate limit. Those packets
that were not dropped are processed and rate-limited once again, along with all the other packets destined
for the parent circuit, using the parent policy.
Essentially, the child circuit traffic is processed and rate-limited twice and the parent circuit's native traffic
is processed and rate-limited once. With hierarchical metering or policing policy enabled, a child is subject
to its own specified rate limitations and then is collectively subject to the rate limitations specified in the
parent circuit metering or policing policy, along with its parent and peers.
The following types of inheritance are supported:
802.1Q permanent virtual circuit (PVC) or tunnel from a parent Ethernet port
802.1Q PVC from a parent 802.1Q tunnel
Point-to-Point Protocol over Ethernet (PPPoE) sessions from a parent 802.1Q PVC
PPP and PPPoE sessions from a parent ATM PVC
Mapping a Child Policy Class to a Parent Class
Traffic subject to both an individual metering or policing policy and a hierarchical metering or policing
policy configured on the parent circuit cannot be classified twice. However, mapping a metering or policing
policy class to a parent policy class is supported when applying the hierarchical metering or policing policy
to traffic on a child circuit that has its own metering and policing policy.
You can configure the parent-class keyword within the class-level configuration mode within the child
metering or policing policy. The parent-class keyword allows you to map a child class, which is determined
during policy ACL or class-definition map classification, to a parent class. This mapping allows the class
determination at the child level to also determine the class assignment at the parent level. This mapping
occurs during the second phase of rate limiting that is applied to the child circuit traffic (when enforcing
the parent metering or policing policy). The parent-class keyword configured in the child policy class
specifies the parent class to which this packet is assigned.
Note Only one level of hierarchical metering or policing can be applied to a circuit. A circuit can
have a maximum of two policing or metering policies applied: one individual or inherited
through the inherit keyword, and one inherited through the hierarchical keyword. If a circuit
is subject to two "hierarchical" parents (for example, a PPPoX session with a hierarchical
metering binding on its 802.1q PVC parent and a hierarchical metering binding on its Ethernet
port grandparent), only the binding on its closest relative (the PVC in this example) applies.
Here is a summary of the steps that take place when a hierarchical metering or policing policy is configured
along with an ACL class or a class-definition map:
1. The metering or policing actions specified for the child class (determined during policy ACL or
class-definition map classification) are applied to the packets destined for the child circuit. The child
metering or policing policy is enforced during this step of the rate-limiting process.
2. The metering or policing actions specified for the parent class to which the child class is mapped are
applied to the packets destined for the child circuit. The parent hierarchical metering or policing policy
is applied during this step of the rate-limiting process.
3. The metering or policing actions specified for the parent class (determined during policy ACL or
class-definition map classification) are applied to the packets destined for the parent circuit. The parent
metering or policing policy is enforced during this step of the rate-limiting process.
Note that the second metering or policing enforcement phase for child circuit traffic and the single
metering or policing enforcement phase for the parent circuit traffic take place concurrently. The traffic
of all the child circuits subject to the parent policy, and the parent circuit traffic itself, is treated in
aggregate when enforcing any rate limits specified in the policy of the parent circuit.
If the parent-class keyword is specified for a child class, and the specified parent class name does not exist
in the parent hierarchical metering or policing policy, then traffic for the child class is not mapped to any
parent class and is subject only to the metering or policing parameters specified for the parent policy level
rate (if specified) during the second rate-limiting phase to be applied to this traffic.
If the parent-class keyword is not specified for a child class, then traffic for the given child class is not
mapped to any parent class and is only subject to the metering or policing parameters specified for the
parent's policy-level rate (if specified) during the second rate-limiting phase applied to this traffic.
If the child circuit does not have its own metering or policing policy, then the policy ACL (or
class-definition map) configured on the parent whose hierarchical metering or policing policy is to be
applied is used to classify traffic on the child circuit.
During periods of traffic congestion at the parent circuit level, the rate limiting at the parent circuit level is
processed on a first-come, first-served basis. This means any packet destined for either the child circuit or
the parent circuit can be dropped if the SmartEdge router determines that the traffic exceeds the rate limit
threshold specified in the parent hierarchical metering or policing policy.
Note The policy ACL or class-definition map classification for a given child class is only
performed once when hierarchical metering or policing is enabled. This class is then mapped
to a different class, the parent class. The policy ACL or class-definition map classification
itself is not performed again when hierarchical metering or policing is enabled.
Summary
The following provides a high-level view of QoS traffic through the SmartEdge router:
1. (Prioritization) The packet is assigned an internal priority level and an internal drop precedence. Priority
and precedence are determined by a default mapping from a priority specified in the packet's protocol
headers, or they can be customized with a class map.
2. (Policing) As the packet enters the SmartEdge router, the packet may be subject to a policing policy
configured on the incoming port, circuit, or subscriber record:
a. As the packet enters the SmartEdge router, the packet may be subject to a classification filter
configured by a policy ACL or class-definition, identifying the packet as belonging to one of up to
eight defined classes.
b. Packets belonging to each class can be rate-limited, marked or dropped. The per-class traffic can be
treated as follows:
Per-class rate limits may be set, and different marking or dropping actions can be defined for the
traffic, depending on whether it conforms to or exceeds the target rate and burst allowance.
If it is not dropped due to rate-limiting, the packet can have its internal priority or
drop-precedence values modified, or it can be marked by changing its external IP precedence
(DSCP) value.
3. At this point, the SmartEdge OS transports the packet to the appropriate outbound traffic card.
4. (Metering) Before the packet is queued for transmission, the packet may be subject to a metering policy
configured on the outgoing port, circuit, or subscriber record:
a. Before the packet exits the SmartEdge router, the packet may be subject to a classification filter
configured by a policy ACL or class-definition, identifying the packet as belonging to one of up to
eight defined classes.
b. Packets belonging to each class can be rate limited, marked or dropped. The per-class traffic can be
treated as follows:
Per-class rate limits may be set, and different marking or dropping actions can be defined for the
traffic depending on whether it conforms to or exceeds the target rate and burst allowance.
If it is not dropped due to rate-limiting, the packet can have its internal priority and/or
drop-precedence values modified and/or it can be marked by changing its external IP precedence
(DSCP) value.
5. Optionally, the packet's internal priority and drop-precedence value assigned by the SmartEdge OS can
be used as the basis to modify the packet's external priority markings in its protocol headers. This
assignment can use a default mapping or be customized using a class-map.
6. Each outgoing packet is assigned to an egress queue based on the destination circuit and its internal
priority setting. Egress queues on outbound traffic cards have associated scheduling parameters such as
rates, depths, and relative weights. The traffic card's scheduler draws packets from the queues based on
weight, rate, or strict priority:
a. A packet can be dropped when queues back up over a configured discard threshold or because of a
random early detection (RED) parameter setting.
b. If a packet is not dropped, it is scheduled for transmission based on its priority group and its
scheduling policy.
Configuration Tasks
To configure a metering or policing policy, complete the tasks described in the following sections:
Policy Configuration Guidelines
Configure a Metering Policy
Configure a Policing Policy
Apply a Policy ACL
Customize Classification Mappings
Policy Configuration Guidelines
The following guidelines apply to the configuration of QoS metering and policing policies:
You can either mark or establish a rate for packets on a single circuit, port, or subscriber record; these
conditions are mutually exclusive.
Only one marking instruction can be in effect at a time. Any succeeding command supersedes the
previous instruction.
Configure a Metering Policy
To configure a metering policy, perform the tasks described in Table 16-1; enter all commands in metering
policy configuration mode, unless otherwise noted.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 16-1 Configure a Metering Policy
1. Create or select a metering policy and access metering policy configuration mode.
   Root command: qos policy metering
   Notes: Enter this command in global configuration mode.
2. Optional. Mark outgoing packets associated with the policy with one of the following tasks:
   Notes: Only one marking instruction can be in effect at any time.
   - Assign a DSCP priority: mark dscp
   - Assign a drop precedence value: mark precedence
   - Assign a priority group number, a drop-precedence value, or both: mark priority
3. Set the policy rate for outgoing packets and access policy rate configuration mode.
   Root command: rate
4. Optional. Specify the treatment of outgoing packets that conform to a set rate with one of the following
   tasks:
   Notes: Enter these commands in policy rate configuration mode. Only one marking instruction can be in
   effect at any time.
   - Specify that no action is taken on packets: conform no-action
   - Mark packets with a DSCP class: conform mark dscp
   - Mark packets with a drop precedence value: conform mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: conform mark priority
5. Optional. Specify the treatment of outgoing packets that exceed a set rate with one of the following tasks:
   Notes: Enter these commands in policy rate configuration mode. Only one marking instruction can be in
   effect at any time.
   - Drop outgoing packets: exceed drop
   - Specify that no action is taken on packets: exceed no-action
   - Mark packets with a DSCP class: exceed mark dscp
   - Mark packets with a drop precedence value: exceed mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: exceed mark priority
6. Optional. Specify the treatment of outgoing packets that violate a set rate with one of the following tasks:
   Notes: Enter these commands in policy rate configuration mode. Only one marking instruction can be in
   effect at any time.
   - Drop outgoing packets: violate drop
   - Specify that no action is taken on packets: violate no-action
   - Mark packets with a DSCP class: violate mark dscp
   - Mark packets with a drop precedence value: violate mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: violate mark priority
7. Optional. Apply a policy ACL to this policy.
   Notes: See the Apply a Policy ACL section.
Configure a Policing Policy
To configure a policing policy, perform the tasks described in Table 16-2; enter all commands in policing
policy configuration mode, unless otherwise noted.
Table 16-2 Configure a Policing Policy
1. Create or select a policing policy and access policing policy configuration mode.
   Root command: qos policy policing
   Notes: Enter this command in global configuration mode.
2. Optional. Mark incoming packets associated with the policy with one of the following tasks:
   Notes: Only one marking instruction can be in effect at any time.
   - Assign a DSCP priority: mark dscp
   - Assign a drop precedence value: mark precedence
   - Assign a priority group number, a drop-precedence value, or both: mark priority
3. Set the policy rate for incoming packets and access policy rate configuration mode.
   Root command: rate
4. Optional. Specify the treatment of incoming packets that conform to a set rate with one of the following
   tasks:
   Notes: Enter these commands in policy rate configuration mode. Only one marking instruction can be in
   effect at any time.
   - Specify that no action is taken on packets: conform no-action
   - Mark packets with a DSCP class: conform mark dscp
   - Mark packets with a drop precedence value: conform mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: conform mark priority
5. Optional. Specify the treatment of incoming packets that exceed a set rate with one of the following tasks:
   Notes: Enter these commands in policy rate configuration mode. Only one marking instruction can be in
   effect at any time.
   - Drop inbound packets: exceed drop
   - Specify that no action is taken on packets: exceed no-action
   - Mark packets with a DSCP class: exceed mark dscp
   - Mark packets with a drop precedence value: exceed mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: exceed mark priority
6. Optional. Specify the treatment of incoming packets that violate a set rate with one of the following tasks:
   Notes: Enter these commands in policy rate configuration mode. Only one marking instruction can be in
   effect at any time.
   - Drop inbound packets: violate drop
   - Specify that no action is taken on packets: violate no-action
   - Mark packets with a DSCP class: violate mark dscp
   - Mark packets with a drop precedence value: violate mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: violate mark priority
7. Optional. Apply a policy ACL to this policy.
   Notes: See the Apply a Policy ACL section.
Apply a Policy ACL
To apply a policy ACL to packets associated with a QoS metering or policing policy and complete the
configuration of the policy, perform the tasks described in Table 16-3.
Table 16-3 Apply a Policy ACL
1. Apply a policy ACL to a QoS metering policy or a QoS policing policy, and access policy group
   configuration mode.
   Root command: access-group
   Notes: Enter this command in policing policy or metering policy configuration mode.
2. Specify a class and access policy group class configuration mode.
   Root command: class
   Notes: Enter this command in policy group configuration mode. The class name must match the name of
   a class specified in a permit command in the policy ACL.
3. Optional. Specify a mapping of a child class to a parent class.
   Root command: parent-class
   Notes: This configuration is only applicable when the policy is applied to a circuit that is also
   subject to a metering policy applied hierarchically to a parent of the circuit. Enter this command in
   policy group class configuration mode.
4. Optional. Specify the rate for this class, using one of the following tasks:
   Notes: Enter these commands in policy group class configuration mode.
   - Set the rate and burst tolerance and access policy class rate configuration mode: rate
   - Assign a percentage of the overall policy rate to this class of traffic and access policy class rate
     configuration mode: rate percentage
5. Optional. Specify the treatment of packets that conform to the rate, using one of the following tasks:
   Notes: Enter these commands in policy class rate configuration mode. Only one marking instruction can
   be in effect at any time.
   - Specify that no action is taken on packets: conform no-action
   - Mark packets with a DSCP class: conform mark dscp
   - Mark packets with a drop precedence value: conform mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: conform mark priority
6. Optional. Specify the treatment of packets that exceed a set rate, using one of the following tasks:
   Notes: Enter these commands in policy class rate configuration mode.
   - Drop inbound packets: exceed drop
   - Specify that no action is taken on packets: exceed no-action
   - Mark packets with a DSCP class: exceed mark dscp
   - Assign a drop precedence value to packets: exceed mark precedence
   - Assign a priority group number to packets: exceed mark priority
7. Optional. Specify the treatment of packets that violate a set rate, using one of the following tasks:
   Notes: Enter these commands in policy class rate configuration mode.
   - Drop inbound packets: violate drop
   - Specify that no action is taken on packets: violate no-action
   - Mark packets with a DSCP class: violate mark dscp
   - Mark packets with a drop precedence value: violate mark precedence
   - Mark packets with a priority group number, a drop-precedence value, or both: violate mark priority
Customize Classification Mappings
To customize classification mappings for QoS bits, perform the tasks described in Table 16-4.
Table 16-4 Customize Classification Mappings
1. Create a classification map and access class map configuration mode.
   Root command: qos class-map
   Notes: Enter this command in global configuration mode.
2. Optional. Define the default QoS translation schema to use with a classification map.
   Root command: mapping-schema
   Notes: Enter this command in class map configuration mode.
3. Optional. Define class definitions to group packets:
   - Specify a class definition and access policy group configuration mode: class-group
     Notes: Enter this command in metering and policing policy configuration modes. You can reference
     class names in this class definition, and assign actions to perform on packets assigned to the
     specified class.
   - Create or specify a class definition, and access class definition configuration mode:
     qos class-definition
     Notes: Enter this command in global configuration mode.
   - Edit the contents of the specified class definition: qos class
     Notes: Enter this command in class definition configuration mode. Packets with the specified
     internal packet descriptor classification value are assigned to a class name that you can reference
     in policing or metering policies.
Configuration Examples
Examples of rate limiting and class-based marking, using policing policy configurations, are described in
the following sections:
Circuit-Based Marking
Circuit-Based Rate-Limiting
Class-Based and Circuit-Based Rate Limiting
Circuit-Based Marking
The following example simply marks all packets on the circuit to which the policy, circuit, is applied
with a DSCP value of ef, which indicates a high priority through expedited forwarding. Packets are not
required to conform to a specific traffic rate:
[local]Redback(config)#qos policy circuit policing
[local]Redback(config-policy-policing)#mark dscp ef
Circuit-Based Rate-Limiting
The following example configures the QoS policy, circuit. Packets conforming to 10000 kbps are
marked with a DSCP value of ef, which indicates a high priority through expedited forwarding. Packets
that exceed the rate are dropped by default. The counters keyword in the rate command records the number
of packets conforming to the rate limit and the number of packets exceeding the rate limit:
[local]Redback(config)#qos policy circuit policing
[local]Redback(config-policy-policing)#rate 10000 burst 1000 counters
[local]Redback(config-policy-rate)#conform mark dscp ef
Class-Based and Circuit-Based Rate Limiting
The following example creates a policy ACL, qosmet, in the local context and attaches it to the QoS
metering policy, meter. The ACL classifies packets by IP precedence into three classes (class-1 for
priority, class-2 for immediate, and class-3 for flash) and a default class, default. The QoS policy
assigns a different rate to each of the three precedence classes; packets classified as default are marked
with priority 7:
[local]Redback(config-ctx)#policy access-list qosmet
[local]Redback(config-access-list)#seq 10 permit ip any precedence priority class class-1
[local]Redback(config-access-list)#seq 20 permit ip any precedence immediate class class-2
[local]Redback(config-access-list)#seq 30 permit ip any precedence flash class class-3
[local]Redback(config-access-list)#seq 40 permit ip any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy meter metering
[local]Redback(config-policy-metering)#rate 1000 burst 50000 excess-burst 200000 counters
[local]Redback(config-policy-metering)#access-group qosmet local
[local]Redback(config-policy-group)#class class-1
[local]Redback(config-policy-group-class)#rate 1000 burst 50000 excess-burst 200000 counters
[local]Redback(config-policy-class-rate)#exit
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class class-2
[local]Redback(config-policy-group-class)#rate 2000 burst 50000 excess-burst 200000 counters
[local]Redback(config-policy-class-rate)#exit
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class class-3
[local]Redback(config-policy-group-class)#rate 3000 burst 50000 excess-burst 200000 counters
[local]Redback(config-policy-class-rate)#exit
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark priority 7
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-metering)#exit
The following example creates a policy ACL, qos-class, in the local context and attaches it to the QoS
metering policy, sub-rate. The ACL defines three classes: tcp, voip, and default:
[local]Redback(config-ctx)#policy access-list qos-class
[local]Redback(config-access-list)#sequence 10 permit ip precedence tcp any any class tcp
[local]Redback(config-access-list)#sequence 20 permit ip precedence ip any any dscp equ cs6 class voip
[local]Redback(config-access-list)#sequence 30 permit ip any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy sub-rate metering
[local]Redback(config-policy-metering)#rate 2000 burst 100000 excess-burst 200000 counters
[local]Redback(config-policy-metering)#access-group qos-class local
[local]Redback(config-policy-group)#class tcp
[local]Redback(config-policy-group-class)#rate 1000 burst 50000 excess-burst 100000 conform mark priority 3
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#rate 200 burst 20000 excess-burst 40000 conform mark priority 0
[local]Redback(config-policy-class-rate)#exit
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark priority 7
The following example configures the QoS policing policy, combined, which combines circuit-based
rate-limiting and class-based rate-limiting and marking:
[local]Redback(config)#qos policy combined policing
[local]Redback(config-policy-policing)#rate 10000 burst 5000
[local]Redback(config-policy-rate)#conform mark precedence 2
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#access-group qos local
[local]Redback(config-policy-group)#class web
[local]Redback(config-policy-group-class)#rate 5000 burst 1000
[local]Redback(config-policy-class-rate)#conform mark dscp AF11
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp ef
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark dscp df
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure QoS policies.
The commands are presented in alphabetical order:
class-group
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
mapping-schema
mark dscp
mark precedence
mark priority
parent-class
qos class
qos class-definition
qos class-map
qos policy metering
qos policy policing
rate
rate-calculation
rate percentage
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
class-group
class-group class-definition-name
no class-group
Purpose
Specifies a class definition and enters policy group configuration mode.
Command Mode
metering policy configuration
policing policy configuration
Syntax Description
class-definition-name Class definition name. Alphanumeric string of up to 39 characters.
Default
No class definition is assigned to a policing or metering policy.
Usage Guidelines
Use the class-group command to specify a class definition and enter policy group configuration mode. A
packet subject to the policing or metering policy being configured is assigned a class according to the
referenced class definition. In policy group configuration mode, you can reference class names defined in
the class definition and assign actions to perform on packets assigned to a class. You can configure any
command or action that is available for policy access control list (ACL) classes or for class-definition
classes.
Class-definition policing or metering is an alternative to ACL policing or metering. For each metering or
policing policy, you can specify either an ACL group or a class group, but not both. Unlike ACL metering
and policing policies, which require access to the packet's IP header, you can apply class-definition
metering and policing policies to Layer 2 circuits, such as Layer 2 Tunneling Protocol (L2TP) access
concentrator (LAC) sessions, Layer 2 Virtual Private Networks (VPNs) and cross-connections, and bridged
circuits. When you apply policing and metering policies to Layer 2 circuits, you cannot use the mark dscp
and mark precedence commands to mark packets and assign priority because these commands also require
access to the packet's IP header. When a packet arrives, the router applies any ingress classification
propagation and mapping to determine a packet's initial packet descriptor (PD) value. If you use a class
definition to apply a policing policy, the resulting PD value for the packet determines its class.
You can use class-definition policing or metering to propagate quality of service (QoS) settings without
configuring classification maps.
Use the qos class-definition command (in global configuration mode) to define a class definition to be
referenced by a metering or policing policy.
Use the no form of this command to remove the class group reference.
Related Commands
qos class-definition
conform mark dscp
conform mark dscp dscp-class
{no | default} conform mark dscp
Purpose
Marks inbound packets that conform to the configured quality of service (QoS) rate with a Differentiated
Services Code Point (DSCP) value.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
dscp-class Priority with which packets conforming to the rate are marked. Values can be:
   An integer from 0 to 63.
   One of the keywords listed in Table 16-5.
Default
No action is taken on packets that conform to the configured rate.
Usage Guidelines
Use the conform mark dscp command to mark inbound packets that conform to the configured rate with
a DSCP value.
You can configure the rate using the rate command (in policy ACL class, metering policy, or policing
policy configuration mode). Only one mark instruction can be in effect at a time. To change the mark
instruction, enter the conform mark dscp command, specifying a new value for the dscp-class argument,
which supersedes the one previously configured.
Table 16-5 lists the keywords for the dscp-class argument.
Table 16-5 DSCP Class Keywords
DSCP Class                                      Keyword
AF Class 1/Drop precedence 1                    af11
AF Class 1/Drop precedence 2                    af12
AF Class 1/Drop precedence 3                    af13
AF Class 2/Drop precedence 1                    af21
AF Class 2/Drop precedence 2                    af22
AF Class 2/Drop precedence 3                    af23
AF Class 3/Drop precedence 1                    af31
AF Class 3/Drop precedence 2                    af32
AF Class 3/Drop precedence 3                    af33
AF Class 4/Drop precedence 1                    af41
AF Class 4/Drop precedence 2                    af42
AF Class 4/Drop precedence 3                    af43
Class Selector 0 (same as default forwarding)   cs0 (same as df)
Class Selector 1                                cs1
Class Selector 2                                cs2
Class Selector 3                                cs3
Class Selector 4                                cs4
Class Selector 5                                cs5
Class Selector 6                                cs6
Class Selector 7                                cs7
Default Forwarding (same as Class Selector 0)   df (same as cs0)
Expedited Forwarding                            ef
For more information about DSCP values, see RFC 2474, Definition of the Differentiated Services Field
(DS Field) in the IPv4 and IPv6 Headers.
Caution Risk of packet reordering. Packets can be reordered into a different major DSCP class. To
reduce the risk, ensure that the marking of conforming packets and exceeding packets differ
only within a major DSCP class. Major DSCP classes are identified by the Class Selector
code, and include CS0=DF, CS1=AF11, AF12, AF13, CS2=AF21, AF22, AF23, CS3=AF31,
AF32, AF33, CS4=AF41, AF42, AF43, and CS5=EF. For example, if you mark conforming
packets with AF11 and you want to avoid reordering, mark exceeding packets with AF11,
AF12, or AF13 only.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Use the no or default form of this command to return to the default behavior of not taking any action on
packets that conform to the configured rate.
Examples
The following example configures the policing policy, protection1, to mark all packets that conform to
the configured rate with a DSCP value representing a high priority of expedited forwarding (ef) and,
because no exceed action is configured, to drop by default all packets that exceed the rate configured for
the policing policy:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark dscp ef
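The keyword table, the drop-precedence re-tag of Table 16-6 (described under conform mark precedence), and the two Cautions above, as an added Python example that is not SmartEdge OS code: it resolves a dscp-class keyword to its code point, applies a prec-value to an AF packet, checks a conform/exceed/violate marking set for the reordering risk, and picks the marking that wins under the override order. The numeric code points come from RFC 2474, RFC 2597 and RFC 3246; leaving non-AF packets untouched under mark precedence is an assumption.

```python
# DSCP keyword table (Table 16-5), the AF drop-precedence re-tag (Table 16-6) and the
# two Caution rules, as an added example (not SmartEdge OS code).  The numeric code
# points are the RFC 2474 / RFC 2597 / RFC 3246 values; non-AF packets are assumed to
# be left unchanged by 'mark precedence', which the page defines only for AF classes.
from typing import Dict, Optional, Tuple, Union

DSCP: Dict[str, int] = {f"cs{i}": i << 3 for i in range(8)}  # class selectors
DSCP.update({f"af{c}{d}": (c << 3) | (d << 1) for c in range(1, 5) for d in range(1, 4)})
DSCP.update({"df": DSCP["cs0"], "ef": 46})


def parse_dscp(value: Union[int, str]) -> int:
    """Accept 0..63 or a Table 16-5 keyword (case-insensitive, e.g. 'AF11' or 'ef')."""
    if isinstance(value, int):
        if not 0 <= value <= 63:
            raise ValueError("DSCP must be 0 to 63")
        return value
    return DSCP[value.lower()]


def major_class(dscp: int) -> int:
    """Class Selector number (top three bits): CS1 covers AF11..AF13, CS5 covers EF."""
    return dscp >> 3


def af_parts(dscp: int) -> Optional[Tuple[int, int]]:
    """(AF class, drop precedence) for an AF code point, else None (EF, CSx, DF)."""
    cls, prec = dscp >> 3, (dscp >> 1) & 0b11
    return (cls, prec) if 1 <= cls <= 4 and 1 <= prec <= 3 and dscp & 1 == 0 else None


def mark_precedence(dscp: int, prec_value: int) -> int:
    """'conform mark precedence <prec-value>': keep the AF class, re-tag the drop precedence."""
    if not 1 <= prec_value <= 3:
        raise ValueError("prec-value is 1 to 3")
    parts = af_parts(dscp)
    return dscp if parts is None else (parts[0] << 3) | (prec_value << 1)


def reordering_risk(marks: Dict[str, int]) -> bool:
    """True when the conform/exceed/violate markings span more than one major DSCP class."""
    return len({major_class(v) for v in marks.values()}) > 1


def effective_mark(class_mark: Optional[int], circuit_mark: Optional[int],
                   bgp_mark: Optional[int]) -> Optional[int]:
    """BGP destination-based marking overrides circuit-based, which overrides class-based."""
    return next((m for m in (bgp_mark, circuit_mark, class_mark) if m is not None), None)
```

reordering_risk applied to a policy's conform and exceed markings before it is committed is the check the first Caution asks for; marking af11 and af13 passes, marking ef and af11 does not.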
Related Commands
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
conform mark precedence
conform mark precedence prec-value
{no | default} conform mark precedence
Purpose
Marks inbound packets that conform to the configured quality of service (QoS) rate with a drop precedence
value corresponding to the assured forwarding (AF) class of the packet.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
Default
No action is taken on packets that conform to the configured rate.
Usage Guidelines
Use the conform mark precedence command to mark inbound packets that conform to the configured rate
with a drop precedence value corresponding to the AF class of the packet.
You can configure rate using the rate command (in policy ACL class, metering policy, or policing policy
configuration mode).
In general, the level of forwarding assurance of an IP packet is based on: (1) the resources allocated to the
AF class to which the packet belongs, (2) the current load of the AF class, and, in case of congestion within
the class, (3) the drop precedence of the packet. In case of congestion, the drop precedence of a packet
determines the relative importance of the packet within the AF Differentiated Services Code Point (DSCP)
class. Packets with a lower drop precedence value are preferred and protected from being lost, while
packets with a higher drop precedence value are discarded.
With AF classes AF1 (AF11, AF12, AF13), AF2 (AF21, AF22, AF23), AF3 (AF31, AF32, AF33), and
AF4(AF41, AF42, AF43), the second integer represents a drop precedence value. Table16-6 shows how
the AF drop precedence value of an incoming packet is changed when it exits the SmartEdge router after
being tagged with a new drop precedence. (See also RFC 2597, Assured Forwarding PHB Group.)
prec-value Drop precedence value. The range of values is 1 to 3.
Table 16-6 Drop Precedence Values
DSCP Value of an Incoming Packet | Packet is Tagged with a Drop Precedence Value | DSCP Value of the Outgoing Packet
AF11, AF12, AF13 | 1 | AF11
AF21, AF22, AF23 | 1 | AF21
AF31, AF32, AF33 | 1 | AF31
AF41, AF42, AF43 | 1 | AF41
AF11, AF12, AF13 | 2 | AF12
AF21, AF22, AF23 | 2 | AF22
AF31, AF32, AF33 | 2 | AF32
AF41, AF42, AF43 | 2 | AF42
AF11, AF12, AF13 | 3 | AF13
AF21, AF22, AF23 | 3 | AF23
AF31, AF32, AF33 | 3 | AF33
AF41, AF42, AF43 | 3 | AF43
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the
conform mark precedence command, specifying a new value for the prec-value argument, which
supersedes the one previously configured.
Use the no or default form of this command to return to the default behavior of not taking any action on
packets that conform to the configured rate.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Examples
The following example configures the policing policy, protection1, to mark all packets that conform to
the configured rate with a drop precedence value of 1 and drops all packets that exceed the rate:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark precedence 1
Related Commands
conform mark dscp
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
conform mark priority
conform mark priority {group-num | ignore} [{drop-precedence {group-num | ignore} |
af-drop drop-value}]
{no | default} conform mark priority
Purpose
Marks packets that conform to the configured quality of service (QoS) rate with a priority group number,
a drop-precedence value, or both, while leaving the packet's IP header Differentiated Services Code Point
(DSCP) value unmodified.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
Default
No action is taken on packets that conform to the configured rate. Default mapping of priority groups to
queues is listed in Table 16-7.
Usage Guidelines
Use the conform mark priority command to mark packets that conform to the configured QoS rate with
a priority group number, a drop-precedence value, or both, while leaving the packet's IP header DSCP value
unmodified.
To configure the rate, enter the rate command (in policy ACL class, metering policy, or policing policy
configuration mode).
group-num Priority group number. The range of values is 0 to 7.
The scale used by this command for packet priority, from 0 (highest
priority) to 7 (lowest priority), is the relative inverse of the scale used by
QoS classification map and classification definition commands.
ignore Specifies that the internal packet descriptor (PD) priority or
drop-precedence value is not modified.
drop-precedence Optional. Enables you to specify a setting for either the drop-precedence
portion of the PD QoS field or the priority group, or both.
af-drop drop-value Optional. Target internal drop-precedence value in two-bit format;
leaves the least significant bit unmodified. The range of values is 1 to 3.
A priority group is an internal value used by the SmartEdge OS to determine into which egress queue the
inbound packet is placed. The type of service (ToS) value, DSCP value, and Multiprotocol Label Switching
(MPLS) experimental (EXP) bits are unchanged by this command. The actual queue number depends on
the number of queues configured on the circuit. For more information, see the num-queues command in
Chapter 17, QoS Scheduling Configuration.
The SmartEdge OS uses the factory preset, or default, mapping of a priority group to queue, according to
the number of queues configured on a circuit; see Table 16-7.
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the
conform mark priority command, specifying a new value for the group-num argument. This supersedes
the value previously configured.
Use the no or default form of this command to specify the default behavior.
Examples
The following example configures the policy to mark all packets that conform to the configured rate with
priority group number 3 and drops all packets that exceed the rate:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark priority 3
Table 16-7 Default Mapping of Priority Groups to Queues
Priority Group | 8 Queues | 4 Queues | 2 Queues | 1 Queue
0 | queue 0 | queue 0 | queue 0 | queue 0
1 | queue 1 | queue 1 | queue 1 | queue 0
2 | queue 2 | queue 1 | queue 1 | queue 0
3 | queue 3 | queue 2 | queue 1 | queue 0
4 | queue 4 | queue 2 | queue 1 | queue 0
5 | queue 5 | queue 2 | queue 1 | queue 0
6 | queue 6 | queue 2 | queue 1 | queue 0
7 | queue 7 | queue 3 | queue 1 | queue 0
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Related Commands
conform mark dscp
conform mark precedence
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
conform no-action
conform no-action
{no | default} conform no-action
Purpose
Specifies that no marking is made on packets that conform to the configured quality of service (QoS) rate.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
This command has no keywords or arguments.
Default
No marking is applied to packets that conform to the configured rate.
Usage Guidelines
Use the conform no-action command to specify that no marking is made on packets that conform to the
configured QoS rate.
To configure the rate, enter the rate command (in policy ACL class, metering policy, or policing policy
configuration mode).
Use the no or default form of this command to specify that no marking is made.
Examples
The following example configures the policy to take no marking action on packets that conform to the
configured rate:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform no-action
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
exceed drop
exceed drop [qos-priority group-num]
{no | default} exceed drop [qos-priority group-num]
Purpose
Specifies how packets are dropped when the traffic rate exceeds the quality of service (QoS) rate and burst
tolerance.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
Default
If the excess burst tolerance is not configured, all packets exceeding the QoS burst tolerance are dropped.
If the excess burst tolerance is configured, packets exceeding the QoS burst tolerance are dropped
randomly.
Usage Guidelines
Use the exceed drop command to specify how packets are dropped when the traffic rate exceeds the QoS
rate and burst tolerance. Use this command as part of a policing policy for incoming packets and as part of
a metering policy for outgoing packets.
You can configure the traffic rate, burst tolerance, and excess burst tolerance with the rate command (in
policy ACL class, metering policy, or policing policy configuration mode). The following conditions
determine how packets are dropped:
If the excess burst tolerance is not configured, all packets exceeding the configured burst tolerance are
dropped.
If the excess burst tolerance is configured, and the traffic rate does not exceed the excess burst tolerance,
packets are dropped according to one of the following conditions:
If the qos-priority group-num construct is not configured, packets are dropped randomly.
If the qos-priority group-num construct is configured, only packets with a QoS priority less than
the specified group-num argument are dropped. All other packets are not dropped.
qos-priority group-num Optional. Priority group number. This option is available only if the QoS rate
is configured with an excess burst tolerance. The range of values for the
group-num argument is 0 to 7.
Note Use the violate drop commands (in policy class rate and policy rate configuration modes) to
specify how packets are dropped when the traffic rate exceeds the configured excess burst
tolerance.
Use the no or default form of this command to specify the default condition.
Examples
The following example drops packets that exceed the traffic rate and burst tolerance:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
exceed mark dscp
exceed mark dscp dscp-class
{no | default} exceed mark dscp
Purpose
Marks packets that exceed the configured quality of service (QoS) rate and burst tolerance with a
Differentiated Services Code Point (DSCP) value.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
Default
Packets exceeding the policing rate are dropped.
Usage Guidelines
Use the exceed mark dscp command to mark packets that exceed the configured rate with a DSCP value.
To configure the rate, enter the rate command (in policy ACL class, metering policy, or policing policy
configuration mode). Only one mark instruction can be in effect at a time. To change the mark instruction,
enter the exceed mark dscp command, specifying a new value for the dscp-class argument. This
supersedes the one previously configured.
Table 16-8 lists the keywords for the dscp-class argument.
dscp-class Priority with which packets exceeding the rate are marked. Values can be:
An integer from 0 to 63.
One of the keywords listed in Table 16-8.
Table 16-8 DSCP Class Keywords
DSCP Class | Keyword
Assured Forwarding (AF) Class 1/Drop precedence 1 | af11
AF Class 1/Drop precedence 2 | af12
AF Class 1/Drop precedence 3 | af13
AF Class 2/Drop precedence 1 | af21
AF Class 2/Drop precedence 2 | af22
AF Class 2/Drop precedence 3 | af23
AF Class 3/Drop precedence 1 | af31
AF Class 3/Drop precedence 2 | af32
AF Class 3/Drop precedence 3 | af33
AF Class 4/Drop precedence 1 | af41
AF Class 4/Drop precedence 2 | af42
AF Class 4/Drop precedence 3 | af43
Class Selector 0 (same as default forwarding) | cs0 (same as df)
Class Selector 1 | cs1
Class Selector 2 | cs2
Class Selector 3 | cs3
Class Selector 4 | cs4
Class Selector 5 | cs5
Class Selector 6 | cs6
Class Selector 7 | cs7
Default Forwarding (same as Class Selector 0) | df (same as cs0)
Expedited Forwarding | ef
Note RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
Headers, defines the Class Selector code points.
Caution Risk of packet reordering. To reduce the risk, ensure that the marking of conforming packets
and exceeding packets differ only within a major DSCP class. Major DSCP classes are
identified by the Class Selector code, and include CS0=DF, CS1=AF11, AF12, AF13,
CS2=AF21, AF22, AF23, CS3=AF31, AF32, AF33, CS4=AF41, AF42, AF43, and CS5=EF.
For example, if you mark conforming packets with AF11 and you want to avoid reordering,
mark exceeding packets with AF11, AF12, or AF13 only.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Use the no or default form of this command to return to the default behavior of dropping packets that
exceed the rate.
Examples
The following example configures the policy to mark all packets that conform to the configured rate with
a DSCP value representing a high priority and drops all packets that exceed the rate:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark dscp ef
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
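The conform mark precedence, exceed drop and exceed mark dscp behaviour described above, modelled in Python as an added illustration (not Redback code): a policer with burst and excess-burst tolerance classifies each packet as conform, exceed or violate, applies the configured action, remarks the AF drop precedence per Table 16-6, resolves the Table 16-8 keywords, and checks the reorder caution. The token-bucket mechanics, the treatment of non-AF packets under mark precedence, and the sample traffic are assumptions.

```python
"""Model of a SmartEdge-style policing policy: one rate with a burst and an
optional excess-burst tolerance, conform/exceed/violate actions, the AF
drop-precedence remarking of Table 16-6 and the reorder check from the
'exceed mark dscp' caution.  Added illustration, not Redback code."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Table 16-8 keywords: AF code point = 8*class + 2*drop, CSn = 8*n, EF = 46.
DSCP_KEYWORDS = {f"af{c}{d}": 8 * c + 2 * d for c in range(1, 5) for d in range(1, 4)}
DSCP_KEYWORDS.update({f"cs{n}": 8 * n for n in range(8)})
DSCP_KEYWORDS.update({"df": 0, "ef": 46})

def parse_dscp(value: Union[int, str]) -> int:
    """Accept an integer 0-63 or a Table 16-8 keyword and return the DSCP."""
    if isinstance(value, int):
        if not 0 <= value <= 63:
            raise ValueError(f"DSCP out of range: {value}")
        return value
    if value.lower() not in DSCP_KEYWORDS:
        raise ValueError(f"unknown DSCP keyword: {value}")
    return DSCP_KEYWORDS[value.lower()]

def af_class(dscp: int) -> Optional[int]:
    """AF class 1-4 of a DSCP, or None for non-AF code points (CSn, DF, EF)."""
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    return cls if 1 <= cls <= 4 and 1 <= drop <= 3 and not dscp & 1 else None

def mark_precedence(dscp: int, prec: int) -> int:
    """'mark precedence prec' per Table 16-6: keep the AF class, replace the
    drop precedence.  Leaving non-AF packets untouched is an assumption."""
    if not 1 <= prec <= 3:
        raise ValueError("prec-value must be 1 to 3")
    return dscp if af_class(dscp) is None else (dscp & 0b111000) | (prec << 1)

def same_major_class(a: int, b: int) -> bool:
    """Reorder check: conform and exceed marks should share a Class Selector
    (the top three DSCP bits), e.g. AF11 and AF13 both lie in CS1."""
    return a >> 3 == b >> 3

@dataclass
class Packet:
    size: int   # bytes
    dscp: int

@dataclass
class Policer:
    rate_kbps: int
    burst: int                 # burst tolerance, bytes
    excess_burst: int = 0      # excess burst tolerance, bytes (0 = not configured)
    conform: tuple = ("no-action",)
    exceed: tuple = ("drop",)
    violate: tuple = ("drop",)
    _tc: float = field(init=False, default=0.0)    # tokens in the burst bucket
    _te: float = field(init=False, default=0.0)    # tokens in the excess bucket
    _last: float = field(init=False, default=0.0)  # arrival time of the previous packet

    def __post_init__(self) -> None:
        self._tc, self._te = float(self.burst), float(self.excess_burst)

    def _refill(self, now: float) -> None:
        # Tokens earned since the last packet fill the burst bucket first; the
        # overflow spills into the excess-burst bucket (assumed srTCM-style).
        earned = (now - self._last) * self.rate_kbps * 1000 / 8
        self._last = now
        avail = self._tc + earned
        self._tc = min(float(self.burst), avail)
        self._te = min(float(self.excess_burst), self._te + avail - self._tc)

    def colour(self, now: float, size: int) -> str:
        """Classify a packet of 'size' bytes arriving at time 'now' (seconds)."""
        self._refill(now)
        if size <= self._tc:
            self._tc -= size
            return "conform"
        if not self.excess_burst:   # no excess tolerance: everything else 'exceeds'
            return "exceed"
        if size <= self._te:
            self._te -= size
            return "exceed"
        return "violate"            # beyond the excess burst tolerance

    def process(self, now: float, pkt: Packet) -> Optional[Packet]:
        """Apply the configured action; None means the packet was dropped."""
        action = getattr(self, self.colour(now, pkt.size))
        if action[0] == "drop":
            return None
        if action[:2] == ("mark", "dscp"):
            pkt.dscp = parse_dscp(action[2])
        elif action[:2] == ("mark", "precedence"):
            pkt.dscp = mark_precedence(pkt.dscp, action[2])
        return pkt                  # 'no-action' passes the packet through unchanged

def demo() -> List[Optional[int]]:
    """Constructed scenario: five 1000-byte AF12 packets at t=0, one more 1 ms later."""
    pol = Policer(rate_kbps=10000, burst=1500, excess_burst=3000,
                  conform=("mark", "precedence", 1),  # AF12 -> AF11
                  exceed=("mark", "dscp", "af13"), violate=("drop",))
    out = [pol.process(t, Packet(1000, parse_dscp("af12"))) for t in [0.0] * 5 + [0.001]]
    return [p.dscp if p else None for p in out]   # outgoing DSCP, None = dropped
```

With these settings the first packet conforms and leaves as AF11, the next three fall within the excess burst and leave as AF13, the fifth is dropped, and the sixth conforms again once 1 ms of tokens has accrued.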
exceed mark precedence
exceed mark precedence prec-value
{no | default} exceed mark precedence
Purpose
Marks packets that exceed the configured quality of service (QoS) rate with a drop precedence value
corresponding to the assured forwarding (AF) class of the packet.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
Default
Packets exceeding the policy rate are dropped.
Usage Guidelines
Use the exceed mark precedence command to mark packets that exceed the configured rate with a drop
precedence value corresponding to the AF class of the packet.
To configure the rate, enter the rate command (in policy ACL class, metering policy, or policing policy
configuration mode).
In general, the level of forwarding assurance of an IP packet is based on: (1) the resources allocated to the
AF class to which the packet belongs, (2) the current load of the AF class, and, in case of congestion within
the class, (3) the drop precedence of the packet. In case of congestion, the drop precedence of a packet
determines the relative importance of the packet within the AF class. Packets with a lower drop precedence
value are preferred and protected from being lost, while packets with a higher drop precedence value are
discarded.
With AF classes AF1 (AF11, AF12, AF13), AF2 (AF21, AF22, AF23), AF3 (AF31, AF32, AF33), and
AF4 (AF41, AF42, AF43), the second integer represents a drop precedence value. Table 16-9 shows how
the AF drop precedence value of an incoming packet is changed when it exits the SmartEdge router after
being tagged with a new drop precedence. (See also RFC 2597, Assured Forwarding PHB Group.)
prec-value Drop precedence bits value. The range of values is 1 to 3.
Table 16-9 Drop Precedence Values
DSCP Value of an Incoming Packet | Packet is Tagged with a Drop Precedence Value | DSCP Value of the Outgoing Packet
AF11, AF12, AF13 | 1 | AF11
AF21, AF22, AF23 | 1 | AF21
AF31, AF32, AF33 | 1 | AF31
AF41, AF42, AF43 | 1 | AF41
AF11, AF12, AF13 | 2 | AF12
AF21, AF22, AF23 | 2 | AF22
AF31, AF32, AF33 | 2 | AF32
AF41, AF42, AF43 | 2 | AF42
AF11, AF12, AF13 | 3 | AF13
AF21, AF22, AF23 | 3 | AF23
AF31, AF32, AF33 | 3 | AF33
AF41, AF42, AF43 | 3 | AF43
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the exceed mark
precedence command, specifying a new value for the prec-value argument, which supersedes the one
previously configured.
Use the no or default form of this command to return to the default behavior of dropping packets that
exceed the rate.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Examples
The following example configures the policy to mark all packets that conform to the configured rate with
a drop precedence value of 3 and uses the conform mark command, which, by default, drops all packets
that exceed the rate:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark precedence 3
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
exceed mark priority
exceed mark priority {group-num | ignore} [{drop-precedence {group-num | ignore} | af-drop
drop-value}]
{no | default} exceed mark priority
Purpose
Marks packets that exceed the quality of service (QoS) rate and burst tolerance with a priority group
number, a drop-precedence value, or both, while leaving the packet's IP header Differentiated Services
Code Point (DSCP) value unmodified.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
Default
Packets exceeding the rate are dropped.
Usage Guidelines
Use the exceed mark priority command to mark packets that exceed the QoS rate and burst tolerance with
a priority group number, a drop-precedence value, or both, while preserving the packet's IP header. To
configure the rate, enter the rate command (in policy ACL class, metering policy, or policing policy
configuration mode).
group-num Priority group number. The range of values is 0 to 7.
The scale used by this command for packet priority, from 0
(highest priority) to 7 (lowest priority), is the relative inverse
of the scale used by QoS classification map and classification
definition commands.
ignore Specifies that the internal packet descriptor (PD) priority or
drop-precedence value is not modified.
drop-precedence Optional. Enables you to specify a setting for either the
drop-precedence portion of the PD QoS field or the priority
group, or both.
af-drop drop-value Optional. Specifies the target internal drop-precedence value in
two-bit format, leaving the least significant bit unmodified.
The range of values is 1 to 3.
A priority group is an internal value used by the SmartEdge router to determine into which egress queue
the inbound packet should be placed. The type of service (ToS) value, Differentiated Services Code Point
(DSCP) value, and Multiprotocol Label Switching (MPLS) experimental (EXP) bits are unchanged by this
command. The actual queue number depends on the number of queues configured on the circuit. For more
information, see the num-queues command in Chapter 17, QoS Scheduling Configuration.
The SmartEdge OS uses the factory preset, or default, mapping of a priority group to queue, according to
the number of queues configured on a circuit; see Table 16-10.
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the exceed mark
priority command, specifying a new value for the group-num argument. This supersedes the value
previously configured.
Use the no or default form of this command to return to the default behavior.
Examples
The following example configures the policy to mark all packets that exceed the configured rate with a
priority group of 3 and uses the exceed mark command, which, by default, drops all packets that exceed
the rate:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed mark priority 3
Table 16-10 Default Mapping of Priority Groups
Priority Group | 8 Queues | 4 Queues | 2 Queues | 1 Queue
0 | Queue 0 | Queue 0 | Queue 0 | Queue 0
1 | Queue 1 | Queue 1 | Queue 1 | Queue 0
2 | Queue 2 | Queue 1 | Queue 1 | Queue 0
3 | Queue 3 | Queue 2 | Queue 1 | Queue 0
4 | Queue 4 | Queue 2 | Queue 1 | Queue 0
5 | Queue 5 | Queue 2 | Queue 1 | Queue 0
6 | Queue 6 | Queue 2 | Queue 1 | Queue 0
7 | Queue 7 | Queue 3 | Queue 1 | Queue 0
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Note By default, the SmartEdge OS assigns a priority group to each egress queue, according to the
number of queues configured on a circuit. You can override the default mapping of packets
into egress queues by creating a customized queue priority map using the qos queue-map
command (in global configuration mode).
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
exceed no-action
exceed no-action
{no | default} exceed no-action
Purpose
Specifies that no action is taken on packets that exceed the configured quality of service (QoS) rate and
burst tolerance.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets exceeding the rate are dropped.
Usage Guidelines
Use the exceed no-action command to specify that no action is taken on packets that exceed the rate.
To configure the rate, enter the rate command (in policy ACL class, metering policy, or policing policy
configuration mode).
Use the no or default form of this command to return to the default behavior of dropping packets that
exceed the rate.
Examples
The following example configures the policy to take no action on packets that exceed the rate:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed no-action
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
mapping-schema
mapping-schema {8P0D | 7P1D | 6P2D | 5P3D}
{no | default} mapping-schema {8P0D | 7P1D | 6P2D | 5P3D}
Purpose
Defines the default quality of service (QoS) translation schema to use with a classification map.
Command Mode
class map configuration
Syntax Description
Default
Maps all entries to the default 8P0D values.
Usage Guidelines
Use the mapping-schema command to define the default QoS translation schema to use with a
classification map. This command overrides any existing configuration for the classification map.
8P0D Specifies that 8P0D Ethernet Priority Code Point (PCP) encoding is the default
schema. The 8P0D schema propagates the three Multiprotocol Label Switching
(MPLS) experimental (EXP) or 802.1p bits to the priority bits of the packet
descriptor (PD) QoS value on ingress, and performs the reverse on egress. The PD
drop-precedence bits are set to zero on ingress, and ignored on egress. For the
default values for 8P0D ingress and egress mappings, see Table 16-11 and
Table 16-12, respectively.
7P1D Specifies that 7P1D Ethernet PCP is the default schema. The 7P1D schema maps
between the eight possible EXP or 802.1p values and seven different PD QoS
priority levels, one of which includes two levels of drop-precedence. For the default
values for 7P1D ingress and egress mappings, see Table 16-13 and Table 16-14,
respectively.
6P2D Specifies that 6P2D Ethernet PCP is the default schema. The 6P2D schema maps
between the eight possible EXP or 802.1p values and six different PD QoS priority
levels, two of which include two levels of drop-precedence. For the default values
for 6P2D ingress and egress mappings, see Table 16-15 and Table 16-16,
respectively.
5P3D Specifies that 5P3D Ethernet PCP is the default schema. The 5P3D schema maps
between the eight possible EXP or 802.1p values and five different PD QoS priority
levels, three of which include two levels of drop-precedence. For the default values
for 5P3D ingress and egress mappings, see Table 16-17 and Table 16-18,
respectively.
You can use this command to specify default values for all mapping entries, then override that value for a
subset of entries by entering subsequent mapping commands.
Use the no or default form of this command to revert values for all map entries to the default 8P0D values.
Table 16-11 lists the default values for 8P0D ingress mappings.
Table 16-11 8P0D Mapping, Ingress from MPLS EXP and Ethernet 802.1p
Ethernet 802.1p | MPLS EXP | PD Priority | PD Drop | IP Precedence | DSCP
7 | 7 | 0 | 0 | 7 | Network Control
6 | 6 | 1 | 0 | 6 | Reserved
5 | 5 | 2 | 0 | 5 | cs5
4 | 4 | 3 | 0 | 4 | cs4
3 | 3 | 4 | 0 | 3 | cs3
2 | 2 | 5 | 0 | 2 | cs2
1 | 1 | 6 | 0 | 1 | cs1
0 | 0 | 7 | 0 | 0 | DF
Table 16-12 lists the default values for 8P0D egress mappings.
Table 16-12 8P0D Mapping, Egress to MPLS EXP and Ethernet 802.1p
PD Priority | PD Drop | IP Precedence | DSCP | Ethernet 802.1p | MPLS EXP
0 | NA | 7 | Network Control | 7 | 7
1 | NA | 6 | Reserved | 6 | 6
2 | NA | 5 | EF | 5 | 5
3 | NA | 4 | AF4[1,2,3] | 4 | 4
4 | NA | 3 | AF3[1,2,3] | 3 | 3
5 | NA | 2 | AF2[1,2,3] | 2 | 2
6 | NA | 1 | AF1[1,2,3] | 1 | 1
7 | NA | 0 | DF | 0 | 0
Table 16-13 lists the default values for 7P1D ingress mappings.
Table 16-13 7P1D Mapping, Ingress from MPLS EXP and Ethernet 802.1p
MPLS EXP | Ethernet 802.1p | SmartEdge PD Priority | SmartEdge PD Drop | DSCP | IP Precedence
7 | 7 | 0 | 0 | Network Control | 7
6 | 6 | 1 | 0 | Reserved | 6
5 | 5 | 3 | 2 | AF 4[1] | 4
4 | 4 | 3 | 6 | AF 4[3] | 4
3 | 3 | 4 | 2 | AF 3[1] | 3
2 | 2 | 5 | 2 | AF 2[1] | 2
1 | 1 | 6 | 2 | AF 1[1] | 1
0 | 0 | 7 | 0 | DF | 0
Table 16-14 lists the default values for 7P1D egress mappings.
Table 16-14 7P1D Mapping, Egress to MPLS EXP and Ethernet 802.1p
SmartEdge PD Priority | SmartEdge PD Drop | DSCP | IP Precedence | MPLS EXP | Ethernet 802.1p
0 | NA | Network Control | 7 | 7 | 7
1 | NA | Reserved | 6 | 6 | 6
2 | NA | EF | 5 | 5 | 5
3 | 0, 1, 2 | AF 4[1] | 4 | 5 | 5
3 | <>[0, 1, 2] | AF 4[2,3] | 4 | 4 | 4
4 | NA | AF3[1,2,3] | 3 | 3 | 3
5 | NA | AF2[1,2,3] | 2 | 2 | 2
6 | NA | AF1[1,2,3] | 1 | 1 | 1
7 | NA | DF | 0 | 0 | 0
Table 16-15 lists the default values for 6P2D ingress mappings.
Table 16-15 6P2D Mapping, Ingress from MPLS EXP and Ethernet 802.1p
MPLS EXP | Ethernet 802.1p | SmartEdge PD Priority | SmartEdge PD Drop | DSCP | IP Precedence
7 | 7 | 0 | 0 | Network Control | 7
6 | 6 | 1 | 0 | Reserved | 6
5 | 5 | 3 | 2 | AF 4[1] | 4
4 | 4 | 3 | 6 | AF 4[3] | 4
3 | 3 | 5 | 2 | AF 2[1] | 2
2 | 2 | 5 | 6 | AF 2[3] | 2
1 | 1 | 6 | 2 | AF 1[1] | 1
0 | 0 | 7 | 0 | DF | 0
Table 16-16 lists the default values for 6P2D egress mappings.
Table 16-16 6P2D Mapping, Egress to MPLS EXP and Ethernet 802.1p
SmartEdge PD Priority | SmartEdge PD Drop | DSCP | IP Precedence | MPLS EXP | Ethernet 802.1p
0 | NA | Network Control | 7 | 7 | 7
1 | NA | Reserved | 6 | 6 | 6
2 | NA | EF | 5 | 5 | 5
3 | 0, 1, 2 | AF 4[1] | 4 | 5 | 5
3 | <>[0, 1, 2] | AF 4[2,3] | 4 | 4 | 4
4 | 0, 1, 2 | AF 3[1] | 3 | 3 | 3
4 | <>[0, 1, 2] | AF 3[2,3] | 3 | 2 | 2
5 | 0, 1, 2 | AF 2[1] | 2 | 3 | 3
5 | <>[0, 1, 2] | AF 2[2,3] | 2 | 2 | 2
6 | NA | AF1[1,2,3] | 1 | 1 | 1
7 | NA | DF | 0 | 0 | 0
Table 16-17 lists the default values for 5P3D ingress mappings.
Table 16-17 5P3D Mapping, Ingress from MPLS EXP and Ethernet 802.1p
SmartEdge PD Priority | SmartEdge PD Drop | DSCP | IP Precedence | MPLS EXP | Ethernet 802.1p
0 | 0 | Network Control | 7 | 7 | 7
1 | 0 | Reserved | 6 | 6 | 6
3 | 2 | AF 4[1] | 4 | 5 | 5
3 | 6 | AF 4[3] | 4 | 4 | 4
3 | 3 | 3 | 3 | 3 | 3
5 | 6 | AF 2[3] | 2 | 3 | 2
7 | 0 | DF | 0 | 1 | 1
7 | 6 | DF- | 0 | 0 | 0
Table 16-18 lists the default values for 5P3D egress mappings.
Table 16-18 5P3D Mapping, Egress to MPLS EXP and Ethernet 802.1p
SmartEdge PD Priority | SmartEdge PD Drop | DSCP | IP Precedence | MPLS EXP | Ethernet 802.1p
0 | NA | Network Control | 7 | 7 | 7
1 | NA | Reserved | 6 | 6 | 6
2 | NA | EF | 5 | 5 | 5
3 | 0, 1, 2 | AF 4[1] | 4 | 5 | 5
3 | <>[0, 1, 2] | AF 4[2,3] | 4 | 4 | 4
4 | 0, 1, 2 | AF 3[1] | 3 | 3 | 3
4 | <>[0, 1, 2] | AF 3[2,3] | 3 | 2 | 2
5 | 0, 1, 2 | AF 2[1] | 2 | 3 | 3
5 | <>[0, 1, 2] | AF 2[2,3] | 2 | 2 | 2
6 | 0, 1, 2 | AF 1[1] | 1 | 1 | 1
6 | <>[0, 1, 2] | AF 1[2,3] | 2 | 0 | 0
7 | 0 | DF | 0 | 1 | 1
7 | <>0 | DF- | 0 | 0 | 0
Examples
The following example defines the classification map pd-to-exp for PD values on egress, then defines
the default mapping schema as 6P2D. It overrides the default mapping for PD user priority value af33 to
MPLS EXP value 4, and specifies the default DSCP-to-EXP mapping for PD value 13:
[local]Redback(config)#qos class-map pd-to-exp mpls out
[local]Redback(config-class-map)#mapping-schema 6P2D
[local]Redback(config-class-map)#qos af33 to mpls 4
[local]Redback(config-class-map)#qos 13 use-ip
Related Commands
qos class-map
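The PCP schemas as an added Python illustration (not Redback code): it encodes the 8P0D, 7P1D and 6P2D mappings of Tables 16-11 through 16-16 and checks which incoming EXP/802.1p values survive the ingress-to-egress round trip. 5P3D is left out because its ingress table above is not fully legible, and apply_af_drop, which models the two-bit af-drop argument of the mark priority commands, is an assumption about how that field is written.

```python
"""Ingress and egress PCP mapping for the 8P0D, 7P1D and 6P2D schemas of
Tables 16-11 through 16-16, plus a round-trip check.  Added illustration,
not Redback code; 5P3D is omitted because its ingress table is garbled."""
from typing import Dict, List, Tuple

# Ingress: incoming MPLS EXP / 802.1p value -> (PD priority, PD drop).  PD drop
# is a 3-bit field whose upper two bits carry the AF drop precedence
# (2 = AF x1, 6 = AF x3); 8P0D sets it to zero.
INGRESS: Dict[str, Dict[int, Tuple[int, int]]] = {
    "8P0D": {p: (7 - p, 0) for p in range(8)},
    "7P1D": {7: (0, 0), 6: (1, 0), 5: (3, 2), 4: (3, 6),
             3: (4, 2), 2: (5, 2), 1: (6, 2), 0: (7, 0)},
    "6P2D": {7: (0, 0), 6: (1, 0), 5: (3, 2), 4: (3, 6),
             3: (5, 2), 2: (5, 6), 1: (6, 2), 0: (7, 0)},
}

# Egress: PD priority -> (PCP when PD drop is 0, 1 or 2; PCP otherwise), i.e.
# the "0, 1, 2" and "<>[0, 1, 2]" rows of the egress tables.  8P0D ignores
# the drop bits, so both entries are equal.
LOW_DROP = {0, 1, 2}
EGRESS: Dict[str, Dict[int, Tuple[int, int]]] = {
    "8P0D": {p: (7 - p, 7 - p) for p in range(8)},
    "7P1D": {0: (7, 7), 1: (6, 6), 2: (5, 5), 3: (5, 4),
             4: (3, 3), 5: (2, 2), 6: (1, 1), 7: (0, 0)},
    "6P2D": {0: (7, 7), 1: (6, 6), 2: (5, 5), 3: (5, 4),
             4: (3, 2), 5: (3, 2), 6: (1, 1), 7: (0, 0)},
}


def ingress(schema: str, pcp: int) -> Tuple[int, int]:
    """Map an incoming EXP/802.1p value to (PD priority, PD drop)."""
    if not 0 <= pcp <= 7:
        raise ValueError("EXP and 802.1p values are 3 bits (0-7)")
    return INGRESS[schema][pcp]


def egress(schema: str, priority: int, drop: int) -> int:
    """Map a PD (priority, drop) pair to the outgoing EXP/802.1p value."""
    low, high = EGRESS[schema][priority]
    return low if drop in LOW_DROP else high


def round_trip(schema: str) -> List[int]:
    """Outgoing PCP for each incoming PCP 0..7 when nothing remarks the packet."""
    return [egress(schema, *ingress(schema, p)) for p in range(8)]


def distinct_priorities(schema: str) -> int:
    """Number of distinct PD priority levels the schema uses (the 'nP' figure)."""
    return len({prio for prio, _ in INGRESS[schema].values()})


def apply_af_drop(pd_drop: int, drop_value: int) -> int:
    """Model of the 'af-drop drop-value' argument of the mark priority commands:
    write the two-bit value into the upper bits of the 3-bit PD drop field and
    leave the least significant bit unmodified (assumed field layout)."""
    if not 1 <= drop_value <= 3:
        raise ValueError("drop-value must be 1 to 3")
    return (pd_drop & 1) | (drop_value << 1)
```

All three schemas return every PCP value unchanged on the round trip; what differs is how many PD priority levels they use and whether the drop bits decide the outgoing value, which is what a later mark priority or af-drop remark acts on.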
mark dscp
mark dscp dscp-class
no mark dscp dscp-class
Purpose
Assigns a quality of service (QoS) Differentiated Services Code Point (DSCP) priority to packets.
Command Mode
metering policy configuration
policy ACL class configuration
policing policy configuration
Syntax Description
dscp-class    Priority with which packets are marked. Values can be:
              Integer from 0 to 63.
              One of the keywords listed in Table 16-19.
Default
Packets are not assigned a DSCP priority.
Usage Guidelines
Use the mark dscp command to assign a QoS DSCP priority to packets.
Table 16-19 lists the keywords for the dscp-class argument.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Table 16-19 DSCP Class Keywords
DSCP Class                                          Keyword
Assured Forwarding (AF) Class 1/Drop precedence 1   af11
AF Class 1/Drop precedence 2                        af12
AF Class 1/Drop precedence 3                        af13
AF Class 2/Drop precedence 1                        af21
AF Class 2/Drop precedence 2                        af22
AF Class 2/Drop precedence 3                        af23
AF Class 3/Drop precedence 1                        af31
AF Class 3/Drop precedence 2                        af32
AF Class 3/Drop precedence 3                        af33
AF Class 4/Drop precedence 1                        af41
AF Class 4/Drop precedence 2                        af42
AF Class 4/Drop precedence 3                        af43
Class Selector 0 (same as default forwarding)       cs0 (same as df)
Class Selector 1                                    cs1
Class Selector 2                                    cs2
Class Selector 3                                    cs3
Class Selector 4                                    cs4
Class Selector 5                                    cs5
Class Selector 6                                    cs6
Class Selector 7                                    cs7
Default Forwarding (same as Class Selector 0)       df (same as cs0)
Expedited Forwarding                                ef
Note RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
Headers, defines the Class Selector code points.
Use the no form of this command to specify the default behavior.
Examples
The following example configures the policy, GE-in policing, to mark all packets within the VOIP
class as high-priority packets, while all packets within the best-effort class are marked as low-priority
packets:
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl cont2
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark dscp ef
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class best-effort
[local]Redback(config-policy-group-class)#mark dscp df
Related Commands
conform mark dscp
exceed mark dscp
mark precedence
mark precedence
mark precedence prec-value
no mark precedence prec-value
Purpose
Assigns a quality of service (QoS) drop precedence value to packets corresponding to the assured
forwarding (AF) class of the packets.
Command Mode
metering policy configuration
policy ACL class configuration
policing policy configuration
Syntax Description
prec-value    Drop precedence value. The range of values is 1 to 3.
Default
Packets are not marked with an explicit drop precedence value.
Usage Guidelines
Use the mark precedence command to assign a QoS drop precedence value to packets.
In general, the level of forwarding assurance of an IP packet is based on: (1) the resources allocated to the
AF class to which the packet belongs, (2) the current load of the AF class, and, in case of congestion within
the class, (3) the drop precedence of the packet. In case of congestion, the drop precedence of a packet
determines the relative importance of the packet within the assured forwarding (AF) Differentiated
Services Code Point (DSCP) class. Packets with a lower drop precedence value are preferred and protected
from being lost, while packets with a higher drop precedence value are discarded first. (For more information
see RFC 2597, Assured Forwarding PHB Group.)
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the
mark precedence command, specifying a new value for the prec-value argument, which supersedes the
one previously configured.
Use the no form of this command to specify the default behavior.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Examples
The following example configures the policy, GE-in policing, to mark all packets within the VOIP class
as preferred packets, while all packets within the best-effort class are marked as less-preferred
packets:
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl cont2
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark precedence 1
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class best-effort
[local]Redback(config-policy-group-class)#mark precedence 3
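The keyword table and the two marking commands, modelled in Python as an added example (not SmartEdge OS code and not taken from the guide): the code-point values come from RFC 2474 (class selectors, DF) and RFC 2597 (AF classes); mark dscp overwrites the DS field, and mark precedence rewrites only the drop-precedence bits of an AF code point so that the packet stays in its AF class. The packet dictionaries and flow names are constructed for the illustration, and leaving a non-AF packet untouched under mark precedence is an assumption, since the guide ties the value to the AF class of the packet.

```python
"""Table 16-19 keywords plus a model of what `mark dscp` and
`mark precedence` do to a packet's DS field.  Added example, not
SmartEdge OS code.  Code points from RFC 2474 / RFC 2597."""

# Table 16-19: keyword -> DSCP code point.
DSCP_KEYWORDS = {
    "df": 0, "cs0": 0, "cs1": 8, "cs2": 16, "cs3": 24,
    "cs4": 32, "cs5": 40, "cs6": 48, "cs7": 56, "ef": 46,
}
# AFxy = 8*x + 2*y for class x in 1..4 and drop precedence y in 1..3.
for _cls in range(1, 5):
    for _dp in range(1, 4):
        DSCP_KEYWORDS[f"af{_cls}{_dp}"] = 8 * _cls + 2 * _dp


def parse_dscp_class(token):
    """Resolve the dscp-class argument of `mark dscp`: an integer 0..63
    (decimal or hex text) or a Table 16-19 keyword; ValueError otherwise."""
    token = str(token).strip().lower()
    if token in DSCP_KEYWORDS:
        return DSCP_KEYWORDS[token]
    value = int(token, 0)
    if not 0 <= value <= 63:
        raise ValueError(f"DSCP {value} out of range 0..63")
    return value


def af_class_and_drop(dscp):
    """(class, drop precedence) of an AF code point, or None when the
    code point is not an AF PHB (class 1..4, drop precedence 1..3)."""
    cls, dp = dscp >> 3, (dscp & 0b111) >> 1
    if 1 <= cls <= 4 and 1 <= dp <= 3 and dscp & 1 == 0:
        return cls, dp
    return None


def mark_dscp(packet, dscp_class):
    """`mark dscp`: overwrite the DS field; returns the updated packet."""
    return {**packet, "dscp": parse_dscp_class(dscp_class)}


def mark_precedence(packet, prec_value):
    """`mark precedence`: keep the AF class, replace the drop precedence
    (1..3).  Assumption: a packet that is not AF-marked has no drop
    precedence to rewrite and is returned unchanged."""
    if not 1 <= prec_value <= 3:
        raise ValueError("drop precedence must be 1..3")
    af = af_class_and_drop(packet["dscp"])
    if af is None:
        return dict(packet)
    cls, _ = af
    return {**packet, "dscp": 8 * cls + 2 * prec_value}


def keyword_for(dscp):
    """Reverse lookup; df wins over cs0 because it is listed first."""
    for name, value in DSCP_KEYWORDS.items():
        if value == dscp:
            return name
    return str(dscp)


if __name__ == "__main__":
    # Constructed sample packets: one VoIP flow, one bulk flow.
    voip = {"flow": "VOIP", "dscp": DSCP_KEYWORDS["af33"]}
    bulk = {"flow": "best-effort", "dscp": DSCP_KEYWORDS["af12"]}
    print(keyword_for(mark_dscp(voip, "ef")["dscp"]))       # ef
    print(keyword_for(mark_precedence(voip, 1)["dscp"]))    # af31
    print(keyword_for(mark_precedence(bulk, 3)["dscp"]))    # af13
```

Running the script shows the difference between the two commands on the same VOIP packet: mark dscp ef moves it out of the AF group altogether, while mark precedence 1 keeps it in AF class 3 and only changes af33 to af31.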
Related Commands
conform mark precedence
exceed mark precedence
mark dscp
mark priority
mark priority {group-num | ignore} [{drop-precedence {group-num | ignore} | af-drop drop-value}]
no mark priority
Purpose
Sets the internal packet descriptor (PD) quality of service (QoS) classification value for specified packets,
while preserving the packet's IP header Differentiated Services Code Point (DSCP) value.
Command Mode
metering policy configuration
policing policy configuration
policy group class configuration
Syntax Description
group-num            Priority group number. The range of values is 0 to 7.
                     The scale used by this command for packet priority, from 0
                     (highest priority) to 7 (lowest priority), is the relative inverse
                     of the scale used by QoS classification map and classification
                     definition commands.
ignore               Specifies that the internal packet descriptor (PD) priority or
                     drop-precedence value is not modified.
drop-precedence      Optional. Enables you to specify a setting for either the
                     drop-precedence portion of the PD QoS field or the priority
                     group, or both.
af-drop drop-value   Optional. Target internal drop-precedence value in two-bit
                     format; leaves the least significant bit unmodified. The range
                     of values is 1 to 3.
Default
The PD QoS values for a packet are not modified.
Usage Guidelines
Use the mark priority command to set the internal PD QoS classification value for specified packets, while
preserving the packet's IP header DSCP value.
A priority group is an internal value used by the SmartEdge OS to determine into which egress queue the
inbound packet should be placed. The type of service (ToS) value, DSCP value, and Multiprotocol Label
Switching (MPLS) experimental (EXP) bits are unchanged by this command. The actual queue number
depends on the number of queues configured on the circuit. For more information, see the num-queue
command in Chapter 17, QoS Scheduling Configuration.
The SmartEdge OS uses the factory preset, or default, mapping of a priority group to a queue, according to
the number of queues configured on a circuit; see Table 16-20.
Table 16-20 Default Mapping of Priority Groups
Priority Group   8 Queues   4 Queues   2 Queues   1 Queue
0                Queue 0    Queue 0    Queue 0    Queue 0
1                Queue 1    Queue 1    Queue 1    Queue 0
2                Queue 2    Queue 1    Queue 1    Queue 0
3                Queue 3    Queue 2    Queue 1    Queue 0
4                Queue 4    Queue 2    Queue 1    Queue 0
5                Queue 5    Queue 2    Queue 1    Queue 0
6                Queue 6    Queue 2    Queue 1    Queue 0
7                Queue 7    Queue 3    Queue 1    Queue 0
Note By default, the SmartEdge OS assigns a priority group to each egress queue, according to the
number of queues configured on a circuit. You can override the default mapping of packets
into egress queues by creating a customized queue priority map through the qos queue-map
command (in global configuration mode).
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the
mark priority command, specifying a new value for the group-num argument. This supersedes the value
previously configured.
If neither the drop-precedence nor the af-drop keyword is specified, the priority bits are set to the
specified value and the drop-precedence bits are cleared.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Use the no form of this command to return to the default behavior.
Examples
The following example configures the policy, GE-in policing, to mark all packets within the VOIP class
as high-priority packets, while all packets within the best-effort class are marked as low-priority
packets:
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl cont2
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark priority 2
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class best-effort
[local]Redback(config-policy-group-class)#mark priority 7
Related Commands
conform mark priority
exceed mark priority
qos queue-map
parent-class
parent-class class-name
no parent-class class-name
Purpose
Maps a specific child class to a parent class.
Command Mode
policy group class configuration
Syntax Description
class-name    An alphanumeric string of up to 39 characters that specifies the name of a
              parent class.
Default
The mapping of a child class to a parent class is not specified.
Usage Guidelines
Use the parent-class command to map a metering or policing policy class to a class specified in another
metering or policing policy. The class mapping configuration is employed when applying a hierarchical
metering or policing policy to traffic on a child circuit that has its own metering and policing policy. Using
the class mapping, the SmartEdge router determines the parent policy class for treating the child class
traffic when enforcing the parent metering or policing policy. For more information about the mapping of
the ACL class or a class-definition map class to a parent policy class, see the Mapping a Child Policy Class
to a Parent Class section on page 16-6.
Use the no form of this command to remove the mapping of the child class to the parent class.
Examples
The following example shows how to map a child class to a parent class. In this example, the child class
voip is mapped to the parent class high and the child class data is mapped to the parent class low:
[local]Redback(config)#qos policy child-pol metering
[local]Redback(config-policy-metering)#access-group child-acl local
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#parent-class high
[local]Redback(config-policy-group-class)#rate 50 burst 100
[local]Redback(config-policy-class-rate)#class data
[local]Redback(config-policy-group-class)#parent-class low
[local]Redback(config-policy-group-class)#rate 20 burst 40
Related Commands
access-group
class
qos policy metering
qos policy policing
qos class
qos {pd-value | all} class class-name
{no | default} qos {pd-value | all} [class class-name]
Purpose
Assigns an internal packet descriptor (PD) classification value to a class name.
Command Mode
class definition configuration
Syntax Description
pd-value      An integer from 0 to 63 (six bits), with the packet priority encoded in the three
              higher-order bits and the packet drop precedence in the three lower-order bits.
              You can enter the value in decimal or hexadecimal format, for example 16 or
              0x10. You can also enter a standard Differentiated Services Code Point
              (DSCP) marking label as defined in Table 16-19 on page 16-45.
              The scale used by this command for packet priority, from 0 (lowest priority)
              to 7 (highest priority), is the relative inverse of the scale used by the mark
              priority command.
all           Assigns all valid PD values for the source value to the specified class. Any
              existing configuration for the class definition is overridden.
class-name    An alphanumeric string of up to 39 characters that specifies the class name.
              Optional only for the no form of this command.
Default
The PD value is not assigned to any class.
Usage Guidelines
Use the qos class command to assign an internal PD classification value to a class name. The PD value can
be referenced in policing or metering policies. The SmartEdge OS creates the class when you assign the
first PD value in the class definition to the class. Subsequent PD values assigned to this class join the
existing class. Removing or modifying the last class-definition entry that references a class deletes the
class. Remove all metering and policing policy references to the class definition before you delete a class.
Each class definition can define up to eight metering or policing classes based on PD classification values.
Multiple class-definition entries can reference the same class.
The SmartEdge OS processes class definitions and assigns packet classes before it applies any metering or
policing policy that references the class definition. Use the qos class-definition command (in global
configuration mode) to create the class definition.
Use the no or default form of this command to return the PD value to the default state.
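How the six-bit pd-value of the qos class command, the bit operations of the mark priority command and the class-definition rules (at most eight classes, all overriding every entry, a class vanishing with its last entry) fit together, as an added Python example that is not SmartEdge OS code. It assumes that the group-num given to mark priority is written straight into the three priority bits, that af-drop occupies the two high bits of the three-bit drop field, and that a decimal or hexadecimal pd-value is read exactly as the syntax description states; the class-definition name cd1 and the PD values used are constructed for the illustration, and DSCP labels are not accepted here.

```python
"""Bit-level model of the internal packet descriptor (PD) QoS field:
six bits, priority in the three high-order bits, drop precedence in
the three low-order bits.  Added example, not SmartEdge OS code.
Assumption: `mark priority` group-num lands directly in the priority bits."""

IGNORE = "ignore"

# Table 16-20: priority group -> queue, indexed by queues on the circuit.
DEFAULT_QUEUE_MAP = {
    8: [0, 1, 2, 3, 4, 5, 6, 7],
    4: [0, 1, 1, 2, 2, 2, 2, 3],
    2: [0, 1, 1, 1, 1, 1, 1, 1],
    1: [0] * 8,
}


def parse_pd_value(token):
    """pd-value of `qos class`: decimal or hex text (16 or 0x10), 0..63."""
    value = int(str(token), 0)
    if not 0 <= value <= 63:
        raise ValueError(f"PD value {value} outside 0..63")
    return value


def split_pd(pd):
    """(priority, drop precedence) of a six-bit PD value."""
    return pd >> 3, pd & 0b111


def join_pd(priority, drop):
    return ((priority & 0b111) << 3) | (drop & 0b111)


def mark_priority(pd, group, drop_precedence=None, af_drop=None):
    """Apply `mark priority {group | ignore} [drop-precedence {n | ignore}
    | af-drop v]`.  With neither option the drop bits are cleared; af-drop
    (1..3) is written into the two high bits of the drop field and leaves
    its least-significant bit unmodified (assumed layout)."""
    if drop_precedence is not None and af_drop is not None:
        raise ValueError("drop-precedence and af-drop are mutually exclusive")
    priority, drop = split_pd(pd)
    if group != IGNORE:
        if not 0 <= group <= 7:
            raise ValueError("priority group must be 0..7")
        priority = group
    if af_drop is not None:
        if not 1 <= af_drop <= 3:
            raise ValueError("af-drop value must be 1..3")
        drop = (af_drop << 1) | (drop & 1)
    elif drop_precedence is None:
        drop = 0
    elif drop_precedence != IGNORE:
        if not 0 <= drop_precedence <= 7:
            raise ValueError("drop precedence must be 0..7")
        drop = drop_precedence
    return join_pd(priority, drop)


def queue_for(priority_group, num_queues):
    """Egress queue a priority group lands in under the factory mapping."""
    return DEFAULT_QUEUE_MAP[num_queues][priority_group]


class ClassDefinition:
    """`qos class-definition` holding `qos {pd-value | all} class name`
    entries: at most eight classes; a class exists only while some entry
    references it, so removing or reassigning its last entry deletes it."""
    MAX_CLASSES = 8

    def __init__(self, name):
        self.name = name
        self.entries = {}          # PD value -> class name

    def assign(self, pd_or_all, class_name):
        if pd_or_all == "all":     # overrides every existing entry
            self.entries = {pd: class_name for pd in range(64)}
            return
        if len(set(self.entries.values()) | {class_name}) > self.MAX_CLASSES:
            raise ValueError("a class definition defines at most eight classes")
        self.entries[parse_pd_value(pd_or_all)] = class_name

    def unassign(self, pd_or_all):
        """`no qos {pd-value | all}`: return the PD value(s) to the default."""
        if pd_or_all == "all":
            self.entries.clear()
        else:
            self.entries.pop(parse_pd_value(pd_or_all), None)

    def classes(self):
        return set(self.entries.values())

    def class_of(self, pd):
        return self.entries.get(pd)


if __name__ == "__main__":
    pd = parse_pd_value("13")                      # the `qos 13 use-ip` value
    print(split_pd(pd))                            # (1, 5)
    print(split_pd(mark_priority(pd, 2)))          # (2, 0): drop bits cleared
    print(split_pd(mark_priority(pd, IGNORE, af_drop=3)))   # (1, 7): LSB kept
```

The last line is the case worth checking on real hardware: af-drop 3 on a PD whose drop field is 5 (binary 101) yields 7 (binary 111), because only the two high bits are rewritten.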
Related Commands
qos class-definition
qos class-definition
qos class-definition class-definition-name
no qos class-definition class-definition-name
Purpose
Specifies or creates a class definition and enters class definition configuration mode.
Command Mode
global configuration
Syntax Description
class-definition-name    An alphanumeric string of up to 39 characters that specifies the class-
                         definition name. If a class definition with the specified name does not exist,
                         it is created.
Default
No class definition is defined.
Usage Guidelines
Use the qos class-definition command to specify or create a class definition and enter class definition
configuration mode. Class definitions define metering and policing classes using internal packet priority
and drop precedence values. You can create up to 15 class definitions; each class definition can define up
to eight metering or policing classes based on packet descriptor (PD) classification values.
Use the qos class command (in class definition configuration mode) to edit the contents of a class
definition.
Use the no form of this command to delete a class definition. Remove all metering and policing policy
references to the class definition before you delete it.
Note You can use class definitions without configuring classification maps to propagate the QoS
settings.
Related Commands
qos class
qos class-map
qos class-map map-name marking-type {in | out}
no qos class-map map-name marking-type {in | out}
Purpose
Defines a configurable schema for customized packet mappings to and from the SmartEdgeOS internal
packet descriptor (PD) markings, and accesses class map configuration mode.
Command Mode
global configuration
Syntax Description
map-name        Name of the classification map, an alphanumeric string of up to 39
                characters. The name must be unique. You can configure up to 128
                classification maps for all marking types and directions. If the
                classification map does not exist, the SmartEdge OS creates it.
marking-type    Marking type for this classification map, according to one of the
                following keywords:
                atm        Cell loss priority (CLP) marking
                ethernet   802.1p marking
                mpls       EXP marking
                ip         Differentiated Services Code Point (DSCP) marking
in              Maps incoming packets as they are received. This type of classification
                map can be applied to propagate qos from commands.
out             Maps outgoing packets as they are prepared for transmission. This type
                of classification map can be applied to propagate qos to commands.
Default
None
Usage Guidelines
Use the qos class-map command to create and configure customized mappings between internal and
external packet priority and drop precedence values.
You can use the mapping-schema command to define a set of default values for all mapping entries, then
override that value for a subset of entries by entering subsequent mapping commands. The mapping
commands that are available depend on the direction and marking-type values specified by this command.
For example, if you enter the qos class-map command with the my_class_map ethernet out keywords,
only the mapping-schema, qos to ethernet, and qos use-ip commands are available. The classification
map can then be applied using the propagate qos to ethernet command with the class-map
my_class_map keywords.
A classification map can function either as a primary or secondary classification map, or both. For ingress
mappings, a secondary classification map must have a value of ip for the marking-type argument, and a
value of in specified for the mapping direction. For egress mappings, a secondary classification map must
have the same values for the marking-type argument and mapping direction as the primary classification
map.
The SmartEdge OS uses primary classification maps during the initial packet inspection. If a secondary
classification map is configured, the SmartEdge OS performs a second mapping for packets containing the
specified primary value. When configured for the ethernet use-ip or mpls use-ip commands, secondary
classification maps translate Differentiated Services Code Point (DSCP) values to PD priority values.
When configured for the qos use-ip commands, secondary classification maps translate DSCP values to
external Multiprotocol Label Switching (MPLS) experimental (EXP) values or 802.1p priority values.
Use the no form of this command to remove the classification map. Remove all dependent configuration
entries, such as propagation commands and other classification maps, before you remove the classification
map.
Examples
The following example creates a classification map exp-to-pd that maps MPLS EXP values to quality
of service (QoS) PD values on ingress:
[local]Redback(config)#qos class-map exp-to-pd mpls in
Related Commands
ethernet to qos
ethernet use-ip
ip to qos
mapping-schema
mark priority
mpls to qos
mpls use-ip
propagate qos from ethernet
propagate qos from ip
propagate qos from l2tp
propagate qos from mpls
propagate qos from subscriber
propagate qos to ethernet
propagate qos to ip
propagate qos to l2tp
propagate qos to mpls
qos to ethernet
qos to ip
qos to mpls
qos use-ip
qos policy metering
qos policy pol-name metering [radius-guided]
no qos policy pol-name metering
Purpose
Creates or selects a quality of service (QoS) metering policy and enters metering policy configuration
mode.
Command Mode
global configuration
Syntax Description
pol-name         Name of the metering policy.
radius-guided    Optional. Allows this policy to be modified by dynamic access control lists
                 (ACLs).
Default
No metering policy is created.
Usage Guidelines
Use the qos policy metering command to create or select a metering policy and enter metering policy
configuration mode.
Use the radius-guided keyword to allow a dynamic policy ACL to modify this policy. You cannot remove
a dynamic policy ACL from the policy after you have configured it, nor can you change the type of the
policy from static to RADIUS-guided. To remove the dynamic policy ACL or to change the type of the
policy, delete the policy and then recreate it as a static policy.
Use the no form of this command in global configuration mode to delete a metering policy.
Note Link group support for QoS metering policies is limited to Multilink Point-to-Point Protocol
(MP) and Multilink Frame Relay (MFR) bundles.
Note Virtual LAN (VLAN) bridge circuits and Layer 2 Tunneling Protocol (L2TP) Virtual Private
Network (VPN) circuits do not support policy access control lists (ACLs), classes, and actions
within classes. Rate limiting is supported; however, the conform dscp, mark dscp, exceed
dscp, and mark precedence commands (in metering policy configuration mode) are not
allowed.
Examples
The following example creates the metering policy, example2, and attaches it to an Ethernet port:
[local]Redback(config)#qos policy example2 metering
[local]Redback(config-policy-metering)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-metering)#exit
Related Commands
qos policy policing
qos policy policing
qos policy pol-name policing [radius-guided]
no qos policy pol-name policing
Purpose
Creates or selects a quality of service (QoS) policing policy and enters policing policy configuration mode.
Command Mode
global configuration
Syntax Description
pol-name         Name of the policing policy to be attached.
radius-guided    Optional. Allows this policy to be modified by dynamic access control lists
                 (ACLs).
Default
No policing policy is created.
Usage Guidelines
Use the qos policy policing command to create or select a policing policy and enter policing policy
configuration mode.
Use the radius-guided keyword to allow a dynamic policy ACL to modify this policy. You cannot remove
a dynamic policy ACL from the policy after you have configured it, nor can you change the type of the
policy from static to RADIUS-guided. To remove the dynamic policy ACL or to change the type of the
policy, delete the policy and then recreate it as a static policy.
Use the no form of this command to delete a policing policy.
Note Link group support for QoS policing policies is limited to Multilink Point-to-Point Protocol
(MP) and Multilink Frame Relay (MFR) bundles.
Note Virtual LAN (VLAN) bridge circuits and Layer 2 Tunneling Protocol (L2TP) Virtual Private
Network (VPN) circuits do not support policy access control lists (ACLs), classes, and actions
within classes. Rate limiting is supported; however, the conform dscp, mark dscp, exceed
dscp, and mark precedence commands (in policing policy configuration mode) are not
allowed.
Examples
The following example creates the example2 policing policy:
[local]Redback(config)#qos policy example2 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
The following example creates the WholePort policing policy for an Ethernet port and the OneVC
policing policy for an 802.1Q PVC on that port. When the OneVC policy is attached to the PVC, it
supersedes the WholePort policy attached to the port for that PVC; for all the other PVCs on the port, the
policy attached to the port takes effect:
[local]Redback(config)#qos policy OneVC policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark dscp ef
[local]Redback(config-policy-rate)#exceed mark dscp df
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#qos policy WholePort policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
Related Commands
qos policy metering
rate
rate [informational] kbps {burst bytes | time-burst msec} [{excess-burst bytes |
time-excess-burst msec}] [counters] [hierarchical-counters]
no rate
Purpose
Sets the rate, burst tolerance, and excess burst tolerance for traffic on the circuit, port, or subscriber record
to which the quality of service (QoS) policy is attached, or for a policy group, policy access control list
(ACL), or class-definition class of traffic for that policy.
Command Mode
metering policy configuration
policy group class configuration
policing policy configuration
Syntax Description
informational            Optional. Specifies the rate to be used by the system only to calculate a
                         percentage rate for a policy ACL class when you specify the class rate as a
                         percentage. The effect is that the overall circuit is not rate limited.
kbps                     Rate in kilobits per second. The range of values is 5 to 1,000,000.
burst bytes              Burst tolerance in bytes. The range of values is 1 to 1,250,000,000.
time-burst msec          Time (in milliseconds) to allow for the burst. Can be specified only for
                         metering and policing policies.
excess-burst bytes       Optional. Excess burst tolerance in bytes. The range of values is 1 to
                         1,250,000,000.
time-excess-burst msec   Optional. Time (in milliseconds) to allow for the excess burst. Can be
                         specified only for metering and policing policies.
counters                 Optional. Enables statistics collection for packets that conform to or exceed
                         the rate.
hierarchical-counters    Optional. Enables statistics collection for packets that are dropped on child
                         circuits subject to this policy due to hierarchical inheritance.
Default
No rate is enforced by default.
Usage Guidelines
Use the rate command to set the rate, burst tolerance, and excess burst for traffic on the port, circuit, or
subscriber record to which the QoS policy is attached, or for a policy ACL class of traffic for that policy.
If entered in metering or policing policy configuration mode, this command accesses policy rate
configuration mode; if entered in policy group class configuration mode, this command accesses policy
class rate configuration mode.
Use the informational keyword to specify that the policy rate will not be used to enforce an overall circuit
rate limit, but will be used only to calculate the class rate if you specify the rate for an ACL class as a
percentage of the policy rate, using the rate percentage command (in policy group class configuration
mode). This keyword is not available in policy group class configuration mode.
Use the excess-burst bytes construct to optionally configure the excess burst tolerance. The burst tolerance
and excess burst tolerance are thresholds that can be used to determine the traffic rate at which packets can
be dropped or marked. Use the time-burst msec and time-excess-burst msec constructs to specify the burst
and excess burst as time intervals.
For more information about dropping or marking packets when the traffic rate exceeds the burst tolerance,
but does not exceed the excess burst tolerance, see the exceed commands. For more information about
dropping or marking packets when the traffic rate exceeds the excess burst tolerance, see the violate
commands.
Use the counters keyword to log statistics related to packets that conform to or exceed the rate. For a circuit
with a noninherited metering or policing policy (neither the inherit nor hierarchical keyword is specified),
the counters keyword enables statistics collection based on enforcement of this rate at the individual circuit
level. For a parent circuit that propagates a metering or policing policy to its children through the inherit
or hierarchical keyword, the counters option enables statistics collection based on collective metering or
policing policy enforcement at the parent circuit level. In other words, the statistics collected for the parent
circuit (where the policy is configured) reflect the totals for enforcement of this rate on this circuit and all
of its children that are subject to this policy through inheritance.
Use the hierarchical-counters keyword to log statistics related to packets dropped on circuits subject to
this rate due to the policy configured on a parent circuit with the hierarchical keyword specified. The
hierarchical-counters keyword enables counters on each child circuit subject to this rate through
hierarchical inheritance. These counters record the number of drops on the child circuit due to enforcement
of the parent circuit policy rate.
Use the no form of this command to specify the default traffic rate and burst tolerance.
Note The maximum rate set by the qos rate command (in port configuration mode) is the rate at
which the port, 802.1Q tunnel, or 802.1Q PVC operates; any priority queuing (PQ), enhanced
deficit round-robin (EDRR), or circuit with a PQ or an EDRR policy is limited by the rate
specified by that command for the circuit. Also, the sum of all traffic on the port carried by
the queues belonging to the circuits or subscribers is limited to the rate specified by that
command.
For priority weighted fair queuing (PWFQ) queues with a PWFQ policy, the sum of all
priority group rates for a node can oversubscribe the configured global policy rate.
Examples
The following example marks all traffic conforming to the configured policy rate with expedited
forwarding (ef ) and marks traffic that exceeds the policy rate with default forwarding (df ):
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#rate 6000000 burst 10000 counters
[local]Redback(config-policy-rate)#conform mark dscp ef
[local]Redback(config-policy-rate)#exceed mark dscp df
By including the counters keyword in the rate command, you can use the show circuit counters command
(in any mode) with the detail keyword to display the number of packets that conform to the rate and the
number of packets that exceed the rate.
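A token-bucket model of the rate command and its conform, exceed and violate outcomes, written as an added Python example (not SmartEdge OS code). It also covers the time-burst conversion, the rate-calculation exclude layer-2-overhead behaviour, the class policer that rate percentage derives from the policy rate, burst and excess burst, and the two kinds of accounting behind counters and hierarchical-counters on a parent policy applied with the hierarchical keyword. The guide does not publish the router's metering algorithm, so the two-bucket single-rate three-colour marker of RFC 2697 stands in for it (an assumption), as does treating everything above the burst as exceed when no excess burst is configured; the traffic, rates and circuit names are constructed for the illustration.

```python
"""Token-bucket model of `rate kbps burst bytes [excess-burst bytes]`
with conform / exceed / violate, `time-burst`, `rate-calculation exclude
layer-2-overhead`, `rate percentage` and parent/child drop accounting.
Added example, not SmartEdge OS code.  Assumptions: RFC 2697 srTCM
buckets stand in for the router's metering; with no excess burst
configured, everything above the burst is 'exceed'."""

from dataclasses import dataclass, field


def time_burst_to_bytes(kbps, msec):
    """`time-burst msec` expressed as a byte bucket: kbps * msec / 8."""
    return kbps * msec // 8


@dataclass
class Policer:
    kbps: int
    burst: int                      # committed bucket size, bytes
    excess_burst: int = 0           # excess bucket size, bytes (0 = none)
    exclude_l2_overhead: bool = False
    drop_on: frozenset = frozenset({"violate"})   # verdicts configured `... drop`
    counters: dict = field(default_factory=lambda: {"conform": 0, "exceed": 0, "violate": 0})

    def __post_init__(self):
        self.c_tokens, self.e_tokens, self.last_t = float(self.burst), float(self.excess_burst), 0.0

    def percentage(self, percent, **kw):
        """`rate percentage`: class policer at percent of rate, burst and excess burst."""
        return Policer(self.kbps * percent // 100, self.burst * percent // 100,
                       self.excess_burst * percent // 100, self.exclude_l2_overhead, **kw)

    def _refill(self, now):
        # Bytes earned since the last packet fill the committed bucket first;
        # the overflow tops up the excess bucket (RFC 2697 behaviour).
        earned = (now - self.last_t) * self.kbps * 1000 / 8
        self.last_t = now
        room = self.burst - self.c_tokens
        self.c_tokens += min(earned, room)
        self.e_tokens = min(self.excess_burst, self.e_tokens + max(0.0, earned - room))

    def meter(self, now, frame_bytes, l3_bytes=None):
        """Classify one packet arriving at `now` (seconds since start)."""
        self._refill(now)
        size = l3_bytes if self.exclude_l2_overhead and l3_bytes is not None else frame_bytes
        if size <= self.c_tokens:
            self.c_tokens -= size
            verdict = "conform"
        elif self.excess_burst == 0:
            verdict = "exceed"                 # above burst, no excess band
        elif size <= self.e_tokens:
            self.e_tokens -= size
            verdict = "exceed"                 # above burst, within excess burst
        else:
            verdict = "violate"                # above excess burst
        self.counters[verdict] += 1            # what the `counters` keyword records
        return verdict

    def drops(self, verdict):
        return verdict in self.drop_on


class HierarchicalPolicer:
    """Parent policy applied with the `hierarchical` keyword: each child
    circuit is metered by its own policer first, and what it forwards is
    then metered against the parent.  `hierarchical_counters` records,
    per child, the packets the parent policy dropped."""

    def __init__(self, parent, children):
        self.parent, self.children = parent, children
        self.hierarchical_counters = {name: 0 for name in children}

    def meter(self, now, child, frame_bytes, l3_bytes=None):
        own = self.children[child]
        if own.drops(own.meter(now, frame_bytes, l3_bytes)):
            return "child-drop"
        verdict = self.parent.meter(now, frame_bytes, l3_bytes)
        if self.parent.drops(verdict):
            self.hierarchical_counters[child] += 1
            return "parent-drop"
        return verdict


if __name__ == "__main__":
    # Constructed traffic: three back-to-back 1500-byte frames, then one
    # more 10 ms later, against rate 800 kbps with a 40 ms time-burst.
    p = Policer(kbps=800, burst=time_burst_to_bytes(800, 40))
    print([p.meter(0.0, 1500) for _ in range(3)], p.meter(0.010, 1500))
```

The run shows why the burst tolerance is the knob to watch when a policy drops traffic it was expected to pass: a 4000-byte bucket admits two full-size frames back to back and marks the third as exceeding, and only the 1000 bytes earned during the next 10 ms let the fourth frame conform again. The parent counters count the aggregate of all children, while the per-child hierarchical counters show which circuit paid for the parent's limit.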
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
qos rate
rate percentage
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
rate-calculation
rate-calculation exclude layer-2-overhead
no rate-calculation exclude layer-2-overhead
Purpose
Specifies that rate calculation is to exclude the size of Layer 2 overhead for the Layer 3 circuit on which a
policy is applied.
Command Mode
metering policy configuration
policing policy configuration
Syntax Description
exclude             Sets rate-limit calculation exclusions.
layer-2-overhead    Specifies that Layer 2 overhead be excluded when calculating rate limits.
Default
Rate calculations consider the size of the entire Layer 2 frame.
Usage Guidelines
Use the rate-calculation command to specify that rate calculation excludes the size of Layer 2 overhead
for Layer 3 circuits on which a rate-limiting policy is applied. In this case, the size of the rate-limited packet
equals the size of the Layer 3 packet.
The rate-calculation command is global across the entire policy, implying that it applies to the overall
circuit level and all classes under the policy.
Use the no form of this command to return to the default behavior.
rate percentage
rate percentage percent-rate [counters]
no rate percentage
Purpose
Assigns a percentage of the overall policy rate to this class of traffic on the circuit, port, or subscriber record
to which the quality of service (QoS) policy is attached and accesses policy class rate configuration mode.
Command Mode
policy group class configuration
PWFQ policy configuration
Syntax Description
percent-rate Relative class rate, as a percentage of the policy rate, for this class.
counters Optional. Logs statistics related to packets that conform to or exceed the rate.
Default
No rate percentage is specified for this class.
Usage Guidelines
Use the rate percentage command to assign a percentage (a relative class rate) of the overall policy rate to
this class of traffic on the circuit, port, or subscriber record to which the QoS policy is attached, and access
policy class rate configuration mode. The percentage applies to the policy rate, burst, and excess burst
values.
Use the no form of this command to remove the rate percentage from this class configuration.
Note The maximum rate set by the qos rate command (in port configuration mode) is the rate at
which the port, 802.1Q tunnel, or 802.1Q PVC operates; any priority queuing (PQ), enhanced
deficit round-robin (EDRR), or circuit with a PQ or an EDRR policy is limited by the rate
specified by that command for the circuit. Also, the sum of all traffic on the port carried by
the queues belonging to the circuits or subscribers is limited to the rate specified by that
command.
For priority weighted fair queuing (PWFQ) queues with a PWFQ policy, the sum of all
priority group rates for a node can oversubscribe the configured global policy rate.
Examples
The following example assigns 25% of the policy rate to the realtime class:
[local]Redback(config)#qos policy rate-incoming policing
[local]Redback(config-policy-policing)#rate informational 6000000 burst 10000 counters
[local]Redback(config-policy-policing)#access-group Class local
[local]Redback(config-policy-policy-acl)#class realtime
[local]Redback(config-policy-policy-acl-class)#rate percentage 25
By including the counters keyword in the rate percentage command, you can use the show circuit
counters command (in any mode) with the detail keyword to display the number of packets that conform
to the rate percentage and the number of packets that exceed that rate percentage.
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
qos rate
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
violate drop
violate drop
{no | default} violate drop
Purpose
Drops packets that exceed the configured excess burst tolerance.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets exceeding the configured excess burst tolerance are dropped.
Usage Guidelines
Use the violate drop command to drop packets that exceed the configured excess burst tolerance. Use this
command as part of a policing policy for incoming packets and as part of a metering policy for outgoing
packets.
To configure the excess burst tolerance, enter the rate command (in policy ACL class, metering policy, or
policing policy configuration mode). The following conditions determine how packets are dropped:
If the excess burst tolerance is not configured, all packets exceeding the configured burst tolerance are
dropped.
If the excess burst tolerance is configured, all packets that exceed the excess burst tolerance are
dropped.
Use the no or default form of this command to drop packets that exceed the configured excess-burst
tolerance.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Note Use the exceed drop commands (in policy class rate and policy rate configuration modes) to
specify how packets are dropped when the traffic rate does not exceed the configured excess
burst tolerance.
Examples
The following example drops packets that exceed the excess burst tolerance:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000 excess-burst 120000
[local]Redback(config-policy-rate)#violate drop
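The following Python model, added here as an illustration and not SmartEdge OS code, shows how the rate, burst and excess-burst values partition traffic into the conform, exceed and violate classes that the conform, exceed and violate commands act on, what the counters keyword counts, and how rate-calculation exclude layer-2-overhead changes the size that is charged. The dual-bucket refill order (committed bucket first, overflow into the excess bucket) is an assumption modelled on RFC 2697, the 18-byte Layer 2 overhead and the 8 kbit/s sample policy are constructed, and without an excess burst everything beyond the burst is given the exceed action, as in the first rate example on this page.

```python
"""Model of the conform / exceed / violate classification configured by the rate,
excess-burst, rate-calculation and violate commands on this page.  Added
illustration for this page, not SmartEdge OS code: the dual-bucket refill
order (committed bucket first, overflow into the excess bucket) is an
assumption modelled on RFC 2697, and the sample traffic is constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Policy:
    rate_bps: int                        # policy rate in bits per second
    burst: int                           # burst tolerance in bytes
    excess_burst: Optional[int] = None   # excess burst tolerance in bytes (None: not configured)
    exclude_l2_overhead: bool = False    # rate-calculation exclude layer-2-overhead
    conform: str = "no-action"           # CLI-style actions: "no-action", "drop", "mark dscp <kw>"
    exceed: str = "drop"                 # exceed default on this page is drop
    violate: str = "drop"                # violate default on this page is drop


@dataclass
class Packet:
    l3_len: int              # Layer 3 packet length in bytes
    l2_overhead: int = 18    # assumed Ethernet header + FCS, counted unless excluded
    dscp: str = "df"


def apply_action(action: str, pkt: Packet) -> Optional[Packet]:
    """Apply one conform/exceed/violate action; None means the packet was dropped."""
    if action == "drop":
        return None
    if action == "no-action":
        return pkt
    if action.startswith("mark dscp "):
        return replace(pkt, dscp=action.split()[-1])
    raise ValueError(f"unsupported action: {action}")


class Policer:
    def __init__(self, policy: Policy) -> None:
        self.p = policy
        self.tokens_c = float(policy.burst)               # committed bucket starts full
        self.tokens_e = float(policy.excess_burst or 0)   # excess bucket starts full
        self.last_t = 0.0
        # what the counters keyword exposes through show circuit counters detail
        self.counters = {"conform": 0, "exceed": 0, "violate": 0}

    def _refill(self, now: float) -> None:
        """Credit bytes for the elapsed time at the policy rate; credit that does
        not fit the committed bucket spills into the excess bucket (assumption)."""
        self.tokens_c += (now - self.last_t) * self.p.rate_bps / 8.0
        self.last_t = now
        if self.tokens_c > self.p.burst:
            spill = self.tokens_c - self.p.burst
            self.tokens_c = float(self.p.burst)
            if self.p.excess_burst is not None:
                self.tokens_e = min(float(self.p.excess_burst), self.tokens_e + spill)

    def police(self, pkt: Packet, now: float) -> Tuple[str, Optional[Packet]]:
        """Classify one packet and apply the configured action for its class."""
        self._refill(now)
        # rate-calculation exclude layer-2-overhead: only the Layer 3 size is charged
        size = pkt.l3_len if self.p.exclude_l2_overhead else pkt.l3_len + pkt.l2_overhead
        if size <= self.tokens_c:
            self.tokens_c -= size
            result = "conform"
        elif self.p.excess_burst is None:
            # No excess burst configured: everything beyond the burst tolerance takes
            # the exceed action (drop unless the policy says otherwise), as in the
            # first rate example on this page.
            result = "exceed"
        elif size <= self.tokens_e:
            self.tokens_e -= size
            result = "exceed"
        else:
            result = "violate"       # beyond the excess burst tolerance
        self.counters[result] += 1
        return result, apply_action(getattr(self.p, result), pkt)


def simulate(policy: Policy, arrivals: List[Tuple[float, Packet]]) -> List[str]:
    """Run (arrival time in seconds, packet) pairs through a fresh policer and
    return the per-packet classification."""
    pol = Policer(policy)
    return [pol.police(pkt, t)[0] for t, pkt in arrivals]


# Constructed traffic: six 400-byte packets at t=0, then three more one second later.
SAMPLE = [(0.0, Packet(400))] * 6 + [(1.0, Packet(400))] * 3


def demo() -> dict:
    """8 kbit/s (1000 bytes/s), burst 1000, excess-burst 1000; conform mark dscp ef,
    exceed mark dscp df, violate drop, mirroring the actions used in this chapter."""
    policy = Policy(8000, 1000, 1000, conform="mark dscp ef",
                    exceed="mark dscp df", violate="drop")
    pol = Policer(policy)
    out = [pol.police(pkt, t) for t, pkt in SAMPLE]
    return {"classes": [r for r, _ in out],
            "dscp": [p.dscp if p else None for _, p in out],
            "counters": pol.counters}


if __name__ == "__main__":
    print(demo())
```

With the Layer 2 overhead charged, the last sample packet lands in the violate class; with exclude_l2_overhead set, the same packet fits the excess burst and is only an exceed, which is the difference the rate-calculation command makes.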
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate mark dscp
violate mark precedence
violate mark priority
violate no-action
violate mark dscp
violate mark dscp dscp-class
{no | default} violate mark dscp
Purpose
Marks packets that exceed the configured excess burst tolerance with a Differentiated Services Code Point
(DSCP) value.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
dscp-class Priority with which packets exceeding the rate are marked. Values can be:
An integer from 0 to 63.
One of the keywords listed in Table 16-21.
Table 16-21 DSCP Class Keywords
DSCP Class | Keyword
Assured Forwarding (AF) Class 1/Drop precedence 1 | af11
AF Class 1/Drop precedence 2 | af12
AF Class 1/Drop precedence 3 | af13
AF Class 2/Drop precedence 1 | af21
AF Class 2/Drop precedence 2 | af22
AF Class 2/Drop precedence 3 | af23
AF Class 3/Drop precedence 1 | af31
AF Class 3/Drop precedence 2 | af32
AF Class 3/Drop precedence 3 | af33
AF Class 4/Drop precedence 1 | af41
AF Class 4/Drop precedence 2 | af42
AF Class 4/Drop precedence 3 | af43
Class Selector 0 (same as default forwarding) | cs0 (same as df)
Class Selector 1 | cs1
Class Selector 2 | cs2
Class Selector 3 | cs3
Class Selector 4 | cs4
Class Selector 5 | cs5
Class Selector 6 | cs6
Class Selector 7 | cs7
Default Forwarding (same as Class Selector 0) | df (same as cs0)
Expedited Forwarding | ef
Note RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
Headers, defines the Class Selector code points.
Default
Packets exceeding the configured excess burst tolerance are dropped.
Usage Guidelines
Use the violate mark dscp command to mark packets that exceed the configured excess burst tolerance
with a DSCP value.
To configure the excess burst tolerance, enter the rate command (in policy ACL class, metering policy, or
policing policy configuration mode). Only one mark instruction can be in effect at a time. To change the
mark instruction, enter the violate mark dscp command, specifying a new value for the dscp-class
argument, which supersedes the one previously configured.
Table 16-21 lists the keywords for the dscp-class argument.
Use the no or default form of this command to return to the default behavior of dropping packets that
exceed the excess burst tolerance.
Examples
The following example configures the policy to mark all packets that exceed the excess burst tolerance with
a DSCP value representing a high priority:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000 excess-burst 120000
[local]Redback(config-policy-rate)#violate mark dscp ef
Caution Risk of packet reordering. To reduce the risk, ensure that the marking of conforming packets
and exceeding packets differ only within a major DSCP class. Major DSCP classes are
identified by the Class Selector code, and include CS0=DF, CS1=AF11, AF12, AF13,
CS2=AF21, AF22, AF23, CS3=AF31, AF32, AF33, CS4=AF41, AF42, AF43, and CS5=EF.
For example, if you mark conforming packets with AF11 and you want to avoid reordering,
mark exceeding packets with AF11, AF12, or AF13 only.
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark precedence
violate mark priority
violate no-action
violate mark precedence
violate mark precedence prec-value
{no | default} violate mark precedence
Purpose
Marks packets that exceed the configured excess burst tolerance with a drop precedence value
corresponding to the assured forwarding (AF) class of the packet.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
prec-value Drop precedence bits value. The range of values is 1 to 3.
Default
Packets exceeding the excess burst tolerance are dropped.
Usage Guidelines
Use the violate mark precedence command to mark packets that exceed the configured excess burst
tolerance with a drop precedence value corresponding to the AF class of the packet.
To configure the excess burst tolerance, enter the rate command (in policy ACL class, metering policy, or
policing policy configuration mode).
In general, the level of forwarding assurance of an IP packet is based on: (1) the resources allocated to the
AF class to which the packet belongs, (2) the current load of the AF class, and, in case of congestion within
the class, (3) the drop precedence of the packet. In case of congestion, the drop precedence of a packet
determines the relative importance of the packet within the AF class. Packets with a lower drop precedence
value are preferred and protected from being lost, while packets with a higher drop precedence value are
discarded.
With AF classes AF1 (AF11, AF12, AF13), AF2 (AF21, AF22, AF23), AF3 (AF31, AF32, AF33), and
AF4 (AF41, AF42, AF43), the second integer represents a drop precedence value. Table 16-22 shows how
the AF drop precedence value of an incoming packet is changed when it exits the SmartEdge router after
being tagged with a new drop precedence. (See also RFC 2597, Assured Forwarding PHB Group.)
Table 16-22 Drop Precedence Values
DSCP Value of an Incoming Packet | Packet is Tagged with a Drop Precedence Value | DSCP Value of the Outgoing Packet
AF11, AF12, AF13 | 1 | AF11
AF21, AF22, AF23 | 1 | AF21
AF31, AF32, AF33 | 1 | AF31
AF41, AF42, AF43 | 1 | AF41
AF11, AF12, AF13 | 2 | AF12
AF21, AF22, AF23 | 2 | AF22
AF31, AF32, AF33 | 2 | AF32
AF41, AF42, AF43 | 2 | AF42
AF11, AF12, AF13 | 3 | AF13
AF21, AF22, AF23 | 3 | AF23
AF31, AF32, AF33 | 3 | AF33
AF41, AF42, AF43 | 3 | AF43
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the violate mark
precedence command, specifying a new value for the prec-value argument. This supersedes the one
previously configured.
Use the no or default form of this command to return to the default behavior of dropping packets that
exceed the excess burst tolerance.
Examples
The following example configures the policy to mark all packets that exceed the configured burst tolerance
with an IP precedence value of 3:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000 excess-burst 120000
[local]Redback(config-policy-rate)#violate mark precedence 3
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark priority
violate no-action
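The DSCP arithmetic behind the violate mark dscp and violate mark precedence commands, as an added Python illustration that is not SmartEdge OS code: Table 16-21 keywords to code points, the AF drop-precedence re-marking of Table 16-22, and the same-major-class check from the packet reordering caution in the violate mark dscp section. The code point values follow RFC 2474 and RFC 2597; leaving non-AF packets unchanged by a precedence mark is an assumption, since the page describes AF packets only.

```python
"""DSCP arithmetic behind violate mark dscp and violate mark precedence: keyword to
code point (Table 16-21), assured forwarding (AF) drop-precedence re-marking
(Table 16-22) and the same-major-class check from the packet reordering caution.
Added illustration for this page, not SmartEdge OS code; code point values follow
RFC 2474 and RFC 2597, and treating non-AF packets as unchanged by a precedence
mark is an assumption (the page describes AF packets only)."""
from typing import Optional, Tuple, Union

# Table 16-21 keywords -> 6-bit DSCP values.  df and cs0 share code point 0.
KEYWORDS = {"df": 0, "ef": 46}
KEYWORDS.update({f"cs{n}": n << 3 for n in range(8)})
KEYWORDS.update({f"af{c}{d}": (c << 3) | (d << 1)
                 for c in range(1, 5) for d in range(1, 4)})


def to_dscp(mark: Union[str, int]) -> int:
    """Resolve a dscp-class argument: a Table 16-21 keyword or an integer 0..63."""
    if isinstance(mark, str):
        return KEYWORDS[mark.lower()]
    if 0 <= int(mark) <= 63:
        return int(mark)
    raise ValueError(f"DSCP out of range: {mark}")


def to_keyword(dscp: int) -> str:
    """Name a code point with its Table 16-21 keyword (df preferred over cs0)."""
    for kw, value in KEYWORDS.items():
        if value == dscp and kw != "cs0":
            return kw
    return str(dscp)


def af_class_and_precedence(dscp: int) -> Optional[Tuple[int, int]]:
    """(AF class 1..4, drop precedence 1..3) for an AF code point, else None."""
    af_class, precedence, low_bit = dscp >> 3, (dscp >> 1) & 0x3, dscp & 0x1
    if 1 <= af_class <= 4 and 1 <= precedence <= 3 and low_bit == 0:
        return af_class, precedence
    return None


def mark_precedence(dscp: int, prec_value: int) -> int:
    """violate mark precedence prec-value: keep the AF class of the packet and
    replace its drop precedence, as Table 16-22 shows (AF1x tagged 2 -> AF12, ...)."""
    if not 1 <= prec_value <= 3:
        raise ValueError("prec-value must be 1 to 3")
    af = af_class_and_precedence(dscp)
    if af is None:
        return dscp                       # assumption: non-AF packets unchanged
    return (af[0] << 3) | (prec_value << 1)


def major_class(dscp: int) -> int:
    """Class Selector number (top three DSCP bits); the reordering caution groups
    CS0=DF, CS1=AF1x, CS2=AF2x, CS3=AF3x, CS4=AF4x and CS5=EF this way."""
    return dscp >> 3


def reordering_safe(conform_mark: Union[str, int], exceed_mark: Union[str, int]) -> bool:
    """True when two marks stay within one major DSCP class, which is what the
    packet reordering caution on this page asks for."""
    return major_class(to_dscp(conform_mark)) == major_class(to_dscp(exceed_mark))


if __name__ == "__main__":
    # violate mark precedence 3 applied to an af12 packet yields af13
    print(to_keyword(mark_precedence(to_dscp("af12"), 3)))
    print(reordering_safe("af11", "af13"), reordering_safe("ef", "df"))
```

reordering_safe("ef", "df") is False: marking conforming traffic ef and exceeding traffic df, as the first rate example in this chapter does, crosses major classes and is the case the reordering caution warns about.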
violate mark priority
violate mark priority {group-num | ignore} [{drop-precedence {group-num | ignore} |
af-drop drop-value}]
{no | default} violate mark priority
Purpose
Marks packets that exceed the excess burst tolerance with a priority group number, a drop-precedence
value, or both, while leaving the packet's IP header Differentiated Services Code Point (DSCP) value
unmodified.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
group-num Priority group number. The range of values is 0 to 7.
ignore Specifies that the internal packet descriptor (PD) priority or drop-precedence
value is not modified.
drop-precedence Optional. Enables you to specify a setting for either the drop-precedence
portion of the PD quality of service (QoS) field or the priority group, or both.
af-drop drop-value Optional. Target internal drop-precedence value in two-bit format; leaves the
least significant bit unmodified. The range of values is 1 to 3.
Default
Packets exceeding the excess burst tolerance are dropped.
Usage Guidelines
Use the violate mark priority command to mark packets that exceed the excess burst tolerance with a
priority group number, a drop-precedence value, or both, while preserving the packet's IP header. To
configure the excess burst tolerance, enter the rate command (in policy ACL class, metering policy, or
policing policy configuration mode).
A priority group is an internal value used by the SmartEdge OS to determine into which egress queue the
inbound packet should be placed. The type of service (ToS) value, Differentiated Services Code Point
(DSCP) value, and Multiprotocol Label Switching (MPLS) experimental (EXP) bits are unchanged by this
command. The actual queue number depends on the number of queues configured on the circuit. For more
information, see the num-queues command in Chapter 17, QoS Scheduling Configuration.
The SmartEdge OS uses the factory preset, or default, mapping of a priority group to queue, according to
the number of queues configured on a circuit; see Table 16-23.
Only one mark instruction can be in effect at a time. To change the mark instruction, enter the violate mark
priority command, specifying a new value for the group-num argument. This supersedes the value
previously configured.
Use the no or default form of this command to return to the default behavior of dropping packets that
exceed the excess burst tolerance.
Examples
The following example configures the policy to mark all packets that exceed the configured burst tolerance
with a priority group of 3:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000 excess-burst 120000
[local]Redback(config-policy-rate)#violate mark priority 3
Table 16-23 Default Mapping of Priority Groups
Priority Group | 8 Queues | 4 Queues | 2 Queues | 1 Queue
0 | Queue 0 | Queue 0 | Queue 0 | Queue 0
1 | Queue 1 | Queue 1 | Queue 1 | Queue 0
2 | Queue 2 | Queue 1 | Queue 1 | Queue 0
3 | Queue 3 | Queue 2 | Queue 1 | Queue 0
4 | Queue 4 | Queue 2 | Queue 1 | Queue 0
5 | Queue 5 | Queue 2 | Queue 1 | Queue 0
6 | Queue 6 | Queue 2 | Queue 1 | Queue 0
7 | Queue 7 | Queue 3 | Queue 1 | Queue 0
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Note By default, the SmartEdge OS assigns a priority group to each egress queue according to the
number of queues configured on a circuit. You can override the default mapping of packets
into egress queues by creating a customized queue priority map using the qos queue-map
command (in global configuration mode).
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate no-action
violate no-action
violate no-action
{no | default} violate no-action
Purpose
Specifies that no action is taken on packets that exceed the configured excess burst tolerance.
Command Mode
policy class rate configuration
policy rate configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets exceeding the excess burst tolerance are dropped.
Usage Guidelines
Use the violate no-action command to specify that no action is taken on packets that exceed the excess
burst tolerance.
To configure the excess burst tolerance, enter the rate command (in policy ACL class, metering policy, or
policing policy configuration mode).
Use the no or default form of this command to return to the default behavior of dropping packets that
exceed the excess burst tolerance.
Examples
The following example configures the policy to take no action on packets that exceed the configured excess
burst tolerance:
[local]Redback(config)#qos policy protection1 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000 excess-burst 120000
[local]Redback(config-policy-rate)#violate no-action
Caution Risk of overriding configurations. The SmartEdge OS checks for and applies marking in a
specific order. To reduce the risk, remember the following guidelines:
Circuit-based marking overrides class-based marking.
Border Gateway Protocol (BGP) destination-based marking, through route maps,
overrides both circuit-based and class-based marking.
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
conform no-action
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
rate
violate drop
violate mark dscp
violate mark precedence
violate mark priority
QoS Scheduling Configuration 17-1
Chapter 17
QoS Scheduling Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS quality of service (QoS)
scheduling policy features.
For information about other QoS configuration tasks and commands, see the following chapters:
Chapter 16, QoS Rate- and Class-Limiting Configuration: rate- and class-limiting features
(metering and policing policies)
Chapter 18, QoS Circuit Configuration: port, channel, and circuit configuration for all QoS policies
and features
For information about the tasks and commands used to monitor, troubleshoot, and administer QoS, see the
QoS Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note In this chapter, the term, first-generation Asynchronous Transfer Mode (ATM) OC traffic
card, refers to a 2-port ATM OC-3c/STM-1c or ATM OC-12c/STM-4c traffic card; similarly,
the term, second-generation ATM OC traffic card, refers to a 2-port ATM OC-3c/STM-1c
media interface card (MIC), 4-port ATM OC-3c/STM-1c or Enhanced ATM OC-12c/STM-4c
traffic card.
The terms, traffic-managed circuit and traffic-managed port, refer to a circuit and port,
respectively, on Fast Ethernet-Gigabit Ethernet (FE-GE), Gigabit Ethernet 3 (GE3), and
Gigabit Ethernet 1020 (GE1020) traffic cards, and Gigabit Ethernet media interface cards (GE
MICs).
Overview
QoS scheduling policies create and enforce levels of service and bandwidth rates, and prioritize how
packets are scheduled into egress queues. Incoming queues on outbound traffic cards have associated
scheduling parameters such as rates, depths, and relative weights. The traffic card's scheduler draws
packets from the incoming queues based on weight, rate, or strict priority:
A packet can be dropped when queues back up over a configured discard threshold or because of a
parameter setting.
If a packet is not dropped, it is scheduled into an output queue based on its priority group or its
scheduling policy.
After classification, marking, and rate-limiting occur on an incoming packet, the packet is placed into an
output queue for servicing by an egress traffic card's scheduler. The SmartEdge OS supports up to eight
queues per circuit. Queues are serviced according to a queue map scheme, a QoS scheduling policy, or both,
as described in the following sections:
Queue Maps
Priority Queuing Policies
Enhanced Deficit Round-Robin Policies
Modified Deficit Round-Robin Policies
Asynchronous Transfer Mode Weighted Fair Queuing Policies
Priority Weighted Fair Queuing Policies
Congestion Management and Avoidance
Overhead Profiles
Queue Maps
By default, the SmartEdge OS assigns a priority group number to an egress queue, according to the number
of queues configured on a circuit; see Table 17-1.
Table 17-1 Default Mapping of Packets into Queues Using Priority Groups
Priority Group | DSCP Value | IP Prec | MPLS EXP | 802.1p | 8 Queues | 4 Queues | 2 Queues | 1 Queue
0 | Network control | 7 | 7 | 7 | Queue 0 | Queue 0 | Queue 0 | Queue 0
1 | Reserved | 6 | 6 | 6 | Queue 1 | Queue 1 | Queue 1 | Queue 0
2 | Expedited Forwarding (EF) | 5 | 5 | 5 | Queue 2 | Queue 1 | Queue 1 | Queue 0
3 | Assured Forwarding (AF) level 4 | 4 | 4 | 4 | Queue 3 | Queue 2 | Queue 1 | Queue 0
4 | AF level 3 | 3 | 3 | 3 | Queue 4 | Queue 2 | Queue 1 | Queue 0
5 | AF level 2 | 2 | 2 | 2 | Queue 5 | Queue 2 | Queue 1 | Queue 0
6 | AF level 1 | 1 | 1 | 1 | Queue 6 | Queue 2 | Queue 1 | Queue 0
7 | Default Forwarding (DF) | 0 | 0 | 0 | Queue 7 | Queue 3 | Queue 1 | Queue 0
You can configure a customized queue map and assign it to any scheduling policy. The map overrides the
default mapping of packets into the egress queues of the policy to which it is assigned; see Figure 17-1.
When the scheduling policy is attached to a circuit, it overrides the default queue map. You can configure
up to three customized queue maps.
Figure 17-1 Queue Map
Priority Queuing Policies
When a priority queuing (PQ) policy is enabled on a circuit, its output queues are serviced in strict priority
order; that is, packets waiting in the highest-priority queue (queue 0) are serviced until that queue is empty,
then packets waiting in the second-highest priority queue are serviced (queue 1), and so on. Under
congestion, a PQ policy allows the highest priority traffic to get through, at the expense of lower-priority
traffic.
With a PQ policy, the potential exists for a high volume of high-priority traffic to completely starve
low-priority traffic. To prevent such starvation, the SmartEdge OS allows a rate limit to be configured on
each queue, which limits the amount of bandwidth available to a high priority queue. With careful tuning
of the rate limits, you can prevent the lower priority queues from being starved.
Enhanced Deficit Round-Robin Policies
Enhanced deficit round-robin (EDRR) policies can operate in one of three modes: normal, strict, or
alternate:
In normal mode, queue 0 is treated like all other queues on a circuit. Each queue receives its share of
the circuit's bandwidth according to the weight assigned to the queue.
In strict mode, queue 0 always has priority over all other queues configured on a circuit.
In alternate mode, the servicing of queues alternates between queue 0 and the remaining queues. Queue
0 is served, then the next queue is served. Queue 0 is served again, and the next queue in turn is served,
and so on. For example, if four queues are configured, the order of servicing is q0, q1, q0, q2, q0, q3,
q0, q1, and so on.
With strict mode, queue 0 can starve other queues if it always has packets waiting in queue 0. To prevent
this, the SmartEdge OS supports alternating mode so that, in every other round, one of the other queues
on the circuit is served.
Note PQ policies are not supported on ATM DS-3 and second-generation ATM OC traffic cards.
With EDRR policies, each queue has an associated quantum value and a deficit counter. The quantum value
is derived from the configured weight of the queue. A quantum value is the average number of bytes served
in each round; the deficit counter is initialized to the quantum value. Packets in a queue are served as long
as the deficit counter is greater than zero. Each packet served decreases the deficit counter by a value equal
to its length in bytes. At each new round, each nonempty queue's deficit counter is incremented by its
quantum value; see Figure 17-2.
Figure 17-2 EDRR Strict Mode Scheduling
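The EDRR rules above (quantum derived from the weight, a deficit counter that starts at the quantum, packets served while the counter is above zero, and the counter credited each new round) in the three modes, as an added Python model that is not SmartEdge OS code. Assumptions: a quantum of weight x 500 bytes, a counter that resets to the quantum when its queue empties, queue 0 drained whenever it holds packets in strict mode, and pre-loaded queues, so the runs show service order rather than live arrivals.

```python
"""Enhanced deficit round-robin (EDRR) scheduling in its normal, strict and
alternate modes, with the per-queue quantum and deficit counter described in
this section.  Added illustration for this page, not SmartEdge OS code.
Assumptions: quantum = weight x 500 bytes; a queue that empties has its counter
reset to its quantum (so it starts at the quantum when traffic returns); in
strict mode queue 0 is drained whenever it holds packets; all packets are
pre-loaded, so the runs show service order rather than live arrivals."""
from collections import deque
from typing import Deque, Dict, List, Tuple

MODES = ("normal", "strict", "alternate")


class EDRRScheduler:
    def __init__(self, weights: List[int], mode: str = "normal", quantum_unit: int = 500) -> None:
        if mode not in MODES:
            raise ValueError(f"mode must be one of {MODES}")
        if not weights or any(w <= 0 for w in weights):
            raise ValueError("every queue needs a positive weight")
        self.mode = mode
        self.queues: List[Deque[int]] = [deque() for _ in weights]   # packet sizes in bytes
        self.quantum = [w * quantum_unit for w in weights]           # derived from the weight
        self.deficit = list(self.quantum)                            # initialised to the quantum
        self.credited = [False] * len(weights)  # has the queue used its initial counter yet?

    def enqueue(self, queue: int, size: int) -> None:
        self.queues[queue].append(size)

    def _turn(self, qi: int, log: List[int], ignore_deficit: bool = False) -> None:
        """Serve one queue for one turn: credit the quantum for a new round (except
        the first, since the counter starts at the quantum), then serve packets while
        the counter is above zero, subtracting each packet's length."""
        q = self.queues[qi]
        if not q:
            return
        if self.credited[qi]:
            self.deficit[qi] += self.quantum[qi]
        self.credited[qi] = True
        while q and (ignore_deficit or self.deficit[qi] > 0):
            self.deficit[qi] -= q.popleft()
            log.append(qi)
        if not q:                              # emptied: back to the initial state
            self.deficit[qi] = self.quantum[qi]
            self.credited[qi] = False

    def run(self, max_rounds: int = 1000) -> Tuple[List[int], int]:
        """Serve until every queue is empty; returns (queue index per packet served, rounds)."""
        log: List[int] = []
        rounds = 0
        n = len(self.queues)
        while any(self.queues) and rounds < max_rounds:
            rounds += 1
            if self.mode == "normal":
                for qi in range(n):            # queue 0 treated like every other queue
                    self._turn(qi, log)
            else:
                # strict: queue 0 wins whenever it has packets; alternate: q0, q1, q0, q2, ...
                for qi in range(1, n) or (None,):
                    self._turn(0, log, ignore_deficit=(self.mode == "strict"))
                    if qi is not None:
                        self._turn(qi, log)
        return log, rounds


def service_order(weights: List[int], mode: str, preload: Dict[int, List[int]]) -> List[int]:
    """Pre-load packet sizes per queue, run the scheduler and return the service order."""
    sched = EDRRScheduler(weights, mode)
    for qi, sizes in preload.items():
        for size in sizes:
            sched.enqueue(qi, size)
    return sched.run()[0]


if __name__ == "__main__":
    # Four equal-weight queues, quantum-sized packets: alternate mode reproduces the
    # page's q0, q1, q0, q2, q0, q3, q0, q1 order.
    print(service_order([1, 1, 1, 1], "alternate",
                        {0: [500] * 4, 1: [500, 500], 2: [1200], 3: [500]}))
```

A 1200-byte packet in a queue with a 500-byte quantum is still served (the counter only has to be above zero), but the counter goes negative and the queue's next packet waits until enough rounds have credited it back, which is the carry-over behaviour the deficit counter exists for.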
Modified Deficit Round-Robin Policies
Modified deficit round-robin (MDRR) policies support the following features:
Three scheduling algorithms: EDRR normal mode (weighted round-robin), EDRR strict mode, and PQ
strict priority queuing
Up to 256 congestion-avoidance maps to specify random early detection (RED) parameters
Two, four, or eight queues
Single level of hierarchy
Circuit rate limits for EDRR scheduling modes
MDRR policies apply to ports that are members of link groups.
Note EDRR policies are not supported on ATM DS-3 and second-generation ATM OC traffic cards.
For information about EDRR scheduling modes, see the Enhanced Deficit Round-Robin Policies section;
for information about PQ scheduling, see the Priority Queuing Policies section.
When you configure MDRR policies, keep the following limitations in mind:
The MDRR version of the PQ scheduling mode does not support rate limits for queues.
The number of 802.1Q tunnels and PVCs that you can configure on a 10GE traffic card is limited to
1,700.
Asynchronous Transfer Mode Weighted Fair Queuing Policies
Asynchronous Transfer Mode weighted fair queuing (ATMWFQ) policies ensure that queues do not starve
for bandwidth and that traffic obtains predictable service. These policies operate in one of two modes:
alternate and strict. In either mode, the ATM segmentation and reassembly (SAR) uses a class-based WFQ
algorithm to perform QoS priority packet scheduling. In strict mode, queue 0 is serviced immediately and
the other queues are serviced in a round-robin fashion according to their configured weights. In alternate
mode, the servicing of queues alternates between queue 0 and the remaining queues, according to their
configured weights. Queue 0 is served, then the next queue is served. Queue 0 is served again, and the next
queue in turn is served, and so on. For example, if there are four queues configured, the order of servicing
will be q0, q1, q0, q2, q0, q3, q0, q1, and so on.
Priority Weighted Fair Queuing Policies
Priority weighted fair queuing (PWFQ) policies use a priority- and a weight-based algorithm to implement
hierarchical QoS-aware scheduling. Each queue in the policy includes both a priority and a relative weight,
which control how each queue is serviced. Inside the PWFQ policy, priority takes precedence, and for
queues placed at the same priority, the individual configured weight defines how the queue is used in the
scheduling decision. You can attach PWFQ policies to Layer 2 and Layer 3 circuits.
Hierarchical scheduling enables scheduling at the port, 802.1Q tunnel, and 802.1Q permanent virtual
circuit (PVC) levels, using PWFQ policies. It also enables QoS shaping for subscriber sessions using
PWFQ policies attached to hierarchical nodes and node groups, so that four levels of scheduling are
possible (hierarchical node, 802.1Q PVC, 802.1Q tunnel, and port levels). Scheduling modes include:
Strict: Each queue is assigned a unique priority and is serviced according to its priority. The relative
weight does not affect the scheduling.
Normal: All queues are assigned the same priority. Each queue is serviced in round-robin order,
according to the assigned relative weight, which is a percentage of the available bandwidth.
Strict + Normal: Strict and normal modes are combined. Multiple queues can be assigned the same
priority (forming a priority group); the queues in each group are serviced in round-robin order with each
queue receiving the percentage of the group's bandwidth assigned to it by the relative weight.
Note ATMWFQ policies are not supported on first-generation ATM OC traffic cards.
Note PWFQ policies and hierarchical scheduling and shaping are supported only for
traffic-managed ports and circuits.
Congestion Management and Avoidance
The SmartEdge OS employs the following congestion avoidance features when processing packets using
the different queuing and scheduling policies:
Random Early Detection
Early Packet Discard
Multidrop Precedence
Congestion Avoidance Maps
Queue Depth
Queue Rates
Random Early Detection
With scheduling policies, you can configure random early detection (RED) parameters to manage buffer
congestion by signaling to sources of traffic that the network is on the verge of entering a congested state,
rather than waiting until the network is actually congested. The technique is to drop packets with a
probability that varies as a function of how many packets are waiting in a queue at any particular time, and
the minimum and maximum average queue depth.
When a queue is nearly empty, the probability of dropping a packet is small. As the queue's average depth
increases, the likelihood of dropping packets becomes greater; see Figure 17-3.
Figure 17-3 Probability of Being Dropped as a Function of Queue Depth
Note For ATM DS-3 and second-generation ATM OC traffic cards, the queue depth value is equal
to the value configured for the maximum threshold.
Early Packet Discard
With ATMWFQ policies, you can also configure early packet discard (EPD), a congestion avoidance
mechanism that starts dropping packets after queues reach the EPD threshold. When queue buffers are
nearly full (reaching the EPD threshold), the system is signaled that it may become congested. Any packets
trying to enter queues, after the EPD threshold has been met, are dropped.
Multidrop Precedence
With ATMWFQ and PWFQ policies, you can configure different congestion behaviors that depend on the
DSCP values of the packets in a queue; this feature is referred to as multidrop precedence. Multidrop
precedence supports up to three profiles for each queue, and each profile defines a different congestion
behavior for one or more DSCP values. Each profile is also characterized by its RED parameter values. The
DSCP value in the packet is used to select the profile that governs its congestion avoidance behavior.
Figure 17-4 shows how the three profiles can be defined with different minimum and maximum thresholds.
Multidrop profiles are available only for ATMWFQ and PWFQ policies and are configured using
congestion avoidance maps.
Figure 17-4 Multidrop Profiles
Congestion Avoidance Maps
A congestion avoidance map specifies how congestion avoidance is managed for a set of queues. Each map
supports eight queues.
For each queue, you define up to three profiles, each of which describes the congestion behavior for one or
more DSCP values. The map specifies RED parameters for every queue. One of the profiles, the default
profile, specifies the default congestion behavior for every DSCP value.
Note Congestion avoidance maps are supported only for ATMWFQ, MDRR, and PWFQ policies.
When you define either of the other profiles for a queue, the system removes the DSCP values that you
specify from the default profile. If a congestion map is not assigned to an ATMWFQ, MDRR, or PWFQ
policy, packets are dropped only when the maximum queue depth is exceeded.
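The following Python model is an added illustration, not code from this guide or from the SmartEdge OS, of how the pieces described above fit together for one queue of a congestion avoidance map: a default RED profile plus DSCP-keyed profiles, the DSCP of an arriving packet selecting the profile, an exponentially weighted average of the queue depth, and a drop probability that rises linearly between the selected profile's minimum and maximum thresholds. The averaging form (avg += (depth - avg) / 2^w) and the reading of the drop probability as a fraction reached at the maximum threshold are standard RED conventions assumed by the model; the CLI's `probability` and `exponential-weight` arguments are not claimed to use these exact scales. The thresholds are those of the map-red4a example later in this chapter; the DSCP names and queue depths fed to the model are constructed.

```python
"""Added illustration (not SmartEdge OS code): one queue of a congestion avoidance
map with a default RED profile, DSCP-keyed multidrop profiles, an exponentially
weighted average of the queue depth, and the RED drop-probability ramp."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class RedProfile:
    """RED parameters of one profile; thresholds are in packets."""
    min_threshold: int
    max_threshold: int
    max_drop_probability: float  # drop probability reached at max_threshold
                                 # (fractional scale, an assumption of this model)

    def drop_probability(self, avg_depth: float) -> float:
        """Classic RED ramp: 0 below min, linear between min and max, 1 at or above max."""
        if avg_depth < self.min_threshold:
            return 0.0
        if avg_depth >= self.max_threshold:
            return 1.0
        span = self.max_threshold - self.min_threshold
        return self.max_drop_probability * (avg_depth - self.min_threshold) / span


@dataclass
class QueueCongestion:
    """Congestion behaviour of a single queue: default profile plus DSCP-specific ones."""
    default: RedProfile
    exponential_weight: int
    profiles: Dict[str, RedProfile] = field(default_factory=dict)  # DSCP -> profile
    avg_depth: float = 0.0

    def add_profile(self, dscps: Iterable[str], profile: RedProfile) -> None:
        """Bind DSCP values to a profile. As the guide states, those DSCP values are
        removed from the default profile, so each DSCP selects exactly one profile."""
        for dscp in dscps:
            self.profiles[dscp] = profile

    def profile_for(self, dscp: str) -> RedProfile:
        return self.profiles.get(dscp, self.default)

    def update_average(self, current_depth: int) -> float:
        """EWMA of the queue depth with gain 1/2^w (standard RED form, assumed here)."""
        self.avg_depth += (current_depth - self.avg_depth) / (2 ** self.exponential_weight)
        return self.avg_depth

    def should_drop(self, dscp: str, current_depth: int, draw: float) -> bool:
        """Drop decision for an arriving packet. `draw` is a uniform number in [0, 1)
        supplied by the caller so the decision is deterministic and testable."""
        avg = self.update_average(current_depth)
        return draw < self.profile_for(dscp).drop_probability(avg)


def build_queue0_like_map_red4a() -> QueueCongestion:
    """Constructed instance using the queue 0 thresholds of the map-red4a example in
    this chapter. CLI probability values are turned into fractions as 1/N, an
    assumption; the exponential weight is shortened to 4 so the average moves
    visibly in a few iterations (the example uses 40)."""
    queue = QueueCongestion(default=RedProfile(30, 5200, 1 / 16), exponential_weight=4)
    queue.add_profile(["cs7"], RedProfile(140, 13000, 1 / 34))
    queue.add_profile(["cs3"], RedProfile(230, 15600, 1 / 50))
    return queue


def sustained_overload_decisions(depth: int = 6000, rounds: int = 40,
                                 draw: float = 0.5) -> Tuple[bool, bool]:
    """Hold the queue at `depth` packets for `rounds` samples, then ask whether a
    best-effort packet (default profile) and a cs7 packet (profile-1) are dropped.
    Returns (best_effort_dropped, cs7_dropped)."""
    queue = build_queue0_like_map_red4a()
    for _ in range(rounds):
        queue.update_average(depth)
    return queue.should_drop("af11", depth, draw), queue.should_drop("cs7", depth, draw)


if __name__ == "__main__":
    fresh = build_queue0_like_map_red4a()
    print("nearly empty queue, drop?", fresh.should_drop("af11", 10, 0.0))
    print("(best-effort dropped, cs7 dropped) after overload:", sustained_overload_decisions())
```

The overload case shows the point of multidrop precedence: once the average depth sits above the default profile's 5200-packet maximum, best-effort traffic is dropped unconditionally, while cs7 traffic, whose profile tops out at 13000, still sees only a small drop probability on the same queue.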
Queue Depth
With EDRR, PQ, and PWFQ policies, you can modify the number of packets allowed per queue on a
circuit. Queue depth is configured for PWFQ policies with the congestion avoidance map that you assign
to the policy and for EDRR and PQ policies with the queue depth command (in EDRR and PQ policy
configuration mode). For default and maximum queue depth values for various port types, see Table 17-14.
Queue Rates
With EDRR, MDRR, and PQ policies, you can configure a rate limit. In PQ policies, the rate is controlled
on each individual queue through the queue rate command (in PQ policy configuration mode). In EDRR
and MDRR policies, the rate is a combined traffic rate for all queues in the policy and is configured through
the rate command (in EDRR policy and MDRR policy configuration modes, respectively). A reasonable
guideline for burst tolerance is to allow one to two seconds of burst time on the defined queue rate.
Overhead Profiles
The SmartEdge OS can take the encapsulation overhead of the access line into consideration so that the rate
of traffic does not exceed the permitted traffic rate on the line. This downstream traffic shaping is controlled
by QoS overhead profiles.
The overhead profile works in conjunction with the PWFQ policy. The PWFQ defines the rate of traffic
flow; the overhead profile defines the encapsulation overhead and the available bandwidth on the access
line. The rate can come from one of the following sources:
Defined in a PWFQ policy
Defined by the rate circuit command
Received from a Remote Authentication Dial-In User Service (RADIUS) vendor-specific attribute
(VSA)
Received from an Access Node Control Protocol (ANCP) configuration
Received from the Point-to-Point Protocol over Ethernet (PPPoE) tag, which also contains the line rate
of the digital subscriber line-access multiplexer (DSLAM) and the encapsulation of the access line
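The following Python module is an added illustration, not code from this guide or from the SmartEdge OS, of what the overhead profile corrects for. A 40-byte IP packet (a bare TCP acknowledgement) on a PPPoA/LLC line occupies two 53-byte cells, 106 bytes on the wire, so a scheduler that shapes on IP bytes at the line rate would overrun a small DSL line by more than 2.5 times for such traffic. The ATM figures (4-byte LLC/SNAP header for pppoa-llc, no header for pppoa-null, 8-byte AAL5 trailer, 48-byte cell payload, 53-byte cell) are the standard RFC 2364 and AAL5 values, not taken from this page; where the platform applies the reserved bytes and how it applies the rate-factor percentage are assumptions of the model.

```python
"""Added illustration (not SmartEdge OS code): the access-line overhead that a QoS
overhead profile accounts for, computed for AAL5/ATM PPPoA lines.

Standard values (RFC 2364 / AAL5), not taken from this guide:
  pppoa-llc  -> 4-byte LLC/SNAP header in front of the PPP frame
  pppoa-null -> VC-multiplexed, no header
  8-byte AAL5 trailer, 48-byte cell payload, 53-byte cell.
The placement of the profile's reserved bytes (added to each packet before AAL5
framing) and the meaning of rate-factor (percentage of line bandwidth withheld)
are assumptions of this model."""
import math

ATM_CELL_BYTES = 53
ATM_CELL_PAYLOAD_BYTES = 48
AAL5_TRAILER_BYTES = 8
ENCAPS_HEADER_BYTES = {"pppoa-llc": 4, "pppoa-null": 0}


def aal5_cells(ip_bytes: int, encaps: str, reserved: int = 0) -> int:
    """Cells needed for one IP packet of `ip_bytes` with the given encapsulation."""
    pdu = ip_bytes + reserved + ENCAPS_HEADER_BYTES[encaps] + AAL5_TRAILER_BYTES
    return math.ceil(pdu / ATM_CELL_PAYLOAD_BYTES)


def wire_bytes(ip_bytes: int, encaps: str, reserved: int = 0) -> int:
    """Bytes the packet actually consumes on the ATM line."""
    return aal5_cells(ip_bytes, encaps, reserved) * ATM_CELL_BYTES


def overhead_ratio(ip_bytes: int, encaps: str, reserved: int = 0) -> float:
    """Line bytes per IP byte; 1.0 would mean no overhead."""
    return wire_bytes(ip_bytes, encaps, reserved) / ip_bytes


def usable_rate_kbps(line_rate_kbps: float, rate_factor_percent: float) -> float:
    """Line bandwidth left for traffic once the rate-factor percentage is withheld."""
    return line_rate_kbps * (100 - rate_factor_percent) / 100


def ip_rate_for_line(line_rate_kbps: float, rate_factor_percent: float,
                     ip_bytes: int, encaps: str, reserved: int = 0) -> float:
    """IP-layer rate (kbps) at which a stream of `ip_bytes` packets exactly fills the
    usable line rate. Shaping above this figure overruns the access line, which is
    what happens when the scheduler rate ignores the encapsulation overhead."""
    return usable_rate_kbps(line_rate_kbps, rate_factor_percent) / overhead_ratio(ip_bytes, encaps, reserved)


if __name__ == "__main__":
    for size in (40, 576, 1500):
        print(f"{size:5d}-byte IP packet, pppoa-llc: {aal5_cells(size, 'pppoa-llc')} cells, "
              f"{wire_bytes(size, 'pppoa-llc')} bytes on the wire "
              f"(x{overhead_ratio(size, 'pppoa-llc'):.2f})")
    # A constructed 1000 kbps line with rate-factor 15 (the default of the example1
    # profile in this chapter): the IP rate that fits depends heavily on packet size.
    print("IP rate for 40-byte packets:", round(ip_rate_for_line(1000, 15, 40, "pppoa-llc"), 1), "kbps")
    print("IP rate for 1500-byte packets:", round(ip_rate_for_line(1000, 15, 1500, "pppoa-llc"), 1), "kbps")
```

The spread between the two printed rates (roughly 321 kbps for small packets against 752 kbps for full-size packets on the same 1000 kbps line) is why a single PWFQ rate cannot be correct for every traffic mix, and why the profile lets the scheduler account for cell padding per packet rather than by a fixed percentage alone.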
Configuration Tasks
To configure scheduling policies, perform the tasks described in the following sections:
Configure a Queue Map
Configure a Congestion Avoidance Map
Configure an ATMWFQ Policy
Configure an EDRR Policy
Configure an MDRR Policy
Configure a PQ Policy
Configure a PWFQ Policy
Configure an Overhead Profile
Configure a Queue Map
The SmartEdge OS assigns a factory preset, or default, mapping of priority groups to queues, according to
the number of queues configured. You can customize this mapping for the circuits to which any QoS
scheduling policy is attached. To configure a queue map, perform the tasks in Table 17-2.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 17-2 Configure a Queue Map
1. Create or select a queue map and access queue map configuration mode.
   Root command: qos queue-map
   Notes: Enter this command in global configuration mode.
2. Specify the number of queues for the queue map and access num-queues configuration mode. (1)
   Root command: num-queues
   Notes: Enter this command in queue map configuration mode.
3. Customize the mapping of priority groups to queues.
   Root command: queue priority
   Notes: Enter this command in num-queues configuration mode.
(1) For information about the correlation between the number of ATMWFQ queues configured on a particular traffic card type and the corresponding number of
PVCs allowed (per port and per traffic card), see the Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
Configure a Congestion Avoidance Map
By default, the SmartEdge OS drops packets at the tail of a queue when the number of packets exceeds
the configured maximum depth of the queue. A congestion avoidance map, when attached to an ATMWFQ,
MDRR, or PWFQ scheduling policy, provides congestion management behavior for each queue defined by
the policy.
To configure a congestion avoidance map, perform the tasks described in Table 17-3; enter all commands
in congestion map configuration mode, unless otherwise noted.
Table 17-3 Configure a Congestion Avoidance Map
1. Create or select a congestion avoidance map and access congestion map configuration mode.
   Root command: qos congestion-avoidance-map
   Notes: Enter this command in global configuration mode.
2. Set the RED parameters for each queue in the map.
   Root command: queue red
   Notes: Perform this task for each queue in the map.
3. Set the exponential weight for each queue in the map.
   Root command: queue exponential-weight
   Notes: Enter this command for each queue in the map.
4. Specify the depth of a queue.
   Root command: queue depth
   Notes: This command applies only to congestion avoidance maps for PWFQ policies. Enter this command for each queue in the map.
Configure an ATMWFQ Policy
You can configure an ATMWFQ policy with either RED or EPD parameters. To configure an ATMWFQ
policy with RED parameters, using a congestion avoidance map, perform the tasks described in Table 17-4;
enter all commands in ATMWFQ policy configuration mode, unless otherwise noted.
To configure an ATMWFQ policy with EPD parameters, perform the tasks described in Table 17-5; enter
all commands in ATMWFQ policy configuration mode, unless otherwise noted.
Table 17-4 Configure an ATMWFQ Policy with RED Parameters
1. Create the policy name and access ATMWFQ policy configuration mode.
   Root command: qos policy atmwfq
   Notes: Enter this command in global configuration mode.
2. Optional. Configure the policy with any or all of the following tasks:
   - Assign a queue map to the policy.
     Root command: queue-map
   - Specify the number of queues for the policy. (1)
     Root command: num-queues
     Notes: By default, the number of queues is 4.
   - Assign a congestion avoidance map to the policy.
     Root command: congestion-map
     Notes: By default, no congestion map is assigned.
   - Define the algorithm for queue 0.
     Root command: queue 0 mode
     Notes: By default, the queue mode is alternate.
   - Specify the traffic weight for each queue.
     Root command: queue weight
     Notes: By default, the weight is 2.
(1) For information about the correlation between the number of queues and the number of VCs, see the Circuit Configuration chapter in the Ports, Circuits, and
Tunnels Configuration Guide for the SmartEdge OS.
Table 17-5 Configure an ATMWFQ Policy with EPD Parameters
1. Create the policy name and access ATMWFQ policy configuration mode.
   Root command: qos policy atmwfq
   Notes: Enter this command in global configuration mode.
2. Configure the policy with any or all of the following tasks:
   - Assign a queue map to the policy.
     Root command: queue-map
   - Specify the number of queues for the policy. (1)
     Root command: num-queues
     Notes: By default, the number of queues is 4.
   - Modify congestion parameters for each queue.
     Root command: queue congestion epd
   - Define the algorithm for queue 0.
     Root command: queue 0 mode
     Notes: By default, the queue mode is alternate.
   - Specify the traffic weight for each queue.
     Root command: queue weight
     Notes: By default, the weight is 2.
(1) For information about the correlation between the number of queues and the number of VCs, see the Circuit Configuration chapter in the Ports, Circuits, and
Tunnels Configuration Guide for the SmartEdge OS.
Configure an EDRR Policy
To configure an EDRR policy, perform the tasks described in Table 17-6; enter all commands in EDRR
policy configuration mode, unless otherwise noted.
Table 17-6 Configure an EDRR Policy
1. Create the policy name and access EDRR policy configuration mode.
   Root command: qos policy edrr
   Notes: Enter this command in global configuration mode.
2. Optional. Configure the policy with any or all of the following tasks:
   - Assign a queue map to the policy.
     Root command: queue-map
   - Specify the number of queues for the policy.
     Root command: num-queues
     Notes: By default, the number of queues is 8.
   - Specify the depth of a queue.
     Root command: queue depth
     Notes: You can enter this command for each queue.
   - Set RED parameters per queue.
     Root command: queue red
     Notes: By default, RED is disabled.
   - Specify the traffic weight per queue.
     Root command: queue weight
     Notes: By default, the traffic weight is 0.
   - Set a rate limit for the policy.
     Root command: rate
     Notes: By default, there is no rate limit.
Configure an MDRR Policy
To configure an MDRR policy, perform the tasks described in Table 17-7; enter all commands in MDRR
policy configuration mode, unless otherwise noted.
Table 17-7 Configure an MDRR Policy
1. Create the policy name and access MDRR policy configuration mode.
   Root command: qos policy mdrr
   Notes: Enter this command in global configuration mode.
2. Optional. Configure the policy by completing any or all of the following tasks:
   - Assign a queue map to the policy.
     Root command: queue-map
   - Specify the number of queues for the policy.
     Root command: num-queues
     Notes: By default, the number of queues is 8.
   - Assign a congestion avoidance map to the policy.
     Root command: congestion-map
   - Specify the scheduling algorithm.
     Root command: qos mode
     Notes: By default, the mode is normal.
   - Specify the traffic weight per queue.
     Root command: queue weight
     Notes: By default, the traffic weight is 0.
   - Set a rate limit for the policy.
     Root command: rate
     Notes: By default, there is no rate limit.
Configure a PQ Policy
To configure a PQ policy, perform the tasks described in Table 17-8; enter all commands in PQ policy
configuration mode, unless otherwise noted.
Table 17-8 Configure a PQ Policy
1. Create or select the policy and access PQ policy configuration mode.
   Root command: qos policy pq
   Notes: Enter this command in global configuration mode.
2. Optional. Configure the policy with any or all of the following tasks (enter these commands in PQ policy configuration mode):
   - Assign a queue map to the policy.
     Root command: queue-map
   - Specify the number of queues for the policy.
     Root command: num-queues
     Notes: By default, the number of queues is 8.
   - Specify the depth of a queue.
     Root command: queue depth
     Notes: You can enter this command for each queue.
   - Set a rate limit per queue.
     Root command: queue rate
     Notes: By default, there is no rate limit.
   - Set RED parameters per queue.
     Root command: queue red
     Notes: By default, RED is disabled.
Configure a PWFQ Policy
To configure a PWFQ policy, perform the tasks described in Table 17-9; enter all commands in PWFQ
policy configuration mode, unless otherwise noted.
Table 17-9 Configure a PWFQ Policy
1. Create the policy name and access PWFQ policy configuration mode.
   Root command: qos policy pwfq
   Notes: Enter this command in global configuration mode.
2. Optional. Configure the policy with any or all of the following tasks:
   - Assign a queue map to the policy.
     Root command: queue-map
   - Specify the number of queues for the policy.
     Root command: num-queues
     Notes: By default, the number of queues is 8.
   - Assign a congestion avoidance map to the policy.
     Root command: congestion-map
   - Assign a priority and relative weight to each queue.
     Root command: queue priority
     Notes: Enter this command for each queue that you specified with the num-queues command.
   - Set the maximum and minimum rates for the policy.
     Root command: rate
     Notes: You must enter this command to specify the maximum rate; the minimum rate is optional. You cannot set a minimum rate if you also assign a relative weight to this policy.
   - Assign a relative weight to this policy.
     Root command: weight
     Notes: You cannot assign a relative weight if you also set a minimum rate for this policy.
   - Set the rate for each priority group.
     Root command: queue priority-group
     Notes: Enter this command for each priority group.
Configure an Overhead Profile
To configure an overhead profile, perform the tasks described in Table 17-10; enter all commands in
overhead profile configuration mode, unless otherwise noted.
Table 17-10 Configure an Overhead Profile
1. Create or select a QoS overhead profile.
   Root command: qos profile overhead
2. Create a default rate-factor for the overhead profile.
   Root command: rate-factor
3. Create a default encapsulation access-line type for the overhead profile.
   Root command: encaps-access-line
4. Create a default number of reserved bytes, per packet.
   Root command: reserved
5. Configure overhead parameters for the specified DSL data type in the overhead profile.
   Root command: type
6. Define, for a specific access-line type in the overhead profile, the percentage of bandwidth that is unavailable to traffic on the circuit, port, or subscriber record to which the QoS policy is attached.
   Root command: rate-factor
   Notes: Enter this command in overhead type configuration mode.
7. Specify an encapsulation type for a specific access-line type within the overhead profile.
   Root command: encaps-access-line
   Notes: Enter this command in overhead type configuration mode.
8. Specify the reserved bytes, per packet, for a specific access-line type within the overhead profile.
   Root command: reserved
   Notes: Enter this command in overhead type configuration mode.
Configuration Examples
The following sections provide examples of QoS scheduling configurations:
Queue Maps
Congestion Avoidance Map for Multidrop Profiles
ATMWFQ Policies
EDRR Policy
MDRR Policy
PQ Policies
PWFQ Policies
Overhead Profiles
Queue Maps
The following example creates three queue maps and assigns a custom mapping of priority groups to
queues, based on the number of queues configured:
[local]Redback(config)#qos queue-map Custom2
[local]Redback(config-queue-map)#num-queues 2
[local]Redback(config-num-queues)#queue 0 priority 0
[local]Redback(config-num-queues)#queue 1 priority 1 2 3 4 5 6 7
[local]Redback(config-num-queues)#exit
[local]Redback(config)#qos queue-map Custom4
[local]Redback(config-queue-map)#num-queues 4
[local]Redback(config-num-queues)#queue 0 priority 0
[local]Redback(config-num-queues)#queue 1 priority 1 2
[local]Redback(config-num-queues)#queue 2 priority 3 4 5 6
[local]Redback(config-num-queues)#queue 3 priority 7
[local]Redback(config-num-queues)#exit
[local]Redback(config)#qos queue-map Custom8
[local]Redback(config-queue-map)#num-queues 8
[local]Redback(config-num-queues)#queue 0 priority 0
[local]Redback(config-num-queues)#queue 1 priority 1
[local]Redback(config-num-queues)#queue 2 priority 2
[local]Redback(config-num-queues)#queue 3 priority 3
[local]Redback(config-num-queues)#queue 4 priority 4
[local]Redback(config-num-queues)#queue 5 priority 5
[local]Redback(config-num-queues)#queue 6 priority 6
[local]Redback(config-num-queues)#queue 7 priority 7
[local]Redback(config-num-queues)#exit
Congestion Avoidance Map for Multidrop Profiles
The following example configures the congestion avoidance map, map-red4a, with a default profile and up to
two DSCP-specific profiles per queue, for use by any ATMWFQ policy:
[local]Redback(config)#qos congestion-avoidance-map map-red4a atmwfq
[local]Redback(config-congestion-map)#queue 0 exponential-weight 40
[local]Redback(config-congestion-map)#queue 0 red default min-threshold 30 max-threshold 5200 probability 16
[local]Redback(config-congestion-map)#queue 0 red profile-1 dscp cs7 min-threshold 140 max-threshold 13000 probability 34
[local]Redback(config-congestion-map)#queue 0 red profile-2 dscp cs3 min-threshold 230 max-threshold 15600 probability 50
[local]Redback(config-congestion-map)#queue 3 exponential-weight 13
[local]Redback(config-congestion-map)#queue 3 red default max-threshold 5200
[local]Redback(config-congestion-map)#queue 3 red profile-1 dscp af21 min-threshold 100 max-threshold 14000 probability 450
ATMWFQ Policies
The following example configures the ATMWFQ policy, example2, with the map-red4a congestion
avoidance map:
[local]Redback(config)#qos policy example2 atmwfq
[local]Redback(config-policy-atmwfq)#num-queues 4
[local]Redback(config-policy-atmwfq)#congestion-map map-red4a
[local]Redback(config-policy-atmwfq)#queue 0 weight 10
[local]Redback(config-policy-atmwfq)#queue 1 weight 20
[local]Redback(config-policy-atmwfq)#queue 2 weight 30
[local]Redback(config-policy-atmwfq)#queue 3 weight 40
[local]Redback(config-policy-atmwfq)#queue 0 mode strict
[local]Redback(config-policy-atmwfq)#exit
The following example configures an ATMWFQ policy, example3, with EPD parameters:
[local]Redback(config)#qos policy example3 atmwfq
[local]Redback(config-policy-atmwfq)#num-queues 4
[local]Redback(config-policy-atmwfq)#queue 0 congestion epd max-threshold 5200
[local]Redback(config-policy-atmwfq)#queue 1 congestion epd max-threshold 5200
[local]Redback(config-policy-atmwfq)#queue 2 congestion epd max-threshold 5200
[local]Redback(config-policy-atmwfq)#queue 0 mode strict
[local]Redback(config-policy-atmwfq)#exit
EDRR Policy
The following example configures the EDRR policy, example1, and gives queue number 3 30% of the
bandwidth of the circuit:
[local]Redback(config)#qos policy example1 edrr
[local]Redback(config-policy-edrr)#queue 3 weight 30
[local]Redback(config-policy-edrr)#exit
MDRR Policy
The following example configures the MDRR policy, example4, using strict mode with 4 queues and
divides the bandwidth between the queues according to an approximate 50:30:10:10 ratio during periods
of congestion:
[local]Redback(config)#qos policy example4 mdrr
[local]Redback(config-policy-mdrr)#qos mode strict
[local]Redback(config-policy-mdrr)#num-queues 4
[local]Redback(config-policy-mdrr)#queue-map Custom4
[local]Redback(config-policy-mdrr)#congestion-avoidance-map
[local]Redback(config-policy-mdrr)#queue 0 rate 310000 burst 40000
[local]Redback(config-policy-mdrr)#queue 1 rate 186000 burst 40000
[local]Redback(config-policy-mdrr)#queue 2 rate 62000 burst 40000
[local]Redback(config-policy-mdrr)#queue 3 rate 62000 burst 40000
[local]Redback(config-policy-mdrr)#exit
PQ Policies
The following sections provide examples of PQ policies:
RED Parameters
Rate-Limiting
Backbone Application
RED Parameters
The following example creates a PQ policy, red, and establishes RED parameters for each of the eight
queues such that higher priority traffic has a lower probability of being dropped, and lower priority traffic
has a higher probability of being dropped:
[local]Redback(config)#qos policy red pq
[local]Redback(config-policy-pq)#queue 0 red probability 10 weight 12 min-threshold 1900 max-threshold 5200
[local]Redback(config-policy-pq)#queue 1 red probability 9 weight 12 min-threshold 1850 max-threshold 5200
[local]Redback(config-policy-pq)#queue 2 red probability 8 weight 12 min-threshold 1800 max-threshold 5200
[local]Redback(config-policy-pq)#queue 3 red probability 7 weight 12 min-threshold 1750 max-threshold 5200
[local]Redback(config-policy-pq)#queue 4 red probability 6 weight 12 min-threshold 1700 max-threshold 5200
[local]Redback(config-policy-pq)#queue 5 red probability 5 weight 12 min-threshold 1650 max-threshold 5200
[local]Redback(config-policy-pq)#queue 6 red probability 4 weight 12 min-threshold 1600 max-threshold 5200
[local]Redback(config-policy-pq)#queue 7 red probability 1 weight 12 min-threshold 1550 max-threshold 5200
[local]Redback(config-policy-pq)#exit
Rate-Limiting
The following example configures a PQ policy with 4 queues and divides the bandwidth between the
queues according to an approximate 50:30:10:10 ratio during periods of congestion. This guarantees that
even the lowest priority queue gets a share of bandwidth in the presence of congestion and strict priority
queuing:
[local]Redback(config)#qos policy pos-qos pq
[local]Redback(config-policy-pq)#num-queues 4
[local]Redback(config-policy-pq)#queue 0 rate 310000 burst 40000
[local]Redback(config-policy-pq)#queue 1 rate 130000 burst 40000
[local]Redback(config-policy-pq)#queue 2 rate 62000 burst 40000
[local]Redback(config-policy-pq)#queue 3 rate 62000 burst 40000
[local]Redback(config-policy-pq)#exit
The following example uses rate-limiting to provide a customer with an access bandwidth that is less than
the port speed; this is accomplished through the no-exceed keyword in the queue 0 rate command. The
port is on an OC-12c/STM-4c traffic card and is configured to a maximum of 100 Mbps (instead of its
port speed of 622 Mbps):
[local]Redback(config)#qos policy 100MbpsMaxBw pq
[local]Redback(config-policy-pq)#num-queues 1
[local]Redback(config-policy-pq)#queue 0 rate 100000 burst 12500 no-exceed
[local]Redback(config-policy-pq)#exit
The following example creates a policy, pos-rate, and rate-limits traffic in queue 0 to 300 Mbps when
there is congestion on the port. When there is no congestion on the port, the limit is not imposed:
[local]Redback(config)#qos policy pos-rate pq
[local]Redback(config-policy-pq)#queue 0 rate 300000 burst 40000
[local]Redback(config-policy-pq)#exit
Backbone Application
In the following example, the PQ policy has eight priority queues, with DSCP values mapping into those
eight queues toward the backbone (a 2.5-Gbps OC-48 uplink). Strict rate limits, listed in Table 17-11, are
placed on the amount of traffic allowed into the backbone for each DSCP value.
Table 17-11 2.5-Gbps OC-48 Rate Limits
Queue Number   DSCP                               Rate Limit
0              NA                                 None
1              NA                                 None
2              expedited forwarding (EF)          200 Mbps
3              assured forwarding (AF), level 4   200 Mbps
4              assured forwarding (AF), level 3   200 Mbps
5              assured forwarding (AF), level 2   200 Mbps
6              assured forwarding (AF), level 1   200 Mbps
7              default forwarding (DF)            None
The configuration is as follows:
[local]Redback(config)#qos policy Diffserv pq
[local]Redback(config-policy-pq)#num-queues 8
[local]Redback(config-policy-pq)#queue 2 rate 200000 burst 25000 no-exceed
[local]Redback(config-policy-pq)#queue 3 rate 200000 burst 25000 no-exceed
[local]Redback(config-policy-pq)#queue 4 rate 200000 burst 25000 no-exceed
[local]Redback(config-policy-pq)#queue 5 rate 200000 burst 25000 no-exceed
[local]Redback(config-policy-pq)#queue 6 rate 200000 burst 25000 no-exceed
PWFQ Policies
The following examples provide configurations for types of priority scheduling:
Strict Priority
Normal Priority
Strict + Normal Priority
Strict + Normal Priority with Maximum Priority-Group Bandwidth
Strict + Normal Priority with Maximum and Minimum Bandwidths
In these examples, all policies are configured with four queues, a queue map, qpmap1, a congestion
avoidance map, map-red4p, and a maximum bandwidth of 50 Mbits (50000) for the policy; each of the
four queues in the policy is assigned a priority and a relative weight, which specifies the percentage of the
available bandwidth within its priority group.
Strict Priority
The following example configures the strict PWFQ policy for strict priority scheduling. Each queue has
a unique priority and the same relative weight:
[local]Redback(config)#qos policy strict pwfq
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue-map qpmap1
[local]Redback(config-policy-pwfq)#congestion-map map-red4p
[local]Redback(config-policy-pwfq)#rate maximum 50000
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 100
[local]Redback(config-policy-pwfq)#queue 1 priority 1 weight 100
[local]Redback(config-policy-pwfq)#queue 2 priority 2 weight 100
[local]Redback(config-policy-pwfq)#queue 3 priority 3 weight 100
[local]Redback(config-policy-pwfq)#exit
Normal Priority
The following example configures the normal PWFQ policy for normal priority scheduling. All queues
have the same priority, so scheduling is based only on the relative weight assigned to each queue: under
congestion the four queues share the policy's 50 Mbits in the ratio of their weights, 50:30:20:10, with
queue 0 receiving the largest share and queue 3 the smallest:
[local]Redback(config)#qos policy normal pwfq
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue-map qpmap1
[local]Redback(config-policy-pwfq)#congestion-map map-red4p
[local]Redback(config-policy-pwfq)#rate maximum 50000
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 50
[local]Redback(config-policy-pwfq)#queue 1 priority 0 weight 30
[local]Redback(config-policy-pwfq)#queue 2 priority 0 weight 20
[local]Redback(config-policy-pwfq)#queue 3 priority 0 weight 10
[local]Redback(config-policy-pwfq)#exit
Strict + Normal Priority
The following example configures the PWFQ policy, pwfq4, with two priority groups, 0 and 1.
Queues 0 and 1 have the same priority (group 0) and are serviced before queues 2 and 3 (assigned to
group 1). Within each priority group the queues are serviced in round-robin order, according to their
assigned relative weights. For example, queue 0 receives 70% and queue 1 receives 30% of the bandwidth
available for the group. Queues 2 and 3 are serviced only when queues 0 and 1 are empty; queue 2 receives
60% and queue 3 receives 40% of the available bandwidth for the group:
[local]Redback(config)#qos policy pwfq4 pwfq
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue-map qpmap1
[local]Redback(config-policy-pwfq)#congestion-map map-red4p
[local]Redback(config-policy-pwfq)#rate maximum 50000
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 70
[local]Redback(config-policy-pwfq)#queue 1 priority 0 weight 30
[local]Redback(config-policy-pwfq)#queue 2 priority 1 weight 60
[local]Redback(config-policy-pwfq)#queue 3 priority 1 weight 40
[local]Redback(config-policy-pwfq)#exit
Strict + Normal Priority with Maximum Priority-Group Bandwidth
The following example configures the pwfq4 policy as before, but adds a maximum bandwidth limitation
for each priority group. In this case, the combined traffic in group 0 is limited to 10 Mbits (10000), even
when there is no traffic on the queues in priority group 1. Similarly, combined traffic on queues 2 and 3 is
limited to 1 Mbit (1000), even when there is no traffic on queues 0 and 1:
[local]Redback(config)#qos policy pwfq4 pwfq
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue-map qpmap1
[local]Redback(config-policy-pwfq)#congestion-map map-red4p
[local]Redback(config-policy-pwfq)#rate maximum 50000
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 70
[local]Redback(config-policy-pwfq)#queue 1 priority 0 weight 30
[local]Redback(config-policy-pwfq)#queue priority-group 0 rate 10000
[local]Redback(config-policy-pwfq)#queue 2 priority 1 weight 60
[local]Redback(config-policy-pwfq)#queue 3 priority 1 weight 40
[local]Redback(config-policy-pwfq)#queue priority-group 1 rate 1000
[local]Redback(config-policy-pwfq)#exit
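The division of bandwidth described in the pwfq4 examples above can be checked with the following Python model, added here as an illustration; it is not SmartEdge OS code, and the scheduler it implements (strict service between priority groups, weighted fair sharing within a group, an optional per-group cap) is the behaviour this chapter describes, not the platform's internal algorithm. Queue numbers, weights and rates are those of the pwfq4 examples; the offered-load figures used in the demonstration are constructed. The model also covers a case the text only implies: when group 0 offers less than its share, the unused bandwidth flows to group 1, but never beyond a configured priority-group rate.

```python
"""Added illustration (not SmartEdge OS code): bandwidth division by a PWFQ policy.

Models the rules this chapter states for the pwfq4 examples: priority groups are
served strictly in order (group 0 first), queues within a group share the group's
bandwidth in proportion to their weights, and an optional per-group rate
(queue priority-group N rate) caps a group even when lower-priority groups are idle.
Rates are in kbps as in the examples. The minimum-rate behaviour, which depends
on the next higher scheduling level, is not modelled."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Queue:
    number: int
    priority: int   # priority group; lower is served first
    weight: int     # relative weight inside the group


@dataclass
class PwfqPolicy:
    max_rate: int                                               # rate maximum (kbps)
    queues: List[Queue]
    group_rates: Dict[int, int] = field(default_factory=dict)  # group -> cap (kbps)


def _weighted_fill(queues: List[Queue], demand: Dict[int, float],
                   capacity: float) -> Dict[int, float]:
    """Weighted fair share of `capacity` among `queues`, never giving a queue more
    than it offers; spare capacity from light queues is re-shared by weight."""
    alloc = {q.number: 0.0 for q in queues}
    active = [q for q in queues if demand.get(q.number, 0.0) > 0]
    remaining = capacity
    while active and remaining > 1e-9:
        total_weight = sum(q.weight for q in active)
        if total_weight == 0:
            break
        satisfied = [q for q in active
                     if demand[q.number] - alloc[q.number] <= remaining * q.weight / total_weight]
        if not satisfied:
            # Every remaining queue is backlogged: split what is left by weight.
            for q in active:
                alloc[q.number] += remaining * q.weight / total_weight
            break
        for q in satisfied:
            alloc[q.number] = demand[q.number]
            active.remove(q)
        remaining = capacity - sum(alloc.values())
    return alloc


def schedule(policy: PwfqPolicy, demand: Dict[int, float]) -> Dict[int, float]:
    """Return the kbps each queue receives for the offered load `demand`
    (queue number -> offered kbps; use float('inf') for a backlogged queue)."""
    alloc: Dict[int, float] = {}
    remaining = float(policy.max_rate)
    for prio in sorted({q.priority for q in policy.queues}):
        group = [q for q in policy.queues if q.priority == prio]
        capacity = min(remaining, policy.group_rates.get(prio, float("inf")))
        shares = _weighted_fill(group, demand, capacity)
        alloc.update(shares)
        remaining -= sum(shares.values())
    return alloc


# The pwfq4 policy from the examples, without and with priority-group caps.
PWFQ4 = PwfqPolicy(max_rate=50000,
                   queues=[Queue(0, 0, 70), Queue(1, 0, 30), Queue(2, 1, 60), Queue(3, 1, 40)])
PWFQ4_CAPPED = PwfqPolicy(max_rate=50000, queues=PWFQ4.queues, group_rates={0: 10000, 1: 1000})
BACKLOGGED = {n: float("inf") for n in range(4)}

if __name__ == "__main__":
    print("pwfq4, all queues backlogged:", schedule(PWFQ4, BACKLOGGED))
    print("pwfq4 with group caps, all backlogged:", schedule(PWFQ4_CAPPED, BACKLOGGED))
    # Constructed load: group 0 offers only 20 Mbits, so group 1 gets the rest.
    print("pwfq4, group 0 offers 20 Mbits:",
          schedule(PWFQ4, {0: 12000, 1: 8000, 2: float("inf"), 3: float("inf")}))
```

With every queue backlogged, pwfq4 without caps starves queues 2 and 3 entirely (35000/15000/0/0 kbps), which is the starvation risk of strict priority that the priority-group rate is there to bound; with the caps of the last example the same load yields 7000/3000/600/400 kbps and 39 Mbits of the policy maximum is left unused.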
Strict + Normal Priority with Maximum and Minimum Bandwidths
The following example configures the pwfq4 policy as before, but adds a minimum bandwidth of
10 Mbits (10000) for the policy. In this configuration, the minimum bandwidth is guaranteed to the
policy only if the next higher level of scheduling (for example, for the scheduling policy applied towards
an 802.1Q PVC) is in strict priority mode. If it is not, then the minimum bandwidth is ignored:
[local]Redback(config)#qos policy pwfq4 pwfq
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue-map qpmap1
[local]Redback(config-policy-pwfq)#congestion-map map-red4p
[local]Redback(config-policy-pwfq)#rate maximum 50000
[local]Redback(config-policy-pwfq)#rate minimum 10000
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 70
[local]Redback(config-policy-pwfq)#queue 1 priority 0 weight 30
[local]Redback(config-policy-pwfq)#queue priority-group 0 rate 10000
[local]Redback(config-policy-pwfq)#queue 2 priority 1 weight 60
[local]Redback(config-policy-pwfq)#queue 3 priority 1 weight 40
[local]Redback(config-policy-pwfq)#queue priority-group 1 rate 1000
[local]Redback(config-policy-pwfq)#exit
Overhead Profiles
The following example configures an overhead profile, example1, and sets the default rate factor to
15, the default reserved value to 8, and the default encapsulation type to pppoa-llc. After you set the profile
defaults, you configure the adsl1 and vdsl1 access-line types with custom encapsulation and reserved values:
[local]Redback(config)#qos profile example1 overhead
[local]Redback(config-profile-overhead)#rate-factor 15
[local]Redback(config-profile-overhead)#encaps-access-line pppoa-llc
[local]Redback(config-profile-overhead)#reserved 8
[local]Redback(config-profile-overhead)#type adsl1
[local]Redback(config-type-overhead)#rate-factor 20
[local]Redback(config-type-overhead)#encaps-access-line pppoa-null
[local]Redback(config-type-overhead)#reserved 16
[local]Redback(config-type-overhead)#exit
[local]Redback(config-profile-overhead)#type vdsl1
[local]Redback(config-type-overhead)#encaps-access-line pppoa-null value 22 data-link ethernet
[local]Redback(config-type-overhead)#reserved 10
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure QoS policies.
The commands are presented in alphabetical order:
congestion-map
encaps-access-line
num-queues
qos congestion-avoidance-map
qos mode
qos policy atmwfq
qos policy edrr
qos policy mdrr
qos policy pq
qos policy pwfq
qos profile overhead
qos queue-map
queue 0 mode
queue congestion epd
queue depth
queue exponential-weight
queue-map
queue priority
queue priority-group
queue rate
queue red
queue weight
rate
rate-factor
reserved
type
weight
Command Descriptions
17-22 IP Services and Security Configuration Guide
congestion-map
congestion-map map-name
no congestion-map map-name
Purpose
Assigns a congestion avoidance map to an Asynchronous Transfer Mode (ATM) weighted fair queuing
(ATMWFQ), modified deficit round-robin (MDRR), or priority weighted fair queuing (PWFQ) policy.
Command Mode
ATMWFQ policy configuration
MDRR policy configuration
PWFQ policy configuration
Syntax Description
map-name    Congestion avoidance map name.
Default
No congestion avoidance map is assigned to any ATMWFQ, MDRR, or PWFQ policy; without a
congestion avoidance map assigned, an MDRR or PWFQ policy drops packets from the end of a queue only
when the maximum queue depth is exceeded, the queue depth being that of the circuit to which the policy
is attached. For an ATMWFQ policy, packets are dropped from the end of a queue according to the congestion
avoidance specified by the ATM profile assigned to the circuit.
Usage Guidelines
Use the congestion-map command to assign a congestion avoidance map to an ATMWFQ, MDRR, or
PWFQ policy.
To create a congestion avoidance map, enter the qos congestion-avoidance-map command (in global
configuration mode).
Use the no form of this command to delete the congestion avoidance map from the policy.
Examples
The following example assigns the congestion avoidance map, map-red4p, to the PWFQ policy, pwfq4:
[local]Redback(config)#qos policy pwfq4 pwfq
[local]Redback(config-policy-pwfq)#congestion-map map-red4p
[local]Redback(config-policy-pwfq)#
Related Commands
qos congestion-avoidance-map
encaps-access-line
encaps-access-line {pppoa-llc | pppoa-null | ipoa-llc | ipoa-null | ether-aal5-llc-fcs | ether-aal5-llc |
ether-aal5-null-fcs | ether-aal5-null | ethernet | value byte-range data-link data-type}
no encaps-access-line {pppoa-llc | pppoa-null | ipoa-llc | ipoa-null | ether-aal5-llc-fcs |
ether-aal5-llc | ether-aal5-null-fcs | ether-aal5-null | ethernet | value byte-range data-link
data-type}
Purpose
Specifies the default encapsulation of an access line.
Command Mode
overhead profile configuration
overhead type configuration
Syntax Description
pppoa-llc              Specifies the Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA)
                       Logical Link Control (LLC) encapsulation type.
pppoa-null             Specifies the PPPoA NULL encapsulation type.
ipoa-llc               Specifies the IP over ATM (IPoA) LLC encapsulation type.
ipoa-null              Specifies the IPoA NULL encapsulation type.
ether-aal5-llc-fcs     Specifies the Ethernet over ATM adaptation layer type 5 (AAL5) LLC with
                       Frame Check Sequence (FCS) encapsulation type.
ether-aal5-llc         Specifies the Ethernet over AAL5 LLC without FCS encapsulation type.
ether-aal5-null-fcs    Specifies the Ethernet over AAL5 NULL with FCS encapsulation type.
ether-aal5-null        Specifies the Ethernet over AAL5 NULL without FCS encapsulation type.
ethernet               Specifies the Ethernet encapsulation type.
value byte-range       Value of overhead in bytes. The range of values is 0 to 255; the default value
                       is 0.
data-link data-type    Data link type; valid values for the data-type argument are ATM or Ethernet.
Default
The size of the overhead is 0 bytes; the data-link type is ATM.
Usage Guidelines
Use the encaps-access-line command to specify the encapsulation size, in bytes, for a specific access-line
type. This command determines the Layer 2 overhead value of the access-line type.
The Layer 2 overhead value is the number of bytes per packet of overhead for the access-line encapsulation
type. Table 17-12 lists the supported access-line encapsulation types and the number of bytes per packet of
overhead for each. If the encapsulation type is not listed in Table 17-12, you can specify the number of bytes
of overhead yourself, along with the data-link type (Ethernet or ATM), using the value keyword.
Use the no form of this command to specify the default access-line encapsulation type.
Table 17-12 Supported Access-Line Encapsulation Types

Encapsulation Type    Bytes of Overhead   Overhead Components
pppoa-llc             12                  8 bytes AAL5 trailer, 3 bytes LLC, 1 byte NLPID
pppoa-null            8                   8 bytes AAL5 trailer
ipoa-llc              16                  8 bytes AAL5 trailer, 8 bytes LLC/SNAP
ipoa-null             8                   8 bytes AAL5 trailer
ether-aal5-llc-fcs    36                  8 bytes AAL5 trailer, 8 bytes LLC/SNAP, 14 bytes Ethernet header, 4 bytes FCS, 2 bytes padding
ether-aal5-llc        32                  8 bytes AAL5 trailer, 8 bytes LLC/SNAP, 14 bytes Ethernet header, 2 bytes padding
ether-aal5-null-fcs   28                  8 bytes AAL5 trailer, 14 bytes Ethernet header, 4 bytes FCS, 2 bytes padding
ether-aal5-null       24                  8 bytes AAL5 trailer, 14 bytes Ethernet header, 2 bytes padding
ethernet              18                  14 bytes Ethernet header, 4 bytes FCS

Note RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5, defines the
encapsulation types in more detail.
Examples
The following example configures an overhead profile, example1, and sets the default rate factor to
15, a reserve value to 8, and the encapsulation type to pppoa-llc. After you set the overhead profile with
default values, you configure adsl1 and vdsl1 with custom encapsulation and reserve values:
[local]Redback(config)#qos profile example1 overhead
[local]Redback(config-profile-overhead)#rate-factor 15
[local]Redback(config-profile-overhead)#encaps-access-line pppoa-llc
[local]Redback(config-profile-overhead)#reserved 8
[local]Redback(config-profile-overhead)#type adsl1
[local]Redback(config-type-overhead)#encaps-access-line pppoa-null
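The arithmetic behind Table 17-12, as an added worked example (this is not Redback code and not part of the original guide). It rebuilds each keyword's overhead from the RFC 2684 components the table lists, mirrors the command's two forms (a keyword, or value plus data-link for an unlisted encapsulation, with the 0 to 255 range check), and then shows what the data-link type means for bytes on the wire. The page does not state how the SmartEdge OS applies the ATM data-link type; the cell arithmetic here (AAL5 CPCS-PDU padded to 48-byte cell payloads, 53 bytes per cell) is standard AAL5 and is an assumption of this example, as are all function names.

```python
"""Access-line overhead arithmetic behind the encaps-access-line keywords.

Added example; this is not Redback code.  The per-component byte counts are
the ones Table 17-12 gives (RFC 2684 encapsulations).  What the page does not
state, and is assumed here, is how the data-link type turns overhead into
bytes on the wire: for data-link ATM the AAL5 CPCS-PDU is padded to whole
48-byte cell payloads and each cell carries a 5-byte header (standard AAL5).
"""
from math import ceil
from typing import Dict, List, Optional, Tuple

AAL5_TRAILER = 8
LLC = 3
NLPID = 1
LLC_SNAP = 8
ETH_HEADER = 14
ETH_FCS = 4
BRIDGE_PAD = 2  # the two PAD octets of RFC 2684 bridged Ethernet

# keyword -> (overhead components in bytes, data-link type), as in Table 17-12
ENCAPS: Dict[str, Tuple[List[int], str]] = {
    "pppoa-llc":           ([AAL5_TRAILER, LLC, NLPID], "atm"),
    "pppoa-null":          ([AAL5_TRAILER], "atm"),
    "ipoa-llc":            ([AAL5_TRAILER, LLC_SNAP], "atm"),
    "ipoa-null":           ([AAL5_TRAILER], "atm"),
    "ether-aal5-llc-fcs":  ([AAL5_TRAILER, LLC_SNAP, ETH_HEADER, ETH_FCS, BRIDGE_PAD], "atm"),
    "ether-aal5-llc":      ([AAL5_TRAILER, LLC_SNAP, ETH_HEADER, BRIDGE_PAD], "atm"),
    "ether-aal5-null-fcs": ([AAL5_TRAILER, ETH_HEADER, ETH_FCS, BRIDGE_PAD], "atm"),
    "ether-aal5-null":     ([AAL5_TRAILER, ETH_HEADER, BRIDGE_PAD], "atm"),
    "ethernet":            ([ETH_HEADER, ETH_FCS], "ethernet"),
}


def overhead_bytes(keyword: str) -> int:
    """Layer 2 overhead per packet for a named encapsulation (Table 17-12 total)."""
    components, _ = ENCAPS[keyword]
    return sum(components)


def resolve(keyword: Optional[str] = None, value: Optional[int] = None,
            data_link: Optional[str] = None) -> Tuple[int, str]:
    """Mirror the command's two forms: a keyword, or
    'value <0-255> data-link {atm | ethernet}' for an unlisted encapsulation.
    Returns (overhead bytes, data-link type)."""
    if keyword is not None:
        return overhead_bytes(keyword), ENCAPS[keyword][1]
    if value is None or data_link is None:
        raise ValueError("value and data-link must both be given")
    if not 0 <= value <= 255:
        raise ValueError("value must be in the range 0 to 255")
    if data_link not in ("atm", "ethernet"):
        raise ValueError("data-link must be atm or ethernet")
    return value, data_link


def wire_bytes(ip_packet_len: int, overhead: int, data_link: str) -> int:
    """Bytes the access line carries for one IP packet.  On Ethernet that is
    packet + overhead.  On ATM the packet + overhead (trailer included) is
    padded up to whole 48-byte cell payloads, 53 bytes per cell on the wire."""
    pdu = ip_packet_len + overhead
    if data_link == "ethernet":
        return pdu
    return ceil(pdu / 48) * 53


def goodput_ratio(ip_packet_len: int, overhead: int, data_link: str) -> float:
    """Fraction of access-line bytes that are IP payload; this is what a
    rate stated in IP bytes has to be scaled by to fit the physical line."""
    return ip_packet_len / wire_bytes(ip_packet_len, overhead, data_link)


if __name__ == "__main__":
    for kw in ENCAPS:
        oh, dl = resolve(kw)
        print(f"{kw:20s} overhead={oh:2d}  1500-byte packet -> {wire_bytes(1500, oh, dl)} wire bytes")
```

The point a practitioner wants from this: with pppoa-llc a 64-byte packet becomes 106 bytes on an ATM access line, so a shaper that counts only the 12 bytes of Table 17-12 still underestimates the line by the cell padding; that gap is what the rate-factor and reserved settings of the overhead profile exist to absorb.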
Related Commands
rate-factor
num-queues
In EDRR, MDRR, PQ, and PWFQ policy configuration modes, the command syntax is:
num-queues {1 | 2 | 4 | 8}
{no | default} num-queues
In ATMWFQ policy and queue map configuration modes, the command syntax is:
num-queues {2 | 4 | 8}
{no | default} num-queues
Purpose
In ATMWFQ, EDRR, MDRR, PQ, or PWFQ policy configuration mode, specifies the number of queues
for the policy.
In queue map configuration mode, specifies the number of queues for the quality of service (QoS) queue
map, and enters num-queues configuration mode.
Command Mode
ATMWFQ policy configuration
EDRR policy configuration
MDRR policy configuration
PQ policy configuration
PWFQ policy configuration
queue map configuration
Syntax Description
1    Specifies that the policy has one queue. Available in EDRR, MDRR, PQ, and PWFQ policy
     configuration modes only.
2    Specifies that the policy has two queues. Available in all of the listed policy configuration
     modes and in queue map configuration mode.
4    Specifies that the policy has four queues. Available in all of the listed policy configuration
     modes and in queue map configuration mode.
8    Specifies that the policy has eight queues. Available in all of the listed policy configuration
     modes and in queue map configuration mode.
Default
For queue maps, enhanced deficit round-robin (EDRR), modified deficit round-robin (MDRR), priority
queuing (PQ), and priority weighted fair queuing (PWFQ) policies, the default number of queues is 8. For
Asynchronous Transfer Mode weighted fair queuing (ATMWFQ) policies, the default value is 4.
Usage Guidelines
Use the num-queues command in ATMWFQ policy, EDRR policy, MDRR policy, PQ policy, or PWFQ
policy configuration mode to specify the number of queues to be used for the policy.
Use the num-queues command in queue map configuration mode to specify the number of queues for the
queue map, and to enter num-queues configuration mode.
Use the no or default form of this command to specify the default number of queues.
Caution Risk of dropping packets. Modifying the parameters of an ATMWFQ policy will momentarily
interrupt the traffic on all ATM permanent virtual circuits (PVCs) using the policy. To reduce
the risk, use caution when modifying ATMWFQ policy parameters.
Caution Risk of traffic disruption. Modifying the parameters of an MDRR policy momentarily
removes the rate applied to all 10GE circuits using the policy. The rate is restored as soon as
the change is effective. To reduce the risk, use caution when modifying MDRR policy
parameters.
Note For information about the correlation between the number of queues configured on a
particular traffic card type and the corresponding number of virtual circuits (VCs) allowed per
port (and per traffic card), see the Circuit Configuration chapter in the Ports, Circuits, and
Tunnels Configuration Guide for the SmartEdge OS.
Examples
The following example configures the PQ policy, firstout, to have 4 queues:
[local]Redback(config)#qos policy firstout pq
[local]Redback(config-policy-pq)#num-queues 4
Related Commands
qos policy atmwfq
qos policy edrr
qos policy mdrr
qos policy pq
qos policy pwfq
qos queue-map
qos congestion-avoidance-map
qos congestion-avoidance-map map-name pol-type
no qos congestion-avoidance-map map-name pol-type
Purpose
Creates a quality of service (QoS) congestion avoidance map and accesses congestion map configuration
mode.
Command Mode
global configuration
Syntax Description
map-name    Name of the congestion avoidance map.
pol-type    Policy type to which this congestion avoidance map will be assigned,
            according to one of the following keywords:
            atmwfq: Asynchronous Transfer Mode weighted fair queuing (ATMWFQ) policy.
            mdrr: Modified deficit round-robin (MDRR) policy.
            pwfq: Priority weighted fair queuing (PWFQ) policy.
Default
None
Usage Guidelines
Use the qos congestion-avoidance-map command to create a QoS congestion avoidance map and access
congestion map configuration mode.
You can create up to 256 congestion avoidance maps.
Use the queue red command (in congestion map configuration mode) to configure the map.
To assign a map to a policy, use the congestion-map command (in ATMWFQ, MDRR, or PWFQ policy
configuration mode).
Use the no form of this command to delete the specified map from the configuration.
Note If you delete a congestion avoidance map that is assigned to an MDRR or PWFQ policy, the
queue depth reverts to the default; for ATMWFQ policies, queue depth remains as specified
by the ATM profile assigned to the ATM permanent virtual circuit (PVC).
Examples
The following example creates a congestion avoidance map, map-red4a:
[local]Redback(config)#qos congestion-avoidance-map map-red4a
[local]Redback(config-congestion-map)#
Related Commands
congestion-map
queue exponential-weight
queue red
qos mode
qos mode {priority | strict | wrr}
no qos mode {priority | strict | wrr}
Purpose
Specifies the scheduling algorithm for this modified deficit round-robin (MDRR) policy.
Command Mode
MDRR policy configuration
Syntax Description
priority    Specifies the priority queuing (PQ) strict priority mode.
strict      Specifies the MDRR strict mode.
wrr         Specifies the MDRR weighted round-robin (WRR) mode.
Default
MDRR policies use the WRR mode scheduling algorithm.
Usage Guidelines
Use the qos mode command to specify the scheduling algorithm for this MDRR policy. The following
restrictions apply when selecting the mode and configuring the policy:
To use the PQ strict priority mode (using the priority keyword), you must first remove all weight
configurations for the policy.
To use the MDRR strict mode (using the strict keyword), you must first remove the queue weight
configuration on queue 0 for the policy.
Use the default queue weight command (in MDRR policy configuration mode) to remove the weight
configurations.
Use the no form of this command to specify the default algorithm.
Examples
The following example specifies the MDRR strict mode as the scheduling algorithm:
[local]Redback(config)#qos policy example2 mdrr
[local]Redback(config-policy-mdrr)#qos mode strict
Related Commands
queue weight
rate
qos policy atmwfq
qos policy pol-name atmwfq
no qos policy pol-name atmwfq
Purpose
Creates or selects a quality of service (QoS) Asynchronous Transfer Mode weighted fair queuing
(ATMWFQ) policy and enters ATMWFQ policy configuration mode.
Command Mode
global configuration
Syntax Description
pol-name    Name of the ATMWFQ policy to be created or selected.
Default
No ATMWFQ policy is created.
Usage Guidelines
Use the qos policy atmwfq command to create or select a QoS ATMWFQ policy and enter ATMWFQ
policy configuration mode. An ATMWFQ policy defines QoS for outbound packets on the circuit to which
the policy is attached. Up to eight queues per circuit can be serviced.
To attach an ATMWFQ policy to the circuit, use the qos policy queuing command (in ATM PVC
configuration mode).
Use the no form of this command to delete an ATMWFQ policy from the configuration.
Note By default, the SmartEdge OS assigns a priority group to each egress queue, according to the
number of queues configured on a circuit. You can override the default mapping of packets
into egress queues by creating a customized queue map through the qos queue-map
command (in global configuration mode).
Note An ATMWFQ policy is applicable to only ATM permanent virtual circuits (PVCs) (not ports)
on ATM DS-3 and second-generation ATM OC traffic cards. For first-generation ATM OC
traffic cards, you can attach enhanced deficit round-robin (EDRR) or priority queuing (PQ)
policies to both ATM ports and ATM PVCs. In addition, an ATMWFQ policy cannot be
attached to a PVC that is shaped as unspecified bit rate, enhanced (UBRe).
Caution Risk of dropping packets. Modifying the parameters of an ATMWFQ policy will momentarily
interrupt the traffic on all ATM PVCs using the policy. To reduce the risk, use caution when
modifying ATMWFQ policy parameters.
Examples
The following example creates the ATMWFQ policy, example1, configures 4 queues, and assigns a
congestion map:
[local]Redback(config)#qos policy example1 atmwfq
[local]Redback(config-policy-atmwfq)#num-queues 4
[local]Redback(config-policy-atmwfq)#congestion-map red4
Related Commands
qos policy queuing
qos queue-map
qos policy edrr
qos policy pol-name edrr
no qos policy pol-name edrr
Purpose
Creates or selects a quality of service (QoS) enhanced deficit round-robin (EDRR) policy and enters EDRR
policy configuration mode.
Command Mode
global configuration
Syntax Description
pol-name    Name of the EDRR policy to be created or selected.
Default
No EDRR policy is configured.
Usage Guidelines
Use the qos policy edrr command to create a QoS EDRR policy and enter EDRR policy configuration
mode. An EDRR policy defines QoS for outgoing packets on the port or circuit to which the policy is
attached. Up to eight queues per circuit can be serviced.
To attach an EDRR policy, enter the qos policy queuing command (in the appropriate port or circuit
configuration mode).
Use the no form of this command to remove an EDRR policy from the configuration.
Note By default, the SmartEdge OS assigns a priority group to each egress queue, according to the
number of queues configured on a circuit. You can override the default mapping of packets
into egress queues by creating a customized queue map through the qos queue-map
command (in global configuration mode).
Note To attach an EDRR policy to a circuit, you must also attach the policy at the port level. You
can attach up to 15 different EDRR policies to a single traffic card. EDRR is not supported
on ATM DS-3 or second-generation Asynchronous Transfer Mode (ATM) OC traffic cards.
Examples
The following example configures the EDRR policy, example1, and attaches the policy to an Ethernet
port:
[local]Redback(config)#qos policy example1 edrr
[local]Redback(config-policy-edrr)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy queuing example1
Related Commands
qos mode
qos policy queuing
qos queue-map
qos policy mdrr
qos policy pol-name mdrr
no qos policy pol-name mdrr
Purpose
Creates or selects a quality of service (QoS) modified deficit round-robin (MDRR) policy and enters
MDRR policy configuration mode.
Command Mode
global configuration
Syntax Description
pol-name    Name of the MDRR policy to be created or selected.
Default
No MDRR policy is configured.
Usage Guidelines
Use the qos policy mdrr command to create a QoS MDRR policy and enter MDRR policy configuration
mode. An MDRR policy defines QoS for outgoing packets on the port or circuit to which the policy is
attached. Up to eight queues per circuit can be serviced.
To attach an MDRR policy to a port or circuit, enter the qos policy queuing command (in the appropriate
port or circuit configuration mode).
Use the no form of this command to remove an MDRR policy from the configuration.
Note By default, the SmartEdge OS assigns a priority group to each egress queue, according to the
number of queues configured on a circuit. You can override the default mapping of packets
into egress queues by creating a customized queue map through the qos queue-map
command (in global configuration mode).
Note To attach an MDRR policy to a circuit, you must also attach the policy at the port level. You
can attach up to 15 different MDRR policies to a single traffic card. MDRR is supported only
on 10 Gigabit Ethernet (10GE) traffic cards.
Examples
The following example configures the MDRR policy, example1, and attaches the policy to a 10 Gigabit
Ethernet (10GE) port:
[local]Redback(config)#qos policy example1 mdrr
[local]Redback(config-policy-mdrr)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy queuing example1
Related Commands
qos mode
qos policy queuing
qos queue-map
qos policy pq
qos policy pol-name pq
no qos policy pol-name pq
Purpose
Creates or selects a quality of service (QoS) priority queuing (PQ) policy and enters PQ policy
configuration mode.
Command Mode
global configuration
Syntax Description
pol-name    Name of the PQ policy to be configured.
Default
No PQ policy is created.
Usage Guidelines
Use the qos policy pq command to create a PQ policy and enter PQ policy configuration mode.
A PQ policy defines QoS for outgoing packets on the port or circuit to which the policy is attached. Up to
eight queues per circuit can be serviced.
To attach a PQ policy, use the qos policy queuing command (in the appropriate port or circuit configuration
mode).
Use the no form of this command to delete the named policy from the configuration.
Note By default, the SmartEdge OS assigns a priority group to each egress queue, according to the
number of queues configured on a circuit. You can override the default mapping of packets
into egress queues by creating a customized queue map through the qos queue-map
command (in global configuration mode).
Note PQ is not supported on Asynchronous Transfer Mode (ATM) DS-3 or second-generation
ATM OC traffic cards.
Examples
The following example creates the PQ policy, example1, and attaches the policy to an Ethernet port:
[local]Redback(config)#qos policy example1 pq
[local]Redback(config-policy-pq)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy queuing example1
The following example enables per-virtual LAN (VLAN) queuing on a Gigabit Ethernet port by defining
a PQ policy with a single queue, and then attaching that policy to each VLAN on the port:
[local]Redback(config)#qos policy PerVcQueuing pq
[local]Redback(config-policy-pq)#num-queues 1
[local]Redback(config-policy-pq)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#bind interface if_100 local
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing
Related Commands
qos policy queuing
qos queue-map
qos policy pwfq
qos policy pol-name pwfq
no qos policy pol-name pwfq
Purpose
Creates or selects quality of service (QoS) priority weighted fair queuing (PWFQ) policy and enters PWFQ
policy configuration mode.
Command Mode
global configuration
Syntax Description
pol-name    Name of the policy to be created.
Default
No PWFQ policy is created.
Usage Guidelines
Use the qos policy pwfq command to create a QoS PWFQ policy and enter PWFQ policy configuration
mode.
Use the no form of this command to delete the named QoS PWFQ policy.
Note PWFQ policies are supported on traffic-managed circuits only.
Examples
The following example creates a QoS PWFQ policy, ge3, with two queues and attaches the policy to a
Gigabit Ethernet 3 (GE3) port:
[local]Redback(config)#qos policy ge3 pwfq
[local]Redback(config-policy-pwfq)#num-queues 2
[local]Redback(config-policy-pwfq)#exit
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#qos policy queuing ge3
Related Commands
num-queues
qos policy queuing
qos rate
qos profile overhead
qos profile profile-name overhead
no qos profile profile-name overhead
Purpose
Creates or selects a quality of service (QoS) overhead profile and enters overhead profile configuration
mode.
Command Mode
global configuration
Syntax Description
profile-name    Name of the overhead profile to be created or selected.
Default
No overhead profile is created.
Usage Guidelines
Use the qos profile overhead command to create or select a QoS overhead profile and enter overhead
profile configuration mode.
Use the no form of this command to delete an overhead profile.
Examples
The following example creates the example1 overhead profile:
[local]Redback(config)#qos profile example1 overhead
Related Commands
qos policy pwfq
rate
qos queue-map
qos queue-map map-name
no qos queue-map map-name
Purpose
Creates a quality of service (QoS) queue map and enters queue map configuration mode.
Command Mode
global configuration
Syntax Description
map-name    Queue map name.
Default
The SmartEdge OS assigns priority groups to queues as listed in the Usage Guidelines section.
Usage Guidelines
Use the qos queue-map command to create a QoS queue map and enter queue map configuration mode.
You can create up to three customized queue maps.
By default, the SmartEdge OS maps priority groups, Differentiated Services Code Point (DSCP) classes,
IP precedence values, Multiprotocol Label Switching (MPLS) experimental (EXP) bits, and Ethernet
802.1p bits to the specified number of queues as shown in Table 17-13.

Table 17-13 Default Mapping of Packets into Queues Using Priority Groups

Priority Group   DSCP Value (1)                    IP Prec   MPLS EXP   802.1p   8 Queues   4 Queues   2 Queues   1 Queue
0                Network control                   7         7          7        Queue 0    Queue 0    Queue 0    Queue 0
1                Reserved                          6         6          6        Queue 1    Queue 1    Queue 1    Queue 0
2                Expedited Forwarding (EF)         5         5          5        Queue 2    Queue 1    Queue 1    Queue 0
3                Assured Forwarding (AF) level 4   4         4          4        Queue 3    Queue 2    Queue 1    Queue 0
4                AF level 3                        3         3          3        Queue 4    Queue 2    Queue 1    Queue 0
5                AF level 2                        2         2          2        Queue 5    Queue 2    Queue 1    Queue 0
6                AF level 1                        1         1          1        Queue 6    Queue 2    Queue 1    Queue 0
7                Default Forwarding (DF)           0         0          0        Queue 7    Queue 3    Queue 1    Queue 0

1. For more information about DSCP values, see RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, and
RFC 2475, An Architecture for Differentiated Services.
Use the num-queues command (in queue map configuration mode) to specify the number of queues for the
queue map, and then use the queue priority command (in num-queues configuration mode) to customize
the mapping of one or more priority groups to each queue. Finally, use the queue-map command (in
ATMWFQ policy, EDRR policy, PQ policy, or PWFQ policy configuration mode) to assign the queue map
to a scheduling policy.
Use the no form of this command to remove the QoS queue map from the configuration.
Examples
The following example configures the QoS queue map, qmap, and changes the default mapping of priority
groups to queues when 4 queues are configured:
[local]Redback(config)#qos queue-map qmap
[local]Redback(config-queue-map)#num-queues 4
[local]Redback(config-num-queues)#queue 0 priority 0 1
[local]Redback(config-num-queues)#queue 1 priority 2 3 4 5
[local]Redback(config-num-queues)#queue 2 priority 6
[local]Redback(config-num-queues)#queue 3 priority 7
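The default mapping of Table 17-13 and the qmap example above, as an added worked example (not Redback code and not part of the original guide). It answers the two questions a customized queue map raises in review: which queue a packet with a given precedence, EXP, 802.1p or DSCP value lands in, and whether the queue map leaves any priority group unassigned or assigns one twice. The default table is the page's; the DSCP rule (priority group = 7 minus the top three DSCP bits, the RFC 2474 class selector) is derived from the classes the table names and is an assumption of this example, as are the function names.

```python
"""Default and customized queue maps: Table 17-13 and the qmap example above.

Added example; this is not Redback code.  The default table is the page's.
The DSCP rule (priority group = 7 minus the top three DSCP bits) is derived
from the RFC 2474 class layout the table names and is an assumption here.
"""
from typing import Dict, Mapping, Optional, Sequence

VALID_NUM_QUEUES = (1, 2, 4, 8)

# Table 17-13: index = priority group, value = queue, for each queue count.
DEFAULT_MAP: Dict[int, Sequence[int]] = {
    8: (0, 1, 2, 3, 4, 5, 6, 7),
    4: (0, 1, 1, 2, 2, 2, 2, 3),
    2: (0, 1, 1, 1, 1, 1, 1, 1),
    1: (0, 0, 0, 0, 0, 0, 0, 0),
}


def priority_group_from_prec(value: int) -> int:
    """IP precedence, MPLS EXP and 802.1p use the same rule: 7 (network
    control) is priority group 0, 0 (default forwarding) is group 7."""
    if not 0 <= value <= 7:
        raise ValueError(f"precedence/EXP/802.1p value out of range: {value}")
    return 7 - value


def priority_group_from_dscp(dscp: int) -> int:
    """DSCP classes in the table are the RFC 2474 ones; the class selector is
    the top three DSCP bits (EF 46 -> 5, AF4x -> 4, CS7 56 -> 7, DF 0 -> 0)."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return priority_group_from_prec(dscp >> 3)


def default_queue_map(num_queues: int) -> Dict[int, int]:
    """{priority_group: queue} exactly as Table 17-13 lists it."""
    if num_queues not in VALID_NUM_QUEUES:
        raise ValueError(f"num-queues must be one of {VALID_NUM_QUEUES}")
    return dict(enumerate(DEFAULT_MAP[num_queues]))


def build_queue_map(num_queues: int, rows: Mapping[int, Sequence[int]]) -> Dict[int, int]:
    """Validate a customized map written the way the CLI takes it, one
    'queue <n> priority <pg> [<pg> ...]' row per queue, and return
    {priority_group: queue}.  Every group 0..7 must land in exactly one queue
    and every queue number must exist for this num-queues."""
    if num_queues not in VALID_NUM_QUEUES:
        raise ValueError(f"num-queues must be one of {VALID_NUM_QUEUES}")
    mapping: Dict[int, int] = {}
    for queue, groups in rows.items():
        if not 0 <= queue < num_queues:
            raise ValueError(f"queue {queue} does not exist with num-queues {num_queues}")
        for pg in groups:
            if not 0 <= pg <= 7:
                raise ValueError(f"priority group {pg} out of range")
            if pg in mapping:
                raise ValueError(f"priority group {pg} assigned to two queues")
            mapping[pg] = queue
    missing = sorted(set(range(8)) - set(mapping))
    if missing:
        raise ValueError(f"priority groups left unassigned: {missing}")
    return mapping


def queue_for_packet(prec: int, num_queues: int,
                     qmap: Optional[Mapping[int, int]] = None) -> int:
    """Egress queue for a packet carrying this precedence/EXP/802.1p value,
    under the default map or a customized one."""
    table = default_queue_map(num_queues) if qmap is None else qmap
    return table[priority_group_from_prec(prec)]


# Constructed input: the qmap rows from this section (4 queues).
QMAP_EXAMPLE_ROWS: Dict[int, Sequence[int]] = {0: (0, 1), 1: (2, 3, 4, 5), 2: (6,), 3: (7,)}
```

Run against the qmap rows, the map moves precedence 6 (priority group 1, "reserved") from queue 1 into queue 0 alongside network control, which is the kind of change worth noticing when the map is applied to a customer-facing circuit: anything a subscriber marks with precedence 6 now shares the top queue with routing protocol traffic.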
Related Commands
num-queues
queue-map
queue priority
queue 0 mode
queue 0 mode {alternate | strict}
default queue 0 mode
Purpose
Defines the mode of the Asynchronous Transfer Mode weighted fair queuing (ATMWFQ) algorithm for
queue 0.
Command Mode
ATMWFQ policy configuration
Syntax Description
alternate    Services queue 0 and the other queues configured on the circuit in alternating fashion.
strict       Indicates that queue 0 always has priority over all other queues configured on the circuit.
Default
The default mode is alternate.
Usage Guidelines
Use the queue 0 mode command to define the mode of the ATMWFQ policy algorithm for queue 0.
In alternate mode, the servicing of queues alternates between queue 0 and the remaining queues. Queue 0
is served, then the next queue is served. Queue 0 is served again, and the next queue in turn is served, and
so on. For example, if there are 4 queues configured, the order of servicing will be q0, q1, q0, q2, q0, q3,
q0, q1, and so on.
In strict mode, high-priority queue 0 is serviced immediately and other queues are serviced in a round-robin
fashion; in other words, queue 0 always has priority over all other queues configured on the circuit.
Use the default form of this command to return the ATMWFQ algorithm to alternate mode.
Examples
The following example configures the ATMWFQ policy to use strict mode:
[local]Redback(config)#qos policy atm-wfq-1 atmwfq
[local]Redback(config-policy-atmwfq)#queue 0 mode strict
Related Commands
num-queues
qos mode
qos policy atmwfq
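The difference between the two queue 0 modes of the preceding command, as an added worked example (not Redback code and not part of the original guide). It models only the ordering rule the text gives: one packet per visit, empty queues skipped, the remaining queues visited round-robin, and queue 0 either taking every other slot (alternate) or every slot in which it has a packet (strict). Cell timing, weights and rates are outside the model; the function names are this example's own.

```python
"""Service order of ATMWFQ queue 0 under queue 0 mode alternate and strict.

Added example; this is not Redback code.  It models only the ordering rule
the text describes (one packet per visit, empty queues skipped, the other
queues visited round-robin) and nothing about cell timing or weights.
"""
from collections import Counter
from typing import Dict, List, Optional


def schedule(backlog: Dict[int, int], mode: str, slots: int) -> List[int]:
    """Queue numbers served over the next `slots` packet transmissions.
    `backlog` is {queue: packets waiting} and is copied, not modified."""
    if mode not in ("alternate", "strict"):
        raise ValueError("mode must be alternate or strict")
    q = dict(backlog)
    others = sorted(n for n in q if n != 0)   # queues 1..7 in round-robin order
    cursor = 0
    served: List[int] = []
    q0_turn = True                              # alternate: q0, other, q0, other, ...

    def next_other() -> Optional[int]:
        """Next non-empty queue other than 0, or None if they are all empty."""
        nonlocal cursor
        for _ in range(len(others)):
            n = others[cursor % len(others)]
            cursor += 1
            if q[n] > 0:
                return n
        return None

    while len(served) < slots:
        if mode == "strict":
            # Queue 0 is served whenever it has anything; others only otherwise.
            pick = 0 if q.get(0, 0) > 0 else next_other()
        else:
            # Queue 0 takes every other slot; an empty side yields to the other.
            if q0_turn and q.get(0, 0) > 0:
                pick = 0
            else:
                pick = next_other()
                if pick is None and q.get(0, 0) > 0:
                    pick = 0
            q0_turn = not q0_turn
        if pick is None:
            break                               # all queues drained
        q[pick] -= 1
        served.append(pick)
    return served


def service_counts(served: List[int]) -> Dict[int, int]:
    """How many packets each queue got out of a schedule."""
    return dict(Counter(served))
```

With every queue backlogged, strict mode hands every slot to queue 0 and the other queues receive nothing until it drains; alternate mode caps queue 0 at half the slots. That is the operational trade-off: strict mode protects queue 0 latency, but a circuit whose queue 0 can be filled by traffic a subscriber controls (for example through the queue map) lets that subscriber starve the other queues.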
queue congestion epd
queue queue-num congestion epd threshold max
{no | default} queue queue-num congestion epd
Purpose
Configures early packet discard (EPD) parameters for this quality of service (QoS) Asynchronous Transfer
Mode weighted fair queuing (ATMWFQ) policy.
Command Mode
ATMWFQ policy configuration
Syntax Description
queue-num        Queue number. The range of values is 0 to 7.
threshold max    EPD threshold value. The number of packets (equivalent to six ATM cells) that
                 can be in the queue before new incoming packets begin to be discarded. The
                 range of values is 2 to 10,000; the default value is 26.
Default
Random early discard (RED) is enabled for Asynchronous Transfer Mode (ATM) permanent virtual
circuits (PVCs) (on ATM DS-3 or second-generation ATM OC traffic cards only) that reference the
ATMWFQ policy.
Usage Guidelines
Use the queue congestion epd command to configure EPD parameters for the specified ATMWFQ policy.
With EPD, a threshold is set for the number of packets (equivalent to 6 ATM cells) that can be in the queue
before any new incoming packets begin to be discarded. Incoming packets are broken into cells as they are
being placed in the queue. If there is enough space in the queue to accept the first cell of a packet, the
remaining cells in the packet are admitted. If not, the entire packet is dropped. When an entire packet is
dropped, the queue is placed into EPD mode until enough packets have been sent out such that the number
of packets in the queue is below the threshold max value.
Use the no or default form of this command to use the default EPD value.
Caution Risk of dropping packets. Modifying the parameters of an ATMWFQ policy will momentarily
interrupt the traffic on all ATM PVCs using the policy. To reduce the risk, use caution when
modifying ATMWFQ policy parameters.
Examples
The following example specifies the EPD threshold for the atmwfq-1 policy for queue 4:
[local]Redback(config)#qos policy atmwfq-1 atmwfq
[local]Redback(config-policy-atmwfq)#queue 4 congestion epd threshold 5200
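The admission rule described under Usage Guidelines, as an added worked example (not Redback code and not part of the original guide), run beside the cell-level tail drop it is there to avoid. The threshold unit is the page's (one unit = six ATM cells) and so is the whole-packet admit-or-drop rule with its EPD-mode hysteresis. Assumed here, and not stated by the page: AAL5 segmentation as ceil((length + 8-byte trailer) / 48) cells, a burst that arrives before any cell is transmitted, and the class and function names.

```python
"""Early packet discard as the queue congestion epd text describes it, beside
the cell-level tail drop it avoids.

Added example; this is not Redback code.  Threshold units are the page's
(one unit = six ATM cells).  Assumed here: AAL5 segmentation as
ceil((length + 8-byte trailer) / 48) cells, and a simplified timeline in
which a burst arrives before any cell is transmitted.
"""
from math import ceil
from typing import Dict, List

CELLS_PER_UNIT = 6
MIN_THRESHOLD, MAX_THRESHOLD, DEFAULT_THRESHOLD = 2, 10_000, 26


def cells_for_packet(length: int) -> int:
    """Cells an AAL5 frame of this packet occupies (8-byte trailer, 48-byte payloads)."""
    return ceil((length + 8) / 48)


class EpdQueue:
    """Whole packets are admitted or dropped; once a packet is dropped the
    queue stays in EPD mode until it drains below the threshold."""

    def __init__(self, threshold: int = DEFAULT_THRESHOLD) -> None:
        if not MIN_THRESHOLD <= threshold <= MAX_THRESHOLD:
            raise ValueError(f"threshold must be {MIN_THRESHOLD} to {MAX_THRESHOLD}")
        self.limit_cells = threshold * CELLS_PER_UNIT
        self.cells = 0
        self.epd_mode = False
        self.admitted = 0
        self.dropped = 0

    def offer(self, length: int) -> bool:
        if self.epd_mode and self.cells < self.limit_cells:
            self.epd_mode = False          # enough sent out: leave EPD mode
        if self.epd_mode or self.cells >= self.limit_cells:
            self.epd_mode = True           # no room for the first cell: drop it all
            self.dropped += 1
            return False
        self.cells += cells_for_packet(length)   # first cell fits: admit every cell
        self.admitted += 1
        return True

    def transmit(self, cells: int) -> None:
        self.cells = max(0, self.cells - cells)


class CellTailDropQueue:
    """Same capacity, but cells are dropped individually when the queue is
    full, so a packet can be half queued and useless to the receiver."""

    def __init__(self, limit_cells: int) -> None:
        self.limit_cells = limit_cells
        self.cells = 0
        self.complete = 0
        self.dropped = 0
        self.wasted_cells = 0

    def offer(self, length: int) -> bool:
        needed = cells_for_packet(length)
        room = self.limit_cells - self.cells
        if room >= needed:
            self.cells += needed
            self.complete += 1
            return True
        self.cells += room                 # the head of the packet gets queued...
        self.wasted_cells += room          # ...and is discarded on reassembly anyway
        self.dropped += 1
        return False


def simulate_burst(lengths: List[int], threshold: int) -> Dict[str, int]:
    """Offer one burst of packets to both queues and report what each kept."""
    epd = EpdQueue(threshold)
    tail = CellTailDropQueue(threshold * CELLS_PER_UNIT)
    for length in lengths:
        epd.offer(length)
        tail.offer(length)
    return {
        "epd_admitted": epd.admitted, "epd_dropped": epd.dropped,
        "epd_cells": epd.cells,
        "tail_complete": tail.complete, "tail_dropped": tail.dropped,
        "tail_wasted_cells": tail.wasted_cells,
    }
```

For a constructed burst of four 200-byte packets (5 cells each) against the minimum threshold of 2 (12 cells), EPD queues three complete packets and drops the fourth whole, while cell tail drop queues two complete packets plus two orphan cells of a third that the far end can never reassemble. Note also that EPD admits a packet whenever its first cell fits, so the queue can overshoot the threshold by almost one packet; the threshold is a trigger, not a hard cap on cells.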
Related Commands
qos policy atmwfq
queue depth
queue queue-num depth packets count
{no | default} queue queue-num depth
Purpose
Specifies the depth for the specified queue.
Command Mode
congestion map configuration
EDRR policy configuration
PQ policy configuration
Syntax Description
queue-num        Queue number. The range of values is 0 to 7.
packets count    Depth of the queue, expressed as the number of packets. The range of values
                 depends on the command mode:
                 In EDRR and PQ policy configuration modes, the range of values is 32 to
                 32,736 in increments of 32 packets; the default and maximum allowable values
                 are functions of the port type to which the policy is attached; see Table 17-14.
                 In congestion map configuration mode, the range of values is 1 to 65,535; the
                 default value is 4,000.
Default
In EDRR and PQ policy configuration modes, if you do not configure a depth, the default value for the port
type is used; see Table 17-14. In congestion map configuration mode for a priority weighted fair queuing
(PWFQ) policy, the default value is 4,000.
Usage Guidelines
Use the queue depth command to specify the depth for the specified queue.
The queue that you specify in the queue-num argument is the one to which the depth is applied. You can
enter this command multiple times to set the depth for each queue. Use the num-queues command (in
EDRR policy or PQ policy configuration mode) to specify the number of queues available; the number of
queues is always eight in congestion map configuration mode.
For EDRR and PQ policy configuration modes, the default and maximum allowable values are functions
of the port type to which the policy is attached. The port type, and therefore the default and maximum
allowable values, are not known at the time the queue depth command is entered. Table 17-14 lists the
default and maximum queue depth values for the various port types.

Table 17-14 Queue Depth Values by Port Type

Port Type (1)                Default Depth Value   Maximum Depth Value
First-generation ATM OC-3    1,024                 4,064
First-generation ATM OC-12   4,064                 4,064
DS-0                         256                   4,064
DS-1                         256                   4,064
DS-3                         1,024                 4,064
E1                           256                   4,064
E3                           1,024                 4,064
Ethernet                     1,024                 4,064
Fast Ethernet                4,064                 4,064
Gigabit Ethernet (GE)        4,064                 4,064
POS OC-3c                    1,024                 4,064
POS OC-12c                   4,064                 32,736
POS OC-48c                   32,736                32,736

1. PQ and EDRR policies are not supported on ATM DS-3 or second-generation ATM OC traffic cards.

Note This command is not available if you are configuring a congestion avoidance map and
specified the atmwfq keyword for the policy type.
Caution Risk of performance loss. Because some traffic cards queue a maximum of 4,064 packets, it
is possible to configure a depth that is inappropriate for the type of port to which the policy is
later attached. In that case, the system displays a warning message when you attach the policy
to the port. To reduce the risk, consider the queue depth allowed per port type.
Use the no or default form of this command to specify the default value.
Examples
The following example sets the depth for queue 5. The depth is rounded to the nearest increment of 32:
[local]Redback(config-policy-pq)#queue 5 depth packets 550
Related Commands
num-queues
qos policy edrr
qos policy pq
queue exponential-weight
queue queue-num exponential-weight weight-exp
no queue queue-num exponential-weight
Purpose
Specifies a weight for the specified queue.
Command Mode
congestion map configuration
Syntax Description
queue-num Queue number. The range of values is 0 to 7.
weight-exp Exponent representing the inverse of the exponentially weighted moving average. The
range of values depends on the type of congestion avoidance map:
Asynchronous Transfer Mode weighted fair queuing (ATMWFQ) policy: the range of values is
2 to 10; the default value is 9.
Priority weighted fair queuing (PWFQ) policy: the range of values is 1 to 15; the default
value is 9.
Default
The exponential weight is assigned the default value, depending on the type of congestion map.
Usage Guidelines
Use the queue exponential-weight command to specify a weight for the specified queue. The queue must
be one that you have configured with random early detection (RED) parameters. The weight that you
specify applies to every RED profile (default, profile-1, profile-2) for this queue.
The average queue occupancy is computed as a moving average of the instantaneous queue occupancy. Use
the weight-exp argument to set the inverse of the exponential moving average. The larger the value of the
weight-exp argument, the longer term the average.
The average queue size is based on the previous average and the current size of the queue according to the
following formula:
average = (old_average * (1 - 0.5**w)) + (current_queue_size * 0.5**w)
where
w is the value of the weight-exp argument
* is the multiplication operator
** is the exponential operator
Use the no form of this command to specify the default exponential weight for the type of congestion map.
Examples
The following example specifies the weights for the default profile in the map-red8 congestion
avoidance map:
[local]Redback(config)#qos congestion-avoidance-map map-red8
[local]Redback(config-congestion-map)#queue 0 exponential-weight 1
[local]Redback(config-congestion-map)#queue 1 exponential-weight 2
[local]Redback(config-congestion-map)#queue 2 exponential-weight 1
[local]Redback(config-congestion-map)#queue 3 exponential-weight 1
[local]Redback(config-congestion-map)#queue 4 exponential-weight 10
[local]Redback(config-congestion-map)#queue 5 exponential-weight 1
[local]Redback(config-congestion-map)#queue 6 exponential-weight 1
[local]Redback(config-congestion-map)#queue 7 exponential-weight 1
[local]Redback(config-congestion-map)#
Related Commands
qos congestion-avoidance-map
queue red
queue-map
queue-map map-name
no queue-map map-name
Purpose
Assigns a queue map to the quality of service (QoS) scheduling policy.
Command Mode
ATMWFQ policy configuration
EDRR policy configuration
MDRR policy configuration
PQ policy configuration
PWFQ policy configuration
Syntax Description
map-name Queue map name.
Default
No queue map is assigned to any QoS scheduling policy.
Usage Guidelines
Use the queue-map command to assign a queue map to the specified QoS scheduling policy.
To create a queue map, enter the qos queue-map command (in global configuration mode). To specify the
number of queues for the queue map, enter the num-queues command (in queue map configuration mode).
Use the queue priority command (in num-queues configuration mode) to customize the mapping of a
priority group to each queue.
Use the no form of this command to delete the queue map from the QoS policy.
Examples
The following example assigns the queue map, q-queue-map, to the enhanced deficit round-robin
(EDRR) configuration policy, qos-edrr-test:
[local]Redback(config)#qos policy qos-edrr-test edrr
[local]Redback(config-policy-edrr)#queue-map q-queue-map
Related Commands
num-queues
qos policy atmwfq
qos policy edrr
qos policy mdrr
qos policy pq
qos policy pwfq
qos queue-map
queue priority
queue priority
In num-queues configuration mode, the syntax is:
queue queue-num priority group-num [group-num2[...]]
no queue queue-num priority
In PWFQ policy configuration mode, the syntax is:
queue queue-num priority group-num weight weight
no queue queue-num priority
Purpose
In num-queues configuration mode, customizes the mapping of quality of service (QoS) priority groups to
the specified queue. In PWFQ policy configuration mode, assigns a priority group number and relative
weight inside the assigned priority group to the specified queue.
Command Mode
num-queues configuration
PWFQ policy configuration
Syntax Description
queue-num Queue number. The range of values is 0 to 7.
group-num Priority group number. The range of values is 0 to 7.
group-num2 group-num3... Optional. Additional priority group numbers separated by spaces. The
range of values is 0 to 7.
weight weight Relative weight that is assigned to this queue for the specified priority
group; available only for queues defined in priority weighted fair queuing
(PWFQ) policies. The range of values is 5 to 100.
Note The relative weights assigned by this command in PWFQ policy configuration mode are
within the specified priority group.
Default
In num-queues configuration mode, the SmartEdge OS assigns a preset mapping of priority groups to
queues; for information about the default values, see the qos queue-map command. In PWFQ policy
configuration mode, there is no default.
Usage Guidelines
Use the queue priority command in num-queues configuration mode to customize the mapping of one or
more priority groups to the specified queue. In PWFQ policy configuration mode, use this command to
assign a priority group number and relative weight inside the assigned priority group to the specified queue.
For queue maps:
To apply the customized mapping of priority groups to queues, enter the queue-map command (in
ATMWFQ policy, EDRR policy, PQ policy, or PWFQ policy configuration mode).
In num-queues configuration mode, use the no form of this command to remove the customized
mapping for the specified queue.
For PWFQ policies:
You must enter this command for each queue you have defined for the policy with the num-queues
command (in PWFQ policy configuration mode). The system displays an error message when you
attach the policy to a port, tunnel, or permanent virtual circuit (PVC) if not all defined queues have a
priority and weight assigned.
Use the weight weight construct to specify the traffic share for each queue. The traffic share for each
queue is calculated from the specified weight divided by the sum of the weights specified for all queues
in the same priority group. For an example, see the Examples section.
In PWFQ configuration mode, use the no form of this command to delete the queue.
Examples
The following example defines 4 queues for the PWFQ policy, pwfq4, and assigns them to priority
groups 0 and 1 with relative weights 70, 30, 60, 40:
[local]Redback(config)#qos policy pwfq4 pwfq
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 70
[local]Redback(config-policy-pwfq)#queue 1 priority 0 weight 30
[local]Redback(config-policy-pwfq)#queue 2 priority 1 weight 60
[local]Redback(config-policy-pwfq)#queue 3 priority 1 weight 40
[local]Redback(config-policy-pwfq)#
In this example, in priority group 0 queue 0 receives 70% traffic share and queue 1 receives 30% traffic
share; in priority group 1 queue 2 receives 60% traffic share and queue 3 receives 40% traffic share.
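The traffic-share rule and the attach-time completeness check described above, as an added example in Python (not SmartEdge OS code); it parses the pwfq4 commands from the example, computes each queue's share within its priority group as weight divided by the sum of the group's weights, and reports queues defined by num-queues that lack a priority and weight.

```python
"""Traffic-share calculation and attach-time completeness check for the PWFQ
form of `queue <queue-num> priority <group-num> weight <weight>`.

Added example, not SmartEdge OS code. It models the two rules the page states:
a queue's share is its weight divided by the sum of the weights in the same
priority group, and every queue defined with num-queues must have a priority
and weight before the policy can be attached to a port, tunnel or PVC.
"""
import re
from collections import defaultdict

QUEUE_RANGE = range(0, 8)      # queue-num: 0 to 7
GROUP_RANGE = range(0, 8)      # group-num: 0 to 7
WEIGHT_RANGE = range(5, 101)   # weight: 5 to 100

_NUM_QUEUES = re.compile(r"^num-queues\s+(\d+)$")
_QUEUE_PRIO = re.compile(r"^queue\s+(\d+)\s+priority\s+(\d+)\s+weight\s+(\d+)$")


def parse_pwfq_policy(lines):
    """Parse PWFQ policy-mode commands. Returns (num_queues, {queue: (group, weight)}).
    Out-of-range values raise ValueError, standing in for a CLI rejection.
    Lines other than num-queues and queue ... priority ... weight are ignored."""
    num_queues, queues = None, {}
    for raw in lines:
        line = raw.strip()
        m = _NUM_QUEUES.match(line)
        if m:
            num_queues = int(m.group(1))
            continue
        m = _QUEUE_PRIO.match(line)
        if not m:
            continue
        q, g, w = (int(x) for x in m.groups())
        if q not in QUEUE_RANGE:
            raise ValueError(f"queue {q}: queue-num must be 0 to 7")
        if g not in GROUP_RANGE:
            raise ValueError(f"queue {q}: group-num must be 0 to 7")
        if w not in WEIGHT_RANGE:
            raise ValueError(f"queue {q}: weight must be 5 to 100")
        queues[q] = (g, w)   # re-entering the command for a queue replaces its values
    return num_queues, queues


def rejection(lines):
    """Returns the rejection message for `lines`, or None if every line is accepted."""
    try:
        parse_pwfq_policy(lines)
    except ValueError as exc:
        return str(exc)
    return None


def traffic_shares(queues):
    """Share of each queue inside its priority group: weight / sum of group weights."""
    group_total = defaultdict(int)
    for group, weight in queues.values():
        group_total[group] += weight
    return {q: weight / group_total[group] for q, (group, weight) in queues.items()}


def attach_errors(num_queues, queues):
    """Conditions the page says are reported when the policy is attached: a
    queue defined by num-queues without a priority and weight. Queues numbered
    beyond num-queues are flagged as well."""
    if num_queues is None:
        return ["num-queues has not been set"]
    errors = [f"queue {q} has no priority and weight assigned"
              for q in range(num_queues) if q not in queues]
    errors += [f"queue {q} is not defined by num-queues {num_queues}"
               for q in sorted(queues) if q >= num_queues]
    return errors


# Constructed sample: the pwfq4 policy from the example above, as typed at the
# (config-policy-pwfq) prompt.
PWFQ4 = [
    "num-queues 4",
    "queue 0 priority 0 weight 70",
    "queue 1 priority 0 weight 30",
    "queue 2 priority 1 weight 60",
    "queue 3 priority 1 weight 40",
]

if __name__ == "__main__":
    n, q = parse_pwfq_policy(PWFQ4)
    for queue, share in sorted(traffic_shares(q).items()):
        print(f"queue {queue}: priority group {q[queue][0]}, {share:.0%} traffic share")
    print("attach errors:", attach_errors(n, q) or "none")
    print("attach errors without queue 3:", attach_errors(*parse_pwfq_policy(PWFQ4[:-1])))
```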
Note In num-queues configuration mode, this command determines the relationship between the
priority in the packet (according to the type of service [ToS] or Differentiated Service Code
Point [DSCP] bits) and the queue to which the packet is assigned. In PWFQ policy
configuration mode, this command assigns a queue to a scheduling priority group, which is
not the same as the packet priority and which is used by the PWFQ scheduler to determine
when the packets are scheduled for transmission.
Note Although the mapping of priority to queues is arbitrary, in general, the SmartEdge OS
assumes that there is a correspondence between the queue number and the scheduling priority,
with queue 0 having the highest priority and queue 7 the lowest priority. You could cause
performance problems if you assign a lower priority to queue 0 than the other queues. For
example, internally generated control packets are assigned by default to queue 1; if you have
assigned that queue a priority 7, they could be dropped due to congestion from priority 7
traffic.
The following example configures the queue maps, Custom2, Custom4, Custom8, to customize the
mapping of priority groups to queues. The assignment of priority group to queue number varies according
to the number of queues configured. The custom mapping for 4 queues is referenced by the QoS policy,
myPolicyPQ:
[local]Redback(config)#qos queue-map Custom2
[local]Redback(config-queue-map)#num-queues 2
[local]Redback(config-num-queues)#queue 0 priority 0
[local]Redback(config-num-queues)#queue 1 priority 1 2 3 4 5 6 7
[local]Redback(config-num-queues)#exit
[local]Redback(config)#qos queue-map Custom4
[local]Redback(config-queue-map)#num-queues 4
[local]Redback(config-num-queues)#queue 0 priority 0
[local]Redback(config-num-queues)#queue 1 priority 1 2
[local]Redback(config-num-queues)#queue 2 priority 3 4 5 6
[local]Redback(config-num-queues)#queue 3 priority 7
[local]Redback(config-num-queues)#exit
[local]Redback(config)#qos queue-map Custom8
[local]Redback(config-queue-map)#num-queues 8
[local]Redback(config-num-queues)#queue 0 priority 0
[local]Redback(config-num-queues)#queue 1 priority 1
[local]Redback(config-num-queues)#queue 2 priority 2
[local]Redback(config-num-queues)#queue 3 priority 3
[local]Redback(config-num-queues)#queue 4 priority 4
[local]Redback(config-num-queues)#queue 5 priority 5
[local]Redback(config-num-queues)#queue 6 priority 6
[local]Redback(config-num-queues)#queue 7 priority 7
[local]Redback(config-num-queues)#exit
[local]Redback(config)#qos policy MyPolicy pq
[local]Redback(config-policy-pq)#queue-map Custom4
[local]Redback(config-policy-pq)#num-queues 4
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#bind interface BackboneOne local
[local]Redback(config-port)#qos policy queuing MyPolicy
Related Commands
num-queues
qos policy pwfq
qos queue-map
queue 0 mode
queue priority-group
queue priority-group group-num {rate kbps [exceed] | rate percentage value}
no queue priority-group group-num
Purpose
Sets the rate for the specified priority group.
Command Mode
PWFQ policy configuration
Syntax Description
group-num Priority group number. The range of values is 0 to 7.
rate kbps Absolute rate in kilobits per second for the specified priority group; the range
of values is 64 to 1,000,000.
exceed Optional. Allows the traffic rate to be exceeded for the specified priority group.
The default condition is to not allow the traffic rate to be exceeded.
rate percentage value Relative rate, as a percentage of the policy rate, for the specified priority
group; the range of values is 1 to 100.
Default
None
Usage Guidelines
Use the queue priority-group command to set the rate for the specified priority group. You enter this
command for each priority group created for this priority weighted fair queuing (PWFQ) policy.
A priority group is a set of queues that all have the same priority group number assigned to them with the
queue priority command (in PWFQ policy configuration mode). You enter this command for each priority
group.
Use the rate kbps construct to specify an absolute rate for the priority group; use the rate percentage
construct to specify a relative rate. You specify the policy rate using the rate command (in PWFQ policy
configuration mode).
Use the no form of this command to delete the priority group from the policy.
Examples
The following example sets the rate and burst tolerance for the priority groups in the PWFQ policy, pwfq4:
[local]Redback(config)#qos policy pwfq4 pwfq
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 70
[local]Redback(config-policy-pwfq)#queue 1 priority 0 weight 30
[local]Redback(config-policy-pwfq)#queue 2 priority 1 weight 60
[local]Redback(config-policy-pwfq)#queue 3 priority 1 weight 40
[local]Redback(config-policy-pwfq)#queue priority-group 0 rate 1800
[local]Redback(config-policy-pwfq)#queue priority-group 1 rate 1600
[local]Redback(config-policy-pwfq)#
The following example sets relative rates for the priority groups in the PWFQ policy, pwfq-percent:
[local]Redback(config)#qos policy pwfq2 pwfq
[local]Redback(config-policy-pwfq)#rate maximum 6000
[local]Redback(config-policy-pwfq)#num-queues 4
[local]Redback(config-policy-pwfq)#queue 0 priority 0 weight 100
[local]Redback(config-policy-pwfq)#queue 1 priority 1 weight 100
[local]Redback(config-policy-pwfq)#queue 2 priority 2 weight 60
[local]Redback(config-policy-pwfq)#queue 3 priority 2 weight 40
[local]Redback(config-policy-pwfq)#queue priority-group 0 rate percentage 10
[local]Redback(config-policy-pwfq)#queue priority-group 1 rate percentage 20
[local]Redback(config-policy-pwfq)#
Related Commands
queue priority
rate
queue rate
queue queue-num rate kbps burst bytes [no-exceed]
no queue queue-num rate
Purpose
Establishes the rate limit and burst tolerance for the specified quality of service (QoS) priority queuing (PQ)
policy queue.
Command Mode
PQ policy configuration
Syntax Description
queue-num Number of the priority queue for which you are setting the rate limit and
burst tolerance. The range of values is 0 to 7.
rate kbps Rate in kilobits per second. The range of values is 56 to 1,000,000.
burst bytes Burst tolerance in bytes. The range of values is 1 to 1,250,000,000.
no-exceed Optional. Specifies that the rate is not to be exceeded, even if there are no
other traffic classes waiting to be sent.
Default
No limit is placed on the rate of any individual queue.
Usage Guidelines
Use the queue rate command to establish the rate limit and burst tolerance for the specified PQ policy
queue. A reasonable guideline for burst tolerance is 10 times the link maximum transmission unit (MTU),
or approximately 15,000 to 20,000 bytes. For a DS-1 circuit, the minimum rate is 56 kbps; for all other
circuits, the minimum rate is 1,000 kbps.
Use the no form of this command to return the rate limit and burst tolerance to their default values.
Examples
The following example sets the rate limit and burst tolerance for queue 4 for the PQ policy:
[local]Redback(config-policy-pq)#queue 4 rate 10000 burst 12000 no-exceed
Related Commands
num-queues
qos policy pq
queue red
In congestion map configuration mode, the command syntax is:
queue queue-num red profile [dscp class1[class2[...]]] max-threshold max min-threshold min
probability prob weight weight-exp
no queue queue-num red profile
In EDRR and PQ policy configuration modes, the command syntax is:
queue queue-num red max-threshold max min-threshold min probability prob weight weight-exp
no queue queue-num red
Purpose
In congestion map configuration mode, sets the random early detection (RED) parameters for the specified
queue in the specified RED drop profile for the congestion avoidance map. In EDRR and PQ policy
configuration modes, sets the RED parameters for the specified quality of service (QoS) queue.
Command Mode
congestion map configuration
EDRR policy configuration
PQ policy configuration
Syntax Description
queue-num Queue number. The range of values is 0 to 7.
profile Specifies the RED profile in the congestion avoidance map, according to one
of the following keywords:
default: Specifies the default profile for this queue.
profile-1: Specifies an alternate profile for this queue.
profile-2: Specifies an alternate profile for this queue.
dscp class1 class2... Optional. Differentiated Services Code Point (DSCP) classes, separated by
spaces; the range of values is:
Congestion avoidance map: An integer from 0 to 63 or one of the keywords
listed in Table 17-15.
Enhanced deficit round-robin (EDRR) and priority queuing (PQ): An
integer from 1 to 32 or one of the keywords listed in Table 17-15.
max-threshold max Average queue occupancy in packets above which all packets are dropped.
The range of values is:
Congestion avoidance map: 2 to 10,000.
EDRR: 1 to 10,922.
PQ: 1 to 32,736.
min-threshold min Average queue occupancy in packets below which no packets are dropped.
The range of values is:
Congestion avoidance map: 1 to 9,999.
EDRR: 1 to 10,922.
PQ: 1 to 32,736.
probability prob Inverse of the probability of dropping a packet as the average queue
occupancy approaches the maximum threshold. The resulting probability
(1/prob) is the fraction of packets dropped when the average queue depth is at
the maximum threshold. The range of values is:
Congestion avoidance map: 8 to 32,768.
EDRR: 8 to 32,768.
PQ: 1 to 65,535.
weight weight-exp Exponent representing the inverse of the exponentially weighted moving
average. The range of values is as follows:
Congestion avoidance map: 2 to 10.
EDRR: 2 to 10.
PQ: 1 to 15.
Default
For EDRR and PQ policies, RED is disabled. For a congestion avoidance map, none; you must enter a value
for each argument and construct.
Usage Guidelines
Use the queue red command in congestion map configuration mode to set the RED parameters for the
specified queue in the RED drop profile for the congestion avoidance map. Use the queue red command
in EDRR or PQ policy configuration mode to set the RED parameters for the specified QoS queue.
RED parameters specify how buffer utilization is to be managed under congestion by signaling to the
sources of traffic that the network is on the verge of entering a congested state. This signaling is
accomplished by dropping packets with a probability that varies as a function of how many packets are
waiting in a queue at any particular time, and of the values of the max, min, and weight-exp arguments.
Use the profile argument to specify one of three RED profiles for the RED parameters for this queue. Each
queue supports up to three RED profiles.
Use the dscp class1 class2... construct to specify a list of DSCP classes for which the RED parameters
pertain. Table 17-15 lists the keywords for the DSCP classes.
Use the max-threshold max construct to set the average queue occupancy in packets above which the
probability of a packet being dropped is 100%. As the average occupancy approaches the maximum
threshold value, packets are dropped with increasing probability, as a function of the value of the prob
argument. For EDRR and PQ policies, the value of the max argument must be less than the value of the
count argument in the queue depth command.
Use the min-threshold min construct to set the average queue occupancy in packets at or below which the
probability of a packet being dropped is 0%. The value of the min argument must be less than the value of
the max argument in this command, and, for EDRR and PQ policies, less than the value of the count
argument in the queue depth command.
Table 17-15 DSCP Class Keywords

DSCP Class                                          Keyword
Assured Forwarding (AF) Class 1/Drop precedence 1   af11
AF Class 1/Drop precedence 2                        af12
AF Class 1/Drop precedence 3                        af13
AF Class 2/Drop precedence 1                        af21
AF Class 2/Drop precedence 2                        af22
AF Class 2/Drop precedence 3                        af23
AF Class 3/Drop precedence 1                        af31
AF Class 3/Drop precedence 2                        af32
AF Class 3/Drop precedence 3                        af33
AF Class 4/Drop precedence 1                        af41
AF Class 4/Drop precedence 2                        af42
AF Class 4/Drop precedence 3                        af43
Class Selector 0 (same as default forwarding)       cs0 (same as df)
Class Selector 1                                    cs1
Class Selector 2                                    cs2
Class Selector 3                                    cs3
Class Selector 4                                    cs4
Class Selector 5                                    cs5
Class Selector 6                                    cs6
Class Selector 7                                    cs7
Default Forwarding (same as Class Selector 0)       df (same as cs0)
Expedited Forwarding                                ef

Use the probability prob construct to establish the probability of a packet being dropped as the average
queue occupancy approaches the maximum threshold value. The value of the prob argument is the inverse
of the probability of a packet being dropped. The higher the value of the prob argument, the lower the
probability of a packet being dropped.
The average queue occupancy is computed as a moving average of the instantaneous queue occupancy. Use
the weight weight-exp construct to set the inverse of the exponential moving average. The larger the value
of the weight-exp argument, the longer term the average.
The average queue size is based on the previous average and the current size of the queue according to the
following formula:
average = (old_average * (1 - 0.5**w)) + (current_queue_size * 0.5**w)
where
w is the value of the weight-exp argument
* is the multiplication operator
** is the exponential operator
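The averaging formula and the threshold and probability rules of the queue red and queue exponential-weight commands, worked through as an added Python example (not SmartEdge OS code); it applies the formula above with the weight exponent w, evaluates the RED drop probability between min-threshold and max-threshold, and checks the PQ-policy constraint that both thresholds stay below the queue depth, using queue 0 of the "red" policy from the Examples section as input.

```python
"""RED average-occupancy and drop-decision model for the `queue red` and
`queue exponential-weight` parameters.

Added example, not SmartEdge OS code. It implements only the rules the page
states: the moving average with exponent w, the min/max thresholds in packets,
the inverse drop probability `prob` reached at max-threshold, and the PQ/EDRR
constraint that both thresholds are below the `queue depth` count.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RedProfile:
    min_threshold: int   # packets: at or below this, nothing is dropped
    max_threshold: int   # packets: above this, everything is dropped
    probability: int     # inverse of the drop probability at max-threshold
    weight_exp: int      # w: larger values give a longer-term average


def update_average(old_average: float, current_queue_size: int, w: int) -> float:
    """average = old_average * (1 - 0.5**w) + current_queue_size * 0.5**w"""
    alpha = 0.5 ** w
    return old_average * (1 - alpha) + current_queue_size * alpha


def drop_probability(average: float, p: RedProfile) -> float:
    """Piecewise-linear RED curve: 0 up to min, 1/prob at max, 1.0 above max."""
    if average <= p.min_threshold:
        return 0.0
    if average > p.max_threshold:
        return 1.0
    span = p.max_threshold - p.min_threshold
    return (average - p.min_threshold) / span * (1.0 / p.probability)


def steps_to_reach(fraction: float, w: int, queue_size: int = 1000) -> int:
    """Arrivals needed for the average to climb from 0 to `fraction` of a
    constant instantaneous occupancy; shows how a larger w reacts more slowly."""
    average, steps = 0.0, 0
    while average < fraction * queue_size:
        average = update_average(average, queue_size, w)
        steps += 1
    return steps


def expected_drops(sizes, p: RedProfile, start_average: float = 0.0) -> float:
    """Expected number of drops over a sequence of instantaneous queue sizes
    (sum of per-arrival drop probabilities), updating the average on every
    arrival. No random draws, so the result is reproducible."""
    average, drops = start_average, 0.0
    for size in sizes:
        average = update_average(average, size, p.weight_exp)
        drops += drop_probability(average, p)
    return drops


def pq_red_errors(p: RedProfile, queue_depth: int) -> list:
    """Checks the page's constraints for a PQ policy: min below max, max below
    the `queue depth` count, and the PQ value ranges for prob and weight."""
    errors = []
    if not p.min_threshold < p.max_threshold:
        errors.append("min-threshold must be less than max-threshold")
    if p.max_threshold >= queue_depth:
        errors.append("max-threshold must be less than the queue depth")
    if not 1 <= p.probability <= 65535:
        errors.append("probability out of PQ range 1 to 65,535")
    if not 1 <= p.weight_exp <= 15:
        errors.append("weight out of PQ range 1 to 15")
    return errors


# Queue 0 of the page's PQ policy "red": probability 10, weight 12,
# min-threshold 1900, max-threshold 5200.
QUEUE0 = RedProfile(min_threshold=1900, max_threshold=5200, probability=10, weight_exp=12)

if __name__ == "__main__":
    print("w=1 reaches 99% of occupancy after", steps_to_reach(0.99, 1), "arrivals")
    print("w=12 reaches 99% of occupancy after", steps_to_reach(0.99, 12), "arrivals")
    print("drop probability at max-threshold:", drop_probability(5200, QUEUE0))
    print("errors when the queue depth is 4,064:", pq_red_errors(QUEUE0, 4064))
```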
In congestion map configuration mode, use the no form of this command to remove the queue from the
specified profile. In EDRR and PQ policy configuration modes, use the no form of this command to disable
RED parameters.
Examples
The following example creates the PQ policy, red, and establishes RED parameters for each of the eight
queues, so that higher priority traffic has a lower probability of being dropped, while lower priority traffic
has a higher probability of being dropped. The example then attaches the policy to a Packet over
SONET/SDH (POS) port:
[local]Redback(config)#qos policy red pq
[local]Redback(config-policy-pq)#queue 0 red probability 10 weight 12 min-threshold 1900 max-threshold 5200
[local]Redback(config-policy-pq)#queue 1 red probability 9 weight 12 min-threshold 1850 max-threshold 5200
[local]Redback(config-policy-pq)#queue 2 red probability 8 weight 12 min-threshold 1800 max-threshold 5200
[local]Redback(config-policy-pq)#queue 3 red probability 7 weight 12 min-threshold 1750 max-threshold 5200
[local]Redback(config-policy-pq)#queue 4 red probability 6 weight 12 min-threshold 1700 max-threshold 5200
[local]Redback(config-policy-pq)#queue 5 red probability 5 weight 12 min-threshold 1650 max-threshold 5200
[local]Redback(config-policy-pq)#queue 6 red probability 4 weight 12 min-threshold 1600 max-threshold 5200
[local]Redback(config-policy-pq)#queue 7 red probability 1 weight 12 min-threshold 1550 max-threshold 5200
[local]Redback(config-policy-pq)#exit
[local]Redback(config)#port pos 2/1
[local]Redback(config-port)#qos policy queuing red
The following example specifies the RED parameters for the default profile and queues 0 through 7 in
the congestion avoidance map, map-red:
[local]Redback(config)#qos congestion-avoidance-map map-red8 atmwfq
[local]Redback(config-congestion-map)#queue 0 red default probability 10 weight 12 min-threshold 1900 max-threshold 5200
[local]Redback(config-congestion-map)#queue 1 red default probability 9 weight 12 min-threshold 1850 max-threshold 5200
[local]Redback(config-congestion-map)#queue 2 red default probability 8 weight 12 min-threshold 1800 max-threshold 5200
[local]Redback(config-congestion-map)#queue 3 red default probability 7 weight 12 min-threshold 1750 max-threshold 5200
[local]Redback(config-congestion-map)#queue 4 red default probability 6 weight 12 min-threshold 1700 max-threshold 5200
[local]Redback(config-congestion-map)#queue 5 red default probability 5 weight 12 min-threshold 1650 max-threshold 5200
[local]Redback(config-congestion-map)#queue 6 red default probability 4 weight 12 min-threshold 1600 max-threshold 5200
[local]Redback(config-congestion-map)#queue 7 red default probability 1 weight 12 min-threshold 1550 max-threshold 5200
Related Commands
num-queues
qos congestion-avoidance-map
qos policy edrr
qos policy pq
queue exponential-weight
queue weight
queue queue-num weight traffic-weight
default queue queue-num weight
Purpose
Specifies the weight of the specified Asynchronous Transfer Mode weighted fair queuing (ATMWFQ),
enhanced deficit round-robin (EDRR), or modified deficit round-robin (MDRR) queue.
Command Mode
ATMWFQ policy configuration
EDRR policy configuration
MDRR policy configuration
Syntax Description
queue-num Queue number. The range of values is 0 to 7.
traffic-weight For ATMWFQ policies, the traffic weight is expressed as a unit of average packet
size. The average packet size is equivalent to 6 ATM cells. For example, a traffic
weight of 2,000 is equivalent to 12,000 ATM cells. The range of values is 1 to
5,461; the default value is 2.
For EDRR and MDRR policies, the traffic weight is expressed as a percentage of
bandwidth. The range of configurable values is 5 to 100%. The default value for
an EDRR policy is either 5% of the line capacity of the port or, if you have
configured the circuit using the rate command (in EDRR policy configuration
mode), 5% of the value you specified for the kbps argument. The default value for
MDRR is 0%.
Default
Default values for the traffic-weight argument are specified in the Syntax Description section.
Usage Guidelines
Use the queue weight command to specify the weight of the specified ATMWFQ, EDRR, or MDRR queue.
Caution Risk of packet loss. Modifying the parameters of an ATMWFQ policy will momentarily
interrupt the traffic on all Asynchronous Transfer Mode (ATM) permanent virtual circuits
(PVCs) using the policy. To reduce the risk, use caution when modifying ATMWFQ policy
parameters.
Caution Risk of performance loss. For EDRR and MDRR policies, you must assign a weight to each
queue that is in use, as specified by either the default queue map or a customized queue map.
To reduce the risk, ensure that you assign a weight to each queue.
Use the default form of this command to return the queue to its default weight.
Examples
The following example provides queue number 3 with 30% of the bandwidth of the circuit to which the
EDRR policy, scheduling1, is attached:
[local]Redback(config)#qos policy scheduling1 edrr
[local]Redback(config-policy-edrr)#queue 3 weight 30
Related Commands
num-queues
qos mode
queue 0 mode
rate
For enhanced deficit round-robin (EDRR) and modified deficit round-robin (MDRR) policies, the
command syntax is:
rate kbps burst bytes
no rate
For priority weighted fair queuing (PWFQ) policies, the command syntax is:
rate {maximum | minimum} kbps
no rate {maximum | minimum}
Purpose
Sets the rate and burst tolerance for traffic on the circuit, port, or subscriber record to which the quality of
service (QoS) policy is attached.
Command Mode
EDRR policy configuration
MDRR policy configuration
PWFQ policy configuration
Syntax Description
kbps Rate in kilobits per second. The range of values is 64 to 1,000,000.
burst bytes Burst tolerance in bytes. This construct is available for EDRR and MDRR
policies only. The range of values is 1 to 1,250,000,000.
maximum Specifies the maximum rate to set.
minimum Specifies the minimum rate to set.
Default
Rate is calculated based on the default values for the kbps and bytes arguments.
Usage Guidelines
Use the rate command to set the rate and burst tolerance for traffic on the port, circuit, or subscriber record
to which the QoS policy is attached.
For PWFQ policies:
You must specify the maximum rate for the policy using this command; otherwise, you cannot attach
the policy to any traffic-managed port, or any of the 802.1Q tunnels, or permanent virtual circuits
(PVCs) configured on it.
You cannot specify a minimum rate if you intend to specify a relative weight for this policy, using the
weight command (in PWFQ policy configuration mode) and attach the policy to any traffic-managed
port, or any of the 802.1Q tunnels, or PVCs configured on it.
The maximum and minimum rates, if both are specified, are compared to ensure that the minimum
value is always less than the maximum value.
Note The maximum rate set by the qos rate command (in port configuration mode) is the rate at
which the port, 802.1Q tunnel, or 802.1Q PVC operates; any priority queuing (PQ), EDRR,
MDRR, or PWFQ queue or circuit with a PQ, an EDRR, an MDRR, or a PWFQ policy is
limited by the rate specified by that command for the circuit. Also, the sum of all traffic on
the port carried by the queues belonging to the circuits or subscribers is limited to the rate
specified by that command.
Use the no form of this command to return to the default traffic rate or burst tolerance.
Examples
The following example marks all traffic conforming to the configured policy rate with expedited
forwarding (ef) and marks traffic that exceeds the policy rate with default forwarding (df):
[local]Redback(config)#qos policy GE-in pwfq
[local]Redback(config-policy-pwfq)#rate 6000000
[local]Redback(config-policy-rate)#conform mark dscp ef
[local]Redback(config-policy-rate)#exceed mark dscp df
Related Commands
conform mark dscp
conform mark precedence
conform mark priority
exceed drop
exceed mark dscp
exceed mark precedence
exceed mark priority
exceed no-action
queue priority-group
qos rate
violate drop
violate mark dscp
violate mark priority
violate no-action
weight
rate-factor
rate-factor percent
no rate-factor
Purpose
Defines the percentage of bandwidth for a specific access-line type that is unavailable to traffic on the
circuit, port, or subscriber record to which the quality of service (QoS) policy is attached.
Command Mode
overhead profile configuration
overhead type configuration
Syntax Description
percent Percentage of overhead for this access-line type. The range of values is 1 to 100; the default value is 0.
Default
Overhead on the access line is 0%, which allows full bandwidth usage.
Usage Guidelines
Use the rate-factor command to define the percentage of bandwidth for a specific access-line type that is unavailable to traffic on the circuit, port, or subscriber record to which the QoS policy is attached.
Note The maximum rate set by the qos rate command (in port configuration mode) is the rate at which the port, 802.1Q tunnel, or 802.1Q permanent virtual circuit (PVC) operates; any priority queuing (PQ), enhanced deficit round-robin (EDRR), or priority weighted fair queuing (PWFQ) queue or circuit with a PQ, an EDRR, or a PWFQ policy is limited by the rate specified by that command for the circuit. Also, the sum of all traffic on the port carried by the queues belonging to the circuits or subscribers is limited to the rate specified by that command.
Use the no form of this command to remove the percentage from the access-line configuration.
Examples
The following example configures an overhead profile for example1, and sets the default rate factor to 15, a reserve value to 8, and the encapsulation type to pppoa-llc. After you set the overhead profile with default values, you configure adsl1 and vdsl1 with custom encapsulation and reserve values with a rate factor of 20%:
[local]Redback(config)#qos profile example1 overhead
[local]Redback(config-profile-overhead)#rate-factor 15
[local]Redback(config-profile-overhead)#encaps-access-line pppoa-llc
[local]Redback(config-profile-overhead)#reserved 8
[local]Redback(config-profile-overhead)#type adsl1
[local]Redback(config-type-overhead)#rate-factor 20
Related Commands
qos rate
rate
rate percentage
reserved
reserved
reserved bytes
no reserved
Purpose
Specifies the number of additional nonstandard Layer 1 overhead bytes reserved, per packet, for a specific
access-line type.
Command Mode
overhead profile configuration
overhead type configuration
Syntax Description
bytes Number of reserved bytes, per packet, for the specified access-line type. The range of values is 1 to 255; the default value is 0.
Default
No additional nonstandard Layer 1 overhead bytes are reserved.
Usage Guidelines
Use the reserved command to specify the number of additional nonstandard Layer 1 overhead bytes reserved, per packet, for a specific access-line type.
Use the no form of this command to remove the specified bytes per packet from the access-line configuration.
Examples
The following example configures an overhead profile for example1, and sets the encapsulation type to pppoa-llc. After you set the default values, you set the data type to adsl, the rate factor to 20, and the reserved value to 16:
[local]Redback(config)#qos profile example1 overhead
[local]Redback(config-profile-overhead)#encaps-access-line pppoa-llc
[local]Redback(config-profile-overhead)#reserved 8
[local]Redback(config-profile-overhead)#type adsl1
[local]Redback(config-type-overhead)#rate-factor 20
[local]Redback(config-type-overhead)#reserved 16
Related Commands
qos rate
rate
rate-factor
rate percentage
violate drop
violate no-action
type
type {adsl1 | adsl2 | adsl2+ | vdsl1 | vdsl2 | sdsl}
no type
Purpose
Specifies the digital subscriber line (DSL) data type for the overhead profile and accesses overhead type
configuration mode.
Command Mode
overhead profile configuration
Syntax Description
adsl1 Specifies the asymmetric DSL1 data type.
adsl2 Specifies the asymmetric DSL2 data type.
adsl2+ Specifies the asymmetric DSL2+ data type.
vdsl1 Specifies the very-high-data-rate DSL1 data type.
vdsl2 Specifies the very-high-data-rate DSL2 data type.
sdsl Specifies the symmetric DSL data type.
Default
None
Usage Guidelines
Use the type command to specify the DSL data type for the overhead profile and access overhead type configuration mode.
Use the no form of this command to remove the specified data type from the overhead profile.
Examples
The following example configures an overhead profile named example1 with the encapsulation type set to pppoa-llc and the ADSL type set to ADSL1:
[local]Redback(config)#qos profile example1 overhead
[local]Redback(config-profile-overhead)#encaps-access-line pppoa-llc
[local]Redback(config-profile-overhead)#type adsl1
Related Commands
qos rate
rate
rate-factor
rate percentage
violate drop
violate no-action
weight
weight weight
no weight weight
Purpose
Assigns a relative weight that is used to calculate a traffic ratio for all circuits to which you attach this
policy.
Command Mode
PWFQ policy configuration
Syntax Description
weight Relative weight that is assigned to any circuit to which you attach this policy. The range of values is 1 to 4096.
Default
All circuits to which this policy is attached have the same weight.
Usage Guidelines
Use the weight command to assign a relative weight that is used to calculate a traffic ratio for all circuits to which you attach a policy.
You can assign a relative weight or a minimum absolute rate using the rate command (in PWFQ policy configuration mode), but you cannot do both. The relative weight and minimum absolute rate are mutually exclusive.
You can, however, assign a relative weight (using this command) and a maximum absolute rate using the rate command (in PWFQ policy configuration mode).
Use the no form of this command to specify the default condition.
Examples
The following example shows how to assign guaranteed bandwidth to two different policies bound to two 802.1Q PVCs that share the same port. First, you configure two 802.1Q PVCs, set encapsulation to dot1q, and configure policy queuing. Next, you bind one 802.1Q PVC to QoS policy A and the other 802.1Q PVC to QoS policy B. You want to guarantee 1200/(1200+1500)% of the available bandwidth to QoS policy A and 1500/(1200+1500)% of the available bandwidth to QoS policy B:
[local]Redback(config)#qos policy A pwfq
[local]Redback(config-policy-pwfq)#weight 1200
[local]Redback(config)#qos policy B pwfq
[local]Redback(config-policy-pwfq)#weight 1500
Related Commands
qos weight
rate
Chapter 18
QoS Circuit Configuration
This chapter describes the tasks and commands used to configure circuits and applications for SmartEdge OS quality of service (QoS) features.
For information about other QoS configuration tasks and commands, see the following chapters:
Chapter 16, QoS Rate- and Class-Limiting Configuration: rate- and class-limiting features (metering and policing policies)
Chapter 17, QoS Scheduling Configuration: scheduling features (scheduling policies)
For information about the tasks and commands used to monitor, troubleshoot, and administer QoS, see the QoS Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note In this chapter, the term circuit refers to a port, channel, permanent virtual circuit (PVC), or link group.
Note In this chapter, the term first-generation Asynchronous Transfer Mode (ATM) OC traffic card refers to a 2-port ATM OC-3c/STM-1c or ATM OC-12c/STM-4c traffic card; similarly, the term second-generation ATM OC traffic card refers to a 2-port ATM OC-3c/STM-1c media interface card (MIC), 4-port ATM OC-3c/STM-1c or Enhanced ATM OC-12c/STM-4c traffic card.
The terms traffic-managed circuit and traffic-managed port refer to a circuit and port, respectively, on Fast Ethernet-Gigabit Ethernet (FE-GE), Gigabit Ethernet 3 (GE3) and Gigabit Ethernet 1020 (GE1020) traffic cards, and Gigabit Ethernet media interface cards (GE MICs).
Overview
The Internet provides only best-effort service, offering no guarantees on when or whether a packet is delivered to the receiver. However, the SmartEdge OS offers QoS differentiation based on the subscriber record, the traffic type, and the application. QoS policies create and enforce levels of service and bandwidth rates, and prioritize how packets are scheduled into egress queues.
This section includes the following topics:
Circuit Configuration with QoS Policies
Circuit Groups
Hierarchical Configuration for Traffic-Managed Circuits
Propagation of QoS Across Layer 3 and Layer 2 Networks
Circuit Configuration with QoS Policies
You can attach both a metering and a policing policy to any port, channel, or PVC, to cross-connected ATM
and 802.1Q PVCs, and to link groups. QoS metering and policing policies are described in Chapter 16,
QoS Rate- and Class-Limiting Configuration.
Child circuits can inherit the QoS metering and policing policies attached to a parent circuit below which the child circuits are configured. To enable a child circuit to inherit its parent's metering or policing policy, configure the keyword inherit or hierarchical on the parent circuit. If you attach a different metering or policing policy to a child circuit, those policies override the metering or policing policy attached to the parent circuit unless the policy applied to the parent is configured with the keyword hierarchical. The keyword hierarchical allows a child circuit that has its own metering or policing policy to inherit its parent's policy and still be subject to its own policy. For more information about policy inheritance, see the Policy Inheritance section in Chapter 16, QoS Rate- and Class-Limiting Configuration.
The following types of inheritance are supported:
802.1Q PVC or tunnel from a parent Ethernet port
802.1Q PVC from a parent 802.1Q tunnel
Point-to-Point Protocol over Ethernet (PPPoE) sessions from a parent 802.1Q PVC
PPP and PPPoE sessions from a parent ATM PVC
You can attach a scheduling policy to individual circuits (that are not cross-connected); however, the type of scheduling policy depends on the type of traffic card. QoS scheduling policies are described in Chapter 17, QoS Scheduling Configuration.
You can also attach metering, policing, and scheduling policies to subscriber circuits; the type of scheduling policy depends on the type of traffic card on which the subscriber session is initiated. Layer 2 Tunneling Protocol (L2TP) network server (LNS) subscriber sessions are limited to priority weighted fair queuing (PWFQ) policies. To attach a QoS policy of any type to a subscriber circuit, you attach it to the subscriber record or profile. The system applies the policy to the subscriber circuit (port, channel, or PVC) on which the session is initiated.
Note Inheritance can span multiple levels. For example, a policy configured on a port and inherited by a PVC is in turn inherited by PPPoX sessions configured under the PVC unless they have a specific policy applied.
Table 18-1 lists the traffic cards and their circuits to which QoS scheduling policies can be attached.
Note You can also configure a subscriber record or profile to reference a hierarchical node on a
traffic-managed port and attach the PWFQ policy to the hierarchical node. For more
information about hierarchical nodes and traffic-managed ports, see the Hierarchical
Configuration for Traffic-Managed Circuits section. For more information about attaching
PWFQ policies to subscriber records and hierarchical nodes, see the Configuration
Guidelines section.
Note Certain restrictions apply to the attachment of a QoS scheduling policy to a port, channel, or PVC; for detailed usage guidelines for each type of circuit and policy, see the description for the qos policy queuing command (in the appropriate circuit configuration mode). Restrictions also apply to the configuration of the circuit; for information about configuring traffic card ports, channels, and circuits, see the ATM, Ethernet, and POS Port Configuration, the Clear-Channel and Channelized Port and Channel Configuration, the Circuit Configuration, and the Cross-Connection Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Table 18-1 QoS Scheduling Policy Support for SmartEdge Traffic Cards
Type | Traffic Card or MIC | Circuit | Policy
First-generation ATM OC | ATM OC-12c/STM-4c IR (1-port); ATM OC-3c/STM-1c IR (2-port) | ATM PVC | EDRR or PQ
Second-generation ATM OC | Enhanced ATM OC-12c/STM-4c IR (1-port); ATM OC-3c/STM-1c IR (4-port) | ATM PVC | ATMWFQ
ATM DS-3 | ATM DS-3 (12-port) | ATM PVC | ATMWFQ
Ethernet | 10/100 Ethernet (12-port) | Port, 802.1Q tunnel, 802.1Q PVC | EDRR or PQ
Fast Ethernet-Gigabit Ethernet | FE (60-port); GE (2-port) | Port, 802.1Q tunnel, 802.1Q PVC | EDRR or PQ
Gigabit Ethernet | GE (4-port); Advanced GE (4-port) | Port, 802.1Q tunnel, 802.1Q PVC | EDRR or PQ
Gigabit Ethernet | 10-Gbps GE (10GE) (1-port) | Port, 802.1Q tunnel, 802.1Q PVC | MDRR
Gigabit Ethernet with traffic management | GE3 (4-port); GE1020 (10-port); GE1020 (20-port); GE (2-port, copper); GE (2-port, optical) | Port, 802.1Q tunnel, 802.1Q PVC, hierarchical node | PWFQ
PDH | Channelized DS-3 (3-port); Channelized DS-3 (12-port) | Clear-channel port, DS-1 channel, Frame Relay PVC | EDRR or PQ
PDH | Clear-Channel DS-3 (12-port); Clear-Channel E3 (6-port) | Port, Frame Relay PVC | EDRR or PQ
PDH | Channelized E1 (24-port) | Clear-channel E1 port, DS-0 channel group, Frame Relay PVC | EDRR or PQ
POS | OC-192c/STM-64c IR, LR or SR (1-port); OC-48c/STM-16c ER (1-port); OC-48c/STM-16c LR (1-port); OC-48c/STM-16c SR (1-port); OC-12c/STM-4c IR (4-port); OC-3c/STM-1c IR (8-port) | Port, Frame Relay PVC | EDRR or PQ
SDH | Channelized STM-1 (3-port) (1) | Clear-channel E1 channel, DS-0 channel group, Frame Relay PVC | EDRR or PQ
SONET | Channelized OC-12 to DS-3 IR (1-port) (2) | Clear-channel DS-3 channel, Frame Relay PVC | EDRR or PQ
SONET | Channelized OC-12 to DS-1 IR (1-port) (3) | Clear-channel DS-3 channel, DS-1 channel, Frame Relay PVC | EDRR or PQ
1. The ports on this traffic card support the following Plesiochronous Digital Hierarchy (PDH) channels: DS-0 channel groups and E1 channels.
2. The ports on this traffic card support the following PDH channels: clear-channel DS-3 channels.
3. The ports on this traffic card support the following PDH channels: DS-1 channels and DS-3 channels.
Circuit Groups
Circuit groups allow you to group arbitrary PVCs for collective metering, policing, and scheduling. You can group VLANs (for example, to represent a business entity) and apply class-aware or circuit-level rate limits to the group. In this case, the traffic on all of the member circuits is collectively limited to any metering, policing, and scheduling rates configured on the circuit group.
Circuit group membership is available for 802.1Q VLANs, 802.1Q PVCs within an 802.1Q tunnel, or a mix of these circuit types. When hierarchical rate limiting is applied to a circuit group, traffic is first limited according to any metering or policing policy applied to the member circuit. Subsequently, traffic is limited again according to any metering or policing policy applied to the circuit group.
Circuit group members cannot themselves have any child circuits configured under them. The following are specifically precluded in the CLI for circuit-group member PVCs; PVCs with one of these options already configured cannot join a circuit group:
802.1Q inner PVCs under member 1qtunnel PVCs
The bind authentication option configured with maximum greater than 1
The circuit protocol option configured under multi encapsulation
For information about the circuit-group and circuit-group-member commands (the core circuit group commands), see the Circuit Configurations chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Hierarchical Configuration for Traffic-Managed Circuits
Hierarchical configuration provides two functions to support traffic-managed circuits on Gigabit Ethernet
traffic cards that support traffic management:
Hierarchical scheduling: performs QoS scheduling at the port, 802.1Q tunnel, and 802.1Q PVC levels, using PWFQ policies.
Hierarchical nodes and node groups: performs QoS scheduling and shaping using PWFQ policies for subscriber sessions assigned to hierarchical nodes.
These functions are described in the following sections:
Hierarchical Scheduling
Hierarchical Nodes and Node Groups
Hierarchical Scheduling
Hierarchical scheduling operates on PWFQ queues in either of two modes: strict and weighted round robin
(WRR). In a PWFQ policy, each queue is assigned a priority and a relative weight, which are used as
follows:
In strict mode, each queue is serviced according to the priority that you assigned to the queue.
In WRR mode, each queue is serviced in round-robin order according to its priority and its traffic share,
as determined by the relative weight that you assigned to the queue.
You can specify hierarchical scheduling at any level (port, 802.1Q tunnel, and 802.1Q PVC) on a
traffic-managed port and on multiple levels. A level that does not have hierarchical scheduling specified
inherits the scheduling specified at the next higher level.
Hierarchical Nodes and Node Groups
A hierarchical node functions as an individual circuit, such as an 802.1Q PVC; you can assign a traffic rate
and attach a PWFQ policy to it. In addition, you can specify the scheduling mode for the queues defined
by the PWFQ policy, either strict or WRR.
Each node is a member of a node group. Like the individual nodes within it, a node group functions as a
circuit, such as an 802.1Q tunnel. You can assign a traffic rate and a scheduling mode (which might not be
the same traffic rate or scheduling mode assigned to any of the nodes within the group) to a node group;
node groups do not support PWFQ policies.
When you configure a subscriber record or profile to reference a hierarchical node, all sessions for that
subscriber are governed by the QoS PWFQ policy attached to that node and to the hierarchical scheduling
for the node and for the node group.
Note Hierarchical nodes and scheduling are supported only on traffic-managed ports and circuits.
Note You can also attach a PWFQ policy directly to a subscriber record or profile. However, if you attach a PWFQ policy to the subscriber record and another PWFQ policy to the hierarchical node, the policy that you attach to the subscriber record supersedes the policy that you attach to the hierarchical node.
Propagation of QoS Across Layer 3 and Layer 2 Networks
You can configure the SmartEdge OS to propagate IP Differentiated Services Code Point (DSCP) settings in Layer 3 packets as they travel across Ethernet virtual LANs (VLANs), Multiprotocol Label Switching (MPLS) networks, and Layer 2 Tunneling Protocol (L2TP) networks. Conversely, Ethernet 802.1p priority bits, MPLS experimental (EXP) bits, and DSCP settings in Layer 3 packets encapsulated in L2TP packets can be propagated across IP networks. DSCP drop precedence settings can be propagated to the ATM cell loss priority (CLP) bit; however, the reverse is not true.
QoS propagation for a packet uses a packet descriptor (PD), a SmartEdge OS data structure that associates attributes with a forwarded packet that are not stored in the packet's actual headers or payload. The PD includes a three-bit priority field and a three-bit drop-precedence field, as shown in Figure 18-1.
The SmartEdge OS uses these PD fields to perform the following functions for an incoming Layer 2 packet:
1. Depending on the configuration for the inbound circuit protocol, the SmartEdge OS populates the PD for this packet, using one of the following functions:
a. If a QoS propagate from command is configured for the Layer 2 protocol, the SmartEdge OS copies the priority bits from the Layer 2 header to the priority field in the PD. If no classification map is specified, depending on the Layer 2 protocol (MPLS, 802.1Q, or L2TP), the SmartEdge OS copies the priority field in the PD to the DSCP bits in the Layer 3 header.
b. If no QoS propagate from command is configured, the SmartEdge OS copies the three most significant DSCP bits from the Layer 3 header in the incoming packet to the priority field in the PD and the drop precedence settings in that header to the drop field in the PD.
2. If a QoS policing policy (which can include a policy access control list (ACL)) that includes a mark command (of any type) is attached to the inbound circuit, the SmartEdge OS modifies the bits in the priority and drop fields in the PD based on the policy.
A decision is made whether to forward the incoming Layer 3 packet to the outbound circuit for further QoS processing.
Figure 18-1 Propagation of QoS Across Layer 3 and Layer 2 Networks
3. If a QoS metering policy (which can include a policy ACL) that includes a mark command (of any type) is attached to the outbound circuit, the SmartEdge OS modifies the bits in the priority and drop fields in the PD based on the policy.
4. The SmartEdge OS encapsulates the Layer 3 packet in a Layer 2 packet, using one of the following functions:
a. If a QoS propagate to command is configured for the Layer 2 protocol, the SmartEdge OS copies the priority field in the PD to the priority bits in the Layer 2 header.
b. If no QoS propagate to command is configured, the SmartEdge OS sets the priority bits in the Layer 2 header to the default (lowest) priority.
5. The SmartEdge OS uses the priority field in the PD to determine the egress queue for the outgoing packet, and the drop-precedence field to determine the relative priority within that queue.
The following sections further describe QoS propagation:
Propagation of QoS from IP to ATM
Propagation of QoS Between IP and Ethernet
Propagation of QoS Between IP and MPLS
Propagation of QoS Between IP and L2TP
Propagation of QoS from IP to ATM
The CLP bit in the ATM header of a cell provides a method of controlling the discarding of cells in a congested ATM environment. A CLP bit can be set to either 0 (default) or 1, and ATM cells with a setting of 1 are discarded before cells with a setting of 0. When you use the clpbit propagate qos to atm command to propagate the DSCP bits from IP packets to the CLP bit, the DSCP bits in the PD are used to determine whether the CLP bit should be set and thus which ATM cells to discard in a congested ATM network. DSCP bits are mapped to the ATM CLP bit as described in Table 18-2.
Table 18-2 Mapping DSCP Bits to the ATM CLP Bit
DSCP | ATM CLP Bit
Network Control | 0
Reserved | 0
EF | 0
AF11, AF21, AF31, AF41 | 0
AF12, AF22, AF32, AF42 | 1
AF13, AF23, AF33, AF43 | 1
DF | 1
Note This default mapping can be modified using the clpbit propagate qos to atm command (in ATM profile configuration mode) in conjunction with an ATM egress class map.
Note You can also use the mark dscp, mark priority, and mark precedence commands (in metering policy or policing policy configuration mode) to indirectly set the ATM CLP bit when using the clpbit propagate qos to atm command to propagate the DSCP bits from IP packets to the CLP bit.
Propagation of QoS Between IP and Ethernet
802.1p priority is carried in virtual LAN (VLAN) tags defined in IEEE 802.1p. A field in the VLAN tag carries one of eight priority values (3 bits in length), recognizable by Layer 2 devices. This marking determines the service level the packet receives when crossing an 802.1p-enabled network segment. DSCP priority bits are mapped to Ethernet 802.1p bits, in either or both directions, depending on whether you configure the qos propagate from ethernet and qos propagate to ethernet commands (in dot1q profile configuration mode). As shown in Figure 18-2, the following steps occur for an incoming 802.1Q packet:
1. As an 802.1Q packet enters the SmartEdge router, its 802.1p bits are copied to the PD QoS priority field if you use the propagate qos from ethernet command (in dot1q profile configuration mode) to propagate Ethernet 802.1p user priority bits and do not specify a classification map. If you do specify a classification map, the 802.1p bits are mapped to the PD QoS value.
2. The PD priority value is copied to the DSCP field in the Layer 3 packet if you use the propagate qos from ethernet command (in dot1q profile configuration mode) to propagate Ethernet 802.1p user priority bits and do not specify a classification map.
Figure 18-2 Propagation of QoS Between IP and Ethernet
When the SmartEdge router prepares to forward a packet on an 802.1Q virtual LAN (VLAN), the PD priority value is copied to the 802.1p field of the outgoing packet if you use the propagate qos to ethernet command (in dot1q profile configuration mode) to propagate PD priority values.
If you create a classification map using the qos class-map command and reference it in the qos propagate to ethernet syntax, the PD priority value is mapped to the 802.1p field, rather than copied.
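The PD pipeline of steps 1 to 5 above, the 802.1p handling in this section and the Table 18-2 mapping, modelled in Python as an added example (not Redback code; the CircuitQoS flag names, the DSCP bit positions used for the three-bit PD fields and a lowest priority of 0 are assumptions). It also shows why a classification map on the inbound circuit bounds what a subscriber-set 802.1p tag can select.

```python
"""Model of the packet-descriptor (PD) pipeline in steps 1 to 5 above, the 802.1p
handling of this section and the DSCP-to-CLP mapping of Table 18-2.

Added example, not Redback code. CircuitQoS flags stand in for the qos propagate
from/to and mark commands; which DSCP bits the three-bit PD fields are copied to
and from, and a default (lowest) priority of 0, are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EF, DF = 46, 0          # RFC 3246 / RFC 2474 values of the code points named in Table 18-2
LOWEST = 0              # assumed default (lowest) priority


def af(cls: int, dp: int) -> int:
    """AFxy code point: class x (1-4) in the high three bits, drop precedence y (1-3) in the next two."""
    return (cls << 3) | (dp << 1)


@dataclass
class PD:
    priority: int = LOWEST  # three-bit priority field
    drop: int = 0           # three-bit drop-precedence field


@dataclass
class Packet:
    dscp: int                            # six-bit DSCP of the Layer 3 header
    l2_priority: Optional[int] = None    # three-bit 802.1p or EXP bits; None if untagged


@dataclass
class CircuitQoS:
    propagate_from: bool = False                        # qos propagate from ... on the inbound circuit
    propagate_to: bool = False                          # qos propagate to ... on the outbound circuit
    class_map: Optional[Dict[int, int]] = None          # ingress class map: Layer 2 bits -> PD priority
    egress_class_map: Optional[Dict[int, int]] = None   # egress class map: PD priority -> Layer 2 bits
    mark_priority: Optional[int] = None                 # mark priority in an attached metering/policing policy


def ingress(pkt: Packet, cfg: CircuitQoS) -> PD:
    """Steps 1 and 2: populate the PD from the incoming Layer 2 packet (pkt.dscp may be rewritten)."""
    pd = PD()
    if cfg.propagate_from and pkt.l2_priority is not None:
        if cfg.class_map is None:                   # step 1a without a class map: copy ...
            pd.priority = pkt.l2_priority & 0x7
            pkt.dscp = (pd.priority << 3) | (pkt.dscp & 0x7)  # ... then PD priority -> high DSCP bits (assumed)
        else:                                       # step 1a with a class map: map, do not copy
            pd.priority = cfg.class_map.get(pkt.l2_priority, LOWEST)
    else:                                           # step 1b: the Layer 3 header is the only source
        pd.priority = pkt.dscp >> 3                 # three most significant DSCP bits
        pd.drop = (pkt.dscp >> 1) & 0x3             # AF drop-precedence bits (assumed position)
    if cfg.mark_priority is not None:               # step 2: a mark command in the policy wins
        pd.priority = cfg.mark_priority & 0x7
    return pd


def egress(pd: PD, cfg: CircuitQoS) -> Tuple[int, int, int]:
    """Steps 4 and 5: returns (Layer 2 priority bits, egress queue, rank within that queue)."""
    if not cfg.propagate_to:
        l2 = LOWEST                                 # step 4b: no propagate to -> lowest priority
    elif cfg.egress_class_map is None:
        l2 = pd.priority                            # step 4a: copied
    else:
        l2 = cfg.egress_class_map.get(pd.priority, LOWEST)  # step 4a with a class map: mapped
    return l2, pd.priority, pd.drop                 # step 5


def clp_bit(dscp: int) -> int:
    """Table 18-2: ATM CLP bit for a DSCP, derived from the code point's bit layout."""
    if dscp == EF or dscp >= 48:                    # EF and network control (CS6/CS7): never discarded first
        return 0
    cls, dp = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and dp in (1, 2, 3):           # AFx1 -> 0; AFx2, AFx3 -> 1
        return 0 if dp == 1 else 1
    return 1                                        # DF; unlisted code points treated like DF (assumption)


def trusted_vs_untrusted_tag() -> Tuple[int, int]:
    """Same 802.1Q frame (802.1p = 7, DSCP DF) with and without a class map on the inbound circuit.

    Returns the egress queue chosen in each case: without a map the subscriber's tag selects the
    highest queue directly; with a map that caps tag 7 at priority 2, it cannot.
    """
    copy_cfg = CircuitQoS(propagate_from=True, propagate_to=True)
    map_cfg = CircuitQoS(propagate_from=True, propagate_to=True, class_map={7: 2})
    q_copy = egress(ingress(Packet(dscp=DF, l2_priority=7), copy_cfg), copy_cfg)[1]
    q_map = egress(ingress(Packet(dscp=DF, l2_priority=7), map_cfg), map_cfg)[1]
    return q_copy, q_map


if __name__ == "__main__":
    print("egress queue, copied vs mapped 802.1p:", trusted_vs_untrusted_tag())  # (7, 2)
    print("CLP for AF12:", clp_bit(af(1, 2)), "for EF:", clp_bit(EF))           # 1 0
```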
Propagation of QoS Between IP and MPLS
MPLS EXP bits use one of eight priority values (3 bits in length), recognizable by Layer 2 devices. This
marking determines the service level the packet receives when crossing an MPLS-enabled network
segment. On ingress, MPLS EXP values are mapped to PD priority values by default. You can modify the default mapping by doing one of the following:
Specifying a custom mapping using the propagate from mpls command with the class-map map-name construct (in MPLS router configuration mode)
Specifying that the IP header DSCP value be copied to the PD priority value using the egress prefer dscp-qos command (in MPLS router configuration mode)
On egress, if you use the qos propagate to mpls command (in MPLS router configuration mode), PD bits are mapped to MPLS EXP bits if you specify a classification map; see Figure 18-3.
In addition, the EXP value can be copied to the priority field of the packet's IP header DSCP field by entering the qos propagate from mpls command without specifying a classification map.
Figure 18-3 Propagation of QoS Between IP and MPLS
Propagation of QoS Between IP and L2TP
With L2TP packets, the DSCP and the precedence bits of the original IP packet are copied. The downstream process from the network, to the SmartEdge router configured as an LNS, to the SmartEdge router configured as an L2TP access concentrator (LAC), to the subscriber is illustrated in Figure 18-4:
Figure 18-4 Propagation of QoS Downstream from the Network
The downstream propagation process follows:
1. At the LNS, the SmartEdge OS copies the DSCP bits from the inner subscriber IP packet header in the
incoming IP packet to the PD priority field.
2. The SmartEdge OS then copies the priority field to the DSCP bits in the outer L2TP IP packet header, using the propagate qos to l2tp command (in L2TP peer configuration mode), if configured. If the command is not configured, it sets the DSCP bits to the default (lowest) priority.
3. The SmartEdge OS selects an egress queue for the L2TP packet, based on the priority field.
4. At the LAC, the SmartEdge OS copies the DSCP bits in the outer L2TP IP packet header to the PD priority field.
5. The SmartEdge OS then copies the DSCP bits from the inner subscriber IP packet header to the PD priority field, using the propagate qos from subscriber command (in L2TP peer configuration mode) with the downstream keyword, if configured. This operation overwrites the priority field set by step 4.
6. The SmartEdge OS selects an egress queue, based on the priority field in the PD.
The upstream process from the subscriber, to the SmartEdge router configured as a LAC, to the SmartEdge router configured as an LNS, to the network is illustrated in Figure 18-5.
Figure 18-5 Propagation of QoS Upstream from the Subscriber
The upstream propagation process follows:
1. At the LAC, if the propagate qos from subscriber command (in L2TP peer configuration mode) with
the upstream keyword is configured, the SmartEdge OS copies the DSCP bits from the inner subscriber
IP packet header in the incoming IP packet to the priority field in the PD. If the propagate qos from
subscriber command is not configured, it sets the priority field to the default (lowest) priority.
2. The SmartEdge OS then copies the priority field to the DSCP bits in the outer L2TP IP packet header, using the propagate qos to l2tp command (in L2TP peer configuration mode), if configured. If the command is not configured, it sets the DSCP bits to the default priority.
3. The SmartEdge OS selects an egress queue for the L2TP packet based on the priority field.
4. At the LNS, the SmartEdge OS copies the DSCP bits from the outer L2TP IP packet header in the incoming IP packet to the priority field in the PD.
5. The SmartEdge OS then copies the priority field to the DSCP bits in the inner subscriber IP packet header, using the propagate qos from l2tp command (in L2TP peer configuration mode), if configured with no classification map specified. If this command is not used, the inner subscriber IP packet header is not altered.
is not altered.
6. The SmartEdge OS selects an egress queue for the IP packet based on the priority field.
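The downstream and upstream L2TP steps above as an added Python model (not Redback code; the PeerConfig flag names, the DSCP bit placement and a lowest priority of 0 are assumptions). It shows which combinations of the propagate commands carry the subscriber's marking through the tunnel, where it is lost, and where the LNS rewrites the inner header.

```python
"""Model of DSCP propagation through an L2TP tunnel, following the downstream
(Figure 18-4) and upstream (Figure 18-5) steps above.

Added example, not Redback code. The PeerConfig flags stand in for the propagate
qos to l2tp, propagate qos from subscriber {downstream|upstream} and propagate qos
from l2tp commands; writing the three-bit priority into the high DSCP bits and a
default (lowest) priority of 0 are assumptions.
"""
from dataclasses import dataclass
from typing import Tuple

LOWEST = 0          # assumed default (lowest) priority
EF = 46             # RFC 3246 Expedited Forwarding, used as the sample subscriber marking


def prio_of(dscp: int) -> int:
    """PD priority field taken from the three most significant DSCP bits."""
    return (dscp >> 3) & 0x7


def with_prio(prio: int, dscp: int) -> int:
    """DSCP with its three most significant bits replaced by prio (assumed placement)."""
    return (prio << 3) | (dscp & 0x7)


@dataclass
class Tunnelled:
    inner_dscp: int              # subscriber IP header
    outer_dscp: int = LOWEST     # L2TP (outer) IP header, written by the encapsulating router
    pd_priority: int = LOWEST    # PD priority field on the router currently handling the packet


@dataclass
class PeerConfig:
    to_l2tp: bool = False               # propagate qos to l2tp
    from_subscriber_down: bool = False  # propagate qos from subscriber downstream (LAC)
    from_subscriber_up: bool = False    # propagate qos from subscriber upstream (LAC)
    from_l2tp: bool = False             # propagate qos from l2tp, no class map (LNS)


def downstream(pkt: Tunnelled, lns: PeerConfig, lac: PeerConfig) -> Tuple[int, int]:
    """Network -> LNS -> LAC -> subscriber. Returns the egress queue chosen at (LNS, LAC)."""
    pkt.pd_priority = prio_of(pkt.inner_dscp)                       # step 1
    outer_prio = pkt.pd_priority if lns.to_l2tp else LOWEST         # step 2
    pkt.outer_dscp = with_prio(outer_prio, LOWEST)
    lns_queue = pkt.pd_priority                                     # step 3
    pkt.pd_priority = prio_of(pkt.outer_dscp)                       # step 4 (at the LAC)
    if lac.from_subscriber_down:
        pkt.pd_priority = prio_of(pkt.inner_dscp)                   # step 5 overwrites step 4
    return lns_queue, pkt.pd_priority                               # step 6


def upstream(pkt: Tunnelled, lac: PeerConfig, lns: PeerConfig) -> Tuple[int, int]:
    """Subscriber -> LAC -> LNS -> network. Returns the egress queue chosen at (LAC, LNS)."""
    pkt.pd_priority = prio_of(pkt.inner_dscp) if lac.from_subscriber_up else LOWEST  # step 1
    outer_prio = pkt.pd_priority if lac.to_l2tp else LOWEST         # step 2
    pkt.outer_dscp = with_prio(outer_prio, LOWEST)
    lac_queue = pkt.pd_priority                                     # step 3
    pkt.pd_priority = prio_of(pkt.outer_dscp)                       # step 4 (at the LNS)
    if lns.from_l2tp:                                               # step 5: inner header rewritten
        pkt.inner_dscp = with_prio(pkt.pd_priority, pkt.inner_dscp)
    return lac_queue, pkt.pd_priority                               # step 6


def inner_dscp_after_upstream(lac: PeerConfig, lns: PeerConfig) -> int:
    """DSCP an EF-marked subscriber packet carries when it leaves the LNS towards the network."""
    pkt = Tunnelled(inner_dscp=EF)
    upstream(pkt, lac, lns)
    return pkt.inner_dscp


if __name__ == "__main__":
    # Downstream: without propagate qos to l2tp the LAC queues an EF packet at the lowest priority ...
    print(downstream(Tunnelled(inner_dscp=EF), PeerConfig(), PeerConfig()))                            # (5, 0)
    # ... unless it is configured to look at the inner header itself.
    print(downstream(Tunnelled(inner_dscp=EF), PeerConfig(), PeerConfig(from_subscriber_down=True)))   # (5, 5)
    # Upstream: an LNS with propagate qos from l2tp rewrites the subscriber's EF to the tunnel's priority.
    print(inner_dscp_after_upstream(PeerConfig(), PeerConfig(from_l2tp=True)))                         # 6
```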
Configuration Tasks
To configure circuits for QoS features, perform the tasks described in the following sections:
Configuration Guidelines
Configure an ATM PVC for QoS
Configure an Ethernet Circuit for QoS
Configure a PDH Circuit for QoS
Configure a POS Circuit for QoS
Configure Cross-Connected Circuits for QoS
Configure a Subscriber Circuit for QoS
Configure QoS Propagation (Optional)
Configure L2TP for QoS
Configure MPLS for QoS
Attach QoS Policies to a Circuit Group and Assign Members to the Group
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section. You can enter unnumbered tasks in any sequence.
Configuration Guidelines
This section includes configuration guidelines that affect more than one command or a combination of commands:
- If you attach an enhanced deficit round-robin (EDRR) or modified deficit round-robin (MDRR) policy to a PVC, you must also attach it to the port on which you have configured the PVC.
- Channelized DS-3 traffic cards support the attachment of EDRR and PQ policies with two to eight queues to DS-1 channels. However, the total number of queues that are supported on any DS-3 traffic card is limited to 1,018 queues; 348 of which are reserved by the system and 670 of which are available for QoS scheduling policies. Therefore, you can configure up to 167 DS-1 channels with 4-queue policies and up to 83 DS-1 channels with 8-queue policies.
- If you attach a PWFQ policy to a hierarchical node and another PWFQ policy directly to the subscriber record that references that node, the subscriber session is governed by the PWFQ policy attached directly to the subscriber record.
- Subscriber traffic is managed differently with PWFQ policies attached directly to the subscriber record and attached to the hierarchical node:
  - If you attach the policy directly to the subscriber record, the traffic for that subscriber has its own set of queues.
  - If you reference a hierarchical node that has an attached PWFQ policy, the traffic for that subscriber shares the queues for that policy with all other subscribers that reference that node.
- The following guidelines apply to cross-connected circuits:
  - When you attach a QoS metering or policing policy to a cross-connected circuit, you can attach a policy to each individual circuit before or after you make the cross-connection.
  - You can attach a different metering or policing policy to each circuit.
  - You can attach both a metering and a policing policy to each circuit.
  - Scheduling policies are not supported on cross-connected circuits.
- The following guidelines apply to Ethernet and 802.1Q link groups:
  - You attach a policy to an Ethernet port rather than to the link group of which it is a member; you attach the policy using one of the QoS policy commands (qos policy metering, qos policy policing, qos policy queuing) in port configuration mode.
  - You can attach any type of QoS policy that is supported by that type of Ethernet port. These include metering, policing, EDRR, MDRR, PQ, and PWFQ policies. However, to preserve the operational characteristics of a link group, attach the same set of policies (metering, policing, and scheduling) to every constituent port in the link group.
Configure an ATM PVC for QoS
To configure an ATM PVC for QoS, perform the tasks described in the following sections:
- Configure a PVC on a First-Generation ATM OC Traffic Card
- Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card

Configure a PVC on a First-Generation ATM OC Traffic Card
To configure an ATM PVC on a first-generation ATM OC traffic card, perform the tasks described in Table 18-3; enter all commands in ATM PVC configuration mode, unless otherwise noted.

Table 18-3 Configure a PVC on a First-Generation ATM OC Traffic Card
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate the CLP bit to PD values in ATM cells. | clpbit propagate qos from atm | Enter this command in ATM profile configuration mode.
For packets going out of the SmartEdge router, propagate IP DSCP bits to the CLP bit in ATM cells. | clpbit propagate qos to atm | Enter this command in ATM profile configuration mode.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Possible policy types are EDRR and PQ. You must attach an EDRR policy to both the port and the PVC. To attach the EDRR policy to the port, enter this command in ATM OC configuration mode.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | Enter this command in ATM OC configuration mode. By default, the mode is normal. Only one mode type is supported on a single port.

Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card
To configure an ATM PVC on a second-generation ATM OC or ATM DS-3 traffic card, perform the tasks described in Table 18-4; enter all commands in ATM PVC configuration mode, unless otherwise noted.

Table 18-4 Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate the CLP bit to PD values in ATM cells. | clpbit propagate qos from atm | Enter this command in ATM profile configuration mode.
For packets going out of the SmartEdge router, propagate IP DSCP bits to the CLP bit in ATM cells. | clpbit propagate qos to atm | Enter this command in ATM profile configuration mode.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy to a PVC. (1) | qos policy queuing | Only ATMWFQ policies are supported; you can attach them only to PVCs.
(1) An ATMWFQ policy cannot be attached to a PVC that is shaped as UBRe.

Configure an Ethernet Circuit for QoS
To configure a circuit on any Ethernet traffic card for QoS, including any version of a Gigabit Ethernet traffic card, perform the tasks described in the following sections:
- Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS
- Configure a Traffic-Managed Port for Hierarchical Scheduling
- Configure a Traffic-Managed Port for Hierarchical Nodes

Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS
To configure an Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet (any version) port, 802.1Q tunnel, or 802.1Q PVC, perform the tasks described in Table 18-5; enter all commands in port or dot1q PVC configuration mode, unless otherwise noted.
Table 18-5 Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate Ethernet 802.1p user priority bits to IP DSCP bits. | propagate qos from ethernet | Enter this command in dot1q profile configuration mode.
For packets going out of the SmartEdge router, propagate IP DSCP bits to Ethernet 802.1p user priority bits. | propagate qos to ethernet | Enter this command in dot1q profile configuration mode.
Assign a priority group to the port, tunnel, or PVC. | qos priority | The QoS bit setting for packets traveling across the ingress circuit is not changed by the priority group assignment. Not supported for CCOD ranges of 802.1Q PVCs.
Attach an overhead profile to a port or an 802.1Q PVC. | qos profile overhead |
Attach a policing policy to the port, tunnel, or PVC. | qos policy policing |
Set the rate for outgoing traffic for a Gigabit Ethernet port. | qos rate |
Attach a metering policy to a port, tunnel, or PVC. | qos policy metering |
Attach a scheduling policy to a port, tunnel, or PVC. | qos policy queuing | Possible policy types are EDRR, MDRR, PQ, and PWFQ. (1)
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic. Not supported for CCOD ranges of 802.1Q PVCs.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.
(1) EDRR and PQ policies are not supported on traffic-managed circuits; these circuits support only PWFQ policies. MDRR policies are supported only on 10GE circuits.

Configure a Traffic-Managed Port for Hierarchical Scheduling
To configure a traffic-managed port and any 802.1Q tunnels and PVCs configured on it for hierarchical scheduling with a PWFQ policy, perform the tasks described in Table 18-6; enter all commands in port configuration mode, unless otherwise noted. For information about the dot1q pvc command (in port configuration mode), see the Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.

Table 18-6 Configure a Traffic-Managed Port for Hierarchical Scheduling
# | Task | Root Command | Notes
1 | Set the maximum and minimum rates for the port. | qos rate | You must specify the maximum rate; the minimum rate is optional.
2 | Specify the scheduling algorithm for the port. | qos hierarchical mode strict |
3 | Attach a PWFQ policy to the port. | qos policy queuing | You can attach a policy to any or all 802.1Q tunnels and PVCs as well as the port.
4 | Create one or more 802.1Q tunnels or PVCs and access dot1q PVC configuration mode. | dot1q pvc |
5 | Set the maximum and minimum rates for the tunnel or PVC. | qos rate | Enter this command in dot1q PVC configuration mode. You must specify the maximum rate; the minimum rate is optional. You cannot set a minimum rate if you also assign a relative weight to this PVC.
6 | Assign a relative weight to this PVC. | qos weight | Enter this command in dot1q PVC configuration mode. You cannot assign a relative weight if you also set a minimum rate for this PVC.
7 | Specify the scheduling algorithm for the tunnel or PVC. | qos hierarchical mode strict | Enter this command in dot1q PVC configuration mode.
8 | Attach a PWFQ policy to the tunnel or PVC. | qos policy queuing | Enter this command in dot1q PVC configuration mode. You can attach a policy to any or all tunnels and PVCs, as well as the port.

Configure a Traffic-Managed Port for Hierarchical Nodes
To configure a traffic-managed port for hierarchical nodes and node groups, and to attach PWFQ policies to them, perform the tasks described in Table 18-7; enter all commands in port configuration mode, unless otherwise noted.

Table 18-7 Configure a Traffic-Managed Port for Hierarchical Nodes
# | Task | Root Command | Notes
1 | Set the maximum and minimum rates for the port. | qos rate | You must specify the maximum rate; the minimum rate is optional.
2 | Specify the scheduling algorithm for the port. | qos hierarchical mode strict |
3 | Create one or more hierarchical node groups and access hierarchical node group configuration mode. | qos node-group |
4 | Set the maximum and minimum rates for the node groups. | qos rate | Enter this command in hierarchical node group configuration mode. You must specify the maximum rate; the minimum rate is optional. You cannot set a minimum rate if you also assign a relative weight to this node group.
5 | Assign a relative weight to this node group. | qos weight | Enter this command in hierarchical node group configuration mode. You cannot assign a relative weight if you also set a minimum rate for this node group.
6 | Specify the scheduling algorithm for the node groups. | qos hierarchical mode strict | Enter this command in hierarchical node group configuration mode. The mode need not be the same as the one you specify for the port.
7 | Create one or more hierarchical nodes and access hierarchical node configuration mode. | qos node | Enter this command in hierarchical node group configuration mode.
8 | Set the maximum and minimum rates for these nodes. | qos rate | Enter this command in hierarchical node configuration mode. You must specify the maximum rate; the minimum rate is optional. You cannot set a minimum rate if you also assign a relative weight to this node.
9 | Assign a relative weight for these nodes. | qos weight | Enter this command in hierarchical node configuration mode. You cannot assign a relative weight if you also set a minimum rate for this node.
10 | Specify the scheduling algorithm for these nodes. | qos hierarchical mode strict | Enter this command in hierarchical node configuration mode. The mode need not be the same as the one you specify for the port or node group.
11 | Attach a PWFQ policy to these nodes. | qos policy queuing | Enter this command in hierarchical node configuration mode. The policy need not be the same as the one you attach to the port, tunnel, or PVC.

Configure a PDH Circuit for QoS
To configure a PDH circuit (port, channel, PVC, or link group) for QoS, perform the tasks described in Table 18-8; enter all commands in DS-0 group, DS-1, DS-3, E1, E3, link group, or Frame Relay PVC configuration mode (depending on the type of PDH circuit), unless otherwise noted.

Table 18-8 Configure a PDH Circuit for QoS
Task | Root Command | Notes
Assign a priority group. | qos priority | The QoS bit setting for packets traveling across the ingress circuit is not changed by the priority group assignment.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Policy types include EDRR and PQ.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.

Configure a POS Circuit for QoS
To configure a circuit on a Packet over SONET/SDH (POS) traffic card for QoS, perform the tasks described in Table 18-9; enter all commands in port configuration mode.

Table 18-9 Configure a POS Circuit for QoS
Task | Root Command | Notes
Assign a priority group. | qos priority | The QoS bit setting for packets traveling across the ingress circuit is not changed by the priority group assignment.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Policy types include EDRR and PQ.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.
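The constraints stated in the Configuration Guidelines and in the hierarchical scheduling tables can be checked mechanically before a configuration is pushed. The following is an added example, not code from the guide or from the SmartEdge OS: a small Python lint that strips the prompts from a CLI transcript in this chapter's format, rebuilds the port/PVC hierarchy, and flags an EDRR or MDRR queuing policy attached to a PVC but not to its port, a circuit that sets both qos rate minimum and qos weight, and a minimum rate configured without a maximum; it also derives the DS-1 channel counts from the DS-3 queue budget. The policy name-to-type catalogue and the sample transcript are constructed for the example.

```python
"""Constructed lint for SmartEdge-style QoS circuit configuration.

Parses port / pvc / qos lines of a CLI transcript in the chapter's format
and checks the constraints the chapter states for those commands.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# DS-3 traffic card queue budget, as stated in the configuration guidelines.
DS3_TOTAL_QUEUES = 1018
DS3_RESERVED_QUEUES = 348
DS3_QOS_QUEUES = DS3_TOTAL_QUEUES - DS3_RESERVED_QUEUES  # 670 usable by QoS policies


def ds1_channel_capacity(queues_per_policy: int) -> int:
    """DS-1 channels one DS-3 card can carry when each uses a k-queue EDRR/PQ policy."""
    if not 2 <= queues_per_policy <= 8:
        raise ValueError("DS-1 channel policies use 2 to 8 queues")
    return DS3_QOS_QUEUES // queues_per_policy  # 4 queues -> 167, 8 queues -> 83


@dataclass
class Circuit:
    name: str                      # "ethernet 5/1" for a port, "ethernet 5/1 pvc 200" for a PVC
    parent: Optional[str]          # owning port for a PVC, None for a port
    queuing: Optional[str] = None  # policy name given to "qos policy queuing"
    rate_max: Optional[int] = None
    rate_min: Optional[int] = None
    weight: Optional[int] = None


PROMPT = re.compile(r"^\[[^\]]*\][^#]*#")  # e.g. "[local]Redback(config-port)#"


def parse_config(text: str) -> Dict[str, Circuit]:
    """Build the circuit table from a transcript; prompts and '!' separators are ignored."""
    circuits: Dict[str, Circuit] = {}
    port = pvc = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"port (ethernet|atm|pos) (\S+)", line):
            port, pvc = f"{m[1]} {m[2]}", None
            circuits.setdefault(port, Circuit(port, None))
        elif m := re.match(r"(?:dot1q|atm) pvc (\d+)", line):
            pvc = f"{port} pvc {m[1]}"
            circuits.setdefault(pvc, Circuit(pvc, port))
        elif line == "exit":
            pvc = None  # back to port configuration mode
        elif (cur := circuits.get(pvc or port)) is not None:
            if m := re.match(r"qos policy queuing (\S+)", line):
                cur.queuing = m[1]
            elif m := re.match(r"qos rate maximum (\d+)", line):
                cur.rate_max = int(m[1])
            elif m := re.match(r"qos rate minimum (\d+)", line):
                cur.rate_min = int(m[1])
            elif m := re.match(r"qos weight (\d+)", line):
                cur.weight = int(m[1])
    return circuits


def lint(circuits: Dict[str, Circuit], policy_types: Dict[str, str]) -> List[str]:
    """One finding per violated constraint, in configuration order."""
    findings = []
    for c in circuits.values():
        kind = policy_types.get(c.queuing or "")
        # Guideline: an EDRR or MDRR policy on a PVC must also be on the PVC's port.
        if c.parent and kind in ("EDRR", "MDRR"):
            if circuits[c.parent].queuing != c.queuing:
                findings.append(f"{c.name}: {kind} policy {c.queuing} "
                                f"must also be attached to {c.parent}")
        # Tables 18-6/18-7: minimum rate and relative weight are mutually exclusive.
        if c.rate_min is not None and c.weight is not None:
            findings.append(f"{c.name}: qos rate minimum and qos weight are mutually exclusive")
        # Tables 18-6/18-7: the maximum rate is mandatory, the minimum optional.
        if c.rate_min is not None and c.rate_max is None:
            findings.append(f"{c.name}: qos rate minimum requires qos rate maximum")
    return findings


# Constructed transcript with two deliberate violations.
SAMPLE_CONFIG = """
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos policy queuing pwfq-port
[local]Redback(config-port)#dot1q pvc 200
[local]Redback(config-dot1q-pvc)#qos rate maximum 10000000
[local]Redback(config-dot1q-pvc)#qos rate minimum 10000
[local]Redback(config-dot1q-pvc)#qos weight 5
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm)#atm pvc 200 300 profile prof1 encaps multi
[local]Redback(config-atmpvc)#qos policy queuing example1
"""
# Hypothetical catalogue (policy name -> policy type) that the operator supplies.
POLICY_TYPES = {"pwfq-port": "PWFQ", "example1": "EDRR"}

if __name__ == "__main__":
    print(*lint(parse_config(SAMPLE_CONFIG), POLICY_TYPES), sep="\n")
```

The same parser can be fed a saved configuration file, since lines without a prompt are accepted unchanged.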
Configure Cross-Connected Circuits for QoS
To configure a cross-connected circuit for QoS, perform the tasks described in Table 18-10. You cannot attach a scheduling policy to a cross-connected circuit; only metering and policing policies are supported on either or both circuits.

Note: You can perform the tasks in Table 18-10 in any order.

Table 18-10 Configure a Cross-Connected Circuit for QoS
Task | Root Command | Notes
Configure the inbound circuit for QoS with one of the following tasks: | |
  - An inbound ATM PVC. | | Perform the tasks in Table 18-3 or Table 18-4, but do not attach a scheduling policy.
  - An inbound 802.1Q PVC. | | Perform the tasks in Table 18-6, but do not attach a scheduling policy.
Configure the outbound circuit for QoS with one of the following tasks: | |
  - An outbound ATM PVC. | | Perform the tasks in Table 18-3 or Table 18-4, but do not attach a scheduling policy.
  - An outbound 802.1Q PVC. | qos priority | Perform the tasks in Table 18-6, but do not attach a scheduling policy.
Create the cross-connection between the inbound and outbound circuits. | xc | Enter this command in global configuration mode. For information about this command, see the Cross-Connection Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.

Configure a Subscriber Circuit for QoS
You configure a subscriber circuit (or an LNS subscriber session) for QoS by configuring the subscriber record or profile. To configure a subscriber record or profile, and thus any circuit on which the subscriber session is created, perform one or more of the tasks described in Table 18-11; enter all commands in subscriber configuration mode, unless otherwise noted.

Table 18-11 Configure a Subscriber Circuit for QoS
Task | Root Command | Notes
Create a reference to a hierarchical node. | qos node-reference |
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Policy types include ATMWFQ, EDRR, MDRR, PQ, and PWFQ. Only PWFQ policies are supported for LNS subscriber sessions.
Attach an overhead profile to a subscriber record. | qos profile overhead | Enter this command in port configuration mode.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.

Configure QoS Propagation (Optional)
To create and apply customized classification mappings for QoS bits, perform the tasks described in Table 18-12; enter all commands in class map configuration mode, unless otherwise noted.
Table 18-12 Configure QoS Propagation
Task | Root Command | Notes
Create a classification map. | qos class-map | Enter this command in global configuration mode. For information about this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Specify a set of default values for a classification map. | mapping-schema | For information about this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Specify an initial PD value to assign to ATM packets with the specified CLP value. | atm to qos |
Translate outgoing PD QoS values to ATM CLP values. | qos to atm |
For incoming packets with the specified CLP value, determine the initial PD QoS value from the user priority bits in the 802.1p VLAN TCI field of the packet header. | atm use-ethernet |
For incoming packets with the specified CLP value, determine the initial PD QoS value from the IP ToS field of the packet header. | atm use-ip |
Translate incoming Ethernet 802.1p values to PD QoS values. | ethernet to qos |
Translate outgoing PD QoS values to Ethernet 802.1p values. | qos to ethernet |
For 802.1Q transport PVCs, use the 802.1p value from either the outer PVC header or the inner PVC header for propagation between internal PD classification values and Ethernet. | propagate qos transport use-vlan-header | Enter this command in dot1q profile configuration mode.
For incoming packets with the specified 802.1p value, determine the initial PD QoS value from the DSCP value in the IP header rather than the 802.1p value. | ethernet use-ip |
Translate incoming IP header DSCP values to PD QoS values. | ip to qos |
Translate outgoing PD QoS values to IP header DSCP values. | qos to ip |
For outgoing packets with the specified PD QoS value, determine the final header EXP or 802.1p value based on the IP header DSCP value rather than the PD QoS value. | qos use-ip |
Translate incoming MPLS EXP values to PD QoS values. | mpls to qos |
Translate outgoing PD QoS values to MPLS header EXP values. | qos to mpls |
For incoming packets with the specified MPLS EXP priority label, use the encapsulated Ethernet packet's 802.1p priority label to determine the PD value for the packet. | mpls use-ethernet |
For incoming packets with the specified EXP value, determine the initial PD QoS value from the IP header DSCP value rather than the EXP value. | mpls use-ip |
For incoming MPLS EXP packets with an Ethernet VLAN header, specify the 802.1Q-over-MPLS packets to examine for any header enclosed by the outer VLAN header. | propagate qos use-vlan-ethertype | Enter this command in MPLS router configuration mode.
For incoming MPLS packets, use the 802.1p value from either the outer PVC header or the inner PVC header for propagation from Ethernet to internal PD classification values. | propagate qos use-vlan-header | Enter this command in MPLS router configuration mode.
Reference the classification map when configuring propagation. | propagate qos from ethernet, propagate qos from ip, propagate qos from l2tp, propagate qos from mpls, propagate qos to ethernet, propagate qos to ip, propagate qos to l2tp, propagate qos to mpls | Specify the class-map class-map construct for this function.

Configure L2TP for QoS
To configure L2TP for QoS to propagate subscriber DSCP bits in the downstream direction, perform the tasks described in Table 18-13; enter all commands in L2TP peer configuration mode for the default peer.
To configure L2TP for QoS to propagate DSCP bits in the upstream direction, perform the tasks described in Table 18-14; enter all commands in L2TP peer configuration mode for the default peer.

Table 18-13 Configure L2TP for QoS in the Downstream Direction
Task | Root Command | Notes
For network packets the SmartEdge router sends to the LAC when the router is configured as an LNS, propagate the PD priority bits to the outer DSCP value. | propagate qos to l2tp |
For L2TP IP packets coming into the SmartEdge router when it is configured as a LAC, propagate the subscriber DSCP bits from the inner IP packet header to the PD priority bits from the LNS for the subscriber IP packet. | propagate qos from subscriber | Specify the downstream keyword for this function.

Table 18-14 Configure L2TP for QoS in the Upstream Direction
Task | Root Command | Notes
For subscriber IP packets coming into the SmartEdge router when it is configured as a LAC, propagate the subscriber DSCP bits in the IP packet header to the PD priority bits for the subscriber IP packet. | propagate qos from subscriber | Specify the upstream keyword for this function.
For network packets the SmartEdge router sends to the LNS when the router is configured as a LAC, propagate the PD priority bits to the outer DSCP value. | propagate qos to l2tp |
For L2TP packets coming into the SmartEdge router when it is configured as an LNS, after the outer DSCP bits have been propagated to the PD priority bits, propagate the PD priority bits to the subscriber's inner DSCP bits. | propagate qos from l2tp |

Configure MPLS for QoS
To configure MPLS for QoS, perform the tasks described in one of the following sections:
- Propagate QoS Using DSCP Bits and MPLS EXP Bits
- Propagate QoS Using DSCP Bits Only

Propagate QoS Using DSCP Bits and MPLS EXP Bits
To propagate QoS from DSCP bits to MPLS EXP bits (instead of DSCP bits only) and vice versa, perform the tasks described in Table 18-15; enter either or both commands in MPLS router configuration mode.

Table 18-15 Propagate QoS Using DSCP Bits and MPLS EXP Bits
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate MPLS EXP bits to DSCP bits. | propagate qos from mpls |
For packets going out of the SmartEdge router, propagate PD priority values to MPLS EXP bits. | propagate qos to mpls |

Propagate QoS Using DSCP Bits Only
To propagate QoS by enabling the use of DSCP bits only (instead of MPLS EXP bits), perform the task described in Table 18-16.

Table 18-16 Propagate QoS Using DSCP Bits Only
Task | Root Command | Notes
Enable the use of IP header DSCP bits (not MPLS EXP values) when determining the initial PD priority value of incoming MPLS packets. | egress prefer dscp-qos | Enter this command in MPLS router configuration mode.
Attach QoS Policies to a Circuit Group and Assign Members to the Group
To create a circuit group, attach a QoS metering, policing, or scheduling policy to it, and then assign members to the group, perform the tasks described in Table 18-17.

Table 18-17 Attach QoS Policies to a Circuit Group and Assign Members to the Group
# | Task | Root Command | Notes
1 | Create a circuit group and assign a specified name to it. | circuit group | Enter this command in global configuration mode. For information about this command, see the Circuit Configurations chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2 | Attach a QoS metering, policing, or scheduling policy to the circuit group: | |
  | Attach a metering policy. | qos policy metering | Enter this command in dot1q PVC configuration mode.
  | Attach a policing policy. | qos policy policing | Enter this command in dot1q PVC configuration mode.
  | Attach a queuing policy. | qos policy queuing | Enter this command in dot1q PVC configuration mode.
3 | Select an Ethernet port in which the members of the circuit group are to reside and access port configuration mode. | port ethernet | Enter this command in global configuration mode.
4 | Specify the use of 802.1Q encapsulation for the Ethernet port. | encapsulation dot1q | Enter this command in port configuration mode.
5 | Specify the 802.1Q tunnel or one or more static 802.1Q PVCs to be assigned to the specified circuit group and access dot1q PVC configuration mode. | dot1q pvc | Enter this command in port configuration mode.
6 | Specify that the 802.1Q tunnel or PVCs being configured are members of the specified circuit group. | circuit-group-member | Enter this command in dot1q PVC configuration mode. For information about this command, see the Circuit Configurations chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.

Configuration Examples
QoS configuration examples are included in the following sections:
- Attaching Rate- and Class-Limiting Policies
- Attaching Scheduling Policies
- Propagating QoS
- Attaching QoS Policies to Circuit Groups
Attaching Rate- and Class-Limiting Policies
Examples of configuring PVCs and subscriber records for QoS policies are provided in the following sections:
- PVC Configuration
- Cross-Connected Circuit Configuration
- Subscriber Configuration

PVC Configuration
The following example attaches a metering policy, meter, to an 802.1Q PVC on an Ethernet port:
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 200
[local]Redback(config-dot1q-pvc)#bind interface if-200 local
[local]Redback(config-dot1q-pvc)#qos policy metering meter

Cross-Connected Circuit Configuration
The following example attaches a metering policy, output, to the inbound circuits of cross-connected 802.1Q PVCs on Ethernet ports; the outbound PVCs on port 4/3 carry no policy, and the xc commands then join each inbound PVC to its outbound counterpart:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 2001
[local]Redback(config-dot1q-pvc)#qos policy metering output
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2051
[local]Redback(config-dot1q-pvc)#qos policy metering output
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2101
[local]Redback(config-dot1q-pvc)#qos policy metering output
[local]Redback(config-dot1q-pvc)#exit
!
[local]Redback(config)#port ethernet 4/3
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 2001
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2051
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2101
[local]Redback(config-dot1q-pvc)#exit
!
[local]Redback(config)#xc 4/1 vlan-id 2001 to 4/3 vlan-id 2001
[local]Redback(config)#xc 4/1 vlan-id 2051 to 4/3 vlan-id 2051
[local]Redback(config)#xc 4/1 vlan-id 2101 to 4/3 vlan-id 2101

Subscriber Configuration
The following example attaches a metering policy, meter, to a subscriber record:
[local]Redback(config)#subscriber name redback
[local]Redback(config-sub)#password redback
[local]Redback(config-sub)#qos policy metering meter
Attaching Scheduling Policies
Examples of configuring ports and PVCs for QoS features using scheduling policies are provided in the following sections:
- Port Configuration
- PVC Configuration
- Overhead Profile Configuration
- PWFQ Policy and Hierarchical Shaping
- PWFQ Policy and Hierarchical Scheduling

Port Configuration
The following example attaches a PQ policy to a POS port:
[local]Redback(config)#port pos 2/1
[local]Redback(config-port)#qos policy queuing pos-qos

PVC Configuration
The following example attaches a PQ scheduling policy to each of three 802.1Q PVCs:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#bind interface if-100 local
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing
[local]Redback(config-dot1q-pvc)#dot1q pvc 101
[local]Redback(config-dot1q-pvc)#bind interface if-101 local
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing
[local]Redback(config-dot1q-pvc)#dot1q pvc 102
[local]Redback(config-dot1q-pvc)#bind interface if-102 local
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing

The following example attaches an EDRR policy, example1, to an ATM PVC and to its port on a first-generation ATM OC traffic card (an EDRR policy on a PVC must also be attached to the port):
[local]Redback(config)#port atm 6/1
[local]Redback(config-port)#qos policy queuing example1
[local]Redback(config-atm)#atm pvc 200 300 profile prof1 encaps multi
[local]Redback(config-atmpvc)#qos policy queuing example1

Overhead Profile Configuration
The following example allows the child circuits of 802.1Q PVC 100 to inherit the example1 overhead profile:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#dot1q pvc 100 encapsulation 1qtunnel
[local]Redback(config-port)#qos profile overhead example1 inherit

PWFQ Policy and Hierarchical Shaping
The following example configures a GE3 port with the node group home containing 5 dslam nodes and attaches a PWFQ policy to each node:
[local]Redback(config)#port ethernet 5/2
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos rate minimum 100000
[local]Redback(config-port)#qos hierarchical mode strict
[local]Redback(config-port)#qos node-group home 1
[local]Redback(config-h-node)#qos node dslam 1 through 5
[local]Redback(config-h-node)#qos policy queuing pwfq4

PWFQ Policy and Hierarchical Scheduling
The following example configures a GE3 port and its 802.1Q PVC for hierarchical scheduling and attaches a PWFQ policy to both the port (pwfq-port) and its PVC (pwfq-pvc):
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos rate minimum 100000
[local]Redback(config-port)#qos hierarchical mode strict
[local]Redback(config-port)#qos policy queuing pwfq-port
[local]Redback(config-port)#dot1q pvc 200
[local]Redback(config-dot1q-pvc)#qos rate maximum 10000000
[local]Redback(config-dot1q-pvc)#qos rate minimum 10000
[local]Redback(config-dot1q-pvc)#qos policy queuing pwfq-pvc
Propagating QoS
The following example configures 802.1q profile, 8021q- on, to propagate QoS information between IP
and any 802.1Q tunnel or PVC that has that profile assigned to it:
[ l ocal ] Redback( conf i g) #dot1q profile 8201p-on
[ l ocal ] Redback( conf i g- dot 1q- pr of i l e) #propagate qos from ethernet
[ l ocal ] Redback( conf i g- dot 1q- pr of i l e) #propagate qos to ethernet
[ l ocal ] Redback( conf i g- dot 1q- pr of i l e) #exit
The following example propagates QoS on an 802.1Q PVC by configuring it with the 8021p- on profile:
[ l ocal ] Redback( conf i g) #port ethernet 3/1
[ l ocal ] Redback( conf i g- por t ) #encapsulation dot1q
Configuration Examples
18-26 IP Services and Security Configuration Guide
[ l ocal ] Redback( conf i g- por t ) #dot1q pvc 20 profile 8021p-on
[ l ocal ] Redback( conf i g- dot 1q- pvc) #exit
The following example enables IP QoS information to be propagated to ATM on any ATM PVC or virtual path (VP) that has the profile, clp-on, assigned to it:
[local]Redback(config)#atm profile clp-on
[local]Redback(config-atm-profile)#clpbit propagate qos to atm
[local]Redback(config-atm-profile)#exit
The following example configures MPLS to propagate QoS in both directions:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls
[local]Redback(config-mpls)#propagate qos to mpls
[local]Redback(config-mpls)#exit
The following example creates a classification map exp-to-pd that maps MPLS experimental (EXP) values to QoS PD values on ingress, then applies the classification map to the propagate qos from mpls command:
[local]Redback(config)#qos class-map exp-to-pd mpls in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#mpls 1 to qos 0x24
[local]Redback(config-class-map)#exit
[local]Redback(config)#context mycontext
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls class-map exp-to-pd
[local]Redback(config-mpls)#exit
Attaching QoS Policies to Circuit Groups
The following example shows how to create a circuit group salesgroup and attach previously configured policing and metering policies (group_policing_policy and group_metering_policy) to this circuit group. This example also shows how to assign the 802.1Q PVC tunnels (50 through 60, 30, and 40) as members of the circuit group. The individual PVCs (or VLANs), 1 to 100, configured under the 802.1Q tunnel 30 each have their own individual policing policy, specified as cvlan_individual_policy. With the hierarchical keyword configured for the policing policy (group_policing_policy), the traffic on the individual PVCs is subject to both the child circuit policy (cvlan_individual_policy) and the parent circuit policy (group_policing_policy):
[local]Redback(config)#circuit-group salesgroup
[local]Redback(config-circuit-group)#qos policy policing group_policing_policy hierarchical
[local]Redback(config-circuit-group)#qos policy metering group_metering_policy inherit
[local]Redback(config)#port ethernet 12/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 50 through 60
[local]Redback(config-dot1q-pvc)#circuit-group-member salesgroup
[local]Redback(config)#port ethernet 12/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 30 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#dot1q pvc 30:1 through 100
[local]Redback(config-dot1q-pvc)#circuit-group-member salesgroup
! Specify that each 802.1Q PVC configured under the 802.1Q tunnel also
! has its own individual policing policy (specified as
! cvlan_individual_policy).
[local]Redback(config-dot1q-pvc)#qos policy policing cvlan_individual_policy
[local]Redback(config-dot1q-pvc)#dot1q pvc 40
[local]Redback(config-dot1q-pvc)#circuit-group-member salesgroup
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure QoS policies.
The commands are presented in alphabetical order:
atm to qos
atm use-ethernet
atm use-ip
clpbit propagate qos from atm
clpbit propagate qos to atm
egress prefer dscp-qos
ethernet to qos
ethernet use-ip
ip to qos
mpls to qos
mpls use-ethernet
mpls use-ip
propagate qos from ethernet
propagate qos from ip
propagate qos from l2tp
propagate qos from mpls
propagate qos from subscriber
propagate qos to ethernet
propagate qos to ip
propagate qos to l2tp
propagate qos to mpls
propagate qos transport use-vlan-header
propagate qos use-vlan-ethertype
propagate qos use-vlan-header
qos hierarchical mode strict
qos mode
qos node
qos node-group
qos node-reference
qos policy metering
qos policy policing
qos policy (protocol-rate-limit)
qos policy queuing
qos priority
qos profile overhead
qos rate
qos to atm
qos to ethernet
qos to ip
qos to mpls
qos use-ip
qos weight
rate circuit
atm to qos
atm {clp-value | all} to qos pd-value
{no | default} atm {clp-value | all}
Purpose
Translates Asynchronous Transfer Mode (ATM) cell loss priority (CLP) values into packet descriptor (PD)
quality of service (QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
clp-value    Either 0 or 1, representing the CLP bit in the ATM cell header. If a packet is composed of multiple ATM cells, the SmartEdge OS considers the overall packet CLP value to be 1 if any ATM cell that makes up the AAL5 packet has the CLP bit set to 1 (for second-generation ATM traffic cards), or if the final cell, which contains the ATM adaptation layer type 5 (AAL5) trailer, has the CLP bit set to 1 (for first-generation ATM traffic cards).
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
pd-value    An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard Differentiated Services Code Point (DSCP) marking label as defined in Table 16-21 on page 16-71.
    The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
ATM ingress classification maps use the CLP-to-PD mapping described in Table 18-18.
Usage Guidelines
Use the atm to qos command to translate ATM CLP values into PD QoS values on ingress.
If you specify the all keyword, all valid ATM CLP values are mapped to the specified QoS value. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for both mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the no or default form of this command to revert one or both map entries to the default mapping described in Table 18-18.
Table 18-18 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit    PD Priority Value    PD Drop-Precedence Value    AF Label    QoS PD Value
0              1                    2                           AF11        10
1              0                    0                           DF          0
Related Commands
atm use-ethernet
ethernet to qos
qos class-map
Command Descriptions
18-30 IP Services and Security Configuration Guide
atm use-ethernet
atm {clp-value | all} use-ethernet [class-map map-name]
{no | default} atm {clp-value | all}
Purpose
Determines initial packet descriptor (PD) values by mapping from the user priority bits in the 802.1p virtual
LAN (VLAN) Tag Control Information (TCI) field of the packet header rather than directly from the
Asynchronous Transfer Mode (ATM) cell loss priority (CLP) value for received ATM packets with the
specified CLP value.
Command Mode
class map configuration
Syntax Description
clp-value    Either 0 or 1, representing the CLP bit in the ATM cell header. If a packet is composed of multiple ATM cells, the SmartEdge OS assigns a CLP value of 1 if any ATM cell that makes up the ATM adaptation layer type 5 (AAL5) packet has the CLP bit set to 1 (for second-generation ATM traffic cards), or if the final cell, which contains the AAL5 trailer, has the CLP bit set to 1 (for first-generation ATM traffic cards).
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
use-ethernet    Enables a secondary mapping lookup using the packet's Ethernet 802.1p bits as input. If no classification map is specified for the secondary lookup, the default 8P0D mapping is used.
class-map map-name    Optional. Name of the secondary classification map.
Default
ATM ingress classification maps use the CLP-to-PD mapping described in Table 18-19.
Usage Guidelines
Use the atm use-ethernet command to determine initial PD values by mapping from the user priority bits in the 802.1p VLAN TCI field of the packet header rather than directly from the ATM CLP value for received ATM packets with the specified CLP value.
If a packet includes both an outer permanent virtual circuit (PVC) header and an outer PVC Ethernet type field value of 0x8100 or 0x88a8, the inner PVC 802.1p header determines the PD value. If a packet does not include an Ethernet VLAN header, the SmartEdge OS uses the default mapping described in Table 18-19.
Only packets with an outer PVC Ethernet type field value of 0x8100 or 0x88a8 are examined for enclosed inner PVC 802.1p values. The SmartEdge OS uses the outer PVC 802.1p value to map all other outer PVC Ethernet types.
If you specify the all keyword, both CLP value entries are mapped to the specified PD value. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for both mapping entries, then override that value for an entry by entering a subsequent mapping command without this keyword.
If you specify the class-map map-name construct, the resulting mapping uses the specified 802.1p-to-PD classification map. The secondary classification map must have a value of ethernet for the marking-type argument and a value of in for the mapping direction. If you do not specify a secondary classification map, the SmartEdge OS uses the default 8P0D mapping.
Use the no or default form of this command to revert one or both map entries to the default mapping described in Table 18-19.
Table 18-19 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit    PD Priority Value    PD Drop-Precedence Value    AF Label    QoS PD Value
0              1                    2                           AF11        10
1              0                    0                           DF          0
Related Commands
atm to qos
atm use-ip
qos class-map
Command Descriptions
18-32 IP Services and Security Configuration Guide
atm use-ip
atm {clp-value | all} use-ip [class-map map-name]
{no | default} atm {clp-value | all}
Purpose
Determines initial packet descriptor (PD) values by mapping from the Differentiated Services Code Point
(DSCP) value in the IP packet header rather than Ethernet 802.1p values on ingress for received
Asynchronous Transfer Mode (ATM) packets with the specified cell loss priority (CLP) value.
Command Mode
class map configuration
Syntax Description
clp-value    Either 0 or 1, representing the CLP bit in the ATM cell header. If a packet is composed of multiple ATM cells, the SmartEdge OS assigns a CLP value of 1 if any ATM cell that makes up the ATM adaptation layer type 5 (AAL5) packet has the CLP bit set to 1 (for second-generation ATM traffic cards), or if the final cell, which contains the AAL5 trailer, has the CLP bit set to 1 (for first-generation ATM traffic cards).
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
use-ip    Enables a secondary mapping lookup using the packet's DSCP bits as input. If no classification map is specified for the secondary lookup, the default DSCP-to-target mapping is used.
class-map map-name    Optional. Name of the secondary classification map.
Default
ATM ingress classification maps use the CLP-to-PD mapping described in Table 18-20.
Usage Guidelines
Use the atm use-ip command to determine initial PD values by mapping from the DSCP value in the IP packet header rather than Ethernet 802.1p values on ingress for received ATM packets with the specified CLP value. If a packet does not include an IP header, the SmartEdge OS uses the default mapping described in Table 18-20.
Only 802.1p packets with an outer PVC Ethernet type field value of 0x8100 or 0x88a8 are examined for DSCP values in the packet header. The SmartEdge OS uses the default mapping described in Table 18-20 for packets with all other VLAN Ethernet types.
If you specify the all keyword, both CLP value entries are configured to use the DSCP-to-PD mapping. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for both mapping entries, then override that value for an entry by entering a subsequent mapping command without this keyword.
If you specify the class-map map-name construct, the resulting mapping uses the specified DSCP-to-PD classification map. The secondary classification map must have a value of ip for the marking-type argument and a value of in for the mapping direction. If you do not specify a secondary classification map, the SmartEdge OS copies the DSCP value directly to the internal QoS PD value.
Use the no or default form of this command to revert one or both map entries to the default described in Table 18-20.
Table 18-20 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit    PD Priority Value    PD Drop-Precedence Value    AF Label    QoS PD Value
0              1                    2                           AF11        10
1              0                    0                           DF          0
Related Commands
atm to qos
atm use-ethernet
qos class-map
Command Descriptions
18-34 IP Services and Security Configuration Guide
clpbit propagate qos from atm
clpbit propagate qos from atm [class-map map-name]
no clpbit propagate qos from atm [class-map map-name]
Purpose
Propagates the cell loss priority (CLP) bit to packet descriptor (PD) values in cells transmitted over
Asynchronous Transfer Mode (ATM) permanent virtual circuits (PVCs) that reference the ATM profile for
incoming packets.
Command Mode
ATM profile configuration
Syntax Description
class-map map-name    Optional. Name of an ingress ATM classification map, an alphanumeric string of up to 39 characters, for defining a custom mapping of CLP values to quality of service (QoS) PD values.
Default
CLP bit values are not propagated to PD values.
Usage Guidelines
Use the clpbit propagate qos from atm command to propagate the CLP bit to PD values in cells transmitted over ATM PVCs that reference the ATM profile for incoming packets.
If you use the optional class-map map-name construct to specify a custom mapping schema for packets transmitted on ATM PVCs that reference the ATM profile, the SmartEdge OS sets the initial QoS PD value according to the CLP values in the ATM cell headers of the received packet. If a packet is composed of multiple ATM cells, the SmartEdge OS assigns a CLP value of 1 if any ATM cell that makes up the ATM adaptation layer type 5 (AAL5) packet has the CLP bit set to 1 (for second-generation ATM traffic cards), or if the final cell, which contains the AAL5 trailer, has the CLP bit set to 1 (for first-generation ATM traffic cards).
If no classification map is specified, the SmartEdge OS uses the default mapping described in Table 18-21.
Note CLP bit priority settings cannot be directly propagated to IP header DSCP bits.
Note For more information about the CLP bit and its use in ATM profiles, see the Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Use the no form of this command to disable propagation from the ATM CLP bit to internal QoS classification values.
Table 18-21 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit    PD Priority Value    PD Drop-Precedence Value    AF Label    QoS PD Value
0              1                    2                           AF11        10
1              0                    0                           DF          0
Related Commands
clpbit propagate qos to atm
qos class-map
Command Descriptions
18-36 IP Services and Security Configuration Guide
clpbit propagate qos to atm
clpbit propagate qos to atm [class-map map-name]
no clpbit propagate qos to atm [class-map map-name]
Purpose
Propagates the quality of service (QoS) classification values from the internal packet descriptor (PD) to the
cell loss priority (CLP) bit in cells transmitted over Asynchronous Transfer Mode (ATM) permanent virtual
circuits (PVCs) that reference the ATM profile for outgoing packets.
Command Mode
ATM profile configuration
Syntax Description
class-map map-name    Optional. Name of an egress ATM classification map, an alphanumeric string of up to 39 characters, for mapping Differentiated Services Code Point (DSCP) bits to CLP bits.
Default
QoS PD values are not propagated to the ATM CLP bit.
Usage Guidelines
Use the clpbit propagate qos to atm command to propagate the QoS classification values from the internal PD to the CLP bit in cells transmitted over ATM PVCs that reference the ATM profile for outgoing packets. QoS PD values are mapped to the ATM CLP bit as described in Table 18-22.
Note For more information about the CLP bit and its use in ATM profiles, see the Circuit
Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdgeOS.
If you specify a custom mapping schema for the optional class-map map-name construct, packets received on ATM PVCs that reference the ATM profile have the CLP values of the cells in the AAL5 packet set according to internal QoS classification values. If you do not specify a classification map, the SmartEdge OS uses the default mapping described in Table 18-22.
Use the no or default form of this command to restore the default behavior.
Table 18-22 QoS PD Value to ATM CLP Bit Mapping
PD Priority Value    PD Drop-Precedence Value    AF Label           ATM CLP Bit
7                    N/A                         Network Control    0
6                    N/A                         Reserved           0
5                    N/A                         EF                 0
4                    0-2                         AF41               0
4                    3-7                         AF42, AF43         1
3                    0-2                         AF31               0
3                    3-7                         AF32, AF33         1
2                    0-2                         AF21               0
2                    3-7                         AF22, AF23         1
1                    0-2                         AF11               0
1                    3-7                         AF12, AF13         1
0                    N/A                         DF                 1
Examples
The following example propagates DSCP bits from IP packets to the CLP bit in cells transmitted over ATM PVCs that reference the ATM profile, low_rate:
[local]Redback(config)#atm profile low_rate
[local]Redback(config-atm-profile)#clpbit propagate qos to atm
Related Commands
clpbit propagate qos from atm
qos class-map
Command Descriptions
18-38 IP Services and Security Configuration Guide
egress prefer dscp-qos
egress prefer dscp-qos
no egress prefer dscp-qos
Purpose
Enables the use of only Differentiated Services Code Point (DSCP) bits for queuing at the Multiprotocol
Label Switching (MPLS) egress router.
Command Mode
MPLS router configuration
Syntax Description
This command has no keywords or arguments.
Default
If penultimate hop popping is enabled, the tunnel label is removed at the penultimate hop, and the egress
router uses the Virtual Private Network (VPN) label experimental (EXP) bits for queuing; however, if there
is no VPN label, the egress router uses the DSCP bits for queuing. For more information, see the MPLS Configuration chapter in the Routing Protocols Configuration Guide for the SmartEdge OS.
Usage Guidelines
Use the egress prefer dscp-qos command to enable the use of only DSCP bits for queuing at the MPLS
egress router.
Use the no form of this command to return the system to its default behavior.
Examples
The following example enables the use of only DSCP bits for queuing at the egress router:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#egress prefer dscp-qos
Related Commands
propagate qos from mpls
propagate qos to mpls
ethernet to qos
ethernet {802.1p-value | all} to qos pd-value
default ethernet {802.1p-value | all}
Purpose
Translates Ethernet 802.1p values to packet descriptor (PD) quality of service (QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
802.1p-value    An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the three user priority bits in the 802.1p virtual LAN (VLAN) Tag Control Information (TCI) field.
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
pd-value    An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard Differentiated Services Code Point (DSCP) marking label as defined in Table 16-21 on page 16-71.
    The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
None
Usage Guidelines
Use the ethernet to qos command to define ingress mappings from Ethernet 802.1p values to PD QoS values.
If you specify the all keyword, all valid 802.1p values are mapped to the specified PD value. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
Use the default form of this command to revert one or all map entries to either the default 8P0D or mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map 8021p-to-pd for PD bits on ingress, then maps the Ethernet 802.1p values 1 and 7 to PD user priority values af33 and af21, respectively:
[local]Redback(config)#qos class-map 8021p-to-pd ethernet in
[local]Redback(config-class-map)#ethernet 1 to qos af33
[local]Redback(config-class-map)#ethernet 7 to qos af21
Related Commands
qos hierarchical mode strict
qos to ethernet
Command Descriptions
QoS Circuit Configuration 18-41
ethernet use-ip
ethernet {802.1p-value | all} use-ip [class-map map-name]
default ethernet {802.1p-value | all}
Purpose
For IP packets, determines packet descriptor (PD) values by mapping IP Differentiated Services Code Point
(DSCP) values rather than Ethernet 802.1p values on ingress.
Command Mode
class map configuration
Syntax Description
802.1p-value    An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the three user priority bits in the 802.1p virtual LAN (VLAN) Tag Control Information (TCI) field.
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
use-ip    Enables a secondary mapping lookup using the packet's DSCP bits as input. If no classification map is specified for the secondary lookup, the default DSCP-to-target mapping is used.
class-map map-name    Optional. Name of the secondary classification map.
Default
None
Usage Guidelines
Use the ethernet use-ip command to set initial PD values based on IP header DSCP bits rather than Ethernet 802.1p values on ingress.
If you specify the all keyword, all valid 802.1p values are configured to use DSCP-to-PD mapping. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
If you specify the optional class-map map-name construct, the resulting DSCP-to-PD mapping uses the specified DSCP-to-PD classification map. The secondary classification map must have a value of ip for the marking-type argument, and a value of in for the mapping direction. If no secondary classification map is specified, the default DSCP-to-target mapping is used.
Use the default form of this command to revert one or all map entries to either the default 8P0D or mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map 8021p-to-pd to determine initial QoS PD values on ingress, and specifies 7P1D encoding as a default mapping schema. It then overrides the default 7P1D values for Ethernet 802.1p value 1 with PD value 0x24, and specifies that the IP header DSCP value determines the initial QoS PD value for packets received with Ethernet 802.1p value 3:
[local]Redback(config)#qos class-map 8021p-to-pd ethernet in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#ethernet 1 to qos 0x24
[local]Redback(config-class-map)#ethernet 3 use-ip
Related Commands
mapping-schema
qos hierarchical mode strict
qos to ethernet
Command Descriptions
QoS Circuit Configuration 18-43
ip to qos
ip {dscp-value | all} to qos pd-value
default ip {dscp-value | all}
Purpose
Translates Differentiated Services Code Point (DSCP) values into packet descriptor (PD) quality of service
(QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
dscp-value    An integer from 0 to 63 representing the contents of the most significant six bits of the IP header type of service (ToS) field. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard DSCP marking label as defined in Table 16-21 on page 16-71.
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
pd-value    An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard DSCP marking label as defined in Table 16-21 on page 16-71.
    The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
None
Usage Guidelines
Use the ip to qos command to define ingress mappings from IP header values to PD QoS values.
If you specify the all keyword, all valid IP header values are mapped to the specified QoS values. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
Use the default form of this command to revert values for one or all map entries to their default values, where each DSCP value is mapped to the equal and equivalent PD QoS value.
Examples
The following example defines the classification map dscp-to-pd for PD bits on ingress, then maps all IP header values to the af13 PD QoS value. It overrides this default mapping for IP header DSCP values af21 and 1, which are mapped to PD QoS values 25 and df respectively:
[local]Redback(config)#qos class-map dscp-to-pd ip in
[local]Redback(config-class-map)#ip all to qos af13
[local]Redback(config-class-map)#ip af21 to qos 25
[local]Redback(config-class-map)#ip 1 to qos df
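The classification behaviour this chapter describes (the six-bit PD encoding, the all-then-override entry semantics, the use-ip secondary lookup with its no-IP-header fallback, the default CLP-to-PD mapping of Table 18-18 and the PD-to-CLP mapping of Table 18-22), modelled in Python as an added example. This is not Redback code: ClassMap, pd_to_clp and the other names are our own, the 7P1D mapping schema is not modelled (the 8P0D default is assumed wherever no schema is given), and the DSCP label values are the standard IETF ones rather than the page's Table 16-21.

```python
"""Model of the ingress classification-map and CLP-propagation rules described in
this chapter. Added example, not Redback code: names are ours and the 7P1D mapping
schema is not modelled (the 8P0D default is assumed where no schema is given)."""

# Standard IETF DSCP marking labels (RFC 2474/2597/3246 values), so the page's
# examples ("af13", "af21", "df") can be entered the way the CLI accepts them.
DSCP_LABELS = {"df": 0, "af11": 10, "af12": 12, "af13": 14, "af21": 18,
               "af22": 20, "af23": 22, "af31": 26, "af32": 28, "af33": 30,
               "af41": 34, "af42": 36, "af43": 38, "ef": 46}

def parse_value(token):
    """Accept an int, a decimal string, a 0x-prefixed hex string or a DSCP label."""
    if isinstance(token, int):
        value = token
    else:
        t = token.strip().lower()
        value = DSCP_LABELS[t] if t in DSCP_LABELS else int(t, 0)
    if not 0 <= value <= 63:
        raise ValueError("PD/DSCP value out of range: %r" % (token,))
    return value

def pd_split(pd):
    """PD value -> (priority, drop precedence): three high-order, three low-order bits."""
    return (pd >> 3) & 0x7, pd & 0x7

def pd_join(priority, drop_precedence):
    """Inverse of pd_split."""
    return ((priority & 0x7) << 3) | (drop_precedence & 0x7)

# Table 18-18: default ingress ATM CLP -> PD mapping (CLP 0 -> AF11 = 10, CLP 1 -> DF = 0).
DEFAULT_CLP_TO_PD = {0: 10, 1: 0}

def pd_to_clp(pd):
    """Table 18-22: egress PD value -> ATM CLP bit."""
    priority, dp = pd_split(pd)
    if priority == 0:
        return 1                      # DF is always marked CLP=1
    if priority >= 5:
        return 0                      # EF, Reserved, Network Control: never CLP=1
    return 0 if dp <= 2 else 1        # AFx1 -> 0, AFx2/AFx3 (dp 3-7) -> 1

class ClassMap:
    """An ingress classification map: 'all' rewrites every entry, later single
    entries override it, and a use-ip entry defers to a secondary DSCP lookup."""

    def __init__(self, marking_type, source_values):
        self.marking_type = marking_type            # "atm", "ethernet", "mpls" or "ip"
        self.source_range = range(source_values)    # 2 for atm, 8 for ethernet/mpls, 64 for ip
        self.entries = {}                           # source value -> PD value
        self.use_ip = {}                            # source value -> secondary ClassMap or None

    def _sources(self, source):
        if source == "all":
            return list(self.source_range)
        s = parse_value(source)
        if s not in self.source_range:
            raise ValueError("source value %d invalid for %s map" % (s, self.marking_type))
        return [s]

    def to_qos(self, source, target):
        """'<type> {value | all} to qos pd-value'"""
        for s in self._sources(source):
            self.entries[s] = parse_value(target)
            self.use_ip.pop(s, None)

    def set_use_ip(self, source, secondary=None):
        """'<type> {value | all} use-ip [class-map map-name]'"""
        if secondary is not None and secondary.marking_type != "ip":
            raise ValueError("secondary map must be an 'ip ... in' class map")
        for s in self._sources(source):
            self.use_ip[s] = secondary
            self.entries.pop(s, None)

    def default(self, source):
        if self.marking_type == "atm":
            return DEFAULT_CLP_TO_PD[source]
        if self.marking_type == "ip":
            return source                 # default DSCP-to-target: copy the DSCP into the PD
        return pd_join(source, 0)         # 8P0D: value -> PD priority, drop precedence 0

    def classify(self, source, dscp=None):
        """Initial PD value for a received packet; dscp=None means 'no IP header'."""
        if source in self.use_ip:
            if dscp is None:              # no IP header: fall back to the default mapping
                return self.default(source)
            secondary = self.use_ip[source]
            return dscp if secondary is None else secondary.classify(dscp)
        return self.entries.get(source, self.default(source))

def build_dscp_to_pd():
    """The page's dscp-to-pd example: all -> af13, then af21 -> 25 and 1 -> df override it."""
    m = ClassMap("ip", 64)
    m.to_qos("all", "af13")
    m.to_qos("af21", 25)
    m.to_qos(1, "df")
    return m
```

Chaining `ClassMap("ethernet", 8).set_use_ip(3, build_dscp_to_pd())` reproduces the ethernet use-ip example with a secondary map, so a packet arriving with 802.1p 3 is classified by its DSCP and one with no IP header falls back to the 8P0D default (PD 24).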
Related Commands
qos hierarchical mode strict
Command Descriptions
QoS Circuit Configuration 18-45
mpls to qos
mpls {exp-value | all} to qos pd-value
default mpls {exp-value | all}
Purpose
Translates Multiprotocol Label Switching (MPLS) experimental (EXP) values to packet descriptor (PD)
quality of service (QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
exp-value    An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the three EXP bits in the MPLS label header.
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
pd-value    An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard Differentiated Services Code Point (DSCP) marking label as defined in Table 16-21 on page 16-71.
    The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
None
Usage Guidelines
Use the mpls to qos command to define ingress mappings from MPLS EXP values to PD QoS values.
If you specify the all keyword, all valid MPLS EXP values are mapped to the specified PD value. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
Use the default form of this command to revert map entries to either the default 8P0D or mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map exp-to-pd to determine initial MPLS values on ingress, defines the default mapping schema using 7P1D values, then maps MPLS EXP value 1 to the PD value 0x24:
[local]Redback(config)#qos class-map exp-to-pd mpls in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#mpls 1 to qos 0x24
Related Commands
qos hierarchical mode strict
qos to mpls
Command Descriptions
QoS Circuit Configuration 18-47
mpls use-ethernet
mpls {exp-value | all} use-ethernet [class-map map-name]
{no | default} mpls {exp-value | all}
Purpose
Determines initial packet descriptor (PD) values by mapping Ethernet 802.1p values rather than directly
mapping from Multiprotocol Label Switching (MPLS) experimental (EXP) values for received MPLS
packets with the specified EXP value.
Command Mode
class map configuration
Syntax Description
exp-value    An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the three EXP bits in the MPLS label header.
all    Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
use-ethernet    Enables a secondary mapping lookup using the packet's 802.1p bits as input. If no classification map is specified for the secondary lookup, the default 8P0D 802.1p-to-PD mapping is used.
class-map map-name    Optional. Name of the secondary classification map.
Default
Ingress MPLS classification map entries use the 8P0D EXP-to-PD mapping, where the EXP value is copied to the PD priority field. The PD drop-precedence field is set to zero.
Usage Guidelines
Use the mpls use-ethernet command to determine initial PD values by mapping Ethernet 802.1p values rather than directly mapping from MPLS EXP values for received MPLS packets with the specified EXP value. If a received packet with the specified EXP value does not include an Ethernet header, the SmartEdge OS uses the default mapping instead of the specified mapping.
If you specify the all keyword, all valid MPLS EXP values are configured to use the 802.1p-to-PD mapping. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
If you specify the optional class-map map-name construct, the resulting mapping uses the specified 802.1p-to-PD classification map. The secondary classification map must have a value of ethernet for the marking-type argument and a value of in for the mapping direction. If you do not specify a secondary classification map, the default mapping is used.
Command Descriptions
18-48 IP Services and Security Configuration Guide
Use the no or default form of this command to revert one or all map entries to either the default 8P0D or
mapping schema values, if a mapping schema has been specified.
Related Commands
qos hierarchical mode strict
qos to ethernet
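The following example, which is added to this guide as an illustration rather than taken from it, defines an ingress MPLS classification map (the name exp-to-pd-dot1p is assumed) in which every EXP value takes its PD value from the 802.1p bits of the encapsulated Ethernet frame, using the default 8P0D 802.1p-to-PD mapping because no secondary classification map is given. It then reverts EXP value 7 to the EXP-based mapping, so that traffic the MPLS ingress router marked with the highest EXP value keeps that priority whatever 802.1p value the frame carries, and attaches the map to the MPLS router in the local context with the propagate qos from mpls command:

```text
[local]Redback(config)#qos class-map exp-to-pd-dot1p mpls in
[local]Redback(config-class-map)#mpls all use-ethernet
[local]Redback(config-class-map)#default mpls 7
[local]Redback(config-class-map)#exit
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls class-map exp-to-pd-dot1p
```

The 802.1p bits of an encapsulated frame are set by whoever sourced the frame, typically a customer at the far end of a Layer 2 VPN, so mapping them straight to PD priority lets that party choose its own scheduling priority on this router. Where that is not acceptable, supply a secondary ethernet in classification map with the class-map keyword and bound the PD values it can produce, or keep the EXP-based mapping for the EXP values you want to control, as the default mpls 7 line does here. Packets with the specified EXP value that carry no Ethernet header always use the default EXP-to-PD mapping.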
mpls use-ip
mpls {exp-value | all} use-ip [class-map map-name]
default mpls {exp-value | all}
Purpose
Determines packet descriptor (PD) values by mapping Differentiated Services Code Point (DSCP) values rather than Multiprotocol Label Switching (MPLS) experimental (EXP) values on ingress for IP packets received with the specified EXP value.
Command Mode
class map configuration
Syntax Description
exp-value An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the three EXP bits in the MPLS label header.
all Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
class-map map-name Optional. Name of the secondary classification map.
Default
None. EXP values are mapped to PD values according to the 8P0D schema or the configured mapping schema; the DSCP value is not consulted.
Usage Guidelines
Use the mpls use-ip command to determine PD values by mapping DSCP values rather than MPLS EXP values on ingress for IP packets. A received packet with the specified EXP value that does not carry an IP header is mapped from its EXP value using the default 8P0D schema.
If you specify the all keyword, all valid EXP values are configured to use the DSCP-to-PD mapping. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
If you specify the optional class-map map-name construct, the resulting mapping uses the specified DSCP-to-PD classification map. The secondary classification map must have a value of ip for the marking-type argument, and a value of in for the mapping direction. If you do not specify a secondary classification map, the default mapping is used.
Use the default form of this command to revert values for one or all map entries to the default 8P0D values, or to the mapping schema values if a mapping schema has been specified.
Examples
The following example defines the classification map dscp-to-pd to determine initial quality of service (QoS) PD values on ingress, and specifies 7P1D encoding as a default mapping schema. It then overrides the default 7P1D values for EXP value 1 with PD value 0x24, and specifies that the IP header DSCP value determines the initial QoS PD value for packets received with EXP value 3, using the secondary classification map exp-to-dscp (an ip in classification map) for the translation:
[local]Redback(config)#qos class-map dscp-to-pd mpls in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#mpls 1 to qos 0x24
[local]Redback(config-class-map)#mpls 3 use-ip class-map exp-to-dscp
Related Commands
mapping-schema
mpls to qos
qos hierarchical mode strict
propagate qos from ethernet
propagate qos from ethernet [class-map map-name]
no propagate qos from ethernet [class-map map-name]
Purpose
For incoming packets, propagates Ethernet 802.1p user priority bits to packet descriptor (PD) quality of service (QoS) bits.
Command Mode
dot1q profile configuration
Syntax Description
class-map map-name Optional. Name of an ingress Ethernet classification map for mapping Ethernet 802.1p user priority bits to QoS PD values.
Default
Ethernet 802.1p user priority bits are not propagated to PD QoS bits or to Differentiated Services Code Point (DSCP) bits.
Usage Guidelines
Use the propagate qos from ethernet command to propagate Ethernet 802.1p user priority bits to PD QoS bits.
You can use the qos class-map command to define an optional mapping schema. If you specify the class-map map-name construct for the propagate qos from ethernet command, only the PD QoS values are affected. If the class-map map-name construct is not specified, the Ethernet 802.1p bits are also copied to the priority bits of the DSCP field in the IP header.
Note This command applies to incoming packets transmitted over 802.1Q permanent virtual circuits (PVCs) that reference the dot1q profile.
Use the no form of this command to disable the propagation of Ethernet 802.1p bits to PD QoS bits.
Examples
The following example propagates Ethernet 802.1p user priority bits to PD QoS bits (and, because no classification map is specified, also to the DSCP bits) for incoming packets on all 802.1Q PVCs that reference the 802.1Q profile 8021p-on:
[local]Redback(config)#dot1q profile 8021p-on
[local]Redback(config-dot1q-profile)#propagate qos from ethernet
Related Commands
propagate qos to ethernet
qos hierarchical mode strict
propagate qos from ip
propagate qos from ip class-map map-name
no propagate qos from ip class-map map-name
Purpose
Specifies a custom value mapping for propagating the Differentiated Services Code Point (DSCP) bits in the IP packet header to the packet descriptor (PD) priority bits for incoming IP packets.
Command Mode
subscriber configuration
interface configuration
Syntax Description
class-map map-name Name of the schema for mapping DSCP bits to PD priority bits.
Default
DSCP values are copied to the PD values using a default mapping.
Usage Guidelines
Use the propagate qos from ip command to specify a custom value mapping for propagating the DSCP bits in the IP packet header to the PD priority bits for incoming IP packets. The DSCP bits are modified in the received IP packet according to the specified classification map. In subscriber configuration mode, this command allows you to customize the mapping for traffic received on a specific subscriber session. In interface configuration mode, this command allows you to customize the mapping for all IP traffic received through the interface. The SmartEdge OS propagates classification values and marks packets before it applies any metering policy.
Custom classification mappings configured for either a subscriber or an interface affect Layer 3 (IP-routed) circuits only.
Use the qos class-map command with the ip in keywords (in global configuration mode) to define a mapping schema to be referenced by the propagate qos from ip command.
You can use the propagate qos from subscriber command (in L2TP peer configuration mode) to copy DSCP bits to PD values for Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) sessions, then use the propagate qos from ip command to specify a custom value mapping.
Use the no form of this command to remove a customized DSCP-to-PD mapping.
Examples
The following example customizes the propagation of IP header DSCP values to PD values for incoming packets of all subscriber sessions in the local context:
[local]Redback(config)#qos class-map ip-to-pd ip in
[local]Redback(config-class-map)#ip df to qos af43
[local]Redback(config-class-map)#exit
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#propagate qos from ip class-map ip-to-pd
Related Commands
propagate qos from subscriber
qos class-map
qos hierarchical mode strict
propagate qos from l2tp
propagate qos from l2tp [class-map map-name]
no propagate qos from l2tp [class-map map-name]
Purpose
If no classification map is specified, propagates the packet descriptor (PD) priority bits to the Differentiated Services Code Point (DSCP) bits of the inner (subscriber) IP header for incoming Layer 2 Tunneling Protocol (L2TP) packets when the SmartEdge router is configured as an L2TP network server (LNS). If a classification map is specified, customizes the mapping from the outer IP header DSCP value to the PD quality of service (QoS) value instead.
Command Mode
L2TP peer configuration (default peer only)
Syntax Description
class-map map-name Optional. Name of an ingress IP classification map for mapping DSCP values in the IP packet header to QoS PD values.
Default
The DSCP bits in the incoming L2TP IP packet headers are not propagated to the DSCP bits in subscriber IP packet headers.
Usage Guidelines
Use the propagate qos from l2tp command to propagate the PD priority bits to the DSCP bits of the inner (subscriber) IP header for incoming L2TP packets when the SmartEdge router is configured as an LNS and no classification map is specified. Propagation occurs after the outer IP DSCP bits have been propagated to the PD priority bits as part of IP forwarding, so the SmartEdge OS effectively overwrites the value in the inner IP header with the DSCP value from the received outer IP header.
You can use the qos class-map command to define an optional mapping schema. If you specify the class-map map-name construct, the SmartEdge OS customizes the default mapping from the outer IP header DSCP value to the PD QoS value and leaves the inner IP header DSCP value unmodified.
L2TP tunnels are User Datagram Protocol (UDP)/IP-encapsulated circuits that carry subscriber-based IP traffic encapsulated in Point-to-Point Protocol (PPP) sessions between routers. The LNS is the IP termination point for subscriber traffic. DSCP bits from the L2TP IP packet header can be propagated into subscriber traffic.
Note This propagation occurs only in the upstream direction; this command applies only to a SmartEdge router that is configured as an LNS as it receives packets from an L2TP access concentrator (LAC).
Use the no form of this command to disable the propagation of DSCP bits to the inner (subscriber) IP header or to remove the customized propagation to the QoS PD value.
Examples
The following example propagates DSCP bits from outer L2TP IP packet headers to DSCP bits in inner IP packet headers:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from l2tp
Related Commands
propagate qos from subscriber
propagate qos to l2tp
qos hierarchical mode strict
propagate qos from mpls
propagate qos from mpls [class-map map-name] [l2vpn class-map map-name]
no propagate qos from mpls [class-map map-name] [l2vpn class-map map-name]
Purpose
Enables mapping Multiprotocol Label Switching (MPLS) experimental (EXP) bits to Differentiated Services Code Point (DSCP) bits in the IP header or enables customized mapping of EXP to packet descriptor (PD) quality of service (QoS) values for incoming packets when the SmartEdge router is configured as an MPLS egress router.
Command Mode
MPLS router configuration
Syntax Description
class-map map-name Optional. Name of the ingress MPLS classification map for mapping MPLS EXP values to QoS PD values.
l2vpn class-map map-name Optional. Name of the ingress MPLS classification map for mapping packets received from Layer 2 MPLS VPNs.
Default
MPLS EXP bits are not mapped to DSCP bits.
Usage Guidelines
Use the propagate qos from mpls command to enable mapping MPLS EXP bits to DSCP bits in the IP header or enable customized mapping of EXP to PD QoS values for incoming packets when the SmartEdge router is configured as an MPLS egress router. If the optional class-map map-name construct is not specified, the EXP bits are also copied to the priority bits of the DSCP field in the IP header.
If you specify the optional class-map map-name construct, the propagate qos from mpls command specifies a custom value mapping for MPLS EXP bits to PD values. The DSCP bits are unaffected. In this case, use the qos class-map command to define a mapping schema, then reference the schema using the class-map map-name construct. If you do not specify a Layer 2 virtual private network (L2VPN) classification map, the standard classification map applies to both Layer 2 and Layer 3 traffic.
If you specify the optional l2vpn class-map map-name construct without the class-map map-name construct, the L2VPN classification map applies to Layer 2 traffic and Layer 3 traffic uses the default 8P0D mapping schema. If you specify both the l2vpn class-map map-name construct and the class-map map-name construct, Layer 2 traffic uses the L2VPN classification map and Layer 3 traffic uses the standard classification map.
If you use the mpls use-ethernet command to perform a secondary lookup and the encapsulated packet contains no virtual LAN (VLAN) header, the PD value is determined by mapping the MPLS EXP value using the default 8P0D schema.
Use the no form of this command to disable the mapping of MPLS EXP bits to DSCP bits or remove a customized EXP-to-PD mapping.
Examples
The following example enables the mapping of MPLS EXP bits to DSCP bits for incoming packets:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls
The following example specifies a customized mapping of MPLS EXP bits to PD values by referencing the existing MPLS ingress classification map exp-to-pd:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls class-map exp-to-pd
Related Commands
egress prefer dscp-qos
propagate qos to mpls
qos hierarchical mode strict
propagate qos from subscriber
propagate qos from subscriber [{upstream | downstream | both}]
no propagate qos from subscriber [{upstream | downstream | both}]
Purpose
For incoming packets when the SmartEdge router is configured as a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC), propagates the Differentiated Services Code Point (DSCP) bits in the subscriber's IP packet header to the packet descriptor (PD) priority bits.
Command Mode
L2TP peer configuration (default peer only)
Syntax Description
upstream Optional. Performs the propagation on inbound packets from the subscriber.
downstream Optional. Performs the propagation on inbound packets from the L2TP network server (LNS).
both Optional. Performs the propagation on inbound packets from the subscriber and inbound packets from the LNS.
Default
DSCP bits are not propagated from the incoming subscriber IP packet header to the PD for the subscriber IP packet.
Usage Guidelines
For incoming packets when the SmartEdge router is configured as a LAC, use the propagate qos from subscriber command to propagate the DSCP bits in the subscriber's IP packet header to the PD priority bits.
Use the upstream keyword to propagate from inbound packets from the subscriber. Use the downstream keyword to propagate from inbound packets from the network. Use the both keyword to propagate in both directions.
The SmartEdge OS performs a deep packet inspection of inner IP packet headers and copies the DSCP bits in the IP header. L2TP tunnels are User Datagram Protocol (UDP)/IP-encapsulated circuits that carry subscriber-based Point-to-Point Protocol (PPP) sessions between routers. On L2TP tunnels, subscriber IP packets are encapsulated in PPP packets, which themselves are encapsulated in L2TP packets. DSCP bits can be propagated from inner IP packet headers to outer L2TP IP packet headers, and vice versa. DSCP bits are propagated between layers of encapsulated packets so that any Layer 3 device located between an LNS and a LAC can recognize and apply DSCP settings.
Use the no form of this command to disable the propagation of DSCP bits in the specified direction or, if no keyword is specified, in both directions.
Examples
The following example propagates the DSCP bits in a subscriber IP packet header to the PD for the subscriber IP packet in the upstream direction only:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from subscriber upstream
The following example propagates the DSCP bits from subscriber IP packet headers to the PD in both directions:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from subscriber
Related Commands
propagate qos from l2tp
propagate qos to l2tp
qos hierarchical mode strict
propagate qos to ethernet
propagate qos to ethernet [class-map map-name]
no propagate qos to ethernet [class-map map-name]
Purpose
Propagates packet descriptor (PD) priority values to Ethernet 802.1p user priority bits for outgoing packets.
Command Mode
dot1q profile configuration
Syntax Description
class-map map-name Optional. Name of the egress Ethernet classification map for mapping quality of service (QoS) PD values to Ethernet 802.1p user priority bits.
Default
PD priority values are not propagated to Ethernet 802.1p user priority bits.
Usage Guidelines
Use the propagate qos to ethernet command to propagate PD priority values to Ethernet 802.1p user priority bits for outgoing packets.
You can use the qos class-map command to define an optional mapping schema. If you do not specify the class-map map-name construct for the propagate qos to ethernet command, the default 8P0D mapping is used.
Note This command applies to outgoing packets transmitted over 802.1Q permanent virtual circuits (PVCs) that reference the dot1q profile.
Use the no form of this command to disable the propagation of PD priority values to Ethernet 802.1p user priority bits.
Examples
The following example propagates PD priority values to Ethernet 802.1p user priority bits for outgoing packets on 802.1Q PVCs that reference the 802.1Q profile 8021p-on:
[local]Redback(config)#dot1q profile 8021p-on
[local]Redback(config-dot1q-profile)#propagate qos to ethernet
Related Commands
propagate qos from ethernet
qos hierarchical mode strict
propagate qos to ip
propagate qos to ip [class-map map-name]
no propagate qos to ip [class-map map-name]
Purpose
Propagates packet descriptor (PD) priority values in the subscriber IP packet to Differentiated Services Code Point (DSCP) bits in the IP packet header for outgoing IP packets.
Command Mode
interface configuration
subscriber configuration
Syntax Description
class-map map-name Optional. Name of the schema for mapping PD priority bits to DSCP bits in the IP packet header.
Default
PD values are not propagated to the DSCP bits in the IP packet header.
Usage Guidelines
Use the propagate qos to ip command to propagate PD priority values in the subscriber IP packet to DSCP bits in the IP packet header for outgoing IP packets. In subscriber configuration mode, this command allows you to enable propagation or customize mapping for traffic sent on a specific subscriber session. In interface configuration mode, this command affects all IP traffic transmitted through the interface. The SmartEdge OS propagates classification values and marks packets before it applies any metering policy.
If you specify the optional class-map map-name construct, the propagate qos to ip command maps PD values to DSCP bits in the IP packet header according to that map. In this case, use the qos class-map command (in global configuration mode) to define a mapping schema, then reference the schema using the optional class-map map-name construct.
If you do not specify the class-map map-name construct, PD values are copied directly to DSCP values.
Custom classification mappings configured for either a subscriber or an interface affect Layer 3 (IP-routed) circuits only.
Use the no form of this command to disable the propagation of PD values to DSCP bits.
Related Commands
propagate qos from ip
qos hierarchical mode strict
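The following example, added here as an illustration and not part of the original guide, pairs the two interface-level propagation commands on a Layer 3 router. On the interface facing an untrusted access network (the interface name access and the interface configuration prompt are assumed), the DSCP bits of received packets are mapped to PD values through the ip-to-pd classification map from the propagate qos from ip example; on the interface toward the core (the name core is assumed), the resulting PD values are written back into the DSCP field of outgoing packets with the default direct copy, so the DSCP value the core sees is the one this router chose rather than the one the sender set:

```text
[local]Redback(config)#qos class-map ip-to-pd ip in
[local]Redback(config-class-map)#ip df to qos af43
[local]Redback(config-class-map)#exit
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface access
[local]Redback(config-if)#propagate qos from ip class-map ip-to-pd
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface core
[local]Redback(config-if)#propagate qos to ip
```

Both commands affect Layer 3 (IP-routed) circuits only, and propagation and marking happen before any metering policy is applied, so a metering policy that matches on PD values sees the remapped values. The single map entry shown is the one from the propagate qos from ip example; a production map carries an entry for each DSCP value the access network is allowed to assert, so that values it is not allowed to assert do not reach the core unchanged.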
propagate qos to l2tp
propagate qos to l2tp [class-map map-name]
no propagate qos to l2tp [class-map map-name]
Purpose
For a SmartEdge router configured as a Layer 2 Tunneling Protocol (L2TP) network server (LNS) or an L2TP access concentrator (LAC), propagates the packet descriptor (PD) priority bits to the outer Differentiated Services Code Point (DSCP) bits in the IP packet header for outgoing packets.
Command Mode
L2TP peer configuration (default peer only)
Syntax Description
class-map map-name Optional. Name of the egress IP classification map for mapping quality of service (QoS) PD values to DSCP values in the IP packet header.
Default
PD priority bits are not propagated to the DSCP bits in the outer L2TP IP packet header.
Usage Guidelines
For a SmartEdge router configured as an L2TP LNS or a LAC, use the propagate qos to l2tp command to propagate the PD priority bits to the outer DSCP bits for outgoing packets. For the LNS configuration, the DSCP bits are propagated from the incoming network packet headers, and for the LAC configuration, the DSCP bits are propagated from the incoming subscriber packet headers.
As an LNS, the PD priority is derived from the subscriber's inner DSCP value as part of IP forwarding. As a LAC, the PD priority defaults to a low priority. If you configure the propagate qos from subscriber command (in L2TP peer configuration mode) with the upstream keyword, the PD priority is derived from the subscriber's inner DSCP value.
L2TP tunnels are User Datagram Protocol (UDP)/IP-encapsulated circuits that carry subscriber-based Point-to-Point Protocol (PPP) sessions between routers. On L2TP tunnels, subscriber IP packets are encapsulated in PPP packets, which themselves are encapsulated in L2TP packets. DSCP bits are propagated between layers of encapsulated packets so that any Layer 3 device located between an LNS and a LAC can recognize and apply DSCP settings.
You can use the qos class-map command (in global configuration mode) to define an optional mapping schema. If you do not specify the class-map map-name construct for the propagate qos to l2tp command, the unmodified PD QoS value is copied to the outer DSCP field in the IP header.
Use the no form of this command to disable the propagation of PD priority bits to the outer DSCP bits.
Examples
The following example propagates DSCP bits from incoming network or subscriber IP packet headers to L2TP IP packet headers:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos to l2tp
Related Commands
propagate qos from l2tp
propagate qos from subscriber
qos hierarchical mode strict
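The following example, added here as an illustration and not part of the original guide, configures both ends of an L2TP tunnel so that subscriber DSCP values survive the trip through the tunnel. On the LAC, propagate qos from subscriber upstream derives the PD priority from the subscriber's inner DSCP value (without it the PD priority defaults to a low priority, so propagate qos to l2tp would mark every outer header low), and propagate qos to l2tp writes that PD priority to the outer DSCP bits. On the LNS, propagate qos from l2tp with no classification map copies the outer DSCP value into the inner subscriber IP header after the outer DSCP bits have been propagated to the PD as part of IP forwarding, and propagate qos to l2tp marks the outer header of the downstream packets. Both routers are assumed to use the local context and the default L2TP peer; lines beginning with ! are comments that separate the two routers' configurations:

```text
! On the LAC
[local]Redback(config)#context local
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from subscriber upstream
[local]Redback(config-l2tp)#propagate qos to l2tp
! On the LNS
[local]Redback(config)#context local
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from l2tp
[local]Redback(config-l2tp)#propagate qos to l2tp
```

The subscriber's DSCP value is untrusted input. With propagate qos from subscriber upstream, a subscriber selects the outer DSCP value, and therefore the treatment its packets receive from every Layer 3 device between the LAC and the LNS, simply by marking its own packets. To bound this on the LAC, configure propagate qos from ip class-map under subscriber default (or a named subscriber) with an ip in classification map that maps subscriber DSCP values to the PD values you are willing to honor; as described under propagate qos from ip, that custom mapping applies after propagate qos from subscriber has copied the DSCP bits to the PD.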
propagate qos to mpls
propagate qos to mpls [class-map map-name] [l2vpn class-map map-name]
no propagate qos to mpls [class-map map-name] [l2vpn class-map map-name]
Purpose
When the SmartEdge router is configured as a Multiprotocol Label Switching (MPLS) ingress router, enables the mapping of packet descriptor (PD) quality of service (QoS) priority values to the MPLS experimental (MPLS EXP) bits for outgoing packets.
Command Mode
MPLS router configuration
Syntax Description
class-map map-name Optional. Name of the egress MPLS classification map for mapping QoS PD values to MPLS EXP bits.
l2vpn class-map map-name Optional. Name of the egress MPLS classification map for mapping packets received from Layer 2 Virtual Private Networks (L2VPNs).
Default
PD priority values are mapped to the MPLS EXP bits.
Usage Guidelines
When the SmartEdge router is configured as an MPLS ingress router, use the propagate qos to mpls command to enable the mapping of PD QoS priority values to the MPLS EXP bits for outgoing packets. If you do not specify the optional class-map map-name construct, the default mapping is used.
If you specify the optional class-map map-name construct, the propagate qos to mpls command specifies a custom value mapping for PD values to MPLS EXP bits. The Differentiated Services Code Point (DSCP) values are unaffected. In this case, use the qos class-map command to define a mapping schema, then reference the schema using the class-map map-name construct. If you do not specify an L2VPN classification map, the standard classification map applies to both Layer 2 and Layer 3 traffic.
If you specify the optional l2vpn class-map map-name construct without the class-map map-name construct, the L2VPN classification map applies to Layer 2 traffic. Layer 3 traffic uses the default 8P0D mapping schema. If you specify both the l2vpn class-map map-name construct and the class-map map-name construct, Layer 2 traffic uses the L2VPN classification map and Layer 3 traffic uses the standard classification map.
Note The default behavior of the SmartEdge router is to map PD priority values (which are derived from the DSCP bits as part of IP forwarding) to MPLS EXP bits for outgoing traffic. You can use the propagate qos to mpls command to return the router to its default behavior (after it has been changed by the no form of this command) or to specify a custom mapping using the optional class-map map-name construct.
Use the no form of this command to disable the mapping of PD priority values to MPLS EXP bits.
Examples
The following example enables the mapping of the PD values to the MPLS EXP bits at the ingress router:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos to mpls
Related Commands
egress prefer dscp-qos
propagate qos from ethernet
propagate qos to ethernet
propagate qos transport use-vlan-header
propagate qos transport {in | out | both} use-vlan-header {inner | outer | both}
no propagate qos transport {in | out | both} use-vlan-header {inner | outer | both}
Purpose
Specifies whether propagation between packet descriptor (PD) values and Ethernet uses the 802.1p value from the outer permanent virtual circuit (PVC) header or the inner PVC header, when both are present.
Command Mode
dot1q profile configuration
Syntax Description
in Uses the specified VLAN header 802.1p value when propagating 802.1p to PD for incoming packets.
out Uses the specified VLAN header 802.1p value when propagating PD to 802.1p for outgoing packets.
both Uses the specified VLAN header 802.1p value for both incoming and outgoing packets.
inner Uses the 802.1p value from the inner PVC header. This is the default value.
outer Uses the 802.1p value from the outer PVC header.
both Modifies both the inner PVC 802.1p field and the outer PVC 802.1p field with the same value, if both fields are present. Valid only when the out keyword is specified (egress propagation only).
Default
The 802.1p value from the inner PVC header is used.
Usage Guidelines
Use the propagate qos transport use-vlan-header command to specify whether propagation between PD values and Ethernet uses the 802.1p value from the outer PVC header or the inner PVC header, when both are present. This command applies only to transport ranges defined for 802.1Q PVCs.
Use the no form of this command to revert to the default, which uses the 802.1p value from the inner PVC header.
Related Commands
propagate qos from ethernet
propagate qos to ethernet
propagate qos use-vlan-ethertype
propagate qos use-vlan-ethertype tunl-type
{no | default} propagate qos use-vlan-ethertype tunl-type
Purpose
Specifies the virtual LAN (VLAN) Ethernet type field that determines whether the packet is examined for an enclosed IP header and Differentiated Services Code Point (DSCP) value or for an inner VLAN header and 802.1p value for incoming Multiprotocol Label Switching (MPLS) packets that encapsulate 802.1Q Ethernet frames.
Command Mode
MPLS router configuration
Syntax Description
tunl-type Type of incoming 802.1Q traffic according to one of the following argument or keywords (in hexadecimal format):
user: Custom traffic type; the range of values is 0x0 to 0xffff.
8100: Specifies the 8100 packet type; this is the default packet type.
88a8: Specifies the 88a8 packet type.
9100: Specifies the 9100 packet type.
9200: Specifies the 9200 packet type.
Default
The 8100 packet type is used.
Usage Guidelines
Use the propagate qos use-vlan-ethertype command to specify the VLAN Ethernet type field that determines whether the packet is examined for an enclosed IP header and DSCP value or for an inner VLAN header and 802.1p value for incoming MPLS packets that encapsulate 802.1Q Ethernet frames. In addition to packets with the specified VLAN Ethernet type field, packets with an Ethernet type of 0x8100 are also examined for enclosed header values. The SmartEdge OS either maps packets with other outer PVC Ethernet types based on the outer PVC 802.1p value (for the mpls use-ethernet command in class map configuration mode) or uses the default 8P0D mapping based on the MPLS EXP value (for the mpls use-ip command in class map configuration mode).
Use the mpls use-ethernet or mpls use-ip command to enable propagation.
Use the no form of this command to disable the use of VLAN header values to identify incoming packets for propagation.
Use the default form of this command to revert to the default setting.
Related Commands
mpls use-ethernet
mpls use-ip
propagate qos use-vlan-header
propagate qos use-vlan-header {inner | outer}
{no | default} propagate qos use-vlan-header {inner | outer}
Purpose
Specifies whether 802.1p-to-packet descriptor (PD) propagation uses the 802.1p value from the outer permanent virtual circuit (PVC) header or the inner PVC header, when both values are present, for incoming Multiprotocol Label Switching (MPLS) packets that encapsulate 802.1Q Ethernet frames.
Command Mode
MPLS router configuration
Syntax Description
inner Uses the 802.1p value from the inner PVC header.
outer Uses the 802.1p value from the outer PVC header.
Default
The 802.1p value from the inner PVC header is used.
Usage Guidelines
Use the propagate qos use-vlan-header command to specify whether 802.1p-to-PD propagation uses the 802.1p value from the outer PVC header or the inner PVC header, when both values are present, for incoming MPLS packets that encapsulate 802.1Q Ethernet frames.
Use the mpls use-ethernet command (in class map configuration mode) to enable propagation.
Use the no or default form of this command to revert to the default setting, which uses the inner PVC 802.1p value.
Related Commands
mpls use-ethernet
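The following example, added here as an illustration and not part of the original guide, shows the two places where the SmartEdge OS must be told which VLAN header to read when frames carry stacked 802.1Q tags. For MPLS packets that encapsulate 802.1ad (Ethernet type 88a8) frames, it makes the router examine such packets for an inner header and take the 802.1p value from the outer PVC header; this takes effect only for EXP entries configured with mpls use-ethernet in the classification map attached with propagate qos from mpls, which is not shown here. For 802.1Q PVC transport ranges, it defines a dot1q profile (the name qinq-outer is assumed) that propagates 802.1p bits in both directions, reads the outer tag's 802.1p value on ingress, and writes the same value to both tags on egress:

```text
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos use-vlan-ethertype 88a8
[local]Redback(config-mpls)#propagate qos use-vlan-header outer
[local]Redback(config-mpls)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#dot1q profile qinq-outer
[local]Redback(config-dot1q-profile)#propagate qos from ethernet
[local]Redback(config-dot1q-profile)#propagate qos to ethernet
[local]Redback(config-dot1q-profile)#propagate qos transport in use-vlan-header outer
[local]Redback(config-dot1q-profile)#propagate qos transport out use-vlan-header both
```

Selecting the outer header matters in a provider-bridged network: the outer (service) tag is set by the provider's own equipment, while the inner (customer) tag arrives as the customer set it. Leaving the default, which reads the inner PVC header, lets customer-set 802.1p bits drive PD priority on this router. Packets whose outer Ethernet type is neither 0x8100 nor the configured type are mapped from the outer PVC 802.1p value (for mpls use-ethernet entries) or from the EXP value with the default 8P0D mapping (for mpls use-ip entries), as described under propagate qos use-vlan-ethertype.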
Command Descriptions
QoS Circuit Configuration 18-71
qos hierarchical mode strict
qos hierarchical mode strict
{no | default} qos hierarchical mode
Purpose
Specifies the strict priority quality of service (QoS) scheduling algorithm for the traffic-managed port,
802.1Q tunnel, 802.1Q permanent virtual circuit (PVC), hierarchical node group, or hierarchical node on a
traffic-managed port.
Command Mode
dot1q PVC configuration
hierarchical node configuration
hierarchical node group configuration
Syntax Description
This command has no keywords or arguments.
Default
Gigabit Ethernet ports on traffic-managed cards are the top level in the traffic management hierarchy.
Usage Guidelines
Use the qos hierarchical mode strict command to specify the strict priority QoS scheduling algorithm for
the traffic-managed port, 802.1Q tunnel, 802.1Q PVC, hierarchical node group, or hierarchical node on a
traffic-managed port. You can also use the qos rate or qos weight commands (in port or dot1q PVC
configuration mode) to create a node in the QoS hierarchy with the default strict priority mode.
A QoS traffic-managed port is always a node at the top of the hierarchy. The scheduling algorithms service
the QoS queues defined by the priority weighted fair queuing (PWFQ) policy attached to the port, 802.1Q
tunnel, or 802.1Q PVC according to the priority assigned to each queue with the queue priority command
(in PWFQ policy configuration mode). The priority determines the servicing order, and the relative
maximum rate or weight determines the amount of traffic that is transmitted.
For 802.1Q PVCs, you can use this command to configure both static and on-demand PVCs. If you do not
enter this command for an 802.1Q tunnel or PVC, the tunnel or PVC is not part of the QoS traffic
management hierarchy. In this case, a tunnel inherits only the PWFQ policy attached to its port and a PVC
inherits the policy attached to its tunnel, unless you apply a more specific PWFQ policy to the tunnel or
PVC.
Use the no or default form of this command to remove the tunnel or PVC from the hierarchy.
Examples
The following example enables an 802.1Q PVC tunnel as a traffic-managed hierarchical node, with strict
scheduling algorithm:
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#dot1q pvc 10 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#qos hierarchical mode strict
Note When you first configure the qos hierarchical mode strict, qos rate, or qos weight
command for a dot1q PVC, the SmartEdge OS removes previously configured QoS policy
queuing commands on the circuit or any of its children. Configuring one of these commands
on a circuit group for the first time deletes any QoS policy queuing commands on its existing
members, and adding a member to a circuit group that has a configured L3 command removes
all QoS policy queuing commands configured on the member circuit. To address this issue,
reconfigure these QoS policy queuing commands.
Related Commands
qos policy pwfq
qos rate
qos weight
qos mode
qos mode {alternate | normal | strict}
{no | default} qos mode
Purpose
Defines the mode of the quality of service (QoS) enhanced deficit round-robin (EDRR) policy algorithm.
Command Mode
ATM OC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
link group configuration
port configuration
Syntax Description
alternate Indicates that in every other round, either queue 0 or one of the other queues
configured on the port is serviced, in alternating fashion.
normal Indicates that queue 0 is treated like all other queues on the port. Each queue
receives its share of the port's bandwidth according to the configured
weights. This is the default mode for EDRR policies.
strict Indicates that queue 0 has strict priority over all other queues configured on
the port.
Default
The mode is normal.
Usage Guidelines
Use the qos mode command to define the mode of the EDRR policy algorithm.
Note Only one EDRR mode type can be supported on a single port.
Use the no or default form of this command to return EDRR queuing to normal mode.
Examples
The following example configures strict mode for each configured port on the Ethernet traffic card in
slot 4:
[local]Redback(config)#qos policy qos-edrr-test edrr
[local]Redback(config-policy-edrr)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos mode strict
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#qos mode strict
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/3
[local]Redback(config-port)#qos mode strict
Related Commands
qos policy edrr
qos node
qos node node-name idx-start [through idx-end]
no qos node node-name
Purpose
Creates one or more quality of service (QoS) hierarchical nodes as aggregation points for applying traffic
shaping and accesses hierarchical node configuration mode.
Command Mode
hierarchical node group configuration
Syntax Description
node-name Name of the node.
idx-start Initial index number.
through idx-end Optional. Final index number.
Default
No nodes are created.
Usage Guidelines
Use the qos node command to create one or more QoS hierarchical nodes as aggregation points for
applying traffic shaping and to access hierarchical node configuration mode.
Note This command is available only for traffic-managed ports.
Each node is uniquely referenced by its name, its node index, its node group, and the index for the node
group.
Note The command prompt for the hierarchical node configuration mode is identical to the prompt
for the hierarchical node group configuration mode; see the example in the Examples
section.
Use the no form of this command to delete one or more nodes from the configuration.
Examples
The following example creates 10 hierarchical node groups and 50 hierarchical nodes, with 5 nodes in each
node group; the name of each node group is home and the name of each node is dslam:
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#qos node-group home 1 through 10
[local]Redback(config-h-node)#qos node dslam 1 through 5
[local]Redback(config-h-node)#
Related Commands
qos node-group
qos node-reference
qos policy queuing
qos node-group
qos node-group group-name idx-start [through idx-end]
no qos node-group group-name
Purpose
Creates one or more quality of service (QoS) hierarchical node groups as aggregation points for applying
traffic shaping and accesses hierarchical node group configuration mode.
Command Mode
port configuration
Syntax Description
group-name Name of the node groups.
idx-start Initial index number.
through idx-end Optional. Final index number.
Default
No node groups are created.
Usage Guidelines
Use the qos node-group command to create one or more QoS hierarchical node groups as aggregation
points for applying traffic shaping and to access hierarchical node group configuration mode. This
command is available only for traffic-managed ports.
Each node group is uniquely referenced by its name and its index.
Use the no form of this command to delete the node group from the configuration.
Examples
The following example creates 10 hierarchical node groups; the name of each group is home:
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#qos node-group home 1 through 10
[local]Redback(config-h-node)#
Related Commands
qos node
qos node-reference
qos node-reference node-name node-idx group-name group-idx
no qos node-reference node-name
Purpose
Creates a reference to a quality of service (QoS) hierarchical node in the subscriber record, named
subscriber profile, or default subscriber profile.
Command Mode
subscriber configuration
Syntax Description
node-name Name of the node.
node-idx Node index number.
group-name Name of the node group.
group-idx Node group index number.
Default
No node references are created in any subscriber record, named subscriber profile, or default subscriber
profile.
Usage Guidelines
Use the qos node-reference command to create a reference to a QoS hierarchical node in the subscriber
record, named subscriber profile, or default subscriber profile.
Use the no form of this command to delete the reference from the subscriber record, named subscriber
profile, or default subscriber profile.
Examples
The following example creates, in the subscriber record joe, a reference to the node dslam with index 5,
which was created in the hierarchical node group home with index 1:
[local]Redback(config)#context subs
[local]Redback(config-ctx)#subscriber joe
[local]Redback(config-sub)#qos node-reference home 1 dslam 5
Related Commands
qos node
qos node-group
qos policy metering
qos policy metering pol-name [acl-counters] [inherit] [hierarchical]
no qos policy metering pol-name
Purpose
Attaches a metering policy to the specified circuit, port, or subscriber record to be enforced on outbound
packets.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
subscriber configuration
Syntax Description
pol-name Name of the metering policy to be attached.
acl-counters Optional. Enables per-rule access control list (ACL) statistics for a policy
ACL associated with the policy. Available in all listed configuration modes,
except global configuration.
inherit Optional. Attaches the specified policy as follows:
In port configuration mode, use this policy for any circuit (802.1Q
tunnel, 802.1Q permanent virtual circuit (PVC), and any child circuit
configured on an 802.1Q PVC) that is configured on this Ethernet port,
unless overridden by a quality of service (QoS) metering policy attached to
that circuit.
In dot1q PVC configuration mode, use this policy for any circuit
configured on this 802.1Q tunnel or PVC (including child circuits), unless
overridden by a QoS metering policy attached to that 802.1Q PVC or child
circuit.
In ATM PVC configuration mode, use this policy for any child circuit
configured on this Asynchronous Transfer Mode (ATM) PVC, unless
overridden by a QoS metering policy attached to that child circuit.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs,
and ATM PVCs.
hierarchical Optional. Attaches the specified policy as follows:
In port configuration mode, use this policy for any circuit (802.1Q
tunnel, 802.1Q permanent virtual circuit (PVC), and any child circuit
configured on an 802.1Q PVC) that is configured on this Ethernet port.
In dot1q PVC configuration mode, use this policy for any circuit
configured on this 802.1Q tunnel or PVC (including child circuits).
In ATM PVC configuration mode, use this policy for any child circuit
configured on this Asynchronous Transfer Mode (ATM) PVC.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs,
and ATM PVCs.
Default
No metering policy is attached to outbound packets on the specified circuit, port, or subscriber record.
Usage Guidelines
Use the qos policy metering command to attach a metering policy to a specified circuit, port, or subscriber
record to be enforced on outbound packets in any of the listed configuration modes, except link group
configuration mode.
Use the qos policy metering command in link group configuration mode to attach the policy to a multilink
Point-to-Point Protocol (MP) or Multilink Frame Relay (MFR) bundle; use it in port configuration mode
to attach the policy to an Ethernet or 802.1Q link group. When you attach the policy to any type of link
group, you effectively attach it to all ports or circuits in the link group (MP, MFR, Ethernet, or 802.1Q).
For 802.1Q PVCs, this command can be used to configure both static and on-demand PVCs.
Child circuits can inherit the QoS metering and policing policies attached to the parent circuit on which the
child circuits are configured if the keyword inherit or hierarchical is specified on the parent binding. If you
attach a different metering or policing policy to a child circuit, those policies override the metering or
policing policy attached to the parent circuit unless the parent policy applied is configured with the
keyword hierarchical.
By default, using the optional keyword inherit when configuring a metering or policing policy for a parent
circuit results in all of the children of the parent circuit inheriting the parent circuit policy, unless the
children have a more specific policy configured. In this case, rate limiting is applied collectively to the child
circuits and the parent circuit, which means that all circuits to which the parent policy applies are
collectively subject to the rate limitations specified in the parent circuit's metering or policing policy.
Using the optional keyword hierarchical when configuring a metering or policing policy for a parent
circuit results in applying both the child circuit policy and the parent circuit policy to the traffic on the child
circuit. With hierarchical metering or policing policy, rate limiting is applied on the packets destined for the
child circuit first using the child policy. If the child metering or policing policy includes a drop policy, then
the SmartEdge router drops the appropriate packets if the traffic rate exceeds the rate limit. Those packets
that were not dropped are processed and rate-limited once again, along with all the other packets destined
for the parent circuit, using the parent policy.
Essentially, the child circuit traffic is processed and rate-limited twice and the parent circuit's native traffic
is processed and rate-limited once. With a hierarchical metering or policing policy enabled, a child is subject
to its own specified rate limitations and then is collectively subject to the rate limitations specified in the
parent circuit's metering or policing policy, along with its parent and peers.
Use the no form of this command to remove a metering policy from outbound packets on a circuit, port,
subscriber record, or link group (of any type).
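The two-stage rate limiting described above, as an added Python simulation that is not SmartEdge OS code and not part of this guide: the token-bucket arithmetic, the Packet and MeteringPolicy classes, the circuit names pvc30, pvc31 and port, and the constructed-drop-policy are assumptions, while port-hierarchical-policy and vlan-individual-policy mirror the second example in the Examples section.

```python
"""Simulation of the two-stage ('hierarchical') metering described above:
a child circuit's policy meters its traffic first, packets it drops never
reach the parent, and the survivors are metered again by the parent policy
together with the parent's native traffic. Added example, not SmartEdge
code; the token bucket (rate in kbps, burst in bytes) and the Packet and
MeteringPolicy classes are assumptions modelled on the command syntax."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    circuit: str        # "pvc30", "pvc31", or "port" for the port's native traffic
    size: int           # bytes
    priority: int = 3   # priority value the packet arrives with


@dataclass
class MeteringPolicy:
    """One 'qos policy <name> metering' with a single rate/burst pair."""
    name: str
    rate_kbps: int                          # rate <kbps>
    burst_bytes: int                        # burst <bytes>
    exceed_drop: bool = False               # exceed drop
    exceed_priority: Optional[int] = None   # exceed mark priority <n>
    conform_priority: Optional[int] = None  # conform mark priority <n>
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def meter(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Meter one packet at time `now` (seconds): return it, re-marked if
        the policy says so, or None if the exceed action drops it."""
        # rate_kbps * 1000 / 8 bytes per second = rate_kbps * 125
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + (now - self.last_t) * self.rate_kbps * 125)
        self.last_t = now
        if pkt.size <= self.tokens:             # conforming packet
            self.tokens -= pkt.size
            if self.conform_priority is not None:
                pkt.priority = self.conform_priority
            return pkt
        if self.exceed_drop:                    # exceeding, drop action
            return None
        if self.exceed_priority is not None:    # exceeding, mark action
            pkt.priority = self.exceed_priority
        return pkt


def run_hierarchy(parent: MeteringPolicy, children: Dict[str, MeteringPolicy],
                  packets: List[Packet], now: float = 0.0) -> Dict[str, Dict[str, int]]:
    """Apply each packet's child policy (if any), then the shared parent policy.
    Returns per-circuit counts of forwarded and dropped packets plus how many
    packets left with each priority value ("prio<n>")."""
    stats: Dict[str, Dict[str, int]] = {}
    for pkt in packets:
        s = stats.setdefault(pkt.circuit, {"forwarded": 0, "dropped": 0})
        child = children.get(pkt.circuit)
        out: Optional[Packet] = pkt
        if child is not None:
            out = child.meter(pkt, now)         # stage 1: child circuit policy
        if out is not None:
            out = parent.meter(out, now)        # stage 2: parent policy, shared
        if out is None:
            s["dropped"] += 1
            continue
        s["forwarded"] += 1
        key = f"prio{out.priority}"
        s[key] = s.get(key, 0) + 1
    return stats


def example() -> Dict[str, Dict[str, int]]:
    """The two policies from the page's second metering example, plus one
    constructed child policy with 'exceed drop'. All packets arrive at t=0,
    so only the configured bursts matter and the outcome is easy to check."""
    port_policy = MeteringPolicy("port-hierarchical-policy", 500, 50000,
                                 exceed_priority=6)
    vlan_policy = MeteringPolicy("vlan-individual-policy", 100, 10000,
                                 conform_priority=0, exceed_priority=5)
    drop_policy = MeteringPolicy("constructed-drop-policy", 100, 3000,
                                 exceed_drop=True)
    packets = ([Packet("pvc30", 1000) for _ in range(12)]     # 10 conform, 2 marked 5
               + [Packet("pvc31", 1000) for _ in range(5)]    # 3 conform, 2 dropped
               + [Packet("port", 1000) for _ in range(40)])   # 55000 B reach the parent
    return run_hierarchy(port_policy,
                         {"pvc30": vlan_policy, "pvc31": drop_policy}, packets)


if __name__ == "__main__":
    for circuit, counts in example().items():
        print(circuit, counts)
```

The two pvc31 packets dropped by the child policy are never counted against the parent burst, and only the port's own packets, the last to arrive, are re-marked to priority 6 by the parent.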
Note Configuring the qos policy metering command on an ATM port has no effect. In order to limit
ATM traffic, configure this command on ATM PVCs.
Note Only one level of hierarchical metering or policing can be applied to a circuit. A circuit can
have a maximum of two policing or metering policies applied: one individual or inherited
through the inherit keyword, and one inherited through the hierarchical keyword. If a circuit
is subject to two "hierarchical" parents (for example, a PPPoX session with a hierarchical
metering binding on its 802.1q PVC parent and a hierarchical metering binding on its Ethernet
port grandparent), only the binding on its closest relative (the PVC in this example) applies.
Examples
The following example creates the metering policy, example2, and attaches it to an Ethernet port:
[local]Redback(config)#qos policy example2 metering
[local]Redback(config-policy-metering)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-metering)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy metering example2
The following example configures an outbound rate limit for all traffic on a particular port and an individual
rate limit for each 802.1Q VLAN configured under the port:
[local]Redback(config)#qos policy port-hierarchical-policy metering
[local]Redback(config-policy-metering)#rate 500 burst 50000
[local]Redback(config-policy-rate)#exceed mark priority 6
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-metering)#exit
[local]Redback(config)#qos policy vlan-individual-policy metering
[local]Redback(config-policy-metering)#rate 100 burst 10000
[local]Redback(config-policy-rate)#conform mark priority 0
[local]Redback(config-policy-rate)#exceed mark priority 5
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-metering)#exit
.
.
[local]Redback(config)#port ethernet 12/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos policy metering port-hierarchical-policy hierarchical
[local]Redback(config-port)#dot1q pvc 30 thr 40 encapsulation
[local]Redback(config-dot1q-pvc)#qos policy metering vlan-individual-policy
Related Commands
qos policy policing
rate circuit
qos policy policing
qos policy policing pol-name [acl-counters] [inherit | hierarchical]
no qos policy policing pol-name
Purpose
Attaches a policing policy to the specified circuit, port, or subscriber record to be enforced on inbound
packets.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
subscriber configuration
Syntax Description
pol-name Name of the policing policy to be attached.
acl-counters Optional. Enables per-rule access control list (ACL) statistics for a policy ACL
associated with the policy. Available in all configuration modes, except global
configuration.
inherit Optional. Attaches the specified policy as follows:
In port configuration mode, use this policy for any 802.1Q permanent virtual
circuit (PVC) that is configured on this Ethernet port, unless overridden by a quality
of service (QoS) policing policy attached to that circuit.
In dot1q PVC configuration mode, use this policy for any 802.1Q tunnel or PVC,
unless overridden by a QoS policing policy attached to the PVC.
In ATM PVC configuration mode, use this policy for any child circuit configured
on this Asynchronous Transfer Mode (ATM) PVC, unless overridden by a QoS
policing policy attached to the child circuit.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs, and ATM
PVCs.
hierarchical Optional. Attaches the specified policy as follows:
In port configuration mode, use this policy for any circuit (802.1Q tunnel, 802.1Q
permanent virtual circuit (PVC), and any child circuit configured on an 802.1Q
PVC) that is configured on this Ethernet port.
In dot1q PVC configuration mode, use this policy for any circuit configured on
this 802.1Q tunnel or PVC (including child circuits).
In ATM PVC configuration mode, use this policy for any child circuit configured
on this Asynchronous Transfer Mode (ATM) PVC.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs, and
ATM PVCs.
Default
No policing policy is attached to inbound packets on the port, circuit, or subscriber record.
Usage Guidelines
Use the qos policy policing command to attach a policing policy to inbound packets on a specific port,
circuit, or subscriber record in any of the listed configuration modes, except link group configuration mode.
Note Configuring the qos policy policing command on an ATM port has no effect. In order to limit
ATM traffic, configure this command on ATM PVCs.
Use the qos policy policing command in link group configuration mode to attach the policy to a multilink
Point-to-Point Protocol (MP) or Multilink Frame Relay (MFR) bundle; use it in port configuration mode
to attach the policy to an Ethernet or 802.1Q link group. When you attach the policy to any type of link
group, you effectively attach it to all ports or circuits in the link group (MP, MFR, Ethernet, or 802.1Q).
For 802.1Q PVCs, you can use this command to configure both static and on-demand PVCs.
Use the no form of this command to remove a policing policy from inbound packets on a port, circuit,
subscriber record, or link group (of any type).
Examples
The following example creates the example2 policing policy and attaches it to an Ethernet port:
[local]Redback(config)#qos policy example2 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy policing example2
The following example attaches the WholePort policing policy to a Gigabit Ethernet port, and then
attaches the OneVC policing policy to one of the 802.1Q PVCs. The policy attached to the PVC supersedes
the policy attached to the port. For all the other PVCs on the port, the policy attached to the port takes effect:
[local]Redback(config)#qos policy OneVC policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark dscp ef
[local]Redback(config-policy-rate)#exceed mark dscp df
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#qos policy WholePort policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos policy policing WholePort
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#bind interface if_100 local
[local]Redback(config-dot1q-pvc)#qos policy policing OneVC
The following example configures an inbound rate limit to be enforced on all traffic on a particular 802.1Q
tunnel SVLAN and an individual rate limit for each CVLAN configured under the SVLAN:
[local]Redback(config)#qos policy svlan-hierarchical-policy policing
[local]Redback(config-policy-policing)#rate 1000 burst 50000
[local]Redback(config-policy-rate)#exceed mark priority 6
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#qos policy cvlan-individual-policy policing
[local]Redback(config-policy-policing)#rate 100 burst 10000
[local]Redback(config-policy-rate)#conform mark priority 0
[local]Redback(config-policy-rate)#exceed mark priority 5
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 12/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 30 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#qos policy policing svlan-hierarchical-policy hierarchical
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 30:1 through 100
[local]Redback(config-dot1q-pvc)#qos policy policing cvlan-individual-policy
Related Commands
qos policy metering
rate circuit
qos policy (protocol-rate-limit)
qos policy pol-name protocol-rate-limit
no qos policy pol-name protocol-rate-limit
Purpose
Creates a named rate-limiting policy that can be applied to protocol specific packets.
Command Mode
global configuration
subscriber configuration
port configuration
link group configuration
link PVC configuration
dot1q PVC configuration
Syntax Description
pol-name Specifies the policy name.
protocol-rate-limit The named policy is applicable to protocol-specific packets.
Default
No protocol-specific rate-limiting policies exist.
Usage Guidelines
The qos policy (protocol-rate-limit) command creates a named rate-limiting policy that can be applied to
protocol-specific packets.
For information on how to use this command, see Configure ARP Policy to Prevent DoS Attacks on
page 2-3 of Chapter 2, ARP Configuration.
Examples
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
the Ethernet port 5/1:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#port ether 5/1
[local]Redback(config-port)#qos policy protocol-rate-limit ARPDOS
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
subscriber circuits where the default subscriber profile is applied:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#subscriber default
[local]Redback(config-sub)#qos policy protocol-rate-limit ARPDOS
Related Commands
None
qos policy queuing
qos policy queuing pol-name
no qos policy queuing pol-name
Purpose
Attaches a quality of service (QoS) scheduling policy to the port, circuit, hierarchical node, or subscriber
record.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
hierarchical node configuration
link group configuration
port configuration
subscriber configuration
Syntax Description
pol-name Name of the scheduling policy to be attached.
Default
No queuing policy is attached to the circuit or port.
Usage Guidelines
Use the qos policy queuing command to attach a QoS scheduling policy to the port, circuit, hierarchical
node, or subscriber record.
The specified QoS scheduling policy must already exist. The types of scheduling policies are
Asynchronous Transfer Mode weighted fair queuing (ATMWFQ), enhanced deficit round-robin (EDRR),
modified deficit round-robin (MDRR), priority queuing (PQ), and priority weighted fair queuing (PWFQ).
Note Configuring the qos policy queuing command on an ATM port has no effect. In order to limit
ATM traffic, configure this command on ATM PVCs.
Use this command in link group configuration mode to attach the policy to a Multilink Point-to-Point
Protocol (MP) or Multilink Frame Relay (MFR) bundle; use it in port configuration mode to attach the
policy to an Ethernet or 802.1Q link group.
For 802.1Q permanent virtual circuits (PVCs), this command can be used to configure both static and
on-demand PVCs.
Note QoS scheduling policies are not supported on VLAN bridge circuits and Layer 2 Tunneling
Protocol (L2TP) Virtual Private Network (VPN) circuits.
Note ATMWFQ policies are applicable only to ATM PVCs (not ports) on ATM DS-3 and
second-generation ATM OC traffic cards. However, an ATMWFQ policy cannot be attached
to a PVC that is shaped as unspecified bit rate extended (UBRe).
Caution Risk of data loss. Modifying the parameters of an ATMWFQ policy will momentarily
interrupt the traffic on all ATM PVCs using the policy. To reduce the risk, modify an
ATMWFQ policy only when traffic is light.
Note MDRR policies apply to 10 Gigabit Ethernet (10GE) ports and the 802.1Q tunnels and
802.1Q PVCs that are configured on them. They also apply to 10GE ports that are members
of a link group.
Note PWFQ policies are supported only on traffic-managed ports, and the 802.1Q tunnels, 802.1Q
PVCs, and hierarchical nodes configured on them. You can attach the same PWFQ policy to
a port, its 802.1Q tunnels, its PVCs, and its hierarchical nodes; similarly, you can attach
different PWFQ policies to a port, its tunnels, PVCs and hierarchical nodes. For examples,
see the Examples section.
Note Layer 2 Tunneling Protocol (L2TP) network server (LNS) subscriber sessions support only
PWFQ policies; an LNS subscriber session initiated on any type of port except a
traffic-managed port will not be governed by the PWFQ policy attached to the subscriber
record.
Slot redundancy is not supported; if an LNS subscriber session moves to a traffic-managed
port in a different slot, it will no longer be governed by the PWFQ policy attached to the LNS
subscriber session. If the session moves to a different port in the same slot, the PWFQ policy
will resume queuing after a temporary traffic disruption.
Note For first-generation ATM OC traffic cards, you can attach EDRR or PQ policies to both ATM
ports and ATM PVCs. PQ and EDRR policies are not supported on second-generation
ATM OC or ATM DS-3 traffic cards.
Use the no form of this command to remove a QoS scheduling policy from the port, circuit, hierarchical
node, or subscriber record.
Examples
The following example creates a PQ policy and then attaches the policy to a GE3 port:
[local]Redback(config)#qos policy example1 pq
[local]Redback(config-policy-pq)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy queuing example1
The following example attaches two PWFQ policies, pwfq1 and pwfq2, to a GE3 port, an 802.1Q tunnel
on that port, and an 802.1Q PVC within that tunnel:
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos policy queuing pwfq1
[local]Redback(config-port)#dot1q pvc 10 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#qos policy queuing pwfq1
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 10:20
[local]Redback(config-dot1q-pvc)#qos policy queuing pwfq2
[local]Redback(config-dot1q-pvc)#exit
Note You can attach only one type of queuing policy to ports and circuits on a single traffic card.
That is, you can attach either ATMWFQ, EDRR, PQ, or PWFQ policies, but not any
combination of these types. You can, however, attach several queuing policies of the same
type to ports, subscribers, and circuits on a single traffic card.
Note To attach an EDRR policy to a circuit, you must also attach the policy at the port level. The
limit on attaching different EDRR policies to ports and circuits on a single traffic card is 15.
Note EDRR and ATMWFQ policies are not supported on link groups.
Related Commands
qos policy atmwfq
qos policy edrr
qos policy mdrr
qos policy pq
qos policy pwfq
rate circuit
qos priority
qos priority group-num
no qos priority group-num
Purpose
Classifies all traffic, including non-IP traffic, on the ingress circuit with a quality of service (QoS) priority
group number.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
Syntax Description
group-num Priority group number. The range of values is 0 to 7.
Default
By default, no QoS priority is configured and no priority group is assigned to any traffic.
Usage Guidelines
Use the qos priority command to classify all traffic, including non-IP traffic, on the ingress circuit with a
QoS priority group number.
A priority group is an internal value used by the SmartEdge router to determine into which egress queue
the inbound packet should be placed. The type of service (ToS) value, IP Differentiated Services Code Point
(DSCP) value, and Multiprotocol Label Switching (MPLS) experimental (EXP) bits are not changed by this
command. The actual queue number depends upon the number of queues configured on the circuit; see the
num-queues command in Chapter 17, QoS Scheduling Configuration.
Note If a QoS policy is applied to the same traffic assigned to a QoS priority group, the QoS policy
overrides the qos priority command.
This command is not supported for dynamic 802.1Q permanent virtual circuits (PVCs).
Use the no form of this command to remove a QoS priority configuration and to stop assigning traffic to
the priority group.
Examples
The following example configures a priority of 2 to port 1 on the Ethernet traffic card in slot 13:
[local]Redback(config)#port ethernet 13/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface eth-pc05 local
[local]Redback(config-port)#qos priority 2
Note Configuring the qos priority command on an ATM port has no effect. In order to classify
ATM traffic with a QoS priority group number, configure the qos priority command on ATM
PVCs.
Related Commands
num-queues
qos queue-map
qos profile overhead
qos profile overhead profile-name [inherit]
no qos profile overhead profile-name [inherit]
Purpose
Attaches an overhead profile to a port, an 802.1Q permanent virtual circuit (PVC), or a subscriber record.
Command Mode
dot1q PVC configuration
port configuration
Syntax Description
profile-name Name of the existing overhead profile to be attached to the port or PVC.
inherit Optional. Applies the overhead profile to any child circuit configured on an 802.1Q
PVC that is configured on this Ethernet port (unless it is overridden by a quality of
service [QoS] overhead profile attached to that circuit).
This keyword is available only for Ethernet ports and 802.1Q PVCs.
Default
No overhead profile is attached to a port, an 802.1Q PVC, or a subscriber record.
Usage Guidelines
Use the qos profile overhead command to attach an overhead profile to the port, 802.1Q PVC, or a
subscriber record.
Use the inherit keyword to apply the overhead profile to any child circuit configured on an 802.1Q PVC
that is configured on this Ethernet port (unless it is overridden by a QoS overhead profile attached to that
circuit). If you do not specify the inherit keyword, the child circuits do not inherit the overhead profile of
the parent.
Note The inherit keyword is not valid when you apply an overhead profile to a subscriber record.
Use the no form of this command to delete an overhead profile from the port, 802.1Q PVC, or subscriber
record.
Examples
The following example allows the child circuits of the 802.1Q PVC to inherit the example1 overhead
profile:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#dot1q pvc 100 encapsulation 1qtunnel
[local]Redback(config-port)#qos profile overhead example1 inherit
[local]Redback(config-port)#exit
Related Commands
qos policy pwfq
rate
qos rate
For traffic-managed ports, or the 802.1Q tunnels or permanent virtual circuits (PVCs) configured on
them, the syntax is:
qos rate {maximum | minimum} kbps
no qos rate {maximum | minimum}
For all other Gigabit Ethernet ports, the syntax is:
qos rate maximum mbps burst bytes
no qos rate maximum
Purpose
Sets the rate for outgoing traffic on a Gigabit Ethernet port, or on an 802.1Q tunnel, 802.1Q PVC, or
hierarchical node group or node configured on a traffic-managed port.
Command Mode
dot1q PVC configuration
hierarchical node configuration
hierarchical node group configuration
port configuration
Syntax Description
maximum Specifies the maximum rate for the port, tunnel, PVC, or hierarchical node group, or
hierarchical node.
minimum Specifies the minimum rate for the port; available only for traffic-managed ports and
the 802.1Q tunnels, PVCs, and hierarchical node groups, and hierarchical nodes
configured on them.
kbps Rate in kbps for traffic-managed ports, tunnels, PVCs, and hierarchical node groups.
In hierarchical node and hierarchical node group configuration modes, the range of
values is 64 to 1,000,000; in dot1q PVC and port configuration modes, the range of
values is 10,000 to 1,000,000.
mbps Rate in Mbps for all other Gigabit Ethernet ports. The range of values is 100 to 1,000;
the default value is 1,000 (the full speed of the port).
burst bytes Burst tolerance in bytes. For all other Gigabit Ethernet ports except traffic-managed
ports, the range of values is 1 to 1,250,000,000. This construct is not available for
traffic-managed ports.
Default
Outgoing traffic is transmitted at the full speed of the port.
Usage Guidelines
Use the qos rate command to set the maximum rate for outgoing traffic on a Gigabit Ethernet port, or an
802.1Q tunnel, 802.1Q PVC, or hierarchical node group or node configured on a traffic-managed port. You
can set the burst for any Gigabit Ethernet port, except for a traffic-managed port.
If you have not already entered the qos hierarchical mode strict command (in port or dot1q PVC
configuration mode) for this tunnel or PVC, this command also makes the tunnel or PVC a node in the
hierarchy. A Gigabit Ethernet 3 port is always a node at the top of the hierarchy.
Use the no form of this command to set the port, tunnel, or PVC to the default port rate.
Examples
The following example sets the maximum rate for outgoing traffic for port 1 on the Gigabit Ethernet traffic
card in slot 14 to 600 Mbps with a burst size of 1,000 bytes:
[local]Redback(config)#port ethernet 14/1
[local]Redback(config-port)#qos rate maximum 600 burst 1000
Note The maximum rate set by this command is the rate at which the port operates; any priority
queuing (PQ), enhanced deficit round-robin (EDRR), or priority weighted fair queuing
(PWFQ) queue or circuit with a PQ, EDRR, or PWFQ policy is limited by the rate specified
by this command for the circuit. Also, the sum of all traffic on the port carried by the queues
belonging to the circuits or subscribers is limited to the rate specified by this command.
Note When you first configure the qos hierarchical mode strict, qos rate, or qos weight
command for a dot1q PVC, the SmartEdge OS removes previously configured QoS policy
queuing commands on the circuit or any of its children. Configuring one of these commands
on a circuit group for the first time deletes any QoS policy queuing commands on its existing
members, and adding a member to a circuit group that has a configured L3 command removes
all QoS policy queuing commands configured on the member circuit. To address this issue,
reconfigure these QoS policy queuing commands.
Related Commands
qos hierarchical mode strict
qos weight
rate
qos to atm
qos {pd-value | all} to atm clp-value
{no | default} qos {clp-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Asynchronous Transfer Mode (ATM)
cell loss priority (CLP) values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in three
higher-order bits and the packet drop precedence in the three lower-order
bits. You can enter the value in decimal or hexadecimal format, for example
16 or 0x10. You can also enter a standard Differentiated Services Code
Point (DSCP) marking label as defined in Table 16-21 on page 16-71.
The scale used by this command for packet priority, from 0 (lowest priority)
to 7 (highest priority), is the relative inverse of the scale used by the mark
priority command. For details on this command, see Chapter 16, QoS Rate-
and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any
existing configuration for the classification map is overridden.
clp-value Either 0 or 1. In case of network congestion, ATM cells marked with a value
of 1 have been tagged to be dropped ahead of those with a value of 0.
Default
Egress ATM classification map entries use the default PD-to-CLP mapping described in Table 18-23.
Usage Guidelines
Use the qos to atm command to translate PD QoS values to ATM CLP values on egress.
If you specify the all keyword, all valid PD values are mapped to the specified CLP value. Any existing
configuration for the classification map is overridden. You can use the all keyword to specify a single
default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the no or default form of this command to revert values for one or all map entries to their default values
defined in Table 18-23.
Table 18-23 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit   PD Priority Value   PD Drop-Precedence Value   AF Label   QoS PD Value
0             1                   2                          AF11       10
1             0                   0                          DF         0
Related Commands
clpbit propagate qos to atm
qos class-map
qos to ethernet
qos {pd-value | all} to ethernet 802.1p-value
default qos {pd-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Ethernet 802.1p values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in three
higher-order bits and the packet drop precedence in the three lower-order bits.
You can enter the value in decimal or hexadecimal format, for example 16 or
0x10. You can also enter a standard Differentiated Services Code Point
(DSCP) marking label as defined in Table 16-21 on page 16-71.
The scale used by this command for packet priority, from 0 (lowest priority)
to 7 (highest priority), is the relative inverse of the scale used by the mark
priority command. For details on this command, see Chapter 16, QoS Rate-
and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any
existing configuration for the classification map is overridden.
802.1p-value An integer from 0 (lowest priority) to 7 (highest priority) representing the
contents of the three user priority bits in the 802.1p virtual LAN (VLAN) Tag
Control Information (TCI) field.
Default
None
Usage Guidelines
Use the qos to ethernet command to define egress mappings from PD QoS values to Ethernet 802.1p
values.
If you specify the all keyword, all valid PD values are mapped to the specified 802.1p value. Any existing
configuration for the classification map is overridden. You can use the all keyword to specify a single
default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the default form of this command to revert one or all Ethernet 802.1p values to either the default 8P0D
or mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map pd-to-8021p for Ethernet 802.1p values on egress,
then maps the af33 and af21 PD QoS values to Ethernet 802.1p values 1 and 7, respectively:
[local]Redback(config)#qos class-map pd-to-8021p ethernet out
[local]Redback(config-class-map)#qos af33 to ethernet 1
[local]Redback(config-class-map)#qos af21 to ethernet 7
Related Commands
ethernet to qos
qos hierarchical mode strict
qos to ip
qos {pd-value | all} to ip dscp-value
default qos {dscp-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Differentiated Services Code Point
(DSCP) values in the IP header on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in three
higher-order bits and the packet drop precedence in the three lower-order bits.
You can enter the value in decimal or hexadecimal format, for example 16 or
0x10. You can also enter a standard DSCP marking label as defined in
Table 16-21 on page 16-71.
The scale used by this command for packet priority, from 0 (lowest priority)
to 7 (highest priority), is the relative inverse of the scale used by the mark
priority command. For details on this command, see Chapter 16, QoS Rate-
and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any
existing configuration for the classification map is overridden.
dscp-value An integer from 0 to 63 representing the contents of the most significant six
bits of the Type of Service (ToS) field in the IP header. You can enter the
value in decimal or hexadecimal format, for example 16 or 0x10. You can
also enter a standard DSCP marking label as defined in Table 16-21 on
page 16-71.
Default
None
Usage Guidelines
Use the qos to ip command to translate PD QoS values to DSCP values in the IP header on egress.
If you specify the all keyword, all valid PD values are mapped to the specified IP header values. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the default form of this command to revert values for one or all map entries to their default values,
where each PD QoS value is mapped to the equivalent DSCP value.
Examples
The following example defines the classification map pd-to-dscp for IP values on egress, then maps
all PD QoS values to the DSCP value af13. It then overrides this mapping for PD QoS values 25 and df,
which are mapped to DSCP values af21 and 1, respectively:
[local]Redback(config)#qos class-map pd-to-dscp ip out
[local]Redback(config-class-map)#qos all to ip af13
[local]Redback(config-class-map)#qos 25 to ip af21
[local]Redback(config-class-map)#qos df to ip 1
Related Commands
mapping-schema
qos hierarchical mode strict
qos to mpls
qos {pd-value | all} to mpls exp-value
default qos {exp-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Multiprotocol Label Switching
(MPLS) experimental (EXP) values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in three
higher-order bits and the packet drop precedence in the three lower-order bits.
You can enter the value in decimal or hexadecimal format, for example 16 or
0x10. You can also enter a standard Differentiated Services Code Point
(DSCP) marking label as defined in Table 16-21 on page 16-71.
The scale used by this command for packet priority, from 0 (lowest priority)
to 7 (highest priority), is the relative inverse of the scale used by the mark
priority command. For details on this command, see Chapter 16, QoS Rate-
and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any
existing configuration for the classification map is overridden.
exp-value An integer from 0 (lowest priority) to 7 (highest priority) representing the
contents of the three EXP bits in the MPLS label header.
Default
None
Usage Guidelines
Use the qos to mpls command to define egress mappings from PD QoS values to MPLS EXP values.
If you specify the all keyword, all valid PD values are mapped to the specified MPLS EXP value. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the default form of this command to revert one or all MPLS EXP values to either the default 8P0D or
mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map pd-to-exp for MPLS values on egress, then maps
the ef and df PD user priority bits to MPLS EXP bits 7 and 1, respectively:
[local]Redback(config)#qos class-map pd-to-exp mpls out
[local]Redback(config-class-map)#qos ef to mpls 7
[local]Redback(config-class-map)#qos df to mpls 1
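The qos to atm, qos to ethernet, qos to ip and qos to mpls commands share one set of rules: a PD value is six bits with the priority in the high three bits and the drop precedence in the low three bits, it can be entered in decimal, hexadecimal or as a DSCP label, an all entry sets every map entry and later entries override it, and each marking type accepts a different target range. The following is an added example (constructed for this guide, not SmartEdge OS software or any Redback tool) that models those rules and replays the pd-to-dscp and pd-to-8021p examples above so the override behaviour can be checked. The DSCP label table is the standard RFC assignment and is assumed to match Table 16-21, which is not reproduced here; the class and function names are the example's own.

```python
"""Constructed model of SmartEdge-style egress classification maps.

Not SmartEdge OS code: it replays the CLI semantics described for qos to atm,
qos to ethernet, qos to ip and qos to mpls so the override rules can be checked.
"""
from typing import Dict, Optional, Tuple

# Standard DSCP marking labels (values from RFC 2474, RFC 2597 and RFC 3246).
# Assumed to correspond to Table 16-21 of the guide, which is not on this page.
DSCP_LABELS: Dict[str, int] = {
    "df": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14,
    "cs2": 16, "af21": 18, "af22": 20, "af23": 22,
    "cs3": 24, "af31": 26, "af32": 28, "af33": 30,
    "cs4": 32, "af41": 34, "af42": 36, "af43": 38,
    "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56,
}

# Legal target range for each egress marking type named on the page:
# ATM CLP bit, 802.1p user priority, MPLS EXP bits, IP DSCP.
TARGET_RANGES: Dict[str, Tuple[int, int]] = {
    "atm": (0, 1), "ethernet": (0, 7), "mpls": (0, 7), "ip": (0, 63),
}


def parse_pd_value(token: str) -> int:
    """Parse a PD (or DSCP) value given as decimal, hex (0x10) or a label (af33)."""
    tok = token.strip().lower()
    value = DSCP_LABELS[tok] if tok in DSCP_LABELS else int(tok, 0)
    if not 0 <= value <= 63:
        raise ValueError(f"PD value {token!r} is outside 0..63")
    return value


def split_pd(value: int) -> Tuple[int, int]:
    """Return (priority, drop precedence): the high and low three bits of a PD value."""
    return value >> 3, value & 0x7


class EgressClassMap:
    """One 'qos class-map <name> <marking-type> out' map with its mapping entries."""

    def __init__(self, name: str, marking_type: str) -> None:
        if marking_type not in TARGET_RANGES:
            raise ValueError(f"unknown marking type {marking_type!r}")
        self.name = name
        self.marking_type = marking_type
        self.entries: Dict[int, int] = {}   # PD value -> target marking

    def qos_to(self, pd: str, target: str) -> None:
        """Apply 'qos {pd-value | all} to <marking-type> <target>'."""
        # IP targets may be DSCP labels; the other marking types take integers only.
        tgt = parse_pd_value(target) if self.marking_type == "ip" else int(target, 0)
        lo, hi = TARGET_RANGES[self.marking_type]
        if not lo <= tgt <= hi:
            raise ValueError(f"{self.marking_type} target {tgt} is outside {lo}..{hi}")
        if pd.strip().lower() == "all":
            # 'all' replaces every entry; later commands override individual entries.
            self.entries = {v: tgt for v in range(64)}
        else:
            self.entries[parse_pd_value(pd)] = tgt

    def lookup(self, pd: str) -> Optional[int]:
        """Configured target for a PD value, or None if the entry was never set
        (the device would then fall back to the default or mapping-schema value)."""
        return self.entries.get(parse_pd_value(pd))


def build_pd_to_dscp_map() -> EgressClassMap:
    """Replay of the page's pd-to-dscp example: 'all' first, then two overrides."""
    cmap = EgressClassMap("pd-to-dscp", "ip")
    cmap.qos_to("all", "af13")
    cmap.qos_to("25", "af21")
    cmap.qos_to("df", "1")
    return cmap


def build_pd_to_8021p_map() -> EgressClassMap:
    """Replay of the page's pd-to-8021p example: two entries, no 'all' base."""
    cmap = EgressClassMap("pd-to-8021p", "ethernet")
    cmap.qos_to("af33", "1")
    cmap.qos_to("af21", "7")
    return cmap


if __name__ == "__main__":
    dscp_map = build_pd_to_dscp_map()
    for pd in ("25", "df", "af33", "0x10"):
        prio, drop = split_pd(parse_pd_value(pd))
        print(f"{pd:>5} -> DSCP {dscp_map.lookup(pd)}  (priority {prio}, drop precedence {drop})")
```

Running the model shows why the order of commands matters: after qos all to ip af13, every PD value (including af33 and 0x10) resolves to 14 until an individual entry such as qos 25 to ip af21 replaces it, whereas entering all after the individual entries would wipe them. The range check on the target is the same constraint the CLI enforces (a CLP value of 2 or an 802.1p value of 9 is rejected), and split_pd reproduces the Table 18-23 decomposition of AF11 (PD value 10) into priority 1 and drop precedence 2.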
Related Commands
mpls to qos
qos hierarchical mode strict
qos use-ip
qos {pd-value | all} use-ip [class-map map-name]
default qos {pd-value | all}
Purpose
For IP packets, determines packet descriptor (PD) values by mapping Differentiated Services Code Point
(DSCP) values rather than quality of service (QoS) values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in three
higher-order bits and the packet drop precedence in the three lower-order bits.
You can enter the value in decimal or hexadecimal format, for example 16 or
0x10. You can also enter a standard DSCP marking label as defined in
Table 16-21 on page 16-71.
The scale used by this command for packet priority, from 0 (lowest priority)
to 7 (highest priority), is the relative inverse of the scale used by the mark
priority command. For details on this command, see Chapter 16, QoS Rate-
and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any
existing configuration for the classification map is overridden.
use-ip Enables a secondary mapping lookup using the packet's DSCP bits as input.
If no classification map is specified for the secondary lookup, the default
DSCP-to-target mapping is used.
When configuring a classification map for use as a secondary classification
map on egress, omit the use-ip keyword.
class-map map-name Optional. Name of the classification map.
Default
None
Usage Guidelines
Use the qos use-ip command to determine the final 802.1p or Multiprotocol Label Switching (MPLS)
experimental (EXP) value based on the DSCP value in the IP header for a packet with the specified PD QoS
value on egress. Each packet is scheduled according to the PD value, but the MPLS or Ethernet header is
marked with the egress packet's DSCP values rather than the PD values.
If you specify the all keyword, all PD value entries use DSCP-based mappings. Any existing configuration
for the classification map is overridden. You can use the all keyword to specify a single default value for
all the mapping entries, then override that value for a subset of entries by entering subsequent mapping
commands without this keyword.
If you specify the optional class-map map-name construct, the DSCP values are mapped to 802.1p values
according to the specified secondary classification map. The SmartEdge OS interprets QoS-to-Ethernet or
QoS-to-MPLS entries as if the QoS value actually specified a DSCP value. For example, the entry
qos 1 to ethernet 2 actually maps DSCP value 1 to 802.1p value 2.
The secondary classification map must have the same values for the marking-type argument and mapping
direction as the primary classification map and cannot include any use-ip classification map entries. If you
do not specify a secondary classification map, the default DSCP-to-target mapping is used.
Use the default form of this command to revert one or all PD values to either the default 8P0D or mapping
schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map pd-to-exp for MPLS values on egress and
specifies 6P2D as the default mapping schema. Then, it specifies to map PD values to DSCP values rather
than QoS values, using the secondary classification map dscp-to-exp for translation. Finally, it maps
PD value af33 to MPLS EXP value 4, and PD value 13 to the corresponding DSCP value:
[local]Redback(config)#qos class-map pd-to-exp mpls out
[local]Redback(config-class-map)#mapping-schema 6P2D
[local]Redback(config-class-map)#qos all use-ip dscp-to-exp
[local]Redback(config-class-map)#qos af33 to mpls 4
[local]Redback(config-class-map)#qos 13 use-ip
Related Commands
mapping-schema
qos hierarchical mode strict
qos to ethernet
qos to mpls
qos weight
qos weight weight
no qos weight weight
Purpose
Assigns to this circuit a relative weight that is used to calculate a traffic ratio for all circuits configured on
a traffic-managed port.
Command Mode
dot1q PVC configuration
hierarchical node configuration
hierarchical node group configuration
Syntax Description
weight Relative weight that is assigned to this circuit. The range of values is 1 to 4096.
Default
All circuits configured on this port have the same weight.
Usage Guidelines
Use the qos weight command to assign to this circuit a relative weight that is used to calculate a traffic ratio
for all circuits configured on a traffic-managed port.
You can assign a relative weight, or you can set a minimum absolute rate, for the circuit, using the qos rate
command (in dot1q PVC, hierarchical node, or hierarchical node group configuration mode), but you
cannot do both; the relative weight and minimum absolute rate are mutually exclusive.
You can assign a relative weight (using this command) and set a maximum absolute rate for the circuit,
using the qos rate command (in dot1q PVC, hierarchical node, or hierarchical node group configuration
mode).
For 802.1Q permanent virtual circuits (PVCs), this command can be used to configure both static and
on-demand PVCs.
Use the no form of this command to specify the default condition.
Note When you first configure the qos hierarchical mode strict, qos rate, or qos weight
command for a dot1q PVC, the SmartEdge OS removes previously configured QoS policy
queuing commands on the circuit or any of its children. Configuring one of these commands
on a circuit group for the first time deletes any QoS policy queuing commands on its existing
members, and adding a member to a circuit group that has a configured L3 command removes
all QoS policy queuing commands configured on the member circuit. To address this issue,
reconfigure these QoS policy queuing commands.
Examples
The following example specifies a weight of 3 for the hierarchical nodes dslam1 through dslam5:
[local]Redback(config)#port ethernet 5/2
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos node-group home 1
[local]Redback(config-h-node)#qos hierarchical mode strict
[local]Redback(config-h-node)#qos node dslam 1 through 5
[local]Redback(config-h-node)#qos weight 3
Related Commands
qos rate
weight
rate circuit
rate circuit {in | out} kbps burst bytes [excess-burst bytes]
no rate circuit {in | out}
Purpose
Specifies a different rate for a circuit that has a quality of service (QoS) metering, policing, or priority
weighted fair queuing (PWFQ) policy attached to it.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
CLIPS PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
Syntax Description
in Overrides the policy rate specified in the policy attached to this circuit for
incoming packets.
out Overrides the policy rate specified in the policy attached to this circuit for
outgoing packets.
kbps Rate in kilobits per second. The range of values is 5 to 1,000,000.
burst bytes Burst tolerance in bytes. The range of values is 1 to 1,250,000,000.
excess-burst bytes Optional. Excess burst tolerance in bytes. The range of values is 1 to
1,250,000,000.
Default
The circuit rate is based on the policy rate as specified by the attached QoS policy.
Usage Guidelines
Use the rate circuit command to specify a different rate for a circuit that has a QoS metering, policing, or
PWFQ policy attached to it. The rate that you specify for the circuit overrides the rates specified by the
attached metering, policing, and PWFQ policies.
This command allows you to attach the same policy to a number of circuits, but specify a different rate for
each circuit.
This command is not supported for dynamic 802.1Q permanent virtual circuits (PVCs).
Use the no form of this command to specify the default condition.
Examples
The following example changes the rate for port 1 to 2,000 kbps:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy metering example2
[local]Redback(config-port)#rate circuit out 2000
Note Configuring the rate circuit command on an ATM port has no effect. In order to limit ATM
traffic, configure this command on ATM PVCs.
Note The application of a different rate in either direction occurs only while you have attached the
appropriate QoS policy to the circuit.
Related Commands
qos policy metering
qos policy policing
qos policy queuing
Flow Admission Control Configuration 19-1
Chapter 19
Flow Admission Control Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS flow architecture.
It contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
A flow is a unidirectional object that identifies related data packets and enables you to apply a set of
services to a portion of an 802.1Q circuit. Flows provide greater efficiency because you can associate
services to be applied on a portion of the circuit. Without flows, you could apply services to entire groups
of subscribers mapped to a specified circuit. Flow attributes are inherited from any services that are applied
to the relevant circuit.
For information about the commands used to monitor, administer, and troubleshoot flow admission control
features, see the Flow Admission Control Operations chapter in the IP Services and Security Operations
Guide for the SmartEdge OS.
Flow attributes reside in a flow admission control (FAC) profile which is the basic unit of flow
configuration. First you create a FAC profile and then you apply it to an existing circuit from circuit
configuration mode.
A FAC profile controls various attributes pertaining to flow limits, for example, the maximum number of
flows on a circuit.
Note You can apply FAC profiles only to an 802.1Q circuit.
Note If you have fewer than a couple of packets per flow, the benefit realized through flows is less
than the overhead associated with their management.
The SmartEdge OS generates a flow when a packet passing through the SmartEdge OS contains attributes
that match specified settings. These settings are the source port, the destination port, the source IP address,
the destination IP address, and the protocol. This quintet of settings is the five-tuple method, a standard used
in flow generation.
To enable flow services on a circuit, you need to have Version 2 of the Packet Processing ASIC (PPA) for
the traffic card on which the circuit resides. All SmartEdge platforms support the flow feature.
The flow feature is further described in the following sections:
Circuit Flow State
Flow Attributes
Circuit Flow State
The flow state of a circuit refers to whether the flow is active or inactive. The flow state of a circuit is
enabled if a FAC profile is currently applied to the circuit.
To change the flow state from inactive to active, you enable a flow, specifying the ID of the circuit you want
to change. To change the flow state from active to inactive, you disable the flow, specifying the ID of the
circuit you want to change. The flow state of a circuit is disabled if a FAC profile is currently applied to the
circuit and you have not enabled flows on the circuit.
Flow Attributes
You can specify a traffic direction when you apply a FAC profile to each circuit: ingress, egress, or
bidirectional. Also, you can control how many flows generate using various time criteria:
Maximum Flows Per Circuit
Burst Flow Creation Rate
Sustained Flow Creation Rate
Figure 19-1 displays a typical flow creation rate cycle.
Figure 19-1 Flow Creation Rates
Maximum Flows Per Circuit
The number of flows that can be applied to a circuit is limited. This limit is the maximum flows per circuit.
After the number of flows created reaches this maximum, the SmartEdge OS can create no more flows and
may drop packets.
If the SmartEdge OS creates too many flows, system resources like memory and processing power may be
overtaxed, degrading system performance. Set a meaningful maximum number of flows per circuit to
prevent system performance from degrading.
Creating the right number of flows on a circuit can improve performance because a flow affects the number
of services and the amount of quality of service (QoS) markings on a circuit. Creating the right balance
between too many and too few flows gives you more control over performance-related services on a circuit.
The maximum flows per circuit attribute has no default value. The maximum number of flows per circuit
you can create is 2 million. If more than 2 million flows are created for a circuit, the circuit may become
overloaded.
Burst Flow Creation Rate
You can control the number of flows that are created on a circuit by setting a fixed limit. This limit is the
burst flow creation rate (rate at which flows generate over a short period of time; the number of flows
created in one second). For example, if you set the burst flow creation rate to 100, the SmartEdge OS can
generate up to 100 flows per second. When the number of flows reaches 100, the SmartEdge OS generates
no more flows in that second and waits for the next second before continuing.
High burst flow creation rates can slow circuit performance. If the number of flows created in a second is
too high, system performance degrades. However, by setting the burst flow creation rate value, you can
prevent performance issues.
The burst flow creation rate has no default value. The maximum number of flows you can create in the first
second is 2 million. If more than 2 million flows are created for a circuit in the first second, the circuit may
become overloaded. By setting an optimal burst flow creation rate, you can keep the SmartEdge OS in a
stable state.
Sustained Flow Creation Rate
You can control the number of flows that are created on a circuit over time after the number of flows created
in a second has reached a limit. This setting is the sustained flow creation rate. This setting enables you to
limit flows, which stabilizes the SmartEdge OS. It is useful when the burst flow creation rate is optimal for
a one-second interval, but may overtax system memory over time.
For example, if the burst flow creation rate is 1,000, the circuit may be able to tolerate that many flows
created for a second. However, after four seconds elapse, the circuit may not be able to process the
cumulative number of flows allowed by the maximum flows per circuit value (4,000). To bring the flow
creation rate back to a value the SmartEdge OS can easily manage, configure a sustained flow creation rate
to a value less than 1,000; for example, 200.
When you change the sustained creation rate, the maximum number of flows created per second after the
first second is 200. The flow generation process stops when the maximum flows per circuit value is
reached. In this example, if the maximum flows per circuit value is 2,000, then the flow generation process
lasts six seconds.
Configuration Tasks
19-4 IP Services and Security Configuration Guide
To arrive at this figure, add 1,000 flows in the first second (allowed by the burst flow creation rate) and 200 in
each following second (allowed by the sustained flow creation rate), reaching the maximum limit of 2,000 after five
seconds. Table 19-1 shows the flow creation cycle based on these figures.
The sustained flow creation rate attribute has no default value. The maximum number of flows you can
create in each second after the first second elapses is 2 million. If more than 2 million flows are created for
a circuit after the first second, the circuit may become overloaded.
Configuration Tasks
To configure basic flow architecture, perform the tasks in Table 19-2. Enter all commands in flow
configuration mode, unless otherwise noted.
Table 19-1 Flow Creation Cycle
Time Unit (Second)   Flow Increment   Flow Sum   Notes
First                1,000            1,000      Allowed by the burst flow creation rate.
Second               200              1,200      Allowed by the sustained flow creation rate.
Third                200              1,400      Allowed by the maximum flows per circuit value.
Fourth               200              1,600      Allowed by the maximum flows per circuit value.
Fifth                200              1,800      Allowed by the maximum flows per circuit value.
Sixth                200              2,000      Allowed by the maximum flows per circuit value.
Seventh              200              2,200      Disallowed by the maximum flows per circuit value.
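The following Python model is added here for illustration; it is not SmartEdge OS code and does not appear in the original guide. It applies the three limits (burst rate for the first second, sustained rate for every later second, and the maximum flows per circuit as a cap on the running total) to a constructed stream of flow-creation attempts and reproduces the cycle in Table 19-1. The profile values, the demand_per_second input, and the function names are assumptions of the model.

```python
"""Model of the three FAC limits (added example, not SmartEdge OS code)."""
from dataclasses import dataclass

# Range the command descriptions give for all three values.
FAC_VALUE_MIN = 1
FAC_VALUE_MAX = 2097152


@dataclass(frozen=True)
class FacProfile:
    """Values an operator enters under 'flow admission-control profile'."""
    max_flows_per_circuit: int    # max-flows-per-circuit: cap on the running total
    burst_creation_rate: int      # burst-creation-rate: cap for the first second
    sustained_creation_rate: int  # sustained-creation-rate: cap for each later second


def validate_profile(profile: FacProfile) -> bool:
    """Return True when every value lies in the documented 1..2097152 range."""
    return all(FAC_VALUE_MIN <= v <= FAC_VALUE_MAX for v in
               (profile.max_flows_per_circuit, profile.burst_creation_rate,
                profile.sustained_creation_rate))


def flow_creation_cycle(profile: FacProfile, seconds: int, demand_per_second: int):
    """Simulate flow admission second by second.

    demand_per_second is a constructed input: how many flow-creation attempts
    arrive in each second. Returns one tuple per second:
    (second, admitted, rejected, running_total).
    """
    if not validate_profile(profile):
        raise ValueError("FAC values must be in the range 1 to 2097152")
    rows = []
    total = 0
    for second in range(1, seconds + 1):
        # Per-second cap: burst rate in the first second, sustained rate afterwards.
        rate_cap = profile.burst_creation_rate if second == 1 else profile.sustained_creation_rate
        # Running-total cap: nothing more is created once the circuit is full.
        room = max(profile.max_flows_per_circuit - total, 0)
        admitted = min(demand_per_second, rate_cap, room)
        total += admitted
        rows.append((second, admitted, demand_per_second - admitted, total))
    return rows


def seconds_until_full(profile: FacProfile, demand_per_second: int) -> int:
    """Seconds needed to reach max-flows-per-circuit under steady demand."""
    total, second = 0, 0
    while total < profile.max_flows_per_circuit:
        second += 1
        rate_cap = profile.burst_creation_rate if second == 1 else profile.sustained_creation_rate
        admitted = min(demand_per_second, rate_cap, profile.max_flows_per_circuit - total)
        if admitted == 0:
            raise ValueError("demand is zero; the circuit never fills")
        total += admitted
    return second


if __name__ == "__main__":
    # The figures used in the text: max 2,000, burst 1,000, sustained 200.
    example = FacProfile(max_flows_per_circuit=2000, burst_creation_rate=1000,
                         sustained_creation_rate=200)
    for row in flow_creation_cycle(example, seconds=7, demand_per_second=1000):
        print("second %d: admitted %4d  rejected %4d  total %4d" % row)
    print("circuit full after", seconds_until_full(example, 1000), "seconds")
```

With the values from the text the model admits 1,000 flows in the first second, 200 in each of the next five, and nothing in the seventh, matching the six-second cycle described above; the rejected column shows how much demand the profile turns away each second, which is the figure to watch when tuning the sustained rate against memory use.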
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 19-2 Configure a Flow Admission Control Profile
1. Create the FAC profile name and access flow configuration mode.
   Root Command: flow admission-control profile
   Notes: Enter this command in global configuration mode.
2. Optional. Create a maximum number of flows that can exist on a single circuit.
   Root Command: max-flows-per-circuit
3. Optional. Create a fixed limit on the number of flows that can be created in a second.
   Root Command: burst-creation-rate
4. Optional. Create a maximum number of flows that can be created on a circuit in each second after the
   burst creation rate limit has been reached.
   Root Command: sustained-creation-rate
5. Apply FAC profiles to a circuit.
   Root Command: flow apply admission-control profile
   Notes: Enter this command in circuit configuration mode.
6. Enable a FAC profile on a circuit.
   Root Command: flow enable
   Notes: Enter this command in exec mode.
Configuration Examples
This section includes the following examples:
Configuring a FAC Profile
Creating a FAC Profile Name and Entering the Mode
Configuring a Maximum Flows Per Circuit Rate
Configuring a Burst Creation Rate
Configuring a Sustained Creation Rate
Applying a FAC Profile to the Current Context
Enabling a FAC Profile on a Circuit
Configuring a FAC Profile
The following example configures a FAC profile to be applied to a circuit:
[local]Redback(config)#port ethernet 1/1
[local]Redback(config)#flow admission-control profile f1
[local]Redback(config-flow-ac-profile)#max-flows-per-circuit 1000
[local]Redback(config-flow-ac-profile)#burst-creation-rate 1000
[local]Redback(config-flow-ac-profile)#exit
[local]Redback(config)#commit
The following example displays output of the flow configuration session:
[local]Redback(config-ac-profile)#show configuration flow
card ge-10-port 1
port ethernet 1/1
  dot1q pvc 1
    flow apply admission-control profile f2 out
  dot1q pvc 2
    flow apply admission-control profile f3 in
  dot1q pvc 5
    flow apply admission-control profile f3 bidirectional
Creating a FAC Profile Name and Entering the Mode
The following example configures a FAC profile name called profile1 and enters flow configuration mode:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#
Configuring a Maximum Flows Per Circuit Rate
The following example sets the maximum flows allowed per circuit to 20:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#max-flows-per-circuit 20
[local]Redback(config-flow-ac-profile)#
Configuring a Burst Creation Rate
The following example sets a flow burst creation rate of 20:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#burst-creation-rate 20
[local]Redback(config-flow-ac-profile)#
Configuring a Sustained Creation Rate
The following example sets a flow sustained creation rate of 20:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#sustained-creation-rate 20
[local]Redback(config-flow-ac-profile)#
Applying a FAC Profile to the Current Context
The following example applies FAC profile profile1 to the current circuit after configuring an attribute (for
example, a flow sustained creation rate). Use the flow apply admission-control profile command in
circuit configuration mode:
[local]Redback(config)#port ethernet 1/1
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#flow apply admission-control profile profile1 bidirectional
Enabling a FAC Profile on a Circuit
The following example enables a FAC profile. You may first want to display flow circuits using the show
flow circuit all command to see which flow circuits are available. For details about this command, see the
IP Services and Security Configuration Guide:
[local]Redback#show flow circuit all
Circuit                  FAC Id      Dir   FAC Id      Dir
---------------------------------------------------------
3/1:1023:63/1/2/81922    0x40500002  in
[local]Redback#flow enable circuit 3/1:1023:63/1/2/81922 in
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure flow
architecture. The commands are presented in alphabetical order:
burst-creation-rate
flow admission-control profile
flow apply admission-control profile
flow enable
flow monitor circuit
max-flows-per-circuit
sustained-creation-rate
burst-creation-rate
burst-creation-rate value
no burst-creation-rate
Purpose
Establishes the number of flows created, per second, on a circuit.
Command Mode
flow configuration
Syntax Description
value Number of flows created on a circuit in one second. The range of values is 1 to 2097152.
Default
None
Usage Guidelines
Use the burst-creation-rate command to establish the number of flows created per second.
Use the no form of this command to set the creation rate to the previously set value.
Examples
The following example sets the burst creation rate to 2000:
[local]Redback(config-ac-profile)#burst-creation-rate 2000
Related Commands
flow admission-control profile
max-flows-per-circuit
sustained-creation-rate
flow admission-control profile
flow admission-control profile profile
no flow admission-control
Purpose
Creates a flow admission control (FAC) profile and enters flow configuration mode.
Command Mode
global configuration
Syntax Description
profile Name of the profile.
Default
No flow admission control profiles are configured.
Usage Guidelines
Use the flow admission-control profile command to create a FAC profile and enter flow configuration
mode. You use this profile to apply flow attributes to a circuit.
Use the no form of this command to remove a FAC profile.
Examples
The following example creates a FAC profile called profile1:
[local]Redback(config)#flow admission-control profile profile1
Related Commands
flow apply admission-control profile
flow enable
flow apply admission-control profile
flow apply admission-control profile name {in | out | bidirectional}
no flow apply admission-control
Purpose
Applies a flow admission control (FAC) profile to a circuit for a specified traffic direction.
Command Mode
circuit configuration
Syntax Description
name Name of the FAC profile.
in Specifies that the FAC profile applies to ingress traffic on the circuit.
out Specifies that the FAC profile applies to egress traffic on the circuit.
bidirectional Specifies that the FAC profile applies to both ingress and egress traffic on the circuit.
Default
None
Usage Guidelines
Use the flow apply admission-control profile command to apply a FAC profile to a circuit for a specified
traffic direction.
Use the no form of this command to remove a FAC profile from a circuit.
Examples
The following example applies FAC profile profile1 to bidirectional traffic on circuit dot1q pvc 1:
[local]Redback(config)#port ethernet 1/1
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#flow apply admission-control profile profile1 bidirectional
Related Commands
flow enable
flow enable
flow enable circuit circuit-handle direction
no flow enable
Purpose
Enables flows on a circuit.
Command Mode
exec
Syntax Description
circuit-handle Handle of the circuit to which flows apply. A circuit handle has the following syntax:
slot/port:channel:sub-channel/circuit-id.
slot Chassis slot number of the traffic card to which the circuit is mapped.
port Required if you enter the slot argument. Port number for the circuit.
channel Channel number of the circuit.
sub-channel Sub-channel number of the circuit.
circuit-id Circuit ID number to which flows apply.
direction Direction of the flow on the circuit. The value can be in, out, or bidirectional.
Default
Flows are disabled.
Usage Guidelines
Use the flow enable command to enable flows on a circuit.
Use the no form of this command to disable flows on a circuit.
Examples
The following example enables flows on circuit 3/1:1023:63/1/2/81922:
[local]Redback#flow enable circuit 3/1:1023:63/1/2/81922 in
Related Commands
flow admission-control profile
flow apply admission-control profile
flow monitor circuit
flow monitor circuit {count | list | log}
no flow monitor circuit
Purpose
Initiates monitoring of flows on a circuit.
Command Mode
flow configuration
Syntax Description
count Indicates that flows are to be counted on the current circuit.
list Indicates that flows are to be tracked on the current circuit.
log Indicates that flow events are to be logged on the current circuit.
Default
Flows are not monitored.
Usage Guidelines
Use the flow monitor circuit command to initiate monitoring of flows on a circuit.
Use the no form of this command to specify the default condition.
Examples
The following example initiates the counting of flows on a circuit:
[local]Redback(config-ac-profile)#flow monitor circuit count
Related Commands
flow admission-control profile
max-flows-per-circuit
max-flows-per-circuit value
no max-flows-per-circuit
Purpose
Sets the maximum number of flows the system can create on a circuit.
Command Mode
flow configuration
Syntax Description
value Maximum number of flows the system can create on a circuit. The range of values is 1 to 2097152.
Default
None
Usage Guidelines
Use the max-flows-per-circuit command to set the maximum number of flows the system can create on a
circuit.
Use the no form of this command to set the rate at the previously set value.
Examples
The following example sets the maximum number of flows the system can generate on the current circuit
to 2000:
[local]Redback(config-ac-profile)#max-flows-per-circuit 2000
Related Commands
burst-creation-rate
flow admission-control profile
sustained-creation-rate
sustained-creation-rate value
no sustained-creation-rate
Purpose
Sets the number of flows the system can apply to a circuit in each second after the first second elapses.
Command Mode
flow configuration
Syntax Description
value Rate, for each second after the first second, at which the system can create flows over a
sustained period of time. The range of values is 1 to 2097152.
Default
None
Usage Guidelines
Use the sustained-creation-rate command to establish the number of flows the system can apply to a
circuit in each second after the first second elapses.
Use the no form of this command to set the rate at the previously set value.
Examples
The following example sets the number of flows applied to a circuit to 1000 in each second after the first
second elapses:
[local]Redback(config-ac-profile)#sustained-creation-rate 1000
Related Commands
burst-creation-rate
flow admission-control profile
Part 7
IP Security
This part describes the tasks and commands used to configure security features, including authentication,
authorization, and accounting (AAA), Remote Authentication Dial-In User Service (RADIUS), Terminal
Access Controller Access Control System Plus (TACACS+), lawful intercept (LI), and key chains. It
consists of the following chapters:
Chapter 20, AAA Configuration
Chapter 21, RADIUS Configuration
Chapter 22, TACACS+ Configuration
Chapter 23, Lawful Intercept Configuration
Chapter 24, Key Chain Configuration
Chapter 20
AAA Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS authentication,
authorization, and accounting (AAA) features.
For information about the commands used to monitor, troubleshoot, and administer AAA, see the
AAA Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
SmartEdge OS AAA features are described in the following sections:
Authentication
Authorization and Reauthorization
Accounting
Authentication
Authentication features are described in the following sections:
Administrators
Subscribers
Note In the following descriptions, the term controller card refers to the Cross-Connect Route
Processor (XCRP) Controller card (XCRP, XCRP3, or XCRP4), unless otherwise noted. The
term controller carrier card refers to the controller functions on the carrier card within the
SmartEdge 100 chassis; these functions are compatible with the XCRP3 Controller card.
Administrators
By default, the SmartEdge OS configuration performs administrator authentication. You can also
authenticate administrators through database records on a Remote Authentication Dial-In User Service
(RADIUS) server, through a Terminal Access Controller Access Control System Plus (TACACS+) server,
or through one method, followed by another.
You must configure the IP address of a reachable RADIUS or TACACS+ server (or both) in the context in
which the administrator is configured. For information about RADIUS and TACACS+, see Chapter 21,
RADIUS Configuration, and Chapter 22, TACACS+ Configuration, respectively.
You can set a maximum limit on the number of administrator sessions that can be simultaneously active in
each context.
Subscribers
Subscriber authentication is described in the following sections:
Authentication Options
Maximum Subscriber Sessions
Limit Subscriber Services
Binding Order
IP Address Assignment
Authentication Options
By default, the SmartEdge OS configuration performs subscriber authentication. You can also authenticate
subscribers through database records on a RADIUS server, or through one method, followed by another.
When the IP address or hostname of the RADIUS server is configured in the SmartEdge OS local context,
global RADIUS authentication is performed. That is, although subscribers may be configured in a
nonlocal context, subscribers in nonlocal contexts are authenticated through the RADIUS server
configured in the local context. With global RADIUS authentication, the RADIUS server returns the
Context-Name vendor-specific attribute (VSA) indicating the name of the particular context to which
subscribers are to be bound.
When the IP address or hostname of the RADIUS server is configured in a context other than the local
context, context-specific RADIUS authentication is performed; that is, only subscribers bound to the
context in which the RADIUS server's IP address or hostname is configured are authenticated.
You can also configure the SmartEdge OS to try authentication through a RADIUS server configured in the
nonlocal context first, with a fallback to a RADIUS server configured in the local context, in case the first
server becomes unavailable. Or, you can configure the SmartEdge OS to try authentication through a
RADIUS server configured in a nonlocal context, with a fallback to the SmartEdge OS configuration.
AAA includes the following Layer 2 Tunneling Protocol (L2TP) attribute-value pairs (AVPs), RADIUS
standard attributes, and Redback vendor-specific attributes (VSAs) in RADIUS Access-Request
messages for L2TP network server (LNS) subscribers that are authenticated using RADIUS:
Tunnel-Client-Endpoint (66)
Tunnel-Server-Endpoint (67)
Acct-Tunnel-Connection (68)
Tunnel-Assignment-ID (82)
Tunnel-Client-Auth-ID (90)
Tunnel-Server-Auth-ID (91)
Tunnel-Function (VSA 18)
Tx-Connect-Speed (L2TP AVP 24)
Rx-Connect-Speed (L2TP AVP 38)
For more information about RADIUS standard attributes and Redback VSAs, see Appendix A, RADIUS
Attributes. For more information about L2TP AVPs, see the L2TP Attribute-Value Pairs appendix in the
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Maximum Subscriber Sessions
You can set a maximum limit on the number of subscriber sessions that can be simultaneously active within
a given context and for all configured contexts.
Limit Subscriber Services
You can limit the services provided to subscribers based on volume (amount of traffic in Kbytes). You can
monitor volume-based services in the upstream and downstream directions independently, or you can
monitor the aggregated traffic in both directions. However, you cannot simultaneously monitor the
aggregated traffic and either upstream or downstream traffic.
Volume limits are imposed by the RADIUS VSA 113 in Access-Accept and Accounting-Request messages.
This attribute implements the following features:
Both in and out counters for incoming (upstream) and outgoing (downstream) traffic in Kbytes are
supported.
An aggregated counter of both incoming and outgoing traffic in Kbytes is supported. If the aggregated
counter exceeds the configured value for aggregated traffic limit, AAA is notified. The AAA, in turn,
either sends a RADIUS accounting message or tears down the subscriber session depending on the
configured action to perform.
If the attribute does not include the direction to which the limit is applied, the downstream direction is
assumed.
If no limit is included, the traffic volume is unlimited in both directions and is not monitored.
A limit of 0 in either direction is treated as unlimited in that direction and is not monitored.
VSA 113 is also supported in a subscriber reauthorize Access-Accept message.
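The following Python model is added here to make the precedence of these rules concrete; it is not SmartEdge OS code and does not appear in the original guide. It represents a decoded limit as a constructed (kbytes, direction) pair rather than the on-the-wire VSA 113 encoding, which this guide does not describe, and the action names "accounting-message" and "teardown" are assumed labels for the two configured actions mentioned above.

```python
"""Volume-limit bookkeeping following the VSA 113 rules above (added example, not SmartEdge OS code)."""

DIRECTIONS = ("upstream", "downstream", "aggregate")
ACTIONS = ("accounting-message", "teardown")  # assumed labels for the two configured actions


def interpret_volume_limit(limit_kbytes, direction=None):
    """Normalise one decoded limit as the text describes.

    The (limit_kbytes, direction) pair is a constructed stand-in for the decoded
    attribute, not the VSA 113 wire format. Returns (direction, kbytes), or None
    when that direction is unlimited and therefore not monitored.
    """
    if limit_kbytes is None or limit_kbytes == 0:
        return None  # missing or 0: unlimited, not monitored
    if limit_kbytes < 0:
        raise ValueError("volume limit must not be negative")
    if direction is None:
        direction = "downstream"  # direction omitted: downstream is assumed
    if direction not in DIRECTIONS:
        raise ValueError("unknown direction: " + str(direction))
    return direction, limit_kbytes


class VolumeMonitor:
    """Tracks one subscriber session's traffic (in Kbytes) against its limits."""

    def __init__(self, limits, action="teardown"):
        # limits: iterable of (kbytes,) or (kbytes, direction) tuples, constructed input
        if action not in ACTIONS:
            raise ValueError("unknown action: " + str(action))
        self.limits = {}
        for entry in limits:
            parsed = interpret_volume_limit(*entry)
            if parsed is not None:
                self.limits[parsed[0]] = parsed[1]
        # The aggregated counter cannot be monitored alongside a per-direction counter.
        if "aggregate" in self.limits and len(self.limits) > 1:
            raise ValueError("aggregated and per-direction limits cannot be monitored together")
        self.action = action
        self.up_kbytes = 0
        self.down_kbytes = 0
        self.exceeded = None  # direction whose limit was first exceeded, if any

    def monitored(self) -> bool:
        """False when every configured limit was missing or 0."""
        return bool(self.limits)

    def account(self, up_kbytes, down_kbytes):
        """Add traffic; return the configured action the first time a limit is exceeded, else None."""
        self.up_kbytes += up_kbytes
        self.down_kbytes += down_kbytes
        if self.exceeded is not None:
            return None  # AAA has already been notified for this session
        counters = {"upstream": self.up_kbytes,
                    "downstream": self.down_kbytes,
                    "aggregate": self.up_kbytes + self.down_kbytes}
        for direction, limit in self.limits.items():
            if counters[direction] > limit:
                self.exceeded = direction
                return self.action
        return None


if __name__ == "__main__":
    session = VolumeMonitor([(100, "aggregate")], action="accounting-message")
    print(session.account(60, 30))   # None: 90 Kbytes, under the 100 Kbyte aggregate limit
    print(session.account(5, 10))    # accounting-message: 105 Kbytes exceeds the limit
```

Note that a limit with no direction is applied downstream, that a 0 or missing limit removes monitoring for that direction without raising an error, and that the aggregated-versus-directional conflict is rejected when the limits are installed rather than when traffic arrives.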
Binding Order
If a subscriber circuit has been configured with a dynamic binding, using the bind authentication
command (in circuit configuration mode), AAA makes use of the subscriber attributes in messages
received during subscriber authentication to determine which IP address (and the associated interface) to
use when binding the subscriber circuit.
By default, the SmartEdge OS considers L2TP attributes before considering RADIUS attributes. You can
reverse this order so that the IP address provided in the RADIUS record is used in preference to one
provided by L2TP.
IP Address Assignment
You can configure the SmartEdge OS to use either a round-robin or first-available algorithm to allocate
subscriber IP addresses from the IP pool. The default algorithm is round-robin.
AAA typically assigns an IP address to a Point-to-Point Protocol (PPP) subscriber from an IP pool after
receiving an Access-Accept packet from a RADIUS server. However, you can configure AAA to provide
an IP address from an IP pool in the Framed-IP-Address attribute in the RADIUS Access-Request packet.
This IP address is provided to the RADIUS server as a hint that it is a preferred address. If there are no
unassigned IP addresses in the pool, the authentication request is sent without an IP address.
The RADIUS server can choose to accept the address or not; Table 20-1 lists the various responses that the
RADIUS server can make and the corresponding action that the SmartEdge OS performs.
Authorization and Reauthorization
Authorization and reauthorization features are described in the following sections:
CLI Commands Authorization
Dynamic Subscriber Reauthorization
CLI Commands Authorization
You can specify that commands with a matching privilege level (or higher) require authorization through
TACACS+.
Dynamic Subscriber Reauthorization
When subscribers request new or modified services during active sessions, the requests can be translated
to changes that are applied during the active session through dynamic subscriber reauthorization.
Reauthentication occurs without the requirement of PPP renegotiation and without interrupting or dropping
the active session.
Table 20-1 SmartEdge OS and RADIUS Server Actions
RADIUS Server Response: Framed-IP-Address attribute contains 255.255.255.254, 0.0.0.0, or is missing.
SmartEdge Router Corresponding Action: SmartEdge OS assigns the preferred IP address.
RADIUS Server Response: Framed-IP-Address attribute contains a different IP address.
SmartEdge Router Corresponding Action: SmartEdge OS assigns the IP address in the Framed-IP-Address
attribute and returns the preferred IP address to its pool.
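The following Python model is added here to show the pool allocation algorithms and the Table 20-1 decision in working form; it is not SmartEdge OS code and does not appear in the original guide. The IpPool class, its round-robin cursor, the constructed 192.0.2.0/29 pool, and the dictionary form of the RADIUS messages are assumptions of the model; the behaviour it encodes (hint only when an address is free, keep the hint unless the server returns a different address, return the hint to the pool in that case) is the behaviour described above.

```python
"""IP pool allocation and Framed-IP-Address hint handling (added example, not SmartEdge OS code)."""
import ipaddress

# Framed-IP-Address values that Table 20-1 treats as "server made no different choice".
NO_ADDRESS = ("255.255.255.254", "0.0.0.0", None)


class IpPool:
    """Subscriber IP pool supporting the two algorithms 'aaa ip-pool allocation' selects between."""

    def __init__(self, cidr: str, algorithm: str = "round-robin"):
        if algorithm not in ("round-robin", "first-available"):
            raise ValueError("unknown allocation algorithm: " + algorithm)
        self.addresses = [str(a) for a in ipaddress.ip_network(cidr).hosts()]
        self.free = set(self.addresses)
        self.algorithm = algorithm
        self._cursor = 0  # round-robin position; advances past every address handed out

    def allocate(self):
        """Return a free address, or None when the pool is exhausted."""
        if not self.free:
            return None
        if self.algorithm == "first-available":
            # Lowest free address wins, so a released address is reused immediately.
            for addr in self.addresses:
                if addr in self.free:
                    self.free.discard(addr)
                    return addr
        # round-robin: keep walking the pool so a recently released address is reused last.
        for _ in range(len(self.addresses)):
            addr = self.addresses[self._cursor]
            self._cursor = (self._cursor + 1) % len(self.addresses)
            if addr in self.free:
                self.free.discard(addr)
                return addr
        return None

    def release(self, addr: str) -> None:
        """Return an address to the pool (ignores addresses the pool never owned)."""
        if addr in self.addresses:
            self.free.add(addr)


def build_access_request(pool: IpPool, username: str) -> dict:
    """'aaa hint ip-address' behaviour: offer a pool address as the preferred address.

    When the pool has no unassigned address the request carries no Framed-IP-Address.
    """
    request = {"User-Name": username}
    hint = pool.allocate()
    if hint is not None:
        request["Framed-IP-Address"] = hint
    return request


def apply_access_accept(pool: IpPool, request: dict, accept: dict):
    """Apply the Table 20-1 rules and return the address the subscriber is given."""
    hint = request.get("Framed-IP-Address")
    returned = accept.get("Framed-IP-Address")
    if returned in NO_ADDRESS:
        # Server accepted the hint or made no choice: keep the preferred address,
        # allocating one only now if no hint could be offered earlier.
        return hint if hint is not None else pool.allocate()
    if hint is not None and returned != hint:
        # Server chose a different address: the preferred one goes back to the pool.
        pool.release(hint)
    return returned


if __name__ == "__main__":
    pool = IpPool("192.0.2.0/29")  # constructed pool: 192.0.2.1 to 192.0.2.6
    req = build_access_request(pool, "alice@example.net")
    print(req)  # carries the hint 192.0.2.1
    print(apply_access_accept(pool, req, {"Framed-IP-Address": "0.0.0.0"}))
    req = build_access_request(pool, "bob@example.net")
    print(apply_access_accept(pool, req, {"Framed-IP-Address": "198.51.100.9"}))
    print(sorted(pool.free))  # 192.0.2.2 is back in the pool
```

The difference between the two algorithms only shows after a release: first-available hands a just-freed address straight back out, while round-robin continues from where it left off, which is why the default lets an address rest before it is reassigned.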
Accounting
Accounting features are described in the following sections:
CLI Commands Accounting
Administrator Accounting
Subscriber Accounting
L2TP Accounting
CLI Commands Accounting
You can configure the SmartEdge OS so that accounting messages are sent to a TACACS+ server whenever
an administrator enters commands at the specified privilege level (or higher).
Administrator Accounting
You can configure administrator accounting, which tracks messages for administrator sessions; the
messages are sent to a TACACS+ server.
Subscriber Accounting
You can configure subscriber accounting, which tracks messages for subscriber sessions; the messages are
sent to a RADIUS accounting server. Use the aaa accounting subscriber command with the radius
keyword to configure subscriber accounting. When the IP address or hostname of the RADIUS accounting
server is configured in the SmartEdge OS local context, global authentication is performed. That is,
although subscribers are configured in a nonlocal context, accounting messages for subscriber sessions in
the context are sent through the RADIUS accounting server configured in the local context. When using
global RADIUS subscriber accounting, configuring global RADIUS subscriber authentication is required.
When the IP address or hostname of the RADIUS accounting server is configured in a context other than
the local context, context-specific accounting is performed; that is, accounting messages are sent for only
subscribers bound to the context in which the RADIUS accounting server IP address or hostname is
configured.
You can configure the SmartEdge OS to send accounting messages to a RADIUS accounting server
configured in the nonlocal context and to a RADIUS accounting server configured in the local context; this
setup is called two-stage accounting.
For example, a copy of the accounting data can be sent to a wholesaler's RADIUS accounting server and
to an upstream service provider's RADIUS accounting server, allowing end-of-period accounting data to
be reconciled and validated by both parties.
Note Configuring the global keyword with the aaa accounting subscriber command allows you
to enable global RADIUS subscriber accounting without requiring that global authentication
also be performed. For more information, see the aaa accounting subscriber command.
You can also specify the error conditions for which the SmartEdge router will suppress the sending of
accounting messages to a RADIUS accounting server.
L2TP Accounting
You can configure L2TP accounting, which tracks messages for L2TP tunnels, or sessions in L2TP tunnels;
the messages are sent to a RADIUS accounting server. When the IP address or hostname of the RADIUS
accounting server is configured in the SmartEdge OS local context, global authentication is performed.
When the IP address or hostname of the RADIUS accounting server is configured in a context other than
the local context, context-specific accounting is performed. You can also configure two-stage accounting.
If a subscriber session cannot be tunneled to a specific L2TP network server (LNS) or to an LNS in a group
of L2TP peers, or if the SmartEdge router has received a Link Control Protocol (LCP) termination request
from the subscriber before session establishment is complete, the Acct-Session-Time attribute is set to 0.
Configuration Tasks
To configure AAA, perform the tasks described in the following sections:
Configure Global AAA
Configure Authentication
Configure Authorization and Reauthorization
Configure Accounting
Note The SmartEdge OS attempts to send a single accounting on message when more than one
type of RADIUS accounting is enabled. For example, if you enable both subscriber
accounting and L2TP accounting, the SmartEdge OS sends a single accounting on message
to each RADIUS accounting server, even if you enable L2TP accounting at a later time.
Similarly, the accounting off message is not sent until you have disabled all types of
RADIUS accounting.
Note Configuring the global keyword with the aaa accounting l2tp session command allows you
to enable global RADIUS accounting for sessions in L2TP tunnels without requiring that
global authentication also be performed. For more information, see the aaa accounting l2tp
command.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Configure Global AAA
To configure global attributes for AAA, perform the tasks in the following sections:
Limit the Number of Active Administrator Sessions
Limit the Number of Active Subscriber Sessions
Enable a Direct Connection for Subscriber Circuits
Define Structured Username Formats
Require Username for Authentication
Limit the Number of Active Administrator Sessions
To limit the number of administrator sessions that can be simultaneously active in a given context, perform
the task described in Table 20-2.
Limit the Number of Active Subscriber Sessions
To limit the number of subscriber sessions that can be simultaneously active, perform the appropriate task
(or tasks) described in Table 20-3.
Enable a Direct Connection for Subscriber Circuits
To enable a direct connection for subscriber circuits by enabling the SmartEdge OS to install the route
specified by the RADIUS Framed-IP-Netmask attribute, perform the task described in Table 20-4.
Table 20-2 Limit the Number of Active Administrator Sessions
Task: Limit the number of administrator sessions that can be simultaneously active in a given context.
Root Command: aaa authentication administrator
Notes: Enter this command in context configuration mode. To set the limit, use the maximum sessions
num-sess construct.
Table 20-3 Limit the Number of Active Subscriber Sessions
Task: Limit the number of subscriber sessions that can be simultaneously active in the entire system.
Root Command: aaa global maximum subscriber
Notes: Enter this command in global configuration mode.
Task: Limit the number of subscriber sessions that can be simultaneously active in a given context.
Root Command: aaa maximum subscriber
Notes: Enter this command in context configuration mode.
Table 20-4 Enable a Direct Connection for Subscriber Circuits
Task: Enable use of the RADIUS Framed-IP-Netmask attribute to install the route to a remote router.
Root Command: aaa provision route
Notes: Enter this command in context configuration mode.
Define Structured Username Formats
To define one or more schemas for matching the format of structured usernames (subscriber and
administrator names), perform the task described in Table 20-5.
Require Username for Authentication
To require a username for authentication, perform the task described in Table 20-6.
By default, the SmartEdge OS sends Access-Request messages to the RADIUS server, regardless of
whether a username is specified.
Configure Authentication
To configure authentication, perform the tasks described in the following sections:
Configure Administrator Authentication
Configure Subscriber Authentication
Disable Subscriber Authentication
Configure Administrator Authentication
To configure administrator authentication, perform the task described in Table 20-7.
Table 20-5 Define Structured Username Formats
Task: Define one or more schemas for matching the format of structured usernames.
Root Command: aaa username-format
Notes: Enter this command in global configuration mode. If no username formats are explicitly defined, the
SmartEdge OS checks the default format, username@domain-name, for a match.
Table 20-6 Require Username for Authentication
Task: Specify that the User-Name attribute is required in Access-Request messages.
Root Command: aaa global reject empty-username
Notes: Enter this command in global configuration mode. If no value is specified for the User-Name attribute,
AAA suppresses the Access-Request message and subscriber authentication fails.
Table 20-7 Configure Administrator Authentication
Task: Configure administrator authentication.
Root Command: aaa authentication administrator
Notes: Enter this command in context configuration mode. You have the option to configure either the
console port or a vty port for each specified authentication method. By default, both ports are enabled for
use. Use either the console or vty keyword as needed.
Configure Subscriber Authentication
To configure subscriber authentication, perform the tasks described in the following sections:
Configure IP Address Assignment
Enable the Assignment of Preferred IP Addresses
Change the Default Order for Determining Subscriber IP Addresses
Configure Global RADIUS Authentication
Configure Context-Specific RADIUS Authentication
Configure SmartEdge OS Configuration Authentication
Configure Context-Specific RADIUS and Global RADIUS Authentication
Configure Context-Specific RADIUS and SmartEdge OS Authentication
Configure a Last-Resort Authentication Context
Configure IP Address Assignment
To configure the algorithm the SmartEdge OS uses to assign subscriber IP addresses, perform the task
described in Table 20-8.
Enable the Assignment of Preferred IP Addresses
To enable the SmartEdge OS to provide a RADIUS server with preferred IP addresses when performing
subscriber authentication, perform the task described in Table 20-9.
Change the Default Order for Determining Subscriber IP Addresses
To change the default order for determining the IP address (and its interface) to be used for binding a
subscriber circuit, perform the task in Table 20-10.
Table 20-8 Configure IP Address Assignment
Task: Change the logic the SmartEdge OS uses to allocate subscriber IP addresses from the default algorithm (round-robin) to a first-available algorithm.
Root Command: aaa ip-pool allocation first-available
Notes: Enter this command in global configuration mode.
Table 20-9 Enable the Assignment of Preferred IP Addresses
Task: Enable the SmartEdge OS to provide the RADIUS server with preferred IP addresses from unnamed IP pools.
Root Command: aaa hint ip-address
Notes: Enter this command in context configuration mode.
Table 20-10 Change the Default Order for Determining Subscriber IP Addresses
Task: Change the default order for determining the IP address for binding a subscriber circuit.
Root Command: aaa provision binding-order
Notes: Enter this command in context configuration mode.
Configure Global RADIUS Authentication
To configure global RADIUS authentication, perform the tasks described in Table 20-11.
Configure Context-Specific RADIUS Authentication
To authenticate subscribers using one or more RADIUS servers with IP addresses or hostnames configured
in the current context, perform the task described in Table 20-12.
Configure SmartEdge OS Configuration Authentication
To authenticate subscribers through the SmartEdge OS configuration, perform the task described in
Table 20-13.
Table 20-11 Configure Global RADIUS Authentication
1. Task: Enable global RADIUS authentication.
   Root Command: aaa global authentication subscriber
   Notes: Enter this command in global configuration mode. At least one RADIUS server IP address or hostname must be configured in the local context; for more information, see Chapter 21, RADIUS Configuration.
2. Task: Authenticate subscribers in the current context through one or more RADIUS servers with IP addresses or hostnames configured in the local context.
   Root Command: aaa authentication subscriber
   Notes: Enter this command in context configuration mode. Use the global keyword with this command.
Table 20-12 Configure Context-Specific RADIUS Authentication
Task: Configure context-specific RADIUS authentication.
Root Command: aaa authentication subscriber
Notes: Enter this command in context configuration mode. Use the radius keyword with this command to configure RADIUS authentication. At least one RADIUS server IP address or hostname must be configured in the current context; for more information, see Chapter 21, RADIUS Configuration.
Table 20-13 Configure SmartEdge OS Configuration Authentication
Task: Configure SmartEdge OS configuration authentication.
Root Command: aaa authentication subscriber
Notes: Enter this command in context configuration mode. Use the local keyword with this command to authenticate subscribers through the SmartEdge OS configuration.
Configure Context-Specific RADIUS and Global RADIUS Authentication
To configure context-specific RADIUS authentication, followed by global RADIUS authentication,
perform the tasks described in Table 20-14.
Configure Context-Specific RADIUS and SmartEdge OS Authentication
To authenticate subscribers using one or more RADIUS servers with IP addresses or hostnames configured
in the current context, followed by the SmartEdge OS, perform the task described in Table 20-15.
Configure a Last-Resort Authentication Context
To specify a context to attempt authentication of a subscriber when the domain portion of the subscriber
name cannot be matched, perform the task described in Table 20-16.
Disable Subscriber Authentication
To disable authentication of subscribers in the current context, perform the task described in Table 20-17.
Table 20-14 Configure Context-Specific RADIUS and Global RADIUS Authentication
1. Task: Enable global RADIUS authentication.
   Root Command: aaa global authentication subscriber
   Notes: Enter this command in global configuration mode. At least one RADIUS server IP address or hostname must be configured in the local context; for more information, see Chapter 21, RADIUS Configuration.
2. Task: Configure context-specific RADIUS followed by global RADIUS authentication.
   Root Command: aaa authentication subscriber
   Notes: Enter this command in context configuration mode. Use the radius global construct with this command.
Table 20-15 Configure Context-Specific RADIUS and SmartEdge OS Authentication
Task: Configure context-specific RADIUS authentication, followed by SmartEdge OS configuration authentication.
Root Command: aaa authentication subscriber
Notes: Enter this command in context configuration mode. Use the radius keyword followed by the local keyword with this command. At least one RADIUS server IP address or hostname must be configured in the current context; for more information, see Chapter 21, RADIUS Configuration.
Table 20-16 Configure a Last-Resort Authentication Context
Task: Configure a last-resort authentication context.
Root Command: aaa last-resort
Notes: Enter this command in global configuration mode.
Table 20-17 Disable Subscriber Authentication
Task: Disable subscriber authentication.
Root Command: aaa authentication subscriber
Notes: Enter this command in context configuration mode. Use the none keyword with this command if subscriber authentication is not required, such as when Dynamic Host Configuration Protocol (DHCP) is used to obtain IP addresses for subscriber hosts.
Configure Authorization and Reauthorization
To configure authorization and reauthorization, perform the tasks described in the following sections:
Configure CLI Commands Authorization
Configure L2TP Peer Authorization
Configure Dynamic Subscriber Reauthorization
Configure CLI Commands Authorization
To specify that commands with a matching privilege level (or higher) require authorization through
TACACS+, perform the task described in Table 20-18.
Configure L2TP Peer Authorization
To determine whether L2TP peers are authorized by the SmartEdge OS configuration or by a RADIUS
server, perform the task described in Table 20-19.
Configure Dynamic Subscriber Reauthorization
To configure dynamic subscriber reauthorization, perform the task described in Table 20-20.
Caution Risk of security breach. If you disable subscriber authentication, individual subscriber names
and passwords will not be authenticated by the SmartEdge OS and, therefore, IP routes and ARP
entries within individual subscriber records are not installed. To reduce the risk, verify your
network security setup before disabling subscriber authentication.
Table 20-18 Configure CLI Commands Authorization
Task: Configure CLI commands authorization.
Root Command: aaa authorization commands
Notes: Enter this command in context configuration mode. A TACACS+ server must be configured in the specified context; for more information, see Chapter 22, TACACS+ Configuration.
Table 20-19 Configure L2TP Peer Authorization
Task: Configure L2TP peer authorization.
Root Command: aaa authorization tunnel
Notes: Enter this command in context configuration mode. By default, L2TP peers are authorized through the SmartEdge OS configuration.
Table 20-20 Configure Dynamic Subscriber Reauthorization
Task: Configure dynamic subscriber reauthorization.
Root Command: aaa reauthorization bulk
Notes: Enter this command in context configuration mode.
For reauthorization to take effect, Redback VSA 94, Reauth-String, must be configured on the RADIUS
server. Redback VSA 95, Reauth-More, is only needed if multiple reauthorization records are used for one
command; for example, if you have the following records, the reauthorize bulk 1 command causes the
RADIUS server to process reauthorization for reauth-1@local followed by reauth-2@local:
reauth-1@local
Password="redback"
Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...
Reauth-More=1
reauth-2@local
Password="redback"
Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...
Reauth_String
Attribute number: 94
Value: String
Format: "xxx" *
Send in Access-Request packet: No
Send in Accounting-Request packet: No
Receivable in Access-Request packet: Yes
Description: (SE)
* Format for Reauth String
"type;sub_id;attr#;attr_val;attr#;;attr#;attr_val;..."
(vsa_attr: vid-vsa_attr_#)
Reauth_More
Attribute number: 95
Value: integer
Format: 1
Send in Access-Request packet: No
Send in Accounting-Request packet: No
Receivable in Access-Request packet: Yes
Description: More reauth request is needed (SE)
For a list of the standard RADIUS attributes and vendor-specific attributes (VSAs) that are supported as
part of the Reauth-String and details about them, see Appendix A, RADIUS Attributes.
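The Reauth-String format above is compact enough to get wrong when records are hand-edited on the RADIUS server, so it helps to have a checker that splits a record into its type, subscriber ID and attribute pairs and tells you when a pair is incomplete. The following parser is an added example written for this guide; it is not SmartEdge OS or Redback code. It follows only the format documented on this page (type;sub_id;attr#;attr_val;... with vendor-specific attributes written as vid-vsa_attr_#) and also walks the Reauth-More chain that a single reauthorize bulk command follows. The sample records, attribute numbers and values are constructed, and the vendor ID 2352 is assumed to be the Redback enterprise number.

```python
"""Parser for the Reauth-String (Redback VSA 94) format documented above.

Added example, not SmartEdge OS or Redback code. Assumptions: the format is
    "type;sub_id;attr#;attr_val;attr#;attr_val;..."
with a VSA written as "vid-vsa_attr_#"; attribute values may be empty (the
documented format shows "attr#;;attr#"); sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ReauthAttr:
    number: int                 # RADIUS attribute number, or VSA number for a VSA
    vendor_id: Optional[int]    # None for a standard RADIUS attribute
    value: str


@dataclass
class ReauthRecord:
    id_type: str                # the "type" field
    sub_id: str                 # the "sub_id" field
    attrs: List[ReauthAttr] = field(default_factory=list)


@dataclass
class RadiusUser:
    """One RADIUS user entry, like reauth-1@local / reauth-2@local above."""
    name: str
    reauth_string: str
    reauth_more: int = 0        # Reauth-More (VSA 95): 1 means another record follows


def _parse_attr_number(token: str) -> Tuple[Optional[int], int]:
    """'8' -> (None, 8); '2352-31' -> (2352, 31)  (vid-vsa_attr_# form)."""
    if "-" in token:
        vid, num = token.split("-", 1)
        return int(vid), int(num)
    return None, int(token)


def parse_reauth_string(text: str) -> ReauthRecord:
    """Split a Reauth-String into type, subscriber ID and (attr#, attr_val) pairs."""
    s = text.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]                        # the dictionary shows the value quoted
    fields = s.split(";")
    if len(fields) < 2 or not fields[0] or not fields[1]:
        raise ValueError("Reauth-String must start with type;sub_id")
    record = ReauthRecord(id_type=fields[0], sub_id=fields[1])
    rest = fields[2:]
    if len(rest) % 2 and rest[-1] == "":
        rest.pop()                         # tolerate one trailing ';'
    if len(rest) % 2:
        raise ValueError("attribute number without a value")
    for num_tok, value in zip(rest[0::2], rest[1::2]):
        vendor_id, number = _parse_attr_number(num_tok)
        if not 1 <= number <= 255:
            raise ValueError(f"attribute number out of range: {num_tok}")
        record.attrs.append(ReauthAttr(number, vendor_id, value))
    return record


def bulk_chain(users: List[RadiusUser], start: int = 0) -> List[RadiusUser]:
    """Records one reauthorize bulk command processes, following Reauth-More=1.

    Mirrors the example above: reauth-1@local (Reauth-More=1) is followed by
    reauth-2@local, which has no Reauth-More and ends the chain.
    """
    chain: List[RadiusUser] = []
    i = start
    while i < len(users):
        chain.append(users[i])
        if users[i].reauth_more != 1:
            break
        i += 1
    return chain
```

Feeding each Reauth-String from the server's user file through parse_reauth_string before a bulk reauthorization catches an odd number of attribute tokens or a malformed vid-vsa_attr_# token, which would otherwise only surface as a failed reauthorization on the router.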
Configure Accounting
To configure accounting, perform the tasks described in the following sections:
Configure CLI Commands Accounting
Configure Administrator Accounting
Configure Subscriber Accounting
Configure L2TP Accounting
Configure CLI Commands Accounting
To specify that accounting messages are sent to a TACACS+ server whenever an administrator enters
commands at the specified privilege level (or higher), perform the task described in Table 20-21.
Configure Administrator Accounting
To enable accounting messages for administrator sessions to be sent to the TACACS+ server, perform the
task described in Table 20-22.
Configure Subscriber Accounting
To configure subscriber accounting, perform the tasks described in the following sections:
Configure Global Subscriber Accounting
Configure Context-Specific Subscriber Accounting
Configure Two-Stage Subscriber Accounting
Configure Global Subscriber Accounting
To configure global subscriber accounting, perform the tasks described in Table 20-23.
Table 20-21 Configure CLI Commands Accounting
Task: Configure CLI commands accounting.
Root Command: aaa accounting commands
Notes: Enter this command in context configuration mode. A TACACS+ server must be configured in the specified context; see Chapter 22, TACACS+ Configuration.
Table 20-22 Configure Administrator Accounting
Task: Configure administrator accounting.
Root Command: aaa accounting administrator
Notes: Enter this command in context configuration mode. A TACACS+ server must be configured in the specified context; see Chapter 22, TACACS+ Configuration.
Note You must configure local subscriber authentication; for more information, see Configure
Global RADIUS Authentication earlier in this section. You must also configure at least one
RADIUS accounting server in the local context; for more information, see Chapter 21,
RADIUS Configuration.
Table 20-23 Configure Global Subscriber Accounting
1. Task: Enable global subscriber session accounting messages.
   Root Command: aaa global accounting subscriber
   Notes: Enter this command in context configuration mode. Accounting messages for subscriber sessions in all contexts are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
2. Task: Enable global subscriber session accounting update messages.
   Root Command: aaa global update subscriber
   Notes: Enter this command in global configuration mode. Updated accounting records for subscriber sessions in all contexts are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
3. Task: Enable global accounting messages for the reauthorize command.
   Root Command: aaa global accounting reauthorization subscriber
   Notes: Enter this command in global configuration mode. Accounting messages for the reauthorize command issued in any context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
4. Task: Enable global accounting messages for subscriber session DHCP lease, reauthorization events, or ANCP events.
   Root Command: aaa global accounting event
   Notes: Enter this command in global configuration mode. Accounting updates for DHCP lease, reauthorization events, or ANCP events for subscriber sessions in all contexts are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
Configure Context-Specific Subscriber Accounting
To configure context-specific subscriber accounting, perform the tasks described in Table 20-24. Enter all
commands in context configuration mode.
Note At least one RADIUS accounting server must be configured in the current context before any
messages can be sent; for more information, see Chapter 21, RADIUS Configuration.
Table 20-24 Configure Context-Specific Subscriber Accounting
1. Task: Enable context-specific subscriber accounting messages.
   Root Command: aaa accounting subscriber
   Notes: Accounting messages for subscriber sessions in the current context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
2. Task: Enable context-specific subscriber session accounting messages.
   Root Command: aaa update subscriber
   Notes: Sends updated accounting records for subscriber sessions in the current context to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
3. Task: Enable context-specific accounting messages for the reauthorize command.
   Root Command: aaa accounting reauthorization subscriber
   Notes: Accounting messages for the reauthorize command used in the current context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
4. Task: Enable context-specific accounting messages for DHCP lease, reauthorization information, or ANCP events.
   Root Command: aaa accounting event
   Notes: Accounting messages for DHCP lease, reauthorization information, or ANCP events for subscriber sessions in the current context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
5. Task: Suppress accounting messages when subscriber sessions cannot be established.
   Root Command: aaa accounting suppress-acct-on-fail
   Notes: Accounting messages are not sent to the RADIUS server when subscriber sessions cannot be established due to an authentication problem, a changed IP address, and so on.
Configure Two-Stage Subscriber Accounting
Two-stage accounting collects RADIUS accounting data on both global RADIUS servers and
context-specific RADIUS servers.
To configure two-stage accounting for subscriber sessions, perform the tasks in the Configure Subscriber
Accounting and Configure Context-Specific Subscriber Accounting sections.
Configure L2TP Accounting
To configure L2TP accounting, perform the tasks described in the following sections:
Configure Global L2TP Accounting
Configure Context-Specific L2TP Accounting
Configure Two-Stage L2TP Accounting
Configure Global L2TP Accounting
To configure global L2TP accounting, perform the task described in Table 20-25.
Table 20-25 Configure Global L2TP Accounting
Task: Configure global L2TP accounting.
Root Command: aaa global accounting l2tp-session
Notes: Enter this command in global configuration mode. For all contexts, accounting messages for L2TP tunnels, or sessions in L2TP tunnels, are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
Configure Context-Specific L2TP Accounting
To configure context-specific L2TP accounting, perform the task described in Table 20-26.
Table 20-26 Configure Context-Specific L2TP Accounting
Task: Configure context-specific L2TP accounting.
Root Command: aaa accounting l2tp
Notes: Enter this command in context configuration mode. For the current context, accounting messages for L2TP tunnels, or sessions in L2TP tunnels, are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
Configure Two-Stage L2TP Accounting
Two-stage accounting collects RADIUS accounting data on both global RADIUS accounting servers and
context-specific RADIUS accounting servers.
To configure two-stage accounting for subscriber sessions, perform the tasks in the Configure Global
L2TP Accounting and Configure Context-Specific L2TP Accounting sections.
Configuration Examples
The following sections provide AAA configuration examples:
Subscriber Authentication
Subscriber Reauthorization
Subscriber Authentication
Subscriber authentication can be configured using several methods of authentication. For example,
different subscribers can be authenticated by different RADIUS servers in distinct contexts.
In this example, subscriber janet in the AAA_local context is authenticated by the configuration in that
context. Subscriber rene in the AAA_radius context is authenticated by the RADIUS server in that
context. Subscriber kevin in the AAA_global context is authenticated by the RADIUS server in the
local context. The configuration for this example is as follows:
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.1.1.1 key TopSecret
.
.
.
[local]Redback(config)#context AAA_local
[local]Redback(config-ctx)#aaa authentication subscriber local
[local]Redback(config-ctx)#interface corpA multibind
[local]Redback(config-if)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name janet
[local]Redback(config-sub)#password dragon
[local]Redback(config-sub)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 1 100 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber janet@AAA_local password dragon
.
.
.
[local]Redback(config)#context AAA_radius
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#radius server 10.2.2.2 key TopSecret
[local]Redback(config-ctx)#interface corpB multibind
[local]Redback(config-if)#ip address 10.2.4.40 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 2 200 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber rene@AAA_radius password tiger
.
.
.
[local]Redback(config)#context AAA_global
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config-ctx)#interface corpC multibind
[local]Redback(config-if)#ip address 10.3.5.50 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 3 300 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber kevin@AAA_global password lion
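The example above, together with Tables 20-5, 20-6 and 20-11 through 20-17, describes a dispatch: the domain part of a structured username selects the context, the context's aaa authentication subscriber setting selects the method chain (local, radius, global, radius global, radius local, or none), and aaa last-resort and aaa global reject empty-username handle the two failure cases. The following model is an added example written for this guide, not SmartEdge OS code; it reproduces the three subscribers janet, rene and kevin from the configuration above with constructed in-memory tables standing in for the RADIUS servers at 10.1.1.1 and 10.2.2.2. Two behaviours it assumes because the page does not spell them out: an unmatched domain goes to the last-resort context when one is set, and in the two-method forms (radius global, radius local) the second method is consulted only when no RADIUS server of the first method answers. It generalizes the page's example by also covering the last-resort, empty-username and radius local cases.

```python
"""Model of subscriber authentication dispatch on a SmartEdge-style AAA config.

Added example, not SmartEdge OS code. Assumed: default username@domain-name
format; last-resort context used for an unmatched domain; in "radius global"
and "radius local" the second method runs only when the first gets no RADIUS
answer. RADIUS servers are simulated by constructed user tables.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class RadiusServer:
    address: str
    users: Optional[Dict[str, str]]      # None simulates a server that never answers

    def access_request(self, user_name: str, password: str) -> str:
        if self.users is None:
            return NO_RESPONSE
        return ACCEPT if self.users.get(user_name) == password else REJECT


@dataclass
class Context:
    name: str
    auth_method: str                                          # aaa authentication subscriber <method>
    subscribers: Dict[str, str] = field(default_factory=dict)  # subscriber name -> password
    radius: List[RadiusServer] = field(default_factory=list)   # radius server entries


@dataclass
class System:
    contexts: Dict[str, Context]
    global_auth_context: Optional[str] = None   # aaa global authentication subscriber radius context <ctx>
    last_resort: Optional[str] = None           # aaa last-resort <ctx>
    reject_empty_username: bool = False         # aaa global reject empty-username


def split_structured_name(name: str) -> Tuple[str, Optional[str]]:
    """Default format username@domain-name: returns (user, domain or None)."""
    user, sep, domain = name.partition("@")
    return user, (domain if sep else None)


def radius_decision(servers: List[RadiusServer], user_name: str, password: str) -> str:
    """The first server that answers decides; if none answers, NO_RESPONSE."""
    for server in servers:
        result = server.access_request(user_name, password)
        if result != NO_RESPONSE:
            return result
    return NO_RESPONSE


def authenticate(system: System, structured_name: str, password: str) -> Tuple[str, str]:
    """Return (ACCEPT or REJECT, reason) for a subscriber presenting structured_name."""
    user, domain = split_structured_name(structured_name)
    if system.reject_empty_username and user == "":
        return REJECT, "empty User-Name: Access-Request suppressed"
    ctx = system.contexts.get(domain) if domain else None
    if ctx is None and system.last_resort:
        ctx = system.contexts.get(system.last_resort)       # aaa last-resort
    if ctx is None:
        return REJECT, "domain matches no context"
    global_ctx = system.contexts.get(system.global_auth_context or "")
    for step in ctx.auth_method.split():
        if step == "none":
            return ACCEPT, f"{ctx.name}: authentication disabled"
        if step == "local":
            ok = ctx.subscribers.get(user) == password
            return (ACCEPT if ok else REJECT), f"{ctx.name}: SmartEdge OS configuration"
        if step == "radius":
            result = radius_decision(ctx.radius, structured_name, password)
        elif step == "global":
            if global_ctx is None:
                return REJECT, "global RADIUS authentication is not enabled"
            result = radius_decision(global_ctx.radius, structured_name, password)
        else:
            raise ValueError(f"unknown authentication method: {step}")
        if result != NO_RESPONSE:
            return result, f"{ctx.name}: {step} RADIUS"
    return REJECT, f"{ctx.name}: no RADIUS server answered"


def example_system() -> System:
    """The configuration example above; RADIUS user tables are constructed."""
    return System(
        contexts={
            "local": Context("local", "radius",
                             radius=[RadiusServer("10.1.1.1", {"kevin@AAA_global": "lion"})]),
            "AAA_local": Context("AAA_local", "local", subscribers={"janet": "dragon"}),
            "AAA_radius": Context("AAA_radius", "radius",
                                  radius=[RadiusServer("10.2.2.2", {"rene@AAA_radius": "tiger"})]),
            "AAA_global": Context("AAA_global", "global"),
        },
        global_auth_context="local",
    )
```

Calling authenticate(example_system(), "kevin@AAA_global", "lion") returns the accept decision from the local context's server, which is the path the Caution earlier in this chapter warns about: only the none method produces an accept without any credential check, so a context set to none should be an explicit decision rather than a leftover.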
Subscriber Reauthorization
The following example enables RADIUS reauthorization for subscriber circuits and accounting messages:
[local]Redback(config-ctx)#radius server 10.10.11.12 key redback
[local]Redback(config-ctx)#radius attribute nas-ip-address interface loop1
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#aaa accounting subscriber radius
[local]Redback(config-ctx)#aaa accounting reauthorization subscriber radius
[local]Redback(config-ctx)#aaa update subscriber 10
[local]Redback(config-ctx)#aaa accounting event reauthorization
[local]Redback(config-ctx)#aaa reauthorization bulk radius
[local]Redback(config-ctx)#radius accounting server 10.10.11.2 key redback
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure AAA. The
commands are presented in alphabetical order:
aaa accounting administrator
aaa accounting commands
aaa accounting event
aaa accounting l2tp
aaa accounting reauthorization subscriber
aaa accounting subscriber
aaa accounting suppress-acct-on-fail
aaa authentication administrator
aaa authentication subscriber
aaa authorization commands
aaa authorization tunnel
aaa double-authentication subscriber radius
aaa encrypted-password default
aaa global accounting event
aaa global accounting l2tp-session
aaa global accounting reauthorization subscriber
aaa global accounting subscriber
aaa global authentication subscriber
aaa global maximum subscriber
aaa global reject empty-username
aaa global session-id-count
aaa global update subscriber
aaa hint ip-address
aaa ip-pool allocation first-available
aaa last-resort
aaa maximum subscriber
aaa password
aaa provision binding-order
aaa provision route
aaa rate-report-factor
aaa reauthorization bulk
aaa update subscriber
aaa username-format
session-action
aaa accounting administrator
aaa accounting administrator {radius | tacacs+}
{no | default} aaa accounting administrator {radius | tacacs+}
Purpose
Enables accounting messages for administrator sessions.
Command Mode
context configuration
Syntax Description
radius Specifies that accounting messages are to be sent to a Remote Authentication Dial-In User Service (RADIUS) server.
tacacs+ Specifies that accounting messages are to be sent to a Terminal Access Controller Access Control System Plus (TACACS+) server.
Default
Accounting is disabled.
Usage Guidelines
Use the aaa accounting administrator command to enable accounting messages for administrator
sessions. Messages can be sent to a RADIUS or TACACS+ server.
You must configure at least one accounting server in the current context before any messages can be sent
to it:
To configure a TACACS+ server, use the tacacs+ server command (in context configuration mode);
for more information, see Chapter 22, TACACS+ Configuration.
To configure a RADIUS server, use the radius server command (in context configuration mode); for
more information, see Chapter 21, RADIUS Configuration.
Use the no or default form of this command to disable RADIUS or TACACS+ accounting messages for
administrator sessions.
Examples
The following example shows how to enable TACACS+ accounting messages for administrator sessions
for the local context:
[local]Redback(config-ctx)#aaa accounting administrator tacacs+
The following example shows how to enable RADIUS accounting messages for administrator sessions for
the local context:
[local]Redback(config-ctx)#aaa accounting administrator radius
Related Commands
radius server
tacacs+ server
aaa accounting commands
aaa accounting commands level tacacs+ [except except-level]
{no | default} aaa accounting commands level
Purpose
Specifies that accounting messages are sent to a Terminal Access Controller Access Control System Plus
(TACACS+) server whenever an administrator enters commands at the specified privilege level (or higher).
Command Mode
context configuration
Syntax Description
level Command privilege level. The range of values is 0 to 15.
tacacs+ Indicates that a TACACS+ server must record commands for accounting.
except except-level Optional. Command privilege level that will not be sent to the server for accounting. The range of values is 1 to 15. The value for this argument must be greater than that specified for the level argument.
Default
No TACACS+ accounting of commands is required.
Usage Guidelines
Use the aaa accounting commands command to specify that accounting messages are sent to a TACACS+
server whenever an administrator enters commands at the specified privilege level (or higher).
To use TACACS+, you must configure the IP address or hostname of a TACACS+ server in the context in
which commands are accessed. To configure the server's IP address or hostname, use the tacacs+ server
command (in context configuration mode); see Chapter 22, TACACS+ Configuration.
For information about default privilege levels for commands and how to modify command privilege levels,
see the Basic System Configuration chapter in the Basic System Configuration Guide for the
SmartEdge OS.
Use the no or default form of this command to disable the sending of accounting messages to the
TACACS+ server.
Examples
The following example sends accounting messages to a TACACS+ server for commands that are
configured with a privilege level of 6 or greater with the exception of privilege level 15:
[local]Redback(config-ctx)#aaa accounting commands 6 tacacs+ except 15
Related Commands
aaa authorization commands
tacacs+ server
aaa accounting event
aaa accounting event {dhcp | reauthorization | ancp}
{no | default} aaa accounting event {dhcp | reauthorization | ancp}
Purpose
Enables accounting messages for Dynamic Host Configuration Protocol (DHCP) leases, reauthorization
information, or Access Node Control Protocol (ANCP) events for subscriber sessions in the current context
to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with
IP addresses or hostnames configured in the same context.
Command Mode
context configuration
Syntax Description
dhcp Enables accounting messages to be sent whenever a DHCP lease is created or released.
reauthorization Enables accounting messages to be sent for subscriber reauthorization sessions. The information sent in the messages provides details about subscriber circuits after reauthorization is completed.
ancp Enables accounting messages to be sent whenever an ANCP event is received. The information sent in the messages provides details from the digital subscriber line (DSL) access multiplexer (DSLAM) about changes to the subscriber DSL, such as a rate change.
Default
RADIUS-based accounting is disabled.
Usage Guidelines
Use the aaa accounting event command to enable accounting messages for DHCP leases, reauthorization
information, or ANCP events for subscriber sessions in the current context to be sent to one or more
RADIUS accounting servers with IP addresses or hostnames configured in the same context.
If an ANCP event occurs when no subscriber session is on the line, no accounting message is sent.
Note You must configure at least one RADIUS accounting server in the current context before any
messages can be sent to it. To configure the server, use the radius accounting server
command (in context configuration mode); for more information, see Chapter 21, RADIUS
Configuration.
Use the no or default form of this command to disable the sending of RADIUS-based accounting messages.
Examples
The following example enables accounting messages for reauthorization information for subscriber
sessions in the cor pA context to be sent to the RADIUS accounting server with an IP address or hostname
in the same context:
[ l ocal ] Redback( conf i g) #context corpA
[ l ocal ] Redback( conf i g- ct x) #aaa accounting event reauthorization
Related Commands
aaa accounting reauthorization subscriber
aaa global accounting event
radius accounting server
aaa accounting l2tp
Enables accounting messages for sessions within L2TP tunnels:
aaa accounting l2tp session {none | radius | global}
{no | default} aaa accounting l2tp session {radius|global}
Enables accounting messages for L2TP tunnels:
aaa accounting l2tp tunnel {none | radius}
{no | default} aaa accounting l2tp tunnel
Purpose
Enables accounting messages for Layer 2 Tunneling Protocol (L2TP) tunnels or sessions in L2TP tunnels
or both for the current context to be sent to one or more RADIUS accounting servers with IP addresses or
hostnames configured in the same context. Also enables accounting messages for sessions in L2TP tunnels
for the current context to be sent to one or more RADIUS accounting servers with IP addresses or
hostnames configured in the same context, local context, or both contexts.
Command Mode
context configuration
Syntax Description
Default
RADIUS-based accounting is disabled.
Usage Guidelines
Use the aaa accounting l2tp to enable accounting messages for L2TP tunnels or sessions in L2TP tunnels
or both for the current context to be sent to one or more RADIUS accounting servers with IP addresses or
hostnames configured in the same context. Also enables accounting messages for sessions in L2TP tunnels
for the current context to be sent to one or more RADIUS accounting servers with IP addresses or
hostnames configured in the same context, local context, or both contexts.
Use the aaa accounting l2tp tunnel command with the radius keyword to enable accounting messages for
L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP
addresses or hostnames configured in the same context. Use the aaa accounting l2tp command with the
session and radius keywords to enable accounting messages for sessions in L2TP tunnels for the current
none Disables RADIUS-based accounting.
radius Enables RADIUS-based accounting.
global Enables global RADIUS-based accounting (without global RADIUS
authentication) for sessions in L2TP tunnels.
Command Descriptions
AAA Configuration 20-27
context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured
in the same context. Both uses of the aaa accounting l2tp command here reflect context-level L2TP
accounting.
Use the aaa accounting l2tp command with the session and global keywords to enable accounting
messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting
servers with IP addresses or hostnames configured in the local context. This use reflects global-level L2TP
accounting.
Two-stage accounting permits data for all contexts to be sent to both the RADIUS accounting servers in the
local context for global-level accounting and any RADIUS accounting servers in the context to which the
subscriber is bound for context-level accounting. Enabling two-stage accounting for L2TP tunnels requires
that you configure one or more RADIUS accounting servers in the local context and configure one or more
RADIUS accounting servers in a nonlocal context or current context. Configuring global L2TP accounting
and global authentication is also required. However, with two-stage accounting for sessions in L2TP
tunnels, global authentication is optional. To enable two-stage accounting with global authentication,
configure the aaa accounting l2tp command (in context configuration mode) with the radius keyword and
the aaa global accounting l2tp-session command (in global configuration mode). To enable two-stage
accounting without global authentication, use the aaa accounting l2tp command with the session, radius,
and global keywords. The global keyword allows accounting to be performed without global
authentication.
Use the no or default form of this command or the none keyword to disable the sending of RADIUS
accounting messages.
Note If enabling context-level L2TP accounting, you must configure at least one RADIUS
accounting server in the current context before any messages can be sent to it. If enabling
global-level L2TP accounting, you must configure at least one RADIUS accounting server
in the local context before any messages can be sent to it. To configure the server, use the
radius accounting server command (in context configuration mode); for more information,
see Chapter 21, RADIUS Configuration.
Note When using global-level L2TP accounting, you must enable global L2TP accounting; use the
aaa global accounting l2tp-session command.
Note If the SmartEdge router is acting as an L2TP network server (LNS) in a context, the
accounting data is for the LNS; if it is acting as an L2TP access concentrator (LAC), the
accounting data is for the LAC. If the router is acting as a tunnel switch, both sets of
accounting data are sent to the RADIUS server; in this case, each set of data is tagged, as
follows:
LNS accounting data (facing the LAC): tag 1
LAC accounting data (facing the LNS): tag 2
Examples
The following example shows how to enable accounting messages for L2TP tunnels in the siteA context
to be sent to the RADIUS accounting server configured in the siteA context:
[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa accounting l2tp radius
The following example shows how to enable accounting messages for sessions in L2TP tunnels in the
siteB context to be sent to the RADIUS accounting server configured in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key my_key
.
.
.
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#aaa accounting l2tp global
Related Commands
aaa global accounting l2tp-session
radius accounting server
aaa accounting reauthorization subscriber
aaa accounting reauthorization subscriber {none | radius}
{no | default} aaa accounting reauthorization subscriber
Purpose
Enables accounting messages for the reauthorize command entered in the current context in exec mode to
be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP
addresses or hostnames configured in the same context.
Command Mode
context configuration
Syntax Description
none Disables RADIUS-based accounting.
radius Enables RADIUS-based accounting messages to be sent.
Default
RADIUS-based accounting is disabled.
Usage Guidelines
Use the aaa accounting reauthorization subscriber command to enable accounting messages for the
reauthorize command entered in the current context in exec mode to be sent to one or more RADIUS
accounting servers with IP addresses or hostnames configured in the same context.
Note You must configure at least one RADIUS accounting server in the current context before any
messages can be sent to it. To configure the server, use the radius accounting server
command (in context configuration mode); for more information, see Chapter 21, RADIUS
Configuration.
Use the no or default form of this command or the none keyword to disable the sending of RADIUS
accounting messages.
Examples
The following example enables accounting messages for subscriber reauthorization in the corpA context
to be sent to the RADIUS accounting server configured in the corpA context:
[local]Redback(config)#context corpA
[local]Redback(config-ctx)#aaa accounting reauthorization subscriber radius
Related Commands
aaa accounting event
aaa global accounting reauthorization subscriber
radius accounting server
aaa accounting subscriber
aaa accounting subscriber {none | radius | global}
{no | default} aaa accounting subscriber {radius | global}
Purpose
Enables accounting messages for subscriber sessions in the current context to be sent to one or more
RADIUS accounting servers with IP addresses or hostnames configured in the same context (for
context-level subscriber accounting), in the local context (for global-level subscriber accounting), or in
both contexts (for context- and global-level subscriber accounting).
Command Mode
context configuration
Syntax Description
none Disables RADIUS-based accounting.
radius Enables RADIUS-based accounting.
global Enables global RADIUS-based accounting (without global RADIUS
authentication).
Default
RADIUS-based accounting is disabled.
Usage Guidelines
Use the aaa accounting subscriber command to enable accounting messages for subscriber sessions in the
current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames
configured in the same context (for context-level subscriber accounting), in the local context (for
global-level subscriber accounting), or in both contexts (for context- and global-level subscriber
accounting).
Use the aaa accounting subscriber command with the radius keyword to enable accounting messages for
subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP
addresses or hostnames configured in the same context.
Use the aaa accounting subscriber command with the global keyword to enable accounting messages for
subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP
addresses or hostnames configured in the local context.
To enable two-stage accounting, configure one or more RADIUS accounting servers in a nonlocal context
and configure one or more RADIUS accounting servers in the local context. With two-stage accounting,
global authentication is optional. To enable two-stage accounting with global authentication, configure
global authentication by using the radius keyword with the aaa authentication subscriber command (in
context configuration mode) and the aaa global authentication subscriber command (in global
configuration mode). To enable two-stage accounting without global authentication, configure the
keywords radius and global with the aaa accounting subscriber command. In two-stage accounting, data
for all contexts are sent to both the RADIUS accounting servers in the local context and to any RADIUS
accounting servers in the context to which the subscriber is bound.
Use the no or default form of this command or the none keyword to disable the sending of RADIUS
accounting messages.
Note If enabling context-level subscriber accounting, you must configure at least one RADIUS
accounting server in the current context before any messages can be sent to the server. If
enabling global-level subscriber accounting, you must configure at least one RADIUS
accounting server in the local context before any messages can be sent to the server. To
configure the server, use the radius accounting server command (in context configuration
mode); for more information, see Chapter 21, RADIUS Configuration.
Note To use global-level subscriber accounting, you must enable it; use the aaa global accounting
subscriber command.
Note The aaa accounting subscriber command can only enable the sending of accounting packets
that include packet and byte counts for a circuit if the counters command is configured in the
Asynchronous Transfer Mode (ATM) profile referenced by the circuit to which the subscriber
is bound; for more information about ATM profiles, see the Circuit Configuration chapter
in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Note The SmartEdge OS does not send the RADIUS accounting packet for a Point-to-Point
Protocol (PPP) subscriber until the session completes the IP Control Protocol (IPCP) stage of
PPP. Delaying the start record assures that standard RADIUS attribute 8, Framed-IP-Address,
is populated.
Examples
The following example shows how to enable accounting messages for subscriber sessions in the siteA
context to be sent to the RADIUS accounting server configured in the siteA context:
[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa accounting subscriber radius
The following example shows how to enable accounting messages for subscriber sessions in the siteB
context to be sent to the RADIUS accounting server configured in the local context and to the RADIUS
accounting server configured in the siteB context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key my_key
.
.
.
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#aaa accounting subscriber radius global
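The two-stage accounting that the usage guidelines describe for sessions in L2TP tunnels (aaa accounting l2tp) and for subscriber sessions (aaa accounting subscriber), written out as one complete configuration without global authentication. This is an added example and not one of the guide's own: the addresses, keys and context name siteC are placeholders, the exit command and the radius argument on the two aaa global accounting commands are assumed, and the keyword order session radius global for aaa accounting l2tp is taken from the prose rather than from a syntax line on this page.

```text
! Added example, not from the guide. Placeholder addresses, keys and context name.
! Global-level accounting is switched on once, in global configuration mode
! (the "radius" argument on these two commands is assumed; check their syntax).
[local]Redback(config)#aaa global accounting subscriber radius
[local]Redback(config)#aaa global accounting l2tp-session radius
! Stage 1 target: the accounting server in the local context. Every context that
! enables global-level accounting sends its records here.
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 192.0.2.10 key central_key
[local]Redback(config-ctx)#exit
! Stage 2 target: the accounting server in the context the subscriber is bound to.
[local]Redback(config)#context siteC
[local]Redback(config-ctx)#radius accounting server 198.51.100.20 key siteC_key
! "radius global" sends each record to both servers. Because the global keyword
! is present, global authentication does not have to be configured.
[local]Redback(config-ctx)#aaa accounting subscriber radius global
! The same two-stage behaviour for sessions carried in L2TP tunnels
! (keyword order assumed from the usage guidelines).
[local]Redback(config-ctx)#aaa accounting l2tp session radius global
```

Both radius accounting server lines are load-bearing: per the notes above, without a server in the local context the global stage has nothing to send to, and without one in siteC the context stage has nothing to send to. Check show configuration for both before relying on the records for billing or incident reconstruction.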
Related Commands
aaa authentication subscriber
aaa global accounting subscriber
aaa global authentication subscriber
radius accounting server
radius server
aaa accounting suppress-acct-on-fail
aaa accounting suppress-acct-on-fail [except-for error-cond]
{no | default}aaa accounting suppress-acct-on-fail [except-for error-cond]
Purpose
Suppresses the sending of accounting messages to Remote Authentication Dial-In User Service (RADIUS)
servers when a subscriber session cannot be established due to an authentication problem, a changed IP
address, and so on.
Command Mode
context configuration
Syntax Description
except-for error-cond Optional. Error condition for which accounting messages are not suppressed,
according to one of the following keywords or constructs:
duplicate-ip: Does not suppress accounting messages if the IP address
specified in an Access-Accept packet is already in use by another
subscriber.
no-l2tp-peer: Does not suppress accounting messages if the Layer 2
Tunneling Protocol (L2TP) peer cannot be reached and the session is not
brought up.
duplicate-ip no-l2tp-peer: Does not suppress accounting messages if either
of the error conditions is true.
Default
RADIUS-based accounting is disabled. When RADIUS-based accounting is enabled using the
aaa accounting subscriber command (in context configuration mode), the SmartEdge OS always sends
an accounting record when a subscriber session cannot be established.
Usage Guidelines
Use the aaa accounting suppress-acct-on-fail command to suppress the sending of accounting messages
to RADIUS accounting servers when a subscriber session cannot be established due to an authentication
problem, a changed IP address, and so on.
You can specify either or both of the error conditions for which accounting messages will not be
suppressed.
Use the no or default form of this command to disable suppression and restore the default behavior, in
which an accounting record is always sent when a subscriber session cannot be established.
Examples
The following example suppresses accounting messages sent to RADIUS accounting servers except when
the L2TP peer for a subscriber session cannot be reached and the session is not established:
[local]Redback(config-ctx)#aaa accounting suppress-acct-on-fail except-for no-l2tp-peer
Related Commands
aaa accounting subscriber
aaa authentication administrator
aaa authentication administrator {[{console | vty}] {method[method[method]]}} |
maximum sessions num-sess
{no | default} aaa authentication administrator {[{console | vty}] {method[method[method]]}} |
maximum
Purpose
Prioritizes the methods available for authenticating administrators, or modifies the maximum number of
administrator sessions that can be simultaneously active.
Command Mode
context configuration
Syntax Description
console Optional. Enables the specified administrator authentication method on
the console port.
vty Optional. Enables the specified administrator authentication method on
a vty port, which is a virtual terminal port used for remote console
access.
method Authentication method, according to one of the following keywords:
local: Specifies authentication by the SmartEdge OS configuration.
radius: Specifies authentication by a Remote Authentication Dial-In
User Service (RADIUS) server.
tacacs+: Specifies authentication by a Terminal Access Controller
Access Control System Plus (TACACS+) server.
One method is required. Specifying a second or third method is
optional. Separate each value with a space.
maximum sessions num-sess Maximum number of administrator sessions that can be active
simultaneously. The range of values is 0 to 100. For the local context,
the default value is 10. For nonlocal contexts, the default value is 1.
The total number of active Telnet, Secure Shell (SSH), or both types of
administrator sessions must be fewer than or equal to 100 for all
configured contexts. In addition, one administrator session is supported
for the console port.
Default
Authentication is performed by the SmartEdge OS configuration and is permitted on both the console port
and vty ports. For the local context, the number of administrator sessions that can be simultaneously active
is 10; for nonlocal contexts, it is 0 or 1 (0 when no administrators are configured; 1 when administrators
are configured).
Usage Guidelines
Use the aaa authentication administrator command to prioritize the available administrator
authentication methods or modify the maximum number of administrator sessions that can be
simultaneously active. If you use this command to prioritize the available administrator authentication
methods, you can configure a port type for each specified authentication method.
Authentication methods are attempted in the order in which you enter the keywords. For example, if you
enter the radius keyword first, followed by the tacacs+ keyword, followed by the local keyword,
authentication is first attempted by the RADIUS server, then by the TACACS+ server, and, finally, by the
local configuration.
Use the no or default form of this command to return to using only the SmartEdge OS configuration for
authentication of administrators.
Note If a RADIUS or TACACS+ server rejects the authentication of an administrator,
authentication is not attempted by the next method. If, however, the RADIUS or TACACS+
server is unavailable or unreachable, authentication is attempted by the next method.
Authentication by the SmartEdge OS configuration is always available as a fallback, even
when the local keyword is not specified. If the SmartEdge OS configuration rejects an
administrator, authentication is not attempted by the next method.
Note Do not use both console and vty keywords within the same command line. It is not supported.
This is functionally equivalent to the default behavior of.
Note To use RADIUS, the IP address or hostname of at least one RADIUS server must be
configured in the context to which the administrator is to be bound. To configure the server's
IP address or hostname, use the radius server command (in context configuration mode); for
more information, see Chapter 21, RADIUS Configuration. To use TACACS+, the IP
address or hostname of a TACACS+ server must be configured in the context to which the
administrator is to be bound. To configure the server's IP address or hostname, use the
tacacs+ server command (in context configuration mode); for more information, see
Chapter 22, TACACS+ Configuration.
Note The total number of simultaneous, active Telnet and SSH administrator sessions must be less
than or equal to 20 on the system as a whole (that is, for all configured contexts).
The maximum number of administrator SSH sessions that can be simultaneously active for
all configured contexts can be configured through the ssh server full-drop command (in
global configuration mode); the default value is 20. If there are active Telnet sessions, the
maximum number of global SSH sessions is limited to the maximum number of SSH sessions
configured through the ssh server full-drop command, minus the number of active Telnet
sessions in all contexts. For more information about the ssh server full-drop command, see
the System Access Configuration chapter in the Basic System Configuration Guide for the
SmartEdge OS.
Examples
The following example shows how to configure the console port of a SmartEdge router to authenticate
administrators through a RADIUS server with the SmartEdge OS configuration authentication (local
database) as a backup:
[local]Redback(config-ctx)#aaa authentication administrator console radius local
The following example shows how to configure a vty port on a SmartEdge router to authenticate
administrators through a TACACS+ server:
[local]Redback(config-ctx)#aaa authentication administrator vty tacacs+
The following example shows how to modify the number of administrator sessions that can be
simultaneously active in the local context from 10 (the default) to 15:
[local]Redback(config-ctx)#aaa authentication administrator maximum sessions 15
Related Commands
radius server
tacacs+ server
aaa authentication subscriber
aaa authentication subscriber {global | local [{global | none | radius [{global | none}]}] | none |
radius [{global | local [{global | none}]}]}
{no | default} aaa authentication subscriber
Purpose
Authenticates subscribers through the SmartEdge OS configuration or through one or more Remote
Authentication Dial-In User Service (RADIUS) server databases.
Command Mode
context configuration
Syntax Description
global When used alone, authenticates subscribers through one or more RADIUS servers with IP
addresses or hostnames configured in the local context.
When used as an optional keyword following local, first attempts subscriber authentication
through the SmartEdge OS configuration in the current context. In the event that no
corresponding subscriber record is found in the local database, authenticates subscribers
through one or more RADIUS servers with IP addresses or hostnames configured in the local
context.
When used as an optional keyword following radius, first attempts subscriber authentication
through one or more RADIUS servers with IP addresses or hostnames configured in the current
context. If those RADIUS servers are not reachable, authenticates subscribers through one or
more RADIUS servers with IP addresses or hostnames configured in the local context.
local When used alone, authenticates subscribers through the SmartEdge OS configuration in the
current context.
When used as an optional keyword following radius, authenticates subscribers through one or
more RADIUS servers with IP addresses or hostnames configured in the current context. If the
RADIUS servers are not reachable, authenticates subscribers through the SmartEdge OS
configuration in the current context.
none When used alone, specifies that authentication of subscribers is not required; all access
succeeds.
When used as an optional keyword following local, subscribers are first authenticated through
the SmartEdge OS configuration. In the event that no corresponding subscriber record is found
in the local database, access succeeds.
radius When used alone, authenticates subscribers by one or more RADIUS servers with IP addresses
or hostnames in the current context.
When used as an optional keyword following local, first attempts subscriber authentication
through the SmartEdge OS configuration in the current context. In the event that no
corresponding subscriber record is found in the local database, authenticates subscribers by one
or more RADIUS servers with IP addresses or hostnames in the current context.
Default
Subscribers are authenticated by the SmartEdge OS configuration.
Usage Guidelines
Use the aaa authentication subscriber command to authenticate subscribers through the SmartEdge OS
configuration or through one or more RADIUS server databases.
The SmartEdge OS configuration is also referred to as the local database, which is simply a set of
commands, such as the subscriber command (in context configuration mode) and the password command
(in subscriber configuration mode). For more information about these commands, see the Subscriber
Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
With RADIUS, the database records of the RADIUS server are used to authenticate subscribers. The IP
address or hostname of one or more RADIUS servers can be configured in the local context or in the
context to which the subscriber's circuit is to be bound. Each context can use its own set of RADIUS servers
for authentication. Alternatively, a context can be configured to use the RADIUS servers with IP addresses
or hostnames configured in the local context; this is known as global authentication.
With global authentication, the RADIUS servers are expected to return the Context-Name vendor-specific
attribute (VSA) that indicates the particular context to which the subscriber is to be bound. You can also
configure the SmartEdge OS to try authentication through one or more RADIUS servers with IP addresses
or hostnames configured in the current context first, with a fallback to the global RADIUS server or to the
local database, in case the RADIUS server configured in the current context becomes unreachable.
To disable authentication of subscribers, use the none keyword with this command. Do this only when
subscriber authentication is not required, such as when Dynamic Host Configuration Protocol (DHCP) is
used to obtain IP addresses for subscribers' hosts.
Use the no or default form of this command to authenticate subscribers through the SmartEdge OS
configuration.
Examples
The following example authenticates subscriber sessions for the siteB context by first using the RADIUS
server configured within the context, followed by the SmartEdge OS configuration for the context should
the RADIUS server become unreachable:
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#radius server 10.2.3.4 key TopSecret
[local]Redback(config-ctx)#aaa authentication subscriber radius local
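Global authentication with a per-context server tried first, the radius global combination described in the usage guidelines, as an added example that is not one of the guide's own. The addresses, keys and the context name siteD are placeholders and the exit command is assumed; aaa global authentication subscriber radius is entered in global configuration mode, as in the double-authentication example later in this chapter.

```text
! Added example, not from the guide. Placeholder addresses, keys and context name.
! Enable authentication through the local-context (global) RADIUS servers once,
! in global configuration mode.
[local]Redback(config)#aaa global authentication subscriber radius
! The global server. With global authentication it is expected to return the
! Context-Name VSA naming the context the subscriber is to be bound to.
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 192.0.2.10 key central_key
[local]Redback(config-ctx)#exit
! siteD tries its own server first and uses the local-context server only if
! its own server is not reachable.
[local]Redback(config)#context siteD
[local]Redback(config-ctx)#radius server 198.51.100.30 key siteD_key
[local]Redback(config-ctx)#aaa authentication subscriber radius global
! Weak alternative, shown for contrast and deliberately left disabled: "none"
! skips authentication entirely and leaves per-subscriber addresses, routes and
! ARP entries uninstalled (see the Caution for this command).
! [local]Redback(config-ctx)#aaa authentication subscriber none
```

The fallback is triggered by unreachability of the siteD server, so a server that answers but is misconfigured does not hand subscribers over to the global server; when testing the fallback, make the siteD server unreachable rather than returning rejects.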
Note To use RADIUS, the IP address or hostname of at least one RADIUS server must be
configured in the local context or in the context to which the subscriber is to be bound. To
configure the server's IP address or hostname, use the radius server command (in context
configuration mode); for more information, see Chapter 21, RADIUS Configuration.
Caution Risk of security breach. With the aaa authentication subscriber none command, the
SmartEdge OS does not read any of the subscriber records configured, except for the default
subscriber record. This means that individual subscriber usernames and passwords are not
authenticated by the SmartEdge OS. Therefore, IP addresses, routes, and Address Resolution
Protocol (ARP) entries within individual subscriber records are not installed. Verify your
network security setup before using the aaa authentication subscriber none command.
Related Commands
aaa global authentication subscriber
radius server
aaa authorization commands
aaa authorization commands level tacacs+ [none] [except except-level]
{no | default}aaa authorization commands level
Purpose
Specifies that commands with a matching privilege level (or higher) require authorization through Terminal
Access Controller Access Control System Plus (TACACS+).
Command Mode
context configuration
Syntax Description
level Privilege level. The range of values is 0 to 15. A user account with a privilege
level that matches or is greater than the value of the level argument must be
authorized by TACACS+ before the user can enter SmartEdge OS CLI
commands set to this privilege level.
tacacs+ Enforces authorization through TACACS+.
none Optional. Disables authorization if the server is unavailable.
except except-level Optional. Command privilege level that will not be sent to the server for
authorization. The range of values is 1 to 15. The value for this argument
must be greater than that specified for the level argument.
Default
Commands do not require authorization through TACACS+.
Usage Guidelines
Use the aaa authorization commands command to specify that commands with a matching privilege level
(or higher) require authorization through TACACS+.
Caution Risk of administrative failure. If a TACACS+ server has not been set up and configured before
this command is issued, you may not have authorization to use commands on your SmartEdge
router. To reduce the risk, you must first configure the IP address or hostname of a TACACS+
server in the context in which commands are accessed. To do so, enter the tacacs+ server
command (in context configuration mode); for more information, see Chapter 22,
TACACS+ Configuration.
Caution Risk of administrative failure. If you have configured authorization without the none keyword
and the TACACS+ server is not available, you might not have authorization to use commands
on your SmartEdge router. To reduce the risk, always include the none keyword when
entering this command.
Use the no or default form of this command to disable the requirement for TACACS+ authorization.
Examples
The following example requires TACACS+ authorization in the restricted context for the use of
commands with privilege levels of 10 or higher, with the exception of privilege level 15:
[local]Redback(config)#context restricted
[local]Redback(config-ctx)#aaa authorization commands 10 tacacs+ except 15
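An added example (not one of the guide's own) that puts the administrator authentication methods and the TACACS+ command authorization described above together for the restricted context, with the lockout-prone setting next to the form the Cautions recommend. The address and key are placeholders, and the arguments of the tacacs+ server command are assumed by analogy with radius server; see Chapter 22, TACACS+ Configuration, for its real syntax.

```text
! Added example, not from the guide. Placeholder address and key; the arguments
! of "tacacs+ server" are assumed (see Chapter 22, TACACS+ Configuration).
[local]Redback(config)#context restricted
[local]Redback(config-ctx)#tacacs+ server 192.0.2.50 key tac_key
! Administrator login on vty ports: TACACS+ first, SmartEdge OS configuration
! only if the server is unreachable. A TACACS+ reject ends the attempt; it does
! not fall through to the local database.
[local]Redback(config-ctx)#aaa authentication administrator vty tacacs+ local
! Lockout-prone form: every command at privilege level 10 or higher must be
! authorized by the server, and with the server unavailable none of them can be.
[local]Redback(config-ctx)#aaa authorization commands 10 tacacs+
! Recommended form: "none" disables authorization while the server is
! unavailable, and level-15 commands are never sent to the server.
[local]Redback(config-ctx)#no aaa authorization commands 10
[local]Redback(config-ctx)#aaa authorization commands 10 tacacs+ none except 15
```

The none keyword is a fail-open choice: during a TACACS+ outage, commands at level 10 and above run without authorization. Weigh that against the lockout the guide warns about, and in either case keep at least one administrator record on the TACACS+ server that is authorized for all commands, as the Caution for this command advises.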
Caution Risk of administrative failure. If the administrator record on the TACACS+ server is set up to
authorize only a limited set of commands, the administrator might not be allowed to perform
critical tasks using the SmartEdge OS. To reduce the risk, we recommend that you
configure at least one administrator record on the TACACS+ server that has authorization to
access all commands.
Note For information about default command privilege levels and how to modify them, see the
Basic System Configuration chapter in the Basic System Configuration Guide for the
SmartEdge OS.
Related Commands
aaa accounting commands
tacacs+ server
aaa authorization tunnel
aaa authorization tunnel {local | radius}
{no | default} aaa authorization tunnel {local | radius}
Purpose
Specifies the type of authorization for Layer 2 Tunneling Protocol (L2TP) peers.
Command Mode
context configuration
Syntax Description
local Specifies that L2TP peers are authorized by the local configuration.
radius Specifies that L2TP peers are authorized by a Remote Authentication Dial-In
User Service (RADIUS) server.
Default
L2TP peers are authorized by the SmartEdge OS configuration.
Usage Guidelines
Use the aaa authorization tunnel command to specify the type of authorization for L2TP peers.
Use the no or default form of this command to specify the default behavior.
Examples
The following example configures the local context to authorize L2TP peers by a RADIUS server:
[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa authorization tunnel radius
Related Commands
None
aaa double-authentication subscriber radius
aaa double-authentication subscriber radius [none [profile profile-name]]
no aaa double-authentication subscriber radius [none [profile profile-name]]
Purpose
Reauthenticates subscribers through the specified Remote Authentication Dial-In User Service (RADIUS)
server database.
Command Mode
context configuration
Syntax Description
none Optional. Specifies that no second authentication is to take place if the
RADIUS server is unavailable.
profile profile-name Optional. Defines a local profile used when the second RADIUS server is
unavailable. This is also referred to as the fallback profile.
Default
Subscribers are authenticated one time, either through the SmartEdge OS configuration or through one of
the RADIUS server databases.
Usage Guidelines
Use the aaa double-authentication subscriber radius command to reauthenticate subscribers through the
specified RADIUS server database and, optionally, to define a local profile to be used when the second
RADIUS server is unavailable.
RADIUS provisioning is enhanced so that subscribers can be authenticated twice without a RADIUS proxy
server. Subscribers are first authenticated by a global RADIUS server and then by the RADIUS server for
the binding context.
When the SmartEdge router receives the Password Authentication Protocol (PAP) or Challenge Handshake
Authentication Protocol (CHAP) Auth-Req packet, it sends a RADIUS Access-Request packet to the
global RADIUS server configured for the local context. If the Access-Accept packet returned by the
RADIUS server indicates that the subscriber is to be reauthenticated, the SmartEdge router sends a second
Access-Request packet to the RADIUS server for the binding (nonlocal) context specified by the global
server. Depending on the response of the second server, the session is either terminated or tunneled using
a list of attributes consolidated from both RADIUS responses. Attribute values received from the second
RADIUS server override values received from the first server and values configured locally in the nonlocal
context.
If the configured authentication failover method is none and the second RADIUS server is unavailable, the
subscriber is provisioned using the local profile (specified with the profile keyword) plus the attributes
received from the first RADIUS server, and the subscriber is not reauthenticated.
Use the no form of this command to disable the requirement for reauthenticating subscribers through the
specified RADIUS server database.
Examples
The following example configures the context ISP3 to reauthenticate its subscriber sessions using the
RADIUS server with the IP address 155.53.44.181 configured in the local context. Global authentication
is enabled in global configuration mode, the server is configured for authentication (radius server) in the
local context, and ISP3 falls back to the local profile last when that server is unavailable:
[local]Redback(config)#aaa global authentication subscriber radius
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 155.53.44.181 encrypted-key 3828082561D6BDD6
[local]Redback(config)#context ISP3
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config-ctx)#aaa double-authentication subscriber radius none profile last
[local]Redback(config-ctx)#radius server 155.53.44.181 encrypted-key 3828082561D6BDD6
[local]Redback(config-ctx)#subscriber profile last
[local]Redback(config-sub)#ip address pool
Note The following is the order of attribute processing, from highest precedence to lowest:
Service Provider RADIUS
Global RADIUS
Service Provider defined profile (local or fallback profile)
Service Provider default subscriber profile
Related Commands
aaa global authentication subscriber
aaa encrypted-password default
aaa encrypted-password default password
no aaa encrypted-password default
Purpose
Changes the default AAA authentication and authorization password to the specified encrypted password.
Command Mode
context configuration
Syntax Description
password Alphanumeric string representing a default authentication and authorization
password. This password is encrypted. Control characters are not allowed.
Default
The default AAA authentication and authorization password is Redback.
Usage Guidelines
Use the aaa encrypted-password default command to change the default authentication and authorization
password to the specified encrypted password. This new default AAA password is saved in encrypted
form as well. When you enter the show configuration command, the display shows the default AAA
password in encrypted form.
Use the no form of this command to restore the default password of Redback.
Examples
The following example shows how to configure the new default AAA encrypted password of
F9BFC75FC9F3F8AD:
[local]Redback(config-ctx)#aaa encrypted-password default F9BFC75FC9F3F8AD
Related Commands
aaa password
aaa global accounting event
aaa global accounting event {dhcp | reauthorization | ancp}
{no | default} aaa global accounting event {dhcp | reauthorization | ancp}
Purpose
Enables accounting messages for Dynamic Host Configuration Protocol (DHCP) leases, reauthorization
information, or Access Node Control Protocol (ANCP) events for subscriber sessions in all contexts to be
sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP
addresses or hostnames configured in the local context.
Command Mode
global configuration
Syntax Description
dhcp Enables accounting messages to be sent whenever a DHCP lease is created or
released.
reauthorization Enables accounting messages to be sent for subscriber reauthorization sessions.
The information sent in the messages provides details about subscriber circuits
after reauthorization is completed.
ancp Enables accounting messages to be sent whenever an ANCP event is received.
The information sent in the messages provides details from the digital subscriber
line (DSL) access multiplexer (DSLAM) about changes, such as a rate change,
to the subscriber DSL.
Default
RADIUS-based accounting is disabled.
Usage Guidelines
Use the aaa global accounting event command to enable accounting messages for DHCP leases,
reauthorization information, or ANCP events for subscriber sessions in all contexts to be sent to one or
more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
If an ANCP event occurs when no subscriber session is on the line, no accounting message is sent.
Use the no or default form of this command to disable RADIUS-based accounting.
Examples
The following example enables accounting messages for reauthorization information for subscriber
sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or
hostnames configured in the local context:
[local]Redback(config)#aaa global accounting event reauthorization
Related Commands
aaa accounting event
aaa reauthorization bulk
radius accounting server
aaa global accounting l2tp-session
aaa global accounting l2tp-session radius context local
{no | default} aaa global accounting l2tp-session
Purpose
Enables accounting messages for Layer 2 Tunneling Protocol (L2TP) tunnels or sessions in L2TP tunnels
in all contexts to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting
servers with IP addresses or hostnames configured in the local context.
Command Mode
global configuration
Syntax Description
radius context local Indicates accounting messages are sent to RADIUS accounting servers with
IP addresses or hostnames configured in the local context.
Default
The SmartEdge OS does not send accounting messages to a RADIUS server.
Usage Guidelines
Use the aaa global accounting l2tp-session command to enable accounting messages for L2TP tunnels or
sessions in L2TP tunnels in all contexts to be sent to one or more RADIUS accounting servers with IP
addresses or hostnames configured in the local context.
Note To use RADIUS, you must configure the IP address or hostname of at least one RADIUS
accounting server in the local context. To configure the server's IP address or hostname, enter
the radius accounting server command (in context configuration mode); for more
information, see Chapter 21, RADIUS Configuration.
Use the no or default form of this command to return the system to its default behavior of performing
accounting based on the SmartEdge OS configuration.
Examples
The following example configures the system to send accounting messages for L2TP sessions in all
contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:
[local]Redback(config)#aaa global accounting l2tp-session radius context local
Related Commands
aaa accounting l2tp
radius accounting server
aaa global accounting reauthorization subscriber
aaa global accounting reauthorization subscriber radius context local
{no | default} aaa global accounting reauthorization subscriber
Purpose
Enables accounting messages for the reauthorize command entered in any context in exec mode to be sent
to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP
addresses or hostnames configured in the local context.
Command Mode
global configuration
Syntax Description
radius context local Indicates accounting messages are sent to RADIUS accounting servers with
IP addresses or hostnames configured in the local context.
Default
RADIUS-based accounting is disabled.
Usage Guidelines
Use the aaa global accounting reauthorization subscriber command to enable accounting messages for
the reauthorize command entered in any context in exec mode to be sent to one or more RADIUS
accounting servers with IP addresses or hostnames configured in the local context. These messages indicate
that subscriber reauthorization has been completed.
Note To use RADIUS, you must configure the IP address or hostname of at least one RADIUS
accounting server in the local context. To configure the server's IP address or hostname, enter
the radius accounting server command (in context configuration mode); for more
information, see Chapter 21, RADIUS Configuration.
Use the no or default form of this command to return the system to its default behavior of performing
accounting based on the SmartEdge OS configuration.
Examples
The following example configures the system to send accounting messages for subscriber reauthorization
in all contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local
context:
[local]Redback(config)#aaa global accounting reauthorization subscriber radius context local
Related Commands
aaa accounting reauthorization subscriber
radius accounting server
aaa global accounting subscriber
aaa global accounting subscriber radius context local
{no | default} aaa global accounting subscriber
Purpose
Enables accounting messages for subscriber sessions in all contexts to be sent to one or more Remote
Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames
configured in the local context.
Command Mode
global configuration
Syntax Description
radius context local Indicates accounting messages are sent to RADIUS accounting servers with
IP addresses or hostnames configured in the local context.
Default
The SmartEdge OS does not send subscriber session accounting messages to a RADIUS server.
Usage Guidelines
Use the aaa global accounting subscriber command to enable accounting messages for subscriber
sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or
hostnames configured in the local context.
Note To use RADIUS, you must configure the IP address or hostname of at least one RADIUS
accounting server in the local context. To configure the server's IP address or hostname, enter
the radius accounting server command (in context configuration mode); for more
information, see Chapter 21, RADIUS Configuration.
Use the no or default form of this command to return the system to its default behavior of performing
accounting based on the SmartEdge OS configuration.
Examples
The following example configures the system to send accounting messages for subscriber sessions in all
contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:
[local]Redback(config)#aaa global accounting subscriber radius context local
Related Commands
aaa accounting subscriber
aaa update subscriber
radius accounting server
aaa global authentication subscriber
aaa global authentication subscriber radius context local
{no | default} aaa global authentication subscriber
Purpose
Enables global subscriber authentication through one or more Remote Authentication Dial-In User Service
(RADIUS) servers with IP addresses or hostnames configured in the local context.
Command Mode
global configuration
Syntax Description
radius context local Indicates authentication is performed by the RADIUS servers with IP
addresses or hostnames configured in the local context.
Default
The SmartEdge OS does not send subscriber authentication messages to a RADIUS server.
Usage Guidelines
Use the aaa global authentication subscriber command to enable global subscriber authentication
through one or more RADIUS servers with IP addresses or hostnames configured in the local context.
Note To use RADIUS, you must configure the IP address or hostname of at least one RADIUS
server in the local context. To configure the server's IP address or hostname, enter the radius
server command (in context configuration mode); for more information, see Chapter 21,
RADIUS Configuration.
Use the no or default form of this command to disable global subscriber authentication.
Examples
The following example configures the context siteA to globally authenticate its subscriber sessions using
the RADIUS server with the IP address of 10.2.3.4 configured in the local context:
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.2.3.4 key TopSecret
[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa authentication subscriber global
Related Commands
aaa authentication subscriber
radius server
aaa global maximum subscriber
aaa global maximum subscriber active count
{no | default} aaa global maximum subscriber
Purpose
Limits the total number of subscriber sessions that can be simultaneously active in all configured contexts.
Command Mode
global configuration
Syntax Description
active count Maximum number of subscriber sessions that can be simultaneously active.
The value of the count argument depends on the purchased subscriber license, the
SmartEdge router platform, and the controller card. Table 20-27 lists the possible
values.
Default
There is no limit to the number of subscriber sessions that can be simultaneously active in all configured
contexts.
Usage Guidelines
Use the aaa global maximum subscriber command to limit the total number of subscriber sessions that
can be simultaneously active in all configured contexts.
Table 20-27 lists the values for the active count construct.
Table 20-27 Global Maximum Subscriber Sessions
SmartEdge Router        Controller Card             Value
SmartEdge 100 router    Controller carrier card     16,000
SmartEdge 400 router    XCRP                        16,000
SmartEdge 400 router    XCRP3 with base license     16,000
SmartEdge 400 router    XCRP3 with upgrade          32,000
SmartEdge 400 router    XCRP4                       250,000
SmartEdge 800 router    XCRP                        16,000
SmartEdge 800 router    XCRP3 with base license     16,000
SmartEdge 800 router    XCRP3 with upgrade          48,000
SmartEdge 800 router    XCRP4                       250,000
SmartEdge 1200 router   XCRP                        16,000
SmartEdge 1200 router   XCRP3 with base license     16,000
SmartEdge 1200 router   XCRP3 with upgrade          48,000
SmartEdge 1200 router   XCRP4                       250,000
Use the no or default form of this command to restore the default of no limit to the number of subscriber
sessions.
Examples
The following example sets the maximum number of simultaneous active subscriber sessions for all
configured contexts to 12000:
[local]Redback(config)#aaa global maximum subscriber active 12000
Note The subscriber command (in software license configuration mode) specifies the maximum
number of active subscriber sessions and is described in the Basic System Configuration
chapter in the Basic System Configuration Guide for the SmartEdge OS.
Related Commands
aaa maximum subscriber
aaa global reject empty-username
aaa global reject empty-username
no aaa global reject empty-username
Purpose
Suppresses Remote Authentication Dial-In User Service (RADIUS) Access-Request messages when no
username is specified.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
The SmartEdge OS sends RADIUS Access-Request messages to the RADIUS server regardless of whether
a username is specified.
Usage Guidelines
Use the aaa global reject empty-username command to suppress RADIUS Access-Request messages
when no username is specified. The relevant attribute in the Access-Request message is the User-Name
attribute. The SmartEdge OS logs an informational message that identifies the circuit, then discards the
Access-Request packet.
Use the no form of this command to restore the default behavior of sending Access-Request messages to
the RADIUS server regardless of whether a username is specified.
Examples
The following example configures the SmartEdge OS to suppress Access-Request messages when no
username is specified:
[local]Redback(config)#aaa global reject empty-username
Related Commands
None
aaa global session-id-count
aaa global session-id-count
no aaa global session-id-count
Purpose
Changes the account session ID rules to comply with the requirements of vendor-specific equipment.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
By default, vendor-specific account session ID rules are disabled.
Usage Guidelines
Use the aaa global session-id-count command to change the account session ID rules to comply with the
requirements of vendor-specific equipment. When you apply this command, the SmartEdge router enforces
the following rules:
The account session ID attribute is a unique hexadecimal number.
The first session is number zero (0) and subsequent sessions increment by one (1) until the value
FFFFFFFF is reached. Upon process restart or failover, the count of the session begins with the value
after the previous value is reached.
After the value FFFFFFFF is reached, renumbering from zero begins.
When a SmartEdge router receives an accounting request, it sends an account session ID.
The SmartEdge OS supports this feature in the following environments:
L2TP (LAC/LNS)
PPPoE
PPPoA
PPPoEoA
PPPoEoE
To use this feature, configure RADIUS authentication and RADIUS accounting on the SmartEdge router, and
then configure a RADIUS accounting server.
Use the no form of this command to reset the aaa global session-id-count command to the default account
session ID rules.
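The numbering rules above, as an added example that is not Redback code: a small Python counter that models the first-session, increment, restart-or-failover and FFFFFFFF wrap-around cases so each can be checked in isolation. The persisted values fed to it are constructed.

```python
"""Account session ID numbering as described for `aaa global session-id-count`.

Added example (not Redback code). The counter issues 8-digit hexadecimal
Acct-Session-Id values following the rules in the usage guidelines; the
persisted values used when "restarting" it are constructed sample data.
"""
from typing import Optional

MAX_SESSION_ID = 0xFFFFFFFF  # last value before renumbering starts again at zero


class AcctSessionIdCounter:
    """Issues unique 8-digit hexadecimal Acct-Session-Id values.

    The first session is 0 and each later session is the previous value plus
    one; after FFFFFFFF the numbering restarts at zero. To survive a process
    restart or failover, the last issued value is handed back in on start-up
    so that counting continues with the value after it.
    """

    def __init__(self, last_issued: Optional[int] = None):
        if last_issued is not None and not 0 <= last_issued <= MAX_SESSION_ID:
            raise ValueError("persisted value is outside the 32-bit range")
        self._last = last_issued  # None: no session has been numbered yet

    def next_id(self) -> str:
        """Return the next session ID, formatted as 8 upper-case hex digits."""
        if self._last is None or self._last == MAX_SESSION_ID:
            value = 0  # very first session, or renumbering after FFFFFFFF
        else:
            value = self._last + 1
        self._last = value
        return f"{value:08X}"

    @property
    def last_issued(self) -> Optional[int]:
        """Value to persist so a restarted process can continue the sequence."""
        return self._last


def restart_and_continue(persisted: Optional[int]) -> str:
    """Simulate a process restart or failover: rebuild the counter from the
    persisted value and number the first post-restart session."""
    return AcctSessionIdCounter(persisted).next_id()
```

Uniqueness holds only within one pass through the 32-bit space: once the counter has wrapped, an earlier ID is reused by a later session, so accounting records should be correlated on more than the session ID alone.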
Examples
The following example shows how to globally configure the SmartEdge router so that the account session
ID rules comply with the requirements of vendor-specific equipment:
[local]Redback(config)#aaa global session-id-count
Related Commands
None
aaa global update subscriber
aaa global update subscriber interval
{no | default} aaa global update subscriber
Purpose
Sends updated accounting records for subscribers in all contexts to one or more Remote Authentication
Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local
context.
Command Mode
global configuration
Syntax Description
interval Period (in minutes) between accounting updates. The range of values is 10 to 10,080.
Default
This authentication, authorization, and accounting (AAA) feature is disabled.
Usage Guidelines
Use the aaa global update subscriber command to send updated accounting records for subscribers in all
contexts to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local
context.
Note You must configure accounting using the aaa global accounting subscriber command (in
global configuration mode).
Note To use RADIUS, you must configure the IP address or hostname of at least one RADIUS
accounting server in the local context. To configure the server's IP address or hostname, enter
the radius accounting server command (in context configuration mode); for more
information, see Chapter 21, RADIUS Configuration.
Use the no or default form of this command to disable subscriber account updating.
Examples
The following example globally configures an update to be sent for all subscribers in the system when each
subscriber's session comes up, and every 20 minutes thereafter, for as long as the subscriber session lasts:
[local]Redback(config)#aaa global update subscriber 20
Related Commands
aaa global accounting subscriber
aaa update subscriber
radius accounting server
aaa hint ip-address
aaa hint ip-address
no aaa hint ip-address
Purpose
Enables the SmartEdge OS to notify the Remote Authentication Dial-In User Service (RADIUS) server that
the IP address in the Framed-IP-Address attribute is the preferred IP address.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
This feature is disabled.
Usage Guidelines
Use the aaa hint ip-address command to enable the SmartEdge OS to notify the RADIUS server that the
IP address in the Framed-IP-Address attribute is the preferred IP address.
This feature applies only to subscribers that you have configured using the ip address command (in
subscriber configuration mode) with the pool keyword. The SmartEdge OS selects an unused IP address
from the pool and sends it to the RADIUS server in an Access-Request message. The ip address command
is described in the Subscriber Configuration chapter in the Basic System Configuration Guide for the
SmartEdge OS. It does not apply to subscribers who are configured for SmartEdge OS authentication.
The IP address selected from the unnamed IP pool is a hint to the RADIUS server that the selected address
is preferred. The RADIUS server can choose to honor the hint or override it with a different IP address. The
SmartEdge OS uses the address only if the RADIUS server confirms that it is acceptable; the SmartEdge
OS action corresponding to the RADIUS response is described in the IP Address Assignment section.
Use the no form of this command to disable this feature.
Examples
The following example enables this feature in the customers context:
[local]Redback(config)#context customers
[local]Redback(config-ctx)#aaa hint ip-address
Note This command is not available if you have enabled global subscriber authentication using the
aaa global authentication subscriber command (in global configuration mode).
Related Commands
aaa global authentication subscriber
aaa ip-pool allocation first-available
aaa ip-pool allocation first-available
no aaa ip-pool allocation first-available
default aaa ip-pool allocation
Purpose
Specifies that the SmartEdge OS uses a first-available algorithm to allocate IP addresses to subscribers.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
The SmartEdge OS uses a round-robin algorithm to allocate IP addresses to subscribers.
Usage Guidelines
Use the aaa ip-pool allocation first-available command to specify that the SmartEdge OS uses a
first-available algorithm to allocate IP addresses to subscribers.
When the SmartEdge OS receives a request for an IP address, by default it uses the round-robin method to
select an address from the IP pool. The round-robin method begins its search where the last search ended;
that is, the SmartEdge OS checks whether the first address in the IP pool following the last allocated IP
address is available. If this address is unavailable, the SmartEdge OS checks the next address until either
an available address is assigned or the pool is exhausted.
In the first-available method, the search for an available IP address always begins with the first address in
the pool.
Use the no or default form of this command to revert to the default behavior.
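The two search methods described above, as an added example that is not Redback code: a Python model of a pool that allocates either round-robin or first-available, run through the same allocate/release sequence so the difference is visible. The pool range and call sequence are constructed, and the round-robin search is assumed to wrap to the start of the pool after its last address.

```python
"""Round-robin versus first-available subscriber IP-pool allocation.

Added example (not Redback code) modelling the two search methods the
usage guidelines for `aaa ip-pool allocation first-available` describe.
The pool range and the allocate/release sequence are constructed; the
round-robin search is assumed to wrap to the start of the pool after the
last address, which "until ... the pool is exhausted" implies.
"""
import ipaddress
from typing import List, Optional


class SubscriberIpPool:
    """An unnamed pool of consecutive IPv4 addresses."""

    def __init__(self, first: str, last: str, first_available: bool = False):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.addresses = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.in_use = set()
        self.first_available = first_available
        self._next_index = 0  # round-robin: where the previous search ended

    def allocate(self) -> Optional[str]:
        """Return a free address, or None when the pool is exhausted."""
        size = len(self.addresses)
        # First-available always restarts at the first address; round-robin
        # resumes just after the address handed out by the previous search.
        start = 0 if self.first_available else self._next_index
        for step in range(size):
            index = (start + step) % size
            candidate = self.addresses[index]
            if candidate not in self.in_use:
                self.in_use.add(candidate)
                self._next_index = (index + 1) % size
                return candidate
        return None

    def release(self, address: str) -> None:
        """Return an address to the pool when the subscriber session ends."""
        self.in_use.discard(address)


def allocation_trace(first_available: bool) -> List[Optional[str]]:
    """Run one allocate/release sequence on a four-address pool and return
    what each allocate() call produced, so the two methods can be compared."""
    pool = SubscriberIpPool("10.0.0.1", "10.0.0.4", first_available)
    trace = [pool.allocate() for _ in range(3)]  # .1, .2, .3 with either method
    pool.release("10.0.0.1")                     # the first subscriber logs off
    trace.append(pool.allocate())                # round-robin: .4; first-available: .1
    trace.append(pool.allocate())                # round-robin: .1; first-available: .4
    trace.append(pool.allocate())                # pool exhausted: None
    return trace
```

Round-robin delays reuse of a released address by a full pass through the pool, which keeps a departed subscriber's accounting and log records from being confused with those of the next session that receives the same address; first-available hands the address out again immediately.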
Examples
The following example specifies that the SmartEdge OS uses a first-available algorithm to allocate
subscriber IP addresses:
[local]Redback(config)#aaa ip-pool allocation first-available
Related Commands
aaa hint ip-address
aaa last-resort
aaa last-resort context ctx-name [append]
no aaa last-resort
Purpose
Specifies the context in which authentication of a subscriber should be attempted if the subscriber name
does not contain a valid domain or context that has been configured in the system.
Command Mode
global configuration
Syntax Description
context ctx-name Name of the last resort context.
append Optional. Appends the @ symbol and context name to the subscriber's name.
Default
No last resort context is configured.
Usage Guidelines
Use the aaa last-resort command to specify the context in which authentication of a subscriber name is to
be attempted whenever the domain portion of the subscriber name provided cannot be matched to any
configured context or domain.
At the time you enter this command, the SmartEdge OS does not check to ensure you specify a valid
context. When a subscriber attempts to connect, and the SmartEdge OS attempts to validate the subscriber
in the last resort context, an error message displays if the context does not exist.
Only one last resort context can be in effect at a time. To change the last resort context, configure a new one;
it overwrites the existing one.
Note To use Remote Authentication Dial-In User Service (RADIUS), the IP address or hostname
of at least one RADIUS server must be configured in the last resort context. To configure the
server's IP address or hostname, enter the radius server command (in context configuration
mode); for more information, see Chapter 21, RADIUS Configuration.
Use the no form of this command to remove the last resort context.
Examples
The following configuration assumes three contexts: california, nevada, and otherstates. A
username, jill@arizona, is submitted for authentication, but there is no configured arizona context.
The following example configures the system in such a way that jill@arizona would be submitted for
authentication in the otherstates context:
[local]Redback(config)#aaa last-resort context otherstates
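The lookup behind this example, as an added example that is not Redback code: a Python function that picks the authentication context for a subscriber name, falls back to the last-resort context, applies the optional append keyword and reports the connect-time error for a last-resort context that does not exist. The context names are taken from the example above; that the domain is the part after the last @ is an assumption.

```python
"""Choosing the authentication context for a subscriber name (`aaa last-resort`).

Added example (not Redback code). Models the usage guidelines: a name whose
domain matches a configured context authenticates there; otherwise the
last-resort context is used, and with `append` "@<context>" is added to the
submitted name. Splitting on the last "@" is an assumption.
"""
from typing import Optional, Set, Tuple


def resolve_auth_context(
    username: str,
    configured_contexts: Set[str],
    last_resort: Optional[str] = None,
    append: bool = False,
) -> Tuple[Optional[str], str]:
    """Return (context, name_to_submit) for a subscriber name.

    Returns (None, username) when no domain matches and no last-resort
    context is configured. Raises LookupError when the configured
    last-resort context does not exist, mirroring the error the usage
    guidelines say is reported only when a subscriber connects.
    """
    if "@" in username:
        _, domain = username.rsplit("@", 1)
        if domain in configured_contexts:
            return domain, username  # valid domain: authenticate there
    if last_resort is None:
        return None, username
    if last_resort not in configured_contexts:
        raise LookupError(f"last-resort context {last_resort!r} does not exist")
    if append:
        return last_resort, f"{username}@{last_resort}"
    return last_resort, username
```

Every name with an unmatched domain ends up in the last-resort context, so its RADIUS policy should be no looser than that of the named contexts.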
Related Commands
aaa authentication subscriber
aaa global authentication subscriber
aaa maximum subscriber
aaa maximum subscriber active count
{no | default} aaa maximum subscriber
Purpose
Limits the number of subscriber sessions that can be simultaneously active in a given context.
Command Mode
context configuration
Syntax Description
active count Maximum number of subscriber sessions that can be simultaneously active.
The value of the count argument depends on the purchased subscriber license, the
SmartEdge router platform, and the controller card. Table 20-28 lists the possible
values.
Default
There is no limit to the number of subscriber sessions that can be simultaneously active in a given context.
Usage Guidelines
Use the aaa maximum subscriber command to limit the number of subscriber sessions that can be
simultaneously active in a given context.
Table 20-28 lists the values for the active count construct.
Table 20-28 Context Maximum Subscriber Sessions
SmartEdge Router        Controller Card             Value
SmartEdge 100 router    Controller carrier card     16,000
SmartEdge 400 router    XCRP                        16,000
SmartEdge 400 router    XCRP3 with base license     16,000
SmartEdge 400 router    XCRP3 with upgrade          32,000
SmartEdge 400 router    XCRP4                       250,000
SmartEdge 800 router    XCRP                        16,000
SmartEdge 800 router    XCRP3 with base license     16,000
SmartEdge 800 router    XCRP3 with upgrade          48,000
SmartEdge 800 router    XCRP4                       250,000
SmartEdge 1200 router   XCRP                        16,000
SmartEdge 1200 router   XCRP3 with base license     16,000
SmartEdge 1200 router   XCRP3 with upgrade          48,000
SmartEdge 1200 router   XCRP4                       250,000
Use the no or default form of this command to restore the default of no limit to the number of subscriber
sessions.
Examples
The following example sets the maximum number of simultaneous active subscriber sessions for the
local context to 100:
[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa maximum subscriber active 100
Note The subscriber command (in software license configuration mode) specifies the maximum
number of active subscriber sessions and is described in the Basic System Configuration
chapter in the Basic System Configuration Guide for the SmartEdge OS.
Related Commands
aaa global maximum subscriber
aaa password
aaa password {default password [disable-subscriber] | disable-subscriber}
no aaa password default
Purpose
Changes the default authentication and authorization password for the authentication, authorization, and
accounting (AAA) to the specified password. It also disables the default authentication and authorization
password on the subscriber circuits.
Command Mode
context configuration
Syntax Description
default password Changes the default authentication and authorization password to the specified
password. The password is an alphanumeric string and is plaintext. Control
characters are not allowed.
disable-subscriber Disables the default authentication and authorization password on the subscriber
circuits.
Default
The default authentication and authorization password is Redback.
Usage Guidelines
Use the aaa password command to change the default authentication and authorization password for the
AAA or disable the default authentication and authorization password on subscriber circuits. To change the
default authentication and authorization password to a specified password, use the default keyword with
the aaa password command. This new default password is saved in encrypted form. When you enter
the show configuration command, the display shows the default AAA password in encrypted form.
To disable the default authentication and authorization password on subscriber circuits, use the
disable-subscriber keyword with the aaa password command.
Use the no form of this command to restore the default password of Redback.
Examples
The following example shows how to configure the new default AAA password of secret123:
[local]Redback(config-ctx)#aaa password default secret123
The following example shows how to configure the new default AAA password of secret123 and disable
this default AAA password on the subscriber circuits:
[local]Redback(config-ctx)#aaa password default secret123 disable-subscriber
Related Commands
aaa encrypted-password default
aaa provision binding-order
aaa provision binding-order ip-address-attr l2tp-attr
no aaa provision binding-order ip-address-attr l2tp-attr
Purpose
Changes the default order in which the SmartEdge OS searches for the Remote Authentication Dial-In User
Service (RADIUS) and Layer 2 Tunneling Protocol (L2TP) attributes to find the IP address to be used to bind
a subscriber circuit.
Command Mode
context configuration
Syntax Description
ip-address-attr Uses the IP address in the Framed-IP-Address attribute in the authentication message
received from a RADIUS server.
l2tp-attr Uses the IP address in the Sub-Address attribute value pair (AVP) in the incoming call
request (ICRQ) message received from the L2TP access concentrator (LAC) peer.
Default
The SmartEdge OS searches for the L2TP attribute before searching for the RADIUS attribute.
Usage Guidelines
Use the aaa provision binding-order command to change the default order in which the SmartEdge OS
searches for the RADIUS and L2TP attributes to find the IP address to be used to bind a subscriber circuit.
The circuit binding has been created using the bind authentication command (in circuit configuration
mode).
Use this command to enable the SmartEdge OS to look for the RADIUS Framed-IP-Address attribute
before looking at the L2TP Sub-Address AVP. If the Framed-IP-Address attribute does not exist, the L2TP
ICRQ message is examined for the Sub-Address AVP. If the Sub-Address AVP does not exist, the session
is not brought up.
Use the no form of this command to specify the default order.
For more information about using the bind authentication command to create a dynamic binding, see the
Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
Examples
The following example specifies that the IP address (and its interface) in the RADIUS record be used to
bind a subscriber circuit:
[local]Redback(config-ctx)#aaa provision binding-order ip-address-attr l2tp-attr
Related Commands
None
aaa provision route
aaa provision route ip-netmask encapsulation encaps-type
{no | default} aaa provision route ip-netmask
Purpose
Enables the SmartEdge OS to install a route specified by the Remote Authentication Dial-In User Service
(RADIUS) Framed-IP-Netmask attribute.
Command Mode
context configuration
Syntax Description
ip-netmask Installs the subnet route specified by the RADIUS Framed-IP-Netmask
attribute in the route table.
encapsulation encaps-type Encapsulation type, according to one of the following keywords:
ppp: Specifies Point-to-Point Protocol (PPP)-encapsulated subscriber
circuits.
pppoe: Specifies PPP over Ethernet (PPPoE)-encapsulated subscriber
circuits.
ppp pppoe: Specifies PPP- and PPPoE-encapsulated subscriber circuits.
Default
The Framed-IP-Netmask attribute is ignored.
Usage Guidelines
Use the aaa provision route command to enable the SmartEdge OS to install a route specified by the
RADIUS Framed-IP-Netmask attribute. The subnet route specified by the Framed-IP-Netmask attribute is
installed in the route table. This command is available only for PPP- or PPPoE-encapsulated circuits.
Use the no or default form of this command to ignore the Framed-IP-Netmask attribute.
Examples
The following example enables a direct connection to PPP routers:
[local]Redback(config)#context remote
[local]Redback(config-ctx)#aaa provision route ip-netmask encapsulation ppp
Related Commands
None
aaa rate-report-factor
aaa rate-report-factor {adsl1 | adsl2 | adsl2+ | vdsl1 | vdsl2 | sdsl | unknown} percentage
no aaa rate-report-factor
Purpose
Multiplies the raw digital subscriber line (DSL) data rate by a factor and reports the result for one or more
line types as the subscriber traffic rate in Remote Authentication Dial-In User Service (RADIUS) and Layer
2 Tunneling Protocol (L2TP) messages.
Command Mode
context configuration
Syntax Description
adsl1  Specifies the ADSL1 asymmetric DSL line type.
adsl2  Specifies the ADSL2 asymmetric DSL line type.
adsl2+  Specifies the ADSL2+ asymmetric DSL line type.
vdsl1  Specifies the VDSL1 very-high-bit-rate DSL line type.
vdsl2  Specifies the VDSL2 very-high-bit-rate DSL line type.
sdsl  Specifies the symmetric DSL (SDSL) line type.
unknown  Specifies an unknown DSL line type.
percentage  Factor (a percentage) by which you want to multiply the data rate prior to sending the RADIUS message.
Default
No rate adjustment is calculated for any DSL line type.
Usage Guidelines
Use the aaa rate-report-factor command to multiply the raw DSL data rate by a factor and report the result for one or more line types as the subscriber traffic rate in RADIUS and L2TP messages.
Access nodes send raw data rates of one or more DSL line types to the SmartEdge router; however, only a portion of the raw data rate is available for subscriber traffic. You can configure the SmartEdge router to multiply the raw data rate for each type of DSL line by a specific percentage.
The magnitude of the adjustment can differ by DSL line type. For this reason, you can specify a different factor for each possible line type. You must issue this command once for each line type that you expect connected access nodes to use.
The SmartEdge router sends the adjusted rate in RADIUS vendor-specific attribute (VSA) 185, DSL_Actual_Rate_Down_Factor, and in the L2TP (Tx) Connect Speed attribute-value pair (AVP) 24. If you do not specify a factor for a specific line type, the unaltered learned rate for that line type is sent in these attributes.
Use the no form of this command to revert to the default behavior.
Note This command adjusts only the reported rates for the attributes named above. It does not affect data rates used for traffic shaping or quality of service (QoS) policies. QoS policies use the raw rates combined with more precise encapsulation information to achieve proper metering and shaping.
Examples
The following example enables the SmartEdge router to multiply the DSL line type data rate for ADSL1 by 80% prior to sending a RADIUS accounting message:
[local]Redback(config-ctx)#aaa rate-report-factor adsl1 80
Related Commands
access-line rate
aaa reauthorization bulk
aaa reauthorization bulk {global | none | radius}
{no | default} aaa reauthorization bulk
Purpose
Configures subscriber reauthorization so that attribute changes can be dynamically applied to active
subscriber sessions, without requiring Point-to-Point Protocol (PPP) renegotiation and without interrupting
or dropping active sessions.
Command Mode
context configuration
Syntax Description
global  Enables reauthorization of all subscribers in the current context through one or more Remote Authentication Dial-In User Service (RADIUS) servers with IP addresses or hostnames configured in the local context.
none  Disables subscriber reauthorization.
radius  Enables reauthorization of subscribers in the current context through one or more RADIUS servers with IP addresses or hostnames configured in the same context.
Default
None
Usage Guidelines
Use the aaa reauthorization bulk command to configure subscriber reauthorization so that attribute changes can be dynamically applied to active subscriber sessions, without requiring PPP renegotiation and without interrupting or dropping active sessions. After this command has been enabled, enter the reauthorize command (in exec mode) to initiate subscriber reauthorization.
The standard RADIUS attributes and Redback VSAs that are supported with dynamic subscriber reauthorization are listed in Appendix A, RADIUS Attributes.
Note The SmartEdge OS appends the context name to the subscriber name when sending reauthorization messages; for example, joe@local.
Note You must configure at least one RADIUS server in the local or the current context before any messages can be sent to it. To configure the server, enter the radius server command (in context configuration mode); for more information, see Chapter 21, RADIUS Configuration.
Note To enable RADIUS authentication, you must enter the aaa authentication subscriber command (in context configuration mode).
Use the no or default form of this command to disable dynamic subscriber reauthorization.
Examples
The following example enables the global reauthorization of all subscribers in the SmartEdge OS:
[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa reauthorization bulk global
The following is an example of a subscriber record on a RADIUS server. The subscriber has requested a new service that is translated to a particular session timeout value:
#reauth of absolute timeout
reauth-501@local User-Password == redback
    Service-Type = Outbound-User,
    Reauth_String = 2;pppoe1@local;27;1000;
Before the administrator enters the reauthorize command (in exec mode), the subscriber record appears as:
[local]Redback>show subscribers active
pppoe1@local
    Circuit 13/1 vpi-vci 0 33
    Internal Circuit 13/1:1023:63/1/2/22
    Current port-limit unlimited
    ip address 10.1.1.4
In the following example, the administrator enters the reauthorize command (in exec mode) and the subscriber session is reauthorized with the new timeout attribute added:
[local]Redback>reauthorize username pppoe1@local
[local]Redback>show subscribers active
pppoe1@local
    Circuit 13/1 vpi-vci 0 33
    Internal Circuit 13/1:1023:63/1/2/22
    Current port-limit unlimited
    ip address 10.1.1.4
    timeout absolute 1000
Related Commands
aaa authentication subscriber
aaa update subscriber
aaa update subscriber interval
{no | default} aaa update subscriber
Purpose
Sends updated accounting records for subscriber sessions in the current context to one or more Remote
Authentication Dial-In User Service (RADIUS) servers with IP addresses or hostnames configured in the
same context.
Command Mode
context configuration
Syntax Description
interval  Period (in minutes) between accounting updates. The range of values is 10 to 10,080.
Default
Updates for subscriber accounts are not performed.
Usage Guidelines
Use the aaa update subscriber command to send updated accounting records for subscriber sessions in the current context to one or more RADIUS servers with IP addresses or hostnames configured in the same context.
Note You must configure accounting using the aaa accounting subscriber command (in context configuration mode) with the radius keyword.
Note To use RADIUS, the IP address or hostname of at least one RADIUS accounting server must be configured in the context to which the subscriber is to be bound. To configure the server's IP address or hostname, enter the radius accounting server command (in context configuration mode); for more information, see Chapter 21, RADIUS Configuration.
Use the no or default form of this command to disable subscriber account updating.
Examples
The following example configures an update to be sent every 20 minutes, for as long as the subscriber session lasts:
[local]Redback(config-ctx)#aaa update subscriber 20
Related Commands
aaa accounting subscriber
aaa global update subscriber
radius accounting server
aaa username-format
aaa username-format {domain | username} separator [rightmost-separator]
no aaa username-format {domain | username} separator [rightmost-separator]
Purpose
Defines one or more schemas for matching the format of structured usernames.
Command Mode
global configuration
Syntax Description
domain  Specifies that the domain portion of the structured username is to precede the user portion.
username  Specifies that the user portion of the structured username is to precede the domain portion.
separator  Character that separates the user portion of the structured username from the domain portion. The possible characters are %, -, @, _, \\, #, and /. To designate a backslash (\), you must enter it on the command line as two backslashes (\\); a single backslash has a reserved meaning in the SmartEdge OS. A maximum of six characters can be used in a single schema.
rightmost-separator  Specifies that the far right (rightmost) separator character within a structured username that contains multiple separators is to be treated as the separator character.
Default
If no username formats are specified with this command, the SmartEdge OS default format of username@domain-name is checked for a format match.
Usage Guidelines
Use the aaa username-format command to define one or more schemas for matching the format of structured usernames. A username can be for a subscriber or an administrator.
You can use this command multiple times to create a list of formats against which an incoming username is matched. The first format configured is checked first for a match, then the second, and so on until a match is found or until the configured username formats are exhausted.
Use the rightmost-separator keyword with the aaa username-format command when you have multiple separators within a structured username; for example, joe@gold@example.com. If the rightmost-separator keyword is configured, the SmartEdge OS treats the far right (rightmost) separator character as the separator that divides the user portion of the structured username from the domain portion.
If no username formats are explicitly defined with the aaa username-format command, the SmartEdge OS checks the default format of username@domain-name for a match.
Use the no form of this command to remove the specified format from those considered to be valid structured-username formats.
Examples
The following example configures a structured-username format with the subscriber name specified first, separated from its domain by the % symbol:
[local]Redback(config)#aaa username-format username %
In this example, for a subscriber, joe, configured in the local context, the SmartEdge OS checks for a match against the structured username joe%local.
The following example configures a structured-username format with the domain name specified first, separated from the subscriber name by the / symbol:
[local]Redback(config)#aaa username-format domain /
In this example, for a subscriber, joe, configured in the local context, the SmartEdge OS checks for a match against the format local/joe.
The following example shows how to configure a structured-username format with the domain name specified first, separated from the subscriber name using the far right (rightmost) separator, an @ symbol:
[local]Redback(config)#aaa username-format domain @ rightmost-separator
In this example, for the username local@example.com@joe, the SmartEdge OS looks for the far right separator, an @ symbol. For this username, the subscriber name is joe and the context is local@example.com.
Related Commands
aaa authentication subscriber
aaa global authentication subscriber
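The matching rules above (ordered list of schemas, first match wins, default username@domain-name only when nothing is configured, rightmost-separator for names with several separators) are easy to get wrong when the domain portion decides which context, and therefore which RADIUS servers, a login is sent to. The following Python is an added illustration and not SmartEdge OS code: it models each configured aaa username-format as an order, a single separator character and the rightmost flag, and walks the list exactly as the guidelines describe. The class and function names are the example's own; multi-character separators are not modelled. The last calls in the test show how the same name splits differently depending on the rightmost-separator choice.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Separator characters accepted by aaa username-format (a backslash is typed as \\ on the CLI).
ALLOWED_SEPARATORS = frozenset("%-@_\\#/")


@dataclass(frozen=True)
class UsernameFormat:
    """One configured schema: which portion comes first, the separator, and the rightmost flag."""
    order: str                 # "username" (user first) or "domain" (domain first)
    separator: str             # a single character from ALLOWED_SEPARATORS
    rightmost: bool = False    # split at the rightmost separator when several are present

    def __post_init__(self) -> None:
        if self.order not in ("username", "domain"):
            raise ValueError("order must be 'username' or 'domain'")
        if len(self.separator) != 1 or self.separator not in ALLOWED_SEPARATORS:
            raise ValueError(f"unsupported separator {self.separator!r}")


# Schema used when no aaa username-format command is configured: username@domain-name.
DEFAULT_FORMATS: List[UsernameFormat] = [UsernameFormat("username", "@")]


def match_format(name: str, fmt: UsernameFormat) -> Optional[Tuple[str, str]]:
    """Return (user, domain) if `name` matches `fmt`, otherwise None.

    Without rightmost-separator the first occurrence of the separator splits the name,
    so joe@gold@example.com becomes joe / gold@example.com; with it, the last occurrence
    splits, giving joe@gold / example.com.
    """
    if fmt.separator not in name:
        return None
    left, _, right = (name.rpartition(fmt.separator) if fmt.rightmost
                      else name.partition(fmt.separator))
    if not left or not right:          # an empty user or domain portion is not a match
        return None
    return (left, right) if fmt.order == "username" else (right, left)


def split_structured_username(name: str,
                              formats: Optional[List[UsernameFormat]] = None
                              ) -> Optional[Tuple[str, str]]:
    """Try each configured format in order and return the first (user, domain) match.

    The first configured format is checked first, then the second, and so on; with no
    formats configured the default username@domain-name applies. Note that once any
    format is configured the default is no longer consulted.
    """
    for fmt in formats or DEFAULT_FORMATS:
        hit = match_format(name, fmt)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    # Constructed names matching the examples in the command description.
    configured = [UsernameFormat("username", "%"), UsernameFormat("domain", "/")]
    for candidate in ("joe%local", "local/joe", "joe@local"):
        print(candidate, "->", split_structured_username(candidate, configured))
```

The third constructed name, joe@local, returns None once the two explicit formats are configured: an operator who adds a % or / schema and still expects @-style logins to work must add that format as well.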
session-action
session-action failure always-up [trap]
no session-action failure always-up
Purpose
Enables a subscriber session to be successfully established and remain active, regardless of a misconfigured
RADIUS attribute, nonexistent RADIUS attribute, or nonmandatory RADIUS attribute that failed to apply.
Command Mode
subscriber configuration
Syntax Description
failure  Specifies the action to take when RADIUS attributes fail to be provisioned.
always-up  Keeps the session active regardless of a misconfigured RADIUS attribute, nonexistent RADIUS attribute, or nonmandatory RADIUS attribute that failed to apply.
trap  Optional. Enables SNMP traps and logs to be sent when a RADIUS attribute fails to be initially provisioned. The SNMP trap and log include the reason the RADIUS attribute failed to be initially provisioned, as well as information about keeping the subscriber session active. The logs are sent to a console to alert the appropriate administrator. To use the trap keyword, you must have a configured SNMP server.
Default
By default, a subscriber session is not established, and does not remain active, if a RADIUS attribute is misconfigured or nonexistent, or if a nonmandatory RADIUS attribute fails to be applied.
Usage Guidelines
Use the session-action failure always-up command to enable a subscriber session to be successfully established and remain active regardless of a misconfigured RADIUS attribute, nonexistent RADIUS attribute, or nonmandatory RADIUS attribute that failed to apply. These RADIUS attributes are of the type that can be allowed to be provisioned regardless of missing RADIUS attribute data or a provisioning failure. The following are examples of these types of RADIUS attributes:
A Filter-Id attribute with an access list that is not configured.
A queuing policy attribute for an encapsulation that does not match the actual encapsulation the subscriber uses. For example, the encapsulation type configured on the RADIUS server is ATM PPP over Ethernet (PPPoE), and the actual encapsulation type the subscriber uses is Ethernet PPPoE.
Keeping a session up after such a failure is a fail-open choice: in the Filter-Id case, the subscriber is active without the access list that the RADIUS server intended to apply. Use the trap keyword so that each failure is trapped and logged rather than silently accepted.
If more than one queuing policy attribute is configured for subscriber encapsulation after the session-action failure always-up command is enabled, the SmartEdge router selects the attribute to apply by matching the queuing policy name and its configured encapsulation type with the actual encapsulation type the subscriber is using. Once matched, the session is established and allowed to remain active.
The session-action failure always-up command must be enabled for a subscriber using either the default subscriber profile or a named subscriber profile within the context to which the subscriber is bound.
Use the trap keyword to enable the SmartEdge router to send SNMP traps and logs that include the reason a RADIUS attribute failed to be initially provisioned, as well as the action taken to keep the subscriber session up.
Use the no form of this command to return to the default behavior.
Examples
The following example shows how to enable the session-action failure always-up command for the default subscriber profile within the context local. The trap keyword enables the SmartEdge router to send SNMP traps and logs about RADIUS attributes that initially fail to be provisioned before the session is established and kept up:
[local]Redback#config
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#session-action failure always-up trap
Related Commands
None
RADIUS Configuration 21-1
Chapter 21
RADIUS Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Remote Authentication Dial-In User Service (RADIUS) features.
For information about RADIUS attributes, see AppendixA, RADIUS Attributes.
For information about tasks and commands used to monitor, troubleshoot, and administer RADIUS, see the
RADIUSOperations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The RADIUS protocol, which is based on a client/server architecture, enables remote access to networks
and network services. When configured with the IP address or hostname of a RADIUS server, the
SmartEdge router can act as a RADIUS client.
To enable authentication through RADIUS, you must also configure authentication, authorization, and
accounting (AAA) features; for more information, see Chapter 20, AAA Configuration.
This section contains the following topics:
RADIUS Servers
RADIUS Services Engine
Accounting and Service Accounting Messages
RADIUS Servers
RADIUS servers can perform the following functions:
Accounting server: Maintains accounting records for subscribers. The SmartEdge OS transmits session start and stop times in Accounting Start and Stop messages to the server.
Authentication server: Maintains authentication records for subscribers. The SmartEdge OS requests authentication in Access Request messages before permitting subscribers access.
Accounting and authentication: Performs the functions of both the accounting and authentication servers.
The SmartEdge OS can be configured to use any of these server types.
In addition to providing authentication, a RADIUS server can collect and store accounting data for
subscriber sessions. You can configure a single server that provides both authentication and accounting
functions, or you can configure separate authentication and accounting servers.
Accounting is the process of tracking activity and network resources used in a subscriber session, including
the number of packets and bytes transmitted during the session. It occurs after the authentication phase in
AAA is complete. Accounting can occur for specific contexts, enabling customers to manage activity in
their individual accounts.
In addition, the AAA accounting feature enables you to track the services used by an Internet site owner,
for example, a wholesaler. When you enable AAA accounting, the router reports user activity to the
RADIUS server in the form of accounting records. Common services tracked through service accounting
are voice and video.
A RADIUS server can also act as a Change of Authorization (CoA) server, allowing dynamic
RADIUS-guided services for subscriber sessions. The SmartEdgeOS supports both RADIUS CoA
messages and disconnect messages. CoA messages can modify the characteristics of existing subscriber
sessions, without loss of service; disconnect messages can terminate subscriber sessions.
For more information about RADIUS messages, see AppendixA, RADIUS Attributes.
Load balancing between multiple servers is valuable if a large number of sessions are established and
terminated every second, and a single RADIUS server is unable to handle the load.
Two load-balancing algorithms are supported:
Strict-priority: Requests are always sent first to the first server configured in the SmartEdge OS. If the request fails, the requests are sent to the next server, and so on.
Round-robin priority: Requests are sent to the server following the one to which the last request was sent. If the SmartEdge OS receives no response from the server, requests are sent to the next server, and so on.
Note Throughout this chapter, the term RADIUS server refers to any of the server types. The terms RADIUS accounting server, RADIUS authentication server, and RADIUS CoA server refer to servers that support those specific features.
RADIUS Services Engine
The RADIUS Services Engine (RSE) is the set of RADIUS-guided features and functions that support dynamic changes to subscriber services.
RADIUS-guided services include the following capabilities:
RADIUS-guided HTTP redirect: See Chapter 9, HTTP Redirect Configuration
Dynamic ACLs: See Chapter 12, ACL Configuration
RADIUS-guided forward policies: See Chapter 14, Forward Policy Configuration
RADIUS-guided NAT policies (attached to received traffic only): See Chapter 13, NAT Policy Configuration
RADIUS-guided QoS metering and policing policies: See Chapter 16, QoS Rate- and Class-Limiting Configuration
RADIUS-guided QoS PWFQ policies: See Chapter 17, QoS Scheduling Configuration
Dynamic changes to QoS metering, policing, and PWFQ policy options: See Chapter 16, QoS Rate- and Class-Limiting Configuration, and Chapter 17, QoS Scheduling Configuration
To support RADIUS-guided services, the SmartEdge OS uses a service profile that specifies various service conditions, activates services, and establishes the service conditions for that subscriber session. It is these service conditions against which the service data in a CoA Request or Access Response message is matched.
A service condition in a RADIUS-guided service profile can be mandatory or optional. For a mandatory condition, the RADIUS server must include a value for that condition in the CoA Request or Access Response message. An optional condition includes a default value in the service profile; the SmartEdge OS uses the default value if the RADIUS server does not supply a value.
Accounting and Service Accounting Messages
In addition to providing authentication, a RADIUS server collects and stores accounting data for subscriber
sessions. Accounting is the process of tracking activity and network resources used in a subscriber session.
The process tracks the number of packets and bytes transmitted during the session. It occurs after the
authentication phase. Accounting can occur for specific contexts, enabling customers to manage activity in
their individual accounts.
The AAA accounting feature also enables you to track the services used by an Internet site, for example, a
wholesaler. The SmartEdge router reports service activity to the RADIUS server in the form of accounting
records. Common services tracked through service accounting are voice and video.
As part of both general accounting and service accounting, the router generates messages indicating the states of the accounting process. For example, when the router initiates accounting, it generates an acct-start message indicating that the accounting process has begun. Common service messages indicate when the router begins and stops sending service accounting packets to the RADIUS server; the router sends these packets when the RADIUS Change of Authorization (CoA) server initiates the corresponding service actions.
While accounting messages can be helpful for identifying accounting states, they create overhead, using system memory and CPU resources. To manage the overhead associated with this activity, the SmartEdge OS enables you to configure the router to drop RADIUS accounting messages in a specific context. To drop a message, you specify the message using the attribute command (in RADIUS policy configuration mode).
For general accounting, the router generates the following messages:
access-request: Indicates a client-generated Access-Request message that includes a login and a password.
acct-start: Indicates an Accounting-Request message that marks the start of a session.
acct-stop: Indicates an Accounting-Request message that marks the end of a session.
acct-update: Indicates an interim Accounting-Request message sent while the session is active.
For service accounting, the router generates the following messages:
service-acct-start: Indicates that a service accounting process has started.
service-acct-stop: Indicates that a service accounting process has stopped.
service-acct-update: Indicates that a service accounting process has entered the interim stage.
Figure21-1 shows the flow of service accounting messages.
Figure 21-1 Flow of Service Accounting Messages
Configuration Tasks
To configure RADIUS, perform the tasks described in the following sections:
Configure the Server IP Address or Hostname
Configure an IP Source Address (Optional)
Configure Load Balancing Between RADIUS Servers (Optional)
Modify RADIUS Connection Parameters (Optional)
Strip the Domain Portion of Structured Usernames (Optional)
Change or Ignore the Server Source Port Value (Optional)
Configure and Assign a RADIUS Policy to a Context (Optional)
Configure and Send Attributes in RADIUS Packets (Optional)
Configure RADIUS-Guided Services (Optional)
Remap Account Termination Codes (Optional)
RADIUS Secret Key, Retry, and Timeout
RADIUS Loopback Interface
Custom RADIUS Policy
Dynamic RADIUS Profile and Forward Policy
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section.
Configure the Server IP Address or Hostname
To configure the IP address or hostname of a RADIUS accounting server or RADIUS server, perform the appropriate task described in Table 21-1. Enter all commands in context configuration mode.

Table 21-1 Configure the Server IP Address or Hostname
Task: Configure the RADIUS accounting server IP address or hostname.
Root Command: radius accounting server
Notes: To enable accounting through RADIUS, you must also enter the aaa accounting subscriber radius command (in context configuration mode); see Chapter 20, AAA Configuration.

Task: Configure the RADIUS server IP address or hostname.
Root Command: radius server
Notes: To enable authentication through RADIUS, you must also enter the aaa authentication subscriber radius command (in context configuration mode); see Chapter 20, AAA Configuration. To use the RADIUS server as a CoA server, use the CoA-server keyword for this command. To configure an independent CoA server, use the radius coa server command.

Task: Configure the RADIUS CoA server IP address or hostname.
Root Command: radius coa server
Notes: To configure an independent CoA server, use this command. To use the RADIUS authentication server as a CoA server, use the CoA-server keyword for the radius server command.

Configure an IP Source Address (Optional)
By default, the IP address of the interface through which RADIUS packets are transmitted is used as the source address in the IP header of RADIUS packets sent by the SmartEdge router. If you do not want the address of that egress interface exposed, or if you want the router to present one stable client address regardless of which interface the packets leave through, configure a loopback interface as the source address for RADIUS packets, as described in Table 21-2. A stable source address matters because a RADIUS server identifies its clients, and selects the shared secret with which it validates their requests, by the source IP address of the request.

Table 21-2 Configure an IP Source Address
Task: Configure an IP source address.
Root Command: ip source-address radius
Notes: Enter this command in interface configuration mode. The interface must be reachable by the RADIUS server; for command details, see the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.

Configure Load Balancing Between RADIUS Servers (Optional)
To load balance between multiple RADIUS accounting or RADIUS servers, perform the appropriate task described in Table 21-3. Enter all commands in context configuration mode.

Table 21-3 Configure Load Balancing Between RADIUS Servers
Task: Specify a load-balancing algorithm to use among multiple RADIUS accounting servers.
Root Command: radius accounting algorithm

Task: Specify a load-balancing algorithm to use among multiple RADIUS servers.
Root Command: radius algorithm

Modify RADIUS Connection Parameters (Optional)
To configure how the SmartEdge router responds to connections with RADIUS servers, perform the tasks described in the following sections:
Send Accounting On and Off Messages
Modify RADIUS Timeout Parameters

Send Accounting On and Off Messages
To send accounting on or accounting off messages to any other RADIUS servers that are configured in the current context when a RADIUS server is added or removed, perform the task described in Table 21-4.

Table 21-4 Send Accounting On and Off Messages
Task: When an accounting server is added to or removed from the configuration, send an accounting on or accounting off message, respectively, to any other RADIUS servers that are configured in the current context.
Root Command: radius accounting send-acct-on-off
Notes: Enter this command in context configuration mode. By default, the SmartEdge OS sends these messages.

Modify RADIUS Timeout Parameters
RADIUS timeout parameters allow you to configure three different intervals that the system uses to manage responses when a RADIUS server is not responding. Table 21-5 presents a timeline that describes the intervals and how you can configure them.
To modify the RADIUS timeout parameters that the SmartEdge OS uses for managing the connections to and from RADIUS servers and RADIUS accounting servers, perform the appropriate tasks described in Table 21-6. Enter all commands in context configuration mode.

Table 21-5 RADIUS Timeout Intervals
Time: T0
RADIUS Action: Sends a request to a RADIUS server and sets a timer for interval T1.
Interval Set By: radius timeout, radius accounting timeout

Time: T0+T1
RADIUS Action: T1 expires. Assumes the packet is lost or the server is unreachable; sets a timer for interval T2.
Interval Set By: radius server-timeout, radius accounting server-timeout

Time: T0+T1+T2
RADIUS Action: T2 expires. Marks the server as dead and tries another server; sets a timer for interval T3.
Interval Set By: radius deadtime, radius accounting deadtime

Time: T0+T1+T2+T3
RADIUS Action: T3 expires. Sends another request to the first server.
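The timeline in Table 21-5 is easier to reason about when you can step through it with concrete values. The following Python is an added illustration and not SmartEdge OS code: it models the T1 (timeout), max-retries, T2 (server-timeout) and T3 (deadtime) settings on a simulated clock, together with the strict-priority and round-robin server selection described in the Overview. The class and method names, the default values and the constructed scenario (a silent primary server and an answering secondary) are the example's own, and one simplification is assumed: a server whose retries all go unanswered keeps being tried by later requests until server-timeout has elapsed since its first unanswered request, and only then is it marked dead for deadtime.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    """One configured RADIUS server and the client's view of its health."""
    name: str
    answers: bool                           # constructed: whether this server replies at all
    suspect_since: Optional[float] = None   # time of the first request that T1 expired on
    dead_until: Optional[float] = None      # set when T2 expires; cleared when T3 (deadtime) ends


class RadiusFailoverModel:
    """Illustrative model of the T0..T3 timeline and the two load-balancing algorithms.

    This is not the SmartEdge OS implementation; it reproduces the documented behaviour
    on a simulated clock so the effect of each timer can be traced.
    """

    def __init__(self, servers: List[Server], algorithm: str = "strict-priority",
                 timeout: float = 3.0, max_retries: int = 3,
                 server_timeout: float = 30.0, deadtime: float = 60.0) -> None:
        if algorithm not in ("strict-priority", "round-robin"):
            raise ValueError("algorithm must be 'strict-priority' or 'round-robin'")
        self.servers = servers
        self.algorithm = algorithm
        self.timeout = timeout                  # T1: radius timeout
        self.max_retries = max_retries          # radius max-retries
        self.server_timeout = server_timeout    # T2: radius server-timeout (0 disables)
        self.deadtime = deadtime                # T3: radius deadtime (0 disables)
        self._last_index = -1                   # server used last, for round-robin
        self.events: List[str] = []             # human-readable trace of state changes

    def _candidates(self, now: float) -> List[Server]:
        """Servers to try for a request at `now`, in the order the algorithm dictates."""
        for s in self.servers:
            if s.dead_until is not None and now >= s.dead_until:
                self.events.append(f"{now:g}: {s.name} deadtime expired, eligible again")
                s.dead_until = None
                s.suspect_since = None
        if self.algorithm == "strict-priority":
            order = list(self.servers)          # always start from the first configured server
        else:
            start = self._last_index + 1        # start after the server used last
            order = self.servers[start:] + self.servers[:start]
        return [s for s in order if s.dead_until is None]

    def request(self, now: float) -> Tuple[Optional[str], float]:
        """Send one request at `now`; return (name of answering server, seconds spent waiting)."""
        t = now
        for s in self._candidates(now):
            for _ in range(self.max_retries + 1):   # the initial send plus max-retries resends
                if s.answers:
                    s.suspect_since = None
                    self._last_index = self.servers.index(s)
                    return s.name, t - now
                t += self.timeout                   # T1 expired without a reply
            # No reply after every retry: T2 runs from the first unanswered request.
            if s.suspect_since is None:
                s.suspect_since = now
            if (self.server_timeout > 0 and self.deadtime > 0
                    and t - s.suspect_since >= self.server_timeout):
                s.dead_until = t + self.deadtime    # T2 expired: dead for T3, try the next server
                self.events.append(f"{t:g}: {s.name} marked dead until {s.dead_until:g}")
        return None, t - now                        # every usable server failed to answer


if __name__ == "__main__":
    # Constructed scenario: the primary server is silent, the secondary answers.
    model = RadiusFailoverModel([Server("primary", answers=False),
                                 Server("secondary", answers=True)])
    for when in (0, 20, 40, 100):
        who, waited = model.request(when)
        print(f"t={when:>3}: answered by {who} after {waited:g} s")
    print("\n".join(model.events))
```

The trace shows the cost of each setting: until server-timeout is reached, every request during the suspect window still pays (max-retries + 1) x timeout seconds waiting on the silent primary before the secondary answers, and with server-timeout or deadtime set to 0 that penalty never ends. Pick values so that the suspect window is short relative to the login rate you expect.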
Table 21-6 Modify RADIUS Timeout Parameters
1. Optional. Modify the interval that the SmartEdge OS waits for a response from a RADIUS server after sending a packet:
   For a RADIUS accounting server: radius accounting timeout
   For a RADIUS server: radius timeout
2. Optional. Modify the maximum number of retransmission attempts during the timeout interval:
   For a RADIUS accounting server: radius accounting max-retries
   For a RADIUS server: radius max-retries
3. Optional. Modify the interval that the SmartEdge OS waits for a response before marking a non-responsive server dead (setting the value to 0 disables the feature):
   For a RADIUS accounting server: radius accounting server-timeout
   For a RADIUS server: radius server-timeout
4. Optional. Modify the interval that the SmartEdge OS treats a non-responsive server as dead before trying to reach it again (setting the value to 0 disables the feature):
   For a RADIUS accounting server: radius accounting deadtime
   For a RADIUS server: radius deadtime
5. Optional. Modify the number of outstanding requests that can be sent:
   For a RADIUS accounting server: radius accounting max-outstanding
   For a RADIUS server: radius max-outstanding

Strip the Domain Portion of Structured Usernames (Optional)
To specify that the domain portion of structured usernames is to be removed before sending the usernames to a RADIUS server for authentication, perform the task described in Table 21-7.

Change or Ignore the Server Source Port Value (Optional)
To increase the number of outstanding authentication requests per RADIUS server by sending the requests using a different source port value, perform the task described in Table 21-8.
To enable the SmartEdge OS to ignore the source port sent by a RADIUS server in an Access-Response message, perform the task described in Table 21-9.

Configure and Assign a RADIUS Policy to a Context (Optional)
To configure and assign a RADIUS policy to a context, perform the tasks described in Table 21-10.
Table 21-7 Strip the Domain Portion of Structured Usernames
Task: Strip the domain portion of structured usernames.
Root Command: radius strip-domain
Notes: Enter this command in context configuration mode.

Table 21-8 Change the Server Source Port Value
Task: Change the server source port value.
Root Command: radius source-port
Notes: Enter this command in global configuration mode.

Table 21-9 Ignore the Server Source Port Value
Task: Ignore the server source port value in RADIUS Access-Response messages.
Root Command: radius source-port
Notes: Enter this command in context configuration mode.
Table 21-10 Configure and Assign a RADIUS Policy to a Context
1. Create or modify a RADIUS policy and access RADIUS policy configuration mode.
   Root Command: radius policy
   Notes: Enter this command in global configuration mode.
2. Specify the RADIUS attribute or VSA, and optionally the RADIUS messages, from which it is to be dropped.
   Root Command: attribute
   Notes: Enter this command in RADIUS policy configuration mode.
3. Assign the policy to a context.
   Root Command: radius policy
   Notes: Enter this command in context configuration mode.

Configure and Send Attributes in RADIUS Packets (Optional)
To configure and send attributes in RADIUS request packets, perform one or more of the tasks described in Table 21-11. Enter all commands in context configuration mode, unless otherwise noted.
Table 21-11 Configure and Send Attributes in RADIUS Request Packets
Task Root Command Notes
Send the Acct-Delay-Time attribute in
RADIUS Access-Request and
Accounting-Request packets.
radiusattributeacct-delay-time By default, this attribute is not
sent.
Send the Acct-Session-Id attribute in
RADIUS Access-Request packets.
radiusattributeacct-session-id By default, this attribute is sent
only in Accounting-Request
packets.
Send a Layer 2 Tunneling Protocol (L2TP)
call serial number type value in the
Acct-Tunnel-Connection attribute in
RADIUS packets.
radiusattributeacct-tunnel-connec
tion l2tp-call-serial-num
By default, this attribute is not
sent.
Specify the behavior of the SmartEdge OS
when it receives a RADIUS Filter-Id
attribute that does not specify a direction
and there is an access control list (ACL)
applied to the circuit.
radiusattributefilter-id By default, this attribute is not
sent.
Send the NAS-Identifier attribute in
RADIUS Access-Request and
Accounting-Request packets.
radiusattributenas-identifier By default, this attribute is not
sent.
Send the NAS-IP-Address attribute in
RADIUS Access-Request and
Accounting-Request packets.
radiusattributenas-ip-address By default, this attribute is not
sent.
Modify the format in which the NAS-Port
attribute is sent in RADIUS
Access-Request and Accounting-Request
packets.
radiusattributenas-port By default, this attribute is sent
using the slot-port format.
Modify the format in which the NAS-Port-Id
attribute in RADIUS Access-Request and
Accounting-Request packets.
radiusattributenas-port-id By default, this attribute is sent
using the all format.
Configure RADIUS-Guided Services (Optional)
To enable RADIUS-guided services for subscriber sessions using a service profile, perform the tasks
described in the following sections:
Configure the RADIUS-Guided Policies for the Service Profile
Configure a RADIUS-Guided Service Profile
Configure the Subscriber Profile or Record
Configure the RADIUS-Guided Policies for the Service Profile
Configure one or more RADIUS-guided policies, such as a forward policy, NAT policy, or QoS metering
or policing policy, to be applied to the subscriber record or profile. These tasks are described in Chapter 13,
Forward Policy Configuration, Chapter 12, NAT Policy Configuration, and Chapter 15, QoS Rate- and
Class-Limiting Configuration, respectively.
Configure a RADIUS-Guided Service Profile
Configure the service profile that references the RADIUS-guided policies that you have configured. To
configure a RADIUS-guided service profile, perform the tasks in Table 21-12; enter all commands in
service profile configuration mode, unless otherwise noted.
Table 21-11 Configure and Send Attributes in RADIUS Request Packets (continued)
Task | Root Command | Notes
Modify the value of the NAS-Port-Type attribute sent in RADIUS Access-Request and Accounting-Request packets. | radius attribute nas-port-type | Enter this command in ATM profile, dot1q profile, or port configuration mode. By default, this attribute is sent using a value of either 0 or 5, indicating an asynchronous connection through a console port or a virtual connection through a transport protocol, respectively.
Specify the character the SmartEdge OS uses to separate the fields for the medium access control (MAC) addresses in the Redback VSA 145, Mac-Addr. | radius attribute vendor-specific |
Table 21-12 Configure a RADIUS-Guided Service Profile
# | Task | Root Command | Notes
1. | Create or select a context in which to configure the policies and service profile and access context configuration mode. | context | Enter this command in global configuration mode. For information about the context command, see the Basic System Configuration Guide.
2. | Create or select the service profile and access service profile configuration mode. | radius service profile | Enter this command in context configuration mode.
Configure the Subscriber Profile or Record
Configure the subscriber profile or record. You do not apply the policies to the subscriber profile or record;
they are specified by the RADIUS server and applied by the RADIUS-guided service profile.
Remap Account Termination Codes (Optional)
When a subscriber session is terminated, the system reports the reason for the termination to RADIUS,
using one of several terminate cause codes that are defined in RFC 2866, RADIUS Accounting, in
attribute 49 (Acct-Terminate-Cause). Because the set of codes defined for RADIUS attribute 49 is very
limited, the SmartEdge OS defines a more extensive set of terminate cause codes to more precisely indicate
the reason for the termination. The system transmits these codes in Redback VSA 142
(Session-Error-Code) and 143 (Session-Error-message).
Terminate error codes and their RADIUS attribute 49 error codes are listed in the RADIUS Attribute 49
Error Codes appendix in the IP Services and Security Operations Guide for the SmartEdge OS. You can
change the RADIUS attribute 49 error code for a Redback terminate cause code to a different attribute 49
error code.
To remap a Redback terminate error code to a different RADIUS attribute 49 error code, perform the tasks
described in Table 21-13.
Table 21-12 Configure a RADIUS-Guided Service Profile (continued)
# | Task | Root Command | Notes
3. | Specify a service condition for the service profile and its default condition, if necessary. | parameter | Enter this command to specify a mandatory or optional condition for the profile.
4. | Optional. Specify counters for service accounting. | accounting |
5. | Specify a service policy attribute with its options. | attribute | Enter this command to specify an attribute for each service condition in this profile.
6. | Specify a parameter that can have multiple values. | foreach | Enter this command preceding an attribute command when a field has multiple values.
Table 21-13 Remap Redback Terminate Error Codes
# | Task | Root Command | Notes
1. | Enable the remapping of account termination error codes and access terminate error cause configuration mode. | radius attribute acct-terminate-cause remap | Enter this command in global configuration mode.
2. | Remap a Redback terminate error code to a different RADIUS attribute 49 error code. | rbak-term-ec | Enter this command in terminate error cause configuration mode for each Redback terminate error code that you want to remap.
Configuration Examples
The following sections provide RADIUS configuration examples:
RADIUS Secret Key, Retry, and Timeout
RADIUS Loopback Interface
Custom RADIUS Policy
Dynamic RADIUS Profile and Forward Policy
RADIUS Secret Key, Retry, and Timeout
The following example configures the IP address of the RADIUS server, 10.43.32.56, using the key,
Secret, and configures related behaviors of the SmartEdge OS:
[local]Redback(config-ctx)#radius server 10.43.32.56 key Secret
[local]Redback(config-ctx)#radius max-retries 5
[local]Redback(config-ctx)#radius timeout 30
RADIUS Loopback Interface
The following example configures the interface at IP address 108.1.1.1 to connect to the RADIUS
server; however, a loopback interface is also configured using IP address 11.200.1.1, which is sent to
the RADIUS server as the source IP address for RADIUS packets.
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface to-radius-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface loop1 loopback
[local]Redback(config-if)#ip address 11.200.1.1/32
[local]Redback(config-if)#ip source-address radius
Custom RADIUS Policy
The following example creates the custom RADIUS policy to drop RADIUS attribute 123 in all RADIUS
messages, Redback VSA 10 in Access-Request messages, and Redback VSAs 11 and 12 in various
Accounting messages, and then assigns it to the gold-isp context:
[local]Redback(config)#radius policy name custom
[local]Redback(config-rad-policy)#attribute 123 drop
[local]Redback(config-rad-policy)#attribute rbak 10 drop access-request
[local]Redback(config-rad-policy)#attribute rbak 11 drop acct-start acct-update
[local]Redback(config-rad-policy)#attribute rbak 12 drop acct-start acct-stop
[local]Redback(config-rad-policy)#exit
[local]Redback(config)#context gold-isp
[local]Redback(config-ctx)#radius policy custom
Dynamic RADIUS Profile and Forward Policy
The following examples create a RADIUS-guided forward policy and a RADIUS-guided service profile
that specifies the dynamic service conditions for the forward policy. All configurations are created in the
local context. The subscriber configuration on a RADIUS server is listed after the service profile.
First, you create a RADIUS-guided forward policy with three classes. The forward policy redirects one
class with an ACL policy and takes no action on the other two classes. For the class named portal, you
set the optional destination port number field to 80 and the service timeout value to 900.
[local]Redback(config-ctx)#forward policy captive-portal radius-guided
[local]Redback(config-frwd)#access-group
[local]Redback(config-policy-group)#class redirect
[local]Redback(config-policy-group-class)#redirect destination local
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class portal
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class bypass
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-frwd)#exit
! Create a service profile for the redirect and portal classes of traffic
[local]Redback(config-ctx)#radius service profile redirect
! Specify the URL field name for the redirect class
[local]Redback(config-svc-profile)#parameter value redirect-url
! Specify the field name for the IP address of the destination port for the portal class
[local]Redback(config-svc-profile)#parameter value portal-ip
[local]Redback(config-svc-profile)#parameter value portal-port 80
! Specify the field name for an array of TCP port numbers for the redirect class
[local]Redback(config-svc-profile)#parameter list tcp-port
[local]Redback(config-svc-profile)#parameter value service-timeout 900
! Enable accounting for incoming traffic for the redirect class
[local]Redback(config-svc-profile)#accounting in fwd redirect
! Specify the fields in the attributes for dynamic service conditions
! Names beginning with $ are replaced when the value of the field is specified by a RADIUS server
! Names are those previously defined by the parameter statements
! Specify the name of the forward policy;
! in this example, all subscriber sessions use the same policy
[local]Redback(config-svc-profile)#attribute Forward-Policy in:$captive-portal
! Specify the field name for the dynamic URL for the redirect class
[local]Redback(config-svc-profile)#attribute HTTP-Redirect $redirect-url
! Specify the field name for the service timeout
[local]Redback(config-svc-profile)#attribute Service-Timeout $service-timeout
! Specify the field names for the IP address and port number for the portal class
[local]Redback(config-svc-profile)#attribute Dynamic-Policy-Filter ip in forward dstip $portal-ip tcp dstport = $portal-port class portal fwd
! Specify the TCP port array for the destination port numbers for the redirect class
[local]Redback(config-svc-profile)#foreach tcp-port
[local]Redback(config-param-array-loop)#attribute Dynamic-Policy-Filter ip in forward tcp dstport = $tcp-port class redirect fwd
! RADIUS server subscriber configuration with values for the dynamic service conditions
! In this example, the dynamic conditions are tagged with the value 1
! Specify the name of the service profile
Redback-Service-Name:1 = redirect
! Enable service accounting
Redback-Service-Options:1 = 0x01
! Specify the service condition field names
! Specify the redirect URL
Redback-Service-Parameters:1 = redirect-url=http://172.16.1.1/portal.php
! Specify the destination IP address for the portal class
! Use the default value in the profile for the port number
Redback-Service-Parameters:1 = portal-ip=172.16.1.1/32
! Specify the TCP port numbers for the redirect class
Redback-Service-Parameters:1 = tcp-port=www,443,8080
! Specify the timeout interval; this value overrides the default value (900)
Redback-Service-Parameters:1 = Service-Timeout=1800
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure RADIUS. The
commands are presented in alphabetical order:
accounting
attribute
foreach
parameter
radius accounting algorithm
radius accounting deadtime
radius accounting max-outstanding
radius accounting max-retries
radius accounting send-acct-on-off
radius accounting server
radius accounting server-timeout
radius accounting timeout
radius algorithm
radius attribute acct-delay-time
radius attribute acct-session-id
radius attribute acct-terminate-cause remap
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute calling-station-id
radius attribute filter-id
radius attribute nas-identifier
radius attribute nas-ip-address
radius attribute nas-port
radius attribute nas-port-id
radius attribute nas-port-type
radius attribute vendor-specific
radius coa server
radius deadtime
radius max-outstanding
radius max-retries
radius policy
radius server
radius server-timeout
radius service profile
radius source-port
radius strip-domain
radius timeout
rbak-term-ec
accounting
accounting {in | out} pol-type {variable-name | class-name-1 [class-name-2]...}
no accounting {in | out} pol-type {variable-name | class-name-1 [class-name-2]...}
Purpose
Enables accounting for the specified policy and class.
Command Mode
service profile configuration
Syntax Description
in | Enables accounting for traffic received by the SmartEdge router.
out | Enables accounting for traffic transmitted by the SmartEdge router.
pol-type | Type of policy for which accounting is enabled, according to one of the following keywords:
  fwd: Forward policy
  qos: Quality of service (QoS) policy
  circuit: Circuit policy
class-name-n | Class name that you have specified in the policy. You can specify up to eight class names, separated by spaces. Double quotation marks ("") must surround the string of one to eight class names.
variable-name | Specifies the variable name using the parameter value command that contains a reference to a dynamic class or classes that are specified in the profile. The $ symbol must be the first character of the variable name.
Default
Accounting is disabled for all policies and classes.
Usage Guidelines
Use the accounting command to enable accounting for the specified policy and class.
Use the no form of this command to disable accounting for the specified policy and class.
Note Forward policies do not support accounting for transmitted traffic.
Examples
The following example enables accounting for incoming traffic in the redirect class:
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#accounting in fwd redirect
The following example enables accounting for incoming traffic in the dynamic_service profile. The
$class_bearer variable, which is configured using the parameter command, contains references to
the dynamic classes. In the following example, D1 and D2 are the names of the predefined classes:
[local]Redback(config-ctx)#radius service profile dynamic_service
[local]Redback(config-svc-profile)#parameter value %dynamic_class_qos_in D1 D2
[local]Redback(config-svc-profile)#parameter value class_bearer %dynamic_class_qos_in
[local]Redback(config-svc-profile)#accounting in qos $class_bearer
Related Commands
None
attribute
In RADIUS policy configuration mode, the syntax is:
attribute [vendor-specific {rbak | vendor-num}] {attribute-name | attribute-num} drop [msg-type-1...
msg-type-n]
{no | default} [vendor-specific {rbak | vendor-num}] attribute-num
In parameter-array-loop configuration and service policy configuration mode, the syntax is:
[seq seq-num] attribute attribute-name {in | out} {attribute-value | $param-list-name}
no seq seq-num
Purpose
In RADIUS policy configuration mode, specifies one or more Remote Authentication Dial-In User Service
(RADIUS) messages in which the specified attribute is to be dropped. In service policy configuration mode,
specifies the attribute for a dynamic service condition in which one or more fields are defined.
Command Mode
parameter array loop configuration
RADIUS policy configuration
service policy configuration
Syntax Description
In RADIUS policy configuration mode, the keywords and arguments are:
vendor-specific | Optional. Specifies a vendor-specific attribute (VSA) instead of a RADIUS standard attribute.
rbak | Specifies that the attribute is a Redback VSA. Required only if you enter the vendor-specific keyword.
vendor-num | Specifies that the attribute is a VSA of another vendor. Required only if you enter the vendor-specific keyword.
attribute-name | RADIUS attribute or VSA name. For the supported RADIUS standard attributes and Redback VSAs, see Appendix A, RADIUS Attributes. For the keywords to use for these RADIUS standard attributes and Redback VSAs, see the online Help in the command-line interface (CLI).
attribute-num | RADIUS attribute or VSA number. For the numbers of supported RADIUS standard attributes and Redback VSAs, see Appendix A, RADIUS Attributes.
drop | Specifies one or more attributes to be dropped. Not entered in the no form.
msg-type-1 ... msg-type-n | Optional. One or more of the following RADIUS message types in which the attribute is to be removed:
  access-request: Access-Request message.
  acct-start: Accounting-Start message.
  acct-stop: Accounting-Stop message.
  acct-update: Accounting-Update message.
  service-acct-stop: Service Accounting-Stop message.
  service-acct-start: Service Accounting-Start message.
  service-acct-update: Service Accounting-Update message.
  If you do not specify a message type, the attribute is dropped from all RADIUS messages.
In parameter array loop configuration or service policy configuration mode, the keywords and arguments
are:
seq seq-num | Optional. Sequence number for the statement. The range of values is 1 to 1,000.
attribute-name | Name of the attribute, according to one of the keywords listed in Table 21-14.
in | Required for certain attributes; see Table 21-14. Applies the attribute to incoming traffic.
out | Required for certain attributes; see Table 21-14. Applies the attribute to outgoing traffic.
attribute-value | String defining the fields within the attribute, enclosed in quotation marks (""), according to the format for the attribute.
param-list-name | Name of an array that defines a list of values for a field within the attribute.
Note The online help for the CLI includes all RADIUS standard attributes and Redback VSAs,
some of which are not supported by the SmartEdge OS.
Default
In RADIUS policy configuration mode, this RADIUS attribute or VSA is not dropped from any
RADIUS message in which it appears. There is no default in parameter array loop or service policy
configuration mode.
Usage Guidelines
In RADIUS policy configuration mode, use the attribute command to specify one or more RADIUS
messages in which the specified attribute is to be dropped.
You can specify the attribute using either the attribute-name or attribute-num argument. If the attribute
name is listed in Appendix A, RADIUS Attributes, but not in the online help for the CLI, enter the
attribute number.
You can specify any or all message types, separated by spaces, in a single instance of the command, or you
can enter them individually.
Use the no or default form of this command to restore this RADIUS attribute or VSA to any RADIUS
message in which it appears.
In parameter array loop or service policy configuration mode, use the attribute command to specify the
RADIUS standard attribute, Redback VSA, or service attribute for a dynamic service condition in which
one or more fields are defined. Table 21-14 lists the possible values for the attribute-name argument and
the service condition it supports. For attribute format descriptions, see the following tables in
Appendix A, RADIUS Attributes:
RADIUS standard attributes: Table A-4 on page A-5
Redback VSAs: Table A-7 on page A-13
Other VSAs: Table A-16 on page A-41
Service attributes: Table A-17 on page A-42
You use this command to specify one or more fields in an attribute that have a single value; if a field can
have multiple values, enter the foreach command (in service profile configuration mode) with the name of
the field that supports multiple values, followed by the attribute command that includes that field. For
more information about using the attribute command for fields with multiple values, see the foreach
command description.
Table 21-14 Service Condition Keywords for the attribute-name Argument
Service Condition | Attribute Name | Attribute # | Notes
Dynamic ACLs | Ascend-Data-Filter | 242 |
Dynamic policy ACLs | Dynamic-Policy-Filter | VSA 164 |
Dynamic QoS policy options | Dynamic-QoS-Parameter | VSA 196 |
Dynamic traffic filtering | Filter-Id | RADIUS 11 | Use the in and out keywords as appropriate.
Forward policy | Forward-Policy | VSA 92 | Use the in and out keywords as appropriate.
HTTP redirect | HTTP-Redirect | VSA 165 |
IGMP service profile | IGMP-Service-Profile | VSA 90 |
Interim accounting interval | Service-Interim-Accounting | |
Metering policy | Qos-Metering | VSA 88 |
NAT policy | NAT-Policy | VSA 105 |
Policing policy | Qos-Policing | VSA 87 |
PWFQ policy | Qos-Queuing | VSA 89 |
QoS-Rate-Inbound | Qos-Rate | VSA 156 | Use the in keyword.
QoS-Rate-Outbound | Qos-Rate | VSA 157 | Use the out keyword.
Service timeout limit | Service-Timeout | |
Service volume limit | Service-Volume-Limit | |
You must enter this command for each service attribute that includes one or more fields for which you have
created an entry using the parameter command (in service profile configuration mode). The maximum
number of attribute instances in a service profile is 32; an attribute instance is each occurrence of the
command in service profile configuration mode plus each instance in a foreach loop (in parameter array
loop configuration mode) for each parameter value.
For example, if a service profile includes two attributes each with two fields with a single parameter value
and one attribute with a field with a parameter list with four values, that service profile has six attribute
instances.
You can use the optional seq seq-num construct with the attribute command to establish a sequence
number for the statement you are creating. If you do not use the seq seq-num construct, the system
automatically assigns sequence numbers to the statements that you enter, in increments of 10. The first
statement that you enter is assigned the sequence number 10, the second is assigned the number 20, and so
on. This allows room to assign intermediate sequence numbers to statements that you might want to add
later. In the parameter-array-loop or service policy configuration mode, use the no form of this command
along with the specified sequence number to remove the attribute statement from the service profile.
Examples
The following example creates the custom RADIUS policy to drop RADIUS attribute 123 in all RADIUS
messages and Redback VSA 10 in Access-Request messages:
[local]Redback(config)#radius policy name custom
[local]Redback(config-rad-policy)#attribute 123 drop
[local]Redback(config-rad-policy)#attribute rbak 10 drop access-request
The following example specifies the HTTP-Redirect-URL attribute to define a dynamic URL:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#parameter value redirect-url
[local]Redback(config-svc-profile)#attribute HTTP-Redirect $redirect-url
The following example specifies the Dynamic-Policy-Filter attribute for multiple TCP ports within
a foreach loop:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#parameter list tcp-port
[local]Redback(config-svc-profile)#foreach tcp-port
[local]Redback(config-param-array-loop)#attribute Dynamic-Policy-Filter ip in forward tcp dstport = $tcp-port class redirect forward
Note Only the Ascend-Data-Filter, Dynamic-Policy-Filter, and Dynamic-QoS-Parameter attributes
support fields with multiple values.
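To make the drop semantics of a RADIUS policy concrete, the following added Python model (not code from the guide or from the SmartEdge OS) encodes and parses RFC 2865 attribute TLVs, including Redback VSAs carried inside attribute 26, and applies the custom policy from the examples above to a constructed attribute list for each message type. The Redback enterprise number 2352 used for the rbak keyword comes from the IANA registry, not from this page, and the sample attribute values are constructed.

```python
"""Model of a SmartEdge-style RADIUS policy that drops attributes from RADIUS messages (added
example, not from the guide). Semantics follow the attribute command in RADIUS policy mode:
a rule names a standard attribute or a VSA and, optionally, the message types it applies to;
with no message type it applies to every message. Attributes use the RFC 2865 TLV layout."""
import struct
from dataclasses import dataclass
from typing import List, Optional

VENDOR_SPECIFIC = 26      # standard attribute that carries VSAs: vendor id, vendor type, length, value
REDBACK_VENDOR_ID = 2352  # Redback's IANA enterprise number, selected by the rbak keyword
MSG_TYPES = frozenset({"access-request", "acct-start", "acct-stop", "acct-update",
                       "service-acct-start", "service-acct-stop", "service-acct-update"})


@dataclass(frozen=True)
class Attr:
    num: int                         # attribute number, or vendor type for a VSA
    value: bytes
    vendor_id: Optional[int] = None  # None for a standard attribute


@dataclass(frozen=True)
class DropRule:
    num: int
    vendor_id: Optional[int]
    msg_types: frozenset


class RadiusPolicy:
    """'radius policy name NAME' plus its 'attribute ... drop [msg-type ...]' statements."""

    def __init__(self, name: str):
        self.name = name
        self.rules: List[DropRule] = []

    def attribute_drop(self, num: int, *msg_types: str, vendor_id: Optional[int] = None):
        unknown = set(msg_types) - MSG_TYPES
        if unknown:
            raise ValueError(f"unknown message type(s): {sorted(unknown)}")
        # No message type given means the attribute is dropped from every message.
        self.rules.append(DropRule(num, vendor_id, frozenset(msg_types) or MSG_TYPES))
        return self

    def drops(self, attr: Attr, msg_type: str) -> bool:
        return any(r.num == attr.num and r.vendor_id == attr.vendor_id
                   and msg_type in r.msg_types for r in self.rules)


def parse_attributes(data: bytes) -> List[Attr]:
    """Split RADIUS attribute bytes into Attr records, unpacking VSAs; rejects bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        value = data[i + 2:i + length]
        if typ == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short vendor-specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad VSA sub-attribute length")
            attrs.append(Attr(vtype, value[6:4 + vlen], vendor_id))
        else:
            attrs.append(Attr(typ, value))
        i += length
    return attrs


def encode_attributes(attrs: List[Attr]) -> bytes:
    out = bytearray()
    for a in attrs:
        sub = bytes([a.num, 2 + len(a.value)]) + a.value  # type, length, value
        if a.vendor_id is None:
            out += sub
        else:
            body = struct.pack("!I", a.vendor_id) + sub
            out += bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body
    return bytes(out)


def apply_policy(policy: RadiusPolicy, msg_type: str, data: bytes) -> bytes:
    """Attribute bytes of one outgoing message with the policy's drops applied."""
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown message type {msg_type!r}")
    return encode_attributes([a for a in parse_attributes(data) if not policy.drops(a, msg_type)])


# The 'custom' policy from the examples above.
CUSTOM = (RadiusPolicy("custom")
          .attribute_drop(123)
          .attribute_drop(10, "access-request", vendor_id=REDBACK_VENDOR_ID)
          .attribute_drop(11, "acct-start", "acct-update", vendor_id=REDBACK_VENDOR_ID)
          .attribute_drop(12, "acct-start", "acct-stop", vendor_id=REDBACK_VENDOR_ID))

# Constructed sample: User-Name (1), attribute 123, and Redback VSAs 10, 11 and 12.
SAMPLE = encode_attributes([Attr(1, b"alice"), Attr(123, b"\x01"), Attr(10, b"ten", REDBACK_VENDOR_ID),
                            Attr(11, b"eleven", REDBACK_VENDOR_ID), Attr(12, b"twelve", REDBACK_VENDOR_ID)])


def surviving(msg_type: str) -> list:
    """(vendor id, number) of each attribute the custom policy lets through for one message type."""
    return [(a.vendor_id, a.num) for a in parse_attributes(apply_policy(CUSTOM, msg_type, SAMPLE))]
```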
Related Commands
foreach
parameter
radius policy
foreach
foreach param-name-list
no foreach
Purpose
Specifies a field in a Remote Authentication Dial-In User Service (RADIUS) standard attribute, Redback
vendor-specific attribute (VSA), or service attribute that can have multiple values and accesses parameter
array loop configuration mode.
Command Mode
service profile configuration
Syntax Description
param-name-list | Name of the field that can have multiple values.
Default
No fields are specified in any attribute in the service profile.
Usage Guidelines
Use the foreach command to specify a field in a RADIUS standard attribute, Redback VSA, or service
attribute that can have multiple values and access parameter array loop configuration mode.
The param-name-list argument is the one you specified for the field in the parameter command (in service
profile configuration mode). When the param-name-list argument is inserted in the string for the attribute
command (in parameter array loop configuration mode), include a dollar sign ($) immediately before the
field name.
Use the no form of this command to remove the foreach command and the attribute command that follows
it from the service profile.
Examples
The following example defines the tcp-port field in Redback VSA 164 (Dynamic-Policy-Filter)
to have multiple values:
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#parameter list tcp-port
[local]Redback(config-svc-profile)#foreach tcp-port
[local]Redback(config-param-array-loop)#attribute Dynamic-Policy-Filter ip in forward tcp dstport = $tcp-port class redirect fwd
Related Commands
attribute
parameter
parameter
To specify a field that can have a single value in the definition of an attribute, the syntax is:
parameter value param-name [default-value]
no parameter param-name
To specify a field that can have multiple values, the syntax is:
parameter list param-name [default-value[, default-value-2[,....]]]
no parameter param-name
Purpose
Specifies a field in a service condition that can be dynamically changed.
Command Mode
service profile configuration
Syntax Description
value | Specifies that the field has a single value.
param-name | Name of a field in a service condition. The Remote Authentication Dial-In User Service (RADIUS) server specifies this name when it configures the service condition for the subscriber on the RADIUS server. The param-name can also be any one of the following predefined parameter names that is used to support dynamic class assignment:
  %dynamic_class_qos_in: This parameter holds the Quality of Service (QoS) classes for incoming traffic.
  %dynamic_class_qos_out: This parameter holds the QoS classes for outgoing traffic.
  %dynamic_class_fwd_in: This parameter holds the forwarding classes for incoming traffic.
  %dynamic_class_fwd_out: This parameter holds the forwarding classes for outgoing traffic.
  %dynamic_class_nat_out: This parameter holds the NAT classes for outgoing traffic.
default-value | Optional. The default value for an optional field in a service condition. Not specified if the field is mandatory.
list | Specifies that an array of values is possible for this field.
default-value-n,... | Optional. Additional default values separated by commas (,).
Default
No fields are defined in a service profile.
Usage Guidelines
Use the parameter command to specify a field in a service condition that can be dynamically changed. You
can also use the parameter command to specify one of the predefined parameter names that is used to
support dynamic class assignment. The maximum number of parameter instances in a service profile is 16;
a parameter instance is each occurrence of the command in service profile configuration mode and each
occurrence of the command for an array of parameter values in parameter array loop configuration mode.
For example, if the parameter value command appears twice in service profile configuration mode and once
in parameter array loop configuration mode for a parameter with four values, the number of parameter
instances is six.
Specify a value for each default-value argument if the subscriber configuration on the RADIUS server need
not include this field. If the field is mandatory (the value must be specified in the subscriber configuration
on the RADIUS server), do not specify a default value.
Use the attribute command (in service profile configuration mode) to specify the attribute that includes
the field. If the field can have multiple values, use the foreach command (in service profile configuration
mode) followed by the attribute command.
Use the no form of this command to remove the field from the service profile.
Examples
The following example specifies a mandatory redirect URL field for the HTTP redirect service condition;
the field is defined in the HTTP-Redirect-URL VSA, using the attribute command (in service profile
configuration mode):
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#parameter value redirect-url
[local]Redback(config-svc-profile)#
The following example specifies a mandatory TCP port number field that can have an array of values; the
field is defined using the attribute command within a loop initiated by the foreach command (in service
profile configuration mode):
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#parameter list tcp-port
[local]Redback(config-svc-profile)#
The following example specifies default values for the TCP port number field; in this case, the TCP port
number is optional and need not be specified by the RADIUS server:
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#parameter list tcp-port www, 443, 8080
[local]Redback(config-svc-profile)#
The following example predefines the classes D1, D2, D4, and D5 using the parameter
%dynamic_class_qos_in and creates a reference to the predefined classes using the class_bearer
variable:
[local]Redback(config-ctx)#radius service profile dyn-service
[local]Redback(config-svc-profile)#parameter value %dynamic_class_qos_in D1 D2 D4 D5
[local]Redback(config-svc-profile)#parameter value class_bearer %dynamic_class_qos_in
Related Commands
attribute
foreach
radius service profile
radius accounting algorithm
radius accounting algorithm {first | round-robin}
default radius accounting algorithm
Purpose
Specifies a load-balancing algorithm to use among multiple Remote Authentication Dial-In User Service
(RADIUS) accounting servers.
Command Mode
context configuration
Syntax Description
first Specifies that the first configured RADIUS server is always queried first.
round-robin Specifies that RADIUS servers are queried in round-robin fashion.
Default
The SmartEdge router uses the first configured RADIUS server first.
Usage Guidelines
Use the radius accounting algorithm command to specify a load-balancing algorithm to use among
multiple RADIUS accounting servers. With the first keyword, all accounting requests go to the first
configured server for as long as it responds; with the round-robin keyword, successive requests are
spread across the configured servers.
Use the default form of this command to reset the load-balancing algorithm to use the first configured
RADIUS server first.
Examples
The following example sets the load-balancing algorithm to round-robin:
[local]Redback(config-ctx)#radius accounting algorithm round-robin
Related Commands
radius accounting max-outstanding
radius accounting max-retries
radius accounting server
radius accounting timeout
radius accounting deadtime
radius accounting deadtime interval
default radius accounting deadtime
Purpose
Sets the interval during which the SmartEdge OS treats a nonresponsive Remote Authentication Dial-In
User Service (RADIUS) accounting server as dead.
Command Mode
context configuration
Syntax Description
interval Deadtime interval in minutes. The range of values is 0 to 65,535; the default
value is 5. The 0 value disables the feature.
Default
The deadtime interval is five minutes.
Usage Guidelines
Use the radius accounting deadtime command to set the interval during which the SmartEdge OS treats
a nonresponsive RADIUS accounting server as dead. During the interval, the SmartEdge OS sends
accounting requests to another RADIUS accounting server instead; after the interval expires, the
SmartEdge OS tries again to reach the server. If there is still no response, the RADIUS accounting server
remains marked as dead and the timer is reset to the configured interval.
A server is marked as dead only after it has failed to answer for the period set with the radius accounting
server-timeout command; this command controls how long it then stays marked as dead.
If you disable this feature (with the 0 value), the SmartEdge OS never waits but attempts to reach the server
immediately.
Use the default form of this command to specify the default interval.
Note You must configure at least one RADIUS accounting server using the radius accounting
server command (in context configuration mode) prior to entering this command.
Examples
The following example sets the deadtime interval to 10 minutes:
[local]Redback(config-ctx)#radius accounting deadtime 10
Related Commands
radius accounting server
radius accounting server-timeout
radius accounting timeout
radius accounting max-outstanding
radius accounting max-outstanding requests
{no | default} radius accounting max-outstanding
Purpose
Modifies the number of simultaneous outstanding accounting requests that can be sent by the
SmartEdgerouter to Remote Authentication Dial-In User Service (RADIUS) accounting servers.
Command Mode
context configuration
Syntax Description
requests Number of simultaneous outstanding requests per RADIUS server in the
current context. The range of values is 1 to 256.
Default
The number of simultaneous outstanding accounting requests sent by the SmartEdge router is 256.
Usage Guidelines
Use the radius accounting max-outstanding command to modify the number of simultaneous outstanding
accounting requests that can be sent by the SmartEdge router to RADIUS accounting servers.
Use this command if the RADIUS servers cannot handle the default of 256 simultaneous outstanding
accounting requests that the SmartEdge router can send to RADIUS accounting servers configured within
the context.
Use the no or default form of this command to reset the maximum number of allowable outstanding
requests to 256.
Examples
The following example limits the number of simultaneous outstanding requests to 128:
[local]Redback(config-ctx)#radius accounting max-outstanding 128
Related Commands
aaa accounting subscriber
radius accounting algorithm
radius accounting max-retries
radius accounting server
radius accounting timeout
radius accounting max-retries
radius accounting max-retries retries
default radius accounting max-retries
Purpose
Modifies the number of retransmission attempts the SmartEdge router makes to a Remote Authentication
Dial-In User Service (RADIUS) server in the event that no response is received from the server within the
timeout period.
Command Mode
context configuration
Syntax Description
retries Number of times the SmartEdge router retransmits a RADIUS accounting
packet. The range of values is 1 to 2,147,483,647; the default value is 3.
Default
The SmartEdge router sends three retransmissions.
Usage Guidelines
Use the radius accounting max-retries command to modify the number of retransmission attempts the
SmartEdge router makes to a RADIUS accounting server in the event that no response is received from the
server within the timeout period.
If an acknowledgment is not received, each successive configured server is tried (wrapping from the last
server to the first, if necessary) until the maximum number of retransmissions is reached. Each
retransmission is sent only after the period set with the radius accounting timeout command expires, so
the two values together bound how long an unanswered accounting request is kept alive.
Use the default form of this command to reset the number of retries to 3.
Examples
The following example sets the retransmit value to 5:
[local]Redback(config-ctx)#radius accounting max-retries 5
The following example resets the retransmit value to the default of 3:
[local]Redback(config-ctx)#default radius accounting max-retries
Related Commands
aaa accounting subscriber
radius accounting algorithm
radius accounting max-outstanding
radius accounting server
radius accounting timeout
radius accounting send-acct-on-off
radius accounting send-acct-on-off
{no | default} radius accounting send-acct-on-off
Purpose
Enables the sending of accounting on and accounting off messages to all Remote Authentication
Dial-In User Service (RADIUS) accounting servers that are configured in the current context.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
Accounting on and accounting off messages are sent.
Usage Guidelines
Use the radius accounting send-acct-on-off command to enable the sending of accounting on and
accounting off messages to all RADIUS accounting servers that are configured in the current context.
The SmartEdge OS sends messages to RADIUS accounting servers in various circumstances:
An Accounting-On message is sent when you enable RADIUS accounting in a context; this message is
sent to all RADIUS accounting servers configured within the context. This type of message is also sent
when you add a new RADIUS accounting server; however, the message is only sent to the newly added
RADIUS accounting server.
An Accounting-Off message is sent when you disable RADIUS accounting within a context; this
message is sent to all RADIUS accounting servers configured in the context. If you remove a single
RADIUS accounting server, the message is only sent to the removed RADIUS accounting server.
Use the no form of this command to prevent the SmartEdge router from sending these messages.
Use the default form of this command to return the system to its default behavior.
Note The SmartEdge OS attempts to send a single accounting on message when more than one type
of RADIUS accounting is enabled. For example, if you enable both subscriber accounting and
L2TP accounting, the SmartEdge OS sends a single accounting on message to each RADIUS
accounting server, even if you enable L2TP accounting at a later time.
Similarly, the accounting off message is not sent until you have disabled all types of RADIUS
accounting.
Examples
The following example disables the sending of Accounting-On and Accounting-Off messages to all RADIUS
accounting servers in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#no radius accounting send-acct-on-off
Related Commands
radius accounting server
radius accounting server
radius accounting server {ip-addr | hostname} {key key | encrypted-key key} [{oldports | port
udp-port}]
no radius accounting server
Purpose
Configures the IP address or hostname of a Remote Authentication Dial-In User Service (RADIUS)
accounting server.
Command Mode
context configuration
Syntax Description
ip-addr IP address of the RADIUS accounting server.
hostname Hostname of the RADIUS accounting server. Domain Name System (DNS) must
be enabled to use the hostname argument.
key key Authentication key (the RADIUS shared secret) used when communicating with
the accounting server. It must match the secret the server has configured for this
router.
encrypted-key key Alphanumeric string representing the encrypted authentication key used when
communicating with the RADIUS accounting server.
oldports Optional. Designates the old RADIUS User Datagram Protocol (UDP) port 1646.
port udp-port Optional. RADIUS accounting UDP port. The range of values is 1 to 65,535; the
default value is 1813.
Default
RADIUS accounting server hostnames and IP addresses are not preconfigured. The UDP accounting port
is 1813.
Usage Guidelines
Use the radius accounting server command to configure the IP address or hostname of a RADIUS
accounting server. Use this command multiple times to configure up to five RADIUS accounting servers
per context. To use the hostname argument, you must enable DNS; for more information, see Chapter 11,
DNS Configuration.
A RADIUS server discards an Accounting-Request whose authenticator was computed with a different
secret, so a mismatched key shows up as repeated request timeouts rather than as an explicit error.
Use the no form of this command to delete a previously configured RADIUS accounting server.
Note To enable accounting to be performed by RADIUS, you must also enter the
aaa accounting subscriber command (in context configuration mode); for more
information, see Chapter 20, AAA Configuration.
Examples
The following example configures a RADIUS accounting server at IP address 10.3.3.3 with the key
secret, using UDP port 4445 for accounting:
[local]Redback(config-ctx)#radius accounting server 10.3.3.3 key secret port 4445
Related Commands
aaa accounting subscriber
radius accounting algorithm
radius accounting max-outstanding
radius accounting max-retries
radius accounting timeout
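The key argument above is the RADIUS shared secret, and the only thing it protects on an accounting packet is the Request Authenticator. The following added Python example (not SmartEdge OS code and not part of this guide) builds an Accounting-On request such as the one sent when accounting is enabled in a context, computes the authenticator the way RFC 2866 specifies, and shows the server-side check that fails when the key differs or the packet is altered. The attribute numbers come from RFC 2865/2866; the NAS address, hostname, session ID and the secret value are constructed sample data, and the function and constant names are the example's own.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS code and standard attribute numbers (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32
ACCT_STATUS_TYPE = 40
ACCT_DELAY_TIME = 41
ACCT_SESSION_ID = 44
ACCT_STATUS_ON = 7          # Acct-Status-Type value for Accounting-On
ACCT_STATUS_OFF = 8         # Acct-Status-Type value for Accounting-Off

# Constructed sample: the value given to `key` in `radius accounting server ... key secret`
SHARED_SECRET = b"secret"


def attr(attr_type, value):
    """Encode one attribute as Type/Length/Value. Integers are sent as 4-byte
    network-order values; text as its UTF-8 bytes; bytes (e.g. an address) as-is."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(secret, identifier, attrs):
    """Assemble an Accounting-Request. Per RFC 2866 section 3 the Request Authenticator
    is MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the Request Authenticator with our copy of the secret.
    A packet built with a different key, or altered in transit, fails and is silently dropped."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return the attributes as (type, raw value) pairs, rejecting malformed lengths."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[i + 2:i + length]))
        i += length
    return out


def accounting_on_packet(identifier=1, secret=SHARED_SECRET):
    """An Accounting-On request of the kind sent when accounting is enabled in a
    context (constructed sample values; NAS address and session ID are made up)."""
    attrs = (attr(ACCT_STATUS_TYPE, ACCT_STATUS_ON)
             + attr(NAS_IP_ADDRESS, socket.inet_aton("10.3.3.1"))
             + attr(NAS_IDENTIFIER, "Redback")
             + attr(ACCT_DELAY_TIME, 0)          # the value `radius attribute acct-delay-time` forces in
             + attr(ACCT_SESSION_ID, "0000000A"))
    return build_accounting_request(secret, identifier, attrs)


if __name__ == "__main__":
    pkt = accounting_on_packet()
    print("valid with configured key:", verify_accounting_request(pkt, SHARED_SECRET))
    print("valid with wrong key:     ", verify_accounting_request(pkt, b"wrong"))
    for attr_type, value in parse_attributes(pkt):
        print(attr_type, value)
```

Because the authenticator is a plain MD5 over the packet and the secret rather than a keyed MAC, the secret's length and randomness are what stand between an on-path attacker and forged accounting records; keep the key long and the accounting traffic on a management network. Note also that a server which rejects the authenticator sends nothing back, so a wrong key on either side looks exactly like the timeouts handled by the radius accounting timeout and max-retries commands.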
radius accounting server-timeout
radius accounting server-timeout interval
default radius accounting server-timeout
Purpose
Sets the time interval the SmartEdge OS waits before marking a non-responsive Remote Authentication
Dial-In User Service (RADIUS) accounting server as dead.
Command Mode
context configuration
Syntax Description
interval Time period that the SmartEdge OS checks back for successful responses, after an
individual RADIUS request times out, before treating the accounting server as dead.
The range of values is 0 to 2,147,483,647 seconds; the default value is 60 seconds.
Default
The interval is 60 seconds.
Usage Guidelines
Use the radius accounting server-timeout command to set the time interval the SmartEdge OS waits
before marking a non-responsive RADIUS accounting server as dead.
The SmartEdge OS marks a RADIUS accounting server as dead when no response is received to any
RADIUS requests during the time period specified by the interval argument. Setting the value to 0 disables
this feature; in this case, no RADIUS accounting server is marked as dead. How long a server then stays
marked as dead is set with the radius accounting deadtime command.
Use the default form of this command to specify the default interval.
Examples
The following example sets the waiting interval to 80 seconds:
[local]Redback(config-ctx)#radius accounting server-timeout 80
Related Commands
radius accounting deadtime
radius accounting timeout
radius accounting timeout
radius accounting timeout timeout
default radius accounting timeout
Purpose
Sets the maximum time the SmartEdge OS waits for a response from a Remote Authentication Dial-In User
Service (RADIUS) accounting server before assuming that a packet is lost, or that the RADIUS accounting
server is unreachable.
Command Mode
context configuration
Syntax Description
timeout Timeout period in seconds. The range of values is 1 to 2,147,483,647; the default value is
10 seconds.
Default
The maximum time is 10 seconds.
Usage Guidelines
Use the radius accounting timeout command to set the maximum time the SmartEdge router waits for a
response from a RADIUS accounting server before assuming that a packet is lost, or that the RADIUS
accounting server is unreachable.
Use the default form of this command to specify the default interval.
Examples
The following example sets the timeout interval to 30 seconds:
[local]Redback(config-ctx)#radius accounting timeout 30
Related Commands
aaa accounting subscriber
radius accounting algorithm
radius accounting max-outstanding
radius accounting max-retries
radius accounting server
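The radius accounting algorithm, deadtime, max-retries, server-timeout and timeout commands describe one failover state machine, and it is the combination that decides how long an accounting record is delayed when a server goes down. The following added Python model (illustrative code written for this page, not SmartEdge OS code) implements the behavior as the preceding entries describe it: per-request timeout, retransmission to successive servers, marking a server dead after server-timeout seconds without any reply, and skipping it for deadtime minutes. The class and method names are the example's own, simulated time is passed in rather than read from a clock, and one choice the guide does not cover, trying every server anyway when all of them are marked dead, is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AcctServer:
    name: str
    failing_since: Optional[float] = None  # time of the first unanswered request since the last reply
    dead_until: float = 0.0                # skipped until this simulated time (0 = not dead)


class AcctClient:
    """Simplified model of a context's RADIUS accounting client (illustrative, not SmartEdge OS)."""

    def __init__(self, names, algorithm="first", timeout=10, max_retries=3,
                 server_timeout=60, deadtime=5):
        self.servers = [AcctServer(n) for n in names]   # configured order
        self.algorithm = algorithm                      # "first" or "round-robin"
        self.timeout = timeout                          # radius accounting timeout (seconds)
        self.max_retries = max_retries                  # radius accounting max-retries
        self.server_timeout = server_timeout            # radius accounting server-timeout (s; 0 = never dead)
        self.deadtime = deadtime * 60                   # radius accounting deadtime (minutes; 0 = never skip)
        self._rr = 0                                    # round-robin start index

    def candidates(self, now):
        """Servers to try for one request, in the order the algorithm dictates."""
        live = [s for s in self.servers if s.dead_until <= now]
        if not live:
            live = list(self.servers)   # assumption: with every server dead, try them all anyway
        if self.algorithm == "round-robin":
            k = self._rr % len(live)
            self._rr += 1
            live = live[k:] + live[:k]
        return live

    def send(self, now, reachable):
        """Send one Accounting-Request at simulated time `now`; `reachable` is the set of
        server names that would answer. Returns (acknowledging server or None,
        list of (time, server) attempts, time at which the request was answered or dropped)."""
        attempts = []
        cands = self.candidates(now)
        for i in range(self.max_retries + 1):   # initial transmission plus max-retries retransmissions
            s = cands[i % len(cands)]            # successive servers, wrapping from last to first
            attempts.append((now, s.name))
            if s.name in reachable:
                s.failing_since = None           # a reply clears the dead-detection clock
                return s.name, attempts, now
            if s.failing_since is None:
                s.failing_since = now
            now += self.timeout                  # waited the full timeout with no response
            if (self.server_timeout and self.deadtime
                    and now - s.failing_since >= self.server_timeout):
                s.dead_until = now + self.deadtime   # skipped until deadtime expires, then probed again
        return None, attempts, now


if __name__ == "__main__":
    client = AcctClient(["10.3.3.3", "10.3.3.4"])   # constructed sample servers, first is down
    for t in (0, 30, 60, 100):
        print(t, client.send(t, {"10.3.3.4"}))
```

With the defaults the model shows the cost of a dead primary under the first algorithm: every record pays one full timeout (10 s) for the first 60 s of the outage, after which the primary is skipped for 5 minutes and records are acknowledged immediately by the next server. Setting deadtime to 0 removes the skip and reinstates the 10 s penalty on every record, which is the trade-off the deadtime entry describes.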
radius algorithm
radius algorithm {first | round-robin}
default radius algorithm
Purpose
Specifies the algorithm to use among multiple Remote Authentication Dial-In User Service (RADIUS)
servers.
Command Mode
context configuration
Syntax Description
first Specifies that the first configured RADIUS server is always queried first.
round-robin Specifies that the RADIUS servers are queried in round-robin fashion,
enabling load balancing.
Default
The SmartEdge router queries the first configured server first.
Usage Guidelines
Use the radius algorithm command to specify the algorithm to use among multiple RADIUS servers.
Use the default form of this command to reset the SmartEdge router to query the first configured RADIUS
server first.
Examples
The following example sets the algorithm to round-robin:
[local]Redback(config-ctx)#radius algorithm round-robin
Related Commands
aaa accounting subscriber
radius accounting max-outstanding
radius accounting max-retries
radius accounting server
radius source-port
radius strip-domain
radius timeout
radius attribute acct-delay-time
radius attribute acct-delay-time
{no | default} radius attribute acct-delay-time
Purpose
Sends the Acct-Delay-Time attribute in the Remote Authentication Dial-In User Service (RADIUS)
Accounting-Request packets for the current context regardless of whether the SmartEdge router had a delay
in sending the accounting record to the RADIUS server.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
The Acct-Delay-Time attribute is only sent in RADIUS Accounting-Request packets for the current
context, if there is a delay in sending the accounting record.
Usage Guidelines
Use the radius attribute acct-delay-time command to send the Acct-Delay-Time attribute in RADIUS
Accounting-Request packets for the current context regardless of whether the SmartEdge router had a delay
in sending the accounting record to the RADIUS server. If there is no delay, the SmartEdge router sets the
Acct-Delay-Time attribute to 0. By default, the Acct-Delay-Time attribute is sent in RADIUS
Accounting-Request packets for the current context only if there is a delay in sending the accounting record
to the RADIUS server.
Standard RADIUS attribute 41, Acct-Delay-Time, is described in Appendix A, RADIUS Attributes.
Use the no or default form of this command to reset the SmartEdge OS behavior to the default condition.
Examples
The following example shows how to configure the SmartEdge OS to send the Acct-Delay-Time attribute
in RADIUS Accounting-Request packets:
[local]Redback(config-ctx)#radius attribute acct-delay-time
Related Commands
radius attribute acct-session-id
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-ip-address
radius attribute nas-port
radius attribute nas-port-id
radius attribute nas-port-type
radius attribute acct-session-id
radius attribute acct-session-id access-request
{no | default} radius attribute acct-session-id access-request
Purpose
Sends the Acct-Session-Id attribute in Remote Authentication Dial-In User Service (RADIUS)
Access-Request packets for the current context.
Command Mode
context configuration
Syntax Description
access-request Specifies that the attribute is to be sent in Access-Request packets.
Default
The Acct-Session-Id attribute is only sent in Accounting-Request packets.
Usage Guidelines
Use the radius attribute acct-session-id command to send the Acct-Session-Id attribute in RADIUS
Access-Request packets for the current context. Carrying the same session identifier in the Access-Request
and in the later Accounting-Request packets lets the RADIUS server tie the authentication to the accounting
records for that session.
This command affects only subscriber sessions, not administrator sessions.
Standard RADIUS attribute 44, Acct-Session-Id, is described in Appendix A, RADIUS Attributes.
Use the no or default form of this command to disable the sending of the Acct-Session-Id attribute in
Access-Request packets.
Examples
The following example configures the SmartEdge OS to send the Acct-Session-Id attribute in RADIUS
Access-Request packets:
[local]Redback(config-ctx)#radius attribute acct-session-id access-request
Related Commands
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-ip-address
radius attribute nas-port
radius attribute nas-port-id
radius attribute nas-port-type
radius attribute acct-terminate-cause remap
radius attribute acct-terminate-cause remap
no radius attribute acct-terminate-cause remap
Purpose
Enables the remapping of Redback account termination error codes and accesses terminate error cause
configuration mode.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
Remapping of account termination error codes is disabled.
Usage Guidelines
Use the radius attribute acct-terminate-cause remap command to enable the remapping of Redback
account termination error codes and access terminate error cause configuration mode. By default, the
SmartEdge OS maps a Redback termination error code to a Remote Authentication Dial-In User Service
(RADIUS) attribute 49 (Acct-Terminate-Cause) terminate cause error code, which it sends in RADIUS
Accounting-Stop packets. RADIUS attribute 49 terminate cause error codes and their definitions are
included in RFC 2866, RADIUS Accounting. The RADIUS Attribute 49 Error Codes appendix in the IP
Services and Security Operations Guide for the SmartEdge OS lists the default mapping of Redback
account termination error codes to RADIUS attribute 49 error codes.
Use the no form of this command to remove the remapping of all Redback account termination error codes.
Examples
The following example enables the remapping of Redback account termination error codes:
[local]Redback(config)#radius attribute acct-terminate-cause remap
[local]Redback(config-term-ec)#
Related Commands
rbak-term-ec
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute acct-tunnel-connection l2tp-call-serial-num
{no | default} radius attribute acct-tunnel-connection l2tp-call-serial-num
Purpose
Sends a Layer 2 Tunneling Protocol (L2TP) call serial number type value in the Acct-Tunnel-Connection
attribute in Remote Authentication Dial-In User Service (RADIUS) packets for the current context, when
the SmartEdge router is functioning as an L2TP access concentrator (LAC).
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
When functioning as a LAC, the SmartEdge router sends an L2TP session ID type value in the
Acct-Tunnel-Connection attribute.
Usage Guidelines
Use the radius attribute acct-tunnel-connection l2tp-call-serial-num command to send an L2TP call
serial number ID type value in the Acct-Tunnel-Connection attribute in the RADIUS packets for the current
context, when the SmartEdge router is functioning as a LAC. This enables the RADIUS server to correlate
the ID type values received from the SmartEdge router and those received from L2TP network server
(LNS) devices when it attempts to authenticate Point-to-Point Protocol over Ethernet (PPPoE) sessions.
(LNS devices send L2TP call serial numbers in the Acct-Tunnel-Connection attribute by default.)
This command affects only subscriber sessions, not administrator sessions.
Standard RADIUS attribute 68, Acct-Tunnel-Connection, is described in Appendix A, RADIUS
Attributes.
Use the no or default form of this command to restore the default behavior, in which the SmartEdge router,
when functioning as a LAC, sends the L2TP session ID type value in the Acct-Tunnel-Connection attribute.
Examples
The following example configures the SmartEdge router, when functioning as a LAC, to send the L2TP
call serial number in the Acct-Tunnel-Connection attribute to the RADIUS server:
[local]Redback(config-ctx)#radius attribute acct-tunnel-connection l2tp-call-serial-num
Related Commands
radius attribute nas-ip-address
radius attribute nas-port
radius attribute nas-port-id
radius attribute nas-port-type
radius attribute calling-station-id
To specify the format for the automatically generated ID string, use the following syntax:
[no | default]
radius attribute calling-station-id [{media atm | media eth}] format {agent | description |
hostname agent | slot-port agent}
To specify that a separator character be prepended to the Calling-Station-Id attribute string in RADIUS
packets, use the following syntax:
[no | default]
radius attribute calling-station-id prepend-separator
To pad the virtual path identifier (VPI) or virtual channel identifier (VCI) value with zeros to make a
4-character string, use the following syntax:
[no | default]
radius attribute calling-station-id pvc-pad
To use a character that separates the elements of the attribute string, use the following syntax:
[no | default]
radius attribute calling-station-id separator separator
Purpose
Using the specified format, sends the Calling-Station-Id attribute in Remote Authentication Dial-In User
Service (RADIUS) Access-Request and Accounting-Request packets for the current context.
Command Mode
context configuration
Syntax Description
agent agent-circuit-id [non-ascii] [agent-remote-id [non-ascii]] | agent-remote-id
[non-ascii]
The non-ascii, agent-circuit-id, and agent-remote-id keywords are described
separately in this table.
media atm Uses the Asynchronous Transfer Mode (ATM) media format for the
automatically generated Calling-ID string.
media eth Uses the Ethernet media format for the automatically generated Calling-ID
string.
format Indicates a particular format to be applied.
agent-circuit-id Specifies that the format or the type of the information for the Calling-Station-Id
attribute is the circuit agent ID. Optional only when specifying the slot-port
keyword.
agent-remote-id Optional. Specifies that the format or the type of the information for the
Calling-Station-Id attribute is Agent-Remote-Id. Optional only when specifying
the agent-circuit-id keyword.
description Specifies a circuit description format using the information configured with the
description command in the configuration mode for the circuit with the
hostname prepended to it.
hostname Prepends the SmartEdge router hostname to the contents of the
Calling-Station-Id attribute in RADIUS packets. The hostname is either the one
that has been configured using the system hostname command (in context
configuration mode), or the default hostname, Redback.
non-ascii Available in context configuration mode. Specifies one of the following
translations when you use RADIUS with DHCP option 82:
The agent circuit ID is translated into binary format: agent-circuit-id [non-ascii].
The agent remote ID is translated into binary format: agent-remote-id
[non-ascii].
The agent circuit ID and agent remote ID are both translated into binary
format: agent-circuit-id [non-ascii] [agent-remote-id [non-ascii]].
The default translation is the agent circuit ID and agent remote ID into
hexadecimal format.
slot-port Specifies a slot number/port number format that has the hostname prepended to
it.
prepend-separator Optional. Specifies that a separator character be prepended to the
Calling-Station-Id attribute string in RADIUS packets. The character that is
prepended is the one set with the separator keyword.
pvc-pad Pads the virtual path identifier (VPI)/virtual channel identifier (VCI) value with
zeros to make a 4-character string.
separator separator Character that separates the elements of the attribute string. The default separator
character is the number symbol (#). You can change this default.
Default
The Calling-Station-Id attribute is not sent.
Usage Guidelines
Use the radius attribute calling-station-id command to send the Calling-Station-Id attribute, using the
specified format, in RADIUS Access-Request and Accounting-Request packets for the current context.
If you specify the media keyword, you can customize the format for ATM or Ethernet subscribers or for
both. The default format is valid for all circuit types.
If you specify the agent-circuit-id keyword, you can also specify the agent-remote-id keyword.
If you specify the agent-circuit-id non-ascii keywords, you can also specify the agent-remote-id
non-ascii keywords.
For Dynamic Host Configuration Protocol (DHCP) clients, the information for the Calling-Station-Id
attribute is extracted from the suboption 1 information in option 82 of the DHCP request packet; for
Point-to-Point Protocol over Ethernet (PPPoE) clients, the information is extracted from the PPPoE Active
Discovery Request (PADR) packet. The SmartEdge OS copies these values from the request packets as
received, so the RADIUS server should treat them as circuit identification supplied by the access network
rather than as authenticated identity.
If the agent-circuit-id keyword is specified, but the circuit agent ID information is not present in the DHCP
request packet or in the PADR packet sent by the client, the SmartEdge OS inserts the string
Agent-Circuit-Id Not Present.
If the agent-remote-id keyword is specified, but the remote agent ID information is not present in the
DHCP request packet or in the PADR packet sent by the client, the SmartEdge OS inserts the string
Agent-Remote-Id Not Present.
For Asynchronous Transfer Mode (ATM) permanent virtual circuits (PVCs), the format for the slot-port
keyword is #Hostname#slot/port#VPI#VCI; the description format is #Hostname#VC description#VPI#VCI.
For virtual LANs (VLANs), the formats for the slot-port keyword and description keyword, respectively,
are:
#Hostname#slot/port#Vlan-ID
#Hostname#Vlan description#Vlan-ID
Note If the description keyword is used, but the description of the ATM PVC itself has not been
configured using the description command (in ATM PVC configuration mode), the
SmartEdge OS defaults to the slot-port format.
Use the no form of this command to disable the sending of the Calling-Station-Id attribute.
Use the default form of this command to specify the default separator. To change the default separator
character, specify the separator keyword and character to use as the separator.
Examples
The following example sends the Calling-Station-Id attribute using the slot-port format and inserts
agent-circuit-id and agent-remote-id information into Access-Request and
Accounting-Request packets:
[local]Redback(config-ctx)#radius attribute calling-station-id format slot-port
agent-circuit-id agent-remote-id separator #
The format in which the Calling-Station-Id attribute is sent for VLAN connections is as follows:
hostname#slot#port#(VLAN ID)#(Agent-Circuit-Id)#(Agent-Remote-Id)
The following example configures the context so that the Calling-Station-Id attribute is sent in
Access-Request and Accounting-Request packets using a slash (/) as the separator character:
[local]Redback(config-ctx)#radius attribute calling-station-id separator /
Related Commands
radius attribute acct-session-id
radius attribute nas-ip-address
radius attribute nas-port
radius attribute nas-port-id
radius attribute nas-port-type
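The formatting rules for the Calling-Station-Id string are spread over the syntax table, the usage guidelines and the note above, and the exact string matters because RADIUS policies and log correlation key on it. The following added Python example (written for this page, not SmartEdge OS code) builds the string for an ATM PVC or a VLAN circuit from those rules: the slot-port and description layouts, the fall-back to slot-port when no description is configured, pvc-pad zero-filling, the Not Present strings for missing option 82 / PADR tags, and the separator and prepend-separator settings. The Circuit class, the function name and the sample circuits are the example's own; that prepend-separator is what produces the leading separator shown in the #Hostname#... layouts is an assumption drawn from the keyword description, and the non-ascii translations are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Strings the guide says are inserted when the client supplied no option 82 / PADR tag
NOT_PRESENT_CIRCUIT = "Agent-Circuit-Id Not Present"
NOT_PRESENT_REMOTE = "Agent-Remote-Id Not Present"


@dataclass
class Circuit:
    """Subscriber circuit facts the string is built from (constructed sample data)."""
    hostname: str                           # system hostname, default "Redback"
    slot: int
    port: int
    vlan_id: Optional[int] = None           # set for VLAN circuits
    vpi: Optional[int] = None               # vpi and vci set for ATM PVCs
    vci: Optional[int] = None
    description: Optional[str] = None       # from the circuit's description command, if any
    agent_circuit_id: Optional[str] = None  # option 82 suboption 1 / PADR tag, if sent
    agent_remote_id: Optional[str] = None


def calling_station_id(c, fmt="slot-port", agent_circuit_id=False, agent_remote_id=False,
                       separator="#", prepend_separator=False, pvc_pad=False):
    """Build the Calling-Station-Id string for one circuit under the given
    radius attribute calling-station-id settings."""
    is_atm = c.vpi is not None and c.vci is not None
    # description format falls back to slot-port when no description is configured
    if fmt == "description" and not c.description:
        fmt = "slot-port"
    if fmt == "slot-port":
        parts = [c.hostname, f"{c.slot}/{c.port}"]
    elif fmt == "description":
        parts = [c.hostname, c.description]
    else:
        raise ValueError(f"unknown format {fmt!r}")
    if is_atm:
        # pvc-pad zero-fills VPI and VCI to four characters each
        parts += [str(c.vpi).zfill(4) if pvc_pad else str(c.vpi),
                  str(c.vci).zfill(4) if pvc_pad else str(c.vci)]
    elif c.vlan_id is not None:
        parts.append(str(c.vlan_id))
    if agent_circuit_id:
        parts.append(c.agent_circuit_id or NOT_PRESENT_CIRCUIT)
    if agent_remote_id:
        parts.append(c.agent_remote_id or NOT_PRESENT_REMOTE)
    text = separator.join(parts)
    return separator + text if prepend_separator else text


if __name__ == "__main__":
    vlan = Circuit("Redback", 3, 1, vlan_id=100, agent_circuit_id="eth 0/1:100")
    pvc = Circuit("Redback", 2, 0, vpi=8, vci=35, description="cust-17")
    print(calling_station_id(vlan, agent_circuit_id=True, agent_remote_id=True))
    print(calling_station_id(pvc, fmt="description", pvc_pad=True, prepend_separator=True))
    print(calling_station_id(pvc, separator="/"))
```

Two things the code makes visible: the Not Present strings contain spaces and hyphens, so a RADIUS policy that splits the attribute on the separator must expect them as single elements, and choosing a slash as the separator makes slot/port indistinguishable from the separator itself, which is worth checking before changing the default on a live context.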
radius attribute filter-id
radius attribute filter-id direction {in | out | both | none}
{no | default} radius attribute filter-id
Purpose
Specifies the behavior of the SmartEdge OS when it receives a Remote Authentication Dial-In User Service
(RADIUS) Filter-Id attribute that does not specify a direction and there is an access control list (ACL)
applied to the circuit.
Command Mode
context configuration
Syntax Description
direction Specifies the direction of the packets to which the ACL is applied.
in Applies the ACL to inbound packets only.
out Applies the ACL to outbound packets only.
both Applies the ACL to inbound and outbound packets.
none Ignores the Filter-Id attribute and does not apply the ACL to packets in either direction.
Default
If the Filter-Id attribute does not include a direction, the SmartEdge OS applies the ACL to outbound
packets only.
Usage Guidelines
Use the radius attribute filter-id command to specify the behavior of the SmartEdge OS when it receives
a RADIUS Filter-Id attribute that does not specify a direction and there is an ACL applied to the circuit.
The choice of behavior depends on the nature of the ACL and the type of data that is exchanged.
The following sequence determines how the SmartEdge OS applies the ACL:
If the Filter-Id attribute includes a direction, it is honored.
If the Filter-Id attribute does not include a direction, and you have configured this command, the
SmartEdge OS determines the direction from the configuration for this command.
If the Filter-Id attribute does not include a direction, and this command is not configured, the SmartEdge
OS applies the ACL to outbound packets only (the default condition).
Because the default applies a Filter-Id ACL with no direction to outbound packets only, an ACL meant to
restrict what the subscriber sends into the router is not enforced in that direction unless the attribute carries
a direction or this command is set to in or both.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies that the ACL be applied to inbound packets only:
[ l ocal ] Redback( conf i g) #context local
[ l ocal ] Redback( conf i g- ct x) #radius attribute filter-id in
Related Commands
None
Command Descriptions
21-52 IP Services and Security Configuration Guide
radius attribute nas-identifier
radius attribute nas-identifier arbitrary-string
{no | default} radius attribute nas-identifier arbitrary-string
Purpose
Includes the network access server (NAS)-Identifier attribute in Remote Authentication Dial-In User
Service (RADIUS) Access-Request and Accounting-Request packets sent by the SmartEdge router.
Command Mode
context configuration
Syntax Description
arbitrary-string Indicates the value for the NAS system. Alphanumeric string of up to 255 characters.
Default
The NAS-Identifier attribute is not sent.
Usage Guidelines
Use the radius attribute nas-identifier command to include the NAS-Identifier attribute in RADIUS
Access-Request and Accounting-Request packets sent by the SmartEdge router.
Standard RADIUS attribute 32, NAS-Identifier, is described in Appendix A, RADIUS Attributes.
Use the no or default form of this command to specify the default behavior.
Examples
The following example shows how to configure the NAS-Identifier in RADIUS Access-Request and
Accounting-Request packets sent by the SmartEdge router:
[local]Redback(config-ctx)#radius attribute nas-identifier somearbitrarystring
Related Commands
radius attribute nas-port
radius attribute nas-port-id
radius attribute nas-ip-address
radius attribute nas-ip-address interface if-name
{no | default} radius attribute nas-ip-address
Purpose
Includes the network access server (NAS)-IP-Address attribute in Remote Authentication Dial-In User
Service (RADIUS) Access-Request and Accounting-Request packets sent by the SmartEdge router.
Command Mode
context configuration
Syntax Description
interface if-name Interface name. Uses the primary IP address associated with the interface as the source IP
address sent in RADIUS packets. If the interface is not configured or is unreachable, the IP address of
the outgoing interface is used instead as the source IP address for packets.
Default
The NAS-IP-Address attribute is not sent.
Usage Guidelines
Use the radius attribute nas-ip-address command to include the NAS-IP-Address attribute in RADIUS
Access-Request and Accounting-Request packets sent by the SmartEdge router.
Standard RADIUS attribute 4, NAS-IP-Address, is described in Appendix A, RADIUS Attributes.
Use the no or default form of this command to reset the SmartEdge router behavior so that the
NAS-IP-Address attribute is not included.
Examples
The following example sends the primary IP address for interface ether21 as the source IP address in
RADIUS Access-Request and Accounting-Request packets sent by the SmartEdge router:
[local]Redback(config-ctx)#radius attribute nas-ip-address interface ether21
Related Commands
radius attribute acct-session-id
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-port
radius attribute nas-port-id
radius attribute nas-port-type
radius attribute nas-port
radius attribute nas-port format {agent-remote-id | physical | slot-port | session-info} [no-pseudo]
{no | default} radius attribute nas-port format
Purpose
Modifies the format of the network access server (NAS)-Port attribute, which is sent in Remote
Authentication Dial-In User Service (RADIUS) Access-Request and Accounting-Request packets for the
current context.
Command Mode
context configuration
Syntax Description
format Indicates a particular attribute string format is to be applied.
agent-remote-id Specifies that the content of the NAS-Port attribute is a 32-bit remote agent ID.
physical Provides slot, port, virtual path identifier (VPI), and virtual channel identifier (VCI) in the
NAS-Port attribute sent to the RADIUS server.
For Asynchronous Transfer Mode (ATM) circuits and PPP over Ethernet (PPPoE) over ATM sessions,
the attribute format is slot-port-vpi-vci, such that:
slot SSSS (4 bits)
port PPPP (4 bits)
vpi CCCCCCCC (8 bits)
vci CCCCCCCCCCCCCCCC (16 bits)
For Ethernet and virtual LAN (VLAN) circuits, the attribute format depends on whether the session is
connected through an untagged Ethernet port, a VLAN, or a stacked VLAN circuit:
For untagged Ethernet, the format is slot/port:unused, such that:
slot SSSS (4 bits)
port PPPP (4 bits)
unused XXXXXXXXXXXXXXXXXXXXXXXX (24 bits)
For VLAN circuits, the format is slot/port:vlan-id, such that:
slot SSSS (4 bits)
port PPPP (4 bits)
zero 000000000000 (12 bits)
vlan-id CCCCCCCCCCCC (12 bits)
For stacked VLAN circuits, the format is slot/port:SvlanID-CvlanID, such that:
slot SSSS (4 bits)
port PPPP (4 bits)
SvlanID SSSSSSSSSSSS (12 bits)
CvlanID CCCCCCCCCCCC (12 bits)
slot-port Provides slot, port, and channel information in the NAS-Port attribute sent to the RADIUS
server. The attribute format is slot-port-channel, such that:
slot SSSSSSSS (8 bits)
port PPPPPPPP (8 bits)
channel CCCCCCCCCCCCCCCC (16 bits)
If no channel exists, the channel argument contains zeros.
This is the default format for standard RADIUS attribute 5, NAS-Port.
session-info Provides slot, port, and session information in the NAS-Port attribute sent to the RADIUS
server.
For ATM circuits, the attribute format is slot-port-vpi-vci, such that:
slot SSSS (4 bits)
port PPPP (4 bits)
vpi CCCCCCCC (8 bits)
vci CCCCCCCCCCCCCCCC (16 bits)
For PPPoE over ATM, Ethernet, and VLAN circuits, the format is slot-port-unused-pppoe_session,
such that:
slot SSSS (4 bits)
port PPPP (4 bits)
unused XXXXXXXX (8 bits)
session CCCCCCCCCCCCCCCC (16 bits)
no-pseudo Enables formatting for sessions that are not Layer 2 Tunneling Protocol (L2TP) network
server (LNS) or L2TP access concentrator (LAC) sessions.
Default
Standard RADIUS attribute 5, NAS-Port, is sent in the slot-port format. L2TP circuits (LNS or LAC) use
pseudo formatting.
Usage Guidelines
Use the radius attribute nas-port command to modify the format of the NAS-Port attribute, which is sent
in RADIUS Access-Request and Accounting-Request packets for the current context.
Use the radius attribute nas-port command with the no-pseudo keyword to remove pseudo formatting
on L2TP circuits (LNS or LAC).
The standard RADIUS attribute 5, NAS-Port, is described in Appendix A, RADIUS Attributes.
Use the no or default form of this command to revert to the default behavior.
Examples
The following example sends the NAS-Port attribute using the slot-port format in RADIUS
Access-Request and Accounting-Request packets for the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius attribute nas-port format slot-port
Related Commands
radius attribute acct-session-id
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-identifier
radius attribute nas-ip-address
radius attribute nas-port-id
radius attribute nas-port-type
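The bit layouts listed for the physical, slot-port, and session-info formats are easier to check in code. The following Python is an added example and not SmartEdge OS code: it packs and unpacks the 32-bit NAS-Port value for each (format, circuit type) combination in the command description, so a NAS-Port value found in a RADIUS accounting record can be mapped back to slot, port, VPI/VCI, VLAN IDs, or PPPoE session. The layout table, the underscore field names, and the sample values are constructed here; that fields are packed most-significant first, in the order the description lists them, is an assumption.

```python
"""Pack and unpack the 32-bit NAS-Port (RADIUS attribute 5) layouts selected by
radius attribute nas-port format {physical | slot-port | session-info}.

Added example (not SmartEdge OS code). Bit widths are the ones listed in the
command description; packing most-significant-first in the listed order is an
assumption.
"""

# (format, circuit type) -> ordered (field, width in bits) list; widths sum to 32
LAYOUTS = {
    ("slot-port", "any"):         [("slot", 8), ("port", 8), ("channel", 16)],
    ("physical", "atm"):          [("slot", 4), ("port", 4), ("vpi", 8), ("vci", 16)],
    ("physical", "ethernet"):     [("slot", 4), ("port", 4), ("unused", 24)],
    ("physical", "vlan"):         [("slot", 4), ("port", 4), ("zero", 12), ("vlan_id", 12)],
    ("physical", "stacked-vlan"): [("slot", 4), ("port", 4), ("svlan_id", 12), ("cvlan_id", 12)],
    ("session-info", "atm"):      [("slot", 4), ("port", 4), ("vpi", 8), ("vci", 16)],
    ("session-info", "pppoe"):    [("slot", 4), ("port", 4), ("unused", 8), ("session", 16)],
}


def pack_nas_port(fmt, circuit, **fields):
    """Build the NAS-Port integer; rejects values that do not fit their field."""
    layout = LAYOUTS[(fmt, circuit)]
    assert sum(width for _, width in layout) == 32
    unknown = set(fields) - {name for name, _ in layout}
    if unknown:
        raise ValueError(f"fields not in {fmt}/{circuit} layout: {sorted(unknown)}")
    value = 0
    for name, width in layout:
        field = fields.get(name, 0)
        if not 0 <= field < (1 << width):
            # e.g. slot 16 cannot be expressed in the 4-bit slot field of physical
            raise ValueError(f"{name}={field} does not fit in {width} bits")
        value = (value << width) | field
    return value


def unpack_nas_port(value, fmt, circuit):
    """Split a NAS-Port integer (as seen in a RADIUS log) back into its fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Port is a 32-bit attribute")
    shift = 32
    fields = {}
    for name, width in LAYOUTS[(fmt, circuit)]:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


if __name__ == "__main__":
    # constructed sample: slot 1, port 2, VLAN 100 in the physical/VLAN layout
    v = pack_nas_port("physical", "vlan", slot=1, port=2, vlan_id=100)
    print(hex(v), unpack_nas_port(v, "physical", "vlan"))
```

The decoder has to be told which format the context is configured with and which kind of circuit the subscriber is on; nothing inside the value itself says so, which is why the physical and session-info ATM layouts decode identically and an Ethernet value decoded with the VLAN layout silently yields a VLAN ID.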
radius attribute nas-port-id
radius attribute nas-port-id {format {agent-circuit-id [agent-remote-id] | all |
hostname {agent-circuit-id [agent-remote-id]} | physical | agent-remote-id} |
modified-agent-circuit-id [prefix-lg-description] | prepend-separator | separator separator}
no radius attribute nas-port-id format
default radius attribute nas-port-id {format | separator separator}
Purpose
Modifies the format of the network access server (NAS)-Port-Id attribute, which is sent in Remote
Authentication Dial-In User Service (RADIUS) Access-Request and Accounting-Request packets for the
current context.
Command Mode
context configuration
Syntax Description
format Indicates a particular format to be applied.
agent-circuit-id Specifies that the format or the type of the information for the NAS-Port-Id attribute is
the circuit agent ID.
agent-remote-id Optional. Specifies that the format or the type of the information for the
Calling-Station-Id attribute is Agent-Remote-Id. Optional only when specifying the agent-circuit-id
keyword.
hostname Prepends the SmartEdge router hostname to the contents of the NAS-Port-Id attribute in
RADIUS packets. The hostname is either the one that has been configured using the system hostname
command (in context configuration mode), or the default hostname, Redback.
all Specifies a format that includes the physical circuit and session information. This is the default
format.
physical Specifies a format that includes the physical circuit only.
modified-agent-circuit-id Specifies that the format or the type of the information for the NAS-Port-Id
attribute is a modified form of the circuit agent ID.
prefix-lg-description Optional. Specifies that a text string description of the access link group is to be
used as a prefix to the NAS-Port-Id attribute.
prepend-separator Optional. Specifies that a separator character be prepended to the NAS-Port-Id
attribute string in RADIUS packets. The separator character to prepend depends on which character is
used for the separator keyword.
separator separator Character to use to separate the elements of the attribute string. The default
separator character is the number symbol (#). You can change this default.
Default
Standard RADIUS attribute 87, NAS-Port-Id, is sent using the all format.
Usage Guidelines
Use the radius attribute nas-port-id command to modify the format of the NAS-Port-Id attribute, which
is sent in RADIUS Access-Request and Accounting-Request packets for the current context.
Caution Risk of interoperability loss. The NetOp Policy Manager (PM) requires the default format
setting for this command to assimilate the RADIUS attribute information. To avoid loss of
interoperability with NetOp PM, use this command with its default setting only.
If you specify the agent-circuit-id keyword, you can also specify the agent-remote-id keyword.
For Dynamic Host Configuration Protocol (DHCP) clients, the information for the NAS-Port-Id attribute
is extracted from the suboption 1 information in option 82 of the DHCP request packet; for Point-to-Point
Protocol over Ethernet (PPPoE) clients, the information is extracted from the PPPoE Active Discovery
Request (PADR) packet.
If the agent-circuit-id keyword is specified, but the circuit agent ID information is not present in the DHCP
request packet or in the PADR packet sent by the client, the SmartEdge OS inserts the Agent-Circuit-Id
Not Present string.
If the agent-remote-id keyword is specified, but the remote agent ID information is not present in the
DHCP request packet or in the PADR packet sent by the client, the SmartEdge OS inserts the
Agent-Remote-Id Not Present string.
If you specify the all keyword, the physical circuit information includes the slot, port, circuit identifier, and
session identifier; the format in which the NAS-Port-Id attribute is sent is:
slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id] [pppoe sess-id | clips sess-id]
The circuit identifier can be the virtual path identifier (VPI) with the virtual channel identifier (VCI), or it
can be the virtual LAN (VLAN) identifier, depending on the type of circuit.
If you specify the physical keyword, the format in which the NAS-Port-Id attribute is sent is:
slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id]
If you specify the modified-agent-circuit-id keyword, the system inserts the specific subscriber line
information in the NAS-Port-Id attribute. Line information includes:
slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id]
which is prepended to the subscriber identification fields.
To indicate that a text string description of the access link group (configured using the description
command) is to be used as a prefix to the NAS-Port-Id attribute, specify the format,
modified-agent-circuit-id, and prefix-lg-description keywords with the radius attribute nas-port-id
command. For more information about the description command, see the Link Group chapter in the
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Standard RADIUS attribute 87, NAS-Port-Id, and Redback vendor-specific attributes (VSAs) 96,
Agent-Remote-Id, and 97, Agent-Circuit-Id, are described in Appendix A, RADIUS Attributes.
Use the no or default form of this command to reset the format for the NAS-Port-Id attribute to the all
format.
Use the default form of this command to specify the default separator. To change the default separator
character, specify the separator keyword and the character to use as the separator.
Examples
The following example shows how to send the NAS-Port-Id attribute using the physical format in
RADIUS Access-Request and Accounting-Request packets for the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius attribute nas-port-id format physical
Related Commands
radius attribute acct-session-id
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-identifier
radius attribute nas-ip-address
radius attribute nas-port
radius attribute nas-port-type
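The all and physical string formats quoted in the usage guidelines can be parsed back into fields when RADIUS records are correlated with circuits. The following Python parser is an added example, not SmartEdge OS code: it accepts the grammar slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id] [pppoe sess-id | clips sess-id] exactly as the command description states it, in the default form without a hostname prefix or prepended separator. The sample strings are constructed.

```python
"""Parse NAS-Port-Id (RADIUS attribute 87) strings in the all and physical
formats described for radius attribute nas-port-id.

Added example, not SmartEdge OS code. Grammar taken from the usage guidelines:
slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id] [pppoe sess-id | clips sess-id]
"""
import re

NAS_PORT_ID_RE = re.compile(
    r"""^(?P<slot>\d+)/(?P<port>\d+)
        (?:\s+vpi-vci\s+(?P<vpi>\d+)\s+(?P<vci>\d+)              # ATM circuit
         |\s+vlan-id\s+(?:(?P<tunl_vlan>\d+):)?(?P<pvc_vlan>\d+)  # VLAN / stacked VLAN
        )?
        (?:\s+(?P<sess_type>pppoe|clips)\s+(?P<sess_id>\d+))?     # session part (all format only)
        $""",
    re.VERBOSE,
)


def parse_nas_port_id(text):
    """Return slot, port, circuit and session fields, or raise ValueError.

    circuit is ("atm", vpi, vci), ("vlan", tunnel_vlan_or_None, pvc_vlan) or None;
    session is ("pppoe", id), ("clips", id) or None (physical format carries none).
    """
    m = NAS_PORT_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an all/physical NAS-Port-Id: {text!r}")
    parsed = {"slot": int(m["slot"]), "port": int(m["port"])}
    if m["vpi"] is not None:
        parsed["circuit"] = ("atm", int(m["vpi"]), int(m["vci"]))
    elif m["pvc_vlan"] is not None:
        tunnel = int(m["tunl_vlan"]) if m["tunl_vlan"] else None
        parsed["circuit"] = ("vlan", tunnel, int(m["pvc_vlan"]))
    else:
        parsed["circuit"] = None
    parsed["session"] = (m["sess_type"], int(m["sess_id"])) if m["sess_type"] else None
    return parsed


def is_physical_only(text):
    """True when the string carries no session part, i.e. looks like the physical format."""
    return parse_nas_port_id(text)["session"] is None


if __name__ == "__main__":
    # constructed samples, one per branch of the grammar
    for sample in ("1/2 vlan-id 100 pppoe 12", "3/1 vpi-vci 8 35",
                   "5/3 vlan-id 200:300 clips 7", "1/2"):
        print(sample, "->", parse_nas_port_id(sample))
```

Because the VLAN branch takes an optional tunl-vlan-id: prefix, a value such as 200:300 is read as outer VLAN 200 and inner VLAN 300; a bare 100 is the inner VLAN with no tunnel, which matches the stacked-VLAN and VLAN bit layouts of the nas-port command.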
radius attribute nas-port-type
radius attribute nas-port-type port-type
{no | default} radius attribute nas-port-type port-type
Purpose
Modifies the value for the network access server (NAS)-Port-Type attribute sent in Remote Authentication
Dial-In User Service (RADIUS) Access-Request and Accounting-Request packets.
Command Mode
ATM profile configuration
dot1q profile configuration
port configuration
Syntax Description
port-type Value that represents the type of connection the subscriber has to the network access server
(NAS) through which it is authenticated. The range of values is 0 to 255. Values 0 to 19 are defined in
Table 21-15. The default value is either 0 or 5, indicating an asynchronous connection through a console
port or a virtual connection through a transport protocol, respectively.
Default
The NAS-Port-Type attribute is sent in RADIUS Access-Request and Accounting-Request packets. The
value is either 0 or 5, depending on how the subscriber is connected to its authenticating NAS.
Usage Guidelines
Use the radius attribute nas-port-type command to modify the value for the NAS-Port-Type attribute
sent in RADIUS Access-Request and Accounting-Request packets.
Table 21-15 lists the definitions of the values for the port-type argument.
Table 21-15 Values for the port-type Argument
Value Definition
0 async
1 sync
2 ISDN (sync)
3 ISDN (async V120)
4 ISDN (async V110)
5 Virtual
6 PIAFS (wireless ISDN used in Japan)
7 HDLC (clear-channel)
8 X.25
9 X.75
10 G3_Fax (G.3 Fax)
11 SDSL (symmetric DSL)
12 ADSL_CAP (asymmetric DSL, Carrierless Amplitude Phase Modulation)
13 ADSL_DMT (asymmetric DSL, Discrete Multi-Tone)
14 IDSL (ISDN digital subscriber line)
15 Ethernet
16 xDSL (digital subscriber line of unknown type)
17 Cable
18 Wireless (Wireless - Other)
19 Wireless_802_11 (Wireless - IEEE 802.11)
Standard RADIUS attribute 61, NAS-Port-Type, is described in Appendix A, RADIUS Attributes.
Use the no or default form of this command to reset the SmartEdge OS behavior to the default condition.
Examples
The following example modifies the NAS-Port-Type attribute in RADIUS Access-Request and
Accounting-Request packets to type 4 (ISDN):
[local]Redback(config)#context local
[local]Redback(config-atm-profile)#radius attribute nas-port-type 4
Related Commands
radius attribute acct-session-id
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-ip-address
radius attribute nas-port
radius attribute nas-port-id
radius attribute vendor-specific
radius attribute vendor-specific Redback {mac-address separator char | salt-encrypted-attr
{authen-server | coa-server}}
{no | default} radius attribute vendor-specific Redback {mac-address separator char |
salt-encrypted-attr {authen-server | coa-server}}
Purpose
Specifies the character the SmartEdge OS uses to separate the fields in the specified Remote Authentication
Dial-In User Service (RADIUS) attribute, and whether attributes can be encrypted.
Command Mode
context configuration
Syntax Description
Redback Specifies Redback as the vendor.
mac-address Specifies Redback vendor-specific attribute (VSA) 145, Mac-Addr, as the attribute.
separator char Character to be used as a separator. The default is hyphen (-).
salt-encrypted-attr Allows encrypted Redback VSA attributes.
authen-server Allows encrypted Redback VSAs in Access-Response packets.
coa-server Allows encrypted Redback VSAs in CoA-Request packets.
Default
The SmartEdge OS uses the hyphen (-) character, and Redback VSAs can be encrypted.
Usage Guidelines
Use the radius attribute vendor-specific command to specify the character the SmartEdge OS uses to
separate the fields in the specified RADIUS attribute, and whether attributes can be encrypted.
Use the no or default form of this command to specify the default character as the separator.
Examples
The following example specifies the colon (:) as the separator character:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius attribute vendor-specific Redback mac-address separator :
Related Commands
None
radius coa server
radius coa server {ip-addr | hostname} {key key | encrypted-key key} [port udp-port]
no radius coa server {ip-addr | hostname}
Purpose
Configures the IP address or hostname of a Remote Authentication Dial-In User Service (RADIUS)
Change of Authorization (CoA) server.
Command Mode
context configuration
Syntax Description
ip-addr IP address of the RADIUS CoA server.
hostname Hostname of the RADIUS CoA server. The Domain Name System (DNS) must be enabled in
order to use the hostname argument.
key key Alphanumeric string indicating the secret key that must be shared with the RADIUS CoA server.
If multiple subscriber sessions share the same key, all sessions are affected by a CoA change.
encrypted-key key Alphanumeric string representing the encrypted secret key that must be shared with
the RADIUS CoA server. If multiple subscriber sessions share the same key, all sessions are affected by
a CoA change.
port udp-port Optional. RADIUS CoA server User Datagram Protocol (UDP) port. The range of values
is 1 to 65,536. If no port is specified, port 3799 is used for CoA messages. The udp-port value indicates
the CoA port.
Default
RADIUS CoA server hostnames and IP addresses are not preconfigured. Port 3799 is the User Datagram
Protocol (UDP) CoA port.
Usage Guidelines
Use the radius coa server command to configure the IP address or hostname of a RADIUS CoA server.
You can use this command multiple times to configure up to five RADIUS CoA servers per context.
RADIUS CoA servers configured in a non-local context can change session settings only for subscribers
in the same context. CoA servers configured in the local context can change settings for all subscribers.
To use the hostname argument, DNS must be enabled; for more information, see Chapter 11, DNS
Configuration.
Note To enable authentication to be performed by RADIUS, you must also enter the aaa
authentication subscriber command (in context configuration mode); for more information,
see Chapter 20, AAA Configuration.
The RADIUS CoA server can use one or more of the identifiers listed in Table 21-16 to identify a
subscriber session.
Table 21-16 RADIUS CoA Session Identifiers
Identifier Notes
Username For global authentication, use the RBN CONTEXT-NAME VSA to search the appropriate
context. If this attribute is not specified, only the local context is searched.
Acct-Session-ID This identifier is unique across all contexts.
IP-Address This identifier is unique only within a context. Using this identifier returns all sessions in all
contexts with the specified IP address. For global authentication, use the RBN CONTEXT-NAME VSA
to search the appropriate context. If this attribute is not specified, only the local context is searched.
Agent-Circuit-ID This identifier is unique across all contexts.
Agent-Remote-ID This identifier is unique across all contexts.
For CoA disconnect messages, specify at least one keyword in Table 21-16. For all other CoA messages,
specify at least one keyword in Table 21-16, as well as one or more attributes to change. If multiple
keywords are specified, all specified keywords must match subscriber session attributes.
Appendix A lists the RADIUS attributes supported by the SmartEdge OS. In addition, CoA messages can
also contain the RADIUS lawful intercept (LI) attributes. If a CoA message contains any unsupported
attributes, the request fails. RADIUS CoA and disconnect features are described in RFC 3576, Dynamic
Authorization Extensions to Remote Authentication Dial-In User Service (RADIUS).
If the specified keyword matches multiple subscriber sessions, and the requested change is successful for
only a subset of the sessions, all successful changes are preserved. The SmartEdge OS sends a negative
acknowledgement (NAK).
When an attempt to modify an LI attribute fails, the subscriber session is preserved. When an attempt to
modify any other attribute fails, the subscriber session is terminated.
Use the no form of this command to delete a previously configured RADIUS CoA server.
Examples
The following example configures a RADIUS CoA server IP address of 10.3.3.3 with the key, secret,
using port 4444 for CoA messages:
[local]Redback(config-ctx)#radius coa server 10.3.3.3 key secret port 4444
Related Commands
aaa accounting subscriber
radius server
radius source-port
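The key configured with radius coa server is what ties a CoA or Disconnect request to an authorized server: under RFC 3576 the NAS recomputes the Request Authenticator over the packet with the shared secret and ignores requests that do not match, and the CoA server checks the Response Authenticator on the ACK or NAK it receives. The following Python shows both sides of that exchange. It is an added example and not SmartEdge OS code; the attribute values, identifier and helper names are constructed here, and the key "secret" is the one used in the page's example.

```python
"""Build and verify RADIUS CoA / Disconnect packets as defined in RFC 3576.

Added example, not SmartEdge OS code. Shows the two authenticator checks the
shared key configured with radius coa server makes possible: the NAS verifies
incoming requests, the CoA server verifies the ACK/NAK it gets back.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, ACCT_SESSION_ID = 1, 44      # standard RADIUS attribute numbers
HEADER = struct.Struct("!BBH")          # code, identifier, length (authenticator follows)


def encode_attributes(attrs):
    """Encode (type, value bytes) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def _packet(code, identifier, authenticator, body):
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(code|id|length|16 zero octets|attrs|secret).
    MD5 here is what RFC 3576 mandates for this field, not a design choice."""
    body = encode_attributes(attrs)
    digest = hashlib.md5(_packet(code, identifier, bytes(16), body) + secret).digest()
    return _packet(code, identifier, digest, body)


def verify_request(packet, secret):
    """NAS-side check on a received CoA/Disconnect-Request before acting on it."""
    if len(packet) < 20:
        return False
    code, _identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet) or code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)   # constant-time compare


def build_response(code, request, attrs, secret):
    """ACK/NAK: Response Authenticator = MD5(code|id|length|RequestAuth|attrs|secret)."""
    body = encode_attributes(attrs)
    identifier = request[1]
    digest = hashlib.md5(_packet(code, identifier, request[4:20], body) + secret).digest()
    return _packet(code, identifier, digest, body)


def verify_response(response, request, secret):
    """CoA-server-side check that the ACK/NAK answers `request` and was keyed correctly."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    key = b"secret"
    req = build_request(COA_REQUEST, 7, [(USER_NAME, b"alice@gold-isp")], key)
    print("request ok:", verify_request(req, key), "wrong key:", verify_request(req, b"wrong"))
    nak = build_response(COA_NAK, req, [], key)
    print("nak ok:", verify_response(nak, req, key))
```

The check is only as strong as the key: any host that knows it can produce valid requests, which is the practical meaning of the note above that all sessions sharing a key are affected by a CoA change, and why a per-context CoA server and a distinct key limit the blast radius.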
radius deadtime
radius deadtime interval
default radius deadtime
Purpose
Sets the interval during which the SmartEdge OS treats a nonresponsive Remote Authentication Dial-In
User Service (RADIUS) server as dead.
Command Mode
context configuration
Syntax Description
interval Deadtime interval in minutes. The range of values is 0 to 65,535; the default value is 5. The 0
value disables this feature.
Default
The waiting interval is five minutes.
Usage Guidelines
Use the radius deadtime command to set the interval during which the SmartEdge OS treats a
nonresponsive RADIUS server as dead. During the interval, the SmartEdge OS tries to reach another
RADIUS server; after the interval expires, the SmartEdge OS tries again to reach the server. If there is no
response, the RADIUS server remains marked as dead and the timer is set again to the configured
interval.
If you disable this feature (with the 0 value), the SmartEdge OS never waits but attempts to reach the server
immediately.
Note You must configure at least one RADIUS server using the radius server command (in context
configuration mode) prior to entering this command.
Use the default form of this command to specify the default interval.
Examples
The following example sets the deadtime interval to 10 minutes:
[local]Redback(config-ctx)#radius deadtime 10
Related Commands
radius server
radius server-timeout
radius timeout
radius max-outstanding
radius max-outstanding requests
{no | default} radius max-outstanding
Purpose
Modifies the number of simultaneous outstanding requests that can be sent by the SmartEdge router to
Remote Authentication Dial-In User Service (RADIUS) servers.
Command Mode
context configuration
Syntax Description
requests Number of simultaneous outstanding requests per RADIUS server in the current context. The
range of values is 1 to 256.
Default
The maximum number of allowable outstanding requests is 256.
Usage Guidelines
Use the radius max-outstanding command to modify the number of simultaneous outstanding requests
the SmartEdge router can send to RADIUS servers.
Use the no or default form of this command to reset the maximum number of outstanding requests to 256.
Examples
The following example limits the number of simultaneous outstanding requests to 128:
[local]Redback(config-ctx)#radius max-outstanding 128
Related Commands
aaa accounting subscriber
radius max-retries
radius server
radius source-port
radius strip-domain
radius timeout
radius max-retries
radius max-retries retries
default radius max-retries
Purpose
Modifies the number of retransmission attempts the SmartEdge router makes to a Remote Authentication
Dial-In User Service (RADIUS) server in the event that no response is received from the server within the
timeout period.
Command Mode
context configuration
Syntax Description
retries Number of retransmission attempts the SmartEdge router will make. The range of values is 1 to
2,147,483,647; the default value is 3.
Default
The SmartEdge router makes three retransmission attempts.
Usage Guidelines
Use the radius max-retries command to modify the number of retransmission attempts the SmartEdge
router makes to a RADIUS server in the event that no response is received from the server within the
timeout period.
You set the timeout period with the radius timeout command (in context configuration mode).
If an acknowledgment is not received, each successive server is tried (wrapping from the last server to the
first, if necessary) until the maximum number of retransmissions is reached.
Use the default form of this command to specify the default number of retries.
Examples
The following example sets the retransmit value to 5:
[local]Redback(config-ctx)#radius max-retries 5
The following example resets the retransmit value to the default (3):
[local]Redback(config-ctx)#default radius max-retries
Related Commands
aaa accounting subscriber
radius max-outstanding
radius timeout
radius policy
In global configuration mode, the syntax is:
radius policy name pol-name
no radius policy name pol-name
In context configuration mode, the syntax is:
radius policy pol-name
no radius policy pol-name
Purpose
In global configuration mode, creates or modifies a Remote Authentication Dial-In User Service
(RADIUS) policy and accesses RADIUS policy configuration mode; in context configuration mode,
assigns a RADIUS policy to the context.
Command Mode
context configuration
global configuration
Syntax Description
name pol-name Name of the RADIUS policy being created or modified.
pol-name Name of the RADIUS policy being assigned.
Default
No RADIUS policy is created or assigned to a context.
Usage Guidelines
Use the radius policy command in global configuration mode to create or modify a RADIUS policy and
access RADIUS policy configuration mode; use it in context configuration mode to assign a RADIUS
policy to the context.
The RADIUS policy specifies which RADIUS attributes and vendor-specific attributes (VSAs) are to be
removed from RADIUS Access-Request and various Accounting-Request messages, such as
Accounting-Start, Accounting-Stop, and Accounting-Update. Use the attribute command (in RADIUS
policy configuration mode) to specify the attributes to be removed from the messages.
Use the no form of this command in global configuration mode to delete the policy; use it in context
configuration mode to remove the policy from the context configuration.
Examples
The following example creates the custom RADIUS policy:
[local]Redback(config)#radius policy name custom
[local]Redback(config-rad-policy)#
The following example assigns the custom RADIUS policy to the gold-isp context:
[local]Redback(config)#context gold-isp
[local]Redback(config-ctx)#radius policy custom
Related Commands
attribute
radius server
radius server {ip-addr | hostname} {key key | encrypted-key key} [CoA-server] [{oldports | port
udp-port}]
no radius server {ip-addr | hostname}
Purpose
Configures the IP address or hostname of a Remote Authentication Dial-In User Service (RADIUS) server.
Command Mode
context configuration
Syntax Description
ip-addr IP address of the RADIUS server.
hostname Hostname of the RADIUS server. The Domain Name System (DNS) must be enabled in order
to use the hostname argument.
key key Alphanumeric string indicating the authentication key that must be shared with the RADIUS
server.
encrypted-key key Alphanumeric string representing the encrypted authentication key that must be
shared with the RADIUS server.
CoA-server Optional. Uses the RADIUS server as a Change of Authorization (CoA) server.
oldports Optional. Uses RADIUS User Datagram Protocol (UDP) port 1645 for authentication.
port udp-port Optional. RADIUS authentication UDP port. The range of values is 1 to 65,536. If no port
is specified, port 1812 is used for authentication. The udp-port value indicates the authentication port.
Default
RADIUS server hostnames and IP addresses are not preconfigured. 1812 is the UDP authentication port.
Usage Guidelines
Use the radius server command to configure the IP address or hostname of a RADIUS server. You can use
this command multiple times to configure up to five RADIUS servers per context.
To use the hostname argument, DNS must be enabled; for more information, see Chapter 11, DNS
Configuration.
Note To enable authentication to be performed by RADIUS, you must also enter the aaa
authentication subscriber command (in context configuration mode); for more information,
see Chapter 20, AAA Configuration.
If you specify the optional CoA-server keyword, the same port that is used for authentication is also used
for CoA messages.
The RADIUS CoA server can use one or more of the keywords listed in Table 21-16 to identify a subscriber
session. For information on CoA interactions, see the radius coa server command.
Use the no form of this command to delete a previously configured RADIUS server.
Examples
The following example configures a RADIUS server with an IP address of 10.3.3.3 with the key,
secret, using port 4444 for authentication:
[local]Redback(config-ctx)#radius server 10.3.3.3 key secret port 4444
Related Commands
aaa accounting subscriber
radius coa server
radius source-port
radius server-timeout
radius server-timeout interval
default radius server-timeout
Purpose
Sets the time interval the SmartEdge OS waits before marking a non-responsive Remote Authentication
Dial-In User Service (RADIUS) server as dead.
Command Mode
context configuration
Syntax Description
interval Number of seconds after which the SmartEdge OS checks for successful responses after an
individual RADIUS request times out, before treating the server as dead. The range of
values, in seconds, is 0 to 2,147,483,647; the default value is 60.
Default
The maximum time interval is 60 seconds.
Usage Guidelines
Use the radius server-timeout command to set the time interval the SmartEdge OS waits before marking
a non-responsive RADIUS accounting server as dead.
The SmartEdge OS marks a RADIUS server as dead when no response is received to any RADIUS
requests during the time period specified by the interval argument. Setting the value to 0 disables this
feature; in this case, no RADIUS server is marked as dead.
Use the default form of this command to specify the default interval.
Examples
The following example sets the waiting interval to 80 seconds:
[local]Redback(config-ctx)#radius server-timeout 80
Related Commands
radius deadtime
radius service profile
radius service profile prof-name
no radius service profile prof-name
Purpose
Creates or selects a Remote Authentication Dial-In User Service (RADIUS)-guided service profile and
accesses service profile configuration mode.
Command Mode
context configuration
Syntax Description
prof-name Name of a service profile.
Default
No RADIUS-guided service profiles exist.
Usage Guidelines
Use the radius service profile command to create or select a RADIUS-guided service profile and access
service profile configuration mode.
A RADIUS service profile specifies various service conditions and is used to activate services and establish
service conditions for that subscriber session. It is these service conditions against which the service data
in a CoA Request and Access Response message is matched. You can specify as many as 16 conditions in
a service profile.
Use the no form of this command to delete the RADIUS-guided service profile from the configuration.
Examples
The following example creates the redirect service profile in the local context and accesses service
profile configuration mode:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#
Related Commands
accounting
attribute
foreach
parameter
radius source-port
radius source-port port-num num-ports
no radius source-port
Purpose
In context configuration mode, enables the SmartEdge OS to ignore the source port sent by the Remote
Authentication Dial-In User Service (RADIUS) server in Access-Response messages. In global
configuration mode, increases the number of outstanding requests for each RADIUS server by sending
requests using a different source port value.
Command Mode
context configuration
global configuration
Syntax Description
port-num Port number. The range of values is 1,024 to 65,535.
num-ports Number of ports. The range of values is 1 to 10.
Default
This feature is disabled.
Usage Guidelines
In context configuration mode, use the radius source-port command to enable the SmartEdge OS to ignore
the source port sent by the RADIUS server in Access-Response messages. In this configuration mode, this
command refers to the source port that the RADIUS server uses when sending a RADIUS Access-Response
message to the SmartEdge OS.
In global configuration mode, use the radius source-port command to increase the number of outstanding
requests for each RADIUS server by sending requests using a different source port value. In this
configuration mode, this command refers to the source port that the SmartEdge OS uses when sending a
RADIUS Access-Request message to a RADIUS server.
Use the no form of this command to return to the default number of outstanding requests.
Examples
The following example configures a port number of 2000 and sets the number of ports to 5:
[local]Redback(config)#radius source-port 2000 5
Related Commands
aaa accounting subscriber
radius algorithm
radius max-outstanding
radius max-retries
radius server
radius strip-domain
radius timeout
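As an added illustration (an editor's example, not SmartEdge OS code) of why the global-mode form raises the number of outstanding requests: RFC 2865 gives each request a one-octet Identifier, and a client matches a reply to the request it sent from the same source port with that Identifier, so one source port can carry at most 256 unanswered requests to a given server. The model below tracks (source port, identifier) pairs for a pool configured like the example above, port-num 2000 and num-ports 5. The class and function names are the editor's, and nothing about how SmartEdge OS actually allocates identifiers is on the page.

```python
"""Model of the outstanding-request capacity that radius source-port
(global configuration mode) provides. Added example, not SmartEdge OS code.
Assumes the RFC 2865 rule that a reply is matched by source port plus the
one-octet Identifier field, so each port has 256 identifier slots."""
from dataclasses import dataclass, field

IDENTIFIER_SPACE = 256  # RFC 2865 Identifier is one octet (0-255)


@dataclass
class SourcePortPool:
    """Tracks (source port, identifier) pairs in flight to one RADIUS server."""
    port_num: int    # first source port, as configured (1,024 to 65,535)
    num_ports: int   # number of consecutive ports (1 to 10)
    in_flight: dict = field(default_factory=dict)  # (port, ident) -> request label

    def __post_init__(self):
        # Same ranges the command accepts; the upper-bound check on the last
        # port is the editor's assumption, not documented behaviour.
        if not 1024 <= self.port_num <= 65535:
            raise ValueError("port-num must be 1,024 to 65,535")
        if not 1 <= self.num_ports <= 10:
            raise ValueError("num-ports must be 1 to 10")
        if self.port_num + self.num_ports - 1 > 65535:
            raise ValueError("port range exceeds 65,535")

    @property
    def capacity(self) -> int:
        return self.num_ports * IDENTIFIER_SPACE

    def allocate(self, label: str):
        """Return the (port, identifier) pair to use for a new request, or None
        when every pair is busy (the request would have to wait or be dropped)."""
        for port in range(self.port_num, self.port_num + self.num_ports):
            for ident in range(IDENTIFIER_SPACE):
                key = (port, ident)
                if key not in self.in_flight:
                    self.in_flight[key] = label
                    return key
        return None

    def release(self, port: int, ident: int) -> bool:
        """A reply (or final timeout) was seen for this pair; free it. Returns
        False when the pair was not in flight, e.g. a stray reply."""
        return self.in_flight.pop((port, ident), None) is not None

    def outstanding(self) -> int:
        return len(self.in_flight)


def demo() -> dict:
    """Constructed comparison: one source port versus the page's five."""
    single = SourcePortPool(port_num=2000, num_ports=1)
    five = SourcePortPool(port_num=2000, num_ports=5)
    for i in range(IDENTIFIER_SPACE):          # fill all 256 slots of port 2000
        single.allocate(f"req{i}")
        five.allocate(f"req{i}")
    blocked = single.allocate("req256")        # no free identifier left
    spill = five.allocate("req256")            # moves on to port 2001
    return {"single_capacity": single.capacity, "five_capacity": five.capacity,
            "blocked": blocked, "spill": spill}
```

With num-ports 5 the pool holds 1,280 unanswered requests instead of 256; the 257th request in the single-port pool finds no free identifier, while the five-port pool simply takes the first identifier on the next port.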
radius strip-domain
radius strip-domain
no radius strip-domain
Purpose
Strips the domain portion of a structured username before relaying an authentication request to a Remote
Authentication Dial-In User Service (RADIUS) server.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
The entire username, including the domain name, is sent to the RADIUS server.
Usage Guidelines
Use the radius strip-domain command to strip the domain portion of a structured username before
relaying an authentication request to a RADIUS server. The username can be either a subscriber name or
administrator name.
Use the no form of this command to disable stripping the domain portion of the structured username.
Examples
The following example prevents the domain portion of the structured username from being sent to the
RADIUS server for authentication:
[local]Redback(config-ctx)#radius strip-domain
Related Commands
aaa accounting subscriber
radius algorithm
radius max-outstanding
radius max-retries
radius server
radius source-port
radius timeout
radius timeout
radius timeout timeout
default radius timeout
Purpose
Sets the maximum time the SmartEdge router waits for a response from a Remote Authentication Dial-In
User Service (RADIUS) server before assuming that a packet is lost, or that the RADIUS server is
unreachable.
Command Mode
context configuration
Syntax Description
timeout Timeout period in seconds. The range of values is 1 to 2,147,483,647; the default value
is 10 seconds.
Default
The maximum time is 10 seconds.
Usage Guidelines
Use the radius timeout command to set the maximum time the SmartEdge router waits for a response from
a RADIUS server before assuming that a packet is lost, or that the RADIUS server is unreachable.
Use the default form of this command to specify the default interval.
Examples
The following example sets the timeout interval to 30 seconds:
[local]Redback(config-ctx)#radius timeout 30
Related Commands
aaa accounting subscriber
radius algorithm
radius max-outstanding
radius max-retries
radius server
radius source-port
radius strip-domain
rbak-term-ec
rbak-term-ec term-error-code ietf-attr-49 error-code
no rbak-term-ec term-error-code
Purpose
Remaps a Redback account (session) termination error code to a different Remote Authentication Dial-In
User Service (RADIUS) attribute 49 (Acct-Terminate-Cause) error code.
Command Mode
terminate error cause configuration
Syntax Description
term-error-code Redback account termination error code to be remapped.
ietf-attr-49 error-code Attribute 49 error code to which the Redback termination error code is
remapped.
Default
No Redback account termination error codes are remapped.
Usage Guidelines
Use the rbak-term-ec command to remap a Redback account (session) termination error code to a different
RADIUS attribute 49 (Acct-Terminate-Cause) error code. The RADIUS Attribute 49 Error Codes
appendix in the IP Services and Security Operations Guide for the SmartEdge OS lists the default mapping
of Redback account termination error codes to RADIUS attribute 49 (Acct-Terminate-Cause) error codes.
RADIUS attribute 49 error codes and their definitions are included in RFC 2866, RADIUS Accounting.
Use the no form of this command to specify the default RADIUS attribute 49 error code for the specified
Redback account termination error code.
Examples
The following example remaps Redback account termination code 24 (Authentication failed) from its
default RADIUS attribute 49 error code 17 (User error) to the RADIUS attribute 49 error code 2 (network
access server [NAS] error):
[local]Redback(config)#radius attribute acct-terminate-cause remap
[local]Redback(config-term-ec)#rbak-term-ec 24 ietf-attr-49 2
Related Commands
radius attribute acct-terminate-cause remap
Chapter 22
TACACS+ Configuration
This chapter describes the commands used to configure SmartEdge OS Terminal Access Controller
Access Control System Plus (TACACS+) features.
For information about TACACS+ attribute-value pairs (AVPs), see Appendix B, TACACS+
Attribute-Value Pairs.
For information about the commands used to monitor, troubleshoot, and administer TACACS+, see the
TACACS+ Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The TACACS+ protocol enables the building of a system that secures remote access to networks and
network services. TACACS+ is based on a client/server architecture. When configured with the IP address
or hostname of a TACACS+ server, the SmartEdge router can act as a TACACS+ client. TACACS+ servers
are configured on a per-context basis, with a limit of six servers in each context.
The SmartEdge OS supports the TACACS+ features of One-Time Passwords in Everything (OPIE), S/Key,
and SecurID, if they are supported by and enabled on the TACACS+ server. These functions are limited to
Telnet sessions only.
The SmartEdge OS sends Simple Network Management Protocol (SNMP) notifications when the
SmartEdge router has difficulty communicating with a TACACS+ server and declares it down, and also
when communication to the server is restored.
Configurable options for a TACACS+ server include:
Timeout interval, maximum number of retries, deadtime interval
Domain stripping of structured usernames
Authentication of administrators and authorization of the use of specific command-line interface (CLI)
commands
Sending of accounting messages for administrator sessions and CLI command accounting records to
TACACS+ servers
To enable authentication and accounting features, you must also configure authentication, authorization,
and accounting (AAA). For information about AAA tasks and commands, see Chapter 20, AAA
Configuration.
To enable administrator authentication through TACACS+, enter the aaa authentication administrator
command (in context configuration mode). To configure CLI authorization, enter the aaa authorization
commands command (in context configuration mode). To enable accounting messages to be sent to a
TACACS+ server, enter the aaa accounting administrators and aaa accounting commands commands
(in context configuration mode).
Configuration Tasks
The SmartEdge OS supports up to six TACACS+ servers in each context. Servers are assigned priority
based on the order in which they are configured in the SmartEdge OS. The first configured server is used
first. If the first server becomes unavailable or unreachable, the second server is used, and so on.
By default, the local IP address for the interface on which TACACS+ is transmitted is included in packets
sent by the SmartEdge OS. To not publish the IP address to the TACACS+ server, you must configure a
loopback interface to appear to be the source address for TACACS+ packets. The interface must be
reachable by the TACACS+ server; for details about this command, see the Interface Configuration
chapter in the Basic System Configuration Guide for the SmartEdge OS.
To configure a TACACS+ server, perform the tasks described in Table 22-1; enter all commands in context
configuration mode, unless otherwise noted. For information about the ip source-address command (in
interface configuration mode) with the tacacs+ keyword, see the Interface Configuration chapter in the
Basic System Configuration Guide for the SmartEdge OS.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 22-1 Configure a TACACS+ Server
1. Configure the IP address or hostname of a TACACS+ server.
   Root command: tacacs+ server
2. Optional. Configure server parameters, using one or more of the following tasks:
   Modify the interval during which the SmartEdge OS is to treat a nonresponsive TACACS+ server as
   dead, and try instead to reach another configured server.
   Root command: tacacs+ deadtime
   Modify the TACACS+ server identifier used for lawful intercept (LI) administrators or LI users.
   Root command: tacacs+ identifier
   Modify the number of retransmission attempts to open a TCP connection to the TACACS+ server in
   the event that no response is received from the server within the timeout period.
   Root command: tacacs+ max-retries
   Strip the domain portion of a structured username before relaying an authentication, authorization, or
   accounting request.
   Root command: tacacs+ strip-domain
   Modify the timeout value.
   Root command: tacacs+ timeout
   Configure an IP source address.
   Root command: ip source-address
   Notes: Enter this command in interface configuration mode and specify the tacacs+ keyword.
For information about configuring interfaces and the ip source-address command (in interface
configuration mode), see the Interface Configuration chapter in the Basic System Configuration Guide
for the SmartEdge OS.
Configuration Examples
The following example configures a TACACS+ server IP address, 10.43.32.56, with the key, Secret.
The SmartEdge router will attempt to open a TCP connection to the TACACS+ server up to 5 times when
no response is received within 30 seconds:
[local]Redback(config-ctx)#tacacs+ server 10.43.32.56 key Secret
[local]Redback(config-ctx)#tacacs+ max-retries 5
[local]Redback(config-ctx)#tacacs+ timeout 30
[local]Redback(config-ctx)#tacacs+ strip-domain
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure TACACS+. The
commands are presented in alphabetical order:
tacacs+ deadtime
tacacs+ identifier
tacacs+ max-retries
tacacs+ server
tacacs+ strip-domain
tacacs+ timeout
tacacs+ deadtime
tacacs+ deadtime interval
{no | default} tacacs+ deadtime
Purpose
Modifies the interval during which the SmartEdge OS is to treat a nonresponsive Terminal Access
Controller Access Control System Plus (TACACS+) server as dead, and instead, try to reach another
server if one is configured.
Command Mode
context configuration
Syntax Description
interval Deadtime interval in minutes. The range of values is 0 to 65,535; the default value is 5.
Default
The SmartEdge OS waits five minutes after a timeout occurs before considering the affected server to be
eligible to accept TACACS+ requests again.
Usage Guidelines
Use the tacacs+ deadtime command to modify the interval during which the SmartEdge OS is to treat a
nonresponsive TACACS+ server as dead, and try, instead, to reach another configured server.
If a server fails to respond to a TACACS+ request within the configured TACACS+ timeout window, which
is configured with the tacacs+ timeout command (in context configuration mode), it is declared dead. No
TACACS+ requests are sent to a dead server until the server deadtime (the value of the interval argument)
expires, at which time the server is again considered eligible for new TACACS+ requests and resumes its
original priority. However, if all servers are unresponsive, the SmartEdge OS uses local authentication, if
enabled. If local authentication is disabled and all servers are unresponsive, authentication fails. Use the
aaa authentication administrator command in context configuration mode to enable local authentication;
for more information, see Chapter 20, AAA Configuration.
Use the no form of this command or specify a value of 0 for the interval argument to disable the deadtime
feature, which means that the server is always eligible for TACACS+ requests.
Use the default form of this command to reset the deadtime interval to five minutes.
Examples
The following example specifies a deadtime interval of 10 minutes:
[local]Redback(config-ctx)#tacacs+ deadtime 10
Related Commands
tacacs+ max-retries
tacacs+ server
tacacs+ timeout
tacacs+ identifier
tacacs+ identifier {li-admin | li-user} id
Purpose
Modifies the Terminal Access Controller Access Control System Plus (TACACS+) identifier used for
lawful intercept (LI) administrators or LI users.
Command Mode
context configuration
Syntax Description
li-admin Modifies the TACACS+ server identifier for LI administrators.
li-user Modifies the TACACS+ server identifier for LI users.
id Identifier for LI administrators or LI users. An alphanumeric string of up to 32
characters.
Default
The identifier for LI administrators is li-admin. The identifier for LI users is li-user.
Usage Guidelines
Use the tacacs+ identifier command to modify the TACACS+ identifier used for LI administrators or LI
users. When an LI administrator or LI user authenticates, the TACACS+ server returns this identifier to the
SmartEdge OS. The LI license must be enabled before you can use this command.
Examples
The following example modifies the default LI administrator identifier to a value of new-li-admin:
[local]Redback(config-ctx)#tacacs+ identifier li-admin new-li-admin
Related Commands
lawful-intercept
tacacs+ max-retries
tacacs+ max-retries retries
{no | default} tacacs+ max-retries
Purpose
Modifies the number of retransmission attempts the SmartEdge router will make to open a Transmission
Control Protocol (TCP) connection to the Terminal Access Controller Access Control System Plus
(TACACS+) server in the event that no response is received from the server within the timeout period.
Command Mode
context configuration
Syntax Description
retries Number of retransmission attempts. The range of values is 0 to 255; the default value is 3.
Default
The SmartEdge OS makes three attempts to open a TCP connection to the TACACS+ server.
Usage Guidelines
Use the tacacs+ max-retries command to modify the number of retransmission attempts the
SmartEdge OS makes to open a TCP connection to the TACACS+ server in the event that no response is
received from the server within a timeout period.
The timeout period is configured through the tacacs+ timeout command (in context configuration mode).
If no acknowledgment is received, all configured TACACS+ servers in the context are tried (moving from
the last server back to the first, if necessary) until the maximum number of retransmission attempts have
been made for each configured server.
Use the no form of this command or specify a value of 0 for the retries argument to disable the
retransmission completely.
Use the default form of this command to reset the number of retransmission attempts to 3.
Examples
The following example modifies the retry count to allow the SmartEdge OS to make up to 5 attempts to
open a TCP connection to the TACACS+ server in the event that no response is received from the server
within the timeout period:
[local]Redback(config-ctx)#tacacs+ max-retries 5
Related Commands
tacacs+ deadtime
tacacs+ server
tacacs+ timeout
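To make the interaction between tacacs+ timeout, tacacs+ max-retries and tacacs+ deadtime (and the local-authentication fallback the deadtime description mentions) concrete, here is an added simulation written by the editor; it is not SmartEdge OS code and does not speak TACACS+. Server reachability is a caller-supplied predicate standing in for the TCP connect, time is a counter in seconds, and the exact order in which the router cycles attempts across servers is the editor's reading of the two command descriptions above.

```python
"""Simulation of TACACS+ server selection with timeout, max-retries and
deadtime. Added example, not SmartEdge OS code; the scheduling order is an
assumption drawn from the tacacs+ deadtime and tacacs+ max-retries text."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class TacacsServer:
    address: str
    dead_until: float = 0.0   # simulated time at which the server is eligible again
    attempts: int = 0         # connection attempts made during the current request


@dataclass
class TacacsContext:
    """One context's TACACS+ settings; servers are listed in configuration order."""
    servers: List[TacacsServer]
    timeout: int = 10          # tacacs+ timeout, seconds (default 10)
    max_retries: int = 3       # tacacs+ max-retries (default 3)
    deadtime: int = 5          # tacacs+ deadtime, minutes (default 5; 0 disables)
    local_auth: bool = False   # local fallback, enabled with aaa authentication administrator
    clock: float = 0.0         # simulated seconds
    log: List[str] = field(default_factory=list)

    def is_dead(self, srv: TacacsServer) -> bool:
        return srv.dead_until > self.clock

    def authenticate(self, reachable: Callable[[str], bool]) -> str:
        """Run one request. reachable(addr) stands in for the TCP connect: True
        means the server answered inside the timeout window, False means silence.
        Returns 'server:<addr>', 'local', or 'failed'."""
        for srv in self.servers:
            srv.attempts = 0
        # Assumption: max-retries 0 still allows the initial attempt, just no retransmission.
        attempts_allowed = max(self.max_retries, 1)
        progress = True
        while progress:
            progress = False
            for srv in self.servers:                       # priority = configuration order
                if self.is_dead(srv) or srv.attempts >= attempts_allowed:
                    continue
                srv.attempts += 1
                progress = True
                if reachable(srv.address):
                    self.log.append(f"t={self.clock}: {srv.address} answered")
                    return f"server:{srv.address}"
                self.clock += self.timeout                  # waited the full timeout window
                self.log.append(f"t={self.clock}: {srv.address} timeout #{srv.attempts}")
                if self.deadtime > 0:                       # declared dead until deadtime expires
                    srv.dead_until = self.clock + self.deadtime * 60
                    self.log.append(f"t={self.clock}: {srv.address} dead until t={srv.dead_until}")
        return "local" if self.local_auth else "failed"


def demo_failover() -> dict:
    """Constructed scenario: primary silent, secondary up. The secondary answers,
    the primary sits out its deadtime and regains priority only when it expires."""
    ctx = TacacsContext([TacacsServer("10.43.32.56"), TacacsServer("10.43.32.57")],
                        timeout=30, max_retries=5, deadtime=10)
    up = {"10.43.32.57"}
    first = ctx.authenticate(lambda a: a in up)
    primary_dead_until = ctx.servers[0].dead_until
    up.add("10.43.32.56")                     # primary recovers, still inside deadtime
    second = ctx.authenticate(lambda a: a in up)
    ctx.clock = primary_dead_until            # deadtime expires
    third = ctx.authenticate(lambda a: a in up)
    return {"first": first, "primary_dead_until": primary_dead_until,
            "second": second, "third": third}


def demo_all_down(local_auth: bool) -> tuple:
    """Every server silent with deadtime disabled: each gets max-retries attempts,
    then the outcome depends on whether local authentication is enabled."""
    ctx = TacacsContext([TacacsServer("10.0.0.1"), TacacsServer("10.0.0.2")],
                        timeout=10, max_retries=2, deadtime=0, local_auth=local_auth)
    result = ctx.authenticate(lambda a: False)
    return result, ctx.clock, len(ctx.log)
```

In the failover scenario the first request costs one 30-second timeout before the secondary answers, and the primary is then skipped for 10 minutes even after it recovers. In the all-down scenario with two servers, two retries and a 10-second timeout, an administrator waits 40 seconds before the router falls back to local authentication or, with local authentication disabled, fails the login; that waiting time is the operational cost of large timeout and retry values, and the reason to keep deadtime enabled.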
tacacs+ server
tacacs+ server {ip-addr | hostname} {key key | encrypted-key key} [port tcp-port]
no tacacs+ server {ip-addr | hostname} key key [port tcp-port]
Purpose
Configures the IP address or hostname for a Terminal Access Controller Access Control System Plus
(TACACS+) server.
Command Mode
context configuration
Syntax Description
ip-addr IP address of the TACACS+ server.
hostname Hostname of the TACACS+ server.
key key Alphanumeric string indicating the authentication key that is used when
communicating with the TACACS+ server.
encrypted-key key Alphanumeric string representing the encrypted authentication key that is
used when communicating with the TACACS+ server.
port tcp-port Optional. TACACS+ server Transmission Control Protocol (TCP) port. The
range of values is 1 to 65,536. If no port is specified, TCP port number 49 is
used as the default.
Default
None
Usage Guidelines
Use the tacacs+ server command to configure the IP address or hostname for a TACACS+ server. The
SmartEdge OS can support up to five TACACS+ servers in each context. The servers are assigned priority
based on the order configured. The first configured server is used first. If the first server becomes
unavailable or unreachable, the second server is used, and so on.
For the hostname argument to take effect, Domain Name System (DNS) resolution must be enabled; for
more information, see Chapter 11, DNS Configuration.
The key key construct allows you to specify the authentication key that the SmartEdge OS uses to
communicate with the TACACS+ server. After the configuration is saved, this key is stored in encrypted
form. The output of the show configuration command displays the encrypted-key keyword with the
encrypted key, indicating that the key is encrypted.
The encrypted-key key construct allows you to specify and enter an encrypted authentication key, which
was previously configured in clear text using the key key construct. Use the encrypted-key key construct
if you want the tacacs+ server command configured with an encrypted authentication key as part of a
configuration file you are loading onto a SmartEdge router. Copy the encrypted key from either the output
of the show configuration command or a configuration file that contains it, and then paste it as the key
argument within the encrypted-key key construct of the tacacs+ server command configuration of the
configuration file you are loading. The SmartEdge OS does not encrypt the encrypted key before storing it
because the key is already encrypted.
Use the no form of this command to delete a previously configured TACACS+ server.
Examples
The following example shows how to define a TACACS+ server with an IP address, 10.43.32.56, and a
key, Secretkey, for authentication:
[local]Redback(config-ctx)#tacacs+ server 10.43.32.56 key Secretkey port 53
The following example shows how to define a TACACS+ server with an IP address, 12.33.56.78, and
an encrypted key, A04915CDD716F0CC3BC20910847B1834, for authentication:
[local]Redback(config-ctx)#tacacs+ server 12.33.56.78 encrypted-key
A04915CDD716F0CC3BC20910847B1834 port 53
Related Commands
tacacs+ max-retries
tacacs+ timeout
tacacs+ strip-domain
tacacs+ strip-domain
{no | default} tacacs+ strip-domain
Purpose
Specifies that the domain portion of a structured username be removed before relaying an authentication,
authorization, or accounting request to a Terminal Access Controller Access Control System Plus
(TACACS+) server.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
The SmartEdge OS sends the entire structured username, including the domain name, to the TACACS+ server.
Usage Guidelines
Use the tacacs+ strip-domain command to specify that the domain portion of a structured username be
removed before relaying an authentication, authorization, or accounting request to a TACACS+ server. For
example, subscriber name joe is sent rather than joe@local. The domain portion can be stripped, even if
custom structured username formats have been defined using the aaa username-format command (in
global configuration mode).
The decision to strip the domain name depends on whether subscriber and administrator records are
defined with or without the domain name in the TACACS+ server configuration.
Use the no or default form of this command to disable the stripping of the domain portion of the structured
username.
Examples
The following example prevents the domain portion of the structured username from being sent to the
TACACS+ server:
[local]Redback(config-ctx)#tacacs+ strip-domain
Related Commands
aaa username-format
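The radius strip-domain and tacacs+ strip-domain commands apply the same transformation, and the sentence above about server records is where it matters: if the server keys its records on joe but the router relays joe@local, or the reverse, every lookup misses and authentication fails. The added Python below (an editor's example, not SmartEdge OS code) shows that mismatch against two constructed record sets. The user@domain layout is the page's own; the domain-first layout with a separator is an assumption standing in for a custom aaa username-format, whose actual formats are not described on this page.

```python
"""What strip-domain does to a structured username, and how the choice has
to agree with the way records are defined on the AAA server. Added example,
not SmartEdge OS code; the domain-first layout is a constructed assumption."""
from typing import Dict, Optional, Tuple


def split_structured_name(name: str, sep: str = "@",
                          domain_first: bool = False) -> Tuple[str, Optional[str]]:
    """Return (username, domain); domain is None for an unstructured name.
    Default layout is user@domain (the page's joe@local). domain_first models
    a constructed custom format such as domain/user."""
    if sep not in name:
        return name, None
    if domain_first:
        domain, user = name.split(sep, 1)
    else:
        user, domain = name.rsplit(sep, 1)   # last separator wins for user@domain
    return user, domain


def relayed_name(name: str, strip_domain: bool, sep: str = "@",
                 domain_first: bool = False) -> str:
    """The username the router places in the request it relays to the server."""
    user, _domain = split_structured_name(name, sep, domain_first)
    return user if strip_domain else name


# Constructed server record sets: one keyed on bare usernames, one on full
# structured names, the two ways the text says records may be defined.
RECORDS_BARE: Dict[str, str] = {"joe": "pw-joe", "ann": "pw-ann"}
RECORDS_STRUCTURED: Dict[str, str] = {"joe@local": "pw-joe", "ann@isp1": "pw-ann"}


def lookup_outcomes(names, records, sep: str = "@",
                    domain_first: bool = False) -> Dict[str, Dict[str, bool]]:
    """For each login name, whether the server finds a record with the domain
    stripped and with it left in place. A False in the column that matches the
    router's setting is an authentication failure caused by the mismatch."""
    return {
        n: {"strip": relayed_name(n, True, sep, domain_first) in records,
            "no_strip": relayed_name(n, False, sep, domain_first) in records}
        for n in names
    }
```

Running lookup_outcomes over joe@local against RECORDS_BARE succeeds only with stripping enabled, and against RECORDS_STRUCTURED only with it disabled; an unstructured name such as bob is relayed unchanged either way, so stripping never helps or hurts it.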
tacacs+ timeout
tacacs+ timeout seconds
default tacacs+ timeout
Purpose
Modifies the maximum amount of time the SmartEdge OS waits for a response from a Terminal Access
Controller Access Control System Plus (TACACS+) server before assuming that a packet is lost or that the
TACACS+ server is unreachable.
Command Mode
context configuration
Syntax Description
seconds Timeout period in seconds. The range of values is 1 to 65,535; the default value is 10.
Default
The timeout interval is 10 seconds.
Usage Guidelines
Use the tacacs+ timeout command to modify the maximum amount of time that the SmartEdge OS waits
for a response from a TACACS+ server before assuming that a packet is lost or that the TACACS+ server
is unreachable.
The timeout value is displayed in the output of the show tacacs+ server command.
Use the default form of this command to return the timeout to the default value of 10 seconds.
Examples
The following example sets the TACACS+ timeout to 60 seconds:
[local]Redback(config-ctx)#tacacs+ timeout 60
Related Commands
tacacs+ deadtime
tacacs+ max-retries
tacacs+ server
Chapter 23
Lawful Intercept Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS lawful intercept (LI)
features.
For information about tasks and commands used to monitor, troubleshoot, and administer LI features, see
the Lawful Intercept Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
LI enables service providers to mirror subscriber packets and send them to a mediation device (MD), which
can be anywhere in the network. The SmartEdge OS can mirror packets from any circuit in the system, at
the ingress or egress point, and send the mirrored packets to the MD using a User Datagram Protocol
(UDP)-over-IP session or a Generic Routing Encapsulation (GRE) tunnel.
LI features and functions are licensed; that is, you must be an LI administrator to enable and disable the LI
license. Like other licensed features, you need a password to enable the LI license. Redback provides this
password when the LI license is purchased.
With the right hardware configuration, LI subscriber intercepts persist; that is, they resume after a system
reload, a process restart, or a switchover from the active to the standby controller card in a SmartEdge 400
or SmartEdge 800 router.
Note The persistence feature requires that you have a compact-flash card, either Type I or Type II,
mounted on /md in the external slot on the controller cards, both active and standby, in a
SmartEdge 400 or SmartEdge 800 router or in the external slot on the front panel of the
SmartEdge 100 router.
LI features are restricted. That means that you must have an authorized LI account and log on to the system
using that account, either as an administrator or a user, to perform the following tasks:
Create LI accounts for other administrators
Configure LI features and functions
Display LI configuration information, LI messages, LI command history, and LI status
Start and stop LI intercepts
An LI administrator can perform all system functions; an LI user is limited to LI functions only. The system
functions (commands) that LI administrators and users can perform are limited only by the privilege level
that you assign to the account and the context in which it is configured. There is no restriction on the
privilege level that you assign to either type of LI account. The following examples illustrate possible LI
account configurations:
An LI administrator that is configured in the local context with privilege level 15 can perform any
system function in any context.
An LI administrator that is configured in a non-local context with privilege level 10 can configure any
system function, but only for the non-local context.
An LI user that is configured in the local context with privilege level 10 can configure LI functions (but
not any other system functions) in any context.
An LI user that is configured in a non-local context with privilege level 6 (the default) cannot configure
LI functions (including activating, starting, and stopping intercepts) and cannot view LI configuration
or status in any context, except the one in which the account is configured.
Configuration Tasks
To configure, start, and stop LI features, perform the tasks described in the following sections:
Enable or Disable LI Features and Functions
Configure an LI Account
Configure an LI Profile
Configure Circuits for LI
Start or Stop an Intercept
Note Administrators that are not LI authorized cannot perform any of the listed tasks; however, any
administrator, even those who are not LI authorized, can enable LI features and functions.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Enable or Disable LI Features and Functions
To enable or disable LI features and functions, perform the tasks described in Table23-1.
Configure an LI Account
To configure an LI account, perform the tasks described in Table23-2.
Configure an LI Profile
To configure an LI profile, perform the tasks described in Table23-3; enter all commands in LI profile
configuration mode, unless otherwise noted.
Table 23-1 Configure an LI Profile
# Task Root Command Notes
1. Enable software licensing and access
software license configuration mode.
software license Enter this command in global configuration mode. For more
information about this command, see the Basic System
Configuration chapter in the Basic System Configuration Guide for
the SmartEdge OS.
2. Enable the software license for LI
features and functions.
lawful-intercept Enter this command in software license configuration mode.
Use the no form to disable the software license for LI features and
functions.
Table 23-2 Configure an LI Account
# Task Root Command Notes
1. Create an administrator logon account and
access administrator configuration mode.
administrator Enter this command in context configuration mode. For more
information about this command, see the Context
Configuration chapter in the Basic System Configuration
Guide for the SmartEdge OS.
2. Authorize this administrator as an LI
administrator or user.
command-access Enter this command in administrator configuration mode.
3. Specify general attributes for the account, enter these commands in administrator configuration mode (all attributes are optional):
Specify the initial privilege level for exec
sessions initiated by the administrator.
privilege start For more information about these commands, see the
Context Configuration chapter in the Basic System
Configuration Guide for the SmartEdge OS.
Specify the maximum privilege level for the
administrator.
privilege max For more information about these commands, see the
Context Configuration chapter in the Basic System
Configuration Guide for the SmartEdge OS.
Specify public key authentication if the
administrator is accessing the SmartEdge
OS CLI through SSH.
public-key For more information about these commands, see the
Context Configuration chapter in the Basic System
Configuration Guide for the SmartEdge OS.
Table 23-3 Configure an LI Profile
1. Create or select an LI profile and access LI profile configuration mode.
   Root command: li-profile
   Notes: Enter this command in global configuration mode. Use the vendor-specific keyword to create a vendor-specific profile. See the Usage Guidelines section of the li-profile command for restrictions on vendor-specific profiles.
2. Specify the type of intercept.
   Root command: type
3. Define the transport data section (the two forms are mutually exclusive):
   Define the transport data section for this LI profile to use UDP/IP.
   Root command: transport udp
   Define the transport data section for this LI profile to use a GRE tunnel.
   Root command: transport gre
4. Define the specified field in the LI profile header.
   Root command: header
   Notes: Enter this command for each field in the header. Use the radius-li-hdr keyword for vendor-specific profiles.
5. Enable pending intercept requests.
   Root command: pending
   Notes: This command does not apply to intercepts that were started using the intercept account-session-id command.
Configure Circuits for LI
To configure circuits on which you can start and stop intercepts, perform the tasks described in Table 23-4.
Table 23-4 Configure a Circuit for LI
1. Configure the context.
   Notes: For information about configuring contexts, see the Context Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
2. Configure the interfaces for the circuits and the interface or the GRE tunnel with the output portal for the MD.
   Notes: For information about configuring interfaces, see the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS. For information about configuring GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. For information about configuring output portals, see Chapter 14, Forward Policy Configuration.
3. Configure the subscribers.
   Notes: For information about configuring subscribers, see the Subscriber Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
4. Configure the circuits.
   Notes: For information about configuring ports and circuits, see the ATM, Ethernet, and POS Ports Configuration, Clear-Channel and Channelized Ports and Channels Configuration, and Circuits Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. For information about binding ports, channels, and circuits, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
5. Configure one or more IP ACLs to use with the intercepts.
   Notes: For information about configuring IP ACLs, see Chapter 12, ACL Configuration.
Start or Stop an Intercept
To start or stop an intercept, perform one of the tasks described in Table 23-5; enter all commands in exec mode. These commands are described in the Lawful Intercept Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
Table 23-5 Start or Stop an Intercept
Start or stop an intercept on a specified circuit.
   Root command: intercept circuit
   Notes: Use the no form to stop the intercept.
Start or stop an intercept on a specified account session.
   Root command: intercept account-session-id
   Notes: Use the no form to stop the intercept.
Start or stop an intercept on a specified agent circuit.
   Root command: intercept agent-circuit-id
   Notes: Use the no form to stop the intercept.
Start or stop an intercept for a subscriber by its agent remote ID.
   Root command: intercept agent-remote-id
   Notes: Use the no form to stop the intercept.
Start or stop an intercept for a subscriber by its name.
   Root command: intercept subscriber
   Notes: Use the no form to stop the intercept.
You can also start or stop an intercept using a Remote Authentication Dial-in User Service (RADIUS) Change of Authorization (CoA) server and the RADIUS LI vendor-specific attributes (VSAs) described in Appendix A, RADIUS Attributes. Including LI VSAs in CoA messages enables you to start and stop intercepts. For information on configuring a RADIUS CoA server, see Chapter 21, RADIUS Configuration.
RADIUS LI VSAs can be encoded and decoded using salt-encryption, as specified in the draft RFC, Salt-Encryption of RADIUS Attributes. When the RADIUS CoA server is configured for salt-encryption, the SmartEdge OS detects and handles the encrypted attributes.
Configuration Examples
The following example enables LI features and functions, configures an LI account, a context for subscribers and interfaces, an ACL, and two LI profiles; it then configures the ports and the GRE tunnel and starts an intercept for each subscriber:
! Enable LI features and functions
[local]Redback(config)#context local
[local]Redback(config-ctx)#software license
[local]Redback(config-license)#lawful-intercept password 1234567890
[local]Redback(config-license)#exit
! Create an LI account for all contexts (that is, in the local context)
[local]Redback(config)#context local
[local]Redback(config-ctx)#administrator LI-super
[local]Redback(config-administrator)#command-access li-admin
! Configure the context and interfaces for subscriber traffic
[local]Redback(config)#context isp1
[local]Redback(config-ctx)#interface subs multibind
[local]Redback(config-if)#ip address 10.1.1.1/24
[local]Redback(config-if)#ip pool 10.1.1.0/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface egress
[local]Redback(config-if)#ip address 5.1.1.1/21
[local]Redback(config-if)#exit
! Configure the interface to the MD-1 system
[local]Redback(config-ctx)#interface toMD
[local]Redback(config-if)#ip address 1.1.1.1/21
[local]Redback(config-if)#exit
! Configure the interface to the MD-2 system
[local]Redback(config-ctx)#interface tunnel5
[local]Redback(config-if)#ip address 25.1.1.1/24
[local]Redback(config-if)#gre-peer name test remote 90.1.1.5 local 90.1.1.1
[local]Redback(config-if)#no shutdown
[local]Redback(config-if)#exit
! Configure authentication and a default profile for subscribers
[local]Redback(config-ctx)#aaa authentication subscriber none
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#ip address pool
[local]Redback(config-sub)#exit
! Create subscriber records
[local]Redback(config-ctx)#subscriber usr5
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber usr6
[local]Redback(config-sub)#exit
! Create an ACL for the intercepts
[local]Redback(config-ctx)#ip access list acl-both
[local]Redback(config-access-list)#seq 10 permit ip any 5.0.0.0 0.255.255.255
[local]Redback(config-access-list)#seq 20 permit ip 100.1.1.0 0.0.0.255 any
[local]Redback(config-access-list)#seq 30 deny ip any 200.0.0.0 0.255.255.255
[local]Redback(config-access-list)#seq 40 deny ip 201.1.1.0 0.0.0.255 any
[local]Redback(config-access-list)#exit
! Configure the LI profiles
[local]Redback(config)#li-profile li-001
[local]Redback(config-liprofile)#type ip-datagrams
[local]Redback(config-liprofile)#transport udp destination 1.1.1.2 4000 context isp1 source 1.1.1.1 5000
[local]Redback(config-liprofile)#header li-id
[local]Redback(config-liprofile)#header acct-session-id
[local]Redback(config-liprofile)#header seq-no
[local]Redback(config-liprofile)#header session-id
[local]Redback(config-liprofile)#header label "Redback SE800"
[local]Redback(config-liprofile)#pending
[local]Redback(config-liprofile)#exit
[local]Redback(config)#li-profile li-gre
[local]Redback(config-liprofile)#type ip-datagrams
[local]Redback(config-liprofile)#transport gre gre-portal
[local]Redback(config-liprofile)#exit
! Configure the ports for subscriber traffic
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind subscriber usr5@isp1 password pass
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 5/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind subscriber usr6@isp1 password pass
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 5/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface egress isp1
[local]Redback(config-port)#exit
! Configure the port for MD-1 traffic
[local]Redback(config)#port ethernet 14/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toMD isp1
[local]Redback(config-port)#exit
! Configure the GRE tunnel for MD-2 traffic
[local]Redback(config)#tunnel map
[local]Redback(tunnel-map)#gre-tunnel test local key 5
[local]Redback(config-gre-tunnel)#bind interface tunnel5 local
[local]Redback(config-gre-tunnel)#forward output gre-portal
! Start the subscriber usr5@isp1 intercept for both incoming and outgoing traffic
[local]Redback#intercept subscriber usr5@isp1 li-profile li-001 li-id 001 label usr5 traffic acl acl-both
! Start the subscriber usr6@isp1 intercept for both incoming and outgoing traffic with li-profile li-gre
[local]Redback#intercept subscriber usr6@isp1 li-profile li-gre
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to enable and disable LI
features and functions, create LI accounts, and configure LI features. The commands are presented in
alphabetical order. Commands to start or stop intercepts are described in the Lawful Intercept Operations
chapter in the IP Services and Security Operations Guide for the SmartEdge OS:
command-access
header
lawful-intercept
li-profile
pending
transport gre
transport udp
type
command-access
command-access {li-admin | li-user}
no command-access
Purpose
Authorizes this administrator as a lawful intercept (LI) administrator or user.
Command Mode
administrator configuration
Syntax Description
li-admin Specifies an LI administrator.
li-user Specifies an LI user.
Default
The administrator account is not authorized to perform LI functions or view LI configuration information or status.
Usage Guidelines
Use the command-access command to authorize this administrator as an LI administrator or user. You must enter this command before the administrator account can function as an LI administrator or user. The LI license must be enabled before you can use this command.
An LI administrator can perform all system functions; an LI user is limited to LI functions only. The system functions (commands) that LI administrators and users can perform are limited only by the privilege level that you assign to the account and the context in which the account is configured. There is no restriction on the privilege level that you assign to either type of LI account. The following examples illustrate possible LI account configurations:
An LI administrator that is configured in the local context with privilege level 15 can perform any system function in any context.
An LI administrator that is configured in a non-local context with privilege level 10 cannot configure any system function, including LI functions, but can view system and LI configuration commands and status.
An LI user that is configured in the local context with privilege level 10 can configure LI functions, start and stop intercepts, and view LI configuration and status (but not perform any system functions) in any context.
An LI user that is configured in a non-local context with privilege level 6 (the default) can start and stop intercepts and view LI status in that context, but cannot configure LI functions and cannot view LI configuration commands in any context.
Use the no form of this command to remove LI authorization from this account.
Examples
The following example authorizes this account as an LI administrator:
[local]Redback(config-ctx)#administrator admin1 password supersecret
[local]Redback(config-administrator)#command-access li-admin
Related Commands
lawful-intercept
header
For generic lawful intercept (LI) profiles, the syntax is:
header {label description | acct-session-id | li-id | seq-no | session-id | md-addr | md-port}
no header {label | acct-session-id | li-id | seq-no | session-id | md-addr | md-port}
For vendor-specific LI profiles, the syntax is:
header {radius-li-hdr | md-addr | md-port}
no header {radius-li-hdr | md-addr | md-port}
Purpose
Defines the specified field in the header for this LI profile.
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
label description Description for this profile. An alphanumeric string with 0 to 15 characters; if more than one word, enclose it in quotation marks (" "). The description argument is not entered in the no form.
acct-session-id Specifies a placeholder for an Acct-Session-Id LI header that correlates to an Acct-Session-Id attribute. The Acct-Session-Id attribute, a RADIUS accounting ID, is used to identify the start, interim, and stop records in a log file for a given subscriber.
li-id For generic LI profiles only. Specifies a placeholder for the identifier that you assign to an intercept when you start it using this LI profile.
seq-no Specifies a placeholder for a system-assigned packet sequence number.
session-id Specifies a placeholder for the system-assigned session identifier.
md-addr Specifies a placeholder for the IP address of the mediation device at run time.
md-port Specifies a placeholder for the port number used by the mediation device at run time.
radius-li-hdr For vendor-specific profiles only. Specifies a placeholder for a fixed format LI header provided by the Remote Authentication Dial-In User Service (RADIUS) server.
Default
The header is undefined.
Usage Guidelines
Use the header command to define the specified fields in the header for this LI profile. Use the show li
dictionary command to view details for parameters of the header command. For more information about
the show li dictionary command, see the Lawful Intercept Operations chapter in the IP Services and
Security Operations Guide for the SmartEdge OS.
Use the acct-session-id keyword to define an Acct-Session-Id LI header field that correlates to an
Acct-Session-Id attribute. The Acct-Session-Id attribute is a unique session RADIUS accounting ID that is
used to match start, interim, and stop records in a log file. The start, interim, and stop records for a given
subscriber session have the same Acct-Session-Id value. The Acct-Session-Id LI header field is 13 bytes,
with the first 8 bytes consisting of a circuit handle (cct-handle), the next byte consisting of a hyphen (-),
and the last 4 bytes consisting of a time stamp that indicates the start time of the subscriber session. For
information about the Acct-Session-Id attribute, see AppendixA, RADIUS Attributes.
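As an added example (not SmartEdge OS code), the following Python parses the 13-byte Acct-Session-Id LI header field described above and groups accounting records by session on it, which is how an analyst matches the start, interim, and stop records of one subscriber session in mediation output. The page gives the layout (8-byte cct-handle, hyphen, 4-byte start time) but not the byte encoding: treating the cct-handle as opaque bytes and the time stamp as a big-endian Unix time are assumptions, and SAMPLE_RECORDS is constructed for this example.

```python
"""Parse and correlate the 13-byte Acct-Session-Id LI header field.

Added example; it is not SmartEdge OS code.  The layout follows the page:
8 bytes of circuit handle (cct-handle), one hyphen, 4 bytes of session start
time.  Assumptions not stated on the page: the cct-handle is opaque (shown
here as hex) and the 4-byte time stamp is a big-endian unsigned Unix time.
"""
from __future__ import annotations

import struct
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

ACCT_SESSION_ID_LEN = 13
CCT_HANDLE_LEN = 8
SEPARATOR = b"-"


@dataclass(frozen=True)
class AcctSessionId:
    cct_handle: bytes  # 8 opaque bytes identifying the subscriber circuit
    start_time: int    # session start, seconds since the Unix epoch (assumed)

    @property
    def cct_handle_hex(self) -> str:
        return self.cct_handle.hex()

    @property
    def start_utc(self) -> datetime:
        return datetime.fromtimestamp(self.start_time, tz=timezone.utc)


def parse_acct_session_id(field: bytes) -> AcctSessionId:
    """Check the fixed layout before trusting anything in the field."""
    if len(field) != ACCT_SESSION_ID_LEN:
        raise ValueError(f"Acct-Session-Id must be {ACCT_SESSION_ID_LEN} bytes, got {len(field)}")
    handle = field[:CCT_HANDLE_LEN]
    sep = field[CCT_HANDLE_LEN:CCT_HANDLE_LEN + 1]
    stamp = field[CCT_HANDLE_LEN + 1:]
    if sep != SEPARATOR:
        raise ValueError("byte 8 of Acct-Session-Id must be an ASCII hyphen")
    (start_time,) = struct.unpack("!I", stamp)  # big-endian is an assumption
    return AcctSessionId(handle, start_time)


def is_valid_acct_session_id(field: bytes) -> bool:
    try:
        parse_acct_session_id(field)
    except ValueError:
        return False
    return True


def build_acct_session_id(cct_handle: bytes, start_time: int) -> bytes:
    """Inverse of parse_acct_session_id; used here to construct sample data."""
    if len(cct_handle) != CCT_HANDLE_LEN:
        raise ValueError(f"cct-handle must be {CCT_HANDLE_LEN} bytes")
    return cct_handle + SEPARATOR + struct.pack("!I", start_time)


Record = Tuple[str, bytes]  # (accounting record type, raw Acct-Session-Id field)


def correlate_records(records: Iterable[Record]) -> Dict[AcctSessionId, List[str]]:
    """Group start/interim/stop records by session.

    All records of one subscriber session carry the same Acct-Session-Id,
    so grouping on the parsed field yields the record types seen per session."""
    sessions: Dict[AcctSessionId, List[str]] = defaultdict(list)
    for rec_type, field in records:
        sessions[parse_acct_session_id(field)].append(rec_type)
    return dict(sessions)


def incomplete_sessions(sessions: Dict[AcctSessionId, List[str]]) -> List[AcctSessionId]:
    """Sessions with no start or no stop record: still open, or records were missed."""
    return [sid for sid, types in sessions.items() if "start" not in types or "stop" not in types]


# Constructed sample: two circuits, the second session still open.
CCT_A = bytes.fromhex("0001000100020001")
CCT_B = bytes.fromhex("0001000100020002")
SAMPLE_RECORDS: List[Record] = [
    ("start", build_acct_session_id(CCT_A, 1201219200)),
    ("interim", build_acct_session_id(CCT_A, 1201219200)),
    ("stop", build_acct_session_id(CCT_A, 1201219200)),
    ("start", build_acct_session_id(CCT_B, 1201222800)),
    ("interim", build_acct_session_id(CCT_B, 1201222800)),
]

if __name__ == "__main__":
    sessions = correlate_records(SAMPLE_RECORDS)
    for sid, types in sessions.items():
        print(f"cct-handle {sid.cct_handle_hex} started {sid.start_utc:%Y-%m-%d %H:%M:%S}Z: {types}")
    print("incomplete:", [s.cct_handle_hex for s in incomplete_sessions(sessions)])
```

Because the whole 13-byte field is the correlation key, a record whose field is the wrong length or lacks the hyphen at byte 8 is rejected rather than silently creating a new session; only the start time, not the circuit handle, is interpreted.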
Use the md-addr and md-port keywords if the IP address and port number of the mediation device will
be specified when an intercept is started. If the md-addr or md-port keyword is specified in the header
command, values for these header fields must be provided when starting the intercept. If one or more
generic LI profiles and a vendor-specific LI profile are configured on the same SmartEdge router, the
values of the md-addr and md-port fields affect both header types.
Use the radius-li-hdr keyword to define a header for a vendor-specific profile. The set of header fields
is limited to fields defined in the LI dictionary. For vendor-specific profiles, the LI-Identifier
vendor-specific attribute (VSA) is 8 bytes, and its value is the entire LI header. For generic profiles, the
LI-Identifier VSA is 4 bytes, and its value is inserted into the LI header with other header fields. For
information on RADIUS LI VSAs, see AppendixA, RADIUS Attributes.
Use the no form of this command to delete the specified field from the header configuration.
Examples
The following example creates a header for the MD-001 LI profile:
[local]Redback(config)#li-profile MD-001
[local]Redback(config-liprofile)#header li-id
[local]Redback(config-liprofile)#header acct-session-id
[local]Redback(config-liprofile)#header seq-no
[local]Redback(config-liprofile)#header session-id
[local]Redback(config-liprofile)#header label "Redback SE800"
Related Commands
li-profile
pending
transport gre
transport udp
type
lawful-intercept
lawful-intercept {encrypted 1 | password} password
no lawful-intercept
Purpose
Enables the software license for lawful intercept (LI) features and functions.
Command Mode
software license configuration
Syntax Description
encrypted 1 Specifies that the password that follows is encrypted.
password Specifies that the password that follows is not encrypted.
password Paid license password that is required to enable LI features and functions. The password argument is unique for LI and is provided at the time the software license is paid.
Default
LI features and functions are disabled.
Usage Guidelines
Use the lawful-intercept command to enable the software license for LI features and functions. You can specify the password argument in either encrypted or unencrypted form.
Any administrator that is authorized for the local context and that has configuration privileges (level 10 or above) can enter this command.
Use the no form of this command to disable the software license for LI features and functions. A password is not required; it is ignored if entered.
Examples
The following example enables LI features and functions:
[local]Redback(config)#software license
[local]Redback(config-license)#lawful-intercept password LIsuper
Related Commands
None
li-profile
li-profile name [vendor-specific]
no li-profile name
Purpose
Creates or selects a lawful intercept (LI) profile and accesses LI profile configuration mode.
Command Mode
global configuration (15, authorized LI administrator only)
Syntax Description
name Name of the LI profile to be created or selected.
vendor-specific Optional. Specifies that the profile is vendor-specific. Only one vendor-specific profile can be defined per SmartEdge router.
Default
No LI profiles are created.
Usage Guidelines
Use the li-profile command to create or select an LI profile and access LI profile configuration mode.
Use the vendor-specific keyword to specify that this LI profile is a vendor-specific profile. When this keyword is specified, the LI header is determined by the Remote Authentication Dial-In User Service (RADIUS) server. Only one vendor-specific profile can be defined, and the value specified for the name argument cannot be the same as the name of a generic profile. When entering the header command for a vendor-specific LI profile, use the vendor-specific syntax to define the LI header.
Use the no form of this command to delete the specified profile.
Examples
The following example creates an LI profile, li-001, and accesses LI profile configuration mode:
[local]Redback(config)#li-profile li-001
[local]Redback(config-liprofile)#
Related Commands
header
pending
transport gre
transport udp
type
pending
pending
no pending
Purpose
Enables pending intercept requests.
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
This command has no keywords or arguments.
Default
The system rejects an intercept request if the subscriber circuit to which this profile is attached is down.
Usage Guidelines
Use the pending command to enable pending intercept requests.
When you use the intercept account-session-id command to start an intercept, the pending command does
not apply in the referenced lawful intercept (LI) profile. For more information on the intercept
account-session-id command, see the Lawful Intercept Operations chapter in the IP Services and
Security Operations Guide for the SmartEdge OS.
Use the no form of this command to specify the default condition (intercept requests are rejected for
subscriber circuits that are down).
Examples
The following example enables pending intercept requests for the li-001 profile:
[local]Redback(config)#li-profile li-001
[local]Redback(config-liprofile)#pending
Related Commands
header
li-profile
transport gre
transport udp
type
transport gre
transport gre dest-name
no transport gre
Purpose
Defines the transport section for this lawful intercept (LI) profile to use a Generic Routing Encapsulation
(GRE) tunnel.
Command Mode
LI profile configuration
Syntax Description
dest-name Output destination name for the intercepted traffic.
Default
The transport section is undefined.
Usage Guidelines
Use the transport gre command to define the transport data section for this LI profile to use a GRE tunnel. This command and the transport udp command (in LI profile configuration mode) are mutually exclusive.
The dest-name argument is the destination name defined with the forward output command (in GRE tunnel configuration mode) as the destination of the intercepted traffic (the mediation device).
Use the no form of this command to delete the data from the transport section in this LI profile.
Examples
The following example defines the transport data section in the li-002 profile to use the GRE output destination gre-101:
[local]Redback(config)#li-profile li-002
[local]Redback(config-liprofile)#transport gre gre-101
Related Commands
header
li-profile
pending
type
transport udp
transport udp destination md-ip-addr md-udp-port context ctx-name source src-ip-addr src-udp-port
[{dscp dscp-class | tos tos-value}]
Purpose
Defines the transport data section for this lawful intercept (LI) profile to use the User Datagram Protocol
(UDP) over IP (UDP/IP).
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
destination Specifies the destination address for the mediation device (MD) to which the SmartEdge OS sends the mirrored traffic.
md-ip-addr IP address for the MD.
md-udp-port UDP port number for the MD. The range of values is 1 to 65535.
context ctx-name Name of the context in which the interface is configured with the destination IP address.
source Specifies the source address of the mirrored traffic.
src-ip-addr Source IP address of the mirrored traffic.
src-udp-port Source UDP port number of the mirrored traffic. The range of values is 1 to 65535.
dscp dscp-class Optional. Differentiated Services Code Point (DSCP) value set in the IP header of the packets that carry the mirrored traffic to the MD. Values can be an integer from 0 to 63 or one of the keywords listed in Table 23-6.
tos tos-value Optional. Type of service (TOS) value set in the IP header of the packets that carry the mirrored traffic to the MD. The range of values is 0 to 255.
Default
The transport section is undefined.
Usage Guidelines
Use the transport udp command to define the transport data section for this LI profile to use UDP/IP. This command and the transport gre command (in LI profile configuration mode) are mutually exclusive.
Use the destination keyword with the md-ip-addr and md-udp-port arguments to specify the IP address and UDP port of the MD to which the SmartEdge OS sends the intercepted traffic.
Use the context ctx-name construct to specify the context in which you have configured an interface with the destination IP address.
Use the source keyword with the src-ip-addr and src-udp-port arguments to specify the source IP address and UDP port that the SmartEdge OS places on the mirrored traffic it sends to the MD.
If you do not specify the dscp dscp-class or tos tos-value construct, the field defaults to the DSCP class af41.
Table 23-6 lists the keywords for the dscp-class argument.
Table 23-6 DSCP Class Keywords
DSCP Class / Keyword
Assured Forwarding (AF) Class 1/Drop precedence 1: af11
AF Class 1/Drop precedence 2: af12
AF Class 1/Drop precedence 3: af13
AF Class 2/Drop precedence 1: af21
AF Class 2/Drop precedence 2: af22
AF Class 2/Drop precedence 3: af23
AF Class 3/Drop precedence 1: af31
AF Class 3/Drop precedence 2: af32
AF Class 3/Drop precedence 3: af33
AF Class 4/Drop precedence 1: af41
AF Class 4/Drop precedence 2: af42
AF Class 4/Drop precedence 3: af43
Class Selector 0 (same as default forwarding): cs0 (same as df)
Class Selector 1: cs1
Class Selector 2: cs2
Class Selector 3: cs3
Class Selector 4: cs4
Class Selector 5: cs5
Class Selector 6: cs6
Class Selector 7: cs7
Default Forwarding (same as Class Selector 0): df (same as cs0)
Expedited Forwarding: ef
Examples
The following example defines the transport data section in the li-001 profile:
[local]Redback(config)#li-profile li-001
[local]Redback(config-liprofile)#transport udp destination 10.1.1.1 2001 context local source 10.1.1.2 3001 dscp af41
Related Commands
header
li-profile
pending
type
type
type ip-datagrams
Purpose
Defines the type of intercept for this lawful intercept (LI) profile.
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
ip-datagrams Specifies that IP datagrams are to be intercepted.
Default
None
Usage Guidelines
Use the type command to define the type of intercept for this LI profile.
Examples
The following example defines IP datagrams as the type of traffic to be intercepted:
[local]Redback(config)#li-profile li-0001
[local]Redback(config-liprofile)#type ip-datagrams
Related Commands
li-profile
Chapter 24
Key Chain Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS key chain features.
For information about the commands used to monitor, troubleshoot, and administer key chains, see the
Key Chain Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
Key chains allow you to control authentication keys used by various protocols in the system. The
SmartEdge OS supports the use of key chains with Mobile IP services and the Open Shortest Path First
(OSPF), Intermediate System-to-Intermediate System (IS-IS), and Virtual Router Redundancy Protocol
(VRRP) routing protocols. Enabling key chains for a protocol is part of the configuration process for the
protocol. For information about configuring Mobile IP services, see Chapter 7, Mobile IP Foreign Agent
Configuration. For information about configuring routing protocols, see the Routing Protocols
Configuration Guide for the SmartEdge OS.
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure key chains, perform the tasks described in the following sections:
Configure a Key Chain Name and Description (Optional)
Configure a Key Chain Name and ID
Configure a Security Parameter Index
Configure a Key String
Limit the Lifespan of a Key
Enable Key Chain Authentication with Routing Protocols
Enable Key Chain Authentication with Mobile IP
Configure a Key Chain Name and Description (Optional)
To configure a key chain name and description, perform the task described in Table 24-1.
Configure a Key Chain Name and ID
To configure a key chain name and ID, perform the task described in Table 24-2.
Configure a Security Parameter Index
To configure a security parameter index (SPI) for a key chain, perform the task described in Table 24-3.
Table 24-1 Configure a Key Chain Name and Description (Optional)
Configure a key chain name and description.
   Root command: key-chain description
   Notes: Enter this command in context configuration mode. The description is displayed in the output of the show configuration and show key-chain commands.
Table 24-2 Configure a Key Chain Name and ID
Configure a key chain name and ID, and access key chain configuration mode.
   Root command: key-chain
   Notes: Enter this command in context configuration mode.
Table 24-3 Configure an SPI for a Key Chain
Configure an SPI for a key chain.
   Root command: spi
   Notes: Enter this command in key chain configuration mode.
Configure a Key String
To configure a key string (a password), perform the task described in Table 24-4.
Limit the Lifespan of a Key
To limit the lifespan of a key, perform one or more of the tasks described in Table 24-5; enter all commands in key chain configuration mode.
Enable Key Chain Authentication with Routing Protocols
To enable key chain authentication with OSPF, IS-IS, or VRRP, perform the task described in Table 24-6.
For information about configuring routing protocols and the authentication command (in any of the modes listed in Table 24-6), see the OSPF Configuration, IS-IS Configuration, or VRRP Configuration chapter in the Routing Protocols Configuration Guide for the SmartEdge OS.
Enable Key Chain Authentication with Mobile IP
To enable key chain authentication for Mobile IP services, perform the task described in Table 24-7.
For information about configuring Mobile IP services and the authentication command (in FA configuration mode), see Chapter 7, Mobile IP Foreign Agent Configuration.
Table 24-4 Configure a Key String
Configure a key string.
   Root command: key-string
   Notes: Enter this command in key chain configuration mode.
Table 24-5 Limit the Lifespan of a Key
Specify a date and time at which to start sending the key, and optionally, a time at which to stop sending the key.
   Root command: send-lifetime
   Notes: If you do not issue the send-lifetime command, the key is sent starting immediately and continues to be sent indefinitely.
Specify a date and time at which to start accepting the key, and optionally, a time at which to stop accepting the key.
   Root command: accept-lifetime
   Notes: If you do not issue the accept-lifetime command, the key is accepted starting immediately and continues to be accepted indefinitely.
Table 24-6 Enable Key Chain Authentication with Routing Protocols
Enable key chain authentication with routing protocols.
   Root command: authentication
   Notes: Enter this command in OSPF interface, IS-IS router, IS-IS interface, or VRRP configuration mode, depending on the routing protocol being configured.
Table 24-7 Enable Key Chain Authentication for Mobile IP Services
Enable key chain authentication for Mobile IP services.
   Root command: authentication
   Notes: Enter this command in foreign agent (FA) or home agent (HA) peer configuration mode.
Configuration Examples
The following example configures a rollover period on Feb 2, 2002, from 12:00 a.m. to 2:00 a.m. During this period, both keys are accepted. Starting at 1:00 a.m., the new key (key ID 2) is sent and the old key (key ID 1) is no longer sent:
[local]Redback(config-ctx)#key-chain ospf-keychain key-id 1
[local]Redback(config-key-chain)#key-string redback
[local]Redback(config-key-chain)#accept-lifetime 2001:02:02:00:00:00 2002:02:02:02:00:00
[local]Redback(config-key-chain)#send-lifetime 2001:02:02:01:00:00 2002:02:02:01:00:00
[local]Redback(config-key-chain)#key-chain ospf-keychain key-id 2
[local]Redback(config-key-chain)#key-string se800
[local]Redback(config-key-chain)#accept-lifetime 2002:02:02:00:00:00 2003:02:02:02:00:00
[local]Redback(config-key-chain)#send-lifetime 2002:02:02:01:00:00 2003:02:02:01:00:00
[local]Redback(config-key-chain)#exit
[local]Redback(config-ctx)#router ospf 1
[local]Redback(config-ospf)#area 0
[local]Redback(config-ospf-area)#interface fa4/1
[local]Redback(config-ospf-if)#authentication md5 ospf-keychain
Each key's accept-lifetime extends one hour beyond its send-lifetime at both ends, so a peer whose clock is slightly off, or that rolls over a little later, is still authenticated. If a key's accept-lifetime ends before its send-lifetime does, a peer still sending that key is rejected for the remainder of the send window.
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure key chains. The
commands are presented in alphabetical order:
accept-lifetime
key-chain description
key-chain
key-string
send-lifetime
spi
accept-lifetime
accept-lifetime start-datetime [{duration seconds | infinite | stop-datetime}]
no accept-lifetime start-datetime [{duration seconds | infinite | stop-datetime}]
Purpose
Establishes a start date and time for accepting the key, and optionally, a stop time for accepting the key.
Command Mode
key chain configuration
Syntax Description
start-datetime | Date and time to start accepting the key being configured. Must be in the format yyyy:mm:dd:hh:mm[:ss]. For more information about the format of this argument, see the Usage Guidelines section.
duration seconds | Optional. Number of seconds to continue accepting the key. The range of values is 1 to 2,147,483,646.
infinite | Optional. Specifies that the key is to be accepted indefinitely.
stop-datetime | Optional. Date and time to stop accepting the key being configured. Must be in the format yyyy:mm:dd:hh:mm[:ss]. For more information about the format of this argument, see the Usage Guidelines section.
Default
If you do not issue this command, the key is accepted starting immediately and continues to be accepted
indefinitely. If you do not specify a duration when issuing this command, the key is accepted indefinitely.
Usage Guidelines
Use the accept-lifetime command to specify when the key being configured is to be accepted. The format
of the start-datetime and stop-datetime arguments is yyyy:mm:dd:hh:mm[:ss] and is defined as follows:
yyyy = The year in four digits (for example, 2003).
mm = The month of the year in two digits (for example, 01). The range of values is 1 to 12.
dd = The day of the month in two digits (for example, 24). The range of values is 1 to 31.
hh = The hour of the day in two digits (for example, 23). The range of values is 0 to 23.
mm = The minute of the hour in two digits (for example, 59). The range of values is 0 to 59.
ss = Optional. The second of the minute in two digits (for example, 55). The range of values is 0 to 59.
If you issue the accept-lifetime command without any optional constructs, the key is accepted starting with
the date and time that you specify and continues to be accepted indefinitely. You can replace an existing
accept lifetime value by issuing the accept-lifetime command again and specifying new values.
Use the no form of this command to specify that the key is no longer to be accepted.
Examples
The following example establishes a lifetime acceptance of January 25, 2002 at one minute and one second
after 4:00 a.m. The key continues to be accepted indefinitely:
[local]Redback(config-key-chain)#accept-lifetime 2002:01:25:04:01:01
The following example establishes a lifetime acceptance of January 25, 2002 at exactly midnight, and
specifies that the key is to be accepted for 30 minutes (1800 seconds):
[local]Redback(config-key-chain)#accept-lifetime 2002:01:25:00:00 duration 1800
Related Commands
send-lifetime
key-chain description
key-chain key-chain-name description text
no key-chain key-chain-name [description text]
Purpose
Configures a key chain name and description.
Command Mode
context configuration
Syntax Description
key-chain-name | Name of the key chain.
text | Alphanumeric text description to be associated with the key chain. Optional only when deleting a key chain.
Default
No key chains are created.
Usage Guidelines
Use the key-chain description command to configure a key chain name and description.
Only one description can be associated with a single key chain. To update a description, issue this command
with the new description; the old description is overwritten.
Use the no form of this command with the description text construct to remove a description from the key
chain configuration. Use the no form of this command without the optional construct to delete the entire
key chain.
Examples
The following example configures key01 with a text description specifying 3 keys ospf only:
[local]Redback(config-ctx)#key-chain key01 description 3 keys ospf only
Related Commands
key-chain
key-chain
key-chain key-chain-name key-id key-id
no key-chain key-chain-name [key-id key-id]
Purpose
Creates a new key chain with a key, or creates a key within an existing key chain, and enters key chain
configuration mode.
Command Mode
context configuration
Syntax Description
key-chain-name | Name of the key chain.
key-id | Identification number of a key within the chain. The range of values is 1 to 65,535. Must be unique within the key chain. Optional only when deleting a key chain.
Default
No key chains are created.
Usage Guidelines
Use the key-chain key-id command to create a new key chain with a key, or to create a key within an
existing key chain, and to enter key chain configuration mode.
Key chains allow you to control authentication keys used by various routing protocols in the system.
Currently, the SmartEdge OS supports the use of key chains with the Mobile IP services, Open Shortest
Path First (OSPF), intermediate-system-to-intermediate-system (IS-IS), and Virtual Router Redundancy
Protocol (VRRP) routing protocols.
For information about the authentication command used with the key-chain key-id command for routing
protocols, see the OSPF Configuration, IS-IS Configuration, or VRRP Configuration chapters in the
Routing Protocols Configuration Guide for the SmartEdge OS. For information about the authentication
command that is used with the key-chain key-id command for Mobile IP services, see Chapter 7, Mobile
IP Foreign Agent Configuration.
Use the no form of this command with the key-id key-id construct to remove a key from the key chain
configuration. Use the no form of this command without the optional construct to remove the entire key
chain.
Examples
The following example creates a new key chain, superkeychain, and creates three keys within it (IDs
200, 201, 202), each with its own string and lifetime:
[local]Redback(config-ctx)#key-chain superkeychain key-id 200
[local]Redback(config-key-chain)#key-string di492jffs
[local]Redback(config-key-chain)#accept-lifetime 2001:01:01:01:01 duration 10000
[local]Redback(config-key-chain)#send-lifetime 2001:01:01:01:01 infinite
[local]Redback(config-key-chain)#key-chain superkeychain key-id 201
[local]Redback(config-key-chain)#key-string 7744kkciao
[local]Redback(config-key-chain)#accept-lifetime 2001:01:01:01:01 infinite
[local]Redback(config-key-chain)#send-lifetime 2001:01:01:01:01
[local]Redback(config-key-chain)#key-chain superkeychain key-id 202
[local]Redback(config-key-chain)#key-string secret222
[local]Redback(config-key-chain)#accept-lifetime 2001:01:01:01:01 2002:01:01:00:00
[local]Redback(config-key-chain)#send-lifetime 2001:01:01:01:01 infinite
In this example, you do not have to exit from key chain configuration mode before you enter the key-chain
command because commands from the next highest mode in the hierarchy (context configuration mode, in
this case) are accepted in any configuration mode.
Related Commands
accept-lifetime
key-chain description
key-string
send-lifetime
key-string
key-string {string | hex hex-string}
no key-string {string | hex hex-string}
Purpose
Configures a string for the specified key.
Command Mode
key chain configuration
Syntax Description
string | Alphanumeric string.
hex hex-string | Hexadecimal string. Must be composed of valid hexadecimal characters (A-F, a-f, 0-9) and may be preceded by an optional 0x or 0X. The 0x or 0X is not included in the stored key string.
Default
No key string is configured.
Usage Guidelines
Use the key-string command to configure a string for the specified key. A string is equivalent to a password
and is encrypted in the output of the show configuration command. In the output of the show key-chain
command, the key string is shown both encrypted and unencrypted. You can replace an existing key string
by using the key-string command again, specifying a new string.
The SmartEdge OS stores hexadecimal strings left justified in the key string with the remaining characters
set to 0x0.
Use the no form of this command to remove the key string from the configuration.
Examples
The following example configures 7744kkciao as the string for the key chain, secretkeychain:
[local]Redback(config-ctx)#key-chain secretkeychain key-id 200
[local]Redback(config-key-chain)#key-string 7744kkciao
Related Commands
key-chain description
key-chain
send-lifetime
send-lifetime start-datetime [{duration seconds | infinite | stop-datetime}]
no send-lifetime start-datetime [{duration seconds | infinite | stop-datetime}]
Purpose
Establishes a start date and time for sending the key, and optionally, a stop date and time for sending the key.
Command Mode
key chain configuration
Syntax Description
start-datetime | Date and time to start sending the key being configured. Must be in the format yyyy:mm:dd:hh:mm[:ss]. For more information about the format of this argument, see the Usage Guidelines section.
duration seconds | Optional. Number of seconds to continue sending the key. The range of values is 1 to 2,147,483,646.
infinite | Optional. Specifies that the key is to be sent indefinitely.
stop-datetime | Optional. Date and time to stop sending the key being configured. Must be in the format yyyy:mm:dd:hh:mm[:ss]. For more information about the format of this argument, see the Usage Guidelines section.
Default
If you do not use this command, the key is sent starting immediately and continues to be sent indefinitely.
If you do not specify a duration when using this command, the key is sent indefinitely.
Usage Guidelines
Use the send-lifetime command to specify when the key being configured is to be sent. The format of the
start-datetime and stop-datetime arguments is yyyy:mm:dd:hh:mm[:ss] and is defined as follows:
yyyy = The year in four digits (for example, 2001).
mm = The month of the year in two digits (for example, 01). The range of values is 1 to 12.
dd = The day of the month in two digits (for example, 24). The range of values is 1 to 31.
hh = The hour of the day in two digits (for example, 23). The range of values is 0 to 23.
mm = The minute of the hour in two digits (for example, 59). The range of values is 0 to 59.
ss = Optional. The second of the minute in two digits (for example, 55). The range of values is 0 to 59.
If you issue the send-lifetime command without any optional constructs, the key is sent starting with the
date and time that you specify and continues to be sent indefinitely.
You can replace an existing send lifetime value by issuing the send-lifetime command again, and
specifying new parameters.
Use the no form of this command to specify that the key is no longer to be sent.
Examples
The following example establishes a send lifetime of January 25, 2002 at one minute and one second after
4:00 a.m. The key continues to be sent indefinitely:
[local]Redback(config-key-chain)#send-lifetime 2002:01:25:04:01:01
The following example establishes a send lifetime of January 25, 2002 at exactly midnight, and specifies
that the key is to be sent for 30 minutes (1800 seconds):
[local]Redback(config-key-chain)#send-lifetime 2002:01:25:00:00 duration 1800
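The lifetime rules of the accept-lifetime and send-lifetime commands, applied to the two-key rollover chain from the Configuration Examples section, as an added example written for this guide in Python; it is not SmartEdge OS code and does not reproduce how the router schedules keys internally. It parses the yyyy:mm:dd:hh:mm[:ss] format and the duration, infinite and stop-datetime forms, then reports which keys are accepted and which key is sent at a given instant. Two assumptions: the lowest key-id with an open send window is the key sent (the page does not state a tie-break), and a stop instant is exclusive. Key 1's accept-lifetime is taken as running to 2002:02:02:02:00:00 so that both keys are accepted during the 12:00 a.m. to 2:00 a.m. rollover window the text describes.

```python
# Added illustration of key-chain lifetimes; not SmartEdge OS code.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Window = Tuple[datetime, Optional[datetime]]  # (start, stop); stop None means infinite


def parse_datetime(text: str) -> datetime:
    """Parse yyyy:mm:dd:hh:mm[:ss]; datetime() itself rejects out-of-range fields."""
    parts = text.split(":")
    if len(parts) not in (5, 6) or not all(p.isdigit() for p in parts):
        raise ValueError("expected yyyy:mm:dd:hh:mm[:ss], got %r" % text)
    fields = [int(p) for p in parts] + ([0] if len(parts) == 5 else [])
    return datetime(*fields)


def parse_lifetime(args: str) -> Window:
    """Parse the arguments of accept-lifetime / send-lifetime:
    start-datetime [duration seconds | infinite | stop-datetime]."""
    tokens = args.split()
    start, rest = parse_datetime(tokens[0]), tokens[1:]
    if not rest or rest == ["infinite"]:
        return start, None
    if rest[0] == "duration":
        seconds = int(rest[1])
        if not 1 <= seconds <= 2_147_483_646:
            raise ValueError("duration must be 1 to 2,147,483,646 seconds")
        return start, start + timedelta(seconds=seconds)
    stop = parse_datetime(rest[0])
    if stop <= start:
        raise ValueError("stop-datetime must be later than start-datetime")
    return start, stop


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: Window
    send: Window


def in_window(window: Window, now: datetime) -> bool:
    """Start inclusive, stop exclusive (assumed; the page does not say)."""
    start, stop = window
    return start <= now and (stop is None or now < stop)


def accepted_key_ids(chain: List[Key], now: datetime) -> List[int]:
    return [k.key_id for k in chain if in_window(k.accept, now)]


def send_key_id(chain: List[Key], now: datetime) -> Optional[int]:
    """Key to send: lowest key-id with an open send window (assumed tie-break)."""
    for k in sorted(chain, key=lambda k: k.key_id):
        if in_window(k.send, now):
            return k.key_id
    return None


def coverage_gaps(chain: List[Key], instants: List[datetime]) -> List[Tuple[datetime, str]]:
    """Instants at which no key is accepted or none is sent; a chain with such a
    gap cannot authenticate its neighbor at that time."""
    gaps = []
    for t in instants:
        if not accepted_key_ids(chain, t):
            gaps.append((t, "accept"))
        if send_key_id(chain, t) is None:
            gaps.append((t, "send"))
    return gaps


# The ospf-keychain rollover from Configuration Examples (key 1's accept window
# assumed to run to 2002:02:02:02:00:00, see the lead-in).
OSPF_KEYCHAIN = [
    Key(1, "redback",
        parse_lifetime("2001:02:02:00:00:00 2002:02:02:02:00:00"),
        parse_lifetime("2001:02:02:01:00:00 2002:02:02:01:00:00")),
    Key(2, "se800",
        parse_lifetime("2002:02:02:00:00:00 2003:02:02:02:00:00"),
        parse_lifetime("2002:02:02:01:00:00 2003:02:02:01:00:00")),
]


def rollover_state(now: datetime) -> Tuple[List[int], Optional[int]]:
    """(accepted key-ids, key-id sent) for OSPF_KEYCHAIN at the given instant."""
    return accepted_key_ids(OSPF_KEYCHAIN, now), send_key_id(OSPF_KEYCHAIN, now)


if __name__ == "__main__":
    for text in ("2002:02:01:12:00", "2002:02:02:00:30", "2002:02:02:01:30", "2002:02:02:03:00"):
        accepted, sent = rollover_state(parse_datetime(text))
        print("%s accepted=%s send=%s" % (text, accepted, sent))
```

Running the chain through coverage_gaps over the instants that matter (just before, during and after the rollover) is the check to make before committing a key chain: with the page's verbatim key 1 accept-lifetime (stop in 2001), the chain accepts no key at all for the year leading up to the rollover while still sending key 1.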
Related Commands
accept-lifetime
spi
spi {spi-num | in spi-num | out spi-num}
no spi {spi-num | in spi-num | out spi-num}
Purpose
Specifies a security parameter index (SPI) for this key chain.
Command Mode
key chain configuration
Syntax Description
spi-num | SPI index number. The range of values is 256 to 4294967295.
in | Assign this SPI number to a key chain for incoming traffic only.
out | Assign this SPI number to a key chain for outgoing traffic only.
Default
None
Usage Guidelines
Use the spi command to specify an SPI for this key chain. Use the in and out keywords to limit the SPI
number to incoming or outgoing packets, respectively. If you do not specify the direction, the SPI is
assigned to both incoming and outgoing traffic.
Use the no form of this command to remove the SPI from the key chain.
Examples
The following example assigns an SPI number of 256 to incoming traffic:
[local]Redback(config-ctx)#key-chain key-in key-id 101
[local]Redback(config-key-chain)#spi in 256
Related Commands
key-chain
Part 8
Appendixes
This part describes attributes used with Remote Authentication Dial-In User Service (RADIUS) and
attribute-value pairs (AVPs) used with Terminal Access Controller Access Control System Plus
(TACACS+), and consists of the following appendixes:
Chapter A, RADIUS Attributes
Chapter B, TACACS+ Attribute-Value Pairs
Appendix A
RADIUS Attributes
This appendix describes standard Remote Authentication Dial-In User Service (RADIUS) and
vendor-specific attributes (VSAs) supported by the SmartEdge OS.
For information about configuring RADIUS features, see Chapter 20, AAA Configuration.
For more information about RADIUS attributes, see the following documents:
RFC 2865, Remote Authentication Dial In User Service (RADIUS)
RFC 2866, RADIUS Accounting
RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868, RADIUS Attributes for Tunnel Protocol Support
RFC 2869, RADIUS Extensions
RFC 3576, Dynamic Authorization Extensions to Remote Authentication Dial-In User Service (RADIUS)
This appendix contains the following sections:
Overview
Supported Standard RADIUS Attributes
Redback VSAs
Redback VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels
Other VSAs Supported by the SmartEdge OS
Service Attributes Supported by the SmartEdge OS
RADIUS Attributes Supported by Mobile IP Services
Overview
Internet Engineering Task Force (IETF) RADIUS attributes are the original set of 255 standard attributes
used to communicate authentication, authorization, and accounting (AAA) information between a client
and a server. Because IETF attributes are standard, the attribute data is predefined and well known so that
all clients and servers can exchange AAA information. RADIUS VSAs are derived from one IETF
RADIUS attribute 26, Vendor-Specific, which enables a vendor, in this case, Redback Networks, to create
an additional 255 attributes.
RADIUS packets and files are described further in the following sections:
RADIUS Packet Format
Packet Types
RADIUS Files
RADIUS Packet Format
Figure A-1 illustrates the format of a RADIUS packet.
Figure A-1 RADIUS Packet Format
Table A-1 describes the fields contained in a RADIUS packet.
Table A-1 RADIUS Packet Fields
Field | Description
Code | Identifies the RADIUS packet type. The type can be one of the following: Access-Request (1), Access-Accept (2), Access-Reject (3), Accounting-Request (4), Accounting-Response (5), Disconnect-Request (40), Disconnect-ACK (41), Disconnect-NAK (42), CoA-Request (43), CoA-ACK (44), CoA-NAK (45).
Identifier | Helps the RADIUS server match requests and responses and detect duplicate requests.
Length | Specifies the length of the entire packet.
Authenticator | Authenticates the reply from the RADIUS server. There are two types of authenticators: Request-Authentication (available in Access-Request and Accounting-Request packets) and Response-Authentication (available in Access-Accept, Access-Reject, Access-Challenge, and Accounting-Response packets).

Packet Types
Table A-2 describes RADIUS packet types.
Table A-2 RADIUS Packet Types
Type | Description
Access-Request | Sent from a client to a RADIUS server. The RADIUS server uses the packet to determine whether to allow access to a specific network access server (NAS), which permits subscriber access. Subscribers performing authentication must submit an Access-Request packet. When an Access-Request packet is received, the RADIUS server must forward a reply.
Access-Accept | Upon receiving an Access-Request packet, the RADIUS server sends an Access-Accept packet if all attribute values in the Access-Request packet are acceptable.
Access-Reject | Upon receiving an Access-Request packet, the RADIUS server sends an Access-Reject packet if any of the attribute values are not acceptable.
Access-Challenge | Upon receiving an Access-Request packet, the RADIUS server can send the client an Access-Challenge packet, which requires a response. If the client does not know how to respond, or if the packets are invalid, the RADIUS server discards the packets. If the client responds to the packet, a new Access-Request packet is sent with the original Access-Request packet.
Accounting-Request | Sent from a client to a RADIUS accounting server. If the RADIUS accounting server successfully records the Accounting-Request packet, it must submit an Accounting-Response packet.
Accounting-Response | Sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request has been received and recorded successfully.
CoA-Request | Sent by the RADIUS server to the NAS to dynamically change session authorizations.
CoA-Response | Sent by the NAS to the RADIUS server to acknowledge (ACK) a CoA request if the session authorizations were successfully changed. A NAK is sent if the CoA request is unsuccessful.
Disconnect-Request | Sent by the RADIUS server to the NAS to terminate a session and discard all session context.
Disconnect-Response | Sent by the NAS to the RADIUS server to acknowledge (ACK) a disconnect request if the session is successfully terminated and the context discarded. A NAK is sent if the disconnect request is unsuccessful.

RADIUS Files
RADIUS files communicate AAA information between a client and server. These files are described in the
following sections:
RADIUS Dictionary File
RADIUS Clients Files
Subscriber Files
RADIUS Dictionary File
Table A-3 describes the information contained in a RADIUS dictionary file.
Table A-3 RADIUS Dictionary File
Name | ID | Value Type
ASCII string name of the attribute; for example, User-Name. | Numerical identification of the attribute; for example, the User-Name attribute is 1. | Each attribute can be specified through one of the following value types: binary (0 to 254 octets); date (32-bit value in big endian order; for example, seconds since 00:00:00 GMT, JAN. 1, 1970); ipadd (4 octets in network byte order); integer (32-bit value in big endian order, high byte first); string (0 to 253 octets).

An integer can be expanded to represent a string. The following example is an integer-based attribute and
its corresponding string values. In this example, the values for VSA 144, Acct-Reason, describe the reason
for sending subscriber accounting packets to the RADIUS server. Each value is represented by an integer:
#
ATTRIBUTE Acct-Reason 144 Integer
VALUE AAA_LOAD_ACCT_SESSION_UP 1
VALUE AAA_LOAD_ACCT_SESSION_DOWN 2
VALUE AAA_LOAD_ACCT_PERIODIC 3
.
.
RADIUS Clients Files
A clients file contains a list of RADIUS clients allowed to send authentication and accounting requests to
the RADIUS server. To receive authentication, the client name and authentication key sent to the RADIUS
server must be an exact match with the data contained in the clients file; see the following example:
#
Client Name Key
10.1.1.1 test
nas-1 secret
Subscriber Files
A subscriber file contains an entry for each subscriber that the RADIUS server will authenticate. The first
line in any subscriber file is a user access line; that is, the server must check the attributes on the first line
before it can grant access to the user.
The following example allows the subscriber to access five tunnel attributes:
#
redback.com Password=redback Service-Type Outbound
Tunnel-Type = :1:L2TP
Tunnel-Medium-Type = :1:IP
Tunnel-Server-Endpoint = :1:10.0.0.1
Tunnel-Password = :1:welcome
Tunnel-Assignment-ID = :1:nas
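The packet layout of Table A-1, the Authenticator field, and the dictionary and clients file formats described above, exercised together in Python as an added example written for this guide; it is not SmartEdge OS or RADIUS server code. It builds a constructed Accounting-Request carrying a Redback VSA (attribute 26 with Vendor-Id 2352, the layout stated for Vendor-Specific in Table A-4), decodes it using a dictionary excerpt in the layout shown above, and checks the Accounting-Response's Authenticator with the shared key read from a constructed clients file. The Authenticator computation follows RFC 2865/2866 (MD5 over Code, Identifier, Length, the request's Authenticator, the attributes, and the shared secret). The sample user, addresses, Identifier value and the attribute names other than Acct-Reason are constructed or assumed, not taken from the page.

```python
# Added example (not SmartEdge OS or RADIUS server code): decode a packet laid out
# as in Table A-1, verify a reply's Authenticator with the client's shared key from
# a clients file, and name attributes and values from a dictionary file.
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

REDBACK_VENDOR_ID = 2352  # Vendor-Id carried inside attribute 26 for Redback VSAs
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
         5: "Accounting-Response", 40: "Disconnect-Request", 41: "Disconnect-ACK",
         42: "Disconnect-NAK", 43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
STANDARD_ATTRS = {1: "User-Name", 8: "Framed-IP-Address", 26: "Vendor-Specific", 40: "Acct-Status-Type"}

# Constructed excerpt in the dictionary-file layout shown above (Redback VSA 144).
VSA_DICTIONARY = """
ATTRIBUTE Acct-Reason 144 integer
VALUE AAA_LOAD_ACCT_SESSION_UP 1
VALUE AAA_LOAD_ACCT_SESSION_DOWN 2
VALUE AAA_LOAD_ACCT_PERIODIC 3
"""
# Constructed clients file in the layout shown above: client name or address, then its key.
CLIENTS_FILE = """
# Client Name  Key
10.1.1.1       test
nas-1          secret
"""


def parse_dictionary(text: str):
    """Return ({id: (name, type)}, {id: {number: value-name}}); VALUE lines bind to the preceding ATTRIBUTE."""
    attrs, values, current = {}, {}, None
    for f in (line.split() for line in text.splitlines()):
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "ATTRIBUTE":
            current = int(f[2])
            attrs[current] = (f[1], f[3].lower())
        elif f[0] == "VALUE" and current is not None:
            values.setdefault(current, {})[int(f[2])] = f[1]
    return attrs, values


def parse_clients(text: str) -> Dict[str, bytes]:
    """Client name or address -> shared key; comment and header lines are skipped."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: f[1].encode() for f in rows if len(f) == 2 and not f[0].startswith("#")}


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type(1) Length(1) Value; Length includes the 2-octet header, so Value is at most 253 octets."""
    if any(len(v) > 253 for _, v in attrs):
        raise ValueError("attribute value exceeds 253 octets")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode_vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Value of attribute 26: Vendor-Id(4) followed by one vendor TLV."""
    return struct.pack("!IBB", vendor_id, sub_type, len(value) + 2) + value


def authenticator(code: int, identifier: int, seed: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + seed + Attributes + Secret) per RFC 2865/2866;
    seed is 16 zero octets for an Accounting-Request and the request's Authenticator for a reply."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, 20 + len(attrs)) + seed + attrs + secret).digest()


def build_packet(code: int, identifier: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def parse_packet(data: bytes) -> dict:
    """Split a packet into the Table A-1 fields plus raw (type, value) pairs; lengths that do not fit are rejected."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field does not fit the packet")
    body, attrs, pos = data[20:length], [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return {"code": code, "type": CODES.get(code, "unknown"), "identifier": identifier,
            "length": length, "authenticator": data[4:20], "attrs": attrs}


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply's Authenticator was computed over this request's Authenticator with this key."""
    p = parse_packet(reply)
    expected = authenticator(p["code"], p["identifier"], request_auth, reply[20:p["length"]], secret)
    return hmac.compare_digest(expected, p["authenticator"])


def decode_attrs(attrs, vsa_attrs, vsa_values) -> List[Tuple[str, object]]:
    """Name attributes, expand Redback VSAs, and map integer VALUE names from the dictionary."""
    out = []
    for t, v in attrs:
        name = STANDARD_ATTRS.get(t, "Attr-%d" % t)
        if t == 26 and len(v) >= 6:
            vendor, sub_t, sub_l = struct.unpack("!IBB", v[:6])
            sub_v = v[6:4 + sub_l]
            if vendor == REDBACK_VENDOR_ID and sub_t in vsa_attrs and vsa_attrs[sub_t][1] == "integer" and len(sub_v) == 4:
                num = struct.unpack("!I", sub_v)[0]
                out.append(("Redback-" + vsa_attrs[sub_t][0], vsa_values.get(sub_t, {}).get(num, num)))
                continue
            out.append((name, v))  # other vendors or types: keep the raw value
        elif t == 8 and len(v) == 4:
            out.append((name, ".".join(str(b) for b in v)))
        elif t == 40 and len(v) == 4:
            out.append((name, struct.unpack("!I", v)[0]))
        else:
            out.append((name, v.decode("ascii", "replace")))
    return out


def demo() -> dict:
    """Accounting-Request from client 10.1.1.1, its Accounting-Response, a tampered copy, and a wrong-key check."""
    vsa_attrs, vsa_values = parse_dictionary(VSA_DICTIONARY)
    clients = parse_clients(CLIENTS_FILE)
    attrs = encode_attrs([(1, b"redback.com"), (8, bytes([10, 0, 0, 1])), (40, struct.pack("!I", 1)),
                          (26, encode_vsa(REDBACK_VENDOR_ID, 144, struct.pack("!I", 1)))])
    req_auth = authenticator(4, 7, bytes(16), attrs, clients["10.1.1.1"])
    request = build_packet(4, 7, req_auth, attrs)
    reply = build_packet(5, 7, authenticator(5, 7, req_auth, b"", clients["10.1.1.1"]), b"")
    tampered = reply[:19] + bytes([reply[19] ^ 0x01])  # flip one bit of the Authenticator
    return {"decoded": decode_attrs(parse_packet(request)["attrs"], vsa_attrs, vsa_values),
            "reply_ok": verify_reply(reply, req_auth, clients["10.1.1.1"]),
            "tampered_ok": verify_reply(tampered, req_auth, clients["10.1.1.1"]),
            "wrong_key_ok": verify_reply(reply, req_auth, clients["nas-1"])}
```

The Identifier only pairs a reply with an outstanding request; it is the Authenticator check in verify_reply that ties the reply to the client's key in the clients file, which is why a reply with one altered Authenticator bit, or one built with another client's key, is rejected while its Identifier still matches.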
Supported Standard RADIUS Attributes
Standard RADIUS attributes appear in the various types of RADIUS messages as described in the
following sections:
Standard RADIUS Attributes in Access and Account Messages
Standard RADIUS Attributes in CoA and Disconnect Messages
Standard RADIUS Attributes That Can Be Reauthorized
Standard RADIUS Attributes in Access and Account Messages
Table A-4 describes the standard RADIUS attributes that are supported by the SmartEdge OS and that can
appear in Access-Request, Account-Request, and Access-Response messages.
Table A-4 Standard RADIUS Attributes Supported by the SmartEdge OS
# | Attribute Name | Sent in Access-Request | Sent in Acct-Request | Receivable in Access-Response | Notes
1 | User-Name | Yes | Yes | No | String. Name of the user to be authenticated; only used in Access-Request packets.
2 | User-Password | Yes | No | No | String. Sent unless using the CHAP-Password attribute.
3 | CHAP-Password | Yes | No | No | String. Sent in Access-Request packet unless using the User-Password attribute.
4 | NAS-IP-Address | Yes | Yes | No | IP address. Specifies an IP source address for RADIUS packets sent by the SmartEdge router. This attribute is not sent unless explicitly enabled through the radius attribute nas-ip-address command (in context configuration mode); see Chapter 21, RADIUS Configuration.
5 | NAS-Port | Yes | Yes | No | Integer. This attribute is sent using the slot-port format. For details on this format or to modify the format in which this attribute is sent, see the radius attribute nas-port command in Chapter 21, RADIUS Configuration.
6 | Service-Type | Yes | Yes | Yes | Integer. Type of service requested or provided. Values are: 2 = Framed; 5 = Outbound; 6 = Administrative; 7 = NAS Prompt.
7 | Framed-Protocol | Yes | Yes | Yes | Integer. The value indicates the framing to be used for framed access. This attribute must not be used in a user profile designed for RFC 1483 and RFC 1490 bridged or routed circuits, or for Telnet sessions. This value is sent only for Point-to-Point Protocol (PPP) service types. The value for PPP is 1.
8 | Framed-IP-Address | Yes | Yes | Yes | IP address. In Accounting-Request packets, returns the IP address assigned to the subscriber either dynamically or statically. In Access-Accept packets, a return value of 255.255.255.254 or 0.0.0.0 causes the SmartEdge OS to assign the subscriber an address from an IP address pool. This attribute is received in Access-Response messages and is sent in Access-Request messages conditioned by the aaa hint ip address command (in context configuration mode).
9 | Framed-IP-Netmask | No | Yes | Yes | IP address. Assigns a range of addresses to a subscriber circuit; it is not a netmask in the conventional sense of determining which address bits are host vs. prefix, and so on.
11 | Filter-Id | No | Yes | Yes | String. Specifies that inbound or outbound traffic be filtered. Use the in:<name> and out:<name> format.
12 | Framed-MTU | No | Yes | Yes | Integer. Maximum transmission unit (MTU) to be configured for the user when it is not negotiated by some other means (such as Point-to-Point Protocol [PPP]). It is only used in Access-Accept packets.
18 | Reply-Message | No | No | Yes | String. Text that can be displayed to the user. Multiple Reply-Message attributes can be included. If any are displayed, they must be displayed in the same order as they appear in the packet.
22 | Framed-Route | No | Yes | Yes | IP address. The format is h.h.h.h/nn g.g.g.g n where: h.h.h.h = IP address of destination host or network; nn = optional netmask size in bits (if not present, defaults to 32); g.g.g.g = IP address of gateway; n = number of hops for this route.
24 | State | No | No | Yes | Binary String.
25 | Class | No | Yes | Yes | String. If received, this information must be sent on, without interpretation, in all subsequent packets sent to the RADIUS accounting server for that subscriber session.
26 | Vendor-Specific | Yes | Yes | No | String. Allows Redback Networks to support its own VSAs, embedded with the Vendor-Id attribute set to 2352. For the VSAs supported by the SmartEdge OS, see Table A-7.
27 | Session-Timeout | No | Yes | Yes | Integer. Sets the maximum number of seconds of service allowed the subscriber before termination of the session. Corresponds to the SmartEdge OS timeout command (in subscriber configuration mode) with the absolute keyword, except that the attribute requires seconds instead of minutes. The value 0 indicates that the timeout is disabled.
28 | Idle-Timeout | No | Yes | Yes | Integer. Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session. Corresponds to the SmartEdge OS timeout idle command (in subscriber configuration mode), except that the attribute calls for seconds instead of minutes.
30 | Called-Station-Id | Yes | No | No | String. The telephone number that the call came from.
31 | Calling-Station-Id | Yes | Yes | No | Dependent on the type of subscriber terminated in the SmartEdge router. This attribute is not sent unless explicitly enabled through the radius attribute calling-station-id command (in context configuration mode); see Chapter 21, RADIUS Configuration.
32 | NAS-Identifier | Yes | Yes | No | String. Value for the system hostname.
33 | Proxy_State | No | Yes | No | Binary String. Specifies the state sent by the proxy server.
40 | Acct-Status-Type | No | Yes | No | Integer. Values can be: 1 = Start; 2 = Stop; 3 = Interim-Updated; 7 = Accounting-On; 8 = Accounting-Off; 9 = Tunnel Start; 10 = Tunnel Stop; 12 = Link Start; 13 = Link Stop; 15 = Reserved for failed; 101 = Service-Start; 102 = Service-Stop; 103 = Service-Interim-Update.
41 | Acct-Delay-Time | No | Yes | No | Integer. Time, in seconds, for which the client has been trying to send the record.
42 | Acct-Input-Octets | No | Yes | No | Integer. Number of octets that have been received from the port over the course of this service being provided. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.
43 | Acct-Output-Octets | No | Yes | No | Integer. Number of octets that have been sent to the port in the course of delivering this service. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.
44 | Acct-Session-Id | Yes | Yes | No | String. Unique session accounting ID to match start and stop records in a log file. The start and stop records for a given subscriber session have the same Acct-Session-Id attribute value. The format is cct-handle timestamp. If service accounting is enabled with VSA 191, this attribute also includes the service accounting identifier, which is the service-name that is defined in VSA 190. The session accounting and service accounting identifiers are separated by a colon (:). By default, this attribute is sent in Accounting-Request packets. To send this attribute in Access-Request packets, you must use the radius attribute acct-session-id command (in context configuration mode); see Chapter 21, RADIUS Configuration.
45 | Acct-Authentic | No | Yes | No | String. Values are RADIUS and local.
46 | Acct-Session-Time | No | Yes | No | Integer. Number of seconds for which the user has received service. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.
47 | Acct-Input-Packets | No | Yes | No | Integer. Number of packets that have been received from the port over the course of this service being provided to a framed user. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.
48 | Acct-Output-Packets | No | Yes | No | Integer. Number of packets that have been sent to the port in the course of delivering this service to a framed user. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.
49 | Acct-Terminate-Cause | No | Yes | No | Integer. Value represents the cause of session termination. Values are: 1 = User request; 2 = Lost carrier; 3 = Lost service; 4 = Idle timeout; 5 = Session timeout; 6 = Admin reset; 8 = Port error; 9 = NAS error; 10 = NAS request; 15 = Service unavailable; 17 = User error.
50 | Acct-Multi-Session-Id | No | Yes | Yes | String. Links multiple related sessions with a unique accounting ID.
52 | Acct-Input-Gigawords | No | Yes | No | Integer. Value represents the number of times the Acct-Input-Octets counter has wrapped around 2^32 in the course of providing this service. This attribute can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Interim-Update.
53 Acct-Output-Gigawords No Yes No Integer. Value represents the number of times the
Acct-Output-Octets counter has wrapped around 2^32 in
the course of delivering this service. This attribute can
only be present in Accounting-Request records where
the Acct-Status-Type attribute is set to Stop or
Interim-Update.
55 Event-Timestamp No Yes No Integer. Value represents the time this event occurred on
the NAS, in seconds, since J anuary 1, 1970 00:00 UTC.
61 NAS-Port-Type Yes Yes No Integer. The default value is either 0 or 5, indicating an
asynchronous connection through a console port or a
connection through a transport protocol, respectively,
depending on how the subscriber is connected to its
authenticating NAS. The range of values is 0 to 255.
Values 0 to 19 are as follows:
0async
1sync
2ISDN (sync)
3ISDN (async V120)
4ISDN (async V110)
5Virtual
6PIAFS (wireless ISDN used in J apan)
7HDLC (clear-channel)
8X.25
9X.75
10G3_Fax (G.3 Fax)
11SDSL (symmetric DSL)
12ADSL_CAP (asymmetric DSL, Carrierless
Amplitude Phase Modulation)
13ADSL_DMT (asymmetric DSL, discrete
multi-tone)
14IDSL (ISDN digital subscriber line)
15Ethernet
16xDSL (digital subscriber line of unknown type)
17Cable
18Wireless (wirelessOther)
19Wireless_802_11 (wirelessIEEE 802.11)
You can also modify the value of this attribute through the
radius attribute nas-port-type command (in context
configuration mode); see Chapter 21, RADIUS
Configuration.
62 Port-Limit No Yes Yes Integer. Maximum number of sessions a particular
subscriber can have active at one time.
64 Tunnel-Type No Yes Yes Integer. Value indicates the tunneling protocol to be
used. The supported value is 3, which indicates the
Layer 2 Tunneling Protocol (L2TP).
65 Tunnel-Medium-Type No Yes Yes Integer. Value represents the transport medium to use
when creating an L2TP tunnel for protocols that can
operate over multiple transports. The supported value is
1, which indicates IPv4.
66 Tunnel-Client-Endpoint No Yes Yes String. Fully qualified domain name or IP address of the
initiator end of an L2TP tunnel.
67 Tunnel-Server-Endpoint No Yes Yes String. Fully qualified domain name or IP address of the
server end of an L2TP tunnel.
68 Acct-Tunnel-Connection No Yes No String. Unique accounting ID to easily match start and
stop records in a log file for L2TP sessions. The start and
stop records for a given session will have the same
Acct-Tunnel-Connection attribute value.
69 Tunnel-Password No No Yes String. Password. Only used in Access-Accept packets.
77 Connect-Info Yes Yes No String containing either:
An ATM, 802.1Q, or Frame Relay profile name sent to
the RADIUS server.
The values from L2TP attribute-value pairs (AVPs) 24
and 38 in the Tx/Rx format. Speeds are in
bits-per-second.
80 Message-Authenticator Yes No Yes String. Signs access requests to prevent spoofing.
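Added example, not Redback code: how the Message-Authenticator on an Access-Request is computed and checked (HMAC-MD5 keyed with the shared secret, per RFC 2869, which this guide does not restate), with the packet fields, identifier and secret constructed for the demonstration. A request altered in transit fails the check, which is what "prevent spoofing" amounts to in practice.

```python
"""Compute and verify the RADIUS Message-Authenticator attribute (80).

Added example, not Redback code. It follows RFC 2869 section 5.14: the value is
HMAC-MD5, keyed with the NAS/server shared secret, over the packet (Code,
Identifier, Length, Authenticator, attributes) with the Message-Authenticator
value itself set to 16 zero octets. The shared secret, identifier and attribute
values below are constructed for this example.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_NAS_PORT_ID = 87
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
SECRET = b"example-shared-secret"  # constructed for the example, not a real secret


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs: bytes,
                         secret: bytes) -> bytes:
    """Assemble an Access-Request and append a correct Message-Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet += authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 octets


def _message_authenticator_offset(packet: bytes) -> int:
    """Offset of the Message-Authenticator value, or -1 if absent or malformed."""
    offset = HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return -1
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            return offset + 2 if attr_len == 18 else -1
        offset += attr_len
    return -1


def verify_message_authenticator(packet: bytes, secret: bytes,
                                 request_authenticator: Optional[bytes] = None) -> bool:
    """Check the HMAC; a packet without the attribute, or a forged one, fails.

    For an Access-Accept/Reject/Challenge, pass the Request Authenticator of the
    matching request: RFC 2869 uses it in place of the response's own field.
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = _message_authenticator_offset(packet)
    if pos < 0:
        return False
    received = packet[pos:pos + 16]
    zeroed = packet[:pos] + bytes(16) + packet[pos + 16:]
    if request_authenticator is not None:
        zeroed = zeroed[:4] + request_authenticator + zeroed[HEADER_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo() -> Tuple[bool, bool]:
    """Build a signed request, then show that a one-bit change in User-Name fails."""
    attrs = (avp(ATTR_USER_NAME, b"user@example.net")
             + avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", 15))  # 15 = Ethernet
             + avp(ATTR_NAS_PORT_ID, b"4/1 vpi-vci 207 138 pppoe 5"))
    packet = build_access_request(7, os.urandom(16), attrs, SECRET)
    genuine = verify_message_authenticator(packet, SECRET)
    first_name_byte = HEADER_LEN + 2  # past the User-Name type and length octets
    tampered = (packet[:first_name_byte]
                + bytes([packet[first_name_byte] ^ 0x01])
                + packet[first_name_byte + 1:])
    return genuine, verify_message_authenticator(tampered, SECRET)


if __name__ == "__main__":
    print("genuine verifies: %s, tampered verifies: %s" % demo())  # True, False
```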
82 Tunnel-Assignment-ID No Yes Yes String. Used to distinguish between different peers with
configurations that use the same IP address. If no
Tunnel-Client-Endpoint or Tunnel-Server-Endpoint
attribute is supplied with this tag, and if the
Tunnel-Assignment-ID matches the name of a locally
configured peer, the session will be tunneled to that peer.
83 Tunnel-Preference No No Yes String. If more than one set of tunneling attributes is
returned by the RADIUS server to the tunnel initiator, this
attribute should be included in all sets to indicate the
preference assigned to each set; the lower the value for
a set, the more preferable it is.
85 Acct-Interim-Interval No No Yes Integer. The Value field indicates the number of seconds
between each interim update sent from the NAS for this
specific session.
The value must be between 600 and 604,800 seconds (7
days). Any value outside this range logs a message to
the system and the value resets to the corresponding
minimum or maximum allowed value.
Before you set this value, consider the possible impact to
network traffic.
87 NAS-Port-ID Yes Yes No String. By default, this attribute is sent in RADIUS
packets. The default format is:
slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id] [pppoe sess-id | clips sess-id]
where slot and port are each 4 bits and tunl-vlan-id and
pvc-vlan-id are each 12 bits. The tunl-vlan-id field is 0 if it
does not exist.
For example, 4/1 vpi-vci 207 138 pppoe 5.
Use the radius attribute nas-port-id command (in
context configuration mode) to specify another format for
this attribute. This command is described in Chapter 20,
RADIUS Configuration.
89 CUI Yes Yes Yes String. Optional. Chargeable User Identity (CUI).
Identifies users when they roam outside their home
network.
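As an added example, not code from this guide, a parser for the default NAS-Port-Id format described under attribute 87 above; it enforces the table's bit widths for slot, port and the VLAN ids, takes the 8-bit VPI / 16-bit VCI widths from the NAS-Real-Port VSA entry later in this appendix, and uses the table's own sample string.

```python
"""Parse the default SmartEdge NAS-Port-Id (attribute 87) string.

Added example, not Redback code. Format from the table:
    slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id]
              [pppoe sess-id | clips sess-id]
slot and port are 4 bits and the two VLAN ids are 12 bits each, as the table
says; the VPI/VCI widths (8 and 16 bits) are taken from the NAS-Real-Port VSA
description in this appendix.
"""
import re
from dataclasses import dataclass
from typing import Optional

_NAS_PORT_ID = re.compile(
    r"^(?P<slot>\d+)/(?P<port>\d+)"
    r"(?:\s+vpi-vci\s+(?P<vpi>\d+)\s+(?P<vci>\d+)"
    r"|\s+vlan-id\s+(?:(?P<tunl>\d+):)?(?P<pvc>\d+))?"
    r"(?:\s+(?P<kind>pppoe|clips)\s+(?P<sess>\d+))?$"
)


@dataclass
class NasPortId:
    slot: int
    port: int
    vpi: Optional[int] = None
    vci: Optional[int] = None
    tunl_vlan_id: Optional[int] = None  # 0 when the vlan-id form omits it
    pvc_vlan_id: Optional[int] = None
    session_kind: Optional[str] = None  # "pppoe" or "clips"
    session_id: Optional[int] = None


def _fits(name: str, value: Optional[int], bits: int) -> None:
    if value is not None and not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def parse_nas_port_id(text: str) -> NasPortId:
    """Split a NAS-Port-Id string into its fields and check each field's width."""
    m = _NAS_PORT_ID.match(text.strip())
    if m is None:
        raise ValueError(f"not in the default NAS-Port-Id format: {text!r}")

    def num(key: str) -> Optional[int]:
        return None if m.group(key) is None else int(m.group(key))

    r = NasPortId(slot=num("slot"), port=num("port"), vpi=num("vpi"), vci=num("vci"),
                  pvc_vlan_id=num("pvc"), session_kind=m.group("kind"),
                  session_id=num("sess"))
    if r.pvc_vlan_id is not None:
        r.tunl_vlan_id = num("tunl") or 0  # table: tunl-vlan-id is 0 if it does not exist
    _fits("slot", r.slot, 4)
    _fits("port", r.port, 4)
    _fits("vpi", r.vpi, 8)
    _fits("vci", r.vci, 16)
    _fits("tunl-vlan-id", r.tunl_vlan_id, 12)
    _fits("pvc-vlan-id", r.pvc_vlan_id, 12)
    return r


if __name__ == "__main__":
    # The table's own example: slot 4, port 1, VPI 207, VCI 138, PPPoE session 5
    print(parse_nas_port_id("4/1 vpi-vci 207 138 pppoe 5"))
```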
90 Tunnel-Client-Auth-ID No Yes Yes String. Defines the local hostname provided to remote
tunnel peer (used during tunnel setup). The behavior is
identical to Redback VSA 16, Tunnel-Local-Name.
91 Tunnel-Server-Auth-ID No Yes Yes String. Defines an alias for the remote peer name. The
value of this attribute must match the value of the
hostname AVP that the peer sends in the SCCRQ or
SCCRP message (depending on the tunnel initiator).
242 Ascend_Data_Filter No Yes Yes Binary String.
Standard RADIUS Attributes in CoA and Disconnect Messages
Table A-5 lists the standard RADIUS attributes that can appear in CoA-Request, CoA-Response,
Disconnect-Request, and Disconnect-Response messages. For details about these standard attributes, see
Table A-5.
Table A-5 Standard RADIUS Attributes in CoA and Disconnect Messages
Columns: #, Attribute Name, Sent in CoA Request, Sent in CoA Response, Sent in Disconnect Request, Sent in Disconnect Response, Notes
1 User-Name Yes No Yes No
4 NAS-IP-Address Yes No Yes No
5 NAS-Port Yes No Yes No
6 Service-Type Yes Yes(1) Yes Yes(1)
7 Framed-Protocol Yes No No No
8 Framed-IP-Address Yes No Yes No
9 Framed-IP-Netmask Yes No No No
11 Filter-Id Yes No No No
12 Framed-MTU Yes No No No
18 Reply-Message Yes No Yes No
22 Framed-Route Yes No No No
24 State Yes Yes Yes Yes
25 Class Yes No Yes No
26 Vendor-Specific Yes No Yes No
27 Session-Timeout Yes No No No
28 Idle-Timeout Yes No No No
30 Called-Station-Id Yes No Yes No
31 Calling-Station-Id Yes No Yes No
32 NAS-Identifier Yes No Yes No
33 Proxy_State Yes Yes Yes Yes
44 Acct-Session-Id Yes No Yes No
50 Acct-Multi-Session-Id Yes No Yes No
55 Event-Timestamp Yes Yes Yes Yes
61 NAS-Port-Type Yes No Yes No
62 Port-Limit Yes No No No
64 Tunnel-Type Yes No No No
65 Tunnel-Medium-Type Yes No No No
66 Tunnel-Client-Endpoint Yes No No No
67 Tunnel-Server-Endpoint Yes No No No
69 Tunnel-Password Yes No No No
82 Tunnel-Assignment-ID Yes No No No
83 Tunnel-Preference Yes No No No
85 Acct_Interim_Interval Yes No No No
87 NAS-Port-Id Yes No Yes No
90 Tunnel-Client-Auth-ID Yes No No No
91 Tunnel-Server-Auth-ID Yes No No No
94 Originating-Line-Id Yes No Yes No
96 Framed-Interface-Id Yes No Yes No
101 Error-Cause No Yes(1) No Yes
242 Ascend_Data_Filter Yes No No No
1. Sent in NAK message only.
Standard RADIUS Attributes That Can Be Reauthorized
Table A-6 lists the standard RADIUS attributes that are reauthorized when you enter the reauthorize
command (in exec mode).
Table A-6 Standard RADIUS Attributes Supported by Reauthorization
Columns: #, Attribute Name, Description
11 Filter-Id Filters inbound or outbound traffic through an access control list (ACL).
25 Class Forwards the information sent by the RADIUS server to the SmartEdge router,
without interpretation, in subsequent accounting messages to the RADIUS
accounting server for that subscriber session.
26 Vendor_Specific Allows Redback Networks to support its own VSAs.
27 Session-Timeout Sets the in-service time allowed before the session terminates.
28 Idle-Timeout Sets the idle time allowed before the session terminates.
85 Acct_Interim_Interval Sets the value to an integer.
242 Ascend_Data_Filter Allows multiple values.
Redback VSAs
Redback VSAs appear in the various types of RADIUS messages as described in the following sections:
Redback VSAs in Access and Account Messages
Redback VSAs in CoA and Disconnect Messages
Redback VSAs That Can Be Reauthorized
VSA 164 Format
VSA 196 Format
Redback VSAs in Access and Account Messages
Table A-7 lists the Redback VSAs that are supported by the SmartEdge OS and that can appear in
Access-Request, Account-Request, and Access-Response messages.
Table A-7 Redback VSAs Supported by the SmartEdge OS
Columns: #, VSA Name, Sent in Access-Request, Sent in Acct-Request, Received in Access-Response, Notes
1 Client-DNS-Pri No No Yes IP address of the primary DNS server for this
subscriber's connection.
2 Client-DNS-Sec No No Yes IP address of the secondary DNS server for this
subscriber's connection.
3 DHCP-Max-Leases No Yes Yes Integer. Maximum number of DHCP addresses this
subscriber can allocate to hosts. The range of
values is 1 to 255.
4 Context-Name No Yes Yes Binds the subscriber session to specified context,
overriding the structured username. This
information is only interpreted when global AAA is
enabled.
5 Bridge-Group No No Yes String. Bridge group name; attaches subscriber to
the named bridge group.
6 BG-Aging-Time No No Yes String. bg-name:val; configures bridge aging time
for subscriber attaching to the named bridge group.
7 BG-Path-Cost No No Yes String. bg-name:val; configures bridge path cost for
subscriber attaching to the named bridge group.
8 BG-Span-Dis No No Yes String. bg-name:val; disables spanning tree for
subscriber attaching to the named bridge group.
The val argument can have the following values:
1 = TRUE
2 = FALSE
9 BG-Trans-BPDU No No Yes String. bg-name:val; sends transparent spanning
tree bridge protocol data units (BPDUs) for a
subscriber attaching to the named bridge group.
The val argument can have the following values:
1 = TRUE
2 = FALSE
10 Rate-Limit-Rate No Yes Yes 4-byte integer. Configures rate limit rate for
subscribers in kbps. Valid range of values is 10 to
1,250,000 kbps. If this parameter is configured, the
Rate-Limit-Burst must also be configured.
11 Rate-Limit-Burst No Yes Yes 4-byte integer. Configures rate limit burst rate for
subscribers in bytes. Valid range of values is 0 to
1,562,500,000 bytes. If this parameter is
configured, the Rate-Limit-Rate must also be
configured.
12 Police-Rate No Yes Yes 4-byte integer. Configures policing rate for
subscribers in kbps. Valid range of values is 10 to
1,250,000 kbps. If this parameter is configured, the
Police-Burst must also be configured.
13 Police-Burst No Yes Yes 4-byte integer. Configures policing burst rate for
subscribers in bytes. Valid range of values is 0 to
1,562,500,000 bytes. If this parameter is
configured, the Police-Rate must also be
configured.
14 Source-Validation No Yes Yes Integer. Enables source validation for subscriber,
according to one of the following values:
1 = TRUE
0 = FALSE
15 Tunnel-Domain No No Yes Integer. Binds the subscriber to a tunnel based on
the domain name portion of the username,
according to one of the following values:
1 = TRUE
0 = FALSE
16 Tunnel-Local-Name No No Yes String. Defines the local hostname provided to the
remote peer during tunnel setup.
17 Tunnel-Remote-Name No No Yes String. Defines an alias for the remote peer name.
18 Tunnel-Function No Yes Yes Integer. Determines this tunnel configuration as a
LAC-only endpoint or an LNS endpoint, according
to one of the following values:
1 = LAC only
2 = LNS only
21 Tunnel-Max-Sessions No Yes Yes Integer. Limits the number of sessions per tunnel
using this tunnel configuration.
22 Tunnel-Max-Tunnels No Yes Yes Integer. Limits the number of tunnels that can be
initiated using this tunnel configuration.
23 Tunnel-Session-Auth No No Yes Integer. Specifies the authentication method to use
during PPP authentication, according to one of the
following values:
1 = CHAP
2 = PAP
3 = CHAP-PAP
24 Tunnel-Window No No Yes Integer. Configures the receive window size for
incoming L2TP messages.
25 Tunnel-Retransmit No No Yes Integer. Specifies the number of times the
SmartEdge router retransmits a control message.
26 Tunnel-Cmd-Timeout No No Yes Integer. Specifies the number of seconds for the
timeout interval between control message
retransmissions.
27 PPPOE-URL No Yes Yes String in PPPoE URL format. Defines the PPPoE
URL that is sent to the remote PPPoE client via the
PADM packet.
28 PPPOE-MOTM No Yes Yes String. Defines the PPPoE MOTM message that is
sent to the remote PPPoE client via the PADM
packet.
29 Tunnel-Group No Yes Yes Integer. Indicates whether this record is a tunnel
group with a list of member peers:
1 = TRUE
0 = FALSE
30 Tunnel-Context No Yes Yes String. Context name. Used in a DNIS peer record,
this attribute specifies the context where the named
peer should be found.
31 Tunnel-Algorithm No No Yes Integer. Specifies the session distribution algorithm
used to choose between the peer configurations in
the RADIUS response. This VSA instructs the
SmartEdge OS on how to interpret standard
RADIUS attribute 83, Tunnel-Preference, according
to one of the following values:
1 = Priority
2 = Load-Balance
3 = Weighted round-robin
32 Tunnel-Deadtime No No Yes Integer. Specifies the number of minutes during
which no sessions are attempted to an L2TP peer
when the peer is down.
33 Mcast-Send No Yes Yes Integer. Defines whether or not the subscriber can
send multicast packets, according to one of the
following values:
1 = NO SEND
2 = SEND
3 = UNSOLICITED SEND
34 Mcast-Receive No Yes Yes Integer. Defines whether or not the subscriber can
receive multicast packets, according to one of the
following values:
1 = NO RECEIVE
2 = RECEIVE
35 Mcast-MaxGroups No Yes Yes Integer. Specifies the maximum number of multicast
groups of which the subscriber can be a member.
36 Ip-Address-Pool-Name No Yes Yes String. Name of the interface or IP pool used to
assign an IP pool address to the subscriber.
37 Tunnel-DNIS No Yes Yes Integer. L2TP peer parameter specifying if incoming
sessions from this peer are to be switched based on
the incoming DNIS AVP if present or on the
incoming DNIS AVP only (terminated if no DNIS
AVP is present):
1 = DNIS
2 = DNIS ONLY
38 Medium-Type Yes Yes No Integer. Contains the medium type of the circuit.
The system sets this value to DSL for CLIPS and
PPP subscribers.
39 PVC-Encapsulation-Type No No Yes Integer. Encapsulation type to be applied to the
circuit:
2 = Routed 1483
4 = ATM multi
5 = Bridged 1483
6 = ATM PPP
7 = ATM PPP serial
8 = ATM PPP NLPID
9 = ATM PPP auto
10 = ATM PPPoE
12 = ATM PPP LLC
22 = Ethernet IPoE
23 = Ethernet PPPoE
24 = Ethernet dot1q
26 = Ethernet dot1q pppoe
31 = Ethernet dot1q tunnel pppoe
32 = Ethernet dot1q multi
33 = Ethernet dot1q tunnel multi
40 PVC-Profile-Name No No Yes String. Name of the ATM profile that is assigned to
the subscriber record, a named profile, or the
default profile, using the shaping profile command
(in subscriber configuration mode), to use for this
circuit.
42 Bind-Type No No Yes Integer. Binding type to be applied to this circuit:
1 = authentication
3 = interface
4 = subscriber
14 = autosubscriber
CCOD (circuit creation on demand) circuits
support only subscriber bind types.
43 Bind-Auth-Protocol No No Yes Integer. Authentication protocol to use for this
circuit:
1 = PAP
2 = CHAP
4 = CHAP PAP
5 = AAA-PPP-CHAP-WAIT-PAP
7 = PAP CHAP
44 Bind-Auth-Max-Sessions No No Yes Integer. Maximum number of PPPoE sessions
allowed to be created for this circuit. Also specifies
the same for PPPoE sessions tunneled with
Ethernet encapsulation over L2TP on the LNS.
45 Bind-Bypass-Bypass No No Yes String. Name of the bypass being bound.
46 Bind-Auth-Context No No Yes String. Bind authentication context name. Also
specifies the same for PPPoE sessions tunneled
with Ethernet encapsulation over L2TP on the LNS.
47 Bind-Auth-Service-Grp No No Yes String. Bind authentication service group name.
Also specifies the same for PPPoE sessions
tunneled with Ethernet encapsulation over L2TP on
the LNS.
48 Bind-Bypass-Context No No Yes String. Bind bypass context name.
49 Bind-Int-Context No No Yes String. Bind interface context name. Also specifies
the same for IP bridging sessions tunneled with
Ethernet encapsulation over L2TP on the LNS.
50 Bind-Tun-Context No No Yes String. Bind tunnel context name.
51 Bind-Ses-Context No No Yes String. Bind session context name.
52 Bind-Dot1q-Slot No No Yes Integer. Bind 802.1Q slot number.
53 Bind-Dot1q-Port No No Yes Integer. Bind 802.1Q port number.
54 Bind-Dot1q-Vlan-Tag-Id No No Yes Integer. Bind 802.1Q VLAN tag ID.
55 Bind-Int-Interface-Name No No Yes String. Bind interface name. Also specifies the
same for IP bridging sessions tunneled with
Ethernet encapsulation over L2TP on the LNS.
56 Bind-L2TP-Tunnel-Name No No Yes String. Bind L2TP tunnel name.
57 Bind-L2TP-Flow-Control No No Yes Integer. Bind L2TP flow control.
58 Bind-Sub-User-At-Context No No Yes String. Bind subscriber context name.
59 Bind-Sub-Password No No Yes String. Bind subscriber password.
60 Ip-Host-Addr No No Yes String in the form A.B.C.D hh:hh:hh:hh:hh:hh.
IP host address and MAC address. A space must
separate the IP address from the MAC address.
61 IP-TOS-Field No No Yes Integer. Specifies the value of the IP ToS field. Used
for soft QoS:
0 = normal
1 = min-cost only
2 = max-reliability only
3 = max-reliability plus min-cost
4 = max-throughput only
5 = max-throughput plus min-cost
6 = max-throughput plus max-reliability
7 = max-throughput plus max-reliability plus min-cost
8 = min-delay only
9 = min-delay plus min-cost
10 = min-delay plus max-reliability
11 = min-delay plus max-reliability plus min-cost
12 = min-delay plus max-throughput
13 = min-delay plus max-throughput plus min-cost
14 = min-delay plus max-throughput plus max-reliability
15 = min-delay plus max-throughput plus max-reliability plus min-cost
62 NAS-Real-Port Yes Yes No Integer. Indicates the port number of the physical
circuit on which the session was received. The
format (in bits) is:
SSSSPPPPCCCCCCCCCCCCCCCCCCCCCCCC
where:
S = Slot (4 bits)
P = Port (4 bits)
C = Circuit (24 bits; for ATM, 8 bits of VPI and 16 bits of VCI)
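An added example, not Redback code, that packs and unpacks the NAS-Real-Port bit layout above. Reading the 24 circuit bits on ATM as VPI in the high 8 bits and VCI in the low 16 bits is this example's assumption, and since the attribute does not say which medium the circuit uses, the caller passes atm=True (for instance when Medium-Type, VSA 38, says so).

```python
"""Pack and unpack the Redback NAS-Real-Port VSA (VSA 62) integer.

Added example, not Redback code. Bit layout from the table:
    SSSSPPPPCCCCCCCCCCCCCCCCCCCCCCCC  (4 slot bits, 4 port bits, 24 circuit bits)
Placing the ATM VPI in the high 8 bits of the circuit field and the VCI in
the low 16 bits is this example's assumption about the order.
"""
from dataclasses import dataclass
from typing import Optional

SLOT_BITS, PORT_BITS, CIRCUIT_BITS = 4, 4, 24
VPI_BITS, VCI_BITS = 8, 16


@dataclass(frozen=True)
class RealPort:
    slot: int
    port: int
    circuit: int
    vpi: Optional[int] = None
    vci: Optional[int] = None


def _check(name: str, value: int, bits: int) -> None:
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def encode_nas_real_port(slot: int, port: int, circuit: int) -> int:
    """Build the 32-bit value from its three fields, rejecting out-of-range input."""
    _check("slot", slot, SLOT_BITS)
    _check("port", port, PORT_BITS)
    _check("circuit", circuit, CIRCUIT_BITS)
    return (slot << (PORT_BITS + CIRCUIT_BITS)) | (port << CIRCUIT_BITS) | circuit


def atm_circuit(vpi: int, vci: int) -> int:
    """Circuit field for an ATM PVC: VPI in the upper 8 bits, VCI in the lower 16 (assumed order)."""
    _check("vpi", vpi, VPI_BITS)
    _check("vci", vci, VCI_BITS)
    return (vpi << VCI_BITS) | vci


def decode_nas_real_port(value: int, atm: bool = False) -> RealPort:
    """Split a NAS-Real-Port value; with atm=True also split the circuit into VPI/VCI."""
    _check("NAS-Real-Port", value, SLOT_BITS + PORT_BITS + CIRCUIT_BITS)
    slot = value >> (PORT_BITS + CIRCUIT_BITS)
    port = (value >> CIRCUIT_BITS) & ((1 << PORT_BITS) - 1)
    circuit = value & ((1 << CIRCUIT_BITS) - 1)
    if atm:
        return RealPort(slot, port, circuit, vpi=circuit >> VCI_BITS,
                        vci=circuit & ((1 << VCI_BITS) - 1))
    return RealPort(slot, port, circuit)


if __name__ == "__main__":
    # The NAS-Port-Id example from this appendix, "4/1 vpi-vci 207 138", as a real-port value
    v = encode_nas_real_port(4, 1, atm_circuit(207, 138))
    print(hex(v), decode_nas_real_port(v, atm=True))  # 0x41cf008a
```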
63 Tunnel-Session-Auth-Ctx No Yes Yes String. L2TP peer parameter that specifies the
name of the context in which all incoming PPP over
L2TP sessions should be authenticated, regardless
of the domain specified in the username.
64 Tunnel-Session-Auth-Service-Grp No Yes Yes String. L2TP peer parameter specifying the service
group (service access control list [ACL]) to be used
for all incoming PPP over L2TP sessions.
65 Tunnel-Rate-Limit-Rate No Yes Yes 4-byte integer. L2TP or GRE peer parameter
specifying the rate-limit rate for a tunnel in kbps.
Valid range of values is 10 to 1,250,000 kbps. If this
parameter is configured, the
Tunnel-Rate-Limit-Burst must also be configured.
66 Tunnel-Rate-Limit-Burst No Yes Yes 4-byte integer. L2TP or GRE peer parameter
specifying the rate-limit burst for a tunnel in bytes.
Valid range of values is 0 to 1,562,500,000 bytes. If
this parameter is configured, the
Tunnel-Rate-Limit-Rate must also be configured.
67 Tunnel-Police-Rate No Yes Yes 4-byte integer. L2TP or GRE peer parameter
specifying the policing rate for a tunnel in kbps.
Valid range of values is 10 to 1,250,000 kbps. If this
parameter is configured, the Tunnel-Police-Burst
must also be configured.
68 Tunnel-Police-Burst No Yes Yes 4-byte integer. L2TP or GRE peer parameter
specifying the policing burst for a tunnel in bytes.
Valid range of values is 0 to 1,562,500,000 bytes. If
this parameter is configured, the
Tunnel-Police-Rate must also be configured.
69 Tunnel-L2F-Second-Password No Yes Yes String. L2F peer parameter specifying the password
string used to authenticate the L2F remote peer.
Note: The Tunnel-Password attribute is used for
authentication in the other direction.
70 ACL-Definition No Yes Yes String. Used to define ACL definitions in the
RADIUS database. The ACL-Name attribute is the
username and the Service-Type attribute must be
set to Access-Control-List. The data content of this
attribute contains ACL definitions similar to the
SmartEdge OS command-line interface (CLI).
71 PPPoE-IP-Route-Add No Yes Yes String. Allows the PPPoE subscriber routing table to
be populated in terms of what routes to be installed
if multiple PPPoE sessions exist. A more granular
set of routes can be achieved when multiple
sessions are active to the client. The format is
h.h.h.h nn g.g.g.g m where:
h.h.h.h=IP address of destination host or network.
nn=optional netmask size in bits (if not present,
defaults to 32).
g.g.g.g=IP address of gateway.
m=Number of hops for this route.
If the first byte of VSA 71 is 121 (classless static
route), then this VSA is used to handle the DHCP
option 121.
72 TTY-Level-Start No No Yes Integer. Indicates the starting privilege level for the
administrator. The range of values is 0 to 15 and the
value must be less than or equal to the value of
TTY-Level-Max.
73 TTY-Level-Max No No Yes Integer. Indicates the maximum privilege level for
the administrator. The range of values is 0 to 15,
and the value must be greater than or equal to the
value of TTY-Level-Start.
74 Tunnel-Checksum No Yes Yes Integer. Enables GRE checksums. When enabled,
a checksum is computed for each outgoing GRE
packet. This allows the remote system to verify the
integrity of each packet. Incoming packets that fail
the checksum are discarded. A value of 1 equals
enabled. Any other value for this attribute equals
disabled.
75 Tunnel-Profile No No Yes String. Attaches a profile to the tunnel. Used when
configuring a tunnel from a RADIUS server. A
Tunnel-Profile attribute in a subscriber record is
ignored.
78 Tunnel-Client-VPN No Yes Yes String. Name of the target context (a virtual private
network [VPN]) on the client side of the tunnel.
Required for GRE. If omitted, the system
automatically sets the value equal to the value set
for the Tunnel-Server-VPN attribute.
79 Tunnel-Server-VPN No Yes Yes String. Name of the target context (VPN) on the
server side of the tunnel.
80 Tunnel-Client-Rhost No Yes Yes String. Normally configured in the ip host command
(in GRE tunnel, or ATM, dot1q, Frame Relay, or link
PVC configuration mode) on the client system. If
omitted, the system uses the value of the
Tunnel-Client-Int-Addr attribute on the server side.
81 Tunnel-Server-Rhost No Yes Yes String. Normally configured in the ip host command
(in PVC configuration mode) on the server system.
If omitted, the system uses the value of the
Tunnel-Server-Int-Addr attribute on the client side.
82 Tunnel-Client-Int-Addr No Yes Yes IP address of the interface to bind in the VPN
context. This address is also used in the ip host
statement on the server system. Required attribute
for GRE.
83 Tunnel-Server-Int-Addr No Yes Yes IP address of the server interface. This address is
also used in the ip host command (in GRE tunnel,
or ATM, dot1q, Frame Relay, or link PVC
configuration mode) on the client system. Required
attribute for GRE.
85 Tunnel-Hello-Timer No No Yes Integer. Hello timer (in seconds) representing the
time the tunnel is silent before it transmits a hello
message. It is configured using the hello-timer
command (in L2TP peer configuration mode).
86 Redback-Reason No Yes No Integer. If the NetOp Policy Manager (PM) sends
the SmartEdge router (through SNMP) a non-zero
clear reason while trying to clear (bounce) the
subscriber session, this clear reason value is sent
to the RADIUS server in the RADIUS accounting
Stop packet in this VSA.
87 Qos-Policy-Policing No Yes Yes String. Attaches a QoS policing policy to the
subscriber session.
88 Qos-Policy-Metering No Yes Yes String. Attaches a QoS metering policy to the
subscriber session.
89 Qos-Policy-Queuing No Yes Yes String. Attaches a QoS queuing policy of any type
supported by the circuit to the subscriber session.
90 Igmp-Service-Profile-Name No Yes Yes String. Name of the IGMP service profile that is
applied to the subscriber session.
91 Subscriber-Profile-Name No Yes Yes Name of the subscriber profile that is applied to the
subscriber session.
92 Forward-Policy No Yes Yes String. Attaches an in or out forward policy to the
subscriber session. The forward policy is in the
following format:
in:forward-policy-name
out:forward-policy-name
94 Reauth-String No No Yes String. The format is:
ID-type;subID;attr-num;attr-value;attr-num;attr-value...
When the ID-type is 1, the subID is read as a
RADIUS accounting session ID. When the
ID-type is 2, the subID is read as a name.
The semicolon (;) acts as a delimiter.
Attr-num is an integer that identifies a RADIUS
attribute. For example, standard RADIUS attribute
11 (Filter-Id) for an access control list (ACL) or
Redback VSA 87 (Qos-Policy-Policing) for a QoS
policing policy. (Redback VSAs include the
Redback prefix, 2352.)
Attr-value is the value of the RADIUS
attribute specified by attr-num.
95 Reauth-More No No Yes Integer. 0 or 1 (False or True).
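An added example, not Redback code, that parses and rebuilds a Reauth-String as laid out above. How the 2352 vendor prefix is written into an attr-num is not given here, so attr-num tokens are kept verbatim rather than interpreted; the session ID and names used are constructed.

```python
"""Parse and build the Redback Reauth-String VSA (VSA 94).

Added example, not Redback code. Layout from the table:
    ID-type;subID;attr-num;attr-value;attr-num;attr-value...
ID-type 1 means subID is a RADIUS accounting session ID, 2 means a name.
The page does not say how the Redback vendor prefix 2352 is written into an
attr-num, so attr-num tokens are kept verbatim rather than interpreted.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ID_TYPE_ACCT_SESSION = 1
ID_TYPE_NAME = 2
DELIM = ";"


@dataclass
class ReauthString:
    id_type: int
    sub_id: str
    attrs: List[Tuple[str, str]] = field(default_factory=list)  # (attr-num, attr-value)


def parse_reauth_string(text: str) -> ReauthString:
    """Split on ';' and validate the ID-type, subID and attr-num/attr-value pairing."""
    fields = text.split(DELIM)
    if len(fields) < 4:
        raise ValueError("need ID-type, subID and at least one attr-num/attr-value pair")
    try:
        id_type = int(fields[0])
    except ValueError:
        raise ValueError(f"ID-type must be an integer, got {fields[0]!r}") from None
    if id_type not in (ID_TYPE_ACCT_SESSION, ID_TYPE_NAME):
        raise ValueError(f"unsupported ID-type {id_type}")
    sub_id = fields[1]
    if not sub_id:
        raise ValueError("subID is empty")
    rest = fields[2:]
    if len(rest) % 2:
        raise ValueError("attr-num without a matching attr-value")
    attrs: List[Tuple[str, str]] = []
    for num, val in zip(rest[::2], rest[1::2]):
        if not num.strip():
            raise ValueError("empty attr-num")
        attrs.append((num.strip(), val))
    return ReauthString(id_type, sub_id, attrs)


def build_reauth_string(r: ReauthString) -> str:
    """Inverse of parse_reauth_string; rejects fields that would collide with the delimiter."""
    if r.id_type not in (ID_TYPE_ACCT_SESSION, ID_TYPE_NAME):
        raise ValueError(f"unsupported ID-type {r.id_type}")
    parts = [str(r.id_type), r.sub_id]
    for num, val in r.attrs:
        parts.extend([num, val])
    if any(DELIM in p for p in parts[1:]):
        raise ValueError("a field contains the ';' delimiter and cannot be encoded")
    return DELIM.join(parts)


if __name__ == "__main__":
    # Constructed: reauthorize the session with accounting ID 0a1b2c3d, attaching
    # Filter-Id (standard attribute 11) "subscriber-acl-in"
    print(parse_reauth_string("1;0a1b2c3d;11;subscriber-acl-in"))
```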
96 Agent-Remote-Id Yes Yes No String. Used for two types of subscriber sessions:
Incoming CLIPS sessions to the SmartEdge
router from a DHCP relay network. This is
suboption 2 in a DHCP option 82 packet.
PPPoE sessions. Sent by the PPP client in the
PADR.
This attribute can also be set through the radius
attribute calling-station-id and radius attribute
nas-port-id commands in context configuration
mode; see Chapter 21, RADIUS Configuration.
97 Agent-Circuit-Id Yes Yes No String. Used for two types of subscriber sessions:
CLIPS sessions coming into the SmartEdge via a
DHCP relay network. This is suboption 1 in a
DHCP option 82 packet.
PPPoE sessions. Sent by the PPP client in the
PADR.
This attribute can also be set through the radius
attribute calling-station-id and radius attribute
nas-port-id commands in context configuration
mode; see Chapter 21, RADIUS Configuration.
98 Platform-Type Yes Yes No Integer. Indicates the Redback product family from
which the RADIUS access request is sent. The
supported values are:
2 = PLATFORM_TYPE_SE800
3 = PLATFORM_TYPE_SE400
99 RB-Client-NBNS-Pri No Yes Yes IP address. Configures the IP address of a primary
NetBios Name Server (NBNS) that the subscriber
must use.
100 RB-Client-NBNS-Sec No Yes Yes IP address. Configures the IP address of a
secondary NBNS that the subscriber must use.
101 Shaping-Profile-Name No Yes Yes String. Name of the ATM shaping profile.
104 IP-Interface-Name No Yes Yes String. Interface name. Binds a subscriber to the
specified interface. This VSA is used in conjunction
with VSA 3, DHCP-Max-Leases.
This attribute can also be set through the ip
interface name command (in subscriber
configuration mode); see Chapter 5, DHCP
Configuration.
105 NAT-Policy-Name No Yes Yes String. NAT policy name. Attaches the specified
NAT policy to a subscriber.
106 NPM-Service-Id No No Yes String. Service identifier for a service defined in the
NetOp Policy Manager (PM) database.
107 HTTP-Redirect-Profile-Name No Yes (alive and stop records only) Yes String of up to 32 characters. HTTP redirect profile
name.
108 Bind-Auto-Sub-User No No Yes String. Subscriber name prefix as specified by the
bind auto-subscriber command (in ATM PVC,
CLIPS PVC, or dot1q PVC configuration mode).
The prefix is included in the automatically
generated subscriber name. For more information
about this command and the format for the
automatically generated subscriber name, see the
Bindings Configuration chapter in the Ports,
Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
109 Bind-Auto-Sub-Context No No Yes String. Name of context in which the subscriber is
bound with the bind auto-subscriber command (in
ATM PVC, CLIPS PVC, or dot1q PVC configuration
mode). For more information about this command,
see the Bindings Configuration chapter in the
Ports, Circuits, and Tunnels Configuration Guide for
the SmartEdge OS.
110 Bind-Auto-Sub-Password No No Yes String. Password prefix as specified by the bind
auto-subscriber command (in ATM PVC, CLIPS
PVC, or dot1q PVC configuration mode). The prefix
is included in the automatically generated
subscriber password. For more information about
this command and the format for the automatically
generated subscriber password, see the Bindings
Configuration chapter in the Ports, Circuits, and
Tunnels Configuration Guide for the
SmartEdge OS.
111 Circuit-Protocol-Encap No Yes Yes Integer. Circuit encapsulation for CCOD child
circuit. The following are the supported values:
27 = PPPoE encapsulation
34 = PPPoE multiencapsulation
35 = PPPoE tunnel multiencapsulation
112 OS-Version Yes Yes No String. Software version number.
113 Session-Traffic-Limit No Yes Yes String. Specifies that inbound, outbound, or
aggregated traffic be limited. Use the in: limit, out:
limit or aggregate: limit format, where limits are in
Kilobytes (KB). The limit values set for inbound and
outbound traffic are independent of each other. The
limit value set for aggregate traffic is the total sum of
both inbound and outbound traffic.
When configuring Session-Traffic-Limit, you can
configure the limit for either of these options:
Inbound traffic, outbound traffic, or both
Aggregate traffic
You cannot configure a limit for aggregate traffic
together with a limit for inbound or outbound traffic.
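An added example, not Redback code, that validates a set of Session-Traffic-Limit values against the rules above and applies them to a session's byte counters; it assumes one in:/out:/aggregate: item per attribute instance and a 1024-byte kilobyte for the usage check.

```python
"""Validate and apply the Redback Session-Traffic-Limit VSA (VSA 113).

Added example, not Redback code. Each value is "in: limit", "out: limit" or
"aggregate: limit" with the limit in kilobytes (KB). Inbound and outbound
limits are independent and may both be set; an aggregate limit covers the sum
of both directions and cannot be combined with an in or out limit.
Assumptions of this example: one item per attribute instance, and 1 KB = 1024 bytes.
"""
import re
from typing import Dict, Iterable

KB = 1024  # assumption: binary kilobyte
_ITEM = re.compile(r"^\s*(in|out|aggregate)\s*:\s*(\d+)\s*$")


def parse_session_traffic_limits(values: Iterable[str]) -> Dict[str, int]:
    """Return {direction: limit_kb} after enforcing the table's combination rule."""
    limits: Dict[str, int] = {}
    for raw in values:
        m = _ITEM.match(raw)
        if m is None:
            raise ValueError(f"malformed Session-Traffic-Limit value: {raw!r}")
        key, kb = m.group(1), int(m.group(2))
        if key in limits:
            raise ValueError(f"{key} limit given more than once")
        limits[key] = kb
    if "aggregate" in limits and ({"in", "out"} & limits.keys()):
        raise ValueError("aggregate limit cannot be combined with in or out limits")
    if not limits:
        raise ValueError("no Session-Traffic-Limit values given")
    return limits


def traffic_limit_reached(limits: Dict[str, int], in_bytes: int, out_bytes: int) -> bool:
    """True once the session's counters reach any configured limit."""
    if "aggregate" in limits:
        return in_bytes + out_bytes >= limits["aggregate"] * KB
    if "in" in limits and in_bytes >= limits["in"] * KB:
        return True
    if "out" in limits and out_bytes >= limits["out"] * KB:
        return True
    return False


if __name__ == "__main__":
    # Constructed: 1000 KB inbound and 2000 KB outbound, checked independently
    lim = parse_session_traffic_limits(["in: 1000", "out: 2000"])
    print(lim, traffic_limit_reached(lim, 1000 * KB, 0))  # {'in': 1000, 'out': 2000} True
```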
114 QoS-Reference No Yes Yes String. Specifies the node name, the node-name
index, the group name, and the group-name index.
A colon (:) separates the node-name index from the
group name.
125 DHCP-Vendor-Class-Id Yes Yes No String. DHCP option 60 value.
127 DHCP-Vendor-Encap-Options No Yes Yes String. DHCP option 43 values. The format is:
code:value:code:value ....
where:
code = DHCP vendor-encapsulation option number
value = option data in one of the following formats:
IP address type = dot notation
Number = decimal integer
ASCII string = ASCII characters without quotation marks
Binary string = Hex values of bytes separated by commas (,)
For descriptions of the vendor-encapsulated
options found in RFC 2132, DHCP Options and
BOOTP Vendor Extension, see Table 4-10 to
Table 4-16.
128 Acct-Input-Octets-64 No Yes No Integer. 64-bit value for the Acct-Input-Octets
standard attribute per RFC 2139.
129 Acct-Output-Octets-64 No Yes No Integer. 64-bit value for the Acct-Output-Octets
standard attribute per RFC 2139.
130 Acct-Input-Packets-64 No Yes No Integer. 64-bit value for the Acct-Input-Packets
standard attribute per RFC 2139.
131 Acct-Output-Packets-64 No Yes No Integer. 64-bit value for Acct-Output-Packets
attribute per RFC 2139.
132 Assigned-IP-Address No Yes No IP address. Reports IP addresses assigned to a
subscriber via IP pools or DHCP.
133 Acct-Mcast-In-Octets-64 No Yes No Integer. 64-bit value for the Acct-Mcast-In-Octets
attribute.
134 Acct-Mcast-Out-Octets-64 No Yes No Integer. 64-bit value for the Acct-Mcast-Out-Octets
attribute.
135 Acct-Mcast-In-Packets-64 No Yes No Integer. 64-bit value for the Acct-Mcast-In-Packets
attribute.
136 Acct-Mcast-Out-Packets-64 No Yes No Integer. 64-bit value for the Acct-Mcast-Out-Packets
attribute.
137 LAC-Port Yes Yes No Integer. Contains the circuit handle for the incoming
session on an L2TP LAC. This attribute should be
present for a subscriber on an L2TP tunnel switch
or LNS only. The circuit can be virtual for a PPPoE
session.
138 LAC-Real-Port Yes Yes No Integer. Contains the circuit handle for the real
circuit of an incoming PPPoE session on an L2TP
LAC. This attribute should be present for a
subscriber on an L2TP tunnel switch or LNS only.
139 LAC-Port-Type Yes Yes No Integer. Contains the port type for the incoming
session on an L2TP LAC. This attribute should be
present for a subscriber on an L2TP tunnel switch
or LNS only. The port can be virtual for a PPPoE
session.
Values for port types are:
40 = NAS_PORT_TYPE_10BT
41 = NAS_PORT_TYPE_100BT
42 = NAS_PORT_TYPE_DS3_FR
43 = NAS_PORT_TYPE_DS3_ATM
44 = NAS_PORT_TYPE_OC3
45 = NAS_PORT_TYPE_HSSI
46 = NAS_PORT_TYPE_EIA530
47 = NAS_PORT_TYPE_T1
48 = NAS_PORT_TYPE_CHAN_T3
49 = NAS_PORT_TYPE_DS1_FR
50 = NAS_PORT_TYPE_E3_ATM
51 = NAS_PORT_TYPE_IMA_ATM
52 = NAS_PORT_TYPE_DS3_ATM_2
53 = NAS_PORT_TYPE_OC3_ATM_2
54 = NAS_PORT_TYPE_1000BSX
55 = NAS_PORT_TYPE_E1_FR
56 = NAS_PORT_TYPE_E1_ATM
57 = NAS_PORT_TYPE_E3_FR
58 = NAS_PORT_TYPE_OC3_POS
59 = NAS_PORT_TYPE_OC12_POS
60 = NAS_PORT_TYPE_PPPOE
140 LAC-Real-Port-Type Yes Yes No Integer. Contains the port type for the real circuit of
an incoming PPPoE session on an L2TP LAC. This
attribute should be present for a subscriber on an
L2TP tunnel switch or LNS only.
See VSA 139 for port-type values.
141 Acct-Dyn-Ac-Ent No Yes No String. Used for dynamic redirect ACLs. Specifies that when a watch access entry is triggered, an accounting update is generated.
The format for the accounting entry is status:direction:access-entry:byte-count:packet-count, where:
status = ON or OFF. The status is ON when the dynamic access entry is triggered and OFF when the dynamic access entry expires.
direction = IN or OUT. Flow of traffic in which the ACL was applied. Direction is IN for subscriber traffic destined for the SMS device and OUT for traffic destined to the subscriber.
access-entry = Triggered dynamic access entry that caused the update to be generated.
byte-count = Number of bytes that have passed through the dynamic access entry since it was triggered.
packet-count = Number of packets that have passed through the dynamic access entry since it was triggered.
142 Session-Error-Code No Yes No Integer. 32 bits. Stop record only. Communicates
specific error code information between Redback
devices.
143 Session-Error-Msg No Yes No String. Stop record only. Describes how the session
terminated.
144 Acct-Update-Reason No Yes No Integer. Reason code describing why the SmartEdge OS generated an accounting packet for a particular subscriber to RADIUS. Reason code values are:
1 = AAA_LOAD_ACCT_SESSION_UP
2 = AAA_LOAD_ACCT_SESSION_DOWN
3 = AAA_LOAD_ACCT_PERIODIC

16 = AAA_LOAD_ACCT_VOLUME_INGRESS_EXCEEDED
17 = AAA_LOAD_ACCT_VOLUME_EGRESS_EXCEEDED
18 = AAA_LOAD_ACCT_IDLE_TIMEOUT
19 = AAA_LOAD_ACCT_TIME_EXCEEDED
145 Mac-Addr Yes Yes No String. MAC address. The format is 17 octets in
hex. The MAC address is sent for all subscriber
PPPoE sessions. Supported media includes ATM
PVCs, 802.1Q PVCs (tagged or untagged VLANs),
and Ethernet ports.
147 Acct-Mcast-In-Octets No Yes No Integer. Number of inbound multicast octets.
148 Acct-Mcast-Out-Octets No Yes No Integer. Number of outbound multicast octets.
149 Acct-Mcast-In-Packets No Yes No Integer. Number of inbound multicast packets.
150 Acct-Mcast-Out-Packets No Yes No Integer. Number of outbound multicast packets.
151 Reauth-Session-Id No No Yes String. Identifies the reauthorize session request.
The value in this attribute is a string of attributes
and values for the identified subscriber.
156 Qos-Rate-Inbound No Yes Yes String. Changes the inbound QoS rate. The format
is rate:burst:excess-burst; changing the burst and
excess-burst values is optional.
157 Qos-Rate-Outbound No Yes Yes String. Changes the outbound QoS rate. The format
is rate:burst:excess-burst; changing the burst and
excess-burst values is optional.
158 Route-Tag No Yes Yes String. Assigns a route tag to the subscriber's IP address (Framed-IP-Route), as well as to the subscriber's route statements (Framed-IP-Route).
159 LI-Id No No Yes String. For lawful interception, identifies the
intercepted target session. The mediation device
ensures that this attribute is unique for all
intercepted sessions. This field can be
salt-encrypted.
160 LI-Md-Address No No Yes String (IP Address Version 4, dotted format). For
lawful interception, specifies the IP address of the
mediation device that receives the duplicated data.
The IP address cannot be 255.255.255.255 or
0.0.0.0. This field can be salt-encrypted.
161 LI-Md-Port No No Yes Integer. For lawful interception, specifies the User Datagram Protocol (UDP) port number of the mediation device that receives the duplicated data. This field can be salt-encrypted.
162 LI-Action No No Yes Integer. For lawful interception, specifies one of the following intercept actions:
0 = Stop interception of a session.
1 = Start interception of a session.
2 = No action; a dummy interception is ignored. Check to see if a subscriber is logged on.
When LI-Action is in Access-Accept packets, only 1 starts the tap. When LI-Action is in CoA-Request packets, you can enter any action. This field can be salt-encrypted.
163 LI-Profile Yes No Yes String. For lawful interception, specifies the name of
the LI profile configured on the SmartEdge OS. This
field can be salt-encrypted.
164 Dynamic-Policy-Filter No Yes Yes String. The string consists of a set of ASCII tokens separated by one or more spaces. No other characters are allowed. The tokens are shown in a syntax statement in the VSA 164 Format section, along with descriptions of the keywords and arguments in the syntax table.
165 HTTP-Redirect-URL No Yes Yes String. URL to which the SmartEdge OS redirects
HTTP requests.
166 DSL-Actual-Rate-Up Yes Yes No Integer 32-bit value. The actual DSL rate in the
upstream direction.
167 DSL-Actual-Rate-Down Yes Yes No Integer 32-bit value. The actual DSL rate in the
downstream direction.
168 DSL-Min-Rate-Up Yes Yes No Integer 32-bit value. The minimum DSL rate in the
upstream direction.
169 DSL-Min-Rate-Down Yes Yes No Integer 32-bit value. The minimum DSL rate in the
downstream direction.
170 DSL-Attainable-Rate-Up Yes Yes No Integer 32-bit value. The attainable DSL rate in the
upstream direction.
171 DSL-Attainable-Rate-Down Yes Yes No Integer 32-bit value. The attainable DSL rate in the
downstream direction.
172 DSL-Max-Rate-Up Yes Yes No Integer 32-bit value. The maximum DSL rate in the
upstream direction.
173 DSL-Max-Rate-Down Yes Yes No Integer 32-bit value. The maximum DSL rate in the
downstream direction.
174 DSL-Min-Low-Power-Rate-Up Yes Yes No Integer 32-bit value. The DSL minimum low power
rate in the upstream direction.
175 DSL-Min-Low-Power-Rate-Down Yes Yes No Integer 32-bit value. The DSL minimum low power
rate in the downstream direction.
176 DSL-Max-Inter-Delay-Up Yes Yes No Integer 32-bit value. The maximum DSL
interleaving delay in the upstream direction.
177 DSL-Actual-Inter-Delay-Up Yes Yes No Integer 32-bit value. The actual DSL interleaving
delay in the upstream direction.
178 DSL-Max-Inter-Delay-Down Yes Yes No Integer 32-bit value. The maximum DSL
interleaving delay in the downstream direction.
179 DSL-Actual-Inter-Delay-Down Yes Yes No Integer 32-bit value. The actual DSL interleaving
delay in the downstream direction.
180 DSL-Line-State Yes Yes No Integer 32-bit value. The DSL port state:
1 = SHOWTIME
2 = IDLE
3 = SILENT
181 DSL-L2-Encapsulation Yes Yes No Integer 32-bit value. The DSL data link protocol and data link encapsulation:
Data link byte:
0 = ATM AAL5
1 = ETHERNET
Encapsulation byte 1:
1 = Untagged
2 = Ethernet
Encapsulation byte 2:
0 = NA
1 = PPPoA LLC
2 = PPPoA NULL
3 = IPoA LLC
4 = IPoA NULL
5 = Ethernet over AAL5 LLC with FCS
6 = Ethernet over AAL5 LLC without FCS
7 = Ethernet over AAL5 NULL with FCS
8 = Ethernet over AAL5 NULL without FCS
182 DSL-Transmission-System Yes Yes No Integer 32-bit value. The DSL access-loop type of transmission system:
1 = ADSL1
2 = ADSL2
3 = ADSL2+
4 = VDSL1
5 = VDSL2
6 = SDSL
7 = UNKNOWN
183 DSL-PPPOA-PPPOE-Inter-Work-Flag Yes Yes No Integer. PPPoA-to-PPPoE interworking flag.
184 DSL-combined-Line-Info Yes Yes No String. The value of the TLV described in GSMP
Extensions for Layer 2 Control (L2C) Topology
Discovery and Line Configuration, section 5.4.1,
Topology Discovery.
185 DSL-Actual-Rate-Down-Factor Yes Yes No Integer. The rate that can be learned from the
DSLAM or from a PPPoE or DHCP tag, depending
on the configuration of the access-line rate
command (in subscriber configuration mode).
186 Class-Traffic-Limit No No Yes String. Specifies a traffic volume limit associated with a specific class when a subscriber session is initiated. The syntax for the Class-Traffic-Limit VSA string is [in: | out:] class-name limit, where:
in: - Optional. Specifies a traffic volume limit for traffic inbound to the SmartEdge router. If the traffic direction (inbound or outbound) is not specified, the traffic limit is applied to outbound traffic.
out: - Optional. Specifies a traffic volume limit for traffic outbound from the SmartEdge router.
class-name - Class name with which to associate the traffic volume limit. The class name must match an existing policy ACL applied, or being applied, to the subscriber circuit. If the class name does not exist, the subscriber circuit is not torn down during a reauthorization request and comes up with no effect on the traffic. If the class name does not have counters in the metering or policing policy, the subscriber circuit comes up with no effect on the traffic.
limit - Traffic volume limit in KB. A value of 0 specifies an unlimited, unmonitored traffic volume.
Zero or more Class-Traffic-Limit VSAs can be sent in an Access-Accept packet to the SmartEdge router. If the Class-Traffic-Limit VSA is not configured, the traffic volume is unlimited in both directions and is not monitored.
187 Acct-Class-In-Octets-64 No Yes No String. The actual inbound class traffic usage. Zero or more Acct-Class-In-Octets-64 and Acct-Class-Out-Octets-64 VSA pairs can be sent in an Acct-Request packet. The syntax for the Acct-Class-In-Octets-64 string is class-name count, where:
class-name - Class name for which traffic volume counts are sent.
count - 64-bit count of the traffic volume, in KB, for inbound traffic.
For more information about specifying the traffic volume limit associated with a specific class when a subscriber session is initiated, see the Redback VSA 186, Class-Traffic-Limit.
188 Acct-Class-Out-Octets-64 No Yes No String. The actual outbound class traffic usage. Zero or more Acct-Class-In-Octets-64 and Acct-Class-Out-Octets-64 VSA pairs can be sent in an Acct-Request packet. The syntax for the Acct-Class-Out-Octets-64 string is class-name count, where:
class-name - Class name for which traffic volume counts are sent.
count - 64-bit count of the traffic volume, in KB, for inbound traffic.
For more information about specifying the traffic volume limit associated with a specific class when a subscriber session is initiated, see the Redback VSA 186, Class-Traffic-Limit.
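The three string formats above (Session-Traffic-Limit, VSA 113; Class-Traffic-Limit, VSA 186; and the Acct-Class-In/Out-Octets-64 usage pairs, VSAs 187 and 188) are simple enough that a RADIUS server or accounting collector can validate them before they are sent or acted on. The following parsers are an added example written for this guide and are not Redback code; the sample VSA strings are constructed. One assumption is labelled in the code: the guide's syntax does not say whether a space follows the in: or out: prefix, so both spellings are accepted. The final function shows the defender-side use of the accounting pairs: comparing reported per-class volume against the limits that were authorized, which is how an operator would spot a class that has hit its volume cap.

```python
from typing import Dict, List, Optional, Tuple

# All VSA strings used with these functions are constructed examples for this guide.


def parse_session_traffic_limits(values: List[str]) -> Dict[str, int]:
    """Merge one or more Session-Traffic-Limit (VSA 113) values into {direction: KB}.

    Each value carries 'in:<kb>', 'out:<kb>' or 'aggregate:<kb>' tokens. The guide
    states that an aggregate limit cannot be configured together with an inbound or
    outbound limit, so that combination is rejected rather than silently merged.
    """
    limits: Dict[str, int] = {}
    for value in values:
        for token in value.split():
            key, sep, num = token.partition(":")
            if not sep or not num.isdigit() or key not in ("in", "out", "aggregate"):
                raise ValueError(f"malformed Session-Traffic-Limit token: {token!r}")
            if key in limits:
                raise ValueError(f"duplicate {key} limit")
            limits[key] = int(num)
    if "aggregate" in limits and ("in" in limits or "out" in limits):
        raise ValueError("aggregate limit cannot be combined with in/out limits")
    return limits


def parse_class_traffic_limit(value: str) -> Tuple[str, str, Optional[int]]:
    """Parse one Class-Traffic-Limit (VSA 186) string: '[in: | out:] class-name limit'.

    Returns (direction, class_name, limit_kb). Direction defaults to 'out' when the
    prefix is omitted; a limit of 0 means unlimited and unmonitored and is returned
    as None. Assumption: 'in: name 100' and 'in:name 100' are both accepted because
    the guide's syntax line does not say whether a space follows the colon.
    """
    tokens = value.split()
    direction = "out"
    if tokens and tokens[0] in ("in:", "out:"):
        direction = tokens.pop(0)[:-1]
    elif tokens and tokens[0].startswith(("in:", "out:")):
        direction, _, tokens[0] = tokens[0].partition(":")
    if len(tokens) != 2 or not tokens[1].isdigit():
        raise ValueError(f"malformed Class-Traffic-Limit: {value!r}")
    limit_kb = int(tokens[1])
    return direction, tokens[0], (limit_kb or None)


def parse_class_octets(value: str) -> Tuple[str, int]:
    """Parse an Acct-Class-In/Out-Octets-64 (VSA 187/188) string: 'class-name count'."""
    tokens = value.split()
    if len(tokens) != 2 or not tokens[1].isdigit():
        raise ValueError(f"malformed class usage string: {value!r}")
    return tokens[0], int(tokens[1])


def classes_over_limit(limit_values: List[str], in_usage: List[str],
                       out_usage: List[str]) -> List[Tuple[str, str, int, int]]:
    """Report every monitored class whose accounted volume (KB) reached its limit.

    limit_values are the Class-Traffic-Limit strings from the Access-Accept;
    in_usage/out_usage are the VSA 187/188 strings from an Acct-Request.
    Returns (direction, class_name, count_kb, limit_kb) tuples; classes whose
    limit is 0 (unmonitored) or that were never limited are ignored.
    """
    limits: Dict[Tuple[str, str], int] = {}
    for v in limit_values:
        direction, name, limit = parse_class_traffic_limit(v)
        if limit is not None:
            limits[(direction, name)] = limit
    usage: Dict[Tuple[str, str], int] = {}
    for direction, values in (("in", in_usage), ("out", out_usage)):
        for v in values:
            name, count = parse_class_octets(v)
            usage[(direction, name)] = count
    over = []
    for key in sorted(limits):
        count = usage.get(key, 0)
        if count >= limits[key]:
            over.append((key[0], key[1], count, limits[key]))
    return over


if __name__ == "__main__":
    # Constructed sample: video is capped inbound, voip outbound, web unmonitored.
    accepted = ["in: video 1000", "voip 500", "out: web 0"]
    print(classes_over_limit(accepted, ["video 1200"], ["voip 400", "web 99999"]))
```

The aggregate-versus-directional rule for VSA 113 is enforced at parse time because a server that emits both would otherwise produce an attribute set the router cannot apply consistently.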
189 Flow_FAC_Profile No Yes No String. Specifies the name of a Flow Admission-Control profile. This attribute is used to apply flow on the circuit of the configured subscriber.
The Flow_FAC_Profile attribute can only be configured under subscriber profile.
190 Service-Name No Yes Yes String. The name of the service to be activated, together with the following optional fields:
:service id - Used when there is more than one instance of the same service.
service-parameter - Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. You can also specify service parameters in VSA 192. See VSA 192 for formatting details.
191 Service-Options No No Yes Integer. Specifies whether or not accounting is enabled for service management:
ACCT-DISABLED = 0x00
ACCT-ENABLED = 0x01
192 Service-Parameter No Yes Yes String. Service parameters for a service that is specified in VSA 190, formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. If a parameter needs an array, the values in the array are separated by commas (,) with no space between the value and the comma. If the value is a string that includes either spaces or commas, enclose the string in double quotation marks (").
193 Service-Error-Cause No Yes No Integer. Specifies a service management error
according to one of the following values:
0 =Service success
401 =Unsupported attribute
402 =Missing attribute
404 =Invalid request
506 =Resource unavailable
550 =Generic service error
551 =Service not found
552 =Service already active
553 =Service accounting disabled
554 =Service duplicate parameter
If the RADIUS server does not support this VSA,
the 550, 551, 552, 553, and 554 error codes can be
mapped to the standard Error-Cause attribute 550
(other proxy processing error).
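The name-value format shared by Service-Name (VSA 190), Service-Parameter (VSA 192), Deactivate-Service-Name (VSA 194) and Reauth-Service-Name (VSA 204) has two details that a naive split on spaces gets wrong: a double-quoted value may contain spaces and commas, and an unquoted value containing commas is an array. The tokenizer below is an added example for this guide, not Redback code, and the sample strings are constructed. It also rejects a repeated parameter name, which is the condition the guide maps to Service-Error-Cause 554 (Service duplicate parameter). One assumption is labelled in the code: the optional ":service id" suffix is taken to be attached to the service-name token.

```python
from typing import Dict, List, Optional, Tuple, Union

ParamValue = Union[str, List[str]]


def _split_tokens(text: str) -> List[Tuple[str, bool]]:
    """Split on spaces, keeping double-quoted runs together.

    Returns (token, was_quoted) pairs. Quotes are removed from the token; the flag
    records that they were present so a quoted 'a, b' is not later split as an array.
    """
    tokens: List[Tuple[str, bool]] = []
    buf: List[str] = []
    quoted = in_quotes = False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
            quoted = True
        elif ch == " " and not in_quotes:
            if buf:
                tokens.append(("".join(buf), quoted))
                buf, quoted = [], False
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quote in service parameters")
    if buf:
        tokens.append(("".join(buf), quoted))
    return tokens


def _params_from_tokens(tokens: List[Tuple[str, bool]]) -> Dict[str, ParamValue]:
    """Turn name=value tokens into a dict; unquoted comma-separated values become lists."""
    params: Dict[str, ParamValue] = {}
    for token, quoted in tokens:
        name, sep, value = token.partition("=")
        if not sep or not name:
            raise ValueError(f"expected name=value, got {token!r}")
        if name in params:
            # The guide reports this as Service-Error-Cause 554, Service duplicate parameter.
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = value.split(",") if ("," in value and not quoted) else value
    return params


def parse_service_parameters(text: str) -> Dict[str, ParamValue]:
    """Parse a Service-Parameter (VSA 192) string."""
    return _params_from_tokens(_split_tokens(text))


def parse_service_name(text: str) -> Tuple[str, Optional[str], Dict[str, ParamValue]]:
    """Parse a Service-Name (VSA 190) string: 'service-name[:service-id] [name=value ...]'.

    Returns (service_name, service_id or None, params). Assumption: the optional
    ':service id' suffix is attached to the first token, as the guide's field list
    suggests; the same shape serves VSA 194 and the untagged form of VSA 204.
    """
    tokens = _split_tokens(text)
    if not tokens:
        raise ValueError("empty Service-Name")
    head, _ = tokens[0]
    if "=" in head:
        raise ValueError(f"service name expected before parameters, got {head!r}")
    name, sep, service_id = head.partition(":")
    if not name or (sep and not service_id):
        raise ValueError(f"malformed service name: {head!r}")
    return name, (service_id if sep else None), _params_from_tokens(tokens[1:])


if __name__ == "__main__":
    # Constructed sample values; parameter names are illustrative, not a Redback schema.
    print(parse_service_name('voip_service:2 inLimit=1000 timeout=10 desc="gold tier, voice"'))
```

Validating at the server side is cheap insurance: a malformed or duplicated parameter is caught before the Access-Accept or CoA-Request leaves the server, rather than surfacing later as a Service-Error-Cause in accounting.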
194 Deactivate-Service-Name No No No String. The service profile name of the service to be deactivated, together with the following optional fields:
:service id - Used when there is more than one instance of the same service.
service-parameter - Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces.
195 QoS-Overhead No Yes Yes String. Attaches a QoS overhead profile to the subscriber session. If the overhead profile is defined in the RADIUS record of the subscriber, the subscriber has the specified overhead profile when the subscriber session comes up.
196 Dynamic-QoS-Param No No Yes String. The format varies by QoS parameter. For more information, see the VSA 196 Format section.
Zero or more Dynamic-QoS-Param VSAs can be sent in an Access-Accept or CoA-Request packet to the SmartEdge router.
199 Double_Authentication No No Yes Integer. The integer value is 1. Indicates that the
session needs one more authentication. It is valid
only if it is received from a global access response.
201 DHCP-Field Yes Yes No Binary. Identifies a standard DHCP client field.
This generic VSA is used to identify standard DHCP
client fields that must be sent in RADIUS
authentication or accounting requests. To
distinguish each supported DHCP client field, a
unique dhcp-sub-field field is used within this VSA
to indicate a specific value that corresponds to a
specific DHCP client field. Currently, this VSA
supports only dhcp-sub-field field of type 1, the
giaddr or gateway address field. A RADIUS server
uses the gateway address field to provide static
routes to clients based on this address.
202 DHCP-Option Yes Yes No Binary. Identifies a DHCP client option.
This VSA is a generic VSA, which is used to identify
various supported DHCP client options that must be
sent in RADIUS authentication or accounting
requests. To distinguish each supported DHCP
client option, a unique dhcp-sub-type field is used
within this VSA to indicate a specific value that
corresponds to a specific DHCP option. Currently,
this VSA supports DHCP options 12 (hostname), 61
(client identifier), and 77 (user class).
204 Reauth-Service-Name No No No String. The name of the service to be reauthorized, together with the optional field of service-parameter. Parameters are formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. The service name and service parameters are separated by spaces. For example:
Reauth-Service-Name: = voip_service inLimit=1000 timeout=10
This VSA is used to provide dynamic reauthorization of the RADIUS service attributes of an RSE service without bringing the associated service down. The following are the supported RADIUS service attributes:
Service-Interim-Accounting
Service-Timeout
Service-Volume-Limit
For more information about these attributes, see the section Service Attributes Supported by the SmartEdge OS.
If not all reauthorizable service parameters fit in VSA 204 because of the limit on the number of characters you can use in this VSA, you can use Redback VSA 192, Service-Parameters, to carry the additional service parameters. You can also configure VSA 204 to carry only the service name and VSA 192 to carry all the service parameters. See VSA 192 for formatting details.
If you are using VSA 192 with VSA 204, use a RADIUS attribute tag to correlate this VSA with VSA 204. The tag is an arbitrary number you assign to both VSAs. For example:
Reauth-Service-Name:2 = voip_service
Service-Parameters:2 = timeout=1 inLimit=777 outLimit=1000
In the above example, 2 is the RADIUS attribute tag assigned to both VSAs.
Note: If a CoA-Request message is to include more than one set of associated VSAs that are tagged with RADIUS attribute tags, and there exists among these sets at least one common VSA, ensure that the RADIUS attribute tag you assign to each set is unique. Ensuring the uniqueness of each tag allows the SmartEdge OS to successfully process the CoA-Request message.
Redback VSAs in CoA and Disconnect Messages
Table A-8 lists the Redback VSAs that can appear in CoA-Request, CoA-Response, Disconnect-Request, and Disconnect-Response messages. For details about these attributes, see Table A-7.
Table A-8 Redback VSAs in CoA and Disconnect Messages
# VSA Name
Sent in
CoA
Request
Sent in
CoA
Response
Sent in
Disconnect
Request
Sent in
Disconnect
Response Notes
4 Context_Name Yes No Yes No
33 Mcast_Send Yes No No No
34 Mcast_Receive Yes No No No
35 Mcast_MaxGroups Yes No No No
87 Qos-Policy-Policing Yes Yes
88 Qos-Policy-Metering Yes Yes
89 Qos-Policy-Queuing Yes Yes
90 IGMP_Service_Profile Yes No No No
92 Forward-Policy Yes No No No
94 Reauth_String Yes No No No
95 Reauth_More Yes No No No
96 RBN_Agent_Remote_ID Yes No Yes No
97 RBN_Agent_Circuit_ID Yes No Yes No
101 Shaping_Profile_Name Yes No No No
102 Bridge_Profile Yes No No No
105 Nat_Policy_Name Yes No No No
107 HTTP_Redirect_Profile_Name Yes No No No
112 OS_Version Yes No No No
113 Session_Traffic_Limit Yes No No No
114 Qos_Reference Yes No No No
156 Qos_Rate_Inbound Yes No No No
157 Qos_Rate_Outbound Yes No No No
159 LI_Id Yes No No No
160 LI_Md_Address Yes No No No
161 LI_Md_Port Yes No No No
162 LI_Action Yes No No No
163 LI_Profile Yes No No No
164 Dynamic-Policy-Filter Yes No No No
165 HTTP-Redirect-URL Yes No No No
186 Class_Traffic_Limit Yes No No No
189 Flow_FAC_Profile Yes No No No
190 Service-Name Yes Yes No No
191 Service-Options Yes No No No
192 Service-Parameter Yes No No No
193 Service-Error-Cause No Yes No No
194 Deactivate-Service-Name Yes Yes No No
196 Dynamic-QoS-Param Yes No No No
204 Reauth-Service-Name Yes Yes No No
Redback VSAs That Can Be Reauthorized
Table A-9 lists the Redback VSAs that are reauthorized when you enter the reauthorize command (in exec mode). For details about these VSAs, see Table A-7.
Table A-9 Redback VSAs Supported by Reauthorization
# VSA Name Description
33 Mcast-Send Defines whether the subscriber can send multicast packets.
34 Mcast-Receive Defines whether the subscriber can receive multicast packets.
35 Mcast-MaxGroups Specifies the maximum number of multicast groups of which the subscriber can be a member.
87 QoS-Policy-Policing Attaches a QoS policing policy to the subscriber session.
88 QoS-Policy-Metering Attaches a QoS metering policy to the subscriber session.
89 QoS-Policy-Queuing Attaches a QoS queuing service profile to the subscriber session.
90 Igmp-Service-Profile Applies an IGMP service profile to the subscriber session.
92 Forward-Policy Attaches an in or out forward policy to the subscriber session.
101 Shaping-Profile-Name Indicates the name of the ATM shaping profile.
102 Bridge-Profile-Name Indicates the name of the bridge profile.
105 Nat_Policy_Name Indicates the NAT policy name. Attaches the specified NAT policy to a subscriber.
107 HTTP-Redirect-Profile-Name Indicates the name of the HTTP redirect profile.
113 Session-Traffic-Limit Specifies that inbound, outbound, or aggregated traffic be limited.
114 Qos_Reference Specifies the node name, node-name index, group name, and group-name index.
A colon (:) separates the node-name index from the group name.
156 Qos_Rate_Inbound Changes the inbound QoS rate; changing the excess burst rate is optional.
157 Qos_Rate_Outbound Changes the outbound QoS rate; changing the excess burst rate is optional.
159 LI_Id For lawful intercept, identifies the intercepted target session. The mediation device enforces
the fact that this attribute is unique for all intercepted sessions. This field can be salt encrypted.
160 LI_Md_Address For lawful intercept, specifies the IP address of the mediation device that receives the
duplicated data. The IP address cannot be 255.255.255.255 or 0.0.0.0. This field can be salt
encrypted.
161 LI_Md_Port For lawful intercept, specifies the User Datagram Protocol (UDP) port number of the mediation device that receives the duplicated data. This field can be salt encrypted.
162 LI_Action For lawful intercept, specifies one of the following intercept actions:
0 - Stop interception of a session.
1 - Start interception of a session.
2 - Take no action; a dummy interception is ignored. Check to see if a subscriber is logged on.
163 LI_Profile For lawful intercept, specifies the name of the LI profile configured on the SmartEdge OS. This field can be salt encrypted.
164 Dynamic_Policy_Filter Specifies a class rule for a dynamic policy ACL.
165 HTTP_Redirect_URL Specifies the URL to which the SmartEdge OS redirects HTTP requests.
186 Class-Traffic-Limit Specifies a traffic volume limit associated with a specific class when a subscriber session is initiated.
189 Flow_FAC_Profile Specifies flow.
190 Service_Name Carries the service name and parameters required to activate the service.
191 Service_Options Carries the service action, which indicates the action that the SmartEdge router should perform. The enumerated types for this attribute are:
a) ACTIVATE-ENABLED = 0x01
b) ACTIVATE-DISABLED = 0x00
192 Service_Parameter Carries the parameters required to activate the service.
194 Deactivate_Service_Name
195 Qos_Overhead Attaches a QoS overhead profile to the subscriber session.
196 Dynamic_QoS_Param Parameterizes QoS policies.
204 Reauth-Service-Name Carries the service name and parameters required to reauthorize the named service.
VSA 164 Format
VSA 164 has the following format:
ip dir action [dstip n.n.n.n[/nn]] [srcip n.n.n.n[/nn]] [{dscp dscp-value | tos tos-value tos-mask}] [protocol [dstport dst-op dst-port] [srcport src-op src-port] [est]] class class-name service
The keywords and arguments for VSA 164 follow.
ip Specifies that the filter applies to IP packets.
dir Specifies the direction of the traffic with one of the following keywords:
in - Traffic is inbound to the SmartEdge router.
out - Traffic is outbound from the SmartEdge router.
forward Specifies the filter action.
dstip n.n.n.n[/nn] Optional. IP address and netmask for the destination port. The range of values for the netmask is 0 to 32.
srcip n.n.n.n[/nn] Optional. IP address and netmask for the source port. The range of values for the netmask is 0 to 32.
dscp dscp-value Optional. Differentiated Services Code Point (DSCP) value that the packet must have to be considered a match. The range of values is decimal 0 to 63, a hexadecimal value listed in Table A-12, or one of the keywords listed in Table A-12.
tos tos-value tos-mask Optional. Type of service (ToS) that the packet must have to be considered a match. The range of values for the tos-value argument is decimal 0 to 255 or the hexadecimal equivalent, but only certain values are allowed. The tos-mask argument identifies the group of bits in the IP ToS byte; see Table A-13.
protocol Optional. Protocol, according to one of the following keywords:
icmp - Internet Control Message Protocol (ICMP)
tcp - Transmission Control Protocol (TCP)
udp - User Datagram Protocol (UDP)
ospf - Open Shortest Path First (OSPF) protocol
dstport dst-op dst-port Optional. Comparison operation and port name or number for the destination port. Table A-10 lists the keywords for the comparison operation (the dst-op argument). For the dst-port argument, you can specify either a port name or a port number. Table A-11 lists the keywords for the port name. The range of values for port number is 1 to 1,023.
srcport src-op src-port Optional. Comparison operation and port name or number for the source port. Table A-10 lists the keywords for the comparison operation (the src-op argument). For the src-port argument, you can specify either a port name or a port number. Table A-11 lists the keywords for the port name. The range of values for port number is 1 to 1,023.
est Optional. TCP established. This keyword is valid only if you specify the tcp keyword for the protocol.
class class-name Class name. The format is a string of 1 to 39 case-sensitive printable characters.
service Type of service policy, according to one of the following keywords:
fwd - Forward policy
nat - Network Address Translation (NAT) policy
qos - Quality of service (QoS) policy (either metering or policing)
Table A-10 lists the keyword operators for the dst-op and src-op arguments.
Table A-10 Keyword Operators for Comparison Operations
Operator Description
< Port number is less than the specified port number.
= Port name or number matches the specified port name or number.
> Port number is greater than the specified port number.
!= Port name or number does not match the specified port name or number.
Table A-11 lists the keywords for the dst-port and src-port arguments in alphabetical order.
Table A-11 Keywords for Destination and Source Port Numbers and Names
Port Name Description
cmd 514/udp; shell command
domain 53/udp, 53/tcp; Domain Name Server
exec 512/tcp; remote process execution
finger 79/udp, 79/tcp; Finger
ftp 21/udp, 21/tcp; FTP
ftp-data 20/udp, 20/tcp; FTP default data
gopher 70/udp, 70/tcp; Gopher
hostname 101/udp, 101/tcp; NIC Host Name Server
kerberos 88/udp, 88/tcp; Kerberos
login 513/tcp; remote login, such as Telnet
nameserver 42/udp, 42/tcp; Host Name Server
nntp 119/udp, 119/tcp; NNTP
ntp 123/tcp, 123/udp; NTP
smtp 25/udp; SMTP
talk 517/udp; similar to a tenex link, but across machine; does not use link protocol; a rendezvous port from which a tcp connection is established
telnet 23/udp; Telnet
tftp 69/udp; TFTP
www 80/udp, 80/tcp; World Wide Web HTTP
Table A-12 lists the keyword and hexadecimal value substitutions for the dscp-value argument.
Table A-12 Keyword and Hexadecimal Substitutions for the dscp-value Argument
Keyword Hexadecimal Value Definition
af11 0x0a Assured Forwarding Class 1 / Drop precedence 1
af12 0x0c Assured Forwarding Class 1 / Drop precedence 2
af13 0x0e Assured Forwarding Class 1 / Drop precedence 3
af21 0x12 Assured Forwarding Class 2 / Drop precedence 1
af22 0x14 Assured Forwarding Class 2 / Drop precedence 2
af23 0x16 Assured Forwarding Class 2 / Drop precedence 3
af31 0x1a Assured Forwarding Class 3 / Drop precedence 1
af32 0x1c Assured Forwarding Class 3 / Drop precedence 2
af33 0x1e Assured Forwarding Class 3 / Drop precedence 3
af41 0x22 Assured Forwarding Class 4 / Drop precedence 1
af42 0x24 Assured Forwarding Class 4 / Drop precedence 2
af43 0x26 Assured Forwarding Class 4 / Drop precedence 3
cs0 0x00 Class selector 0
cs1 0x08 Class selector 1
cs2 0x10 Class selector 2
cs3 0x18 Class selector 3
cs4 0x20 Class selector 4
cs5 0x28 Class selector 5
cs6 0x30 Class selector 6
cs7 0x38 Class selector 7
df 0x00 Default Forwarding (alternative to cs0)
ef 0x2e Expedited Forwarding
prec1 0x08 Precedence selector 1 (alternative to cs1)
prec2 0x10 Precedence selector 2 (alternative to cs2)
prec3 0x18 Precedence selector 3 (alternative to cs3)
prec4 0x20 Precedence selector 4 (alternative to cs4)
prec5 0x28 Precedence selector 5 (alternative to cs5)
prec6 0x30 Precedence selector 6 (alternative to cs6)
prec7 0x38 Precedence selector 7 (alternative to cs7)
Table A-13 lists the definitions for the groups of bits in the IP ToS byte and the value for the tos-mask argument for each group. ToS values must correspond to the ToS mask so that the value does not have any bits outside the range of the mask.
Table A-13 ToS Mask Group Definitions
ToS Group Bit Range Decimal Value Hexadecimal Value
Flags 1 to 4 30 0x1E
Precedence 5 to 7 224 0xE0
Combined 1 to 7 254 0xFE
DSCP 2 to 7 252 0xFC
If you specify either the dscp dscp-value or the tos tos-value construct in the VSA, you must specify the construct before you specify any protocol-related options (protocol argument, class keyword).

To display the definition of this VSA, use the show subscribers command with the active keyword (in any mode) or the show access-group command (in any mode). For more information about the show subscribers command, see the Subscriber Operations chapter in the Basic System Operations Guide for the SmartEdge OS. For more information about the show access-group command, see the ACL Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.

Matching criteria consist of Layer 3 and Layer 4 parameters. All parameters are optional; if you omit a parameter, the parameter has the value any, which means that any packet matches that parameter. You can specify Layer 4 parameters only if you specify either TCP or UDP as the protocol.

If you do not specify the netmask argument, the system uses a default netmask, which is based on the IP network class corresponding to the IP address. Because a classful default can be far wider than the host or subnet you intended to match, specify the netmask explicitly when a rule is meant to cover a single host or a CIDR block.

You cannot specify 0.0.0.0 as an IP address.
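The ToS-mask rule and the default-netmask behaviour above are easy to get wrong when VSA strings are written by hand on the RADIUS server. The following Python is an added example, not part of the SmartEdge OS guide or Redback's code: it checks a tos-value against a tos-mask from Table A-13, converts a dscp-value keyword from Table A-12 into the ToS-byte value it occupies, decodes a code point back into its class name, and computes the classful netmask the router falls back to when netmask is omitted. The af11 to af23 entries (on the part of Table A-12 not reproduced here) are the standard RFC 2597 code points, and the classful rule (/8, /16, /24 for class A, B, C) is an assumption about how the default is derived.

```python
"""Added example (not from the SmartEdge OS guide or Redback code): checks
for the dscp/tos and netmask rules of the ACL VSA described above."""
import ipaddress

# Table A-12 keyword -> 6-bit DSCP code point. af11..af23 are not on this page;
# they are the standard RFC 2597 values.
DSCP_KEYWORDS = {
    "af11": 0x0a, "af12": 0x0c, "af13": 0x0e,
    "af21": 0x12, "af22": 0x14, "af23": 0x16,
    "af31": 0x1a, "af32": 0x1c, "af33": 0x1e,
    "af41": 0x22, "af42": 0x24, "af43": 0x26,
    "cs0": 0x00, "cs1": 0x08, "cs2": 0x10, "cs3": 0x18,
    "cs4": 0x20, "cs5": 0x28, "cs6": 0x30, "cs7": 0x38,
    "df": 0x00, "ef": 0x2e,
    "prec1": 0x08, "prec2": 0x10, "prec3": 0x18, "prec4": 0x20,
    "prec5": 0x28, "prec6": 0x30, "prec7": 0x38,
}

# Table A-13 tos-mask groups (bit 0 of the ToS byte belongs to no group).
TOS_MASKS = {"flags": 0x1E, "precedence": 0xE0, "combined": 0xFE, "dscp": 0xFC}


def dscp_to_tos_byte(dscp):
    """ToS-byte value for a dscp-value keyword, '0x..' string or 0..63 integer.

    DSCP occupies ToS bits 2-7 (mask 0xFC, Table A-13), so the byte is cp << 2.
    """
    if isinstance(dscp, str):
        cp = int(dscp, 16) if dscp.lower().startswith("0x") else DSCP_KEYWORDS[dscp.lower()]
    else:
        cp = int(dscp)
    if not 0 <= cp <= 63:
        raise ValueError(f"DSCP code point out of range: {cp}")
    return cp << 2


def check_tos_value(tos_value, tos_mask):
    """Rule from this page: tos-value may not have bits outside tos-mask.

    Returns the offending bits; 0 means the pair is acceptable.
    """
    if not (0 <= tos_value <= 0xFF and 0 <= tos_mask <= 0xFF):
        raise ValueError("tos-value and tos-mask are single octets")
    return tos_value & ~tos_mask & 0xFF


def describe_dscp(cp):
    """Decode a 6-bit code point into the class names used in Table A-12."""
    if cp == 0x2e:
        return "Expedited Forwarding"
    if cp & 0x07 == 0:                      # xxx000: class selector / precedence
        return f"Class selector {cp >> 3}"
    af_class, drop = cp >> 3, (cp >> 1) & 0x03
    if cp & 0x01 == 0 and 1 <= af_class <= 4 and 1 <= drop <= 3:
        return f"Assured Forwarding Class {af_class}/Drop precedence {drop}"
    return "unassigned/experimental"


def default_netmask(ip):
    """Netmask the page says is used when the netmask argument is omitted.

    Assumption: the classful rule, /8 for class A (0xxx), /16 for class B (10xx),
    /24 for class C (110x). Class D/E have no classful mask, so the caller must
    supply one. 0.0.0.0 is rejected, as the page requires.
    """
    addr = int(ipaddress.IPv4Address(ip))
    if addr == 0:
        raise ValueError("0.0.0.0 is not allowed as an IP address in this VSA")
    first = addr >> 24
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip}: no classful default; specify netmask explicitly")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


if __name__ == "__main__":
    print(hex(dscp_to_tos_byte("ef")), describe_dscp(DSCP_KEYWORDS["af31"]))
    print("bad bits:", hex(check_tos_value(0x2e, TOS_MASKS["precedence"])))
    print(default_netmask("10.1.2.3"), default_netmask("192.0.2.7"))
```

Note that a dscp-value keyword names a 6-bit code point, while a tos-value is the whole byte: ef is 0x2e as a DSCP but 0xB8 as a ToS byte, so pairing 0x2e with the precedence mask 0xE0 leaves stray bits and is exactly the mismatch the page warns about.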
VSA 196 Format
VSA 196 has the following format:
attribute [flag]
attribute  Specifies one of the following dynamic quality of service (QoS) parameters:
fwd-in-access-group group-name
meter-class-burst class-name burst-bytes
meter-class-conform class-name {mark-dscp | mark-precedence | mark-priority | no-action}
meter-class-exceed class-name {mark-dscp | mark-precedence | mark-priority | drop-qos-priority-group | drop-all | no-action}
meter-class-excess-burst class-name excess-burst-bytes
meter-class-mark class-name {mark-dscp | mark-precedence | mark-priority}
meter-class-rate class-name {rate-absolute kbps | rate-percentage percentage}
meter-class-violate class-name {mark-dscp | mark-precedence | mark-priority | drop-all | no-action}
police-class-burst class-name burst-bytes
police-class-conform class-name {mark-dscp | mark-precedence | mark-priority | no-action}
police-class-exceed class-name {mark-dscp | mark-precedence | mark-priority | drop-qos-priority-group | drop-all | no-action}
police-class-excess-burst class-name excess-burst-bytes
police-class-mark class-name {mark-dscp | mark-precedence | mark-priority}
police-class-rate class-name {rate-absolute kbps | rate-percentage percentage}
police-class-violate class-name {mark-dscp | mark-precedence | mark-priority | drop-all | no-action}
pwfq-priority-group-rate group-num {rate-absolute kbps | rate-percentage percentage}
pwfq-queue-priority queue-num {priority-group | weight-value}
pwfq-queue-weight queue-num weight-value
flag  Optional. Enter the remove keyword to remove a dynamic parameter and revert the QoS parameter to the default value.
The description of the policy refresh command (in exec mode) provides more information on this VSA; for details, see the AAA Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.

Redback VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels
Remote Authentication Dial-In User Service (RADIUS) supports circuit creation on demand (CCOD) multiencapsulated permanent virtual circuits (PVCs) in 802.1Q tunnels. Multiencapsulated CCOD is used in a typical scenario in which some subscribers have high-speed Internet service only while others have voice over IP (VoIP) or Video-on-Demand (VoD) and optionally high-speed Internet. When the SmartEdge router receives a subscriber request for service, it queries the RADIUS server. The RADIUS server returns an authorization that informs the SmartEdge router about which type of C-VLAN (customer VLAN) encapsulation to provision:
For customers subscribed to high-speed Internet services only, RADIUS authorizes the creation of a PPPoE-encapsulated 802.1Q PVC only.
For customers subscribed to high-speed Internet services who also have VoIP, VoD, or both, RADIUS authorizes an on-demand multiencapsulated 802.1Q PVC and a static PPPoE-encapsulated 802.1Q PVC.
Table A-14 and Table A-15 list the Redback VSAs that provide support for multiencapsulated CCOD 802.1Q PVCs. For details about these VSAs, see Table A-7.
If the C-VLAN encapsulation type is PPPoE, the Redback VSAs supported in the Access-Accept message are listed in Table A-14.

Table A-14 Redback VSAs Supported in PPPoE-Encapsulated 802.1Q PVCs
#    VSA Name
39   PVC-Encapsulation-Type
40   PVC-Profile-Name
42   Bind-Type
43   Bind-Auth-Protocol
44   Bind-Auth-Max-Sessions
46   Bind-Auth-Context
89   Qos-Policy-Queuing
97   Agent-Circuit-Id
195  QoS-Overhead

If the C-VLAN encapsulation type is multi, the Redback VSAs supported in the Access-Accept message are listed in Table A-15.

Table A-15 Redback VSAs Supported in Multiencapsulated PVCs in 802.1Q Tunnels
#    VSA Name
39   PVC-Encapsulation-Type
40   PVC-Profile-Name
42   Bind-Type
43   Bind-Auth-Protocol
44   Bind-Auth-Max-Sessions
46   Bind-Auth-Context
89   Qos-Policy-Queuing
97   Agent-Circuit-Id
108  Bind-Auto-Sub-User
109  Bind-Auto-Sub-Context
110  Bind-Auto-Sub-Password
111  Circuit-Protocol-Encap
195  QoS-Overhead

Other VSAs Supported by the SmartEdge OS
Table A-16 lists other VSAs that the SmartEdge OS supports. These VSAs require a vendor ID of 529.

Table A-16 Other VSAs Supported by the SmartEdge OS
#    Attribute Name      Sent in Access-Request  Sent in Acct-Request  Received in Access-Response  Notes
242  Ascend-Data-Filter  No                      Yes                   Yes                          Multivalue attribute. An Access-Accept packet contains multiple binary strings, each representing a rule in an IP access control list (ACL). The rules are interpreted in the order in which they are received from the RADIUS server. If the RADIUS server returns both the SmartEdge OS Filter-Id and Ascend-Data-Filter attributes for the same subscriber in the same direction, the Ascend-Data-Filter attribute is ignored, the SmartEdge OS Filter-Id attribute is applied in that direction, and an event message to that effect is logged.

Service Attributes Supported by the SmartEdge OS
Table A-17 lists the service attributes that the SmartEdge OS supports. These attributes appear in service profiles that a RADIUS server uses to specify the conditions for a subscriber session.
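Because Ascend-Data-Filter rules arrive as opaque binary strings, an operator auditing what a RADIUS server actually pushed to a subscriber needs to decode them and then apply the precedence rule in Table A-16. The following Python is an added example, not from the SmartEdge OS guide or Redback's code. The 32-octet layout it decodes is the Ascend "abinary" IP-filter format as implemented by FreeRADIUS; the page says only that each value is a binary ACL rule, so treating the SmartEdge OS as using that same layout is an assumption, as is the acl-name.in / acl-name.out form used here to tell a Filter-Id's direction. The Access-Accept contents are constructed for the example.

```python
"""Added example (not from the SmartEdge OS guide or Redback code): decode the
binary rules carried in Ascend-Data-Filter (attribute 242, vendor 529) and
apply the Filter-Id precedence rule stated in Table A-16."""
import ipaddress
import struct

# Assumed layout: the 32-octet Ascend "abinary" IP filter as implemented by
# FreeRADIUS. type(1) forward(1) direction(1) pad(1) srcip(4) dstip(4)
# srcmask(1) dstmask(1) proto(1) established(1) srcport(2) dstport(2)
# srcPortComp(1) dstPortComp(1) padding(10).
_IP_RULE = struct.Struct("!BBBB4s4sBBBBHHBB10x")
FILTER_IP = 1                                  # type: 0 generic, 1 IP, 2 IPX
PORT_CMP = {0: None, 1: "<", 2: "=", 3: ">", 4: "!="}


def decode_rule(blob):
    """One Ascend-Data-Filter value -> dict describing the ACL rule."""
    if len(blob) != _IP_RULE.size:
        raise ValueError(f"rule must be {_IP_RULE.size} octets, got {len(blob)}")
    (ftype, forward, direction, _pad, src, dst, smask, dmask, proto,
     established, sport, dport, scmp, dcmp) = _IP_RULE.unpack(blob)
    if ftype != FILTER_IP:
        raise ValueError(f"unsupported filter type {ftype}")
    rule = {
        "action": "permit" if forward else "deny",
        "direction": "in" if direction else "out",
        "src": str(ipaddress.IPv4Network((src, smask), strict=False)),
        "dst": str(ipaddress.IPv4Network((dst, dmask), strict=False)),
        "proto": proto,                        # 0 = any protocol
        "established": bool(established),
    }
    if PORT_CMP.get(scmp):
        rule["sport"] = f"{PORT_CMP[scmp]}{sport}"
    if PORT_CMP.get(dcmp):
        rule["dport"] = f"{PORT_CMP[dcmp]}{dport}"
    return rule


def encode_rule(action, direction, src, dst, proto=0, sport=None, dport=None,
                established=False):
    """Build a rule blob; used here to construct sample data."""
    def port(spec):
        if spec is None:
            return 0, 0
        for code, sym in sorted(PORT_CMP.items(), key=lambda kv: -len(kv[1] or "")):
            if sym and spec.startswith(sym):
                return code, int(spec[len(sym):])
        raise ValueError(f"bad port spec {spec!r}")
    s = ipaddress.IPv4Network(src, strict=False)
    d = ipaddress.IPv4Network(dst, strict=False)
    scmp, sp = port(sport)
    dcmp, dp = port(dport)
    return _IP_RULE.pack(FILTER_IP, int(action == "permit"), int(direction == "in"), 0,
                         s.network_address.packed, d.network_address.packed,
                         s.prefixlen, d.prefixlen, proto, int(established),
                         sp, dp, scmp, dcmp)


# Constructed Access-Accept contents, not a capture. Assumption: Filter-Id
# carries its direction as an "acl-name.in" / "acl-name.out" suffix.
SAMPLE_REPLY = [
    ("Filter-Id", "subscriber-acl.in"),
    ("Ascend-Data-Filter", encode_rule("deny", "in", "0.0.0.0/0", "192.0.2.0/24")),
    ("Ascend-Data-Filter", encode_rule("permit", "out", "0.0.0.0/0", "203.0.113.0/24",
                                       proto=6, dport="=443")),
    ("Ascend-Data-Filter", encode_rule("deny", "out", "0.0.0.0/0", "0.0.0.0/0")),
]


def select_filters(reply_attrs, events):
    """Decide which filter applies per direction, as Table A-16 describes:
    Filter-Id wins; Ascend-Data-Filter rules for that direction are ignored and
    an event is logged. Rules keep the order in which the server sent them."""
    chosen, ascend = {}, {"in": [], "out": []}
    for name, value in reply_attrs:
        if name == "Filter-Id":
            acl, _, direction = value.rpartition(".")
            chosen[direction] = ("Filter-Id", acl)
        elif name == "Ascend-Data-Filter":
            rule = decode_rule(value)
            ascend[rule["direction"]].append(rule)
    for direction, rules in ascend.items():
        if not rules:
            continue
        if direction in chosen:
            events.append(f"Ascend-Data-Filter ignored for direction {direction}; "
                          f"Filter-Id {chosen[direction][1]} applied")
        else:
            chosen[direction] = ("Ascend-Data-Filter", rules)
    return chosen


if __name__ == "__main__":
    log = []
    for direction, (source, what) in select_filters(SAMPLE_REPLY, log).items():
        print(direction, source, what)
    print("\n".join(log))
```

The point to verify in a deployment is the silent override: a server that returns both attributes for one direction gets the Filter-Id ACL and only an event log entry, so a misconfigured profile can leave the Ascend rules unapplied without any failure on the wire.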
Table A-17 Service Attributes Supported by the SmartEdge OS
Attribute Name              Notes
Service-Interim-Accounting  Integer. Number of seconds after which the service accounting counters are updated. The range of values is 900 to 2,147,483,647. Before this attribute is sent to the PPA of the SmartEdge router for processing, the value is rounded to the nearest integer that is evenly divisible by 60. For example, if the Service-Interim-Accounting value is 925, the SmartEdge OS rounds it to 900.
Service-Timeout             Integer. Number of seconds after which a session times out. The range of values is 60 to 2,147,483,647.
Service-Volume-Limit        Integer. Volume of traffic (in KB) in either the upstream or downstream direction after which a service for a subscriber session has exceeded its volume limit. The range of values is 0 through 2,147,483,647.

RADIUS Attributes Supported by Mobile IP Services
For Mobile IP services, RADIUS attributes appear in the various types of RADIUS messages, as described in the following sections:
Standard RADIUS Attributes and Mobile IP Services
3GPP2 RADIUS VSAs
3GPP2 RADIUS VSAs That Can Be Reauthorized
WiMax Forum RADIUS VSAs
WiMax Forum RADIUS VSAs in the CoA
Motorola VSAs

Standard RADIUS Attributes and Mobile IP Services
The following lists the standard Mobile IP service RADIUS attributes that are supported by the SmartEdge OS and that can appear in Access-Request, Account-Request, and Access-Response messages:
CUI
User-Name
User-Password
NAS-IP-Address
NAS-Port
Framed-IP-Address
Idle-Timeout
Message-Authenticator
NAS-Identifier
Ip-Address-Pool-Name
Acct-Status-Type
Acct-Input-Octets
Acct-Multi-Session-ID - This identifier is set to the value of the AAA-Session-ID attribute, which is generated by the AAA server after the mobile node (MN) is successfully authenticated. It is delivered in the Access-Accept message, is unique for each connectivity service network (CSN), and is used to match all accounting records within a session.
Acct-Output-Octets
Acct-Session-Id
Acct-Session-Time
Acct-Input-Packets
Acct-Output-Packets
For more information about these attributes, see the Standard RADIUS Attributes in Access and Account Messages section on page A-5 and the Standard RADIUS Attributes That Can Be Reauthorized section on page A-12.
3GPP2 RADIUS VSAs
Table A-18 describes the Third Generation Partnership Project 2 (3GPP2) RADIUS VSAs used by Mobile IP services that are supported by the SmartEdge OS and that can appear in Access-Request, Account-Request, and Access-Response messages. Mobile IP services comply with the following 3GPP2 standard: X.S0011-001-C v3.0, cdma2000 Wireless IP Network Standard: Introduction.
Note  For Mobile IP, the username is the mobile node (MN) Network Access Identifier (NAI).

Table A-18 3GPP2 RADIUS VSAs Supported by the SmartEdge OS
#   Attribute Name           Sent in Access-Request  Sent in Acct-Request  Received in Access-Response  Notes
7   Home Agent IP Address    Yes                     Yes                   No                           IP address of the HA.
57  MN-HA SPI                Yes                     No                    No                           Integer. Security Parameter Index (SPI). Sent when the SPI is changing for the mobile node (MN), along with the HA and MN shared secret key.
58  MN-HA shared secret key  No                      No                    Yes                          Octet string. Shared secret key used for MN and HA authentication.
79  Foreign Agent Address    No                      Yes                   No                           IP address of the foreign agent (FA).

3GPP2 RADIUS VSAs That Can Be Reauthorized
Table A-19 lists the 3GPP2 RADIUS VSAs used by Mobile IP services that are reauthorized when you enter the reauthorize command (in exec mode).

Table A-19 3GPP2 RADIUS VSAs Supported by Reauthorization
#   Attribute Name           Description
57  MN-HA SPI                Integer. SPI. Sent when the SPI is changing for the MN, along with the HA and MN shared secret key.
58  MN-HA shared secret key  Octet string. Shared secret key used for MN and HA authentication.

WiMax Forum RADIUS VSAs
Table A-20 lists the WiMax Forum RADIUS VSAs supported for Mobile IP that can appear in Access-Request, Account-Request, and Access-Response messages.
Table A-20 WiMax Forum RADIUS VSAs for Mobile IP Supported by the SmartEdge OS
#   Attribute Name                 Sent in Access-Request               Sent in Acct-Request  Received in Access-Response  Notes
1   WiMax-Capability               Yes                                  No                    Yes                          Type-length values (TLVs). Indicates the capabilities that the home agent (HA) supports, such as accounting and hotlining. TLV ID 1: WiMAX release; TLV ID 2: Accounting capabilities; TLV ID 3: Hotlining capabilities; TLV ID 4: Idle Mode notification capabilities. The WiMax-Capability attribute is optionally received in the Access-Response message.
3   GMT-Time-Zone-Offset           No                                   Yes                   No                           Integer. The difference in seconds between the HA and the RADIUS server in Greenwich Mean Time (GMT). This information is used to calculate local time. The GMT-Time-Zone-Offset attribute is optionally sent in the Acct-Request message.
4   AAA-Session-ID                 No                                   No                    Yes                          Binary string. Unique identifier in the home network for the session, set in the home network AAA server. Also received in the CoA.
6   HA-IP-MIP4                     Yes                                  Yes                   No                           IP address. IP address of the home agent (HA).
10  MN-HA-MIP4-Key                 No                                   No                    Yes                          Binary string. The shared secret key used for authentication between the mobile node (MN) and HA.
11  MN-HA-MIP4-SPI                 Yes                                  No                    Yes                          Integer. Security Parameter Index (SPI) that corresponds to the shared secret key used for mobile node (MN) and HA authentication. The HA includes this attribute in the Access-Request message to request the corresponding shared key from the RADIUS server. The RADIUS server includes this attribute in the Access-Response message and when it sends the CoA message to the HA to indicate that a new key will be used for subsequent MN and HA authentication or reauthentication for an existing mobile subscriber session.
15  HA-RK-Key                      No                                   No                    Yes                          Octet. Key used to generate FA-HA keys.
16  HA-RK-SPI                      Yes (optional)                       No                    Yes                          Integer. SPI associated with the HA-RK-Key.
17  HA-RK-Lifetime                 No                                   No                    Yes                          Integer. Lifetime of the HA-RK-Key.
24  Hotline-Indicator              No                                   Yes                   Yes                          String. Enables hotlining. Sent by the RADIUS or CoA server and reported in the session and hotlining accounting records. The Hotline-Profile-ID and Hotline-Indicator attributes together enable hotlining. For information about hotlining, see Chapter 10, Hotlining Configuration.
48  Acct-Input-Packets-Gigawords   No                                   Yes                   No                           Integer. Incremented when the standard RADIUS attribute 47, Acct-Input-Packets, overflows. Sending it in the Acct-Request is optional.
49  Acct-Output-Packets-Gigawords  No                                   Yes                   No                           Integer. Incremented when the standard RADIUS attribute 48, Acct-Output-Packets, overflows. Sending it in the Acct-Request is optional.
53  Hotline-Profile-ID             No                                   Yes                   Yes                          String. Hotlining profile identifier sent by the RADIUS or CoA server. The Hotline-Profile-ID and Hotline-Indicator attributes together enable hotlining. For information about hotlining, see Chapter 10, Hotlining Configuration.
58  HA-RK-Key-Requested            Yes (if dynamic keys are required)   No                    No                           Integer. Flag indicating that the HA needs an HA-RK-Key.

WiMax Forum RADIUS VSAs in the CoA
Table A-21 lists the WiMax Forum RADIUS VSAs supported for Mobile IP that can appear in CoA-Request and CoA-Response messages. For details about these VSAs, see Table A-20.
Table A-21 WiMax Forum RADIUS VSAs for Mobile IP Supported by the SmartEdge OS
#   Attribute Name      Sent in CoA Request  Sent in CoA Response  Notes
10  MN-HA-MIP4-Key      Yes                  No
11  MN-HA-MIP4-SPI      Yes                  No
24  Hotline-Indicator   Yes                  No                    String. Sent by the RADIUS or CoA server and reported in the session and hotlining accounting records. A CoA containing a Hotline-Profile-ID without an accompanying Hotline-Indicator deactivates hotlining for that profile. For information about hotlining, see Chapter 10, Hotlining Configuration.
53  Hotline-Profile-ID  Yes                  No                    String. Hotlining profile identifier sent by the RADIUS or CoA server. A CoA containing a Hotline-Profile-ID without an accompanying Hotline-Indicator deactivates hotlining for that profile. For information about hotlining, see Chapter 10, Hotlining Configuration.

Motorola VSAs
Table A-22 lists the Motorola VSAs supported for Mobile IP that can appear in Access-Request, Account-Request, and Access-Response messages.

Table A-22 Motorola VSAs for Mobile IP Supported by the SmartEdge OS
#   Attribute Name  Sent in Access-Request  Sent in Acct-Request  Received in Access-Response  Notes
67  FA-HA-Key       No                      No                    Yes                          Encrypted string. The FA-HA-Key is used by the FA to create an FA-HA authentication extension. This field is protected with the encryption algorithm defined for Tunnel-Password in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
68  FA-HA-Lifetime  No                      No                    Yes                          Integer. The amount of time in seconds that this FA-HA-Key can be used after it is fetched.
69  FA-HA-SPI       Yes (optional)          No                    Yes                          Integer. The SPI for the FA-HA-Key. The FA-HA-SPI may be sent in the Access-Request to the AAA server if the foreign agent (FA) does not have a key matching the one used by the home agent (HA) in a registration revocation message.
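Table A-22 says the FA-HA-Key is protected the way RFC 2868 protects Tunnel-Password: a two-octet salt, an MD5 keystream seeded from the shared secret, the Request Authenticator and the salt, and a one-octet length prefix on the zero-padded plaintext. The following Python is an added example, not from the SmartEdge OS guide or Redback's code, implementing that algorithm in both directions so a key delivered by a RADIUS server can be recovered offline from a capture and the shared secret. The secret and authenticator are constructed test values, and because the page does not say whether this VSA carries the leading Tag octet that the standard Tunnel-Password attribute has, the tag is optional here.

```python
"""Added example (not from the SmartEdge OS guide or Redback code): the RFC 2868
section 3.5 Tunnel-Password salt encryption that Table A-22 says protects the
FA-HA-Key, implemented in both directions."""
import hashlib
import os

# Constructed test values, not from any deployment.
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def tunnel_password_encrypt(secret, request_authenticator, plaintext, salt=None, tag=None):
    """Return Salt || ciphertext (prefixed by a Tag octet when tag is given)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])        # high bit of the salt MUST be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt is 2 octets with the high bit of the first octet set")
    if len(plaintext) > 255:
        raise ValueError("plaintext longer than the 1-octet Length field allows")
    data = bytes([len(plaintext)]) + plaintext
    data += b"\x00" * (-len(data) % 16)               # zero-pad to a 16-octet multiple
    out, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()       # b1 = MD5(S+R+A); b_i = MD5(S+c_(i-1))
        c = bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        out += c
        prev = c
    head = b"" if tag is None else bytes([tag])
    return head + salt + bytes(out)


def tunnel_password_decrypt(secret, request_authenticator, attr, has_tag=False):
    """Inverse of the above. Raises ValueError on malformed input. A wrong
    secret or authenticator usually, but not always, shows up as an impossible
    Length octet, so the caller should still validate the recovered key."""
    body = attr[1:] if has_tag else attr
    salt, cipher = body[:2], body[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed Tunnel-Password value")
    plain, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("Length octet exceeds payload; wrong secret or authenticator?")
    return bytes(plain[1:1 + n])


if __name__ == "__main__":
    enc = tunnel_password_encrypt(SECRET, REQUEST_AUTHENTICATOR, b"fa-ha-key-0123456789")
    print(enc.hex())
    print(tunnel_password_decrypt(SECRET, REQUEST_AUTHENTICATOR, enc))
```

The security property to keep in mind is the one RFC 2868 itself notes: this construction is a keystream derived from MD5 over the shared secret and offers no integrity protection of its own, so the confidentiality of every FA-HA-Key delivered this way rests entirely on the strength and secrecy of the RADIUS shared secret and on the Message-Authenticator or transport protecting the exchange.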
Appendix B
TACACS+ Attribute-Value Pairs
Terminal Access Controller Access Control System Plus (TACACS+) attribute-value pairs (AVPs) are used to define specific administrator and command-line interface (CLI) command authentication, authorization, and accounting (AAA) elements for user profiles that are stored on a TACACS+ server.
For information about configuring TACACS+ features, see Chapter 22, TACACS+ Configuration.
This appendix contains the following sections:
TACACS+ Authentication and Authorization AVPs
TACACS+ Administrator Accounting AVPs
TACACS+ Command Accounting AVPs
TACACS+ Authentication and Authorization AVPs
Table B-1 describes the TACACS+ authentication and authorization AVPs supported by the SmartEdge OS.

Table B-1 TACACS+ Authentication and Authorization AV Pairs
Attribute   Description
cmd=x       Administrator shell command. Indicates the command name for the command to be issued. This attribute can only be specified if service=shell.
cmd-arg=x   Argument used with an administrator shell command. Indicates the argument name to be used with the command. Multiple cmd-arg attributes can be specified; cmd-arg attributes are order dependent.
priv-lvl=x  When received in an administrator authorization response from the server, sets the starting privilege level for the administrator.
service=x   Service used by the administrator.

TACACS+ Administrator Accounting AVPs
Table B-2 describes the TACACS+ administrator accounting AVPs supported by the SmartEdge OS.

Table B-2 TACACS+ Administrator Accounting AV Pairs
Attribute      Description
service=shell  Service used by the administrator.
start_time=x   Time at which the administrator logged on to the SmartEdge OS, expressed as the number of seconds since the Unix epoch (00:00:00 UTC, January 1, 1970).
stop_time=x    Time at which the administrator logged off the SmartEdge OS, expressed as the number of seconds since the Unix epoch (00:00:00 UTC, January 1, 1970).
task_id=x      Start and stop records for the same event must have matching (unique) task ID numbers.
timezone=x     Time zone abbreviation for all time stamps included in this packet.

TACACS+ Command Accounting AVPs
Table B-3 describes the TACACS+ command accounting AVPs supported by the SmartEdge OS.

Table B-3 TACACS+ Command Accounting AV Pairs
Attribute      Description
cmd=x          Command issued by the administrator. Includes all supported CLI commands.
priv-lvl=x     Privilege level associated with the command being issued.
start_time=x   Time at which the command is issued.
service=shell  Service used by the administrator.
task_id=x      Start and stop records for the same event must have matching (unique) task ID numbers.
timezone=x     Time zone abbreviation for all time stamps included in this packet.
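Tables B-2 and B-3 describe the raw material for an administrator audit trail: logon and logoff records paired by task_id, and per-command records carrying cmd and priv-lvl. The following Python is an added example, not from the SmartEdge OS guide or Redback's code, that pairs start and stop records by task_id, reconstructs sessions and commands, and flags what a reviewer should look at: stop records with no start (lost or suppressed accounting), start records never closed, and commands executed at a high privilege level. The record format (a start/stop flag followed by AVPs separated by "|") and the sample records are constructed for the example, and the privilege threshold of 15 is an assumption.

```python
"""Added example (not from the SmartEdge OS guide or Redback code): correlate
TACACS+ accounting records carrying the AVPs of Tables B-2 and B-3 into
administrator sessions and commands, and flag what an auditor should review."""
from datetime import datetime, timezone

# Constructed records, not output of any TACACS+ server. Format assumed here:
# "<start|stop>|attr=value|attr=value|...". Task 101 is a logon/logoff pair,
# 102 a command with no stop record, 103 a complete command, 104 a command
# whose start record never arrived.
SAMPLE_RECORDS = [
    "start|service=shell|start_time=1199145600|task_id=101|timezone=UTC",
    "stop|service=shell|start_time=1199145600|stop_time=1199149200|task_id=101|timezone=UTC",
    "start|service=shell|start_time=1199145660|task_id=102|timezone=UTC|cmd=configure|priv-lvl=15",
    "start|service=shell|start_time=1199145700|task_id=103|timezone=UTC|cmd=show running-config|priv-lvl=15",
    "stop|service=shell|start_time=1199145700|stop_time=1199145702|task_id=103|timezone=UTC|cmd=show running-config|priv-lvl=15",
    "stop|service=shell|start_time=1199145800|stop_time=1199145801|task_id=104|timezone=UTC|cmd=no logging|priv-lvl=15",
]


def parse_record(line):
    """Split one record into its flag and AVP dictionary."""
    flag, *avps = line.split("|")
    rec = {"flag": flag}
    for avp in avps:
        key, _, value = avp.partition("=")
        rec[key] = value
    return rec


def fmt_time(epoch, tz_abbrev):
    """start_time/stop_time are seconds since the Unix epoch; render in UTC and
    carry the record's timezone AVP as a label (no local conversion here)."""
    stamp = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S") + " " + tz_abbrev


def correlate(lines, high_priv=15):
    """Pair start/stop records by task_id (the page requires matching IDs) and
    return (events, findings). high_priv is an assumed review threshold."""
    by_task = {}
    for rec in map(parse_record, lines):
        by_task.setdefault(rec["task_id"], {})[rec["flag"]] = rec
    events, findings = [], []
    for task_id, pair in sorted(by_task.items()):
        start, stop = pair.get("start"), pair.get("stop")
        rec = stop or start
        ev = {
            "task_id": task_id,
            "kind": "command" if "cmd" in rec else "session",
            "cmd": rec.get("cmd"),
            "priv_lvl": int(rec["priv-lvl"]) if "priv-lvl" in rec else None,
            "start": fmt_time(rec["start_time"], rec["timezone"]),
            "duration_s": None,
        }
        if stop and "stop_time" in stop:
            ev["duration_s"] = int(stop["stop_time"]) - int(stop["start_time"])
        if stop and not start:
            findings.append(f"task {task_id}: stop record without start (lost or suppressed accounting)")
        if start and not stop:
            findings.append(f"task {task_id}: start record without stop (still open or not logged)")
        if ev["priv_lvl"] is not None and ev["priv_lvl"] >= high_priv:
            findings.append(f"task {task_id}: privilege {ev['priv_lvl']} command: {ev['cmd']}")
        events.append(ev)
    return events, findings


if __name__ == "__main__":
    evs, notes = correlate(SAMPLE_RECORDS)
    for ev in evs:
        print(ev)
    print("\n".join(notes))
```

Because the page guarantees that start and stop records for one event share a task_id, an unmatched stop is the signal worth alerting on: it is what a command such as the constructed "no logging" above would look like if the start record were dropped or the administrator disabled accounting mid-session.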
Index
Numerics
3GPP2 RADIUS VSAs
Mobile IP services, A-43
3GPP2 RADIUS VSAs authorized
Mobile IP services, A-43
802.1Q PVCs
specifying DSL line for subscribers, 6-5, 6-7
802.1Q Tunnel
mapping tunnel to DSL line, 6-5
specifying DSLAM ANI, slot, port, 6-5
specifying DSL line for subscribers, 6-5
A
AAA (authentication, authorization, and accounting)
administrator
accounting, 20-14
authentication, 20-8
assigning preferred IP addresses, 20-9
CLI commands
accounting, 20-14
authorization, 20-12
examples
subscriber authentication, 20-17
subscriber reauthorization, 20-18
L2TP accounting
context-specific, 20-17
global, 20-16
two-stage, 20-17
L2TP peer authorization, 20-12
structured username formats, 20-8
subscriber accounting
context-specific, 20-15
global, 20-14
two-stage, 20-16
subscriber authentication
disabling, 20-11
last-resort context, 20-11
local configuration, 20-10
RADIUS, context-specific, 20-10
RADIUS, context-specific, then global, 20-11
RADIUS, followed by SmartEdge OS, 20-11
RADIUS, global, 20-10
subscriber circuits
assigning IP addresses, 20-9
assigning routes, 20-7
subscriber reauthorization, configuring, 20-12
subscriber sessions, limiting number of, 20-7
access control list configuration mode, described, 1-14
Acct-Authentic attribute, A-8
Acct-Class-In-Octets-64 VSA, A-29
Acct-Class-Out-Octets-64 VSA, A-29
Acct-Delay-Time attribute, A-7
Acct-Dyn-Ac-Ent VSA, A-25
Acct-Input-Gigawords attribute, A-8
Acct-Input-Octets-64 VSA, A-23
Acct-Input-Octets attribute, A-7
Acct-Input-Packets-64 VSA, A-23
Acct-Input-Packets attribute, A-8
Acct-Interim-Interval attribute, A-10
Acct-Mcast-In-Octets-64 VSA, A-23
Acct-Mcast-In-Octets VSA, A-25
Acct-Mcast-In-Packets-64 VSA, A-24
Acct-Mcast-In-Packets VSA, A-25
Acct-Mcast-Out-Octets-64 VSA, A-23
Acct-Mcast-Out-Octets VSA, A-25
Acct-Mcast-Out-Packets-64 VSA, A-24
Acct-Mcast-Out-Packets VSA, A-25
Acct-Output-Gigawords attribute, A-9
Acct-Output-Octets-64 VSA, A-23
Acct-Output-Octets attribute, A-7
Acct-Output-Packets-64 VSA, A-23
Acct-Output-Packets attribute, A-8
Acct-Session-Id attribute, A-8
Acct-Session-Time attribute, A-8
Acct-Status-Type attribute, A-7
Acct-Terminate-Cause attribute, A-8
Acct-Tunnel-Connection attribute, A-10
Acct-Update-Reason VSA, A-25
ACL condition configuration mode, described, 1-14
ACL-Definition VSA, A-19
ACLs (access control lists)
enabling ACL counters for subscribers, 12-9
examples
attaching an IP ACL to an interface, 12-13
configuring a forward policy ACL, 12-13
configuring a NAT policy ACL, 12-13
configuring a QoS policy ACL, 12-14
modifying an IP ACL, 12-11
resequencing statements in an IP ACL, 12-11
ACLs (access control lists), IP
absolute conditions
creating, 12-8
modifying in real time, 12-9
applying to
a context, 12-8
an interface, 12-8
a subscriber, 12-8
conditions, creating, 12-8
creating or selecting, 12-8
deny statements, creating, 12-8
described, 12-1
description, creating, 12-8
periodic conditions
creating, 12-8
modifying in real time, 12-9
permit statements, creating, 12-8
resequencing statements, 12-8
ACLs (access control lists), policy
absolute conditions
creating, 12-9
modifying in real time, 12-10
applying to
a forward policy, 14-3
a NAT policy with dynamic translations, 13-8
a QoS metering policy, 16-12
a QoS policing policy, 16-12
condition ID, creating, 12-9
creating or selecting, 12-9
described, 12-3
description, creating, 12-9
periodic conditions
creating, 12-9
modifying in real time, 12-10
permit statements, creating, 12-9
resequencing statements, 12-9
administrator configuration mode, described, 1-14
Agent-Circuit-Id VSA, A-21, A-40, A-41
Agent-Remote-Id VSA, A-21
ANCP (Access Node Control Protocol)
mapping 802.1Q tunnel to DSL line, 6-5
overriding rates specified by QoS policies, 6-5
overriding rates using DSLAM data, 6-5
specifying DSLAM ANI, slot, port, 6-5
specifying DSL line for subscribers, 6-5, 6-7
ANCP (Access Node Control Protocol) neighbor peers
creating profile for, 6-4
specifying interface for ANCP sessions, 6-4
specifying IP address for, 6-4
specifying name for, 6-4
specifying TCP remote port for, 6-4
ANCP (Access Node Control Protocol) routers
assigning ID for SmartEdge router, 6-4
assigning TCP local port for, 6-4
creating, 6-4
specifying keepalive interval and retries for, 6-4
ANCP configuration mode, described, 1-14
ANCP neighbor configuration mode, described, 1-14
ARP (Address Resolution Protocol)
configuring the router to prevent DoS attacks, 2-4
disabling, 2-2
enabling
ARP, 2-2
proxy ARP, 2-2
secured ARP, 2-2
examples, 2-4
preventing DoS attacks, 2-3
table entries
creating static, 2-3
deleting expired, 2-3
incomplete, setting a maximum, 2-3
modifying the lifespan of, 2-3
ARP and DHCP, 5-2
Ascend-Data-Filter attribute, A-41
Assigned-IP-Address VSA, A-23
ATM DS-3 configuration mode, described, 1-14
ATM OC configuration mode, described, 1-14
ATM profile configuration mode, described, 1-14
ATM PVC configuration mode, described, 1-14
ATMWFQ policy configuration mode, described, 1-14
attributes
standard RADIUS, A-5
vendor-specific Redback, A-13
autonomous address configuration flag, specifying, 3-12
AVPs (attribute-value pairs), TACACS+, B-1
B
BG-Aging-time VSA, A-13
BG-Path-Cost VSA, A-13
BG-Trans-BPDU VSA, A-14
Bind-Auth-Context VSA, A-17, A-40, A-41
Bind-Auth-Max-Sessions VSA, A-17, A-40, A-41
Bind-Auth-Protocol VSA, A-17, A-40, A-41
Bind-Auth-Service-Grp VSA, A-17
Bind-Auto-Sub-Context VSA, A-22, A-41
Bind-Auto-Sub-Password VSA, A-22, A-41
Bind-Auto-Sub-User VSA, A-22, A-41
Bind-Bypass-Bypass VSA, A-17
Bind-Bypass-Context VSA, A-17
Bind-Dot1q-Port VSA, A-17
Bind-Dot1q-Slot VSA, A-17
Bind-Dot1q-Vlan-Tag-Id VSA, A-17
Bind-Int-Context VSA, A-17
Bind-Int-Interface-Name VSA, A-17
Bind-L2TP-Flow-Control VSA, A-17
Bind-L2TP-Tunnel-Name VSA, A-17
Bind-Ses-Context VSA, A-17
Bind-Sub-Password VSA, A-17
Bind-Sub-User-At-Context VSA, A-17
Bind-Tun-Context VSA, A-17
Bind-Type VSA, A-16, A-40, A-41
Bridge-Group VSA, A-13, A-14
burst flow creation rate, 19-3
C
Called-Station-Id attribute, A-7
Calling-Station-Id attribute, A-7
card configuration mode, described, 1-14
CHAP-Password attribute, A-5
Circuit groups
assigning members to, 18-22
attaching QoS policies to, 18-22, 18-26
hierarchical rate limiting, 18-4
Circuit groups, described, 18-4
Circuit-Protocol-Id VSA, A-22, A-41
Class attribute, A-6
classification mappings, creating, 16-13
Class-Traffic-Limit VSA, A-29
CLI (command-line interface) syntax, 1-14
Client-DNS-Pri VSA, A-13
Client-DNS-Sec VSA, A-13
CLIPS
dynamic CLIPS client, 5-2
CLIPS and DHCP, 5-2
CLIPS PVC configuration mode, described, 1-14
congestion map configuration mode, described, 1-14
Connect-Info attribute, A-10
context configuration mode, described, 1-14
Context-Name VSA, A-13
D
Deactivate-Service-Name VSA, A-31
Destination NAT, described, 13-4, 13-20
DHCP (Dynamic Host Configuration Protocol)
configuring the router to prevent DoS attacks, 5-7
described, 5-1
examples
IP source address, 5-21
proxy, dynamic, 5-16
proxy, static, 5-18
RADIUS, 5-19
external server
adding options to packets, 5-6
assigning to server group, 5-5
configuring subscriber circuits to use, 5-7
forwarding all, 5-5
forwarding discover packets, 5-5
hostname, assigning, 5-5
IP address for, 5-5
maximum hops, 5-5
minimum wait, 5-5
NAK suppression, 5-6
retries, 5-6
standby, forwarding to, 5-5
interfaces
external proxy server, 5-6
external relay server, 5-6
IP address for the giaddr field, 5-6
IP source address for external server, 5-6
internal server
assigning subnet IP addresses, 5-5
creating static mapping between subnet and vendor
class ID, 5-4
creating static mapping for IP address, 5-5
creating static mapping with MAC address, 5-5
creating subnet, 5-4
default lease time, specifying global setting, 5-4
default lease time, specifying subnet setting, 5-5
duplicate MAC addresses, allowing, 5-4
enabling context for, 5-4
enabling interface for, 5-4
maximum lease time, specifying global setting, 5-4
offer lease time, specifying global setting, 5-4
options, specifying global setting, 5-4
specifying boot loader image file, 5-4
specifying global settings, 5-4
specifying maximum number of IP addresses, 5-5
specifying server for boot loader image file, 5-4
specifying subnet settings, 5-5
threshold, enabling monitoring of leases, 5-4
DHCP giaddr configuration mode, described, 1-14
DHCP-Max-Leases VSA, A-13
DHCP relay server configuration mode, described, 1-14
DHCP server configuration mode, described, 1-14
DHCP subnet configuration mode, described, 1-14
DHCP-Vendor-Class-Id VSA, A-23
DHCP-Vendor-Encap-Option VSA, A-23
disabling and enabling
MN access to an FA, 8-8
DNS (Domain Name System)
creating domain names, 11-2
described, 11-1
enabling, 11-2
examples, 11-3
host table, creating static entries, 11-3
specifying server IP addresses for, 11-2
subscribers, 11-2
dot1q profile configuration mode, described, 1-14
dot1q PVC configuration mode, described, 1-14
dropping packets
associated with a class, 14-4
not associated with a class, 14-3
DS-0 group configuration mode, described, 1-14
DS-1 configuration mode, described, 1-14
DS-3 configuration mode, described, 1-14
DSCP (Differentiated Services Code Point)
marking incoming packets
conforming, 16-11
exceeding, 16-11
priority assignment, 16-11
violating, 16-11
marking outgoing packets
conforming, 16-10
exceeding, 16-10
priority assignment, 16-9
violating, 16-10
propagating
first-generation ATM to PD, 18-13
IP and L2TP, 18-20
IP and MPLS, 18-21
IP from Ethernet, 18-14
IP to Ethernet, 18-14
IP to first-generation ATM, 18-13
IP to second-generation ATM, 18-14
second-generation ATM to PD, 18-14
DSL-Actual-Inter-Delay-Down VSA, A-27
DSL-Actual-Inter-Delay-Up VSA, A-27
DSL-Actual-Rate-Down-Factor VSA, A-28
DSL-Actual-Rate-Down VSA, A-26
DSL-Actual-Rate-Up VSA, A-26
DSL-Attainable-Rate-Down VSA, A-27
DSL-Attainable-Rate-Up VSA, A-27
DSL-combined-Line-Info VSA, A-28
DSL-L2-Encapsulation VSA, A-28
DSL-Line-State VSA, A-27
DSL-Max-Inter-Delay-Down VSA, A-27
DSL-Max-Inter-Delay-Up VSA, A-27
DSL-Max-Rate-Down VSA, A-27
DSL-Max-Rate-Up VSA, A-27
DSL-Min-Low-Power-Rate-Down VSA, A-27
DSL-Min-Low-Power-Rate-Up VSA, A-27
DSL-Min-Rate-Down VSA, A-27
DSL-Min-Rate-Up VSA, A-27
DSL-PPPOA-PPPOE-Inter-Work-Flag VSA, A-28
DSL-Transmission-System VSA, A-28
dynamic CLIPS client, 5-2
Dynamic NAT, described, 13-3
Dynamic-Policy-Filter VSA, A-26
Dynamic Tunnel Profile configuration mode, described, 1-14
E
E1 configuration mode, described, 1-14
E3 configuration mode, described, 1-14
EDRR policy configuration mode, described, 1-14
EPD (early packet discard) parameters, ATMWFQ
policies, 17-11
Event-Timestamp attribute, A-9
exec mode, described, 1-14
F
FAC (flow admission control) profile
applying profiles to a circuit, 19-5
attributes, 19-2
burst flow creation rate, 19-3
circuit flow state, 19-4
configuring a FAC profile, 19-4
configuring burst creation rate, 19-4
configuring maximum flows per circuit, 19-4
configuring sustained creation rate, 19-5
controlling circuits, 19-1
creation rates, 19-2
criteria for generating, 19-2
definition, 19-1
enabling a FAC profile on a circuit, 19-5
five tuple, 19-2
flow creation cycle, 19-4
generation, 19-2
hardware requirements, 19-2
limits, 19-1
maximum flows per circuit, 19-3
sustained flow creation rate, 19-3
FA configuration mode, described, 1-14
Filter-Id attribute, A-6
flow configuration mode, described, 1-15
flow creation cycle, 19-4
forwarding all, 5-5
forwarding discover packets, 5-5
forward policies
applying a policy ACL, 14-3
classifying packets, 14-4
creating or selecting, 14-3
destination port, specifying, 14-3
dropping packets
associated with a class, 14-4
not associated with a class, 14-3
examples
combination of mirror, redirect, and drop, 14-10
dropping packets, 14-8
mirroring packets, 14-4
redirecting packets, 14-6
mirroring packets
associated with a class, 14-4
not associated with a class, 14-3
redirecting packets
associated with a class, 14-4
not associated with a class, 14-3
forward policy configuration mode, described, 1-15
Forward-Policy VSA, A-20
Framed-IP-Address attribute, A-6
Framed-IP-Netmask attribute, A-6
Framed-MTU attribute, A-6
Framed-Protocol attribute, A-6
Framed-Route attribute, A-6
Frame Relay PVC configuration mode, described, 1-15
G
global configuration mode, described, 1-15
GRE tunnel configuration mode, described, 1-15
H
HA peer configuration mode, described, 1-15
hierarchical rate limiting
circuit groups, 18-4
hierarchical metering, 16-6, 16-52, 18-2
hierarchical node configuration mode, described, 1-15
hierarchical node group configuration mode, described, 1-15
hierarchical policing, 16-52
hotlining, 10-1
HTTP redirect
attaching
a forward policy to a subscriber circuit, 9-4, 10-4
the redirect profile to a subscriber, 9-3
configuring
forward policy, 9-4, 10-4
IP ACL for subscriber access, 9-2
policy ACL, 9-3, 10-4
redirect profile, 9-3
subscriber access, 9-2
subscriber authentication, 9-2
subscriber reauthorization, 9-2
URL, 9-3
described, 9-1
examples, 9-4
server
enabling, 9-2, 10-3
port number, modifying, 9-2, 10-3
HTTP redirect profile mode, described, 1-15
HTTP-Redirect-Profile-Name VSA, A-22
HTTP redirect server configuration mode, described, 1-15
HTTP-Redirect-URL VSA, A-26
I
Idle-Timeout attribute, A-7
Igmp-Service-Profile VSA, A-20
interface configuration mode, described, 1-15
Ip-Address-Pool-Name VSA, A-16
Ip-Host-Addr VSA, A-17
IP-Interface VSA, A-22
IP-TOS-Field VSA, A-18
K
key chain configuration mode, described, 1-15
key chains
creating a description, 24-2
enabling for use with
IS-IS, 24-3
Mobile IP, 24-3
OSPF, 24-3
VRRP, 24-3
examples, 24-4
specifying
key ID, 24-2
key string, 24-3
send lifetime, 24-3
L
L2TP (Layer 2 Tunneling Protocol)
accounting
context-specific, 20-17
global, 20-16
two-stage, 20-17
propagating QoS, 18-20
l2tp peer configuration mode, described, 1-15
LAC-Port-Type VSA, A-24
LAC-Port VSA, A-24
LAC-Real-Port-Type VSA, A-24
LAC-Real-Port VSA, A-24
LI (lawful intercept)
accessing software license configuration mode, 23-3
accounts, creating, 23-3
configuring circuits for
contexts, 23-4
interfaces, 23-4
subscribers, 23-4
described, 23-1
examples, 23-5
features and functions, enabling and disabling, 23-3
profiles
configuring circuits, 23-4
configuring IP ACL for, 23-4
creating, 23-3
defining header fields, 23-4
defining transport data section, 23-4
enabling pending intercept requests, 23-4
6 IP Services and Security Configuration Guide
specifying intercept type, 23-4
starting circuit or subscriber intercepts, 23-5
starting subscriber intercepts, 23-5
stopping circuit or subscriber intercepts, 23-5
stopping subscriber intercepts, 23-5
LI-Action VSA, A-26
LI-Identifier VSA, A-26
LI-Md-Address VSA, A-26
LI-Md-Port VSA, A-26
link group configuration mode, described, 1-15
LI profile configuration mode, described, 1-15
LI-Profile VSA, A-26
M
Mac-Addr VSA, A-25
maximum flows per circuit, 19-3
maximum hops, external DHCP server, 5-5
maximum lease time, specifying subnet setting, 5-5
Mcast-MaxGroups VSA, A-16
Mcast-Receive VSA, A-16
Mcast-Send VSA, A-15
MDRR policy configuration mode, described, 1-15
Medium-Type VSA, A-16
metering policy configuration mode, described, 1-15
minimum wait, external DHCP server, 5-5
mirroring packets
associated with a class, 14-4
not associated with a class, 14-3
Mobile IP configuration mode, described, 1-15
Mobile IP interface configuration mode, described, 1-15
Mobile IP services
binding Ethernet ports and circuits, 7-11
CoA context and interfaces, described, 7-5
configuring advertising tunnel type, 7-10
configuring a key string, 7-9
configuring authentication, 7-11
configuring default authentication, 7-10
configuring Ethernet ports and circuits, 7-11
configuring GRE tunnels, 7-12
configuring IP-in-IP tunnels, 7-12
configuring registration revocation, 7-10
creating a key chain, 7-9
creating a Mobile IP router, 7-9
creating an FA instance, 7-10
creating CoA contexts, 7-8
creating CoA interfaces, 7-8
creating FA contexts, 7-8
creating FA contexts, described, 7-5
creating HA peer instance, 7-10
creating HA VPN contexts, 7-9
creating interfaces, 7-8
creating tunnel interfaces, 7-9
deployment scenarios
described, 7-5
for mobile ISPs, 7-6
network, 7-6
network with private IP addresses, 7-6
network with public IP addresses, 7-6
network with some private IP addresses, 7-6
disabling and enabling
FA instances, 7-12
HA peers, 7-12
MN access to an FA, 7-12
enabling MN location detection, 7-10
enabling mobile IP services on a context
HA peers, 7-10
MNs, 7-11
FA instances, described, 1-5
FA instances supported, 7-4
forwarding non-Mobile IP traffic, 7-10
HA peer instances, described, 1-5
HA peer instances supported, 7-4
HA VPN contexts, described, 7-5
selecting a context for an FA instance
described, 7-9
MN access, 7-11
selecting an existing interface for MN access, 7-11
selecting an FA instance, 7-10
selecting the context, 7-10
selecting the key chain context, 7-9
specifying a SPI, 7-9
specifying HA VPN context, 7-11
specifying MN message forwarding criteria, 7-10
specifying the care-of interface for an FA instance, 7-10
specifying the maximum interval, 7-11
specifying the maximum lifetime, 7-11
specifying the maximum pending registrations, 7-11
specifying the maximum registration lifetime, 7-11
specifying the minimum interval, 7-11
typical FA network, described, 7-4
typical network, described, 1-6
mobile IP services
configuring advertising tunnel type
HA instance, 8-6
configuring a key string
HA instance, 8-6
configuring authentication
FA peer, 8-7
configuring default authentication
HA, 8-6
configuring GRE tunnels
FA peers, 8-8
configuring IP-in-IP tunnels
FA peers, 8-8
configuring maximum registration lifetime
HA, 8-6
configuring MN subscribers, 8-7
configuring registration revocation
HA, 8-6
configuring replay tolerance
HA, 8-6
creating a key chain
HA, 8-6
creating an HA instance, 8-6
creating CoA contexts
HA instances, 8-5
creating FA contexts
peers, 8-5
creating FA peers, 8-7
creating interfaces
FA peers, 8-5
HA local addresses, 8-6
disabling and enabling
FA peers, 8-8
HA instances, 8-8
dynamic tunnel profile, FA Peer, 8-7
enabling a context for an HA instance, 8-6
enabling mobile IP services for FA peer, 8-7
selecting the context
HA instances, 8-6
selecting the context for an HA instance
described, 8-6
FA peers, 8-7
selecting the HA instance for FA peers, 8-7
specifying an SPI
HA, 8-6
MPLS (Multiprotocol Label Switching)
propagating QoS, 18-21
using only DSCP for queuing, 18-21
MPLS router configuration mode, described, 1-15
N
NAK suppression, external DHCP server, 5-6
NAS-Identifier attribute, A-7
NAS-IP-Address attribute, A-5
NAS-Port attribute, A-5
NAS-Port-Id attribute, A-10
NAS-Port-Type attribute, A-9
NAS-Real-Port VSA, A-18
NAT (Network Address Translation) policies
and Session limit control, 13-5
described, 13-1
DMZ, 13-4
dynamic, 13-3
dynamic translations
applying a policy ACL, 13-8
attaching a policy, 13-8
configuration tasks, 13-7
creating or selecting a policy, 13-7
creating or selecting a pool, 13-7
dropping a class of packets, 13-8
dropping or ignoring packets, 13-7
enabling session limit control, default class, 13-8
enabling session limit control, named class, 13-8
overwriting destination IP address, 13-8
specifying a class, 13-8
specifying a maximum number of sessions, 13-7
specifying a pool, 13-7
specifying IP addresses for a pool, 13-7
specifying the class timeout, 13-8
specifying the pool for a class of packets, 13-8
specifying timeout, 13-7
examples
combination of all translation types, 13-11
dynamic translations, 13-10
NAPT with dynamic translations, 13-11
NAPT with static translations, 13-9
static translations, 13-9
with Destination NAT, 13-12
ignore source IP address translation, 13-23
order of application to packets, 13-5
source NAT, 13-2
static, 13-2
static translations, configuring, 13-6
using policy ACLs with, described, 13-3
NAT DMZ, described, 13-4
NAT policy configuration mode, described, 1-15
NAT-Policy-Name VSA, A-22
NAT pool configuration mode, described, 1-15
ND (Neighbor Discovery) protocol
examples, 3-4
ND router
configuring global settings for, 3-3
creating, 3-3
creating interface for, 3-3
creating or selecting context for, 3-3
specifying IPv6 interface address for, 3-3
ND router interface
configuring interface settings for, 3-3
configuring prefixes for, 3-3
selecting context for, 3-3
selecting interface for, 3-3
selecting ND router for, 3-3
specifying static neighbors for, 3-3
Preferred Lifetime, 3-10
prefixes, configuring, 3-12
RA messages
configuration flags, 3-14
Reachable Time, 3-16
Router Lifetime, 3-14
Retrans Timer, 3-8
Valid Lifetime, 3-19
ND router configuration mode, described, 1-15
ND router interface configuration mode, described, 1-15
NPM-Service-Id VSA, A-22
NTP (Network Time Protocol)
accessing NTP configuration mode, 4-2
configuring
peer synchronization, 4-2
server synchronization, 4-2
enabling slowsync, 4-2
examples, 4-2
NTP configuration mode, described, 1-15
num-queues configuration mode, described, 1-15
O
offer lease time, specifying subnet setting, 5-5
on-link flag, specifying, 3-12
options, specifying subnet setting, 5-5
OS-Version VSA, A-22
overhead profile configuration mode, described, 1-15
overhead type configuration mode, described, 1-15
P
parameter array loop configuration mode, described, 1-15
Platform-Type VSA, A-21
Police-Burst VSA, A-14
Police-Rate VSA, A-14
policing policy configuration mode, described, 1-15
policy ACL class configuration mode, described, 1-15
policy ACL configuration mode, described, 1-15
policy class rate configuration mode, described, 1-16
policy rate configuration mode, described, 1-16
port configuration mode, described, 1-16
Port-Limit attribute, A-9
PPPoE-IP-Route-Add VSA, A-19
PPPOE-MOTM VSA, A-15
PPPOE-URL VSA, A-15
PQ policy configuration mode, described, 1-16
Preferred Lifetime, specifying, 3-10
Prefix Information option, configuring
autonomous address configuration flag, 3-12
on-link flag, prefix specific, 3-12
Preferred Lifetime, 3-12
Valid Lifetime
interfaces, 3-13
ND router, 3-19
priority groups, customizing queue maps for, 17-9
propagating QoS
classification maps
creating, 16-13, 18-19
mapping 802.1p values to QoS values, 18-19
mapping DSCP values to QoS values, 18-19
mapping EXP values to QoS values, 18-20
mapping QoS values to 802.1p values, 18-19, 18-20
mapping QoS values to ATM CLP values, 18-19
mapping QoS values to DSCP values, 18-19
mapping QoS values to EXP values, 18-20
referencing, 18-20
specifying default values, 18-19
using DSCP values, 18-19, 18-20
first-generation ATM to PD, 18-13
IP from Ethernet, 18-14
IP from MPLS, 18-21
IP to Ethernet, 18-14
IP to first-generation ATM, 18-13
IP to MPLS, 18-21
IP to second-generation ATM, 18-14
L2TP
inbound packets, downstream direction, 18-21
inbound packets, to an LAC, 18-21
inbound packets, to an LNS, 18-20
inbound packets, upstream direction, 18-20
outbound packets, from an LNS, 18-21
outbound packets, upstream direction, 18-21
second-generation ATM to PD, 18-14
propagating QoS, described
IP and Ethernet, 18-8
IP and L2TP, 18-10
IP and MPLS, 18-9
IP to ATM, 18-7
types of settings, 18-6
protocol policy configuration mode, described, 1-16
proxy ARP, enabling, 2-2
PVC-Encapsulation-Type VSA, A-16, A-40, A-41
PVC-Profile-Name VSA, A-16, A-40, A-41
Q
QoS
classifying packets using ACLs, described, 16-2
DSCP bits, marking incoming packets
conforming, 16-11
exceeding, 16-11
priority, 16-11
violating, 16-11
DSCP bits, marking outgoing packets
conforming, 16-10
exceeding, 16-10
priority, 16-9
violating, 16-10
QoS (quality of service)
circuit groups, 18-4
classifying traffic with priority groups
Ethernet circuits, 18-14
PDH circuits, 18-17
POS circuits, 18-17
congestion avoidance maps
creating or selecting, 17-10
described, 17-6, 17-8
setting exponential weight for, 17-10
setting RED parameters for, 17-10
congestion management, described, 17-6, 17-8
EDRR algorithm mode, defining for
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
subscriber circuits, 18-19
high-level view of QoS traffic, 16-8
Mapping child policy class to parent class, 16-6
marking, described, 16-3
metering and policing policy inheritance, described, 16-6
policy ACLs, described, 16-2
priority groups
customizing queue maps for, 17-9
priority groups, described, 16-2
propagating
described, 18-6
first-generation ATM to PD, 18-13
IP from Ethernet, 18-14
IP to Ethernet, 18-14
IP to first-generation ATM, 18-13
IP to second-generation ATM, 18-14
second-generation ATM to PD, 18-14
queue depth, described, 17-8
queue maps
creating, 17-9
described, 17-2
mapping priority groups to queues, 17-9
specifying the number of queues for, 17-9
queue rates, described, 17-8
rate-limiting, described, 16-3
setting the rate for outgoing traffic, 18-15
QoS (quality of service), classification mappings, 16-13
QoS (quality of service), examples
ATMWFQ policy, 17-15
congestion avoidance map, 17-15, 17-21
EDRR policy
attaching, 18-24
configuring, 17-16
hierarchical scheduling, 18-25
hierarchical shaping, 18-25
MDRR policy, configuring, 17-16
metering policies, attaching
cross-connected circuits, 18-23
PVCs, 18-23
subscribers, 18-24
overhead profile, 18-25
policing policies
circuit-based marking, 16-14
circuit-based rate-limiting, 16-14
class and rate-limiting, 16-14
rate-limiting and marking, 16-15
PQ policies
attaching, 18-24
backbone application, 17-18
rate-limiting, 17-17
PWFQ policies
attaching to node, 18-25
attaching to port and PVC, 18-25
configuring, 17-19
ports, 18-25
QoS propagation, 18-25
queue maps, 17-14
RED parameters, 17-16
QoS (quality of service), hierarchical scheduling, configuring
ports
attaching PWFQ policy, 18-15
scheduling algorithm for, 18-15
setting rates for, 18-15
tunnels and PVCs
attaching PWFQ policy, 18-16
scheduling algorithm, 18-15
setting rates for, 18-15
QoS (quality of service), hierarchical shaping, configuring
node groups
creating, 18-16
for subscriber circuits, 18-16
scheduling algorithm for, 18-16
setting rates for, 18-16
nodes
attaching PWFQ policy, 18-17
creating, 18-16
scheduling algorithm for, 18-16
setting rates for, 18-16
ports
scheduling algorithm for, 18-16
setting rates for, 18-16
subscriber circuits, creating reference to node, 18-18
QoS (quality of service), overhead profile
assign encaps-factor, 17-14
assign rate-factor for specific overhead profile, 17-14
configuring data types, 17-13
creating, 17-13
creating a default rate-factor, 17-13
creating an encaps-access-line, 17-13
creating a reserved value, 17-13
creating reserve value for specified profile, 17-14
QoS (quality of service), overhead profile policies
scheduling policies, attaching to
subscriber circuits, 18-19
QoS (quality of service), policies
ATMWFQ policies
assigning a congestion avoidance map to, 17-10
assigning a queue map to, 17-10
attaching to second-generation ATM PVCs, 18-14
creating the name of, 17-10
defining the algorithm mode for, 17-10
described, 17-5
setting EPD parameters for, 17-11
specifying the number of queues for, 17-10
specifying the traffic weight for, 17-10
congestion avoidance maps, specifying the queue depth for, 17-10
EDRR policies
assigning a queue map to, 17-11
creating the name of, 17-11
described, 17-3
modifying the traffic weight for, 17-11
setting a rate limit for, 17-11
specifying RED parameters for, 17-11
specifying the depth of each queue, 17-11
specifying the number of queues for, 17-11
MDRR policies
assigning a congestion avoidance map to, 17-12
assigning a queue map to, 17-12
creating the name of, 17-12
modifying the traffic weight for, 17-12
setting a rate limit for, 17-12
specifying the number of queues for, 17-12
specifying the scheduling algorithm, 17-12
metering policies
creating or selecting, 16-9
marking outgoing packets, 16-9
rate-limiting outgoing packets, 16-9
metering policies, attaching to
cross-connected circuits, 18-18
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
second-generation ATM PVCs, 18-14
subscriber circuits, 18-18
overhead profile, attaching to Ethernet circuits, 18-14
policing policies
applying a policy ACL, 16-12
creating or selecting, 16-11
described, 16-2
marking incoming packets, 16-11
rate-limiting incoming packets, 16-11
policing policies, attaching to
cross-connected circuits, 18-18
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
second-generation ATM PVCs, 18-14
subscriber circuits, 18-18
PQ policies
assigning a queue map to, 17-12
creating the name of, 17-12
described, 17-3
setting a rate limit per queue, 17-12
specifying RED parameters for, 17-12
specifying the number of queues for, 17-12
specifying the queue depth for, 17-12
PWFQ policies
assigning a congestion avoidance map to, 17-13
assigning a queue map to, 17-13
creating the name of, 17-13
defining the algorithm mode for, 17-13
described, 17-5
setting rate and burst for priority groups, 17-13
setting rate limits, 17-13
setting relative weight, 17-13
specifying the number of queues for, 17-13
scheduling policies, attaching to
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
scheduling policies, attaching to subscriber circuits, 18-18
scheduling policies, circuits supported, 18-3
scheduling policies, described
ATMWFQ, 17-5
EDRR, 17-3
PQ, 17-3
PWFQ, 17-5
specifying circuit rate
802.1Q tunnels and PVCs, 18-15
ATM DS-3 PVCs, 18-14
Ethernet and GE ports, 18-15
first-generation ATM OC PVCs, 18-13
link groups and PVCs, 18-17
PDH ports and channels, 18-17
POS ports, 18-17
second-generation ATM OC PVCs, 18-14
subscriber circuits, 18-18
QoS, hierarchical shaping, configuring nodes for subscriber circuits, 18-16
QoS, policies
metering policies
applying a policy ACL, 16-12
described, 16-2
QoS-Overhead VSA, A-31, A-40, A-41
Qos-Policy-Metering VSA, A-20
Qos-Policy-Policing VSA, A-20
Qos-Policy-Queuing VSA, A-20, A-40, A-41
Qos-Rate-Inbound VSA, A-26
Qos-Rate-Outbound VSA, A-26
QoS-Reference VSA, A-23
queue map configuration mode, described, 1-16
R
RA (Router Advertisement) messages
Managed address configuration flag, 3-14
Other stateful configuration flag, 3-14
Reachable Time, 3-16
Router Lifetime, 3-14
RADIUS (Remote Authentication Dial-In User Service)
accounting servers
accounting messages, sending, 21-6
configuring hostname or IP address, 21-5
configuring load balancing, 21-6
described, 21-2, 21-3
modifying number of requests, 21-8
modifying number of retransmissions, 21-7
timeout, deadtime, 21-7
timeout, lost packet, 21-7
timeout, server dead, 21-7
timeout, server unreachable, 21-7
account termination error code, remapping, 21-11
attributes
standard, A-5
attributes, 3GPP2 VSAs that can be reauthorized, A-43
attributes, Filter-Id, 21-9
attributes, sending in request packets
Acct-Delay-Time, 21-9
Acct-Session-Id, 21-9
NAS-Identifier attribute, 21-9
NAS-IP-Address attribute, 21-9
NAS-Port, 21-9
NAS-Port-ID, 21-9
NAS-Port-Type, 21-10
attributes, specifying separator character, 21-10
attributes, standard
in CoA and Disconnect messages, A-11
that can be reauthorized, A-12
attributes, VSA, A-13
in CoA and Disconnect messages, A-32
that can be reauthorized, A-34
authentication servers
configuring hostname or IP address, 21-5
configuring load balancing, 21-6
described, 21-2, 21-3
authentication service profile
counters for service accounting, specifying, 21-11
creating or selecting the context for, 21-10
RADIUS and Redback attributes, specifying, 21-11
service parameters, specifying, 21-11
service profile, creating or selecting, 21-10
CoA servers, configuring hostname or IP address, 21-5
described, 21-1
examples, 19-5, 21-12
increasing number of server ports, 21-8
policies
assigning to a context, 21-9
creating or modifying, 21-9
specifying attributes to be dropped, 21-9
servers
modifying number of requests, 21-8
modifying number of retransmissions, 21-7
timeout, dead time, 21-7
timeout, lost packet, 21-7
timeout, server dead, 21-7
timeout, server unreachable, 21-7
service profile
Dynamic-Policy-Filter attribute for, 21-20
Dynamic-QoS-Param attribute for, 21-20
Filter-Id attribute for, 21-20
Forward-Policy attribute for, 21-20
HTTP-Redirect-URL attribute for, 21-20
Qos-Policy-Metering attribute for, 21-20
Qos-Policy-Policing attribute for, 21-20
Qos-Policy-Queuing attribute for, 21-20
Service-Interim-Acct-Interval attribute for, 21-20, A-42
Service-Timeout attribute for, 21-20, A-42
Service-Volume-Limit attribute for, 21-20, A-42
source address, configuring, 21-6
stripping domain from username, 21-8
RADIUS and DHCP, 5-3
RADIUS attributes
Mobile IP services, A-42
RADIUS policy configuration mode, described, 1-16
RADIUS (Remote Authentication Dial-In User Service)
attributes, Redback prefix for VSAs, A-6
radius service profile configuration mode, described, 1-16
Rate-Limit-Burst VSA, A-14
Rate-Limit-Rate VSA, A-14
RB-Client-NBNS-Pri VSA, A-21
RB-Client-NBNS-Sec VSA, A-21
Reauth-More VSA, A-21
Reauth-Session-Id VSA, A-26
Reauth-String VSA, A-21
RED (random early detection) parameters
ATMWFQ policies, 17-10
EDRR policies, 17-11
MDRR policies, 17-12
PQ policies, 17-12
PWFQ policies, 17-13
Redback Reason VSA, A-20
redirecting packets
associated with a class, 14-4
not associated with a class, 14-3
Reply-Message attribute, A-6
Retrans Timer, 3-8
retries, external DHCP server, 5-6
Route-Tag VSA, A-26
S
secured ARP, enabling, 2-2
server group, assigning external DHCP server to, 5-5
Service-Error-Cause VSA, A-30
Service-Name VSA, A-30
Service-Options VSA, A-30
Service-Parameter VSA, A-30
service policies
attaching to subscriber sessions, 15-2
configuring
allowable contexts or domains, 15-2
denied contexts or domains, 15-2
policy name, 15-2
described, 15-1
examples, 15-3
service policy configuration mode, described, 1-16
Service-Type attribute, A-5
Session-Error-Code VSA, A-25
Session-Error-Msg VSA, A-25
Session Limit Control, described, 13-4
Session-Timeout attribute, A-6
Session-Traffic-Limit VSA, A-23
Shaping-Profile-Name VSA, A-21
software license configuration mode, described, 1-16
Source NAT (SNAT), 13-2
Source-Validation VSA, A-14
Standard RADIUS attributes
Mobile IP services, A-42
standby server, forwarding to, 5-5
Static NAT, described, 13-2
Sub-Profile-Name VSA, A-20
subscriber configuration mode, described, 1-16
subscribers, overriding rates specified by QoS policies, 6-5
subscribers, overriding rates using DSLAM data, 6-5
sustained flow creation rate, 19-3
T
TACACS+ (Terminal Access Controller Access Control System Plus)
AVPs, B-1
configuring IP address or hostname, 22-3
described, 22-1
examples, 22-3
modifying deadtime interval, 22-3
modifying number of maximum retries, 22-3
modifying server identifier, 22-3
modifying timeout, 22-3
source address, configuring, 22-3
stripping the domain portion of a username, 22-3
terminate error cause configuration mode, described, 1-16
traffic cards, listed, 5-63, 18-3
Tunnel-Algorithm VSA, A-15
Tunnel-Assignment-Id attribute, A-10
Tunnel-Checksum VSA, A-19
Tunnel-Client-Auth-Id attribute, A-11
Tunnel-Client-Endpoint attribute, A-9
Tunnel-Client-Int-Addr VSA, A-20
Tunnel-Client-Rhost VSA, A-20
Tunnel-Client-VPN VSA, A-20
Tunnel-Cmd-Timeout VSA, A-15
Tunnel-Context VSA, A-15
Tunnel-Deadtime VSA, A-15
Tunnel-DNIS VSA, A-16
Tunnel-Domain VSA, A-14
Tunnel-Function VSA, A-14
Tunnel-Group VSA, A-15
Tunnel-Hello-Timer VSA, A-20
Tunnel-L2F-Second-Password VSA, A-19
Tunnel-Local-Name VSA, A-14
tunnel map configuration mode, described, 1-16
Tunnel-Max-Sessions VSA, A-14
Tunnel-Max-Tunnels VSA, A-15
Tunnel-Medium-Type attribute, A-9
Tunnel-Password attribute, A-10
Tunnel-Police-Burst VSA, A-19
Tunnel-Police-Rate VSA, A-19
Tunnel-Preference attribute, A-10
Tunnel-Profile VSA, A-19
Tunnel-Rate-Limit-Burst VSA, A-18
Tunnel-Rate-Limit-Rate VSA, A-18
Tunnel-Remote-Name VSA, A-14
Tunnel-Retransmit VSA, A-15
Tunnel-Server-Auth-Id attribute, A-11
Tunnel-Server-Endpoint attribute, A-10
Tunnel-Server-Int-Addr VSA, A-20
Tunnel-Server-Rhost VSA, A-20
Tunnel-Server-VPN VSA, A-20
Tunnel-Session-Auth-Ctx VSA, A-18
Tunnel-Session-Auth-Service-Grp VSA, A-18
Tunnel-Session-Auth VSA, A-15
Tunnel-Type attribute, A-9
Tunnel-Window VSA, A-15
U
URL, HTTP redirect, 9-3
User-Name attribute, A-5
User-Password attribute, A-5
V
Vendor-Specific attribute, A-6
VSAs (vendor-specific attributes), Redback
listed, A-13
prefix for, A-6
Index of Commands
A
aaa accounting administrator, 20-20
aaa accounting commands, 20-22
aaa accounting event, 20-24
aaa accounting l2tp, 20-26
aaa accounting reauthorization subscriber, 20-29
aaa accounting subscriber, 20-31
aaa accounting suppress-acct-on-fail, 20-34
aaa authentication administrator, 20-36
aaa authentication subscriber, 20-40
aaa authorization commands, 20-43
aaa authorization tunnel, 20-45
aaa double-authentication subscriber radius, 20-46
aaa encrypted-password default, 20-48
aaa global accounting event, 20-49
aaa global accounting l2tp-session, 20-51
aaa global accounting reauthorization subscriber, 20-53
aaa global accounting subscriber, 20-55
aaa global authentication subscriber, 20-57
aaa global maximum subscriber, 20-59
aaa global reject empty-username, 20-61
aaa global update subscriber, 20-64
aaa hint ip-address, 20-66
aaa ip-pool allocation first-available, 20-68
aaa last-resort, 20-69
aaa maximum subscriber, 20-71
aaa password, 20-73
aaa provision binding-order, 20-75
aaa provision route, 20-77
aaa rate-report-factor, 20-78
aaa reauthorization bulk, 20-80
aaa update subscriber, 20-82
aaa username-format, 20-84
absolute, 12-16
accept-lifetime, 24-5
access-group, 12-18
access-line access-node-id, 6-12
access-line adjust, 6-9
access-line agent-circuit-id, 6-10
access-line rate, 6-14
access-list, 12-20
accounting, 21-16
address, 13-14
admin-access-group, 12-21
admission-control, 13-16
advertise max-interval, 7-16
advertise max-lifetime, 7-17
advertise min-interval, 7-18
advertise tunnel-type, 7-19
allow, 15-5
allow-duplicate-mac, 5-22
arp rate, 2-6
atm to qos, 18-28
atm use-ethernet, 18-30
atm use-ip, 18-32
attribute, 21-18
authentication, 7-20
HA instance and FA peer, 8-10
B
bootp-enable-auto, 5-23
bootp-filename, 5-24
boot-siaddr, 5-25
broadcast-discover, 5-26
burst-creation-rate, 19-8
C
care-of-address, 7-22
class, 12-23
class-group, 16-17
clear-df, 7-23
clpbit propagate qos from atm, 18-34
clpbit propagate qos to atm, 18-36
command, 5-69
command-access, 23-8
condition, 12-25
conform mark dscp, 16-19
conform mark precedence, 16-22
conform mark priority, 16-24
conform no-action, 16-27
congestion-map, 17-22
connections, 13-18
D
default-lease-time, 5-27
deny, 12-27, 15-7
description, 12-37
destination, 13-20
dhcp max-addrs, 5-28
dhcp proxy, 5-30
dhcp relay, 5-32
dhcp relay option, 5-34
dhcp relay server, 5-36
dhcp relay server retries, 5-38
dhcp relay suppress-nak, 5-39
dhcp server, 5-40
dhcp server policy, 5-42
dns, 11-4
drop
forward policies, 14-14
NAT policies, 13-22
dynamic-tunnel-profile, 7-24, 8-12
E
egress prefer dscp-qos, 18-38
encaps-access-line, 17-23
encrypt, 9-7
ethernet to qos, 18-39
ethernet use-ip, 18-41
exceed drop, 16-28
exceed mark dscp, 16-30
exceed mark precedence, 16-33
exceed mark priority, 16-35
exceed no-action, 16-38
F
flow admission-control profile, 19-9
flow apply admission-control profile, 19-10
flow enable, 19-11
flow monitor circuit, 19-12
foreach, 21-23
foreign-agent, 7-27
foreign-agent-peer, 8-15
forward-all, 5-43
forwarding scheme, 7-28
forwarding traffic, 7-29
forward output, 14-16
forward policy, 14-18
forward policy in, 14-19
forward policy out, 14-21
G
gre mtu, 7-30
H
header, 23-10
hold-time, 7-31
home-agent, 8-16
home-agent-peer, 7-32
http-redirect profile, 9-9
http-redirect server, 9-11
I
ignore, 13-23
interface
ANCP protocol, 6-16
Mobile IP interface configuration, 7-33
ND protocol, 3-5
ip access-group, 12-38
ip access-list, 12-40
ip arp, 2-7
ip arp arpa, 2-9
ip arp delete-expired, 2-10
ip arp maximum incomplete-entries, 2-11
ip arp proxy-arp, 2-12
ip arp secured-arp, 2-14
ip arp timeout, 2-16
ip dmz, 13-24
ip domain-lookup, 11-5
ip domain-name, 11-6
ip host, 11-7
ip interface, 5-44
ipip mtu, 7-34
ip name-servers, 11-8
ip nat, 13-25
ip nat pool, 13-26
ip static in, 13-27
ip static out, 13-29
ip subscriber arp, 2-17
ip to qos, 18-43
ipv6 host, 11-9
ipv6 name-servers, 11-10
K
keepalive, 6-17
key-chain description, 24-7
key-chain key-id, 24-8
key-string, 24-10
L
lawful-intercept, 23-12
li-profile, 23-13
llc-xid-processing, 7-35
local-address, 8-17
M
mac-address, 5-46
mapping-schema, 16-40
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
max-flows-per-circuit, 19-13
max-hops, 5-47
max-lease-time, 5-48
max-pending-registrations, 7-36
min-wait, 5-49
mirror destination, 14-23
modify ip access-list, 12-42
modify policy access-list, 12-44
mpls to qos, 18-45
mpls use-ethernet, 18-47
mpls use-ip, 18-49
N
nat policy, 13-31
nat policy-name, 13-33
neighbor, 3-7
neighbor profile, 6-19
ns-retry-interval, 3-8
ntp mode, 4-4
ntp peer, 4-5
ntp server, 4-7
num-queues, 17-26
O
offer-lease-time, 5-50
option, 5-51
option-82, 5-57
out, 21-80
P
parameter, 21-25
parent-class, 16-52
peer id, 6-20
peer ip-address, 6-21
pending, 23-14
periodic, 12-46
permit, 12-48
policy access-list, 12-58
pool, 13-34
port, 9-12
preferred-lifetime, 3-10
prefix, 3-12
propagate qos from ethernet, 18-51
propagate qos from ip, 18-53
propagate qos from l2tp, 18-55
propagate qos from mpls, 18-57
propagate qos from subscriber, 18-59
propagate qos to ethernet, 18-61
propagate qos to ip, 18-62
propagate qos to l2tp, 18-63
propagate qos to mpls, 18-65
propagate qos transport use-vlan-header, 18-67
propagate qos use-vlan-ethertype, 18-68
propagate qos use-vlan-header, 18-70
Q
qos class, 16-54
qos class-definition, 16-56
qos class-map, 16-57
qos congestion-avoidance-map, 17-28
qos hierarchical mode strict, 18-71
qos mode, 17-30, 18-73
qos node, 18-75
qos node-group, 18-77
qos node-reference, 18-78
qos policy atmwfq, 17-31
qos policy edrr, 17-33
qos policy mdrr, 17-35
qos policy metering, 16-59
attaching, 18-79
qos policy policing, 16-61
attaching, 18-83
qos policy pq, 17-37
qos policy protocol-rate-limit, 18-87
qos policy pwfq, 17-39
qos policy queuing, 18-89
qos priority, 18-92
qos profile overhead, 18-94
creating, 17-40
selecting, 17-40
qos queue-map, 17-41
qos rate, 18-96
qos to atm, 18-98
qos to ethernet, 18-100
qos to ip, 18-102
qos to mpls, 18-104
qos use-ip, 18-106
qos weight, 18-108
queue 0 mode, 17-43
queue congestion epd, 17-44
queue depth, 17-46
queue exponential-weight, 17-48
queue-map, 17-50
queue priority, 17-51
queue priority-group, 17-54
queue rate, 17-56
queue red, 17-57
queue weight, 17-62
R
ra, 3-14
radius accounting algorithm, 21-28
radius accounting deadtime, 21-29
radius accounting max-outstanding, 21-31
radius accounting max-retries, 21-32
radius accounting send-acct-on-off, 21-33
radius accounting server, 21-35
radius accounting server-timeout, 21-37
radius accounting timeout, 21-38
radius algorithm, 21-39
radius attribute acct-delay-time, 21-40
radius attribute acct-session-id, 21-42
radius attribute acct-terminate-remap, 21-43
radius attribute acct-tunnel-connection l2tp-call-serial-num, 21-44
radius attribute calling-station-id, 21-46
radius attribute filter-id, 21-50
radius attribute nas-identifier, 21-52
radius attribute nas-ip-address, 21-53
radius attribute nas-port, 21-54
radius attribute nas-port-id, 21-58
radius attribute nas-port-type, 21-61
radius attribute vendor-specific, 21-63
radius coa server, 21-64
radius deadtime, 21-67
radius max-outstanding, 21-69
radius max-retries, 21-70
radius policy, 21-71
radius server, 21-73
radius server-timeout, 21-75
radius service profile, 21-76
radius source-port, 21-77
radius strip-domain, 21-79
radius timeout, 21-80
range, 5-59
rate, 16-63
EDRR and PWFQ policies, 17-64
rate-adjust dhcp pwfq, 5-61
rate-calculation, 16-66
rate circuit, 18-110
rate-factor, 17-66
rate-limit dhcp, 5-63
rate percentage, 16-67
rbak-term-ec, 21-81
reachable-time, 3-16
redirect destination circuit, 14-25
redirect destination local, 9-13
redirect destination next-hop, 14-26
registration max-lifetime, 7-37
HA, 8-19
replay-tolerance, 8-20
resequence ip access-list, 12-60
resequence policy access-list, 12-61
reserved, 17-68
revocation, 7-38
HA, 8-21
router ancp, 6-22
router mobile-ip, 7-40
HA, 8-23
router nd, 3-18
S
send-lifetime, 24-11
server-group, 5-65
service-policy, 15-9
session-action, 20-86
shutdown, 8-24
FA configuration, 7-41
HA peer configuration, 7-41
Mobile IP interface configuration, 7-41
slowsync, 4-9
spi, 24-13
standby, 5-66
subnet, 5-67
sustained-creation-rate, 19-14
system-id, 6-23
T
tacacs+ deadtime, 22-5
tacacs+ identifier, 22-7
tacacs+ max-retries, 22-8
tacacs+ server, 22-10
tacacs+ strip-domain, 22-12
tacacs+ timeout, 22-13
tcp-port local, 6-24
tcp-port remote, 6-25
time-out, 7-43
timeout, 13-35
transport gre, 23-15
transport udp, 23-16
tunnel-type, 8-25
type, 17-70, 23-18
U
url, 9-15
user-class-id, 5-71
V
valid-lifetime, 3-19
vendor-class, 5-73
vendor-class-id, 5-75
violate drop, 16-69
violate mark dscp, 16-71
violate mark precedence, 16-74
violate mark priority, 16-76
violate no-action, 16-79
vpn-context, 7-44
W
weight, 17-72
Index of Command Modes
A
access control list configuration mode
condition, 12-25
deny, 12-27
description, 12-37
permit, 12-48
ACL condition configuration mode
absolute, 12-16
periodic, 12-46
administrator configuration mode
command-access, 23-8
ANCP configuration mode
keepalive, 6-17
neighbor profile, 6-19
system-id, 6-23
tcp-port local, 6-24
ANCP neighbor configuration mode
access-line rate, 6-14
interface, 6-16
peer id, 6-20
peer ip-address, 6-21
tcp-port remote, 6-25
ATM DS-3 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
ATM OC configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
ATM profile configuration mode
clpbit propagate qos from atm, 18-34
clpbit propagate qos to atm, 18-36
radius attribute nas-port-type, 21-61
ATM PVC configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
ATMWFQ policy configuration mode
num-queues, 17-26
queue 0 mode, 17-43
queue congestion epd, 17-44
queue-map, 17-50
queue weight, 17-62
C
card configuration mode
rate-limit dhcp, 5-63
circuit configuration mode
flow apply admission-control profile, 19-10
class definition configuration mode
qos class, 16-54
class map configuration mode
atm to qos, 18-28
atm use-ethernet, 18-30
atm use-ip, 18-32
ethernet to qos, 18-39
ethernet use-ip, 18-41
ip to qos, 18-43
mapping-schema, 16-40
mpls to qos, 18-45
mpls use-ethernet, 18-47
mpls use-ip, 18-49
qos class-map, 18-39
qos to atm, 18-98
qos to ethernet, 18-100
qos to ip, 18-102
qos to mpls, 18-104
qos use-ip, 18-106
CLIPS PVC configuration mode
rate circuit, 18-110
congestion map configuration mode
queue depth, 17-46
queue exponential-weight, 17-48
queue red, 17-57
context configuration mode
aaa accounting administrator, 20-20
aaa accounting commands, 20-22
aaa accounting event, 20-24
aaa accounting l2tp, 20-26
aaa accounting reauthorization subscriber, 20-29
aaa accounting subscriber, 20-31
aaa accounting suppress-acct-on-fail, 20-34
aaa authentication administrator, 20-36
aaa authentication subscriber, 20-40
aaa authorization commands, 20-43
aaa authorization tunnel, 20-45
aaa double-authentication subscriber radius, 20-46
aaa encrypted-password default, 20-48
aaa hint ip-address, 20-66
aaa maximum subscriber, 20-71
aaa password, 20-73
aaa provision binding-order, 20-75
aaa provision route, 20-77
aaa rate-report-factor, 20-78
aaa reauthorization bulk, 20-80
aaa update subscriber, 20-82
admin-access-group, 12-21
arp rate, 2-6
dhcp relay option, 5-34
dhcp relay server, 5-36
dhcp relay server retries, 5-38
dhcp relay suppress-nak, 5-39
dhcp server policy, 5-42
encrypt, 9-7
http-redirect profile, 9-9
ip access-list, 12-40
ip arp, 2-7
ip arp maximum incomplete-entries, 2-11
ip domain-lookup, 11-5
ip domain-name, 11-6
ip host, 11-7
ip name-servers, 11-8
ip nat pool, 13-26
ipv6 host, 11-9
ipv6 name-servers, 11-10
key-chain description, 24-7
key-chain key-id, 24-8
nat policy, 13-31
policy access-list, 12-58
radius accounting algorithm, 21-28
radius accounting deadtime, 21-29
radius accounting max-outstanding, 21-31
radius accounting max-retries, 21-32
radius accounting send-acct-on-off, 21-33
radius accounting server, 21-35
radius accounting server-timeout, 21-37
radius accounting timeout, 21-38
radius algorithm, 21-39
radius attribute acct-delay-time, 21-40
radius attribute acct-session-id, 21-42
radius attribute acct-tunnel-connection, 21-44
radius attribute calling-station-id, 21-46
radius attribute filter-id, 21-50
radius attribute nas-identifier, 21-52
radius attribute nas-ip-address, 21-53
radius attribute nas-port, 21-54
radius attribute nas-port-id, 21-58
radius attribute nas-port-type, 21-61
radius attribute vendor-specific, 21-63
radius coa server, 21-64
radius deadtime, 21-67
radius max-outstanding, 21-69
radius max-retries, 21-70
radius policy, 21-71
radius server, 21-73
radius server-timeout, 21-75
radius service profile, 21-76
radius strip-domain, 21-79
radius timeout, 21-80
resequence ip access-list, 12-60
resequence policy access-list, 12-61
router ancp, 6-22
router mobile-ip, 7-40, 8-23
router nd, 3-18
subnet, 5-67
tacacs+deadtime, 22-5
tacacs+identifier, 22-7
tacacs+max-retries, 22-8
tacacs+server, 22-10
tacacs+strip-domain, 22-12
tacacs+timeout, 22-13
D
DHCP giaddr configuration mode
user-class-id, 5-71
vendor-class-id, 5-75
DHCP relay server configuration mode
broadcast-discover, 5-26
forward-all, 5-43
max-hops, 5-47
min-wait, 5-49
server-group, 5-65
standby, 5-66
DHCP server configuration mode
allow-duplicate-mac, 5-22
bootp-enable-auto, 5-23
bootp-filename, 5-24
boot-siaddr, 5-25
default-lease-time, 5-27
max-lease-time, 5-48
offer-lease-time, 5-50
option, 5-51
threshold, 5-69
vendor-class, 5-73
DHCP subnet configuration mode
mac-address, 5-46
max-lease-time, 5-48
offer-lease-time, 5-50
option, 5-51
option-82, 5-57
range, 5-59
dot1q profile configuration mode
propagate qos from ethernet, 18-51
propagate qos to ethernet, 18-61
propagate qos transport use-vlan-header, 18-67
radius attribute nas-port-type, 21-61
dot1q PVC configuration mode
access-line access-node-id, 6-12
access-line agent-circuit-id, 6-10
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy protocol-rate-limit, 18-87
qos policy queuing, 18-89
qos priority, 18-92
qos profile overhead, 18-94
qos rate, 18-96
qos weight, 18-108
rate circuit, 18-110
DS-0 group configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
DS-1 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
DS-3 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
dynamic tunnel profile configuration mode
clear-df (dynamic tunnel), 7-23
gre mtu, 7-30
hold-time, 7-31
ipip mtu, 7-34
time-out, 7-43
E
E1 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
E3 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
EDRR policy configuration mode
num-queues, 17-26
queue depth, 17-46
queue-map, 17-50
queue red, 17-57
queue weight, 17-62
exec mode
flow enable, 19-11
modify ip access-list, 12-42
modify policy access-list, 12-44
F
FA configuration mode
advertise tunnel-type, 7-19
authentication, 7-20
care-of-address, 7-22
forwarding scheme, 7-28
forwarding traffic, 7-29
home-agent-peer, 7-32
llc-xid-processing, 7-35
revocation, 7-38
shutdown, 7-41
FA peer configuration mode
authentication, 8-10
shutdown, 8-24
flow configuration mode
burst-creation-rate, 19-8
flow monitor circuit, 19-12
max-flows-per-circuit, 19-13
sustained-creation-rate, 19-14
forward policy configuration mode
access-group, 12-18
drop, 14-14
mirror destination, 14-23
redirect destination circuit, 14-25
redirect destination local, 9-13
redirect destination next-hop, 14-26
Frame Relay PVC configuration mode
forward output, 14-16
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
G
global configuration mode
aaa global accounting event, 20-49
aaa global accounting l2tp-session, 20-51
aaa global accounting reauthorization subscriber, 20-53
aaa global accounting subscriber, 20-55
aaa global authentication subscriber, 20-57
aaa global maximum subscriber, 20-59
aaa global reject empty-username, 20-61
aaa global update subscriber, 20-64
aaa last-resort, 20-69
aaa username-format, 20-84
flow admission-control profile, 19-9
forward policy, 14-18
http-redirect server, 9-11
li-profile, 23-13
ntp mode, 4-4
ntp peer, 4-5
ntp server, 4-7
qos class-definition, 16-56
qos class-map, 16-57
qos congestion-avoidance-map, 17-28
qos policy atmwfq, 17-31
qos policy edrr, 17-33
qos policy mdrr, 17-35
qos policy metering, 16-59
qos policy policing, 16-61
qos policy pq, 17-37
qos policy protocol-rate-limit, 18-87
qos policy pwfq, 17-39
qos profile overhead, 17-40
qos queue-map, 17-41
radius attribute acct-terminate-cause remap, 21-43
radius policy, 21-71
radius source-port, 21-77
service-policy, 15-7, 15-9
GRE tunnel configuration mode
forward output, 14-16
H
HA configuration mode
advertise, 8-25
authentication, 8-10
foreign-agent-peer, 8-15
local-address, 8-17
registration max-lifetime, 8-19
replay-tolerance, 8-20
revocation, 8-21
shutdown, 8-24
HA peer configuration mode
authentication, 7-20
max-pending-registrations, 7-36
shutdown, 7-41
vpn-context, 7-44
hierarchical node configuration mode
qos hierarchical mode strict, 18-71
qos policy queuing, 18-89
qos rate, 18-96
qos weight, 18-108
hierarchical node group configuration mode
qos hierarchical mode strict, 18-71
qos node, 18-75
qos rate, 18-96
qos weight, 18-108
HTTP redirect profile configuration mode
url, 9-15
HTTP redirect server configuration mode
port, 9-12
I
interface configuration mode
dhcp proxy, 5-30
dhcp relay, 5-32
dhcp server, 5-40
ip access-group, 12-38
ip arp arpa, 2-9
ip arp delete-expired, 2-10
ip arp proxy-arp, 2-12
ip arp secured-arp, 2-14
ip arp timeout, 2-16
ip nat, 13-25
propagate qos to ip, 18-62
shutdown, 7-41
K
key chain configuration mode
accept-lifetime, 24-5
key-string, 24-10
send-lifetime, 24-11
spi, 24-13
L
L2TP peer configuration mode
propagate qos from l2tp, 18-55
propagate qos from subscriber, 18-59
propagate qos to l2tp, 18-63
link group configuration mode
qos mode, 18-39, 18-41, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy protocol-rate-limit, 18-87
qos policy queuing, 18-89
qos priority, 18-92
link-group configuration mode
rate circuit, 18-110
link PVC configuration mode
qos policy protocol-rate-limit, 18-87
LI profile configuration mode
pending, 23-14
transport gre, 23-15
transport udp, 23-16
type, 23-18
M
MDRR configuration mode
qos mode, 17-30
metering policy configuration mode
class-group, 16-17
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
rate, 16-63
rate-calculation, 16-66
Mobile IP configuration mode
dynamic-tunnel-profile, 7-24, 8-12
foreign-agent, 7-27
home-agent, 8-16
interface, 7-33
Mobile IP interface configuration mode
advertise max-interval, 7-16
advertise max-lifetime, 7-17
advertise min-interval, 7-18
registration max-lifetime, 7-37
MPLS router configuration mode
egress prefer dscp-qos, 18-38
propagate qos from mpls, 18-57
propagate qos to mpls, 18-65
propagate qos use-vlan-ethertype, 18-68
propagate qos use-vlan-header, 18-70
N
NAT policy configuration mode
access-group, 12-18
admission-control, 13-16
connections, 13-18
destination, 13-20
drop, 13-22
ignore, 13-23
ip dmz, 13-24
ip static in, 13-27
ip static out, 13-29
pool, 13-34
timeout, 13-35
NAT policy group class configuration mode
destination, 13-20
NAT pool configuration mode
address, 13-14
ND router configuration mode
interface, 3-5
ns-retry-interval, 3-8
preferred-lifetime, 3-10
ra, 3-14
reachable-time, 3-16
valid-lifetime, 3-19
ND router interface configuration mode
neighbor, 3-7
ns-retry-interval, 3-8
preferred-lifetime, 3-10
prefix, 3-12
ra, 3-14
reachable-time, 3-16
valid-lifetime, 3-19
NTP configuration mode
slowsync, 4-9
num-queues configuration mode
queue priority, 17-51
O
overhead profile configuration mode
encaps-factor-default, 17-23
rate-factor, 17-66
reserved, 17-68
type, 17-70
overhead type configuration mode
rate-factor, 17-66
reserved, 17-68
P
policing policy configuration mode
class-group, 16-17
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
rate, 16-63
rate-calculation, 16-66
policy class rate configuration mode
conform mark dscp, 16-19
conform mark precedence, 16-22
conform mark priority, 16-24
conform no-action, 16-27
exceed drop, 16-28
exceed mark dscp, 16-30
exceed mark precedence, 16-33
exceed mark priority, 16-35
exceed no-action, 16-38
violate drop, 16-69
violate mark dscp, 16-71
violate mark precedence, 16-74
violate mark priority, 16-76
violate no-action, 16-79
policy group class configuration mode
admission-control, 13-16
drop
  forward policies, 14-14
  NAT policies, 13-22
ignore, 13-23
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
mirror destination, 14-23
parent-class, 16-52
pool, 13-34
rate, 16-63
rate percentage, 16-67
redirect destination circuit, 14-25
redirect destination local, 9-13
redirect destination next-hop, 14-26
timeout, 13-35
policy group configuration mode
class, 12-23
policy rate configuration mode
conform mark dscp, 16-19
conform mark precedence, 16-22
conform mark priority, 16-24
conform no-action, 16-27
exceed drop, 16-28
exceed mark dscp, 16-30
exceed mark precedence, 16-33
exceed mark priority, 16-35
exceed no-action, 16-38
violate drop, 16-69
violate mark dscp, 16-71
violate mark precedence, 16-74
violate mark priority, 16-76
violate no-action, 16-79
port configuration mode
forward output, 14-16
forward policy in, 14-19
forward policy out, 14-21
qos hierarchical mode strict, 18-71
qos mode, 18-73
qos node-group, 18-77
qos policy metering, 18-79
qos policy policing, 18-83
qos policy protocol-rate-limit, 18-87
qos policy queuing, 18-89
qos priority, 18-92
qos profile overhead, 18-94
qos rate, 18-96
radius attribute nas-port-type, 21-61
rate circuit, 18-110
PQ policy configuration mode
num-queues, 17-26
queue depth, 17-46
queue-map, 17-50
queue rate, 17-56
queue red, 17-57
PWFQ policy configuration mode
congestion-map, 17-22
num-queues, 17-26
queue-map, 17-50
queue priority, 17-51
queue priority-group, 17-54
weight, 17-72
Q
QoS metering policy configuration mode
access-group, 12-18
QoS policing policy configuration mode
access-group, 12-18
queue map configuration mode
num-queues, 17-26
R
RADIUS policy configuration mode
attribute, 21-18
S
service policy configuration mode
allow, 15-5
attribute, 21-18
service profile configuration mode
accounting, 21-16
foreach, 21-23
parameter, 21-25
software license configuration mode
lawful-intercept, 23-12
subscriber configuration mode
access-line adjust, 6-9
access-list, 12-20
dhcp max-addrs, 5-28
dns, 11-4
forward policy in, 14-19
forward policy out, 14-21
http-redirect profile, 9-9
ip access-group, 12-38
ip interface, 5-44
ip subscriber arp, 2-17
nat policy-name, 13-33
propagate qos from ip, 18-53
propagate qos to ip, 18-62
qos node-reference, 18-78
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
rate-adjust dhcp pwfq, 5-61
session-action, 20-86
subscriber configuration mode
qos policy protocol-rate-limit, 18-87
sustained-creation-rate, 19-14
T
terminate error cause configuration mode
rbak-term-ec, 21-81