OS Address Resolution Protocol (ARP) features.
For information about the tasks and commands used to monitor, troubleshoot, and administer ARP features,
see the ARP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The SmartEdge OS supports RFC 826, An Ethernet Address Resolution Protocol, also titled Converting
Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware. In
addition, the SmartEdge OS supports the following features:
A configurable ARP entry age timer
The option to enable automatic deletion of dynamic ARP entries (as opposed to automatic refresh of the
ARP table)
The static IP ARP entry mapping of a unicast IP address to a multicast medium access control (MAC)
address
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Configuration Tasks
2-2 IP Services and Security Configuration Guide
To configure ARP, perform the tasks described in the following sections:
Enable ARP
Enable Secured ARP (Optional)
Enable Proxy ARP (Optional)
Configure Static Entries in the ARP Table (Optional)
Configure the Automatic Deletion of ARP Entries (Optional)
Set a Maximum Number of Incomplete ARP Entries (Optional)
Configure ARP Policy to Prevent DoS Attacks
Enable ARP
To enable ARP, perform the task described in Table 2-1.
Enable Secured ARP (Optional)
To enable secured ARP, perform the task described in Table 2-2. Secured ARP and proxy ARP are mutually
exclusive on an interface; enabling one disables the other.
Enable Proxy ARP (Optional)
To enable proxy ARP, perform the task described in Table 2-3. Secured ARP and proxy ARP are mutually
exclusive on an interface; enabling one disables the other.
Table 2-1 Enable ARP
Task | Root Command | Notes
Enable ARP. | ip arp arpa | Enter this command in interface configuration mode. By default, ARP is already enabled. Use the no form of this command to disable ARP.
Table 2-2 Enable Secured ARP (Optional)
Task | Root Command | Notes
Enable secured ARP. | ip arp secured-arp | Enter this command in interface configuration mode. ARP must be enabled before you can enable secured ARP.
Table 2-3 Enable Proxy ARP (Optional)
Task | Root Command | Notes
Enable proxy ARP. | ip arp proxy-arp | Enter this command in interface configuration mode. ARP must be enabled before you can enable proxy ARP.
Configure Static Entries in the ARP Table (Optional)
To configure static entries in the ARP table, perform the appropriate task described in Table 2-4. If you use
both commands to specify the same IP address and MAC address, the most recently updated command
takes precedence.
Configure the Automatic Deletion of ARP Entries (Optional)
To configure the automatic deletion of ARP table entries, perform the tasks described in Table 2-5; enter
all commands in interface configuration mode.
Set a Maximum Number of Incomplete ARP Entries (Optional)
When requesting the MAC address that corresponds to a particular IP address for a subscriber circuit, the
SmartEdge OS creates an incomplete entry in the ARP table and sends an ARP request packet. On reply,
the entry is updated and completed. By default, the maximum number of incomplete entries that are
allowed in the ARP table is 4,294,967,295.
To set a maximum allowable number of incomplete entries, perform the task described in Table 2-6.
Configure ARP Policy to Prevent DoS Attacks
To configure a subscriber circuit or port to rate-limit incoming ARP packets and so prevent ARP denial of
service (DoS) attacks, perform the tasks described in Table 2-7.
Table 2-4 Configure Static Entries in the ARP Table (Optional)
Task | Root Command | Notes
Configure an entry in the ARP table for a subscriber whose host cannot (or is not configured to) respond to ARP requests. | ip subscriber arp | Enter this command in subscriber configuration mode.
Configure an entry in the ARP table. | ip arp | Enter this command in context configuration mode.
Table 2-5 Configure the Automatic Deletion of ARP Entries
Task | Root Command | Notes
Configure the automatic deletion of ARP entries. | ip arp delete-expired | Enter this command in interface configuration mode.
Modify the length of time entries remain in the ARP table before being automatically deleted. | ip arp timeout | Optional. When you enable the ip arp delete-expired command, entries are deleted after 60 minutes by default.
Table 2-6 Set a Maximum Number of Incomplete ARP Entries (Optional)
Task | Root Command | Notes
Set a maximum allowable number of incomplete ARP entries. | ip arp maximum incomplete-entries | Enter this command in context configuration mode.
Configuration Examples
The following example enables secured ARP on the interface, intf-1:
[local]Redback(config-ctx)#interface intf-1
[local]Redback(config-if)#ip arp secured-arp
The following example creates a static entry in the ARP table for IP address, 31.22.213.124, and
associates the IP address with the MAC address, 43:32:23:32:12:82. It then enables automatic deletion of
expired dynamic entries on the intf-2 interface with a timeout of 4 minutes (240 seconds), so any dynamic
ARP entry associated with intf-2 is deleted from the ARP table 240 seconds after it was learned:
[local]Redback(config-ctx)#ip arp 31.22.213.124 43:32:23:32:12:82
[local]Redback(config-ctx)#interface intf-2
[local]Redback(config-if)#ip arp delete-expired
[local]Redback(config-if)#ip arp timeout 240
Table 2-7 Configure a Subscriber Circuit or Circuits or Port to Prevent DoS ARP Attacks
# | Task | Root Command | Notes
1. | Enter protocol policy configuration mode. | qos policy (protocol-rate-limit) | Global configuration mode.
2. | Create a rate limit and burst threshold on incoming ARP packets. | arp rate | Protocol policy configuration mode.
3. | To configure a port for prevention of DoS ARP attacks, enter port configuration mode. | port | Global configuration mode.
   | Apply the ARP policy to the port. | qos policy (protocol-rate-limit) | Port configuration mode.
4. | To configure a subscriber circuit or circuits for prevention of DoS ARP attacks, enter the configuration mode for the default subscriber profile, a named subscriber profile, or an individual subscriber record. | subscriber | Context configuration mode. See the Basic System Configuration Guide for information on this command.
   | Apply the ARP policy to the subscriber profile or individual subscriber record. | qos policy (protocol-rate-limit) | Subscriber configuration mode.
5. | To configure an 802.1Q PVC for prevention of DoS ARP attacks, enter dot1q PVC configuration mode. | port, encapsulation, dot1q pvc | Enter the encapsulation command with the dot1q keyword.
   | Apply the ARP policy to the 802.1Q PVC. | qos policy (protocol-rate-limit) | Dot1q PVC configuration mode.
6. | To configure an access link group or an aggregated 802.1Q pseudocircuit in an access link group for prevention of DoS ARP attacks, enter access link group configuration mode or link PVC configuration mode within the link group. | link-group, encapsulation, dot1q pvc | Enter the link-group command with the access keyword. Enter the encapsulation command with the dot1q keyword.
   | Apply the ARP policy to the access link group or aggregated 802.1Q pseudocircuit. | qos policy (protocol-rate-limit) | Access link-group configuration mode or aggregated link PVC configuration mode.
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ARP features.
The commands are presented in alphabetical order:
arp rate
ip arp
ip arp arpa
ip arp delete-expired
ip arp maximum incomplete-entries
ip arp proxy-arp
ip arp secured-arp
ip arp timeout
ip subscriber arp
arp rate
arp rate pps burst packets
Purpose
Creates a rate limit and burst threshold on incoming ARP packets.
Command Mode
protocol policy
Syntax Description
pps Rate in packets per second. The range of values is 1 to 2,500,000.
burst packets Burst tolerance in packets. The range of values is 1 to 25,000,000.
Default
No ARP rate limit.
Usage Guidelines
The arp rate command creates a rate limit and burst threshold on incoming ARP packets for the ports or
circuits to which the protocol-rate-limit policy is applied.
Examples
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
Ethernet port 5/1:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#port ether 5/1
[local]Redback(config-port)#qos policy protocol-rate-limit ARPDOS
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
default subscriber circuits:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#subscriber default
[local]Redback(config-sub)#qos policy protocol-rate-limit ARPDOS
Related Commands
None
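The following is an added example and not SmartEdge OS code: a Python token-bucket model of a protocol-rate-limit policy with the two arguments of the arp rate command, run against constructed traffic in which one subscriber circuit floods ARP requests at 10,000 packets per second while another sends five requests at 500 packets per second. The token-bucket algorithm, the circuit names, and the traffic are assumptions for the model; the page specifies only the rate and burst arguments and the scopes (port, subscriber, PVC, link group) at which the policy is applied. The comparison shows why the scope matters: applied to the port, one shared allowance lets the flooding circuit starve the well-behaved one; applied per subscriber circuit, each circuit has its own allowance.

```python
"""Token-bucket model of an `arp rate <pps> burst <packets>` protocol-rate-limit policy.

Added example, not SmartEdge OS code. The page specifies only the two parameters;
the token-bucket algorithm is an assumption about how such a limiter behaves.
Timestamps are integer microseconds and tokens are integers scaled by SCALE, so
the arithmetic is exact.
"""
from collections import defaultdict

SCALE = 1_000_000  # one whole token = SCALE units; elapsed_us * pps is already in these units


class ArpRateLimit:
    """Bucket of `burst` tokens refilled at `pps` tokens per second; one token per ARP packet."""

    def __init__(self, pps, burst):
        # Argument ranges as documented for the arp rate command.
        if not 1 <= pps <= 2_500_000:
            raise ValueError("pps must be 1..2,500,000")
        if not 1 <= burst <= 25_000_000:
            raise ValueError("burst must be 1..25,000,000")
        self.pps = pps
        self.capacity = burst * SCALE
        self.tokens = self.capacity  # an idle policy starts with its full burst allowance
        self.last_us = 0

    def admit(self, ts_us):
        """Return True if an ARP packet arriving at ts_us is forwarded, False if it is dropped."""
        elapsed = ts_us - self.last_us
        if elapsed < 0:
            raise ValueError("packets must be presented in arrival order")
        self.last_us = ts_us
        self.tokens = min(self.capacity, self.tokens + elapsed * self.pps)
        if self.tokens >= SCALE:
            self.tokens -= SCALE
            return True
        return False


# Constructed traffic: (arrival time in microseconds, source circuit).
# "attacker" sends 100 ARP requests at 10,000 pps; "victim" sends 5 at 500 pps.
SAMPLE_PACKETS = sorted(
    [(100 * k, "attacker") for k in range(100)]
    + [(1050 + 2000 * k, "victim") for k in range(5)]
)


def simulate(packets, pps, burst, per_circuit):
    """Count admitted packets per circuit.

    per_circuit=False models the policy applied to the port (one shared bucket);
    per_circuit=True models it applied to each subscriber circuit (one bucket each).
    """
    shared = ArpRateLimit(pps, burst)
    buckets = defaultdict(lambda: ArpRateLimit(pps, burst))
    admitted = {circuit: 0 for _, circuit in packets}
    for ts_us, circuit in packets:
        limiter = buckets[circuit] if per_circuit else shared
        if limiter.admit(ts_us):
            admitted[circuit] += 1
    return admitted


if __name__ == "__main__":
    # A small policy (1,000 pps, burst 10) keeps the numbers readable; the page's
    # example uses arp rate 5000 burst 100000.
    print("port scope:      ", simulate(SAMPLE_PACKETS, 1000, 10, per_circuit=False))
    print("subscriber scope:", simulate(SAMPLE_PACKETS, 1000, 10, per_circuit=True))
```

With a policy of 1,000 pps and a burst of 10, the shared (port) bucket admits 19 of the attacker's 100 packets and none of the victim's 5, because the attacker drains every token as soon as it is refilled; per-circuit buckets admit the same 19 attacker packets and all 5 of the victim's.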
ip arp
ip arp ip-addr mac-addr [alias]
no ip arp ip-addr mac-addr [alias]
Purpose
Associates an IP address with a medium access control (MAC) address and creates a corresponding entry
in the Address Resolution Protocol (ARP) table.
Command Mode
context configuration
Syntax Description
ip-addr Host IP address in the form A.B.C.D.
mac-addr MAC address of the host in the form hh:hh:hh:hh:hh:hh.
alias Optional. Configures the system to respond to ARP requests for the IP address.
Default
No entry is created in the ARP table.
Usage Guidelines
Use the ip arp command to associate an IP address with a MAC address and create a corresponding entry
in the ARP table.
Note If you enter both this command and the ip subscriber arp command (in subscriber
configuration mode) and specify the same IP address and MAC address, the most recently
updated command takes precedence. Only the circuit and interface are updated in the ARP
table.
Use the no form of this command to remove an entry from the configuration and from the ARP table.
Examples
The following example associates IP address, 31.22.213.124, with the MAC address,
00:30:23:32:12:82, and creates a corresponding entry in the ARP table:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip arp 31.22.213.124 00:30:23:32:12:82
Related Commands
ip subscriber arp
ip arp arpa
ip arp arpa
{no | default} ip arp arpa
Purpose
Enables the standard Address Resolution Protocol (ARP) on this interface.
Command Mode
interface configuration
Syntax Description
This command has no keywords or arguments.
Default
Standard ARP is enabled.
Usage Guidelines
Use the ip arp arpa command to enable standard ARP on this interface.
Use the no form of this command to disable standard ARP on this interface.
Use the default form of this command to enable standard ARP on this interface.
Examples
The following example disables standard ARP on the toToronto interface at IP address, 10.20.1.1:
[local]Redback(config-ctx)#interface toToronto
[local]Redback(config-if)#ip address 10.20.1.1 255.255.255.0
[local]Redback(config-if)#no ip arp arpa
Related Commands
ip arp
ip arp delete-expired
ip arp delete-expired
{no | default} ip arp delete-expired
Purpose
Enables the automatic deletion of expired dynamic Address Resolution Protocol (ARP) entries associated
with this interface from the ARP table.
Command Mode
interface configuration
Syntax Description
This command has no keywords or arguments.
Default
Automatic deletion is disabled.
Usage Guidelines
Use the ip arp delete-expired command to enable the automatic deletion of expired dynamic ARP entries
associated with this interface from the ARP table. Entries are deleted after they have been in the ARP table
for the amount of time specified by the ip arp timeout command (in interface configuration mode). If the
ip arp timeout command is not configured, the default value of 3,600 seconds (60 minutes) is used.
If you do not enable automatic deletion of expired dynamic ARP entries, expired entries are treated
differently depending on the value of the seconds argument in the ip arp timeout command. If the value of
the seconds argument is greater than 70, the system sends an ARP request to refresh the expired entry; the
entry is kept if a reply is received and removed from the cache if no reply is received. If the value of the
seconds argument is less than 70, expired entries are removed from the cache without a refresh attempt.
Use the no or default form of this command to disable the automatic deletion of expired entries.
Examples
The following example configures the system to automatically delete expired dynamic ARP entries on the
toBoston interface at IP address, 10.30.2.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface toBoston
[local]Redback(config-if)#ip address 10.30.2.1 255.255.255.0
[local]Redback(config-if)#ip arp delete-expired
Related Commands
ip arp maximum incomplete-entries
ip arp timeout
ip arp maximum incomplete-entries
ip arp maximum incomplete-entries num-entries
{no | default} ip arp maximum incomplete-entries
Purpose
Sets a maximum allowable number of incomplete entries for subscriber circuits that can exist in the
Address Resolution Protocol (ARP) table for the context.
Command Mode
context configuration
Syntax Description
num-entries Maximum number of incomplete entries in the ARP table. The range of
values is 1 to 4,294,967,295; the default value is 4,294,967,295.
Default
The maximum number of incomplete entries for subscriber circuits in the ARP table is 4,294,967,295.
Usage Guidelines
Use the ip arp maximum incomplete-entries command to set a maximum allowable number of
incomplete entries for subscriber circuits that can exist in the ARP table for the context.
When requesting the medium access control (MAC) address that corresponds to a particular IP address, the
SmartEdge OS creates an incomplete entry in the ARP table and sends an ARP request packet. On reply,
the entry is updated and completed. Capping the number of incomplete entries bounds the ARP table
state that unanswered requests, for example from traffic aimed at unused addresses, can consume.
Use the no or default form of this command to return to the default setting of a maximum of 4,294,967,295
incomplete entries for subscriber circuits in the ARP table.
Examples
The following example limits the number of incomplete entries in the ARP table to 250 for the local
context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip arp maximum incomplete-entries 250
Related Commands
ip arp delete-expired
ip arp timeout
ip arp proxy-arp
ip arp proxy-arp [always]
{no | default} ip arp proxy-arp
Purpose
Enables the proxy Address Resolution Protocol (ARP) on this interface.
Command Mode
interface configuration
Syntax Description
always Optional. Indicates that proxy ARP must be functional for multiple hosts on the same
circuit.
Default
Proxy ARP is disabled.
Usage Guidelines
Use the ip arp proxy-arp command to enable proxy ARP on this interface. When enabled, the SmartEdge
router acts as an ARP proxy for hosts that are not on the same interface as the ARP request sender.
Note You must enable standard ARP on this interface before you can enable proxy ARP; by default,
standard ARP is enabled.
Proxy ARP and secured ARP are mutually exclusive services for an interface; enabling either service for
an interface automatically disables the other service for that interface.
Use the always keyword to enable proxy ARP for multiple hosts that reside on the same circuit; if not
specified, this capability is limited to hosts on individual circuits.
Note To disable only the support for multiple hosts on the same circuit, you must first disable proxy
ARP, and then enable it without the always keyword.
Use the no or default form of this command to disable proxy ARP on this interface.
Examples
The following example enables proxy ARP on the fromBoston interface at IP address, 10.2.3.4, for
all hosts on the circuit:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface fromBoston
[local]Redback(config-if)#ip address 10.2.3.4 255.255.255.0
[local]Redback(config-if)#ip arp proxy-arp always
Related Commands
ip arp arpa
ip arp secured-arp
ip arp secured-arp [always]
{no | default} ip arp secured-arp
Purpose
Enables the secured Address Resolution Protocol (ARP) on a specified interface.
Command Mode
interface configuration
Syntax Description
always Optional. Indicates that secured ARP must be functional for multiple hosts on the same
circuit.
Default
Secured ARP is disabled.
Usage Guidelines
Use the ip arp secured-arp command to enable secured ARP on a specified interface.
Note You must enable standard ARP on this interface before you can enable secured ARP; by
default, standard ARP is enabled.
Secured ARP and proxy ARP are mutually exclusive services for an interface; enabling either service for
an interface automatically disables the other service for the same interface.
Use the always keyword to enable secured ARP for multiple hosts that reside on the same circuit; if not
specified, this capability is limited to hosts on individual circuits.
Note To disable only the support for multiple hosts on the same circuit, you must first disable
secured ARP, and then enable it without the always keyword.
When secured ARP is enabled, ARP requests received on an interface are not answered unless the request
arrives on the circuit known to contain the requesting host. ARP requests are sent by the interface only
on the circuit known to contain the target host, and are not flooded to all circuits bound to the interface.
This ties the IP address an ARP sender claims to the circuit that host is known to occupy, so a host on one
circuit cannot obtain ARP replies from the interface by claiming an address that belongs to a host on
another circuit.
Use the no or default form of this command to disable secured ARP on this interface.
Examples
The following example enables secured ARP on the interface, sec-arp, at IP address, 10.1.1.1, for all
hosts on the circuit:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface sec-arp
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0
[local]Redback(config-if)#ip arp secured-arp always
Related Commands
ip arp arpa
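The following is an added example, not SmartEdge OS code: a Python model of the two secured ARP rules described above (answer a request only if it arrives on the circuit known to contain the requesting host; send the interface's own requests only on the circuit known to contain the target), compared with standard ARP on the same interface. The circuit names, host addresses and requests are constructed; on the router the circuit-to-host knowledge comes from the subscriber circuits bound to the interface, and the always keyword is what permits more than one host per circuit.

```python
"""Model of secured ARP versus standard ARP on an interface with several circuits.

Added example, not SmartEdge OS code. Implements the two rules the page gives for
`ip arp secured-arp`: answer a request only if it arrives on the circuit known to
contain the requesting host, and send the interface's own requests only on the
circuit known to contain the target instead of flooding every circuit. The
circuit-to-host bindings and the requests below are constructed for the example.
"""


class ArpInterface:
    def __init__(self, address, bindings, secured):
        self.address = address    # the interface's own IP address
        self.bindings = bindings  # circuit name -> set of host IPs known to be on that circuit
        self.secured = secured    # True: ip arp secured-arp; False: standard ARP

    def circuit_of(self, ip):
        """Circuit known to contain `ip`, or None if the host is unknown."""
        for circuit, hosts in self.bindings.items():
            if ip in hosts:
                return circuit
        return None

    def handle_request(self, circuit, sender_ip, target_ip):
        """Decide what to do with an ARP request received on `circuit`: 'reply' or 'ignore'."""
        if target_ip != self.address:
            return "ignore"  # not for this interface (this model does not enable proxy ARP)
        if self.secured and self.circuit_of(sender_ip) != circuit:
            # sender claims an address that lives on another circuit, or is unknown
            return "ignore"
        return "reply"

    def originate_request(self, target_ip):
        """Circuits on which the interface sends its own ARP request for `target_ip`."""
        if not self.secured:
            return sorted(self.bindings)      # standard ARP floods every bound circuit
        circuit = self.circuit_of(target_ip)
        return [circuit] if circuit else []   # secured ARP: only the circuit known to hold the target


# Constructed bindings: three circuits bound to one interface, two with a known host.
BINDINGS = {
    "circuit-1": {"10.1.1.10"},
    "circuit-2": {"10.1.1.20"},
    "circuit-3": set(),
}

# Constructed requests: (receiving circuit, claimed sender IP, target IP).
REQUESTS = [
    ("circuit-1", "10.1.1.10", "10.1.1.1"),   # legitimate host asking for the router
    ("circuit-2", "10.1.1.10", "10.1.1.1"),   # host on circuit-2 claiming circuit-1's address
    ("circuit-3", "10.1.1.99", "10.1.1.1"),   # unknown host on a circuit with no known hosts
    ("circuit-1", "10.1.1.10", "10.1.1.20"),  # asking for another host, not the router
]


def compare(requests=REQUESTS, bindings=BINDINGS, address="10.1.1.1"):
    """Return {(circuit, sender, target): (standard ARP decision, secured ARP decision)}."""
    standard = ArpInterface(address, bindings, secured=False)
    secured = ArpInterface(address, bindings, secured=True)
    return {req: (standard.handle_request(*req), secured.handle_request(*req))
            for req in requests}


if __name__ == "__main__":
    for req, (std, sec) in compare().items():
        print(f"{req}: standard={std} secured={sec}")
    std = ArpInterface("10.1.1.1", BINDINGS, secured=False)
    sec = ArpInterface("10.1.1.1", BINDINGS, secured=True)
    print("request for 10.1.1.20 sent on", std.originate_request("10.1.1.20"),
          "(standard) vs", sec.originate_request("10.1.1.20"), "(secured)")
```

Standard ARP answers all three requests for the interface's address, including the one from circuit-2 that claims circuit-1's host address; secured ARP answers only the request that arrives on the circuit the sender is known to occupy, and sends its own request for 10.1.1.20 on circuit-2 alone rather than on all three circuits.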
ip arp timeout
ip arp timeout seconds
{no | default} ip arp timeout
Purpose
Configures how long Address Resolution Protocol (ARP) entries remain in the ARP table before automatic
deletion (if configured).
Command Mode
interface configuration
Syntax Description
seconds Number of seconds after which an ARP entry is deleted from the ARP table.
The range of values is 0 to 4,294,967; the default value is 3,600.
Default
ARP entries remain in the table for 3,600 seconds (one hour).
Usage Guidelines
Use the ip arp timeout command to specify how long ARP entries remain in the ARP table.
If you do not use the ip arp delete-expired command (in interface configuration mode) to enable the
automatic deletion of expired dynamic ARP entries, expired entries are treated differently depending on the
value of the seconds argument in the ip arp timeout command. If the value of the seconds argument is
greater than 70, the system sends an ARP request to refresh the expired entry; the entry is kept if a reply is
received and removed from the cache if no reply is received. If the value of the seconds argument is less
than 70, expired entries are removed from the cache without a refresh attempt.
Use the no or default form of this command to restore the timeout setting to its default value of 3,600
seconds.
Examples
The following example sets the ARP timeout value for the toToronto interface at IP address,
10.30.2.1, to two hours (7200 seconds):
[local]Redback(config-ctx)#interface toToronto
[local]Redback(config-if)#ip address 10.30.2.1 255.255.255.0
[local]Redback(config-if)#ip arp timeout 7200
Related Commands
ip arp arpa
ip arp delete-expired
ip arp proxy-arp
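The ageing behaviour described for ip arp delete-expired and ip arp timeout, together with the incomplete-entry cap of ip arp maximum incomplete-entries, as an added example in Python (not SmartEdge OS code). Time is an integer number of seconds supplied by the caller and the responders set is a constructed stand-in for the hosts that would answer a refresh request; the scenario values (timeouts of 240 and 60 seconds, a cap of 2, the host and MAC addresses) are assumptions chosen to exercise each rule. The page does not say how incomplete entries age or what happens at a timeout of exactly 70 seconds, so the model leaves those cases untouched.

```python
"""Model of the SmartEdge ARP table ageing rules for ip arp timeout,
ip arp delete-expired and ip arp maximum incomplete-entries.

Added example, not SmartEdge OS code. `now` values are integer seconds chosen by
the caller; `responders` is a constructed stand-in for hosts that would answer a
refresh request. Incomplete entries and a timeout of exactly 70 s are left alone
because the page does not define their behaviour.
"""

DEFAULT_TIMEOUT = 3600            # seconds (ip arp timeout default)
REFRESH_THRESHOLD = 70            # above it expired entries are refreshed, below it removed
UNLIMITED_INCOMPLETE = 4_294_967_295


class ArpTable:
    def __init__(self, timeout=DEFAULT_TIMEOUT, delete_expired=False,
                 max_incomplete=UNLIMITED_INCOMPLETE):
        self.timeout = timeout
        self.delete_expired = delete_expired
        self.max_incomplete = max_incomplete
        self.entries = {}         # ip -> (mac or None while incomplete, time installed/refreshed)
        self.requests_sent = []   # (time, ip) for every ARP request the model sends

    def incomplete_count(self):
        return sum(1 for mac, _ in self.entries.values() if mac is None)

    def resolve(self, ip, now):
        """Begin resolving `ip`: install an incomplete entry and send a request.
        Returns False, sending nothing, when the incomplete-entry cap is reached."""
        if ip in self.entries:
            return True
        if self.incomplete_count() >= self.max_incomplete:
            return False
        self.entries[ip] = (None, now)
        self.requests_sent.append((now, ip))
        return True

    def reply(self, ip, mac, now):
        """An ARP reply completes an incomplete entry or refreshes a complete one."""
        if ip in self.entries:
            self.entries[ip] = (mac, now)

    def age(self, now, responders):
        """Apply the expiry rules to complete entries older than `timeout`; return removed IPs."""
        removed = []
        for ip, (mac, since) in list(self.entries.items()):
            if mac is None or now - since < self.timeout:
                continue                                   # incomplete, or not yet expired
            if self.delete_expired or self.timeout < REFRESH_THRESHOLD:
                del self.entries[ip]                       # deleted outright, no refresh attempt
                removed.append(ip)
            elif self.timeout > REFRESH_THRESHOLD:
                self.requests_sent.append((now, ip))       # refresh request
                if ip in responders:
                    self.entries[ip] = (mac, now)          # reply received: entry retained
                else:
                    del self.entries[ip]                   # no reply: entry removed
                    removed.append(ip)
        return removed


def run_scenarios():
    """Drive the model through the configurations discussed on the page."""
    host, mac = "10.30.2.7", "00:30:23:32:12:82"
    out = {}

    # ip arp delete-expired with ip arp timeout 240: deleted at expiry even if the host would answer.
    t = ArpTable(timeout=240, delete_expired=True)
    t.resolve(host, 0)
    t.reply(host, mac, 1)
    out["delete_expired_removed"] = t.age(241, responders={host})
    out["delete_expired_requests"] = len(t.requests_sent)

    # No delete-expired, timeout 240 (> 70): refreshed while the host answers, removed once it stops.
    t = ArpTable(timeout=240)
    t.resolve(host, 0)
    t.reply(host, mac, 1)
    out["refresh_first_age"] = t.age(241, responders={host})
    out["refresh_still_present"] = host in t.entries
    out["refresh_second_age"] = t.age(482, responders=set())
    out["refresh_requests"] = len(t.requests_sent)

    # No delete-expired, timeout 60 (< 70): removed at expiry without a refresh request.
    t = ArpTable(timeout=60)
    t.resolve(host, 0)
    t.reply(host, mac, 1)
    out["short_timeout_removed"] = t.age(61, responders={host})
    out["short_timeout_requests"] = len(t.requests_sent)

    # ip arp maximum incomplete-entries 2: a third unanswered request is refused until one completes.
    t = ArpTable(max_incomplete=2)
    out["cap_admits"] = [t.resolve(f"10.1.1.{i}", 0) for i in (1, 2, 3)]
    t.reply("10.1.1.1", "d3:9f:23:46:77:13", 5)
    out["cap_after_reply"] = t.resolve("10.1.1.3", 6)
    out["cap_incomplete"] = t.incomplete_count()
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The refresh scenario is the one worth noting operationally: with delete-expired off and a timeout above 70 seconds, a reachable host's entry never leaves the table, it is simply re-requested every timeout period, whereas with delete-expired on the entry is removed at expiry regardless of whether the host would still answer.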
ip subscriber arp
ip subscriber arp ip-addr mac-addr
no ip subscriber arp ip-addr
Purpose
Creates an entry in the Address Resolution Protocol (ARP) cache for a subscriber whose host cannot (or is
not configured to) respond to ARP requests.
Command Mode
subscriber configuration
Syntax Description
ip-addr IP address of the subscriber's host.
mac-addr Medium access control (MAC) address of the subscriber's host.
Default
None
Usage Guidelines
Use the ip subscriber arp command to create an entry in the ARP cache for a subscriber whose host cannot
(or is not configured to) respond to ARP requests.
Note This command is available only if you are configuring a named subscriber record and is only
relevant for circuits with RFC 1483 bridged-encapsulation.
Note If you enter both the ip subscriber arp and the ip arp commands (in subscriber and context
configuration modes, respectively), and specify the same IP address and MAC address, the
most recently updated command takes precedence. Only the circuit and interface are updated
in the ARP table.
Use the no form of this command to remove the specified entry.
Examples
The following example configures an ARP cache entry for a host with IP address, 10.1.1.1, and
hardware address, d3:9f:23:46:77:13, for the NoGrokARPs subscriber. The entry is installed into the
ARP cache of the appropriate interface when the circuit is brought up:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name NoGrokARPs
[local]Redback(config-sub)#ip address 10.1.1.1
[local]Redback(config-sub)#ip subscriber arp 10.1.1.1 d3:9f:23:46:77:13
Related Commands
ip arp
Chapter 3
ND Configuration
The SmartEdge routers use the Neighbor Discovery (ND) protocol for IP Version 6 (IPv6) to determine
the link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values
that become invalid. This chapter describes the tasks and commands used to configure the ND protocol
through the SmartEdge OS.
For information about the tasks and commands used to monitor, troubleshoot, and administer the ND
protocol, see the ND Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The IPv6 ND protocol for the SmartEdge OS corresponds to a combination of the IPv4 Address Resolution
Protocol (ARP) and Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP). The
ND protocol is described in RFC 2461, Neighbor Discovery for IP Version 6 (IPv6).
Note When IPv6 addresses are not referenced or explicitly specified, the term, IP address, can refer
generally to IP Version 4 (IPv4) addresses, IPv6 addresses, or IP addressing. In instances
where IPv6 addresses are referenced or explicitly specified, the term, IP address, refers only
to IPv4 addresses. For a description of IPv6 addressing and the types of IPv6 addresses, see
RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture.
The ND protocol provides many improvements over the IPv4 set of protocols, some of which are included
here:
Router advertisement messages carry link-layer addresses; no additional packet exchange is needed to
resolve the router's link-layer address.
Router advertisement messages carry prefixes for a link; there is no need to have a separate mechanism
to configure the netmask.
Router advertisement messages enable address autoconfiguration.
Routers can advertise a maximum transmission unit (MTU) for use on the link, ensuring that all nodes
use the same MTU value on links that lack a well-defined MTU.
Address resolution multicasts are spread over 4 billion (2^32) multicast addresses, greatly reducing
address resolution related interrupts on nodes other than the target node. Moreover, non-IPv6 machines
should not be interrupted at all.
Multiple prefixes can be associated with the same link. Routers can be configured to omit some or all
prefixes from Router Advertisement messages. In such cases, hosts assume that destinations are off-link
and send traffic to routers.
Neighbor Unreachability Detection is part of the base protocol, significantly improving the robustness
of packet delivery in the presence of failing routers, partially failing or partitioned links, and nodes that
change their link-layer addresses.
Unlike ARP, ND detects half-link failures (using Neighbor Unreachability Detection) and avoids
sending traffic to neighbors with which two-way connectivity is absent.
Unlike in IPv4 Router Discovery, the Router Advertisement messages do not contain a preference field.
The preference field is not needed to handle routers of different stability; Neighbor Unreachability
Detection detects a dead router and switches to a working one.
Requiring the hop limit to be equal to 255 makes ND immune to off-link senders that accidentally or
intentionally send ND messages: a packet that has crossed a router arrives with a hop limit below 255
and is discarded. In IPv4, off-link senders can send Router Advertisement messages.
Placing address resolution at the ICMP layer makes the ND protocol more media-independent than
ARP and makes it possible to use standard IP authentication and security mechanisms as appropriate.
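The hop-limit rule in the list above, as an added example (not SmartEdge OS code): a Python receiver-side check of ND messages that builds a constructed Router Advertisement and rejects it when the IPv6 Hop Limit is below 255, when the ICMPv6 code or checksum is wrong, or when the source address of a Router Advertisement is not link-local. These are the receiver validation rules of RFC 2461 (since superseded by RFC 4861); the addresses, lifetimes and other field values are constructed for the example and the RA carries no options.

```python
"""Receive-side validation of Neighbor Discovery messages, including the Hop Limit 255 rule.

Added example, not SmartEdge OS code. Builds a minimal IPv6 + ICMPv6 Router
Advertisement (constructed, no options) and checks it the way RFC 2461/4861 require
a receiver to: IPv6 Hop Limit 255, ICMP code 0, valid ICMPv6 checksum and, for a
Router Advertisement, a link-local source. A message relayed through a router
arrives with a Hop Limit below 255 and is rejected.
"""
import struct
from ipaddress import IPv6Address

ICMPV6 = 58
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}


def icmpv6_checksum(src, dst, icmp):
    """Upper-layer checksum over the IPv6 pseudo-header (src, dst, length, zeros, next header) + message."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src, dst, hop_limit):
    """Constructed IPv6 packet carrying a Router Advertisement with the given IPv6 Hop Limit."""
    src_b, dst_b = IPv6Address(src).packed, IPv6Address(dst).packed
    # type 134, code 0, checksum placeholder, Cur Hop Limit 64, flags 0,
    # Router Lifetime 1800 s, Reachable Time 0, Retrans Timer 0 (all constructed values)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src_b, dst_b, icmp)) + icmp[4:]
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit) + src_b + dst_b
    return ipv6 + icmp


def validate_nd(packet):
    """Return (True, message name) for an acceptable ND message, else (False, reason)."""
    if len(packet) < 44:
        return False, "truncated"
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        return False, "not IPv6"
    if next_header != ICMPV6:
        return False, "not ICMPv6"
    src, dst, icmp = packet[8:24], packet[24:40], packet[40:]
    if len(icmp) != payload_len:
        return False, "payload length mismatch"
    msg_type, code, checksum = struct.unpack("!BBH", icmp[:4])
    if msg_type not in ND_TYPES:
        return False, "not an ND message"
    if hop_limit != 255:
        # crossed a router, or crafted with a low hop limit: an off-link sender either way
        return False, f"hop limit {hop_limit} != 255"
    if code != 0:
        return False, "ICMP code must be 0"
    if icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) != checksum:
        return False, "bad checksum"
    if msg_type == 134 and not IPv6Address(src).is_link_local:
        return False, "RA source is not link-local"
    return True, ND_TYPES[msg_type]


if __name__ == "__main__":
    for label, pkt in [
        ("on-link RA", build_ra("fe80::1", "ff02::1", 255)),
        ("relayed RA", build_ra("fe80::1", "ff02::1", 64)),
        ("global-source RA", build_ra("2001:db8::1", "ff02::1", 255)),
    ]:
        print(label, validate_nd(pkt))
```

Only the first constructed packet passes; the second fails the hop-limit check that the list item describes, and the third is rejected because a Router Advertisement must come from a link-local address.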
Configuration Tasks
To configure an ND router, perform the tasks described in Table 3-1; enter all commands in ND router
configuration mode, unless otherwise noted. For more information about the context, interface, and ipv6
address commands (in global, context, and interface configuration modes, respectively), see the Context
Configuration and Interface Configuration chapters in the Basic System Configuration Guide for the
SmartEdge OS.
To configure an interface for an ND router, perform the tasks described in Table 3-2; enter all commands
in ND router interface configuration mode, unless otherwise noted.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 3-1 Configure an ND Router
# | Task | Root Command | Notes
1. | Create or select the context for the ND router. | context | Enter this command in global configuration mode.
2. | Create the interface for the ND router. | interface | Enter this command in context configuration mode.
3. | Specify an IPv6 address for the interface. | ipv6 address | Enter this command in interface configuration mode.
4. | Create the ND router and access ND router configuration mode. | router nd | Enter this command in context configuration mode.
5. | Optional. Configure global settings for the ND router using one or more of the following tasks, in any order: | |
   | Specify the value for the Retrans Timer field. | ns-retry-interval |
   | Specify the value for the Preferred Lifetime field. | preferred-lifetime |
   | Configure RA messages. | ra | You can enter this command multiple times to configure different parameters.
   | Specify the value for the Reachable Time field. | reachable-time |
   | Specify the value for the Valid Lifetime field. | valid-lifetime |
Table 3-2 Configure an ND Router Interface
# | Task | Root Command | Notes
1. | Select the context for the ND router. | context | Enter this command in global configuration mode.
2. | Select the ND router and access ND router configuration mode. | router nd | Enter this command in context configuration mode.
3. | Select an existing interface and access ND router interface configuration mode. | interface | Enter this command in ND router configuration mode.
4. | Optional. Configure the settings for this interface using one or more of the following tasks, in any order: | | Unspecified settings default to the ND router global settings.
   | Specify the value for the Retrans Timer field. | ns-retry-interval |
   | Specify the value for the Preferred Lifetime field. | preferred-lifetime |
   | Configure RA messages. | ra | You can enter this command multiple times to configure different parameters.
   | Specify the value for the Reachable Time field. | reachable-time |
   | Specify the value for the Valid Lifetime field. | valid-lifetime |
5. | Specify a static neighbor for this interface. | neighbor | You can enter this command multiple times.
6. | Configure a prefix to be advertised for this interface. | prefix | You can enter this command multiple times.
Configuration Examples
The following example configures an ND router in the local context and the int1 interface for the ND
router:
! Create or select the context
[local]Redback(config)#context local
! Create the interface with an IPv6 address
[local]Redback(config-ctx)#interface int1
[local]Redback(config-if)#ipv6 address 2005::1/64
[local]Redback(config-if)#exit
! Create the ND router; specify global parameters for all ND interfaces in this context
! The global settings override the default settings
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ns-retry-interval 100
[local]Redback(config-nd)#preferred-lifetime 43200
[local]Redback(config-nd)#ra interval 60
[local]Redback(config-nd)#ra lifetime 360
[local]Redback(config-nd)#reachable-time 1800
[local]Redback(config-nd)#valid-lifetime 43200
! Select an interface
[local]Redback(config-nd)#interface int1
! Specify interface-specific parameters; the interface settings override the global settings
[local]Redback(config-nd-if)#ns-retry-interval 20
[local]Redback(config-nd-if)#preferred-lifetime 2880
[local]Redback(config-nd-if)#ra suppress
[local]Redback(config-nd-if)#valid-lifetime 2880
! Specify one or more static neighbors for this interface
[local]Redback(config-nd-if)#neighbor 2006::1/64 00:30:88:00:0a:30
! Specify one or more prefixes and their parameters; the prefix settings override the interface settings
[local]Redback(config-nd-if)#prefix 2006::1/64 no-autoconfig no-onlink preferred-lifetime 360 valid-lifetime 360
[local]Redback(config-nd-if)#prefix 2007::/112
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure the ND
protocol. The commands are presented in alphabetical order:
interface
neighbor
ns-retry-interval
preferred-lifetime
prefix
ra
reachable-time
router nd
valid-lifetime
interface
interface if-name [disable-on-address-collision]
no interface if-name
Purpose
Selects the interface to be configured for the Neighbor Discovery (ND) protocol and accesses ND router
interface configuration mode.
Command Mode
ND router configuration
Syntax Description
if-name Name of the ND router interface.
disable-on-address-collision Optional. Shuts down the interface if an IP address collision occurs.
The default is not to shut down the interface.
Default
None
Usage Guidelines
Use the interface command to select the interface to be configured for the ND router protocol and access
ND router interface configuration mode.
You must have already created the interface with the interface command (in context configuration mode).
You must also have assigned an IPv6 address to it with the ipv6 address command (in interface
configuration mode). Both commands are described in the Interface Configuration chapter in the Basic
System Configuration Guide for the SmartEdge OS.
The interface inherits the default ND parameters and any global ND parameters that you have configured
for the ND router. To configure an ND parameter specific to this interface, enter the appropriate command
in ND router interface configuration mode.
Use the disable-on-address-collision keyword to shut down the interface if an IP address collision occurs.
The system brings the interface up again once the collision is no longer detected.
Use the no form of this command to delete the ND router configuration for the specified interface.
Examples
The following example selects the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#
Related Commands
neighbor
preferred-lifetime
prefix
ra
reachable-time
router nd
valid-lifetime
neighbor
neighbor ipv6-addr mac-addr
no neighbor ipv6-addr mac-addr
Purpose
Specifies a static neighbor for this Neighbor Discovery (ND) router interface.
Command Mode
ND router interface configuration
Syntax Description
ipv6-addr IPv6 address for this neighbor in the format A:B:C:D:E:F:G:H.
mac-addr Medium access control (MAC) address for this neighbor.
Default
No static neighbors are specified for any interface.
Usage Guidelines
Use the neighbor command to specify a static neighbor for this ND router interface. Enter this command
multiple times to configure more than one neighbor.
Use the no form of this command to delete the neighbor from the configuration for this ND router interface.
Examples
The following example specifies a neighbor with IPv6 address 2006::1/112 and MAC address
00:30:88:00:0a:30 for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#neighbor 2006::1/112 00:30:88:00:0a:30
Related Commands
prefix
ra
reachable-time
ns-retry-interval
ns-retry-interval retrans-timer
{no | default} ns-retry-interval
Purpose
Specifies the value for the Retrans Timer field.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
retrans-timer Value for the Retrans Timer field (in milliseconds). The range of values is
0 to 4,294,967,295; the default value is 0.
Default
The Retrans Timer field is 0 (unspecified).
Usage Guidelines
Use the ns-retry-interval command to specify the value for the Retrans Timer field. In ND router
configuration mode, this command specifies the global value for all interfaces; in ND router interface
mode, it specifies the value for this Neighbor Discovery (ND) router interface. If specified, the setting for
the interface overrides the global setting.
Use the no or default form of this command to specify the default value for the Retrans Timer field.
Examples
The following example specifies 100 milliseconds for the Retrans Timer field for the ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ns-retry-interval 100
The following example specifies 20 milliseconds for the Retrans Timer field for the ND router interface,
int1, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#ns-retry-interval 20
Related Commands
None
preferred-lifetime
preferred-lifetime preferred-lifetime
{no | default} preferred-lifetime
Purpose
Specifies the value for the Preferred Lifetime field.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
preferred-lifetime Value for the Preferred Lifetime field (in seconds). The range of values is 0 to
4,294,967,295; the default value is 604,800 seconds (7 days).
Default
The preferred lifetime is seven days.
Usage Guidelines
Use the preferred-lifetime command to specify the value for the Preferred Lifetime field. In ND router
configuration mode, this command specifies the global value for all interfaces; in ND router interface
mode, it specifies the value for this Neighbor Discovery (ND) router interface. If specified, the setting for
the interface overrides the global setting.
Use the no or default form of this command to specify the default value.
Examples
The following example specifies a preferred lifetime of 43200 seconds (12 hours) for all interfaces for this
ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#preferred-lifetime 43200
The following example specifies a preferred lifetime of 2880 seconds (48 minutes) for the int1 ND router
interface, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#preferred-lifetime 2880
Related Commands
prefix
valid-lifetime
prefix
prefix ipv6-prefix/length [no-autoconfig] [no-onlink] [preferred-lifetime preferred-lifetime]
[valid-lifetime valid-lifetime]
{no | default} prefix ipv6-prefix/length
Purpose
Configures a prefix to be advertised for this Neighbor Discovery (ND) router interface.
Command Mode
ND router interface configuration
Syntax Description
ipv6-prefix Prefix for the IPv6 address for this ND router interface in the format A:B:C:D:E:F:G:H.
length Number of prefix bits. The range of values is 0 to 128.
no-autoconfig Optional. Sets the autonomous address configuration flag to not use this prefix for
automatic configuration; this is the default.
no-onlink Optional. Sets the on-link flag to not use this prefix for on-link determination; this is the
default.
preferred-lifetime preferred-lifetime Optional. Preferred lifetime for this prefix (in seconds). The range
of values is 0 to 4,294,967,295; the default value is 604,800 seconds (7 days).
valid-lifetime valid-lifetime Optional. Valid lifetime for this prefix (in seconds). The range of values is
0 to 4,294,967,295; the default value is 2,592,000 seconds (30 days).
Default
No prefix is configured for any ND router interface.
Usage Guidelines
Use the prefix command to configure a prefix to be advertised for this ND router interface. Enter this
command multiple times to configure more than one prefix.
Use the optional keywords and constructs to define the fields in the Prefix Information option for this
prefix:
no-autoconfig: Sets the autonomous address configuration flag in the Prefix Information option to
FALSE.
no-onlink: Sets the on-link flag to FALSE.
preferred-lifetime: Specifies the value for the Preferred Lifetime field.
valid-lifetime: Specifies the value for the Valid Lifetime field.
The values for the preferred-lifetime preferred-lifetime and valid-lifetime valid-lifetime constructs
override the values for the interface that you specified with the preferred-lifetime and valid-lifetime
commands (in ND router interface configuration mode).
Use the no or default form of this command to delete the specified prefix from this interface configuration.
Examples
The following example configures the 5555:bbbb::22/64 prefix for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#prefix 5555:bbbb::22/64 no-autoconfig no-onlink preferred-lifetime 360 valid-lifetime 360
Related Commands
preferred-lifetime
ra
valid-lifetime
ra
When entered in ND router configuration mode, the syntax is:
ra {interval ra-interval | lifetime ra-lifetime | managed-config | other-config | suppress}
{no | default}ra {interval | lifetime | managed-config | other-config | suppress}
When entered in ND router interface configuration mode, the syntax is:
ra {enable | interval ra-interval | lifetime ra-lifetime | managed-config | other-config | suppress}
{no | default}ra {enable | interval | lifetime | managed-config | other-config | suppress}
Purpose
Configures options and settings for router advertisement (RA) messages.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
enable Enables the sending of RA messages for this Neighbor Discovery (ND) router interface. This
keyword is not available in ND router configuration mode.
interval ra-interval Optional. RA interval between transmissions (in seconds). The range of values is
5 to 600; the default value is 200 seconds.
lifetime ra-lifetime Optional. RA lifetime (in seconds). The range of values is 30 to 36,000; the default
value is 1,800 seconds.
managed-config Optional. Sets the managed-address configuration flag in RA messages to TRUE; the
default value is not set (FALSE).
other-config Optional. Sets the other-stateful configuration flag in RA messages to TRUE; the default
value is not set (FALSE).
suppress Optional. Specifies that RA messages be suppressed; the default is not suppressed.
Default
RA messages are not configured for any ND router or ND router interface.
Usage Guidelines
Use the ra command to configure options and settings for RA messages. In ND router configuration mode,
this command configures RA for all interfaces; in ND router interface mode, it configures RA for this ND
router interface. If specified, the interface parameters override the global parameters. Enter this command
multiple times to configure more than one parameter.
Use the no or default form of this command to remove RA messages from the configuration for this ND
router or ND router interface.
Examples
The following example configures RA for this ND router with a transmission interval of 60 seconds and
a lifetime of six minutes (360 seconds):
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ra interval 60
[local]Redback(config-nd)#ra lifetime 360
The following example suppresses RA for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#ra suppress
Related Commands
prefix
reachable-time
reachable-time
reachable-time duration
{no | default} reachable-time
Purpose
Specifies the value for the Reachable Time field in Router Advertisement (RA) messages.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
duration Value for the Reachable Time field (in milliseconds). The range of values is 0 to
3,600,000; the default value is 0 (unspecified).
Default
The duration is unspecified in any RA messages.
Usage Guidelines
Use the reachable-time command to specify the value for the Reachable Time field in RA messages. This
value is the time for which this Neighbor Discovery (ND) router or ND router interface assumes that a
neighbor is reachable. In ND router configuration mode, this command specifies the global value for all
interfaces; in ND router interface mode, it specifies the value for this ND router interface. If specified, the
parameters for an interface override the global parameters.
Use the no or default form of this command to specify the default duration.
Examples
The following example specifies a reachable time of 1800 milliseconds for all interfaces for the ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#reachable-time 1800
The following example specifies a reachable time of 3600 milliseconds for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#reachable-time 3600
Related Commands
neighbor
ra
router nd
router nd
no router nd
Purpose
Creates or selects a Neighbor Discovery (ND) router and accesses ND router configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
No ND router is created.
Usage Guidelines
Use the router nd command to create or select an ND router and access ND router configuration mode.
You can create a single ND router in each context.
Use the no form of this command to remove the ND router from the configuration; the no form also
removes the ND-specific configuration from any interfaces in this context.
Examples
The following example creates an ND router in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
Related Commands
interface
valid-lifetime
valid-lifetime lifetime
{no | default} valid-lifetime
Purpose
Specifies the value for the Valid Lifetime field in the Prefix Information option.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
lifetime Value for the Valid Lifetime field (in seconds). The range of values is 0 to
4,294,967,295; the default value is 2,592,000 seconds (30 days).
Default
The valid lifetime is 30 days.
Usage Guidelines
Use the valid-lifetime command to specify the value for the Valid Lifetime field in the Prefix Information
option. In ND router configuration mode, this command specifies the global value for all interfaces; in ND
router interface mode, it specifies the value for this ND router interface. If specified, the setting for the
interface overrides the global setting.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies a valid lifetime of 43200 seconds (12 hours) for all interfaces for this ND
router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#valid-lifetime 43200
The following example specifies a valid lifetime of 2880 seconds (48 minutes) for the int1 ND router
interface, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#valid-lifetime 2880
Related Commands
preferred-lifetime
prefix
NTP Configuration 4-1
Chapter 4
NTP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Dynamic Host
Configuration Protocol (DHCP) features.
For information about the commands used to monitor, troubleshoot, and administer DHCP features, see the
DHCP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
DHCP dynamically configures IP address information for subscriber hosts. The SmartEdge OS provides
three types of DHCP support:
DHCP relay server
The SmartEdge router acts as an intermediary between an external DHCP server and the subscriber
(client). The router forwards requests from the subscriber to the DHCP server and relays the server's
responses back to the subscriber.
DHCP proxy server
The SmartEdge router provides responses directly to subscriber requests. Each subscriber sees the
router as the DHCP server, and as such, sends all DHCP negotiations, including IP address release and
renewal, to the router, which then relays the information to the external DHCP server. The proxy feature
enables the router to maintain IP address lease timers.
DHCP internal
The SmartEdge router provides the functions of the DHCP server; no communications are sent to an
external DHCP server.
DHCP is described in the following RFCs:
RFC 2131, Dynamic Host Configuration Protocol
RFC 2132, DHCP Options and BOOTP Vendor Extensions
RFC 3004, The User Class Option for DHCP
For more information about RADIUS, see Chapter 21, RADIUS Configuration. For information about
Redback
OS Mobile IP (wireless)
services for foreign agent (FA) instances on the SmartEdge router and their home-agent (HA) peers.
For information about the tasks and commands used to monitor, administer, and troubleshoot Mobile IP
services, see the Mobile IP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdgeOS.
You configure IP-in-IP tunnels and, optionally, Generic Routing Encapsulation (GRE) tunnels on the
SmartEdge router to support the connections from FA instances to their HA peers. For information about
configuring the IP-in-IP and GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdgeOS.
For information about configuring Ethernet, Fast Ethernet-Gigabit Ethernet, and Gigabit Ethernet ports and
circuits to support mobile subscribers, see the ATM, Ethernet, and POS Port Configuration and Circuit
Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdgeOS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note The terms FA instance and HA instance refer to the FAs and HAs, respectively, that you
configure on the SmartEdge router.
The terms FA peers and HA peers refer to FAs and HAs that exist on other equipment in the
network.
The term Mobile IP binding refers to the association between a mobile node (MN) and its HA
instance on the SmartEdge router. The term visitor or visiting MN refers to the association
between an MN and an FA instance when that MN is communicating with its HA through the
FA instance on the SmartEdge router.
FA and HA tunnels can carry both Mobile IP services traffic and non-Mobile IP traffic.
Overview
This section includes the following topics:
Mobile IP Components
Traffic Flow
Deployment Scenarios
Restrictions
Supported Standards
Mobile IP Components
Mobile IP allows MNs to retain their IP addresses when they roam across multiple networks. Doing so
enables MNs to maintain their existing IP sessions.
Mobile IP consists of the following components:
Mobile Nodes
Home Agent Peer
Foreign Agent Instance
Registration
Mobile Nodes
The MN is an IP device, for example, a laptop computer or personal digital assistant (PDA), whose point
of attachment (POA) to the Internet can change frequently. The MN maintains its connections using its
home IP address.
Home Agent Peer
The HA peer, a router on the MN's home network, is the anchor component in a Mobile IP network that
provides seamless mobility to the MN. When an MN is attached to its home network, it does not use Mobile
IP services because it communicates directly using normal IP routing. When an MN is roaming and is not
connected to its home network, its HA peer does the following:
Tracks the MN's current POA to the Internet.
Tunnels datagrams destined for the MN to its current POA.
Authenticates the MN (usually with the user ID and password) and verifies that Mobile IP services
should be provided. It optionally assigns the MN a home address (HoA) on its home network. When
the MN roams outside its home network, it retains its home address so that it does not lose existing IP
sessions.
Mobile IP Foreign Agent Configuration 7-3
Foreign Agent Instance
MNs listen for FA instance advertisements to determine whether they are attached to a home or a foreign
network. An FA instance is a router on a foreign network that provides routing services to visiting MNs.
When the MN visits a foreign network with which its HA peer has service agreements and is authenticated
by its HA peer, the MN can obtain Mobile IP services while visiting this network. During the visit, the MN
listens for Internet Control Message Protocol (ICMP) Router Advertisements (RAs) from an FA instance.
The RAs allow the MN to learn which FA instances are available and what Mobile IP services they provide.
The FA instance does the following:
Allows the MN to maintain its existing sessions when it visits the foreign network.
Terminates the tunnels from the HA peers of visiting MNs.
Decapsulates packets destined for the MN and delivers them locally.
Reverse-tunnels traffic from the MN to other Internet nodes. This is often required to satisfy ingress
filtering (as described in RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks)
and to facilitate accurate billing and accounting.
If the MN does not hear RAs from any FAs, the MN sends an ICMP Router Solicitation requesting that any
FA instances on the foreign network reply with an RA.
Registration
When the MN discovers a foreign agent (FA) instance with which its HA peer has a service agreement, it
sends a Mobile IP registration request to the FA instance. The FA instance validates the request and
forwards it to the corresponding HA peer. The registration request does the following:
Requests Mobile IP services for the MN from the FA instance when it is visiting one of its foreign
networks. For successful registrations, the FA instance maintains the state of the visitor, such as the
lifetime of the registration.
Informs the HA peer of the MN's current POA to the Internet. This is normally the FA instance's
care-of address (CoA), which is also the termination point of the tunnel between the HA peer and FA
instance.
For new registrations, the HA peer creates a binding that maintains the MN's location and other related
information, such as the lifetime of the registration. For existing registrations, the HA peer and FA
instance renew the registration lifetime in their respective binding and visitor entries.
Optionally, deregisters the MN when it returns to its home network or no longer requires Mobile IP
services.
The MN registration request includes the FA instance's CoA and the IP address of its HA peer. It may
include the MN's assigned home address (HoA) and the MN's user identity as described in RFC 2794,
Mobile IP Network Access Identifier Extension for IPv4.
The MN sends the registration request to the HA peer so that the HA peer knows where the MN is located.
When the MN is successfully authenticated, the HA peer sends a Mobile IP registration reply to the FA
instance and the FA instance, in turn, forwards it to the MN.
The HA peer and FA instance also set up forwarding so that all packets destined for the MN's home address
are forwarded to the MN through the tunnel between the HA peer and the FA instance. The FA instance sets
up forwarding so that packets from the MN are reverse tunneled back over the same tunnel to the HA
peer. Packets originating from an MN are always reverse tunneled.
The MN uses its HoA as the source of all packets it sends, whether it is attached to its home network or
visits a foreign network through an FA instance. MN authentication is always performed on the HA peer.
The SmartEdge router HA peer uses the MN's user identifier (included in the registration request) to
authenticate Mobile IP services using AAA protocols with a RADIUS server.
Optionally, the MN can acquire a collocated care-of address (CCoA) on the foreign network and use
Mobile IP services with no, or only minimal, interaction with the FA instance. The SmartEdge router does
not support this mode of operation.
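A minimal model of the registration exchange described above, added here as an example and not part of the guide or the SmartEdge OS: the MN builds an RFC 3344 Registration Request carrying the RFC 2794 NAI extension and an MN-HA authentication extension, the FA validates the request before forwarding it, and the HA identifies the MN by NAI, verifies the authenticator and replies with the granted lifetime. Addresses, the NAI and the key are constructed; having the FA reject requests without the T bit (denial code 75 from RFC 3024) is an assumption drawn from the statement that MN traffic is always reverse tunneled.

```python
"""Added example (not from the SmartEdge OS guide): a three-party model of the
Mobile IPv4 registration exchange. Message layouts follow RFC 3344 (request/reply,
MN-HA authentication extension) and RFC 2794 (MN-NAI extension); the FA policy of
requiring the T bit is an assumption. Addresses, NAI and key are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Optional, Tuple

REG_REQUEST, REG_REPLY = 1, 3
EXT_MN_HA_AUTH, EXT_MN_NAI = 32, 131         # RFC 3344 3.5.2, RFC 2794
FLAG_T = 0x02                                 # T bit: reverse tunnelling requested (RFC 3024)
CODE_ACCEPTED = 0
CODE_FA_LIFETIME_TOO_LONG = 69                # FA denial codes, RFC 3344 3.4
CODE_FA_POORLY_FORMED = 70
CODE_FA_REVERSE_TUNNEL_REQUIRED = 75          # RFC 3024: reverse tunnel mandatory, T bit not set
CODE_HA_MN_AUTH_FAILED = 131                  # HA denial code, RFC 3344 3.4
REQ_HDR = struct.Struct("!BBH4s4s4sQ")        # type, flags, lifetime, HoA, HA, CoA, identification
REP_HDR = struct.Struct("!BBH4s4sQ")          # type, code, lifetime, HoA, HA, identification
AUTH_EXT_LEN = 4 + 16                         # SPI + HMAC-MD5 authenticator


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _auth_ext(msg: bytes, spi: int, key: bytes) -> bytes:
    """Append the MN-HA authentication extension: HMAC-MD5 over the message, all prior
    extensions and this extension's type, length and SPI (RFC 3344 3.5.1)."""
    head = msg + struct.pack("!BBI", EXT_MN_HA_AUTH, AUTH_EXT_LEN, spi)
    return head + hmac.new(key, head, hashlib.md5).digest()


def _extensions(msg: bytes, start: int):
    """Yield (type, value, offset) for the simple TLV extensions after the fixed header."""
    off = start
    while off + 2 <= len(msg):
        etype, elen = msg[off], msg[off + 1]
        yield etype, msg[off + 2:off + 2 + elen], off
        off += 2 + elen


def mn_build_request(hoa: str, ha: str, coa: str, lifetime: int, nai: str, spi: int,
                     key: bytes, ident: int, flags: int = FLAG_T) -> bytes:
    """MN side: request with the NAI extension, then the MN-HA authenticator last."""
    msg = REQ_HDR.pack(REG_REQUEST, flags, lifetime, _ip(hoa), _ip(ha), _ip(coa), ident)
    nai_b = nai.encode()
    msg += struct.pack("!BB", EXT_MN_NAI, len(nai_b)) + nai_b
    return _auth_ext(msg, spi, key)


def fa_check(req: bytes, max_lifetime: int) -> Optional[int]:
    """FA side: validate before forwarding. None means forward; otherwise a denial code."""
    if len(req) < REQ_HDR.size or req[0] != REG_REQUEST:
        return CODE_FA_POORLY_FORMED
    _, flags, lifetime, *_ = REQ_HDR.unpack_from(req)
    if not flags & FLAG_T:                    # assumption: MN traffic is always reverse tunnelled
        return CODE_FA_REVERSE_TUNNEL_REQUIRED
    if lifetime > max_lifetime:
        return CODE_FA_LIFETIME_TOO_LONG
    return None


def ha_reply(req: bytes, keys_by_nai: Dict[str, bytes], max_lifetime: int) -> bytes:
    """HA side: look the MN up by NAI, verify the authenticator, grant or deny."""
    _, _, lifetime, hoa, ha, _, ident = REQ_HDR.unpack_from(req)
    nai, ok, spi = None, False, 0
    for etype, val, off in _extensions(req, REQ_HDR.size):
        if etype == EXT_MN_NAI:
            nai = val.decode(errors="replace")
        elif etype == EXT_MN_HA_AUTH and len(val) == AUTH_EXT_LEN:
            spi = struct.unpack("!I", val[:4])[0]
            key = keys_by_nai.get(nai or "")
            expected = hmac.new(key, req[:off + 6], hashlib.md5).digest() if key else b""
            ok = bool(key) and hmac.compare_digest(expected, val[4:])
    code = CODE_ACCEPTED if ok else CODE_HA_MN_AUTH_FAILED
    granted = min(lifetime, max_lifetime) if ok else 0   # HA may shorten the lifetime
    rep = REP_HDR.pack(REG_REPLY, code, granted, hoa, ha, ident)
    return _auth_ext(rep, spi, keys_by_nai[nai]) if ok else rep


def registration_exchange(req: bytes, fa_max_lifetime: int, ha_keys: Dict[str, bytes],
                          ha_max_lifetime: int) -> Tuple[int, int]:
    """MN -> FA -> HA -> FA -> MN; returns (reply code, granted lifetime)."""
    denial = fa_check(req, fa_max_lifetime)
    if denial is not None:
        return denial, 0                      # FA answers the MN itself with a denial
    rep = ha_reply(req, ha_keys, ha_max_lifetime)   # FA forwards unchanged, relays reply
    _, code, granted, *_ = REP_HDR.unpack_from(rep)
    return code, granted


if __name__ == "__main__":
    key = b"constructed-mn-ha-key"
    req = mn_build_request("10.1.1.5", "192.0.2.10", "198.51.100.1", 1800,
                           "user@example.net", 0x100, key, 1234)
    print(registration_exchange(req, 3600, {"user@example.net": key}, 1800))
```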
Traffic Flow
Mobile IP services enable the SmartEdge router to act as one or more FA instances. Each FA instance
communicates with HA peers that support its mobile subscribers, which are referred to as mobile nodes
(MNs). Each FA instance has a care-of address (CoA) that the system uses as the termination address for
the tunnel to an HA peer.
In a typical deployment, MNs connect wirelessly to Base Transceiver Stations (BTSs), which connect to
the SmartEdge router FA instance through Ethernet. In this topology, each MN is represented by a separate
Ethernet circuit and MNs can move between BTSs. The FA instance communicates with a SmartEdge HA
peer through a tunnel endpoint (a local address of an HA instance). The SmartEdge router routes the MN
traffic to the HA peer using an IP-in-IP tunnel or GRE tunnel. Each HA peer uses a different tunnel. Traffic
for the MNs is routed from the FA instance to the HA peer using the same tunnel.
MNs communicate with the SmartEdge router (the FA instance) over Ethernet-based circuits using a
context where you configure the FA instance. The system routes the MN traffic to each external HA peer
using an IP-in-IP tunnel or a GRE tunnel. Each HA peer uses a different tunnel. Traffic from an HA peer
is routed back to the MNs associated with that HA peer using the same tunnel.
Figure 7-1 illustrates the physical network for MNs, BTSs, HA peers, and an FA instance.
Note Because the tunnels described in this chapter each support a single tunnel circuit, the term
tunnel refers to the tunnel and its circuit. For information about configuring the IP-in-IP and
GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and
Tunnels Configuration Guide for the SmartEdge OS.
Figure 7-1 Physical Network of MNs, BTSs, HA Peers, and an FA Instance
Deployment Scenarios
The Mobile IP services implementation can use the multiple context support that the SmartEdge OS
provides. The contexts that Mobile IP services can use in different deployment scenarios include:
CoA context
The CoA interface resides in the CoA context. The CoA interface provides an endpoint for a tunnel to
a home-agent peer. The CoA context is typically the local context, but other contexts can be used as
well. Each CoA interface can be in a different CoA context independent of other CoA interfaces.
FA context
The FA context provides one or more interfaces to the MN and defines the set of HA peers for the FA
instance. Each FA instance configured on the SmartEdge router has its own FA context.
HoA VPN context
The home address (HoA) Virtual Private Network (VPN) context includes the interfaces that terminate
the tunnels to the HA peers. Each HA peer that uses private HoAs has its own context. HA peers that
use nonoverlapping HoAs can share a single context. Each HA peer that has an overlapping HoA must
have its own HoA VPN context.
These contexts allow the SmartEdge OS to support various deployment scenarios, which are described in
the following sections:
Home Agent Without Overlapping IP Addresses
Some Home Agents Use Private IP Addresses
Any Home Agent Can Use Private IP Addresses
Home Agents Can Be Grouped for Each Mobile IP Service Provider
SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers
Home Agent Without Overlapping IP Addresses
In the most basic deployment, a single FA instance provides connectivity to all MNs while interfacing with
all the HA peers. The MN HoAs do not overlap; that is, each MN has a public HoA. In this case, the
configuration is simplified to make use of a single context, the FA context.
Some Home Agents Use Private IP Addresses
A few HA peers can allocate HoAs from a private address space while providing Internet connectivity using
Network Address Translation (NAT). If so, the IP addresses of the MNs can overlap.
To configure the SmartEdge OS for this deployment, use a single context for the FA instances, HA peers,
and CoAs, but exclude the HA peers that use private IP addresses. Use a separate context for each HA peer
that uses a private address space.
Any Home Agent Can Use Private IP Addresses
Each HA peer is independent and can use private IP addresses. For this deployment scenario, each HA peer
uses a separate context. The CoA and FA contexts can be the same.
Home Agents Can Be Grouped for Each Mobile IP Service Provider
In this scenario, an FA instance provides services to multiple mobile Internet service providers (ISPs). Each
ISP owns a set of HA peers and the HoAs that belong to the same ISP do not overlap. Each ISP may use
private IP addresses.
To configure this scenario, each ISP uses a separate HA VPN context; that is, all HA peers belonging
to an ISP use the same HA VPN context. The CoA and FA contexts can be the same for each ISP.
SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers
In this scenario, the SmartEdge OS can separate the MN, FA, and HA peer networks for each mobile ISP.
Each ISP is like an enterprise VPN. The ISP contexts are as follows:
A separate FA context is used for each ISP.
The CoA context for each ISP can be the same as its FA context; this is more appropriate than using the
local context because the ISP can choose to use private IP addresses for the tunnel endpoints.
The FA context can also serve as the HA VPN context, assuming that no HoAs overlap within the same
ISP. If HoAs overlap, then a separate HA VPN context is used for each HA peer.
If the backbone links are not within a nonlocal context, then the backbone connectivity is through the local
context.
Restrictions
Mobile IP services have the following restrictions:
Mobile IP services are currently supported only for unicast traffic; broadcast and multicast traffic are not
supported.
Mobile IP services are supported only on PPA2 line cards. Do not have any PPA1-based line cards in the
chassis when enabling Mobile IP services.
Supported Standards
Mobile IP services comply with the standards found in the following documents:
RFC 2794, Mobile IP Network Access Identifier Extension for IPv4
RFC 3024, Reverse Tunneling for Mobile IP, revised
RFC 3344, IP Mobility Support for IPv4
RFC 3543, Registration Revocation in Mobile IPv4
Configuration Tasks
To configure FA instances on the SmartEdge router and their home-agent (HA) peers, use the configuration
guidelines and perform the tasks described in the following sections:
Mobile IP Configuration Guidelines
Create the Contexts and Interfaces for Mobile IP Services
Configure Key Chain Authentication Between an FA and HA
Configure an FA Instance
Configure an HA Peer
Configure a Mobile IP Interface for MN Access
Configure the MN Access to an FA Instance
Configure the Mobile IP Tunnels
Enable or Disable an FA Instance, an HA Peer, or MN Access
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Mobile IP Configuration Guidelines
The following configuration guidelines apply when configuring Mobile IP services for an FA instance:
Within a given context, the SmartEdge router can act as an FA instance.
HA peers that use public IP addresses can share an HoA VPN context.
If an HA peer uses private IP addresses, it can share an HoA VPN context with other HA peers if their
IP addresses do not overlap; otherwise, HA peers cannot share an HoA VPN context.
MNs can have overlapping IP addresses if they are registered with different HA peers.
You must configure IP-in-IP tunnels to HA peers; optionally, you can configure and use GRE tunnels
in addition to the IP-in-IP tunnels.
Configure the tunnel to an HA peer in the HoA VPN context for that peer if it exists; otherwise,
configure the tunnel in the FA context (the default for the HoA VPN context for that peer).
To prevent Mobile IP tunnels from shutting down because of circuit problems, create the interfaces for
the IP-in-IP and GRE tunnels as loopback interfaces. Loopback interfaces are always up.
When you configure the Ethernet circuits that provide access for all MNs, create a single interface in
the FA context for all the Ethernet circuits or create a separate interface in the FA context for each
802.1Q permanent virtual circuit (VLAN).
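The context-sharing rules above can be checked mechanically before an HA peer is added to the configuration. The following Python script is an added illustration, not part of the SmartEdge OS guide or its CLI; the HA peer addresses, HoA prefixes and MN bindings in it are constructed sample data, and the ha-vpnN naming follows the second configuration example later in this chapter.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data (not from the guide): each HA peer address maps to the HoA
# prefixes it serves. Peer addresses reuse the 172.16.2.x style of the guide's examples.
HA_PEERS: Dict[str, List[str]] = {
    "172.16.2.1": ["198.51.100.0/24"],   # public HoAs
    "172.16.2.2": ["203.0.113.0/24"],    # public HoAs
    "172.16.2.3": ["10.1.0.0/16"],       # private HoAs
    "172.16.2.4": ["10.1.5.0/24"],       # private HoAs, overlap peer .3
    "172.16.2.5": ["10.2.0.0/16"],       # private HoAs, no overlap
}


def _nets(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def can_share_context(prefixes_a: List[str], prefixes_b: List[str]) -> bool:
    """Two HA peers may share one HoA VPN context only if none of their HoA prefixes
    overlap. Public prefixes never collide with each other; private (RFC 1918)
    prefixes may, which is the case the guideline calls out."""
    return not any(a.overlaps(b) for a in _nets(prefixes_a) for b in _nets(prefixes_b))


def overlapping_pairs(peers: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Report every pair of HA peers whose HoA prefixes overlap (cannot share a context)."""
    names = list(peers)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not can_share_context(peers[a], peers[b])]


def assign_hoa_contexts(peers: Dict[str, List[str]], fa_context: str = "local") -> Dict[str, str]:
    """Greedy placement: the first peer uses the FA context (the default HoA VPN context);
    each later peer joins the first context whose members it does not overlap, otherwise
    it gets a fresh ha-vpnN context, as in the guide's two-peer example."""
    contexts: Dict[str, List[str]] = {}
    placement: Dict[str, str] = {}
    for peer in peers:
        for ctx, members in contexts.items():
            if all(can_share_context(peers[peer], peers[m]) for m in members):
                members.append(peer)
                placement[peer] = ctx
                break
        else:
            ctx = fa_context if not contexts else f"ha-vpn{len(contexts)}"
            contexts[ctx] = [peer]
            placement[peer] = ctx
    return placement


def conflicting_mn_bindings(bindings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """MNs may reuse an HoA only when registered with different HA peers; return the
    (hoa, ha_peer) pairs seen more than once, which are real collisions."""
    seen = set()
    dups: List[Tuple[str, str]] = []
    for hoa, ha in bindings:
        key = (str(ipaddress.ip_address(hoa)), ha)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


# Constructed visitor list: the same HoA on two different HA peers is allowed,
# the same HoA twice on one HA peer is not.
MN_BINDINGS = [
    ("10.1.5.10", "172.16.2.3"),
    ("10.1.5.10", "172.16.2.4"),
    ("10.1.5.11", "172.16.2.3"),
    ("10.1.5.11", "172.16.2.3"),
]

if __name__ == "__main__":
    print("overlapping peers:", overlapping_pairs(HA_PEERS))
    print("context placement:", assign_hoa_contexts(HA_PEERS))
    print("MN binding conflicts:", conflicting_mn_bindings(MN_BINDINGS))
```

With the sample data, peers .1, .2, .3 and .5 can all share the local context, peer .4 overlaps peer .3 and is placed in ha-vpn1, and the duplicate 10.1.5.11 binding on peer .3 is flagged while the 10.1.5.10 binding on two different peers is accepted.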
Create the Contexts and Interfaces for Mobile IP Services
To create the contexts and interfaces for Mobile IP services, perform the tasks described in Table 7-1. These
contexts and interfaces are used in subsequent configuration tasks for the FA instances, HA peers, and
Mobile IP tunnels.
Table 7-1 Create the Contexts and Interfaces for Mobile IP Services
# | Task | Root Command | Notes
1 | Optional. Create the context for the CoA interface and access context configuration mode. | context | Enter this command in global configuration mode. You can use the local context instead of performing this step. For information about the context command (in global configuration mode), see the Basic System Configuration Guide for the SmartEdge OS.
2 | Create the CoA interface and access interface configuration mode. | interface | Enter this command in context configuration mode. For information about the interface command (in context configuration mode), see the Basic System Configuration Guide for the SmartEdge OS.
3 | Optional. Create an FA context for an FA instance and access context configuration mode. | context | Enter this command in global configuration mode. You can use the local context instead of performing this step.
4 | Create the interface for the Ethernet ports and 802.1Q VLANs that BTS MNs use to access this FA instance and access interface configuration mode. | interface | Enter this command in context configuration mode.
5 | Optional. Create an HA VPN context for the terminating interfaces for the IP-in-IP tunnel and, optionally, a GRE tunnel for one or more HA peers and access context configuration mode. | context | Enter this command in global configuration mode. You can use the local context instead of performing this step, but only HA peers that use public IP addresses or nonoverlapping private IP addresses can share a single context.
6 | Create an interface for an IP-in-IP tunnel and, optionally, an interface for a GRE tunnel, to the HA peer and access interface configuration mode. | interface | Enter this command in context configuration mode. Consider making this interface a loopback interface.
Configure a Key Chain Authentication Between an FA and HA
To configure a key chain between a foreign-agent (FA) instance and home-agent (HA) peer, perform the
tasks described in Table 7-2. For more information about configuring key chains, see Chapter 24, Key
Chain Configuration. Enter all commands in key chain configuration mode, unless otherwise noted.
Table 7-2 Configure a Key Chain
# | Task | Root Command | Notes
1 | Select the context for the FA instance and access context configuration mode. | context | Enter this command in global configuration mode.
2 | Create the key chain and access key chain configuration mode. | key-chain | Enter this command in context configuration mode.
3 | Configure a key string. | key-string |
4 | Specify the security parameter index (SPI) for this key chain. | spi |
Configure an FA Instance
To configure an FA instance, perform the tasks described in Table 7-3; enter all commands in FA
configuration mode, unless otherwise noted.
Table 7-3 Configure an FA Instance
# | Task | Root Command | Notes
1 | Select the context for the FA instance and access context configuration mode. | context | Enter this command in global configuration mode.
2 | Enable Mobile IP services in this context and access Mobile IP configuration mode. | router mobile-ip | Enter this command in context configuration mode.
3 | Optional. Create a dynamic tunnel profile and enter Dynamic Tunnel Profile configuration mode. | dynamic-tunnel-profile | Enter this command in Mobile IP configuration mode.
4 | Optional. Clear the IP header DF flag in all packets that are transmitted on an IP-in-IP or a GRE tunnel. | clear-df (dynamic tunnel) | Enter this command in Dynamic Tunnel Profile configuration mode.
5 | Optional. Set the MTU for packets sent to GRE tunnels. | gre mtu | Enter this command in Dynamic Tunnel Profile configuration mode.
6 | Optional. Specify the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors. | hold-time | Enter this command in Dynamic Tunnel Profile configuration mode.
7 | Optional. Set the MTU for packets sent to IP-in-IP tunnels. | ipip mtu | Enter this command in Dynamic Tunnel Profile configuration mode.
8 | Optional. Specify the number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down. | time-out | Enter this command in Dynamic Tunnel Profile configuration mode.
9 | Create or select the FA instance in this context and access FA configuration mode. | foreign-agent |
10 | Optional. Reference an existing dynamic tunnel profile. The dynamic tunnel attributes defined in this profile are applied to the dynamic tunnels that are used by this FA instance. | dynamic-tunnel-profile |
11 | Specify the interface for the CoA advertised by this FA instance. | care-of-address | This is the interface that you created for the tunnel for this FA instance.
12 | Optional. Specify the GRE tunnel type to advertise. | advertise tunnel-type | The default is not to advertise optional tunnel types.
13 | Optional. Configure registration revocation. | revocation | The default is to not configure revocation support.
14 | Optional. Configure the default authentication for this FA instance. | authentication | This is the default authentication for all HA peers for this FA instance.
15 | Optional. Enable (the default condition) or disable the forwarding of non-Mobile IP traffic for this FA instance. | forwarding traffic |
16 | Optional. Specify the means by which the forwarding address for an MN is determined. | forwarding scheme |
17 | Optional. Enable or disable MN access interface change detection using logical link control (LLC) exchange ID (XID) messages received on a circuit. | llc-xid-processing | Enable is the default.
Configure an HA Peer
To configure an HA peer, perform the tasks described in Table 7-4; enter all commands in HA peer
configuration mode, unless otherwise noted.
Table 7-4 Configure an HA Peer
# | Task | Root Command | Notes
1 | Select the context for the FA instance for this HA peer and access context configuration mode. | context | Enter this command in global configuration mode.
2 | Enable Mobile IP services in this context and access Mobile IP configuration mode. | router mobile-ip | Enter this command in context configuration mode.
3 | Select the FA instance in this context for the HA peer and access FA configuration mode. | foreign-agent | Enter this command in Mobile IP configuration mode.
4 | Create or select the HA peer and access HA peer configuration mode. | home-agent-peer | Enter this command in FA configuration mode.
5 | Optional. Apply a dynamic tunnel profile. | dynamic-tunnel-profile |
6 | Optional. Specify the maximum number of pending registrations for this HA peer. | max-pending-registrations |
7 | Optional. Specify the HoA VPN context for this HA peer. | vpn-context |
8 | Optional. Configure the authentication for the HA peer. | authentication | This authentication overrides the default authentication configured for the FA instance.
Configure a Mobile IP Interface for MN Access
To configure a Mobile IP interface for MN access, perform the tasks described in Table 7-5; enter all
commands in Mobile IP interface configuration mode, unless otherwise noted.
Table 7-5 Configure a Mobile IP Interface for MN Access
# | Task | Root Command | Notes
1 | Select the context for the FA instance and access context configuration mode. | context | Enter this command in global configuration mode.
2 | Enable Mobile IP services in this context and access Mobile IP configuration mode. | router mobile-ip | Enter this command in context configuration mode.
3 | Select an existing interface, enable it for Mobile IP services, and access Mobile IP interface configuration mode. | interface | This interface is the one you created for the Ethernet circuits in step 4 in Table 7-1.
4 | Optional. Specify the maximum registration lifetime for an MN on this interface. | registration max-lifetime |
5 | Optional. Specify the maximum interval between advertisement messages. | advertise max-interval |
6 | Optional. Specify the maximum lifetime of advertisement messages. | advertise max-lifetime |
7 | Optional. Specify the minimum interval between advertisement messages. | advertise min-interval |
Configure the MN Access to an FA Instance
To configure the MN access to an FA instance, perform the tasks described in Table 7-6.
Table 7-6 Configure MN Access to the FA Instance
# | Task | Root Command | Notes
1 | Configure the Ethernet ports and circuits on which the MNs access an FA instance. | | For information about configuring Ethernet circuits, see the ATM, Ethernet, and POS Port Configuration and the Circuit Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2 | Bind the Ethernet ports and circuits to the interfaces created for MN access in the FA context. | bind interface | For information about binding circuits to interfaces, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Configure the Mobile IP Tunnels
You must configure an IP-in-IP tunnel to each HA peer. You can also configure a GRE tunnel to each HA
peer. To configure the Mobile IP tunnels, perform the tasks described in Table 7-7.
Table 7-7 Configure the Mobile IP Tunnels
# | Task | Root Command | Notes
1 | Configure the IP-in-IP tunnels to the HA peers. | | For information about configuring IP-in-IP tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2 | Optional. Configure the GRE tunnels to the HA peers. | | For information about configuring GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Enable or Disable an FA Instance, an HA Peer, or MN Access
To enable or disable an FA instance, an HA peer, or MN access to the SmartEdge router, perform the task
described in Table 7-8.
Table 7-8 Enable or Disable an FA Instance, an HA Peer, or MN Access to the SmartEdge Router
Task | Root Command | Notes
Optional. Disable or enable an FA instance, an HA peer, or MN access to the SmartEdge router. | shutdown | Enter this command in FA, HA peer, or Mobile IP interface configuration mode. Use the no form of this command to enable an FA instance, an HA peer, or MN access to the SmartEdge router.
Configuration Examples
The following examples show configurations for:
Single FA Instance and HA Peer with IP-in-IP Tunnels
Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels
Single FA Instance and HA Peer with IP-in-IP Tunnels
The following example creates an IP-in-IP tunnel and the interfaces to support an FA instance and a single
HA peer, all in the local context. The interface for the IP-in-IP tunnel is unnumbered; it borrows its IP
address from the CoA interface. Traffic to and from the MNs is carried on GE port 2/1:
! Create the interfaces for the CoA, the MN access, and the IP-in-IP tunnel to the HA peer, all in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa loopback
[local]Redback(config-if)#ip address 172.16.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface toHA-peer
[local]Redback(config-if)#ip unnumbered coa
[local]Redback(config-if)#exit
! Enable the local context and the mn-access interface for Mobile IP services
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#exit
! Create the foreign agent, specify the CoA interface and create a home agent peer
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#end
! Configure the GE port for MN traffic and bind it to the MN access interface
[local]Redback#config
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface mn-access local
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnel to the HA peer using the CoA as the local endpoint
! Bind it to the HA peer interface in the local context
[local]Redback(config)#tunnel ipip HApeerTnl
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.2.1
[local]Redback(config-tunnel)#bind interface toHA-peer local
[local]Redback(config-tunnel)#end
Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels
The following example creates an IP-in-IP tunnel and the interfaces to support an FA instance and two HA
peers with overlapping IP addresses. The FA instance and tunnels are configured in the local context; each
HA peer has its own VPN context. Traffic to and from the MNs is carried on GE port 2/1:
! Create the interfaces for the CoA and the MN access interface in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa loopback
[local]Redback(config-if)#ip address 20.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Create the contexts and tunnel interfaces for the HA peers (HA-VPN 1 and HA-VPN 2)
[local]Redback(config)#context ha-vpn1
! Create the interface for the IP-in-IP tunnel endpoint for HA peer 1
[local]Redback(config-ctx)#interface toHApeer1
! Use the CoA IP address for the interface
[local]Redback(config-if)#ip address 20.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context ha-vpn2
! Create the interface for the IP-in-IP tunnel endpoint for HA peer 2
[local]Redback(config-ctx)#interface toHApeer2
! Use the CoA IP address for the interface
[local]Redback(config-if)#ip address 20.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Enable the local context and the MN access interface for Mobile IP visitors
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#exit
! Create the foreign agent and specify the care-of interface
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa
! Create the first home-agent peer and specify its context
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn1
[local]Redback(config-mip-hapeer)#exit
! Create the second home-agent peer and specify its context
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.2
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn2
[local]Redback(config-mip-hapeer)#end
! Configure the GE port for MN traffic and bind it to the MN access interface
[local]Redback#config
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface mn-access local
[local]Redback(config-port)#exit
! Configure the GE ports toward the HA peers and bind them to the tunnel endpoint interfaces
[local]Redback(config)#port ethernet 2/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toHApeer1 ha-vpn1
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 2/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toHApeer2 ha-vpn2
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnels to the HA peers
! Bind them to their interfaces in the HA peer VPN contexts
! Create the IP-in-IP tunnel to the HA-1 peer, using the CoA for the local end
[local]Redback(config)#tunnel ipip HApeer1Tnl
[local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HA-VPN 1 peer
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.1 context local
[local]Redback(config-tunnel)#bind interface toHApeer1 ha-vpn1
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
! Create the IP-in-IP tunnel to the HA-2 peer; use the CoA for the local end
[local]Redback(config)#tunnel ipip HApeer2Tnl
[local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HA-VPN 2 peer
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.2 context local
[local]Redback(config-tunnel)#bind interface toHApeer2 ha-vpn2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure Mobile IP FA
features. The commands are presented in alphabetical order:
advertise max-interval
advertise max-lifetime
advertise min-interval
advertise tunnel-type
authentication
care-of-address
clear-df (dynamic tunnel)
dynamic-tunnel-profile
foreign-agent
forwarding scheme
forwarding traffic
gre mtu
hold-time
home-agent-peer
interface
ipip mtu
llc-xid-processing
max-pending-registrations
registration max-lifetime
revocation
router mobile-ip
shutdown
time-out
vpn-context
advertise max-interval
advertise max-interval max-int
no advertise max-interval max-int
Purpose
Specifies the maximum interval between advertisement messages sent by the foreign-agent (FA) instance
to the mobile nodes (MNs).
Command Mode
Mobile IP interface configuration
Syntax Description
max-int  Maximum interval (in seconds) between advertisement messages. The range of values
is 4 to 1800 seconds; the default value is 600 seconds (10 minutes).
Default
The maximum interval between advertisement messages is 600 seconds.
Usage Guidelines
Use the advertise max-interval command to specify the maximum interval between advertisement messages
sent by the FA instance or HA instance to the mobile nodes.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 300 seconds as the maximum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-interval 300
Related Commands
advertise max-lifetime
advertise min-interval
interface
advertise max-lifetime
advertise max-lifetime max-life
no advertise max-lifetime max-life
Purpose
Specifies the maximum amount of time that an advertisement message sent by the foreign-agent (FA)
instance to the mobile node (MN) is valid in the absence of further advertisement messages.
Command Mode
Mobile IP interface configuration
Syntax Description
max-life  Amount of time (in seconds) that an advertisement message is valid in the
absence of further advertisement messages. The minimum value equals the
value of the max-int argument set by the advertise max-interval command
(in Mobile IP interface configuration mode); the maximum value is 9000
seconds (150 minutes). The default value is three times the value of the
max-int argument set by the advertise max-interval command.
Default
The maximum advertisement lifetime is three times the value of the max-int argument set by the advertise
max-interval command.
Usage Guidelines
Use the advertise max-lifetime command to specify the maximum amount of time that an advertisement
message sent by the FA instance or HA instance to the mobile node is valid in the absence of further
advertisement messages.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 900 seconds as the maximum lifetime of an advertisement message:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-lifetime 900
Related Commands
advertise max-interval
advertise min-interval
interface
advertise min-interval
advertise min-interval min-int
no advertise min-interval min-int
Purpose
Specifies the minimum interval between advertisement messages sent by the foreign-agent (FA) instance
to the mobile node (MN).
Command Mode
Mobile IP interface configuration
Syntax Description
min-int  Minimum interval (in seconds) between advertisement messages. The range of values
is 3 to 1800 seconds; the default value is 0.75 times the value of the max-int argument
for the advertise max-interval command (in Mobile IP interface configuration
mode).
Default
The minimum advertisement interval is 0.75 times the value of the max-int argument for the advertise
max-interval command.
Usage Guidelines
Use the advertise min-interval command to specify the minimum interval between advertisement
messages sent by the FA instance or HA instance to the mobile node.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 200 seconds as the minimum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise min-interval 200
Related Commands
advertise max-interval
advertise max-lifetime
interface
advertise tunnel-type
advertise tunnel-type gre
no advertise tunnel-type gre
Purpose
Advertises Generic Routing Encapsulation (GRE) tunnel types sent by the foreign-agent (FA) instance to
mobile nodes (MNs).
Command Mode
FA configuration
Syntax Description
gre  Specifies that Generic Routing Encapsulation (GRE) tunnels are advertised to
mobile nodes.
Default
IP-in-IP tunnels are advertised implicitly; no GRE tunnel types are advertised.
Usage Guidelines
Use the advertise tunnel-type command to advertise GRE tunnel types in the mobility agent advertisement
extension in the ICMP Router Advertisement (RA) message.
Use the no form of this command to specify the default condition.
Examples
The following example advertises the GRE tunnel type:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#advertise tunnel-type gre
Related Commands
interface
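Added example (not from the guide or the SmartEdge OS): the Python below shows the wire form of the mobility agent advertisement extension that the advertise commands populate, including the G flag that advertise tunnel-type gre sets, and applies the ranges and defaults stated for advertise max-interval, advertise min-interval and advertise max-lifetime in the command descriptions above. The field layout and flag bits follow RFC 3344 section 2.1.1; the sequence number, registration lifetime and CoA values are constructed, and the check that min-interval does not exceed max-interval is an RFC 1256 sanity check that this page does not state.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Mobility Agent Advertisement Extension (RFC 3344, section 2.1.1), carried after the
# ICMP Router Advertisement body. Type 16, Length = 6 + 4 * number of care-of addresses.
MAE_TYPE = 16
FLAG_BITS: Dict[str, int] = {
    "R": 0x80,  # registration required
    "B": 0x40,  # busy
    "H": 0x20,  # home agent
    "F": 0x10,  # foreign agent
    "M": 0x08,  # minimal encapsulation supported
    "G": 0x04,  # GRE encapsulation supported (what advertise tunnel-type gre turns on)
    "r": 0x02,  # reserved, must be zero
    "T": 0x01,  # reverse tunneling supported
}


@dataclass
class AgentAdvExt:
    sequence: int          # 0..65535, incremented per advertisement
    reg_lifetime: int      # maximum registration lifetime in seconds, 0xFFFF = infinity
    flags: Set[str]
    coas: List[str]        # care-of addresses advertised by the FA


def encode(ext: AgentAdvExt) -> bytes:
    """Serialize the extension exactly as it appears on the wire."""
    if "r" in ext.flags:
        raise ValueError("reserved flag r must not be set")
    flag_byte = 0
    for f in ext.flags:
        flag_byte |= FLAG_BITS[f]
    out = struct.pack("!BBHHBB", MAE_TYPE, 6 + 4 * len(ext.coas),
                      ext.sequence, ext.reg_lifetime, flag_byte, 0)
    for coa in ext.coas:
        out += ipaddress.IPv4Address(coa).packed
    return out


def decode(data: bytes) -> AgentAdvExt:
    """Parse defensively: reject a wrong type, bad length arithmetic, truncation and the
    reserved r bit, so a malformed advertisement is dropped rather than half-applied."""
    if len(data) < 8:
        raise ValueError("extension shorter than its fixed header")
    ext_type, length, seq, life, flag_byte, _reserved = struct.unpack("!BBHHBB", data[:8])
    if ext_type != MAE_TYPE:
        raise ValueError(f"not a mobility agent advertisement extension (type {ext_type})")
    if length < 6 or (length - 6) % 4 != 0:
        raise ValueError(f"invalid length {length}")
    if len(data) < 2 + length:
        raise ValueError("extension truncated")
    if flag_byte & FLAG_BITS["r"]:
        raise ValueError("reserved flag r set")
    n_coa = (length - 6) // 4
    coas = [str(ipaddress.IPv4Address(data[8 + 4 * i:12 + 4 * i])) for i in range(n_coa)]
    flags = {name for name, bit in FLAG_BITS.items() if flag_byte & bit}
    return AgentAdvExt(seq, life, flags, coas)


def advertise_timers(max_int: int = 600, min_int: Optional[int] = None,
                     max_life: Optional[int] = None) -> Dict[str, int]:
    """Apply the ranges and defaults from the advertise command descriptions:
    max-interval 4..1800 (default 600), min-interval 3..1800 (default 0.75 x max-int),
    max-lifetime max-int..9000 (default 3 x max-int)."""
    if not 4 <= max_int <= 1800:
        raise ValueError("advertise max-interval must be 4..1800 seconds")
    if min_int is None:
        min_int = int(0.75 * max_int)
    # min-int <= max-int is an RFC 1256 requirement, not stated on this page.
    if not 3 <= min_int <= 1800 or min_int > max_int:
        raise ValueError("advertise min-interval must be 3..1800 and not exceed max-interval")
    if max_life is None:
        max_life = 3 * max_int
    if not max_int <= max_life <= 9000:
        raise ValueError("advertise max-lifetime must lie between max-interval and 9000 seconds")
    return {"max_interval": max_int, "min_interval": min_int, "max_lifetime": max_life}


if __name__ == "__main__":
    # Constructed advertisement: an FA that supports GRE, CoA from the guide's first example.
    adv = AgentAdvExt(sequence=1, reg_lifetime=3600, flags={"F", "G"}, coas=["172.16.1.1"])
    wire = encode(adv)
    print(wire.hex(), decode(wire))
    print(advertise_timers(300, 200, 900))   # the values used in the examples above
```

Decoding the constructed advertisement gives back the F and G flags and the 172.16.1.1 CoA; a truncated copy or one with the r bit set raises rather than yielding a partial result. The timer helper accepts the 300/200/900 values used in the examples above and reproduces the page's defaults of 450 and 1800 seconds for a 600-second max-interval.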
authentication
authentication hmac-md5 {key-chain-name | dynamic-key wimax proprietary}
no authentication hmac-md5
Purpose
Configures authentication between this foreign-agent (FA) instance and all its home-agent (HA) peers or
between this FA instance and a specific HA peer.
Command Mode
FA configuration
HA peer configuration
Syntax Description
hmac-md5  Specifies the Hash-based Message Authentication Code (HMAC)-
Message Digest 5 (MD5) algorithm.
key-chain-name  Name of an existing key chain, which you must have configured in
the context in which you have configured the HA peer.
dynamic-key wimax proprietary  Specifies to use the Motorola FA-HA key Vendor Specific Attribute
(VSA) for FA-HA authentication. The Motorola FA-HA-Key VSA
ID is 26/161/67. The Motorola WiMax solution provides this VSA
to the FA. For more information about supported WiMax attributes,
see Table A-22 in Appendix A, RADIUS Attributes.
Default
No authentication is configured for any FA instance or HA peer.
Usage Guidelines
Use the authentication command to configure authentication between this FA instance and its HA peers
or between this FA instance and a specific HA peer.
In FA configuration mode, this command configures the default authentication between the FA instance and
all its HA peers; in HA peer configuration mode, this command configures the authentication between the FA
instance and the relevant HA peer.
Use the no form of this command to remove the authentication configuration for this FA instance or HA
peer.
Examples
The following example configures the key-ha key chain for key 100 and a security parameter index
(SPI) of 256 for incoming traffic and then specifies it when configuring the default authentication between
an FA instance and its HA peers:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#key-chain key-ha key-id 100
[local]Redback(config-key-chain)#spi 256
[local]Redback(config-key-chain)#key-string hex 0xfeedaceedeadbeef
[local]Redback(config-key-chain)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#authentication hmac-md5 key-ha
The following example configures dynamic keys between an FA instance and its HA peers:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#authentication hmac-md5 dynamic-key wimax proprietary
Related Commands
foreign-agent
home-agent-peer
key-chain
spi
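To see what authentication hmac-md5 with a key chain and SPI actually protects, the Python below (an added example, not SmartEdge OS code) builds an RFC 3344 Registration Request, appends MN-HA and FA-HA authentication extensions and verifies them the way an HA would. The FA-HA SPI and key string are the values from the key-chain example above; the MN-HA key, the identification field and the mobile node's addresses are constructed, the registration header layout follows RFC 3344 section 3.3, and the authenticator coverage follows its section 3.5.1.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 3344 authentication extension types. The FA-HA extension must be the last
# extension on a registration message and therefore covers everything before it.
MN_HA_AUTH = 32
FA_HA_AUTH = 34
HMAC_MD5_LEN = 16   # 128-bit authenticator, the RFC 3344 default algorithm

# Key material from the guide's authentication example: key-chain key-ha, spi 256,
# key-string hex 0xfeedaceedeadbeef. The MN-HA SPI and key are constructed placeholders.
FA_HA_SPI = 256
FA_HA_KEY = bytes.fromhex("feedaceedeadbeef")
MN_HA_SPI = 100
MN_HA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def registration_request(hoa: str, ha: str, coa: str, lifetime: int,
                         ident: bytes, flags: int = 0) -> bytes:
    """RFC 3344 section 3.3 Registration Request header (24 bytes): type 1, flag byte,
    lifetime, home address, home agent, care-of address, 64-bit identification."""
    if len(ident) != 8:
        raise ValueError("identification must be 8 bytes")
    return (struct.pack("!BBH", 1, flags, lifetime)
            + ipaddress.IPv4Address(hoa).packed
            + ipaddress.IPv4Address(ha).packed
            + ipaddress.IPv4Address(coa).packed
            + ident)


def add_auth_ext(message: bytes, spi: int, key: bytes, ext_type: int = FA_HA_AUTH) -> bytes:
    """Append an authentication extension. Per RFC 3344 3.5.1 the HMAC-MD5 authenticator
    covers the UDP payload so far (registration header plus all prior extensions) and the
    Type, Length and SPI of this extension; Length counts the SPI plus the authenticator."""
    header = struct.pack("!BBI", ext_type, 4 + HMAC_MD5_LEN, spi)
    mac = hmac.new(key, message + header, hashlib.md5).digest()
    return message + header + mac


def verify_auth_ext(packet: bytes, key: bytes, expected_spi: int,
                    ext_type: int = FA_HA_AUTH) -> bool:
    """Validate the trailing authentication extension. The SPI selects the mobility
    security association (the key chain on the router) and is checked before the MAC;
    the MAC itself is compared in constant time."""
    ext_len = 2 + 4 + HMAC_MD5_LEN
    if len(packet) < ext_len:
        return False
    body, ext = packet[:-ext_len], packet[-ext_len:]
    seen_type, length, spi = struct.unpack("!BBI", ext[:6])
    if seen_type != ext_type or length != 4 + HMAC_MD5_LEN or spi != expected_spi:
        return False
    expected = hmac.new(key, body + ext[:6], hashlib.md5).digest()
    return hmac.compare_digest(expected, ext[6:])


def build_signed_request() -> bytes:
    """Constructed example: MN 10.1.1.10 registering through CoA 172.16.1.1 with HA
    172.16.2.1 (addresses in the style of the guide's first example). The MN-HA
    extension goes first; the FA-HA extension last, so it also protects the MN-HA one."""
    req = registration_request("10.1.1.10", "172.16.2.1", "172.16.1.1", 1800,
                               ident=bytes.fromhex("0000000100000002"))
    req = add_auth_ext(req, MN_HA_SPI, MN_HA_KEY, MN_HA_AUTH)
    return add_auth_ext(req, FA_HA_SPI, FA_HA_KEY, FA_HA_AUTH)


if __name__ == "__main__":
    pkt = build_signed_request()
    print(len(pkt), pkt.hex())
    print("FA-HA ok:", verify_auth_ext(pkt, FA_HA_KEY, FA_HA_SPI))
    # Flip one bit in the care-of address (bytes 12..15 of the header): MAC must fail.
    tampered = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]
    print("tampered ok:", verify_auth_ext(tampered, FA_HA_KEY, FA_HA_SPI))
```

The HA looks up the security association by SPI first, which is why the spi value configured in the FA's key chain has to match the HA's; a mismatched SPI fails before any HMAC comparison, and a modified CoA or a different key fails the constant-time comparison. Stripping the FA-HA extension leaves a message whose MN-HA extension still verifies with the MN-HA key, which is the layering the FA relies on.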
care-of-address
care-of-address if-name [ctx-name]
no care-of-address if-name [ctx-name]
Purpose
Specifies the interface used for the care-of-address (CoA) advertised by this foreign-agent (FA) instance.
Command Mode
FA configuration
Syntax Description
if-name  Name of the interface for the CoA.
ctx-name  Optional. Context name in which the interface exists. If the interface exists in
a context other than the one you are currently in, you must specify the context
name.
Default
The interface used for the CoA is not specified in advertisement messages.
Usage Guidelines
Use the care-of-address command to specify the interface used for the CoA advertised by this FA instance.
Enter this command multiple times to specify multiple CoA interfaces. This command specifies an existing
interface as the CoA interface; you must first create that interface using the interface command (in context
configuration mode).
Use the no form of this command to specify the default condition.
Examples
The following example creates the coa interface in the local context and specifies it as the CoA interface
for the FA instance:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa local
Related Commands
foreign-agent
clear-df (dynamic tunnel)
clear-df
{no | default}clear-df
Purpose
Clears the IP header Don't Fragment (DF) flag in all packets that are transmitted on an IP-in-IP or a Generic
Routing Encapsulation (GRE) tunnel.
Command Mode
Dynamic Tunnel Profile
Syntax Description
This command has no keywords or arguments.
Default
The IP header DF flag is not cleared.
Usage Guidelines
Use the clear-df command to clear the IP header DF flag in all packets that are transmitted on an IP-in-IP
or a GRE tunnel. If the IP packet length exceeds the tunnel interface maximum transmission unit (MTU),
the packet is fragmented.
Use the no or default form of this command to honor the DF flag in inbound packets.
Examples
The following example shows how to specify that the DF flag in all transmitted packets be cleared in the
GRE and IP-in-IP tunnels:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
dynamic-tunnel-profile
gre mtu
hold-time
ipip mtu
time-out
dynamic-tunnel-profile
dynamic-tunnel-profile profile
no dynamic-tunnel-profile profile
Purpose
In Mobile IP configuration mode, creates a dynamic tunnel profile and enters Dynamic Tunnel Profile
configuration mode.
In Foreign Agent configuration mode, applies the dynamic tunnel profile to an FA instance.
In HA peer configuration mode, applies a dynamic tunnel profile to an HA peer.
Command Mode
Mobile IP configuration
Foreign Agent configuration
HA peer configuration
Syntax Description
profile Name of the dynamic tunnel profile.
Default
The following are the defaults for the dynamic tunnel profile:
clear-df: Disabled.
gre mtu: 1468 bytes
hold-time: 30 seconds
ipip mtu: 1480 bytes
time-out: 3 seconds
Usage Guidelines
Use the dynamic-tunnel-profile command in Mobile IP configuration mode to create a dynamic tunnel
profile and enter Dynamic Tunnel Profile configuration mode. Dynamic Tunnel Profile configuration mode
allows you to configure dynamic tunnel profile attributes.
Use the dynamic-tunnel-profile command in Foreign Agent configuration mode to apply a dynamic
tunnel profile to a foreign-agent instance.
Use the dynamic-tunnel-profile command in HA peer configuration mode to apply a dynamic tunnel profile
to a home-agent peer.
Configured static tunnels take precedence over dynamic tunnels. If a dynamic tunnel profile is not applied
to an HA peer, the peer inherits the dynamic tunnel profile specified in the FA instance. If no profile is
configured in the FA instance either, the HA peer uses the default dynamic tunnel profile values. If you delete
a referenced dynamic tunnel profile, the FA instance and HA peers also delete their references to this
profile. When these references are deleted, the FA instance and HA peers use the default dynamic tunnel
profile values. For information about applying a dynamic tunnel profile to an HA instance or FA peer, see
the dynamic-tunnel-profile section on page 8-12.
Use the no form of this command to delete a dynamic tunnel profile.
Examples
The following example creates a last resort interface and dynamic tunnel profile prof1 (in Dynamic
Tunnel Profile configuration mode) and then applies the profile to an FA instance:
! Create a dynamic tunnel profile.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Apply dynamic tunnel profile prof1 to the FA instance.
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#dynamic-tunnel-profile prof1
! Create a last resort interface with an IP unnumbered interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
Note You must configure a last-resort interface within the same context (FA context or VPN
context) to use a dynamic tunnel profile. The last-resort interface must borrow an IP address
using an unnumbered interface. For information about configuring last resort interfaces, see
the Basic System Configuration Guide.
The following example creates a last resort interface, two dynamic tunnel profiles, prof1 and prof2, and
then applies profile prof1 to an FA instance and profile prof2 to HA peer 1.1.1.2. HA peer
3.1.1.2 inherits the dynamic tunnel profile prof1 specified in FA configuration mode because no
dynamic tunnel profile is applied at the HA peer level:
! Create dynamic tunnel profile prof1.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create dynamic tunnel profile prof2.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 120
[local]Redback(config-mip-dyn-tun1-profile)#time-out 8
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1000
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create a last resort interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
! Apply the dynamic tunnel profile to the FA instance.
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-fa)#tunnel-type gre
[local]Redback(config-mip-fa)#authentication none
[local]Redback(config-mip-fa)#local-address to_fa
! Apply the dynamic tunnel profile to HA peer 1.1.1.2.
[local]Redback(config-mip-fa)#home-agent-peer 1.1.1.2
[local]Redback(config-mip-fa-hapeer)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-fa-hapeer)#end
! HA peer 3.1.1.2 inherits dynamic tunnel profile prof1 (used by the FA
! instance) since no dynamic profile is configured in HA peer
! configuration mode.
[local]Redback(config-mip-fa)#home-agent-peer 3.1.1.2
Related Commands
clear-df (dynamic tunnel)
foreign-agent
gre mtu
hold-time
home-agent-peer
ipip mtu
time-out
foreign-agent
foreign-agent
no foreign-agent
Purpose
Creates or selects a foreign-agent (FA) instance in this context and accesses FA configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
This command has no keywords or arguments.
Default
No FAs are created.
Usage Guidelines
Use the foreign-agent command to create or select an FA instance in this context and access FA
configuration mode. You can only create one FA instance in a context. You can also apply a dynamic tunnel
profile.
Use the no form of this command to delete the FA instance in this context.
Examples
The following example creates an FA instance in the fa context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#
Related Commands
care-of-address
dynamic-tunnel-profile
home-agent-peer
interface
shutdown
forwarding scheme
forwarding scheme {source-mac}
{no | default} forwarding scheme
Purpose
Specifies how the IP route used for packet forwarding for a mobile node (MN) is determined.
Command Mode
FA configuration
Syntax Description
source-mac Use the source medium access control (MAC) address to look up the IP route.
Default
The forwarding scheme uses the source MAC address.
Usage Guidelines
Use the forwarding scheme command to specify the means by which the IP route used for packet
forwarding for an MN is determined.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies forwarding based on the source MAC address:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#forwarding scheme source-mac
Related Commands
foreign-agent
forwarding traffic
forwarding traffic routed-ip
no forwarding traffic routed-ip
Purpose
Enables the forwarding of non-Mobile IP traffic for this foreign-agent (FA) instance.
Command Mode
FA configuration
Syntax Description
routed-ip Forward routed IP (non-Mobile IP) traffic.
Default
Routing of non-Mobile IP traffic is enabled.
Usage Guidelines
Use the forwarding traffic command to enable the forwarding of non-Mobile IP traffic for this
foreign-agent (FA) instance. Non-Mobile IP traffic is routed IP traffic received on an interface that is
enabled for Mobile IP services.
Use the no form of this command to disable the forwarding of non-Mobile IP traffic.
Examples
The following example disables the forwarding of non-Mobile IP traffic:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#no forwarding traffic routed-ip
Related Commands
foreign-agent
gre mtu
gre mtu bytes
no gre mtu
Purpose
Sets the Maximum Transmission Unit (MTU) for packets sent on GRE tunnels.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
bytes MTU size in bytes. The range of values is 256 through 1468 bytes.
Default
1468 bytes
Usage Guidelines
Use the gre mtu command to set the MTU for packets sent in GRE tunnels. If an IP packet exceeds the
MTU, the system fragments that packet.
A tunnel uses the MTU size for the interface to which the tunnel is bound to compute the tunnel MTU size,
unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel,
the system determines the effective MTU by comparing the configured MTU with the interface MTU and
selecting the lesser of the two values.
Use the no form of this command to delete the configured MTU and use the interface MTU.
Examples
The following example shows how to set the maximum IP packet size for GRE tunnels for prof1 to 1200
bytes:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#gre mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
hold-time
ipip mtu
time-out
hold-time
hold-time seconds
{no | default}hold-time
Purpose
Specifies the number of seconds for the router to wait before it brings down a dynamic tunnel that has no
active bindings or visitors.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
seconds Number of seconds for the router to wait before it brings down a dynamic
tunnel that has no active bindings or visitors. The range of values is 0 through
3600 seconds.
Default
30 seconds
Usage Guidelines
Use the hold-time command to specify the number of seconds for the router to wait before it brings down
a dynamic tunnel that has no active bindings or visitors.
Use the no or default form of this command to restore the setting to its default value of 30 seconds.
Examples
The following example shows how to set the router to wait 10 seconds before it brings down a dynamic
tunnel that has no active bindings or visitors for prof1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
ipip mtu
time-out
home-agent-peer
home-agent-peer ip-addr
no home-agent-peer ip-addr
Purpose
Creates or selects a home-agent (HA) peer for this foreign-agent (FA) instance and accesses HA peer
configuration mode.
Command Mode
FA configuration
Syntax Description
ip-addr IP address for this HA peer.
Default
No HA peers are created.
Usage Guidelines
Use the home-agent-peer command to create or select an HA peer for this FA instance and access HA peer
configuration mode. If a Mobile IP registration is received for a home-agent peer that is not configured, one
is created dynamically. FA and HA authentication and dynamic tunnel configuration are inherited from the
FA instance.
Use the no form of this command to delete the HA peer with the specified IP address.
Examples
The following example creates an HA peer with IP address 172.16.2.1 for the FA instance in the fa
context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-fa-hapeer)#
Related Commands
max-pending-registrations
shutdown
vpn-context
interface
interface if-name
no interface if-name
Purpose
Selects an existing interface, enables it for Mobile IP services, and accesses Mobile IP interface
configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
if-name Name of an existing interface.
Default
None
Usage Guidelines
Use the interface command to select an existing interface, enable it for Mobile IP services, and access
Mobile IP interface configuration mode. Use this command to specify the interfaces supporting IPv4
Mobility as defined in RFC 3344, IP Mobility Support for IPv4.
Use the no form of this command to disable the interface for Mobile IP services.
Examples
The following example creates the mn-access interface in the fa context, selects it, and accesses Mobile
IP interface configuration mode:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#
Related Commands
advertise max-interval
registration max-lifetime
shutdown
ipip mtu
ipip mtu bytes
no ipip mtu
Purpose
Sets the Maximum Transmission Unit (MTU) for packets sent on IP-in-IP tunnels.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
bytes MTU size in bytes. The range of values is 256 through 1480 bytes.
Default
1480 bytes
Usage Guidelines
Use the ipip mtu command to set the MTU for packets sent in IP-in-IP tunnels. If an IP packet exceeds the
MTU, the system fragments that packet.
A tunnel uses the MTU size for the interface to which the tunnel is bound to compute the tunnel MTU size,
unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel,
the system determines the effective MTU by comparing the configured MTU with the interface MTU and
selecting the lesser of the two values.
Use the no form of this command to delete the configured MTU and use the interface MTU.
Examples
The following example shows how to set the maximum IP packet size for IP-in-IP tunnels for prof1 to
1200 bytes:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
hold-time
time-out
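As an added illustration that is not part of this guide or of the SmartEdge OS, the following Python model ties together the dynamic-tunnel-profile rules (an HA peer uses its own profile, else the FA instance's, else the defaults; deleting a referenced profile drops the references), the documented ranges and defaults, and the clear-df, gre mtu and ipip mtu rules for the effective tunnel MTU and fragmentation. The encapsulation overheads applied when no MTU is configured, and the drop of an oversized packet whose DF flag is honoured, are assumptions beyond what the guide states.

```python
"""Constructed model, not SmartEdge OS code: dynamic tunnel profile
defaults and ranges, the profile an HA peer ends up using, and how the
effective tunnel MTU plus clear-df decide forward / fragment / drop."""
from dataclasses import dataclass
from typing import Dict, Optional

# Documented ranges for the profile attributes.
RANGES = {"gre_mtu": (256, 1468), "ipip_mtu": (256, 1480),
          "hold_time": (0, 3600), "time_out": (2, 10)}
# Assumption: the documented defaults (1468 GRE, 1480 IP-in-IP) are a
# 1500-byte interface MTU minus these overheads; used only when no MTU
# is configured in the profile.
ENCAP_OVERHEAD = {"ipip": 20, "gre": 32}


@dataclass
class TunnelProfile:
    name: str
    clear_df: bool = False          # default: the DF flag is honoured
    gre_mtu: Optional[int] = None   # None: derive from the bound interface
    ipip_mtu: Optional[int] = None
    hold_time: int = 30
    time_out: int = 3

    def __post_init__(self) -> None:
        # Reject what the CLI would reject: values outside the ranges.
        for attr, (lo, hi) in RANGES.items():
            value = getattr(self, attr)
            if value is not None and not lo <= value <= hi:
                raise ValueError(f"{attr} {value} outside {lo}-{hi}")


DEFAULT_PROFILE = TunnelProfile("default")


class MobileIpContext:
    """Profiles under 'router mobile-ip', the FA instance's reference and
    the per-HA-peer references (None = no profile applied to the peer)."""

    def __init__(self) -> None:
        self.profiles: Dict[str, TunnelProfile] = {}
        self.fa_profile: Optional[str] = None
        self.ha_peers: Dict[str, Optional[str]] = {}

    def dynamic_tunnel_profile(self, profile: TunnelProfile) -> None:
        self.profiles[profile.name] = profile

    def no_dynamic_tunnel_profile(self, name: str) -> None:
        # Deleting a referenced profile also deletes the references, so
        # the FA instance and HA peers fall back to the default values.
        del self.profiles[name]
        if self.fa_profile == name:
            self.fa_profile = None
        for peer, ref in self.ha_peers.items():
            if ref == name:
                self.ha_peers[peer] = None

    def resolve(self, peer: str) -> TunnelProfile:
        """Peer's own profile, else the FA instance's, else the defaults.
        Static tunnels, which take precedence, are not modelled."""
        name = self.ha_peers.get(peer) or self.fa_profile
        return self.profiles[name] if name else DEFAULT_PROFILE


def effective_mtu(profile: TunnelProfile, tunnel_type: str,
                  interface_mtu: int = 1500) -> int:
    configured = profile.gre_mtu if tunnel_type == "gre" else profile.ipip_mtu
    if configured is None:
        # No MTU configured: computed from the bound interface's MTU.
        return interface_mtu - ENCAP_OVERHEAD[tunnel_type]
    # Documented rule: the lesser of the configured and interface MTU.
    return min(configured, interface_mtu)


def tunnel_action(profile: TunnelProfile, tunnel_type: str,
                  packet_len: int, df_set: bool,
                  interface_mtu: int = 1500) -> str:
    """'forward', 'fragment', or 'drop-df' (DF honoured on an oversized
    packet: standard IP behaviour, assumed beyond what the guide says)."""
    if packet_len <= effective_mtu(profile, tunnel_type, interface_mtu):
        return "forward"
    if df_set and not profile.clear_df:
        return "drop-df"
    return "fragment"   # clear-df strips DF, so the packet is fragmented


def build_example_context() -> MobileIpContext:
    """The guide's example: prof1 on the FA instance, prof2 on HA peer
    1.1.1.2, and HA peer 3.1.1.2 with no profile of its own."""
    ctx = MobileIpContext()
    ctx.dynamic_tunnel_profile(TunnelProfile(
        "prof1", clear_df=True, hold_time=10, time_out=10, ipip_mtu=1200))
    ctx.dynamic_tunnel_profile(TunnelProfile(
        "prof2", clear_df=True, hold_time=120, time_out=8, ipip_mtu=1000))
    ctx.fa_profile = "prof1"
    ctx.ha_peers["1.1.1.2"] = "prof2"
    ctx.ha_peers["3.1.1.2"] = None
    return ctx
```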
llc-xid-processing
llc-xid-processing
no llc-xid-processing
Purpose
Enables the SmartEdge OS to detect the access interface change of a mobile node (MN) based on logical
link control (LLC) exchange ID (XID) messages received on a circuit.
Command Mode
FA configuration
Syntax Description
This command has no keywords or arguments.
Default
The detection of access interface changes of an MN based on LLC XID messages received on a circuit is
enabled.
Usage Guidelines
Use the llc-xid-processing command to enable the SmartEdge OS to detect the access interface changes of
an MN based on LLC XID messages received on a circuit.
When XID processing is enabled, the SmartEdge OS uses the received LLC XID frame to change the access
interface and circuit associated with the MN and transmits traffic to the MN over the new circuit. This
feature allows for a quick traffic switchover when an MN relocates within the same FA instance.
If you disable XID processing, the SmartEdge OS must process a Mobile IP registration message on the new
interface before the MN can be moved to a new access interface.
Use the no form of this command to disable LLC XID message processing.
Examples
The following example disables LLC XID message processing:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#no llc-xid-processing
Related Commands
foreign-agent
max-pending-registrations
max-pending-registrations maximum
no max-pending-registrations maximum
Purpose
Specifies the maximum number of pending registrations permitted for this home-agent (HA) peer.
Command Mode
HA peer configuration
Syntax Description
maximum Maximum number of pending registrations permitted for this HA peer. The range of
values is 1 to 65535.
Default
Pending registrations are unlimited.
Usage Guidelines
Use the max-pending-registrations command to specify the maximum number of pending registrations
permitted for this HA peer.
Use the no form of this command to specify the default condition.
Examples
The following example specifies that a maximum of 10 pending registrations are permitted for this HA
peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 10.1.1.1
[local]Redback(config-mip-fa-hapeer)#max-pending-registrations 10
Related Commands
foreign-agent
home-agent-peer
registration max-lifetime
registration max-lifetime seconds
no registration max-lifetime
Purpose
Specifies the maximum registration lifetime for any mobile node (MN) that uses this foreign agent (FA)
instance.
Command Mode
Mobile IP interface configuration
Syntax Description
seconds Maximum registration lifetime. The range of values is 1 to 65535 seconds. The default
value is 1800 seconds (30 minutes).
Default
The maximum registration lifetime is 1800 seconds (30 minutes).
Usage Guidelines
Use the registration max-lifetime command to specify the maximum registration lifetime for any MN that
uses this FA instance.
Use the no form of this command to specify the default condition.
Examples
The following example specifies a maximum registration lifetime of 60 minutes (3600 seconds) with the
FA instance in this context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#registration max-lifetime 3600
Related Commands
interface
revocation
revocation [mobile-notify condition] [timeout seconds] [retransmit num]
no revocation [mobile-notify condition] [timeout seconds] [retransmit num]
Purpose
Configures registration revocation for this foreign agent (FA) instance.
Command Mode
FA configuration
Syntax Description
mobile-notify condition Optional. Specifies the conditions under which the SmartEdge OS notifies
mobile nodes (MNs) that their Mobile IP service has been revoked, according
to one of the following keywords:
always: Always notify the MNs.
never: Never notify the MNs.
home-dictate: Notify the MNs based on the home-agent (HA) preference
specified by the I bit setting in received registration revocation requests
and replies. This is the default.
timeout seconds Number of seconds between registration revocation messages. The range of
values is 1 to 100; the default value is 7.
retransmit num Number of times the SmartEdge OS transmits registration revocation
messages. The range of values is 1 to 100; the default value is 3.
Default
Registration revocation is not configured for any FA instance.
Usage Guidelines
Use the revocation command to configure registration revocation for this FA instance. For more
information, see RFC 3543, Registration Revocation in Mobile IPv4.
Use the no form of this command to remove registration revocation from the configuration for this FA
instance.
Examples
The following example configures this FA instance to always notify the MNs when service is revoked:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#revocation mobile-notify always
Related Commands
foreign-agent
router mobile-ip
router mobile-ip
no router mobile-ip
Purpose
Enables Mobile IP services in this context and accesses Mobile IP configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
Mobile IP services are not enabled in any context.
Usage Guidelines
Use the router mobile-ip command to enable Mobile IP services in this context and access Mobile IP
configuration mode.
Use the no form of this command to disable Mobile IP services in this context.
Examples
The following example enables Mobile IP services in the fa context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#
Related Commands
foreign-agent
home-agent-peer
interface
shutdown
shutdown
no shutdown
Purpose
Disables or enables the foreign-agent (FA) instance, home-agent (HA) peer, or mobile node (MN) access
to the SmartEdge router for an FA instance.
Command Mode
FA configuration
HA peer configuration
Mobile IP interface configuration
Syntax Description
This command has no keywords or arguments.
Default
All FA instances, HA peers, and Mobile IP interfaces are enabled.
Usage Guidelines
Use the shutdown command to disable the FA instance, the HA peer, or the MN interface for an FA
instance.
Use the no form of this command to enable the FA instance, the HA peer, or the MN interface for an FA
instance.
Examples
The following example disables an FA instance:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#shutdown
The following example disables an HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-fa-hapeer)#shutdown
The following example disables the MN interface for an FA instance:
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#shutdown
Related Commands
foreign-agent
home-agent-peer
interface
time-out
time-out seconds
{no | default} time-out
Purpose
Specifies the number of seconds for the router to wait for a dynamic tunnel to be established before bringing
the current subscriber or visitor down.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
seconds Number of seconds for the router to wait for a dynamic tunnel to be established before
bringing the current subscriber or visitor down. The range of values is 2 through 10
seconds.
Default
3 seconds
Usage Guidelines
Use the time-out command to specify the number of seconds for the router to wait for a dynamic tunnel to
be established before bringing the current subscriber or visitor down.
Use the no or default form of this command to restore the setting to its default value of 3 seconds.
Examples
The following example shows how to set the timeout for prof1 to 10 seconds:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
hold-time
ipip mtu
vpn-context
vpn-context ctx-name
no vpn-context ctx-name
Purpose
Specifies the context in which the IP-in-IP tunnel or Generic Routing Encapsulation (GRE) tunnel to this
home agent (HA) peer is terminated.
Command Mode
HA peer configuration
Syntax Description
ctx-name Context in which the IP-in-IP tunnel or GRE tunnel to this HA peer is terminated and in
which the IP routes are added for the mobile nodes (MNs) that are registered with this
HA peer.
Default
None
Usage Guidelines
Use the vpn-context command to specify the context in which the IP-in-IP tunnel or GRE tunnel to this
HA peer is terminated. The HA peers can share a context if they use public IP addresses or if their private
IP addresses do not overlap. HA peers with overlapping private IP addresses must each have their own
context.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the ha-vpn1 context for the MNs associated with this HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-fa-hapeer)#vpn-context ha-vpn1
Related Commands
home-agent-peer
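As an added check that is not part of this guide or of the SmartEdge OS, the following Python validates a set of HA peers against the context-sharing rule for vpn-context: peers placed in the same context may not bring overlapping private address space into it, while public addresses never clash. Which addresses count for a peer (its own address plus the MN home prefixes whose routes are added for it) is an assumption, as is the sample peer set.

```python
"""Constructed check, not SmartEdge OS code, of the vpn-context rule: HA
peers may share a terminating context when they use public addresses or
their private address space does not overlap; peers whose private space
overlaps need a context each.  Assumption: the addresses a peer brings
into the context are its own address plus the MN home prefixes routed
through it."""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Tuple


def private_space(prefixes: List[str]):
    """Only private prefixes can clash between peers; public addresses
    are globally unique and are ignored here."""
    nets = (ip_network(p, strict=False) for p in prefixes)
    return [n for n in nets if n.is_private]


def peers_overlap(a: List[str], b: List[str]) -> bool:
    return any(x.overlaps(y)
               for x in private_space(a) for y in private_space(b))


def context_conflicts(ha_peers: Dict[str, Tuple[str, List[str]]]
                      ) -> List[Tuple[str, str, str]]:
    """ha_peers maps peer address -> (vpn-context name, MN prefixes).
    Returns (peer_a, peer_b, context) for every pair that shares a
    context but has overlapping private address space."""
    found = []
    for (pa, (ca, na)), (pb, (cb, nb)) in combinations(ha_peers.items(), 2):
        if ca == cb and peers_overlap([pa] + na, [pb] + nb):
            found.append((pa, pb, ca))
    return found


# Constructed sample: two HA peers in ha-vpn1 whose MN home prefixes
# overlap, and two peers in the local context that do not clash.
SAMPLE_PEERS = {
    "172.16.2.1": ("ha-vpn1", ["10.1.0.0/16"]),
    "172.16.2.2": ("ha-vpn1", ["10.1.128.0/17"]),
    "1.1.1.2": ("local", ["10.1.0.0/16"]),
    "3.1.1.2": ("local", ["1.1.0.0/16"]),
}
```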
Chapter 8
Mobile IP Home Agent Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Mobile IP wireless
services for home-agent (HA) instances on the SmartEdge router and their foreign-agent (FA) peers.
For information about the tasks and commands used to configure FA instances and their HA peers, see
Chapter 7, Mobile IP Foreign Agent Configuration.
You configure IP-in-IP and, optionally, Generic Routing Encapsulation (GRE) tunnels on the SmartEdge
router to support the connections from FA instances to their HA peers and from HA instances to their FA
peers. For information about configuring the IP-in-IP and GRE tunnels, see the Single-Circuit Tunnel
Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
For information about the tasks and commands used to monitor, administer, and troubleshoot Mobile IP
services, see the Mobile IP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
For information about configuring Ethernet, Fast Ethernet-Gigabit Ethernet, and Gigabit Ethernet ports and
circuits to support mobile subscribers, see the ATM, Ethernet, and POS Port Configuration and the
Circuit Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note The terms FA instance and HA instance refer to the FAs and HAs, respectively, that you
configure on the SmartEdge router.
The terms FA peer and HA peer refer to FAs and HAs that exist on other equipment in the
network.
The term Mobile IP binding refers to the association between a mobile node (MN) and its HA
instance on the SmartEdge router. The term visitor or visiting MN refers to the association
between an MN and an FA instance when that MN is communicating with its HA through the
FA instance on the SmartEdge router.
HA tunnels can be used with Mobile IP services and non-Mobile IP services traffic.
Overview
The following section provides an overview of Mobile IP services of the HA instance. This section includes
the following topics:
Traffic Flow
Deployment Scenarios
Supported Standards
Restrictions
Traffic Flow
Mobile IP services allow MNs to retain their IP addresses, and therefore maintain their existing IP
sessions, when they roam across multiple networks.
Mobile IP consists of the following components:
MNs
HA instance
FA peer
The HA instance, a router on the MN home network, is the anchor component in the Mobile IP network that
provides seamless mobility to the MN. When an MN is attached to its home network, it does not use Mobile
IP services because it communicates directly using normal IP routing. When an MN is roaming and is not
connected to its home network, its HA instance provides the following services:
Tracks the MN current point of attachment (POA) to the Internet.
Tunnels datagrams destined to the MN current POA. HA tunnels can be used with Mobile IP services
and non-Mobile IP services traffic.
Authenticates the MN (usually with the user ID and password) and verifies that Mobile IP services
should be provided. It optionally assigns the MN a home address (HoA) on its home network. When
the MN roams outside its home network, it retains its home address so that active IP sessions remain up.
Receives reverse-tunneled packets from the FA peer and forwards them based on the IP packet sent by
the MN.
Mobile IP services enable the SmartEdge router to act as one or more HA instances. Each instance
communicates with its mobile subscribers (MNs). When an MN moves outside the network for the HA
instance, it connects to the HA instance through an FA peer, which then communicates with the HA
instance. Each HA instance has a local address that the system uses as the termination address for its MNs
and FA peers.
Mobile IP subscribers are assigned a home slot where their corresponding subscriber circuit is anchored for
the purposes of accounting and other circuit-based features. When selecting a home slot, preference is given
to the line card with the current HA-FA tunnel egress circuit. When a subscriber re-registers and the
subscriber's home slot is not on the same line card as the tunnel egress, an attempt is made to
re-optimize the subscriber's home slot.
In a typical deployment, MNs connect wirelessly to Base Transceiver Stations (BTSs), which connect to
the SmartEdge router FA peer through Ethernet. In this topology, each MN is represented by a separate
Ethernet circuit and MNs can move between BTSs. The FA instance communicates with a SmartEdge HA
instance through a tunnel endpoint (a local address of an HA instance). The SmartEdge router routes the
MN traffic to the FA peer using an IP-in-IP tunnel or GRE tunnel. Each FA peer uses a different tunnel.
Traffic for the MNs is routed from the HA instance to the FA peer using the same tunnel.
Figure 8-1 illustrates the physical network of MNs, BTS, FA peers, and an HA instance.
Figure 8-1 Physical network of MNs, BTS, FA peers, and an HA instance.
Deployment Scenarios
The Mobile IP services implementation can use the SmartEdge OS multiple context support. For the HA,
all home addresses (HoAs) are allocated from the HA context address space. The HA local address
interfaces can be in the same context or in different contexts. This allows IP-in-IP or GRE tunnels to FA
peers to terminate in other contexts. For example, an FA peer tunnel could terminate in the local context
that is providing connectivity to the Internet backbone.
Note Because the tunnels described in this chapter each support a single tunnel circuit, the term
tunnel refers to the tunnel and its circuit. For information about configuring the IP-in-IP and
GRE tunnels, see the Single-Circuit Tunnel Configuration in the Ports, Circuits, and
Tunnels Configuration Guide for the SmartEdge OS.
Restrictions
Mobile IP services have the following restrictions:
Mobile IP services are currently supported only for unicast traffic; broadcast and multicast traffic are not
supported.
Mobile IP services are supported only on PPA2 line cards. Do not have any PPA1-based line cards in the
chassis when enabling Mobile IP services.
Supported Standards
Mobile IP services comply with the standards found in the following documents:
RFC 2794, Mobile IP Network Access Identifier Extension for IPv4
RFC 3024, Reverse Tunneling for Mobile IP, revised
RFC 3344, IP Mobility Support for IPv4
RFC 3543, Registration Revocation in Mobile IPv4
X.S0011-001-C v3.0, cdma2000 Wireless IP Network Standard: Introduction
Configuration Tasks
To configure HA Mobile IP features, perform the tasks described in the following sections:
Mobile IP Configuration Guidelines
Create the Contexts and Interfaces for Mobile IP Services
Configure a Key Chain for FA-HA Authentication
Configure an HA Instance
Configure an FA Peer
Configure an MN Subscriber
Configure AAA for MN Subscribers
Configure the Mobile IP Tunnels
Enable or Disable an HA Instance or FA Peer
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Mobile IP Configuration Guidelines
The following HA configuration guidelines apply when configuring Mobile IP services for an HA instance:
Within a given context, the SmartEdge router can act as an HA instance or an FA instance; it cannot
perform both roles. For information about configuring it as an FA instance, see Chapter 7, Mobile IP
Foreign Agent Configuration.
You must configure IP-in-IP tunnels to FA peers; optionally, you can configure and use GRE tunnels in
addition to the IP-in-IP tunnels.
Configure the tunnel to an FA peer in the HA context for that peer.
MNs do not connect directly with an HA instance; instead they reach that HA instance through its FA
peers. If the SmartEdge router is also acting as an FA instance (in another context), the MNs can connect
to that FA instance as described in Chapter 7, Mobile IP Foreign Agent Configuration.
To prevent Mobile IP tunnels from shutting down because of circuit problems, create the interfaces for
the IP-in-IP and GRE tunnels as loopback interfaces. Loopback interfaces are always up.
When using GRE tunnels to connect FA peers, a separate GRE tunnel is required for each FA peer. GRE
keys are not supported.
Create the Contexts and Interfaces for Mobile IP Services
To create the contexts and interfaces for Mobile IP services, perform the tasks described in Table 8-1. These
contexts and interfaces are used in subsequent configuration tasks for the HA instances and FA peers.
Table 8-1 Create the Contexts and Interfaces for Mobile IP Services
1. Optional. Create the context for the HA instance and access context configuration mode. Root command:
context. Notes: Enter this command in global configuration mode. You can use the local context instead of
performing this step.
2. Create an interface for the FA peers to connect to the HA instance (using tunnels) using the HA local
address, and access interface configuration mode. Root command: interface. Notes: Enter this command in
context configuration mode.
3. Optional. Create an FA context for an FA peer and access context configuration mode. Root command:
context. Notes: Enter this command in global configuration mode. You can use the HA instance context for
all FA peers instead of performing this step.
Note For information about the context command (in global configuration mode) and the interface
command (in context configuration mode), and the various commands to configure contexts
and interfaces, see the Basic System Configuration Guide for the SmartEdge OS.
Configure a Key Chain for FA-HA Authentication
To configure key chain authentication for the FA and HA, perform the tasks described in Table 8-2. For
more information about configuring key chains, see Chapter 24, Key Chain Configuration.
Table 8-2 Configure a Key Chain
1. Select the context for the HA instance and access context configuration mode. Root command: context.
Notes: Enter this command in global configuration mode.
2. Create the key chain and access key chain configuration mode. Root command: key-chain. Notes: Enter
this command in context configuration mode.
3. Configure a key string. Root command: key-string. Notes: Enter this command in key chain
configuration mode.
4. Specify the security parameter index (SPI) for this key chain. Root command: spi. Notes: Enter this
command in key chain configuration mode.
Configure an HA Instance
To configure an HA instance, perform the tasks described in Table 8-3; enter all commands in HA
configuration mode, unless otherwise noted.
Table 8-3 Configure an HA Instance
1. Select the context for the HA instance and access context configuration mode. Root command: context.
Notes: Enter this command in global configuration mode.
2. Enable Mobile IP services in this context and access Mobile IP configuration mode. Root command:
router mobile-ip. Notes: Enter this command in context configuration mode.
3. Create or select the HA instance and access HA configuration mode. Root command: home-agent.
Notes: Enter this command in Mobile IP configuration mode.
4. Apply a dynamic tunnel profile to an HA instance. Root command: dynamic-tunnel-profile. Notes:
Enter this command in HA configuration mode.
5. Specify the interface for the HA local address. Root command: local-address. Notes: This is the
interface that you created for the tunnels for this HA instance.
6. Optional. Enable the optional tunnel type. Root command: tunnel-type. Notes: The default is not to
enable optional tunnel types.
7. Optional. Configure the default authentication for this HA instance. Root command: authentication.
Notes: This is the default authentication for all FA peers for this HA instance.
8. Optional. Configure the registration maximum lifetime for MN registrations using this HA instance.
Root command: registration max-lifetime. Notes: The default is 1800 seconds.
9. Optional. Configure the tolerance for timestamp-based replay protection between an MN and its HA
instance. Root command: replay-tolerance. Notes: The default is 7 seconds.
10. Optional. Configure registration revocation support for this HA instance. Root command: revocation.
Notes: The default is that registration revocation is not enabled.
Configure an FA Peer
To configure an FA peer, perform the tasks described in Table 8-4.
Table 8-4 Configure an FA Peer
1. Select the context for the HA instance for this FA peer and access context configuration mode. Root
command: context. Notes: Enter this command in global configuration mode.
2. Enable Mobile IP services in this context and access Mobile IP configuration mode. Root command:
router mobile-ip. Notes: Enter this command in context configuration mode.
3. Select the HA instance for the FA peer and access HA configuration mode. Root command: home-agent.
Notes: Enter this command in Mobile IP configuration mode.
4. Create or select the FA peer and access FA peer configuration mode. Root command:
foreign-agent-peer. Notes: Enter this command in HA configuration mode.
5. Optional. Apply a dynamic tunnel profile to an FA peer. Root command: dynamic-tunnel-profile.
Notes: Enter this command in FA peer configuration mode. The dynamic tunnel profile is created in
Mobile IP configuration mode and configured in Dynamic Tunnel Profile configuration mode.
6. Optional. Configure the authentication for the FA peer. Root command: authentication. Notes: Enter
this command in FA peer configuration mode. This authentication overrides the default authentication for
all FA peers for this HA instance.
Configure an MN Subscriber
To configure an MN subscriber record, profile, or default profile, perform the task described in Table 8-5.
Table 8-5 Configure an MN Subscriber Record, Profile, or Default Profile
1. Configure the subscriber record, profile, or default profile. Root command: subscriber. Notes: For
information about configuring subscribers and their attributes, see the Basic System Configuration Guide
for the SmartEdge OS.
Configure AAA for MN Subscribers
You can configure authentication, authorization, and accounting (AAA) features and Remote
Authentication Dial-In User Service (RADIUS) servers for MN subscribers. For information about
configuring AAA features and RADIUS servers, see Chapter 20, AAA Configuration, and Chapter 21,
RADIUS Configuration, respectively.
Configure the Mobile IP Tunnels
You must configure an IP-in-IP tunnel to each FA peer. You can also configure a GRE tunnel to each FA
peer. To configure the Mobile IP tunnels, perform the tasks described in Table 8-6.
Table 8-6 Configure the Mobile IP Tunnels
1. Configure the IP-in-IP tunnels to the FA peers. Notes: For information about creating IP-in-IP tunnels
and GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2. Optional. Configure the GRE tunnels to the FA peers. Notes: For information about creating IP-in-IP
tunnels and GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Enable or Disable an HA Instance or FA Peer
To enable or disable an HA instance or an FA peer, perform the task described in Table 8-7.
Table 8-7 Enable or Disable an FA, an HA Peer, or MN Access to the SmartEdge Router
Task: Optional. Disable or enable an HA instance or an FA peer. Root command: shutdown. Notes: Enter
this command in HA instance or FA peer configuration mode. Use the no form of this command to enable
an HA instance or an FA peer.
Configuration Examples
The following example creates an IP-in-IP tunnel and the interfaces to support an HA instance and an FA
peer, all in the local context. Traffic is carried on two Ethernet ports:
! Create the interfaces for the IP-in-IP tunnels to the FA peers and for the MNs
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface tun1
[local]Redback(config-if)#ip address 20.2.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface loc-addr
[local]Redback(config-if)#ip address 20.1.1.1/16
[local]Redback(config-if)#exit
! Enable the local context for Mobile IP services
[local]Redback(config-ctx)#router mobile-ip
! Create the home agent instance, specify the local address interface, and create a
! foreign agent peer
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#local-address loc-addr
[local]Redback(config-mip-ha)#foreign-agent-peer 20.1.1.2
[local]Redback(config-mip-hapeer)#end
! Configure the Ethernet circuits (bind them to the MN access and local address
! interfaces)
[local]Redback#config
[local]Redback(config)#port ethernet 2/10
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface loc-addr local
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnel (bind it to the tunnel interface in the local context)
[local]Redback(config)#tunnel ipip tun1
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1 remote 20.1.1.2
[local]Redback(config-tunnel)#bind interface tun1 local
[local]Redback(config-tunnel)#end
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure HA instances
and their FA peers. The commands are presented in alphabetical order:
authentication
dynamic-tunnel-profile
foreign-agent-peer
home-agent
local-address
registration max-lifetime
replay-tolerance
revocation
router mobile-ip
shutdown
tunnel-type
authentication
authentication hmac-md5 {key-chain-name | dynamic-key wimax}
no authentication hmac-md5
Purpose
Configures authentication between this home agent (HA) instance and its foreign agent (FA) peers or
between the HA instance and a specific FA peer.
Command Mode
HA configuration
FA peer configuration
Syntax Description
hmac-md5 Specifies the Hash-based Message Authentication Code (HMAC)-Message Digest 5 (MD5)
algorithm.
key-chain-name Name of an existing key chain, which you must have configured in the context in which
you have configured the HA instance or FA peer.
dynamic-key wimax Specifies to dynamically compute FA-HA keys using the WiMAX AAA HA-RK-Key
Vendor Specific Attribute (VSA). The WiMAX HA-RK-Key VSA ID is 26/24757/15. Configured static
key chains take precedence over dynamic keys. For more information about supported WiMAX attributes,
see the RADIUS Attributes Supported by Mobile IP Services section in Appendix A, RADIUS Attributes.
Default
No authentication is configured for any HA instance or FA peer.
Usage Guidelines
Use the authentication command to configure authentication between this HA instance and its FA peers
or between the HA instance and a specific FA peer.
In HA configuration mode, this command configures the default authentication between the HA instance
and all its FA peers; in FA peer configuration mode, this command configures the authentication specifically
between the HA instance and the FA peer.
Use the no form of this command to remove the authentication configuration for this HA instance or FA
peer.
Examples
The following example configures the key-ha key chain for key 100 and a security parameter index
(SPI) of 256 for incoming traffic and then specifies it when configuring the default authentication between
an HA instance and its FA peers:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#key-chain key-ha key-id 100
[local]Redback(config-key-chain)#spi 256
[local]Redback(config-key-chain)#key-string hex 0xfeedaceedeadbeef
[local]Redback(config-key-chain)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#authentication hmac-md5 key-ha
The following example configures dynamic keys between an HA instance and its FA peers:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#authentication hmac-md5 dynamic-key wimax
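The check that the authentication command enables, as an added example that is not part of this guide or of the SmartEdge OS: a Python model of the Foreign-Home Authentication Extension of RFC 3344 (sections 3.5.1 and 3.5.3), verified on the HA side against a key chain looked up by SPI, with a static key-chain entry taking precedence over a dynamic key for the same SPI as the Syntax Description states. The message layout and the coverage of the HMAC-MD5 authenticator follow RFC 3344; the key string and SPI are those of the key-ha example above; the addresses, the Identification value and the function names are assumptions.

```python
"""FA-HA HMAC-MD5 authentication check modelled after RFC 3344, sections 3.5.1 and 3.5.3.
Added illustration for this page; it is not SmartEdge OS code."""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST_TYPE = 1         # Registration Request message type
FA_HA_AUTH_EXT = 34          # Foreign-Home Authentication Extension type
AUTHENTICATOR_LEN = 16       # HMAC-MD5 produces a 16-byte authenticator
FIXED_HEADER_LEN = 24        # type, flags, lifetime, three IPv4 addresses, 64-bit identification


def build_registration_request(home_addr, ha_addr, care_of_addr, lifetime, identification, flags=0):
    """Fixed part of a Registration Request; extensions are appended separately."""
    return struct.pack(
        "!BBH4s4s4sQ",
        REG_REQUEST_TYPE, flags, lifetime,
        ipaddress.IPv4Address(home_addr).packed,
        ipaddress.IPv4Address(ha_addr).packed,
        ipaddress.IPv4Address(care_of_addr).packed,
        identification,
    )


def append_fa_ha_auth(message, spi, key):
    """Append a Foreign-Home Authentication Extension. The authenticator covers the
    message, every prior extension, and this extension's own Type, Length and SPI."""
    header = struct.pack("!BBI", FA_HA_AUTH_EXT, 4 + AUTHENTICATOR_LEN, spi)
    authenticator = hmac.new(key, message + header, hashlib.md5).digest()
    return message + header + authenticator


def verify_fa_ha_auth(packet, static_keys, dynamic_keys=None):
    """HA-side check. static_keys and dynamic_keys map SPI -> key bytes; a static
    key-chain entry wins over a dynamic key with the same SPI. Returns (accepted, reason)."""
    dynamic_keys = dynamic_keys or {}
    offset = FIXED_HEADER_LEN
    while offset + 2 <= len(packet):
        ext_type, ext_len = packet[offset], packet[offset + 1]
        if ext_type != FA_HA_AUTH_EXT:
            offset += 2 + ext_len        # skip any earlier extension (it is still covered)
            continue
        if ext_len != 4 + AUTHENTICATOR_LEN or offset + 2 + ext_len > len(packet):
            return False, "malformed authentication extension"
        spi = struct.unpack("!I", packet[offset + 2:offset + 6])[0]
        key = static_keys.get(spi, dynamic_keys.get(spi))
        if key is None:
            return False, f"no key for SPI {spi}"
        covered = packet[:offset + 6]                       # up to and including the SPI
        received = packet[offset + 6:offset + 6 + AUTHENTICATOR_LEN]
        expected = hmac.new(key, covered, hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):     # constant-time comparison
            return False, "authenticator mismatch"
        return True, "ok"
    return False, "FA-HA authentication extension missing"


# Constructed sample: key string and SPI from the key-ha example on this page,
# addresses and identification chosen for illustration.
SAMPLE_KEY = bytes.fromhex("feedaceedeadbeef")
SAMPLE_SPI = 256


def demo():
    request = build_registration_request("20.3.0.5", "20.1.1.1", "20.1.1.2", 1800, 0xD9F4A2C000000000)
    signed = append_fa_ha_auth(request, SAMPLE_SPI, SAMPLE_KEY)
    tampered = signed[:2] + b"\xff\xff" + signed[4:]        # lifetime altered in flight
    return {
        "valid": verify_fa_ha_auth(signed, {SAMPLE_SPI: SAMPLE_KEY}),
        "unknown_spi": verify_fa_ha_auth(signed, {}),
        "tampered": verify_fa_ha_auth(tampered, {SAMPLE_SPI: SAMPLE_KEY}),
        "unsigned": verify_fa_ha_auth(request, {SAMPLE_SPI: SAMPLE_KEY}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model rejects a request whose SPI is not in any key chain, whose lifetime was altered after signing, or which carries no FA-HA extension at all; each is the condition a registration with a misconfigured or missing key chain produces on the HA.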
Related Commands
home-agent
foreign-agent-peer
key-chain
spi
dynamic-tunnel-profile
dynamic-tunnel-profile profile
no dynamic-tunnel-profile profile
Purpose
In Home Agent configuration mode, applies a dynamic tunnel profile to a home-agent (HA) instance.
In FA Peer configuration mode, applies a dynamic tunnel profile to a foreign-agent (FA) peer.
Command Mode
Home Agent configuration
FA Peer configuration
Syntax Description
profile Name of the dynamic tunnel profile.
Default
The following are the defaults for the dynamic tunnel profile:
clear-df: Disabled.
gre mtu mtu: 1468 bytes
hold-time seconds: 30 seconds
ipip mtu mtu: 1480 bytes
time-out seconds: 3 seconds
Usage Guidelines
Use the dynamic-tunnel-profile command (in Home Agent configuration mode) to apply a dynamic
tunnel profile to an HA instance.
Use the dynamic-tunnel-profile command (in FA Peer configuration mode) to apply a dynamic tunnel
profile to an FA peer.
You first create a dynamic tunnel profile (in Mobile IP configuration mode) and configure its attributes (in
Dynamic Tunnel Profile configuration mode). You then apply the profile to the HA instance (in Home
Agent configuration mode) and its FA peers (in FA Peer configuration mode). Configured static tunnels
take precedence over dynamic tunnels. When no dynamic tunnel profile is applied to an FA peer, the
peer inherits the profile specified in HA configuration mode. If you delete a referenced dynamic tunnel
profile, the references to this profile are also deleted for the HA instance and FA peers. When this happens,
the HA instance and FA peers use the default dynamic tunnel profile values. For information about how to
create a dynamic tunnel profile, see the dynamic-tunnel-profile section on page 7-24.
Use the no form of this command to delete the dynamic tunnel profile.
Examples
The following example creates a last-resort interface, two dynamic tunnel profiles (prof1 and prof2),
and then applies these profiles to an HA instance and FA peer:
! Create dynamic tunnel profile prof1.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create dynamic tunnel profile prof2
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 120
[local]Redback(config-mip-dyn-tun1-profile)#time-out 8
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1000
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create last-resort interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
! Apply dynamic tunnel profile prof1 to the HA instance.
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-ha)#tunnel-type gre
[local]Redback(config-mip-ha)#authentication none
[local]Redback(config-mip-ha)#local-address to_fa
! Apply dynamic tunnel profile prof2 to FA peer 1.1.1.2.
[local]Redback(config-mip-ha)#foreign-agent-peer 1.1.1.2
[local]Redback(config-mip-ha-fapeer)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-ha-fapeer)#end
! The FA peer 3.1.1.2 inherits dynamic tunnel profile prof1 (which is
! specified in HA configuration mode) because no dynamic profile is
! applied at the FA peer level.
[local]Redback(config-mip-ha)#foreign-agent-peer 3.1.1.2
Note You must configure a last-resort interface within the same context to use a dynamic tunnel
profile. For information about configuring last-resort interfaces, see the Basic System
Configuration Guide.
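The precedence rules that the Usage Guidelines and the example above describe, as an added example that is not part of this guide or of the SmartEdge OS: a small Python model of how the profile in effect for an FA peer is resolved (peer-level profile, else the HA-level profile, else the documented defaults), how deleting a referenced profile drops the references, and how a configured static tunnel wins over a dynamic one. The default values are those listed under Default; the profile attributes and peer addresses are taken from the prof1/prof2 example; the class and method names are assumptions.

```python
"""Resolution of the dynamic tunnel profile that applies to an FA peer, following the
precedence rules stated for the dynamic-tunnel-profile command.
Added illustration for this page; it is not SmartEdge OS code."""
from copy import deepcopy

# Defaults listed in the Default section of the dynamic-tunnel-profile command.
DEFAULT_PROFILE = {
    "clear_df": False,
    "gre_mtu": 1468,
    "hold_time": 30,
    "ipip_mtu": 1480,
    "time_out": 3,
}


class MobileIpContext:
    """One context's Mobile IP configuration: profiles, the HA-level and per-peer
    references to them, and the FA peers that have a statically configured tunnel."""

    def __init__(self):
        self.profiles = {}           # profile name -> attribute dict
        self.ha_profile = None       # name applied in HA configuration mode
        self.peer_profiles = {}      # FA peer address -> name applied in FA peer mode
        self.static_tunnels = set()  # FA peers reached over a configured static tunnel

    def create_profile(self, name, **overrides):
        """Dynamic Tunnel Profile configuration: unset attributes keep their defaults."""
        unknown = set(overrides) - set(DEFAULT_PROFILE)
        if unknown:
            raise ValueError(f"unknown profile attributes: {sorted(unknown)}")
        self.profiles[name] = {**DEFAULT_PROFILE, **overrides}

    def apply_to_ha(self, name):
        self._require(name)
        self.ha_profile = name

    def apply_to_peer(self, peer, name):
        self._require(name)
        self.peer_profiles[peer] = name

    def delete_profile(self, name):
        """Deleting a referenced profile also deletes the HA and FA peer references to it."""
        self.profiles.pop(name, None)
        if self.ha_profile == name:
            self.ha_profile = None
        self.peer_profiles = {p: n for p, n in self.peer_profiles.items() if n != name}

    def effective_profile(self, peer):
        """Peer-level profile, else the HA-level profile, else the defaults.
        Returns (attribute dict, profile name or None when defaults apply)."""
        name = self.peer_profiles.get(peer, self.ha_profile)
        return deepcopy(self.profiles.get(name, DEFAULT_PROFILE)), name

    def tunnel_selection(self, peer):
        """Configured static tunnels take precedence over dynamic tunnels."""
        return "static" if peer in self.static_tunnels else "dynamic"

    def _require(self, name):
        if name not in self.profiles:
            raise KeyError(f"dynamic tunnel profile {name!r} does not exist")


def demo():
    """Reproduces the prof1/prof2 example: prof1 on the HA, prof2 on peer 1.1.1.2,
    nothing on peer 3.1.1.2."""
    ctx = MobileIpContext()
    ctx.create_profile("prof1", clear_df=True, hold_time=10, time_out=10, ipip_mtu=1200)
    ctx.create_profile("prof2", clear_df=True, hold_time=120, time_out=8, ipip_mtu=1000)
    ctx.apply_to_ha("prof1")
    ctx.apply_to_peer("1.1.1.2", "prof2")
    return ctx


if __name__ == "__main__":
    ctx = demo()
    for peer in ("1.1.1.2", "3.1.1.2"):
        print(peer, ctx.effective_profile(peer), ctx.tunnel_selection(peer))
    ctx.delete_profile("prof1")
    print("after deleting prof1:", ctx.effective_profile("3.1.1.2"))
```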
Related Commands
home-agent
foreign-agent-peer
foreign-agent-peer
foreign-agent-peer ip-addr
no foreign-agent-peer ip-addr
Purpose
Creates or selects a foreign-agent (FA) peer for this home-agent (HA) instance and accesses FA peer
configuration mode.
Command Mode
HA configuration
Syntax Description
ip-addr IP address for this FA peer.
Default
No FA peers are created.
Usage Guidelines
Use the foreign-agent-peer command to create or select an FA peer for this HA instance and access FA
peer configuration mode. If a Mobile IP registration is received from an FA peer that is not configured, one
is created dynamically. FA and HA authentication and dynamic tunnel configuration are inherited from the
HA instance.
Use the no form of this command to delete the FA peer with the specified IP address.
Examples
The following example creates an FA peer with IP address 172.16.2.1 for the HA instance in the ha
context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#foreign-agent-peer 172.16.2.1
[local]Redback(config-fapeer)#
Related Commands
authentication
dynamic-tunnel-profile
shutdown
home-agent
home-agent
no home-agent
Purpose
Creates or selects a home-agent (HA) instance in this context and accesses HA configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
This command has no keywords or arguments.
Default
No HA instances are created.
Usage Guidelines
Use the home-agent command to create or select an HA instance in this context and access HA
configuration mode.
Use the no form of this command to delete the HA instance in this context.
Examples
The following example creates an HA instance in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#
Related Commands
authentication
foreign-agent-peer
local-address
shutdown
local-address
local-address if-name [ctx-name]
no local-address if-name [ctx-name]
Purpose
Specifies the interface for the home agent (HA) local address used by remote foreign agent (FA) peers for
this HA instance.
Command Mode
HA configuration
Syntax Description
if-name Name of the interface for the HA.
ctx-name Optional. Context name in which the interface exists. If the interface exists in a context other
than the one you are currently in, you must specify the context name.
Default
None
Usage Guidelines
Use the local-address command to specify the interface for the HA local address used by FA peers for this
HA instance. Enter this command multiple times to specify multiple HA interfaces. This command
specifies an existing interface as the HA interface; you must first create that interface using the interface
command in context configuration mode.
Use the no form of this command to remove the HA local address.
Examples
The following example creates the local address interface in a context called ha and specifies it as the local
address interface for the HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#interface ha
[local]Redback(config-if)#ip address 10.1.1.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#local-address ha
Related Commands
home-agent
registration max-lifetime
registration max-lifetime seconds
no registration max-lifetime
Purpose
Specifies the registration maximum lifetime for any mobile node (MN) that uses this home agent (HA)
instance.
Command Mode
HA configuration
Syntax Description
seconds Registration maximum lifetime. The range of values is 1 to 65535 seconds.
Default
The registration maximum lifetime default is 1800 seconds (30 minutes).
Usage Guidelines
Use the registration max-lifetime command to specify the registration maximum lifetime for any MN that
uses this HA instance.
Use the no form of this command to specify the default.
Examples
The following example specifies a registration maximum lifetime of 60 minutes (3600 seconds) for the
HA instance in this context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#registration max-lifetime 3600
Related Commands
home-agent
replay-tolerance
replay-tolerance seconds
no replay-tolerance
Purpose
Configures the tolerance for timestamp-based replay protection used between the home agent (HA)
instance and the registering mobile nodes (MN).
Command Mode
HA configuration
Syntax Description
seconds Tolerance for timestamp-based replay protection used between the HA instance and
registering MNs. The range of values is 4 to 255 seconds.
Default
The default tolerance for timestamp-based replay protection is 7 seconds.
Usage Guidelines
Use the replay-tolerance command to configure the tolerance for timestamp-based replay protection used
between the HA instance and the registering MN. The replay-tolerance command specifies the number of
seconds by which the HA instance timestamp and the MN timestamp can differ. When the HA instance
discovers that this difference is greater than the number of seconds specified, it rejects the MN registration.
Use the no form of this command to specify the default.
Examples
The following example configures a timestamp-based replay tolerance of 10 seconds for this HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#replay-tolerance 10
Related Commands
authentication
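The timestamp comparison that the replay-tolerance setting controls, as an added example that is not part of this guide or of the SmartEdge OS: a Python model of the HA-side check from RFC 3344, section 5.7, in which the 64-bit Identification field of a Registration Request carries an NTP timestamp that must lie within the tolerance of the HA clock and must be greater than the last value accepted from that MN. The tolerance range (4 to 255 seconds) and the default (7) are the ones documented above; the Registration Reply code 133 (identification mismatch) is from RFC 3344; the clock values, the MN address and the class and function names are assumptions.

```python
"""Timestamp-based replay protection on the HA side, after RFC 3344, section 5.7.
Added illustration for this page; it is not SmartEdge OS code."""

NTP_EPOCH_OFFSET = 2208988800        # seconds between 1900-01-01 and 1970-01-01
CODE_ACCEPTED = 0                    # Registration Reply code: registration accepted
CODE_IDENTIFICATION_MISMATCH = 133   # Registration Reply code sent by the HA on a bad Identification


def unix_to_identification(unix_seconds, fraction=0):
    """Build the 64-bit Identification field: NTP seconds in the high 32 bits,
    fractional seconds in the low 32 bits."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) << 32) | (fraction & 0xFFFFFFFF)


def identification_to_unix(identification):
    return (identification >> 32) - NTP_EPOCH_OFFSET


class ReplayChecker:
    """Models what the replay-tolerance command configures on one HA instance."""

    def __init__(self, tolerance_seconds=7):
        if not 4 <= tolerance_seconds <= 255:       # range given in the Syntax Description
            raise ValueError("replay-tolerance must be 4 to 255 seconds")
        self.tolerance = tolerance_seconds
        self._last_accepted = {}                    # home address -> last accepted Identification

    def check(self, home_addr, identification, ha_now_unix):
        """Return (reply_code, reason); ha_now_unix is the HA clock when the request arrives."""
        skew = abs(identification_to_unix(identification) - ha_now_unix)
        if skew > self.tolerance:
            return CODE_IDENTIFICATION_MISMATCH, f"clock skew {skew}s exceeds tolerance {self.tolerance}s"
        # Within tolerance, but a replayed or stale request reuses an old Identification.
        if identification <= self._last_accepted.get(home_addr, -1):
            return CODE_IDENTIFICATION_MISMATCH, "identification not greater than last accepted value"
        self._last_accepted[home_addr] = identification
        return CODE_ACCEPTED, "accepted"


def demo():
    """Constructed sequence of registrations from one MN, seen by an HA configured with
    replay-tolerance 10 and a fixed clock."""
    checker = ReplayChecker(tolerance_seconds=10)
    ha_now = 1_700_000_000
    mn_home_addr = "20.3.0.5"
    attempts = [
        ha_now + 5,    # 5 s ahead of the HA clock: accepted
        ha_now + 5,    # same Identification replayed: rejected
        ha_now + 6,    # newer and within tolerance: accepted
        ha_now + 17,   # 17 s skew exceeds the 10 s tolerance: rejected
        ha_now - 10,   # within tolerance but older than the last accepted value: rejected
    ]
    return [checker.check(mn_home_addr, unix_to_identification(t), ha_now)[0] for t in attempts]


if __name__ == "__main__":
    print(demo())
```

When the HA rejects with code 133, RFC 3344 has it place its own time in the reply so the MN can resynchronise and retry; a tolerance set too low for the clock quality of the MN population therefore shows up as registrations that fail on the first attempt and succeed on the second.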
revocation
revocation [mobile-notify {always | never | foreign-dictate}] [timeout seconds] [retransmit num]
no revocation [mobile-notify condition] [timeout seconds] [retransmit num]
Purpose
Configures registration revocation as described in RFC 3543, Registration Revocation in Mobile IPv4, for
this home agent (HA) instance. Registration revocation is negotiated between the HA instance and its
foreign agent (FA) peers.
Command Mode
HA configuration
Syntax Description
mobile-notify condition Optional. Specifies the conditions for which the HA instance negotiates I-bit
support with its FA peers when the mobile node (MN) registers, according to one of the following
keywords:
always: Always notify the MN when Mobile IP services have been revoked, except when the MN is no
longer receiving service from the FA peer. This is the default.
never: Never notify the MN that Mobile IP services have been revoked.
foreign-dictate: Does not negotiate I-bit support with the FA peer when the MN registers. The FA peer
determines whether or not to notify the MN.
timeout seconds Number of seconds between registration revocation retransmissions. A registration
revocation request is retransmitted to the FA peer when an acknowledgement is not received. The range of
values is 1 to 100; the default value is 7.
retransmit num Number of times the SmartEdge OS retransmits registration revocation messages. The
range of values is 1 to 100; the default value is 3.
Default
Registration revocation is not configured for any HA instance.
Usage Guidelines
Use the revocation command to configure registration revocation, as described in RFC 3543, Registration
Revocation in Mobile IPv4, for this HA instance. Registration revocation is negotiated between the HA
instance and its FA peers.
Use the no form of this command to disable support for registration revocation for the HA instance.
Note To use registration revocation, you must configure authentication in addition to the revocation
command. If authentication is not enabled for the FA peer, registration revocation is not negotiated for
registrations received from that peer. For more information about authentication, see the authentication
command (in HA configuration or FA peer configuration mode).
Examples
The following example enables registration revocation support for the HA instance. Registration
revocation I-bit support is negotiated with the FA peer and the MN is never notified that Mobile IP services
have been revoked:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#revocation mobile-notify never
Related Commands
authentication
home-agent
router mobile-ip
router mobile-ip
no router mobile-ip
Purpose
Enables Mobile IP services in this context and accesses Mobile IP configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
Mobile IP services are not enabled in any context.
Usage Guidelines
Use the router mobile-ip command to enable Mobile IP services in this context and access Mobile IP
configuration mode.
Use the no form of this command to disable Mobile IP services in this context.
Examples
The following example enables Mobile IP services in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#
Related Commands
foreign-agent-peer
home-agent
local-address
shutdown
shutdown
no shutdown
Purpose
Disables or enables the home-agent (HA) instance or foreign-agent (FA) peer.
Command Mode
FA peer configuration
HA configuration
Syntax Description
This command has no keywords or arguments.
Default
HA instances and FA peers are all enabled.
Usage Guidelines
Use the shutdown command to disable the HA instance or FA peer.
Use the no form of this command to enable the HA instance or FA peer.
Examples
The following example disables an HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#shutdown
The following example disables an FA peer:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#foreign-agent-peer 172.16.2.1
[local]Redback(config-fapeer)#shutdown
Related Commands
foreign-agent-peer
home-agent
local-address
tunnel-type
tunnel-type gre
no tunnel-type gre
Purpose
Enables use of Generic Routing Encapsulation (GRE) tunnel types by mobile nodes (MN).
Command Mode
HA configuration
Syntax Description
gre Specifies Generic Routing Encapsulation tunnels.
Default
IP-in-IP tunnels are enabled implicitly; no optional tunnel types are enabled.
Usage Guidelines
Use the tunnel-type command to enable the use of GRE tunnel types by MNs.
Use the no form of this command to specify the default condition.
Examples
The following example enables the GRE tunnel type:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#tunnel-type gre
Related Commands
local-address
Command Descriptions
8-26 IP Services and Security Configuration Guide
Part 4
IP Services
This part describes the tasks and commands used to configure HTTP redirect, Domain Name System
(DNS), and access control lists (ACLs) for IP services and policies. It consists of the following chapters:
Chapter 9, HTTP Redirect Configuration
Chapter 10, Hotlining Configuration
Chapter 11, DNS Configuration
Chapter 12, ACL Configuration
Chapter 9
HTTP Redirect Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS hotlining features.
For information about tasks and commands used to monitor, troubleshoot, and administer hotlining
features, see the HTTP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Overview
Hotlining allows WiMAX operators to efficiently redirect subscribers to a portal controlled by a service provider for service registration, updates, service advertisements, and issues that require immediate attention, such as virus attacks and missed payments. When hotlining is complete, the subscriber is released from the hotlined state (released from the portal) and returned to the original destination.
For example, if a subscriber has a mobile device that is locked to a subscription with a service provider, that subscriber can be hotlined to a subscription server when the device is turned on. No other traffic is allowed. The subscription server provides subscription options that the subscriber can choose from. When the subscriber completes the subscription process, the subscriber is removed from the hotlined state.
When a hotlining session is activated, the HA receives the WiMAX Forum RADIUS VSAs Hotline-Profile-ID (the hotlining profile identifier attribute) and Hotline-Indicator (an attribute that enables hotlining) from the AAA server in a RADIUS Access-Accept or change of authorization (CoA) message. These attributes enable hotlining. The hotlining profile identifier selects a preconfigured profile during the session. The RADIUS server or CoA sends the WiMAX Forum RADIUS VSA Hotline-Indicator attribute in the Access-Accept or CoA-Request message, which is reported in the session and hotlining accounting records. For information on hotlining RADIUS attributes (Hotline-Profile-ID and Hotline-Indicator), see the WiMAX Forum RADIUS VSAs and WiMAX Forum RADIUS VSAs in the CoA sections in Appendix A, RADIUS Attributes.
Note Hotlining is a WiMAX feature that supports only WiMAX subscribers.
There will be accounting discrepancies of a few bytes per packet when the home agent (HA) receives packets containing IP and GRE field values.
If the shared key is configured using the subscriber default mobile-ip shared-key command, the SmartEdge OS treats the subscriber as a 3GPP2 user.
The following are key accounting attributes in SmartEdge router RADIUS accounting records that distinguish hotline accounting records from session accounting records and start records from stop records:
(A) SESSION-ACCT-START
Acct-Status-Type = Start
(no Hotline-Indicator)
Acct-Session-ID = <generated-id-2>
Acct-Multi-Session-ID = <multi-session-id-1>
(no counters)
(B) SESSION-ACCT-STOP (session stop, hotlining begin)
Acct-Status-Type = Stop
Acct-Session-ID = <generated-id-2>
(no Hotline-Indicator)
(no Acct-Terminate-Cause)
Acct-Multi-Session-ID = <multi-session-id-1>
Counters
(C) SESSION-ACCT-STOP (regular session down)
Acct-Status-Type = Stop
(no Hotline-Indicator)
Acct-Terminate-Cause = <some cause code>
Acct-Session-ID = <generated-id-2>
Acct-Multi-Session-ID = <multi-session-id-1>
Counters
(D) HOTLINE-ACCT-START
Acct-Status-Type = Start
Hotline-Indicator = <hl-ind-1> (from AAA server)
Acct-Session-ID = <generated-id-1>
Acct-Multi-Session-ID = <multi-session-id-1>
(no counters)
(E) HOTLINE-ACCT-STOP (hotline stop, begin regular session)
Acct-Status-Type = Stop
Hotline-Indicator = <hl-ind-1>
Acct-Session-ID = <generated-id-1>
(no Acct-Terminate-Cause)
(no counters)
(F) HOTLINE-ACCT-STOP (session down from hotlining)
Acct-Status-Type = Stop
Hotline-Indicator = <hl-ind-1>
Acct-Session-ID = <generated-id-1>
Acct-Terminate-Cause = <some cause code>
(no counters)
For information about the Acct-Terminate-Cause attribute, see Appendix A, RADIUS Attributes.
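The six record patterns (A) to (F) above can be applied mechanically when reviewing accounting data from the HA. The following Python is an added example, not SmartEdge OS code or output: it classifies records written as "Attribute = Value" lines, groups them by Acct-Multi-Session-ID so the session/hotline timeline of one subscriber can be reconstructed, and flags hotline records that unexpectedly carry traffic counters (the overview states that hotline records carry none). The attribute names are those listed above; the session identifiers, the counter values and the Acct-Terminate-Cause value in the sample records are constructed, and the counter attribute names are the standard RFC 2866 ones.

```python
"""Classify hotlining and session RADIUS accounting records.

Added example, not SmartEdge OS code: applies the six record patterns (A) to (F)
from the overview to constructed records written as "Attribute = Value" lines.
"""
import re
from collections import defaultdict

# (Acct-Status-Type, Hotline-Indicator present, Acct-Terminate-Cause present) -> record kind.
# For Start records the terminate cause is not part of the pattern, so it is keyed as None.
RECORD_KINDS = {
    ("Start", False, None): "A SESSION-ACCT-START",
    ("Stop", False, False): "B SESSION-ACCT-STOP (session stop, hotlining begin)",
    ("Stop", False, True): "C SESSION-ACCT-STOP (regular session down)",
    ("Start", True, None): "D HOTLINE-ACCT-START",
    ("Stop", True, False): "E HOTLINE-ACCT-STOP (hotline stop, begin regular session)",
    ("Stop", True, True): "F HOTLINE-ACCT-STOP (session down from hotlining)",
}

# Standard RFC 2866 traffic counters; per the overview, hotline records carry none of them.
COUNTER_ATTRS = ("Acct-Input-Octets", "Acct-Output-Octets",
                 "Acct-Input-Packets", "Acct-Output-Packets")

ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def parse_record(text):
    """Parse one record of 'Attribute = Value' lines into a dict of strings."""
    attrs = {}
    for line in text.strip().splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def classify(attrs):
    """Return the record kind (letter and label), or 'UNKNOWN' if no pattern fits."""
    status = attrs.get("Acct-Status-Type")
    hotline = "Hotline-Indicator" in attrs
    cause = None if status == "Start" else ("Acct-Terminate-Cause" in attrs)
    return RECORD_KINDS.get((status, hotline, cause), "UNKNOWN")


def check_counters(attrs):
    """Hotline records (D, E, F) should carry no counters; report it when they do."""
    kind = classify(attrs)
    if kind != "UNKNOWN" and kind[0] in "DEF" and any(a in attrs for a in COUNTER_ATTRS):
        return "counters present on hotline record"
    return None


def timeline(records):
    """Group records by Acct-Multi-Session-ID, keeping (Acct-Session-ID, kind letter) in order."""
    by_multi = defaultdict(list)
    for attrs in records:
        by_multi[attrs.get("Acct-Multi-Session-ID")].append(
            (attrs.get("Acct-Session-ID"), classify(attrs)[0]))
    return dict(by_multi)


# Constructed records for one subscriber: session start, session stop at hotline
# activation, hotline start, hotline stop, and a later regular session teardown.
SAMPLE_RECORDS = [parse_record(r) for r in (
    """Acct-Status-Type = Start
       Acct-Session-ID = sess-0002
       Acct-Multi-Session-ID = multi-0001""",
    """Acct-Status-Type = Stop
       Acct-Session-ID = sess-0002
       Acct-Multi-Session-ID = multi-0001
       Acct-Input-Octets = 120934
       Acct-Output-Octets = 88120""",
    """Acct-Status-Type = Start
       Hotline-Indicator = "ABCDEF"
       Acct-Session-ID = sess-0001
       Acct-Multi-Session-ID = multi-0001""",
    """Acct-Status-Type = Stop
       Hotline-Indicator = "ABCDEF"
       Acct-Session-ID = sess-0001
       Acct-Multi-Session-ID = multi-0001""",
    """Acct-Status-Type = Stop
       Acct-Terminate-Cause = User-Request
       Acct-Session-ID = sess-0002
       Acct-Multi-Session-ID = multi-0001
       Acct-Input-Octets = 500
       Acct-Output-Octets = 700""",
)]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec), check_counters(rec) or "")
    print(timeline(SAMPLE_RECORDS))
```

The classification key deliberately ignores Acct-Terminate-Cause on Start records, since the patterns above only use that attribute to separate the two Stop variants; anything with another Acct-Status-Type value (for example an interim update) is reported as UNKNOWN rather than forced into a pattern.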
Configuration Tasks
To configure hotlining, perform the tasks described in the following sections:
Configure the Local HTTP Server on the Active Controller Card
Configure a RADIUS Server Profile
Configure a Policy ACL That Classifies HTTP Packets
Configure a Forward Policy to Redirect HTTP Packets
Configure Accounting Server
Configure the Local HTTP Server on the Active Controller Card
To configure the HTTP server on the active controller card, perform the tasks described in Table 10-1.
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section on page 9-6 in Chapter 9, HTTP Redirect Configuration.
Note Hotlining is a WiMAX feature that supports only WiMAX subscribers.
Hotlining does not support IP and GRE header field values in packets.
Table 10-1 Configure the HTTP Server on the Controller Card
# | Task | Root Command | Notes
1 | Enable the HTTP server on the controller card and access HTTP redirect server configuration mode. | http-redirect server | Enter this command in global configuration mode.
2 | Optional. Select the port on which the HTTP server listens. | port | Enter this command in HTTP redirect server configuration mode.
Configure a RADIUS Server Profile
To configure a RADIUS server profile, perform the task described in Table 10-2.
Configure a Policy ACL That Classifies HTTP Packets
To configure a policy access control list (ACL) that classifies HTTP packets for the forward policy that redirects HTTP packets, perform the tasks described in Table 10-3.
Configure a Forward Policy to Redirect HTTP Packets
To configure a forward policy to redirect HTTP packets, perform the tasks described in Table 10-4.
Table 10-2 Configure and Attach an HTTP Redirect Profile to Subscribers
# | Task | Root Command | Notes
1 | Create or select a RADIUS-guided service profile and access service profile configuration mode. | radius service profile | Enter this command in context configuration mode. This profile is the one selected by the value of the WiMAX attribute Hotline-Profile-ID. For more information about RADIUS configuration, see Chapter 21, RADIUS Configuration.
Table 10-3 Configure a Policy ACL That Classifies HTTP Packets
# | Task | Root Command | Notes
1 | Create or select the policy ACL and enter access control list configuration mode. | policy access-list | Enter this command in context configuration mode. For more information about ACLs, see Chapter 12, ACL Configuration.
2 | Assign HTTP packets that are destined to the web server hosting the URL to a separate class. | permit | Enter this command in access control list configuration mode. Use the following construct: permit tcp any host ip-addr eq www class class-name, where the ip-addr argument is the IP address of the web server hosting the URL that you configured in step 2 in Table 10-2.
3 | Assign all other HTTP packets to a different class. | permit | Enter this command in access control list configuration mode. Use the following construct: permit tcp any any eq www class class-name, where the class-name argument is distinct from the one that you configured in step 2.
Table 10-4 Configure and Attach a Forward Policy to Redirect HTTP Packets
# | Task | Root Command | Notes
1 | Create or select the forward policy and access forward policy configuration mode. | forward policy | Enter this command in global configuration mode. For more information about forward policies, see Chapter 14, Forward Policy Configuration.
2 | Apply the policy ACL that you configured in Table 10-3 to the forward policy and access policy ACL configuration mode. | access-group | Enter this command in forward policy configuration mode.
3 | Specify all HTTP packets and access policy ACL class configuration mode. | class | Enter this command in policy ACL configuration mode. Use the class-name argument that you specified in step 3 in Table 10-3.
4 | Redirect HTTP packets to the HTTP server on the controller card. | redirect destination local | Enter this command in policy ACL class configuration mode.
Configure Accounting Server
To configure an accounting server, perform the task described in Table 10-5.
Table 10-5 Configure an Accounting Server
# | Task | Root Command | Notes
1 | Configure the RADIUS accounting server. | radius accounting server | Enter this command in context configuration mode. For more information about RADIUS configuration, see Chapter 21, RADIUS Configuration.
Configuration Examples
The following section includes the following topics:
Hotlining Configuration Example
RADIUS Entry Example
Hotlining Configuration Example
The following example shows an HTTP redirect configuration:
! First enable the HTTP redirect server on the controller card.
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80
[local]Redback(config-hr-server)#exit
! Configure the RADIUS profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius service profile wimax-h1-prof-3
[local]Redback(config-service-profile)#accounting in circuit
[local]Redback(config-service-profile)#accounting out circuit
[local]Redback(config-service-profile)#attribute forward-policy fwd-pol-1
[local]Redback(config-service-profile)#attribute http-redirect-url "http://my-redir-url.funky.com"
[local]Redback(config-hr-profile)#exit
! Configure the ACL policy.
[local]Redback(config-ctx)#policy access-list http-packets-1
! Class PORTAL allows HTTP from any to the redirected web server at 10.1.1.1.
[local]Redback(config-access-list)#permit tcp any host 10.1.1.1 eq www class PORTAL
! Specify that packets that are not part of the PORTAL class get redirected to the local HTTP server.
[local]Redback(config-access-list)#permit tcp any any eq www class REDIRECT
[local]Redback(config-access-list)#permit tcp any any eq www class CATCH-ALL
[local]Redback(config-ctx)#exit
! Create the forward policy.
[local]Redback(config)#forward policy www-redirect-1
! Apply the ACL policy that classifies HTTP packets.
[local]Redback(config-policy-frwd)#access-group http-packets-1 local
! Redirect all REDIRECT class packets to the local HTTP server on the SmartEdge router.
[local]Redback(config-policy-group)#class REDIRECT
[local]Redback(config-policy-group-class)#redirect destination local
[local]Redback(config-policy-group-class)#exit
! Class PORTAL packets destined for the redirected web server typically get routed to the portal.
[local]Redback(config-policy-group)#class PORTAL
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class CATCH-ALL
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-frwd)#exit
! Configure a RADIUS accounting server IP address of 10.3.3.3 with the key, secret, using port 4445 for accounting.
[local]Redback(config-ctx)#radius accounting server 10.3.3.3 key secret port 4445
RADIUS Entry Example
The following RADIUS entry applies the forward policy at hotline activation time by referring to it from
the RADIUS service profile configured on the SmartEdge router.
WiMAX-Hotline-Profile-ID="wimax-hl-prof-3",
WiMAX-Hotline-Indicator="ABCDEF",
WiMAX-Capability ="\002\003\001"
Chapter 11
DNS Configuration
This chapter describes the tasks and commands used to configure SmartEdge
vendor-specific attribute (VSA) 164 instance. All rules in all dynamic policy ACLs are downloaded in a single RADIUS message. You do not apply a dynamic policy ACL to a class-based policy; instead, the SmartEdge OS applies the dynamic policy ACL from the VSA 164 instance. Class-based policies configured with dynamic ACLs are referred to as RADIUS-guided policies. Traditional policy ACLs and class-based policies are referred to as static policy ACLs and static policies, respectively.
Policy ACL Statements
A policy ACL uses permit statements to define how packets are assigned to classes. A packet that does not match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until the end of the policy ACL is reached, at which point the packet is assigned to the default class.
You can use the optional seq seq-num construct with any permit statement to establish a sequence number
for the statement. If you do not use the seq seq-num construct, the system automatically assigns sequence
numbers to the statements that you enter, in increments of 10. The first statement you enter is assigned the
sequence number of 10, the second is assigned the number 20, and so on. This allows room to assign
intermediate sequence numbers to statements that you might want to add later. The assigned sequence
numbers for the various statements are displayed in the output of the show configuration acl, show
configuration policy, and show policy access-list commands.
If manually assigned sequence numbers leave no room for insertion of additional entries in the policy ACL, you can use the resequence policy access-list command (in context configuration mode) to reassign the sequence numbers so they are in increments of 10. The no seq seq-num construct removes an individual statement from the policy ACL.
Policy ACL Packet Filtering
Statement criteria for filtering include all Internet protocols, which can be specified by the protocol numbers established in RFC 1700, Assigned Numbers. A subset of these options can also be specified by keyword. Based on classification, a class-based policy defines the type of action to be performed on the packets in a particular class. All packets that match the criteria can be counted by the statement if you enable the count when you apply a policy ACL. By default, the counting of packets is disabled because this function has an impact on system performance. Redback recommends that you enable counting only when required for diagnostic purposes.
Configuration Tasks
To configure ACLs, perform the tasks described in the following sections:
Configuration Guidelines
Configure an IP ACL
Apply an IP ACL
Enable ACL Counters or Logging for a Subscriber
Modify IP ACL Conditions in Real Time
Configure a Policy ACL
Apply a Policy ACL
Modify Policy ACL Conditions in Real Time
Configuration Guidelines
Guidelines for configuring IP and policy ACLs are described in the following sections:
Static IP and Policy ACL Guidelines
IP ACL Guidelines
Policy ACL Guidelines
Guidelines for RADIUS-Guided Policies
VSA 164 Guidelines for Dynamic Policy ACLs
Static IP and Policy ACL Guidelines
The following guidelines apply to the configuration of static IP and policy ACLs:
The optional construct, seq seq-num, for permit and deny commands, allows you to assign a sequence
number to a particular statement, affecting where it is located within a series of statements in an ACL.
If you do not use this construct, the SmartEdge OS automatically assigns sequence numbers in
increments of 10. The first statement you enter is assigned the sequence number of 10, the second is
assigned the number 20, and so on.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
You cannot modify static IP ACL and policy ACL statements that do not reference time range
conditions in real time unless you modify or remove the statements themselves, because the actions
(permit or deny) and the resulting class names are constant. However, you can modify statements that
reference time-range conditions, because their actions or the resulting class names depend on the
current date and time as defined in the corresponding condition statement.
ACL conditions redefine the rule's action or the rule's class name based on specified date and time ranges. You can configure any combination of up to seven absolute (one specific time interval) or periodic (recurring time interval) statements in an ACL condition. When an IP ACL rule or a policy ACL rule references an ACL condition, the rule's action (permit/deny) or the rule's class name is determined by the action and the class name defined in the condition.
ACL conditions are configured with individual IDs to make them unique. The cond-id argument used
with the condition command must match the condition ID specified in the ACL rule.
An IP or policy ACL can contain multiple entries; the order is significant. Each entry is processed in
the order it appears in the configuration file. As soon as an entry matches, the corresponding action is
taken and no further processing takes place.
IP ACL Guidelines
The following filtering rules apply to IP ACLs:
Each IP ACL has an implicit deny any any statement at the end. If a packet does not match any explicit
filter statement in the list, it is dropped. Unlike the explicit statements in the ACL, this implicit final
statement is not displayed in the output of the show configuration acl or show ip access-list command
(in any mode).
You apply IP ACLs to interfaces, subscriber records, and contexts. Administrative access control is
context-specific. To ensure that all inbound packets are filtered before being delivered to the kernel, you
must apply an IP ACL to each and every configured context.
If you apply an IP ACL to a multibind interface, it does not affect the IP traffic on the subscriber
sessions that are bound to that interface; the ACL is applied only to the IP traffic on circuits that are
statically bound to the interface using the bind interface command (in the circuits configuration
mode).
If a nonexistent IP ACL is applied to an interface, all packets are forwarded with no filtering.
If a nonexistent IP ACL is applied to a subscriber record, the subscriber session will not come up; this
restriction also applies if a nonexistent ACL is applied to a Remote Authentication Dial-In User Service
(RADIUS) attribute.
Policy ACL Guidelines
The following rules apply to static and dynamic policy ACLs:
If a packet does not match any classifying rule, it is considered to belong to the default class.
If a nonexistent policy ACL is applied to a forward policy, NAT policy, a QoS metering policy, or a QoS
policing policy, it is ignored and packets are forwarded according to a policy action with no
classification.
Guidelines for RADIUS-Guided Policies
Configuration guidelines for RADIUS-guided policies include:
You can configure any class-based policy to allow a dynamic policy ACL to govern it. Class-based
policies include forward, NAT, and QoS policies.
Dynamic policy ACLs are not supported for NAT policies in the outgoing direction.
You cannot change the type of a class-based policy from static to RADIUS-guided or from
RADIUS-guided to static; you must delete the policy and recreate it.
You can configure a class-based policy with a static policy ACL in addition to allowing a dynamic
policy ACL, but the static policy ACL takes precedence. That is, the dynamic policy ACL classifies
only those packets that are not already classified by the static policy ACL.
You can apply any combination of static and dynamic policy ACLs to a RADIUS-guided policy.
You cannot apply a dynamic policy ACL to a static class-based policy.
RADIUS-guided policies can be attached only to subscriber profiles (named and default) and records.
You do not attach a RADIUS-guided policy with a dynamic policy ACL; instead, it is attached by the SmartEdge OS.
A RADIUS-guided policy must exist before the SmartEdge OS can apply a dynamic policy ACL to it.
If you add a class to an existing RADIUS-guided policy and that class is governed by a dynamic policy
ACL, then that class is immediately active on all circuits to which the RADIUS-guided policy is
attached. If the class is not included in the dynamic policy ACL, it is dormant until the dynamic policy
ACL is changed to include the class.
If you delete a class from an existing RADIUS-guided policy, the change takes effect immediately on
all circuits to which the policy is attached. If you delete a dormant class, traffic is unaffected.
You can delete all classes from a RADIUS-guided policy that is already attached to subscriber circuits.
You can modify class parameters in a RADIUS-guided policy at any time.
If you delete a RADIUS-guided policy, it is removed from all subscriber circuits to which it was
attached. The subscriber circuits remain up, but the show subscribers command (in any mode) with the
active keyword might not display current information.
VSA 164 Guidelines for Dynamic Policy ACLs
The following guidelines govern the use of Redback VSAs for dynamic policy ACLs:
Dynamic policy ACLs are defined on a RADIUS server and downloaded using one or more instances
of VSA 164.
Each downloaded VSA 164 instance contains one classification rule.
A subscriber profile or record can contain multiple VSA 164 instances.
All VSA 164 instances that have the same service (forward, NAT, or QoS) and the same direction are
considered to be rules of a dynamic policy ACL for that service.
The rules in a dynamic policy ACL are sequenced by the order in which VSA 164 instances appear in
a subscriber record.
Configure an IP ACL
To configure an IP ACL, perform the tasks described in Table 12-1; enter all commands in access control list configuration mode, unless otherwise noted.
Apply an IP ACL
To apply an IP ACL to packets associated with a context, an interface, or a subscriber record, named profile, or default profile, perform the appropriate task described in Table 12-2.
Note For more information about Redback VSAs, see the Redback VSAs section in Appendix A, RADIUS Attributes.
Table 12-1 Configure an IP ACL
# | Task | Root Command | Notes
1 | Create or select an ACL and enter access control list configuration mode. | ip access-list | Enter this command in context configuration mode.
2 | Optional. Associate a description with an IP ACL. | description |
3 | Optional. Create ACL statements using either or both of the following tasks: | |
4 | Create an ACL statement using permit conditions. | permit | There is an implicit deny any any statement at the end of any permit statement.
5 | Create an ACL statement using deny conditions. | deny |
6 | Optional. Create an ACL condition using a unique ID and access ACL condition configuration mode. | condition | Enter the following commands in ACL condition configuration mode.
7 | Optional. Configure absolute time condition statements. | absolute | An absolute time ACL statement redefines an ACL rule's action for only one specific time interval.
8 | Optional. Configure periodic time condition statements. | periodic | A periodic time ACL statement redefines the ACL rule's action for a recurring time interval.
9 | Optional. Resequence statements in an IP ACL. | resequence ip access-list | Enter this command in context configuration mode.
Table 12-2 Apply an IP ACL
Task | Root Command | Notes
Apply an IP ACL to an interface or to a subscriber record, named profile, or default profile. | ip access-group | Enter this command in either interface or subscriber configuration mode.
Apply an IP ACL to a context. | admin-access-group | Enter this command in context configuration mode.
Enable ACL Counters or Logging for a Subscriber
To enable ACL counters or logging for a subscriber through the subscriber record, the default subscriber profile, or a named subscriber profile, perform the task described in Table 12-3.
Modify IP ACL Conditions in Real Time
To modify the action for an IP ACL condition in real time, without requiring the reconfiguration of the ACL condition statements, perform the task described in Table 12-4.
Configure a Policy ACL
To configure a static policy ACL, perform the tasks described in Table 12-5; enter all commands in access control list configuration mode, unless otherwise noted.
Table 12-3 Enable ACL Counters or Logging for a Subscriber
Task | Root Command | Notes
Enable ACL counters or logging for a subscriber record, the default subscriber profile, or a named subscriber profile. | access-list | Enter this command in subscriber configuration mode.
Table 12-4 Modify IP ACL Condition Actions in Real Time
Task | Root Command | Notes
Modify the action for a condition referenced by an IP ACL. | modify ip access-list | Enter this command in exec mode.
Table 12-5 Configure a Policy ACL
# | Task | Root Command | Notes
1 | Create or select a policy ACL and enter access control list configuration mode. | policy access-list | Enter this command in context configuration mode.
2 | Optional. Associate a description with a policy ACL. | description |
3 | Optional. Create policy ACL statements to allow packets that meet the specified criteria. | permit | Enter this command multiple times to specify multiple classes.
4 | Optional. Create a policy ACL condition using a unique ID and access ACL condition configuration mode. | condition | Enter the following commands in ACL condition configuration mode. You can create up to seven conditions in a policy ACL.
5 | Optional. Configure absolute time condition statements. | absolute | An absolute time ACL condition statement applies an ACL rule for only one specific time interval.
6 | Optional. Configure periodic time condition statements. | periodic | A periodic time ACL statement applies an ACL rule for a recurring time interval.
7 | Optional. Resequence statements in a policy ACL. | resequence policy access-list | Enter this command in context configuration mode.
Apply a Policy ACL
To apply a policy ACL to packets associated with a forward policy, a NAT policy, or a QoS metering or policing policy, and complete the configuration of the policy, perform the tasks described in Chapter 13, Forward Policy Configuration, Chapter 12, NAT Policy Configuration, and Chapter 15, QoS Rate- and Class-Limiting Configuration, respectively.
Modify Policy ACL Conditions in Real Time
To modify the class name for a policy ACL condition in real time, without requiring the reconfiguration of the ACL condition statements, perform the task described in Table 12-6.
Table 12-6 Modify Policy ACL Condition Actions in Real Time
Task | Root Command | Notes
Modify the action for a class name referenced by a policy ACL. | modify policy access-list | Enter this command in exec mode.
Configuration Examples
This section provides ACL configuration examples as described in the following subsections:
Configure an ACL Statement
Add an ACL Statement
Resequence ACL Statements
Configure an Absolute Time Condition Statement
Configure a Periodic Time Condition Statement
Configure an IP ACL
Configure a Policy ACL Associated with a Forward Policy
Configure a Policy ACL Associated with a NAT Policy
Configure a Policy ACL Associated with a QoS Policing Policy
Configure an ACL Statement
The following example configures a policy ACL to prioritize web and voice-over-IP (VoIP) traffic:
[local]Redback(config-ctx)#policy access-list QoSACL-1
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
The following example uses a policy ACL to define classes of traffic to be mirrored:
[local]Redback(config-ctx)#policy access-list PBR_ACL
[local]Redback(config-access-list)#seq 10 permit tcp any eq www any class WEB
[local]Redback(config-access-list)#seq 20 permit tcp any any eq www class WEB
[local]Redback(config-access-list)#seq 30 permit udp any class UDP
[local]Redback(config-access-list)#seq 40 permit ip any class IP
The following example specifies that all IP traffic to destination host 10.25.1.1 is to be denied, and all other traffic on subnet 10.25.1/24 is to be permitted:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#deny ip any host 10.25.1.1
[local]Redback(config-access-list)#permit ip any 10.25.1.0 0.0.0.255
Add an ACL Statement
The following example shows how to use the seq keyword to modify the existing tc1 ACL, adding a statement between the statements with sequence numbers 20 and 30:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip access-list tc1
[local]Redback(config-access-list)#seq 25 deny tcp 10.10.10.4 0.0.0.0 any eq 80
The output of the show configuration acl command now includes the new statement, with sequence number 25:
!
ip access-list tc1
description This is a sample access control list
seq 10 deny ip host 10.10.10.2 host 10.10.20.2
seq 20 deny tcp host 10.10.10.3 any eq www
seq 25 deny tcp host 10.10.10.4 any eq www
seq 30 deny udp host 10.10.10.3 any
seq 40 deny ip host 10.10.10.4 any
seq 50 deny ip host 10.10.10.5 any
seq 60 permit ip any any
Resequence ACL Statements
The following example displays the current sequencing of an IP ACL:
[local]Redback#show configuration acl
Building configuration...
!
ip access-list tc1
description This is a sample access control list
seq 10 deny ip host 10.10.10.2 host 10.10.20.2
seq 20 deny tcp host 10.10.10.5 any eq telnet
seq 25 deny tcp host 10.10.10.4 any eq www
seq 30 deny udp host 10.10.10.3 any
seq 50 deny ip host 10.10.10.5 any
seq 60 permit ip any any
The following example resequences the statements in the IP ACL to increments of 10 and displays the new
sequence of statements:
[local]Redback(config)#context local
[local]Redback(config-ctx)#resequence ip access-list tc1
[local]Redback#show configuration
Building configuration...
Current configuration:
context local
 ip access-list tc1
  description This is a sample access control list
  seq 10 deny ip host 10.10.10.2 host 10.10.20.2
  seq 20 deny tcp host 10.10.10.5 any eq telnet
  seq 30 deny tcp host 10.10.10.4 any eq www
  seq 40 deny udp host 10.10.10.3 any
  seq 50 deny ip host 10.10.10.5 any
  seq 60 permit ip any any
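The sequence-number handling behind the two examples above (inserting with seq and renumbering with resequence) is easy to get wrong when scripting ACL changes, so here it is as an added Python model. This is example code written for this page, not SmartEdge OS software; the Acl class, its method names and the rule that an existing statement with the same sequence number is replaced are assumptions for the model.

```python
"""Sequence-numbered ACL editing, modelling the seq insert and resequence
operations shown above (added example, not SmartEdge OS code).  Statements
are kept sorted by sequence number, 'seq N' inserts at that position, and
resequence renumbers in increments of 10 starting at 10."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    name: str
    description: str = ""
    # (sequence number, statement text), always kept sorted by sequence
    statements: list = field(default_factory=list)

    def add(self, text: str, seq: Optional[int] = None) -> int:
        """Add a statement.  Without seq, append 10 past the highest number
        (which is how the guide's examples end up at 10, 20, 30, ...).  With
        seq, insert at that position; an existing statement carrying the same
        number is replaced (assumption for this model)."""
        if seq is None:
            seq = (self.statements[-1][0] + 10) if self.statements else 10
        if not 1 <= seq <= 4_294_967_295:
            raise ValueError("seq out of range 1..4294967295")
        self.statements = [s for s in self.statements if s[0] != seq]
        self.statements.append((seq, text))
        self.statements.sort(key=lambda s: s[0])
        return seq

    def remove(self, seq: int) -> None:
        """'no seq N' deletes the statement with that sequence number."""
        self.statements = [s for s in self.statements if s[0] != seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Renumber every statement, preserving relative order."""
        self.statements = [
            (start + i * step, text) for i, (_, text) in enumerate(self.statements)
        ]

    def show(self) -> str:
        """Render in the layout of 'show configuration acl'."""
        lines = [f"ip access-list {self.name}"]
        if self.description:
            lines.append(f" description {self.description}")
        lines += [f" seq {seq} {text}" for seq, text in self.statements]
        return "\n".join(lines)


def demo() -> Acl:
    """Rebuild the tc1 walk-through: six statements, insert seq 25, delete
    seq 40, then resequence back to increments of 10."""
    acl = Acl("tc1", "This is a sample access control list")
    acl.add("deny ip host 10.10.10.2 host 10.10.20.2")        # seq 10
    acl.add("deny tcp host 10.10.10.3 any eq www")            # seq 20
    acl.add("deny udp host 10.10.10.3 any")                   # seq 30
    acl.add("deny ip host 10.10.10.4 any")                    # seq 40
    acl.add("deny ip host 10.10.10.5 any")                    # seq 50
    acl.add("permit ip any any")                              # seq 60
    acl.add("deny tcp host 10.10.10.4 any eq www", seq=25)    # between 20 and 30
    acl.remove(40)
    acl.resequence()                                          # 10, 20, ..., 60 again
    return acl


if __name__ == "__main__":
    print(demo().show())
```

The point to notice is that resequence only closes the gaps; relative order, and therefore first-match behaviour, is unchanged, which is why the guide shows it as a safe tidy-up step after inserts and deletes.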
Configure an Absolute Time Condition Statement
The following example creates an absolute time ACL condition statement for ACL condition 342, which
is defined in the IP ACL, ip-acl-1. The absolute time ACL condition applies a deny action to all IP
ACL statements that reference the ACL condition for the time interval beginning on December 15, 2003 at
9:00 p.m. (21:00) and ending on the same day at 11:00 p.m. (23:00):
[local]Redback(config-ctx)#ip access-list ip-acl-1
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end 2003:12:15:23:00 deny
Configure a Periodic Time Condition Statement
The following example creates a periodic ACL condition statement for the ACL condition 101, which is
referenced by the IP ACL, ip-acl-2, such that all packets traveling between 9 a.m. and 5 p.m. (9:00 to
17:00 in 24-hour format) on weekdays are permitted:
[local]Redback(config-ctx)#ip access-list ip-acl-2
[local]Redback(config-access-list)#condition 101 time-range
[local]Redback(config-acl-condition)#periodic weekdays 9:00 to 17:00 permit
The following example creates a periodic ACL condition statement for the ACL condition 342, which is
referenced by the policy ACL policy_acl_1, such that all packets traveling every weekday (Monday to
Friday) from 9:00 p.m. to 11:00 p.m. (9:00 to 23:00 in 24-hour format) are permitted:
[local]Redback(config-ctx)#policy access-list policy_acl_1
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#periodic weekdays 21:00 to 23:00 permit
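The absolute and periodic condition statements in the examples above decide, for a given clock time, whether the referencing ACL statement's action is in force. The following added Python model (not SmartEdge OS code) rebuilds the three conditions configured above and evaluates them. The day keywords other than weekdays, the behaviour of a periodic span that crosses midnight, and the convention that no active window yields None are assumptions of this model.

```python
"""Time-range ACL conditions, an added Python model of the absolute and
periodic condition statements shown above (not SmartEdge OS code).  An ACL
condition holds up to seven statements; each is either an absolute window
(start/end stamps in yyyy:mm:dd:hh:mm[:ss]) or a periodic window (day set
plus an hh:mm to hh:mm span), carrying permit/deny or a class name."""

from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Union

# 'weekdays' is the keyword the guide uses; the other names are assumed
# convenience keywords for this model, mapped onto datetime.weekday().
DAY_SETS = {
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def parse_stamp(stamp: str) -> datetime:
    """Parse yyyy:mm:dd:hh:mm with an optional :ss field.  Note that the
    guide allows ss=60 (leap second); datetime cannot represent that."""
    parts = [int(p) for p in stamp.split(":")]
    if len(parts) not in (5, 6):
        raise ValueError(f"bad timestamp {stamp!r}")
    return datetime(*parts)


def hhmm(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


@dataclass
class Absolute:
    start: datetime
    end: datetime
    action: str                 # "permit", "deny" or a class name

    def active(self, when: datetime) -> bool:
        return self.start <= when <= self.end


@dataclass
class Periodic:
    days: str                   # key into DAY_SETS
    start: time
    end: time
    action: str

    def active(self, when: datetime) -> bool:
        if when.weekday() not in DAY_SETS[self.days]:
            return False
        now = when.time()
        if self.start <= self.end:                   # same-day span, e.g. 9:00 to 17:00
            return self.start <= now <= self.end
        return now >= self.start or now <= self.end  # span crossing midnight (assumed)


@dataclass
class Condition:
    cond_id: str
    statements: List[Union[Absolute, Periodic]]

    def __post_init__(self) -> None:
        if len(self.statements) > 7:
            raise ValueError("an ACL condition holds at most seven statements")

    def evaluate(self, when: datetime) -> Optional[str]:
        """Action (or class name) of the first statement whose window
        contains 'when'; None when no window is active, in which case the
        referencing ACL statement is simply not in force (model assumption)."""
        for stmt in self.statements:
            if stmt.active(when):
                return stmt.action
        return None


# The three conditions from the examples above, rebuilt for this model.
COND_342_IP = Condition("342", [Absolute(parse_stamp("2003:12:15:21:00"),
                                         parse_stamp("2003:12:15:23:00"), "deny")])
COND_101 = Condition("101", [Periodic("weekdays", hhmm("9:00"), hhmm("17:00"), "permit")])
COND_342_POLICY = Condition("342", [Periodic("weekdays", hhmm("21:00"), hhmm("23:00"), "permit")])
```

December 15, 2003 was a Monday, so both weekday conditions are active on that date; moving the same clock time to Saturday, December 13 makes the periodic conditions return None while the absolute condition is unaffected.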
Configure an IP ACL
The following example creates an IP ACL, tc1, and applies the list to an interface, oc1:
[local]Redback(config-ctx)#ip access-list tc1
[local]Redback(config-access-list)#description This is a sample access control list
[local]Redback(config-access-list)#deny ip 10.10.10.2 0.0.0.0 10.10.20.2 0.0.0.0
[local]Redback(config-access-list)#deny tcp 10.10.10.3 0.0.0.0 any eq 80
[local]Redback(config-access-list)#deny udp 10.10.10.3 0.0.0.0 any
[local]Redback(config-access-list)#deny ip 10.10.10.4 0.0.0.0 any
[local]Redback(config-access-list)#deny ip 10.10.10.5 0.0.0.0 any
[local]Redback(config-access-list)#permit ip any any
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#interface oc1
[local]Redback(config-if)#ip access-group tc1 in log
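To see what the tc1 list above actually does to a packet, here is an added Python model (not SmartEdge OS code) that parses the statements in the syntax used on this page and evaluates them first-match, including the src src-wildcard, host and any address forms and the eq/range port conditions described under the deny command. The parser names, the decision to model destination ports only, and the implicit deny at the end of an interface ACL (the guide states it for administrative access groups) are assumptions of this model.

```python
"""First-match evaluation of an IP ACL such as tc1 above (added Python
model, not SmartEdge OS code).  Implements the src src-wildcard, host and
any address forms and the eq/range port conditions from the deny/permit
syntax, and models 'ip access-group tc1 in log' by recording every denied
packet.  Only destination ports are modelled (assumption)."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "smtp": 25, "domain": 53}
AddrSpec = Tuple[int, int]   # (address, wildcard) as 32-bit integers


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """Zero bits in the wildcard must match; one bits are ignored."""
    a, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (a | wild)


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: AddrSpec
    dst: AddrSpec
    port_cond: Optional[Tuple[int, int]] = None   # inclusive (low, high) port range

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, self.src) and wildcard_match(pkt.dst, self.dst)):
            return False
        if self.port_cond is not None:
            lo, hi = self.port_cond
            return pkt.dport is not None and lo <= pkt.dport <= hi
        return True


def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A' or 'A W' from tokens t starting at index i."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'deny tcp 10.10.10.3 0.0.0.0 any eq 80' (without a seq prefix)."""
    t = text.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    cond = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        cond = (port, port)
    elif i < len(t) and t[i] == "range":
        cond = (int(t[i + 1]), int(t[i + 2]))
    return Rule(t[0], t[1], src, dst, cond)


@dataclass
class IpAcl:
    rules: List[Rule]
    log: List[Packet] = field(default_factory=list)   # denied packets, as 'log' records

    def evaluate(self, pkt: Packet) -> str:
        """The first matching statement decides; with no match the implicit
        deny at the end of the list applies (assumed for interface ACLs)."""
        action = next((r.action for r in self.rules if r.matches(pkt)), "deny")
        if action == "deny":
            self.log.append(pkt)
        return action


# The tc1 statements from the example above
TC1 = IpAcl([parse_rule(s) for s in [
    "deny ip 10.10.10.2 0.0.0.0 10.10.20.2 0.0.0.0",
    "deny tcp 10.10.10.3 0.0.0.0 any eq 80",
    "deny udp 10.10.10.3 0.0.0.0 any",
    "deny ip 10.10.10.4 0.0.0.0 any",
    "deny ip 10.10.10.5 0.0.0.0 any",
    "permit ip any any",
]])
```

Running TC1.evaluate on a TCP packet from 10.10.10.3 shows why statement order matters: port 80 is denied by the second statement, while port 443 from the same host falls through to permit ip any any.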
Configure a Policy ACL Associated with a Forward Policy
The policy ACL and forward policy configuration is as follows:
[local]Redback(config-ctx)#policy access-list PBR_Drop_ACL
[local]Redback(config-access-list)#seq 10 permit icmp host 51.1.1.2 class ICMP
[local]Redback(config-access-list)#seq 20 permit pim any class PIM
[local]Redback(config-access-list)#exit
[local]Redback(config-access-list)#exit
[local]Redback(config)#forward policy DropPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Drop_ACL local
[local]Redback(config-policy-group)#class ICMP
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class PIM
[local]Redback(config-policy-group-class)#drop
The following configuration applies the forward policy to the incoming_traffic interface:
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface incoming_traffic local
[local]Redback(config-port)#forward policy DropPolicy in
[local]Redback(config-port)#exit
Configure a Policy ACL Associated with a NAT Policy
The following example creates a policy ACL and applies it to a NAT policy with dynamic translations in
which all packets except those classified as CLASS3 are ignored (that is, the NAT policy is not applied to
them). All source IP addresses for incoming packets classified as CLASS3 are translated using IP addresses
from the pool_dyn pool:
! Create the NAT pool
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 11.11.11.0/24
[local]Redback(config-nat-pool)#exit
! Create the policy ACL
[local]Redback(config-ctx)#policy access-list NAT-ACL
[local]Redback(config-access-list)#seq 10 permit ip 10.10.10.0 0.0.0.255 class CLASS3
[local]Redback(config-access-list)#exit
! Create the NAT policy and apply the policy ACL
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-nat-pool)#ignore
[local]Redback(config-nat-pool)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn local
Configure a Policy ACL Associated with a QoS Policing Policy
The following example applies the conditions set by the ACL qos created for any circuit to which the QoS
policing policy, class, is attached. Packets are classified into three classes: web, voice over IP (VOIP),
and default:
[local]Redback(config-ctx)#policy access-list qos
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy class policing
[local]Redback(config-policy-policing)#access-group qos local
[local]Redback(config-policy-group)#class web
[local]Redback(config-policy-group-class)#rate 5000 burst 1000
[local]Redback(config-policy-class-rate)#conform mark dscp AF11
[local]Redback(config-policy-class-rate)#exit
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp ef
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark dscp df
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#bind interface eth1 local
[local]Redback(config-port)#qos policy policing class
Web traffic that conforms to the traffic rate of 5000 kbps is marked with a Differentiated Services Code
Point (DSCP) value of AF11. Web traffic exceeding that rate is dropped by default. Packets classified as
VOIP are prioritized over both web and default traffic through the DSCP setting of ef, or expedited
forwarding. Packets classified as default are set to the DSCP value of df, or default.
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ACLs. The
commands are presented in alphabetical order:
absolute
access-group
access-list
admin-access-group
class
condition
deny
description
ip access-group
ip access-list
modify ip access-list
modify policy access-list
periodic
permit
policy access-list
resequence ip access-list
resequence policy access-list
absolute
absolute start yyyy:mm:dd:hh:mm end yyyy:mm:dd:hh:mm [:ss] {{permit | deny} | class class-name}
no absolute start yyyy:mm:dd:hh:mm end yyyy:mm:dd:hh:mm
Purpose
Creates an absolute time access control list (ACL) condition statement.
Command Mode
ACL condition configuration
Syntax Description
start yyyy:mm:dd:hh:mm [:ss] Date and time to start the ACL condition. Arguments are defined as
follows:
yyyy: Year.
mm: Month. The range of values is 1 to 12.
dd: Day. The range of values is 1 to 31.
hh: Hour in 24-hour format. The range of values is 0 to 23.
mm: Minutes. The range of values is 0 to 59.
ss: Seconds. Optional. The range of values is 0 to 60.
end yyyy:mm:dd:hh:mm [:ss] Date and time to stop the ACL condition. Arguments are defined as
follows:
yyyy: Year.
mm: Month. The range of values is 1 to 12.
dd: Day. The range of values is 1 to 31.
hh: Hour in 24-hour format. The range of values is 0 to 23.
mm: Minutes. The range of values is 0 to 59.
ss: Seconds. Optional. The range of values is 0 to 60.
permit Applies a permit action to packets processed during the specified
time range.
deny Applies a deny action to packets processed during the specified time
range. Used only with IP ACLs.
class class-name Name of the class assigned to policy ACL statements that reference
the ACL condition. Used only with policy ACLs.
Default
No ACL condition statements are configured.
Usage Guidelines
Use the absolute command to create an absolute time ACL condition statement that, when referenced in
an IP ACL statement, permits or denies packets, based on specific date and time ranges. Use this command
to create an absolute time ACL conditional statement that, when referenced in a policy ACL statement,
assigns a class name to packets.
Use the no form of this command to delete the absolute time ACL condition statement.
Examples
The following example creates an absolute time ACL condition statement for the ACL condition 500,
which is referenced in the policy ACL, policy-acl-forward. The absolute time ACL condition applies
the Bar003 class name to all policy ACL statements that reference the ACL condition during the time
interval beginning on December 15, 2003 at 9:00 p.m. (21:00) and ending on the same day at 11:00 p.m.
(23:00):
[local]Redback(config-ctx)#policy access-list policy-acl-forward
[local]Redback(config-access-list)#condition 500 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end 2003:12:15:23:00 class Bar003
Related Commands
condition
deny
ip access-list
periodic
permit
policy access-list
access-group
access-group [acl-name] [ctx-name]
no access-group [acl-name] [ctx-name]
Purpose
Applies a policy access control list (ACL) to a class-based policy (forward policy, Network Address
Translation [NAT] policy, or quality of service [QoS] policy) and enters policy group configuration mode.
Command Mode
forward policy configuration
metering policy configuration
NAT policy configuration
policing policy configuration
Syntax Description
acl-name Optional. Name of the policy ACL created using the policy access-list command (in
context configuration mode); required to apply or remove a static policy ACL.
ctx-name Optional. Name of the context in which the policy ACL was created; required to apply
or remove a static policy ACL to or from a forward or QoS policy. For a NAT policy,
the context defaults to the context of the NAT policy.
Default
None
Usage Guidelines
Use the access-group command to apply a policy ACL to a class-based policy (forward policy, NAT policy,
or QoS policy) and enter policy group configuration mode.
If the class-based policy is Remote Authentication Dial-In User Service (RADIUS)-guided, the policy ACL
can be dynamic or static:
A dynamic policy ACL is one that the SmartEdge OS applies to the class-based policy using the rules
specified in an instance of vendor-specific attribute (VSA) 164 that has been downloaded from the
RADIUS server. In this case, use this command without specifying the name of the policy ACL.
A static policy ACL is one that you apply to the class-based policy. In this case, you must specify the
name of the policy ACL.
If you include the acl-name argument, you must also include the ctx-name argument when you apply a
static policy ACL to a forward policy or QoS policy. For a NAT policy, you need only enter the acl-name
argument; the context defaults to the context of the NAT policy.
You can apply a dynamic policy ACL in addition to a static policy ACL. However, the static policy ACL
takes precedence over the dynamic policy ACL.
Use the no form of this command to remove a static policy ACL from a specified policy.
To remove a policy ACL from a RADIUS-guided policy, you must delete the RADIUS-guided policy and
then recreate it.
Examples
The following example applies the myacl policy ACL to the GE-in QoS policing policy. The myacl ACL
has one class, voip, and packets in this class are marked with the Differentiated Service Code Point
(DSCP) code af13:
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl local
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp af13
The following example applies the forward policy, RedirectPolicy, as specified by the rules in the
policy ACL PBR_Redirect_ACL. The PBR_Redirect_ACL access group has one class, Web, and
packets in this class are redirected to the next hop in the route at IP address 100.1.1.0:
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Redirect_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#redirect destination next-hop 100.1.1.0
Note The names of the IP and policy ACLs in the output of the show access-group command (in
any mode) include a prefix: ADF for dynamic IP ACLs and DPF for dynamic policy
ACLs.
Related Commands
class
conform mark dscp
policy access-list
access-list
access-list {count counter-type | log ip}
no access-list {count counter-type | log ip}
Purpose
Enables access control list (ACL) counters or logging for the default subscriber profile, this named
subscriber profile, or this named subscriber record.
Command Mode
subscriber configuration
Syntax Description
count counter-type ACL counter type, according to one of the following keywords:
ip: Specifies IP ACL counters.
policy: Specifies policy ACL counters.
log ip Enables logging of dropped packets for IP ACLs.
Default
ACL counters are not enabled for any subscriber records or profiles.
Usage Guidelines
Use the access-list command to enable ACL counters or logging for the default subscriber profile, this
named subscriber profile, or this named subscriber record.
Use the no form of this command to disable ACL counters for the default subscriber profile, this named
subscriber profile, or this named subscriber record.
Examples
The following example enables ACL IP counters for the default subscriber profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-list count ip
Related Commands
None
admin-access-group
admin-access-group acl-name1 acl-name2 acl-name3... in [count] [log]
no admin-access-group {"" | acl-name1 acl-name2 acl-name3...} in [count] [log]
Purpose
Applies access control to all inbound packets delivered to the kernel, regardless of the interface through
which packets are received.
Command Mode
context configuration
Syntax Description
acl-name Name of the IP ACL being applied. You can configure up to ten
ACL names in one administrative access group list. You must
enclose multiple ACL names in quotation marks and separate
ACL names with one or more spaces.
Each IP ACL name can be up to 39 alphanumeric characters
long. However, ensure that the total number of characters for all
ACL names referenced in the access group does not exceed 255.
If you want to use ten ACLs, create names that are 24 or fewer
characters long. A colon (:) is not allowed in ACL names.
in Specifies that the IP ACL is to be applied to incoming packets.
count Optional. Enables ACL packet counting.
log Optional. Enables ACL packet logging.
Default
No administrative access control is applied.
Usage Guidelines
Use the admin-access-group command to apply access control to all inbound packets delivered to the
kernel, regardless of the interface through which packets are received. This is referred to as administrative
access control and is used with IP ACLs only.
Caution Risk of security breach. Administrative access control is context-specific. To ensure that all
inbound packets are filtered before being delivered to the kernel, you must apply an
administrative ACL to each and every context that is configured.
If you configure multiple ACLs in an IP access group, the SmartEdge OS applies the ACLs in the order
they appear within the access group to produce a specific filtering behavior. The SmartEdge OS appends
an implicit deny ip any any rule after all configured rules are applied.
When you use the count keyword, the system keeps track of the number of packet matches that occur.
When you use the log keyword, the system keeps track of the number of packets that were denied as a result
of the ACL. Count and log information is displayed in the output of the show access-group command.
Caution Risk of system performance impact. By default, counting and logging of packets is disabled
because these functions have an impact on system performance. To reduce the risk, we
recommend that you only enable logging or counting when required for diagnostic purposes.
Use the no form of this command to remove the application of an ACL to traffic inbound to the kernel.
Enter empty quotation marks ("") to remove all associated ACL names. If you want to delete one or more
(but not all) ACLs, enter their names in quotation marks.
Examples
The following example applies the test_2 and filter_3 ACLs to inbound traffic for the local
context:
[local]Redback(config-ctx)#admin-access-group test_2 filter_3 in count log
The following example removes all ACLs from the administrative access group for the local context:
[local]Redback(config-ctx)#no admin-access-group in count log
The following example removes the ACL ktraffic from the administrative access group for the local
context:
[local]Redback(config-ctx)#no admin-access-group ktraffic in
Related Commands
ip access-group
ip access-list
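The usage guidelines above make three points that are worth seeing in executable form: the ACLs named in an administrative access group are applied in the order listed, an implicit deny ip any any follows all of them, and the count and log keywords record matches and denials respectively. The following is an added Python model (not SmartEdge OS code). Statements are represented as (action, predicate) pairs rather than parsed syntax so the example stays independent of the ACL grammar; first-match-wins across the concatenated lists is assumed from the ordering the guide describes, and the ACL names test_2 and filter_3 carry constructed contents.

```python
"""Administrative access group evaluation, an added Python model (not
SmartEdge OS code) of the admin-access-group usage guidelines: several IP
ACLs applied in the order listed, an implicit 'deny ip any any' after all
of them, and the count and log keywords.  First match wins across the
concatenated statements (assumed from the ordering the guide describes)."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, Callable[[dict], bool]]   # ("permit" | "deny", predicate on a packet dict)


@dataclass
class AdminAccessGroup:
    acls: Dict[str, List[Rule]]          # ACL name -> ordered statements
    order: List[str]                     # names in the order given to admin-access-group
    count: bool = False
    log: bool = False
    matches: Dict[str, int] = field(default_factory=dict)   # "acl:index" -> hit count
    denied_log: List[dict] = field(default_factory=list)    # packets denied (log keyword)

    def __post_init__(self) -> None:
        if len(self.order) > 10:
            raise ValueError("at most ten ACL names in an administrative access group")
        unknown = [n for n in self.order if n not in self.acls]
        if unknown:
            raise ValueError(f"unknown ACL(s): {unknown}")

    def evaluate(self, pkt: dict) -> str:
        """Walk the ACLs in access-group order; the first matching statement
        decides.  Only when nothing matches does the implicit deny apply."""
        for name in self.order:
            for idx, (action, pred) in enumerate(self.acls[name]):
                if pred(pkt):
                    if self.count:
                        key = f"{name}:{idx}"
                        self.matches[key] = self.matches.get(key, 0) + 1
                    if action == "deny" and self.log:
                        self.denied_log.append(pkt)
                    return action
        if self.log:
            self.denied_log.append(pkt)
        return "deny"                    # implicit deny ip any any after all configured rules

    def remove(self, names: List[str]) -> None:
        """'no admin-access-group "a b" in' removes the named ACLs; an empty
        list stands for the empty quotation marks that remove all of them."""
        self.order = [] if not names else [n for n in self.order if n not in names]


# Constructed ACL contents for this example: test_2 admits SSH from a
# management subnet, filter_3 blocks everything from one host in it.
def mgmt_ssh(p: dict) -> bool:
    return p["proto"] == "tcp" and p["src"].startswith("10.1.1.") and p["dport"] == 22


def bad_host(p: dict) -> bool:
    return p["src"] == "10.1.1.99"


ACLS = {"test_2": [("permit", mgmt_ssh)], "filter_3": [("deny", bad_host)]}


def build(order: List[str]) -> AdminAccessGroup:
    """An access group with both count and log enabled, in the given order."""
    return AdminAccessGroup(ACLS, order, count=True, log=True)
```

Evaluating SSH from 10.1.1.99 against build(["test_2", "filter_3"]) permits it, because test_2 matches first; build(["filter_3", "test_2"]) denies the same packet. That is exactly the "specific filtering behavior" the ordering sentence refers to, and it is why a deny-list ACL is normally named before the permit-list ACL in an administrative access group.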
class
class class-name
no class class-name
Purpose
Creates a class in a class-based policy and accesses policy group class configuration mode.
Command Mode
policy group configuration
Syntax Description
class-name Class name for a class of traffic packets to which the policy applies an action.
Default
None
Usage Guidelines
Use the class command to create a class in a class-based policy and access policy group class configuration
mode. This command allows a forward policy, a Network Address Translation (NAT) policy, or a quality
of service (QoS) policy to apply a different action to different sets (classes) of packets that are defined in
the applied policy access control list (ACL).
If the class-name argument matches a class-name argument in a rule in the policy ACL, the class-based
policy processes packets of that type as specified by the class-based policy. If a rule for the class-name
argument is not specified in the policy ACL, the class-based policy considers the class to be dormant and
takes no action. If a rule for the class-name argument is specified in the ACL, but you do not include the
class in the policy (using this command), the SmartEdge OS considers those packets to be in the default
class.
Use the no form of this command to delete the specified class.
Examples
The following example applies the QoSACL-1 policy ACL to a QoS policing policy that prioritizes
incoming packets in the Web class using a Differentiated Service Code Point (DSCP) value of DF. For the
VOIP class, incoming traffic packets are prioritized with a DSCP value of AF11:
[local]Redback(config-policy-policing)#access-group QoSACL-1 local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#rate 6000 burst 3000
[local]Redback(config-policy-class-rate)#exceed mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark dscp AF11
The following example applies the PBR_ACL policy ACL to the MirrorPolicy forward policy, which
mirrors all traffic packets in the Web class to the mirror output destination, WebTraffic:
[local]Redback(config)#forward policy MirrorPolicy
[local]Redback(config-policy-frwd)#access-group PBR_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#mirror destination WebTraffic all
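The usage guidelines for class describe two mismatch cases between a policy ACL and the policy that applies it: a class configured in the policy with no ACL rule is dormant, and packets the ACL tags with a class the policy does not configure fall into the default class. The following added Python model (not SmartEdge OS code) rebuilds the DropPolicy example from the Configuration Examples section and exercises both cases; the Web statement, the Voice class, the match predicates standing in for the ACL criteria, and the "no-action" result for an unclassified packet are constructed assumptions of this model.

```python
"""Class-based policy dispatch, an added Python model of how a policy ACL
and a forward/NAT/QoS policy fit together (not SmartEdge OS code).  A
policy ACL statement tags matching packets with a class name; the policy
applies the action configured for that class.  A class configured in the
policy but referenced by no ACL statement is dormant; packets tagged with a
class the policy does not configure go to the policy's default class."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    proto: str
    src: str
    dport: Optional[int] = None


@dataclass
class PolicyAclStatement:
    """One 'permit ... class NAME' statement; the predicate stands in for the
    protocol/address criteria so the example stays short."""
    match: Callable[[Packet], bool]
    class_name: str


@dataclass
class PolicyAcl:
    statements: List[PolicyAclStatement]

    def classify(self, pkt: Packet) -> Optional[str]:
        for stmt in self.statements:
            if stmt.match(pkt):
                return stmt.class_name
        return None    # no statement matched: the ACL has no rule for this packet


@dataclass
class ClassBasedPolicy:
    """A forward, NAT or QoS policy holding one action per configured class."""
    name: str
    acl: PolicyAcl
    actions: Dict[str, str] = field(default_factory=dict)

    def add_class(self, class_name: str, action: str) -> None:
        self.actions[class_name] = action

    def dormant_classes(self) -> List[str]:
        """Classes configured in the policy that no ACL statement assigns."""
        referenced = {s.class_name for s in self.acl.statements}
        return sorted(c for c in self.actions if c not in referenced)

    def apply(self, pkt: Packet) -> str:
        cls = self.acl.classify(pkt)
        if cls is None:
            return "no-action"          # unclassified packet (assumption: left alone)
        if cls in self.actions:
            return self.actions[cls]
        # The ACL tags the packet with a class the policy does not configure,
        # so the packet is treated as a member of the default class.
        return self.actions.get("default", "no-action")


# Rebuilt from the DropPolicy example, plus a constructed Web statement and
# a constructed Voice class that exist only to exercise the two mismatch cases.
PBR_DROP_ACL = PolicyAcl([
    PolicyAclStatement(lambda p: p.proto == "icmp" and p.src == "51.1.1.2", "ICMP"),
    PolicyAclStatement(lambda p: p.proto == "pim", "PIM"),
    PolicyAclStatement(lambda p: p.proto == "tcp" and p.dport == 80, "Web"),
])

DROP_POLICY = ClassBasedPolicy("DropPolicy", PBR_DROP_ACL)
DROP_POLICY.add_class("ICMP", "drop")
DROP_POLICY.add_class("PIM", "drop")
DROP_POLICY.add_class("Voice", "drop")   # dormant: no ACL statement assigns Voice
```

With this model, DROP_POLICY.dormant_classes() reports Voice, and a TCP port 80 packet is classified as Web but receives whatever the default class is configured to do; adding a default class with add_class("default", ...) changes that result without touching the ACL, which is the behaviour the guidelines describe.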
Related Commands
access-group
permit
policy access-list
condition
condition cond-id time-range
no condition cond-id
Purpose
Creates an access control list (ACL) condition and enters ACL condition configuration mode.
Command Mode
access control list configuration
Syntax Description
cond-id Condition ID in integer or IP address format. The ID range of values is 1 to
4294967295.
time-range Specifies a time range condition type.
Default
None
Usage Guidelines
Use the condition command to create an ACL condition, and to enter ACL condition configuration mode.
An ACL condition consists of up to seven ACL condition statements (using any combination of the
absolute and periodic commands in ACL condition configuration mode). When an ACL statement
references an ACL condition, the ACL condition statements apply those time-dependent rules to the
referencing IP ACL or policy ACL statement.
Use the no form of this command to delete an ACL condition.
Examples
The following example creates the time range condition identified as 342 for the IP ACL, protect, and
enters ACL condition configuration mode:
[local]Redback(config-ctx)#ip access-list protect
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#
The following example creates the time range condition identified as 10.1.2.3 for the policy ACL,
control, and enters ACL condition configuration mode:
[local]Redback(config-ctx)#policy access-list control
[local]Redback(config-access-list)#condition 10.1.2.3 time-range
[local]Redback(config-acl-condition)#
Related Commands
absolute
ip access-list
periodic
policy access-list
deny
[seq seq-num] deny [protocol] {src src-wildcard | any | host src} [cond port | range port end-port]
[dest dest-wildcard | any | host dest] [cond port | range port end-port] [length {cond length |
range length end-length}] [icmp-type icmp-type [icmp-code icmp-code]] [igmp-type igmp-type]
[dscp eq dscp-value] [established] [precedence prec-value] [tos tos-value] [condition cond-id]
no seq seq-num
Purpose
Creates an IP access control list (ACL) statement that denies packets that meet the specified criteria.
Command Mode
access control list configuration
Syntax Description
seq seq-num Optional. Sequence number for the statement. The range of values is 1 to
4,294,967,295.
protocol Optional. Number indicating a protocol as specified in RFC 1700, Assigned
Numbers. The range of values is 0 to 255 or one of the keywords listed in
Table 12-7.
src Source address to be included in the permit or deny criteria. An IP address in
the form A.B.C.D.
src-wildcard Indication of which bits in the src argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the src-wildcard argument mean that the corresponding bits in the
src argument must match; one-bits in the src-wildcard argument mean that the
corresponding bits in the src argument are ignored.
any Specifies a completely wildcard source or destination IP address indicating
that IP traffic to or from all IP addresses is to be included in the permit or
deny criteria. Identical to 0.0.0.0 255.255.255.255.
host src Address of a single-host source with no wild-carded address bits. The
host source construct is identical to the src src-wildcard construct if the
wildcard address indicates that all bits should be matched (0.0.0.0).
cond Optional. Matching condition for the port or length argument, according to
one of the keywords listed in Table 12-8.
port Optional. TCP or UDP source or destination port. This argument is only
available if you specified TCP or UDP as the protocol. The range of values is
1 to 65,535 or one of the keywords listed in Table 12-9 and Table 12-10.
range port end-port Optional. Beginning and ending TCP or UDP source or destination ports that
define a range of port numbers. A packet's port must fall within the specified
range to match the criteria. This construct is only available if you specified
TCP or UDP as the protocol. The range of values is 1 to 65,535 or one of the
keywords listed in Table 12-9 and Table 12-10.
dest Optional. Destination address to be included in the permit or deny criteria. An
IP address in the form A.B.C.D.
dest-wildcard Indication of which bits in the dest argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the dest-wildcard argument mean that the corresponding bits in
the dest argument must match; one-bits in the dest-wildcard argument mean
that the corresponding bits in the dest argument are ignored.
host dest Address of a single-host destination with no wildcard address bits. The
host dest construct is identical to the dest dest-wildcard construct, if the
wildcard address indicates that all bits should be matched (0.0.0.0).
length Optional. Indicates that packet length is to be used as a filter. The packet
length is the length of the network-layer packet, beginning with the IP header.
This is true irrespective of the specified protocol.
length Packet length. The range of values is 20 to 65,535.
range length end-length Packets that fall into the range of specified lengths. Each value (length and
end-length) can be from 20 to 65,535.
icmp-type icmp-type Optional. Type of ICMP packet to be matched. The range of values is 0 to 255
or one of the keywords listed in Table 12-11. This argument is only available
if you specify icmp for the protocol argument.
icmp-code icmp-code Optional if you use the icmp-type icmp-type construct. A particular ICMP
message code to be matched. The range of values is 0 to 255. This argument
is only accepted if you specified icmp for the protocol argument.
igmp-type igmp-type Optional. Type of IGMP packet to be matched. This argument is only
accepted if you specified igmp as the protocol argument. The range of values
is 0 to 15 or one of the keywords listed in Table 12-12.
dscp eq dscp-value Optional. The packet's Differentiated Services Code Point (DSCP) value must
be equal to the value specified in the dscp-value argument to match the criteria.
The range of values is 0 to 63 or one of the keywords listed in Table 12-13.
established Optional. Specifies that only established connections are to be matched. This
keyword is only available if you specify tcp for the protocol argument.
precedence prec-value Optional. Precedence value of packets to be considered a match. The range of
values is 0 to 7, 7 being the highest precedence, or one of the keywords listed
in Table 12-14.
tos tos-value Optional. Type of service (ToS) to be considered a match. The range of values
is 0 to 15 or one of the keywords listed in Table 12-15.
condition cond-id Optional. ACL condition ID in integer or IP address format. The ID range of
values is 1 to 4,294,967,295.
Default
None
Usage Guidelines
Use the deny command to create the IP ACL statement to deny packets that meet the specified criteria.
The cond port and cond length constructs are mutually exclusive with the range port end-port and
range length end-length constructs.
Use the no form of this command to delete the statement with the specified sequence number from the
ACL.
Table 12-7 lists the valid keyword substitutions for the protocol argument.
Table 12-7 Valid Keyword Substitutions for the protocol Argument
Keyword Definition
ahp Specifies Authentication Header Protocol.
esp Specifies Encapsulation Security Payload.
gre Specifies Generic Routing Encapsulation.
host Specifies host source address.
icmp Specifies Internet Control Message Protocol.
igmp Specifies Internet Group Management Protocol.
ip Specifies any IP protocol.
ipinip Specifies IP-in-IP tunneling.
ospf Specifies Open Shortest Path First.
pcp Specifies Payload Compression Protocol.
pim Specifies Protocol Independent Multicast.
tcp Specifies Transmission Control Protocol.
udp Specifies User Datagram Protocol.
Table 12-8 lists the valid keyword substitutions for the cond argument.
Table 12-8 Valid Keyword Substitutions for the cond Argument
Keyword Description
eq Specifies that values must be equal to those specified by the port or length argument.
gt Specifies that values must be greater than those specified by the port or length argument.
lt Specifies that values must be less than those specified by the port or length argument.
neq Specifies that values must not be equal to those specified by the port or length argument.
Table 12-9 lists the valid keyword substitutions for the port argument when it is used to specify a TCP port.
Table 12-9 Valid Keyword Substitutions for the port Argument (TCP Port)
Keyword Definition Corresponding Port Number
bgp Border Gateway Protocol (BGP) 179
chargen Character generator 19
cmd Remote commands (rcmd) 514
daytime Daytime 13
discard Discard 9
domain Domain Name System 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname Network interface card (NIC) hostname server 101
ident Identification protocol 113
irc Internet Relay Chat 194
klogin Kerberos login 543
kshell Kerberos Shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp Protocol Independent Multicast Auto-RP 496
pop2 Post Office Protocol Version 2 109
pop3 Post Office Protocol Version 3 110
shell Remote command shell 514
smtp Simple Mail Transport Protocol 25
ssh Secure Shell 22
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp UNIX-to-UNIX Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80
Table 12-10 lists the valid keyword substitutions for the port argument when it is used to specify a UDP
port.
Table 12-10 Valid Keyword Substitutions for the port Argument (UDP Port)
Keyword Definition Corresponding Port Number
biff Biff (Mail Notification, Comsat) 512
bootpc Bootstrap Protocol client 68
bootps Bootstrap Protocol server 67
discard Discard 9
dnsix DNSIX Security Protocol Auditing 195
domain Domain Name System 53
echo Echo 7
isakmp Internet Security Association and Key Management Protocol (ISAKMP) 500
mobile-ip Mobile IP Registration 434
nameserver IEN116 Name Service (obsolete) 42
netbios-dgm NetBIOS Datagram Service 138
netbios-ns NetBIOS Name Service 137
netbios-ss NetBIOS Session Service 139
ntp Network Time Protocol 123
pim-auto-rp Protocol Independent Multicast Auto-RP 496
rip Router Information Protocol (router, in.routed) 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who Service (rwho) 513
xdmcp X Display Manager Control Protocol 177
Table 12-11 lists the valid keyword substitutions for the icmp-type argument.
Table 12-11 Valid Keyword Substitutions for the icmp-type Argument
Keyword Description
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
Table 12-10 Valid Keyword Substitutions for the port Argument (UDP Port) (continued)
Keyword Definition Corresponding Port Number
Command Descriptions
ACL Configuration 12-33
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
general-parameter-problem General parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for ToS
host-tos-unreachable Host unreachable for ToS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirects
net-redirect Network redirect
net-tos-redirect Network redirect for ToS
net-tos-unreachable Network unreachable for ToS
net-unreachable Network unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisement
router-solicitation Router discovery solicitation
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceeded messages
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given type of service (ToS) value
traceroute Traceroute
ttl-exceeded TTL Exceeded
unreachable All unreachables
Table 12-12 lists the valid keyword substitutions for the igmp-type argument.
Table 12-13 lists the valid keyword substitutions for the dscp-value argument.
Table 12-12 Valid Keyword Substitutions for the igmp-type Argument
Keyword Description
dvmrp Specifies Distance-Vector Multicast Routing Protocol.
Host-query Specifies host query.
Host-report Specifies host report.
pim Specifies Protocol Independent Multicast.
Table 12-13 Valid Keyword Substitutions for the dscp-value Argument
Keyword Definition
af11 Assured ForwardingClass 1/Drop precedence 1
af12 Assured ForwardingClass 1/Drop precedence 2
af13 Assured ForwardingClass 1/Drop precedence 3
af21 Assured ForwardingClass 2/Drop precedence 1
af22 Assured ForwardingClass 2/Drop precedence 2
af23 Assured ForwardingClass 2/Drop precedence 3
af31 Assured ForwardingClass 3/Drop precedence 1
af32 Assured ForwardingClass 3/Drop precedence 2
af33 Assured ForwardingClass 3/Drop precedence 3
af41 Assured Forwarding Class 4/Drop precedence 1
af42 Assured Forwarding Class 4/Drop precedence 2
af43 Assured Forwarding Class 4/Drop precedence 3
cs0 Class Selector 0
cs1 Class Selector 1
cs2 Class Selector 2
cs3 Class Selector 3
cs4 Class Selector 4
cs5 Class Selector 5
cs6 Class Selector 6
cs7 Class Selector 7
df Default Forwarding (same as cs0)
ef Expedited Forwarding
Table 12-14 lists the valid keyword substitutions for the prec-value argument.
Table 12-15 lists the valid keyword substitutions for the tos-value argument.
Table 12-14 Valid Keyword Substitutions for the prec-value Argument
Keyword Description
routine Specifies routine precedence (value=0).
priority Specifies priority precedence (value=1).
immediate Specifies immediate precedence (value=2).
flash Specifies flash precedence (value=3).
flash-override Specifies flash override precedence (value=4).
critical Specifies critical precedence (value=5).
internet Specifies internetwork control precedence (value=6).
network Specifies network control precedence (value=7).
Table 12-15 Valid Keyword Substitutions for the tos-value Argument
Keyword Description
max-reliability Specifies maximum reliable ToS (value=2).
max-throughput Specifies maximum throughput ToS (value=4).
min-delay Specifies minimum delay ToS (value=8).
min-monetary-cost Specifies minimum monetary cost ToS (value=1).
normal Specifies normal ToS (value=0).
Examples
The following example specifies that all IP traffic to destination host 10.25.1.1 is to be denied, and all
other traffic on subnet 10.25.1.0/24 is to be permitted:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#deny ip any host 10.25.1.1
[local]Redback(config-access-list)#permit ip any 10.25.1.0 0.0.0.255
Related Commands
ip access-group
ip access-list
permit
resequence ip access-list
description
description text
no description
Purpose
Associates a text description with an IP access control list (ACL) or a policy ACL.
Command Mode
access control list configuration
Syntax Description
text Alphanumeric text description to be associated with the ACL.
Default
No description is associated with the ACL.
Usage Guidelines
Use the description command to associate a text description with the ACL.
You can use a text description to notate what an ACL consists of or how it is to be used. Only one
description can be associated with a single ACL. To revise a description, create a new one, and the old one
is overwritten.
Use the no form of this command to remove the description from an ACL.
Examples
The following example creates a text description to be associated with the IP ACL, restricted:
[local]Redback(config-ctx)#ip access-list restricted
[local]Redback(config-access-list)#description private net
The following example creates a text description to be associated with the policy ACL, trafficin:
[local]Redback(config-ctx)#policy access-list trafficin
[local]Redback(config-access-list)#description inbound traffic web
Related Commands
ip access-list
policy access-list
ip access-group
ip access-group acl-name1 acl-name2 acl-name3... {in | out} [count] [log]
no ip access-group {"" | acl-name1 acl-name2 acl-name3...} {in | out} [count] [log]
Purpose
Applies from one to ten IP access control lists (ACL) to packets associated with an interface or subscriber.
Command Mode
interface configuration
subscriber configuration
Syntax Description
acl-name Name of the IP ACL to apply to the interface, which can be up to 39 alphanumeric characters long. You can configure up to ten ACL names to one IP access-group list. Enclose multiple ACL names within quotation marks and separate each ACL name with one or more spaces. To include ten ACLs in a single access group, however, you need to ensure that the total number of characters for the ACL names does not exceed 255 for interface mode and 253 for subscriber mode (average of 24 characters per name). A colon (:) is not allowed in ACL names.
in Specifies that the ACL is to be applied to incoming packets.
out Specifies that the ACL is to be applied to outgoing packets.
count Optional. Enables ACL packet counting. Not available in subscriber configuration mode.
log Optional. Enables ACL packet logging. Not available in subscriber configuration mode.
Default
No ACL is applied.
Usage Guidelines
Use the ip access-group command to apply an IP ACL to packets associated with an interface or subscriber,
restricting the flow of traffic through the SmartEdge router. If you configure multiple ACLs to an IP access
group, the SmartEdge OS combines the ACLs in order of appearance within the IP access group to produce
a specific filtering behavior. If you configure a dynamic filter ACL for a subscriber, the SmartEdge OS
applies the rules of the combined ACL and then the dynamic filter ACL. The SmartEdge OS appends an
implicit deny ip any any rule after all configured rules complete.
The SmartEdge router ignores conditional ACLs referenced in an access group.
When you use the count keyword, the system keeps track of the number of matches that occur. When you
use the log keyword, the system keeps track of the number of packets that were denied. By default, counting
and logging of packets is disabled.
To disable packet counting or logging, enter the ip access-group command again, omitting the count or
log keyword.
Use the no form of this command to remove an applied IP ACL from association with the interface. Enter
empty quotation marks ("") to remove all associated ACL names. If you want to delete one or more (but
not all) ACLs, enter their names in quotation marks.
Note Applying an ACL to an interface has no effect if the named ACL has not yet been defined.
All packets are permitted as if no restrictions were in place.
If an access group for an interface has multiple ACLs, some of the ACLs can be unconfigured;
however, any unconfigured ACLs have no (zero) rules. Only the configured ACLs in the
access group apply to traffic.
Caution Risk of performance loss. Enabling the count and log functions can affect system
performance. To reduce the risk, exercise caution when enabling these features on a
production system.
Examples
The following example applies the IP ACLs, WebCacheACL and SmartFilter, to the interface,
topgun, and enables both packet counting and logging:
[local]Redback(config)#context fighter
[local]Redback(config-ctx)#interface topgun
[local]Redback(config-if)#ip access-group "WebCacheACL SmartFilter" in log count
The following example applies the ACLs, WebCacheACL and SmartFilter, to the subscriber, joe:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name joe
[local]Redback(config-sub)#ip access-group "WebCacheACL SmartFilter" out
Related Commands
deny
ip access-list
permit
ip access-list
ip access-list acl-name [ssh-and-telnet-acl]
no ip access-list acl-name [ssh-and-telnet-acl]
Purpose
Configures an IP access control list (ACL) and enters access control list configuration mode.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL. Must be unique within the context.
ssh-and-telnet-acl Optional. Specifies that the ACL applies to Telnet and Secure Shell (SSH) traffic.
Default
None
Usage Guidelines
Use the ip access-list command to configure an IP ACL and enter access control list configuration mode,
where you can define statements using the permit and deny commands. All IP ACLs have an implicit
deny any any statement at the end.
When the IP ACL is created and its conditions have been set, you can apply the list to any of these entities:
An interface to restrict the flow of traffic through the SmartEdge router with the ip access-group
command (in interface configuration mode).
Local inbound traffic coming into the SmartEdge kernel with the admin-access-group command (in
context configuration mode).
Inbound SSH and Telnet traffic with the service command (in context configuration mode).
An interface enabled with reverse path forwarding (RPF) to allow packets that fail the RPF check but
match the ACL to pass through with the ip verify unicast source command (in interface configuration
mode).
A reference to an IP ACL that does not exist or does not contain any configured entries implicitly matches
and permits all packets.
Use the no form of this command to remove an ACL from the configuration.
Examples
The following example creates an IP ACL, WebCacheACL:
[local]Redback(config-ctx)#ip access-list WebCacheACL
[local]Redback(config-access-list)#
Related Commands
admin-access-group
deny
ip access-group
permit
modify ip access-list
modify ip access-list acl-name condition cond-id {permit | deny}
Purpose
Modifies, in real time, the action for the specified condition referenced by statements in the IP access
control list (ACL), without requiring reconfiguration of the IP ACL.
Command Mode
exec
Syntax Description
acl-name Name of the ACL to be modified.
condition cond-id ACL condition ID in integer or IP address format. The ID range of values is 1 to 4,294,967,295.
permit Applies a permit action.
deny Applies a deny action.
Default
None
Usage Guidelines
Use the modify ip access-list command to modify, in real time, the action for the specified condition
referenced by statements in the IP ACL, without requiring reconfiguration of the IP ACL.
Note If the specified condition ID is already configured (using the condition command in access
control list configuration mode), the modify ip access-list command is ignored. If a condition
ID is configured using the condition command and the changes are saved, any condition ID
that may be currently applied using the modify ip access-list command at runtime is
immediately overwritten.
For information about the condition and ip access-list commands in context configuration mode, see the
ACL Configuration Commands chapter in the IP Services and Security Command Reference for the
SmartEdge OS.
Examples
With the following configuration, using the modify ip access-list list_cond condition 200 deny command
changes the action of the ACL condition 200 in statement 20 in the IP ACL list_cond from permit
to deny. However, using the modify ip access-list list_cond condition 100 permit command does not
affect the deny action of the ACL condition 100 because it has already been configured:
[local]Redback(config-ctx)#ip access-list list_cond
[local]Redback(config-access-list)#condition 100 time-range
[local]Redback(config-acl-condition)#absolute start 2005:01:01:01:00 end 2006:01:01:01:01 permit
[local]Redback(config-acl-condition)#exit
[local]Redback(config-access-list)#seq 10 deny tcp any any eq 80 cond 100
[local]Redback(config-access-list)#seq 20 permit tcp any any eq 81 cond 200
Related Commands
modify policy access-list
modify policy access-list
modify policy access-list acl-name condition cond-id class class-name
Purpose
Modifies, in real time, the action for the specified condition referenced by statements in the policy access
control list (ACL), without requiring reconfiguration of the policy ACL.
Command Mode
exec
Syntax Description
acl-name Name of the ACL to be modified.
condition cond-id ACL condition ID in integer or IP address format. The ID range of values is 1 to 4,294,967,295.
class class-name Class name applied to statements in the policy ACL.
Default
None
Usage Guidelines
Use the modify policy access-list command to modify, in real time, the action for the specified condition
referenced by statements in the policy ACL, without requiring reconfiguration of the policy ACL.
Note If the specified condition ID is already configured (using the condition command in access
control list configuration mode), the modify policy access-list command is ignored. If a
condition ID is configured using the condition command and the changes are saved, any
condition ID that may be currently applied using the modify policy access-list command at
runtime is immediately overwritten.
Examples
With the following configuration, using the modify policy access-list list_cond condition 200 deny
command will change the action of the ACL condition, 200, in statement 20 in the IP ACL, list_cond,
from permit to deny. However, using the modify policy access-list list_cond condition 100 permit
command will not affect the deny action of the ACL condition, 100, because it has already been
configured:
[local]Redback(config-ctx)#policy access-list list_cond
[local]Redback(config-access-list)#condition 100 time-range
[local]Redback(config-acl-condition)#absolute start 2005:01:01:01:00 end 2006:01:01:01:01 permit
[local]Redback(config-acl-condition)#exit
[local]Redback(config-access-list)#seq 10 deny tcp any any eq 80 cond 100
[local]Redback(config-access-list)#seq 20 permit tcp any any eq 81 cond 200
Related Commands
condition
modify ip access-list
policy access-list
periodic
periodic day... hh:mm to hh:mm {{permit | deny} | class class-name}
no periodic day... hh:mm to hh:mm
Purpose
Creates a periodic time access control list (ACL) condition statement.
Command Mode
ACL condition configuration
Syntax Description
day... One or more days of the week in which the ACL condition is applied.
hh:mm Hour and minute, for each specified day of the week, to start the ACL condition.
to hh:mm Hour and minute, for each specified day of the week, to stop the ACL condition.
permit Applies permit action, during the specified time ranges, to all ACL statements that reference the ACL condition.
deny Applies deny action, during the specified time ranges, to all ACL statements that reference the ACL condition. Used only with IP ACLs.
class class-name Name of the class assigned to policy ACL statements that reference the ACL condition. Used only with policy ACLs.
Default
None
Usage Guidelines
Use the periodic command to create a periodic time ACL condition statement that permits or denies
packets, or assigns packets to a class, based on specific date and time ranges. A periodic time ACL
condition is referenced by either an IP ACL statement or a policy ACL statement.
Each ACL condition statement can include up to seven absolute or periodic time statements in any
combination.
Use the no form of this command to delete the periodic time ACL condition statement.
Examples
The following example creates a periodic ACL condition statement for the ACL condition, 55, which is
referenced by the policy ACL, policy_acl_2, such that the Bar003 class name is applied every
Wednesday from 9:00 p.m. to 11:00 p.m. (21:00 to 23:00 in 24-hour format) to packets assigned to the
Bar003 class:
[local]Redback(config-ctx)#policy access-list policy_acl_2
[local]Redback(config-access-list)#condition 55 time-range
[local]Redback(config-acl-condition)#periodic wednesday 21:00 to 23:00 class Bar003
Related Commands
absolute
condition
ip access-list
policy access-list
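The following Python model is an added example; it is not SmartEdge OS code and not part of this guide. It shows how a time-range condition changes the result of the ACL statements that reference it, and how the modify ip access-list and modify policy access-list runtime overrides interact with configured conditions: a condition ID that is already configured makes the runtime command a no-op, and configuring a condition drops any runtime override for its ID. It reproduces the list_cond configuration from the modify ip access-list example and the policy_acl_2 condition from the periodic example above; the policy statement that references condition 55 (with its own default_class) is constructed. Two points are assumptions, because the page does not state them: a periodic window is treated as half-open (start inclusive, end exclusive), and outside every time window the statement's own action or class applies.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Optional, Tuple

DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}
ABS_FMT = "%Y:%m:%d:%H:%M"   # yyyy:mm:dd:hh:mm, as in the absolute example on this page


def at(stamp):
    """Parse a yyyy:mm:dd:hh:mm timestamp into a datetime."""
    return datetime.strptime(stamp, ABS_FMT)


def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


@dataclass
class Periodic:
    """periodic day... hh:mm to hh:mm {permit | deny | class class-name}"""
    days: Tuple[str, ...]
    start: str
    end: str
    result: str   # "permit"/"deny" for an IP ACL, a class name for a policy ACL

    def covers(self, now):
        # Assumption: the window is half-open, start inclusive and end exclusive.
        return (now.weekday() in {DAYS[d] for d in self.days}
                and _hhmm(self.start) <= now.time() < _hhmm(self.end))


@dataclass
class Absolute:
    """absolute start yyyy:mm:dd:hh:mm end yyyy:mm:dd:hh:mm {permit | deny | class}"""
    start: str
    end: str
    result: str

    def covers(self, now):
        return at(self.start) <= now <= at(self.end)


@dataclass
class Condition:
    """condition cond-id time-range, holding up to seven time statements."""
    cond_id: int
    statements: list = field(default_factory=list)

    def add(self, stmt):
        if len(self.statements) >= 7:
            raise ValueError("a condition holds at most seven time statements")
        self.statements.append(stmt)
        return self

    def active_result(self, now):
        for stmt in self.statements:
            if stmt.covers(now):
                return stmt.result
        return None


@dataclass
class AclStatement:
    seq: int
    result: str                    # the statement's own action or class
    cond_id: Optional[int] = None  # condition cond-id


@dataclass
class Acl:
    name: str
    statements: Dict[int, AclStatement] = field(default_factory=dict)
    conditions: Dict[int, Condition] = field(default_factory=dict)
    overrides: Dict[int, str] = field(default_factory=dict)   # set by modify ... at runtime


def configure_condition(acl, cond):
    """The condition command: a saved condition overwrites any runtime override for its ID."""
    acl.conditions[cond.cond_id] = cond
    acl.overrides.pop(cond.cond_id, None)


def modify(acl, cond_id, result):
    """modify ip/policy access-list: ignored when the condition ID is already configured."""
    if cond_id in acl.conditions:
        return False
    acl.overrides[cond_id] = result
    return True


def effective(acl, seq, now):
    """Result of statement seq at time now: an active configured window wins,
    otherwise a runtime override, otherwise the statement's own result."""
    st = acl.statements[seq]
    if st.cond_id is None:
        return st.result
    cond = acl.conditions.get(st.cond_id)
    if cond is not None:
        active = cond.active_result(now)
        # Assumption: outside every window the statement's own result applies.
        return st.result if active is None else active
    return acl.overrides.get(st.cond_id, st.result)


# list_cond, as configured in the modify ip access-list example on this page.
LIST_COND = Acl("list_cond")
configure_condition(LIST_COND, Condition(100).add(
    Absolute("2005:01:01:01:00", "2006:01:01:01:01", "permit")))
LIST_COND.statements[10] = AclStatement(10, "deny", cond_id=100)    # seq 10 deny ... cond 100
LIST_COND.statements[20] = AclStatement(20, "permit", cond_id=200)  # seq 20 permit ... cond 200

# policy_acl_2 with condition 55 from the periodic example; the statement is constructed.
POLICY_ACL_2 = Acl("policy_acl_2")
configure_condition(POLICY_ACL_2, Condition(55).add(
    Periodic(("wednesday",), "21:00", "23:00", "Bar003")))
POLICY_ACL_2.statements[10] = AclStatement(10, "default_class", cond_id=55)
```

Calling modify(LIST_COND, 200, "deny") flips statement 20 to deny because condition 200 is not configured, while modify(LIST_COND, 100, "permit") returns False and leaves statement 10 alone, which is the behaviour the Note for the modify commands describes.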
permit
[seq seq-num] permit [protocol] {src src-wildcard | any | host src} [{cond port | range port end-port}]
[max-sessions limit] [min-sessions limit] [dest dest-wildcard | any | host dest] [cond port |
range port end-port] [length {cond length | range length end-length}] [icmp-type icmp-type
[icmp-code icmp-code]] [igmp-type igmp-type] [dscp eq dscp-value] [established]
[precedence prec-value] [tos tos-value] [class class-name] [condition cond-id]
no seq seq-num
Purpose
Creates an IP or policy access control list (ACL) statement to allow packets that meet the specified criteria.
Command Mode
access control list configuration
Syntax Description
seq seq-num Optional. Sequence number for the statement. The range of values is 1 to 4,294,967,295.
protocol Optional. Number indicating a protocol as specified in RFC 1700, Assigned Numbers. The range of values is 0 to 255 or one of the keywords listed in Table 12-16.
src Source address to be included in the permit or deny criteria. An IP address in the form A.B.C.D.
src-wildcard Indication of which bits in the src argument are significant for purposes of matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format. Zero-bits in the src-wildcard argument mean that the corresponding bits in the src argument must match; one-bits in the src-wildcard argument mean that the corresponding bits in the src argument are ignored.
any Specifies a completely wildcarded source or destination IP address indicating that IP traffic to or from all IP addresses is to be included in the permit or deny criteria. Identical to 0.0.0.0 255.255.255.255.
host src Address of a single-host source with no wildcarded address bits. The host src construct is identical to the src src-wildcard construct if the wildcard address indicates that all bits should be matched (0.0.0.0).
cond Optional. Matching condition for the port or length argument, according to one of the keywords listed in Table 12-17.
port Optional. Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source or destination port. This argument is only available if you specified TCP or UDP as the protocol. The range of values is 1 to 65,535 or one of the keywords listed in Table 12-18 and Table 12-19.
range port end-port Optional. Beginning and ending TCP or UDP source or destination ports that define a range of port numbers. A packet's port must fall within the specified range to match the criteria. This construct is only available if you specified TCP or UDP as the protocol. The range of values is 1 to 65,535 or one of the keywords listed in Table 12-18 and Table 12-19.
max-sessions limit Optional. Maximum number of sessions allowed for the specified IP address or IP subnet. This construct is only available for TCP. Use the ip access-list command with the ssh-and-telnet-acl keyword to apply an IP ACL to packets associated with a Secure Shell (SSH) or a Telnet server. The range of values is 1 to 32.
min-sessions limit Optional. Minimum number of sessions allowed for the specified IP address or IP subnet. This construct is only available if you specify TCP as the protocol in this command and use the ip access-list command with the ssh-and-telnet-acl keyword to apply an IP ACL to packets associated with an SSH or a Telnet server. The range of values is 0 to 32. The sum of values specified for the min-sessions limit construct for all specified IP addresses or IP subnets must not exceed 32.
Command Descriptions
12-50 IP Services and Security Configuration Guide
dest Optional. Destination address to be included in the permit or deny criteria. An IP address in the form A.B.C.D.
dest-wildcard Indication of which bits in the dest argument are significant for purposes of matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format. Zero-bits in the dest-wildcard argument mean that the corresponding bits in the dest argument must match; one-bits in the dest-wildcard argument mean that the corresponding bits in the dest argument are ignored.
host dest Address of a single-host destination with no wildcarded address bits. The host dest construct is identical to the dest dest-wildcard construct, if the wildcard address indicates that all bits should be matched (0.0.0.0).
length Optional. Indicates that packet length is to be used as a filter. The packet length is the length of the network-layer packet, beginning with the IP header. This is true irrespective of the specified protocol.
length Packet length. The range of values is 20 to 65,535.
range length end-length Packets that fall into the range of specified lengths. Each value (length and end-length) can be from 20 to 65,535.
icmp-type icmp-type Optional. Type of Internet Control Message Protocol (ICMP) packet to be matched. The range of values is 0 to 255 or one of the keywords listed in Table 12-20. This argument is only available if you specify the ICMP protocol.
icmp-code icmp-code Optional if you use the icmp-type icmp-type construct. A particular ICMP message code to be matched. The range of values is 0 to 255. This argument is only accepted if you specified icmp as the protocol argument.
igmp-type igmp-type Optional. Type of Internet Group Management Protocol (IGMP) packet to be matched. This argument is only accepted if you specified igmp as the protocol argument. The range of values is 0 to 15 or one of the keywords listed in Table 12-21.
dscp eq dscp-value Optional. The packet's Differentiated Services Code Point (DSCP) value must be equal to the value specified in the dscp-value argument to match the criteria. The range of values is 0 to 63 or one of the keywords listed in Table 12-22.
established Optional. Specifies that only established connections are to be matched. This keyword is only available if you specified tcp for the protocol argument.
precedence prec-value Optional. Precedence value of packets to be considered a match. The range of values is 0 to 7, 7 being the highest precedence, or one of the keywords listed in Table 12-23.
tos tos-value Optional. Type of service (ToS) to be considered a match. The range of values is 0 to 15 or one of the keywords listed in Table 12-24.
class class-name Optional. Policy-based class name. Available for policy ACLs only.
condition cond-id Optional. ACL condition ID in integer or IP address format. The ID range of values is 1 to 4,294,967,295.
Default
None
Usage Guidelines
Use the permit command to create the IP or policy ACL statement to allow packets that meet the specified
criteria.
The cond port and cond length constructs are mutually exclusive with the range port end-port and
range length end-length constructs.
You can use the optional max-sessions limit and min-sessions limit constructs to specify a maximum or
minimum number of simultaneous SSH or Telnet sessions allowed from an IP address or subnet. These
constructs are available if you use the service ssh server or service telnet server commands with the
access-group keyword to enable the SSH or Telnet protocol and apply the ACL. For statements where the
any keyword is specified for both source and destination, only the max-sessions limit construct applies.
If you specify a limit for both an IP address and the related subnet, the limit for the subnet takes precedence.
Similarly, a limit specified for a larger subnet takes precedence over limits specified for related smaller
subnets. From all sources combined, the SmartEdge OS supports up to 32 active Telnet and SSH sessions.
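An added Python model, not the SmartEdge OS implementation, of the max-sessions and min-sessions rules in the two paragraphs above: the value ranges, the rule that the min-sessions values may not add up to more than 32, the 32-session total, and the precedence rule that the least specific matching entry governs a client (a subnet over a host address inside it, a larger subnet over smaller related subnets). The entries in LIMITS are constructed. Two points are assumptions the page does not spell out: an any entry is applied only when no address or subnet entry matches, and min-sessions is treated as a reservation, so an entry that already holds its guaranteed number of sessions can only use capacity not reserved for other entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TOTAL_SESSIONS = 32   # active SSH and Telnet sessions from all sources combined


@dataclass
class SessionLimit:
    src: str               # "any", "host A.B.C.D" or "A.B.C.D/prefix"
    max_sessions: int      # 1 to 32
    min_sessions: int = 0  # 0 to 32; not used with "any"

    def network(self) -> Optional[ipaddress.IPv4Network]:
        if self.src == "any":
            return None
        if self.src.startswith("host "):
            return ipaddress.ip_network(self.src[5:] + "/32")
        return ipaddress.ip_network(self.src, strict=False)


def validate(limits: List[SessionLimit]) -> None:
    """Range checks from the syntax description plus the sum rule for min-sessions."""
    for lim in limits:
        if not 1 <= lim.max_sessions <= 32:
            raise ValueError(f"{lim.src}: max-sessions must be 1 to 32")
        if not 0 <= lim.min_sessions <= 32:
            raise ValueError(f"{lim.src}: min-sessions must be 0 to 32")
        if lim.src == "any" and lim.min_sessions:
            raise ValueError("any: only max-sessions applies")
    if sum(lim.min_sessions for lim in limits) > TOTAL_SESSIONS:
        raise ValueError("the min-sessions values add up to more than 32")


def governing_limit(limits, client_ip) -> Optional[SessionLimit]:
    """The least specific matching entry wins: a subnet over a host address in
    it, a larger subnet over smaller related subnets. Assumption: an 'any'
    entry applies only when no address or subnet entry matches."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for lim in limits:
        net = lim.network()
        if net is None or ip not in net:
            continue
        if best is None or net.prefixlen < best.network().prefixlen:
            best = lim
    if best is None:
        best = next((lim for lim in limits if lim.src == "any"), None)
    return best


class SessionTable:
    """Admission control for new SSH/Telnet sessions under a set of limits."""

    def __init__(self, limits):
        validate(limits)
        self.limits = limits
        self.active: Dict[str, int] = {}   # governing entry src -> active sessions

    def total(self):
        return sum(self.active.values())

    def reserved_elsewhere(self, src):
        """Sessions still owed to other entries' min-sessions (assumed reservation model)."""
        return sum(max(0, lim.min_sessions - self.active.get(lim.src, 0))
                   for lim in self.limits if lim.src != src)

    def admit(self, client_ip):
        lim = governing_limit(self.limits, client_ip)
        if lim is None:
            return False                   # no statement matches: implicit deny
        have = self.active.get(lim.src, 0)
        if have >= lim.max_sessions or self.total() >= TOTAL_SESSIONS:
            return False
        # Beyond its guaranteed share an entry may only use unreserved capacity.
        if have >= lim.min_sessions and \
                self.total() + self.reserved_elsewhere(lim.src) >= TOTAL_SESSIONS:
            return False
        self.active[lim.src] = have + 1
        return True


# Constructed set of limits: a host inside a subnet that also carries a limit.
LIMITS = [
    SessionLimit("host 10.1.1.5", 8),
    SessionLimit("10.1.1.0/24", 4, min_sessions=2),
    SessionLimit("192.0.2.0/24", 3, min_sessions=3),
    SessionLimit("any", 16),
]
```

With LIMITS, a client at 10.1.1.5 is governed by the 10.1.1.0/24 entry (limit 4), not by its own host entry (limit 8), which is the precedence rule stated above; adding a 10.0.0.0/8 entry would move the decision to that larger subnet.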
Use the no form of this command to delete the statement with the specified sequence number from the
ACL.
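Added example, not SmartEdge OS code: a Python model of the matching rules from the syntax description above (wildcard masks, protocol and port keywords, first-match evaluation in sequence order, the implicit deny) together with the combining rules described under ip access-group earlier on this page (ACLs concatenated in order of appearance, an undefined or empty name contributing zero rules, the subscriber's dynamic filter ACL evaluated after the combined ACL, and a group with no rules at all leaving traffic permitted). Only destination-port conditions and a handful of keywords from Tables 12-18 and 12-19 are modelled; the protect201 ACL is the one from the deny example, while the dynamic filter ACL and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# A few of the port keywords from Tables 12-18 (TCP) and 12-19 (UDP).
TCP_PORTS = {"ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "bgp": 179}
UDP_PORTS = {"domain": 53, "ntp": 123, "snmp": 161, "syslog": 514}


def resolve_port(proto, value):
    """Port number from a number (1 to 65,535) or a keyword valid for proto."""
    if isinstance(value, int):
        if not 1 <= value <= 65535:
            raise ValueError(f"port {value} is outside 1-65535")
        return value
    table = {"tcp": TCP_PORTS, "udp": UDP_PORTS}.get(proto, {})
    if value not in table:
        raise ValueError(f"{value!r} is not a {proto} port keyword")
    return table[value]


def wildcard_match(addr, base, wildcard):
    """Zero bits in the wildcard must match the base address; one bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Statement:
    seq: int
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches any IP protocol
    src: str = "0.0.0.0"               # "any" is 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport_cond: Optional[str] = None   # eq, gt, lt or neq (Table 12-17)
    dport: Optional[int] = None


def _cond(cond, have, want):
    return {"eq": have == want, "gt": have > want,
            "lt": have < want, "neq": have != want}[cond]


def statement_matches(st, pkt):
    if st.proto != "ip" and st.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], st.src, st.src_wc):
        return False
    if not wildcard_match(pkt["dst"], st.dst, st.dst_wc):
        return False
    if st.dport_cond is not None:
        if pkt.get("dport") is None or not _cond(st.dport_cond, pkt["dport"], st.dport):
            return False
    return True


def evaluate_rules(rules, pkt):
    """First match in list order decides; an implicit deny any any ends every list."""
    for st in rules:
        if statement_matches(st, pkt):
            return st.action
    return "deny"


def evaluate_acl(acl, pkt):
    """A single ACL is evaluated in ascending sequence-number order."""
    return evaluate_rules(sorted(acl, key=lambda s: s.seq), pkt)


def access_group_action(acl_names, configured, pkt, dynamic_filter=None):
    """ip access-group: the named ACLs are combined in order of appearance (an
    undefined or empty name contributes zero rules), the subscriber's dynamic
    filter ACL follows, and the implicit deny comes last. A group that ends up
    with no rules has no effect, so the packet is permitted."""
    rules = []
    for name in acl_names:
        rules.extend(sorted(configured.get(name, []), key=lambda s: s.seq))
    rules.extend(dynamic_filter or [])
    if not rules:
        return "permit"
    return evaluate_rules(rules, pkt)


# protect201, as created in the deny command example on this page.
PROTECT201 = [
    Statement(10, "deny", "ip", dst="10.25.1.1", dst_wc="0.0.0.0"),
    Statement(20, "permit", "ip", dst="10.25.1.0", dst_wc="0.0.0.255"),
]
CONFIGURED = {"protect201": PROTECT201}            # constructed ACL table
# Constructed dynamic filter ACL for a subscriber: permit SSH to anywhere.
DYN_FILTER = [Statement(10, "permit", "tcp", dport_cond="eq",
                        dport=resolve_port("tcp", "ssh"))]


def pkt(proto, src, dst, dport=None):
    """Constructed packet summary with the fields the model looks at."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}
```

Two behaviours worth noticing when running it: a group that names only an undefined ACL permits everything (the Note under ip access-group), whereas a group that names a defined ACL next to an undefined one applies only the defined rules and still ends in the implicit deny; and because the dynamic filter ACL comes after the combined ACL, it can only permit what the configured ACLs did not already deny.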
Table 12-16 lists the valid keyword substitutions for the protocol argument.
Note There is an implicit deny any any statement at the end of every ACL.
Table 12-16 Valid Keyword Substitutions for the protocol Argument
Keyword Definition
ahp Specifies Authentication Header Protocol.
esp Specifies Encapsulation Security Payload.
gre Specifies Generic Routing Encapsulation.
host Specifies host source address.
icmp Specifies Internet Control Message Protocol.
igmp Specifies Internet Group Management Protocol.
ip Specifies any IP protocol.
ipinip Specifies IP-in-IP tunneling.
ospf Specifies Open Shortest Path First.
pcp Specifies Payload Compression Protocol.
pim Specifies Protocol Independent Multicast.
tcp Specifies Transmission Control Protocol.
udp Specifies User Datagram Protocol.
Table 12-17 lists the valid keyword substitutions for the cond argument.
Table 12-18 lists the valid keyword substitutions for the port argument when it is used to specify a TCP port.
Table 12-17 Valid Keyword Substitutions for the cond Argument
Keyword Description
eq Specifies that values must be equal to those specified by the port or length argument.
gt Specifies that values must be greater than those specified by the port or length argument.
lt Specifies that values must be less than those specified by the port or length argument.
neq Specifies that values must not be equal to those specified by the port or length argument.
Table 12-18 Valid Keyword Substitutions for the port Argument (TCP Port)
Keyword Definition Corresponding Port Number
bgp Border Gateway Protocol (BGP) 179
chargen Character generator 19
cmd Remote commands (rcmd) 514
daytime Daytime 13
discard Discard 9
domain Domain Name System 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname Network interface card (NIC) hostname server 101
ident Identification protocol 113
irc Internet Relay Chat 194
klogin Kerberos login 543
kshell Kerberos Shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp Protocol Independent Multicast Auto-RP 496
pop2 Post Office Protocol Version 2 109
pop3 Post Office Protocol Version 3 110
shell Remote command shell 514
smtp Simple Mail Transport Protocol 25
ssh Secure Shell 22
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp UNIX-to-UNIX Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80
Table 12-19 lists the valid keyword substitutions for the port argument when it is used to specify a UDP port.
Table 12-19 Valid Keyword Substitutions for the port Argument (UDP Port)
Keyword Definition Corresponding Port Number
biff Biff (Mail Notification, Comsat) 512
bootpc Bootstrap Protocol client 68
bootps Bootstrap Protocol server 67
discard Discard 9
dnsix DNSIX Security Protocol Auditing 195
domain Domain Name System 53
echo Echo 7
isakmp Internet Security Association and Key Management
Protocol (ISAKMP)
500
mobile-ip Mobile IP Registration 434
nameserver IEN116 Name Service (obsolete) 42
netbios-dgm NetBIOS Datagram Service 138
netbios-ns NetBIOS Name Service 137
netbios-ss NetBIOS Session Service 139
ntp Network Time Protocol 123
pim-auto-rp Protocol Independent Multicast Auto-RP 496
Table 12-18 Valid Keyword Substitutions for the port Argument (TCP Port) (continued)
Keyword Definition Corresponding Port Number
Command Descriptions
12-54 IP Services and Security Configuration Guide
Table12-20 lists the valid keyword substitutions for the icmp-type argument.
rip Router Information Protocol (router, in.routed) 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who Service (rwho) 513
xdmcp X Display Manager Control Protocol 177
Table 12-20 Valid Keyword Substitutions for the icmp-type Argument
Keyword Description
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
general-parameter-problem General parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for ToS
host-tos-unreachable Host unreachable for ToS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirects
net-redirect Network redirect
net-tos-redirect Network redirect for ToS
net-tos-unreachable Network unreachable for ToS
net-unreachable Network unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisement
router-solicitation Router discovery solicitation
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceeded messages
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given type of service (ToS) value
traceroute Traceroute
ttl-exceeded TTL Exceeded
unreachable All unreachables
Table 12-21 lists the valid keyword substitutions for the igmp-type argument.
Table 12-21 Valid Keyword Substitutions for the igmp-type Argument
Keyword Description
dvmrp Specifies Distance-Vector Multicast Routing Protocol.
Host-query Specifies host query.
Host-report Specifies host report.
pim Specifies Protocol Independent Multicast.
Table 12-22 lists the valid keyword substitutions for the dscp-value argument.
Table 12-22 Valid Keyword Substitutions for the dscp-value Argument
Keyword Definition
af11 Assured Forwarding Class 1/Drop precedence 1
af12 Assured Forwarding Class 1/Drop precedence 2
af13 Assured Forwarding Class 1/Drop precedence 3
af21 Assured Forwarding Class 2/Drop precedence 1
af22 Assured Forwarding Class 2/Drop precedence 2
af23 Assured Forwarding Class 2/Drop precedence 3
af31 Assured Forwarding Class 3/Drop precedence 1
af32 Assured Forwarding Class 3/Drop precedence 2
af33 Assured Forwarding Class 3/Drop precedence 3
af41 Assured Forwarding Class 4/Drop precedence 1
af42 Assured Forwarding Class 4/Drop precedence 2
af43 Assured Forwarding Class 4/Drop precedence 3
cs0 Class Selector 0
cs1 Class Selector 1
cs2 Class Selector 2
cs3 Class Selector 3
cs4 Class Selector 4
cs5 Class Selector 5
cs6 Class Selector 6
cs7 Class Selector 7
df Default Forwarding (same as cs0)
ef Expedited Forwarding
Table 12-23 lists the valid keyword substitutions for the prec-value argument.
Table 12-23 Valid Keyword Substitutions for the prec-value Argument
Keyword Description
routine Specifies routine precedence (value=0).
priority Specifies priority precedence (value=1).
immediate Specifies immediate precedence (value=2).
flash Specifies flash precedence (value=3).
flash-override Specifies flash override precedence (value=4).
critical Specifies critical precedence (value=5).
internet Specifies internetwork control precedence (value=6).
network Specifies network control precedence (value=7).
Table 12-24 lists the valid keyword substitutions for the tos-value argument.
Table 12-24 Valid Keyword Substitutions for the tos-value Argument
Keyword Description
max-reliability Specifies maximum reliable ToS (value=2).
max-throughput Specifies maximum throughput ToS (value=4).
min-delay Specifies minimum delay ToS (value=8).
min-monetary-cost Specifies minimum monetary cost ToS (value=1).
normal Specifies normal ToS (value=0).
Examples
The following example specifies that all IP traffic from subnet 10.25/16 is to be allowed. All other traffic
is dropped because of the implicit deny any any statement at the end of the ACL:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#permit ip 10.25.0.0 0.0.255.255 any
The following example shows how to use the seq keyword to edit the existing qos-acl-1 ACL, adding
a statement using sequence number 25:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#policy access-list qos-acl-1
[local]Redback(config-access-list)#seq 25 permit tcp 10.10.10.4 0.0.0.0 any eq 80
Related Commands
ip access-list
policy access-list
resequence ip access-list
resequence policy access-list
policy access-list
policy access-list acl-name
no policy access-list acl-name
Purpose
Creates or selects a policy access control list (ACL) and enters access control list configuration mode.
Command Mode
context configuration
Syntax Description
acl-name Policy ACL name.
Default
None
Usage Guidelines
Use the policy access-list command to create or select a policy ACL and to enter access control list
configuration mode.
Use the no form of this command to remove the policy ACL.
Note If a forward policy, Network Address Translation (NAT) policy, or quality of service (QoS)
policy references a policy ACL that does not exist, the reference is ignored.
Examples
The following example creates a policy ACL to define Web and VOIP traffic types on a circuit, and uses
the policy ACL in a QoS metering policy, marking these packet types as DF and AF11, respectively. All
other traffic is marked as DF also:
[local]Redback(config-ctx)#policy access-list QoSACL-1
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy PolicingAndMarking policing
[local]Redback(config-policy-policing)#access-group QoSACL-1
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark dscp AF11
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 3/0
[local]Redback(config-port)#bind interface FromSubscriber local
[local]Redback(config-port)#qos policy policing PolicingAndMarking
Related Commands
forward policy
nat policy
permit
qos policy metering
qos policy policing
resequence policy access-list
resequence ip access-list
resequence ip access-list acl-name
Purpose
Reassigns sequence numbers to the entries in the specified IP access control list (ACL) to be in increments
of 10.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL to be resequenced.
Default
No resequencing is performed.
Usage Guidelines
Use the resequence ip access-list command to reassign sequence numbers to the entries in the specified IP
ACL to be in increments of 10. This command is useful if manually assigned sequence numbers have left
no room between entries for additional entries.
Examples
The following example resequences the statements in the ACL, fremont1:
[local]Redback(config-ctx)#resequence ip access-list fremont1
Related Commands
ip access-list
resequence policy access-list
resequence policy access-list acl-name
Purpose
Reassigns sequence numbers to the entries in the specified policy access control list (ACL) to be in
increments of 10.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL to be resequenced.
Default
No resequencing is performed.
Usage Guidelines
Use the resequence policy access-list command to reassign sequence numbers to the entries in the
specified policy ACL to be in increments of 10. This command is useful if manually assigned sequence
numbers have left no room between entries for additional entries.
Examples
The following example resequences the statements in the policy ACL, oakland2:
[local]Redback(config-ctx)#resequence policy access-list oakland2
Related Commands
policy access-list
Part 5
IP Service Policies
This part describes the tasks and commands used to configure Network Address Translation (NAT)
policies, forward policies, and service policies. It consists of the following chapters:
Chapter 13, NAT Policy Configuration
Chapter 14, Forward Policy Configuration
Chapter 15, Service Policy Configuration
Chapter 13
NAT Policy Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Network Address
Translation (NAT) policy features.
For information about the tasks and commands used to monitor, troubleshoot, and administer NAT policies,
see the NAT Policy Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
Through NAT, hosts using unregistered IP addresses on an internal, private network can connect to hosts
on the Internet, and conversely. NAT translates the private (not globally unique) addresses in the internal
network into public IP addresses before packets are forwarded onto another network. Network Address and
Port Translation (NAPT) translates a private network and its Transmission Control Protocol/User Datagram
Protocol (TCP/UDP) port on the internal network into a public address and its TCP/UDP ports. By using
port multiplexing, NAPT enables multiple hosts on a private network to simultaneously access remote
networks through a single IP address.
NAT policies can contain a combination of static and dynamic translation actions as well as drop and ignore
actions, and can be applied to all packets traveling across a circuit, or to a particular class of packets using
policy access control list (ACL). The default NAT policy action is drop.
Figure 13-1 illustrates how NAT translates private source IP addresses to public addresses.
Note NAT policies are not supported for subscriber sessions that use the Layer 2 Tunneling
Protocol (L2TP) and that are terminated at the SmartEdge router when it is acting as an L2TP
network server (LNS). If you inadvertently apply a NAT policy to such a subscriber, the
session comes up because the policy has no effect on it.
Figure 13-1 NAT Process
The SmartEdge OS implementation of NAT supports traditional NAT. In a traditional NAT, sessions are
unidirectional, outbound from the private network. Sessions in the opposite direction may be allowed on
an exception basis, using static address maps for preselected hosts. It is assumed that NAT policies are
applied on private interfaces only because applying them on public interfaces would profoundly affect
performance.
The SmartEdge OS implementation of NAT is described in the following sections:
Static Translation
Dynamic Translation
Destination IP Address Translation
Policy ACLs
NAT DMZ
Session Limit Control
Summary
Static Translation
With static translation, the private source IP addresses and TCP or UDP ports and the NAT addresses and
the ports to which they are translated are fixed numbers.
Note NAT is also known as source NAT or SNAT.
Note In this chapter, the terms, incoming and outgoing, refer to the direction of the packets passing
through the interface. The terms, outbound and inbound, refer to the direction of the packet
flow from the private network to the public network, and from the public network to the
private network, respectively.
Dynamic Translation
With dynamic translation, the SmartEdge OS translates the private source IP addresses and TCP or UDP
ports to the NAT addresses and ports. At runtime, the SmartEdge OS selects the NAT addresses and ports
from a pool of global IP addresses (referred to as a NAT pool). With dynamic translation, you can also
modify the period after which translations time out.
NAPT also supports dynamic translation of subsets of TCP/UDP ports, referred to as port blocks. The port
number space of the TCP/UDP ports is divided into 16 port blocks, numbered 0 to 15; each port block
consists of 4,096 port numbers. Port block granularity allows the sharing of a single IP address between
NAT pools, and thus between NAT policies and traffic cards, with each pool having the IP address with a
unique subset of TCP/UDP port blocks assigned to it.
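As an added illustration (not SmartEdge OS code; the function names are assumptions), the following Python models the 16 port blocks of 4,096 ports described above and checks that NAT pools sharing one IP address are assigned disjoint blocks:

```python
"""Port-block arithmetic for NAPT pools that share one IP address.

Added illustration, not SmartEdge OS code. The chapter divides the
TCP/UDP port space into 16 blocks (0 to 15) of 4,096 ports each.
"""
from typing import Dict, Optional, Set, Tuple

PORT_BLOCKS = 16
BLOCK_SIZE = 4096


def port_block_range(block: int) -> Tuple[int, int]:
    """Return the inclusive (first, last) port numbers of block 0..15."""
    if not 0 <= block < PORT_BLOCKS:
        raise ValueError(f"port block {block} outside 0..{PORT_BLOCKS - 1}")
    first = block * BLOCK_SIZE
    return first, first + BLOCK_SIZE - 1


def port_block_of(port: int) -> int:
    """Map a TCP/UDP port number to the block that contains it."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0..65535")
    return port // BLOCK_SIZE


def check_shared_address(
    assignments: Dict[str, Set[int]],
) -> Optional[Tuple[str, str, int]]:
    """Verify that pools sharing one IP address hold disjoint port blocks.

    assignments maps pool name -> set of block numbers it owns on that
    address. Returns None when the sets are disjoint, otherwise
    (first_pool, second_pool, block) for the first block claimed twice.
    """
    owner: Dict[int, str] = {}
    for pool, blocks in assignments.items():
        for block in sorted(blocks):
            if block not in range(PORT_BLOCKS):
                raise ValueError(f"pool {pool}: block {block} is invalid")
            if block in owner:
                return owner[block], pool, block
            owner[block] = pool
    return None


def pool_for_port(assignments: Dict[str, Set[int]], port: int) -> Optional[str]:
    """Return the pool (and so the policy/traffic card) that owns a translated port."""
    block = port_block_of(port)
    for pool, blocks in assignments.items():
        if block in blocks:
            return pool
    return None
```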
Policy ACLs
A policy ACL defines classes of packets using classification statements (rules). Each policy ACL supports
up to eight unique classes. You can classify a packet according to its IP precedence value, protocol number,
IP source and destination address, Internet Control Message Protocol (ICMP) attributes, Internet Group
Management Protocol (IGMP) attributes, TCP attributes, and UDP attributes.
When you include the destination, drop, ignore, pool, admission-control, and timeout commands (in
NAT policy configuration mode) in a NAT policy, the specified action is applied to all packets traveling
across the interface or subscriber circuit or, if an ACL is referenced, to packets that do not belong to the
classes specified by the ACL and by the NAT policy. These packets are referred to as belonging to the
default class.
When you include the destination, drop, ignore, pool, admission-control, and timeout commands (in
class configuration mode) in a policy ACL, the specified action is applied only to packets belonging to the
specified class.
To configure class-based actions for a circuit, you apply a policy ACL to a NAT policy, specify the action
for each class that you want the policy to take, and then attach the NAT policy to the circuit. For more
information about policy ACLs, see Chapter 12, ACL Configuration.
Note When just the IP address is translated, static NAT is referred to as basic static NAT. Static NAT
includes both basic static NAT and static NAPT.
Note Static translations require manual configuration of the static IP routes and the static IP ARP
entries for the NAT addresses.
Note When just the IP address is translated, dynamic NAT is referred to as basic dynamic NAT.
Dynamic NAT includes both basic dynamic NAT and dynamic NAPT.
Note The pool and timeout commands apply only to dynamic NAT. The admission-control and
destination commands apply only to dynamic NAPT.
Destination IP Address Translation
The SmartEdge OS allows you to configure a NAT policy or its class to use a specified destination IP
address instead of the original destination IP address. Using the destination command, you can configure
Destination NAT (DNAT) to redirect traffic destined for the original address to a different specified address.
On the return path, the source address of the incoming traffic is translated to the original destination address
of the outgoing packet, so the returning traffic appears to be sent from the original destination address.
You can enable DNAT with or without the SmartEdge OS having to perform NAT.
You can use DNAT both with and without NAT in the same configuration.
NAT DMZ
The SmartEdge OS also provides support for the demilitarized zone (DMZ) feature in NAT policies. You
can configure a DMZ rule in a NAT policy to translate traffic returning to the SmartEdge router that does
not satisfy any of the conditions for static or dynamic NAT that you have specified in that NAT policy. The
basic NAT specified by the DMZ rule changes the destination IP address of the packet to a fixed private IP
address of a DMZ host server without changing the TCP/UDP port number.
Three types of applications might require a DMZ host server:
You use your own tools to do extensive logging and analysis of the packets that would be dropped by
the NAT policy.
You do not know the exact TCP/UDP port numbers, or there are too many ports, that need to be opened
by static NAPT rules to allow access to applications.
You need a workaround for applications that do not work with NAPT, because they use protocols other
than UDP or TCP, or require IP packet fragmentation.
The following differences apply to a private network with a DMZ host server:
A DMZ rule in a NAT policy does not affect non-DMZ hosts on the internal network that use static or
dynamic NAPT, except that returning traffic for dynamic UDP sessions is now subject to source IP
address verification.
Non-DMZ hosts can use basic static or basic dynamic NAT, although such configurations might not
seem practical.
The DMZ host server cannot use basic static NAT, basic dynamic NAT, and dynamic NAPT, but can
still use static NAPT.
Session Limit Control
Session limit control allows you to set session limits independently for TCP, UDP, and ICMP sessions from
the subscriber to the network. The SmartEdge OS does not limit sessions from the network to the
subscriber.
The following restrictions apply to the NAT implementation of session limit control:
Session limit control is a modification of a NAT policy; it applies to any circuit that has that NAT policy
attached.
Session limit control is supported on Ethernet, Gigabit Ethernet, and ATM OC-3 traffic cards.
The SmartEdge OS applies the session limit at the IP level; it is available for LNS circuits, but not when
the SmartEdge router is configured as an L2TP access concentrator (LAC).
You can set a session limit to support up to 65,535 sessions on a circuit.
Summary
The order in which the conditions in a NAT policy are checked to determine the action for a packet is as
follows:
1. The conditions set by the policy static translations.
2. The conditions set by the policy ACL.
3. If the conditions in step 1 and step 2 are not satisfied, the action for the packet is determined by the
default class action, if the policy ACL exists, or by the NAT policy action.
For more information about NAT, see RFC 3022, Traditional IP Network Address Translator (NAT) and
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.
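The evaluation order above, together with the default-class behaviour described under Policy ACLs and the session counting described under Session Limit Control, as an added Python model that is not SmartEdge OS code (the Packet, NatPolicy and Circuit names, the sample policy values, and the rule that a class with no configured action falls to the default class action are assumptions):

```python
"""Model of the NAT policy decision order described in this chapter.

Added illustration, not SmartEdge OS code. Names are assumptions. The
checks follow the Summary section: (1) static translations, (2) policy
ACL classes, (3) otherwise the default class action, which is the
policy-level action (drop unless configured).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

MAX_SESSION_LIMIT = 65_535  # largest per-circuit limit the chapter allows


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 for ICMP


# An action is (kind, detail): kind is "static", "pool", "ignore" or "drop";
# detail is the translated address, the pool name, a reason, or None.
Action = Tuple[str, Optional[str]]


def subnet(cidr: str) -> Callable[[Packet], bool]:
    """Policy ACL rule helper: match packets whose source lies in cidr."""
    net = ip_network(cidr)
    return lambda p: ip_address(p.src) in net


@dataclass
class NatPolicy:
    # "ip static in source <private> <nat>" entries: {private: nat}
    static_sources: Dict[str, str] = field(default_factory=dict)
    # Policy ACL: ordered (class_name, match_fn); first matching rule wins
    acl_rules: List[Tuple[str, Callable[[Packet], bool]]] = field(default_factory=list)
    # Per-class actions configured under access-group / class
    class_actions: Dict[str, Action] = field(default_factory=dict)
    # Policy-level action; also the default class action when an ACL exists.
    # The chapter states that the default NAT policy action is drop.
    policy_action: Action = ("drop", None)
    # admission-control per protocol: {proto: max sessions per circuit}
    session_limits: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for proto, limit in self.session_limits.items():
            if not 1 <= limit <= MAX_SESSION_LIMIT:
                raise ValueError(f"{proto} limit {limit} outside 1..{MAX_SESSION_LIMIT}")

    def decide(self, pkt: Packet) -> Action:
        # 1. Static translations are checked first.
        if pkt.src in self.static_sources:
            return ("static", self.static_sources[pkt.src])
        # 2. Policy ACL classes, in sequence order.
        for name, match in self.acl_rules:
            if match(pkt):
                # Assumption: a class named in the ACL but given no action
                # in the policy falls through to the default class action.
                if name in self.class_actions:
                    return self.class_actions[name]
                break
        # 3. Default class action (ACL present) or the NAT policy action.
        return self.policy_action


@dataclass
class Circuit:
    """One subscriber circuit with a NAT policy attached."""
    policy: NatPolicy
    # Distinct subscriber-side (src, sport) tuples per protocol; the chapter
    # counts repeated sessions from the same tuple as a single connection.
    sessions: Dict[str, set] = field(default_factory=dict)

    def admit(self, pkt: Packet) -> Action:
        action = self.policy.decide(pkt)
        limit = self.policy.session_limits.get(pkt.proto)
        if action[0] in ("static", "pool") and limit is not None:
            seen = self.sessions.setdefault(pkt.proto, set())
            key = (pkt.src, pkt.sport)
            if key not in seen:
                if len(seen) >= limit:
                    return ("drop", "session limit")
                seen.add(key)
        return action
```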
Configuration Tasks
Note In this chapter, the terms, session and connection, refer to a request to establish a connection
between a subscriber port (that is, an IP address and port tuple) and a host port (represented
by an IP address and port tuple). These requests can be initiated from a subscriber or from a
host, but you can only enable the SmartEdge OS to limit the requests initiated by the
subscriber or initiated on another system, sent to the subscriber, and accepted by that
subscriber.
When multiple sessions are initiated from the same IP address and port number on the
subscriber side, they are counted as a single connection by the SmartEdge OS.
Note The sum of the configured session limit control numbers for a traffic card can exceed the
maximum number of sessions (approximately one million) allowed by the amount of memory
on the traffic card. In that case, some circuits might be unable to reach their configured
maximum session limit.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure NAT policies, perform the tasks described in the following sections:
Configure a NAT Policy with Static Translations
Configure a NAT Policy with a DMZ Host Server
Configure a NAT Policy with Dynamic Translations
Apply a Policy ACL to a NAT Policy
Configure a NAT Policy with Static Translations
To configure a NAT policy with static translations, perform the tasks described in Table 13-1.
Table 13-1 Configure a NAT Policy with Traditional Static Translations
# Task Root Command Notes
1. Configure a NAT policy name and access NAT policy configuration mode.
nat policy Enter this command in context configuration mode.
2. Translate the source IP address for incoming packets on the interface or the subscriber circuit to which
the NAT policy will be attached in the private network.
ip static in Enter this command in NAT policy configuration mode. The destination IP address of incoming
packets is translated in the reverse direction. Use the optional tcp or udp keyword to translate the source
address and source port number of the TCP/UDP packets.
3. Translate the source IP address for outgoing packets on the interface or the subscriber circuit to which
the NAT policy will be attached in the private network.
ip static out Enter this command in NAT policy configuration mode. The destination IP address of incoming
packets is translated in the reverse direction.
4. Translate the destination IP address for those inbound packets (on the interface or subscriber circuit to
which the NAT policy will be attached) that do not satisfy any condition for static or dynamic translation
in the policy.
ip dmz Enter this command in NAT policy configuration mode. The source IP address is translated in the
outbound direction.
5. Optional. Apply a policy ACL. See the Apply a Policy ACL to a NAT Policy section.
6. Attach the policy to an interface or subscriber, using one of the following tasks:
To an interface. ip nat Enter this command in interface configuration mode.
To a subscriber record, named profile, or default profile. nat policy-name Enter this command in
subscriber configuration mode.
Note For information about configuring interfaces and subscribers, see the Interface
Configuration chapter and the Subscriber Configuration chapter, respectively, in the Basic
System Configuration Guide for the SmartEdge OS.
Configure a NAT Policy with a DMZ Host Server
To configure a NAT policy with a DMZ host server, perform the tasks described in Table 13-2.
Table 13-2 Configure a NAT Policy with a DMZ Host Server
# Task Root Command Notes
1. Configure a NAT policy name and access NAT policy configuration mode.
nat policy Enter this command in context configuration mode.
2. Translate the destination IP address for those outgoing packets (on the interface or subscriber circuit to
which the NAT policy will be attached) that do not satisfy any of the static or dynamic rules in the policy.
ip dmz Enter this command in NAT policy configuration mode. The destination IP address of incoming
packets is translated in the reverse direction.
3. Attach the policy to an interface or subscriber, using one of the following tasks:
To an interface. ip nat Enter this command in interface configuration mode.
To a subscriber record, named profile, or default profile. nat policy-name Enter this command in
subscriber configuration mode.
Configure a NAT Policy with Dynamic Translations
To configure a NAT policy with dynamic translations, perform the tasks described in Table 13-3; enter all
commands in NAT policy configuration mode, unless otherwise noted.
Table 13-3 Configure a NAT Policy with Dynamic Translations
# Task Root Command Notes
1. Create or select a NAT pool and access NAT pool configuration mode.
ip nat pool Enter this command in context configuration mode. Use the napt keyword to indicate that the
addresses associated with the pool will be used for NAPT policies. Use the multibind keyword to enable
the NAT pool to be applied to multibind interfaces.
2. Configure the IP address, range of IP addresses, or the IP address with a range of TCP/UDP port blocks
for the NAT pool.
address Enter this command in NAT pool configuration mode. Enter this command multiple times to
configure several IP addresses, address ranges, and IP addresses with port blocks for the NAT pool.
3. Create or select a policy and access NAT policy configuration mode.
nat policy Enter this command in context configuration mode.
4. Optional. Specify the maximum number of sessions allowed for the specified protocol for each circuit.
connections
5. Specify the action to take on packets not associated with a class with one of the following tasks:
Any of these actions is applied to packets not associated with a class if a policy ACL is applied to this
NAT policy.
Translate the source IP addresses of the packets using the pool of IP addresses (created in step 1). pool
Drop packets. drop
Forward packets without translating their source IP addresses. ignore
6. Optional. Modify the period after which translations time out.
timeout Enter this command only if you have specified the pool command (in step 5). This timeout is used
for packets not associated with a class, if a policy ACL is applied to this NAT policy.
7. Optional. Enable session limit control for the default class for the specified protocol.
admission-control
8. Optional. Overwrite the destination IP address.
destination
9. Optional. Apply a policy ACL to this policy. See the Apply a Policy ACL to a NAT Policy section.
10. Attach the NAT or NAPT policy to an interface or subscriber, using one of the following tasks:
To an interface. ip nat Enter this command in interface configuration mode.
To a subscriber record, named profile, or default profile. nat policy-name Enter this command in
subscriber configuration mode.
Apply a Policy ACL to a NAT Policy
To apply a policy ACL to packets associated with a dynamic NAT policy and complete the configuration
of the policy, perform the tasks described in Table 13-4; enter all commands in policy group class
configuration mode, unless otherwise noted.
Table 13-4 Apply a Policy ACL to a NAT Policy
# Task Root Command Notes
1. Apply a policy ACL to a dynamic NAT policy and access policy group configuration mode.
access-group Enter this command in NAT policy configuration mode.
2. Specify a class and access class configuration mode.
class Enter this command in policy group configuration mode. For a class-based action to occur, the class
name must match one of the class names defined in the policy ACL.
3. Specify the action to take on packets associated with the class with one of the following tasks:
Enter any of these commands in policy group class configuration mode.
Translate the source IP addresses of the packets using the pool of IP addresses. pool
Drop packets associated with the class. drop
Forward packets associated with the class without translating their source IP addresses. ignore
4. Optional. Modify the period after which translations time out.
timeout Enter this command only if you have specified the pool command (in step 3). Enter this command
in policy group class configuration mode.
5. Optional. Enable session limit control for this class for the specified protocol.
admission-control
6. Optional. Overwrite the destination IP address. destination
Configuration Examples
This section provides configuration examples for:
NAT Policy with Static Translation
NAT Policy with Static NAPT
NAT Policy with Static Translation and a DMZ Host Server
NAT Policy with Dynamic Translation and an Ignore Action
NAT Policy with Dynamic NAPT and a Drop Action
NAT Policy with Static and Dynamic Translations
NAT Policy with DNAT
NAT Policy with Session Limit Control
NAT Policy with Static Translation
The following example configures a NAT policy with static translations:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
NAT Policy with Static NAPT
The following example configures a static NAPT policy:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.1.3 80 100.1.1.3 8080
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
NAT Policy with Static Translation and a DMZ Host Server
The following example configures a NAT policy with static translation, two internal hosts, and a DMZ host
server:
! Configure context, NAT policy, and interface for private network
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip dmz source 10.1.1.1 100.1.1.1 context local
[local]Redback(config-policy-nat)#ip static in source 10.1.1.2 100.1.1.2
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface if-private
[local]Redback(config-if)#ip address 10.1.1.1/24
[local]Redback(config-if)#ip nat p2
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Configure context, NAT policy, and interface for public network
[local]Redback(config)#context public
[local]Redback(config-ctx)#interface if-public
[local]Redback(config-if)#ip address 100.1.1.1/24
! Configure an Ethernet port for the private network
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#bind interface if-private local
[local]Redback(config-port)#no shutdown
! Configure an Ethernet port for the public network
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#bind interface if-public public
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
Figure 13-2 illustrates the network configuration for the example.
Figure 13-2 Private Network with NAT DMZ Host Server
NAT Policy with Dynamic Translation and an Ignore Action
The following example creates a policy ACL and applies it to a NAT policy with dynamic translations in
which all packets except those classified as CLASS3 are ignored (that is, the NAT policy is not applied to
them). The source IP addresses of all incoming packets classified as CLASS3 are translated using IP addresses
from the pool_dyn pool:
! Create the NAT pool
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 11.11.11.0/24
[local]Redback(config-nat-pool)#exit
! Create the policy ACL
[local]Redback(config-ctx)#policy access-list NAT-ACL
[local]Redback(config-access-list)#seq 10 permit ip 10.10.10.0 0.0.0.255 class CLASS3
[local]Redback(config-access-list)#exit
! Create the NAT policy and apply the policy ACL
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#ignore
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn local
NAT Policy with Dynamic NAPT and a Drop Action
The following example configures a NAPT policy with dynamic translations in which all packets, except
those classified as CLASS3, are dropped. Source IP addresses and their TCP/UDP ports for packets
classified as CLASS3 are translated using the IP address and its TCP/UDP port blocks 1 to 15 from the
pool_dyn_napt pool:
[local]Redback(config-ctx)#ip nat pool pool_dyn_napt napt
[local]Redback(config-nat-pool)#address 11.11.11.1/32 port-block 1 to 15
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#drop
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn_napt local
NAT Policy with Static and Dynamic Translations
The following example configures a NAT policy that uses a combination of static and dynamic, basic NAT
and NAPT, and applies a policy ACL:
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 100.1.2.0/24
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#ip nat pool pool_dyn_napt napt
[local]Redback(config-nat-pool)#address 100.1.1.2/32 port-block 1
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#pool pool_dyn local
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn_napt local
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.1.2 80 100.1.1.2 8080
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
NAT Policy with DNAT
The following example configures a NAT policy that uses DNAT, both with and without NAT, within a
single NAT policy. A predefined destination address is configured for the NAT-CLASS1 and NAT-CLASS2
classes within the NAT policy NAT-POLICY. For all packets from class NAT-CLASS1, the destination
address of each packet is replaced by 64.233.167.100 so that all packets from class NAT-CLASS1 are
forwarded to that address. On the return path, a reverse translation from 64.233.167.100 to the original
destination address is performed so that the returning traffic appears to be sent from the original destination
address. For the NAT-CLASS2 class, the destination address of each packet is translated exactly the same
way as for class NAT-CLASS1, but the source address is not translated:
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS1
[local]Redback(config-policy-acl-class)#pool NAT-POOL1 local
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
[local]Redback(config-policy-acl)#class NAT-CLASS2
[local]Redback(config-policy-acl-class)#ignore
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
NAT Policy with Session Limit Control
The following example configures a NAT policy that uses session limit control for both the default class
and a subset of named classes. Assuming that packets do not match either of the two static rules (which have
higher priority), the following processing takes place:
Packets classified into CLASS2 are NAT-translated using pool2 addresses, and no session limit control is
applied (the default state).
Packets classified into CLASS3 are left unchanged, and session limit control is applied to TCP sessions with
the maximum number of TCP sessions set to 100.
All other packets (that is, those of the default class) are translated using pool1 addresses, and session limit
control is applied to TCP sessions with the maximum number of TCP sessions set to 100.
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.3.3 80 100.1.3.3 8080
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.4.3 80 100.1.3.4 8080
[local]Redback(config-policy-nat)#connections tcp maximum 100
! Default class
[local]Redback(config-policy-nat)#pool pool1 local
[local]Redback(config-policy-nat)#timeout tcp
[local]Redback(config-policy-nat)#admission-control tcp
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS2
[local]Redback(config-policy-group-class)#pool pool2 local
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#exit
Note Specify the connections command (in NAT policy configuration mode) for the policy; then
specify the admission-control command for each class (including the default one) for which
you want the session limit to be enforced.
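The processing order described above (static rules first, then the action of the class the policy ACL assigns, with the connections maximum enforced only on classes that have admission-control) is modelled in the following Python program. This is an added example, not SmartEdge OS code: the classifier that assigns CLASS2 and CLASS3 by source prefix, the circuit names and the sample flows are constructed, and the reading that only sessions admitted on admission-controlled classes count toward the per-circuit, per-protocol maximum is the example's own assumption.

```python
"""Model of NAT policy evaluation with session limit control (added example).

Not vendor code. Static rules are matched first; otherwise the class assigned
by the policy ACL selects the action (pool / ignore / drop). A per-circuit,
per-protocol session counter enforces the 'connections' maximum only for
classes on which 'admission-control' is enabled (assumption: sessions of
classes without admission control are not counted).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class ClassAction:
    action: str                                   # "pool", "ignore" or "drop"
    pool: Optional[str] = None                    # pool name when action == "pool"
    admission_control: Set[str] = field(default_factory=set)  # protocols limited


@dataclass
class NatPolicy:
    # 'ip static in tcp source A a B b': (proto, src_ip, src_port) -> (nat_ip, nat_port)
    static_in: Dict[Tuple[str, str, int], Tuple[str, int]]
    default: ClassAction                          # action for the default class
    classes: Dict[str, ClassAction]               # named ACL classes
    connections: Dict[str, int]                   # 'connections <proto> maximum N'
    classify: Callable[[str], Optional[str]]      # policy ACL: src ip -> class or None
    sessions: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (circuit, proto) -> count

    def new_session(self, circuit: str, proto: str, src_ip: str, src_port: int) -> str:
        """Outcome for a new flow: 'static:<ip>:<port>', 'pool:<name>', 'ignore', 'drop' or 'reject:limit'."""
        static = self.static_in.get((proto, src_ip, src_port))
        if static is not None:                    # static rules have higher priority
            return f"static:{static[0]}:{static[1]}"
        name = self.classify(src_ip)
        cls = self.classes[name] if name in self.classes else self.default
        if cls.action == "drop":
            return "drop"
        # Session limit control applies only if the class enables it for this
        # protocol AND a 'connections' maximum exists; otherwise it is ignored.
        if proto in cls.admission_control and proto in self.connections:
            count = self.sessions.get((circuit, proto), 0)
            if count >= self.connections[proto]:
                return "reject:limit"
            self.sessions[(circuit, proto)] = count + 1
        return "ignore" if cls.action == "ignore" else f"pool:{cls.pool}"


def build_pol1() -> NatPolicy:
    """The 'pol1' policy from the example above; the ACL class assignment is constructed."""
    def classify(src_ip: str) -> Optional[str]:
        if src_ip.startswith("10.1.2."):
            return "CLASS2"
        if src_ip.startswith("10.1.3."):
            return "CLASS3"
        return None                               # default class
    return NatPolicy(
        static_in={("tcp", "10.1.3.3", 80): ("100.1.3.3", 8080),
                   ("tcp", "10.1.4.3", 80): ("100.1.3.4", 8080)},
        default=ClassAction("pool", "pool1", {"tcp"}),
        classes={"CLASS2": ClassAction("pool", "pool2"),
                 "CLASS3": ClassAction("ignore", admission_control={"tcp"})},
        connections={"tcp": 100},
        classify=classify,
    )


def demo() -> Dict[str, str]:
    """Run constructed flows through pol1 and collect the outcomes."""
    pol = build_pol1()
    out = {"static": pol.new_session("circ-A", "tcp", "10.1.3.3", 80)}
    # 100 default-class TCP sessions on circuit A are admitted; the 101st is rejected
    results = [pol.new_session("circ-A", "tcp", "10.1.9.1", 40000 + i) for i in range(101)]
    out["default_first"] = results[0]
    out["default_101st"] = results[100]
    out["default_other_circuit"] = pol.new_session("circ-B", "tcp", "10.1.9.1", 5000)
    out["class2"] = pol.new_session("circ-A", "tcp", "10.1.2.5", 5000)     # no limit on CLASS2
    out["class3_udp"] = pol.new_session("circ-A", "udp", "10.1.3.9", 5000)  # no udp maximum set
    out["class3_tcp"] = pol.new_session("circ-A", "tcp", "10.1.3.9", 5000)  # circuit A already at 100
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

The counter is keyed on (circuit, protocol) rather than on the class, which is what makes the CLASS3 flow on circuit A fail once the default class has used up the 100 TCP sessions there, while the same flow on circuit B is admitted.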
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure NAT policies.
The commands are presented in alphabetical order:
address
admission-control
connections
destination
drop
ignore
ip dmz
ip nat
ip nat pool
ip static in
ip static out
nat policy
nat policy-name
pool
timeout
address
address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr | ip-addr/32
port-block start-port-block [to end-port-block]}
no address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr}
Purpose
Assigns an IP address, a range of IP addresses, or an IP address with one or more blocks of Transmission
Control Protocol/User Datagram Protocol (TCP/UDP) ports to the Network Address Translation (NAT)
pool.
Command Mode
NAT pool configuration
Syntax Description
ip-addr netmask IP address and subnet mask.
ip-addr/prefix-length IP address and prefix length.
start-ip-addr to end-ip-addr Starting IP address to ending IP address.
ip-addr/32 IP address and prefix length when specifying one or more blocks of TCP/UDP port numbers.
port-block start-port-block Starting port block number. The range of values is 0 to 15.
to end-port-block Optional. Ending port-block number. If not entered, assigns only the TCP/UDP port numbers in the port block specified by the start-port-block argument. The range of values is 1 to 15.
Default
All TCP/UDP port numbers for the IP address are assigned to the NAT pool.
Usage Guidelines
Use the address command to assign the IP address and subnet mask, a range of IP addresses, or an IP
address with a range of TCP/UDP ports that will be included in the NAT pool. The TCP/UDP port number
space is divided into 16 blocks. Each block contains 4,096 sequential numbers. Blocks are numbered from
0 to 15. If you specify one or more blocks of TCP/UDP ports, you must specify 32 as the prefix length.
You can enter this command multiple times to assign multiple IP addresses, ranges of IP addresses, and an
IP address with TCP/UDP port blocks to a NAT pool.
Use the no form of this command to remove IP addresses from the NAT pool. If you enter the no form with
an IP address that was configured with the port-block keyword, the IP address and all its configured port
blocks are removed from the NAT pool.
Examples
The following example configures the NAT pool, NAT-1, and fills the pool with the IP address
171.71.71.1, with all its TCP/UDP ports, and the IP address 171.71.72.2, with port blocks 1 to 3:
[local]Redback(config)#context ISP
[local]Redback(config-ctx)#ip nat pool NAT-1 napt
[local]Redback(config-nat-pool)#address 171.71.71.1/32
[local]Redback(config-nat-pool)#address 171.71.72.2/32 port-block 1 to 3
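The four address forms and the port-block arithmetic from the usage guidelines are worked through in the following Python parser, which is an added example rather than vendor code. It assumes (as the guidelines imply but do not state) that port block k covers ports 4096*k to 4096*k+4095, so block 0 starts at port 0, and it rebuilds the NAT-1 pool above as well as the NAT-POOL-BASIC pool from the ip nat pool description to check the guide's count of 14 addresses.

```python
"""Parse 'address' lines of a NAT pool and compute what the pool contains (added example).

Not vendor code. Assumption: TCP/UDP port block k covers ports
4096*k .. 4096*k+4095 (16 blocks of 4,096 numbers, numbered 0-15).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4096
NUM_BLOCKS = 16
ALL_PORTS = (0, 65535)


def port_block_range(start_block: int, end_block: Optional[int] = None) -> Tuple[int, int]:
    """Inclusive port range covered by port blocks start..end (assumed layout)."""
    end_block = start_block if end_block is None else end_block
    if not (0 <= start_block <= end_block < NUM_BLOCKS):
        raise ValueError(f"port block must be 0-{NUM_BLOCKS - 1} and start <= end")
    return start_block * BLOCK_SIZE, (end_block + 1) * BLOCK_SIZE - 1


def parse_address(line: str) -> Dict[str, Tuple[int, int]]:
    """Map each IP address named by one 'address ...' line to its usable port range.

    Accepted forms: 'ip mask', 'ip/prefix', 'start to end', 'ip/32 port-block a [to b]'.
    An address given without port-block gets all ports.
    """
    tokens = line.split()
    if not tokens or tokens[0] != "address":
        raise ValueError(f"not an address line: {line!r}")
    args = tokens[1:]
    if "port-block" in args:
        idx = args.index("port-block")
        net = ipaddress.ip_network(args[0], strict=False)
        if idx != 1 or net.prefixlen != 32:         # guide: port-block requires /32
            raise ValueError("port-block requires a single ip-addr/32")
        blocks = args[idx + 1:]
        start = int(blocks[0])
        end = int(blocks[2]) if len(blocks) == 3 and blocks[1] == "to" else None
        return {str(net.network_address): port_block_range(start, end)}
    if len(args) == 3 and args[1] == "to":          # 'start-ip-addr to end-ip-addr'
        first, last = ipaddress.ip_address(args[0]), ipaddress.ip_address(args[2])
        if last < first:
            raise ValueError("range end precedes range start")
        return {str(ipaddress.ip_address(int(first) + i)): ALL_PORTS
                for i in range(int(last) - int(first) + 1)}
    if len(args) == 2:                              # 'ip-addr netmask'
        net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    elif len(args) == 1:                            # 'ip-addr/prefix-length'
        net = ipaddress.ip_network(args[0], strict=False)
    else:
        raise ValueError(f"unrecognised address form: {line!r}")
    # Every address of the block is a pool member (the guide counts .4 to .7 for a /30)
    return {str(addr): ALL_PORTS for addr in net}


def build_pool(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Apply address lines in order; a later line for the same IP replaces the earlier one."""
    pool: Dict[str, Tuple[int, int]] = {}
    for line in lines:
        pool.update(parse_address(line))
    return pool


def total_ports(pool: Dict[str, Tuple[int, int]]) -> int:
    """Number of (address, port) pairs the pool can hand out."""
    return sum(hi - lo + 1 for lo, hi in pool.values())


# Constructed input reproducing the NAT-1 pool from the example above
NAT_1 = build_pool([
    "address 171.71.71.1/32",
    "address 171.71.72.2/32 port-block 1 to 3",
])
# ...and the NAT-POOL-BASIC pool from the 'ip nat pool' command description
NAT_POOL_BASIC = build_pool([
    "address 171.71.71.4 255.255.255.252",
    "address 171.71.71.101 to 171.71.71.110",
])

if __name__ == "__main__":
    print(NAT_1)
    print(len(NAT_POOL_BASIC), "addresses,", total_ports(NAT_POOL_BASIC), "address/port pairs")
```

Running the parser on the NAT-1 lines gives all 65,536 ports for 171.71.71.1 and ports 4096 to 16383 for 171.71.72.2; the NAT-POOL-BASIC lines yield the 14 addresses the guide states, and a port-block line with a prefix other than /32 is rejected, matching the rule in the usage guidelines.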
Related Commands
ip nat pool
pool
admission-control
admission-control {icmp | tcp | udp}
no admission-control {icmp | tcp | udp}
Purpose
Enables or disables session limit control for the specified protocol.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
icmp Specifies the Internet Control Message Protocol (ICMP) as the protocol for which session limit control is to be enabled.
tcp Specifies the Transmission Control Protocol (TCP) as the protocol for which session limit control is to be enabled.
udp Specifies the User Datagram Protocol (UDP) as the protocol for which session limit control is to be enabled.
Default
Session limit control is disabled for this access control list (ACL) class.
Usage Guidelines
Use the admission-control command to enable session limit control for the specified protocol. Session
limit control applies only to this ACL class in this Network Address Translation (NAT) policy. You can use
this command only when the action in the class is either ignore or pool, and the pool is a Network Address
Port Translation (NAPT) pool.
Use the no form of this command to disable session limit control.
Examples
The following example enables TCP session limit control for the default ACL class in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp maximum 100
[local]Redback(config-policy-nat)#admission-control tcp
The following example enables TCP session limit control for CLASS3 in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp maximum 100
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp
Related Commands
connections
connections
connections {icmp | tcp | udp} maximum max-sess
no connections {icmp | tcp | udp}
Purpose
Specifies the maximum number of sessions allowed for the specified protocol for each circuit.
Command Mode
NAT policy configuration
Syntax Description
icmp Specifies the Internet Control Message Protocol (ICMP) as the protocol for which session limit control is to be enabled.
tcp Specifies the Transmission Control Protocol (TCP) as the protocol for which session limit control is to be enabled.
udp Specifies the User Datagram Protocol (UDP) as the protocol for which session limit control is to be enabled.
maximum max-sess Maximum number of sessions allowed for this protocol for each circuit to which you have applied this Network Address Translation (NAT) policy. The range of values is 1 to 65,535.
Default
The maximum number of sessions is not specified.
Usage Guidelines
Use the connections command to specify the maximum number of sessions allowed for the specified
protocol for each circuit.
The maximum number that you specify applies to all access control list (ACL) classes, including the default
class, for which you have specified admission control using the admission-control command (in NAT
policy configuration mode).
If the maximum number of sessions for a specific protocol is not specified using this command, the
admission control for that protocol, if specified using the admission-control command (in NAT policy or
policy group class configuration mode), is ignored.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 100 as the maximum number of TCP sessions for each circuit:
[local]Redback(config-policy-nat)#connections tcp maximum 100
Related Commands
admission-control
destination
destination ip-addr [context-name]
Purpose
Configures the Network Address Translation (NAT) policy or its class to use the specified IP address in
destination IP address translation or destination NAT (DNAT).
Command Mode
NAT policy configuration
NAT policy class configuration
Syntax Description
ip-addr Specifies the IP address to replace the original destination address.
context-name Specifies the name of the context in which the configured destination IP address resides.
Default
No predefined IP address is configured as a destination IP address.
Usage Guidelines
Use the destination command to configure the NAT policy or its class to use the specified IP address in
DNAT. DNAT replaces the original destination IP addresses of all packets or the packets of a specific class
with a predefined IP address.
When a destination IP address is configured for a given class, the SmartEdge router applies this predefined
IP address to all packets of the class.
You can enable DNAT with or without performing NAT. Configuring DNAT without NAT requires that you
configure the destination command together with the ignore command.
Use the destination ip-addr context-name construct to specify that the configured destination IP address
resides within the specified context. If no context name is specified, the configured destination IP address
is assumed to be in the context in which the NAT pool is defined or, if no NAT pool is defined, in the
context in which the NAT policy is defined.
Note If you configure DNAT with NAT, the context name specified in the destination command
must be the same as the context name specified in the pool command.
Examples
The following example shows how to configure DNAT with NAT. A predefined destination address is
configured for the NAT-CLASS1 class within the NAT policy NAT-POLICY. For all packets from class
NAT-CLASS1, the destination address of each packet is replaced by 64.233.167.100 so that all packets
from class NAT-CLASS1 are forwarded to that address. On the return path, a reverse translation from
64.233.167.100 to the original destination address is performed so that the returning traffic appears to
be sent from the original destination address:
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS1
[local]Redback(config-policy-acl-class)#pool NAT-POOL1 local
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
The following example shows how to configure DNAT without NAT. A predefined destination address is
configured for the NAT-CLASS2 class within the NAT policy NAT-POLICY. For the NAT-CLASS2 class,
the destination address of each packet is replaced by 64.233.167.100 so that all packets from class
NAT-CLASS2 are forwarded to that address. In this example, the source address is not translated:
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS2
[local]Redback(config-policy-acl-class)#ignore
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
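The two examples above, DNAT with NAT for NAT-CLASS1 and DNAT without NAT for NAT-CLASS2, together with the reverse translation on the return path, are modelled in the following Python program. This is an added example, not vendor code: the classifier that assigns classes by source prefix, the public address 100.1.1.10 standing in for an address drawn from NAT-POOL1, the inside hosts and the external destination 198.51.100.7 are all constructed, and the model keeps one session per (translated source, predefined destination) pair and ignores ports.

```python
"""DNAT with and without source NAT, including the return path (added example).

Not vendor code. Forward path: the destination is replaced by the class's
predefined address; the source is replaced only when the class uses a pool.
Return path: a reply from the predefined address is mapped back so that it
appears to come from the original destination, addressed to the original source.
Assumption: one session per (translated src, predefined dst); ports are ignored.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class DnatClass:
    destination: str            # from 'destination ip-addr'
    pool_addr: Optional[str]    # public address taken from the pool, or None for 'ignore'


class DnatPolicy:
    def __init__(self, classes: Dict[str, DnatClass],
                 classify: Callable[[Packet], Optional[str]]) -> None:
        self.classes = classes
        self.classify = classify
        # (translated src, predefined dst) -> (original src, original dst)
        self.sessions: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Packet from the inside: apply DNAT, and source NAT if the class has a pool."""
        cls = self.classes.get(self.classify(pkt) or "")
        if cls is None:
            return pkt                                  # not a DNAT class: left as is here
        new_src = cls.pool_addr if cls.pool_addr else pkt.src
        out = Packet(new_src, cls.destination)
        self.sessions[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def reverse(self, pkt: Packet) -> Packet:
        """Reply from the predefined destination: undo both translations."""
        orig = self.sessions.get((pkt.dst, pkt.src))
        if orig is None:
            return pkt                                  # no matching session
        orig_src, orig_dst = orig
        return Packet(orig_dst, orig_src)               # appears to come from the original dst


def classify(pkt: Packet) -> Optional[str]:
    """Constructed stand-in for the NAT-ACL policy ACL."""
    if pkt.src.startswith("10.1.1."):
        return "NAT-CLASS1"
    if pkt.src.startswith("10.1.2."):
        return "NAT-CLASS2"
    return None


POLICY = DnatPolicy(
    {"NAT-CLASS1": DnatClass("64.233.167.100", pool_addr="100.1.1.10"),   # DNAT with NAT
     "NAT-CLASS2": DnatClass("64.233.167.100", pool_addr=None)},          # DNAT without NAT (ignore)
    classify,
)


def demo() -> Dict[str, Packet]:
    """Send one packet per class and feed the replies back through the policy."""
    with_nat = POLICY.forward(Packet("10.1.1.5", "198.51.100.7"))
    without_nat = POLICY.forward(Packet("10.1.2.5", "198.51.100.7"))
    reply1 = POLICY.reverse(Packet("64.233.167.100", with_nat.src))
    reply2 = POLICY.reverse(Packet("64.233.167.100", without_nat.src))
    return {"with_nat": with_nat, "without_nat": without_nat,
            "reply1": reply1, "reply2": reply2}


if __name__ == "__main__":
    for key, pkt in demo().items():
        print(f"{key:>12}: {pkt.src} -> {pkt.dst}")
```

For NAT-CLASS1 both addresses of the outgoing packet change and both are restored on the reply; for NAT-CLASS2 only the destination changes, so the reply is delivered straight back to the inside host's real address, which is the behaviour the destination-plus-ignore combination is meant to give.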
Related Commands
admission-control
drop
ignore
pool
timeout
drop
drop
Purpose
Drops all packets or classes of packets associated with the Network Address Translation (NAT) policy.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
This command has no keywords or arguments.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the drop command to drop all packets or classes of packets associated with the NAT policy.
Examples
The following example configures the NAT-1 policy and applies the NAT-ACL-1 access control list (ACL)
to it. Packets that are classified as NAT-CLASS-1 will be dropped. All other packets, except those
explicitly defined by the static rule, will be ignored:
[local]Redback(config)#context CUSTOMER
[local]Redback(config-ctx)#nat policy NAT-1
[local]Redback(config-policy-nat)#ignore
[local]Redback(config-policy-nat)#ip static in source 10.0.0.1 171.71.71.1
[local]Redback(config-policy-nat)#access-group NAT-ACL-1
[local]Redback(config-policy-group)#class NAT-CLASS-1
[local]Redback(config-policy-group-class)#drop
Related Commands
ignore
pool
timeout
ignore
ignore
Purpose
Configures the Network Address Translation (NAT) policy or its class to not translate the source IP address
of all packets, or classes of packets, traveling across circuits attached to the interface or subscriber to which
the NAT policy is applied.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
This command has no keywords or arguments.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the ignore command to configure the Network Address Translation (NAT) policy or its class to not
translate the source IP address of all packets, or classes of packets, traveling across circuits attached to the
interface or subscriber to which the NAT policy is applied.
Examples
The following example configures the NAT-2 policy and applies the NAT-ACL-2 access control list (ACL)
to it. Packets that are classified as NAT-CLASS-2 are ignored; they are forwarded without translation of
the source IP address. All other packets, except those defined in the static rule, are dropped:
[local]Redback(config)#context CUSTOMER
[local]Redback(config-ctx)#nat policy NAT-2
[local]Redback(config-policy-nat)#ip static in source 10.0.0.1 171.71.71.1
[local]Redback(config-policy-nat)#access-group NAT-ACL-2
[local]Redback(config-policy-group)#class NAT-CLASS-2
[local]Redback(config-policy-group-class)#ignore
Related Commands
drop
pool
timeout
ip dmz
ip dmz source ip-addr nat-addr context ctx-name
no ip dmz source ip-addr nat-addr context ctx-name
Purpose
Configures the source and Network Address Translation (NAT) IP addresses for a demilitarized zone
(DMZ) host server.
Command Mode
NAT policy configuration
Syntax Description
source ip-addr Original source IP address for the DMZ host server on the private network.
nat-addr NAT address. The IP address of the DMZ host server on the public network to which the source IP address is mapped.
context ctx-name Name of the context in which the NAT address of the DMZ host server is defined for the interface that is used to forward packets after the source IP address is translated.
Default
No DMZ host server is configured.
Usage Guidelines
Use the ip dmz command to configure a DMZ host server.
Use the no form of this command to remove the DMZ host server from the configuration.
Examples
The following example configures a DMZ host server with an internal network address, 10.1.1.1, and
an external network address, 201.1.1.1, which are defined in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy policy1
[local]Redback(config-policy-nat)#ip dmz source 10.1.1.1 201.1.1.1 context local
Related Commands
None
ip nat
ip nat pol-name
no ip nat pol-name
Purpose
Attaches a Network Address Translation (NAT) policy to packets received or transmitted on any circuit
bound to the specified interface.
Command Mode
interface configuration
Syntax Description
pol-name NAT policy name.
Default
None
Usage Guidelines
Use the ip nat command to attach a NAT policy to packets received or transmitted on any circuit bound to
the specified interface.
Use the no form of this command to remove the NAT policy from the interface.
Examples
The following example translates an IP source address for the p1 NAT policy and applies the policy to
packets traveling across the pos1 interface:
[local]Redback(config-ctx)#nat policy p1
[local]Redback(config-policy-nat)#ip static in source 10.1.2.3 32.32.32.32
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos1
[local]Redback(config-if)#ip nat p1
Related Commands
nat policy
nat policy-name
ip nat pool
ip nat pool pool-name [napt [multibind]]
no ip nat pool pool-name [napt [multibind]]
Purpose
Configures a Network Address Translation (NAT) pool name and enters NAT pool configuration mode.
Command Mode
context configuration
Syntax Description
pool-name NAT pool name.
napt Optional. Enables support for translation of Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports.
multibind Optional. Enables the NAT pool to be applied to multibind interfaces.
Default
None
Usage Guidelines
Use the ip nat pool command to configure a NAT pool name and to enter NAT pool configuration mode.
Use the no form of this command to remove a NAT pool.
Examples
The following example configures the NAT pool, NAT-POOL-BASIC, with 14 IP addresses
(171.71.71.4 to 171.71.71.7 and 171.71.71.101 to 171.71.71.110):
[local]Redback(config-ctx)#ip nat pool NAT-POOL-BASIC
[local]Redback(config-nat-pool)#address 171.71.71.4 255.255.255.252
[local]Redback(config-nat-pool)#address 171.71.71.101 to 171.71.71.110
Related Commands
address
pool
ip static in
ip static in [{tcp | udp}] source ip-addr [port] nat-addr [nat-port] [context ctx-name]
no ip static in [{tcp | udp}] source ip-addr [port] nat-addr [nat-port] [context ctx-name]
Purpose
Translates the source IP address in the private network, and optionally, Transmission Control Protocol/User
Datagram Protocol (TCP/UDP) ports, of incoming packets on the interface to which the Network Address
Translation (NAT) policy is attached. In the reverse direction, translates the destination IP address, and
optionally, TCP/UDP ports, of outgoing packets on the interface.
Command Mode
NAT policy configuration
Syntax Description
tcp Optional. Indicates a TCP port.
udp Optional. Indicates a UDP port.
source Indicates the source information.
ip-addr Original source IP address.
port Optional. Original TCP or UDP source port number. The range of values is 1 to 65,535. Required when using the tcp or udp keyword.
nat-addr NAT address. The IP address to which the source IP address is mapped in the address translation table.
nat-port Optional. TCP or UDP port number to which the source port number is mapped in the address translation table. The range of values is 1 to 65,535. Required when using the tcp or udp keyword.
context ctx-name Optional. Context name. Required for intercontext forwarding of packets. Interfaces in the specified context are used to forward packets after addresses are translated.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the ip static in command to translate the source IP address in the private network, and optionally,
TCP/UDP ports, of incoming packets on the interface to which the NAT policy is attached. In the reverse
direction, this command translates the destination IP address, and optionally, TCP/UDP ports, of outgoing
packets on the interface.
Incoming packets with a source IP address that matches the ip-addr argument use the IP address specified
with the nat-addr argument as their source IP address instead. In the opposite direction, outgoing packets
with a destination IP address that matches the nat-addr argument use the ip-addr argument as the
destination IP address.
If the nat-addr argument overlaps an IP address in a Network Address Port Translation (NAPT) pool, the
static translation takes precedence.
Use the no form of this command to disable the translation of the source IP address and TCP/UDP ports.
Examples
The following example translates the source IP address of packets received on the interface, customer1,
to 2.2.2.2 when the original source address of the packets is 1.1.1.1. At the same time, the destination
address of packets sent out the interface is translated to 1.1.1.1 when the original destination address
of the packets is 2.2.2.2:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 1.1.1.1 2.2.2.2
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface customer1
[local]Redback(config-if)#ip address 1.1.1.254/24
[local]Redback(config-if)#ip nat p2
Related Commands
ip static out
ip static out
ip static out source ip-addr nat-addr
no ip static out source ip-addr nat-addr
Purpose
Translates the source IP address in the private network of outgoing packets on the interface to which the
Network Address Translation (NAT) policy is applied, and in the reverse direction, translates the
destination IP address of incoming packets on the interface.
Command Mode
NAT policy configuration
Syntax Description
source Indicates the source information.
ip-addr Original source IP address.
nat-addr NAT address. The IP address to which the source IP address is mapped in the address translation table.
Default
If no action is configured for the NAT policy, packets are dropped.
Usage Guidelines
Use the ip static out command to translate the source IP address in the private network of outgoing packets
on the interface to which the NAT policy is applied, and in the reverse direction, to translate the destination
IP address of incoming packets on the interface.
Outgoing packets with a source IP address that matches the ip-addr argument use the IP address specified
with the nat-addr argument as their source IP address instead. In the opposite direction, incoming packets
with a destination IP address that matches the nat-addr argument use the ip-addr argument as the
destination IP address.
Use the no form of this command to disable the translation of the IP address.
Examples
The following example translates the IP source address of packets sent out the interface, pos1, to
10.30.40.50 when the original source address of the packets is 64.64.64.64. At the same time, the
destination address of packets coming into the interface is translated to 64.64.64.64 when the
destination address of the packets is 10.30.40.50:
[local]Redback(config-ctx)#nat policy p1
[local]Redback(config-policy-nat)#ip static out source 64.64.64.64 10.30.40.50
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos1
[local]Redback(config-if)#ip nat p1
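The direction semantics of ip static in and ip static out (which address each rule rewrites on packets entering and leaving the interface), and the precedence of a static translation over an overlapping NAPT pool address described under ip static in, are illustrated by the following Python model. It is an added example, not vendor code: it combines the rules of the p2 and p1 examples above in one object for illustration, and the NAPT binding 2.2.2.2 to 10.9.9.9 and the external host 203.0.113.9 are constructed.

```python
"""Direction semantics of 'ip static in' and 'ip static out' (added example, not vendor code).

An 'in' rule rewrites the source of packets received on the interface and the
destination of packets sent out of it; an 'out' rule does the opposite. Where
the nat-addr of an 'in' rule overlaps an address in a NAPT pool, the static
translation takes precedence.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _reverse(rules: Dict[str, str], nat_addr: str) -> Optional[str]:
    """Private address whose nat-addr is nat_addr, or None if no rule maps to it."""
    for private, public in rules.items():
        if public == nat_addr:
            return private
    return None


class StaticNat:
    def __init__(self) -> None:
        self.in_rules: Dict[str, str] = {}       # 'ip static in':  private src -> nat-addr
        self.out_rules: Dict[str, str] = {}      # 'ip static out': private src -> nat-addr
        self.napt_bindings: Dict[str, str] = {}  # constructed: NAPT pool nat-addr -> inside host

    def static_in(self, ip_addr: str, nat_addr: str) -> None:
        self.in_rules[ip_addr] = nat_addr

    def static_out(self, ip_addr: str, nat_addr: str) -> None:
        self.out_rules[ip_addr] = nat_addr

    def incoming(self, pkt: Packet) -> Packet:
        """Packet received on the interface: 'in' rules rewrite src, 'out' rules rewrite dst."""
        src = self.in_rules.get(pkt.src, pkt.src)
        dst = _reverse(self.out_rules, pkt.dst) or pkt.dst
        return Packet(src, dst)

    def outgoing(self, pkt: Packet) -> Packet:
        """Packet sent out the interface: 'out' rules rewrite src, 'in' rules rewrite dst.

        The static reverse mapping is consulted before any NAPT binding, so a
        static nat-addr that overlaps a NAPT pool address wins.
        """
        src = self.out_rules.get(pkt.src, pkt.src)
        dst = _reverse(self.in_rules, pkt.dst)
        if dst is None:
            dst = self.napt_bindings.get(pkt.dst, pkt.dst)
        return Packet(src, dst)


def demo() -> Dict[str, Packet]:
    """Apply the two examples' rules to constructed packets in both directions."""
    nat = StaticNat()
    nat.static_in("1.1.1.1", "2.2.2.2")             # 'ip static in' example (policy p2)
    nat.static_out("64.64.64.64", "10.30.40.50")    # 'ip static out' example (policy p1)
    nat.napt_bindings["2.2.2.2"] = "10.9.9.9"       # constructed NAPT overlap with the static nat-addr
    ext = "203.0.113.9"                             # constructed external host
    return {
        "in_src": nat.incoming(Packet("1.1.1.1", ext)),        # src 1.1.1.1 -> 2.2.2.2
        "out_dst": nat.outgoing(Packet(ext, "2.2.2.2")),       # dst 2.2.2.2 -> 1.1.1.1, not 10.9.9.9
        "out_src": nat.outgoing(Packet("64.64.64.64", ext)),   # src 64.64.64.64 -> 10.30.40.50
        "in_dst": nat.incoming(Packet(ext, "10.30.40.50")),    # dst 10.30.40.50 -> 64.64.64.64
        "untouched": nat.incoming(Packet("192.0.2.1", "192.0.2.2")),
    }


if __name__ == "__main__":
    for key, pkt in demo().items():
        print(f"{key:>10}: {pkt.src} -> {pkt.dst}")
```

The "out_dst" case is the one the ip static in guidelines single out: the reply to 2.2.2.2 is delivered to 1.1.1.1 because the static rule is checked before the NAPT binding that also claims 2.2.2.2.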
Related Commands
ip static in
nat policy
nat policy pol-name [radius-guided]
no nat policy pol-name
Purpose
Configures a Network Address Translation (NAT) policy name and enters NAT policy configuration mode.
Command Mode
context configuration
Syntax Description
pol-name NAT policy name.
radius-guided Optional. Specifies a Remote Authentication Dial-In User Service (RADIUS) guided policy and allows the policy to be modified by dynamic access control lists (ACLs).
Default
None
Usage Guidelines
Use the nat policy command to configure a NAT policy name and enter NAT policy configuration mode.
Use the radius-guided keyword to specify a RADIUS-guided policy and to allow the policy to be modified
by dynamic ACLs. You cannot remove a dynamic policy ACL from the policy after you have configured
it, nor can you change the policy type from static to RADIUS-guided. To remove a dynamic policy ACL
or change its type, delete the policy and then recreate it as a static policy.
Use the no form of this command to remove the NAT policy.
Examples
The following example translates source addresses for NAT policy, p2, which is applied to packets received
on the pos2 interface:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 34.34.34.34 35.35.35.35
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
Related Commands
destination
drop
ignore
ip nat
ip static in
ip static out
nat policy-name
pool
timeout
nat policy-name
nat policy-name pol-name
no nat policy-name pol-name
Purpose
Attaches the specified Network Address Translation (NAT) policy name to the subscriber's circuit.
Command Mode
subscriber configuration
Syntax Description
pol-name NAT policy name.
Default
None
Usage Guidelines
Use the nat policy-name command to attach the specified NAT policy to the subscriber's circuit.
Use the no form of this command to remove the NAT policy from the subscriber's circuit.
Examples
The following example attaches the NAT policy, nat-pol-1, to the circuit of the subscriber nat-sub:
[local]Redback(config-ctx)#subscriber name nat-sub
[local]Redback(config-sub)#nat policy-name nat-pol-1
Related Commands
drop
ignore
ip nat
ip static in
ip static out
nat policy
pool
timeout
pool
pool nat-pool-name ctx-name
Purpose
Configures the Network Address Translation (NAT) policy or its class to use the specified pool of
IP addresses for source IP address translation.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
nat-pool-name NAT pool name.
ctx-name Name of the context in which the NAT pool is configured.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the pool command to configure the NAT policy or class of packets to use the specified pool of IP
addresses for packet translation.
Examples
The following example configures the NAT policy, NAT-POLICY, to use the pool, NAT-POOL-DEFAULT,
configured in the ISP context, and configures packets classified as NAT-CLASS-BASIC to use the pool,
NAT-POOL-BASIC, configured in the ISP context:
[local]Redback(config-ctx)#nat policy NAT-POLICY
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT ISP
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class NAT-CLASS-BASIC
[local]Redback(config-policy-group-class)#pool NAT-POOL-BASIC ISP
Related Commands
address
drop
ignore
ip nat pool
timeout
timeout
timeout {basic seconds | fin-reset seconds | icmp seconds | syn seconds | tcp seconds | udp seconds}
no timeout {basic | fin-reset | icmp | syn | tcp | udp}
Purpose
Modifies the period after which a Network Address Translation (NAT) translation times out if no activity occurs.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
basic seconds Period, in seconds, after which basic NAT times out. The range of values is 4 to 262,143; the default value is 3,600 (1 hour). This construct is supported only for basic NAT, not Network Access Port Translation (NAPT).
fin-reset seconds Period, in seconds, after which NAT for Transmission Control Protocol (TCP) FINISH and RESET packets times out. The range of values is 4 to 65,535; the default value is 240. This construct is supported only by policies using NAPT.
icmp seconds Period, in seconds, after which NAT for Internet Control Message Protocol (ICMP) packets times out. The range of values is 4 to 65,535; the default value is 60. This construct is supported only by policies using NAPT.
syn seconds Period, in seconds, after which NAT for TCP SYN packets times out. The range of values is 4 to 65,535; the default value is 128. This construct is supported only by policies using NAPT.
tcp seconds Period, in seconds, after which NAT for established TCP connections times out. The range of values is 4 to 262,143; the default value is 86,400 (24 hours). This construct is supported only by policies using NAPT.
udp seconds Period, in seconds, after which NAT for User Datagram Protocol (UDP) packets times out. The range of values is 4 to 65,535; the default value is 120. This construct is supported only by policies using NAPT.
Default
For default values, see the Syntax Description section. For the ignore action in a NAT policy, all default
timeouts are 20 seconds.
Usage Guidelines
Use the timeout command to modify the period after which a NAT translation times out if no activity occurs.
A timeout applies only if there is a relevant translation.
Use the no form of this command to reset the timeout to its default value.
Examples
The following example configures basic NAT to time out after no activity has occurred for 7200 seconds
(2 hours):
[local]Redback(config-ctx)#ip nat pool NAT-POOL
[local]Redback(config-nat-pool)#address 171.71.71.0/24
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy NAT-1
[local]Redback(config-policy-nat)#pool NAT-POOL local
[local]Redback(config-policy-nat)#timeout basic 7200
Related Commands
drop
ignore
pool
Chapter 14
Forward Policy Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS quality of service (QoS) features.
For information about other QoS configuration tasks and commands, see the following chapters:
Chapter 16, QoS Rate- and Class-Limiting Configuration: rate- and class-limiting features (metering and policing policies)
Chapter 17, QoS Scheduling Configuration: scheduling features (scheduling policies)
For information about the tasks and commands used to monitor, troubleshoot, and administer QoS, see the
QoS Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note In this chapter, the term, circuit, refers to a port, channel, permanent virtual circuit (PVC), or
link group.
Note In this chapter, the term, first-generation Asynchronous Transfer Mode (ATM) OC traffic
card, refers to a 2-port ATM OC-3c/STM-1c or ATM OC-12c/STM-4c traffic card; similarly,
the term, second-generation ATM OC traffic card, refers to a 2-port ATM OC-3c/STM-1c
media interface card (MIC), 4-port ATM OC-3c/STM-1c or Enhanced ATM OC-12c/STM-4c
traffic card.
The terms, traffic-managed circuit and traffic-managed port, refer to a circuit and port,
respectively, on Fast Ethernet-Gigabit Ethernet (FE-GE), Gigabit Ethernet 3 (GE3) and
Gigabit Ethernet 1020 (GE1020) traffic cards, and Gigabit Ethernet media interface cards (GE
MICs).
Overview
The Internet provides only best-effort service, offering no guarantees on when or whether a packet is
delivered to the receiver. However, the SmartEdge OS offers QoS differentiation based on the subscriber
record, the traffic type, and the application. QoS policies create and enforce levels of service and bandwidth
rates, and prioritize how packets are scheduled into egress queues.
This section includes the following topics:
Circuit Configuration with QoS Policies
Circuit Groups
Hierarchical Configuration for Traffic-Managed Circuits
Propagation of QoS Across Layer 3 and Layer 2 Networks
Circuit Configuration with QoS Policies
You can attach both a metering and a policing policy to any port, channel, or PVC, to cross-connected ATM
and 802.1Q PVCs, and to link groups. QoS metering and policing policies are described in Chapter 16,
QoS Rate- and Class-Limiting Configuration.
Child circuits can inherit the QoS metering and policing policies attached to a parent circuit below which
the child circuits are configured. To enable a child circuit to inherit its parent's metering or policing policy,
configure the keyword inherit or hierarchical on the parent circuit. If you attach a different metering or
policing policy to a child circuit, those policies override the metering or policing policy attached to the
parent circuit unless the policy applied to the parent is configured with the keyword hierarchical. The
keyword hierarchical allows a child circuit that has its own metering or policing policy to inherit its
parent's policy and still be subject to its own policy. For more information about policy inheritance, see the
Policy Inheritance section in Chapter 16, QoS Rate- and Class-Limiting Configuration.
The following types of inheritance are supported:
802.1Q PVC or tunnel from a parent Ethernet port
802.1Q PVC from a parent 802.1Q tunnel
Point-to-Point Protocol over Ethernet (PPPoE) sessions from a parent 802.1Q PVC
PPP and PPPoE sessions from a parent ATM PVC
Note Inheritance can span multiple levels. For example, a policy configured on a port inherited by
a PVC in turn is inherited by PPPoX sessions configured under the PVC unless they have a
specific policy applied.
You can attach a scheduling policy to individual circuits (that are not cross-connected); however, the type
of scheduling policy depends on the type of traffic card. QoS scheduling policies are described in
Chapter 16, QoS Scheduling Configuration.
You can also attach metering, policing, and scheduling policies to subscriber circuits; the type of scheduling
policy depends on the type of traffic card on which the subscriber session is initiated. Layer 2 Tunneling
Protocol (L2TP) network server (LNS) subscriber sessions are limited to priority weighted fair queuing
(PWFQ) policies. To attach a QoS policy of any type to a subscriber circuit, you attach it to the subscriber
record or profile. The system applies the policy to the subscriber circuit (port, channel, or PVC) on which
the session is initiated.
Table 18-1 lists the traffic cards and their circuits to which QoS scheduling policies can be attached.
Note You can also configure a subscriber record or profile to reference a hierarchical node on a
traffic-managed port and attach the PWFQ policy to the hierarchical node. For more
information about hierarchical nodes and traffic-managed ports, see the Hierarchical
Configuration for Traffic-Managed Circuits section. For more information about attaching
PWFQ policies to subscriber records and hierarchical nodes, see the Configuration
Guidelines section.
Note Certain restrictions apply to the attachment of a QoS scheduling policy to a port, channel, or
PVC; for detailed usage guidelines for each type of circuit and policy, see the description for
the qos policy queuing command (in the appropriate circuit configuration mode).
Restrictions also apply to the configuration of the circuit; for information about configuring
traffic card ports, channels, and circuits, see the ATM, Ethernet, and POS Port
Configuration, the Clear-Channel and Channelized Port and Channel Configuration, the
Circuit Configuration, and the Cross-Connection Configuration chapters in the Ports,
Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Table 18-1 QoS Scheduling Policy Support for SmartEdge Traffic Cards
Type | Traffic Card or MIC | Circuit | Policy
First-generation ATM OC | ATM OC-12c/STM-4c IR (1-port); ATM OC-3c/STM-1c IR (2-port) | ATM PVC | EDRR or PQ
Second-generation ATM OC | Enhanced ATM OC-12c/STM-4c IR (1-port); ATM OC-3c/STM-1c IR (4-port) | ATM PVC | ATMWFQ
ATM DS-3 | ATM DS-3 (12-port) | ATM PVC | ATMWFQ
Ethernet | 10/100 Ethernet (12-port) | Port, 802.1Q tunnel, 802.1Q PVC | EDRR or PQ
Fast Ethernet-Gigabit Ethernet | FE (60-port); GE (2-port) | Port, 802.1Q tunnel, 802.1Q PVC | EDRR or PQ
Gigabit Ethernet | GE (4-port); Advanced GE (4-port) | Port, 802.1Q tunnel, 802.1Q PVC | EDRR or PQ
Gigabit Ethernet | 10-Gbps GE (10GE) (1-port) | Port, 802.1Q tunnel, 802.1Q PVC | MDRR
Gigabit Ethernet with traffic management | GE3 (4-port); GE1020 (10-port); GE1020 (20-port); GE (2-port, copper); GE (2-port, optical) | Port, 802.1Q tunnel, 802.1Q PVC, hierarchical node | PWFQ
PDH | Channelized DS-3 (3-port); Channelized DS-3 (12-port) | Clear-channel port, DS-1 channel, Frame Relay PVC | EDRR or PQ
PDH | Clear-Channel DS-3 (12-port); Clear-Channel E3 (6-port) | Port, Frame Relay PVC | EDRR or PQ
PDH | Channelized E1 (24-port) | Clear-channel E1 port, DS-0 channel group, Frame Relay PVC | EDRR or PQ
POS | OC-192c/STM-64c IR, LR or SR (1-port); OC-48c/STM-16c ER (1-port); OC-48c/STM-16c LR (1-port); OC-48c/STM-16c SR (1-port); OC-12c/STM-4c IR (4-port); OC-3c/STM-1c IR (8-port) | Port, Frame Relay PVC | EDRR or PQ
SDH | Channelized STM-1 (3-port) (1) | Clear-channel E1 channel, DS-0 channel group, Frame Relay PVC | EDRR or PQ
SONET | Channelized OC-12 to DS-3 IR (1-port) (2) | Clear-channel DS-3 channel, Frame Relay PVC | EDRR or PQ
SONET | Channelized OC-12 to DS-1 IR (1-port) (3) | Clear-channel DS-3 channel, DS-1 channel, Frame Relay PVC | EDRR or PQ
1. The ports on this traffic card support the following Plesiochronous Digital Hierarchy (PDH) channels: DS-0 channel groups and E1 channels.
2. The ports on this traffic card support the following PDH channels: clear-channel DS-3 channels.
3. The ports on this traffic card support the following PDH channels: DS-1 channels and DS-3 channels.
Circuit Groups
Circuit groups allow you to group arbitrary PVCs for collective metering, policing, and scheduling. You
can group VLANs, for example, to represent a business entity, and apply class-aware or circuit-level rate
limits to the group. In this case, the traffic on all of the member circuits is collectively limited to any
metering, policing, and scheduling rates configured on the circuit group.
Circuit group membership is available for 802.1Q VLANs, 802.1Q PVCs within an 802.1Q tunnel, or a
mix of these circuit types. When hierarchical rate limiting is applied to a circuit group, traffic is first limited
according to any metering or policing policy applied to the member circuit. Subsequently, traffic is limited
again according to any metering or policing policy applied to the circuit group.
Circuit group members cannot themselves have any child circuits configured under them. The following
are specifically precluded in the CLI for circuit-group member PVCs; PVCs with one of these options
already configured cannot join a circuit group:
802.1Q inner PVCs under member 1qtunnel PVCs
The bind authentication option configured with maximum greater than 1
The circuit protocol option configured under multi encapsulation
For information about the circuit-group and circuit-group-member commands (the core circuit group
commands), see the Circuit Configurations chapter in the Ports, Circuits, and Tunnels Configuration
Guide for the SmartEdge OS.
Hierarchical Configuration for Traffic-Managed Circuits
Hierarchical configuration provides two functions to support traffic-managed circuits on Gigabit Ethernet
traffic cards that support traffic management:
Hierarchical scheduling: performs QoS scheduling at the port, 802.1Q tunnel, and 802.1Q PVC levels,
using PWFQ policies.
Hierarchical nodes and node groups: performs QoS scheduling and shaping using PWFQ policies for
subscriber sessions assigned to hierarchical nodes.
These functions are described in the following sections:
Hierarchical Scheduling
Hierarchical Nodes and Node Groups
Hierarchical Scheduling
Hierarchical scheduling operates on PWFQ queues in either of two modes: strict and weighted round robin
(WRR). In a PWFQ policy, each queue is assigned a priority and a relative weight, which are used as
follows:
In strict mode, each queue is serviced according to the priority that you assigned to the queue.
In WRR mode, each queue is serviced in round-robin order according to its priority and its traffic share,
as determined by the relative weight that you assigned to the queue.
You can specify hierarchical scheduling at any level (port, 802.1Q tunnel, and 802.1Q PVC) on a
traffic-managed port and on multiple levels. A level that does not have hierarchical scheduling specified
inherits the scheduling specified at the next higher level.
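The two servicing modes, as an added illustration in Python that is not SmartEdge OS code: it assumes that priority 0 is the highest and that WRR visits the queues in priority order serving up to `weight` packets per visit, and it uses a constructed three-queue backlog to show that strict mode starves the lowest queue while WRR gives every queue its weighted share.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Queue:
    """One PWFQ queue: a priority and a relative weight, plus its backlog.
    Assumption for this model: priority 0 is the highest."""
    name: str
    priority: int
    weight: int
    backlog: deque = field(default_factory=deque)


def schedule_strict(queues, limit):
    """Strict mode: every service decision picks the highest-priority queue
    that still holds packets, so lower queues wait until it drains."""
    order = sorted(queues, key=lambda q: q.priority)
    served = []
    while len(served) < limit:
        q = next((q for q in order if q.backlog), None)
        if q is None:          # all queues are empty
            break
        served.append((q.name, q.backlog.popleft()))
    return served


def schedule_wrr(queues, limit):
    """WRR mode: visit the queues round robin in priority order; each visit
    serves up to `weight` packets, so a queue's traffic share follows its
    relative weight instead of its priority alone."""
    order = sorted(queues, key=lambda q: q.priority)
    served = []
    while len(served) < limit and any(q.backlog for q in order):
        for q in order:
            for _ in range(q.weight):
                if not q.backlog or len(served) >= limit:
                    break
                served.append((q.name, q.backlog.popleft()))
    return served


def build_queues():
    """Constructed sample backlog (not from the page): a voice queue, a
    business-data queue with triple weight, and a best-effort queue."""
    return [
        Queue("voice", priority=0, weight=1, backlog=deque(f"v{i}" for i in range(3))),
        Queue("business", priority=1, weight=3, backlog=deque(f"b{i}" for i in range(6))),
        Queue("best-effort", priority=2, weight=1, backlog=deque(f"e{i}" for i in range(6))),
    ]


def share(served):
    """Count how many service slots each queue received."""
    counts = {}
    for name, _ in served:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print("strict:", share(schedule_strict(build_queues(), 8)))
    print("wrr:   ", share(schedule_wrr(build_queues(), 8)))
```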
Hierarchical Nodes and Node Groups
A hierarchical node functions as an individual circuit, such as an 802.1Q PVC; you can assign a traffic rate
and attach a PWFQ policy to it. In addition, you can specify the scheduling mode for the queues defined
by the PWFQ policy, either strict or WRR.
Each node is a member of a node group. Like the individual nodes within it, a node group functions as a
circuit, such as an 802.1Q tunnel. You can assign a traffic rate and a scheduling mode (which might not be
the same traffic rate or scheduling mode assigned to any of the nodes within the group) to a node group;
node groups do not support PWFQ policies.
When you configure a subscriber record or profile to reference a hierarchical node, all sessions for that
subscriber are governed by the QoS PWFQ policy attached to that node and to the hierarchical scheduling
for the node and for the node group.
Note Hierarchical nodes and scheduling are supported only on traffic-managed ports and circuits.
Propagation of QoS Across Layer 3 and Layer 2 Networks
You can configure the SmartEdge OS to propagate IP Differentiated Services Code Point (DSCP) settings
in Layer 3 packets as they travel across Ethernet virtual LANs (VLANs), Multiprotocol Label Switching
(MPLS) networks, and Layer 2 Tunneling Protocol (L2TP) networks. Conversely, Ethernet 802.1p priority
bits, MPLS experimental (EXP) bits, and DSCP settings in Layer 3 packets encapsulated in L2TP packets
can be propagated across IP networks. DSCP drop precedence settings can be propagated to the ATM cell
loss priority (CLP) bit; however, the reverse is not true.
QoS propagation for a packet uses a packet descriptor (PD), a SmartEdge OS data structure that
associates attributes with a forwarded packet that are not stored in the packet's actual headers or payload.
The PD includes a three-bit priority field and a three-bit drop-precedence field, as shown in Figure 18-1.
The SmartEdge OS uses these PD fields to perform the following functions for an incoming Layer 2 packet:
1. Depending on configuration for the inbound circuit protocol, the SmartEdge OS populates the PD for
this packet, using one of the following functions:
a. If a QoS propagate from command is configured for the Layer 2 protocol, the SmartEdge OS copies
the priority bits from the Layer 2 header to the priority field in the PD. If no classification map is
specified, depending on the Layer 2 protocol (MPLS, 802.1Q, or L2TP), the SmartEdge OS copies
the priority field in the PD to the DSCP bits in the Layer 3 header.
b. If no QoS propagate from command is configured, the SmartEdge OS copies the three most
significant DSCP bits from the Layer 3 header in the incoming packet to the priority field in the PD
and the drop precedence settings in that header to the drop field in the PD.
2. If a QoS policing policy (which can include a policy access control list (ACL)) that includes a mark
command (of any type) is attached to the inbound circuit, the SmartEdge OS modifies the bits in the
priority and drop fields in the PD based on the policy.
A decision is made whether to forward the incoming Layer 3 packet to the outbound circuit for further
QoS processing.
Figure 18-1 Propagation of QoS Across Layer 3 and Layer 2 Networks
Note You can also attach a PWFQ policy directly to a subscriber record or profile. However, if you
attach a PWFQ policy to the subscriber record and another PWFQ policy to the hierarchical
node, the policy that you attach to the subscriber record supersedes the policy that you attach
to the hierarchical node.
3. If a QoS metering policy (which can include a policy ACL) that includes a mark command (of any type)
is attached to the outbound circuit, the SmartEdge OS modifies the bits in the priority and drop fields in the
PD based on the policy.
4. The SmartEdge OS encapsulates the Layer 3 packet in a Layer 2 packet, using one of the following
functions:
a. If a QoS propagate to command is configured for the Layer 2 protocol, the SmartEdge OS copies
the priority field in the PD to the priority bits in the Layer 2 header.
b. If no QoS propagate to command is configured, the SmartEdge OS sets the priority bits in the
Layer 2 header to the default (lowest) priority.
5. The SmartEdge OS uses the priority field in the PD to determine the egress queue for the outgoing
packet, and the drop-precedence field to determine the relative priority within that queue.
The following sections further describe QoS propagation:
Propagation of QoS from IP to ATM
Propagation of QoS Between IP and Ethernet
Propagation of QoS Between IP and MPLS
Propagation of QoS Between IP and L2TP
Propagation of QoS from IP to ATM
The CLP bit in the ATM header of a cell provides a method of controlling the discarding of cells in a
congested ATM environment. A CLP bit can be set to either 0 (default) or 1, and ATM cells with a setting of
1 are discarded before cells with a setting of 0. When you use the clpbit propagate qos to atm command
to propagate the DSCP bits from IP packets to the CLP bit, the DSCP bits in the PD are used to determine
if the CLP bit should be set and thus which ATM cells to discard in a congested ATM network. DSCP bits
are mapped to the ATM CLP bit as described in Table 18-2.
Table 18-2 Mapping DSCP Bits to the ATM CLP Bit
DSCP | ATM CLP Bit
Network Control | 0
Reserved | 0
EF | 0
AF11, AF21, AF31, AF41 | 0
AF12, AF22, AF32, AF42 | 1
AF13, AF23, AF33, AF43 | 1
DF | 1
Note This default mapping can be modified using the clpbit propagate qos to atm command (in
ATM profile configuration mode) in conjunction with an ATM egress class map.
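As an added worked example (not SmartEdge OS code), the following Python models step 1b of the propagation procedure above, which fills the PD priority and drop-precedence fields from a packet's DSCP, and then applies the default DSCP-to-CLP mapping of Table 18-2. The numeric codepoints (EF = 46, the AFxy values of RFC 2597, CS6/CS7 read as Network Control, DF = 0) and the treatment of every other codepoint as the table's Reserved row are assumptions of this example.

```python
from dataclasses import dataclass

# Codepoint values assumed from the DiffServ RFCs; the page names only the classes.
EF = 46
DF = 0
NETWORK_CONTROL = {48, 56}   # CS6 and CS7, read here as the "Network Control" row


@dataclass(frozen=True)
class PacketDescriptor:
    priority: int          # three-bit PD priority field
    drop_precedence: int   # three-bit PD drop-precedence field


def pd_from_dscp(dscp):
    """Step 1b: the three most significant DSCP bits become the PD priority
    field; the drop-precedence bits of the codepoint become the drop field."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return PacketDescriptor(priority=dscp >> 3, drop_precedence=(dscp >> 1) & 0x3)


def dscp_class(dscp):
    """Name the PHB a codepoint belongs to, using the rows of Table 18-2."""
    if dscp == DF:
        return "DF"
    if dscp == EF:
        return "EF"
    if dscp in NETWORK_CONTROL:
        return "Network Control"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    return "Reserved"   # assumption: everything else is the table's Reserved row


def clp_bit(dscp):
    """Default Table 18-2 mapping: DF and the AFx2/AFx3 drop precedences are
    marked CLP=1 (discarded first under congestion); the rest get CLP=0."""
    name = dscp_class(dscp)
    if name == "DF":
        return 1
    if name.startswith("AF"):
        return 1 if name[-1] in "23" else 0
    return 0


if __name__ == "__main__":
    for dscp in (46, 10, 12, 14, 0, 48):
        pd = pd_from_dscp(dscp)
        print(f"DSCP {dscp:2d} {dscp_class(dscp):16s} priority={pd.priority} "
              f"drop={pd.drop_precedence} CLP={clp_bit(dscp)}")
```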
Propagation of QoS Between IP and Ethernet
802.1p priority is carried in virtual LAN (VLAN) tags defined in IEEE 802.1p. A field in the VLAN tag
carries one of eight priority values (3 bits in length), recognizable by Layer 2 devices. This marking
determines the service level the packet receives when crossing an 802.1p-enabled network segment. DSCP
priority bits are mapped to Ethernet 802.1p bits, in either or both directions, depending on whether you
configure the qos propagate from ethernet and qos propagate to ethernet commands (in dot1q profile
configuration mode). As shown in Figure 18-2, the following steps occur for an incoming 802.1Q packet:
1. As an 802.1Q packet enters the SmartEdge router, its 802.1p bits are copied to the PD QoS priority field,
if you use the propagate qos from ethernet command (in dot1q profile configuration mode) to
propagate Ethernet 802.1p user priority bits and do not specify a classification map. If you do specify
a classification map, the 802.1p bits are mapped to the PD QoS value.
2. The PD priority value is copied to the DSCP field in the Layer 3 packet, if you use the propagate qos from ethernet
command (in dot1q profile configuration mode) to propagate Ethernet 802.1p user priority bits and do
not specify a classification map.
Figure 18-2 Propagation of QoS Between IP and Ethernet
When the SmartEdge router prepares to forward a packet on an 802.1Q virtual LAN (VLAN), the PD
priority value is copied to the 802.1p field of the outgoing packet, if you use the propagate qos to ethernet
command (in dot1q profile configuration mode) to propagate PD priority values.
If you create a classification map using the qos class-map command and reference it in qos propagate to
ethernet syntax, the PD priority value is mapped to the 802.1p field, rather than copied.
Note You can also use the mark dscp, mark priority, and mark precedence commands (in
metering policy or policing policy configuration mode) to indirectly set the ATM CLP bit
when using the clpbit propagate qos to atm command to propagate the DSCP bits from IP
packets to the CLP bit.
Propagation of QoS Between IP and MPLS
MPLS EXP bits use one of eight priority values (3 bits in length), recognizable by Layer 2 devices. This
marking determines the service level the packet receives when crossing an MPLS-enabled network
segment. On ingress, MPLS EXP values are mapped to PD priority values, by default. You can modify the
default mapping by doing one of the following:
Specifying a custom mapping using the propagate from mpls command with the class-map map-name
construct (in MPLS router configuration mode)
Specifying to copy the IP header DSCP value to the PD priority value using the egress prefer dscp-qos
command (in MPLS router configuration mode)
On egress, if you use the qos propagate to mpls command (in MPLS router configuration mode), PD bits
are mapped to MPLS EXP bits if you specify a classification map; see Figure 18-3.
In addition, the EXP value can be copied to the priority field of the packet's IP header DSCP field by
entering the qos propagate from mpls command without specifying a classification map.
Figure 18-3 Propagation of QoS Between IP and MPLS
Propagation of QoS Between IP and L2TP
With L2TP packets, the DSCP and the precedence bits of the original IP packet are copied. The downstream
process, from the network to the SmartEdge router configured as an LNS, then to the SmartEdge router
configured as an L2TP access concentrator (LAC), and finally to the subscriber, is illustrated in Figure 18-4:
Figure 18-4 Propagation of QoS Downstream from the Network
The downstream propagation process follows:
1. At the LNS, the SmartEdge OS copies the DSCP bits from the inner subscriber IP packet header in the
incoming IP packet to the PD priority field.
2. The SmartEdge OS then copies the priority field to the DSCP bits in the outer L2TP IP packet header,
using the propagate qos to l2tp command (in L2TP peer configuration mode), if configured. If the
command is not configured, it sets the DSCP bits to the default (lowest) priority.
3. The SmartEdge OS selects an egress queue for the L2TP packet, based on the priority field.
4. At the LAC, the SmartEdge OS copies the DSCP bits in the outer L2TP IP packet header to the PD
priority field.
5. The SmartEdge OS then copies the DSCP bits from the inner subscriber IP packet header to the PD
priority field, using the propagate qos from subscriber command (in L2TP peer configuration mode)
with the downstream keyword, if configured. This operation overwrites the priority field set by step 4.
6. The SmartEdge OS selects an egress queue, based on the priority field in the PD.
The upstream process, from the subscriber to the SmartEdge router configured as a LAC, then to the SmartEdge
router configured as an LNS, and finally to the network, is illustrated in Figure 18-5.
Figure 18-5 Propagation of QoS Upstream from the Subscriber
The upstream propagation process follows:
1. At the LAC, if the propagate qos from subscriber command (in L2TP peer configuration mode) with
the upstream keyword is configured, the SmartEdge OS copies the DSCP bits from the inner subscriber
IP packet header in the incoming IP packet to the priority field in the PD. If the propagate qos from
subscriber command is not configured, it sets the priority field to the default (lowest) priority.
2. The SmartEdge OS then copies the priority field to the DSCP bits in the outer L2TP IP packet header,
using the propagate qos to l2tp command (in L2TP peer configuration mode), if configured. If the
command is not configured, it sets the DSCP bits to the default priority.
3. The SmartEdge OS selects an egress queue for the L2TP packet based on the priority field.
4. At the LNS, the SmartEdge OS copies the DSCP bits from the outer L2TP IP packet header in the
incoming IP packet to the priority field in the PD.
5. The SmartEdge OS then copies the priority field to the DSCP bits in the inner subscriber IP packet
header, using the propagate qos from l2tp command (in L2TP peer configuration mode), if configured
with no classification map specified. If this command is not used, the inner subscriber IP packet header
is not altered.
6. The SmartEdge OS selects an egress queue for the IP packet based on the priority field.
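The downstream and upstream procedures above, as an added Python model that is not SmartEdge OS code: each hop is a function returning the PD priority field (which selects the egress queue) and the DSCP it leaves in the outer or inner IP header, and the propagate commands are boolean flags. It assumes the lowest priority is 0 and that a priority-to-DSCP copy writes the three bits back as a class selector (priority << 3), so EF (46) survives a tunnel as CS5 (40) when rewritten.

```python
# Modelling assumptions (not from the page): lowest priority is 0; the
# DSCP-to-priority copy keeps the three most significant DSCP bits, and the
# reverse copy writes the priority back as a class selector (priority << 3).
LOWEST = 0


def priority_from_dscp(dscp):
    return dscp >> 3


def dscp_from_priority(priority):
    return priority << 3


def lns_downstream(inner_dscp, propagate_to_l2tp):
    """Downstream steps 1-3 at the LNS: returns the PD priority (which picks
    the egress queue) and the DSCP written into the outer L2TP IP header."""
    pd_priority = priority_from_dscp(inner_dscp)            # step 1
    if propagate_to_l2tp:
        outer_dscp = dscp_from_priority(pd_priority)        # step 2, configured
    else:
        outer_dscp = dscp_from_priority(LOWEST)             # step 2, not configured
    return pd_priority, outer_dscp


def lac_downstream(inner_dscp, outer_dscp, propagate_from_subscriber_downstream):
    """Downstream steps 4-6 at the LAC: returns the PD priority used for the
    egress queue towards the subscriber."""
    pd_priority = priority_from_dscp(outer_dscp)            # step 4
    if propagate_from_subscriber_downstream:
        pd_priority = priority_from_dscp(inner_dscp)        # step 5 overwrites step 4
    return pd_priority


def lac_upstream(inner_dscp, propagate_from_subscriber_upstream, propagate_to_l2tp):
    """Upstream steps 1-3 at the LAC."""
    if propagate_from_subscriber_upstream:
        pd_priority = priority_from_dscp(inner_dscp)        # step 1, configured
    else:
        pd_priority = LOWEST                                # step 1, not configured
    outer_dscp = dscp_from_priority(pd_priority if propagate_to_l2tp else LOWEST)  # step 2
    return pd_priority, outer_dscp


def lns_upstream(inner_dscp, outer_dscp, propagate_from_l2tp):
    """Upstream steps 4-6 at the LNS: returns the PD priority and the inner
    DSCP as forwarded to the network (rewritten only when configured)."""
    pd_priority = priority_from_dscp(outer_dscp)            # step 4
    if propagate_from_l2tp:                                 # step 5, no class map
        inner_dscp = dscp_from_priority(pd_priority)
    return pd_priority, inner_dscp


def downstream(inner_dscp, to_l2tp, from_subscriber_downstream):
    """Whole downstream path: (LNS queue priority, LAC queue priority)."""
    lns_priority, outer = lns_downstream(inner_dscp, to_l2tp)
    return lns_priority, lac_downstream(inner_dscp, outer, from_subscriber_downstream)


def upstream(inner_dscp, from_subscriber_upstream, to_l2tp, from_l2tp):
    """Whole upstream path: (LAC priority, LNS priority, inner DSCP sent on)."""
    lac_priority, outer = lac_upstream(inner_dscp, from_subscriber_upstream, to_l2tp)
    lns_priority, inner = lns_upstream(inner_dscp, outer, from_l2tp)
    return lac_priority, lns_priority, inner


if __name__ == "__main__":
    EF = 46   # constructed sample: subscriber traffic marked EF
    print("downstream, propagate to l2tp only:", downstream(EF, True, False))
    print("downstream, nothing configured:    ", downstream(EF, False, False))
    print("upstream, all three configured:    ", upstream(EF, True, True, True))
```

Without propagate qos to l2tp the LAC sees the outer header at the lowest priority, and only propagate qos from subscriber downstream restores the subscriber's marking at the second hop.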
Configuration Tasks
To configure circuits for QoS features, perform the tasks described in the following sections:
Configuration Guidelines
Configure an ATM PVC for QoS
Configure an Ethernet Circuit for QoS
Configure a PDH Circuit for QoS
Configure a POS Circuit for QoS
Configure Cross-Connected Circuits for QoS
Configure a Subscriber Circuit for QoS
Configure QoS Propagation (Optional)
Configure L2TP for QoS
Configure MPLS for QoS
Attach QoS Policies to a Circuit Group and Assign Members to the Group
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section. You can enter unnumbered tasks in any sequence.
Configuration Guidelines
This section includes configuration guidelines that affect more than one command or a combination of
commands:
If you attach an enhanced deficit round-robin (EDRR) or modified deficit round-robin (MDRR) policy
to a PVC, you must also attach it to the port on which you have configured the PVC.
Channelized DS-3 traffic cards support the attachment of EDRR and PQ policies with two to eight
queues to DS-1 channels. However, the total number of queues that are supported on any DS-3 traffic
card is limited to 1,018 queues; 348 of which are reserved by the system and 670 of which are available
for QoS scheduling policies. Therefore, you can configure up to 167 DS-1 channels with 4-queue
policies and up to 83 DS-1 channels with 8-queue policies.
If you attach a PWFQ policy to a hierarchical node and another PWFQ policy directly to the subscriber
record that references that node, the subscriber session is governed by the PWFQ policy attached
directly to the subscriber record.
Subscriber traffic is managed differently with PWFQ policies attached directly to the subscriber record
and attached to the hierarchical node:
If you attach the policy directly to the subscriber record, the traffic for that subscriber has its own
set of queues.
If you reference a hierarchical node that has an attached PWFQ policy, the traffic for that subscriber
shares the queues for that policy with all other subscribers that reference that node.
The following guidelines apply to cross-connected circuits:
When you attach a QoS metering or policing policy to a cross-connected circuit, you can attach a
policy to each individual circuit before or after you make the cross-connection.
You can attach a different metering or policing policy to each circuit.
You can attach both a metering and a policing policy to each circuit.
Scheduling policies are not supported on cross-connected circuits.
The following guidelines apply to Ethernet and 802.1Q link groups:
You attach a policy to an Ethernet port rather than the link group of which it is a member; you attach
the policy using one of the QoS policy commands (qos policy metering, qos policy policing, qos
policy queuing) in port configuration mode.
You can attach any type of QoS policy that is supported by that type of Ethernet port. These include
metering, policing, EDRR, MDRR, PQ, and PWFQ policies. However, to preserve the operational
characteristics of a link group, attach the same set of policies (metering, policing, and scheduling)
to every constituent port in the link group.
Configure an ATM PVC for QoS
To configure an ATM PVC for QoS, perform the tasks described in the following sections:
Configure a PVC on a First-Generation ATM OC Traffic Card
Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card
Configure a PVC on a First-Generation ATM OC Traffic Card
To configure an ATM PVC on a first-generation ATM OC traffic card, perform the tasks described in Table 18-3; enter all commands in ATM PVC configuration mode, unless otherwise noted.
Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card
To configure an ATM PVC on a second-generation ATM OC or ATM DS-3 traffic card, perform the tasks described in Table 18-4; enter all commands in ATM PVC configuration mode, unless otherwise noted.
Table 18-3 Configure a PVC on a First-Generation ATM OC Traffic Card
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate the CLP bit to PD values in ATM cells. | clpbit propagate qos from atm | Enter this command in ATM profile configuration mode.
For packets going out of the SmartEdge router, propagate IP DSCP bits to the CLP bit in ATM cells. | clpbit propagate qos to atm | Enter this command in ATM profile configuration mode.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Possible policy types are EDRR and PQ. You must attach an EDRR policy to both the port and the PVC. To attach the EDRR policy to the port, enter this command in ATM OC configuration mode.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | Enter this command in ATM OC configuration mode. By default, the mode is normal. Only one mode type is supported on a single port.
Table 18-4 Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate the CLP bit to PD values in ATM cells. | clpbit propagate qos from atm | Enter this command in ATM profile configuration mode.
For packets going out of the SmartEdge router, propagate IP DSCP bits to the CLP bit in ATM cells. | clpbit propagate qos to atm | Enter this command in ATM profile configuration mode.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy to a PVC. | qos policy queuing | Only ATMWFQ policies are supported; you can attach them only to PVCs. An ATMWFQ policy cannot be attached to a PVC that is shaped as UBRe.
Configure an Ethernet Circuit for QoS
To configure a circuit on any Ethernet traffic card for QoS, including any version of a Gigabit Ethernet traffic card, perform the tasks described in the following sections:
Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS
Configure a Traffic-Managed Port for Hierarchical Scheduling
Configure a Traffic-Managed Port for Hierarchical Nodes
Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS
To configure an Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet (any version) port, 802.1Q tunnel, or 802.1Q PVC, perform the tasks described in Table 18-5; enter all commands in port or dot1q PVC configuration mode, unless otherwise noted.
Table 18-5 Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate Ethernet 802.1p user priority bits to IP DSCP bits. | propagate qos from ethernet | Enter this command in dot1q profile configuration mode.
For packets going out of the SmartEdge router, propagate IP DSCP bits to Ethernet 802.1p user priority bits. | propagate qos to ethernet | Enter this command in dot1q profile configuration mode.
Assign a priority group to the port, tunnel, or PVC. | qos priority | The QoS bit setting for packets traveling across the ingress circuit is not changed by the priority group assignment. Not supported for CCOD ranges of 802.1Q PVCs.
Attach an overhead profile to a port or an 802.1Q PVC. | qos profile overhead |
Attach a policing policy to the port, tunnel, or PVC. | qos policy policing |
Set the rate for outgoing traffic for a Gigabit Ethernet port. | qos rate |
Attach a metering policy to a port, tunnel, or PVC. | qos policy metering |
Attach a scheduling policy to a port, tunnel, or PVC. | qos policy queuing | Possible policy types are EDRR, MDRR, PQ, and PWFQ. EDRR and PQ policies are not supported on traffic-managed circuits; these circuits support only PWFQ policies. MDRR policies are supported only on 10GE circuits.
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic. Not supported for CCOD ranges of 802.1Q PVCs.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.
Configure a Traffic-Managed Port for Hierarchical Scheduling
To configure a traffic-managed port and any 802.1Q tunnels and PVCs configured on it for hierarchical scheduling with a PWFQ policy, perform the tasks described in Table 18-6; enter all commands in port configuration mode, unless otherwise noted. For information about the dot1q pvc command (in port configuration mode), see the Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Table 18-6 Configure a Traffic-Managed Port for Hierarchical Scheduling
# | Task | Root Command | Notes
1 | Set the maximum and minimum rates for the port. | qos rate | You must specify the maximum rate; the minimum rate is optional.
2 | Specify the scheduling algorithm for the port. | qos hierarchical mode strict |
3 | Attach a PWFQ policy to the port. | qos policy queuing | You can attach a policy to any or all 802.1Q tunnels and PVCs as well as the port.
4 | Create one or more 802.1Q tunnels or PVCs and access dot1q PVC configuration mode. | dot1q pvc |
5 | Set the maximum and minimum rates for the tunnel or PVC. | qos rate | Enter this command in dot1q PVC configuration mode. You must specify the maximum rate; the minimum rate is optional. You cannot set a minimum rate if you also assign a relative weight to this PVC.
6 | Assign a relative weight to this PVC. | qos weight | Enter this command in dot1q PVC configuration mode. You cannot assign a relative weight if you also set a minimum rate for this PVC.
7 | Specify the scheduling algorithm for the tunnel or PVC. | qos hierarchical mode strict | Enter this command in dot1q PVC configuration mode.
8 | Attach a PWFQ policy to the tunnel or PVC. | qos policy queuing | Enter this command in dot1q PVC configuration mode. You can attach a policy to any or all tunnels and PVCs, as well as the port.
Configure a Traffic-Managed Port for Hierarchical Nodes
To configure a traffic-managed port for hierarchical nodes and node groups, and to attach PWFQ policies to them, perform the tasks described in Table 18-7; enter all commands in port configuration mode, unless otherwise noted.
Table 18-7 Configure a Traffic-Managed Port for Hierarchical Nodes
# | Task | Root Command | Notes
1 | Set the maximum and minimum rates for the port. | qos rate | You must specify the maximum rate; the minimum rate is optional.
2 | Specify the scheduling algorithm for the port. | qos hierarchical mode strict |
3 | Create one or more hierarchical node groups and access hierarchical node group configuration mode. | qos node-group |
4 | Set the maximum and minimum rates for the node groups. | qos rate | Enter this command in hierarchical node group configuration mode. You must specify the maximum rate; the minimum rate is optional. You cannot set a minimum rate if you also assign a relative weight to this node group.
5 | Assign a relative weight to this node group. | qos weight | Enter this command in hierarchical node group configuration mode. You cannot assign a relative weight if you also set a minimum rate for this node group.
6 | Specify the scheduling algorithm for the node groups. | qos hierarchical mode strict | Enter this command in hierarchical node group configuration mode. The mode need not be the same as the one you specify for the port.
7 | Create one or more hierarchical nodes and access hierarchical node configuration mode. | qos node | Enter this command in hierarchical node group configuration mode.
8 | Set the maximum and minimum rates for these nodes. | qos rate | Enter this command in hierarchical node configuration mode. You must specify the maximum rate; the minimum rate is optional. You cannot set a minimum rate if you also assign a relative weight to this node.
9 | Assign a relative weight to these nodes. | qos weight | Enter this command in hierarchical node configuration mode. You cannot assign a relative weight if you also set a minimum rate for this node.
10 | Specify the scheduling algorithm for these nodes. | qos hierarchical mode strict | Enter this command in hierarchical node configuration mode. The mode need not be the same as the one you specify for the port or node group.
11 | Attach a PWFQ policy to these nodes. | qos policy queuing | Enter this command in hierarchical node configuration mode. The policy need not be the same as the one you attach to the port, tunnel, or PVC.
Configure a PDH Circuit for QoS
To configure a PDH circuit (port, channel, PVC, or link group) for QoS, perform the tasks described in Table 18-8; enter all commands in DS-0 group, DS-1, DS-3, E1, E3, link group, or Frame Relay PVC configuration mode (depending on the type of PDH circuit), unless otherwise noted.
Configure a POS Circuit for QoS
To configure a circuit on a Packet over SONET/SDH (POS) traffic card for QoS, perform the tasks described in Table 18-9; enter all commands in port configuration mode.
Table 18-8 Configure a PDH Circuit for QoS
Task | Root Command | Notes
Assign a priority group. | qos priority | The QoS bit setting for packets traveling across the ingress circuit is not changed by the priority group assignment.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Policy types include EDRR and PQ.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.
Table 18-9 Configure a POS Circuit for QoS
Task | Root Command | Notes
Assign a priority group. | qos priority | The QoS bit setting for packets traveling across the ingress circuit is not changed by the priority group assignment.
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Policy types include EDRR and PQ.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.
Configure Cross-Connected Circuits for QoS
To configure a cross-connected circuit for QoS, perform the tasks described in Table 18-10; you can perform them in any order. You cannot attach a scheduling policy to a cross-connected circuit; only metering and policing policies are supported, on either or both circuits.
Configure a Subscriber Circuit for QoS
You configure a subscriber circuit (or an LNS subscriber session) for QoS by configuring the subscriber record or profile. To configure a subscriber record or profile, and thus any circuit on which the subscriber session is created, perform one or more of the tasks described in Table 18-11; enter all commands in subscriber configuration mode, unless otherwise noted.
Table 18-10 Configure a Cross-Connected Circuit for QoS
Task | Root Command | Notes
Configure the inbound circuit for QoS with one of the following tasks: | |
An inbound ATM PVC. | | Perform the tasks in Table 18-3 or Table 18-4, but do not attach a scheduling policy.
An inbound 802.1Q PVC. | | Perform the tasks in Table 18-5, but do not attach a scheduling policy.
Configure the outbound circuit for QoS with one of the following tasks: | |
An outbound ATM PVC. | | Perform the tasks in Table 18-3 or Table 18-4, but do not attach a scheduling policy.
An outbound 802.1Q PVC. | | Perform the tasks in Table 18-5, but do not attach a scheduling policy.
Create the cross-connection between the inbound and outbound circuits. | xc | Enter this command in global configuration mode. For information about this command, see the Cross-Connection Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
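The attachment rules stated in Table 18-6, Table 18-7 and the cross-connect guidelines are easy to violate in a long configuration session: a maximum rate is required wherever a minimum rate or a relative weight is set; a minimum rate and a relative weight are mutually exclusive on a PVC, node group or node; EDRR and PQ policies are not supported on traffic-managed circuits; and no scheduling policy may be attached to a cross-connected circuit. The following Python script is an added example, not part of the SmartEdge OS documentation or software: it reads a configuration transcript in the prompt form used by the examples in this chapter and reports violations of those rules. The sample transcript and the policy-name-to-type table are constructed for the demonstration (policy definitions are configured in the QoS policy chapters, not here), and treating a port configured with qos hierarchical mode strict, together with everything under it, as traffic-managed is an assumption of the script.

```python
"""Lint a SmartEdge-style QoS configuration transcript against the attachment
rules in the QoS circuit configuration tables. Added example, not SmartEdge OS
code; the sample transcript and the policy table below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Prompt form used by the examples in this chapter: [context]Host(mode)#command
PROMPT = re.compile(r"^\[[^\]]+\]\w+\((?P<mode>[^)]+)\)#(?P<cmd>.*)$")

@dataclass
class Circuit:
    name: str
    parent: Optional[str] = None   # name of the enclosing circuit, if any
    rate_max: Optional[int] = None
    rate_min: Optional[int] = None
    weight: Optional[int] = None
    queuing: Optional[str] = None  # name of the attached scheduling policy
    hierarchical: bool = False     # 'qos hierarchical mode strict' configured

def parse_transcript(text):
    """Return (circuits by name, set of cross-connected circuit names)."""
    circuits, xc_endpoints = {}, set()
    port = group = current = None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not (tok := m["cmd"].split()):
            continue
        if tok[0] == "port" and len(tok) >= 3:            # port ethernet 5/1
            port = current = circuits.setdefault(tok[2], Circuit(tok[2]))
            group = None
        elif tok[:2] == ["dot1q", "pvc"] and port:        # dot1q pvc 200 ...
            name = f"{port.name} vlan-id {tok[2]}"
            current = circuits.setdefault(name, Circuit(name, port.name))
        elif tok[:2] == ["qos", "node-group"] and port:   # q os node-group home 1
            name = f"{port.name} node-group {' '.join(tok[2:])}"
            group = current = circuits.setdefault(name, Circuit(name, port.name))
        elif tok[:2] == ["qos", "node"] and port:         # qos node dslam 1 through 5
            owner = group or port
            name = f"{owner.name} node {' '.join(tok[2:])}"
            current = circuits.setdefault(name, Circuit(name, owner.name))
        elif tok[0] == "xc" and len(tok) >= 8:            # xc 4/1 vlan-id 2001 to 4/3 vlan-id 2001
            xc_endpoints.update({f"{tok[1]} vlan-id {tok[3]}", f"{tok[5]} vlan-id {tok[7]}"})
        elif current is not None:
            # Port mode applies to the port (also after 'exit' from a PVC); any other
            # mode applies to the circuit entered last.
            target = port if m["mode"] == "config-port" else current
            if tok[:3] == ["qos", "rate", "maximum"]:
                target.rate_max = int(tok[3])
            elif tok[:3] == ["qos", "rate", "minimum"]:
                target.rate_min = int(tok[3])
            elif tok[:2] == ["qos", "weight"]:
                target.weight = int(tok[2])
            elif tok[:3] == ["qos", "policy", "queuing"]:
                target.queuing = tok[3]
            elif tok[:3] == ["qos", "hierarchical", "mode"]:
                target.hierarchical = True
    return circuits, xc_endpoints

def is_traffic_managed(c, circuits):
    """Assumption: a port with 'qos hierarchical mode strict' and everything under it."""
    while c is not None:
        if c.hierarchical:
            return True
        c = circuits.get(c.parent) if c.parent else None
    return False

def check(circuits, xc_endpoints, policy_types):
    """policy_types maps a scheduling policy name to pwfq, pq, edrr, mdrr or atmwfq."""
    problems = []
    for c in circuits.values():
        if c.rate_min is not None and c.weight is not None:
            problems.append(f"{c.name}: minimum rate and relative weight are mutually exclusive")
        if c.rate_max is None and (c.rate_min is not None or c.weight is not None or c.hierarchical):
            problems.append(f"{c.name}: qos rate maximum is required")
        if c.queuing and c.name in xc_endpoints:
            problems.append(f"{c.name}: scheduling policy {c.queuing} on a cross-connected circuit")
        ptype = policy_types.get(c.queuing or "", "unknown")
        if ptype in ("edrr", "pq") and is_traffic_managed(c, circuits):
            problems.append(f"{c.name}: {ptype.upper()} policy {c.queuing} on a traffic-managed circuit (only PWFQ)")
    return problems

def lint(text, policy_types):
    circuits, xc_endpoints = parse_transcript(text)
    return check(circuits, xc_endpoints, policy_types)

# Constructed transcript: a valid traffic-managed port plus four deliberate mistakes.
SAMPLE = """\
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos hierarchical mode strict
[local]Redback(config-port)#qos policy queuing pwfq-port
[local]Redback(config-port)#dot1q pvc 200
[local]Redback(config-dot1q-pvc)#qos rate minimum 10000
[local]Redback(config-dot1q-pvc)#qos weight 5
[local]Redback(config-dot1q-pvc)#dot1q pvc 201
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing
[local]Redback(config)#xc 5/1 vlan-id 201 to 5/3 vlan-id 201
"""
POLICY_TYPES = {"pwfq-port": "pwfq", "PerVcQueuing": "pq"}  # constructed policy table
```

Running lint(SAMPLE, POLICY_TYPES) reports the two rate problems on PVC 200 and, for PVC 201, both the scheduling policy on a cross-connected circuit and the PQ policy on a traffic-managed circuit; the port itself, with its maximum rate and PWFQ policy, passes.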
Table 18-11 Configure a Subscriber Circuit for QoS
Task | Root Command | Notes
Create a reference to a hierarchical node. | qos node-reference |
Attach a policing policy. | qos policy policing |
Attach a metering policy. | qos policy metering |
Optional. Specify the circuit rate, if different from the rate specified by the attached metering and policing policies. | rate circuit | You can specify rates for both inbound and outbound traffic.
Attach a scheduling policy. | qos policy queuing | Policy types include ATMWFQ, EDRR, MDRR, PQ, and PWFQ. Only PWFQ policies are supported for LNS subscriber sessions.
Attach an overhead profile to a subscriber record. | qos profile overhead | Enter this command in port configuration mode.
Optional. Modify the mode of an EDRR policy algorithm. | qos mode | By default, the mode is normal. Only one mode type is supported on a single port.
Configure QoS Propagation (Optional)
To create and apply customized classification mappings for QoS bits, perform the tasks described in Table 18-12; enter all commands in class map configuration mode, unless otherwise noted.
Table 18-12 Configure QoS Propagation
Task | Root Command | Notes
Create a classification map. | qos class-map | Enter this command in global configuration mode. For information about this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Specify a set of default values for a classification map. | mapping-schema | For information about this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Specify an initial PD value to assign to ATM packets with the specified CLP value. | atm to qos |
Translate outgoing PD QoS values to ATM CLP values. | qos to atm |
For incoming packets with the specified CLP value, determine the initial PD QoS value from the user priority bits in the 802.1p VLAN TCI field of the packet header. | atm use-ethernet |
For incoming packets with the specified CLP value, determine the initial PD QoS value from the IP ToS field of the packet header. | atm use-ip |
Translate incoming Ethernet 802.1p values to PD QoS values. | ethernet to qos |
Translate outgoing PD QoS values to Ethernet 802.1p values. | qos to ethernet |
For 802.1Q transport PVCs, use the 802.1p value from either the outer PVC header or the inner PVC header for propagation between internal PD classification values and Ethernet. | propagate qos transport use-vlan-header | Enter this command in dot1q profile configuration mode.
For incoming packets with the specified 802.1p value, determine the initial PD QoS value from the DSCP value in the IP header rather than from the 802.1p value. | ethernet use-ip |
Translate incoming IP header DSCP values to PD QoS values. | ip to qos |
Translate outgoing PD QoS values to IP header DSCP values. | qos to ip |
For outgoing packets with the specified PD QoS value, determine the final header EXP or 802.1p value from the IP header DSCP value rather than from the PD QoS value. | qos use-ip |
Translate incoming MPLS EXP values to PD QoS values. | mpls to qos |
Translate outgoing PD QoS values to MPLS header EXP values. | qos to mpls |
For incoming packets with the specified MPLS EXP priority label, use the 802.1p priority label of the encapsulated Ethernet packet to determine the PD value for the packet. | mpls use-ethernet |
For incoming packets with the specified EXP value, determine the initial PD QoS value from the IP header DSCP value rather than from the EXP value. | mpls use-ip |
For incoming MPLS EXP packets with an Ethernet VLAN header, specify the 802.1q-over-MPLS packets to examine for any header enclosed by the outer VLAN header. | propagate qos use-vlan-ethertype | Enter this command in MPLS router configuration mode.
For incoming MPLS packets, use the 802.1p value from either the outer PVC header or the inner PVC header for propagation from Ethernet to internal PD classification values. | propagate qos use-vlan-header | Enter this command in MPLS router configuration mode.
Reference the classification map when configuring propagation. | propagate qos from ethernet, propagate qos from ip, propagate qos from l2tp, propagate qos from mpls, propagate qos to ethernet, propagate qos to ip, propagate qos to l2tp, propagate qos to mpls | Specify the class-map construct (the class-map keyword followed by the map name) with each of these commands.
Configure L2TP for QoS
To configure L2TP for QoS to propagate subscriber DSCP bits in the downstream direction, perform the tasks described in Table 18-13; enter all commands in L2TP peer configuration mode for the default peer.
To configure L2TP for QoS to propagate DSCP bits in the upstream direction, perform the tasks described in Table 18-14; enter all commands in L2TP peer configuration mode for the default peer.
Table 18-13 Configure L2TP for QoS in the Downstream Direction
Task | Root Command | Notes
For network packets the SmartEdge router sends to the LAC when the router is configured as an LNS, propagate the PD priority bits to the outer DSCP value. | propagate qos to l2tp |
For L2TP IP packets coming into the SmartEdge router from the LNS when the router is configured as a LAC, propagate the subscriber DSCP bits in the inner IP packet header to the PD priority bits for the subscriber IP packet. | propagate qos from subscriber | Specify the downstream keyword for this function.
Table 18-14 Configure L2TP for QoS in the Upstream Direction
Task | Root Command | Notes
For subscriber IP packets coming into the SmartEdge router when it is configured as a LAC, propagate the subscriber DSCP bits in the IP packet header to the PD priority bits for the subscriber IP packet. | propagate qos from subscriber | Specify the upstream keyword for this function.
For network packets the SmartEdge router sends to the LNS when the router is configured as a LAC, propagate the PD priority bits to the outer DSCP value. | propagate qos to l2tp |
For L2TP packets coming into the SmartEdge router when it is configured as an LNS, after the outer DSCP bits have been propagated to the PD priority bits, propagate the PD priority bits to the subscriber's inner DSCP bits. | propagate qos from l2tp |
Configure MPLS for QoS
To configure MPLS for QoS, perform the tasks described in one of the following sections:
Propagate QoS Using DSCP Bits and MPLS EXP Bits
Propagate QoS Using DSCP Bits Only
Propagate QoS Using DSCP Bits and MPLS EXP Bits
To propagate QoS from DSCP bits to MPLS EXP bits and vice versa, perform the tasks described in Table 18-15; enter either or both commands in MPLS router configuration mode.
Propagate QoS Using DSCP Bits Only
To propagate QoS using DSCP bits only (instead of MPLS EXP bits), perform the task described in Table 18-16.
Table 18-15 Propagate QoS Using DSCP Bits and MPLS EXP Bits
Task | Root Command | Notes
For packets coming into the SmartEdge router, propagate MPLS EXP bits to DSCP bits. | propagate qos from mpls |
For packets going out of the SmartEdge router, propagate PD priority values to MPLS EXP bits. | propagate qos to mpls |
Table 18-16 Propagate QoS Using DSCP Bits Only
Task | Root Command | Notes
Enable the use of IP header DSCP bits (not MPLS EXP values) when determining the initial PD priority value of incoming MPLS packets. | egress prefer dscp-qos | Enter this command in MPLS router configuration mode.
Attach QoS Policies to a Circuit Group and Assign Members to the Group
To create a circuit group, attach a QoS metering, policing, or scheduling policy to it, and then assign members to the group, perform the tasks described in Table 18-17.
Table 18-17 Attach QoS Policies to a Circuit Group and Assign Members to the Group
# | Task | Root Command | Notes
1 | Create a circuit group and assign a specified name to it. | circuit-group | Enter this command in global configuration mode. For information about this command, see the Circuit Configurations chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2 | Attach a QoS metering, policing, or scheduling policy to the circuit group: | |
 | Attach a metering policy. | qos policy metering | Enter this command in circuit group configuration mode.
 | Attach a policing policy. | qos policy policing | Enter this command in circuit group configuration mode.
 | Attach a queuing policy. | qos policy queuing | Enter this command in circuit group configuration mode.
3 | Select an Ethernet port in which the members of the circuit group are to reside and access port configuration mode. | port ethernet | Enter this command in global configuration mode.
4 | Specify the use of 802.1Q encapsulation for the Ethernet port. | encapsulation dot1q | Enter this command in port configuration mode.
5 | Specify the 802.1Q tunnel or one or more static 802.1Q PVCs to be assigned to the specified circuit group and access dot1q PVC configuration mode. | dot1q pvc | Enter this command in port configuration mode.
6 | Specify that the 802.1Q tunnel or PVCs being configured are members of the specified circuit group. | circuit-group-member | Enter this command in dot1q PVC configuration mode. For information about this command, see the Circuit Configurations chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Configuration Examples
QoS configuration examples are included in the following sections:
Attaching Rate- and Class-Limiting Policies
Attaching Scheduling Policies
Propagating QoS
Attaching QoS Policies to Circuit Groups
Attaching Rate- and Class-Limiting Policies
Examples of configuring PVCs and subscriber records for QoS policies are provided in the following
sections:
PVC Configuration
Cross-Connected Circuit Configuration
Subscriber Configuration
PVC Configuration
The following example attaches a metering policy, meter, to an 802.1Q PVC on an Ethernet port:
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 200
[local]Redback(config-dot1q-pvc)#bind interface if-200 local
[local]Redback(config-dot1q-pvc)#qos policy metering meter
Cross-Connected Circuit Configuration
The following example attaches a metering policy, output, to the inbound circuits (the 802.1Q PVCs on port 4/1) of three cross-connected PVC pairs; the outbound PVCs are created on port 4/3 without a QoS policy, and the pairs are then cross-connected:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 2001
[local]Redback(config-dot1q-pvc)#qos policy metering output
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2051
[local]Redback(config-dot1q-pvc)#qos policy metering output
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2101
[local]Redback(config-dot1q-pvc)#qos policy metering output
[local]Redback(config-dot1q-pvc)#exit
!
[local]Redback(config)#port ethernet 4/3
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 2001
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2051
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2101
[local]Redback(config-dot1q-pvc)#exit
!
[local]Redback(config)#xc 4/1 vlan-id 2001 to 4/3 vlan-id 2001
[local]Redback(config)#xc 4/1 vlan-id 2051 to 4/3 vlan-id 2051
[local]Redback(config)#xc 4/1 vlan-id 2101 to 4/3 vlan-id 2101
Subscriber Configuration
The following example attaches a metering policy, meter, to a subscriber record:
[local]Redback(config)#subscriber name redback
[local]Redback(config-sub)#password redback
[local]Redback(config-sub)#qos policy metering meter
Attaching Scheduling Policies
Examples of configuring ports and PVCs for QoS features using scheduling policies are provided in the
following sections:
Port Configuration
PVC Configuration
Overhead Profile Configuration
PWFQ Policy and Hierarchical Shaping
PWFQ Policy and Hierarchical Scheduling
Port Configuration
The following example attaches a PQ policy to a POS port:
[local]Redback(config)#port pos 2/1
[local]Redback(config-port)#qos policy queuing pos-qos
PVC Configuration
The following example attaches a PQ scheduling policy, PerVcQueuing, to each of three 802.1Q PVCs:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#bind interface if-100 local
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing
[local]Redback(config-dot1q-pvc)#dot1q pvc 101
[local]Redback(config-dot1q-pvc)#bind interface if-101 local
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing
[local]Redback(config-dot1q-pvc)#dot1q pvc 102
[local]Redback(config-dot1q-pvc)#bind interface if-102 local
[local]Redback(config-dot1q-pvc)#qos policy queuing PerVcQueuing
The following example attaches an EDRR policy, example1, to an ATM PVC and to its port on a first-generation ATM OC traffic card (an EDRR policy must be attached at both levels):
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#qos policy queuing example1
[local]Redback(config-atm-oc)#atm pvc 200 300 profile prof1 encaps multi
[local]Redback(config-atm-pvc)#qos policy queuing example1
Overhead Profile Configuration
The following example allows the child circuits of 802.1Q tunnel 100 to inherit the example1 overhead profile:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#dot1q pvc 100 encapsulation 1qtunnel
[local]Redback(config-port)#qos profile overhead example1 inherit
PWFQ Policy and Hierarchical Shaping
The following example configures a GE3 port with the node group home, creates five dslam nodes in it, and attaches the PWFQ policy pwfq4 to each node:
[local]Redback(config)#port ethernet 5/2
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos rate minimum 100000
[local]Redback(config-port)#qos hierarchical mode strict
[local]Redback(config-port)#qos node-group home 1
[local]Redback(config-h-node)#qos node dslam 1 through 5
[local]Redback(config-h-node)#qos policy queuing pwfq4
PWFQ Policy and Hierarchical Scheduling
The following example configures a GE3 port and its 802.1Q PVC for hierarchical scheduling and attaches a PWFQ policy to both the port (pwfq-port) and its PVC (pwfq-pvc):
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos rate minimum 100000
[local]Redback(config-port)#qos hierarchical mode strict
[local]Redback(config-port)#qos policy queuing pwfq-port
[local]Redback(config-port)#dot1q pvc 200
[local]Redback(config-dot1q-pvc)#qos rate maximum 10000000
[local]Redback(config-dot1q-pvc)#qos rate minimum 10000
[local]Redback(config-dot1q-pvc)#qos policy queuing pwfq-pvc
Propagating QoS
The following example configures the 802.1Q profile 8021p-on to propagate QoS information between IP and any 802.1Q tunnel or PVC that has that profile assigned to it:
[local]Redback(config)#dot1q profile 8021p-on
[local]Redback(config-dot1q-profile)#propagate qos from ethernet
[local]Redback(config-dot1q-profile)#propagate qos to ethernet
[local]Redback(config-dot1q-profile)#exit
The following example propagates QoS on an 802.1Q PVC by configuring it with the 8021p-on profile:
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 20 profile 8021p-on
[local]Redback(config-dot1q-pvc)#exit
The following example enables IP QoS information to be propagated to ATM on any ATM PVC or virtual path (VP) that has the profile clp-on assigned to it:
[local]Redback(config)#atm profile clp-on
[local]Redback(config-atm-profile)#clpbit propagate qos to atm
[local]Redback(config-atm-profile)#exit
The following example configures MPLS to propagate QoS in both directions:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls
[local]Redback(config-mpls)#propagate qos to mpls
[local]Redback(config-mpls)#exit
The following example creates a classification map, exp-to-pd, that maps MPLS EXP values to QoS PD values on ingress (here EXP value 1 to PD value 0x24), then applies the map, by the name it was created with, to the propagate qos from mpls command:
[local]Redback(config)#qos class-map exp-to-pd mpls in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#mpls 1 to qos 0x24
[local]Redback(config-class-map)#exit
[local]Redback(config)#context mycontext
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls class-map exp-to-pd
[local]Redback(config-mpls)#exit
Attaching QoS Policies to Circuit Groups
The following example shows how to create a circuit group salesgroup and attach previously configured
policing and metering policies (group_policing_policy and group_metering_policy) to this
circuit group. This example also shows how to assign the 802.1Q PVC tunnels (50 through 60, 30, and 40)
as members of the circuit group. The individual PVCs (or VLANs), 1 to 100, configured under the 802.1Q
tunnel 30 each have their own individual policing policy, cvlan_individual_policy.
With the hierarchical keyword configured for the policing policy (group_policing_policy), the
traffic on the individual PVCs is subject to both the child circuit policy (cvlan_individual_policy)
and the parent circuit policy (group_policing_policy):
[local]Redback(config)#circuit-group salesgroup
[local]Redback(config-circuit-group)#qos policy policing group_policing_policy hierarchical
[local]Redback(config-circuit-group)#qos policy metering group_metering_policy inherit
[local]Redback(config)#port ethernet 12/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 50 through 60
[local]Redback(config-dot1q-pvc)#circuit-group-member salesgroup
Command Descriptions
QoS Circuit Configuration 18-27
[local]Redback(config)#port ethernet 12/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 30 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#dot1q pvc 30:1 through 100
[local]Redback(config-dot1q-pvc)#circuit-group-member salesgroup
! Specify that each 802.1Q PVC configured under the 802.1Q tunnel also
! has its own individual policing policy (specified as
! cvlan_individual_policy).
[local]Redback(config-dot1q-pvc)#qos policy policing cvlan_individual_policy
[local]Redback(config-dot1q-pvc)#dot1q pvc 40
[local]Redback(config-dot1q-pvc)#circuit-group-member salesgroup
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure QoS policies.
The commands are presented in alphabetical order:
atm to qos
atm use-ethernet
atm use-ip
clpbit propagate qos from atm
clpbit propagate qos to atm
egress prefer dscp-qos
ethernet to qos
ethernet use-ip
ip to qos
mpls to qos
mpls use-ethernet
mpls use-ip
propagate qos from ethernet
propagate qos from ip
propagate qos from l2tp
propagate qos from mpls
propagate qos from subscriber
propagate qos to ethernet
propagate qos to ip
propagate qos to l2tp
propagate qos to mpls
propagate qos transport use-vlan-header
propagate qos use-vlan-ethertype
propagate qos use-vlan-header
qos hierarchical mode strict
qos mode
qos node
qos node-group
qos node-reference
qos policy metering
qos policy policing
qos policy (protocol-rate-limit)
qos policy queuing
qos priority
qos profile overhead
qos rate
qos to atm
qos to ethernet
qos to ip
qos to mpls
qos use-ip
qos weight
rate circuit
atm to qos
atm {clp-value | all} to qos pd-value
{no | default} atm {clp-value | all}
Purpose
Translates Asynchronous Transfer Mode (ATM) cell loss priority (CLP) values into packet descriptor (PD)
quality of service (QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
clp-value    Either 0 or 1, representing the CLP bit in the ATM cell header. If a packet is composed of
             multiple ATM cells, the SmartEdge OS considers the overall packet CLP value to be 1 if any
             ATM cell that makes up the ATM adaptation layer type 5 (AAL5) packet has the CLP bit set
             to 1 (for second-generation ATM traffic cards), or if the final cell, which contains the
             AAL5 trailer, has the CLP bit set to 1 (for first-generation ATM traffic cards).
all          Maps all valid values for the source value to the specified target value. Any existing
             configuration for the classification map is overridden.
pd-value     An integer from 0 to 63 (six bits), with the packet priority encoded in the three
             higher-order bits and the packet drop precedence in the three lower-order bits. You can
             enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also
             enter a standard Differentiated Services Code Point (DSCP) marking label as defined in
             Table 16-21 on page 16-71.
             The scale used by this command for packet priority, from 0 (lowest priority) to 7
             (highest priority), is the inverse of the scale used by the mark priority command. For
             details on that command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
ATM ingress classification maps use the CLP-to-PD mapping described in Table 18-18.
Usage Guidelines
Use the atm to qos command to translate ATM CLP values into PD QoS values on ingress.
If you specify the all keyword, both valid ATM CLP values are mapped to the specified QoS value. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for both mapping entries, then override that value for one entry by entering a
subsequent mapping command without this keyword.
Use the no or default form of this command to revert one or both map entries to the default mapping
described in Table 18-18.

Table 18-18 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit   PD Priority Value   PD Drop-Precedence Value   AF Label   QoS PD Value
0             1                   2                          AF11       10
1             0                   0                          DF         0

Related Commands
atm use-ethernet
ethernet to qos
qos class-map
atm use-ethernet
atm {clp-value | all} use-ethernet [class-map map-name]
{no | default} atm {clp-value | all}
Purpose
Determines initial packet descriptor (PD) values by mapping from the user priority bits in the 802.1p virtual
LAN (VLAN) Tag Control Information (TCI) field of the packet header rather than directly from the
Asynchronous Transfer Mode (ATM) cell loss priority (CLP) value for received ATM packets with the
specified CLP value.
Command Mode
class map configuration
Syntax Description
clp-value            Either 0 or 1, representing the CLP bit in the ATM cell header. If a packet is
                     composed of multiple ATM cells, the SmartEdge OS assigns a CLP value of 1 if any
                     ATM cell that makes up the ATM adaptation layer type 5 (AAL5) packet has the CLP
                     bit set to 1 (for second-generation ATM traffic cards), or if the final cell, which
                     contains the AAL5 trailer, has the CLP bit set to 1 (for first-generation ATM
                     traffic cards).
all                  Maps all valid values for the source value to the specified target value. Any
                     existing configuration for the classification map is overridden.
use-ethernet         Enables a secondary mapping lookup using the packet's Ethernet 802.1p bits as
                     input. If no classification map is specified for the secondary lookup, the default
                     8P0D mapping is used.
class-map map-name   Optional. Name of the secondary classification map.
Default
ATM ingress classification maps use the CLP-to-PD mapping described in Table 18-19.
Usage Guidelines
Use the atm use-ethernet command to determine initial PD values by mapping from the user priority bits
in the 802.1p VLAN TCI field of the packet header rather than directly from the ATM CLP value for
received ATM packets with the specified CLP value.
If a packet includes both an outer permanent virtual circuit (PVC) header and an outer PVC Ethernet type
field value of 0x8100 or 0x88a8, the inner PVC 802.1p header determines the PD value. If a packet does
not include an Ethernet VLAN header, the SmartEdge OS uses the default mapping described in
Table 18-19.
Only packets with an outer PVC Ethernet type field value of 0x8100 or 0x88a8 are examined for enclosed
inner PVC 802.1p values. The SmartEdge OS uses the outer PVC 802.1p value to map all other outer PVC
Ethernet types.
If you specify the all keyword, both CLP value entries are mapped to the specified PD value. Any existing
configuration for the classification map is overridden. You can use the all keyword to specify a single
default value for both mapping entries, then override that value for an entry by entering a subsequent
mapping command without this keyword.
If you specify the class-map map-name construct, the resulting mapping uses the specified 802.1p-to-PD
classification map. The secondary classification map must have a value of ethernet for the marking-type
argument and a value of in for the mapping direction. If you do not specify a secondary classification map,
the SmartEdge OS uses the default 8P0D mapping.
Use the no or default form of this command to revert one or both map entries to the default mapping
described in Table 18-19.

Table 18-19 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit   PD Priority Value   PD Drop-Precedence Value   AF Label   QoS PD Value
0             1                   2                          AF11       10
1             0                   0                          DF         0

Related Commands
atm to qos
atm use-ip
qos class-map
atm use-ip
atm {clp-value | all} use-ip [class-map map-name]
{no | default} atm {clp-value | all}
Purpose
Determines initial packet descriptor (PD) values by mapping from the Differentiated Services Code Point
(DSCP) value in the IP packet header rather than Ethernet 802.1p values on ingress for received
Asynchronous Transfer Mode (ATM) packets with the specified cell loss priority (CLP) value.
Command Mode
class map configuration
Syntax Description
clp-value            Either 0 or 1, representing the CLP bit in the ATM cell header. If a packet is
                     composed of multiple ATM cells, the SmartEdge OS assigns a CLP value of 1 if any
                     ATM cell that makes up the ATM adaptation layer type 5 (AAL5) packet has the CLP
                     bit set to 1 (for second-generation ATM traffic cards), or if the final cell, which
                     contains the AAL5 trailer, has the CLP bit set to 1 (for first-generation ATM
                     traffic cards).
all                  Maps all valid values for the source value to the specified target value. Any
                     existing configuration for the classification map is overridden.
use-ip               Enables a secondary mapping lookup using the packet's DSCP bits as input. If no
                     classification map is specified for the secondary lookup, the default
                     DSCP-to-target mapping is used.
class-map map-name   Optional. Name of the secondary classification map.
Default
ATM ingress classification maps use the CLP-to-PD mapping described in Table 18-20.
Usage Guidelines
Use the atm use-ip command to determine initial PD values by mapping from the DSCP value in the IP
packet header rather than Ethernet 802.1p values on ingress for received ATM packets with the specified
CLP value. If a packet does not include an IP header, the SmartEdge OS uses the default mapping described
in Table 18-20.
Only 802.1p packets with an outer PVC Ethernet type field value of 0x8100 or 0x88a8 are examined for
DSCP values in the packet header. The SmartEdge OS uses the default mapping described in Table 18-20
for packets with all other VLAN Ethernet types.
If you specify the all keyword, both CLP value entries are configured to use the DSCP-to-PD mapping. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for both mapping entries, then override that value for an entry by entering a
subsequent mapping command without this keyword.
If you specify the class-map map-name construct, the resulting mapping uses the specified DSCP-to-PD
classification map. The secondary classification map must have a value of ip for the marking-type argument
and a value of in for the mapping direction. If you do not specify a secondary classification map, the
SmartEdge OS copies the DSCP value directly to the internal QoS PD value.
Use the no or default form of this command to revert one or both map entries to the default described in
Table 18-20.

Table 18-20 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit   PD Priority Value   PD Drop-Precedence Value   AF Label   QoS PD Value
0             1                   2                          AF11       10
1             0                   0                          DF         0

Related Commands
atm to qos
atm use-ethernet
qos class-map
clpbit propagate qos from atm
clpbit propagate qos from atm [class-map map-name]
no clpbit propagate qos from atm [class-map map-name]
Purpose
Propagates the cell loss priority (CLP) bit to packet descriptor (PD) values in cells transmitted over
Asynchronous Transfer Mode (ATM) permanent virtual circuits (PVCs) that reference the ATM profile for
incoming packets.
Command Mode
ATM profile configuration
Syntax Description
class-map map-name   Optional. Name of an ingress ATM classification map, an alphanumeric string of up
                     to 39 characters, for defining a custom mapping of CLP values to quality of service
                     (QoS) PD values.
Default
CLP bit values are not propagated to PD values.
Usage Guidelines
Use the clpbit propagate qos from atm command to propagate the CLP bit to PD values in cells
transmitted over ATM PVCs that reference the ATM profile for incoming packets.
If you use the optional class-map map-name construct to specify a custom mapping schema for packets
transmitted on ATM PVCs that reference the ATM profile, the SmartEdge OS sets the initial QoS PD value
according to the CLP values in the packet's received ATM cell headers. If a packet is composed of multiple
ATM cells, the SmartEdge OS assigns a CLP value of 1 if any ATM cell that makes up the ATM adaptation
layer type 5 (AAL5) packet has the CLP bit set to 1 (for second-generation ATM traffic cards), or if the
final cell, which contains the AAL5 trailer, has the CLP bit set to 1 (for first-generation ATM traffic
cards).
If no classification map is specified, the SmartEdge OS uses the default mapping described in Table 18-21.
Note CLP bit priority settings cannot be directly propagated to IP header DSCP bits.
Note For more information about the CLP bit and its use in ATM profiles, see the Circuit
Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
Use the no form of this command to disable propagation from the ATM CLP bit to internal QoS
classification values.

Table 18-21 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit   PD Priority Value   PD Drop-Precedence Value   AF Label   QoS PD Value
0             1                   2                          AF11       10
1             0                   0                          DF         0

Related Commands
clpbit propagate qos to atm
qos class-map
clpbit propagate qos to atm
clpbit propagate qos to atm [class-map map-name]
no clpbit propagate qos to atm [class-map map-name]
Purpose
Propagates the quality of service (QoS) classification values from the internal packet descriptor (PD) to the
cell loss priority (CLP) bit in cells transmitted over Asynchronous Transfer Mode (ATM) permanent virtual
circuits (PVCs) that reference the ATM profile for outgoing packets.
Command Mode
ATM profile configuration
Syntax Description
class-map map-name   Optional. Name of an egress ATM classification map, an alphanumeric string of up
                     to 39 characters, for mapping Differentiated Services Code Point (DSCP) bits to
                     CLP bits.
Default
QoS PD values are not propagated to the ATM CLP bit.
Usage Guidelines
Use the clpbit propagate qos to atm command to propagate the QoS classification values from the internal
PD to the CLP bit in cells transmitted over ATM PVCs that reference the ATM profile for outgoing packets.
QoS PD values are mapped to the ATM CLP bit as described in Table 18-22.
Note For more information about the CLP bit and its use in ATM profiles, see the Circuit
Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
If you specify a custom mapping schema for the optional class-map map-name construct, packets transmitted
on ATM PVCs that reference the ATM profile have the CLP values of the cells in the AAL5 packet set
according to internal QoS classification values. If you do not specify a classification map, the
SmartEdge OS uses the default mapping described in Table 18-22.
Use the no or default form of this command to restore the default behavior.

Table 18-22 QoS PD Value to ATM CLP Bit Mapping
PD Priority Value   PD Drop-Precedence Value   AF Label          ATM CLP Bit
7                   N/A                        Network Control   0
6                   N/A                        Reserved          0
5                   N/A                        EF                0
4                   0-2                        AF41              0
4                   3-7                        AF42, AF43        1
3                   0-2                        AF31              0
3                   3-7                        AF32, AF33        1
2                   0-2                        AF21              0
2                   3-7                        AF22, AF23        1
1                   0-2                        AF11              0
1                   3-7                        AF12, AF13        1
0                   N/A                        DF                1

Examples
The following example propagates DSCP bits from IP packets to the CLP bit in cells transmitted over
ATM PVCs that reference the ATM profile, low_rate:
[local]Redback(config)#atm profile low_rate
[local]Redback(config-atm-profile)#clpbit propagate qos to atm
Related Commands
clpbit propagate qos from atm
qos class-map
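To make the two default CLP mappings concrete, here is an added example (not SmartEdge OS code) that models how the packet CLP value is derived from the cells of a received AAL5 packet and mapped to a PD value as in Table 18-21 (the clpbit propagate qos from atm command), and how a PD value is mapped back to the CLP bit row by row as in Table 18-22 (the clpbit propagate qos to atm command). The card_generation parameter is an assumption that stands in for the traffic card type the page distinguishes; the DSCP code points used in the checks are the standard ones.

```python
# Added example: a model of the default CLP-to-PD and PD-to-CLP mappings
# described for ATM profiles. Not vendor code.

# Table 18-21 (default ingress mapping): ATM CLP bit -> QoS PD value.
# CLP 0 -> AF11 (PD 10: priority 1, drop precedence 2); CLP 1 -> DF (PD 0).
CLP_TO_PD = {0: 10, 1: 0}


def pd_fields(pd_value):
    """PD layout from the page: three high bits carry the packet priority,
    three low bits the drop precedence."""
    return (pd_value >> 3) & 0x7, pd_value & 0x7


def packet_clp(cell_clp_bits, card_generation):
    """Reduce the CLP bits of the cells of one received AAL5 packet to the
    single packet CLP value the page describes.

    cell_clp_bits lists the CLP bit of each cell in wire order; the last cell
    carries the AAL5 trailer. card_generation (1 or 2) is an assumed parameter
    standing in for the ATM traffic card type, not a CLI argument."""
    if not cell_clp_bits:
        raise ValueError("an AAL5 packet consists of at least one cell")
    if any(bit not in (0, 1) for bit in cell_clp_bits):
        raise ValueError("CLP bits must be 0 or 1")
    if card_generation == 2:
        # Second-generation cards: any marked cell marks the whole packet.
        return 1 if any(cell_clp_bits) else 0
    if card_generation == 1:
        # First-generation cards: only the trailer cell is examined, so a
        # marking on an earlier cell is not seen by ingress classification.
        return cell_clp_bits[-1]
    raise ValueError("unknown traffic card generation: %r" % card_generation)


def ingress_pd(cell_clp_bits, card_generation):
    """'clpbit propagate qos from atm' with no class map: packet CLP -> PD."""
    return CLP_TO_PD[packet_clp(cell_clp_bits, card_generation)]


def egress_clp(pd_value):
    """'clpbit propagate qos to atm' with no class map: PD -> CLP bit,
    following Table 18-22 row by row."""
    priority, drop_precedence = pd_fields(pd_value)
    if priority >= 5:
        # Network Control, Reserved and EF rows: never discard-eligible.
        return 0
    if priority == 0:
        # DF row: always discard-eligible.
        return 1
    # AF rows: AFx1 (drop precedence 0-2) keeps CLP 0, AFx2/AFx3 (3-7) get CLP 1.
    return 0 if drop_precedence <= 2 else 1


def atm_to_atm_clp(cell_clp_bits, card_generation):
    """A packet received on one ATM PVC and forwarded on another, with both
    commands enabled and no class maps: the CLP bit it leaves with."""
    return egress_clp(ingress_pd(cell_clp_bits, card_generation))


if __name__ == "__main__":
    # Constructed cell patterns: a marking on a middle cell is honoured by a
    # second-generation card but ignored by a first-generation card.
    cells = [0, 0, 1, 0]
    for generation in (1, 2):
        pd = ingress_pd(cells, generation)
        print("generation %d: packet CLP %d -> PD %2d -> egress CLP %d"
              % (generation, packet_clp(cells, generation), pd, egress_clp(pd)))
```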
egress prefer dscp-qos
egress prefer dscp-qos
no egress prefer dscp-qos
Purpose
Enables the use of only Differentiated Services Code Point (DSCP) bits for queuing at the Multiprotocol
Label Switching (MPLS) egress router.
Command Mode
MPLS router configuration
Syntax Description
This command has no keywords or arguments.
Default
If penultimate hop popping is enabled, the tunnel label is removed at the penultimate hop, and the egress
router uses the Virtual Private Network (VPN) label experimental (EXP) bits for queuing; however, if there
is no VPN label, the egress router uses the DSCP bits for queuing. For more information, see the MPLS
Configuration chapter in the Routing Protocols Configuration Guide for the SmartEdgeOS.
Usage Guidelines
Use the egress prefer dscp-qos command to enable the use of only DSCP bits for queuing at the MPLS
egress router.
Use the no form of this command to return the system to its default behavior.
Examples
The following example enables the use of only DSCP bits for queuing at the egress router:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#egress prefer dscp-qos
Related Commands
propagate qos from mpls
propagate qos to mpls
ethernet to qos
ethernet {802.1p-value | all} to qos pd-value
default ethernet {802.1p-value | all}
Purpose
Translates Ethernet 802.1p values to packet descriptor (PD) quality of service (QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
802.1p-value   An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of
               the three user priority bits in the 802.1p virtual LAN (VLAN) Tag Control Information
               (TCI) field.
all            Maps all valid values for the source value to the specified target value. Any existing
               configuration for the classification map is overridden.
pd-value       An integer from 0 to 63 (six bits), with the packet priority encoded in the three
               higher-order bits and the packet drop precedence in the three lower-order bits. You can
               enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also
               enter a standard Differentiated Services Code Point (DSCP) marking label as defined in
               Table 16-21 on page 16-71.
               The scale used by this command for packet priority, from 0 (lowest priority) to 7
               (highest priority), is the inverse of the scale used by the mark priority command. For
               details on that command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
None
Usage Guidelines
Use the ethernet to qos command to define ingress mappings from Ethernet 802.1p values to PD QoS
values.
If you specify the all keyword, all valid 802.1p values are mapped to the specified PD value. Any existing
configuration for the classification map is overridden. You can use the all keyword to specify a single
default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the default form of this command to revert one or all map entries to either the default 8P0D values or
the mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map 8021p-to-pd for PD bits on ingress, then maps the
Ethernet 802.1p values 1 and 7 to PD user priority values af33 and af21, respectively:
[local]Redback(config)#qos class-map 8021p-to-pd ethernet in
[local]Redback(config-class-map)#ethernet 1 to qos af33
[local]Redback(config-class-map)#ethernet 7 to qos af21
Related Commands
qos hierarchical mode strict
qos to ethernet
ethernet use-ip
ethernet {802.1p-value | all} use-ip [class-map map-name]
default ethernet {802.1p-value | all}
Purpose
For IP packets, determines packet descriptor (PD) values by mapping IP Differentiated Services Code Point
(DSCP) values rather than Ethernet 802.1p values on ingress.
Command Mode
class map configuration
Syntax Description
802.1p-value         An integer from 0 (lowest priority) to 7 (highest priority) representing the
                     contents of the three user priority bits in the 802.1p virtual LAN (VLAN) Tag
                     Control Information (TCI) field.
all                  Maps all valid values for the source value to the specified target value. Any
                     existing configuration for the classification map is overridden.
use-ip               Enables a secondary mapping lookup using the packet's DSCP bits as input. If no
                     classification map is specified for the secondary lookup, the default
                     DSCP-to-target mapping is used.
class-map map-name   Optional. Name of the secondary classification map.
Default
None
Usage Guidelines
Use the ethernet use-ip command to set initial PD values based on IP header DSCP bits rather than
Ethernet 802.1p values on ingress.
If you specify the all keyword, all valid 802.1p values are configured to use DSCP-to-PD mapping. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
If you specify the optional class-map map-name construct, the resulting DSCP-to-PD mapping uses the
specified DSCP-to-PD classification map. The secondary classification map must have a value of ip for the
marking-type argument, and a value of in for the mapping direction. If no secondary classification map is
specified, the default DSCP-to-target mapping is used.
Use the default form of this command to revert one or all map entries to either the default 8P0D values or
the mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map 8021p-to-pd to determine initial QoS PD values
on ingress, and specifies 7P1D encoding as a default mapping schema. It then overrides the default 7P1D
values for Ethernet 802.1p value 1 with PD value 0x24, and specifies that the IP header DSCP value
determines the initial QoS PD value for packets received with Ethernet 802.1p value 3:
[local]Redback(config)#qos class-map 8021p-to-pd ethernet in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#ethernet 1 to qos 0x24
[local]Redback(config-class-map)#ethernet 3 use-ip
Related Commands
mapping-schema
qos hierarchical mode strict
qos to ethernet
ip to qos
ip {dscp-value | all} to qos pd-value
default ip {dscp-value | all}
Purpose
Translates Differentiated Services Code Point (DSCP) values into packet descriptor (PD) quality of service
(QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
dscp-value   An integer from 0 to 63 representing the contents of the most significant six bits of the
             IP header type of service (ToS) field. You can enter the value in decimal or hexadecimal
             format, for example 16 or 0x10. You can also enter a standard DSCP marking label as
             defined in Table 16-21 on page 16-71.
all          Maps all valid values for the source value to the specified target value. Any existing
             configuration for the classification map is overridden.
pd-value     An integer from 0 to 63 (six bits), with the packet priority encoded in the three
             higher-order bits and the packet drop precedence in the three lower-order bits. You can
             enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also
             enter a standard DSCP marking label as defined in Table 16-21 on page 16-71.
             The scale used by this command for packet priority, from 0 (lowest priority) to 7
             (highest priority), is the inverse of the scale used by the mark priority command. For
             details on that command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
None
Usage Guidelines
Use the ip to qos command to define ingress mappings from IP header DSCP values to PD QoS values.
If you specify the all keyword, all valid DSCP values are mapped to the specified QoS value. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the default form of this command to revert one or all map entries to their default values, where each
DSCP value is mapped to the PD QoS value with the same numeric value.
Examples
The following example defines the classification map dscp-to-pd for PD bits on ingress, then maps all
IP header DSCP values to the af13 PD QoS value. It overrides this default mapping for IP header DSCP
values af21 and 1, which are mapped to PD QoS values 25 and df respectively:
[local]Redback(config)#qos class-map dscp-to-pd ip in
[local]Redback(config-class-map)#ip all to qos af13
[local]Redback(config-class-map)#ip af21 to qos 25
[local]Redback(config-class-map)#ip 1 to qos df
Related Commands
qos hierarchical mode strict
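The all-then-override semantics and the PD value layout described for ip to qos, as an added example (not SmartEdge OS code) that models an ingress ip classification map: 'all' rewrites every entry, a later single-value command overrides just that entry, the default form reverts to the identity DSCP-to-PD mapping, and the resulting PD value is split into its priority and drop-precedence fields. It assumes the standard DSCP code points (AFxy = 8x + 2y, EF = 46, DF = 0, CSx = 8x) for the labels the page refers to in Table 16-21, which is not reproduced here, and the page's own dscp-to-pd example is used as the sample configuration.

```python
# Added example: a model of an ingress 'ip ... in' classification map as the
# page describes it. Not vendor code.
import re


def parse_dscp(token):
    """Turn a decimal ('16'), hexadecimal ('0x10') or label ('af21', 'ef',
    'df', 'cs3') argument into a six-bit code point. The label values are
    the standard DSCP code points, assumed to match the page's Table 16-21."""
    t = token.strip().lower()
    if t == "df":
        return 0
    if t == "ef":
        return 46
    m = re.fullmatch(r"cs([1-7])", t)
    if m:
        return 8 * int(m.group(1))
    m = re.fullmatch(r"af([1-4])([1-3])", t)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    value = int(t, 0)          # base 0 accepts both 16 and 0x10
    if not 0 <= value <= 63:
        raise ValueError("six-bit value expected, got %r" % token)
    return value


def pd_fields(pd_value):
    """PD layout from the page: three high bits carry the packet priority,
    three low bits the drop precedence."""
    return (pd_value >> 3) & 0x7, pd_value & 0x7


class IpClassMap:
    """An 'ip ... in' classification map. Entries that are not configured use
    the default mapping, where the DSCP value is copied unchanged to the PD."""

    def __init__(self, name):
        self.name = name
        self.entries = {}      # dscp -> pd, configured entries only

    def ip_to_qos(self, dscp_token, pd_token):
        """'ip {dscp-value | all} to qos pd-value'. The all keyword rewrites
        every entry and discards whatever was configured before; a later
        command for one value then overrides only that entry."""
        pd = parse_dscp(pd_token)
        if dscp_token == "all":
            self.entries = {dscp: pd for dscp in range(64)}
        else:
            self.entries[parse_dscp(dscp_token)] = pd

    def default(self, dscp_token):
        """'default ip {dscp-value | all}': revert one or all entries."""
        if dscp_token == "all":
            self.entries.clear()
        else:
            self.entries.pop(parse_dscp(dscp_token), None)

    def classify(self, dscp):
        """Initial PD value for a packet received with this DSCP."""
        return self.entries.get(dscp, dscp)


def page_example_map():
    """The page's dscp-to-pd example: every DSCP becomes af13, then af21 is
    remapped to 25 and DSCP 1 to df. Because 'all' sets a floor for every
    marking first, only the explicitly listed code points keep a distinct PD."""
    cm = IpClassMap("dscp-to-pd")
    cm.ip_to_qos("all", "af13")
    cm.ip_to_qos("af21", "25")
    cm.ip_to_qos("1", "df")
    return cm


if __name__ == "__main__":
    cm = page_example_map()
    for token in ("af21", "1", "ef", "cs6"):
        pd = cm.classify(parse_dscp(token))
        print("%-4s -> PD %2d (priority %d, drop precedence %d)"
              % ((token, pd) + pd_fields(pd)))
```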
mpls to qos
mpls {exp-value | all} to qos pd-value
default mpls {exp-value | all}
Purpose
Translates Multiprotocol Label Switching (MPLS) experimental (EXP) values to packet descriptor (PD)
quality of service (QoS) values on ingress.
Command Mode
class map configuration
Syntax Description
exp-value   An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the
            three EXP bits in the MPLS label header.
all         Maps all valid values for the source value to the specified target value. Any existing
            configuration for the classification map is overridden.
pd-value    An integer from 0 to 63 (six bits), with the packet priority encoded in the three
            higher-order bits and the packet drop precedence in the three lower-order bits. You can
            enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also
            enter a standard Differentiated Services Code Point (DSCP) marking label as defined in
            Table 16-21 on page 16-71.
            The scale used by this command for packet priority, from 0 (lowest priority) to 7
            (highest priority), is the inverse of the scale used by the mark priority command. For
            details on that command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Default
None
Usage Guidelines
Use the mpls to qos command to define ingress mappings from MPLS EXP values to PD QoS values.
If you specify the all keyword, all valid MPLS EXP values are mapped to the specified PD value. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
Use the default form of this command to revert map entries to either the default 8P0D values or the
mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map exp-to-pd to determine initial MPLS values on
ingress, defines the default mapping schema using 7P1D values, then maps MPLS EXP value 1 to the PD
value 0x24:
[local]Redback(config)#qos class-map exp-to-pd mpls in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#mpls 1 to qos 0x24
Related Commands
qos hierarchical mode strict
qos to mpls
mpls use-ethernet
mpls {exp-value | all} use-ethernet [class-map map-name]
{no | default} mpls {exp-value | all}
Purpose
Determines initial packet descriptor (PD) values by mapping Ethernet 802.1p values rather than directly
mapping from Multiprotocol Label Switching (MPLS) experimental (EXP) values for received MPLS
packets with the specified EXP value.
Command Mode
class map configuration
Syntax Description
exp-value            An integer from 0 (lowest priority) to 7 (highest priority) representing the
                     contents of the three EXP bits in the MPLS label header.
all                  Maps all valid values for the source value to the specified target value. Any
                     existing configuration for the classification map is overridden.
use-ethernet         Enables a secondary mapping lookup using the packet's 802.1p bits as input. If no
                     classification map is specified for the secondary lookup, the default 8P0D
                     802.1p-to-PD mapping is used.
class-map map-name   Optional. Name of the secondary classification map.
Default
Ingress MPLS classification map entries use the 8P0D EXP-to-PD mapping, where the EXP value is copied
to the PD priority field. The PD drop-precedence field is set to zero.
Usage Guidelines
Use the mpls use-ethernet command to determine initial PD values by mapping Ethernet 802.1p values
rather than directly mapping from MPLS EXP values for received MPLS packets with the specified EXP
value. If a received packet with the specified EXP value does not include an Ethernet header, the
SmartEdge OS uses the default mapping instead of the specified mapping.
If you specify the all keyword, all valid MPLS EXP values are configured to use the 802.1p-to-PD
mapping. Any existing configuration for the classification map is overridden. You can use the all keyword
to specify a single default value for all the mapping entries, then override that value for a subset of entries
by entering subsequent mapping commands without this keyword.
If you specify the optional class-map map-name construct, the resulting mapping uses the specified
802.1p-to-PD classification map. The secondary classification map must have a value of ethernet for the
marking-type argument and a value of in for the mapping direction. If you do not specify a secondary
classification map, the default mapping is used.
Use the no or default form of this command to revert one or all map entries to either the default 8P0D
values or the mapping schema values, if a mapping schema has been specified.
Related Commands
qos hierarchical mode strict
qos to ethernet
mpls use-ip
mpls {exp-value | all} use-ip [class-map map-name]
default mpls {exp-value | all}
Purpose
Determines packet descriptor (PD) values by mapping Differentiated Services Code Point (DSCP) values
rather than Multiprotocol Label Switching (MPLS) experimental (EXP) values on ingress for IP packets.
Command Mode
class map configuration
Syntax Description
exp-value            An integer from 0 (lowest priority) to 7 (highest priority) representing the
                     contents of the three EXP bits in the MPLS label header.
all                  Maps all valid values for the source value to the specified target value. Any
                     existing configuration for the classification map is overridden.
class-map map-name   Optional. Name of the secondary classification map.
Default
None
Usage Guidelines
Use the mpls use-ip command to determine PD values by mapping DSCP values rather than MPLS EXP
values on ingress for IP packets.
If you specify the all keyword, all valid EXP values are configured to use the DSCP-to-PD mapping. Any
existing configuration for the classification map is overridden. You can use the all keyword to specify a
single default value for all the mapping entries, then override that value for a subset of entries by entering
subsequent mapping commands without this keyword.
If you specify the optional class-map map-name construct, the resulting mapping uses the specified
DSCP-to-PD classification map. The secondary classification map must have a value of ip for the
marking-type argument, and a value of in for the mapping direction. If you do not specify a secondary
classification map, the default mapping is used.
Use the default form of this command to revert values for one or all map entries to either the default 8P0D
values or the mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map dscp-to-pd to determine initial quality of service
(QoS) PD values on ingress, and specifies 7P1D encoding as the default mapping schema. It then overrides
the default 7P1D value for EXP value 1 with PD value 0x24, and specifies the IP header DSCP value to
determine the initial QoS PD value for packets received with EXP value 3. The secondary classification
map exp-to-dscp is used for the translation:
[local]Redback(config)#qos class-map dscp-to-pd mpls in
[local]Redback(config-class-map)#mapping-schema 7P1D
[local]Redback(config-class-map)#mpls 1 to qos 0x24
[local]Redback(config-class-map)#mpls 3 use-ip class-map exp-to-dscp
Related Commands
mapping-schema
mpls to qos
qos hierarchical mode strict
propagate qos from ethernet
propagate qos from ethernet [class-map map-name]
no propagate qos from ethernet [class-map map-name]
Purpose
For incoming packets, propagates Ethernet 802.1p user priority bits to packet descriptor (PD) quality of
service (QoS) bits.
Command Mode
dot1q profile configuration
Syntax Description
class-map map-name  Optional. Name of an ingress Ethernet classification map for mapping Ethernet 802.1p user priority bits to quality of service (QoS) packet descriptor (PD) values.
Default
Ethernet 802.1p user priority bits are not propagated to DSCP bits.
Usage Guidelines
Use the propagate qos from ethernet command to propagate Ethernet 802.1p user priority bits to PD QoS
bits.
You can use the qos class-map command to define an optional mapping schema. If you specify the
class-map map-name construct for the propagate qos from ethernet command, only the PD QoS values
are affected. If the class-map map-name construct is not specified, the Ethernet 802.1p bits are also copied
to the priority bits of the DSCP field in the IP header.
Note: This command applies to incoming packets transmitted over 802.1Q permanent virtual
circuits (PVCs) that reference the dot1q profile.
Use the no form of this command to disable the propagation of Ethernet 802.1p bits to PD QoS bits.
Examples
The following example propagates Ethernet 802.1p user priority bits to DSCP bits for incoming packets for
all 802.1Q PVCs that reference the 802.1Q profile, 8021p-on:
[local]Redback(config)#dot1q profile 8021p-on
[local]Redback(config-dot1q-profile)#propagate qos from ethernet
Related Commands
propagate qos to ethernet
qos hierarchical mode strict
propagate qos from ip
propagate qos from ip class-map map-name
no propagate qos from ip class-map map-name
Purpose
Specifies a custom value mapping for propagating the Differentiated Services Code Point (DSCP) bits in
the IP packet header to the packet descriptor (PD) priority bits for incoming IP packets.
Command Mode
subscriber configuration
interface configuration
Syntax Description
class-map map-name  Name of the schema for mapping DSCP bits to PD priority bits.
Default
DSCP values are copied to the PD values using a default mapping.
Usage Guidelines
Use the propagate qos from ip command to specify a custom value mapping for propagating the DSCP
bits in the IP packet header to the PD priority bits for incoming IP packets. The DSCP bits are modified in
the received IP packet according to the specified classification map. In subscriber configuration mode, this
command allows you to customize the mapping for traffic received on a specific subscriber session. In
interface configuration mode, this command allows you to customize the mapping for all IP traffic received
through the interface. The SmartEdge OS propagates classification values and marks packets before it
applies any metering policy.
Custom classification mappings configured for either a subscriber or an interface affect Layer 3 (IP-routed)
circuits only.
Use the qos class-map command with the ip in keywords (in global configuration mode) to define a
mapping schema to be referenced by the propagate qos from ip command.
You can use the propagate qos from subscriber command (in L2TP peer configuration mode) to copy
DSCP bits to PD values for Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) sessions, then
use the propagate qos from ip command to specify a custom value mapping.
Use the no form of this command to remove a customized DSCP-to-PD mapping.
Examples
The following example customizes the propagation of IP header DSCP values to PD values for incoming
packets of all subscriber sessions in the local context:
[local]Redback(config)#qos class-map ip-to-pd ip in
[local]Redback(config-class-map)#ip df to qos af43
[local]Redback(config-class-map)#exit
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#propagate qos from ip class-map ip-to-pd
Related Commands
propagate qos from subscriber
qos class-map
qos hierarchical mode strict
propagate qos from l2tp
propagate qos from l2tp [class-map map-name]
no propagate qos from l2tp [class-map map-name]
Purpose
If no classification map is specified, propagates the packet descriptor (PD) priority bits to the Differentiated
Services Code Point (DSCP) bits of the inner (subscriber) IP header for incoming Layer 2 Tunneling
Protocol (L2TP) packets when the SmartEdge router is configured as an L2TP network server (LNS).
Command Mode
L2TP peer configuration (default peer only)
Syntax Description
class-map map-name  Optional. Name of an ingress IP classification map for mapping DSCP values in the IP packet header to quality of service (QoS) PD values.
Default
The DSCP bits in the incoming L2TP IP packet headers are not propagated to the DSCP bits in subscriber
IP packet headers.
Usage Guidelines
Use the propagate qos from l2tp command to propagate the PD priority bits to the DSCP bits of the inner
(subscriber) IP header if no classification map is specified for incoming L2TP packets when the SmartEdge
router is configured as an LNS. Propagation occurs after the outer IP DSCP bits have been propagated to
the PD priority bits as part of IP forwarding. If you specify a classification map, this command customizes
the default mapping from the outer IP header DSCP value to the PD QoS value and leaves the inner IP
header DSCP value unmodified.
You can use the qos class-map command to define an optional mapping schema. If you do not specify the
class-map map-name construct with the propagate qos from l2tp command, the SmartEdge OS
overwrites the value in the inner IP header with the DSCP value from the received outer IP header. If you
specify the class-map map-name construct, the SmartEdge OS customizes the default mapping from the
outer IP header DSCP value to the PD QoS value and leaves the inner IP header DSCP value unmodified.
L2TP tunnels are User Datagram Protocol (UDP)/IP-encapsulated circuits that carry subscriber-based IP
traffic encapsulated in Point-to-Point Protocol (PPP) sessions between routers. The LNS is the IP termination
point for subscriber traffic. DSCP bits from the L2TP IP packet header can be propagated into subscriber
traffic.
Note: This propagation occurs only in the upstream direction; this command applies only to a
SmartEdge router that is configured as an LNS as it receives packets from an L2TP access
concentrator (LAC).
Use the no form of this command to disable the propagation of DSCP bits to the inner (subscriber) IP
header or to remove the customized propagation to the QoS PD value.
Examples
The following example propagates DSCP bits from outer L2TP IP packet headers to DSCP bits in inner IP
packet headers:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from l2tp
Related Commands
propagate qos from subscriber
propagate qos to l2tp
qos hierarchical mode strict
propagate qos from mpls
propagate qos from mpls [class-map map-name] [l2vpn class-map map-name]
no propagate qos from mpls [class-map map-name] [l2vpn class-map map-name]
Purpose
Enables mapping Multiprotocol Label Switching (MPLS) experimental (EXP) bits to Differentiated
Services Code Point (DSCP) bits in the IP header or enables customized mapping of EXP to packet
descriptor (PD) quality of service (QoS) values for incoming packets when the SmartEdge router is
configured as an MPLS egress router.
Command Mode
MPLS router configuration
Syntax Description
class-map map-name  Optional. Name of the ingress MPLS classification map for mapping MPLS EXP values to QoS PD values.
l2vpn class-map map-name  Optional. Name of the ingress MPLS classification map for mapping packets received from Layer 2 MPLS VPNs.
Default
MPLS EXP bits are not mapped to DSCP bits.
Usage Guidelines
Use the propagate qos from mpls command to enable mapping MPLS EXP bits to DSCP bits in the IP
header or enable customized mapping of EXP to PD QoS values for incoming packets when the
SmartEdge router is configured as an MPLS egress router. If the optional class-map map-name construct is
not specified, the EXP bits are also copied to the priority bits of the DSCP field in the IP header.
If you specify the optional class-map map-name construct, the propagate qos from mpls command
specifies a custom value mapping for MPLS EXP bits to PD values. The DSCP bits are unaffected. In this
case, use the qos class-map command to define a mapping schema, then reference the schema using the
class-map map-name construct. If you do not specify a Layer 2 virtual private network (L2VPN)
classification map, the standard classification map applies to both Layer 2 and Layer 3 traffic.
If you specify the optional l2vpn class-map map-name construct without the class-map map-name construct,
the L2VPN classification map applies to Layer 2 traffic and Layer 3 traffic uses the default 8P0D mapping
schema. If you specify both the l2vpn class-map map-name construct and the class-map map-name
construct, Layer 2 traffic uses the L2VPN classification map and Layer 3 traffic uses the standard
classification map.
If you use the mpls use-ethernet command to perform a secondary lookup and the encapsulated packet
contains no virtual LAN (VLAN) header, the PD value is determined by mapping the MPLS EXP value
using the default 8P0D schema.
Use the no form of this command to disable the mapping of MPLS EXP bits to DSCP bits or remove a
customized EXP-to-PD mapping.
Examples
The following example enables the mapping of MPLS EXP bits to DSCP bits for outgoing packets:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls
The following example specifies a customized mapping of MPLS EXP bits to PD values by referencing the
existing MPLS ingress classification map exp-to-pd:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos from mpls class-map exp-to-pd
Related Commands
egress prefer dscp-qos
propagate qos to mpls
qos hierarchical mode strict
propagate qos from subscriber
propagate qos from subscriber [{upstream | downstream | both}]
no propagate qos from subscriber [{upstream | downstream | both}]
Purpose
For incoming packets when the SmartEdge router is configured as a Layer 2 Tunneling Protocol (L2TP)
access concentrator (LAC), propagates the Differentiated Services Code Point (DSCP) bits in the
subscriber's IP packet header to the packet descriptor (PD) priority bits.
Command Mode
L2TP peer configuration (default peer only)
Syntax Description
upstream  Optional. Performs the propagation on inbound packets from the subscriber.
downstream  Optional. Performs the propagation on inbound packets from the L2TP network server (LNS).
both  Optional. Performs the propagation on inbound packets from the subscriber and inbound packets from the LNS.
Default
DSCP bits are not propagated from the incoming subscriber IP packet header to the PD for the subscriber
IP packet.
Usage Guidelines
For incoming packets when the SmartEdge router is configured as a LAC, use the propagate qos from
subscriber command to propagate the DSCP bits in the subscriber's IP packet header to the PD priority
bits.
Use the upstream keyword to propagate from inbound packets from the subscriber. Use the downstream
keyword to propagate from inbound packets from the network. Use the both keyword to propagate in both
directions.
The SmartEdge OS performs a deep packet inspection of inner IP packet headers and copies the DSCP bits
in the IP header. L2TP tunnels are User Datagram Protocol (UDP)/IP-encapsulated circuits that carry
subscriber-based Point-to-Point Protocol (PPP) sessions between routers. On L2TP tunnels, subscriber
IP packets are encapsulated in PPP packets, which themselves are encapsulated in L2TP packets. DSCP
bits can be propagated from inner IP packet headers to outer L2TP IP packet headers, and vice versa. DSCP
bits are propagated between layers of encapsulated packets so that any Layer 3 device located between an
LNS and a LAC can recognize and apply DSCP settings.
Use the no form of this command to disable the propagation of DSCP bits in the specified direction or, if
neither keyword is specified, in both directions.
Examples
The following example propagates the DSCP bits in a subscriber IP packet header to the PD for the
subscriber IP packet header in the upstream direction only:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from subscriber upstream
The following example propagates the DSCP bits from subscriber IP packet headers to DSCP bits in L2TP
IP packet headers in both directions:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos from subscriber
Related Commands
propagate qos from l2tp
propagate qos to l2tp
qos hierarchical mode strict
propagate qos to ethernet
propagate qos to ethernet [class-map map-name]
no propagate qos to ethernet [class-map map-name]
Purpose
Propagates packet descriptor (PD) priority values to Ethernet 802.1p user priority bits for outgoing packets.
Command Mode
dot1q profile configuration
Syntax Description
class-map map-name  Optional. Name of the egress Ethernet classification map for mapping quality of service (QoS) PD values to Ethernet 802.1p user priority bits.
Default
Differentiated Services Code Point (DSCP) bits are not propagated to Ethernet 802.1p user priority bits.
Usage Guidelines
Use the propagate qos to ethernet command to propagate PD priority values to Ethernet 802.1p user
priority bits for outgoing packets.
You can use the qos class-map command to define an optional mapping schema. If you do not specify the
class-map map-name construct for the propagate qos to ethernet command, the default 8P0D mapping
is used.
Note: This command applies to outgoing packets transmitted over 802.1Q permanent virtual circuits
(PVCs) that reference the dot1q profile.
Use the no form of this command to disable the propagation of DSCP bits.
Examples
The following example propagates DSCP bits from IP packets to Ethernet 802.1p user priority bits for
802.1Q PVCs that reference the 802.1Q profile, 8021p-on:
[local]Redback(config)#dot1q profile 8021p-on
[local]Redback(config-dot1q-profile)#propagate qos to ethernet
Related Commands
propagate qos from ethernet
qos hierarchical mode strict
propagate qos to ip
propagate qos to ip [class-map map-name]
no propagate qos to ip [class-map map-name]
Purpose
Propagates packet descriptor (PD) priority values in the subscriber IP packet to Differentiated Services
Code Point (DSCP) bits in the IP packet header for outgoing IP packets.
Command Mode
interface configuration
subscriber configuration
Syntax Description
class-map map-name  Optional. Name of the schema for mapping PD priority bits to DSCP bits in the IP packet header.
Default
PD values are not propagated to the DSCP bits in the IP packet header.
Usage Guidelines
Use the propagate qos to ip command to propagate PD priority values in the subscriber IP packet to DSCP
bits in the IP packet header for outgoing IP packets. In subscriber configuration mode, this command allows
you to enable propagation or customize mapping for traffic sent on a specific subscriber session. In
interface configuration mode, this command affects all IP traffic transmitted through the interface. The
SmartEdge OS propagates classification values and marks packets before it applies any metering policy.
If you specify the optional class-map map-name construct, the propagate qos to ip command maps PD
values to DSCP bits in the IP packet header. In this case, use the qos class-map command (in global
configuration mode) to define a mapping schema, then reference the schema using the optional class-map
map-name construct.
If you do not specify the class-map map-name construct, PD values are copied directly to DSCP values.
Custom classification mappings configured for either a subscriber or an interface affect Layer 3 (IP-routed)
circuits only.
Use the no form of this command to disable the propagation of PD values to DSCP bits.
Related Commands
propagate qos from ip
qos hierarchical mode strict
propagate qos to l2tp
propagate qos to l2tp [class-map map-name]
no propagate qos to l2tp [class-map map-name]
Purpose
For a SmartEdge router configured as a Layer 2 Tunneling Protocol (L2TP) network server (LNS) or an
L2TP access concentrator (LAC), propagates the packet descriptor (PD) priority bits to the outer
Differentiated Services Code Point (DSCP) bits in the IP packet header for outgoing packets.
Command Mode
L2TP peer configuration (default peer only)
Syntax Description
class-map map-name  Optional. Name of the egress IP classification map for mapping quality of service (QoS) PD values to DSCP values in the IP packet header.
Default
DSCP bits are not propagated from the PD to an L2TP IP packet header.
Usage Guidelines
For a SmartEdge router configured as an L2TP LNS or a LAC, use the propagate qos to l2tp command
to propagate the PD priority bits to the outer DSCP bits for outgoing packets. For the LNS configuration,
the DSCP bits are propagated from the incoming network packet headers, and for the LAC configuration,
the DSCP bits are propagated from the incoming subscriber packet headers.
As an LNS, the PD priority is derived from the subscriber's inner DSCP value as part of IP forwarding. As
a LAC, the PD priority defaults to a low priority. If you configure the propagate qos from subscriber
command (in L2TP peer configuration mode) with the upstream keyword, the PD priority is derived from the
subscriber's inner DSCP value.
L2TP tunnels are User Datagram Protocol (UDP)/IP-encapsulated circuits that carry subscriber-based
Point-to-Point Protocol (PPP) sessions between routers. On L2TP tunnels, subscriber IP packets are
encapsulated in PPP packets, which themselves are encapsulated in L2TP packets. DSCP bits are propagated
between layers of encapsulated packets so that any Layer 3 device located between an LNS and a LAC can
recognize and apply DSCP settings.
You can use the qos class-map command (in global configuration mode) to define an optional mapping
schema. If you do not specify the class-map map-name construct for the propagate qos to l2tp command,
the unmodified PD QoS value is copied to the outer DSCP field in the IP header.
Use the no form of this command to disable the propagation of DSCP bits.
Examples
The following example propagates DSCP bits from incoming network or subscriber IP packet headers to
L2TP IP packet headers:
[local]Redback(config-ctx)#l2tp-peer default
[local]Redback(config-l2tp)#propagate qos to l2tp
Related Commands
propagate qos from l2tp
propagate qos from subscriber
qos hierarchical mode strict
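The L2TP propagation chain described under propagate qos from l2tp, propagate qos from subscriber and propagate qos to l2tp, modelled in Python as an added example that is not SmartEdge OS code. The default DSCP-to-PD copy, the class-map tables, the outer DSCP used when propagation is off, and the LAC's "low priority" default (taken here as PD 0) are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: the "low priority" PD a LAC assigns by default is modelled as 0, and
# the default DSCP-to-PD / PD-to-DSCP copy is an identity on the 6-bit value.
LOW_PRIORITY_PD = 0


@dataclass
class L2tpPacket:
    inner_dscp: int                   # DSCP of the subscriber IP header (inside PPP)
    outer_dscp: Optional[int] = None  # DSCP of the L2TP/UDP/IP header; None until encapsulated
    pd: Optional[int] = None          # packet descriptor priority bits


@dataclass
class L2tpPeerQos:
    """QoS commands configured under 'l2tp-peer default' on one router."""
    role: str                                       # "LNS" or "LAC"
    from_l2tp: bool = False                         # propagate qos from l2tp
    from_l2tp_map: Optional[Dict[int, int]] = None  # ... class-map (outer DSCP -> PD)
    from_subscriber: Optional[str] = None           # propagate qos from subscriber {upstream|downstream|both}
    to_l2tp: bool = False                           # propagate qos to l2tp
    to_l2tp_map: Optional[Dict[int, int]] = None    # ... class-map (PD -> outer DSCP)


def lns_receive_from_lac(cfg: L2tpPeerQos, pkt: L2tpPacket) -> L2tpPacket:
    """Upstream at the LNS: the outer DSCP reaches the PD through IP forwarding first,
    then 'propagate qos from l2tp' rewrites either the inner header or the PD."""
    if cfg.role != "LNS" or pkt.outer_dscp is None:
        raise ValueError("needs an LNS and an L2TP-encapsulated packet")
    pkt.pd = pkt.outer_dscp                         # default DSCP-to-PD copy (assumed)
    if cfg.from_l2tp:
        if cfg.from_l2tp_map is None:
            pkt.inner_dscp = pkt.outer_dscp         # inner DSCP overwritten with outer DSCP
        else:
            pkt.pd = cfg.from_l2tp_map[pkt.outer_dscp]  # custom outer-DSCP-to-PD, inner untouched
    return pkt


def lac_receive_from_subscriber(cfg: L2tpPeerQos, pkt: L2tpPacket) -> L2tpPacket:
    """Upstream at the LAC: the PD stays at the low default unless
    'propagate qos from subscriber upstream' (or 'both') is configured."""
    if cfg.role != "LAC":
        raise ValueError("needs a LAC")
    pkt.pd = LOW_PRIORITY_PD
    if cfg.from_subscriber in ("upstream", "both"):
        pkt.pd = pkt.inner_dscp                     # deep inspection of the subscriber IP header
    return pkt


def encapsulate_to_l2tp(cfg: L2tpPeerQos, pkt: L2tpPacket) -> L2tpPacket:
    """Egress on either role: 'propagate qos to l2tp' copies the PD (or its
    class-map translation) into the outer DSCP field of the new L2TP packet."""
    if pkt.pd is None:
        raise ValueError("packet has not been classified")
    if cfg.to_l2tp:
        pkt.outer_dscp = pkt.pd if cfg.to_l2tp_map is None else cfg.to_l2tp_map[pkt.pd]
    else:
        pkt.outer_dscp = 0                          # assumption: best-effort outer header
    return pkt


def lac_upstream(cfg: L2tpPeerQos, subscriber_dscp: int) -> L2tpPacket:
    """Full LAC path for one subscriber packet: classify, then encapsulate."""
    return encapsulate_to_l2tp(cfg, lac_receive_from_subscriber(cfg, L2tpPacket(subscriber_dscp)))


def lns_upstream(cfg: L2tpPeerQos, outer_dscp: int, inner_dscp: int) -> L2tpPacket:
    """Full LNS path for one packet arriving from the LAC."""
    return lns_receive_from_lac(cfg, L2tpPacket(inner_dscp, outer_dscp=outer_dscp))


def lns_downstream(cfg: L2tpPeerQos, network_dscp: int) -> L2tpPacket:
    """LNS toward the LAC: PD comes from the network packet's DSCP via IP forwarding."""
    if cfg.role != "LNS":
        raise ValueError("needs an LNS")
    return encapsulate_to_l2tp(cfg, L2tpPacket(network_dscp, pd=network_dscp))
```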
propagate qos to mpls
propagate qos to mpls [class-map map-name] [l2vpn class-map map-name]
no propagate qos to mpls [class-map map-name] [l2vpn class-map map-name]
Purpose
When the SmartEdge router is configured as a Multiprotocol Label Switching (MPLS) ingress router,
enables the mapping of packet descriptor (PD) quality of service (QoS) priority values to the MPLS
experimental (MPLS EXP) bits for outgoing packets.
Command Mode
MPLS router configuration
Syntax Description
class-map map-name  Optional. Name of the egress MPLS classification map for mapping QoS PD values to MPLS EXP bits.
l2vpn class-map map-name  Optional. Name of the egress MPLS classification map for mapping packets received from Layer 2 Virtual Private Networks (L2VPNs).
Default
PD priority values are mapped to the MPLS EXP bits.
Usage Guidelines
When the SmartEdge router is configured as an MPLS ingress router, use the propagate qos to mpls
command to enable the mapping of PD QoS priority values to the MPLS EXP bits for outgoing packets. If
you do not specify the optional class-map map-name construct, the default mapping is used.
If you specify the optional class-map map-name construct, the propagate qos to mpls command specifies
a custom value mapping for PD values to MPLS EXP bits. The Differentiated Services Code Point (DSCP)
values are unaffected. In this case, use the qos class-map command to define a mapping schema, then
reference the schema using the class-map map-name construct. If you do not specify an L2VPN
classification map, the standard classification map applies to both Layer 2 and Layer 3 traffic.
If you specify the optional l2vpn class-map map-name construct without the class-map map-name
construct, the L2VPN classification map applies to Layer 2 traffic. Layer 3 traffic uses the default 8P0D
mapping schema. If you specify both the l2vpn class-map map-name construct and the class-map
map-name construct, Layer 2 traffic uses the L2VPN classification map and Layer 3 traffic uses the
standard classification map.
Use the no form of this command to disable the mapping of PD priority values to MPLS EXP bits.
Examples
The following example enables the mapping of the PD values to the MPLS EXP bits at the ingress router:
[local]Redback(config-ctx)#router mpls
[local]Redback(config-mpls)#propagate qos to mpls
Note: The default behavior of the SmartEdge router is to map DSCP bits to MPLS EXP bits for
outgoing traffic. You can use the propagate qos to mpls command to return the router to its
default behavior (after it has been changed by the no form of this command) or to specify a
custom mapping using the optional class-map map-name construct.
Related Commands
egress prefer dscp-qos
propagate qos from ethernet
propagate qos to ethernet
propagate qos transport use-vlan-header
propagate qos transport {in | out | both} use-vlan-header {inner | outer | both}
no propagate qos transport {in | out | both} use-vlan-header {inner | outer | both}
Purpose
Specifies whether propagation between packet descriptor (PD) values and Ethernet uses the 802.1p value
from the outer permanent virtual circuit (PVC) header or the inner PVC header, when both are present.
Command Mode
dot1q profile configuration
Syntax Description
in  Uses the specified VLAN header 802.1p value when propagating 802.1p to PD for incoming packets.
out  Uses the specified VLAN header 802.1p value when propagating 802.1p to PD for outgoing packets.
both  Uses the specified VLAN header 802.1p value for both incoming and outgoing packets.
inner  Uses the 802.1p value from the inner PVC header. This is the default value.
outer  Uses the 802.1p value from the outer PVC header.
both  Modifies both the inner PVC 802.1p field and the outer PVC 802.1p field with the same value, if both fields are present. Valid only when the out keyword is specified (egress propagation only).
Default
The 802.1p value from the inner PVC header is used.
Usage Guidelines
Use the propagate qos transport use-vlan-header command to specify whether propagation between PD
values and Ethernet uses the 802.1p value from the outer PVC header or the inner PVC header, when both
are present. This command applies only to transport ranges defined for 802.1Q PVCs.
Use the no form of this command to revert values.
Related Commands
propagate qos from ethernet
propagate qos to ethernet
propagate qos use-vlan-ethertype
propagate qos use-vlan-ethertype tunl-type
{no | default} propagate qos use-vlan-ethertype tunl-type
Purpose
Specifies the virtual LAN (VLAN) Ethernet type field that determines whether the packet is examined for
an enclosed IP header and Differentiated Services Code Point (DSCP) value or for an inner VLAN header
and 802.1p value for incoming Multiprotocol Label Switching (MPLS) packets that encapsulate 802.1q
Ethernet frames.
Command Mode
MPLS router configuration
Syntax Description
tunl-type  Type of incoming 802.1Q traffic, given as one of the following argument or keywords (in hexadecimal format):
  user  Custom traffic type; the range of values is 0x0 to 0xffff.
  8100  Specifies the 8100 packet type; this is the default packet type.
  88a8  Specifies the 88a8 packet type.
  9100  Specifies the 9100 packet type.
  9200  Specifies the 9200 packet type.
Default
The 8100 packet type is used.
Usage Guidelines
Use the propagate qos use-vlan-ethertype command to specify the VLAN Ethernet type field that
determines whether the packet is examined for an enclosed IP header and DSCP value or for an inner
VLAN header and 802.1p value for incoming MPLS packets that encapsulate 802.1q Ethernet frames. In
addition to packets with the specified VLAN Ethernet type field, packets with Ethernet type of 0x8100 are
also examined for enclosed header values. The SmartEdge OS either maps packets with other outer PVC
Ethernet types based on the outer PVC 802.1p value (for the mpls use-ethernet command in class map
configuration mode) or uses the default 8P0D mapping based on the MPLS EXP value (for the mpls use-ip
command in class map configuration mode).
Use the mpls use-ethernet or mpls use-ip command to enable propagation.
Use the no form of this command to disable the use of VLAN header values to identify incoming packets
for propagation.
Use the default form of this command to revert to the default setting.
Related Commands
mpls use-ethernet
mpls use-ip
propagate qos use-vlan-header
propagate qos use-vlan-header {inner | outer}
{no | default} propagate qos use-vlan-header {inner | outer}
Purpose
Specifies whether 802.1p-to-packet descriptor (PD) propagation uses the 802.1p value from the outer
permanent virtual circuit (PVC) header or the inner PVC header, when both values are present, for
incoming Multiprotocol Label Switching (MPLS) packets that encapsulate 802.1q Ethernet frames.
Command Mode
MPLS router configuration
Syntax Description
inner  Uses the 802.1p value from the inner PVC header.
outer  Uses the 802.1p value from the outer PVC header.
Default
The 802.1p value from the inner PVC header is used.
Usage Guidelines
Use the propagate qos use-vlan-header command to specify whether 802.1p-to-PD propagation uses the
802.1p value from the outer PVC header or the inner PVC header, when both values are present, for
incoming MPLS packets that encapsulate 802.1q Ethernet frames.
Use the mpls use-ethernet command (in class map configuration mode) to enable propagation.
Use the no or default form of this command to revert to the default setting, which uses the inner PVC
802.1p value.
Related Commands
mpls use-ethernet
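The ingress MPLS classification decision described under mpls use-ip, mpls use-ethernet, propagate qos from mpls, propagate qos use-vlan-ethertype and propagate qos use-vlan-header, modelled in Python as an added example that is not SmartEdge OS code. The 8P0D schema and the class-map tables are constructed placeholders, the "DSCP priority bits" are taken to be the three high-order DSCP bits, and an EXP value with no class-map entry is assumed to fall back to 8P0D.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the default 8P0D schema (EXP-to-PD and 802.1p-to-PD);
# the real table is not reproduced on the page, so identity is assumed here.
DEFAULT_8P0D: Dict[int, int] = {v: v for v in range(8)}

# One class-map entry per EXP value, mirroring the three class-map commands:
#   ("qos", pd)  = mpls <exp> to qos <pd>;  ("use-ip", dscp_map) = mpls <exp> use-ip
#   [class-map];  ("use-ethernet", pbit_map) = mpls <exp> use-ethernet [class-map]
ClassMap = Dict[int, Tuple[str, object]]


@dataclass
class Packet:
    exp: int                              # MPLS EXP bits, 0..7
    is_l2: bool                           # True for Layer 2 (L2VPN) traffic
    dscp: Optional[int] = None            # DSCP of an enclosed IP header, if any
    vlan_ethertype: Optional[int] = None  # outer VLAN ethertype; None = no VLAN header
    outer_pbits: Optional[int] = None     # 802.1p bits of the outer VLAN header
    inner_pbits: Optional[int] = None     # 802.1p bits of the inner VLAN header, if any


@dataclass
class MplsIngressQos:
    """propagate qos from mpls [class-map X] [l2vpn class-map Y] together with the
    MPLS router's propagate qos use-vlan-ethertype / use-vlan-header settings."""
    class_map: Optional[ClassMap] = None
    l2vpn_class_map: Optional[ClassMap] = None
    vlan_ethertype: int = 0x8100    # use-vlan-ethertype tunl-type (8100 is the default)
    use_vlan_header: str = "inner"  # use-vlan-header {inner | outer}

    def _select_map(self, pkt: Packet) -> Optional[ClassMap]:
        # Layer 2 traffic prefers the L2VPN map; Layer 3 traffic never uses it.
        return (self.l2vpn_class_map or self.class_map) if pkt.is_l2 else self.class_map

    def _vlan_examinable(self, pkt: Packet) -> bool:
        # Ethertype 0x8100 is always looked through, plus the configured tunl-type.
        return pkt.vlan_ethertype in (0x8100, self.vlan_ethertype)

    def classify(self, pkt: Packet) -> Tuple[int, Optional[int]]:
        """Return (PD value, DSCP value after ingress classification)."""
        cmap = self._select_map(pkt)
        if cmap is None:
            # No class map: default 8P0D EXP-to-PD, and EXP is also copied into the
            # DSCP priority bits (assumed to be the three high-order bits).
            pd = DEFAULT_8P0D[pkt.exp]
            dscp = None if pkt.dscp is None else (pkt.exp << 3) | (pkt.dscp & 0x07)
            return pd, dscp
        # With a class map the DSCP bits stay unmodified from here on.
        kind, table = cmap.get(pkt.exp, ("qos", DEFAULT_8P0D[pkt.exp]))  # assumed fallback
        if kind == "qos":
            return table, pkt.dscp
        if kind == "use-ip":
            reachable = pkt.vlan_ethertype is None or self._vlan_examinable(pkt)
            if pkt.dscp is not None and reachable:
                return table[pkt.dscp], pkt.dscp
            return DEFAULT_8P0D[pkt.exp], pkt.dscp     # fall back to 8P0D on EXP
        if kind == "use-ethernet":
            if pkt.vlan_ethertype is None:
                return DEFAULT_8P0D[pkt.exp], pkt.dscp  # no VLAN header: 8P0D on EXP
            if not self._vlan_examinable(pkt):
                return table[pkt.outer_pbits], pkt.dscp  # other ethertype: outer 802.1p
            use_inner = self.use_vlan_header == "inner" and pkt.inner_pbits is not None
            return table[pkt.inner_pbits if use_inner else pkt.outer_pbits], pkt.dscp
        raise ValueError(f"unknown class-map entry type {kind!r}")


def walkthrough() -> Dict[str, Tuple[int, Optional[int]]]:
    """Constructed configuration that exercises each branch of the decision."""
    dscp_to_pd = {d: 7 - (d >> 3) for d in range(64)}  # constructed DSCP-to-PD map
    pbits_to_pd = {p: 0x10 + p for p in range(8)}      # constructed 802.1p-to-PD map
    exp_to_pd: ClassMap = {
        1: ("qos", 0x24),                  # mpls 1 to qos 0x24
        3: ("use-ip", dscp_to_pd),         # mpls 3 use-ip class-map dscp-to-pd
        5: ("use-ethernet", pbits_to_pd),  # mpls 5 use-ethernet class-map pbits-to-pd
    }
    plain = MplsIngressQos()
    custom = MplsIngressQos(class_map=exp_to_pd, vlan_ethertype=0x88A8)
    outer = MplsIngressQos(class_map=exp_to_pd, vlan_ethertype=0x88A8, use_vlan_header="outer")
    with_l2 = MplsIngressQos(class_map=exp_to_pd, l2vpn_class_map={5: ("qos", 0x30)})
    qinq = dict(vlan_ethertype=0x88A8, outer_pbits=2, inner_pbits=6)
    return {
        "no map: EXP to PD, EXP into DSCP precedence": plain.classify(Packet(5, False, dscp=0b001010)),
        "static entry": custom.classify(Packet(1, False, dscp=46)),
        "use-ip on a plain IP packet": custom.classify(Packet(3, False, dscp=46)),
        "use-ip behind an unknown ethertype": custom.classify(
            Packet(3, True, dscp=46, vlan_ethertype=0x9100, outer_pbits=2)),
        "use-ethernet, inner 802.1p": custom.classify(Packet(5, True, **qinq)),
        "use-ethernet, outer 802.1p": outer.classify(Packet(5, True, **qinq)),
        "use-ethernet, unknown ethertype": custom.classify(
            Packet(5, True, vlan_ethertype=0x9100, outer_pbits=2, inner_pbits=6)),
        "use-ethernet, no VLAN header": custom.classify(Packet(5, True)),
        "L2VPN map wins for Layer 2": with_l2.classify(Packet(5, True, **qinq)),
    }
```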
qos hierarchical mode strict
qos hierarchical mode strict
{no | default} qos hierarchical mode
Purpose
Specifies the strict priority quality of service (QoS) scheduling algorithm for the traffic-managed port,
802.1Q tunnel, 802.1Q permanent virtual circuit (PVC), hierarchical node group, or hierarchical node on a
traffic-managed port.
Command Mode
dot1q PVC configuration
hierarchical node configuration
hierarchical node group configuration
Syntax Description
This command has no keywords or arguments.
Default
Gigabit Ethernet ports on traffic-managed cards are the top level in the traffic management hierarchy.
Usage Guidelines
Use the qos hierarchical mode strict command to specify the strict priority QoS scheduling algorithm for
the traffic-managed port, 802.1Q tunnel, 802.1Q PVC, hierarchical node group, or hierarchical node on a
traffic-managed port. You can also use the qos rate or qos weight commands (in port or dot1q PVC
configuration mode) to create a node in the QoS hierarchy with the default strict priority mode.
A QoS traffic-managed port is always a node at the top of the hierarchy. The scheduling algorithms service
the QoS queues defined by the priority weighted fair queuing (PWFQ) policy attached to the port, 802.1Q
tunnel, or 802.1Q PVC according to the priority assigned to each queue with the queue priority command
(in PWFQ policy configuration mode). The priority determines the servicing order, and the relative
maximum rate or weight determines the amount of traffic that is transmitted.
For 802.1Q PVCs, you can use this command to configure both static and on-demand PVCs. If you do not
enter this command for an 802.1Q tunnel or PVC, the tunnel or PVC is not part of the QoS traffic
management hierarchy. In this case, a tunnel inherits only the PWFQ policy attached to its port and a PVC
inherits the policy attached to its tunnel, unless you apply a more specific PWFQ policy to the tunnel or
PVC.
Use the no or default form of this command to remove the tunnel or PVC from the hierarchy.
Examples
The following example enables an 802.1Q PVC tunnel as a traffic-managed hierarchical node, with strict
scheduling algorithm:
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#dot1q pvc 10 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#qos hierarchical mode strict
Note: When you first configure the qos hierarchical mode strict, qos rate, or qos weight
command for a dot1q PVC, the SmartEdge OS removes previously configured QoS policy
queuing commands on the circuit or any of its children. Configuring one of these commands
on a circuit group for the first time deletes any QoS policy queuing commands on its existing
members, and adding a member to a circuit group that has a configured L3 command removes
all QoS policy queuing commands configured on the member circuit. To address this issue,
reconfigure these QoS policy queuing commands.
Related Commands
qos policy pwfq
qos rate
qos weight
qos mode
qos mode {alternate | normal | strict}
{no | default} qos mode
Purpose
Defines the mode of the quality of service (QoS) enhanced deficit round-robin (EDRR) policy algorithm.
Command Mode
ATM OC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
link group configuration
port configuration
Syntax Description
alternate Indicates that in every other round, either queue 0 or one of the other queues configured on the port is serviced, in alternating fashion.
normal Indicates that queue 0 is treated like all other queues on the port. Each queue receives its share of the port's bandwidth according to the configured weights. This is the default mode for EDRR policies.
strict Indicates that queue 0 has strict priority over all other queues configured on the port.
Default
The mode is normal.
Usage Guidelines
Use the qos mode command to define the mode of the EDRR policy algorithm.
Note Only one EDRR mode type can be supported on a single port.
Use the no or default form of this command to return EDRR queuing to normal mode.
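As an added illustration (not code from the SmartEdge OS documentation or product), the following Python model shows how the three qos mode keywords change the order in which queues are served. It is a simplified deficit-round-robin model: the queues, packet labels, packet sizes and weights are constructed sample input, and the rule that each visit grants a queue its configured weight in bytes of credit is an assumption made for the model, not a statement from the page.

```python
from collections import deque

# Constructed sample input: per-queue packets as (label, size_bytes).
# Queue 0 is the queue that the alternate and strict keywords single out.
SAMPLE_QUEUES = {
    0: [("a1", 100), ("a2", 100), ("a3", 100)],
    1: [("b1", 100), ("b2", 100)],
    2: [("c1", 100), ("c2", 100)],
}
# Assumed semantics: a queue may send up to its weight in bytes per visit.
SAMPLE_WEIGHTS = {0: 100, 1: 100, 2: 100}


class EdrrModel:
    """Toy deficit-round-robin scheduler with the three `qos mode` variants."""

    def __init__(self, queues, weights):
        if any(w <= 0 for w in weights.values()):
            raise ValueError("weights must be positive")
        self.q = {i: deque(pkts) for i, pkts in queues.items()}
        self.w = dict(weights)
        self.deficit = {i: 0 for i in self.q}

    def _visit(self, i, out):
        """Grant queue i its quantum and dequeue the packets that fit."""
        if not self.q[i]:
            return
        self.deficit[i] += self.w[i]
        while self.q[i] and self.q[i][0][1] <= self.deficit[i]:
            label, size = self.q[i].popleft()
            self.deficit[i] -= size
            out.append(label)
        if not self.q[i]:
            self.deficit[i] = 0  # an idle queue does not bank credit

    def _pending(self):
        return any(self.q[i] for i in self.q)

    def run(self, mode):
        """Return the labels in the order the scheduler would transmit them."""
        out = []
        others = sorted(i for i in self.q if i != 0)
        if mode == "normal":
            # queue 0 is just another weighted queue in the round
            while self._pending():
                for i in sorted(self.q):
                    self._visit(i, out)
        elif mode == "strict":
            # queue 0 is drained before any other queue gets a turn
            while self._pending():
                while self.q[0]:
                    self._visit(0, out)
                for i in others:
                    self._visit(i, out)
        elif mode == "alternate":
            # turns alternate: queue 0, then the next other queue, queue 0, ...
            turn_q0, rr = True, 0
            while self._pending():
                if turn_q0:
                    self._visit(0, out)
                else:
                    for k in range(len(others)):
                        i = others[(rr + k) % len(others)]
                        if self.q[i]:
                            self._visit(i, out)
                            rr = (rr + k + 1) % len(others)
                            break
                turn_q0 = not turn_q0
        else:
            raise ValueError(f"unknown qos mode: {mode}")
        return out


def service_order(mode, queues=SAMPLE_QUEUES, weights=SAMPLE_WEIGHTS):
    """Run the model once for `mode` on fresh copies of the sample queues."""
    return EdrrModel(queues, weights).run(mode)


if __name__ == "__main__":
    for mode in ("normal", "alternate", "strict"):
        print(f"{mode:9s}", " ".join(service_order(mode)))
```

With equal weights and equal packet sizes, normal mode interleaves all three queues, strict mode empties queue 0 before queues 1 and 2 see any service, and alternate mode gives queue 0 every second turn while the remaining turns rotate through the other queues.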
Examples
The following example configures strict mode for each configured port on the Ethernet traffic card in
slot 4:
[local]Redback(config)#qos policy qos-edrr-test edrr
[local]Redback(config-policy-edrr)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos mode strict
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#qos mode strict
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/3
[local]Redback(config-port)#qos mode strict
Related Commands
qos policy edrr
qos node
qos node node-name idx-start [through idx-end]
no qos node node-name
Purpose
Creates one or more quality of service (QoS) hierarchical nodes as aggregation points for applying traffic
shaping and accesses hierarchical node configuration mode.
Command Mode
hierarchical node group configuration
Syntax Description
node-name Name of the node.
idx-start Initial index number.
through idx-end Optional. Final index number.
Default
No nodes are created.
Usage Guidelines
Use the qos node command to create one or more QoS hierarchical nodes as aggregation points for
applying traffic shaping and to access hierarchical node configuration mode.
Note This command is available only for traffic-managed ports.
Each node is uniquely referenced by its name, its node index, its node group, and the index for the node
group.
Note The command prompt for the hierarchical node configuration mode is identical to the prompt
for the hierarchical node group configuration mode; see the example in the Examples
section.
Use the no form of this command to delete one or more nodes from the configuration.
Examples
The following example creates 10 hierarchical node groups and 50 hierarchical nodes, with 5 nodes in each
node group; the name of each node group is home and the name of each node is dslam:
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#qos node-group home 1 through 10
[local]Redback(config-h-node)#qos node dslam 1 through 5
[local]Redback(config-h-node)#
Related Commands
qos node-group
qos node-reference
qos policy queuing
qos node-group
qos node-group group-name idx-start [through idx-end]
no qos node-group group-name
Purpose
Creates one or more quality of service (QoS) hierarchical node groups as aggregation points for applying
traffic shaping and accesses hierarchical node group configuration mode.
Command Mode
port configuration
Syntax Description
group-name Name of the node groups.
idx-start Initial index number.
through idx-end Optional. Final index number.
Default
No node groups are created.
Usage Guidelines
Use the qos node-group command to create one or more QoS hierarchical node groups as aggregation
points for applying traffic shaping and accesses hierarchical node group configuration mode. This
command is available only for traffic-managed ports.
Each node group is uniquely referenced by its name and its index.
Use the no form of this command to delete the node group from the configuration.
Examples
The following example creates 10 hierarchical node groups; the name of each group is home:
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#qos node-group home 1 through 10
[local]Redback(config-h-node)#
Related Commands
qos node
qos node-reference
qos node-reference node-name node-idx group-name group-idx
no qos node-reference node-name
Purpose
Creates a reference to a quality of service (QoS) hierarchical node in the subscriber record, named
subscriber profile, or default subscriber profile.
Command Mode
subscriber configuration
Syntax Description
node-name Name of the node.
node-idx Node index number.
group-name Name of the node group.
group-idx Node group index number.
Default
No node references are created in any subscriber record, named subscriber profile, or default subscriber
profile.
Usage Guidelines
Use the qos node-reference command to create a reference to a QoS hierarchical node in the subscriber
record, named subscriber profile, or default subscriber profile.
Use the no form of this command to delete the reference from the subscriber record, named subscriber
profile, or default subscriber profile.
Examples
The following example creates a reference to the hierarchical node group, home, with index 1, in which
was created the node, dslam, with index 5, in the subscriber record, joe:
[local]Redback(config)#context subs
[local]Redback(config-ctx)#subscriber joe
[local]Redback(config-sub)#qos node-reference home 1 dslam 5
Related Commands
qos node
qos node-group
qos policy metering
qos policy metering pol-name [acl-counters] [inherit] [hierarchical]
no qos policy metering pol-name
Purpose
Attaches a metering policy to the specified circuit, port, or subscriber record to be enforced on outbound
packets.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
subscriber configuration
Syntax Description
pol-name Name of the metering policy to be attached.
acl-counters Optional. Enables per-rule access control list (ACL) statistics for a policy
ACL associated with the policy. Available in all listed configuration modes,
except global configuration.
inherit Optional. Attaches the specified policy as follows:
In port configuration mode: use this policy for any circuit (802.1Q
tunnel, 802.1Q permanent virtual circuit (PVC), and any child circuit
configured on an 802.1Q PVC) that is configured on this Ethernet port,
unless overridden by a quality of service (QoS) metering policy attached to
that circuit.
In dot1Q PVC configuration mode: use this policy for any circuit
configured on this 802.1Q tunnel or PVC (including child circuits), unless
overridden by a QoS metering policy attached to that 802.1Q PVC or child
circuit.
In ATM PVC configuration mode: use this policy for any child circuit
configured on this Asynchronous Transfer Mode (ATM) PVC, unless
overridden by a QoS metering policy attached to that child circuit.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs,
and ATM PVCs.
hierarchical Optional. Attaches the specified policy as follows:
In port configuration mode: use this policy for any circuit (802.1Q
tunnel, 802.1Q permanent virtual circuit (PVC), and any child circuit
configured on an 802.1Q PVC) that is configured on this Ethernet port.
In dot1Q PVC configuration mode: use this policy for any circuit
configured on this 802.1Q tunnel or PVC (including child circuits).
In ATM PVC configuration mode: use this policy for any child circuit
configured on this Asynchronous Transfer Mode (ATM) PVC.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs,
and ATM PVCs.
Default
No metering policy is attached to outbound packets on the specified circuit, port, or subscriber record.
Usage Guidelines
Use the qos policy metering command to attach a metering policy to a specified circuit, port, or subscriber
record to be enforced on outbound packets in any of the listed configuration modes, except link group
configuration mode.
Use the qos policy metering command in link group configuration mode to attach the policy to an MP or
MFR bundle; use it in port configuration mode to attach the policy to an Ethernet or 802.1Q link group.
When you attach the policy to any type of link group, you effectively attach it to all ports or circuits in the
link group (MP, MFR, Ethernet, or 802.1Q).
For 802.1Q PVCs, you can use this command to configure both static and on-demand PVCs.
Child circuits can inherit the QoS metering and policing policies attached to the parent circuit on which the
child circuits are configured if the keyword inherit or hierarchical is specified on the parent binding. If you
attach a different metering or policing policy to a child circuit, those policies override the metering or
policing policy attached to the parent circuit unless the parent policy applied is configured with the
keyword hierarchical.
By default, using the optional keyword inherit when configuring a metering or policing policy for a parent
circuit results in all of the children of the parent circuit inheriting the parent circuit policy, unless the
children have a more specific policy configured. In this case, rate limiting is applied collectively to the child
circuit and the parent circuit, which means all circuits to which the parent policy is to be applied are
collectively subject to the rate limitations specified in the parent circuit's metering or policing policy.
Using the optional keyword hierarchical when configuring a metering or policing policy for a parent
circuit results in applying both the child circuit policy and the parent circuit policy to the traffic on the child
circuit. With a hierarchical metering or policing policy, rate limiting is applied to the packets destined for the
child circuit first using the child policy. If the child metering or policing policy includes a drop policy, then
the SmartEdge router drops the appropriate packets if the traffic rate exceeds the rate limit. Those packets
that were not dropped are processed and rate-limited once again, along with all the other packets destined
for the parent circuit, using the parent policy.
Essentially, the child circuit traffic is processed and rate-limited twice and the parent circuit's native traffic
is processed and rate-limited once. With a hierarchical metering or policing policy enabled, a child is subject
to its own specified rate limitations and then is collectively subject to the rate limitations specified in the
parent circuit metering or policing policy, along with its parent and peers.
Use the no form of this command to remove a metering policy from outbound packets on a circuit, port,
subscriber record, or link group (of any type).
Note Configuring the qos policy metering command on an ATM port has no effect. In order to limit
ATM traffic, configure this command on ATM PVCs.
Note Only one level of hierarchical metering or policing can be applied to a circuit. A circuit can
have a maximum of two policing or metering policies applied: one individual or inherited
through the inherit keyword, and one inherited through the hierarchical keyword. If a circuit
is subject to two "hierarchical" parents (for example, a PPPoX session with a hierarchical
metering binding on its 802.1q PVC parent and a hierarchical metering binding on its Ethernet
port grandparent), only the binding on its closest relative (the PVC in this example) applies.
Examples
The following example creates the metering policy, example2, and attaches it to an Ethernet port:
[local]Redback(config)#qos policy example2 metering
[local]Redback(config-policy-metering)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-metering)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy metering example2
The following example configures an outbound rate limit for all traffic on a particular port and an individual
rate limit for each 802.1Q VLAN configured under the port:
[local]Redback(config)#qos policy port-hierarchical-policy metering
[local]Redback(config-policy-metering)#rate 500 burst 50000
[local]Redback(config-policy-rate)#exceed mark priority 6
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-metering)#exit
[local]Redback(config)#qos policy vlan-individual-policy metering
[local]Redback(config-policy-metering)#rate 100 burst 10000
[local]Redback(config-policy-rate)#conform mark priority 0
[local]Redback(config-policy-rate)#exceed mark priority 5
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-metering)#exit
.
.
[local]Redback(config)#port ethernet 12/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos policy metering port-hierarchical-policy hierarchical
[local]Redback(config-port)#dot1q pvc 30 thr 40 encapsulation
[local]Redback(config-port)#qos policy metering vlan-individual-policy
Related Commands
qos policy policing
rate circuit
qos policy policing
qos policy policing pol-name [acl-counters] [inherit | hierarchical]
no qos policy policing pol-name
Purpose
Attaches a policing policy to the specified circuit, port, or subscriber record to be enforced on inbound
packets.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
subscriber configuration
Syntax Description
pol-name Name of the policing policy to be attached.
acl-counters Optional. Enables per-rule access control list (ACL) statistics for a policy ACL
associated with the policy. Available in all configuration modes, except global
configuration.
inherit Optional. Attaches the specified policy as follows:
In port configuration mode: use this policy for any 802.1Q permanent virtual
circuit (PVC) that is configured on this Ethernet port, unless overridden by a quality
of service (QoS) policing policy attached to that circuit.
In dot1Q PVC configuration mode: use this policy for any 802.1Q tunnel or PVC,
unless overridden by a QoS policing policy attached to the PVC.
In ATM PVC configuration mode: use this policy for any child circuit configured
on this Asynchronous Transfer Mode (ATM) PVC, unless overridden by a QoS
policing policy attached to the child circuit.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs, and ATM
PVCs.
hierarchical Optional. Attaches the specified policy as follows:
In port configuration mode: use this policy for any circuit (802.1Q tunnel, 802.1Q
permanent virtual circuit (PVC), and any child circuit configured on an 802.1Q
PVC) that is configured on this Ethernet port.
In dot1Q PVC configuration mode: use this policy for any circuit configured on
this 802.1Q tunnel or PVC (including child circuits).
In ATM PVC configuration mode: use this policy for any child circuit configured
on this Asynchronous Transfer Mode (ATM) PVC.
This keyword is available only for Ethernet ports, 802.1Q tunnels and PVCs, and
ATM PVCs.
Default
No policing policy is attached to inbound packets on the port, circuit, or subscriber record.
Usage Guidelines
Use the qos policy policing command to attach a policing policy to inbound packets on a specific port,
circuit, or subscriber record in any of the listed configuration modes, except link group configuration mode.
Note Configuring the qos policy policing command on an ATM port has no effect. In order to limit
ATM traffic, configure this command on ATM PVCs.
Use the qos policy policing command in link group configuration mode to attach the policy to a multilink
Point-to-Point Protocol (MP) or Multilink Frame Relay (MFR) bundle; use it in port configuration mode
to attach the policy to an Ethernet or 802.1Q link group. When you attach the policy to any type of link
group, you effectively attach it to all ports or circuits in the link group (MP, MFR, Ethernet, or 802.1Q).
For 802.1Q PVCs, you can use this command to configure both static and on-demand PVCs.
Use the no form of this command to remove a policing policy from inbound packets on a port, circuit,
subscriber record, or link group (of any type).
Examples
The following example creates the example2 policing policy and attaches it to an Ethernet port:
[local]Redback(config)#qos policy example2 policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy policing example2
The following example attaches the WholePort policing policy to a Gigabit Ethernet port, and then
attaches the OneVC policing policy to one of the 802.1Q PVCs. The policy attached to the PVC supersedes
the policy attached to the port. For all the other PVCs on the port, the policy attached to the port takes effect:
[local]Redback(config)#qos policy OneVC policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#conform mark dscp ef
[local]Redback(config-policy-rate)#exceed mark dscp df
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#qos policy WholePort policing
[local]Redback(config-policy-policing)#rate 10000 burst 100000
[local]Redback(config-policy-rate)#exceed drop
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos policy policing WholePort
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#bind interface if_100 local
[local]Redback(config-dot1q-pvc)#qos policy policing OneVC
The following example configures an inbound rate limit to be enforced on all traffic on a particular 802.1Q
tunnel SVLAN and an individual rate limit for each CVLAN configured under the SVLAN:
[local]Redback(config)#qos policy svlan-hierarchical-policy policing
[local]Redback(config-policy-policing)#rate 1000 burst 50000
[local]Redback(config-policy-rate)#exceed mark priority 6
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#qos policy cvlan-individual-policy policing
[local]Redback(config-policy-policing)#rate 100 burst 10000
[local]Redback(config-policy-rate)#conform mark priority 0
[local]Redback(config-policy-rate)#exceed mark priority 5
[local]Redback(config-policy-rate)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 12/2
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 30 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#$svlan-hierarchical-policy hierarchical
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 30:1 through 100
[local]Redback(config-dot1q-pvc)#qos policy policing cvlan-individual-policy
Related Commands
qos policy metering
rate circuit
qos policy (protocol-rate-limit)
qos policy pol-name protocol-rate-limit
no qos policy pol-name protocol-rate-limit
Purpose
Creates a named rate-limiting policy that can be applied to protocol specific packets.
Command Mode
global configuration
subscriber configuration
port configuration
link group configuration
link PVC configuration
dot1q PVC configuration
Syntax Description
pol-name Specifies the policy name.
protocol-rate-limit The named policy is applicable to protocol-specific packets.
Default
No protocol-specific rate-limiting policies exist.
Usage Guidelines
The qos policy (protocol-rate-limit) command creates a named rate-limiting policy that can be applied to
protocol-specific packets.
For information on how to use this command, see Configure ARP Policy to Prevent DoS Attacks on
page 2-3 of Chapter 2, ARP Configuration.
Examples
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
the Ethernet port 5/1:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#port ether 5/1
[local]Redback(config-port)#qos policy protocol-rate-limit ARPDOS
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
subscriber circuits where the default subscriber profile is applied:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#subscriber default
[local]Redback(config-sub)#qos policy protocol-rate-limit ARPDOS
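The following Python model is an added example written for this page; it is not SmartEdge OS code. It serves two passages of this chapter: the two-stage rate limiting described under qos policy metering and qos policy policing when a parent binding carries the hierarchical keyword (child policy first, then the parent policy on the survivors), and the protocol-rate-limit ARP policy shown just above, where only ARP packets count against the meter. The rate and burst values are taken from the chapter's own examples; everything else is assumed for the model and not stated on the page: rate is in kbps and burst in bytes, a single token bucket implements each rate/burst pair, a parent hierarchical mark overwrites a mark set by the child policy, ARP packets that exceed the protocol-rate-limit policy are dropped, and the packets, circuit names and timestamps are constructed sample input.

```python
"""Toy meter model for hierarchical metering/policing and protocol rate limiting.

Illustrative code written for this page; not SmartEdge OS code. Assumptions
(not stated on the page): rate is kbps, burst is bytes, a parent `hierarchical`
mark overwrites a child's mark, and ARP packets that exceed a
protocol-rate-limit policy are dropped.
"""


class TokenBucket:
    """Single-rate, single-bucket meter: refill at `rate_kbps`, depth `burst_bytes`."""

    def __init__(self, rate_kbps, burst_bytes):
        self.bytes_per_sec = rate_kbps * 1000 / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # the bucket starts full
        self.last = 0.0

    def conforms(self, size, now):
        """Refill for the elapsed time, then debit `size` bytes if they fit."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.bytes_per_sec)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class Policy:
    """One rate/burst pair plus conform and exceed actions.

    Actions are ("mark", priority) or ("drop",); None forwards unchanged.
    """

    def __init__(self, rate_kbps, burst_bytes, conform=None, exceed=None):
        self.bucket = TokenBucket(rate_kbps, burst_bytes)
        self.conform, self.exceed = conform, exceed

    def apply(self, pkt):
        """Meter one packet in place; return False if the action drops it."""
        action = self.conform if self.bucket.conforms(pkt["size"], pkt["t"]) else self.exceed
        if action is None:
            return True
        if action[0] == "drop":
            return False
        pkt["priority"] = action[1]  # ("mark", priority)
        return True


def hierarchical_meter(packets, child_policies, parent_policy):
    """Child policy first; survivors are metered again by the parent's
    `hierarchical` policy. Returns (circuit, outcome) per packet, where the
    outcome is the final priority mark or a drop reason."""
    outcomes = []
    for pkt in packets:
        child = child_policies.get(pkt["circuit"])
        if child is not None and not child.apply(pkt):
            outcomes.append((pkt["circuit"], "dropped-by-child"))
            continue  # a packet dropped by the child never reaches the parent meter
        if not parent_policy.apply(pkt):
            outcomes.append((pkt["circuit"], "dropped-by-parent"))
            continue
        outcomes.append((pkt["circuit"], pkt["priority"]))
    return outcomes


def demo_hierarchical():
    """Use the chapter's port-hierarchical-policy / vlan-individual-policy values
    on a constructed burst: two 6000-byte packets per PVC, all arriving at t=0."""
    parent = Policy(500, 50000, exceed=("mark", 6))
    children = {f"pvc{v}": Policy(100, 10000, conform=("mark", 0), exceed=("mark", 5))
                for v in range(30, 35)}
    children["pvc35"] = Policy(100, 10000, exceed=("drop",))  # child that drops, not marks
    packets = [{"circuit": f"pvc{v}", "size": 6000, "t": 0.0, "priority": None}
               for v in range(30, 36) for _ in range(2)]
    return hierarchical_meter(packets, children, parent)


def protocol_rate_limit(frames, policy):
    """Meter only ARP frames (the `arp rate` keyword); other frames pass untouched.
    Returns (arp_forwarded, arp_dropped, other_forwarded)."""
    forwarded = dropped = other = 0
    for frame in frames:
        if frame["proto"] != "arp":
            other += 1
        elif policy.apply(frame):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped, other


def demo_arp():
    """Constructed burst: 2000 minimum-size ARP frames plus 5 IP frames at t=0,
    against the chapter's `arp rate 5000 burst 100000` values."""
    arpdos = Policy(5000, 100000, exceed=("drop",))
    frames = [{"proto": "arp", "size": 60, "t": 0.0} for _ in range(2000)]
    frames += [{"proto": "ip", "size": 1500, "t": 0.0} for _ in range(5)]
    return protocol_rate_limit(frames, arpdos)


if __name__ == "__main__":
    for circuit, outcome in demo_hierarchical():
        print(circuit, outcome)
    print("arp forwarded/dropped, other forwarded:", demo_arp())
```

In the hierarchical run, the second packet of each PVC exceeds the child bucket and is marked priority 5; the parent bucket holds 50000 bytes, so once eight 6000-byte packets have passed, the remaining packets exceed the parent policy and carry priority 6 whatever the child marked, while the packet dropped by the pvc35 child policy never consumes parent tokens. In the ARP run, the 100000-byte burst admits 1666 sixty-byte ARP frames before the rest are dropped, and the IP frames are untouched because the policy meters only ARP.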
Related Commands
None
qos policy queuing
qos policy queuing pol-name
no qos policy queuing pol-name
Purpose
Attaches a quality of service (QoS) scheduling policy to the port, circuit, hierarchical node, or subscriber
record.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
hierarchical node configuration
link group configuration
port configuration
subscriber configuration
Syntax Description
pol-name Name of the scheduling policy to be attached.
Default
No queuing policy is attached to the circuit or port.
Usage Guidelines
Use the qos policy queuing command to attach a QoS scheduling policy to the port, circuit, hierarchical
node, or subscriber record.
The specified QoS scheduling policy must already exist. The types of scheduling policies are
Asynchronous Transfer Mode weighted fair queuing (ATMWFQ), enhanced deficit round-robin (EDRR),
modified deficit round-robin (MDRR), priority queuing (PQ), and priority weighted fair queuing (PWFQ).
Note Configuring the qos policy queuing command on an ATM port has no effect. In order to limit
ATM traffic, configure this command on ATM PVCs.
Use this command in link group configuration mode to attach the policy to a Multilink Point-to-Point
Protocol (MP) or Multilink Frame Relay (MFR) bundle; use it in port configuration mode to attach the
policy to an Ethernet or 802.1Q link group.
For 802.1Q permanent virtual circuits (PVCs), this command can be used to configure both static and
on-demand PVCs.
Note QoS scheduling policies are not supported on VLAN bridge circuits and Layer 2 Tunneling
Protocol (L2TP) Virtual Private Network (VPN) circuits.
Note ATMWFQ policies are applicable only to ATM PVCs (not ports) on ATM DS-3 and
second-generation ATM OC traffic cards. However, an ATMWFQ policy cannot be attached
to a PVC that is shaped as unspecified bit rate extended (UBRe).
Caution Risk of data loss. Modifying the parameters of an ATMWFQ policy will momentarily
interrupt the traffic on all ATM PVCs using the policy. To reduce the risk, modify an
ATMWFQ policy only when traffic is light.
Note MDRR policies apply to 10 Gigabit Ethernet (10GE) ports and the 802.1Q tunnels and
802.1Q PVCs that are configured on them. They also apply to 10GE ports that are members
of a link group.
Note PWFQ policies are supported only on traffic-managed ports, and the 802.1Q tunnels, 802.1Q
PVCs, and hierarchical nodes configured on them. You can attach the same PWFQ policy to
a port, its 802.1Q tunnels, its PVCs, and its hierarchical nodes; similarly, you can attach
different PWFQ policies to a port, its tunnels, PVCs and hierarchical nodes. For examples,
see the Examples section.
Note Layer 2 Tunneling Protocol (L2TP) network server (LNS) subscriber sessions support only
PWFQ policies; an LNS subscriber session initiated on any type of port except a
traffic-managed port will not be governed by the PWFQ policy attached to the subscriber
record.
Slot redundancy is not supported; if an LNS subscriber session moves to a traffic-managed
port in a different slot, it will no longer be governed by the PWFQ policy attached to the LNS
subscriber session. If the session moves to a different port in the same slot, the PWFQ policy
will resume queuing after a temporary traffic disruption.
Note For first-generation ATM OC traffic cards, you can attach EDRR or PQ policies to both ATM
ports and ATM PVCs. PQ and EDRR policies are not supported on second-generation
ATM OC or ATM DS-3 traffic cards.
Use the no form of this command to remove a QoS scheduling policy from the port, circuit, hierarchical
node, or subscriber record.
Examples
The following example creates a PQ policy and then attaches the policy to a GE3 port:
[local]Redback(config)#qos policy example1 pq
[local]Redback(config-policy-pq)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy queuing example1
The following example attaches two PWFQ policies, pwfq1 and pwfq2, to a GE3 port, an 802.1Q tunnel
on that port, and an 802.1Q PVC within that tunnel:
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#qos policy queuing pwfq1
[local]Redback(config-port)#dot1q pvc 10 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#qos policy queuing pwfq1
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 10:20
[local]Redback(config-dot1q-pvc)#qos policy queuing pwfq2
[local]Redback(config-dot1q-pvc)#exit
Note You can attach only one type of queuing policy to ports and circuits on a single traffic card.
That is, you can attach either ATMWFQ, EDRR, PQ, or PWFQ policies, but not any
combination of these types. You can, however, attach several queuing policies of the same
type to ports, subscribers, and circuits on a single traffic card.
Note To attach an EDRR policy to a circuit, you must also attach the policy at the port level. The
limit on attaching different EDRR policies to ports and circuits on a single traffic card is 15.
Note EDRR and ATMWFQ policies are not supported on link groups.
Related Commands
qos policy atmwfq
qos policy edrr
qos policy mdrr
qos policy pq
qos policy pwfq
rate circuit
qos priority
qos priority group-num
no qos priority group-num
Purpose
Classifies all traffic, including non-IP traffic, on the ingress circuit with a quality of service (QoS) priority
group number.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
Syntax Description
group-num Priority group number. The range of values is 0 to 7.
Default
By default, no QoS priority is configured and no priority group is assigned to any traffic.
Usage Guidelines
Use the qos priority command to classify all traffic, including non-IP traffic, on the ingress circuit with a
QoS priority group number.
A priority group is an internal value used by the SmartEdge router to determine into which egress queue
the inbound packet should be placed. The type of service (ToS) value, IP Differentiated Services Code Point
(DSCP) value, and Multiprotocol Label Switching (MPLS) experimental (EXP) bits are not changed by this
command. The actual queue number depends upon the number of queues configured on the circuit; see the
num-queues command in Chapter 17, QoS Scheduling Configuration.
Note If a QoS policy is applied to the same traffic assigned to a QoS priority group, the QoS policy
overrides the qos priority command.
This command is not supported for dynamic 802.1Q permanent virtual circuits (PVCs).
Use the no form of this command to remove a QoS priority configuration and to stop assigning traffic to
the priority group.
Examples
The following example configures a priority of 2 on port 1 of the Ethernet traffic card in slot 13:
[local]Redback(config)#port ethernet 13/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface eth-pc05 local
[local]Redback(config-port)#qos priority 2
Note Configuring the qos priority command on an ATM port has no effect. In order to classify
ATM traffic with a QoS priority group number, configure the qos priority command on ATM
PVCs.
Related Commands
num-queues
qos queue-map
qos profile overhead
qos profile overhead profile-name [inherit]
no qos profile overhead profile-name [inherit]
Purpose
Attaches an overhead profile to a port, an 802.1Q permanent virtual circuit (PVC), or a subscriber record.
Command Mode
dot1q PVC configuration
port configuration
Syntax Description
profile-name Name of the existing overhead profile to be attached to the port or PVC.
inherit Optional. Applies the overhead profile to any child circuit configured on an 802.1Q PVC that is configured on this Ethernet port (unless it is overridden by a quality of service [QoS] overhead profile attached to that circuit). This keyword is available only for Ethernet ports and 802.1Q PVCs.
Default
No overhead profile is attached to a port, an 802.1Q PVC, or a subscriber record.
Usage Guidelines
Use the qos profile overhead command to attach an overhead profile to the port, 802.1Q PVC, or subscriber record.
Use the inherit keyword to apply the overhead profile to any child circuit configured on an 802.1Q PVC that is configured on this Ethernet port (unless it is overridden by a QoS overhead profile attached to that circuit). If you do not specify the inherit keyword, the child circuits do not inherit the overhead profile of the parent.
Note The inherit keyword is not valid when you apply an overhead profile to a subscriber record.
Use the no form of this command to delete an overhead profile from the port, 802.1Q PVC, or subscriber record.
Examples
The following example allows the child circuits of the 802.1Q PVC to inherit the example1 overhead profile:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#dot1q pvc 100 encapsulation 1qtunnel
[local]Redback(config-port)#qos profile overhead example1 inherit
[local]Redback(config-port)#exit
Related Commands
qos policy pwfq
rate
qos rate
For traffic-managed ports, or the 802.1Q tunnels or permanent virtual circuits (PVCs) configured on them, the syntax is:
qos rate {maximum | minimum} kbps
no qos rate {maximum | minimum}
For all other Gigabit Ethernet ports, the syntax is:
qos rate maximum mbps burst bytes
no qos rate maximum
Purpose
Sets the rate for outgoing traffic on a Gigabit Ethernet port, or on an 802.1Q tunnel, 802.1Q PVC, or hierarchical node group or node configured on a traffic-managed port.
Command Mode
dot1q PVC configuration
hierarchical node configuration
hierarchical node group configuration
port configuration
Syntax Description
maximum Specifies the maximum rate for the port, tunnel, PVC, hierarchical node group, or hierarchical node.
minimum Specifies the minimum rate for the port; available only for traffic-managed ports and the 802.1Q tunnels, PVCs, hierarchical node groups, and hierarchical nodes configured on them.
kbps Rate in kbps for traffic-managed ports, tunnels, PVCs, and hierarchical node groups. In hierarchical node and hierarchical node group configuration modes, the range of values is 64 to 1,000,000; in dot1q PVC and port configuration modes, the range of values is 10,000 to 1,000,000.
mbps Rate in Mbps for all other Gigabit Ethernet ports. The range of values is 100 to 1,000; the default value is 1,000 (the full speed of the port).
burst bytes Burst tolerance in bytes. For all Gigabit Ethernet ports other than traffic-managed ports, the range of values is 1 to 1,250,000,000. This construct is not available for traffic-managed ports.
Default
Outgoing traffic is transmitted at the full speed of the port.
Usage Guidelines
Use the qos rate command to set the maximum rate for outgoing traffic on a Gigabit Ethernet port, or an 802.1Q tunnel, 802.1Q PVC, or hierarchical node group or node configured on a traffic-managed port. You can set the burst for any Gigabit Ethernet port, except for a traffic-managed port.
If you have not already entered the qos hierarchical mode strict command (in port or dot1q PVC configuration mode) for this tunnel or PVC, this command also makes the tunnel or PVC a node in the hierarchy. A Gigabit Ethernet 3 port is always a node at the top of the hierarchy.
Use the no form of this command to set the port, tunnel, or PVC to the default port rate.
Examples
The following example sets the maximum rate for outgoing traffic for port 1 on the Gigabit Ethernet traffic card in slot 14 to 600 Mbps with a burst size of 1,000 bytes:
[local]Redback(config)#port ethernet 14/1
[local]Redback(config-port)#qos rate maximum 600 burst 1000
Note The maximum rate set by this command is the rate at which the port operates; any priority queuing (PQ), enhanced deficit round-robin (EDRR), or priority weighted fair queuing (PWFQ) queue or circuit with a PQ, EDRR, or PWFQ policy is limited by the rate specified by this command for the circuit. Also, the sum of all traffic on the port carried by the queues belonging to the circuits or subscribers is limited to the rate specified by this command.
Note When you first configure the qos hierarchical mode strict, qos rate, or qos weight command for a dot1q PVC, the SmartEdge OS removes previously configured QoS policy queuing commands on the circuit or any of its children. Configuring one of these commands on a circuit group for the first time deletes any QoS policy queuing commands on its existing members, and adding a member to a circuit group that has a configured L3 command removes all QoS policy queuing commands configured on the member circuit. To address this issue, reconfigure these QoS policy queuing commands.
Related Commands
qos hierarchical mode strict
qos weight
rate
qos to atm
qos {pd-value | all} to atm clp-value
{no | default} qos {clp-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Asynchronous Transfer Mode (ATM) cell loss priority (CLP) values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard Differentiated Services Code Point (DSCP) marking label as defined in Table 16-21 on page 16-71. The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
clp-value Either 0 or 1. In case of network congestion, ATM cells marked with a value of 1 have been tagged to be dropped ahead of those with a value of 0.
Default
Egress ATM classification map entries use the default PD-to-CLP mapping described in Table 18-23.
Usage Guidelines
Use the qos to atm command to translate PD QoS values to ATM CLP values on egress.
If you specify the all keyword, all valid PD values are mapped to the specified CLP value. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
Use the no or default form of this command to revert values for one or all map entries to their default values defined in Table 18-23.
Table 18-23 ATM CLP Bits Mapped to the QoS PD Value
ATM CLP Bit | PD Priority Value | PD Drop-Precedence Value | AF Label | QoS PD Value
0 | 1 | 2 | AF11 | 10
1 | 0 | 0 | DF | 0
Related Commands
clpbit propagate qos to atm
qos class-map
qos to ethernet
qos {pd-value | all} to ethernet 802.1p-value
default qos {pd-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Ethernet 802.1p values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard Differentiated Services Code Point (DSCP) marking label as defined in Table 16-21 on page 16-71. The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
802.1p-value An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the three user priority bits in the 802.1p virtual LAN (VLAN) Tag Control Information (TCI) field.
Default
None
Usage Guidelines
Use the qos to ethernet command to define egress mappings from PD QoS values to Ethernet 802.1p values.
If you specify the all keyword, all valid PD values are mapped to the specified 802.1p value. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
Use the default form of this command to revert one or all Ethernet 802.1p values to either the default 8P0D or mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map pd-to-8021p for Ethernet 802.1p values on egress, then maps the af33 and af21 PD QoS values to Ethernet 802.1p values 1 and 7, respectively:
[local]Redback(config)#qos class-map pd-to-8021p ethernet out
[local]Redback(config-class-map)#qos af33 to ethernet 1
[local]Redback(config-class-map)#qos af21 to ethernet 7
Related Commands
ethernet to qos
qos hierarchical mode strict
qos to ip
qos {pd-value | all} to ip dscp-value
default qos {dscp-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Differentiated Services Code Point (DSCP) values in the IP header on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard DSCP marking label as defined in Table 16-21 on page 16-71. The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
dscp-value An integer from 0 to 63 representing the contents of the most significant six bits of the Type of Service (ToS) field in the IP header. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard DSCP marking label as defined in Table 16-21 on page 16-71.
Default
None
Usage Guidelines
Use the qos to ip command to translate PD QoS values to DSCP values in the IP header on egress.
If you specify the all keyword, all valid PD values are mapped to the specified IP header value. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
Use the default form of this command to revert values for one or all map entries to their default values, where each PD QoS value is mapped to the equivalent DSCP value.
Examples
The following example defines the classification map pd-to-dscp for IP values on egress, then maps all PD QoS values to the DSCP value af13. It then overrides this mapping for the PD QoS values 25 and df, which are mapped to DSCP values af21 and 1, respectively:
[local]Redback(config)#qos class-map pd-to-dscp ip out
[local]Redback(config-class-map)#qos all to ip af13
[local]Redback(config-class-map)#qos 25 to ip af21
[local]Redback(config-class-map)#qos df to ip 1
Related Commands
mapping-schema
qos hierarchical mode strict
qos to mpls
qos {pd-value | all} to mpls exp-value
default qos {exp-value | all}
Purpose
Translates packet descriptor (PD) quality of service (QoS) values to Multiprotocol Label Switching (MPLS) experimental (EXP) values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard Differentiated Services Code Point (DSCP) marking label as defined in Table 16-21 on page 16-71. The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
exp-value An integer from 0 (lowest priority) to 7 (highest priority) representing the contents of the three EXP bits in the MPLS label header.
Default
None
Usage Guidelines
Use the qos to mpls command to define egress mappings from PD QoS values to MPLS EXP values.
If you specify the all keyword, all valid PD values are mapped to the specified MPLS EXP value. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
Use the default form of this command to revert one or all MPLS EXP values to either the default 8P0D or mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map pd-to-exp for MPLS values on egress, then maps the ef and df PD QoS values to MPLS EXP values 7 and 1, respectively:
[local]Redback(config)#qos class-map pd-to-exp mpls out
[local]Redback(config-class-map)#qos ef to mpls 7
[local]Redback(config-class-map)#qos df to mpls 1
Related Commands
mpls to qos
qos hierarchical mode strict
qos use-ip
qos {pd-value | all} use-ip [class-map map-name]
default qos {pd-value | all}
Purpose
For IP packets, determines packet descriptor (PD) values by mapping Differentiated Services Code Point (DSCP) values rather than quality of service (QoS) values on egress.
Command Mode
class map configuration
Syntax Description
pd-value An integer from 0 to 63 (six bits), with the packet priority encoded in the three higher-order bits and the packet drop precedence in the three lower-order bits. You can enter the value in decimal or hexadecimal format, for example 16 or 0x10. You can also enter a standard DSCP marking label as defined in Table 16-21 on page 16-71. The scale used by this command for packet priority, from 0 (lowest priority) to 7 (highest priority), is the relative inverse of the scale used by the mark priority command. For details on this command, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
all Maps all valid values for the source value to the specified target value. Any existing configuration for the classification map is overridden.
use-ip Enables a secondary mapping lookup using the packet's DSCP bits as input. If no classification map is specified for the secondary lookup, the default DSCP-to-target mapping is used. When configuring a classification map for use as a secondary classification map on egress, omit the use-ip keyword.
class-map map-name Optional. Name of the classification map.
Default
None
Usage Guidelines
Use the qos use-ip command to determine the final 802.1p or Multiprotocol Label Switching (MPLS) experimental (EXP) value from the DSCP value in the IP header of a packet with the specified PD QoS value on egress. Each packet is scheduled according to its PD value, but the MPLS or Ethernet header is marked according to the egress packet's DSCP value rather than its PD value.
If you specify the all keyword, all PD value entries use DSCP-based mappings. Any existing configuration for the classification map is overridden. You can use the all keyword to specify a single default value for all the mapping entries, then override that value for a subset of entries by entering subsequent mapping commands without this keyword.
If you specify the optional class-map map-name construct, the DSCP values are mapped to 802.1p values according to the specified secondary classification map. The SmartEdge OS interprets QoS-to-Ethernet or QoS-to-MPLS entries as if the QoS value actually specified a DSCP value. For example, the entry qos 1 to ethernet 2 actually maps DSCP value 1 to 802.1p value 2.
The secondary classification map must have the same values for the marking-type argument and mapping direction as the primary classification map and cannot include any use-ip classification map entries. If you do not specify a secondary classification map, the default DSCP-to-target mapping is used.
Use the default form of this command to revert one or all PD values to either the default 8P0D or mapping schema values, if a mapping schema has been specified.
Examples
The following example defines the classification map pd-to-exp for MPLS values on egress and specifies 6P2D as the default mapping schema. Then, it specifies that all PD values are to be mapped according to DSCP values rather than QoS values, using the secondary classification map dscp-to-exp for translation. Finally, it maps PD value af33 to MPLS EXP value 4, and PD value 13 according to the corresponding DSCP value:
[local]Redback(config)#qos class-map pd-to-exp mpls out
[local]Redback(config-class-map)#mapping-schema 6P2D
[local]Redback(config-class-map)#qos all use-ip dscp-to-exp
[local]Redback(config-class-map)#qos af33 to mpls 4
[local]Redback(config-class-map)#qos 13 use-ip
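The egress class-map semantics shared by the qos to ip, qos to ethernet, qos to mpls and qos use-ip entries above (six-bit PD encoding, the all keyword followed by per-entry overrides, and the use-ip secondary lookup), as an added Python model that is not SmartEdge OS code. It assumes that the unconfigured default for Ethernet and MPLS maps is the PD priority bits (the 8P0D and 6P2D mapping schemas are not modelled) and constructs the secondary map dscp-to-exp, which the page names but does not show.

```python
from typing import Callable, Dict, Optional, Tuple

# Standard DSCP marking labels (RFC 2474, RFC 2597, RFC 3246): AFxy = 8x + 2y.
DSCP_LABELS: Dict[str, int] = {"df": 0, "ef": 46}
DSCP_LABELS.update({f"cs{i}": 8 * i for i in range(1, 8)})
DSCP_LABELS.update({f"af{x}{y}": 8 * x + 2 * y for x in range(1, 5) for y in range(1, 4)})


def parse_pd(token: str) -> int:
    """pd-value argument: decimal, hexadecimal (0x10) or a DSCP label such as af33."""
    tok = token.strip().lower()
    if tok in DSCP_LABELS:
        value = DSCP_LABELS[tok]
    else:
        value = int(tok, 16) if tok.startswith("0x") else int(tok, 10)
    if not 0 <= value <= 63:
        raise ValueError(f"pd-value out of range: {token}")
    return value


def pd_priority(pd: int) -> int:
    """Packet priority: the three higher-order bits of the six-bit PD value."""
    return (pd >> 3) & 0x7


def pd_drop_precedence(pd: int) -> int:
    """Packet drop precedence: the three lower-order bits of the PD value."""
    return pd & 0x7


class EgressClassMap:
    """One egress class map; an entry is ("to", target) or ("use-ip", secondary name or None)."""

    def __init__(self, name: str, marking_type: str, default: Callable[[int], int]):
        self.name, self.marking_type = name, marking_type
        self.default = default          # mapping used for entries never configured
        self.entries: Dict[int, Tuple[str, Optional[object]]] = {}

    def _selected(self, pd_token: str):
        # "all" rewrites every entry, overriding whatever was configured before.
        return range(64) if pd_token == "all" else [parse_pd(pd_token)]

    def qos_to(self, pd_token: str, target: str) -> None:
        """qos {pd-value | all} to <marking-type> <target>."""
        if self.marking_type == "ip":
            tgt = parse_pd(target)      # dscp-value also accepts labels and hex
        else:
            tgt = int(target)           # 802.1p-value or exp-value, 0 to 7
            if not 0 <= tgt <= 7:
                raise ValueError(f"target out of range: {target}")
        for pd in self._selected(pd_token):
            self.entries[pd] = ("to", tgt)

    def qos_use_ip(self, pd_token: str, class_map: Optional[str] = None) -> None:
        """qos {pd-value | all} use-ip [class-map map-name]."""
        for pd in self._selected(pd_token):
            self.entries[pd] = ("use-ip", class_map)


def resolve(primary: EgressClassMap, pd: int, packet_dscp: int,
            maps: Dict[str, EgressClassMap]) -> int:
    """Egress marking for a packet scheduled with PD value pd and carrying packet_dscp."""
    kind, value = primary.entries.get(pd, ("to", primary.default(pd)))
    if kind == "to":
        return value
    if value is None:
        # use-ip without class-map: the default DSCP-to-target mapping, assumed here
        # to be the map's own default function applied to the DSCP value.
        return primary.default(packet_dscp)
    secondary = maps[value]
    if any(k == "use-ip" for k, _ in secondary.entries.values()):
        raise ValueError("secondary map cannot contain use-ip entries")
    # Secondary entries are read as if their PD value were a DSCP value, so
    # "qos 1 to ethernet 2" there means DSCP 1 -> 802.1p 2.
    _, target = secondary.entries.get(packet_dscp, ("to", secondary.default(packet_dscp)))
    return target


def build_page_maps() -> Dict[str, EgressClassMap]:
    """Reproduce the class maps configured in the examples on this page."""
    maps: Dict[str, EgressClassMap] = {}
    # qos class-map pd-to-dscp ip out: by default each PD value maps to the equal DSCP.
    dscp = EgressClassMap("pd-to-dscp", "ip", lambda pd: pd)
    dscp.qos_to("all", "af13")
    dscp.qos_to("25", "af21")
    dscp.qos_to("df", "1")
    maps[dscp.name] = dscp
    # Secondary map dscp-to-exp (entries constructed here): DSCP ef -> EXP 7, df -> 1.
    # Assumption: for ethernet/mpls maps the unconfigured default is the PD priority bits.
    sec = EgressClassMap("dscp-to-exp", "mpls", pd_priority)
    sec.qos_to("ef", "7")
    sec.qos_to("df", "1")
    maps[sec.name] = sec
    exp = EgressClassMap("pd-to-exp", "mpls", pd_priority)
    exp.qos_use_ip("all", "dscp-to-exp")  # every PD entry: secondary DSCP lookup
    exp.qos_to("af33", "4")               # override: PD af33 -> EXP 4 regardless of DSCP
    exp.qos_use_ip("13")                  # PD 13: default DSCP-to-EXP mapping
    maps[exp.name] = exp
    return maps
```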
Related Commands
mapping-schema
qos hierarchical mode strict
qos to ethernet
qos to mpls
qos weight
qos weight weight
no qos weight weight
Purpose
Assigns to this circuit a relative weight that is used to calculate a traffic ratio for all circuits configured on a traffic-managed port.
Command Mode
dot1q PVC configuration
hierarchical node configuration
hierarchical node group configuration
Syntax Description
weight Relative weight that is assigned to this circuit. The range of values is 1 to 4096.
Default
All circuits configured on this port have the same weight.
Usage Guidelines
Use the qos weight command to assign to this circuit a relative weight that is used to calculate a traffic ratio for all circuits configured on a traffic-managed port.
You can assign a relative weight, or you can set a minimum absolute rate for the circuit using the qos rate command (in dot1q PVC, hierarchical node, or hierarchical node group configuration mode), but you cannot do both; the relative weight and minimum absolute rate are mutually exclusive.
You can assign a relative weight (using this command) and set a maximum absolute rate for the circuit, using the qos rate command (in dot1q PVC, hierarchical node, or hierarchical node group configuration mode).
For 802.1Q permanent virtual circuits (PVCs), this command can be used to configure both static and on-demand PVCs.
Note When you first configure the qos hierarchical mode strict, qos rate, or qos weight command for a dot1q PVC, the SmartEdge OS removes previously configured QoS policy queuing commands on the circuit or any of its children. Configuring one of these commands on a circuit group for the first time deletes any QoS policy queuing commands on its existing members, and adding a member to a circuit group that has a configured L3 command removes all QoS policy queuing commands configured on the member circuit. To address this issue, reconfigure these QoS policy queuing commands.
Use the no form of this command to specify the default condition.
Examples
The following example specifies a weight of 3 for the hierarchical nodes dslam1 through dslam5:
[local]Redback(config)#port ethernet 5/2
[local]Redback(config-port)#qos rate maximum 100000000
[local]Redback(config-port)#qos node-group home 1
[local]Redback(config-h-node)#qos hierarchical mode strict
[local]Redback(config-h-node)#qos node dslam 1 through 5
[local]Redback(config-h-node)#qos weight 3
Related Commands
qos rate
weight
rate circuit
rate circuit {in | out} kbps burst bytes [excess-burst bytes]
no rate circuit {in | out}
Purpose
Specifies a different rate for a circuit that has a quality of service (QoS) metering, policing, or priority weighted fair queuing (PWFQ) policy attached to it.
Command Mode
ATM DS-3 configuration
ATM OC configuration
ATM PVC configuration
dot1q PVC configuration
CLIPS PVC configuration
DS-0 group configuration
DS-1 configuration
DS-3 configuration
E1 configuration
E3 configuration
Frame Relay PVC configuration
link group configuration
port configuration
Syntax Description
in Overrides the policy rate specified in the policy attached to this circuit for incoming packets.
out Overrides the policy rate specified in the policy attached to this circuit for outgoing packets.
kbps Rate in kilobits per second. The range of values is 5 to 1,000,000.
burst bytes Burst tolerance in bytes. The range of values is 1 to 1,250,000,000.
excess-burst bytes Optional. Excess burst tolerance in bytes. The range of values is 1 to 1,250,000,000.
Default
The circuit rate is based on the policy rate as specified by the attached QoS policy.
Usage Guidelines
Use the rate circuit command to specify a different rate for a circuit that has a QoS metering, policing, or PWFQ policy attached to it. The rate that you specify for the circuit overrides the rates specified by the attached metering, policing, and PWFQ policies.
This command allows you to attach the same policy to a number of circuits, but specify a different rate for each circuit.
This command is not supported for dynamic 802.1Q permanent virtual circuits (PVCs).
Use the no form of this command to specify the default condition.
Examples
The following example changes the outgoing rate for port 1 to 2,000 kbps:
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#qos policy metering example2
[local]Redback(config-port)#rate circuit out 2000
Note Configuring the rate circuit command on an ATM port has no effect. In order to limit ATM traffic, configure this command on ATM PVCs.
Note The application of a different rate in either direction occurs only while you have attached the appropriate QoS policy to the circuit.
Related Commands
qos policy metering
qos policy policing
qos policy queuing
Chapter 19
Flow Admission Control Configuration
This chapter describes the tasks and commands used to configure the SmartEdge OS flow architecture.
It contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
A flow is a unidirectional object that identifies related data packets and enables you to apply a set of services to a portion of an 802.1Q circuit. Flows provide greater efficiency because you can associate services to be applied on a portion of the circuit. Without flows, you could apply services to entire groups of subscribers mapped to a specified circuit. Flow attributes are inherited from any services that are applied to the relevant circuit.
For information about the commands used to monitor, administer, and troubleshoot flow admission control features, see the Flow Admission Control Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
Flow attributes reside in a flow admission control (FAC) profile, which is the basic unit of flow configuration. First you create a FAC profile and then you apply it to an existing circuit from circuit configuration mode.
A FAC profile controls various attributes pertaining to flow limits, for example, the maximum number of flows on a circuit.
Note You can apply circuits only to an 802.1Q circuit.
Note If you have fewer than a couple of packets per flow, the benefit realized through flows is less than the overhead associated with their management.
The SmartEdge OS generates a flow when a packet passing through the SmartEdge OS contains attributes that match specified settings. These settings are the source port, the destination port, the source IP address, the destination IP address, and the protocol. This quintet of settings is the five-tuple method, a standard used in flow generation.
To enable flow services on a circuit, you need to have Version 2 of the Packet Processing ASIC (PPA) for the traffic card on which the circuit resides. All SmartEdge platforms support the flow feature.
The flow feature is further described in the following sections:
Circuit Flow State
Flow Attributes
Circuit Flow State
The flow state of a circuit refers to whether the flow is active or inactive. The flow state of a circuit is enabled if a FAC profile is currently applied to the circuit.
To change the flow state from inactive to active, you enable a flow, specifying the ID of the circuit you want to change. To change the flow state from active to inactive, you disable the flow, specifying the ID of the circuit you want to change. The flow state of a circuit is disabled if a FAC profile is currently applied to the circuit and you have not enabled flows on the circuit.
Flow Attributes
You can specify a traffic direction when you apply a FAC profile to each circuit: ingress, egress, or bidirectional. Also, you can control how many flows are generated using various time criteria:
Maximum Flows Per Circuit
Burst Flow Creation Rate
Sustained Flow Creation Rate
Figure 19-1 displays a typical flow creation rate cycle.
Figure 19-1 Flow Creation Rates
Maximum Flows Per Circuit
The number of flows that can be applied to a circuit is limited. This limit is the maximum flows per circuit. After the number of flows created reaches this maximum, the SmartEdge OS can create no more flows and may drop packets.
If the SmartEdge OS creates too many flows, system resources like memory and processing power may be overtaxed, degrading system performance. Set a meaningful maximum number of flows per circuit to prevent system performance from degrading.
Creating the right number of flows on a circuit can improve performance because a flow affects the number of services and the amount of quality of service (QoS) markings on a circuit. Creating the right balance between too many and too few flows gives you more control over performance-related services on a circuit.
The maximum flows per circuit attribute has no default value. The maximum number of flows per circuit you can create is 2 million. If more than 2 million flows are created for a circuit, the circuit may become overloaded.
Burst Flow Creation Rate
You can control the number of flows that are created on a circuit by setting a fixed limit. This limit is the burst flow creation rate (the rate at which flows are generated over a short period of time; the number of flows created in one second). For example, if you set the burst flow creation rate to 100, the SmartEdge OS can generate up to 100 flows per second. When the number of flows reaches 100, the SmartEdge OS generates no more flows in that second and waits for the next second before continuing.
High burst flow creation rates can slow circuit performance. If the number of flows created in a second is too high, system performance degrades. However, by setting the burst flow creation rate value, you can prevent performance issues.
The burst flow creation rate has no default value. The maximum number of flows you can create in the first second is 2 million. If more than 2 million flows are created for a circuit in the first second, the circuit may become overloaded. By setting an optimal burst flow creation rate, you can keep the SmartEdge OS in a stable state.
Sustained Flow Creation Rate
You can control the number of flows that are created on a circuit over time, after the number of flows created in a second has reached a limit. This setting is the sustained flow creation rate. This setting enables you to limit flows, which stabilizes the SmartEdge OS. It is useful when the burst flow creation rate is optimal for a one-second interval, but may overtax system memory over time.
For example, if the burst flow creation rate is 1,000, the circuit may be able to tolerate that many flows created for a second. However, after four seconds elapse, the circuit may not be able to process the cumulative number of flows allowed by the maximum flows per circuit value (4,000). To bring the flow creation rate back to a value the SmartEdge OS can easily manage, configure a sustained flow creation rate to a value less than 1,000; for example, 200.
With the sustained creation rate set to 200, the maximum number of flows created per second after the first second is 200. The flow generation process stops when the maximum flows per circuit value is reached. In this example, if the maximum flows per circuit value is 2,000, then the flow generation process lasts six seconds.
To arrive at this figure, add 1,000 flows in the first second (allowed by the burst flow creation rate), then 200 in each following second (allowed by the sustained flow creation rate), reaching the maximum limit of 2,000 after five more seconds. Table 19-1 shows the flow creation cycle based on these figures.
The sustained flow creation rate attribute has no default value. The maximum number of flows you can create in each second after the first second elapses is 2 million. If more than 2 million flows are created for a circuit after the first second, the circuit may become overloaded.
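The flow creation cycle worked through above and in Table 19-1, as an added Python model that is not SmartEdge OS code: a five-tuple flow table gated by the three FAC profile attributes. It assumes the burst rate applies to the first second in which the circuit sees traffic and that attempts beyond the per-second budget or the per-circuit maximum are refused; the 5-tuples are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Five-tuple used for flow generation: src IP, dst IP, src port, dst port, protocol.
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class FacProfile:
    """The three FAC profile attributes described in this chapter."""
    max_flows_per_circuit: int
    burst_creation_rate: int       # new flows allowed in the first second
    sustained_creation_rate: int   # new flows allowed in each later second


@dataclass
class CircuitFlows:
    """Flow table of one circuit with a FAC profile applied."""
    profile: FacProfile
    flows: Dict[FiveTuple, int] = field(default_factory=dict)  # 5-tuple -> creation second
    second: int = 1                # assumption: second 1 is the circuit's first second
    created_this_second: int = 0
    refused: int = 0

    def _budget(self) -> int:
        p = self.profile
        return p.burst_creation_rate if self.second == 1 else p.sustained_creation_rate

    def admit(self, now: int, key: FiveTuple) -> bool:
        """True if the packet matches an existing flow or a new flow was created for it."""
        if now != self.second:
            self.second, self.created_this_second = now, 0
        if key in self.flows:
            return True
        if len(self.flows) >= self.profile.max_flows_per_circuit:
            self.refused += 1          # maximum reached: no more flows, packet may be dropped
            return False
        if self.created_this_second >= self._budget():
            self.refused += 1          # this second's creation budget is exhausted
            return False
        self.flows[key] = now
        self.created_this_second += 1
        return True


def flow_creation_cycle(profile: FacProfile, seconds: int,
                        demand: int) -> List[Tuple[int, int, int, int]]:
    """Offer `demand` distinct new flows per second; return (second, created, total, refused)."""
    circuit = CircuitFlows(profile)
    rows: List[Tuple[int, int, int, int]] = []
    for sec in range(1, seconds + 1):
        refused_before, created = circuit.refused, 0
        for n in range(demand):
            # Constructed 5-tuples: a fresh client port per attempt, never repeated.
            key = ("10.0.0.1", "192.0.2.10", 10000 + sec * demand + n, 80, "tcp")
            if circuit.admit(sec, key):
                created += 1
        rows.append((sec, created, len(circuit.flows), circuit.refused - refused_before))
    return rows


if __name__ == "__main__":
    # Table 19-1 figures: maximum 2,000 flows, burst 1,000, sustained 200.
    for row in flow_creation_cycle(FacProfile(2000, 1000, 200), 7, 1200):
        print("second %d: created %4d, total %4d, refused %4d" % row)
```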
Table 19-1 Flow Creation Cycle
Time Unit (Second)   Flow Increment   Flow Sum   Notes
First                1,000            1,000      Allowed by the burst flow creation rate.
Second               200              1,200      Allowed by the sustained flow creation rate.
Third                200              1,400      Allowed by the sustained flow creation rate; the sum is still below the maximum flows per circuit value.
Fourth               200              1,600      Same as the third second.
Fifth                200              1,800      Same as the third second.
Sixth                200              2,000      Allowed by the sustained flow creation rate; the maximum flows per circuit value is now reached.
Seventh              200              2,200      Disallowed by the maximum flows per circuit value.
Configuration Tasks
To configure basic flow architecture, perform the tasks in Table 19-2. Enter all commands in flow configuration mode, unless otherwise noted.
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section.
Table 19-2 Configure a Flow Admission Control Profile
1. Create the FAC profile name and access flow configuration mode.
   Root command: flow admission-control profile. Enter this command in global configuration mode.
2. Optional. Set the maximum number of flows that can exist on a single circuit.
   Root command: max-flows-per-circuit.
3. Optional. Set a fixed limit on the number of flows that can be created in one second.
   Root command: burst-creation-rate.
4. Optional. Set the maximum number of flows that can be created on a circuit in each second after the burst creation rate limit has been reached.
   Root command: sustained-creation-rate.
5. Apply FAC profiles to a circuit.
   Root command: flow apply admission-control profile. Enter this command in circuit configuration mode.
6. Enable a FAC profile on a circuit.
   Root command: flow enable. Enter this command in exec mode.
Configuration Examples
This section includes the following examples:
Configuring a FAC Profile
Creating a FAC Profile Name and Entering the Mode
Configuring a Maximum Flows Per Circuit Rate
Configuring a Burst Creation Rate
Configuring a Sustained Creation Rate
Applying a FAC Profile to the Current Context
Enabling a FAC Profile on a Circuit
Configuring a FAC Profile
The following example configures a FAC profile, f1, that can then be applied to a circuit:
[local]Redback(config)#port ethernet 1/1
[local]Redback(config)#flow admission-control profile f1
[local]Redback(config-flow-ac-profile)#max-flows-per-circuit 1000
[local]Redback(config-flow-ac-profile)#burst-creation-rate 1000
[local]Redback(config-flow-ac-profile)#exit
[local]Redback(config)#commit
The following example displays the flow-related configuration of a session in which FAC profiles f2 and f3 have been applied, in different directions, to three dot1q PVCs on port 1/1:
[local]Redback(config-ac-profile)#show configuration flow
card ge-10-port 1
 port ethernet 1/1
  dot1q pvc 1
   flow apply admission-control profile f2 out
  dot1q pvc 2
   flow apply admission-control profile f3 in
  dot1q pvc 5
   flow apply admission-control profile f3 bidirectional
Creating a FAC Profile Name and Entering the Mode
The following example configures a FAC profile named profile1 and enters flow configuration mode:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#
Configuring a Maximum Flows Per Circuit Rate
The following example sets the maximum number of flows allowed per circuit to 20:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#max-flows-per-circuit 20
[local]Redback(config-flow-ac-profile)#
Configuring a Burst Creation Rate
The following example sets a flow burst creation rate of 20:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#burst-creation-rate 20
[local]Redback(config-flow-ac-profile)#
Configuring a Sustained Creation Rate
The following example sets a flow sustained creation rate of 20:
[local]Redback(config)#flow admission-control profile profile1
[local]Redback(config-flow-ac-profile)#sustained-creation-rate 20
[local]Redback(config-flow-ac-profile)#
Applying a FAC Profile to the Current Context
The following example applies FAC profile profile1 to the current circuit after an attribute (for example, a flow sustained creation rate) has been configured in the profile. Use the flow apply admission-control profile command in circuit configuration mode:
[local]Redback(config)#port ethernet 1/1
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#flow apply admission-control profile profile1 bidirectional
Enabling a FAC Profile on a Circuit
The following example enables flows on a circuit. First display the flow circuits with the show flow circuit all command to find the handle of the circuit you want to enable and the direction in which the profile is applied; for details about this command, see the IP Services and Security Operations Guide for the SmartEdge OS:
[local]Redback#show flow circuit all
Circuit                  FAC Id      Dir   FAC Id      Dir
----------------------------------------------------------
3/1:1023:63/1/2/81922    0x40500002  in
[local]Redback#flow enable circuit 3/1:1023:63/1/2/81922 in
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure flow
architecture. The commands are presented in alphabetical order:
burst-creation-rate
flow admission-control profile
flow apply admission-control profile
flow enable
flow monitor circuit
max-flows-per-circuit
sustained-creation-rate
burst-creation-rate
burst-creation-rate value
no burst-creation-rate
Purpose
Establishes the number of flows created, per second, on a circuit.
Command Mode
flow configuration
Syntax Description
value  Number of flows created on a circuit in one second. The range of values is 1 to 2097152.
Default
None
Usage Guidelines
Use the burst-creation-rate command to establish the number of flows that can be created on a circuit per second.
Use the no form of this command to set the creation rate to the previously set value.
Examples
The following example sets the burst creation rate to 2000:
[local]Redback(config-ac-profile)#burst-creation-rate 2000
Related Commands
flow admission-control profile
max-flows-per-circuit
sustained-creation-rate
flow admission-control profile
flow admission-control profile profile
no flow admission-control
Purpose
Creates a flow admission control (FAC) profile and enters flow configuration mode.
Command Mode
global configuration
Syntax Description
profile  Name of the profile.
Default
No flow admission control profiles are configured.
Usage Guidelines
Use the flow admission-control profile command to create a FAC profile and enter flow configuration mode. You use this profile to apply flow attributes to a circuit.
Use the no form of this command to remove a FAC profile.
Examples
The following example creates a FAC profile called profile1:
[local]Redback(config)#flow admission-control profile profile1
Related Commands
flow apply admission-control profile
flow enable
flow apply admission-control profile
flow apply admission-control profile name {in | out | bidirectional}
no flow apply admission-control
Purpose
Applies a flow admission control (FAC) profile to a circuit for a specified traffic direction.
Command Mode
circuit configuration
Syntax Description
name  Name of the FAC profile.
in  Specifies that the FAC profile applies to ingress traffic on the circuit.
out  Specifies that the FAC profile applies to egress traffic on the circuit.
bidirectional  Specifies that the FAC profile applies to both ingress and egress traffic on the circuit.
Default
None
Usage Guidelines
Use the flow apply admission-control profile command to apply a FAC profile to a circuit for a specified traffic direction.
Use the no form of this command to remove a FAC profile from a circuit.
Examples
The following example applies FAC profile profile1 to bidirectional traffic on circuit dot1q pvc 1:
[local]Redback(config)#port ethernet 1/1
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#flow apply admission-control profile profile1 bidirectional
Related Commands
flow enable
flow enable
flow enable circuit circuit-handle direction
no flow enable
Purpose
Enables flows on a circuit.
Command Mode
exec
Syntax Description
circuit-handle  Handle of the circuit to which flows apply. A circuit handle has the following syntax: slot/port:channel:sub-channel/circuit-id.
  slot  Chassis slot number of the traffic card to which the circuit is mapped.
  port  Required if you enter the slot argument. Port number for the circuit.
  channel  Channel number of the circuit.
  sub-channel  Sub-channel number of the circuit.
  circuit-id  Circuit ID number to which flows apply.
direction  Direction of the flows on the circuit. Valid values are in, out, and bidirectional.
Default
Flows are disabled.
Usage Guidelines
Use the flow enable command to enable flows on a circuit.
Use the no form of this command to disable flows on a circuit.
Examples
The following example enables ingress flows on circuit 3/1:1023:63/1/2/81922:
[local]Redback#flow enable circuit 3/1:1023:63/1/2/81922 in
Related Commands
flow admission-control profile
flow apply admission-control profile
flow monitor circuit
flow monitor circuit {count | list | log}
no flow monitor circuit
Purpose
Initiates monitoring of flows on a circuit.
Command Mode
flow configuration
Syntax Description
count  Indicates that flows are to be counted on the current circuit.
list  Indicates that flows are to be tracked on the current circuit.
log  Indicates that flow events are to be logged on the current circuit.
Default
Flows are not monitored.
Usage Guidelines
Use the flow monitor circuit command to initiate monitoring of flows on a circuit.
Use the no form of this command to specify the default condition.
Examples
The following example initiates the counting of flows on a circuit:
[local]Redback(config-ac-profile)#flow monitor circuit count
Related Commands
flow admission-control profile
max-flows-per-circuit
max-flows-per-circuit value
no max-flows-per-circuit
Purpose
Sets the maximum number of flows the system can create on a circuit.
Command Mode
flow configuration
Syntax Description
value  Maximum number of flows the system can create on a circuit. The range of values is 1 to 2097152.
Default
None
Usage Guidelines
Use the max-flows-per-circuit command to set the maximum number of flows the system can create on a circuit.
Use the no form of this command to set the rate at the previously set value.
Examples
The following example sets the maximum number of flows the system can generate on the current circuit to 2000:
[local]Redback(config-ac-profile)#max-flows-per-circuit 2000
Related Commands
burst-creation-rate
flow admission-control profile
sustained-creation-rate
sustained-creation-rate value
no sustained-creation-rate
Purpose
Sets the number of flows the system can apply to a circuit in each second after the first second elapses.
Command Mode
flow configuration
Syntax Description
value  Rate, for each second after the first second, at which the system can create flows over a sustained period of time. The range of values is 1 to 2097152.
Default
None
Usage Guidelines
Use the sustained-creation-rate command to establish the number of flows the system can apply to a circuit in each second after the first second elapses.
Use the no form of this command to set the rate at the previously set value.
Examples
The following example sets the number of flows applied to a circuit in each second after the first second elapses to 1000:
[local]Redback(config-ac-profile)#sustained-creation-rate 1000
Related Commands
burst-creation-rate
flow admission-control profile
Part 7
IP Security
This part describes the tasks and commands used to configure security features, including authentication, authorization, and accounting (AAA), Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), lawful intercept (LI), and key chains. It consists of the following chapters:
Chapter 20, AAA Configuration
Chapter 21, RADIUS Configuration
Chapter 22, TACACS+ Configuration
Chapter 23, Lawful Intercept Configuration
Chapter 24, Key Chain Configuration
Chapter 20
AAA Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS authentication, authorization, and accounting (AAA) features.
For information about the commands used to monitor, troubleshoot, and administer AAA, see the AAA Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
SmartEdge OS AAA features are described in the following sections:
Authentication
Authorization and Reauthorization
Accounting
Authentication
Authentication features are described in the following sections:
Administrators
Subscribers
Note In the following descriptions, the term controller card refers to the Cross-Connect Route Processor (XCRP) Controller card (XCRP, XCRP3, or XCRP4), unless otherwise noted. The term controller carrier card refers to the controller functions on the carrier card within the SmartEdge 100 chassis; these functions are compatible with the XCRP3 Controller card.
Administrators
By default, administrators are authenticated against the local SmartEdge OS configuration. You can also authenticate administrators through database records on a Remote Authentication Dial-In User Service (RADIUS) server, through a Terminal Access Controller Access Control System Plus (TACACS+) server, or through one method followed by another.
You must configure the IP address of a reachable RADIUS or TACACS+ server (or both) in the context in which the administrator is configured. For information about RADIUS and TACACS+, see Chapter 21, RADIUS Configuration, and Chapter 22, TACACS+ Configuration, respectively.
You can set a maximum limit on the number of administrator sessions that can be simultaneously active in each context.
Subscribers
Subscriber authentication is described in the following sections:
Authentication Options
Maximum Subscriber Sessions
Limit Subscriber Services
Binding Order
IP Address Assignment
Authentication Options
By default, subscribers are authenticated against the local SmartEdge OS configuration. You can also authenticate subscribers through database records on a RADIUS server, or through one method followed by another.
When the IP address or hostname of the RADIUS server is configured in the SmartEdge OS local context, global RADIUS authentication is performed. That is, although subscribers may be configured in a nonlocal context, subscribers in nonlocal contexts are authenticated through the RADIUS server configured in the local context. With global RADIUS authentication, the RADIUS server returns the Context-Name vendor-specific attribute (VSA), indicating the name of the particular context to which subscribers are to be bound.
When the IP address or hostname of the RADIUS server is configured in a context other than the local context, context-specific RADIUS authentication is performed; that is, only subscribers bound to the context in which the RADIUS server's IP address or hostname is configured are authenticated through that server.
You can also configure the SmartEdge OS to try authentication through a RADIUS server configured in the nonlocal context first, with a fallback to a RADIUS server configured in the local context in case the first server becomes unavailable. Or, you can configure the SmartEdge OS to try authentication through a RADIUS server configured in a nonlocal context, with a fallback to the SmartEdge OS configuration.
AAA includes the following Layer 2 Tunneling Protocol (L2TP) attribute-value pairs (AVPs), RADIUS standard attributes, and Redback
Chapter 21
RADIUS Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Remote Authentication Dial-In User Service (RADIUS) features.
For information about RADIUS attributes, see Appendix A, RADIUS Attributes.
For information about tasks and commands used to monitor, troubleshoot, and administer RADIUS, see the RADIUS Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The RADIUS protocol, which is based on a client/server architecture, enables remote access to networks
and network services. When configured with the IP address or hostname of a RADIUS server, the
SmartEdge router can act as a RADIUS client.
To enable authentication through RADIUS, you must also configure authentication, authorization, and
accounting (AAA) features; for more information, see Chapter 20, AAA Configuration.
This section contains the following topics:
RADIUS Servers
RADIUS Services Engine
Accounting and Service Accounting Messages
RADIUS Servers
RADIUS servers can perform the following functions:
Accounting server: Maintains accounting records for subscribers. The SmartEdge OS transmits session start and stop times in Accounting Start and Stop messages to the server.
Authentication server: Maintains authentication records for subscribers. The SmartEdge OS requests authentication in Access-Request messages before permitting subscribers access.
Accounting and authentication server: Performs the functions of both the accounting and authentication servers.
The SmartEdge OS can act as a client of any of these server types.
In addition to providing authentication, a RADIUS server can collect and store accounting data for subscriber sessions. You can configure a single server that provides both authentication and accounting functions, or you can configure separate authentication and accounting servers.
Accounting is the process of tracking activity and network resources used in a subscriber session, including the number of packets and bytes transmitted during the session. It occurs after the authentication phase in AAA is complete. Accounting can occur for specific contexts, enabling customers to manage activity in their individual accounts.
In addition, the AAA accounting feature enables you to track the services used by an Internet site owner, for example, a wholesaler. When you enable AAA accounting, the router reports user activity to the RADIUS server in the form of accounting records. Common services tracked through service accounting are voice and video.
A RADIUS server can also act as a Change of Authorization (CoA) server, allowing dynamic RADIUS-guided services for subscriber sessions. The SmartEdge OS supports both RADIUS CoA messages and disconnect messages. CoA messages can modify the characteristics of existing subscriber sessions without loss of service; disconnect messages can terminate subscriber sessions.
For more information about RADIUS messages, see Appendix A, RADIUS Attributes.
Load balancing between multiple servers is valuable if a large number of sessions are established and terminated every second and a single RADIUS server is unable to handle the load.
Two load-balancing algorithms are supported:
Strict-priority: Requests are always sent first to the first server configured in the SmartEdge OS. If the request fails, it is sent to the next server, and so on.
Round-robin: Requests are sent to the server following the one to which the last request was sent. If the SmartEdge OS receives no response from that server, the request is sent to the next server, and so on.
RADIUS Services Engine
The RADIUS Services Engine (RSE) is the set of RADIUS-guided features and functions that support
dynamic changes to subscriber services.
Note Throughout this chapter, the term RADIUS server refers to any of the server types. The terms RADIUS accounting server, RADIUS authentication server, and RADIUS CoA server refer to servers that support those specific features.
RADIUS-guided services include the following capabilities:
RADIUS-guided HTTP redirect; see Chapter 9, HTTP Redirect Configuration
Dynamic ACLs; see Chapter 12, ACL Configuration
RADIUS-guided forward policies; see Chapter 14, Forward Policy Configuration
RADIUS-guided NAT policies (attached to received traffic only); see Chapter 13, NAT Policy Configuration
RADIUS-guided QoS metering and policing policies; see Chapter 16, QoS Rate- and Class-Limiting Configuration
RADIUS-guided QoS PWFQ policies; see Chapter 17, QoS Scheduling Configuration
Dynamic changes to QoS metering, policing, and PWFQ policy options; see Chapter 16, QoS Rate- and Class-Limiting Configuration, and Chapter 17, QoS Scheduling Configuration
To support RADIUS-guided services, the SmartEdge OS uses a service profile that specifies various service conditions, activates services, and establishes the service conditions for that subscriber session. It is these service conditions against which the service data in a CoA Request or Access Response message is matched.
A service condition in a RADIUS-guided service profile can be mandatory or optional. For a mandatory condition, the RADIUS server must include a value for that condition in the CoA Request or Access Response message. An optional condition includes a default value in the service profile; the SmartEdge OS uses the default value if the RADIUS server does not supply one.
Accounting and Service Accounting Messages
In addition to providing authentication, a RADIUS server collects and stores accounting data for subscriber
sessions. Accounting is the process of tracking activity and network resources used in a subscriber session.
The process tracks the number of packets and bytes transmitted during the session. It occurs after the
authentication phase. Accounting can occur for specific contexts, enabling customers to manage activity in
their individual accounts.
The AAA accounting feature also enables you to track the services used by an Internet site, for example, a
wholesaler. The SmartEdge router reports service activity to the RADIUS server in the form of accounting
records. Common services tracked through service accounting are voice and video.
As part of both general accounting and service accounting, the router generates messages that indicate the state of the accounting process. For example, when the router initiates accounting, it generates an acct-start message indicating that the accounting process has begun.
While accounting messages help identify accounting states, they create overhead in system memory and CPU resources. To manage this overhead, the SmartEdge OS enables you to configure the router to drop RADIUS accounting messages in a specific context. To drop a message, you specify it using the attribute command.
Service accounting messages indicate when the router begins and stops sending service accounting packets to the RADIUS server. The router sends these packets when the RADIUS Change of Authorization (CoA) server initiates these actions.
For general accounting, the router generates the following messages:
access-request: A client-generated Access-Request message that carries the login and password.
acct-start: An Accounting-Request message with Acct-Status-Type Start, sent when a session begins.
acct-stop: An Accounting-Request message with Acct-Status-Type Stop, sent when a session ends.
acct-update: An Accounting-Request message with Acct-Status-Type Interim-Update, sent while a session is in progress.
For service accounting, the router generates the following messages:
service-acct-start: Indicates that a service accounting process has started.
service-acct-stop: Indicates that a service accounting process has stopped.
service-acct-update: Indicates that a service accounting process has entered the interim stage.
Figure 21-1 shows the flow of service accounting messages.
Figure 21-1 Flow of Service Accounting Messages
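The two request types named in the lists above, as an added example that is not SmartEdge OS code: a Python encoder for an Access-Request and an Accounting-Request (Start), written the way any RADIUS client must per RFC 2865 and RFC 2866, together with the server-side authenticator check. The shared secret, addresses, username and session identifier are constructed sample values, and the function names are the author's own. The point of interest for a security reviewer is what protects these packets: the User-Password is hidden with an MD5 keystream keyed by the shared secret and a fresh Request Authenticator, and an Accounting-Request is accepted only if its authenticator recomputes under the same secret, so a forged or altered accounting record from a host without the secret is rejected.

```python
"""Building and checking RADIUS Access-Request and Accounting-Request packets.

Added example, not SmartEdge OS code: it follows RFC 2865 (Access-Request,
User-Password hiding) and RFC 2866 (Accounting-Request authenticator).
The secret, addresses, username and session id used in tests are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 40, 41, 44
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3  # acct-start, acct-stop, acct-update


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: type, length (including this 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def attributes(pkt: bytes) -> list:
    """Split the attribute area of a packet; rejects truncated or zero-length TLVs."""
    out, i = [], 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute")
        out.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    where the previous block for the first one is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as a server holding the same secret performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, identifier: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def access_request(identifier: int, username: str, password: str, nas_ip: str,
                   secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """access-request: the Request Authenticator must be unpredictable (RFC 2865 3);
    a fixed one is accepted here only so that tests are reproducible."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = [attr(USER_NAME, username.encode()),
             attr(USER_PASSWORD, hide_password(password.encode(), secret, ra)),
             attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    return packet(ACCESS_REQUEST, identifier, ra, attrs)


def accounting_request(identifier: int, status: int, session_id: str, username: str,
                       nas_ip: str, secret: bytes, delay: int = 0) -> bytes:
    """acct-start/stop/update: authenticator = MD5(Code+ID+Length+16 zeros+Attrs+Secret)."""
    attrs = [attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
             attr(ACCT_SESSION_ID, session_id.encode()),
             attr(USER_NAME, username.encode()),
             attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             attr(ACCT_DELAY_TIME, struct.pack("!I", delay))]
    unsigned = packet(ACCOUNTING_REQUEST, identifier, b"\x00" * 16, attrs)
    auth = hashlib.md5(unsigned + secret).digest()
    return unsigned[:4] + auth + unsigned[20:]


def accounting_request_is_authentic(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the authenticator with the shared secret, so a
    packet from a host without the secret, or one modified in transit, is rejected."""
    if len(pkt) < 20 or pkt[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])
```

The Accounting-Request check is the reason the shared secret matters on the accounting path as much as on the authentication path: with a weak or shared-across-contexts secret, anyone who can reach the server can inject acct-start and acct-stop records. The Access-Request side has no equivalent integrity check in base RADIUS (only the hidden password), which is why Message-Authenticator and RADIUS over TLS or IPsec are used where the transport is not trusted.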
Configuration Tasks
To configure RADIUS, perform the tasks described in the following sections:
Configure the Server IP Address or Hostname
Configure an IP Source Address (Optional)
Configure Load Balancing Between RADIUS Servers (Optional)
Modify RADIUS Connection Parameters (Optional)
Strip the Domain Portion of Structured Usernames (Optional)
Change or Ignore the Server Source Port Value (Optional)
Configure and Assign a RADIUS Policy to a Context (Optional)
Configure and Send Attributes in RADIUS Packets (Optional)
Configure RADIUS-Guided Services (Optional)
Remap Account Termination Codes (Optional)
RADIUS Secret Key, Retry, and Timeout
RADIUS Loopback Interface
Custom RADIUS Policy
Dynamic RADIUS Profile and Forward Policy
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section.
Configure the Server IP Address or Hostname
To configure the IP address or hostname of a RADIUS accounting server, RADIUS server, or RADIUS CoA server, perform the appropriate task described in Table 21-1. Enter all commands in context configuration mode.
Configure an IP Source Address (Optional)
By default, the IP address of the interface on which a RADIUS packet is transmitted is used as the source address in the IP header of RADIUS packets sent by the SmartEdge router. RADIUS servers identify a client by that source address, so if you do not want to expose the address of the physical interface, or want the server to see one stable client address regardless of the egress interface, configure a loopback interface whose address is used as the source address for RADIUS packets, as described in Table 21-2.
Table 21-1 Configure the Server IP Address or Hostname
Configure the RADIUS accounting server IP address or hostname.
   Root command: radius accounting server. To enable accounting through RADIUS, you must also enter the aaa accounting subscriber radius command (in context configuration mode); see Chapter 20, AAA Configuration.
Configure the RADIUS server IP address or hostname.
   Root command: radius server. To enable authentication through RADIUS, you must also enter the aaa authentication subscriber radius command (in context configuration mode); see Chapter 20, AAA Configuration. To use the RADIUS server as a CoA server, use the CoA-server keyword for this command. To configure an independent CoA server, use the radius coa server command.
Configure the RADIUS CoA server IP address or hostname.
   Root command: radius coa server. To configure an independent CoA server, use this command. To use the RADIUS authentication server as a CoA server, use the CoA-server keyword for the radius server command.
Configure Load Balancing Between RADIUS Servers (Optional)
To load balance between multiple RADIUS accounting servers or RADIUS servers, perform the appropriate task described in Table 21-3. Enter all commands in context configuration mode.
Modify RADIUS Connection Parameters (Optional)
To configure how the SmartEdge router responds to connections with RADIUS servers, perform the tasks described in the following sections:
Send Accounting On and Off Messages
Modify RADIUS Timeout Parameters
Send Accounting On and Off Messages
To send accounting on or accounting off messages to any other RADIUS servers that are configured in the current context when a RADIUS server is added or removed, perform the task described in Table 21-4.
Modify RADIUS Timeout Parameters
RADIUS timeout parameters allow you to configure three intervals that the system uses to manage responses when a RADIUS server is not responding. Table 21-5 presents a timeline that describes the intervals and the commands that set them.
Table 21-2 Configure an IP Source Address
Configure an IP source address.
   Root command: ip source-address radius. Enter this command in interface configuration mode. The interface must be reachable by the RADIUS server; for command details, see the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
Table 21-3 Configure Load Balancing Between RADIUS Servers
Specify a load-balancing algorithm to use among multiple RADIUS accounting servers.
   Root command: radius accounting algorithm.
Specify a load-balancing algorithm to use among multiple RADIUS servers.
   Root command: radius algorithm.
Table 21-4 Send Accounting On and Off Messages
When an accounting server is added to or removed from the configuration, send an accounting on or accounting off message, respectively, to any other RADIUS servers that are configured in the current context.
   Root command: radius accounting send-acct-on-off. Enter this command in context configuration mode. By default, the SmartEdge OS sends these messages.
To modify the RADIUS timeout parameters that the SmartEdge OS uses for managing the connections to and from RADIUS servers and RADIUS accounting servers, perform the appropriate tasks described in Table 21-6. Enter all commands in context configuration mode.
Table 21-5 RADIUS Timeout Intervals
Time          RADIUS Action                                                                       Interval Set By
T0            Sends a request to a RADIUS server and starts a timer for interval T1.              radius timeout; radius accounting timeout
T0+T1         T1 expires. Assumes the packet is lost or the server is unreachable; starts a timer for interval T2.   radius server-timeout; radius accounting server-timeout
T0+T1+T2      T2 expires. Marks the server as dead and tries another server; starts a timer for interval T3.        radius deadtime; radius accounting deadtime
T0+T1+T2+T3   T3 expires. Sends another request to the first server.
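The server-selection behaviour described by the two load-balancing algorithms in the Overview and by the T1/T2/T3 timeline in Table 21-5, as an added example that is not SmartEdge OS code: a Python simulation driven by a caller-supplied clock, so that the dead-marking and recovery sequence can be traced without waiting. The class and method names are the author's own, and so is the reading of the two interval commands: server-timeout as how long a server may stay unresponsive after its first T1 expiry before it is marked dead, deadtime as how long it is then skipped, with a value of 0 disabling each, which is what Table 21-6 states. What happens when every server is dead is left to the caller; the AAA chapter describes the fallback to the local configuration.

```python
"""Simulation of RADIUS server selection under strict-priority and round-robin
load balancing with the T1/T2/T3 timeout intervals.

Added example, not SmartEdge OS code. `now` is a caller-supplied number of
seconds so the state machine can be exercised without a real clock.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerState:
    name: str
    unresponsive_since: Optional[float] = None  # first T1 expiry with no reply
    dead_until: Optional[float] = None          # set when T2 expires, lasts T3


class RadiusServerPool:
    """Chooses the server for the next request and tracks dead servers."""

    def __init__(self, names: List[str], algorithm: str = "strict-priority",
                 server_timeout: float = 30.0, deadtime: float = 60.0):
        if algorithm not in ("strict-priority", "round-robin"):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.servers = [ServerState(n) for n in names]   # configuration order
        self.algorithm = algorithm
        self.server_timeout = server_timeout   # T2; 0 = never mark a server dead
        self.deadtime = deadtime               # T3; 0 = never skip a server
        self._last = -1                        # index last used, for round-robin

    def _get(self, name: str) -> ServerState:
        return next(s for s in self.servers if s.name == name)

    def _alive(self, s: ServerState, now: float) -> bool:
        if s.dead_until is not None and now >= s.dead_until:
            s.dead_until = None                # T3 expired: eligible again
            s.unresponsive_since = None
        return s.dead_until is None

    def pick(self, now: float) -> Optional[str]:
        """Server for the next request, or None when every server is dead."""
        n = len(self.servers)
        if self.algorithm == "strict-priority":
            order = list(range(n))                                # always from the first
        else:
            order = [(self._last + 1 + i) % n for i in range(n)]  # after the last used
        for i in order:
            if self._alive(self.servers[i], now):
                self._last = i
                return self.servers[i].name
        return None

    def report_response(self, name: str) -> None:
        """A reply arrived: the server is healthy again."""
        s = self._get(name)
        s.unresponsive_since = None
        s.dead_until = None

    def report_timeout(self, name: str, now: float) -> bool:
        """T1 (radius timeout times max-retries) expired with no reply.
        Returns True when this event marks the server dead (T2 expired)."""
        if self.server_timeout == 0 or self.deadtime == 0:
            return False
        s = self._get(name)
        if s.unresponsive_since is None:
            s.unresponsive_since = now
        if now - s.unresponsive_since >= self.server_timeout:
            s.dead_until = now + self.deadtime
            return True
        return False
```

Under strict-priority a dead first server is skipped for exactly deadtime seconds and then tried again, which is the T0+T1+T2+T3 row of the table; under round-robin the rotation simply steps over dead members. Setting deadtime to 0 keeps a failing server in the rotation, so every request to it costs a full T1 before the next server is tried, which is worth remembering when sizing timeouts against a server that is being flooded.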
Table 21-6 Modify RADIUS Timeout Parameters
# Task Root Command Notes
1. Optional. Modify the interval that the
SmartEdge OS waits for a response from a
RADIUS server after sending a packet:
For a RADIUS accounting server. radiusaccountingtimeout
For a RADIUS server. radiustimeout
2. Optional. Modify the maximum number of
retransmission attempts during the timeout
interval:
For a RADIUS accounting server. radiusaccountingmax-retrie
s
For a RADIUS server. radiusmax-retries
3. Optional. Modify the interval that the
SmartEdge OS waits for a response before
marking a non-responsive server dead:
4. For a RADIUS accounting server. radiusaccountingserver-tim
eout
Setting the value to 0
disables the feature.
5. For a RADIUS server. radiusserver-timeout
6. Optional. Modify the interval that the
SmartEdge OS treats a non-responsive server
as dead before trying to reach it again:
For a RADIUS accounting server. radiusaccountingdeadtime Setting this value to 0
disables the feature.
For a RADIUS server. radiusdeadtime
Configuration Tasks
21-8 IP Services and Security Configuration Guide
Strip the Domain Portion of Structured Usernames (Optional)
To specify that the domain portion of structured usernames is to be removed before sending the usernames
to a RADIUS server for authentication, perform the task described in Table21-7.
Change or Ignore the Server Source Port Value (Optional)
To increase the number of outstanding authentication requests per RADIUS server by sending the requests,
using a different source port value, perform the task described in Table21-8.
To enable the SmartEdge OS to ignore the source port sent by a RADIUS server in an Access-Response
message, perform the task described in Table21-9.
Configure and Assign a RADIUS Policy to a Context (Optional)
To configure and assign a RADIUS policy to a context, perform the tasks described in Table21-10.
Table 21-6 Modify RADIUS Timeout Parameters (continued)
5. Optional. Modify the number of outstanding requests that can be sent:
   For a RADIUS accounting server. | radius accounting max-outstanding
   For a RADIUS server. | radius max-outstanding
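A Python model of how the Table 21-6 knobs (timeout, max-retries, server-timeout, deadtime) interact, added here as an example rather than SmartEdge OS code: the state machine is an assumption built from the table's descriptions, and the primary server is constructed to never answer.

```python
"""Model of the RADIUS timeout knobs in Table 21-6: timeout, max-retries,
server-timeout and deadtime (added example; not SmartEdge OS code).

The SmartEdge OS state machine itself is not on the page, so this is an
assumed, simplified model: a request is retransmitted up to max-retries
times, waiting `timeout` seconds each time; a server that has not answered
for server_timeout seconds is marked dead and skipped for deadtime seconds;
a value of 0 disables the corresponding feature, as the table states.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    unanswered_since: Optional[float] = None  # first unanswered request (None = healthy)
    dead_until: float = 0.0                   # skipped until this time


@dataclass
class RadiusClient:
    servers: List[RadiusServer]
    timeout: float         # seconds to wait for a reply before retransmitting
    max_retries: int       # retransmissions after the first attempt
    server_timeout: float  # seconds without a reply before marking dead (0 = never)
    deadtime: float        # seconds a dead server is skipped (0 = never skip)

    def _is_dead(self, srv: RadiusServer, now: float) -> bool:
        return self.deadtime > 0 and srv.dead_until > now

    def send(self, now: float, responds: Callable[[str], bool]) -> Tuple[Optional[str], float, int]:
        """Send one request; return (answering server or None, seconds spent, packets sent)."""
        elapsed = 0.0
        packets = 0
        for srv in self.servers:
            if self._is_dead(srv, now + elapsed):
                continue
            for _ in range(self.max_retries + 1):
                packets += 1
                if responds(srv.name):
                    srv.unanswered_since = None
                    return srv.name, elapsed, packets
                elapsed += self.timeout  # no reply: wait out the timeout, then retransmit
            # Every attempt against this server went unanswered.
            if srv.unanswered_since is None:
                srv.unanswered_since = now
            silent_for = now + elapsed - srv.unanswered_since
            if self.server_timeout > 0 and silent_for >= self.server_timeout:
                srv.dead_until = now + elapsed + self.deadtime
        return None, elapsed, packets


def demo(deadtime: float) -> List[Tuple[Optional[str], float, int]]:
    """Two authentications with a silent primary (constructed scenario); returns per-request results."""
    client = RadiusClient(
        servers=[RadiusServer("primary"), RadiusServer("secondary")],
        timeout=3.0, max_retries=2, server_timeout=9.0, deadtime=deadtime)
    responds = lambda name: name == "secondary"  # constructed: primary never replies
    results = []
    now = 0.0
    for _ in range(2):
        result = client.send(now, responds)
        results.append(result)
        now += result[1] + 1.0  # next request one second after the previous completes
    return results


if __name__ == "__main__":
    # With deadtime 0 every request pays 3 x 3 s against the dead primary;
    # with deadtime 60 the second request goes straight to the secondary.
    print(demo(0.0))   # [('secondary', 9.0, 4), ('secondary', 9.0, 4)]
    print(demo(60.0))  # [('secondary', 9.0, 4), ('secondary', 0.0, 1)]
```

The second run shows why deadtime matters operationally: without it, every authentication pays the full retry interval against a server that is already known to be down.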
Table 21-7 Strip the Domain Portion of Structured Usernames
Task | Root Command | Notes
Strip the domain portion of structured usernames. | radius strip-domain | Enter this command in context configuration mode.
Table 21-8 Change the Server Source Port Value
Task | Root Command | Notes
Change the server source port value. | radius source-port | Enter this command in global configuration mode.
Table 21-9 Ignore the Server Source Port Value
Task | Root Command | Notes
Ignore the server source port value in RADIUS Access-Response messages. | radius source-port | Enter this command in context configuration mode.
Configure and Send Attributes in RADIUS Packets (Optional)
To configure and send attributes in RADIUS request packets, perform one or more of the tasks described in Table 21-11. Enter all commands in context configuration mode, unless otherwise noted.
Table 21-10 Configure and Assign a RADIUS Policy to a Context
# Task | Root Command | Notes
1. Create or modify a RADIUS policy and access RADIUS policy configuration mode. | radius policy | Enter this command in global configuration mode.
2. Specify the RADIUS attribute or VSA, and optionally the RADIUS messages, from which it is to be dropped. | attribute | Enter this command in RADIUS policy configuration mode.
3. Assign the policy to a context. | radius policy | Enter this command in context configuration mode.
Table 21-11 Configure and Send Attributes in RADIUS Request Packets
Task | Root Command | Notes
Send the Acct-Delay-Time attribute in RADIUS Access-Request and Accounting-Request packets. | radius attribute acct-delay-time | By default, this attribute is not sent.
Send the Acct-Session-Id attribute in RADIUS Access-Request packets. | radius attribute acct-session-id | By default, this attribute is sent only in Accounting-Request packets.
Send a Layer 2 Tunneling Protocol (L2TP) call serial number type value in the Acct-Tunnel-Connection attribute in RADIUS packets. | radius attribute acct-tunnel-connection l2tp-call-serial-num | By default, this attribute is not sent.
Specify the behavior of the SmartEdge OS when it receives a RADIUS Filter-Id attribute that does not specify a direction and there is an access control list (ACL) applied to the circuit. | radius attribute filter-id | By default, this attribute is not sent.
Send the NAS-Identifier attribute in RADIUS Access-Request and Accounting-Request packets. | radius attribute nas-identifier | By default, this attribute is not sent.
Send the NAS-IP-Address attribute in RADIUS Access-Request and Accounting-Request packets. | radius attribute nas-ip-address | By default, this attribute is not sent.
Modify the format in which the NAS-Port attribute is sent in RADIUS Access-Request and Accounting-Request packets. | radius attribute nas-port | By default, this attribute is sent using the slot-port format.
Modify the format in which the NAS-Port-Id attribute is sent in RADIUS Access-Request and Accounting-Request packets. | radius attribute nas-port-id | By default, this attribute is sent using the all format.
Configure RADIUS-Guided Services (Optional)
To enable RADIUS-guided services for subscriber sessions using a service profile, perform the tasks described in the following sections:
Configure the RADIUS-Guided Policies for the Service Profile
Configure a RADIUS-Guided Service Profile
Configure the Subscriber Profile or Record
Configure the RADIUS-Guided Policies for the Service Profile
Configure one or more RADIUS-guided policies, such as a forward policy, NAT policy, or QoS metering
or policing policy, to be applied to the subscriber record or profile. These tasks are described in Chapter 13,
Forward Policy Configuration, Chapter 12, NAT Policy Configuration, and Chapter 15, QoS Rate-
and Class-Limiting Configuration, respectively.
Configure a RADIUS-Guided Service Profile
Configure the service profile that references the RADIUS-guided policies that you have configured. To configure a RADIUS-guided service profile, perform the tasks in Table 21-12; enter all commands in service profile configuration mode, unless otherwise noted.
Table 21-11 Configure and Send Attributes in RADIUS Request Packets (continued)
Modify the value of the NAS-Port-Type attribute sent in RADIUS Access-Request and Accounting-Request packets. | radius attribute nas-port-type | Enter this command in ATM profile, dot1q profile, or port configuration mode. By default, this attribute is sent using a value of either 0 or 5, indicating an asynchronous connection through a console port or a virtual connection through a transport protocol, respectively.
Specify the character the SmartEdge OS uses to separate the fields for the medium access control (MAC) addresses in the
Redback provides this password when the LI license is purchased.
With the right hardware configuration, LI subscriber intercepts persist; that is, they resume after a system
reload, a process restart, or a switchover from the active to the standby controller card in a SmartEdge 400
or SmartEdge 800 router.
Note The persistence feature requires that you have a compact-flash card, either Type I or Type II, mounted on /md in the external slot on the controller cards, both active and standby, in a SmartEdge 400 or SmartEdge 800 router or in the external slot on the front panel of the SmartEdge 100 router.
LI features are restricted. That means that you must have an authorized LI account and log on to the system
using that account, either as an administrator or a user, to perform the following tasks:
Create LI accounts for other administrators
Configure LI features and functions
Display LI configuration information, LI messages, LI command history, and LI status
Start and stop LI intercepts
An LI administrator can perform all system functions; an LI user is limited to LI functions only. The system
functions (commands) that LI administrators and users can perform are limited only by the privilege level
that you assign to the account and the context in which it is configured. There is no restriction on the
privilege level that you assign to either type of LI account. The following examples illustrate possible LI
account configurations:
An LI administrator that is configured in the local context with privilege level 15 can perform any
system function in any context.
An LI administrator that is configured in a non-local context with privilege level 10 can configure any
system function, but only for the non-local context.
An LI user that is configured in the local context with privilege level 10 can configure LI functions (but
not any other system functions) in any context.
An LI user that is configured in a non-local context with privilege level 6 (the default) cannot configure
LI functions (including activating, starting, and stopping intercepts) and cannot view LI configuration
or status in any context, except the one in which the account is configured.
Configuration Tasks
To configure, start, and stop LI features, perform the tasks described in the following sections:
Enable or Disable LI Features and Functions
Configure an LI Account
Configure an LI Profile
Configure Circuits for LI
Start or Stop an Intercept
Note Administrators that are not LI authorized cannot perform any of the listed tasks; however, any
administrator, even those who are not LI authorized, can enable LI features and functions.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Enable or Disable LI Features and Functions
To enable or disable LI features and functions, perform the tasks described in Table 23-1.
Configure an LI Account
To configure an LI account, perform the tasks described in Table 23-2.
Configure an LI Profile
To configure an LI profile, perform the tasks described in Table 23-3; enter all commands in LI profile configuration mode, unless otherwise noted.
Table 23-1 Enable or Disable LI Features and Functions
# Task | Root Command | Notes
1. Enable software licensing and access software license configuration mode. | software license | Enter this command in global configuration mode. For more information about this command, see the Basic System Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
2. Enable the software license for LI features and functions. | lawful-intercept | Enter this command in software license configuration mode. Use the no form to disable the software license for LI features and functions.
Table 23-2 Configure an LI Account
# Task | Root Command | Notes
1. Create an administrator logon account and access administrator configuration mode. | administrator | Enter this command in context configuration mode. For more information about this command, see the Context Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
2. Authorize this administrator as an LI administrator or user. | command-access | Enter this command in administrator configuration mode.
3. Specify general attributes for the account; enter these commands in administrator configuration mode (all attributes are optional). For more information about these commands, see the Context Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
   Specify the initial privilege level for exec sessions initiated by the administrator. | privilege start
   Specify the maximum privilege level for the administrator. | privilege max
   Specify public key authentication if the administrator is accessing the SmartEdge OS CLI through SSH. | public-key
Table 23-3 Configure an LI Profile
# Task | Root Command | Notes
1. Create or select an LI profile and access LI profile configuration mode. | li-profile | Enter this command in global configuration mode. Use the vendor-specific keyword to create a vendor-specific profile. See the Usage Guidelines section for restrictions on vendor-specific profiles.
Configure Circuits for LI
To configure circuits on which you can start and stop intercepts, perform the tasks described in Table 23-4.
Start or Stop an Intercept
To start or stop an intercept, perform one of the tasks described in Table 23-5; enter all commands in exec mode. These commands are described in the Lawful Intercept Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
Table 23-3 Configure an LI Profile (continued)
2. Specify the type of intercept. | type
3. Define the transport data section:
   Define the transport data section for this LI profile to use UDP/IP. | transport udp
   Define the transport data section for this LI profile to use a GRE tunnel. | transport gre
Define the specified field in the LI profile header. | header | Enter this command for each field in the header. Use the radius-li-hdr keyword for vendor-specific profiles.
Enable pending intercept requests. | pending | This command does not apply to intercepts that were started using the intercept account-session-id command.
Table 23-4 Configure a Circuit for LI
# Task | Notes
1. Configure the context. | For information about configuring contexts, see the Context Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
2. Configure the interfaces for the circuits and the interface or the GRE tunnel with the output portal for MD. | For information about configuring interfaces, see the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS. For information about configuring GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. For information about configuring output portals, see Chapter 14, Forward Policy Configuration.
3. Configure the subscribers. | For information about configuring subscribers, see the Subscriber Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
4. Configure the circuits. | For information about configuring ports and circuits, see the ATM, Ethernet, and POS Ports Configuration, Clear-Channel and Channelized Ports and Channels Configuration, and Circuits Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. For information about binding ports, channels, and circuits, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
5. Configure one or more IP ACLs to use with the intercepts. | For information about configuring IP ACLs, see Chapter 12, ACL Configuration.
You can also start or stop an intercept using a Remote Authentication Dial-in User Service (RADIUS) Change of Authorization (CoA) server and the RADIUS LI vendor-specific attributes (VSAs) described in Appendix A, RADIUS Attributes. Including LI VSAs in CoA messages enables you to start and stop intercepts. For information on configuring a RADIUS CoA server, see Chapter 21, RADIUS Configuration.
RADIUS LI VSAs can be encoded and decoded using salt-encryption, as specified in the draft RFC, Salt-Encryption of RADIUS Attributes. When the RADIUS CoA server is configured for salt-encryption, the SmartEdge OS detects and handles the encrypted attributes.
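The salt-encryption mentioned above, as an added Python example that is not SmartEdge OS code: it implements the RFC 2548 MS-MPPE-Send-Key construction that the draft generalizes (that the SmartEdge OS uses exactly this construction is an assumption), and the shared secret, Request Authenticator, salt and attribute value are constructed.

```python
"""Salt-encryption of a RADIUS attribute value, the scheme the page names for
RADIUS LI VSAs carried in CoA messages (added example; not SmartEdge OS code).

It implements the construction of RFC 2548 section 2.4.2 (MS-MPPE-Send-Key),
on which the "Salt-Encryption of RADIUS Attributes" draft is based; that the
SmartEdge OS uses exactly this construction is an assumption. The scheme gives
confidentiality only: integrity of the packet comes from the RADIUS
Message-Authenticator, not from this encoding.
"""
import hashlib
import os
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream_block(secret: bytes, chain: bytes) -> bytes:
    # b(1) = MD5(S + R + A) for the first block; b(i) = MD5(S + c(i-1)) afterwards.
    return hashlib.md5(secret + chain).digest()


def salt_encrypt(secret: bytes, request_authenticator: bytes,
                 value: bytes, salt: Optional[bytes] = None) -> bytes:
    """Return salt || ciphertext for an attribute value of up to 255 octets."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(value) > 255:
        raise ValueError("value does not fit the 1-octet length prefix")
    if salt is None:
        # 2 octets, high bit of the first set; must be unique per attribute in a packet.
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    # P = Length || value, zero-padded to a multiple of 16 octets.
    plain = bytes([len(value)]) + value
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray(salt)
    chain = request_authenticator + salt
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], _keystream_block(secret, chain))
        out += c
        chain = c  # the next block is keyed off the previous ciphertext block
    return bytes(out)


def salt_decrypt(secret: bytes, request_authenticator: bytes, encoded: bytes) -> bytes:
    """Inverse of salt_encrypt; raises ValueError on malformed input."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(encoded) < 18 or (len(encoded) - 2) % 16:
        raise ValueError("encoded value must be 2 + 16n octets")
    salt, body = encoded[:2], encoded[2:]
    if not salt[0] & 0x80:
        raise ValueError("salt high bit not set")
    plain = bytearray()
    chain = request_authenticator + salt
    for i in range(0, len(body), 16):
        c = body[i:i + 16]
        plain += _xor(c, _keystream_block(secret, chain))
        chain = c
    length = plain[0]
    if length > len(plain) - 1 or any(plain[1 + length:]):
        # A wrong shared secret or Request Authenticator usually shows up here.
        raise ValueError("bad length or padding: wrong secret or authenticator?")
    return bytes(plain[1:1 + length])


if __name__ == "__main__":
    # Constructed sample values; a real CoA server takes these from its own packet.
    secret = b"s3cret-shared"
    authenticator = bytes(range(16))
    encoded = salt_encrypt(secret, authenticator, b"intercept-id-0001")
    print(encoded.hex())
    print(salt_decrypt(secret, authenticator, encoded))  # b'intercept-id-0001'
```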
Configuration Examples
The following example enables LI features and functions, configures an LI account, a context for
subscribers and interfaces, an ACL, and an LI profile; it then configures the ports and starts an intercept:
! Enable LI features and functions
[local]Redback(config)#context local
[local]Redback(config-ctx)#software license
[local]Redback(config-license)#lawful-intercept password 1234567890
[local]Redback(config-license)#exit
! Create an LI account for all contexts (that is, in the local context)
[local]Redback(config)#context local
[local]Redback(config-ctx)#administrator LI-super
[local]Redback(config-administrator)#command-access li-admin
! Configure the context and interfaces for subscriber traffic
[local]Redback(config)#context isp1
[local]Redback(config-ctx)#interface subs multibind
[local]Redback(config-if)#ip address 10.1.1.1/24
[local]Redback(config-if)#ip pool 10.1.1.0/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface egress
[local]Redback(config-if)#ip address 5.1.1.1/21
[local]Redback(config-if)#exit
! Configure the interface to the MD-1 system
Table 23-5 Start or Stop an Intercept
Task | Root Command | Notes
Start or stop an intercept on a specified circuit. | intercept circuit | Use the no form to stop the intercept.
Start or stop an intercept on a specified account session. | intercept account-session-id | Use the no form to stop the intercept.
Start or stop an intercept on a specified agent circuit. | intercept agent-circuit-id | Use the no form to stop the intercept.
Start or stop an intercept for a subscriber by its agent remote ID. | intercept agent-remote-id | Use the no form to stop the intercept.
Start or stop an intercept for a subscriber by its name. | intercept subscriber | Use the no form to stop the intercept.
[local]Redback(config-ctx)#interface toMD
[local]Redback(config-if)#ip address 1.1.1.1/21
[local]Redback(config-if)#exit
! Configure the interface to the MD-2 system
[local]Redback(config-ctx)#interface tunnel5
[local]Redback(config-if)#ip address 25.1.1.1/24
[local]Redback(config-if)#gre-peer name test remote 90.1.1.5 local 90.1.1.1
[local]Redback(config-if)#no shutdown
[local]Redback(config-if)#exit
! Configure authentication and a default profile for subscribers
[local]Redback(config-ctx)#aaa authentication subscriber none
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#ip address pool
[local]Redback(config-sub)#exit
! Create subscriber records
[local]Redback(config-ctx)#subscriber usr5
[local]Redback(config-ctx)#subscriber usr6
[local]Redback(config-sub)#exit
! Create an ACL for the intercepts
[local]Redback(config-ctx)#ip access-list acl-both
[local]Redback(config-access-list)#seq 10 permit ip any 5.0.0.0 0.255.255.255
[local]Redback(config-access-list)#seq 20 permit ip 100.1.1.0 0.0.0.255 any
[local]Redback(config-access-list)#seq 30 deny ip any 200.0.0.0 0.255.255.255
[local]Redback(config-access-list)#seq 40 deny ip 201.1.1.0 0.0.0.255 any
[local]Redback(config-access-list)#exit
! Configure the LI profiles
[local]Redback(config)#li-profile li-001
[local]Redback(config-liprofile)#type ip-datagrams
[local]Redback(config-liprofile)#transport udp destination 1.1.1.2 4000 context isp1 source 1.1.1.1 5000
[local]Redback(config-liprofile)#header li-id
[local]Redback(config-liprofile)#header acct-session-id
[local]Redback(config-liprofile)#header seq-no
[local]Redback(config-liprofile)#header session-id
[local]Redback(config-liprofile)#header label Redback SE800
[local]Redback(config-liprofile)#pending
[local]Redback(config-liprofile)#exit
[local]Redback(config)#li-profile li-gre
[local]Redback(config-liprofile)#type ip-datagrams
[local]Redback(config-liprofile)#transport gre gre-portal
[local]Redback(config-liprofile)#exit
! Configure the ports for subscriber traffic
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind subscriber usr5@isp1 password pass
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 5/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind subscriber usr6@isp1 password pass
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 5/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface egress isp1
[local]Redback(config-port)#exit
! Configure the port for MD-1 traffic
[local]Redback(config)#port ethernet 14/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toMD isp1
[local]Redback(config-port)#exit
! Configure the GRE tunnel for MD-2 traffic
[local]Redback(config)#tunnel map
[local]Redback(tunnel-map)#gre-tunnel test local key 5
[local]Redback(config-gre-tunnel)#bind interface tunnel5 local
[local]Redback(config-gre-tunnel)#forward output gre-portal
! Start the subscriber usr5@isp1 intercept for both incoming and outgoing traffic
[local]Redback#intercept subscriber usr5@isp1 li-profile li-001 li-id 001 label usr5 traffic acl acl-both
! Start the subscriber usr6@isp1 intercept for both incoming and outgoing traffic with li-profile li-gre
[local]Redback#intercept subscriber usr6@isp1 li-profile li-gre
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to enable and disable LI features and functions, create LI accounts, and configure LI features. The commands are presented in alphabetical order. Commands to start or stop intercepts are described in the Lawful Intercept Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS:
command-access
header
lawful-intercept
li-profile
pending
transport gre
transport udp
type
command-access
command-access {li-admin | li-user}
no command-access
Purpose
Authorizes this administrator as a lawful intercept (LI) administrator or user.
Command Mode
administrator configuration
Syntax Description
Default
The administrator account is not authorized to perform LI functions or view LI configuration information
or status.
Usage Guidelines
Use the command-access command to authorize this administrator as an LI administrator or user. You must
enter this command to allow the administrator account to function as an LI administrator or user. The LI
license must be enabled before you can use this command.
An LI administrator can perform all system functions; an LI user is limited to LI functions only. The system
functions (commands) that LI administrators and users can perform are limited only by the privilege level
that you assign to the account and the context in which the account is configured. There is no restriction on
the privilege level that you assign to either type of LI account. The following examples illustrate possible
LI account configurations:
An LI administrator that is configured in the local context with privilege level 15 can perform any
system function in any context.
An LI administrator that is configured in a non-local context with privilege level 10 cannot configure
any system function, including LI functions, and view system and LI configuration commands and
status.
An LI user that is configured in the local context with privilege level 10 can configure LI functions, start
and stop intercepts, and view LI configuration and status (but not perform any system functions) in any
context.
An LI user that is configured in a non-local context with privilege level 6 (the default) can start and stop
intercepts and view LI status in that context, but cannot configure LI functions and cannot view LI
configuration commands in any context.
Use the no form of this command to remove LI authorization from this account.
li-admin | Specifies an LI administrator.
li-user | Specifies an LI user.
Examples
The following example authorizes this account as an LI administrator:
[local]Redback(config-ctx)#administrator admin1 password supersecret
[local]Redback(config-administrator)#command-access li-admin
Related Commands
lawful-intercept
header
For generic lawful intercept (LI) profiles, the syntax is:
header {label description | acct-session-id | li-id | seq-no | session-id | md-addr | md-port}
no header {label | acct-session-id | li-id | seq-no | session-id | md-addr | md-port}
For vendor-specific LI profiles, the syntax is:
header {radius-li-hdr | md-addr | md-port}
no header {radius-li-hdr | md-addr | md-port}
Purpose
Defines the specified field in the header for this LI profile.
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
Default
The header is undefined.
label description | Description for this profile. An alphanumeric string with 0 to 15 characters; if more than one word, enclose it in quotation marks (" "). The description argument is not entered in the no form.
acct-session-id | Specifies a placeholder for an Acct-Session-Id LI header that correlates to an Acct-Session-Id attribute. The Acct-Session-Id attribute, a RADIUS accounting ID, is used to identify the start, interim, and stop records in a log file for a given subscriber.
li-id | For generic LI profiles only. Specifies a placeholder for the identifier that you assign to an intercept when you start it using this LI profile.
seq-no | Specifies a placeholder for a system-assigned packet sequence number.
session-id | Specifies a placeholder for the system-assigned session identifier.
md-addr | Specifies a placeholder for the IP address of the mediation device at run time.
md-port | Specifies a placeholder for the port number used by the mediation device at run time.
radius-li-hdr | For vendor-specific profiles only. Specifies a placeholder for a fixed format LI header provided by the Remote Authentication Dial-In User Service (RADIUS) server.
Usage Guidelines
Use the header command to define the specified fields in the header for this LI profile. Use the show li dictionary command to view details for parameters of the header command. For more information about the show li dictionary command, see the Lawful Intercept Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
Use the acct-session-id keyword to define an Acct-Session-Id LI header field that correlates to an Acct-Session-Id attribute. The Acct-Session-Id attribute is a unique session RADIUS accounting ID that is used to match start, interim, and stop records in a log file. The start, interim, and stop records for a given subscriber session have the same Acct-Session-Id value. The Acct-Session-Id LI header field is 13 bytes, with the first 8 bytes consisting of a circuit handle (cct-handle), the next byte consisting of a hyphen (-), and the last 4 bytes consisting of a time stamp that indicates the start time of the subscriber session. For information about the Acct-Session-Id attribute, see Appendix A, RADIUS Attributes.
Use the md-addr and md-port keywords if the IP address and port number of the mediation device will be specified when an intercept is started. If the md-addr or md-port keyword is specified in the header command, values for these header fields must be provided when starting the intercept. If one or more generic LI profiles and a vendor-specific LI profile are configured on the same SmartEdge router, the values of the md-addr and md-port fields affect both header types.
Use the radius-li-hdr keyword to define a header for a vendor-specific profile. The set of header fields is limited to fields defined in the LI dictionary. For vendor-specific profiles, the LI-Identifier vendor-specific attribute (VSA) is 8 bytes, and its value is the entire LI header. For generic profiles, the LI-Identifier VSA is 4 bytes, and its value is inserted into the LI header with other header fields. For information on RADIUS LI VSAs, see Appendix A, RADIUS Attributes.
Use the no form of this command to delete the specified field from the header configuration.
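A decoder for the 13-byte Acct-Session-Id header field described in the usage guidelines, added here as an example (not SmartEdge OS or mediation-device code); the big-endian byte order, the Unix-epoch interpretation of the time stamp, and the sample circuit handles are assumptions.

```python
"""Decoder for the 13-byte Acct-Session-Id LI header field described above
(added example; not SmartEdge OS or mediation-device code).

Layout from the page: an 8-byte circuit handle, one hyphen, and a 4-byte
time stamp giving the session start time. Assumptions not on the page: both
numbers are big-endian and the time stamp is seconds since the Unix epoch.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

FIELD_LEN = 13
_LAYOUT = ">QcI"  # 8-byte handle, 1-byte separator, 4-byte time stamp


@dataclass(frozen=True)
class AcctSessionIdField:
    cct_handle: int
    start_time: int

    def start_iso(self) -> str:
        return datetime.fromtimestamp(self.start_time, tz=timezone.utc).isoformat()


def encode_field(cct_handle: int, start_time: int) -> bytes:
    """Build the field as it would appear on the wire under the assumptions above."""
    return struct.pack(_LAYOUT, cct_handle, b"-", start_time)


def decode_field(raw: bytes) -> AcctSessionIdField:
    """Parse one header field; reject anything that is not 13 bytes with '-' at offset 8."""
    if len(raw) != FIELD_LEN:
        raise ValueError(f"expected {FIELD_LEN} bytes, got {len(raw)}")
    handle, sep, ts = struct.unpack(_LAYOUT, raw)
    if sep != b"-":
        raise ValueError("byte 8 is not the '-' separator; not an Acct-Session-Id field")
    return AcctSessionIdField(handle, ts)


def correlate(records: Iterable[Tuple[bytes, str]]) -> Dict[AcctSessionIdField, List[str]]:
    """Group (raw_field, record_type) pairs by session: the start, interim and
    stop records of one subscriber session share the same Acct-Session-Id value."""
    sessions: Dict[AcctSessionIdField, List[str]] = {}
    for raw, kind in records:
        sessions.setdefault(decode_field(raw), []).append(kind)
    return sessions


if __name__ == "__main__":
    # Constructed sample: two sessions, one of them with start/interim/stop records.
    a = encode_field(0x0000000100000002, 1700000000)
    b = encode_field(0x0000000100000003, 1700000005)
    grouped = correlate([(a, "start"), (b, "start"), (a, "interim"), (a, "stop")])
    for field, kinds in grouped.items():
        print(f"cct-handle={field.cct_handle:#018x} start={field.start_iso()} records={kinds}")
```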
Examples
The following example creates a header for the MD-001 LI profile:
[local]Redback(config)#li-profile MD-001
[local]Redback(config-liprofile)#header li-id
[local]Redback(config-liprofile)#header acct-session-id
[local]Redback(config-liprofile)#header seq-no
[local]Redback(config-liprofile)#header session-id
[local]Redback(config-liprofile)#header label Redback SE800
Related Commands
li-profile
pending
transport gre
transport udp
type
lawful-intercept
lawful-intercept {encrypted 1 | password} password
no lawful-intercept
Purpose
Enables the software license for lawful intercept (LI) features and functions.
Command Mode
software license configuration
Syntax Description
Default
LI features and functions are disabled.
Usage Guidelines
Use the lawful-intercept command to enable the software license for LI features and functions. You can
specify the password argument in either encrypted or unencrypted form.
Any administrator that is authorized for the local context and that has configuration privileges (level 10 or
above) can enter this command.
Use the no form of this command to disable the software license for LI features and functions. A password
is not required; it is ignored if entered.
Examples
The following example enables LI features and functions:
[local]Redback(config)#software license
[local]Redback(config-license)#lawful-intercept password LIsuper
Related Commands
None
encrypted 1 | Specifies that the password that follows is encrypted.
password | Specifies that the password that follows is not encrypted.
password | Paid license password that is required to enable LI features and functions. The password argument is unique for LI and is provided at the time the software license is paid.
li-profile
li-profile name [vendor-specific]
no li-profile name
Purpose
Creates or selects a lawful intercept (LI) profile and accesses LI profile configuration mode.
Command Mode
global configuration (15, authorized LI administrator only)
Syntax Description
Default
No LI profiles are created.
Usage Guidelines
Use the li-profile command to create or select an LI profile and access LI profile configuration mode.
Use the vendor-specific keyword to specify that this LI profile is a vendor-specific profile. When this
keyword is specified, the LI header is determined by the Remote Authentication Dial-In User Service
(RADIUS) server. Only one vendor-specific profile can be defined, and the value specified for the name
argument cannot be the same as the name of a generic profile. When entering the header command for a
vendor-specific LI profile, use the vendor-specific syntax to define the LI header.
Use the no form of this command to delete the specified profile.
Examples
The following example creates an LI profile, li-001, and accesses LI profile configuration mode:
[local]Redback(config)#li-profile li-001
[local]Redback(config-liprofile)#
Related Commands
name | Name of the LI profile to be created or selected.
vendor-specific | Optional. Specifies that the profile is vendor-specific. Only one vendor-specific profile can be defined per SmartEdge router.
header
pending
transport gre
transport udp
type
pending
pending
no pending
Purpose
Enables pending intercept requests.
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
This command has no keywords or arguments.
Default
The system rejects an intercept request if the subscriber circuit to which this profile is attached is down.
Usage Guidelines
Use the pending command to enable pending intercept requests.
When you use the intercept account-session-id command to start an intercept, the pending command does not apply in the referenced lawful intercept (LI) profile. For more information on the intercept account-session-id command, see the Lawful Intercept Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
Use the no form of this command to specify the default condition (intercept requests are rejected for
subscriber circuits that are down).
Examples
The following example enables pending intercept requests for the li-001 profile:
[local]Redback(config)#li-profile li-001
[local]Redback(config-liprofile)#pending
Related Commands
header
li-profile
transport gre
transport udp
type
transport gre
transport gre dest-name
no transport gre
Purpose
Defines the transport section for this lawful intercept (LI) profile to use a Generic Routing Encapsulation
(GRE) tunnel.
Command Mode
LI profile configuration
Syntax Description
dest-name Output destination name for the intercepted traffic.
Default
The transport section is undefined.
Usage Guidelines
Use the transport gre command to define the transport data section for this LI profile to use a GRE tunnel. This command and the transport udp command (in LI profile configuration mode) are mutually exclusive.
The dest-name argument is the output destination name defined with the forward output command (in GRE tunnel configuration mode) as the destination of the intercepted traffic (the mediation device).
Use the no form of this command to delete the data from the transport section in this LI profile.
Examples
The following example defines the transport data section for the li-001 profile, using the GRE output destination gre-101:
[local]Redback(config)#li-profile li-001
[local]Redback(config-li-profile)#transport gre gre-101
Related Commands
header
li-profile
pending
type
transport udp
transport udp destination md-ip-addr md-udp-port context ctx-name source src-ip-addr src-udp-port
[{dscp dscp-class | tos tos-value}]
Purpose
Defines the transport data section for this lawful intercept (LI) profile to use the User Datagram Protocol
(UDP) over IP (UDP/IP).
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
destination Specifies the destination address for the mediation device (MD) to which the SmartEdge OS sends the mirrored traffic.
md-ip-addr IP address for the MD.
md-udp-port UDP port number for the MD. The range of values is 1 to 65535.
context ctx-name Name of the context in which the interface is configured with the destination IP address.
source Specifies the source address of the mirrored traffic.
src-ip-addr Source IP address of the mirrored traffic.
src-udp-port Source UDP port number of the mirrored traffic. The range of values is 1 to 65535.
dscp dscp-class Optional. Differentiated Services Code Point (DSCP) value set in the IP header of the mirrored traffic. Values can be:
An integer from 0 to 63.
One of the keywords listed in Table 23-6.
tos tos-value Optional. Type of service (TOS) value set in the IP header of the mirrored traffic. The range of values is 0 to 255.
Default
The transport section is undefined.
Usage Guidelines
Use the transport udp command to define the transport data section for this LI profile to use UDP/IP. This command and the transport gre command (in LI profile configuration mode) are mutually exclusive.
Use the destination keyword with the md-ip-addr and md-udp-port arguments to specify the IP address and UDP port of the MD to which the SmartEdge OS sends the intercepted traffic.
Use the context ctx-name construct to specify the context in which you have configured an interface with the destination IP address.
Use the source keyword with the src-ip-addr and src-udp-port arguments to specify the source IP address and UDP port that the SmartEdge OS places in the UDP/IP encapsulation of the mirrored traffic.
If you do not specify the dscp dscp-class or tos tos-value construct, the field defaults to the DSCP class af41.
Table 23-6 lists the keywords for the dscp-class argument.
Examples
The following example defines the transport data section in the li-001 profile:
[local]Redback(config)#li-profile li-001
[local]Redback(config-li-profile)#transport udp destination 10.1.1.1 2001 context local source 10.1.1.2 3001 dscp af41
Table 23-6 DSCP Class Keywords
DSCP Class Keyword
Assured Forwarding (AF) Class 1/Drop precedence 1 af11
AF Class 1/Drop precedence 2 af12
AF Class 1/Drop precedence 3 af13
AF Class 2/Drop precedence 1 af21
AF Class 2/Drop precedence 2 af22
AF Class 2/Drop precedence 3 af23
AF Class 3/Drop precedence 1 af31
AF Class 3/Drop precedence 2 af32
AF Class 3/Drop precedence 3 af33
AF Class 4/Drop precedence 1 af41
AF Class 4/Drop precedence 2 af42
AF Class 4/Drop precedence 3 af43
Class Selector 0 (same as default forwarding) cs0 (same as df)
Class Selector 1 cs1
Class Selector 2 cs2
Class Selector 3 cs3
Class Selector 4 cs4
Class Selector 5 cs5
Class Selector 6 cs6
Class Selector 7 cs7
Default Forwarding (same as Class Selector 0) df (same as cs0)
Expedited Forwarding ef
Related Commands
header
li-profile
pending
type
type
type ip-datagrams
Purpose
Defines the type of intercept for this lawful intercept (LI) profile.
Command Mode
LI profile configuration (15, authorized LI administrator only)
Syntax Description
ip-datagrams Specifies that IP datagrams are to be intercepted.
Default
None
Usage Guidelines
Use the type command to define the type of intercept for this LI profile.
Examples
The following example defines IP datagrams as the type of traffic to be intercepted:
[local]Redback(config)#li-profile li-0001
[local]Redback(config-li-profile)#type ip-datagrams
Related Commands
li-profile
Chapter 24
Key Chain Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS.
Appendix A
RADIUS Attributes
For information about configuring RADIUS features, see Chapter 20, AAA Configuration.
For more information about RADIUS attributes, see the following documents:
RFC 2865, Remote Authentication Dial In User Service (RADIUS)
RFC 2866, RADIUS Accounting
RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868, RADIUS Attributes for Tunnel Protocol Support
RFC 2869, RADIUS Extensions
RFC 3576, Dynamic Authorization Extensions to Remote Authentication Dial-In User Service
(RADIUS)
This appendix contains the following sections:
Overview
Supported Standard RADIUS Attributes
Redback VSAs
Redback VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels
Other VSAs Supported by the SmartEdge OS
Service Attributes Supported by the SmartEdge OS
RADIUS Attributes Supported by Mobile IP Services
Overview
Internet Engineering Task Force (IETF) RADIUS attributes are the original set of 255 standard attributes used to communicate authentication, authorization, and accounting (AAA) information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known so that all clients and servers can exchange AAA information. RADIUS VSAs are derived from a single IETF RADIUS attribute, 26 (Vendor-Specific), which enables a vendor, in this case Redback Networks, to create up to 255 additional attributes.
RADIUS packets and files are described further in the following sections:
RADIUS Packet Format
Packet Types
RADIUS Files
RADIUS Packet Format
Figure A-1 illustrates the format of a RADIUS packet.
Figure A-1 RADIUS Packet Format
Table A-1 describes the fields contained in a RADIUS packet.
Table A-1 RADIUS Packet Fields
Field Description
Code Identifies the RADIUS packet type. The type can be one of the following:
Access-Request (1)
Access-Accept (2)
Access-Reject (3)
Accounting-Request (4)
Accounting-Response (5)
Disconnect-Request (40)
Disconnect-ACK (41)
Disconnect-NAK (42)
CoA-Request (43)
CoA-ACK (44)
CoA-NAK (45)
Identifier Helps the RADIUS server match requests and responses and detect duplicate requests.
Length Specifies the length of the entire packet.
Authenticator Authenticates the reply from the RADIUS server. There are two types of authenticators:
Request Authenticator (present in Access-Request and Accounting-Request packets); a 16-octet value chosen by the client for each request.
Response Authenticator (present in Access-Accept, Access-Reject, Access-Challenge, and Accounting-Response packets); an MD5 hash over the response, the Request Authenticator, and the shared secret, which lets the client verify that the reply came from a server that knows the secret.
Packet Types
Table A-2 describes RADIUS packet types.
Table A-2 RADIUS Packet Types
Type Description
Access-Request Sent from a client to a RADIUS server. The RADIUS server uses the packet to determine whether to allow access to a specific network access server (NAS), which permits subscriber access. Subscribers performing authentication must submit an Access-Request packet. When an Access-Request packet is received, the RADIUS server must send a reply.
Access-Accept Upon receiving an Access-Request packet, the RADIUS server sends an Access-Accept packet if all attribute values in the Access-Request packet are acceptable.
Access-Reject Upon receiving an Access-Request packet, the RADIUS server sends an Access-Reject packet if any of the attribute values are not acceptable.
Access-Challenge Upon receiving an Access-Request packet, the RADIUS server can send the client an Access-Challenge packet, which requires a response. If the client does not know how to respond, or if the packet is invalid, the RADIUS server discards the packet. If the client responds, it sends a new Access-Request packet that includes the State attribute from the Access-Challenge, if one was sent.
Accounting-Request Sent from a client to a RADIUS accounting server. If the RADIUS accounting server successfully records the Accounting-Request packet, it must send an Accounting-Response packet.
Accounting-Response Sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request has been received and recorded successfully.
CoA-Request Sent by the RADIUS server to the NAS to dynamically change session authorizations.
CoA-Response Sent by the NAS to the RADIUS server to acknowledge (ACK) a CoA request if the session authorizations were successfully changed. A NAK is sent if the CoA request is unsuccessful.
Disconnect-Request Sent by the RADIUS server to the NAS to terminate a session and discard all session context.
Disconnect-Response Sent by the NAS to the RADIUS server to acknowledge (ACK) a disconnect request if the session is successfully terminated and the context discarded. A NAK is sent if the disconnect request is unsuccessful.
RADIUS Files
RADIUS files communicate AAA information between a client and server. These files are described in the following sections:
RADIUS Dictionary File
RADIUS Clients Files
Subscriber Files
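The packet layout in Table A-1 and the two authenticity checks a client must perform are easiest to see in code. The following Python is an added example, not code from the SmartEdge OS guide: it builds an Access-Request carrying attribute 80 (Message-Authenticator), answers it with an Access-Accept whose Response Authenticator is derived from the request, and verifies both. It also validates the Length field and every attribute length before use, and unwraps a Vendor-Specific attribute (26) with Redback's Vendor-Id 2352. The shared secret, NAS address, subscriber name and attribute values are constructed test data.

```python
"""RADIUS packet build/parse with Message-Authenticator and Response Authenticator checks.
Added example, not code from the SmartEdge OS guide; layout per Table A-1, attribute 80 per
RFC 2869, Response Authenticator per RFC 2865. Secret, addresses and values are constructed."""
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator (20 octets)
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_FRAMED_IP, ATTR_VSA, ATTR_NAS_PORT_TYPE, ATTR_MSG_AUTH = 1, 4, 8, 26, 61, 80
REDBACK_VENDOR_ID = 2352               # Vendor-Id carried inside attribute 26


def encode_attrs(attrs):
    """[(type, value)] -> TLV bytes: 1-octet type, 1-octet total length, value (max 253)."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute %d value exceeds 253 octets" % atype)
        out += bytes((atype, len(value) + 2)) + value
    return bytes(out)


def encode_vsa(vendor_id, vendor_type, value):
    """Attribute 26 payload: Vendor-Id (4 octets), vendor type, vendor length, value."""
    return struct.pack("!I", vendor_id) + bytes((vendor_type, len(value) + 2)) + value


def decode_vsa(payload):
    """Inverse of encode_vsa; the inner length must account for the whole payload."""
    if len(payload) < 6 or payload[5] != len(payload) - 4:
        raise ValueError("malformed Vendor-Specific attribute")
    return struct.unpack("!I", payload[:4])[0], payload[4], payload[6:]


def iter_attrs(pkt, length):
    """Yield (offset, type, value) for each TLV in pkt[20:length], validating every length."""
    pos = HEADER.size
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield pos, atype, pkt[pos + 2:pos + alen]
        pos += alen


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value)]) or raise on a malformed packet."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):     # RFC 2865: such packets are discarded
        raise ValueError("Length %d inconsistent with %d octets received" % (length, len(pkt)))
    return code, ident, auth, [(t, v) for _, t, v in iter_attrs(pkt, length)]


def build_request(code, ident, secret, attrs):
    """Request with a random Request Authenticator and attribute 80 = HMAC-MD5(secret, packet
    with the 16 octets of attribute 80 zeroed); attribute 80 is appended as the last TLV."""
    body = encode_attrs(attrs + [(ATTR_MSG_AUTH, bytes(16))])
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), os.urandom(16)) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret):
    """True only if attribute 80 is present and matches the HMAC recomputed with our secret."""
    parse_packet(pkt)                                  # validates header and every TLV first
    length = HEADER.unpack_from(pkt)[2]
    for pos, atype, value in iter_attrs(pkt, length):
        if atype == ATTR_MSG_AUTH and len(value) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False                                       # unsigned: treat as unauthenticated


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    digest = hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body + secret).digest()
    return HEADER.pack(code, ident, length, digest) + body


def verify_response(response, request, secret):
    """Accept a reply only if it matches the outstanding request and our shared secret."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident:
        return False
    length = HEADER.unpack_from(response)[2]
    expected = hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth
                           + response[HEADER.size:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(secret=b"constructed-shared-secret"):
    """NAS sends Access-Request (code 1); server answers Access-Accept (code 2) with a Redback VSA."""
    request = build_request(1, 7, secret, [
        (ATTR_USER_NAME, b"alice@example.net"),          # constructed subscriber
        (ATTR_NAS_IP, bytes([10, 1, 1, 1])),              # constructed NAS address
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", 15))])     # 15 = Ethernet
    response = build_response(2, request, secret, [
        (ATTR_FRAMED_IP, bytes([0, 0, 0, 0])),            # 0.0.0.0: assign from an IP pool
        (ATTR_VSA, encode_vsa(REDBACK_VENDOR_ID, 1, bytes([10, 1, 1, 53])))])  # VSA 1 Client-DNS-Pri
    return request, response
```

Calling demo() returns the request and response bytes; verify_message_authenticator and verify_response then return True for the genuine pair. A tampered request, a reply built with a different secret, or a Length field that disagrees with the octets received each fail closed, and a request without attribute 80 is reported as unsigned rather than accepted.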
RADIUS Dictionary File
Table A-3 describes the information contained in a RADIUS dictionary file.
Table A-3 RADIUS Dictionary File
Name ASCII string name of the attribute; for example, User-Name.
ID Numerical identification of the attribute; for example, the User-Name attribute is 1.
Value Type Each attribute can be specified through one of the following value types:
binary: 0 to 254 octets.
date: 32-bit value in big-endian order; for example, seconds since 00:00:00 GMT, Jan. 1, 1970.
ipaddr: 4 octets in network byte order.
integer: 32-bit value in big-endian order (high byte first).
string: 0 to 253 octets.
An integer can be expanded to represent a string. The following example is an integer-based attribute and its corresponding string values. In this example, the values for VSA 144, Acct-Reason, describe the reason for sending subscriber accounting packets to the RADIUS server. Each value is represented by an integer:
#
ATTRIBUTE Acct-Reason 144 Integer
VALUE AAA_LOAD_ACCT_SESSION_UP 1
VALUE AAA_LOAD_ACCT_SESSION_DOWN 2
VALUE AAA_LOAD_ACCT_PERIODIC 3
.
.
RADIUS Clients Files
A clients file contains a list of RADIUS clients allowed to send authentication and accounting requests to the RADIUS server. To receive authentication, the client name and authentication key sent to the RADIUS server must be an exact match with the data contained in the clients file; see the following example:
#
Client Name Key
10.1.1.1 test
nas-1 secret
Subscriber Files
A subscriber file contains an entry for each subscriber that the RADIUS server will authenticate. The first line in any subscriber file is a user access line; that is, the server must check the attributes on the first line before it can grant access to the user.
The following example returns five tunnel attributes for the subscriber:
#
redback.com Password=redback Service-Type Outbound
Tunnel-Type = :1:L2TP
Tunnel-Medium-Type = :1:IP
Tunnel-Server-Endpoint = :1:10.0.0.1
Tunnel-Password = :1:welcome
Tunnel-Assignment-ID = :1:nas
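One way to turn the dictionary file format and the Table A-3 value types into a decoder, as an added example that is not from the guide: a VALUE line is attached to the most recently declared ATTRIBUTE (as in the Acct-Reason excerpt above), integer and date values must be exactly 4 octets or the attribute is rejected, and a decoded Framed-Route string is parsed with the h.h.h.h/nn g.g.g.g n format that Table A-4 gives for attribute 22. The dictionary excerpt and the attribute bytes are constructed, and the type name ipaddr is assumed for the 4-octet address type.

```python
"""Dictionary-driven decoding of RADIUS attribute values.
Added example, not code from the SmartEdge OS guide. The dictionary excerpt and the
attribute bytes are constructed; attribute numbers follow Table A-4."""
import re
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address, IPv4Network

# Constructed dictionary excerpt in the ATTRIBUTE/VALUE layout shown above.
DICTIONARY = """
# name            id   type
ATTRIBUTE User-Name         1   string
ATTRIBUTE NAS-IP-Address    4   ipaddr
ATTRIBUTE Framed-Route     22   string
ATTRIBUTE State            24   binary
ATTRIBUTE Acct-Status-Type 40   integer
VALUE Start 1
VALUE Stop 2
VALUE Interim-Update 3
ATTRIBUTE Event-Timestamp  55   date
"""

# h.h.h.h[/nn] g.g.g.g [n]  (Table A-4, attribute 22)
FRAMED_ROUTE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(\d+))?$")


def parse_dictionary(text):
    """Return {id: (name, type, {int: value_name})}; VALUE lines bind to the preceding ATTRIBUTE."""
    attrs, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "ATTRIBUTE" and len(parts) == 4:
            current = int(parts[2])
            attrs[current] = (parts[1], parts[3].lower(), {})
        elif keyword == "VALUE" and len(parts) == 3 and current is not None:
            attrs[current][2][int(parts[2])] = parts[1]
        else:
            raise ValueError("unrecognised dictionary line: %r" % line)
    return attrs


def parse_framed_route(text):
    """'h.h.h.h/nn g.g.g.g n' -> (IPv4Network, gateway, hops); nn defaults to 32, hops to None."""
    m = FRAMED_ROUTE.match(text.strip())
    if not m:
        raise ValueError("malformed Framed-Route %r" % text)
    dest, plen, gateway, hops = m.groups()
    network = IPv4Network("%s/%s" % (dest, plen or "32"), strict=False)
    return network, IPv4Address(gateway), int(hops) if hops is not None else None


def decode_value(vtype, raw, names):
    """Decode one value by dictionary type; integers become VALUE names when the dictionary has one."""
    if vtype in ("integer", "date"):
        if len(raw) != 4:
            raise ValueError("%s value must be exactly 4 octets" % vtype)
        number = struct.unpack("!I", raw)[0]
        if vtype == "date":
            return datetime.fromtimestamp(number, timezone.utc)
        return names.get(number, number)
    if vtype == "ipaddr":
        if len(raw) != 4:
            raise ValueError("ipaddr value must be exactly 4 octets")
        return str(IPv4Address(raw))
    if vtype == "string":
        return raw.decode("utf-8", errors="replace")
    return raw                                  # binary: left opaque


def decode_attrs(pairs, dictionary):
    """Map [(id, raw_bytes)] to [(name, decoded)]; ids missing from the dictionary stay as Attr-<id>."""
    out = []
    for attr_id, raw in pairs:
        if attr_id not in dictionary:
            out.append(("Attr-%d" % attr_id, raw))
            continue
        name, vtype, names = dictionary[attr_id]
        value = decode_value(vtype, raw, names)
        if name == "Framed-Route":
            value = parse_framed_route(value)
        out.append((name, value))
    return out


# Constructed attribute values, as they would look after the TLVs have been split.
SAMPLE = [
    (1, b"alice@example.net"),
    (4, bytes([10, 1, 1, 1])),
    (40, struct.pack("!I", 3)),                 # Acct-Status-Type 3 = Interim-Update
    (22, b"192.0.2.0/24 10.1.1.254 1"),
    (55, struct.pack("!I", 1700000000)),        # Event-Timestamp, seconds since 1970
    (24, b"\x01\x02"),                          # State: opaque binary
    (99, b"\x00"),                              # not in the dictionary
]
```

decode_attrs(SAMPLE, parse_dictionary(DICTIONARY)) yields the decoded pairs; a short integer such as a 1-octet Acct-Status-Type raises ValueError instead of being silently misread, which is the behaviour a log parser fed with attacker-controlled accounting records should have.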
Supported Standard RADIUS Attributes
Standard RADIUS attributes appear in the various types of RADIUS messages as described in the
following sections:
Standard RADIUS Attributes in Access and Account Messages
Standard RADIUS Attributes in CoA and Disconnect Messages
Standard RADIUS Attributes That Can Be Reauthorized
Standard RADIUS Attributes in Access and Account Messages
Table A-4 describes the standard RADIUS attributes that are supported by the SmartEdge OS and that can appear in Access-Request, Accounting-Request, and Access-Response messages.
Table A-4 Standard RADIUS Attributes Supported by the SmartEdge OS
# Attribute Name, Sent in Access-Request, Sent in Acct-Request, Receivable in Access-Response, Notes
1 User-Name Yes Yes No String. Name of the user to be authenticated; only used
in Access-Request packets.
2 User-Password Yes No No String. Sent unless using the CHAP-Password attribute.
3 CHAP-Password Yes No No String. Sent in Access-Request packet unless using the
User-Password attribute.
4 NAS-IP-Address Yes Yes No IP address. Specifies an IP source address for RADIUS
packets sent by the SmartEdge router.
This attribute is not sent unless explicitly enabled through
the radius attribute nas-ip-address command (in
context configuration mode); see Chapter 21, RADIUS
Configuration.
5 NAS-Port Yes Yes No Integer. This attribute is sent using the slot-port format.
For details on this format or to modify the format in which
this attribute is sent, see the radius attribute nas-port
command in Chapter 21, RADIUS Configuration.
6 Service-Type Yes Yes Yes Integer. Type of service requested or provided. Values
are:
2=Framed
5=Outbound
6=Administrative
7=NAS Prompt
7 Framed-Protocol Yes Yes Yes Integer. The value indicates the framing to be used for
framed access. This attribute must not be used in a user
profile designed for RFC 1483 and RFC 1490 bridged or
routed circuits, or for Telnet sessions. This value is sent
only for Point-to-Point Protocol (PPP) service types. The
value for PPP is 1.
8 Framed-IP-Address Yes Yes Yes IP address. In Accounting-Request packets, returns the
IP address assigned to the subscriber either dynamically
or statically. In Access-Accept packets, a return value of
255.255.255.254 or 0.0.0.0 causes the SmartEdge OS to
assign the subscriber an address from an IP address
pool. This attribute is received in Access-Response
messages and is sent in Access-Request messages
conditioned by the aaa hint ip address command (in
context configuration mode).
9 Framed-IP-Netmask No Yes Yes IP address. Assigns a range of addresses to a subscriber circuit; it is not a netmask in the conventional sense of determining which address bits are host versus prefix.
11 Filter-Id No Yes Yes String. Specifies that inbound or outbound traffic be
filtered. Use the in:<name> and out:<name> format.
12 Framed-MTU No Yes Yes Integer. Maximum transmission unit (MTU) to be
configured for the user when it is not negotiated by some
other means (such as Point-to-Point Protocol [PPP]). It is
only used in Access-Accept packets.
18 Reply-Message No No Yes String. Text that can be displayed to the user. Multiple
Reply-Message attributes can be included. If any are
displayed, they must be displayed in the same order as
they appear in the packet.
22 Framed-Route No Yes Yes String. The format is h.h.h.h/nn g.g.g.g n, where:
h.h.h.h=IP address of destination host or network.
nn=optional netmask size in bits (if not present,
defaults to 32).
g.g.g.g=IP address of gateway.
n=Number of hops for this route.
24 State No No Yes Binary String.
25 Class No Yes Yes String. If received, this information must be sent on,
without interpretation, in all subsequent packets sent to
the RADIUS accounting server for that subscriber
session.
26 Vendor-Specific Yes Yes No String. Allows Redback Networks to support its own
VSAs, embedded with the Vendor-Id attribute set to
2352. For the VSAs supported by the SmartEdge OS,
see Table A-7.
27 Session-Timeout No Yes Yes Integer. Sets the maximum number of seconds of service
allowed the subscriber before termination of the session.
Corresponds to the SmartEdge OS timeout command
(in subscriber configuration mode) with the absolute
keyword, except that the attribute requires seconds
instead of minutes. The value 0 indicates that the timeout
is disabled.
28 Idle-Timeout No Yes Yes Integer. Sets the maximum number of consecutive
seconds of idle connection allowed to the user before
termination of the session. Corresponds to the
SmartEdge OS timeout idle command (in subscriber
configuration mode), except that the attribute calls for
seconds instead of minutes.
30 Called-Station-Id Yes No No String. The telephone number that was called (the number the subscriber dialed).
31 Calling-Station-Id Yes Yes No String. Identifier of the calling party; its form depends on the type of subscriber terminated in the SmartEdge router. This attribute is not sent unless explicitly enabled through the radius attribute calling-station-id command (in context configuration mode); see Chapter 21, RADIUS Configuration.
32 NAS-Identifier Yes Yes No String. Value for the system hostname.
33 Proxy-State No Yes No Binary String. Specifies the state sent by the proxy server.
40 Acct-Status-Type No Yes No Integer. Values can be:
1=Start
2=Stop
3=Interim-Update
7=Accounting-On
8=Accounting-Off
9=Tunnel-Start
10=Tunnel-Stop
12=Link-Start
13=Link-Stop
15=Reserved for Failed
101=Service-Start
102=Service-Stop
103=Service-Interim-Update
41 Acct-Delay-Time No Yes No Integer. Time, in seconds, for which the client has been
trying to send the record.
42 Acct-Input-Octets No Yes No Integer. Number of octets that have been received from
the port over the course of this service being provided.
Can only be present in Accounting-Request records
where the Acct-Status-Type attribute is set to Stop or
Update.
43 Acct-Output-Octets No Yes No Integer. Number of octets that have been sent to the port
in the course of delivering this service. Can only be
present in Accounting-Request records where the
Acct-Status-Type attribute is set to Stop or Update.
44 Acct-Session-Id Yes Yes No String. Unique session accounting ID used to match start and stop records in a log file. The start and stop records for a given subscriber session have the same Acct-Session-Id attribute value. The format is cct-handle timestamp.
If service accounting is enabled with VSA 191, this attribute also includes the service accounting identifier, which is the service-name that is defined in VSA 190. The session accounting and service accounting identifiers are separated by a colon (:).
By default, this attribute is sent in Accounting-Request packets. To send this attribute in Access-Request packets, you must use the radius attribute acct-session-id command (in context configuration mode); see Chapter 21, RADIUS Configuration.
45 Acct-Authentic No Yes No Integer. Values are 1 (RADIUS) and 2 (Local).
46 Acct-Session-Time No Yes No Integer. Number of seconds for which the user has
received service. Can only be present in
Accounting-Request records where the Acct-Status-Type
attribute is set to Stop or Update.
47 Acct-Input-Packets No Yes No Integer. Number of packets that have been received from
the port over the course of this service being provided to
a framed user. Can only be present in
Accounting-Request records where the Acct-Status-Type
attribute is set to Stop or Update.
48 Acct-Output-Packets No Yes No Integer. Number of packets that have been sent to the
port in the course of delivering this service to a Framed
User. Can only be present in Accounting-Request
records where the Acct-Status-Type attribute is set to
Stop or Update.
49 Acct-Terminate-Cause No Yes No Integer. Value represents the cause of session
termination. Values are:
1=User request
2=Lost carrier
3=Lost service
4=Idle timeout
5=Session timeout
6=Admin reset
8=Port error
9=NAS error
10=NAS request
15=Service unavailable
17=User error
50 Acct-Multi-Session-Id No Yes Yes String. Links multiple related sessions with a unique
accounting ID.
52 Acct-Input-Gigawords No Yes No Integer. Value represents the number of times the
Acct-Input-Octets counter has wrapped around 2^32 in
the course of providing this service. This attribute can
only be present in Accounting-Request records where
the Acct-Status-Type attribute is set to Stop or
Interim-Update.
53 Acct-Output-Gigawords No Yes No Integer. Value represents the number of times the
Acct-Output-Octets counter has wrapped around 2^32 in
the course of delivering this service. This attribute can
only be present in Accounting-Request records where
the Acct-Status-Type attribute is set to Stop or
Interim-Update.
55 Event-Timestamp No Yes No Integer. Value represents the time this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC.
61 NAS-Port-Type Yes Yes No Integer. The default value is either 0 or 5, indicating an asynchronous connection through a console port or a connection through a transport protocol (virtual), respectively, depending on how the subscriber is connected to its authenticating NAS. The range of values is 0 to 255. Values 0 to 19 are as follows:
0=Async
1=Sync
2=ISDN (sync)
3=ISDN (async V.120)
4=ISDN (async V.110)
5=Virtual
6=PIAFS (wireless ISDN used in Japan)
7=HDLC (clear channel)
8=X.25
9=X.75
10=G.3 Fax
11=SDSL (symmetric DSL)
12=ADSL-CAP (asymmetric DSL, carrierless amplitude phase modulation)
13=ADSL-DMT (asymmetric DSL, discrete multitone)
14=IDSL (ISDN digital subscriber line)
15=Ethernet
16=xDSL (digital subscriber line of unknown type)
17=Cable
18=Wireless (other)
19=Wireless-IEEE 802.11
You can also modify the value of this attribute through the radius attribute nas-port-type command (in context configuration mode); see Chapter 21, RADIUS Configuration.
62 Port-Limit No Yes Yes Integer. Maximum number of sessions a particular
subscriber can have active at one time.
64 Tunnel-Type No Yes Yes Integer. Value indicates the tunneling protocol to be
used. The supported value is 3, which indicates the
Layer 2 Tunneling Protocol (L2TP).
65 Tunnel-Medium-Type No Yes Yes Integer. Value represents the transport medium to use
when creating an L2TP tunnel for protocols that can
operate over multiple transports. The supported value is
1, which indicates IPv4.
66 Tunnel-Client-Endpoint No Yes Yes String. Fully qualified domain name or IP address of the
initiator end of an L2TP tunnel.
67 Tunnel-Server-Endpoint No Yes Yes String. Fully qualified domain name or IP address of the
server end of an L2TP tunnel.
68 Acct-Tunnel-Connection No Yes No String. Unique accounting ID to easily match start and
stop records in a log file for L2TP sessions. The start and
stop records for a given session will have the same
Acct-Tunnel-Connection attribute value.
69 Tunnel-Password No No Yes String. Password. Only used in Access-Accept packets.
77 Connect-Info Yes Yes No String containing either:
An ATM, 802.1Q, or Frame Relay profile name sent to
the RADIUS server.
The values from L2TP attribute-value pairs (AVPs) 24
and 38 in the Tx/Rx format. Speeds are in
bits-per-second.
80 Message-Authenticator Yes No Yes String. HMAC-MD5 over the packet, keyed with the shared secret (RFC 2869); signs Access-Request packets so that a forged or altered request is rejected.
82 Tunnel-Assignment-ID No Yes Yes String. Used to distinguish between different peers with
configurations that use the same IP address. If no
Tunnel-Client-Endpoint or Tunnel-Server-Endpoint
attribute is supplied with this tag, and if the
Tunnel-Assignment-ID matches the name of a locally
configured peer, the session will be tunneled to that peer.
83 Tunnel-Preference No No Yes String. If more than one set of tunneling attributes is
returned by the RADIUS server to the tunnel initiator, this
attribute should be included in all sets to indicate the
preference assigned to each set; the lower the value for
a set, the more preferable it is.
85 Acct-Interim-Interval No No Yes Integer. The Value field indicates the number of seconds
between each interim update sent from the NAS for this
specific session.
The value must be between 600 and 604,800 seconds (7
days). Any value outside this range logs a message to
the system and the value resets to the corresponding
minimum or maximum allowed value.
Before you set this value, consider the possible impact to
network traffic.
87 NAS-Port-ID Yes Yes No String. By default, this attribute is sent in RADIUS packets. The default format is:
slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id] [pppoe sess-id | clips sess-id]
where slot and port are each 4 bits and tunl-vlan-id and pvc-vlan-id are each 12 bits. The tunl-vlan-id field is 0 if it does not exist.
For example, 4/1 vpi-vci 207 138 pppoe 5.
Use the radius attribute nas-port-id command (in context configuration mode) to specify another format for this attribute. This command is described in Chapter 21, RADIUS Configuration.
89 CUI Yes Yes Yes String. Optional. Chargeable User Identity (CUI). Identifies users when they roam outside their home network.
90 Tunnel-Client-Auth-ID No Yes Yes String. Defines the local hostname provided to the remote tunnel peer (used during tunnel setup). The behavior is identical to Redback VSA 16, Tunnel-Local-Name.
91 Tunnel-Server-Auth-ID No Yes Yes String. Defines an alias for the remote peer name. The value of this attribute must match the value of the hostname AVP that the peer sends in the SCCRQ or SCCRP message (depending on the tunnel initiator).
242 Ascend-Data-Filter No Yes Yes Binary String.
Standard RADIUS Attributes in CoA and Disconnect Messages
Table A-5 lists the standard RADIUS attributes that can appear in CoA-Request, CoA-Response, Disconnect-Request, and Disconnect-Response messages. For details about these standard attributes, see Table A-4.
Table A-5 Standard RADIUS Attributes in CoA and Disconnect Messages
# Attribute Name, Sent in CoA Request, Sent in CoA Response, Sent in Disconnect Request, Sent in Disconnect Response, Notes
1 User-Name Yes No Yes No
4 NAS-IP-Address Yes No Yes No
5 NAS-Port Yes No Yes No
6 Service-Type Yes Yes (1) Yes Yes (1)
7 Framed-Protocol Yes No No No
8 Framed-IP-Address Yes No Yes No
9 Framed-IP-Netmask Yes No No No
11 Filter-Id Yes No No No
12 Framed-MTU Yes No No No
18 Reply-Message Yes No Yes No
22 Framed-Route Yes No No No
24 State Yes Yes Yes Yes
25 Class Yes No Yes No
26 Vendor-Specific Yes No Yes No
27 Session-Timeout Yes No No No
28 Idle-Timeout Yes No No No
30 Called-Station-Id Yes No Yes No
31 Calling-Station-Id Yes No Yes No
32 NAS-Identifier Yes No Yes No
33 Proxy-State Yes Yes Yes Yes
44 Acct-Session-Id Yes No Yes No
50 Acct-Multi-Session-Id Yes No Yes No
55 Event-Timestamp Yes Yes Yes Yes
61 NAS-Port-Type Yes No Yes No
62 Port-Limit Yes No No No
64 Tunnel-Type Yes No No No
65 Tunnel-Medium-Type Yes No No No
66 Tunnel-Client-Endpoint Yes No No No
67 Tunnel-Server-Endpoint Yes No No No
69 Tunnel-Password Yes No No No
82 Tunnel-Assignment-ID Yes No No No
83 Tunnel-Preference Yes No No No
85 Acct-Interim-Interval Yes No No No
87 NAS-Port-Id Yes No Yes No
90 Tunnel-Client-Auth-ID Yes No No No
91 Tunnel-Server-Auth-ID Yes No No No
94 Originating-Line-Id Yes No Yes No
96 Framed-Interface-Id Yes No Yes No
101 Error-Cause No Yes (1) No Yes
242 Ascend-Data-Filter Yes No No No
(1) Sent in NAK messages only.
Standard RADIUS Attributes That Can Be Reauthorized
Table A-6 lists the standard RADIUS attributes that are reauthorized when you enter the reauthorize command (in exec mode).
Table A-6 Standard RADIUS Attributes Supported by Reauthorization
# Attribute Name Description
11 Filter-Id Filters inbound or outbound traffic through an access control list (ACL).
25 Class Forwards the information sent by the RADIUS server to the SmartEdge router, without interpretation, in subsequent accounting messages to the RADIUS accounting server for that subscriber session.
26 Vendor-Specific Allows Redback Networks to support its own VSAs.
27 Session-Timeout Sets the in-service time allowed before the session terminates.
28 Idle-Timeout Sets the idle time allowed before the session terminates.
85 Acct-Interim-Interval Sets the interval, in seconds, between interim accounting updates for the session.
242 Ascend-Data-Filter Allows multiple values.
Redback VSAs
Redback VSAs appear in the various types of RADIUS messages as described in the following sections:
Redback VSAs in Access and Account Messages
Redback VSAs in CoA and Disconnect Messages
Redback VSAs That Can Be Reauthorized
VSA 164 Format
VSA 196 Format
Redback VSAs in Access and Account Messages
Table A-7 lists the Redback VSAs that are supported by the SmartEdge OS and that can appear in Access-Request, Accounting-Request, and Access-Response messages.
Table A-7 Redback VSAs Supported by the SmartEdge OS
# VSA Name, Sent in Access-Request, Sent in Acct-Request, Received in Access-Response, Notes
1 Client-DNS-Pri No No Yes IP address of the primary DNS server for this subscriber's connection.
2 Client-DNS-Sec No No Yes IP address of the secondary DNS server for this subscriber's connection.
3 DHCP-Max-Leases No Yes Yes Integer. Maximum number of DHCP addresses this
subscriber can allocate to hosts. The range of
values is 1 to 255.
4 Context-Name No Yes Yes Binds the subscriber session to specified context,
overriding the structured username. This
information is only interpreted when global AAA is
enabled.
5 Bridge-Group No No Yes String. Bridge group name; attaches subscriber to
the named bridge group.
6 BG-Aging-Time No No Yes String. bg-name:val; configures bridge aging time
for subscriber attaching to the named bridge group.
7 BG-Path-Cost No No Yes String. bg-name:val; configures bridge path cost for
subscriber attaching to the named bridge group.
8 BG-Span-Dis No No Yes String. bg-name:val; disables spanning tree for a subscriber attaching to the named bridge group. The val argument can have the following values:
1=TRUE
2=FALSE
9 BG-Trans-BPDU No No Yes String. bg-name:val; sends transparent spanning tree bridge protocol data units (BPDUs) for a subscriber attaching to the named bridge group. The val argument can have the following values:
1=TRUE
2=FALSE
10 Rate-Limit-Rate No Yes Yes 4-byte integer. Configures rate limit rate for
subscribers in kbps. Valid range of values is 10 to
1,250,000 kbps. If this parameter is configured, the
Rate-Limit-Burst must also be configured.
11 Rate-Limit-Burst No Yes Yes 4-byte integer. Configures rate limit burst rate for
subscribers in bytes. Valid range of values is 0 to
1,562,500,000 bytes. If this parameter is
configured, the Rate-Limit-Rate must also be
configured.
12 Police-Rate No Yes Yes 4-byte integer. Configures policing rate for
subscribers in kbps. Valid range of values is 10 to
1,250,000 kbps. If this parameter is configured, the
Police-Burst must also be configured.
13 Police-Burst No Yes Yes 4-byte integer. Configures policing burst rate for
subscribers in bytes. Valid range of values is 0 to
1,562,500,000 bytes. If this parameter is
configured, the Police-Rate must also be
configured.
14 Source-Validation No Yes Yes Integer. Enables source validation for subscriber,
according to one of the following values:
1=TRUE
0=FALSE
15 Tunnel-Domain No No Yes Integer. Binds the subscriber to a tunnel based on
the domain name portion of the username,
according to one of the following values:
1=TRUE
0=FALSE
16 Tunnel-Local-Name No No Yes String. Defines the local hostname provided to the
remote peer during tunnel setup.
17 Tunnel-Remote-Name No No Yes String. Defines an alias for the remote peer name.
18 Tunnel-Function No Yes Yes Integer. Determines this tunnel configuration as a
LAC-only endpoint or an LNS endpoint, according
to one of the following values:
1=LAC only
2=LNS only
21 Tunnel-Max-Sessions No Yes Yes Integer. Limits the number of sessions per tunnel
using this tunnel configuration.
22 Tunnel-Max-Tunnels (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. Limits the number of tunnels that can be initiated using this tunnel configuration.
23 Tunnel-Session-Auth (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Specifies the authentication method to use during PPP authentication, according to one of the following values:
  1 = CHAP
  2 = PAP
  3 = CHAP-PAP
24 Tunnel-Window (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Configures the receive window size for incoming L2TP messages.
25 Tunnel-Retransmit (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Specifies the number of times the SmartEdge router retransmits a control message.
26 Tunnel-Cmd-Timeout (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Specifies the timeout interval, in seconds, between control message retransmissions.
27 PPPOE-URL (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String in PPPoE URL format. Defines the PPPoE URL that is sent to the remote PPPoE client in the PADM packet.
28 PPPOE-MOTM (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Defines the PPPoE MOTM message that is sent to the remote PPPoE client in the PADM packet.
29 Tunnel-Group (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. Indicates whether this record is a tunnel group with a list of member peers:
  1 = TRUE
  0 = FALSE
30 Tunnel-Context (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Context name. Used in a DNIS peer record, this attribute specifies the context in which the named peer should be found.
31 Tunnel-Algorithm (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Specifies the session distribution algorithm used to choose between the peer configurations in the RADIUS response. This VSA instructs the SmartEdge OS on how to interpret standard RADIUS attribute 83, Tunnel-Preference, according to one of the following values:
  1 = Priority
  2 = Load-Balance
  3 = Weighted round-robin
32 Tunnel-Deadtime (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Specifies the number of minutes during which no sessions are attempted to an L2TP peer when the peer is down.
33 Mcast-Send (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. Defines whether the subscriber can send multicast packets, according to one of the following values:
  1 = NO SEND
  2 = SEND
  3 = UNSOLICITED SEND
34 Mcast-Receive (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. Defines whether the subscriber can receive multicast packets, according to one of the following values:
  1 = NO RECEIVE
  2 = RECEIVE
35 Mcast-MaxGroups (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. Specifies the maximum number of multicast groups of which the subscriber can be a member.
36 Ip-Address-Pool-Name (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Name of the interface or IP pool used to assign an IP pool address to the subscriber.
37 Tunnel-DNIS (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. L2TP peer parameter specifying whether incoming sessions from this peer are switched based on the incoming DNIS AVP if present, or on the incoming DNIS AVP only (terminated if no DNIS AVP is present):
  1 = DNIS
  2 = DNIS ONLY
38 Medium-Type (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer. Contains the medium type of the circuit. The system sets this value to DSL for CLIPS and PPP subscribers.
39 PVC-Encapsulation-Type (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Encapsulation type to be applied to the circuit:
  2 = Routed 1483
  4 = ATM multi
  5 = Bridged 1483
  6 = ATM PPP
  7 = ATM PPP serial
  8 = ATM PPP NLPID
  9 = ATM PPP auto
  10 = ATM PPPoE
  12 = ATM PPP LLC
  22 = Ethernet IPoE
  23 = Ethernet PPPoE
  24 = Ethernet dot1q
  26 = Ethernet dot1q pppoe
  31 = Ethernet dot1q tunnel pppoe
  32 = Ethernet dot1q multi
  33 = Ethernet dot1q tunnel multi
40 PVC-Profile-Name (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Name of the ATM profile assigned to the subscriber record (a named profile or the default profile, set with the shaping profile command in subscriber configuration mode) to use for this circuit.
42 Bind-Type (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Binding type to be applied to this circuit:
  1 = authentication
  3 = interface
  4 = subscriber
  14 = autosubscriber
  CCOD (circuit creation on demand) circuits support only subscriber bind types.
43 Bind-Auth-Protocol (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Authentication protocol to use for this circuit:
  1 = PAP
  2 = CHAP
  4 = CHAP PAP
  5 = AAA-PPP-CHAP-WAIT-PAP
  7 = PAP CHAP
44 Bind-Auth-Max-Sessions (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Maximum number of PPPoE sessions allowed to be created for this circuit. Also applies to PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.
45 Bind-Bypass-Bypass (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Name of the bypass being bound.
46 Bind-Auth-Context (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind authentication context name. Also applies to PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.
47 Bind-Auth-Service-Grp (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind authentication service group name. Also applies to PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.
48 Bind-Bypass-Context (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind bypass context name.
49 Bind-Int-Context (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind interface context name. Also applies to IP bridging sessions tunneled with Ethernet encapsulation over L2TP on the LNS.
50 Bind-Tun-Context (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind tunnel context name.
51 Bind-Ses-Context (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind session context name.
52 Bind-Dot1q-Slot (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Bind 802.1Q slot number.
53 Bind-Dot1q-Port (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Bind 802.1Q port number.
54 Bind-Dot1q-Vlan-Tag-Id (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Bind 802.1Q VLAN tag ID.
55 Bind-Int-Interface-Name (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind interface name. Also applies to IP bridging sessions tunneled with Ethernet encapsulation over L2TP on the LNS.
56 Bind-L2TP-Tunnel-Name (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind L2TP tunnel name.
57 Bind-L2TP-Flow-Control (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Bind L2TP flow control.
58 Bind-Sub-User-At-Context (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind subscriber context name.
59 Bind-Sub-Password (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Bind subscriber password.
60 Ip-Host-Addr (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String in the form A.B.C.D hh:hh:hh:hh:hh:hh (IP host address and MAC address). A space must separate the IP address from the MAC address.
61 IP-TOS-Field (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Specifies the value of the IP ToS field. Used for soft QoS:
  0 = normal
  1 = min-cost only
  2 = max-reliability only
  3 = max-reliability plus min-cost
  4 = max-throughput only
  5 = max-throughput plus min-cost
  6 = max-throughput plus max-reliability
  7 = max-throughput plus max-reliability plus min-cost
  8 = min-delay only
  9 = min-delay plus min-cost
  10 = min-delay plus max-reliability
  11 = min-delay plus max-reliability plus min-cost
  12 = min-delay plus max-throughput
  13 = min-delay plus max-throughput plus min-cost
  14 = min-delay plus max-throughput plus max-reliability
  15 = min-delay plus max-throughput plus max-reliability plus min-cost
62 NAS-Real-Port (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer. Indicates the port number of the physical circuit on which the session was received. The format (in bits) is:
  SSSSPPPPCCCCCCCCCCCCCCCCCCCCCCCC
  where:
  S = Slot
  P = Port
  C = Circuit (for ATM, 8 bits of VPI and 16 bits of VCI)
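A collector that maps RADIUS sessions back to physical circuits has to split the NAS-Real-Port integer into its fields. The following is an added example, not SmartEdge OS code; it assumes the bit layout SSSSPPPPCCCC... shown above is read most-significant bit first (slot in bits 31..28, port in 27..24, circuit in 23..0), and that for ATM the 8-bit VPI occupies the high byte of the circuit field with the 16-bit VCI below it. Neither ordering is stated on the page.

```python
# Added example (not SmartEdge OS code): decode/encode Redback VSA 62, NAS-Real-Port.
# Assumption: the page's bit string SSSSPPPPCCCC... is read MSB first, so
# slot = bits 31..28, port = bits 27..24, circuit = bits 23..0.
# Assumption: for ATM circuits the VPI is the high 8 bits of the circuit field
# and the VCI the low 16 bits.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RealPort:
    slot: int
    port: int
    circuit: int
    vpi: Optional[int] = None   # filled in only when decoded as ATM
    vci: Optional[int] = None


def decode_nas_real_port(value: int, atm: bool = False) -> RealPort:
    """Split a 32-bit NAS-Real-Port value into slot, port and circuit."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Real-Port must be a 32-bit unsigned integer")
    slot = (value >> 28) & 0xF
    port = (value >> 24) & 0xF
    circuit = value & 0xFFFFFF
    if atm:
        return RealPort(slot, port, circuit,
                        vpi=(circuit >> 16) & 0xFF, vci=circuit & 0xFFFF)
    return RealPort(slot, port, circuit)


def encode_nas_real_port(slot: int, port: int, circuit: int) -> int:
    """Inverse of decode_nas_real_port, with range checks on each field."""
    if not (0 <= slot <= 0xF and 0 <= port <= 0xF and 0 <= circuit <= 0xFFFFFF):
        raise ValueError("slot (4 bits), port (4 bits) or circuit (24 bits) out of range")
    return (slot << 28) | (port << 24) | circuit


if __name__ == "__main__":
    # Constructed sample: slot 3, port 1, ATM VPI 8 / VCI 35.
    value = encode_nas_real_port(3, 1, (8 << 16) | 35)
    print(hex(value), decode_nas_real_port(value, atm=True))
```

Because the attribute is sent in Access-Request and Acct-Request only, the decoder is the side a log pipeline needs; the encoder is included so the field layout can be round-trip checked against captured values.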
63 Tunnel-Session-Auth-Ctx (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. L2TP peer parameter that specifies the name of the context in which all incoming PPP over L2TP sessions should be authenticated, regardless of the domain specified in the username.
64 Tunnel-Session-Auth-Service-Grp (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. L2TP peer parameter specifying the service group (service access control list [ACL]) to be used for all incoming PPP over L2TP sessions.
65 Tunnel-Rate-Limit-Rate (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  4-byte integer. L2TP or GRE peer parameter specifying the rate-limit rate for a tunnel, in kbps. The valid range of values is 10 to 1,250,000 kbps. If this parameter is configured, Tunnel-Rate-Limit-Burst must also be configured.
66 Tunnel-Rate-Limit-Burst (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  4-byte integer. L2TP or GRE peer parameter specifying the rate-limit burst for a tunnel, in bytes. The valid range of values is 0 to 1,562,500,000 bytes. If this parameter is configured, Tunnel-Rate-Limit-Rate must also be configured.
67 Tunnel-Police-Rate (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  4-byte integer. L2TP or GRE peer parameter specifying the policing rate for a tunnel, in kbps. The valid range of values is 10 to 1,250,000 kbps. If this parameter is configured, Tunnel-Police-Burst must also be configured.
68 Tunnel-Police-Burst (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  4-byte integer. L2TP or GRE peer parameter specifying the policing burst for a tunnel, in bytes. The valid range of values is 0 to 1,562,500,000 bytes. If this parameter is configured, Tunnel-Police-Rate must also be configured.
69 Tunnel-L2F-Second-Password (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. L2F peer parameter specifying the password string used to authenticate the L2F remote peer. Note: The Tunnel-Password attribute is used for authentication in the other direction.
70 ACL-Definition (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Used to define ACLs in the RADIUS database. The ACL-Name attribute is the username, and the Service-Type attribute must be set to Access-Control-List. The data content of this attribute contains ACL definitions similar to those of the SmartEdge OS command-line interface (CLI).
71 PPPoE-IP-Route-Add (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Populates the PPPoE subscriber routing table with the routes to be installed when multiple PPPoE sessions exist; a more granular set of routes can be achieved when multiple sessions are active to the client. The format is h.h.h.h nn g.g.g.g m, where:
  h.h.h.h = IP address of the destination host or network.
  nn = optional netmask size in bits (if not present, defaults to 32).
  g.g.g.g = IP address of the gateway.
  m = number of hops for this route.
  If the first byte of VSA 71 is 121 (classless static route), this VSA is used to handle DHCP option 121.
72 TTY-Level-Start (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Indicates the starting privilege level for the administrator. The range of values is 0 to 15, and the value must be less than or equal to the value of TTY-Level-Max.
73 TTY-Level-Max (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Indicates the maximum privilege level for the administrator. The range of values is 0 to 15, and the value must be greater than or equal to the value of TTY-Level-Start.
74 Tunnel-Checksum (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. Enables GRE checksums. When enabled, a checksum is computed for each outgoing GRE packet, which allows the remote system to verify the integrity of each packet; incoming packets that fail the checksum are discarded. A value of 1 means enabled; any other value means disabled.
75 Tunnel-Profile (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Attaches a profile to the tunnel. Used when configuring a tunnel from a RADIUS server. A Tunnel-Profile attribute in a subscriber record is ignored.
78 Tunnel-Client-VPN (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Name of the target context (a virtual private network [VPN]) on the client side of the tunnel. Required for GRE. If omitted, the system automatically sets the value equal to the value set for the Tunnel-Server-VPN attribute.
79 Tunnel-Server-VPN (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Name of the target context (VPN) on the server side of the tunnel.
80 Tunnel-Client-Rhost (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Normally configured with the ip host command (in GRE tunnel, or ATM, dot1q, Frame Relay, or link PVC configuration mode) on the client system. If omitted, the system uses the value of the Tunnel-Client-Int-Addr attribute on the server side.
81 Tunnel-Server-Rhost (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Normally configured with the ip host command (in PVC configuration mode) on the server system. If omitted, the system uses the value of the Tunnel-Server-Int-Addr attribute on the client side.
82 Tunnel-Client-Int-Addr (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  IP address of the interface to bind in the VPN context. This address is also used in the ip host statement on the server system. Required attribute for GRE.
83 Tunnel-Server-Int-Addr (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  IP address of the server interface. This address is also used in the ip host command (in GRE tunnel, or ATM, dot1q, Frame Relay, or link PVC configuration mode) on the client system. Required attribute for GRE.
85 Tunnel-Hello-Timer (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. Hello timer (in seconds) representing the time the tunnel is silent before it transmits a hello message. It is configured using the hello-timer command (in L2TP peer configuration mode).
86 Redback-Reason (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. If the NetOp Policy Manager (PM) sends the SmartEdge router (through SNMP) a non-zero clear reason while trying to clear (bounce) the subscriber session, this clear reason value is sent to the RADIUS server in this VSA in the RADIUS accounting Stop packet.
87 Qos-Policy-Policing (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Attaches a QoS policing policy to the subscriber session.
88 Qos-Policy-Metering (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Attaches a QoS metering policy to the subscriber session.
89 Qos-Policy-Queuing (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Attaches a QoS queuing policy of any type supported by the circuit to the subscriber session.
90 Igmp-Service-Profile-Name (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Name of the IGMP service profile that is applied to the subscriber session.
91 Subscriber-Profile-Name (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Name of the subscriber profile that is applied to the subscriber session.
92 Forward-Policy (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Attaches an in or out forward policy to the subscriber session. The forward policy is in the following format:
  in:forward-policy-name
  out:forward-policy-name
94 Reauth-String (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. The format is:
  ID-type;subID;attr-num;attr-value;attr-num;attr-value...
  When the ID-type is 1, the subID is read as a RADIUS accounting session ID. When the ID-type is 2, the subID is read as a name. The semicolon (;) acts as a delimiter.
  attr-num is an integer that identifies a RADIUS attribute; for example, standard RADIUS attribute 11 (Filter-Id) for an access control list (ACL) or Redback VSA 87 (Qos-Policy-Policing) for a QoS policing policy. (Redback VSAs include the Redback prefix, 2352.)
  attr-value is the value of the RADIUS attribute specified by attr-num.
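A Reauth-String arrives in an Access-Response and drives a reauthorization of a live session, so a receiver should validate its shape before acting on any attribute it carries. The following parser is an added example, not SmartEdge OS code. The page does not say how the 2352 prefix is attached to a Redback VSA number, so the example assumes it is written as the prefix immediately followed by the VSA number (for instance 235287 for Qos-Policy-Policing); that rule lives in one helper and is the only assumption beyond the format above.

```python
# Added example (not SmartEdge OS code): parse and validate Redback VSA 94,
# Reauth-String:  ID-type;subID;attr-num;attr-value;attr-num;attr-value...
# ID-type 1 = subID is a RADIUS accounting session ID; ID-type 2 = subID is a name.
# Assumption: a Redback VSA's attr-num is the vendor prefix "2352" immediately
# followed by the VSA number, e.g. "235287" for VSA 87. The page states only
# that the prefix is included, not how.
from dataclasses import dataclass, field
from typing import List, Tuple

REDBACK_VENDOR_PREFIX = "2352"


@dataclass
class ReauthRequest:
    id_type: int                                   # 1 = accounting session ID, 2 = name
    sub_id: str
    attrs: List[Tuple[str, str]] = field(default_factory=list)  # (attr-num, attr-value)


def is_redback_vsa(attr_num: str) -> bool:
    """True when attr-num carries the (assumed) 2352 prefix plus a VSA number."""
    return attr_num.startswith(REDBACK_VENDOR_PREFIX) and len(attr_num) > len(REDBACK_VENDOR_PREFIX)


def parse_reauth_string(s: str) -> ReauthRequest:
    """Split on ';' and check the shape; raises ValueError on malformed input."""
    tokens = s.split(";")
    if len(tokens) < 4:
        raise ValueError("need ID-type, subID and at least one attr-num/attr-value pair")
    if tokens[0] not in ("1", "2"):
        raise ValueError(f"unsupported ID-type {tokens[0]!r}")
    if not tokens[1]:
        raise ValueError("empty subID")
    body = tokens[2:]
    if len(body) % 2:
        raise ValueError("attr-num without a matching attr-value")
    attrs: List[Tuple[str, str]] = []
    for num, val in zip(body[::2], body[1::2]):
        if not num.isdigit():
            raise ValueError(f"attr-num {num!r} is not an integer")
        attrs.append((num, val))
    return ReauthRequest(int(tokens[0]), tokens[1], attrs)


def is_valid_reauth_string(s: str) -> bool:
    """Convenience wrapper for callers that only need accept/reject."""
    try:
        parse_reauth_string(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: select the session by accounting session ID,
    # then apply Filter-Id (11) and the assumed 2352-prefixed VSA 87.
    print(parse_reauth_string("1;ACCT-SESS-0001;11;acl-in-basic;235287;policing-gold"))
```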
95 Reauth-More (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. 0 or 1 (False or True).
96 Agent-Remote-Id (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  String. Used for two types of subscriber sessions:
  Incoming CLIPS sessions to the SmartEdge router from a DHCP relay network. This is suboption 2 in a DHCP option 82 packet.
  PPPoE sessions. Sent by the PPP client in the PADR.
  This attribute can also be set through the radius attribute calling-station-id and radius attribute nas-port-id commands in context configuration mode; see Chapter 21, RADIUS Configuration.
97 Agent-Circuit-Id (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  String. Used for two types of subscriber sessions:
  CLIPS sessions coming into the SmartEdge router via a DHCP relay network. This is suboption 1 in a DHCP option 82 packet.
  PPPoE sessions. Sent by the PPP client in the PADR.
  This attribute can also be set through the radius attribute calling-station-id and radius attribute nas-port-id commands in context configuration mode; see Chapter 21, RADIUS Configuration.
98 Platform-Type (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer. Indicates the Redback product family from which the RADIUS access request is sent. The supported values are:
  2 = PLATFORM_TYPE_SE800
  3 = PLATFORM_TYPE_SE400
99 RB-Client-NBNS-Pri (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  IP address. Configures the IP address of a primary NetBIOS Name Server (NBNS) that the subscriber must use.
100 RB-Client-NBNS-Sec (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  IP address. Configures the IP address of a secondary NBNS that the subscriber must use.
101 Shaping-Profile-Name (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Name of the ATM shaping profile.
104 IP-Interface-Name (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Interface name. Binds a subscriber to the specified interface. This VSA is used in conjunction with VSA 3, DHCP-Max-Leases. This attribute can also be set through the ip interface name command (in subscriber configuration mode); see Chapter 5, DHCP Configuration.
105 NAT-Policy-Name (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. NAT policy name. Attaches the specified NAT policy to a subscriber.
106 NPM-Service-Id (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Service identifier for a service defined in the NetOp Policy Manager (PM) database.
107 HTTP-Redirect-Profile-Name (Access-Request: No; Acct-Request: Yes, alive and stop records only; Access-Response: Yes)
  String of up to 32 characters. HTTP redirect profile name.
108 Bind-Auto-Sub-User (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Subscriber name prefix as specified by the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). The prefix is included in the automatically generated subscriber name. For more information about this command and the format of the automatically generated subscriber name, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
109 Bind-Auto-Sub-Context (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Name of the context in which the subscriber is bound with the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). For more information about this command, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
110 Bind-Auto-Sub-Password (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Password prefix as specified by the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). The prefix is included in the automatically generated subscriber password. For more information about this command and the format of the automatically generated subscriber password, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
111 Circuit-Protocol-Encap (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  Integer. Circuit encapsulation for a CCOD child circuit. The supported values are:
  27 = PPPoE encapsulation
  34 = PPPoE multiencapsulation
  35 = PPPoE tunnel multiencapsulation
112 OS-Version (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  String. Software version number.
113 Session-Traffic-Limit (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Specifies that inbound, outbound, or aggregated traffic be limited. Use the in: limit, out: limit, or aggregate: limit format, where limits are in kilobytes (KB). The limit values set for inbound and outbound traffic are independent of each other. The limit value set for aggregate traffic is the total sum of both inbound and outbound traffic. When configuring Session-Traffic-Limit, you can configure the limit for either of these options:
  Inbound traffic, outbound traffic, or both
  Aggregate traffic
  You cannot configure the limit for both aggregate traffic and inbound or outbound traffic.
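The mutual exclusion between an aggregate limit and per-direction limits is the kind of rule that is easy to get wrong when a RADIUS profile is assembled from several sources. The following is an added example, not SmartEdge OS code, that parses a set of Session-Traffic-Limit values and rejects a conflicting combination before it is sent. It assumes each VSA instance carries one direction: limit token, that a limit is a positive whole number of kilobytes, and that a limit counts as reached when the observed volume equals it; the page specifies none of those three details.

```python
# Added example (not SmartEdge OS code): validate Redback VSA 113,
# Session-Traffic-Limit, and check observed volume against it.
# Assumptions: one "direction: limit" token per VSA instance; limits are
# positive whole kilobytes; a limit is reached when volume >= limit.
import re
from typing import Dict, Iterable

_TOKEN = re.compile(r"^\s*(in|out|aggregate)\s*:\s*(\d+)\s*$")


def parse_session_traffic_limits(values: Iterable[str]) -> Dict[str, int]:
    """Return {direction: limit_kb}; raise ValueError on malformed or conflicting input."""
    limits: Dict[str, int] = {}
    for raw in values:
        m = _TOKEN.match(raw)
        if not m:
            raise ValueError(f"malformed Session-Traffic-Limit {raw!r}")
        direction, kb = m.group(1), int(m.group(2))
        if kb <= 0:
            raise ValueError(f"{direction}: limit must be positive")
        if direction in limits:
            raise ValueError(f"{direction}: limit given more than once")
        limits[direction] = kb
    # The page's rule: aggregate cannot be combined with in or out.
    if "aggregate" in limits and ({"in", "out"} & limits.keys()):
        raise ValueError("aggregate limit cannot be combined with in/out limits")
    return limits


def limits_are_valid(values: Iterable[str]) -> bool:
    try:
        parse_session_traffic_limits(values)
        return True
    except ValueError:
        return False


def limit_reached(limits: Dict[str, int], in_kb: int, out_kb: int) -> bool:
    """True when the session's observed volume has reached a configured limit."""
    if "aggregate" in limits:
        return in_kb + out_kb >= limits["aggregate"]
    if "in" in limits and in_kb >= limits["in"]:
        return True
    if "out" in limits and out_kb >= limits["out"]:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a valid per-direction pair and a rejected mixed set.
    print(parse_session_traffic_limits(["in: 1024", "out:2048"]))
    print(limits_are_valid(["aggregate: 4096", "in: 512"]))
```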
114 QoS-Reference (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Specifies the node name, the node-name index, the group name, and the group-name index. A colon (:) separates the node-name index from the group name.
125 DHCP-Vendor-Class-Id (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  String. DHCP option 60 value.
127 DHCP-Vendor-Encap-Options (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. DHCP option 43 values. The format is:
  code:value:code:value ...
  where:
  code = DHCP vendor-encapsulated option number
  value = option data in one of the following formats:
  IP address type = dotted notation
  Number = decimal integer
  ASCII string = ASCII characters without quotation marks
  Binary string = hex values of bytes separated by commas (,)
  For descriptions of the vendor-encapsulated options found in RFC 2132, DHCP Options and BOOTP Vendor Extensions, see Table 4-10 to Table 4-16.
128 Acct-Input-Octets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Input-Octets standard attribute per RFC 2139.
129 Acct-Output-Octets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Output-Octets standard attribute per RFC 2139.
130 Acct-Input-Packets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Input-Packets standard attribute per RFC 2139.
131 Acct-Output-Packets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Output-Packets standard attribute per RFC 2139.
132 Assigned-IP-Address (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  IP address. Reports IP addresses assigned to a subscriber via IP pools or DHCP.
133 Acct-Mcast-In-Octets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Mcast-In-Octets attribute.
134 Acct-Mcast-Out-Octets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Mcast-Out-Octets attribute.
135 Acct-Mcast-In-Packets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Mcast-In-Packets attribute.
136 Acct-Mcast-Out-Packets-64 (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 64-bit value for the Acct-Mcast-Out-Packets attribute.
137 LAC-Port (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer. Contains the circuit handle for the incoming session on an L2TP LAC. This attribute should be present only for a subscriber on an L2TP tunnel switch or LNS. The circuit can be virtual for a PPPoE session.
138 LAC-Real-Port (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer. Contains the circuit handle for the real circuit of an incoming PPPoE session on an L2TP LAC. This attribute should be present only for a subscriber on an L2TP tunnel switch or LNS.
139 LAC-Port-Type (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer. Contains the port type for the incoming session on an L2TP LAC. This attribute should be present only for a subscriber on an L2TP tunnel switch or LNS. The port can be virtual for a PPPoE session. Values for port types are:
  40 = NAS_PORT_TYPE_10BT
  41 = NAS_PORT_TYPE_100BT
  42 = NAS_PORT_TYPE_DS3_FR
  43 = NAS_PORT_TYPE_DS3_ATM
  44 = NAS_PORT_TYPE_OC3
  45 = NAS_PORT_TYPE_HSSI
  46 = NAS_PORT_TYPE_EIA530
  47 = NAS_PORT_TYPE_T1
  48 = NAS_PORT_TYPE_CHAN_T3
  49 = NAS_PORT_TYPE_DS1_FR
  50 = NAS_PORT_TYPE_E3_ATM
  51 = NAS_PORT_TYPE_IMA_ATM
  52 = NAS_PORT_TYPE_DS3_ATM_2
  53 = NAS_PORT_TYPE_OC3_ATM_2
  54 = NAS_PORT_TYPE_1000BSX
  55 = NAS_PORT_TYPE_E1_FR
  56 = NAS_PORT_TYPE_E1_ATM
  57 = NAS_PORT_TYPE_E3_FR
  58 = NAS_PORT_TYPE_OC3_POS
  59 = NAS_PORT_TYPE_OC12_POS
  60 = NAS_PORT_TYPE_PPPOE
140 LAC-Real-Port-Type (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer. Contains the port type for the real circuit of an incoming PPPoE session on an L2TP LAC. This attribute should be present only for a subscriber on an L2TP tunnel switch or LNS. See VSA 139 for port-type values.
141 Acct-Dyn-Ac-Ent (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  String. Used for dynamic redirect ACLs. Specifies that when a watch access entry is triggered, an accounting update is generated. The format of the accounting entry is:
  status:direction:access-entry:byte-count:packet-count:
  status = ON or OFF. The status is ON when the dynamic access entry is triggered and OFF when the dynamic access entry expires.
  direction = IN or OUT. Direction of the traffic flow to which the ACL was applied. Direction is IN for subscriber traffic destined for the SMS device and OUT for traffic destined to the subscriber.
  access-entry = Triggered dynamic access entry that caused the update to be generated.
  byte-count = Number of bytes that have passed through the dynamic access entry since it was triggered.
  packet-count = Number of packets that have passed through the dynamic access entry since it was triggered.
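These accounting updates are what a collector or SIEM sees when a watch access entry fires, so the useful operation is to normalize them into records and keep the latest counters per entry and direction. The following is an added example, not SmartEdge OS code. It treats the trailing colon shown in the format as optional, assumes the access-entry name itself contains no colon, and assumes updates arrive in chronological order so that the newest record for a given entry and direction carries the current cumulative counters; the sample values are constructed.

```python
# Added example (not SmartEdge OS code): parse Redback VSA 141, Acct-Dyn-Ac-Ent,
#   status:direction:access-entry:byte-count:packet-count[:]
# Assumptions: trailing ':' is optional; access-entry contains no ':'; records are
# processed in the order they were generated. Sample values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DynAcEnt:
    status: str         # "ON" when the entry triggers, "OFF" when it expires
    direction: str      # "IN" = from subscriber, "OUT" = to subscriber
    access_entry: str
    byte_count: int     # cumulative since trigger
    packet_count: int   # cumulative since trigger


def parse_acct_dyn_ac_ent(value: str) -> DynAcEnt:
    """Parse one accounting string; raises ValueError on a malformed record."""
    fields = value.rstrip(":").split(":")
    if len(fields) != 5:
        raise ValueError(f"expected 5 colon-separated fields, got {len(fields)}: {value!r}")
    status, direction, entry, bytes_s, pkts_s = fields
    if status not in ("ON", "OFF"):
        raise ValueError(f"bad status {status!r}")
    if direction not in ("IN", "OUT"):
        raise ValueError(f"bad direction {direction!r}")
    if not entry:
        raise ValueError("empty access-entry")
    if not (bytes_s.isdigit() and pkts_s.isdigit()):
        raise ValueError("byte-count and packet-count must be non-negative integers")
    return DynAcEnt(status, direction, entry, int(bytes_s), int(pkts_s))


def summarize(values: List[str]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Latest (bytes, packets) per (access-entry, direction); newest record wins
    because the counters are cumulative since the entry was triggered."""
    latest: Dict[Tuple[str, str], DynAcEnt] = {}
    for v in values:
        rec = parse_acct_dyn_ac_ent(v)
        latest[(rec.access_entry, rec.direction)] = rec
    return {k: (r.byte_count, r.packet_count) for k, r in latest.items()}


# Constructed sample updates for one redirect entry, in generation order.
SAMPLE_UPDATES = [
    "ON:IN:redirect-http:0:0:",
    "ON:IN:redirect-http:15360:120:",
    "OFF:IN:redirect-http:20480:160:",
    "ON:OUT:redirect-http:4096:32",
]

if __name__ == "__main__":
    for key, counters in summarize(SAMPLE_UPDATES).items():
        print(key, counters)
```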
142 Session-Error-Code (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. 32 bits. Stop record only. Communicates specific error code information between Redback devices.
143 Session-Error-Msg (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  String. Stop record only. Describes how the session terminated.
144 Acct-Update-Reason (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. Reason code describing why the SmartEdge OS generated an accounting packet for a particular subscriber to RADIUS. Reason code values are:
  1 = AAA_LOAD_ACCT_SESSION_UP
  2 = AAA_LOAD_ACCT_SESSION_DOWN
  3 = AAA_LOAD_ACCT_PERIODIC
  16 = AAA_LOAD_ACCT_VOLUME_INGRESS_EXCEEDED
  17 = AAA_LOAD_ACCT_VOLUME_EGRESS_EXCEEDED
  18 = AAA_LOAD_ACCT_IDLE_TIMEOUT
  19 = AAA_LOAD_ACCT_TIME_EXCEEDED
145 Mac-Addr (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  String. MAC address. The format is 17 octets in hex. The MAC address is sent for all subscriber PPPoE sessions. Supported media include ATM PVCs, 802.1Q PVCs (tagged or untagged VLANs), and Ethernet ports.
147 Acct-Mcast-In-Octets (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. Number of inbound multicast octets.
148 Acct-Mcast-Out-Octets (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. Number of outbound multicast octets.
149 Acct-Mcast-In-Packets (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. Number of inbound multicast packets.
150 Acct-Mcast-Out-Packets (Access-Request: No; Acct-Request: Yes; Access-Response: No)
  Integer. Number of outbound multicast packets.
151 Reauth-Session-Id (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. Identifies the reauthorize session request. The value in this attribute is a string of attributes and values for the identified subscriber.
156 Qos-Rate-Inbound (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Changes the inbound QoS rate. The format is rate:burst:excess-burst; changing the burst and excess-burst values is optional.
157 Qos-Rate-Outbound (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Changes the outbound QoS rate. The format is rate:burst:excess-burst; changing the burst and excess-burst values is optional.
158 Route-Tag (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. Assigns a route tag to the subscriber's IP address (Framed-IP-Route), as well as to the subscriber's route statements (Framed-IP-Route).
159 LI-Id (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String. For lawful interception, identifies the intercepted target session. The mediation device ensures that this attribute is unique across all intercepted sessions. This field can be salt-encrypted.
160 LI-Md-Address (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  String (IP address, version 4, dotted format). For lawful interception, specifies the IP address of the mediation device that receives the duplicated data. The IP address cannot be 255.255.255.255 or 0.0.0.0. This field can be salt-encrypted.
161 LI-Md-Port (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. For lawful interception, specifies the User Datagram Protocol (UDP) port number of the mediation device that receives the duplicated data. This field can be salt-encrypted.
162 LI-Action (Access-Request: No; Acct-Request: No; Access-Response: Yes)
  Integer. For lawful interception, specifies one of the following intercept actions:
  0 = Stop interception of a session.
  1 = Start interception of a session.
  2 = No action; a dummy interception that is ignored. Use it to check whether a subscriber is logged on.
  When LI-Action is in Access-Accept packets, only 1 starts the tap. When LI-Action is in CoA-Request packets, you can enter any action. This field can be salt-encrypted.
163 LI-Profile (Access-Request: Yes; Acct-Request: No; Access-Response: Yes)
  String. For lawful interception, specifies the name of the LI profile configured on the SmartEdge OS. This field can be salt-encrypted.
164 Dynamic-Policy-Filter (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. The string consists of a set of ASCII tokens separated by one or more spaces. No other characters are allowed. The tokens are shown in a syntax statement in the VSA 164 Format section, along with descriptions of the keywords and arguments in the syntax table.
165 HTTP-Redirect-URL (Access-Request: No; Acct-Request: Yes; Access-Response: Yes)
  String. URL to which the SmartEdge OS redirects HTTP requests.
166 DSL-Actual-Rate-Up (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The actual DSL rate in the upstream direction.
167 DSL-Actual-Rate-Down (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The actual DSL rate in the downstream direction.
168 DSL-Min-Rate-Up (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The minimum DSL rate in the upstream direction.
169 DSL-Min-Rate-Down (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The minimum DSL rate in the downstream direction.
170 DSL-Attainable-Rate-Up (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The attainable DSL rate in the upstream direction.
171 DSL-Attainable-Rate-Down (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The attainable DSL rate in the downstream direction.
172 DSL-Max-Rate-Up (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The maximum DSL rate in the upstream direction.
173 DSL-Max-Rate-Down (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The maximum DSL rate in the downstream direction.
174 DSL-Min-Low-Power-Rate-Up (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The DSL minimum low-power rate in the upstream direction.
175 DSL-Min-Low-Power-Rate-Down (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The DSL minimum low-power rate in the downstream direction.
176 DSL-Max-Inter-Delay-Up (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The maximum DSL interleaving delay in the upstream direction.
177 DSL-Actual-Inter-Delay-Up (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The actual DSL interleaving delay in the upstream direction.
178 DSL-Max-Inter-Delay-Down (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The maximum DSL interleaving delay in the downstream direction.
179 DSL-Actual-Inter-Delay-Down (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The actual DSL interleaving delay in the downstream direction.
180 DSL-Line-State (Access-Request: Yes; Acct-Request: Yes; Access-Response: No)
  Integer, 32-bit value. The DSL port state:
  1 = SHOWTIME
  2 = IDLE
  3 = SILENT
181 DSL-L2-Encapsulation Yes Yes No Integer 32-bit value. The DSL data link protocol and data link encapsulation:
Data link byte:
0 = ATM AAL5
1 = ETHERNET
Encapsulation byte 1:
1 = Untagged
2 = Ethernet
Encapsulation byte 2:
0 = NA
1 = PPPoA LLC
2 = PPPoA NULL
3 = IPoA LLC
4 = IPoA NULL
5 = Ethernet over AAL5 LLC with FCS
6 = Ethernet over AAL5 LLC without FCS
7 = Ethernet over AAL5 NULL with FCS
8 = Ethernet over AAL5 NULL without FCS
182 DSL-Transmission-System Yes Yes No Integer 32-bit value. The DSL access-loop type of transmission system:
1 = ADSL1
2 = ADSL2
3 = ADSL2+
4 = VDSL1
5 = VDSL2
6 = SDSL
7 = UNKNOWN
183 DSL-PPPOA-PPPOE-Inter-Work-Flag Yes Yes No Integer. PPPoA-to-PPPoE interworking flag.
184 DSL-combined-Line-Info Yes Yes No String. The value of the TLV described in GSMP
Extensions for Layer 2 Control (L2C) Topology
Discovery and Line Configuration, section 5.4.1,
Topology Discovery.
185 DSL-Actual-Rate-Down-Factor Yes Yes No Integer. The rate that can be learned from the
DSLAM or from a PPPoE or DHCP tag, depending
on the configuration of the access-line rate
command (in subscriber configuration mode).
186 Class-Traffic-Limit No No Yes String. Specifies a traffic volume limit associated with a specific class when a subscriber session is initiated. The syntax for the Class-Traffic-Limit VSA string is [in: | out:] class-name limit, where:
in: Optional. Specifies a traffic volume limit for traffic inbound to the SmartEdge router. If the traffic direction (inbound or outbound) is not specified, the traffic limit is applied to outbound traffic.
out: Optional. Specifies a traffic volume limit for traffic outbound from the SmartEdge router.
class-name: Class name with which to associate the traffic volume limit. The class name must match an existing policy ACL applied, or being applied, to the subscriber circuit. If the class name does not exist, the subscriber circuit is not torn down during a reauthorization request and comes up with no effect on the traffic. If the class name does not have counters in the metering or policing policy, the subscriber circuit comes up with no effect on the traffic.
limit: Traffic volume limit in KB. A value of 0 specifies an unlimited, unmonitored traffic volume.
Zero or more Class-Traffic-Limit VSAs can be sent in an Access-Accept packet to the SmartEdge router. If the Class-Traffic-Limit VSA is not configured, the traffic volume is unlimited in both directions and is not monitored.
187 Acct-Class-In-Octets-64 No Yes No String. The actual inbound class traffic usage. Zero or more Acct-Class-In-Octets-64 and Acct-Class-Out-Octets-64 VSA pairs can be sent in an Acct-Request packet. The syntax for the Acct-Class-In-Octets-64 string is class-name count, where:
class-name: Class name for which traffic volume counts are sent.
count: 64-bit count of the traffic volume, in KB, for inbound traffic.
For more information about specifying the traffic volume limit associated with a specific class when a subscriber session is initiated, see Redback VSA 186, Class-Traffic-Limit.
188 Acct-Class-Out-Octets-64 No Yes No String. The actual outbound class traffic usage. Zero or more Acct-Class-In-Octets-64 and Acct-Class-Out-Octets-64 VSA pairs can be sent in an Acct-Request packet. The syntax for the Acct-Class-Out-Octets-64 string is class-name count, where:
class-name: Class name for which traffic volume counts are sent.
count: 64-bit count of the traffic volume, in KB, for outbound traffic.
For more information about specifying the traffic volume limit associated with a specific class when a subscriber session is initiated, see Redback VSA 186, Class-Traffic-Limit.
189 Flow_FAC_Profile No Yes No String. Specifies the name of a Flow Admission-Control profile. This attribute applies flow admission control on the circuit of the configured subscriber.
The Flow_FAC_Profile attribute can only be configured under a subscriber profile.
190 Service-Name No Yes Yes String. The name of the service to be activated, together with the following optional fields:
:service-id: Used when there is more than one instance of the same service.
service-parameter: Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. You can also specify service parameters in VSA 192. See VSA 192 for formatting details.
191 Service-Options No No Yes Integer. Specifies whether or not accounting is enabled for service management:
ACCT-DISABLED = 0x00
ACCT-ENABLED = 0x01
192 Service-Parameter No Yes Yes String. Service parameters for a service that is specified in VSA 190, formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. If a parameter needs an array, the values in the array are separated by commas (,) with no space between the value and the comma. If the value is a string that includes either spaces or commas, enclose the string in double quotes (" ").
193 Service-Error-Cause No Yes No Integer. Specifies a service management error according to one of the following values:
0 = Service success
401 = Unsupported attribute
402 = Missing attribute
404 = Invalid request
506 = Resource unavailable
550 = Generic service error
551 = Service not found
552 = Service already active
553 = Service accounting disabled
554 = Service duplicate parameter
If the RADIUS server does not support this VSA, the 550, 551, 552, 553, and 554 error codes can be mapped to the standard Error-Cause attribute value 550 (other proxy processing error).
194 Deactivate-Service-Name No No No String. The service profile name of the service to be deactivated, together with the following optional fields:
:service-id: Used when there is more than one instance of the same service.
service-parameter: Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces.
195 QoS-Overhead No Yes Yes String. Attaches a QoS overhead profile to the subscriber session. If the overhead profile is defined in the RADIUS record of the subscriber, the subscriber has the specified overhead profile when the subscriber session comes up.
196 Dynamic-QoS-Param No No Yes String. The format varies by QoS parameter. For more information, see the VSA 196 Format section.
Zero or more Dynamic-QoS-Param VSAs can be sent in an Access-Accept or CoA-Request packet to the SmartEdge router.
199 Double_Authentication No No Yes Integer. The integer value is 1. Indicates that the
session needs one more authentication. It is valid
only if it is received from a global access response.
201 DHCP-Field Yes Yes No Binary. Identifies a standard DHCP client field.
This generic VSA is used to identify standard DHCP
client fields that must be sent in RADIUS
authentication or accounting requests. To
distinguish each supported DHCP client field, a
unique dhcp-sub-field field is used within this VSA
to indicate a specific value that corresponds to a
specific DHCP client field. Currently, this VSA
supports only dhcp-sub-field field of type 1, the
giaddr or gateway address field. A RADIUS server
uses the gateway address field to provide static
routes to clients based on this address.
202 DHCP-Option Yes Yes No Binary. Identifies a DHCP client option.
This VSA is a generic VSA, which is used to identify
various supported DHCP client options that must be
sent in RADIUS authentication or accounting
requests. To distinguish each supported DHCP
client option, a unique dhcp-sub-type field is used
within this VSA to indicate a specific value that
corresponds to a specific DHCP option. Currently,
this VSA supports DHCP options 12 (hostname), 61
(client identifier), and 77 (user class).
Redback VSAs in CoA and Disconnect Messages
Table A-8 lists the Redback VSAs that can appear in CoA-Request, CoA-Response, Disconnect-Request, and Disconnect-Response messages. For details about these attributes, see Table A-7.
204 Reauth-Service-Name No No No String. The name of the service to be reauthorized, together with the optional field of service-parameter. Parameters are formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. The service name and service parameters are separated by spaces. For example:
Reauth-Service-Name = voip_service inLimit=1000 timeout=10
This VSA is used to provide dynamic reauthorization of the RADIUS service attributes of an RSE service without bringing the associated service down. The following are the supported RADIUS service attributes:
Service-Interim-Accounting
Service-Timeout
Service-Volume-Limit
For more information about these attributes, see the section Service Attributes Supported by the SmartEdge OS.
If not all reauthorizable service parameters fit in VSA 204 because of the limit on the number of characters you can use in this VSA, you can use Redback VSA 192, Service-Parameter, to carry the additional service parameters. You can also configure VSA 204 to carry only the service name and VSA 192 to carry all the service parameters. See VSA 192 for formatting details.
If you are using VSA 192 with VSA 204, use a RADIUS attribute tag to correlate this VSA with VSA 204. The tag is an arbitrary number you assign to both VSAs. For example:
Reauth-Service-Name:2 = voip_service
Service-Parameter:2 = timeout=1 inLimit=777 outLimit=1000
In the above example, 2 is the RADIUS attribute tag assigned to both VSAs.
Note: If a CoA-Request message is to include more than one set of associated VSAs that are tagged with RADIUS attribute tags, and there exists among these sets at least one common VSA, ensure that the RADIUS attribute tag you assign to each set is unique. Ensuring the uniqueness of each tag allows the SmartEdge OS to successfully process the CoA-Request message.
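The Class-Traffic-Limit (VSA 186) strings of an Access-Accept and the Acct-Class-In-Octets-64 / Acct-Class-Out-Octets-64 (VSA 187/188) counters of an Acct-Request, parsed and compared, as an added Python example that is not SmartEdge OS code. The function names, the (direction, class-name) keying, the choice that a later VSA 186 for the same direction and class overrides an earlier one, and the sample VSA strings are this example's own assumptions; the default-to-outbound rule, the 0 = unlimited and unmonitored rule, and the "no counters, no effect on the traffic" behaviour are taken from the VSA descriptions above.

```python
"""Evaluate Redback Class-Traffic-Limit (VSA 186) limits against the per-class usage
reported in Acct-Class-In-Octets-64 (VSA 187) and Acct-Class-Out-Octets-64 (VSA 188).

Added example; the function names are hypothetical, not SmartEdge OS code."""


def parse_class_traffic_limit(value):
    """Parse one VSA 186 string '[in: | out:] class-name limit'.

    Returns (direction, class_name, limit_kb). The direction defaults to 'out'
    when the optional prefix is absent, as the VSA description states.
    """
    parts = value.split()
    direction = "out"
    if parts and parts[0] in ("in:", "out:"):
        direction = parts.pop(0)[:-1]
    if len(parts) != 2 or not parts[1].isdigit():
        raise ValueError(f"malformed Class-Traffic-Limit value: {value!r}")
    return direction, parts[0], int(parts[1])


def parse_class_octets(value):
    """Parse one VSA 187/188 string 'class-name count' into (class_name, count_kb)."""
    parts = value.split()
    if len(parts) != 2 or not parts[1].isdigit():
        raise ValueError(f"malformed Acct-Class-*-Octets-64 value: {value!r}")
    return parts[0], int(parts[1])


def collect_limits(vsa186_values):
    """Map (direction, class_name) -> limit_kb from the VSA 186 strings of an Access-Accept.

    Assumption for this example: a later VSA for the same direction and class overrides an earlier one.
    """
    limits = {}
    for value in vsa186_values:
        direction, class_name, limit_kb = parse_class_traffic_limit(value)
        limits[(direction, class_name)] = limit_kb
    return limits


def classes_over_limit(limits, vsa187_values, vsa188_values):
    """Return the sorted (direction, class_name) pairs whose reported usage has reached its limit.

    A limit of 0 means unlimited and unmonitored, so it never trips. A limited class for
    which the Acct-Request carries no counter (no counters in the metering or policing
    policy) counts as zero usage, matching the 'no effect on the traffic' behaviour.
    """
    usage = {}
    for value in vsa187_values:
        class_name, count_kb = parse_class_octets(value)
        usage[("in", class_name)] = count_kb
    for value in vsa188_values:
        class_name, count_kb = parse_class_octets(value)
        usage[("out", class_name)] = count_kb
    tripped = [key for key, limit_kb in limits.items()
               if limit_kb != 0 and usage.get(key, 0) >= limit_kb]
    return sorted(tripped)


# Constructed sample data, not taken from a real RADIUS exchange.
ACCESS_ACCEPT_VSA186 = ["video 5000", "in: video 2000", "out: voip 0"]
ACCT_REQUEST_VSA187 = ["video 2048", "voip 150"]       # inbound KB per class
ACCT_REQUEST_VSA188 = ["video 4000", "voip 900000"]    # outbound KB per class


def demo():
    """Limits from the sample Access-Accept checked against the sample Acct-Request counters."""
    limits = collect_limits(ACCESS_ACCEPT_VSA186)
    return classes_over_limit(limits, ACCT_REQUEST_VSA187, ACCT_REQUEST_VSA188)


if __name__ == "__main__":
    print(demo())  # [('in', 'video')]
```

Run directly, the sample trips only the inbound video limit: 2048 KB has reached the 2000 KB limit, the outbound video usage (4000 KB) is still below its 5000 KB limit, and the voip limit of 0 is not monitored at all.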
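A tokenizer for the VSA 192 Service-Parameter value format (equals-separated pairs, comma arrays, double-quoted strings that contain spaces or commas) and the tag correlation between Reauth-Service-Name (VSA 204) and Service-Parameter (VSA 192) within one CoA-Request, as an added Python example, not SmartEdge OS code. The (attribute, tag, value) tuple shape used for decoded attributes, the function names, the rejection of a tagged Service-Parameter that has no matching Reauth-Service-Name, and the sample CoA contents are assumptions made for this example; the duplicate-parameter rejection mirrors Service-Error-Cause 554 and the tag-uniqueness check mirrors the note above.

```python
"""Tokenize Redback Service-Parameter (VSA 192) strings and correlate tagged
Reauth-Service-Name (VSA 204) / Service-Parameter pairs in a CoA-Request.

Added example; function names and the (attribute, tag, value) shape are assumptions."""
import re

# name=value, where the value is either a double-quoted string (spaces and commas kept
# literally) or a bare token (commas separate array elements, no spaces allowed).
_PAIR = re.compile(r'\s*([A-Za-z0-9_.-]+)=(?:"([^"]*)"|([^\s"]*))')


def parse_service_parameters(text):
    """Parse 'name=value name2=a,b name3="x, y"' into a dict.

    Bare values containing commas become lists. A repeated name raises, which is the
    condition the SmartEdge OS reports as Service-Error-Cause 554 (duplicate parameter).
    """
    params, pos = {}, 0
    while pos < len(text):
        if not text[pos:].strip():
            break
        match = _PAIR.match(text, pos)
        if match is None:
            raise ValueError(f"malformed service parameter near {text[pos:]!r}")
        name, quoted, bare = match.groups()
        if quoted is not None:
            value = quoted
        elif "," in bare:
            value = bare.split(",")
        else:
            value = bare
        if name in params:
            raise ValueError(f"duplicate service parameter {name!r}")
        params[name] = value
        pos = match.end()
    return params


def parse_service_name(text):
    """Parse a VSA 190/204 value 'service-name[:service-id] [name=value ...]'."""
    head, _, rest = text.strip().partition(" ")
    name, _, service_id = head.partition(":")
    if not name:
        raise ValueError(f"missing service name in {text!r}")
    return {"service": name, "id": service_id or None, "params": parse_service_parameters(rest)}


def correlate_reauth(coa_attributes):
    """Merge tagged VSA 204 and VSA 192 attributes of one CoA-Request, keyed by tag.

    coa_attributes is an iterable of (attribute_name, tag, value). Two Reauth-Service-Name
    attributes sharing a tag, or a tagged Service-Parameter with no Reauth-Service-Name to
    attach to, are rejected (this example's reading of the tag-uniqueness note).
    """
    services, extra = {}, {}
    for attribute, tag, value in coa_attributes:
        if attribute == "Reauth-Service-Name":
            if tag in services:
                raise ValueError(f"tag {tag} is used by more than one Reauth-Service-Name")
            services[tag] = parse_service_name(value)
        elif attribute == "Service-Parameter":
            extra.setdefault(tag, []).append(value)
    for tag, values in extra.items():
        if tag not in services:
            raise ValueError(f"Service-Parameter tag {tag} has no Reauth-Service-Name")
        for value in values:
            for name, param in parse_service_parameters(value).items():
                if name in services[tag]["params"]:
                    raise ValueError(f"duplicate service parameter {name!r} for tag {tag}")
                services[tag]["params"][name] = param
    return services


# Constructed CoA-Request contents; the first pair mirrors the tagged example in the VSA 204 description.
COA_REQUEST = [
    ("Reauth-Service-Name", 2, "voip_service"),
    ("Service-Parameter", 2, "timeout=1 inLimit=777 outLimit=1000"),
    ("Reauth-Service-Name", 5, "video_service:2 codecs=h264,vp8"),
    ("Service-Parameter", 5, 'label="gold tier, east"'),
]

if __name__ == "__main__":
    for tag, service in correlate_reauth(COA_REQUEST).items():
        print(tag, service)
```

The quoted-string rule matters for the comma array: `codecs=h264,vp8` becomes a two-element list, while `label="gold tier, east"` stays one string because the quotes suppress both the space and the comma as separators.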
Table A-8 Redback VSAs in CoA and Disconnect Messages
# VSA Name | Sent in CoA-Request | Sent in CoA-Response | Sent in Disconnect-Request | Sent in Disconnect-Response | Notes
4 Context_Name Yes No Yes No
33 Mcast_Send Yes No No No
34 Mcast_Receive Yes No No No
35 Mcast_MaxGroups Yes No No No
87 Qos-Policy-Policing Yes Yes
88 Qos-Policy-Metering Yes Yes
89 Qos-Policy-Queuing Yes Yes
90 IGMP_Service_Profile Yes No No No
92 Forward-Policy Yes No No No
94 Reauth_String Yes No No No
95 Reauth_More Yes No No No
96 RBN_Agent_Remote_ID Yes No Yes No
97 RBN_Agent_Circuit_ID Yes No Yes No
101 Shaping_Profile_Name Yes No No No
102 Bridge_Profile Yes No No No
105 Nat_Policy_Name Yes No No No
107 HTTP_Redirect_Profile_Name Yes No No No
112 OS_Version Yes No No No
113 Session_Traffic_Limit Yes No No No
114 Qos_Reference Yes No No No
156 Qos_Rate_Inbound Yes No No No
157 Qos_Rate_Outbound Yes No No No
159 LI_Id Yes No No No
160 LI_Md_Address Yes No No No
161 LI_Md_Port Yes No No No
162 LI_Action Yes No No No
163 LI_Profile Yes No No No
164 Dynamic-Policy-Filter Yes No No No
165 HTTP-Redirect-URL Yes No No No
186 Class_Traffic_Limit Yes No No No
189 Flow_FAC_Profile Yes No No No
190 Service-Name Yes Yes No No
191 Service-Options Yes No No No
192 Service-Parameter Yes No No No
193 Service-Error-Cause No Yes No No
194 Deactivate-Service-Name Yes Yes No No
196 Dynamic-QoS-Param Yes No No No
204 Reauth-Service-Name Yes Yes No No

Redback VSAs That Can Be Reauthorized
Table A-9 lists the Redback VSAs that are reauthorized when you enter the reauthorize command (in exec mode). For details about these VSAs, see Table A-7.
Table A-9 Redback VSAs Supported by Reauthorization
# VSA Name Description
33 Mcast-Send Defines whether the subscriber can send multicast packets.
34 Mcast-Receive Defines whether the subscriber can receive multicast packets.
35 Mcast-MaxGroups Specifies the maximum number of multicast groups of which the subscriber can be a member.
87 QoS-Policy-Policing Attaches a QoS policing policy to the subscriber session.
88 QoS-Policy-Metering Attaches a QoS metering policy to the subscriber session.
89 QoS-Policy-Queuing Attaches a QoS queuing service profile to the subscriber session.
90 Igmp-Service-Profile Applies an IGMP service profile to the subscriber session.
92 Forward-Policy Attaches an in or out forward policy to the subscriber session.
101 Shaping-Profile-Name Indicates the name of the ATM shaping profile.
102 Bridge-Profile-Name Indicates the name of the bridge profile.
105 Nat_Policy_Name Indicates the NAT policy name. Attaches the specified NAT policy to a subscriber.
107 HTTP-Redirect-Profile-Name Indicates the name of the HTTP redirect profile.
113 Session-Traffic-Limit Specifies that inbound, outbound, or aggregated traffic be limited.
114 Qos_Reference Specifies the node name, node-name index, group name, and group-name index.
A colon (:) separates the node-name index from the group name.
156 Qos_Rate_Inbound Changes the inbound QoS rate; changing the excess burst rate is optional.
157 Qos_Rate_Outbound Changes the outbound QoS rate; changing the excess burst rate is optional.
159 LI_Id For lawful intercept, identifies the intercepted target session. The mediation device enforces
the fact that this attribute is unique for all intercepted sessions. This field can be salt encrypted.
160 LI_Md_Address For lawful intercept, specifies the IP address of the mediation device that receives the
duplicated data. The IP address cannot be 255.255.255.255 or 0.0.0.0. This field can be salt
encrypted.
161 LI_Md_Port For lawful intercept, specifies the User Datagram Protocol (UDP) port number of the mediation device that receives the duplicated data. This field can be salt encrypted.
162 LI_Action For lawful intercept, specifies one of the following intercept actions:
0: Stop interception of a session.
1: Start interception of a session.
2: Take no action; a dummy interception is ignored. Check to see if a subscriber is logged on.
163 LI_Profile For lawful intercept, specifies the name of the LI profile configured on the SmartEdge OS. This field can be salt encrypted.
164 Dynamic_Policy_Filter Specifies a class rule for a dynamic policy ACL; see the VSA 164 Format section.
165 HTTP_Redirect_URL Specifies the URL to which the SmartEdge OS redirects HTTP requests.
186 Class-Traffic-Limit Specifies a traffic volume limit associated with a specific class when a subscriber session is initiated.
189 Flow_FAC_Profile Specifies the Flow Admission-Control profile applied to the subscriber circuit.
190 Service_Name Carries the service name and parameters required to activate the service.
191 Service_Options Carries the service action, which indicates the action that the SmartEdge router should perform. The enumerated types for this attribute are:
a) ACTIVATE-ENABLED = 0x01
b) ACTIVATE-DISABLED = 0x00
192 Service_Parameter Carries the parameters required to activate the service.
194 Deactivate_Service_Name Carries the service profile name of the service to be deactivated.
195 Qos_Overhead Attaches a QoS overhead profile to the subscriber session.
196 Dynamic_QoS_Param Parameterizes QoS policies; see the VSA 196 Format section.
204 Reauth-Service-Name Carries the service name and parameters required to reauthorize the named service.

VSA 164 Format
VSA 164 has the following format:
ip dir action [dstip n.n.n.n[/nn]] [srcip n.n.n.n[/nn]] [{dscp dscp-value | tos tos-value tos-mask}] [protocol [dstport dst-op dst-port] [srcport src-op src-port] [est]] class class-name service
The keywords and arguments for VSA 164 follow.
ip Specifies that the filter applies to IP packets.
dir Specifies the direction of the traffic with one of the following keywords:
in: Traffic is inbound to the SmartEdge router.
out: Traffic is outbound from the SmartEdge router.
forward Specifies the filter action.
dstip n.n.n.n[/nn] Optional. Destination IP address and netmask. The range of values for the netmask is 0 to 32.
srcip n.n.n.n[/nn] Optional. Source IP address and netmask. The range of values for the netmask is 0 to 32.
dscp dscp-value Optional. Differentiated Services Code Point (DSCP) value that the packet must have to be considered a match. The value is decimal 0 to 63, a hexadecimal value listed in Table A-12, or one of the keywords listed in Table A-12.
tos tos-value tos-mask Optional. Type of service (ToS) value that the packet must have to be considered a match. The range of values for the tos-value argument is decimal 0 to 255 or the hexadecimal equivalent, but only certain values are allowed. The tos-mask argument identifies the group of bits in the IP ToS byte; see Table A-13.
protocol Optional. Protocol, according to one of the following keywords:
icmp: Internet Control Message Protocol (ICMP)
tcp: Transmission Control Protocol (TCP)
udp: User Datagram Protocol (UDP)
ospf: Open Shortest Path First (OSPF) protocol
dstport dst-op dst-port Optional. Comparison operation and port name or number for the destination port. Table A-10 lists the keywords for the comparison operation (the dst-op argument). For the dst-port argument, you can specify either a port name or a port number. Table A-11 lists the keywords for the port name. The range of values for the port number is 1 to 1,023.
srcport src-op src-port Optional. Comparison operation and port name or number for the source port. Table A-10 lists the keywords for the comparison operation (the src-op argument). For the src-port argument, you can specify either a port name or a port number. Table A-11 lists the keywords for the port name. The range of values for the port number is 1 to 1,023.
est Optional. TCP established. This keyword is valid only if you specify the tcp keyword for the protocol.
class class-name Class name. The format is a string of 1 to 39 case-sensitive printable characters.
service Type of service policy, according to one of the following keywords:
fwd: Forward policy
nat: Network Address Translation (NAT) policy
qos: Quality of service (QoS) policy (either metering or policing)
Table A-10 lists the keyword operators for the dst-op and src-op arguments.
Table A-10 Keyword Operators for Comparison Operations
Operator Description
< Port number is less than the specified port number.
= Port name or number matches the specified port name or number.
> Port number is greater than the specified port number.
!= Port name or number does not match the specified port name or number.
Table A-11 lists the keywords for the dst-port and src-port arguments in alphabetical order.
Table A-12 lists the keyword and hexadecimal value substitutions for the dscp-value argument.
Table A-11 Keywords for Destination and Source Port Numbers and Names
Port Name Description
cmd 514/udp; shell command
domain 53/udp, 53/tcp; Domain Name Server
exec 512/tcp; remote process execution
finger 79/udp, 79/tcp; Finger
ftp 21/udp, 21/tcp; FTP
ftp-data 20/udp, 20/tcp; FTP default data
gopher 70/udp, 70/tcp; Gopher
hostname 101/udp, 101/tcp; NIC Host Name Server
kerberos 88/udp, 88/tcp; Kerberos
login 513/tcp; remote login, such as Telnet
nameserver 42/udp, 42/tcp; Host Name Server
nntp 119/udp, 119/tcp; NNTP
ntp 123/tcp, 123/udp; NTP
smtp 25/udp; SMTP
talk 517/udp; similar to a tenex link, but across machine; does not use link protocol; a rendezvous port
from which a tcp connection is established
telnet 23/udp; Telnet
tftp 69/udp; TFTP
www 80/udp, 80/tcp; World Wide Web HTTP
Table A-12 Keyword and Hexadecimal Substitutions for the dscp-value Argument
Keyword Hexadecimal Value Definition
af11 0x0a Assured Forwarding, Class 1/Drop precedence 1
af12 0x0c Assured Forwarding, Class 1/Drop precedence 2
af13 0x0e Assured Forwarding, Class 1/Drop precedence 3
af21 0x12 Assured Forwarding, Class 2/Drop precedence 1
af22 0x14 Assured Forwarding, Class 2/Drop precedence 2
af23 0x16 Assured Forwarding, Class 2/Drop precedence 3
af31 0x1a Assured Forwarding, Class 3/Drop precedence 1
af32 0x1c Assured Forwarding, Class 3/Drop precedence 2
af33 0x1e Assured Forwarding, Class 3/Drop precedence 3
af41 0x22 Assured Forwarding, Class 4/Drop precedence 1
af42 0x24 Assured Forwarding, Class 4/Drop precedence 2
af43 0x26 Assured Forwarding, Class 4/Drop precedence 3
cs0 0x00 Class selector 0
cs1 0x08 Class selector 1
cs2 0x10 Class selector 2
cs3 0x18 Class selector 3
cs4 0x20 Class selector 4
cs5 0x28 Class selector 5
cs6 0x30 Class selector 6
cs7 0x38 Class selector 7
df 0x00 Default Forwarding (alternative to cs0)
ef 0x2e Expedited Forwarding
prec1 0x08 Precedence selector 1 (alternative to cs1)
prec2 0x10 Precedence selector 2 (alternative to cs2)
prec3 0x18 Precedence selector 3 (alternative to cs3)
prec4 0x20 Precedence selector 4 (alternative to cs4)
prec5 0x28 Precedence selector 5 (alternative to cs5)
prec6 0x30 Precedence selector 6 (alternative to cs6)
prec7 0x38 Precedence selector 7 (alternative to cs7)
Table A-13 lists the definitions for the groups of bits in the IP ToS byte and the value for the tos-mask argument for each group. ToS values must correspond to the ToS mask so that the value does not have any bits outside the range of the mask.
Table A-13 ToS Mask Group Definitions
ToS Group Bit Range Decimal Value Hexadecimal Value
Flags 1 to 4 30 0x1E
Precedence 5 to 7 224 0xE0
Combined 1 to 7 254 0xFE
DSCP 2 to 7 252 0xFC
If you specify either the dscp dscp-value or the tos tos-value tos-mask construct in the VSA, you must specify the construct before you specify any protocol-related options (protocol argument, class keyword).
To display the definition of this VSA, use the show subscribers command with the active keyword (in any mode) or the show access-group command (in any mode). For more information about the show subscribers command, see the Subscriber Operations chapter in the Basic System Operations Guide for the SmartEdge OS. For more information about the show access-group command, see the ACL Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
Matching criteria consist of Layer 3 and Layer 4 parameters. All parameters are optional; if you omit a parameter, the parameter has the value any, which means that any packet matches that parameter.
You can specify Layer 4 parameters only if you specify either TCP or UDP as the protocol.
If you do not specify the netmask argument, the system uses a default netmask, which is based on the IP network class corresponding to the IP address.
You cannot specify 0.0.0.0 as an IP address.
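The VSA 164 grammar and the constraints listed above, implemented as a parser in Python; this is an added example, not SmartEdge OS code. The dict it returns, the FilterError class and the function names are its own choices; the keyword tables are copied from Tables A-10 to A-13, and the classful default netmask follows the rule stated above (an address in class D or E has no classful default, so this example requires an explicit /nn for it).

```python
"""Parse and validate a Redback VSA 164 (Dynamic-Policy-Filter) string.

Added example, not SmartEdge OS code. Enforces the VSA 164 rules stated in the text: dscp/tos before
the protocol options, port matches only with tcp or udp, est only with tcp, ports as Table A-11 names
or 1 to 1,023, ToS value bits inside the mask, classful default netmask, no 0.0.0.0. The returned dict
layout and the FilterError class are this example's own choices."""
import ipaddress

DSCP_KEYWORDS = {"af11": 0x0A, "af12": 0x0C, "af13": 0x0E, "af21": 0x12, "af22": 0x14, "af23": 0x16,
                 "af31": 0x1A, "af32": 0x1C, "af33": 0x1E, "af41": 0x22, "af42": 0x24, "af43": 0x26,
                 "df": 0x00, "ef": 0x2E}  # Table A-12
DSCP_KEYWORDS.update({f"cs{n}": n << 3 for n in range(8)})        # cs0..cs7 = class selector n
DSCP_KEYWORDS.update({f"prec{n}": n << 3 for n in range(1, 8)})   # prec1..prec7 alias cs1..cs7
TOS_MASKS = {0x1E, 0xE0, 0xFE, 0xFC}  # Table A-13: flags, precedence, combined, DSCP
PORT_NAMES = {"cmd": 514, "domain": 53, "exec": 512, "finger": 79, "ftp": 21, "ftp-data": 20,
              "gopher": 70, "hostname": 101, "kerberos": 88, "login": 513, "nameserver": 42, "nntp": 119,
              "ntp": 123, "smtp": 25, "talk": 517, "telnet": 23, "tftp": 69, "www": 80}  # Table A-11
PORT_OPS = {"<", "=", ">", "!="}  # Table A-10
PROTOCOLS = {"icmp", "tcp", "udp", "ospf"}
SERVICES = {"fwd", "nat", "qos"}


class FilterError(ValueError):
    """Raised for a VSA 164 string that the rules above reject."""


def _number(text):
    """Decimal or 0x-prefixed hexadecimal, as allowed for dscp-value, tos-value and tos-mask."""
    try:
        return int(text, 16 if text[:2].lower() == "0x" else 10)
    except ValueError:
        raise FilterError(f"not a number: {text!r}") from None


def _prefix(text):
    """n.n.n.n[/nn] -> IPv4Network, with the classful default mask when /nn is omitted."""
    addr, _, plen = text.partition("/")
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        raise FilterError(f"bad IP address {addr!r}") from None
    if int(ip) == 0:
        raise FilterError("0.0.0.0 is not allowed as an IP address")
    first = int(ip) >> 24  # classful default: A /8, B /16, C /24; D and E have none (-1 fails below)
    length = _number(plen) if plen else 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else -1
    if not 0 <= length <= 32:
        raise FilterError(f"netmask for {text!r} must be 0 to 32 (class D/E addresses need an explicit /nn)")
    return ipaddress.IPv4Network((str(ip), length), strict=False)


def _port_match(op, port):
    if op not in PORT_OPS:
        raise FilterError(f"bad port operator {op!r}")
    if port in PORT_NAMES:
        return op, PORT_NAMES[port]
    if port.isdigit() and 1 <= int(port) <= 1023:
        return op, int(port)
    raise FilterError(f"port must be a Table A-11 name or 1 to 1,023, got {port!r}")


def parse_vsa164(text):
    """Return the matching rule as a dict, or raise FilterError."""
    tok = text.split()
    if len(tok) < 6 or tok[0] != "ip" or tok[1] not in ("in", "out") or tok[2] != "forward" or tok[-3] != "class":
        raise FilterError("expected 'ip {in|out} forward ... class class-name service'")
    class_name, service = tok[-2], tok[-1]
    if not 1 <= len(class_name) <= 39 or not class_name.isprintable():
        raise FilterError(f"class name must be 1 to 39 printable characters: {class_name!r}")
    if service not in SERVICES:
        raise FilterError(f"service must be fwd, nat or qos, got {service!r}")
    rule = {"dir": tok[1], "action": "forward", "dstip": None, "srcip": None, "dscp": None, "tos": None,
            "protocol": None, "dstport": None, "srcport": None, "est": False, "class": class_name, "service": service}
    body, i = tok[3:-3], 0

    def args(n):  # the n tokens after body[i], all of which must be present
        if i + n >= len(body):
            raise FilterError(f"missing argument after {body[i]!r}")
        return body[i + 1:i + 1 + n]

    for key in ("dstip", "srcip"):
        if i < len(body) and body[i] == key:
            rule[key] = _prefix(args(1)[0])
            i += 2
    if i < len(body) and body[i] == "dscp":
        value = args(1)[0]
        rule["dscp"] = DSCP_KEYWORDS[value] if value in DSCP_KEYWORDS else _number(value)
        if not 0 <= rule["dscp"] <= 63:
            raise FilterError(f"dscp value {value} is outside 0 to 63")
        i += 2
    elif i < len(body) and body[i] == "tos":
        value, mask = (_number(t) for t in args(2))
        if mask not in TOS_MASKS or not 0 <= value <= 255 or value & ~mask:
            raise FilterError(f"tos {value:#x} mask {mask:#x}: use a Table A-13 mask with no value bits outside it")
        rule["tos"] = (value, mask)
        i += 3
    if i < len(body) and body[i] in PROTOCOLS:
        rule["protocol"] = body[i]
        i += 1
        for key in ("dstport", "srcport"):
            if i < len(body) and body[i] == key:
                if rule["protocol"] not in ("tcp", "udp"):
                    raise FilterError("Layer 4 port matches are valid only with tcp or udp")
                rule[key] = _port_match(*args(2))
                i += 3
        if i < len(body) and body[i] == "est":
            if rule["protocol"] != "tcp":
                raise FilterError("est is valid only with tcp")
            rule["est"] = True
            i += 1
    if i != len(body):
        raise FilterError(f"unexpected {body[i]!r}: dscp/tos go before the protocol, port options after it")
    return rule
```

The ordering rule (dscp or tos before the protocol) falls out of the parser structure rather than a separate check: the optional blocks are consumed in the order the syntax line gives them, so a dscp or tos that appears after the protocol is left over and reported as unexpected.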
VSA 196 Format
VSA 196 has the following format:
attribute [flag]
attribute Specifies one of the following dynamic quality of service (QoS) parameters:
fwd-in-access-group group-name
meter-class-burst class-name burst-bytes
meter-class-conform class-name {mark-dscp | mark-precedence | mark-priority |
no-action}
meter-class-exceed class-name {mark-dscp | mark-precedence | mark-priority |
drop-qos-priority-group | drop-all | no-action}
meter-class-excess-burst class-name excess-burst-bytes
meter-class-mark class-name {mark-dscp | mark-precedence | mark-priority}
meter-class-rate class-name {rate-absolute kbps | rate-percentage percentage}
meter-class-violate class-name {mark-dscp | mark-precedence | mark-priority |
drop-all | no-action}
police-class-burst class-name burst-bytes
police-class-conform class-name {mark-dscp | mark-precedence | mark-priority |
no-action}
police-class-exceed class-name {mark-dscp | mark-precedence | mark-priority |
drop-qos-priority-group | drop-all | no-action}
police-class-excess-burst class-name excess-burst-bytes
police-class-mark class-name {mark-dscp | mark-precedence | mark-priority}
police-class-rate class-name {rate-absolute kbps | rate-percentage percentage}
police-class-violate class-name {mark-dscp | mark-precedence | mark-priority |
drop-all | no-action}
pwfq-priority-group-rate group-num {rate-absolute kbps | rate-percentage
percentage}
pwfq-queue-priority queue-num {priority-group | weight-value}
pwfq-queue-weight queue-num weight-value
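The attribute [flag] format above applied to a per-subscriber table of dynamic QoS overrides, as an added Python example that is not SmartEdge OS code. It validates each attribute keyword against the argument shapes in the list above and treats the remove flag as reverting that parameter to the policy default by deleting the override. The override table and its tuple keys, accepting "attribute remove" with or without the value tokens, the range check on rate-percentage, and treating removal of a parameter that was never set as a no-op are this example's assumptions.

```python
"""Validate Redback VSA 196 (Dynamic-QoS-Param) strings and apply them, including the
optional 'remove' flag, to a per-subscriber table of dynamic QoS overrides.

Added example, not SmartEdge OS code; the override table and value encodings are assumptions."""
MARKS = {"mark-dscp", "mark-precedence", "mark-priority"}
RATE_KINDS = ("rate-absolute", "rate-percentage")

# keyword -> (number of identifying tokens after the keyword, value specification), taken from
# the VSA 196 attribute list. A specification is a set of allowed keywords, "int", "rate" or "token".
SPEC = {
    "fwd-in-access-group": (0, "token"),
    "pwfq-priority-group-rate": (1, "rate"),
    "pwfq-queue-priority": (1, "token"),
    "pwfq-queue-weight": (1, "int"),
}
for _kind in ("meter", "police"):
    SPEC.update({
        f"{_kind}-class-burst": (1, "int"),
        f"{_kind}-class-excess-burst": (1, "int"),
        f"{_kind}-class-rate": (1, "rate"),
        f"{_kind}-class-mark": (1, MARKS),
        f"{_kind}-class-conform": (1, MARKS | {"no-action"}),
        f"{_kind}-class-exceed": (1, MARKS | {"drop-qos-priority-group", "drop-all", "no-action"}),
        f"{_kind}-class-violate": (1, MARKS | {"drop-all", "no-action"}),
    })


def _value(spec, tokens, keyword):
    """Check the value tokens of one attribute against its specification and decode them."""
    if spec == "rate":
        if len(tokens) != 2 or tokens[0] not in RATE_KINDS or not tokens[1].isdigit():
            raise ValueError(f"{keyword}: expected rate-absolute kbps or rate-percentage percentage")
        if tokens[0] == "rate-percentage" and not 0 <= int(tokens[1]) <= 100:
            raise ValueError(f"{keyword}: percentage out of range")
        return tokens[0], int(tokens[1])
    if len(tokens) != 1:
        raise ValueError(f"{keyword}: expected exactly one value")
    if spec == "int":
        if not tokens[0].isdigit():
            raise ValueError(f"{keyword}: expected an integer")
        return int(tokens[0])
    if isinstance(spec, set) and tokens[0] not in spec:
        raise ValueError(f"{keyword}: value must be one of {sorted(spec)}")
    return tokens[0]


def parse_vsa196(text):
    """Return (key, value, remove) for one 'attribute [remove]' string; key = (keyword, identifiers...)."""
    tokens = text.split()
    if not tokens or tokens[0] not in SPEC:
        raise ValueError(f"unknown Dynamic-QoS-Param attribute in {text!r}")
    keyword = tokens[0]
    arity, spec = SPEC[keyword]
    remove = tokens[-1] == "remove"
    if remove:
        tokens = tokens[:-1]
    ids, values = tokens[1:1 + arity], tokens[1 + arity:]
    if len(ids) != arity:
        raise ValueError(f"{keyword}: missing class, group or queue identifier")
    key = (keyword, *ids)
    if remove and not values:  # 'attribute remove' with the value omitted (assumed acceptable)
        return key, None, True
    return key, _value(spec, values, keyword), remove


def apply_dynamic_qos(overrides, vsa196_values):
    """Apply VSA 196 strings in order; 'remove' deletes the override so the policy default applies again."""
    for text in vsa196_values:
        key, value, remove = parse_vsa196(text)
        if remove:
            overrides.pop(key, None)  # never set: already at the default, nothing to revert
        else:
            overrides[key] = value
    return overrides


# Constructed CoA-Request contents, not from a real exchange.
COA_VSA196 = [
    "meter-class-rate video rate-absolute 4000",
    "police-class-exceed voip drop-all",
    "pwfq-priority-group-rate 1 rate-percentage 40",
    "meter-class-rate video remove",
]

if __name__ == "__main__":
    print(apply_dynamic_qos({}, COA_VSA196))
```

In the sample the video meter rate is set and then removed within the same CoA-Request, so the resulting table holds only the voip exceed action and the priority-group rate.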
flag Optional. Enter the remove keyword to remove a dynamic parameter and revert the QoS parameter to the default value.
The description of the policy refresh command (in exec mode) provides more information on this VSA; for details, see the AAA Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.

Redback VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels
Remote Authentication Dial-In User Service (RADIUS) supports circuit creation on demand (CCOD) multiencapsulated permanent virtual circuits (PVCs) in 802.1Q tunnels. Multiencapsulated CCOD is used in a typical scenario in which some subscribers have high-speed Internet service only while others have voice over IP (VoIP) or Video-on-Demand (VoD) and optionally high-speed Internet. When the SmartEdge router receives a subscriber request for service, it queries the RADIUS server. The RADIUS server returns an authorization that informs the SmartEdge router about which type of C-VLAN (customer VLAN) encapsulation to provision:
For customers subscribed to high-speed Internet services only, RADIUS authorizes the creation of a PPPoE-encapsulated 802.1Q PVC only.
For customers subscribed to high-speed Internet services who also have VoIP, VoD, or both, RADIUS authorizes an on-demand multiencapsulated 802.1Q PVC and a static PPPoE-encapsulated 802.1Q PVC.
Table A-14 and Table A-15 list the Redback VSAs that provide support for multiencapsulated CCOD 802.1Q PVCs. For details about these VSAs, see Table A-7.
If the C-VLAN encapsulation type is PPPoE, the Redback VSAs supported in the Access-Accept message are listed in the following table:
Table A-14 Redback VSAs Supported in PPPoE-Encapsulated 802.1Q PVCs
# VSA Name
39 PVC-Encapsulation-Type
40 PVC-Profile-Name
42 Bind-Type
43 Bind-Auth-Protocol
44 Bind-Auth-Max-Sessions
46 Bind-Auth-Context
89 Qos-Policy-Queuing
97 Agent-Circuit-Id
195 QoS-Overhead
If the C-VLAN encapsulation type is multi, the Redback VSAs supported in the Access-Accept message are listed in the following table:
Table A-15 Redback VSAs Supported in Multiencapsulated PVCs in 802.1Q Tunnels
# VSA Name
39 PVC-Encapsulation-Type
40 PVC-Profile-Name
42 Bind-Type
43 Bind-Auth-Protocol
44 Bind-Auth-Max-Sessions
46 Bind-Auth-Context
89 Qos-Policy-Queuing
97 Agent-Circuit-Id
108 Bind-Auto-Sub-User
109 Bind-Auto-Sub-Context
110 Bind-Auto-Sub-Password
111 Circuit-Protocol-Encap
195 QoS-Overhead

Other VSAs Supported by the SmartEdge OS
Table A-16 lists other VSAs that the SmartEdge OS supports. These VSAs require a vendor ID of 529.
Table A-16 Other VSAs Supported by the SmartEdge OS
# Attribute Name | Sent in Access-Request | Sent in Acct-Request | Received in Access-Response | Notes
242 Ascend-Data-Filter No Yes Yes Multivalue attribute. An Access-Accept packet contains multiple binary strings, each representing a rule in an IP access control list (ACL). The rules are interpreted in the order they are received from the RADIUS server. If the RADIUS server returns both the SmartEdge OS Filter-Id and Ascend-Data-Filter attributes for the same subscriber in the same direction, the Ascend-Data-Filter attribute is ignored, the SmartEdge OS Filter-Id attribute is applied in that direction, and an event message to that effect is logged.

Service Attributes Supported by the SmartEdge OS
Table A-17 lists the service attributes that the SmartEdge OS supports. These attributes appear in service profiles that a RADIUS server uses to specify the conditions for a subscriber session.
Table A-17 Service Attributes Supported by the SmartEdge OS
Attribute Name Notes
Service-Interim-Accounting Integer. Number of seconds after which the service accounting counters are updated. The range of values is 900 to 2,147,483,647.
Before this attribute is sent to the PPA of the SmartEdge router for processing, the value for the Service-Interim-Accounting attribute is rounded to the nearest integer that divides by 60 evenly. For example, if 925 is the value for the Service-Interim-Accounting attribute, the SmartEdge OS rounds this integer to 900, which is a value that divides by 60 evenly.
Service-Timeout Integer. Number of seconds after which a session times out. The range of values is 60 to 2,147,483,647.
Service-Volume-Limit Integer. Volume of traffic (in KB) in either the upstream or downstream direction after which a service for a subscriber session has exceeded its volume limit. The range of values is 0 through 2,147,483,647.

RADIUS Attributes Supported by Mobile IP Services
For Mobile IP services, RADIUS attributes appear in the various types of RADIUS messages, as described in the following sections:
Standard RADIUS Attributes and Mobile IP Services
3GPP2 RADIUS VSAs
3GPP2 RADIUS VSAs That Can Be Reauthorized
WiMax Forum RADIUS VSAs
WiMax Forum RADIUS VSAs in the CoA
Motorola VSAs
Standard RADIUS Attributes and Mobile IP Services
The following lists the standard Mobile IP service RADIUS attributes that are supported by the SmartEdge OS and that can appear in Access-Request, Account-Request, and Access-Response messages:
CUI
User-Name
User-Password
NAS-IP-Address
NAS-Port
Framed-IP-Address
Idle-Timeout
Message-Authenticator
NAS-Identifier
Ip-Address-Pool-Name
Acct-Status-Type
Acct-Input-Octets
Acct-Multi-Session-ID: This identifier is set to the value of the AAA-Session-ID attribute, which is generated by the AAA server after the mobile node (MN) is successfully authenticated. It is sent in the Access-Accept message, is unique for each connectivity service network (CSN), and is used to match all accounting records within a session.
Acct-Output-Octets
Acct-Session-Id
Acct-Session-Time
Acct-Input-Packets
Acct-Output-Packets
For more information about these attributes, see the Standard RADIUS Attributes in Access and Account Messages section on page A-5 and the Standard RADIUS Attributes That Can Be Reauthorized section on page A-12.
3GPP2 RADIUS VSAs
TableA-18 describes the Third Generation Partnership Project 2 (3GPP2) RADIUS VSAs used by Mobile
IP services that are supported by the SmartEdge OS and that can appear in Access-Request,
Account-Request, and Access-Response messages. Mobile IP services complies with the following 3GPP2
standard: X.S0011-001-C v3.0, cdma2000 Wireless IP Network Standard: Introduction.
3GPP2 RADIUS VSAs That Can Be Reauthorized
TableA-19 lists the 3GPP2 RADIUS VSAs used by Mobile IP services that are reauthorized when you
enter the reauthorize command (in exec mode).
Note For Mobile IP, the username is the mobile node (MN) Network Access Identifier (NAI).
Table A-18 3GPP2 RADIUS VSAs Supported by the SmartEdge OS
Columns: # | Attribute Name | Sent in Access-Request | Sent in Acct-Request | Received in Access-Response | Notes

7   Home Agent IP Address
    Sent in Access-Request: Yes. Sent in Acct-Request: Yes. Received in Access-Response: No.
    IP address of the HA.

57  MN-HA SPI
    Sent in Access-Request: Yes. Sent in Acct-Request: No. Received in Access-Response: No.
    Integer. Security Parameter Index (SPI). Sent when the SPI is changing for the mobile node (MN), along with the HA and MN shared secret key.

58  MN-HA shared secret key
    Sent in Access-Request: No. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Octet string. Shared secret key used for MN and HA authentication.

79  Foreign Agent Address
    Sent in Access-Request: No. Sent in Acct-Request: Yes. Received in Access-Response: No.
    IP address of the foreign agent (FA).
Table A-19 3GPP2 RADIUS VSAs Supported by Reauthorization
Columns: # | Attribute Name | Description

57  MN-HA SPI
    Integer. SPI. Sent when the SPI is changing for the MN, along with the HA and MN shared secret key.

58  MN-HA shared secret key
    Octet string. Shared secret key used for MN and HA authentication.

WiMax Forum RADIUS VSAs
Table A-20 lists the WiMax Forum RADIUS VSAs supported for Mobile IP and that can appear in Access-Request, Account-Request, and Access-Response messages.
Table A-20 WiMax Forum RADIUS VSAs for Mobile IP Supported by the SmartEdge OS
Columns: # | Attribute Name | Sent in Access-Request | Sent in Acct-Request | Received in Access-Response | Notes

1   WiMax-Capability
    Sent in Access-Request: Yes. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Type-length values (TLVs). Indicates the capabilities that the home agent (HA) supports, such as accounting and hotlining:
    TLV ID 1: WiMAX release
    TLV ID 2: Accounting capabilities
    TLV ID 3: Hotlining capabilities
    TLV ID 4: Idle Mode notification capabilities
    The WiMax-Capability attribute is optionally received in the Access-Response message.

3   GMT-Time-Zone-Offset
    Sent in Access-Request: No. Sent in Acct-Request: Yes. Received in Access-Response: No.
    Integer. The difference in seconds between the HA and the RADIUS server in Greenwich Mean Time (GMT). This information is used to calculate local time. The GMT-Time-Zone-Offset attribute is optionally sent in the Acct-Request message.

4   AAA-Session-ID
    Sent in Access-Request: No. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Binary string. Unique identifier in the home network for the session, set in the home network AAA server. In addition to being received in the Access-Response message, this attribute is also received in the CoA message.

6   HA-IP-MIP4
    Sent in Access-Request: Yes. Sent in Acct-Request: Yes. Received in Access-Response: No.
    IP address. IP address of the home agent (HA).

10  MN-HA-MIP4-Key
    Sent in Access-Request: No. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Binary string. The shared secret key used for authentication between the mobile node (MN) and HA.

11  MN-HA-MIP4-SPI
    Sent in Access-Request: Yes. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Integer. Security Parameter Index (SPI) that corresponds to the shared secret key used for mobile node (MN) and HA authentication. The HA includes this attribute in the Access-Request message to request the corresponding shared key from the RADIUS server. The RADIUS server includes this attribute in the Access-Response message, and also when it sends the CoA message to the HA to indicate that a new key will be used for subsequent MN and HA authentication or reauthentication for an existing mobile subscriber session.

15  HA-RK-Key
    Sent in Access-Request: No. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Octet. Key used to generate FA-HA keys.

16  HA-RK-SPI
    Sent in Access-Request: Yes (optional). Sent in Acct-Request: No. Received in Access-Response: Yes.
    Integer. SPI associated with the HA-RK-Key.

17  HA-RK-Lifetime
    Sent in Access-Request: No. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Integer. Lifetime of the HA-RK-Key.

24  Hotline-Indicator
    Sent in Access-Request: No. Sent in Acct-Request: Yes. Received in Access-Response: Yes.
    String. Enables hotlining. Sent by the RADIUS or CoA server and reported in the session and hotlining accounting records. The Hotline-Profile-ID and Hotline-Indicator attributes together enable hotlining. For information about hotlining, see Chapter 10, Hotlining Configuration.

48  Acct-Input-Packets-Gigawords
    Sent in Access-Request: No. Sent in Acct-Request: Yes (optional). Received in Access-Response: No.
    Integer. Incremented when the standard RADIUS attribute 47, Acct-Input-Packets, overflows.

49  Acct-Output-Packets-Gigawords
    Sent in Access-Request: No. Sent in Acct-Request: Yes (optional). Received in Access-Response: No.
    Integer. Incremented when the standard RADIUS attribute 48, Acct-Output-Packets, overflows.

53  Hotline-Profile-ID
    Sent in Access-Request: No. Sent in Acct-Request: Yes. Received in Access-Response: Yes.
    String. Hotlining profile identifier sent by the RADIUS or CoA server. The Hotline-Profile-ID and Hotline-Indicator attributes together enable hotlining. For information about hotlining, see Chapter 10, Hotlining Configuration.

58  HA-RK-Key-Requested
    Sent in Access-Request: Yes (if dynamic keys are required). Sent in Acct-Request: No. Received in Access-Response: No.
    Integer. Flag indicating that the HA needs an HA-RK-Key.

WiMax Forum RADIUS VSAs in the CoA
Table A-21 lists the WiMax Forum RADIUS VSAs supported for Mobile IP and that can appear in CoA-Request and CoA-Response messages. For details about these VSAs, see Table A-20.

Table A-21 WiMax Forum RADIUS VSAs for Mobile IP Supported by the SmartEdge OS
Columns: # | Attribute Name | Sent in CoA Request | Sent in CoA Response | Notes

10  MN-HA-MIP4-Key
    Sent in CoA Request: Yes. Sent in CoA Response: No.

11  MN-HA-MIP4-SPI
    Sent in CoA Request: Yes. Sent in CoA Response: No.

24  Hotline-Indicator
    Sent in CoA Request: Yes. Sent in CoA Response: No.
    String. Sent by the RADIUS or CoA server and reported in the session and hotlining accounting records. A CoA containing a Hotline-Profile-ID without an accompanying Hotline-Indicator deactivates hotlining for that profile. For information about hotlining, see Chapter 10, Hotlining Configuration.

53  Hotline-Profile-ID
    Sent in CoA Request: Yes. Sent in CoA Response: No.
    String. Hotlining profile identifier sent by the RADIUS or CoA server. A CoA containing a Hotline-Profile-ID without an accompanying Hotline-Indicator deactivates hotlining for that profile. For information about hotlining, see Chapter 10, Hotlining Configuration.

Motorola VSAs
Table A-22 lists the Motorola VSAs supported for Mobile IP and that can appear in Access-Request, Account-Request, and Access-Response messages.

Table A-22 Motorola VSAs for Mobile IP Supported by the SmartEdge OS
Columns: # | Attribute Name | Sent in Access-Request | Sent in Acct-Request | Received in Access-Response | Notes

67  FA-HA-Key
    Sent in Access-Request: No. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Encrypted string. The FA-HA key is used by the FA to create an FA-HA authentication extension. This field is protected with the encryption algorithm defined in RFC 2868, RADIUS Attributes for Tunnel Protocol Support, for Tunnel-Password.

68  FA-HA-Lifetime
    Sent in Access-Request: No. Sent in Acct-Request: No. Received in Access-Response: Yes.
    Integer. The amount of time in seconds that this FA-HA key can be used after it is fetched.

69  FA-HA-SPI
    Sent in Access-Request: Yes (optional). Sent in Acct-Request: No. Received in Access-Response: Yes.
    Integer. The SPI for the FA-HA key. The FA-HA-SPI may be sent in the Access-Request to the AAA server if the foreign agent (FA) does not have a matching key corresponding to the key used by the home agent (HA) in a registration revocation message.
Appendix B
TACACS+ Attribute-Value Pairs
Terminal Access Controller Access Control System Plus (TACACS+) attribute-value pairs (AVPs) are used to define specific administrator and command-line interface (CLI) command authentication, authorization, and accounting (AAA) elements for user profiles that are stored on a TACACS+ server.
For information about configuring TACACS+ features, see Chapter 22, TACACS+ Configuration.
This appendix contains the following sections:
TACACS+ Authentication and Authorization AVPs
TACACS+ Administrator Accounting AVPs
TACACS+ Command Accounting AVPs
TACACS+ Authentication and Authorization AVPs
Table B-1 describes the TACACS+ authentication and authorization AVPs supported by the SmartEdge OS.

Table B-1 TACACS+ Authentication and Authorization AV Pairs
Columns: Attribute | Description

cmd=x
    Administrator shell command. Indicates the command name for the command to be issued. This attribute can only be specified if service=shell.

cmd-arg=x
    Argument used with an administrator shell command. Indicates the argument name to be used with the command. Multiple cmd-arg attributes can be specified, and cmd-arg attributes are order dependent.

priv-lvl=x
    When received in an administrator authorization response from the server, sets the starting privilege level for the administrator.

service=x
    Service used by the administrator.

TACACS+ Administrator Accounting AVPs
Table B-2 describes the TACACS+ administrator accounting AVPs supported by the SmartEdge OS.

Table B-2 TACACS+ Administrator Accounting AV Pairs
Columns: Attribute | Description

service=shell
    Service used by the administrator.

start_time=x
    Time at which the administrator logged onto the SmartEdge OS. The format is the number of seconds since 12:00 a.m., January 1, 1970.

stop_time=x
    Time at which the administrator logged off the SmartEdge OS. The format is the number of seconds since 12:00 a.m., January 1, 1970.

task_id=x
    Start and stop records for the same event must have matching (unique) task ID numbers.

timezone=x
    Time zone abbreviation for all time stamps included in this packet.

TACACS+ Command Accounting AVPs
Table B-3 describes the TACACS+ command accounting AVPs supported by the SmartEdge OS.

Table B-3 TACACS+ Command Accounting AV Pairs
Columns: Attribute | Description

cmd=x
    Command issued by the administrator. Includes all supported CLI commands.

priv-lvl=x
    Privilege level associated with the command being issued.

start_time=x
    Time at which the command is issued.

service=shell
    Service used by the administrator.

task_id=x
    Start and stop records for the same event must have matching (unique) task ID numbers.

timezone=x
    Time zone abbreviation for all time stamps included in this packet.
Index
Numerics
3GPP2 RADIUS VSAs
Mobile IP services, A-43
3GPP2 RADIUS VSAs authorized
Mobile IP services, A-43
802.1Q PVCs
specifying DSL line for subscribers, 6-5, 6-7
802.1Q Tunnel
mapping tunnel to DSL line, 6-5
specifying DSLAM ANI, slot, port, 6-5
specifying DSL line for subscribers, 6-5
A
AAA (authentication, authorization, and accounting)
administrator
accounting, 20-14
authentication, 20-8
assigning preferred IP addresses, 20-9
CLI commands
accounting, 20-14
authorization, 20-12
examples
subscriber authentication, 20-17
subscriber reauthorization, 20-18
L2TP accounting
context-specific, 20-17
global, 20-16
two-stage, 20-17
L2TP peer authorization, 20-12
structured username formats, 20-8
subscriber accounting
context-specific, 20-15
global, 20-14
two-stage, 20-16
subscriber authentication
disabling, 20-11
last-resort context, 20-11
local configuration, 20-10
RADIUS, context-specific, 20-10
RADIUS, context-specific, then global, 20-11
RADIUS, followed by SmartEdge OS, 20-11
RADIUS, global, 20-10
subscriber circuits
assigning IP addresses, 20-9
assigning routes, 20-7
subscriber reauthorization, configuring, 20-12
subscriber sessions, limiting number of, 20-7
access control list configuration mode, described, 1-14
Acct-Authentic attribute, A-8
Acct-Class-In-Octets-64 VSA, A-29
Acct-Class-Out-Octets-64 VSA, A-29
Acct-Delay-Time attribute, A-7
Acct-Dyn-Ac-Ent VSA, A-25
Acct-Input-Gigawords attribute, A-8
Acct-Input-Octets-64 VSA, A-23
Acct-Input-Octets attribute, A-7
Acct-Input-Packets-64 VSA, A-23
Acct-Input-Packets attribute, A-8
Acct-Interim-Interval attribute, A-10
Acct-Mcast-In-Octets-64 VSA, A-23
Acct-Mcast-In-Octets VSA, A-25
Acct-Mcast-In-Packets-64 VSA, A-24
Acct-Mcast-In-Packets VSA, A-25
Acct-Mcast-Out-Octets-64 VSA, A-23
Acct-Mcast-Out-Octets VSA, A-25
Acct-Mcast-Out-Packets-64 VSA, A-24
Acct-Mcast-Out-Packets VSA, A-25
Acct-Output-Gigawords attribute, A-9
Acct-Output-Octets-64 VSA, A-23
Acct-Output-Octets attribute, A-7
Acct-Output-Packets-64 VSA, A-23
Acct-Output-Packets attribute, A-8
Acct-Session-Id attribute, A-8
Acct-Session-Time attribute, A-8
Acct-Status-Type attribute, A-7
Acct-Terminate-Cause attribute, A-8
Acct-Tunnel-Connection attribute, A-10
Acct-Update-Reason VSA, A-25
ACL condition configuration mode, described, 1-14
ACL-Definition VSA, A-19
ACLs (access control lists)
enabling ACL counters for subscribers, 12-9
examples
attaching an IP ACL to an interface, 12-13
configuring a forward policy ACL, 12-13
configuring a NAT policy ACL, 12-13
configuring a QoS policy ACL, 12-14
modifying an IP ACL, 12-11
resequencing statements in an IP ACL, 12-11
ACLs (access control lists), IP
absolute conditions
creating, 12-8
modifying in real time, 12-9
applying to
a context, 12-8
an interface, 12-8
a subscriber, 12-8
conditions, creating, 12-8
creating or selecting, 12-8
deny statements, creating, 12-8
described, 12-1
description, creating, 12-8
periodic conditions
creating, 12-8
modifying in real time, 12-9
permit statements, creating, 12-8
resequencing statements, 12-8
ACLs (access control lists), policy
absolute conditions
creating, 12-9
modifying in real time, 12-10
applying to
a forward policy, 14-3
a NAT policy with dynamic translations, 13-8
a QoS metering policy, 16-12
a QoS policing policy, 16-12
condition ID, creating, 12-9
creating or selecting, 12-9
described, 12-3
description, creating, 12-9
periodic conditions
creating, 12-9
modifying in real time, 12-10
permit statements, creating, 12-9
resequencing statements, 12-9
administrator configuration mode, described, 1-14
Agent-Circuit-Id VSA, A-21, A-40, A-41
Agent-Remote-Id VSA, A-21
ANCP (Access Node Control Protocol)
mapping 802.1Q tunnel to DSL line, 6-5
overriding rates specified by QoS policies, 6-5
overriding rates using DSLAM data, 6-5
specifying DSLAM ANI, slot, port, 6-5
specifying DSL line for subscribers, 6-5, 6-7
ANCP (Access Node Control Protocol) neighbor peers
creating profile for, 6-4
specifying interface for ANCP sessions, 6-4
specifying IP address for, 6-4
specifying name for, 6-4
specifying TCP remote port for, 6-4
ANCP (Access Node Control Protocol) routers
assigning ID for SmartEdge router, 6-4
assigning TCP local port for, 6-4
creating, 6-4
specifying keepalive interval and retries for, 6-4
ANCP configuration mode, described, 1-14
ANCP neighbor configuration mode, described, 1-14
ARP (Address Resolution Protocol)
configuring the router to prevent DoS attacks, 2-4
disabling, 2-2
enabling
ARP, 2-2
proxy ARP, 2-2
secured ARP, 2-2
examples, 2-4
preventing DoS attacks, 2-3
table entries
creating static, 2-3
deleting expired, 2-3
incomplete, setting a maximum, 2-3
modifying the lifespan of, 2-3
ARP and DHCP, 5-2
Ascend-Data-Filter attribute, A-41
Assigned-IP-Address VSA, A-23
ATM DS-3 configuration mode, described, 1-14
ATM OC configuration mode, described, 1-14
ATM profile configuration mode, described, 1-14
ATM PVC configuration mode, described, 1-14
ATMWFQ policy configuration mode, described, 1-14
attributes
standard RADIUS, A-5
vendor-specific Redback, A-13
autonomous address configuration flag, specifying, 3-12
AVPs (attribute-value pairs), TACACS+, B-1
B
BG-Aging-time VSA, A-13
BG-Path-Cost VSA, A-13
BG-Trans-BPDU VSA, A-14
Bind-Auth-Context VSA, A-17, A-40, A-41
Bind-Auth-Max-Sessions VSA, A-17, A-40, A-41
Bind-Auth-Protocol VSA, A-17, A-40, A-41
Bind-Auth-Service-Grp VSA, A-17
Bind-Auto-Sub-Context VSA, A-22, A-41
Bind-Auto-Sub-Password VSA, A-22, A-41
Bind-Auto-Sub-User VSA, A-22, A-41
Bind-Bypass-Bypass VSA, A-17
Bind-Bypass-Context VSA, A-17
Bind-Dot1q-Port VSA, A-17
Bind-Dot1q-Slot VSA, A-17
Bind-Dot1q-Vlan-Tag-Id VSA, A-17
Bind-Int-Context VSA, A-17
Bind-Int-Interface-Name VSA, A-17
Bind-L2TP-Flow-Control VSA, A-17
Bind-L2TP-Tunnel-Name VSA, A-17
Bind-Ses-Context VSA, A-17
Bind-Sub-Password VSA, A-17
Bind-Sub-User-At-Context VSA, A-17
Bind-Tun-Context VSA, A-17
Bind-Type VSA, A-16, A-40, A-41
Bridge-Group VSA, A-13, A-14
burst flow creation rate, 19-3
C
Called-Station-Id attribute, A-7
Calling-Station-Id attribute, A-7
card configuration mode, described, 1-14
CHAP-Password attribute, A-5
Circuit groups
assigning members to, 18-22
attaching QoS policies to, 18-22, 18-26
hierarchical rate limiting, 18-4
Circuit groups, described, 18-4
Circuit-Protocol-Id VSA, A-22, A-41
Class attribute, A-6
classification mappings, creating, 16-13
Class-Traffic-Limit VSA, A-29
CLI (command-line interface) syntax, 1-14
Client-DNS-Pri VSA, A-13
Client-DNS-Sec VSA, A-13
CLIPS
dynamic CLIPS client, 5-2
CLIPS and DHCP, 5-2
CLIPS PVC configuration mode, described, 1-14
congestion map configuration mode, described, 1-14
Connect-Info attribute, A-10
context configuration mode, described, 1-14
Context-Name VSA, A-13
D
Deactivate-Service-Name VSA, A-31
Destination NAT, described, 13-4, 13-20
DHCP (Dynamic Host Configuration Protocol)
configuring the router to prevent DoS attacks, 5-7
described, 5-1
examples
IP source address, 5-21
proxy, dynamic, 5-16
proxy, static, 5-18
RADIUS, 5-19
external server
adding options to packets, 5-6
assigning to server group, 5-5
configuring subscriber circuits to use, 5-7
forwarding all, 5-5
forwarding discover packets, 5-5
hostname, assigning, 5-5
IP address for, 5-5
maximum hops, 5-5
minimum wait, 5-5
NAK suppression, 5-6
retries, 5-6
standby, forwarding to, 5-5
interfaces
external proxy server, 5-6
external relay server, 5-6
IP address for the giaddr field, 5-6
IP source address for external server, 5-6
internal server
assigning subnet IP addresses, 5-5
creating static mapping between subnet and vendor class ID, 5-4
creating static mapping for IP address, 5-5
creating static mapping with MAC address, 5-5
creating subnet, 5-4
default lease time, specifying global setting, 5-4
default lease time, specifying subnet setting, 5-5
duplicate MAC addresses, allowing, 5-4
enabling context for, 5-4
enabling interface for, 5-4
maximum lease time, specifying global setting, 5-4
offer lease time, specifying global setting, 5-4
options, specifying global setting, 5-4
specifying boot loader image file, 5-4
specifying global settings, 5-4
specifying maximum number of IP addresses, 5-5
specifying server for boot loader image file, 5-4
specifying subnet settings, 5-5
threshold, enabling monitoring of leases, 5-4
DHCP giaddr configuration mode, described, 1-14
DHCP-Max-Leases VSA, A-13
DHCP relay server configuration mode, described, 1-14
DHCP server configuration mode, described, 1-14
DHCP subnet configuration mode, described, 1-14
DHCP-Vendor-Class-Id VSA, A-23
DHCP-Vendor-Encap-Option VSA, A-23
disabling and enabling
MN access to an FA, 8-8
DNS (Domain Name System)
creating domain names, 11-2
described, 11-1
enabling, 11-2
examples, 11-3
host table, creating static entries, 11-3
specifying server IP addresses for, 11-2
subscribers, 11-2
dot1q profile configuration mode, described, 1-14
dot1q PVC configuration mode, described, 1-14
dropping packets
associated with a class, 14-4
not associated with a class, 14-3
DS-0 group configuration mode, described, 1-14
DS-1 configuration mode, described, 1-14
DS-3 configuration mode, described, 1-14
DSCP (Differentiated Services Code Point)
marking incoming packets
conforming, 16-11
exceeding, 16-11
priority assignment, 16-11
violating, 16-11
marking outgoing packets
conforming, 16-10
exceeding, 16-10
priority assignment, 16-9
violating, 16-10
propagating
first-generation ATM to PD, 18-13
IP and L2TP, 18-20
IP and MPLS, 18-21
IP from Ethernet, 18-14
IP to Ethernet, 18-14
IP to first-generation ATM, 18-13
IP to second-generation ATM, 18-14
second-generation ATM to PD, 18-14
DSL-Actual-Inter-Delay-Down VSA, A-27
DSL-Actual-Inter-Delay-Up VSA, A-27
DSL-Actual-Rate-Down-Factor VSA, A-28
DSL-Actual-Rate-Down VSA, A-26
DSL-Actual-Rate-Up VSA, A-26
DSL-Attainable-Rate-Down VSA, A-27
DSL-Attainable-Rate-Up VSA, A-27
DSL-combined-Line-Info VSA, A-28
DSL-L2-Encapsulation VSA, A-28
DSL-Line-State VSA, A-27
DSL-Max-Inter-Delay-Down VSA, A-27
DSL-Max-Inter-Delay-Up VSA, A-27
DSL-Max-Rate-Down VSA, A-27
DSL-Max-Rate-Up VSA, A-27
DSL-Min-Low-Power-Rate-Down VSA, A-27
DSL-Min-Low-Power-Rate-Up VSA, A-27
DSL-Min-Rate-Down VSA, A-27
DSL-Min-Rate-Up VSA, A-27
DSL-PPPOA-PPPOE-Inter-Work-Flag VSA, A-28
DSL-Transmission-System VSA, A-28
dynamic CLIPS client, 5-2
Dynamic NAT, described, 13-3
Dynamic-Policy-Filter VSA, A-26
Dynamic Tunnel Profile configuration mode, described, 1-14
E
E1 configuration mode, described, 1-14
E3 configuration mode, described, 1-14
EDRR policy configuration mode, described, 1-14
EPD (early packet discard) parameters, ATMWFQ policies, 17-11
Event-Timestamp attribute, A-9
exec mode, described, 1-14
F
FAC (flow admission control) profile
applying profiles to a circuit, 19-5
attributes, 19-2
burst flow creation rate, 19-3
circuit flow state, 19-4
configuring a FAC profile, 19-4
configuring burst creation rate, 19-4
configuring maximum flows per circuit, 19-4
configuring sustained creation rate, 19-5
controlling circuits, 19-1
creation rates, 19-2
criteria for generating, 19-2
definition, 19-1
enabling a FAC profile on a circuit, 19-5
five tuple, 19-2
flow creation cycle, 19-4
generation, 19-2
hardware requirements, 19-2
limits, 19-1
maximum flows per circuit, 19-3
sustained flow creation rate, 19-3
FA configuration mode, described, 1-14
Filter-Id attribute, A-6
flow configuration mode, described, 1-15
flow creation cycle, 19-4
forwarding all, 5-5
forwarding discover packets, 5-5
forward policies
applying a policy ACL, 14-3
classifying packets, 14-4
creating or selecting, 14-3
destination port, specifying, 14-3
dropping packets
associated with a class, 14-4
not associated with a class, 14-3
examples
combination of mirror, redirect, and drop, 14-10
dropping packets, 14-8
mirroring packets, 14-4
redirecting packets, 14-6
mirroring packets
associated with a class, 14-4
not associated with a class, 14-3
redirecting packets
associated with a class, 14-4
not associated with a class, 14-3
forward policy configuration mode, described, 1-15
Forward-Policy VSA, A-20
Framed-IP-Address attribute, A-6
Framed-IP-Netmask attribute, A-6
Framed-MTU attribute, A-6
Framed-Protocol attribute, A-6
Framed-Route attribute, A-6
Frame Relay PVC configuration mode, described, 1-15
G
global configuration mode, described, 1-15
GRE tunnel configuration mode, described, 1-15
H
HA peer configuration mode, described, 1-15
hierarchical rate limiting
circuit groups, 18-4
hierarchical metering, 16-6, 16-52, 18-2
hierarchical node configuration mode, described, 1-15
hierarchical node group configuration mode, described, 1-15
hierarchical policing, 16-52
hotlining, 10-1
HTTP redirect
attaching
a forward policy to a subscriber circuit, 9-4, 10-4
the redirect profile to a subscriber, 9-3
configuring
forward policy, 9-4, 10-4
IP ACL for subscriber access, 9-2
policy ACL, 9-3, 10-4
redirect profile, 9-3
subscriber access, 9-2
subscriber authentication, 9-2
subscriber reauthorization, 9-2
URL, 9-3
described, 9-1
examples, 9-4
server
enabling, 9-2, 10-3
port number, modifying, 9-2, 10-3
HTTP redirect profile mode, described, 1-15
HTTP-Redirect-Profile-Name VSA, A-22
HTTP redirect server configuration mode, described, 1-15
HTTP-Redirect-URL VSA, A-26
I
Idle-Timeout attribute, A-7
Igmp-Service-Profile VSA, A-20
interface configuration mode, described, 1-15
Ip-Address-Pool-Name VSA, A-16
Ip-Host-Addr VSA, A-17
IP-Interface VSA, A-22
IP-TOS-Field VSA, A-18
K
key chain configuration mode, described, 1-15
key chains
creating a description, 24-2
enabling for use with
IS-IS, 24-3
Mobile IP, 24-3
OSPF, 24-3
VRRP, 24-3
examples, 24-4
specifying
key ID, 24-2
key string, 24-3
send lifetime, 24-3
L
L2TP (Layer 2 Tunneling Protocol)
accounting
context-specific, 20-17
global, 20-16
two-stage, 20-17
propagating QoS, 18-20
l2tp peer configuration mode, described, 1-15
LAC-Port-Type VSA, A-24
LAC-Port VSA, A-24
LAC-Real-Port-Type VSA, A-24
LAC-Real-Port VSA, A-24
LI (lawful intercept)
accessing software license configuration mode, 23-3
accounts, creating, 23-3
configuring circuits for
contexts, 23-4
interfaces, 23-4
subscribers, 23-4
described, 23-1
examples, 23-5
features and functions, enabling and disabling, 23-3
profiles
configuring circuits, 23-4
configuring IP ACL for, 23-4
creating, 23-3
defining header fields, 23-4
defining transport data section, 23-4
enabling pending intercept requests, 23-4
specifying intercept type, 23-4
starting circuit or subscriber intercepts, 23-5
starting subscriber intercepts, 23-5
stopping circuit or subscriber intercepts, 23-5
stopping subscriber intercepts, 23-5
LI-Action VSA, A-26
LI-Identifier VSA, A-26
LI-Md-Address VSA, A-26
LI-Md-Port VSA, A-26
link group configuration mode, described, 1-15
LI profile configuration mode, described, 1-15
LI-Profile VSA, A-26
M
Mac-Addr VSA, A-25
maximum flows per circuit, 19-3
maximum hops, external DHCP server, 5-5
maximum lease time, specifying subnet setting, 5-5
Mcast-MaxGroups VSA, A-16
Mcast-Receive VSA, A-16
Mcast-Send VSA, A-15
MDRR policy configuration mode, described, 1-15
Medium-Type VSA, A-16
metering policy configuration mode, described, 1-15
minimum wait, external DHCP server, 5-5
mirroring packets
associated with a class, 14-4
not associated with a class, 14-3
Mobile IP configuration mode, described, 1-15
Mobile IP interface configuration mode, described, 1-15
Mobile IP services
binding Ethernet ports and circuits, 7-11
CoA context and interfaces, described, 7-5
configuring advertising tunnel type, 7-10
configuring a key string, 7-9
configuring authentication, 7-11
configuring default authentication, 7-10
configuring Ethernet ports and circuits, 7-11
configuring GRE tunnels, 7-12
configuring IP-in-IP tunnels, 7-12
configuring registration revocation, 7-10
creating a key chain, 7-9
creating a Mobile IP router, 7-9
creating an FA instance, 7-10
creating CoA contexts, 7-8
creating CoA interfaces, 7-8
creating FA contexts, 7-8
creating FA contexts, described, 7-5
creating HA peer instance, 7-10
creating HA VPN contexts, 7-9
creating interfaces, 7-8
creating tunnel interfaces, 7-9
deployment scenarios
described, 7-5
for mobile ISPs, 7-6
network, 7-6
network with private IP addresses, 7-6
network with public IP addresses, 7-6
network with some private IP addresses, 7-6
disabling and enabling
FA instances, 7-12
HA peers, 7-12
MN access to an FA, 7-12
enabling MN location detection, 7-10
enabling mobile IP services on a context
HA peers, 7-10
MNs, 7-11
FA instances, described, 1-5
FA instances supported, 7-4
forwarding non-Mobile IP traffic, 7-10
HA peer instances, described, 1-5
HA peer instances supported, 7-4
HA VPN contexts, described, 7-5
selecting a context for an FA instance
described, 7-9
MN access, 7-11
selecting an existing interface for MN access, 7-11
selecting an FA instance, 7-10
selecting the context, 7-10
selecting the key chain context, 7-9
specifying a SPI, 7-9
specifying HA VPN context, 7-11
specifying MN message forwarding criteria, 7-10
specifying the care-of interface for an FA instance, 7-10
specifying the maximum interval, 7-11
specifying the maximum lifetime, 7-11
specifying the maximum pending registrations, 7-11
specifying the maximum registration lifetime, 7-11
specifying the minimum interval, 7-11
typical FA network, described, 7-4
typical network, described, 1-6
mobile IP services
configuring advertising tunnel type
HA instance, 8-6
configuring a key string
HA instance, 8-6
configuring authentication
FA peer, 8-7
configuring default authentication
HA, 8-6
configuring GRE tunnels
FA peers, 8-8
configuring IP-in-IP tunnels
FA peers, 8-8
configuring maximum registration lifetime
HA, 8-6
configuring MN subscribers, 8-7
configuring registration revocation
HA, 8-6
configuring replay tolerance
HA, 8-6
creating a key chain
HA, 8-6
creating an HA instance, 8-6
creating CoA contexts
HA instances, 8-5
creating FA contexts
peers, 8-5
creating FA peers, 8-7
creating interfaces
FA peers, 8-5
HA local addresses, 8-6
disabling and enabling
FA peers, 8-8
HA instances, 8-8
dynamic tunnel profile, FA Peer, 8-7
enabling a context for an HA instance, 8-6
enabling mobile IP services for FA peer, 8-7
selecting the context
HA instances, 8-6
selecting the context for an HA instance
described, 8-6
FA peers, 8-7
selecting the HA instance for FA peers, 8-7
specifying an SPI
HA, 8-6
MPLS (Multiprotocol Label Switching)
propagating QoS, 18-21
using only DSCP for queuing, 18-21
MPLS router configuration mode, described, 1-15
N
NAK suppression, external DHCP server, 5-6
NAS-Identifier attribute, A-7
NAS-IP-Address attribute, A-5
NAS-Port attribute, A-5
NAS-Port-Id attribute, A-10
NAS-Port-Type attribute, A-9
NAS-Real-Port VSA, A-18
NAT (Network Address Translation) policies
and Session limit control, 13-5
described, 13-1
DMZ, 13-4
dynamic, 13-3
dynamic translations
applying a policy ACL, 13-8
attaching a policy, 13-8
configuration tasks, 13-7
creating or selecting a policy, 13-7
creating or selecting a pool, 13-7
dropping a class of packets, 13-8
dropping or ignoring packets, 13-7
enabling session limit control, default class, 13-8
enabling session limit control, named class, 13-8
overwriting destination IP address, 13-8
specifying a class, 13-8
specifying a maximum number of sessions, 13-7
specifying a pool, 13-7
specifying IP addresses for a pool, 13-7
specifying the class timeout, 13-8
specifying the pool for a class of packets, 13-8
specifying timeout, 13-7
examples
combination of all translation types, 13-11
dynamic translations, 13-10
NAPT with dynamic translations, 13-11
NAPT with static translations, 13-9
static translations, 13-9
with Destination NAT, 13-12
ignore source IP address translation, 13-23
order of application to packets, 13-5
source NAT, 13-2
static, 13-2
static translations, configuring, 13-6
using policy ACLs with, described, 13-3
NAT DMZ, described, 13-4
NAT policy configuration mode, described, 1-15
NAT-Policy-Name VSA, A-22
NAT pool configuration mode, described, 1-15
ND (Neighbor Discovery) protocol
examples, 3-4
ND router
configuring global settings for, 3-3
creating, 3-3
creating interface for, 3-3
creating or selecting context for, 3-3
specifying IPv6 interface address for, 3-3
ND router interface
configuring interface settings for, 3-3
configuring prefixes for, 3-3
selecting context for, 3-3
selecting interface for, 3-3
selecting ND router for, 3-3
specifying static neighbors for, 3-3
Preferred Lifetime, 3-10
prefixes, configuring, 3-12
RA messages
configuration flags, 3-14
Reachable Time, 3-16
Router Lifetime, 3-14
Retrans Timer, 3-8
Valid Lifetime, 3-19
ND router configuration mode, described, 1-15
ND router interface configuration mode, described, 1-15
NPM-Service-Id VSA, A-22
NTP (Network Time Protocol)
accessing NTP configuration mode, 4-2
configuring
peer synchronization, 4-2
server synchronization, 4-2
enabling slowsync, 4-2
examples, 4-2
NTP configuration mode, described, 1-15
num-queues configuration mode, described, 1-15
O
offer lease time, specifying subnet setting, 5-5
on-link flag, specifying, 3-12
options, specifying subnet setting, 5-5
OS-Version VSA, A-22
overhead profile configuration mode, described, 1-15
overhead type configuration mode, described, 1-15
P
parameter array loop configuration mode, described, 1-15
Platform-Type VSA, A-21
Police-Burst VSA, A-14
Police-Rate VSA, A-14
policing policy configuration mode, described, 1-15
policy ACL class configuration mode, described, 1-15
policy ACL configuration mode, described, 1-15
policy class rate configuration mode, described, 1-16
policy rate configuration mode, described, 1-16
port configuration mode, described, 1-16
Port-Limit attribute, A-9
PPPoE-IP-Route-Add VSA, A-19
PPPOE-MOTM VSA, A-15
PPPOE-URL VSA, A-15
PQ policy configuration mode, described, 1-16
Preferred Lifetime, specifying, 3-10
Prefix Information option, configuring
autonomous address configuration flag, 3-12
on-link flag, prefix specific, 3-12
Preferred Lifetime, 3-12
Valid Lifetime
interfaces, 3-13
ND router, 3-19
priority groups, customizing queue maps for, 17-9
propagating QoS
classification maps
creating, 16-13, 18-19
mapping 802.1p values to QoS values, 18-19
mapping DSCP values to QoS values, 18-19
mapping EXP values to QoS values, 18-20
mapping QoS values to 802.1p values, 18-19, 18-20
mapping QoS values to ATM CLP values, 18-19
mapping QoS values to DSCP values, 18-19
mapping QoS values to EXP values, 18-20
referencing, 18-20
specifying default values, 18-19
using DSCP values, 18-19, 18-20
first-generation ATM to PD, 18-13
IP from Ethernet, 18-14
IP from MPLS, 18-21
IP to Ethernet, 18-14
IP to first-generation ATM, 18-13
IP to MPLS, 18-21
IP to second-generation ATM, 18-14
L2TP
inbound packets, downstream direction, 18-21
inbound packets, to an LAC, 18-21
inbound packets, to an LNS, 18-20
inbound packets, upstream direction, 18-20
outbound packets, from an LNS, 18-21
outbound packets, upstream direction, 18-21
second-generation ATM to PD, 18-14
propagating QoS, described
IP and Ethernet, 18-8
IP and L2TP, 18-10
IP and MPLS, 18-9
IP to ATM, 18-7
types of settings, 18-6
protocol policy configuration mode, described, 1-16
proxy ARP, enabling, 2-2
PVC-Encapsulation-Type VSA, A-16, A-40, A-41
PVC-Profile-Name VSA, A-16, A-40, A-41
Q
QoS
classifying packets using ACLs, described, 16-2
DSCP bits, marking incoming packets
conforming, 16-11
exceeding, 16-11
priority, 16-11
violating, 16-11
DSCP bits, marking outgoing packets
conforming, 16-10
exceeding, 16-10
priority, 16-9
violating, 16-10
QoS (quality of service)
circuit groups, 18-4
classifying traffic with priority groups
Ethernet circuits, 18-14
PDH circuits, 18-17
POS circuits, 18-17
congestion avoidance maps
creating or selecting, 17-10
described, 17-6, 17-8
setting exponential weight for, 17-10
setting RED parameters for, 17-10
congestion management, described, 17-6, 17-8
EDRR algorithm mode, defining for
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
subscriber circuits, 18-19
high-level view of QoS traffic, 16-8
mapping child policy class to parent class, 16-6
marking, described, 16-3
metering and policing policy inheritance, described, 16-6
policy ACLs, described, 16-2
priority groups
customizing queue maps for, 17-9
priority groups, described, 16-2
propagating
described, 18-6
first-generation ATM to PD, 18-13
IP from Ethernet, 18-14
IP to Ethernet, 18-14
IP to first-generation ATM, 18-13
IP to second-generation ATM, 18-14
second-generation ATM to PD, 18-14
queue depth, described, 17-8
queue maps
creating, 17-9
described, 17-2
mapping priority groups to queues, 17-9
specifying the number of queues for, 17-9
queue rates, described, 17-8
rate-limiting, described, 16-3
setting the rate for outgoing traffic, 18-15
QoS (quality of service), classification mappings, 16-13
QoS (quality of service), examples
ATMWFQ policy, 17-15
congestion avoidance map, 17-15, 17-21
EDRR policy
attaching, 18-24
configuring, 17-16
hierarchical scheduling, 18-25
hierarchical shaping, 18-25
MDRR policy, configuring, 17-16
metering policies, attaching
cross-connected circuits, 18-23
PVCs, 18-23
subscribers, 18-24
overhead profile, 18-25
policing policies
circuit-based marking, 16-14
circuit-based rate-limiting, 16-14
class and rate-limiting, 16-14
rate-limiting and marking, 16-15
PQ policies
attaching, 18-24
backbone application, 17-18
rate-limiting, 17-17
PWFQ policies
attaching to node, 18-25
attaching to port and PVC, 18-25
configuring, 17-19
ports, 18-25
QoS propagation, 18-25
queue maps, 17-14
RED parameters, 17-16
QoS (quality of service), hierarchical scheduling, configuring
ports
attaching PWFQ policy, 18-15
scheduling algorithm for, 18-15
setting rates for, 18-15
tunnels and PVCs
attaching PWFQ policy, 18-16
scheduling algorithm, 18-15
setting rates for, 18-15
QoS (quality of service), hierarchical shaping, configuring
node groups
creating, 18-16
for subscriber circuits, 18-16
scheduling algorithm for, 18-16
setting rates for, 18-16
nodes
attaching PWFQ policy, 18-17
creating, 18-16
scheduling algorithm for, 18-16
setting rates for, 18-16
ports
scheduling algorithm for, 18-16
setting rates for, 18-16
subscriber circuits, creating reference to node, 18-18
QoS (quality of service), overhead profile
assign encaps-factor, 17-14
assign rate-factor for specific overhead profile, 17-14
configuring data types, 17-13
creating, 17-13
creating a default rate-factor, 17-13
creating an encaps-access-line, 17-13
creating a reserved value, 17-13
creating reserve value for specified profile, 17-14
QoS (quality of service), overhead profile policies
scheduling policies, attaching to
subscriber circuits, 18-19
QoS (quality of service), policies
ATMWFQ policies
assigning a congestion avoidance map to, 17-10
assigning a queue map to, 17-10
attaching to second-generation ATM PVCs, 18-14
creating the name of, 17-10
defining the algorithm mode for, 17-10
described, 17-5
setting EPD parameters for, 17-11
specifying the number of queues for, 17-10
specifying the traffic weight for, 17-10
congestion avoidance maps, specifying the queue depth for, 17-10
EDRR policies
assigning a queue map to, 17-11
creating the name of, 17-11
described, 17-3
modifying the traffic weight for, 17-11
setting a rate limit for, 17-11
specifying RED parameters for, 17-11
specifying the depth of each queue, 17-11
specifying the number of queues for, 17-11
MDRR policies
assigning a congestion avoidance map to, 17-12
assigning a queue map to, 17-12
creating the name of, 17-12
modifying the traffic weight for, 17-12
setting a rate limit for, 17-12
specifying the number of queues for, 17-12
specifying the scheduling algorithm, 17-12
metering policies
creating or selecting, 16-9
marking outgoing packets, 16-9
rate-limiting outgoing packets, 16-9
metering policies, attaching to
cross-connected circuits, 18-18
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
second-generation ATM PVCs, 18-14
subscriber circuits, 18-18
overhead profile, attaching to Ethernet circuits, 18-14
policing policies
applying a policy ACL, 16-12
creating or selecting, 16-11
described, 16-2
marking incoming packets, 16-11
rate-limiting incoming packets, 16-11
policing policies, attaching to
cross-connected circuits, 18-18
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
second-generation ATM PVCs, 18-14
subscriber circuits, 18-18
PQ policies
assigning a queue map to, 17-12
creating the name of, 17-12
described, 17-3
setting a rate limit per queue, 17-12
specifying RED parameters for, 17-12
specifying the number of queues for, 17-12
specifying the queue depth for, 17-12
PWFQ policies
assigning a congestion avoidance map to, 17-13
assigning a queue map to, 17-13
creating the name of, 17-13
defining the algorithm mode for, 17-13
described, 17-5
setting rate and burst for priority groups, 17-13
setting rate limits, 17-13
setting relative weight, 17-13
specifying the number of queues for, 17-13
scheduling policies, attaching to
Ethernet circuits, 18-15
first-generation ATM PVCs, 18-13
PDH circuits, 18-17
POS circuits, 18-17
scheduling policies, attaching to subscriber circuits, 18-18
scheduling policies, circuits supported, 18-3
scheduling policies, described
ATMWFQ, 17-5
EDRR, 17-3
PQ, 17-3
PWFQ, 17-5
specifying circuit rate
802.1Q tunnels and PVCs, 18-15
ATM DS-3 PVCs, 18-14
Ethernet and GE ports, 18-15
first-generation ATM OC PVCs, 18-13
link groups and PVCs, 18-17
PDH ports and channels, 18-17
POS ports, 18-17
second-generation ATM OC PVCs, 18-14
subscriber circuits, 18-18
QoS, hierarchical shaping, configuring nodes for subscriber circuits, 18-16
QoS, policies
metering policies
applying a policy ACL, 16-12
described, 16-2
QoS-Overhead VSA, A-31, A-40, A-41
Qos-Policy-Metering VSA, A-20
Qos-Policy-Policing VSA, A-20
Qos-Policy-Queuing VSA, A-20, A-40, A-41
Qos-Rate-Inbound VSA, A-26
Qos-Rate-Outbound VSA, A-26
QoS-Reference VSA, A-23
queue map configuration mode, described, 1-16
R
RA (Router Advertisement) messages
Managed address configuration flag, 3-14
Other stateful configuration flag, 3-14
Reachable Time, 3-16
Router Lifetime, 3-14
RADIUS (Remote Authentication Dial-In User Service)
accounting servers
accounting messages, sending, 21-6
configuring hostname or IP address, 21-5
configuring load balancing, 21-6
described, 21-2, 21-3
modifying number of requests, 21-8
modifying number of retransmissions, 21-7
timeout, deadtime, 21-7
timeout, lost packet, 21-7
timeout, server dead, 21-7
timeout, server unreachable, 21-7
account termination error code, remapping, 21-11
attributes
standard, A-5
attributes, 3GPP2 VSAs that can be reauthorized, A-43
attributes, Filter-Id, 21-9
attributes, sending in request packets
Acct-Delay-Time, 21-9
Acct-Session-Id, 21-9
NAS-Identifier attribute, 21-9
NAS-IP-Address attribute, 21-9
NAS-Port, 21-9
NAS-Port-ID, 21-9
NAS-Port-Type, 21-10
attributes, specifying separator character, 21-10
attributes, standard
in CoA and Disconnect messages, A-11
that can be reauthorized, A-12
attributes, VSA, A-13
in CoA and Disconnect messages, A-32
that can be reauthorized, A-34
authentication servers
configuring hostname or IP address, 21-5
configuring load balancing, 21-6
described, 21-2, 21-3
authentication service profile
counters for service accounting, specifying, 21-11
creating or selecting the context for, 21-10
RADIUS and Redback attributes, specifying, 21-11
service parameters, specifying, 21-11
service profile, creating or selecting, 21-10
CoA servers, configuring hostname or IP address, 21-5
described, 21-1
examples, 19-5, 21-12
increasing number of server ports, 21-8
policies
assigning to a context, 21-9
creating or modifying, 21-9
specifying attributes to be dropped, 21-9
servers
modifying number of requests, 21-8
modifying number of retransmissions, 21-7
timeout, dead time, 21-7
timeout, lost packet, 21-7
timeout, server dead, 21-7
timeout, server unreachable, 21-7
service profile
Dynamic-Policy-Filter attribute for, 21-20
Dynamic-QoS-Param attribute for, 21-20
Filter-Id attribute for, 21-20
Forward-Policy attribute for, 21-20
HTTP-Redirect-URL attribute for, 21-20
Qos-Policy-Metering attribute for, 21-20
Qos-Policy-Policing attribute for, 21-20
Qos-Policy-Queuing attribute for, 21-20
Service-Interim-Acct-Interval attribute for, 21-20, A-42
Service-Timeout attribute for, 21-20, A-42
Service-Volume-Limit attribute for, 21-20, A-42
source address, configuring, 21-6
stripping domain from username, 21-8
RADIUS and DHCP, 5-3
RADIUS attributes
Mobile IP services, A-42
RADIUS policy configuration mode, described, 1-16
RADIUS (Remote Authentication Dial-In User Service)
attributes, Redback prefix for VSAs, A-6
radius service profile configuration mode, described, 1-16
Rate-Limit-Burst VSA, A-14
Rate-Limit-Rate VSA, A-14
RB-Client-NBNS-Pri VSA, A-21
RB-Client-NBNS-Sec VSA, A-21
Reauth-More VSA, A-21
Reauth-Session-Id VSA, A-26
Reauth-String VSA, A-21
RED (random early detection) parameters
ATMWFQ policies, 17-10
EDRR policies, 17-11
MDRR policies, 17-12
PQ policies, 17-12
PWFQ policies, 17-13
Redback Reason VSA, A-20
redirecting packets
associated with a class, 14-4
not associated with a class, 14-3
Reply-Message attribute, A-6
Retrans Timer, 3-8
retries, external DHCP server, 5-6
Route-Tag VSA, A-26
S
secured ARP, enabling, 2-2
server group, assigning external DHCP server to, 5-5
Service-Error-Cause VSA, A-30
Service-Name VSA, A-30
Service-Options VSA, A-30
Service-Parameter VSA, A-30
service policies
attaching to subscriber sessions, 15-2
configuring
allowable contexts or domains, 15-2
denied contexts or domains, 15-2
policy name, 15-2
described, 15-1
examples, 15-3
service policy configuration mode, described, 1-16
Service-Type attribute, A-5
Session-Error-Code VSA, A-25
Session-Error-Msg VSA, A-25
Session Limit Control, described, 13-4
Session-Timeout attribute, A-6
Session-Traffic-Limit VSA, A-23
Shaping-Profile-Name VSA, A-21
software license configuration mode, described, 1-16
Source NAT (SNAT), 13-2
Source-Validation VSA, A-14
Standard RADIUS attributes
Mobile IP services, A-42
standby server, forwarding to, 5-5
Static NAT, described, 13-2
Sub-Profile-Name VSA, A-20
subscriber configuration mode, described, 1-16
subscribers, overriding rates specified by QoS policies, 6-5
subscribers, overriding rates using DSLAM data, 6-5
sustained flow creation rate, 19-3
T
TACACS+ (Terminal Access Controller Access Control System Plus)
AVPs, B-1
configuring IP address or hostname, 22-3
described, 22-1
examples, 22-3
modifying deadtime interval, 22-3
modifying number of maximum retries, 22-3
modifying server identifier, 22-3
modifying timeout, 22-3
source address, configuring, 22-3
stripping the domain portion of a username, 22-3
terminate error cause configuration mode, described, 1-16
traffic cards, listed, 5-63, 18-3
Tunnel-Algorithm VSA, A-15
Tunnel-Assignment-Id attribute, A-10
Tunnel-Checksum VSA, A-19
Tunnel-Client-Auth-Id attribute, A-11
Tunnel-Client-Endpoint attribute, A-9
Tunnel-Client-Int-Addr VSA, A-20
Tunnel-Client-Rhost VSA, A-20
Tunnel-Client-VPN VSA, A-20
Tunnel-Cmd-Timeout VSA, A-15
Tunnel-Context VSA, A-15
Tunnel-Deadtime VSA, A-15
Tunnel-DNIS VSA, A-16
Tunnel-Domain VSA, A-14
Tunnel-Function VSA, A-14
Tunnel-Group VSA, A-15
Tunnel-Hello-Timer VSA, A-20
Tunnel-L2F-Second-Password VSA, A-19
Tunnel-Local-Name VSA, A-14
tunnel map configuration mode, described, 1-16
Tunnel-Max-Sessions VSA, A-14
Tunnel-Max-Tunnels VSA, A-15
Tunnel-Medium-Type attribute, A-9
Tunnel-Password attribute, A-10
Tunnel-Police-Burst VSA, A-19
Tunnel-Police-Rate VSA, A-19
Tunnel-Preference attribute, A-10
Tunnel-Profile VSA, A-19
Tunnel-Rate-Limit-Burst VSA, A-18
Tunnel-Rate-Limit-Rate VSA, A-18
Tunnel-Remote-Name VSA, A-14
Tunnel-Retransmit VSA, A-15
Tunnel-Server-Auth-Id, A-11
Tunnel-Server-Endpoint attribute, A-10
Tunnel-Server-Int-Addr VSA, A-20
Tunnel-Server-Rhost VSA, A-20
Tunnel-Server-VPN VSA, A-20
Tunnel-Session-Auth-Ctx VSA, A-18
Tunnel-Session-Auth-Service-Grp VSA, A-18
Tunnel-Session-Auth VSA, A-15
Tunnel-Type attribute, A-9
Tunnel-Window VSA, A-15
U
URL, HTTP redirect, 9-3
User-Name attribute, A-5
User-Password attribute, A-5
V
Vendor-Specific attribute, A-6
VSAs (vendor-specific attributes), Redback
listed, A-13
prefix for, A-6
Index of Commands 1
Index of Commands
A
aaa accounting administrator, 20-20
aaa accounting commands, 20-22
aaa accounting event, 20-24
aaa accounting l2tp, 20-26
aaa accounting reauthorization subscriber, 20-29
aaa accounting subscriber, 20-31
aaa accounting suppress-acct-on-fail, 20-34
aaa authentication administrator, 20-36
aaa authentication subscriber, 20-40
aaa authorization commands, 20-43
aaa authorization tunnel, 20-45
aaa double-authentication subscriber radius, 20-46
aaa encrypted-password default, 20-48
aaa global accounting event, 20-49
aaa global accounting l2tp-session, 20-51
aaa global accounting reauthorization subscriber, 20-53
aaa global accounting subscriber, 20-55
aaa global authentication subscriber, 20-57
aaa global maximum subscriber, 20-59
aaa global reject empty-username, 20-61
aaa global update subscriber, 20-64
aaa hint ip-address, 20-66
aaa ip-pool allocation first-available, 20-68
aaa last-resort, 20-69
aaa maximum subscriber, 20-71
aaa password, 20-73
aaa provision binding-order, 20-75
aaa provision route, 20-77
aaa rate-report-factor, 20-78
aaa reauthorization bulk, 20-80
aaa update subscriber, 20-82
aaa username-format, 20-84
absolute, 12-16
accept-lifetime, 24-5
access-group, 12-18
access-line access-node-id, 6-12
access-line adjust, 6-9
access-line agent-circuit-id, 6-10
access-line rate, 6-14
access-list, 12-20
accounting, 21-16
address, 13-14
admin-access-group, 12-21
admission-control, 13-16
advertise max-interval, 7-16
advertise max-lifetime, 7-17
advertise min-interval, 7-18
advertise tunnel-type, 7-19
allow, 15-5
allow-duplicate-mac, 5-22
arp rate, 2-6
atm to qos, 18-28
atm use-ethernet, 18-30
atm use-ip, 18-32
attribute, 21-18
authentication, 7-20
HA instance and FA peer, 8-10
B
bootp-enable-auto, 5-23
bootp-filename, 5-24
boot-siaddr, 5-25
broadcast-discover, 5-26
burst-creation-rate, 19-8
C
care-of-address, 7-22
class, 12-23
class-group, 16-17
clear-df, 7-23
clpbit propagate qos from atm, 18-34
clpbit propagate qos to atm, 18-36
command, 5-69
command-access, 23-8
condition, 12-25
conform mark dscp, 16-19
conform mark precedence, 16-22
conform mark priority, 16-24
conform no-action, 16-27
congestion-map, 17-22
connections, 13-18
D
default-lease-time, 5-27
deny, 12-27, 15-7
description, 12-37
destination, 13-20
dhcp max-addrs, 5-28
dhcp proxy, 5-30
dhcp relay, 5-32
dhcp relay option, 5-34
dhcp relay server, 5-36
dhcp relay server retries, 5-38
dhcp relay suppress-nak, 5-39
dhcp server, 5-40
dhcp server policy, 5-42
dns, 11-4
drop
forward policies, 14-14
NAT policies, 13-22
dynamic-tunnel-profile, 7-24, 8-12
E
egress prefer dscp-qos, 18-38
encaps-access-line, 17-23
encrypt, 9-7
ethernet to qos, 18-39
ethernet use-ip, 18-41
exceed drop, 16-28
exceed mark dscp, 16-30
exceed mark precedence, 16-33
exceed mark priority, 16-35
exceed no-action, 16-38
F
flow admission-control profile, 19-9
flow apply admission-control profile, 19-10
flow enable, 19-11
flow monitor circuit, 19-12
foreach, 21-23
foreign-agent, 7-27
foreign-agent-peer, 8-15
forward-all, 5-43
forwarding scheme, 7-28
forwarding traffic, 7-29
forward output, 14-16
forward policy, 14-18
forward policy in, 14-19
forward policy out, 14-21
G
gre mtu, 7-30
H
header, 23-10
hold-time, 7-31
home-agent, 8-16
home-agent-peer, 7-32
http-redirect profile, 9-9
http-redirect server, 9-11
I
ignore, 13-23
interface
ANCP protocol, 6-16
Mobile IP interface configuration, 7-33
ND protocol, 3-5
ip access-group, 12-38
ip access-list, 12-40
ip arp, 2-7
ip arp arpa, 2-9
ip arp delete-expired, 2-10
ip arp maximum incomplete-entries, 2-11
ip arp proxy-arp, 2-12
ip arp secured-arp, 2-14
ip arp timeout, 2-16
ip dmz, 13-24
ip domain-lookup, 11-5
ip domain-name, 11-6
ip host, 11-7
ip interface, 5-44
ipip mtu, 7-34
ip name-servers, 11-8
ip nat, 13-25
ip nat pool, 13-26
ip static in, 13-27
ip static out, 13-29
ip subscriber arp, 2-17
ip to qos, 18-43
ipv6 host, 11-9
ipv6 name-servers, 11-10
K
keepalive, 6-17
key-chain description, 24-7
key-chain key-id, 24-8
key-string, 24-10
L
lawful-intercept, 23-12
li-profile, 23-13
llc-xid-processing, 7-35
local-address, 8-17
M
mac-address, 5-46
mapping-schema, 16-40
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
max-flows-per-circuit, 19-13
max-hops, 5-47
max-lease-time, 5-48
max-pending-registrations, 7-36
min-wait, 5-49
mirror destination, 14-23
modify ip access-list, 12-42
modify policy access-list, 12-44
mpls to qos, 18-45
mpls use-ethernet, 18-47
mpls use-ip, 18-49
N
nat policy, 13-31
nat policy-name, 13-33
neighbor, 3-7
neighbor profile, 6-19
ns-retry-interval, 3-8
ntp mode, 4-4
ntp peer, 4-5
ntp server, 4-7
num-queues, 17-26
O
offer-lease-time, 5-50
option, 5-51
option-82, 5-57
out, 21-80
P
parameter, 21-25
parent-class, 16-52
peer id, 6-20
peer ip-address, 6-21
pending, 23-14
periodic, 12-46
permit, 12-48
policy access-list, 12-58
pool, 13-34
port, 9-12
preferred-lifetime, 3-10
prefix, 3-12
propagate qos from ethernet, 18-51
propagate qos from ip, 18-53
propagate qos from l2tp, 18-55
propagate qos from mpls, 18-57
propagate qos from subscriber, 18-59
propagate qos to ethernet, 18-61
propagate qos to ip, 18-62
propagate qos to l2tp, 18-63
propagate qos to mpls, 18-65
propagate qos transport use-vlan-header, 18-67
propagate qos use-vlan-ethertype, 18-68
propagate qos use-vlan-header, 18-70
Q
qos class, 16-54
qos class-definition, 16-56
qos class-map, 16-57
qos congestion-avoidance-map, 17-28
qos hierarchical mode strict, 18-71
qos mode, 17-30, 18-73
qos node, 18-75
qos node-group, 18-77
qos node-reference, 18-78
qos policy atmwfq, 17-31
qos policy edrr, 17-33
qos policy mdrr, 17-35
qos policy metering, 16-59
attaching, 18-79
qos policy policing, 16-61
attaching, 18-83
qos policy pq, 17-37
qos policy protocol-rate-limit, 18-87
qos policy pwfq, 17-39
qos policy queuing, 18-89
qos priority, 18-92
qos profile overhead, 18-94
creating, 17-40
selecting, 17-40
qos queue-map, 17-41
qos rate, 18-96
qos to atm, 18-98
qos to ethernet, 18-100
qos to ip, 18-102
qos to mpls, 18-104
qos use-ip, 18-106
qos weight, 18-108
queue 0 mode, 17-43
queue congestion epd, 17-44
queue depth, 17-46
queue exponential-weight, 17-48
queue-map, 17-50
queue priority, 17-51
queue priority-group, 17-54
queue rate, 17-56
queue red, 17-57
queue weight, 17-62
R
ra, 3-14
radius accounting algorithm, 21-28
radius accounting deadtime, 21-29
radius accounting max-outstanding, 21-31
radius accounting max-retries, 21-32
radius accounting send-acct-on-off, 21-33
radius accounting server, 21-35
radius accounting server-timeout, 21-37
radius accounting timeout, 21-38
radius algorithm, 21-39
radius attribute acct-delay-time, 21-40
radius attribute acct-session-id, 21-42
radius attribute acct-terminate-remap, 21-43
radius attribute acct-tunnel-connection l2tp-call-serial-num, 21-44
radius attribute calling-station-id, 21-46
radius attribute filter-id, 21-50
radius attribute nas-identifier, 21-52
radius attribute nas-ip-address, 21-53
radius attribute nas-port, 21-54
radius attribute nas-port-id, 21-58
radius attribute nas-port-type, 21-61
radius attribute vendor-specific, 21-63
radius coa server, 21-64
radius deadtime, 21-67
radius max-outstanding, 21-69
radius max-retries, 21-70
radius policy, 21-71
radius server, 21-73
radius server-timeout, 21-75
radius service profile, 21-76
radius source-port, 21-77
radius strip-domain, 21-79
radius timeout, 21-80
range, 5-59
rate, 16-63
EDRR and PWFQ policies, 17-64
rate-adjust dhcp pwfq, 5-61
rate-calculation, 16-66
rate circuit, 18-110
rate-factor, 17-66
rate-limit dhcp, 5-63
rate percentage, 16-67
rbak-term-ec, 21-81
reachable-time, 3-16
redirect destination circuit, 14-25
redirect destination local, 9-13
redirect destination next-hop, 14-26
registration max-lifetime, 7-37
HA, 8-19
replay-tolerance, 8-20
resequence ip access-list, 12-60
resequence policy access-list, 12-61
reserved, 17-68
revocation, 7-38
HA, 8-21
router ancp, 6-22
router mobile-ip, 7-40
HA, 8-23
router nd, 3-18
S
send-lifetime, 24-11
server-group, 5-65
service-policy, 15-9
session-action, 20-86
shutdown, 8-24
FA configuration, 7-41
HA peer configuration, 7-41
Mobile IP interface configuration, 7-41
slowsync, 4-9
spi, 24-13
standby, 5-66
subnet, 5-67
sustained-creation-rate, 19-14
system-id, 6-23
T
tacacs+ deadtime, 22-5
tacacs+ identifier, 22-7
tacacs+ max-retries, 22-8
tacacs+ server, 22-10
tacacs+ strip-domain, 22-12
tacacs+ timeout, 22-13
tcp-port local, 6-24
tcp-port remote, 6-25
time-out, 7-43
timeout, 13-35
transport gre, 23-15
transport udp, 23-16
tunnel-type, 8-25
type, 17-70, 23-18
U
url, 9-15
user-class-id, 5-71
V
valid-lifetime, 3-19
vendor-class, 5-73
vendor-class-id, 5-75
violate drop, 16-69
violate mark dscp, 16-71
violate mark precedence, 16-74
violate mark priority, 16-76
violate no-action, 16-79
vpn-context, 7-44
W
weight, 17-72
Index of Command Modes 1
Index of Command Modes
A
access control list configuration mode
condition, 12-25
deny, 12-27
description, 12-37
permit, 12-48
ACL condition configuration mode
absolute, 12-16
periodic, 12-46
administrator configuration mode
command-access, 23-8
ANCP configuration mode
keepalive, 6-17
neighbor profile, 6-19
system-id, 6-23
tcp-port local, 6-24
ANCP neighbor configuration mode
access-line rate, 6-14
interface, 6-16
peer id, 6-20
peer ip-address, 6-21
tcp-port remote, 6-25
ATM DS-3 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
ATM OC configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
ATM profile configuration mode
clpbit propagate qos from atm, 18-34
clpbit propagate qos to atm, 18-36
radius attribute nas-port-type, 21-61
ATM PVC configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
ATMWFQ policy configuration mode
num-queues, 17-26
queue 0 mode, 17-43
queue congestion epd, 17-44
queue-map, 17-50
queue weight, 17-62
C
card configuration mode
rate-limit dhcp, 5-63
circuit configuration mode
flow apply admission-control profile, 19-10
class definition configuration mode
qos class, 16-54
class map configuration mode
atm to qos, 18-28
atm use-ethernet, 18-30
atm use-ip, 18-32
ethernet to qos, 18-39
ethernet use-ip, 18-41
ip to qos, 18-43
mapping-schema, 16-40
mpls to qos, 18-45
mpls use-ethernet, 18-47
mpls use-ip, 18-49
qos class-map, 18-39
qos to atm, 18-98
qos to ethernet, 18-100
qos to ip, 18-102
qos to mpls, 18-104
qos use-ip, 18-106
CLIPS PVC configuration mode
rate circuit, 18-110
congestion map configuration mode
queue depth, 17-46
queue exponential-weight, 17-48
queue red, 17-57
context configuration mode
aaa accounting administrator, 20-20
aaa accounting commands, 20-22
aaa accounting event, 20-24
aaa accounting l2tp, 20-26
aaa accounting reauthorization subscriber, 20-29
aaa accounting subscriber, 20-31
aaa accounting suppress-acct-on-fail, 20-34
aaa authentication administrator, 20-36
aaa authentication subscriber, 20-40
aaa authorization commands, 20-43
aaa authorization tunnel, 20-45
aaa double-authentication subscriber radius, 20-46
aaa encrypted-password default, 20-48
aaa hint ip-address, 20-66
aaa maximum subscriber, 20-71
aaa password, 20-73
aaa provision binding-order, 20-75
aaa provision route, 20-77
aaa rate-report-factor, 20-78
aaa reauthorization bulk, 20-80
aaa update subscriber, 20-82
admin-access-group, 12-21
arp rate, 2-6
dhcp relay option, 5-34
dhcp relay server, 5-36
dhcp relay server retries, 5-38
dhcp relay suppress-nak, 5-39
dhcp server policy, 5-42
encrypt, 9-7
http-redirect profile, 9-9
ip access-list, 12-40
ip arp, 2-7
ip arp maximum incomplete-entries, 2-11
ip domain-lookup, 11-5
ip domain-name, 11-6
ip host, 11-7
ip name-servers, 11-8
ip nat pool, 13-26
ipv6 host, 11-9
ipv6 name-servers, 11-10
key-chain description, 24-7
key-chain key-id, 24-8
nat policy, 13-31
policy access-list, 12-58
radius accounting algorithm, 21-28
radius accounting deadtime, 21-29
radius accounting max-outstanding, 21-31
radius accounting max-retries, 21-32
radius accounting send-acct-on-off, 21-33
radius accounting server, 21-35
radius accounting server-timeout, 21-37
radius accounting timeout, 21-38
radius algorithm, 21-39
radius attribute acct-delay-time, 21-40
radius attribute acct-session-id, 21-42
radius attribute acct-tunnel-connection, 21-44
radius attribute calling-station-id, 21-46
radius attribute filter-id, 21-50
radius attribute nas-identifier, 21-52
radius attribute nas-ip-address, 21-53
radius attribute nas-port, 21-54
radius attribute nas-port-id, 21-58
radius attribute nas-port-type, 21-61
radius attribute vendor-specific, 21-63
radius coa server, 21-64
radius deadtime, 21-67
radius max-outstanding, 21-69
radius max-retries, 21-70
radius policy, 21-71
radius server, 21-73
radius server-timeout, 21-75
radius service profile, 21-76
radius strip-domain, 21-79
radius timeout, 21-80
resequence ip access-list, 12-60
resequence policy access-list, 12-61
router ancp, 6-22
router mobile-ip, 7-40, 8-23
router nd, 3-18
subnet, 5-67
tacacs+ deadtime, 22-5
tacacs+ identifier, 22-7
tacacs+ max-retries, 22-8
tacacs+ server, 22-10
tacacs+ strip-domain, 22-12
tacacs+ timeout, 22-13
D
DHCP giaddr configuration mode
user-class-id, 5-71
vendor-class-id, 5-75
DHCP relay server configuration mode
broadcast-discover, 5-26
forward-all, 5-43
max-hops, 5-47
min-wait, 5-49
server-group, 5-65
standby, 5-66
DHCP server configuration mode
allow-duplicate-mac, 5-22
bootp-enable-auto, 5-23
bootp-filename, 5-24
boot-siaddr, 5-25
default-lease-time, 5-27
max-lease-time, 5-48
offer-lease-time, 5-50
option, 5-51
threshold, 5-69
vendor-class, 5-73
DHCP subnet configuration mode
mac-address, 5-46
max-lease-time, 5-48
offer-lease-time, 5-50
option, 5-51
option-82, 5-57
range, 5-59
dot1q profile configuration mode
propagate qos from ethernet, 18-51
propagate qos to ethernet, 18-61
propagate qos transport use-vlan-header, 18-67
radius attribute nas-port-type, 21-61
dot1q PVC configuration mode
access-line access-node-id, 6-12
access-line agent-circuit-id, 6-10
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy protocol-rate-limit, 18-87
qos policy queuing, 18-89
qos priority, 18-92
qos profile overhead, 18-94
qos rate, 18-96
qos weight, 18-108
rate circuit, 18-110
DS-0 group configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
DS-1 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
DS-3 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
dynamic tunnel profile configuration mode
clear-df (dynamic tunnel), 7-23
gre mtu, 7-30
hold-time, 7-31
ipip mtu, 7-34
time-out, 7-43
E
E1 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
E3 configuration mode
forward policy in, 14-19
forward policy out, 14-21
qos mode, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
EDRR policy configuration mode
num-queues, 17-26
queue depth, 17-46
queue-map, 17-50
queue red, 17-57
queue weight, 17-62
exec mode
flow enable, 19-11
modify ip access-list, 12-42
modify policy access-list, 12-44
F
FA configuration mode
advertise tunnel-type, 7-19
authentication, 7-20
care-of-address, 7-22
forwarding scheme, 7-28
forwarding traffic, 7-29
home-agent-peer, 7-32
llc-xid-processing, 7-35
revocation, 7-38
shutdown, 7-41
FA peer configuration mode
authentication, 8-10
shutdown, 8-24
flow configuration mode
burst-creation-rate, 19-8
flow monitor circuit, 19-12
max-flows-per-circuit, 19-13
sustained-creation-rate, 19-14
forward policy configuration mode
access-group, 12-18
drop, 14-14
mirror destination, 14-23
redirect destination circuit, 14-25
redirect destination local, 9-13
redirect destination next-hop, 14-26
Frame Relay PVC configuration mode
forward output, 14-16
forward policy in, 14-19
forward policy out, 14-21
qos policy metering, 18-79
qos policy policing, 18-83
qos policy queuing, 18-89
qos priority, 18-92
rate circuit, 18-110
G
global configuration mode
aaa global accounting event, 20-49
aaa global accounting l2tp-session, 20-51
aaa global accounting reauthorization subscriber, 20-53
aaa global accounting subscriber, 20-55
aaa global authentication subscriber, 20-57
aaa global maximum subscriber, 20-59
aaa global reject empty-username, 20-61
aaa global update subscriber, 20-64
aaa last-resort, 20-69
aaa username-format, 20-84
flow admission-control profile, 19-9
forward policy, 14-18
http-redirect server, 9-11
li-profile, 23-13
ntp mode, 4-4
ntp peer, 4-5
ntp server, 4-7
qos class-definition, 16-56
qos class-map, 16-57
qos congestion-avoidance-map, 17-28
qos policy atmwfq, 17-31
qos policy edrr, 17-33
qos policy mdrr, 17-35
qos policy metering, 16-59
qos policy policing, 16-61
qos policy pq, 17-37
qos policy protocol-rate-limit, 18-87
qos policy pwfq, 17-39
qos profile overhead, 17-40
qos queue-map, 17-41
radius attribute acct-terminate-cause remap, 21-43
radius policy, 21-71
radius source-port, 21-77
service-policy, 15-7, 15-9
GRE tunnel configuration mode
forward output, 14-16
H
HA configuration mode
advertise, 8-25
authentication, 8-10
foreign-agent-peer, 8-15
local-address, 8-17
registration max-lifetime, 8-19
replay-tolerance, 8-20
revocation, 8-21
shutdown, 8-24
HA peer configuration mode
authentication, 7-20
max-pending-registrations, 7-36
shutdown, 7-41
vpn-context, 7-44
hierarchical node configuration mode
qos hierarchical mode strict, 18-71
qos policy queuing, 18-89
qos rate, 18-96
qos weight, 18-108
hierarchical node group configuration mode
qos hierarchical mode strict, 18-71
qos node, 18-75
qos rate, 18-96
qos weight, 18-108
HTTP redirect profile configuration mode
url, 9-15
HTTP redirect server configuration mode
port, 9-12
I
interface configuration mode
dhcp proxy, 5-30
dhcp relay, 5-32
dhcp server, 5-40
ip access-group, 12-38
Index of Command Modes 5
ip arp arpa, 2-9
ip arp delete-expired, 2-10
ip arp proxy-arp, 2-12
ip arp secured-arp, 2-14
ip arp timeout, 2-16
ip nat, 13-25
propagate qos to ip, 18-62
shutdown, 7-41
K
key chain configuration mode
accept-lifetime, 24-5
key-string, 24-10
send-lifetime, 24-11
spi, 24-13
L
L2TP peer configuration mode
propagate qos from l2tp, 18-55
propagate qos from subscriber, 18-59
propagate qos to l2tp, 18-63
link group configuration mode
qos mode, 18-39, 18-41, 18-73
qos policy metering, 18-79
qos policy policing, 18-83
qos policy protocol-rate-limit, 18-87
qos policy queuing, 18-89
qos priority, 18-92
link-group configuration mode
rate circuit, 18-110
link PVC configuration mode
qos policy protocol-rate-limit, 18-87
LI profile configuration mode
pending, 23-14
transport gre, 23-15
transport udp, 23-16
type, 23-18
M
MDRR configuration mode
qos mode, 17-30
metering policy configuration mode
class-group, 16-17
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
rate, 16-63
rate-calculation, 16-66
Mobile IP configuration mode
dynamic-tunnel-profile, 7-24, 8-12
foreign-agent, 7-27
home-agent, 8-16
interface, 7-33
Mobile IP interface configuration mode
advertise max-interval, 7-16
advertise max-lifetime, 7-17
advertise min-interval, 7-18
registration max-lifetime, 7-37
MPLS router configuration mode
egress prefer dscp-qos, 18-38
propagate qos from mpls, 18-57
propagate qos to mpls, 18-65
propagate qos use-vlan-ethertype, 18-68
propagate qos use-vlan-header, 18-70
N
NAT policy configuration mode
access-group, 12-18
admission-control, 13-16
connections, 13-18
destination, 13-20
drop, 13-22
ignore, 13-23
ip dmz, 13-24
ip static in, 13-27
ip static out, 13-29
pool, 13-34
timeout, 13-35
NAT policy group class configuration mode
destination, 13-20
NAT pool configuration mode
address, 13-14
ND router configuration mode
interface, 3-5
ns-retry-interval, 3-8
preferred-lifetime, 3-10
ra, 3-14
reachable-time, 3-16
valid-lifetime, 3-19
ND router interface configuration mode
neighbor, 3-7
ns-retry-interval, 3-8
preferred-lifetime, 3-10
prefix, 3-12
ra, 3-14
reachable-time, 3-16
valid-lifetime, 3-19
NTP configuration mode
slowsync, 4-9
num-queues configuration mode
queue priority, 17-51
O
overhead profile configuration mode
encaps-factor-default, 17-23
rate-factor, 17-66
reserved, 17-68
type, 17-70
overhead type configuration mode
rate-factor, 17-66
reserved, 17-68
P
policing policy configuration mode
class-group, 16-17
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
rate, 16-63
rate-calculation, 16-66
policy class rate configuration mode
conform mark dscp, 16-19
conform mark precedence, 16-22
conform mark priority, 16-24
conform no-action, 16-27
exceed drop, 16-28
exceed mark dscp, 16-30
exceed mark precedence, 16-33
exceed mark priority, 16-35
exceed no-action, 16-38
violate drop, 16-69
violate mark dscp, 16-71
violate mark precedence, 16-74
violate mark priority, 16-76
violate no-action, 16-79
policy group class configuration mode
admission-control, 13-16
drop
forward policies, 14-14
NAT policies, 13-22
ignore, 13-23
mark dscp, 16-45
mark precedence, 16-47
mark priority, 16-49
mirror destination, 14-23
parent-class, 16-52
pool, 13-34
rate, 16-63
rate percentage, 16-67
redirect destination circuit, 14-25
redirect destination local, 9-13
redirect destination next-hop, 14-26
timeout, 13-35
policy group configuration mode
class, 12-23
policy rate configuration mode
conform mark dscp, 16-19
conform mark precedence, 16-22
conform mark priority, 16-24
conform no-action, 16-27
exceed drop, 16-28
exceed mark dscp, 16-30
exceed mark precedence, 16-33
exceed mark priority, 16-35
exceed no-action, 16-38
violate drop, 16-69
violate mark dscp, 16-71
violate mark precedence, 16-74
violate mark priority, 16-76
violate no-action, 16-79
port configuration mode
forward output, 14-16
forward policy in, 14-19
forward policy out, 14-21
qos hierarchical mode strict, 18-71
qos mode, 18-73
qos node-group, 18-77
qos policy metering, 18-79
qos policy policing, 18-83
qos policy protocol-rate-limit, 18-87
qos policy queuing, 18-89
qos priority, 18-92
qos profile overhead, 18-94
qos rate, 18-96
radius attribute nas-port-type, 21-61
rate circuit, 18-110
PQ policy configuration mode
num-queues, 17-26
queue depth, 17-46
queue-map, 17-50
queue rate, 17-56
queue red, 17-57
PWFQ policy configuration mode
congestion-map, 17-22
num-queues, 17-26
queue-map, 17-50
queue priority, 17-51
queue priority-group, 17-54
weight, 17-72
Q
QoS metering policy configuration mode
access-group, 12-18
QoS policing policy configuration mode
access-group, 12-18
queue map configuration mode
num-queues, 17-26
R
RADIUS policy configuration mode
attribute, 21-18
S
service policy configuration mode
allow, 15-5
attribute, 21-18
service profile configuration mode
accounting, 21-16
foreach, 21-23
parameter, 21-25
software license configuration mode
lawful-intercept, 23-12
subscriber configuration mode
access-line adjust, 6-9
access-list, 12-20
dhcp max-addrs, 5-28
dns, 11-4
forward policy in, 14-19
forward policy out, 14-21
http-redirect profile, 9-9
ip access-group, 12-38
ip interface, 5-44
ip subscriber arp, 2-17
nat policy-name, 13-33
propagate qos from ip, 18-53
propagate qos to ip, 18-62
qos node-reference, 18-78
qos policy metering, 18-79
qos policy policing, 18-83
qos policy protocol-rate-limit, 18-87
qos policy queuing, 18-89
rate-adjust dhcp pwfq, 5-61
session-action, 20-86
sustained-creation-rate, 19-14
T
terminate error cause configuration mode
rbak-term-ec, 21-81