COMMAND DESCRIPTION 1/190 82-CRA 119 1170/1-V1 Uen A
Copyright
© Copyright Ericsson AB 2009. All rights reserved.
Disclaimer
No part of this document may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget L M Ericsson.
NetOp is a trademark of Telefonaktiebolaget L M Ericsson.
Commands starting with numbers and symbols through commands starting with “al” are included.
?
Displays brief system help on the available commands or command options.
all modes
This command has no keywords or arguments.
None
Use the ? command to display brief system help on the available commands or command options.
To list all valid commands available in the current mode, enter a question mark (?) at the system prompt.
To list the associated keywords or arguments for a command, enter the ? command in place of a keyword or argument on the command line. This form of help is called full help, because it lists the keywords or arguments that apply to the command based on the full command, keywords, and arguments you have already entered.
To obtain a list of commands or keywords that begin with a particular character string, enter the abbreviated command or keyword immediately followed by the ? command. This form of help is called partial help, because it lists only the commands or keywords that begin with the abbreviation you entered.
The following example displays exec commands available for a user with a privilege level of 6 (> prompt):
[local]Redback>?
atm         ATM Operations
debug       Modify debugging parameters
disable     Drop into disable user mode
edit        Edit a file with vi
enable      Modify command mode privilege
exit        Exit exec mode
help        Description of the interactive help system
monitor     Monitor information
more        Display the contents of a file
mrinfo      Request multicast router information
mtrace      Trace reverse multicast path from source to receiver
no          Disable an interactive option
ping        Packet Internet Groper Command
show        Show running system information
ssh         Execute SSH/SSHD commands
talk        talk to user
telnet      Telnet to a host
terminal    Modify terminal settings
traceroute  Trace route to destination
The following example displays how to use partial help to display all commands (in global configuration mode) that begin with the character sequence sy:
[local]Redback(config)#sy?
system  system clock-source
The following example displays how to use full help to display the next argument of a partially complete system clock command (in global configuration mode):
[local]Redback(config)#system clock ?
summer-time  Configure summer (daylight savings) time
timezone     Configure time zone
[local]Redback(config-ctx)#system clock
The following example displays the first few commands available for an administrator with a default privilege level of 6 (> prompt):
[local]Redback>?
bulkstats   Manage bulk statistics collection file
disable     Drop into disable administrator mode
enable      Modify command mode privilege
...
aaa accounting administrator {radius | tacacs+}
{no | default} aaa accounting administrator {radius | tacacs+}
Enables accounting messages for administrator sessions.
context configuration
radius: Specifies that accounting messages are to be sent to a Remote Authentication Dial-In User Service (RADIUS) server.
tacacs+: Specifies that accounting messages are to be sent to a Terminal Access Controller Access Control System Plus (TACACS+) server.
Accounting is disabled.
Use the aaa accounting administrator command to enable accounting messages for administrator sessions. Messages can be sent to a RADIUS or TACACS+ server.
You must configure at least one accounting server in the current context before any messages can be sent to it.
Use the no or default form of this command to disable RADIUS or TACACS+ accounting messages for administrator sessions.
The following example shows how to enable TACACS+ accounting messages for administrator sessions for the local context:
[local]Redback(config-ctx)#aaa accounting administrator tacacs+
The following example shows how to enable RADIUS accounting messages for administrator sessions for the local context:
[local]Redback(config-ctx)#aaa accounting administrator radius
aaa accounting commands level tacacs+ [except except-level]
{no | default} aaa accounting commands level
Specifies that accounting messages are sent to a Terminal Access Controller Access Control System Plus (TACACS+) server whenever an administrator enters commands at the specified privilege level (or higher).
context configuration
level: Command privilege level. The range of values is 0 to 15.
tacacs+: Indicates that a TACACS+ server must record commands for accounting.
except except-level: Optional. Command privilege level that will not be sent to the server for accounting. The range of values is 1 to 15. The value for this argument must be greater than that specified for the level argument.
No TACACS+ accounting of commands is required.
Use the aaa accounting commands command to specify that accounting messages are sent to a TACACS+ server whenever an administrator enters commands at the specified privilege level (or higher).
To use TACACS+, you must configure the IP address or hostname of a TACACS+ server in the context in which commands are accessed. To configure the server’s IP address or hostname, use the tacacs+ server command (in context configuration mode); see Configuring TACACS+.
For information about default privilege levels for commands and how to modify command privilege levels, see Performing Basic Configuration Tasks.
Use the no or default form of this command to disable the sending of accounting messages to the TACACS+ server.
The following example sends accounting messages to a TACACS+ server for commands that are configured with a privilege level of 6 or greater with the exception of privilege level 15:
[local]Redback(config-ctx)#aaa accounting commands 6 tacacs+ except 15
aaa accounting event {dhcp | reauthorization | ancp}
{no | default} aaa accounting event {dhcp | reauthorization | ancp}
Enables accounting messages for Dynamic Host Configuration Protocol (DHCP) leases, reauthorization information, or Access Node Control Protocol (ANCP) events for subscriber sessions in the current context to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the same context.
context configuration
dhcp: Enables accounting messages to be sent whenever a DHCP lease is created or released.
reauthorization: Enables accounting messages to be sent for subscriber reauthorization sessions. Information sent provides details about subscriber circuits after reauthorization is complete.
ancp: Enables accounting messages to be sent whenever an ANCP event is received. Information sent provides details from the digital subscriber line access multiplexer (DSLAM) about changes to the subscriber DSL, such as a rate change.
RADIUS-based accounting is disabled.
Use the aaa accounting event command to enable accounting messages for DHCP leases, reauthorization information, or ANCP events for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
If an ANCP event occurs when no subscriber session is on the line, no accounting message is sent.
Use the no or default form of this command to disable the sending of RADIUS-based accounting messages.
The following example enables accounting messages for reauthorization information for subscriber sessions in the corpA context to be sent to the RADIUS accounting server with an IP address or hostname in the same context:
[local]Redback(config)#context corpA
[local]Redback(config-ctx)#aaa accounting event reauthorization
aaa accounting l2tp session {none | radius | global}
{no | default} aaa accounting l2tp session {radius | global}
aaa accounting l2tp tunnel {none | radius}
{no | default} aaa accounting l2tp tunnel
Enables accounting messages for Layer 2 Tunneling Protocol (L2TP) tunnels, or sessions in L2TP tunnels, or both, for the current context, to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. For sessions in L2TP tunnels, the accounting messages for the current context can be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context, the local context, or both contexts.
none: Disables RADIUS-based accounting.
radius: Enables RADIUS-based accounting.
global: Enables global RADIUS-based accounting (without global RADIUS authentication) for sessions in L2TP tunnels.
RADIUS-based accounting is disabled.
Use the aaa accounting l2tp command to enable accounting messages for L2TP tunnels, or sessions in L2TP tunnels, or both, for the current context, to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. You can also enable accounting messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context, the local context, or both contexts.
Use the aaa accounting l2tp tunnel command with the radius keyword to enable accounting messages for L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. Use the aaa accounting l2tp command with the session and radius keywords to enable accounting messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. Both implementations of the aaa accounting l2tp command here reflect context-level L2TP accounting.
Use the aaa accounting l2tp command with the session and global keywords to enable accounting messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. This implementation reflects global-level L2TP accounting.
Two-stage accounting permits data for all contexts to be sent to both the RADIUS accounting servers in the local context for global-level accounting and any RADIUS accounting servers in the context to which the subscriber is bound for context-level accounting. Enabling two-stage accounting for L2TP tunnels requires that you configure one or more RADIUS accounting servers in the local context and configure one or more RADIUS accounting servers in a nonlocal context or current context. You must also configure global L2TP accounting and global authentication. With two-stage accounting for sessions in L2TP tunnels, global authentication is optional. To enable two-stage accounting with global authentication, configure the aaa accounting l2tp command (in context configuration mode) with the radius keyword and the aaa global accounting l2tp-session command (in global configuration mode). To enable two-stage accounting without global authentication, use the aaa accounting l2tp command with the session, radius, and global keywords. The global keyword allows accounting to be performed without global authentication.
If the SmartEdge® router is acting as an L2TP network server (LNS) in a context, the accounting data is for the LNS; if it is acting as an L2TP access concentrator (LAC), the accounting data is for the LAC. If the SmartEdge router is acting as a tunnel switch, both sets of accounting data are sent to the RADIUS server; in this case, each set of data is tagged as follows:
Use the no or default form of this command or the none keyword to disable the sending of RADIUS accounting messages.
The following example enables accounting messages for L2TP tunnels in the siteA context to be sent to the RADIUS accounting server configured in the siteA context:
[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa accounting l2tp radius
The following example enables accounting messages for sessions in L2TP tunnels in the siteB context to be sent to the RADIUS accounting server configured in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key my_key
. . .
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#aaa accounting l2tp global
aaa accounting reauthorization subscriber {none | radius}
{no | default} aaa accounting reauthorization subscriber
Enables accounting messages for the reauthorize command entered in the current context in exec mode to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the same context.
context configuration
none: Disables RADIUS-based accounting.
radius: Enables RADIUS-based accounting messages to be sent.
RADIUS-based accounting is disabled.
Use the aaa accounting reauthorization command to enable accounting messages for the reauthorize command entered in the current context in exec mode to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
Use the no or default form of this command or the none keyword to disable the sending of RADIUS accounting messages.
The following example enables accounting messages for subscriber reauthorization in the corpA context to be sent to the RADIUS server configured in the corpA context:
[local]Redback(config)#context corpA
[local]Redback(config-ctx)#aaa accounting reauthorization radius
aaa accounting subscriber {none | radius [attribute-guided] | global}
{no | default} aaa accounting subscriber {radius | global}
Enables accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context (for context-level subscriber accounting), in the local context (for global-level subscriber accounting), or in both contexts (for context- and global-level subscriber accounting).
none: Disables RADIUS-based accounting.
radius: Enables RADIUS-based accounting.
attribute-guided: Enables attribute-guided RADIUS-based accounting; ensures that the RADIUS accounting server can send and receive accounting packets. Accounting packets are sent for a subscriber only when the Accounting-Mode VSA is present in the authentication response received for the subscriber.
global: Enables global RADIUS-based accounting (without global RADIUS authentication).
RADIUS-based accounting is disabled.
Use the aaa accounting subscriber command to enable accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context (for context-level subscriber accounting), in the local context (for global-level subscriber accounting), or in both contexts (for context- and global-level subscriber accounting).
Use the aaa accounting subscriber command with the radius keyword to enable accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.
Use the aaa accounting subscriber command with the global keyword to enable accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
To enable two-stage accounting, configure one or more RADIUS accounting servers in a nonlocal context and configure one or more RADIUS accounting servers in the local context. With two-stage accounting, global authentication is optional. To enable two-stage accounting with global authentication, configure global authentication by using the radius keyword with the aaa authentication subscriber command (in context configuration mode) and the aaa global authentication subscriber command (in global configuration mode). To enable two-stage accounting without global authentication, configure the keywords radius and global with the aaa accounting subscriber command. In two-stage accounting, data for all contexts is sent to both the RADIUS accounting servers in the local context and to any RADIUS accounting servers in the context to which the subscriber is bound.
Use the no or default form of this command or the none keyword to disable the sending of RADIUS accounting messages.
The following example enables accounting messages for subscriber sessions in the siteA context to be sent to the RADIUS accounting server configured in the siteA context:
[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa accounting subscriber radius
The following example enables accounting messages for subscriber sessions in the siteB context to be sent to the RADIUS accounting server configured in the local context and to the RADIUS accounting server configured in the siteB context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key my_key
. . .
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#aaa accounting subscriber radius global
The following example shows how to configure RADIUS-based attribute-guided accounting. This configuration is used if the Accounting-Mode VSA is set for the subscriber:
[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key redback
[local]Redback(config-ctx)#aaa accounting subscriber radius attribute-guided
aaa accounting suppress-acct-on-fail [except-for error-cond]
{no | default} aaa accounting suppress-acct-on-fail [except-for error-cond]
Suppresses the sending of accounting messages to Remote Authentication Dial-In User Service (RADIUS) servers when a subscriber session cannot be established.
context configuration
except-for error-cond: Optional. Error condition for which accounting messages are not suppressed, according to one of the following keywords or constructs:
RADIUS-based accounting is disabled. When RADIUS-based accounting is enabled using the aaa accounting subscriber command (in context configuration mode), the operating system always sends an accounting record when a subscriber session cannot be established.
Use the aaa accounting suppress-acct-on-fail command to suppress the sending of accounting messages to RADIUS accounting servers when a subscriber session cannot be established due to an authentication problem, a changed IP address, and so on.
You can specify either or both of the error conditions for which accounting messages are not suppressed.
Use the no or default form of this command to always suppress the sending of accounting messages when an error condition occurs.
The following example suppresses accounting messages sent to RADIUS accounting servers except when the L2TP peer for a subscriber session cannot be reached and the session is not established:
[local]Redback(config-ctx)#aaa accounting suppress-acct-on-fail except-for no-l2tp-peer
aaa authentication administrator {[{console | vty}] method [method [method]] | maximum sessions num-sess}
{no | default} aaa authentication administrator {[{console | vty}] method [method [method]] | maximum}
Prioritizes the methods available for authenticating administrators, or modifies the maximum number of administrator sessions that can be simultaneously active.
context configuration
console: Optional. Enables the specified administrator authentication method on the console port.
vty: Optional. Enables the specified administrator authentication method on a vty port, which is a virtual terminal port used for remote console access.
method: Authentication method, according to one of the following keywords:
One method is required. Specifying a second or third method is optional. Separate each value with a space.
maximum sessions num-sess: Maximum number of administrator sessions that can be active simultaneously. The range of values is 0 to 32. For the local context, the default value is 10. For nonlocal contexts, the default value is 1. The total number of active Telnet, Secure Shell (SSH), or both types of administrator sessions must be fewer than or equal to 100 for all configured contexts. In addition, one administrator session is supported for the console port.
Authentication is performed by the SmartEdge router configuration and is permitted on both the console port and vty ports. For the local context, the number of administrator sessions that can be simultaneously active is 10; for nonlocal contexts, it is 0 or 1 (0 when no administrators are configured; 1 when administrators are configured).
Use the aaa authentication administrator command to prioritize the available administrator authentication methods or modify the maximum number of administrator sessions that can be simultaneously active. If you use this command to prioritize the available administrator authentication methods, you can configure a port type for each specified authentication method.
Authentication methods are attempted in the order in which you enter the keywords. For example, if you enter the radius keyword first, followed by the tacacs+ keyword, followed by the local keyword, authentication is first attempted by the RADIUS server, then by the TACACS+ server, and, finally, by the local configuration.
The maximum number of administrator SSH sessions that can be simultaneously active for all configured contexts can be configured through the ssh server full-drop command (in global configuration mode); the default value is 20. If there are active Telnet sessions, the maximum number of global SSH sessions is limited to the maximum number of SSH sessions configured through the ssh server full-drop command, minus the number of active Telnet sessions in all contexts.
Use the no or default form of this command to return to using only the SmartEdge router configuration for authentication of administrators.
The following example shows how to configure the console port of a SmartEdge router to authenticate administrators through a RADIUS server with the SmartEdge router configuration authentication (local database) as a backup:
[local]Redback(config-ctx)#aaa authentication administrator console radius local
The following example shows how to configure a vty port on a SmartEdge router to authenticate administrators through a TACACS+ server:
[local]Redback(config-ctx)#aaa authentication administrator vty tacacs+
The following example shows how to modify the number of administrator sessions that can be simultaneously active in the local context from 10 (the default) to 15:
[local]Redback(config-ctx)#aaa authentication administrator maximum sessions 15
aaa authentication subscriber {global | local [{global | none | radius}] | none | radius [{global | local | none}]}
{no | default} aaa authentication subscriber
Authenticates subscribers through the SmartEdge router configuration or through one or more Remote Authentication Dial-In User Service (RADIUS) server databases.
context configuration
global: When used alone, authenticates subscribers through one or more RADIUS servers with IP addresses or hostnames configured in the local context. When used as an optional keyword following local, first attempts subscriber authentication through the SmartEdge router configuration in the current context. In the event that no corresponding subscriber record is found in the local database, authenticates subscribers through one or more RADIUS servers with IP addresses or hostnames configured in the local context. When used as an optional keyword following radius, first attempts subscriber authentication through one or more RADIUS servers with IP addresses or hostnames configured in the current context. If those RADIUS servers are not reachable, authenticates subscribers through one or more RADIUS servers with IP addresses or hostnames configured in the local context.
local: When used alone, authenticates subscribers through the SmartEdge router configuration in the current context. When used as an optional keyword following radius, authenticates subscribers through one or more RADIUS servers with IP addresses or hostnames configured in the current context. If the RADIUS servers are not reachable, authenticates subscribers through the SmartEdge router configuration in the current context.
none: When used alone, specifies that authentication of subscribers is not required; all access succeeds. When used as an optional keyword following local, subscribers are first authenticated through the SmartEdge router configuration. In the event that no corresponding subscriber record is found in the local database, access succeeds.
radius: When used alone, authenticates subscribers by one or more RADIUS servers with IP addresses or hostnames in the current context. When used as an optional keyword following local, first attempts subscriber authentication through the SmartEdge router configuration in the current context. In the event that no corresponding subscriber record is found in the local database, authenticates subscribers by one or more RADIUS servers with IP addresses or hostnames in the current context.
Subscribers are authenticated by the SmartEdge router configuration.
Use the aaa authentication subscriber command to authenticate subscribers through the SmartEdge router configuration or through one or more RADIUS server databases.
The SmartEdge router configuration is also referred to as the “local database,” which is simply a set of commands, such as the subscriber command (in context configuration mode) and the password command (in subscriber configuration mode).
With RADIUS, the database records of the RADIUS server are used to authenticate subscribers. The IP address or hostname of one or more RADIUS servers can be configured in the “local” context or in the context to which the subscriber’s circuit is to be bound. Each context can use its own set of RADIUS servers for authentication. Alternatively, a context can be configured to use the RADIUS servers with IP addresses or hostnames configured in the “local” context—this is known as “global authentication.”
With global authentication, the RADIUS servers are expected to return the Context-Name vendor-specific attribute (VSA) that indicates the particular context to which the subscriber is to be bound. You can also configure the SmartEdge router to try authentication through one or more RADIUS servers with IP addresses or hostnames configured in the current context first, with a fallback to the global RADIUS server or to the local database, in case the RADIUS server configured in the current context becomes unreachable.
To disable authentication of subscribers, use the none keyword with this command. Do this only when subscriber authentication is not required, such as when Dynamic Host Configuration Protocol (DHCP) is used to obtain IP addresses for subscribers’ hosts.
Caution! Risk of security breach. With the aaa authentication subscriber none command, the SmartEdge router does not read any of the subscriber records configured, except for the default subscriber record. This means that individual subscriber usernames and passwords are not authenticated by the SmartEdge router. Therefore, IP addresses, routes, and Address Resolution Protocol (ARP) entries within individual subscriber records are not installed. Verify your network security setup before using the aaa authentication subscriber none command.
Use the no or default form of this command to authenticate subscribers through the SmartEdge router configuration.
The following example authenticates subscriber sessions for the siteB context by first using the RADIUS server configured within the context, followed by the SmartEdge router configuration for the context should the RADIUS server become unreachable:
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#radius server 10.2.3.4 key TopSecret
[local]Redback(config-ctx)#aaa authentication subscriber radius local
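The keyword table above gives two different fall-through rules: a first keyword of local yields to the second keyword only when no subscriber record exists, while a first keyword of radius yields only when its servers are unreachable, so an Access-Reject from the current context's RADIUS server is never retried elsewhere. The following Python model is an added example, not SmartEdge code; the Outcome values and the `sources` dictionary are constructed inputs, and treating a none second keyword after radius like the documented local none case is an assumption.

```python
from enum import Enum


class Outcome(Enum):
    """What one authentication source reports for a single login attempt (constructed)."""
    ACCEPT = "accept"            # credentials verified (Access-Accept or local match)
    REJECT = "reject"            # record found but credentials wrong, or Access-Reject
    UNREACHABLE = "unreachable"  # the RADIUS servers of that context did not answer
    NO_RECORD = "no-record"      # the local database has no record for this subscriber


# The one outcome of the first keyword that lets the second keyword be tried.
# The reference ties "local" to "no corresponding subscriber record is found"
# and "radius" to "those RADIUS servers are not reachable"; nothing else falls through.
FALL_THROUGH = {"local": Outcome.NO_RECORD, "radius": Outcome.UNREACHABLE}


def authenticate(methods, sources):
    """Decide a login under `aaa authentication subscriber <methods>`.

    methods: keywords in the order typed, e.g. ("radius", "local").
    sources: Outcome for "local" (current-context configuration), "radius"
             (RADIUS servers in the current context) and "global" (RADIUS
             servers in the local context) for this attempt.
    Returns "accept" or "reject".
    """
    first, *rest = methods
    if first == "none":
        return "accept"                      # authentication not required
    if first == "global":                    # global alone has no fallback
        return "accept" if sources["global"] is Outcome.ACCEPT else "reject"
    result = sources[first]
    if result is Outcome.ACCEPT:
        return "accept"
    if not rest or result is not FALL_THROUGH[first]:
        return "reject"                      # a reject or wrong password is final
    second = rest[0]
    if second == "none":
        # documented for "local none"; assumed to behave the same after "radius"
        return "accept"
    return "accept" if sources[second] is Outcome.ACCEPT else "reject"


def fallback_trigger(methods):
    """Name the only condition under which the second keyword is consulted, or None."""
    if len(methods) < 2 or methods[0] not in FALL_THROUGH:
        return None
    return FALL_THROUGH[methods[0]].value
```

The model shows why "radius local" is a resilience measure rather than a second chance: a subscriber rejected by RADIUS is not re-checked against the local database.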
aaa authorization commands level tacacs+ [none] [except except-level]
{no | default} aaa authorization commands level
Specifies that commands with a matching privilege level (or higher) require authorization through Terminal Access Controller Access Control System Plus (TACACS+).
context configuration
level: Privilege level. The range of values is 0 to 15. A user account with a privilege level that matches or is greater than the value of the level argument must be authorized by TACACS+ before the user can enter SmartEdge router CLI commands set to this privilege level.
tacacs+: Enforces authorization through TACACS+.
none: Optional. Disables authorization if the server is unavailable.
except except-level: Optional. Command privilege level that will not be sent to the server for authorization. The range of values is 1 to 15. The value for this argument must be greater than that specified for the level argument.
Commands do not require authorization through TACACS+.
Use the aaa authorization commands command to specify that commands with a matching privilege level (or higher) require authorization through TACACS+.
Caution! Risk of administrative failure. If a TACACS+ server has not been set up and configured before this command is issued, you may not have authorization to use commands on your SmartEdge router. To reduce the risk, you must first configure the IP address or hostname of a TACACS+ server in the context in which commands are accessed. To do so, enter the tacacs+ server command (in context configuration mode); for more information, see Configuring TACACS+.
Caution! Risk of administrative failure. If you have configured authorization without the none keyword and the TACACS+ server is not available, you might not have authorization to use commands on your SmartEdge router. To reduce the risk, always include the none keyword when entering this command.
Caution! Risk of administrative failure. If the administrator record on the TACACS+ server is set up to authorize only a limited set of commands, the administrator might not be allowed to perform critical tasks using the SmartEdge router. To reduce the risk, we recommend that you configure at least one administrator record on the TACACS+ server that has authorization to access all commands.
Use the no or default form of this command to disable the requirement for TACACS+ authorization.
The following example requires TACACS+ authorization in the restricted context for the use of commands with privilege levels of 10 or higher with the exception of privilege level 15:
[restricted]Redback(config)#configure
[restricted]Redback(config-ctx)#aaa authorization commands 10 tacacs+ except 15
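Both aaa accounting commands (above) and aaa authorization commands select commands by privilege level with a single excepted level, and authorization adds the none keyword that decides what happens when the TACACS+ server is unavailable, which is the situation the cautions describe. This added Python model is not SmartEdge code; the server callables, TimeoutError as the "server unavailable" signal and the permitted-command stand-in record are constructed assumptions.

```python
def validate_levels(level, except_level=None):
    """Both commands take a level of 0 to 15 and an optional except-level of
    1 to 15 that must be greater than level; True when the pair is acceptable."""
    if not 0 <= level <= 15:
        return False
    if except_level is None:
        return True
    return 1 <= except_level <= 15 and except_level > level


def sent_to_tacacs(cmd_level, level, except_level=None):
    """True when a command at cmd_level is reported to (accounting) or must be
    authorized by (authorization) the TACACS+ server: the configured level or
    higher, minus the single excepted level."""
    if not validate_levels(level, except_level):
        raise ValueError("except-level must be 1-15 and greater than level")
    return cmd_level >= level and cmd_level != except_level


def authorize(command, cmd_level, level, server, except_level=None, none_keyword=False):
    """Decide whether an administrator may run `command` under
    `aaa authorization commands <level> tacacs+ [none] [except <except-level>]`.

    server: callable taking the command string and returning True (permit) or
            False (deny); it raises TimeoutError when the TACACS+ server is
            unavailable (constructed stand-in for the real exchange).
    """
    if not sent_to_tacacs(cmd_level, level, except_level):
        return True     # below the threshold or at the excepted level: no authorization needed
    try:
        return server(command)
    except TimeoutError:
        # Without `none` an unavailable server leaves the administrator unable to
        # run the command (the caution above); with `none` authorization is skipped.
        return none_keyword


def constructed_server(permitted=("show",)):
    """Stand-in for a TACACS+ administrator record that authorizes only commands
    whose first word is in `permitted`, i.e. the limited record the third caution
    warns about."""
    def decide(command):
        return command.split()[0] in permitted
    return decide


def unavailable_server(command):
    """Stand-in for a TACACS+ server that never answers."""
    raise TimeoutError("TACACS+ server unavailable")
```

Running the excepted level through `authorize` with the unavailable server shows the practical value of except: commands at that level stay usable even when authorization itself has failed.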
aaa authorization tunnel {local | radius}
{no | default} aaa authorization tunnel {local | radius}
Specifies the type of authorization for Layer 2 Tunneling Protocol (L2TP) peers.
context configuration
local: Specifies that L2TP peers are authorized by the local configuration.
radius: Specifies that L2TP peers are authorized by a Remote Authentication Dial-In User Service (RADIUS) server.
L2TP peers are authorized by the SmartEdge router configuration.
Use the aaa authorization tunnel command to specify the type of authorization for L2TP peers.
Use the no or default form of this command to specify the default behavior.
The following example configures the local context to authorize L2TP peers by a RADIUS server:
```
[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa authorization tunnel radius
```
aaa double-authentication subscriber radius [none [profile profile-name]]
no aaa double-authentication subscriber radius [none [profile profile-name]]
Reauthenticates subscribers through the specified Remote Authentication Dial-In User Service (RADIUS) server database.
| Keyword/Argument | Description |
|---|---|
| none | Optional. Specifies that no second authentication is to take place if the RADIUS server is unavailable. |
| profile profile-name | Optional. Defines a local profile used when the second RADIUS server is unavailable. This is also referred to as the fallback profile. |
Subscribers are authenticated one time, either through the SmartEdge router configuration or through one of the RADIUS server databases.
Use the aaa double-authentication subscriber radius command to require subscriber reauthentication through the specified RADIUS server database and, optionally, to define a local profile to be used when the second RADIUS server is unavailable.
RADIUS provisioning is enhanced so that subscribers can be authenticated twice without a RADIUS proxy server. Subscribers are first authenticated by a global RADIUS server and then by the RADIUS server for the binding context.
When the SmartEdge router receives the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) Auth-Req packet, it sends a RADIUS Access-Request packet to the global RADIUS server configured for the local context. If the Access-Accept packet returned by the RADIUS server indicates that the subscriber is to be reauthenticated, the SmartEdge router sends a second Access-Request packet to the RADIUS server for the binding (nonlocal) context specified by the global server. Depending on the response of the second server, the session is either terminated or tunneled using a list of attributes consolidated from both RADIUS responses. Attribute values received from the second RADIUS server override values received from the first server and values configured locally in the nonlocal context.
If the configured authentication failover method is none and the second RADIUS server is unavailable, the subscriber is provisioned using the local profile (specified with the profile keyword) plus the attributes received from the first RADIUS server, and the subscriber is not reauthenticated.
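The two-step exchange and the attribute precedence described above, modelled in Python as an added example (this is not code from the SmartEdge documentation). The server stubs, attribute values and the reauth_context field that carries the global server's "reauthenticate" instruction are constructed assumptions; the page does not name the attribute that carries it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RadiusReply:
    """Simplified Access-Accept (accept=True) or Access-Reject (accept=False).

    reauth_context models the global server instructing the router to run a
    second authentication against the binding (nonlocal) context. The page does
    not name the attribute that carries this, so it is an assumption here.
    """
    accept: bool
    attributes: Dict[str, object] = field(default_factory=dict)
    reauth_context: Optional[str] = None


class ServerUnavailable(Exception):
    """Raised by a server stub when the RADIUS server does not answer."""


def consolidate(local_ctx_attrs, first_attrs, second_attrs):
    """Precedence from the page: second server > first server > values
    configured locally in the nonlocal context."""
    merged = dict(local_ctx_attrs)
    merged.update(first_attrs)
    merged.update(second_attrs)
    return merged


def provision(username, global_server, context_servers, context_config,
              failover_none=True, fallback_profile=None):
    """Run the two-step authentication and return (decision, attributes).

    decision is 'rejected', 'single-auth', 'double-auth', 'terminated' or
    'fallback-profile'.
    """
    # Step 1: Access-Request to the global RADIUS server of the local context.
    first = global_server(username)
    if not first.accept:
        return "rejected", {}
    if first.reauth_context is None:
        return "single-auth", dict(first.attributes)

    ctx = first.reauth_context
    # Step 2: Access-Request to the RADIUS server of the binding context.
    try:
        second = context_servers[ctx](username)
    except ServerUnavailable:
        if failover_none and fallback_profile is not None:
            # 'none' failover: local profile plus the first server's attributes,
            # and no reauthentication takes place.
            attrs = dict(fallback_profile)
            attrs.update(first.attributes)
            return "fallback-profile", attrs
        return "terminated", {}
    if not second.accept:
        return "terminated", {}
    return "double-auth", consolidate(context_config.get(ctx, {}),
                                      first.attributes, second.attributes)


# Constructed stand-ins for the RADIUS servers and the nonlocal context config.
def global_server(username):
    return RadiusReply(True, {"Session-Timeout": 3600, "Framed-MTU": 1492},
                       reauth_context="ISP3")


def isp3_server(username):
    return RadiusReply(True, {"Session-Timeout": 600,
                              "Framed-IP-Address": "10.9.0.7"})


def isp3_server_down(username):
    raise ServerUnavailable("no response from the ISP3 RADIUS server")


CONTEXT_CONFIG = {"ISP3": {"Session-Timeout": 7200, "Idle-Timeout": 300}}
FALLBACK_PROFILE = {"Framed-IP-Address": "10.9.0.1", "Idle-Timeout": 120}


def scenario_both_servers_up():
    return provision("sub1@ISP3", global_server, {"ISP3": isp3_server},
                     CONTEXT_CONFIG, failover_none=True,
                     fallback_profile=FALLBACK_PROFILE)


def scenario_second_server_down(failover_none):
    return provision("sub1@ISP3", global_server, {"ISP3": isp3_server_down},
                     CONTEXT_CONFIG, failover_none=failover_none,
                     fallback_profile=FALLBACK_PROFILE)


if __name__ == "__main__":
    print(scenario_both_servers_up())
    print(scenario_second_server_down(True))
    print(scenario_second_server_down(False))
```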
The following is the order of attribute processing:
Use the no form of this command to disable the requirement for reauthenticating subscribers through the specified RADIUS server database.
The following example configures the context ISP3 to reauthenticate its subscriber sessions using the RADIUS server with the IP address 155.53.44.181 configured in the local context:
```
[local]Redback(config-ctx)#aaa global authentication subscriber radius
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 155.53.44.181 encrypted-key 3828082561D6BDD6
[local]Redback(config)#context ISP3
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config-ctx)#aaa double-authentication subscriber radius none profile last
[local]Redback(config-ctx)#radius server 155.53.44.181 encrypted-key 3828082561D6BDD6 oldports
[local]Redback(config-ctx)#subscriber profile last
[local]Redback(config-sub)#ip address pool
```
aaa encrypted-password default password
no aaa encrypted-password default
Changes the default AAA authentication and authorization password to the specified encrypted password.
| Keyword/Argument | Description |
|---|---|
| password | Alphanumeric string representing a default authentication and authorization password. This password is encrypted. Control characters are not allowed. |
The default AAA authentication and authorization password is “Redback”.
Use the aaa encrypted-password default command to change the default authentication and authorization password to the specified encrypted password. This new default AAA password is saved in the encrypted form as well. When you enter the show configuration command, the display shows the default AAA password in the encrypted form.
Use the no form of this command to restore the default password of “Redback”.
The following example shows how to configure the new default AAA encrypted password of F9BFC75FC9F3F8AD:
[local]Redback(config-ctx)#aaa encrypted-password default F9BFC75FC9F3F8AD
aaa global accounting event {dhcp | reauthorization | ancp}
{no | default} aaa global accounting event {dhcp | reauthorization | ancp}
Enables accounting messages for Dynamic Host Configuration Protocol (DHCP) leases, reauthorization information, or Access Node Control Protocol (ANCP) events for subscriber sessions in all contexts to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.
global configuration
| Keyword/Argument | Description |
|---|---|
| dhcp | Enables accounting messages to be sent whenever a DHCP lease is created or released. |
| reauthorization | Enables accounting messages to be sent for subscriber reauthorization sessions. The information sent in the messages provides details about subscriber circuits after reauthorization is completed. |
| ancp | Enables accounting messages to be sent whenever an ANCP event is received. The information sent in the messages provides details from the digital subscriber line (DSL) access multiplexer (DSLAM) about changes, such as a rate change, to the subscriber DSL. |
RADIUS-based accounting is disabled.
Use the aaa global accounting event command to enable accounting messages for DHCP leases, reauthorization information, or ANCP events for subscriber sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
If an ANCP event occurs when no subscriber session is on the line, no accounting message is sent.
Use the no or default form of this command to disable RADIUS-based accounting.
The following example enables accounting messages for reauthorization information for subscriber sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context:
[local]Redback(config)#aaa global accounting event reauthorization
aaa global accounting l2tp-session radius context local
{no | default} aaa global accounting l2tp-session
Enables accounting messages for Layer 2 Tunneling Protocol (L2TP) tunnels or sessions in L2TP tunnels in all contexts to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.
| Keyword/Argument | Description |
|---|---|
| radius context local | Indicates accounting messages are sent by RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
The SmartEdge router does not send accounting messages to a RADIUS server.
Use the aaa global accounting l2tp-session command to enable accounting messages for L2TP tunnels or sessions in L2TP tunnels in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
Use the no or default form of this command to return the system to its default behavior of performing accounting based on the SmartEdge router configuration.
The following example configures the system to send accounting messages for L2TP sessions in all contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:
[local]Redback(config)#aaa global accounting l2tp-session radius context local
aaa global accounting reauthorization subscriber radius context local
{no | default} aaa global accounting reauthorization subscriber
Enables accounting messages for the reauthorize command entered in any context in exec mode to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.
global configuration
| Keyword/Argument | Description |
|---|---|
| radius context local | Indicates accounting messages are sent by RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
RADIUS-based accounting is disabled.
Use the aaa global accounting reauthorization subscriber command to enable accounting messages for the reauthorize command entered in any context in exec mode to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. These messages indicate that subscriber reauthorization has been completed.
Use the no or default form of this command to return the system to its default behavior of performing accounting based on the SmartEdge router configuration.
The following example configures the system to send accounting messages for subscriber reauthorization in all contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:
[local]Redback(config)#aaa global accounting reauthorization subscriber radius context local
aaa global accounting subscriber radius context local
{no | default} aaa global accounting subscriber
Enables accounting messages for subscriber sessions in all contexts to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.
| Keyword/Argument | Description |
|---|---|
| radius context local | Indicates accounting messages are sent by RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
The SmartEdge router does not send subscriber session accounting messages to a RADIUS server.
Use the aaa global accounting subscriber command to enable accounting messages for subscriber sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
Use the no or default form of this command to return the system to its default behavior of performing accounting based on the SmartEdge router configuration.
The following example configures the system to send accounting messages for subscriber sessions in all contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:
[local]Redback(config)#aaa global accounting subscriber radius context local
aaa global authentication subscriber radius context local
{no | default} aaa global authentication subscriber
Enables global subscriber authentication through one or more Remote Authentication Dial-In User Service (RADIUS) servers with IP addresses or hostnames configured in the local context.
| Keyword/Argument | Description |
|---|---|
| radius context local | Indicates authentication is performed by the RADIUS servers with IP addresses or hostnames configured in the local context. |
The SmartEdge router does not send subscriber authentication messages to a RADIUS server.
Use the aaa global authentication subscriber command to enable global subscriber authentication through one or more RADIUS servers with IP addresses or hostnames configured in the local context.
Use the no or default form of this command to disable global subscriber authentication.
The following example configures the context siteA to globally authenticate its subscriber sessions using the RADIUS server with the IP address of 10.2.3.4 configured in the local context:
```
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.2.3.4 key TopSecret
[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa authentication subscriber global
```
aaa global maximum subscriber active count
{no | default} aaa global maximum subscriber
Limits the total number of subscriber sessions that can be simultaneously active in all configured contexts.
global configuration
| Keyword/Argument | Description |
|---|---|
| active count | Maximum number of subscriber sessions that can be simultaneously active. The value of the count argument depends on the purchased subscriber license, the SmartEdge router platform, and the controller card. Table 1 lists the possible values. |
There is no limit to the number of subscriber sessions that can be simultaneously active in all configured contexts.
Use the aaa global maximum subscriber command to limit the total number of subscriber sessions that can be simultaneously active in all configured contexts.
Table 1 lists the values for the active count construct.
| SmartEdge Router | Controller Card | Value |
|---|---|---|
| SmartEdge 100 router | Controller carrier card | 16,000 |
| SmartEdge 400 router | XCRP | 16,000 |
| SmartEdge 400 router | XCRP3 with base license | 16,000 |
| SmartEdge 400 router | XCRP3 with upgrade | 32,000 |
| SmartEdge 400 router | XCRP4 | 250,000 |
| SmartEdge 800 router | XCRP | 16,000 |
| SmartEdge 800 router | XCRP3 with base license | 16,000 |
| SmartEdge 800 router | XCRP3 with upgrade | 48,000 |
| SmartEdge 800 router | XCRP4 | 250,000 |
| SmartEdge 1200 router | XCRP | 16,000 |
| SmartEdge 1200 router | XCRP3 with base license | 16,000 |
| SmartEdge 1200 router | XCRP3 with upgrade | 48,000 |
| SmartEdge 1200 router | XCRP4 | 250,000 |
Use the no or default form of this command to restore the default of no limit to the number of subscriber sessions.
The following example sets the maximum number of simultaneous active subscriber sessions for all configured contexts to 12000:
[local]Redback(config)#aaa global maximum subscriber active 12000
aaa global reject empty-username
no aaa global reject empty-username
Suppresses Remote Authentication Dial-In User Service (RADIUS) Access-Request messages when no username is specified.
global configuration
This command has no keywords or arguments.
The SmartEdge router sends RADIUS Access-Request messages to the RADIUS server regardless of whether a username is specified.
Use the aaa global reject empty-username command to suppress RADIUS Access-Request messages when no username is specified. The relevant attribute in the Access-Request message is the User-Name attribute. The operating system logs an informational message that identifies the circuit, then discards the Access-Request packet.
Use the no form of this command to restore the default behavior of sending Access-Request messages to the RADIUS server regardless of whether a username is specified.
The following example configures the SmartEdge router to suppress Access-Request messages when no username is specified:
[local]Redback(config)#aaa global reject empty-username
aaa global session-id-count
no aaa global session-id-count
Changes the account session ID rules to comply with the requirements of vendor-specific equipment.
This command has no keywords or arguments.
By default, vendor-specific account session ID rules are disabled.
Use the aaa global session-id-count command to change the account session ID rules to comply with the requirements of vendor-specific equipment. When you apply this command, the SmartEdge router enforces the following rules:
The operating system supports this feature in the following environments:
To use this feature, configure RADIUS and RADIUS accounting on a SmartEdge router, and then configure a RADIUS accounting server.
Use the no form of this command to reset the aaa global session-id-count command to the default account session ID rules.
The following example shows how to globally configure the SmartEdge router so that the account session ID rules comply with the requirements of vendor-specific equipment:
[local]Redback(config)#aaa global session-id-count
aaa global update subscriber interval
{no | default} aaa global update subscriber
Sends updated accounting records for subscribers in all contexts to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.
| Keyword/Argument | Description |
|---|---|
| interval | Period (in minutes) between accounting updates. The range of values is 10 to 10,080. |
This authentication, authorization, and accounting (AAA) feature is disabled.
Use the aaa global update subscriber command to send updated accounting records for subscribers in all contexts to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
Use the no or default form of this command to disable subscriber account updating.
The following example globally configures an update to be sent for all subscribers in the system when each subscriber’s session comes up, and every 20 minutes thereafter, for as long as the subscriber session lasts:
[local]Redback(config)#aaa global update subscriber 20
aaa hint ip-address
no aaa hint ip-address
Enables the SmartEdge router to notify the Remote Authentication Dial-In User Service (RADIUS) server that the IP address in the Framed-IP-Address attribute is the preferred IP address.
This command has no keywords or arguments.
This feature is disabled.
Use the aaa hint ip-address command to enable the SmartEdge router to notify the RADIUS server that the IP address in the Framed-IP-Address attribute is the preferred IP address.
This feature applies only to subscribers that you have configured using the ip address (subscriber) command (in subscriber configuration mode) with the pool keyword. The SmartEdge router selects an unused IP address from the pool and sends it to the RADIUS server in an Access-Request message. The ip address (subscriber) command does not apply to subscribers who are configured for SmartEdge router authentication.
The IP address selected from the unnamed IP pool is a hint to the RADIUS server that the selected address is preferred. The RADIUS server can choose to honor the hint or override it with a different IP address. The SmartEdge router uses the address only if the RADIUS server confirms that it is acceptable; the SmartEdge router action corresponding to the RADIUS response is described in the IP Address Assignment section.
Use the no form of this command to disable this feature.
The following example enables this feature in the customers context:
```
[local]Redback(config)#context customers
[local]Redback(config-ctx)#aaa hint ip-address
```
aaa ip-pool allocation first-available
no aaa ip-pool allocation first-available
default aaa ip-pool allocation
Specifies that the SmartEdge router uses a first-available algorithm to allocate IP addresses to subscribers.
This command has no keywords or arguments.
The SmartEdge router uses a round-robin algorithm to allocate IP addresses to subscribers.
Use the aaa ip-pool allocation first-available command to specify that the SmartEdge router uses a first-available algorithm to allocate IP addresses to subscribers.
When the SmartEdge router receives a request for an IP address, by default it uses the round-robin method to select an address from the IP pool. The round-robin method begins its search where the last search ended; that is, the SmartEdge router checks whether the first address in the IP pool following the last allocated IP address is available. If this address is unavailable, the SmartEdge router checks the next address until either an available address is assigned or the pool is exhausted.
In the first-available method, the search for an available IP address always begins with the first address in the pool.
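Both search methods, as an added Python example that is not part of the SmartEdge documentation. The pool model, the 192.0.2.0/29 pool and the session sequence are constructed, and the model assumes the round-robin search wraps to the start of the pool before reporting exhaustion.

```python
import ipaddress
from typing import List, Optional


class IpPool:
    """Constructed model of a subscriber IP pool with the two search strategies
    described for 'aaa ip-pool allocation'."""

    def __init__(self, network: str, first_available: bool = False):
        self.addresses = [str(a) for a in ipaddress.ip_network(network).hosts()]
        self.in_use = set()
        self.first_available = first_available
        # Round-robin state: index of the address following the last one allocated.
        self._cursor = 0

    def allocate(self) -> Optional[str]:
        """Return an unused address, or None when the pool is exhausted."""
        n = len(self.addresses)
        # Round-robin resumes where the last search ended; first-available always
        # restarts at the first address of the pool.
        start = 0 if self.first_available else self._cursor
        for step in range(n):
            i = (start + step) % n   # assumption: the search wraps around the pool
            addr = self.addresses[i]
            if addr not in self.in_use:
                self.in_use.add(addr)
                self._cursor = (i + 1) % n
                return addr
        return None

    def release(self, addr: str) -> None:
        """Subscriber session ended: the address becomes available again."""
        self.in_use.discard(addr)


def allocation_trace(first_available: bool) -> List[Optional[str]]:
    """Three subscribers connect, the first disconnects, a fourth connects.
    The fourth allocation is where the two methods differ: round-robin moves
    on to .4, first-available hands the freed .1 straight back out."""
    pool = IpPool("192.0.2.0/29", first_available)   # constructed pool: .1 to .6
    a, b, c = pool.allocate(), pool.allocate(), pool.allocate()
    pool.release(a)
    d = pool.allocate()
    return [a, b, c, d]


def exhaustion_trace() -> List[Optional[str]]:
    """A /30 has two usable addresses; the third request finds the pool exhausted."""
    pool = IpPool("192.0.2.8/30", first_available=True)
    return [pool.allocate(), pool.allocate(), pool.allocate()]


if __name__ == "__main__":
    print("round-robin     :", allocation_trace(False))
    print("first-available :", allocation_trace(True))
    print("exhaustion      :", exhaustion_trace())
```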
Use the no or default form of this command to revert to the default behavior.
The following example specifies that the SmartEdge router uses a first-available algorithm to allocate subscriber IP addresses:
[local]Redback(config)#aaa ip-pool allocation first-available
aaa last-resort context ctx-name [append]
no aaa last-resort
Specifies the context in which authentication of a subscriber should be attempted if the subscriber name does not contain a valid domain or context that has been configured in the system.
global configuration
| Keyword/Argument | Description |
|---|---|
| context ctx-name | Name of the last resort context. |
| append | Optional. Appends the @ symbol and context name to the subscriber’s name. |
No last resort context is configured.
Use the aaa last-resort command to specify the context in which authentication of a subscriber name is to be attempted whenever the domain portion of the subscriber name provided cannot be matched to any configured context or domain.
At the time you enter this command, the SmartEdge router does not check to ensure you specify a valid context. When a subscriber attempts to connect, and the SmartEdge router attempts to validate the subscriber in the last resort context, an error message displays if the context does not exist.
Only one last resort context can be in effect at a time. To change the last resort context, configure a new one; it overwrites the existing one.
Use the no form of this command to remove the last resort context.
The following configuration assumes three contexts: california, nevada, and otherstates. A username, jill@arizona, is submitted for authentication, but there is no configured arizona context. The following example configures the system in such a way that jill@arizona would be submitted for authentication in the otherstates context:
[local]Redback(config)#aaa last-resort context otherstates
aaa maximum subscriber active count
{no | default} aaa maximum subscriber
Limits the number of subscriber sessions that can be simultaneously active in a given context.
| Keyword/Argument | Description |
|---|---|
| active count | Maximum number of subscriber sessions that can be simultaneously active. The value of the count argument depends on the purchased subscriber license, the SmartEdge router platform, and the controller card. Table 2 lists the possible values. |
There is no limit to the number of subscriber sessions that can be simultaneously active in a given context.
Use the aaa maximum subscriber command to limit the number of subscriber sessions that can be simultaneously active in a given context.
Table 2 lists the values for the active count construct.
| SmartEdge Router | Controller Card | Value |
|---|---|---|
| SmartEdge 100 router | Controller carrier card | 16,000 |
| SmartEdge 400 router | XCRP | 16,000 |
| SmartEdge 400 router | XCRP3 with base license | 16,000 |
| SmartEdge 400 router | XCRP3 with upgrade | 32,000 |
| SmartEdge 400 router | XCRP4 | 250,000 |
| SmartEdge 800 router | XCRP | 16,000 |
| SmartEdge 800 router | XCRP3 with base license | 16,000 |
| SmartEdge 800 router | XCRP3 with upgrade | 48,000 |
| SmartEdge 800 router | XCRP4 | 250,000 |
| SmartEdge 1200 router | XCRP | 16,000 |
| SmartEdge 1200 router | XCRP3 with base license | 16,000 |
| SmartEdge 1200 router | XCRP3 with upgrade | 48,000 |
| SmartEdge 1200 router | XCRP4 | 250,000 |
Use the no or default form of this command to restore the default of no limit to the number of subscriber sessions.
The following example sets the maximum number of simultaneous active subscriber sessions for the local context to 100:
```
[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa maximum subscriber active 100
```
aaa password {default password [disable-subscriber] | disable-subscriber}
no aaa password default
Changes the default authentication and authorization password for authentication, authorization, and accounting (AAA) to the specified password. It can also disable the default authentication and authorization password on the subscriber circuits.
| Keyword/Argument | Description |
|---|---|
| default password | Changes the default authentication and authorization password to the specified password. The password is an alphanumeric string and is plaintext. Control characters are not allowed. |
| disable-subscriber | Disables the default authentication and authorization password on the subscriber circuits. |
The default authentication and authorization password is “Redback”.
Use the aaa password command to change the default authentication and authorization password for the AAA or disable the default authentication and authorization password on subscriber circuits. To change the default authentication and authorization password to a specified password, use the default keyword with the aaa password command. This new default password is saved in the encrypted form. When you enter the show configuration command, the display shows the default AAA password in the encrypted form.
To disable the default authentication and authorization password on subscriber circuits, use the disable-subscriber keyword with the aaa password command.
Use the no form of this command to restore the default password of “Redback”.
The following example shows how to configure the new default AAA password of secret123:
[local]Redback(config-ctx)#aaa password default secret123
The following example shows how to configure the new default AAA password of secret123 and disable this default AAA password on the subscriber circuits:
[local]Redback(config-ctx)#aaa password default secret123 disable-subscriber
aaa provision binding-order ip-address-attr l2tp-attr
no aaa provision binding-order ip-address-attr l2tp-attr
Changes the default order in which the SmartEdge router searches the Remote Authentication Dial-In User Service (RADIUS) and Layer 2 Tunneling Protocol (L2TP) attributes to find the IP address to be used to bind a subscriber circuit.
| Keyword/Argument | Description |
|---|---|
| ip-address-attr | Uses the IP address in the Framed-IP-Address attribute in the authentication message received from a RADIUS server. |
| l2tp-attr | Uses the IP address in the Sub-Address attribute value pair (AVP) in the incoming call request (ICRQ) message received from the L2TP access concentrator (LAC) peer. |
The SmartEdge router searches for the L2TP attribute before searching for the RADIUS attribute.
Use the aaa provision binding-order command to change the default order in which the SmartEdge router searches for the RADIUS and L2TP attributes to find the IP address to be used to bind a subscriber circuit. The circuit binding has been created using the bind authentication command (in the circuit’s configuration mode).
Use this command to enable the SmartEdge router to look for the RADIUS Framed-IP-Address attribute before looking at the L2TP Sub-Address AVP. If the Framed-IP-Address attribute does not exist, the L2TP ICRQ message is examined for the Sub-Address AVP. If the Sub-Address AVP does not exist, the session is not brought up.
Use the no form of this command to specify the default order.
For more information about using the bind authentication command to create a dynamic binding, see Configuring Bindings.
The following example specifies that the IP address (and its interface) in the RADIUS record be used to bind a subscriber circuit:
[local]Redback(config-ctx)#aaa provision binding-order ip-address-attr l2tp-attr
aaa provision route ip-netmask encapsulation encaps-type [use-frame-route]
{no | default} aaa provision route ip-netmask [use-frame-route]
Enables the SmartEdge router to assign one or a range of IP addresses specified by the subscriber IP netmask in the RADIUS Framed-IP-Netmask attribute to a PPP or PPPoE subscriber. This command also installs the IP netmask as a subnet route for the subscriber in the route table.
| Keyword/Argument | Description |
|---|---|
| ip-netmask | Installs the subscriber IP netmask as a subnet route in the route table. |
| encapsulation encaps-type | Encapsulation type, according to one of the following keywords: |
| use-frame-route | Assigns one IP address from the range specified by the subscriber IP netmask to the PPP or PPPoE subscriber. This keyword also installs the IP netmask as a subnet route in the route table for the entire address space specified in the IP netmask. |
The Framed-IP-Netmask attribute is ignored.
Use the aaa provision route command to enable the SmartEdge router to assign one or a range of IP addresses specified by the subscriber IP netmask in the RADIUS Framed-IP-Netmask attribute to a PPP or PPPoE subscriber. This command also installs the IP netmask as a subnet route for the subscriber in the route table.
If you configure the use-frame-route keyword with the aaa provision route command, the subscriber is assigned one IP address specified in the Framed-IP-Netmask attribute. Otherwise, the entire range of addresses specified by IP netmask is assigned to the subscriber.
Use the no or default form of this command to revert to the default behavior.
The following example shows how to enable a direct connection to PPP routers:
```
[local]Redback(config)#context remote
[local]Redback(config-ctx)#aaa provision route ip-netmask encapsulation ppp
```
The following example shows how to enable a direct connection to a PPPoE router with a Class B network behind it:
```
[local]Redback(config)#context abcremote
[local]Redback(config-ctx)#aaa provision route ip-netmask encapsulation pppoe use-frame-route
```
aaa rate-report-factor {adsl1 | adsl2 | adsl2+ | vdsl1 | vdsl2 | sdsl | unknown} percentage
no aaa rate-report-factor
Multiplies the raw digital subscriber line (DSL) data rate by a factor and reports the result for one or more line types as the subscriber traffic rate in Remote Authentication Dial-In User Service (RADIUS) and Layer 2 Tunneling Protocol (L2TP) messages.
context configuration
| Keyword/Argument | Description |
|---|---|
| adsl1 | Specifies an asymmetric DSL line type. |
| adsl2 | Specifies an asymmetric DSL line type. |
| adsl2+ | Specifies an asymmetric DSL line type. |
| vdsl1 | Specifies a very-high-bit-rate DSL (VDSL) line type. |
| vdsl2 | Specifies a very-high-bit-rate DSL (VDSL) line type. |
| sdsl | Specifies an asymmetric DSL line type. |
| unknown | Specifies an unknown DSL line type. |
| percentage | Factor (as a percentage) by which to multiply the data rate before sending the RADIUS message. |
No rate adjustment is calculated for any DSL line type.
Use the aaa rate-report-factor command to multiply the raw DSL data rate by a factor and report the result for one or more line types as the subscriber traffic rate in RADIUS and L2TP messages.
Access nodes send raw data rates of one or more DSL line types to the SmartEdge router; however, only a portion of the raw data rate is available for subscriber traffic. You can configure the SmartEdge router to multiply the raw data rate for each type of DSL line by a specific percentage.
The magnitude of the adjustment can differ by DSL line type. For this reason, you can specify a different factor for each possible line type. You must issue this command once for each line type that you expect connected access nodes to use.
The SmartEdge router sends the adjusted rate in the RADIUS vendor-specific attribute (VSA) 185 (DSL_Actual_Rate_Down_Factor) and in the L2TP (Tx) Connect Speed attribute-value pair (AVP) 24. If you do not specify a factor for a specific line type, the unaltered learned rate for that line type is sent in these attributes.
Use the no form of this command to revert to the default behavior.
The following example enables the SmartEdge router to multiply the DSL line type data rate for ADSL1 by 80% prior to sending a RADIUS accounting message:
[local]Redback(config-ctx)#aaa rate-report-factor adsl1 80
aaa reauthorization bulk {global | none | radius}
{no | default} aaa reauthorization bulk
Configures subscriber reauthorization so that attribute changes can be dynamically applied to active subscriber sessions, without requiring Point-to-Point Protocol (PPP) renegotiation and without interrupting or dropping active sessions.
context configuration
| Keyword/Argument | Description |
|---|---|
| global | Enables reauthorization of all subscribers in the current context through one or more Remote Authentication Dial-In User Service (RADIUS) servers with IP addresses or hostnames configured in the local context. |
| none | Disables subscriber reauthorization. |
| radius | Enables reauthorization of subscribers in the current context through one or more RADIUS servers with IP addresses or hostnames in the same context. |
None
Use the aaa reauthorization bulk command to configure subscriber reauthorization so that attribute changes can be dynamically applied to active subscriber sessions, without requiring PPP renegotiation and without interrupting or dropping active sessions. After this command has been enabled, enter the reauthorize command (in exec mode) to initiate subscriber reauthorization.
The standard RADIUS attributes and Redback VSAs that are supported with dynamic subscriber reauthorization are listed in RADIUS Attributes.
Use the no or default form of this command to disable dynamic subscriber reauthorization.
The following example enables the global reauthorization of all subscribers in the SmartEdge router:
```
[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa reauthorization bulk global
```
The following is an example of a subscriber record on a RADIUS server. The subscriber has requested a new service that is translated to a particular session timeout value:
#reauth of absolute timeout
reauth-501@local User-Password=="redback"
    Service-Type=Outbound-User,
    Reauth_String="2;pppoe1@local;27;1000;"
Before the administrator enters the reauthorize command (in exec mode), the subscriber record appears as:
[local]Redback>show subscribers active pppoe1@local
Circuit 13/1 vpi-vci 0 33
Internal Circuit 13/1:1023:63/1/2/22
Current port-limit unlimited
ip address 10.1.1.4
In the following example, the administrator enters the reauthorize command (in exec mode) and the subscriber session is reauthorized with the new timeout attribute added:
[local]Redback>reauthorize username pppoe1@local
[local]Redback>show subscribers active pppoe1@local
Circuit 13/1 vpi-vci 0 33
Internal Circuit 13/1:1023:63/1/2/22
Current port-limit unlimited
ip address 10.1.1.4
timeout absolute 1000
aaa update subscriber interval
{no | default} aaa update subscriber
Sends updated accounting records for subscriber sessions in the current context to one or more Remote Authentication Dial-In User Service (RADIUS) servers with IP addresses or hostnames configured in the same context.
interval |
Period (in minutes) between accounting updates. The range of values is 10 to 10,080. |
Updates for subscriber accounts are not performed.
Use the aaa update subscriber command to send updated accounting records for subscriber sessions in the current context to one or more RADIUS servers with IP addresses or hostnames configured in the same context.
Use the no or default form of this command to disable subscriber account updating.
The following example configures an update to be sent every 20 minutes, for as long as the subscriber session lasts:
[local]Redback(config-ctx)#aaa update subscriber 20
aaa username-format {domain | username} separator [rightmost-separator]
no aaa username-format {domain | username} separator [rightmost-separator]
Defines one or more schemas for matching the format of structured usernames.
domain |
Specifies that the domain portion of the structured username is to precede the user portion. |
username |
Specifies that the user portion of the structured username is to precede the domain portion. |
separator |
Character that separates the user portion of the structured username from the domain portion. The possible characters are %, -, @, _, \\, #, and /. To designate a backslash (\), you must enter it on the command line as two backslashes (\\). A single backslash has a reserved meaning in the SmartEdge router. A maximum of six characters can be used in a single schema. |
rightmost-separator |
Specifies that the far right (rightmost) character within a structured username that contains multiple separators is to be treated as the separator character. |
If no username formats are specified with this command, the SmartEdge router default format of username@domain-name is checked for a format match.
Use the aaa username-format command to define one or more schemas for matching the format of structured usernames. A username can be for a subscriber or an administrator.
You can use this command multiple times to create a list of formats against which an incoming username is matched. The first format configured is checked first for a match, then the second, and so on until a match is found or until the configured username formats are exhausted.
Use the rightmost-separator keyword with the aaa username-format command when you have multiple separators within a structured username; for example, joe@gold@example.com. If the rightmost-separator keyword is configured, the SmartEdge router treats the far right (rightmost) separator character as the separator that divides the user portion of the structured username from the domain portion.
If no username formats are explicitly defined with the aaa username-format command, the SmartEdge router checks the default format of username@domain-name for a match.
Use the no form of this command to remove the specified format from those considered to be valid structured-username formats.
The following example configures a structured-username format with the subscriber name specified first, separated from its domain by the % symbol:
[local]Redback(config)#aaa username-format username %
In this example, for a subscriber, joe, configured in the local context, the SmartEdge router checks for a match against the structured-username joe%local.
The following example configures a structured-username format with the domain name specified first, separated from the subscriber name by the / symbol:
[local]Redback(config)#aaa username-format domain /
In this example, for a subscriber, joe, configured in the local context, the SmartEdge router checks for a match against the format local/joe.
The following example shows how to configure a structured-username format with the domain name specified first, separated from the subscriber name using the far right (rightmost) separator, a @ symbol:
[local]Redback(config)#aaa username-format domain @ rightmost-separator
In this example, for a username, local@example.com@joe, the SmartEdge router checks for the far right separator, a @ symbol. For this username, the subscriber name is joe and the context is local@example.com.
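The following Python block is an added example, not code from the Ericsson document, showing how an ordered list of aaa username-format schemas splits a structured username. The UsernameFormat model and the function names are assumptions; the matching rules follow the text above: schemas are tried in configuration order, the first match wins, the default schema is username@domain, and rightmost-separator selects the far right occurrence of the separator instead of the first one.

```python
# Added example (not from the Ericsson document): ordered matching of
# structured usernames against aaa username-format schemas. The
# UsernameFormat model and function names are my own assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Separator characters the command accepts (a backslash is typed as \\ on the CLI).
ALLOWED_SEPARATORS = frozenset("%-@_\\#/")


@dataclass(frozen=True)
class UsernameFormat:
    order: str               # "username": user precedes domain; "domain": domain precedes user
    separator: str           # single character from ALLOWED_SEPARATORS
    rightmost: bool = False  # True models the rightmost-separator keyword

    def __post_init__(self) -> None:
        if self.order not in ("username", "domain"):
            raise ValueError("order must be 'username' or 'domain'")
        if len(self.separator) != 1 or self.separator not in ALLOWED_SEPARATORS:
            raise ValueError(f"separator {self.separator!r} is not permitted")


# Used when no aaa username-format command has been configured.
DEFAULT_FORMATS: List[UsernameFormat] = [UsernameFormat("username", "@")]


def split_username(name: str, formats: List[UsernameFormat]) -> Optional[Tuple[str, str]]:
    """Return (user, domain) from the first schema that matches, or None.

    The domain portion selects the context, and therefore which RADIUS
    servers see the credentials, so the order of the schema list matters.
    """
    for fmt in formats or DEFAULT_FORMATS:
        if fmt.separator not in name:
            continue
        if fmt.rightmost:
            left, _, right = name.rpartition(fmt.separator)
        else:
            left, _, right = name.partition(fmt.separator)
        if not left or not right:
            continue  # empty user or domain portion: not a match, try the next schema
        if fmt.order == "username":
            return left, right
        return right, left
    return None
```

Note what happens to joe@gold@example.com under the default schema: the first @ is taken, so the user is joe and the domain is gold@example.com, which is then looked up as a context name. Configuring the schema with rightmost-separator is what makes the context example.com and the user joe@gold.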
abort
Deletes an outstanding database transaction.
This command has no keywords or arguments.
None
Use the abort command to delete an outstanding database transaction, which includes all configuration commands entered since the beginning of the configuration session, or since the latest abort or commit command.
In any configuration mode, this command deletes the database transaction for the current configuration session; a new database transaction is started for the configuration session, and subsequent commands entered in the session are part of the new transaction.
Caution! Risk of data loss. When you use the abort command (in any configuration mode) to delete the current transaction, all configuration information associated with the transaction is deleted and cannot be recovered. To minimize the risk, save your configuration before and after you enter the transaction commands, and do not abort the transaction without ensuring that you do not need the commands in it.
The following example deletes the current database transaction:
[local]Redback#abort
absolute start yyyy:mm:dd:hh:mm[:ss] end yyyy:mm:dd:hh:mm[:ss] {{permit | deny} | class class-name}
no absolute start yyyy:mm:dd:hh:mm[:ss] end yyyy:mm:dd:hh:mm[:ss]
Creates an absolute time access control list (ACL) condition statement.
ACL condition configuration
start yyyy:mm:dd:hh:mm[:ss] |
Date and time to start the ACL condition, given as four-digit year, month, day, hour (24-hour clock), and minute, with an optional seconds field. |
end yyyy:mm:dd:hh:mm[:ss] |
Date and time to stop the ACL condition, in the same yyyy:mm:dd:hh:mm[:ss] format. |
permit |
Applies a permit action to packets processed during the specified time range. |
deny |
Applies a deny action to packets processed during the specified time range. Used only with IP ACLs. |
class class-name |
Name of the class assigned to policy ACL statements that reference the ACL condition. Used only with policy ACLs. |
No ACL condition statements are configured.
Use the absolute command to create an absolute time ACL condition statement that, when referenced in an IP ACL statement, permits or denies packets, based on specific date and time ranges. Use this command to create an absolute time ACL conditional statement that, when referenced in a policy ACL statement, assigns a class name to packets.
Use the no form of this command to delete the absolute time ACL condition statement.
The following example creates an absolute time ACL condition statement for the ACL condition 500, which is referenced in the policy ACL, policy-acl-forward. The absolute time ACL condition applies the Bar003 class name to all policy ACL statements that reference the ACL condition during the time interval beginning on December 15, 2003 at 9:00 p.m. (21:00) and ending on the same day at 11:00 p.m. (23:00):
[local]Redback(config-ctx)#policy access-list policy-acl-forward
[local]Redback(config-access-list)#condition 500 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end 2003:12:15:23:00 class Bar003
accept filter prefix-list
no accept filter prefix-list
Advertises to a Border Gateway Protocol (BGP) peer that a BGP speaker can accept address prefix-based route filtering from a peer.
BGP neighbor configuration
This command has no keywords or arguments.
The command is disabled.
Use the accept filter prefix-list command to advertise to a BGP peer that a BGP speaker can accept address prefix-based route filtering from a peer. Use this command to save resources and avoid the generation, transmission, and processing of unnecessary routing updates.
When this command is enabled, and if the BGP peer advertises its preference to send address prefixed-based filtering (through the send filter prefix-list command in BGP neighbor configuration mode), the remote peer sends its inbound address prefix-based filtering to the local BGP speaker. The local BGP speaker uses the received address prefix-based filtering along with its local routing policies to determine whether routes should be advertised to the peer.
Use the show bgp neighbor ip-address received prefix-filter command to display address prefix-based route filtering configuration information.
Use the no form of this command to disable a BGP speaker from accepting route filtering from a peer.
For further information, see the Internet Drafts, Cooperative Route Filtering Capability for BGP-4, draft-ietf-idr-route-filter-03.txt, and Address Prefix Based Outbound Route Filter for BGP-4, draft-chen-bgp-prefix-orf-02.txt.
The following example enables the SmartEdge router to accept address prefix-based route filtering from the BGP peer at IP address 10.1.1.1:
[local]Redback(config-bgp)#neighbor 10.1.1.1 external
[local]Redback(config-bgp-neighbor)#accept filter prefix-list
accept-lifetime start-datetime [{duration seconds | infinite | stop-datetime}]
no accept-lifetime start-datetime [{duration seconds | infinite | stop-datetime}]
Establishes a start date and time for accepting the key, and optionally, a stop time for accepting the key.
key chain configuration
start-datetime |
Date and time to start accepting the key being configured. Must be in the format yyyy:mm:dd:hh:mm[:ss]. For more information about the format of this argument, see the Usage Guidelines section. |
duration seconds |
Optional. Number of seconds to continue accepting the key. The range of values is 1 to 2,147,483,646. |
infinite |
Optional. Specifies that the key is to be accepted indefinitely. |
stop-datetime |
Optional. Date and time to stop accepting the key being configured. Must be in the format yyyy:mm:dd:hh:mm[:ss]. For more information about the format of this argument, see the Usage Guidelines section. |
If you do not issue this command, the key is accepted starting immediately and continues to be accepted indefinitely. If you do not specify a duration when issuing this command, the key is accepted indefinitely.
Use the accept-lifetime command to specify when the key being configured is to be accepted. The start-datetime and stop-datetime arguments use the format yyyy:mm:dd:hh:mm[:ss]: four-digit year, month, day, hour (24-hour clock), and minute, with an optional seconds field.
If you issue the accept-lifetime command without any optional constructs, the key is accepted starting with the date and time that you specify and continues to be accepted indefinitely. You can replace an existing accept lifetime value by issuing the accept-lifetime command again and specifying new values.
Use the no form of this command to specify that the key is no longer to be accepted.
The following example establishes a lifetime acceptance of January 25, 2002 at one minute and one second after 4:00 a.m. The key continues to be accepted indefinitely:
[local]Redback(config-key-chain)#accept-lifetime 2002:01:25:04:01:01
The following example establishes a lifetime acceptance of January 25, 2002 at exactly midnight, and specifies that the key is to be accepted for 30 minutes (1800 seconds):
[local]Redback(config-key-chain)#accept-lifetime 2002:01:25:00:00 duration 1800
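The following Python block is an added example, not code from the Ericsson document, that evaluates accept-lifetime windows across a key chain and finds the moments at which no key would be accepted. The yyyy:mm:dd:hh:mm[:ss] timestamp format and the duration range are the ones documented above; the Key and AcceptLifetime model, the function names, and the gap check are assumptions. The two keys it builds are the two examples above plus a second key that starts accepting later.

```python
# Added example (not from the Ericsson document): evaluating key-chain
# accept-lifetime windows. The timestamp format and duration range follow
# the command reference; the data model and function names are my own.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_DURATION = 2_147_483_646  # upper bound of the duration argument


def parse_datetime(text: str) -> datetime:
    """Parse yyyy:mm:dd:hh:mm or yyyy:mm:dd:hh:mm:ss (seconds default to 0)."""
    parts = text.split(":")
    if len(parts) not in (5, 6):
        raise ValueError(f"bad timestamp {text!r}: expected yyyy:mm:dd:hh:mm[:ss]")
    fields = [int(p) for p in parts]
    if len(fields) == 5:
        fields.append(0)
    return datetime(*fields)


@dataclass(frozen=True)
class AcceptLifetime:
    start: datetime
    stop: Optional[datetime]  # None: accepted indefinitely

    @classmethod
    def from_cli(cls, start_text: str, duration: Optional[int] = None,
                 stop_text: Optional[str] = None, infinite: bool = False) -> "AcceptLifetime":
        """Build a lifetime from the command's arguments (at most one optional construct)."""
        chosen = [name for name, given in (("duration", duration is not None),
                                           ("stop-datetime", stop_text is not None),
                                           ("infinite", infinite)) if given]
        if len(chosen) > 1:
            raise ValueError(f"only one of duration, stop-datetime, infinite: got {chosen}")
        start = parse_datetime(start_text)
        if duration is not None:
            if not 1 <= duration <= MAX_DURATION:
                raise ValueError("duration must be 1 to 2,147,483,646 seconds")
            return cls(start, start + timedelta(seconds=duration))
        if stop_text is not None:
            stop = parse_datetime(stop_text)
            if stop <= start:
                raise ValueError("stop-datetime must be later than start-datetime")
            return cls(start, stop)
        return cls(start, None)  # 'infinite', or no optional construct at all

    def accepts(self, at: datetime) -> bool:
        return self.start <= at and (self.stop is None or at < self.stop)


@dataclass(frozen=True)
class Key:
    key_id: int
    accept: AcceptLifetime


def accepted_keys(chain: List[Key], at: datetime) -> List[int]:
    """IDs of the keys a received packet may be authenticated against at time 'at'."""
    return [k.key_id for k in chain if k.accept.accepts(at)]


def coverage_gaps(chain: List[Key], window_start: datetime,
                  window_end: datetime) -> List[Tuple[datetime, datetime]]:
    """Intervals inside [window_start, window_end) during which no key is accepted.

    A rotation that leaves such a gap rejects every peer's authenticated
    traffic for its duration; overlap the outgoing key's accept-lifetime
    with the incoming key's to avoid it.
    """
    points = {window_start, window_end}
    for k in chain:
        for t in (k.accept.start, k.accept.stop):
            if t is not None and window_start < t < window_end:
                points.add(t)
    ordered = sorted(points)
    gaps: List[Tuple[datetime, datetime]] = []
    for a, b in zip(ordered, ordered[1:]):
        if accepted_keys(chain, a):
            continue  # acceptance is constant on [a, b), so checking a suffices
        if gaps and gaps[-1][1] == a:
            gaps[-1] = (gaps[-1][0], b)  # extend the previous gap
        else:
            gaps.append((a, b))
    return gaps
```

Run against the two accept-lifetime examples above (key 1 accepted for 1800 seconds from midnight, key 2 accepted from 04:01:01), coverage_gaps reports the interval from 00:30 to 04:01:01 in which neither key is accepted; moving key 2's start to 00:20 closes it.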
access-group [acl-name] [ctx-name]
no access-group [acl-name] [ctx-name]
Applies a policy access control list (ACL) to a class-based policy (forward policy, Network Address Translation [NAT] policy, or quality of service [QoS] policy) and enters policy group configuration mode.
acl-name |
Optional. Name of the policy ACL created using the policy access-list command (in context configuration mode); required to apply or remove a static policy ACL. |
ctx-name |
Optional. Name of the context in which the policy ACL was created; required to apply or remove a static policy ACL to or from a forward or QoS policy. For a NAT policy, the context defaults to the context of the NAT policy. |
None
Use the access-group command to apply a policy ACL to a class-based policy (forward policy, NAT policy, or QoS policy) and enter policy group configuration mode.
If the class-based policy is Remote Authentication Dial-In User Service (RADIUS)-guided, the policy ACL can be dynamic or static:
If you include the acl-name argument, you must also include the ctx-name argument when you apply a static policy ACL to a forward policy or QoS policy. For a NAT policy, you need only enter the acl-name argument; the context defaults to the context of the NAT policy.
You can apply a dynamic policy ACL in addition to a static policy ACL. However, the static policy ACL takes precedence over the dynamic policy ACL.
Use the no form of this command to remove a static policy ACL from a specified policy.
To remove a policy ACL from a RADIUS-guided policy, you must delete the RADIUS-guided policy and then recreate it.
The following example applies the myacl policy ACL to the GE-in QoS policing policy. The myacl ACL has one class, voip, and packets in this class are marked with the Differentiated Service Code Point (DSCP) code af13:
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl local
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp af13
The following example applies the forward policy, RedirectPolicy, as specified by the rules in the policy ACL PBR_Redirect_ACL. The PBR_Redirect_ACL access group has one class, Web, and packets in this class are redirected to the next hop in the route at IP address 100.1.1.0:
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Redirect_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#redirect destination next-hop 100.1.1.0
access-group acg-name [count]
no access-group acg-name
Configures an IGMP profile to filter IGMP control messages that are received by an associated bridge so that nonmatching packets are not processed.
acg-name |
Access group whose messages you want to filter. |
count |
Enables counting of access-list matches. When counting is enabled, each incoming packet scans an associated access list for a pattern that matches the incoming packet. If a match occurs, the packet is counted. Use the show igmp snooping access-group command to display the count of access list matches for a particular group. |
IGMP control message filtering and access-list match counting are disabled, and every incoming packet is processed.
Use the access-group command to filter IGMP control messages that are received by an associated bridge so that nonmatching packets are not processed.
The optional count keyword enables access-list match counting. Use the show igmp snooping access-group command to display the count of access list matches for a particular group.
Use the no form of this command to disable IGMP control message filtering.
The following example shows how to configure IGMP message filtering in the sanjose1 IGMP snooping profile. Bridges that reference the sanjose1 IGMP profile filter received IGMP messages:
[local]Redback#configure
[local]Redback(config)#igmp snooping profile sanjose1
[local]Redback(config-igmp-snooping-profile)#access-group acl1
access-list {count counter-type | log ip}
no access-list {count counter-type | log ip}
Enables access control list (ACL) counters or logging for the default subscriber profile, this named subscriber profile, or this named subscriber record.
count counter-type |
ACL counter type, according to one of the following keywords:
|
log ip |
Enables logging of dropped counters for IP ACL. |
ACL counters are not enabled for any subscriber records or profiles.
Use the access-list command to enable ACL counters or logging for the default subscriber profile, this named subscriber profile, or this named subscriber record.
Use the no form of this command to disable ACL counters for the default subscriber profile, this named subscriber profile, or this named subscriber record.
The following example enables ACL IP counters for the default subscriber profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-list count ip
access-line access-node-id ani slotport slot/port
no access-line
Specifies the agent circuit ID that the system uses to match an incoming Access Node Control Protocol (ANCP) message to a digital subscriber line (DSL).
ani |
Access node identifier (ANI). Alphanumeric string. |
slotport slot/port |
Slot and port of the DSL access multiplexer (DSLAM). This string must not include any spaces. |
No agent circuit ID is specified for the circuit.
Use the access-line access-node-id command to specify the agent circuit ID that the system uses to match an incoming ANCP message to a DSL. This command identifies a unique configured agent circuit ID to be associated with an 802.1Q PVC or 802.1Q tunnel. The data contained in the message is applied to the circuit that matches the specified agent circuit ID. The agent circuit ID received from the DSLAM is either unformatted (a “blind string”) or it can conform to one of the formats specified in DSL Forum Specification TR-101, R-124, as follows:
In the formatted version, the ANI field is always a blind string that identifies the DSLAM ANI; the SmartEdge router stores but does not interpret this string, searching only for the space that terminates it. The slot/port field is also a blind string; the SmartEdge router searches for the colon (:) that terminates the field, discards the colon and the text that follows it, and stores the slot/port string that precedes the colon.
Use the ani argument to specify the DSLAM ANI portion of the agent circuit ID to which the incoming DSLAM ANIs are matched; use the slotport slot/port construct to specify the DSLAM slot and port. To match incoming agent circuit IDs, duplicate the incoming format used by the DSLAM.
The total number of characters in the values for the ani and slotport fields must be fewer than 63.
Use the no form of this command to specify the default condition.
The following examples of incoming DSLAM messages do not match; the reason is provided:
10.101.90.4/0.0.0.0 foo 3/2:bar | Invalid line type "foo"
10.101.90.4/0.0.0.0 atmxx 3/2:2.3 | Invalid line type "atmxx"
10.101.90.4/0.0.0.0atm 3/2:2.3 | No space before "atm"
10.101.90.4/0.0.0.0-atm 3/2:2.3 | "-" instead of space before "atm"
10.101.90.4/0.0.0.0 atm 3/2#2.3 | "#" instead of colon after the port
10.101.90.4/0.0.0.0 atm 3/2 2.3 | Space instead of colon after the port
10.101.90.4/0.0.0.0 atm 3/22 | Wrong port number
The following example specifies an agent circuit ID to which incoming DSLAM messages are matched:
[local]Redback(config-dot1q-pvc)#dot1q pvc 1:1 encapsulation pppoe
[local]Redback(config-dot1q-pvc)#access-line access-node-id 10.101.90.4/0.0.0.0 slotport 3/2
The following examples of incoming DSLAM messages match:
10.101.90.4/0.0.0.0 atm 3/2:2.3
10.101.90.4/0.0.0.0 eth 3/2:7
The following example specifies the agent circuit ID for the circuit tagged as pvc 200 with the profile pwfq. The PVC is a tunnel, as indicated by the encapsulation 1qtunnel keywords of the dot1q pvc command:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-dot1q-pvc)#dot1q pvc 200 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line access-node-id 10.101.80.3/0.0.0.0 slotport 3/2
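The following Python block is an added example, not code from the Ericsson document, that applies the matching rules described above to incoming agent circuit IDs: the ANI is a blind string ended by a space, the line type must be atm or eth, the slot/port field ends at a colon whose remainder is discarded, and the configured ani plus slotport must be fewer than 63 characters. The AccessNodeId class, the function names, and the wording of the reason strings are assumptions; the sample agent circuit IDs are the matching and non-matching messages listed above.

```python
# Added example (not from the Ericsson document): matching an incoming
# TR-101 formatted agent circuit ID against an access-line access-node-id
# configuration. Class and function names and reason strings are my own.
from dataclasses import dataclass
from typing import Optional, Tuple

LINE_TYPES = ("atm", "eth")
MAX_ANI_SLOTPORT_CHARS = 63  # ani plus slot/port must be fewer than this


@dataclass(frozen=True)
class AccessNodeId:
    """The ani and slotport values from access-line access-node-id."""
    ani: str
    slotport: str

    def __post_init__(self) -> None:
        if not self.ani or not self.slotport:
            raise ValueError("ani and slotport are both required")
        if " " in self.slotport:
            raise ValueError("slotport must not contain spaces")
        if len(self.ani) + len(self.slotport) >= MAX_ANI_SLOTPORT_CHARS:
            raise ValueError("ani plus slotport must be fewer than 63 characters")


def parse_agent_circuit_id(acid: str) -> Tuple[Optional[Tuple[str, str]], str]:
    """Split a formatted agent circuit ID into ((ani, slotport), reason).

    Returns (None, reason) when the string does not have the layout
    '<ani> <atm|eth> <slot>/<port>:<remainder>'.
    """
    ani, space, rest = acid.partition(" ")
    if not ani or not space:
        return None, "no space after the access node identifier"
    line_type, space, rest = rest.partition(" ")
    if line_type not in LINE_TYPES:
        for lt in LINE_TYPES:
            if ani.endswith(lt):
                return None, f"no space before {lt!r}"
        return None, f"invalid line type {line_type!r}"
    if not space or not rest:
        return None, "no slot/port after the line type"
    # slot/port ends at the first colon; the colon and what follows are discarded
    slotport, _, _ = rest.partition(":")
    if " " in slotport:
        return None, "space instead of colon after the port"
    return (ani, slotport), "parsed"


def matches(config: AccessNodeId, acid: str) -> Tuple[bool, str]:
    """True when the incoming agent circuit ID selects this configured circuit."""
    parsed, reason = parse_agent_circuit_id(acid)
    if parsed is None:
        return False, reason
    ani, slotport = parsed
    if ani != config.ani:
        return False, f"access node identifier {ani!r} does not match"
    if slotport != config.slotport:
        return False, f"slot/port {slotport!r} does not match {config.slotport!r}"
    return True, "match"
```

With the configuration access-line access-node-id 10.101.90.4/0.0.0.0 slotport 3/2, both messages in the matching list return a match and all seven in the non-matching list are rejected; the reason strings are worded differently from the table but the outcome is the same for every entry. A message whose slot/port field carries "#" or a second port digit simply fails the slot/port comparison, so a malformed ID never selects a circuit.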
access-line adjust {cvlan | subscriber}
no access-line adjust {cvlan | subscriber}
Overrides the rates specified by the quality of service (QoS) policies attached to this subscriber record, named profile, or the default profile with the rates learned from the digital subscriber line (DSL) access multiplexer (DSLAM).
cvlan |
Applies the rate learned from the DSLAM to the port, 802.1Q tunnel, or 802.1Q permanent virtual circuit (PVC) to which the QoS policy is attached. |
subscriber |
Applies rate information learned from the DSLAM to the subscriber circuit. This is the default. |
The rate learned from the DSLAM is applied to the subscriber circuit.
Use the access-line adjust command to override the rates specified by the QoS policies attached to this subscriber record, named profile, or the default profile with the rates learned from the DSLAM. The system applies the DSLAM rate.
Use the no form of this command to specify the default condition.
The following example overrides the rate specified by any QoS policy attached to the default subscriber profile:
[local]Redback(config)#context isp2
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-line adjust subscriber
access-line agent-circuit-id string
no access-line agent-circuit-id string
Specifies the agent circuit ID that the system uses to match an incoming ANCP message to a circuit.
dot1q PVC configuration
string |
Agent circuit ID. A text string with up to 63 printable characters; enclose the string in quotation marks (“ ”) if the string includes spaces. |
No agent circuit ID is specified for a DSL on this circuit. The SmartEdge router can learn this information from a Point-to-Point Protocol (PPP) over Ethernet (PPPoE) tag or a Dynamic Host Configuration Protocol (DHCP) option 82 tag.
Use the access-line agent-circuit-id command to specify the agent circuit ID that the system uses to match an ANCP message to a circuit, which can be either an 802.1Q PVC or 802.1Q tunnel. An incoming ANCP message contains an agent circuit ID. The data contained in this message is applied to the circuit that matches that agent circuit ID. The agent circuit ID received from the DSL access multiplexer (DSLAM) must match the text string exactly.
If the value learned from a subscriber session on this DSL differs from the configured value for the string argument, the system generates an error log message and uses the configured value.
Use the no form of this command to specify the default condition.
The following example specifies the agent circuit ID for all subscriber sessions:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id "dslam-10.1.1.1 dot1q 2/1:1:1"
The following example shows how to specify the agent circuit ID for the circuit tagged as pvc 100 with the profile pwfq. The PVC is a tunnel indicated by the specification of encapsulation 1qtunnel:
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id "10.2.1.1 eth 3/1:100"
access-line rate {in | out [metering | queuing]} [ancp]
no access-line rate {in | out}
Overrides the rates specified by the quality of service (QoS) policies attached to a subscriber session or 802.1Q VLAN with the rates learned from the neighbor peer (DSLAM) through Access Node Control Protocol (ANCP) or through Point-to-Point Protocol over Ethernet (PPPoE), Point-to-Point Protocol over ATM (PPPoA), or Dynamic Host Configuration Protocol (DHCP) TR-101 tags.
in |
Applies the inbound rate to the QoS policing policy attached to applicable subscribers sessions or 802.1q VLANs. |
out |
Applies the outbound rate to the outbound QoS policies attached to applicable subscribers sessions or 802.1q VLANs (QoS metering, queuing, or both policies). |
metering |
Specifies that the rate adjustment in the outbound direction is applied only to the QoS metering policies attached to the applicable circuit. |
queuing |
Specifies that the rate adjustment in the outbound direction is applied only to the QoS PWFQ policies attached to the applicable circuit. PWFQ is the only type of QoS queuing policy that currently supports learned rate adjustments. |
ancp |
Optional. Ignores any rate update information received through TR-101 tags and applies only rate updates learned through ANCP. |
The system does not use the learned rates to override the rates specified by the attached QoS policies.
In the subscriber configuration mode, use the access-line rate command to override the rates specified by the QoS policies attached to the applicable subscriber session(s) with the rates learned from the neighbor peer (DSLAM) through ANCP or TR-101 PPPoE, PPPoA, or DHCP tags.
In the subscriber and dot1q profile configuration modes, use the access-line rate out metering command to specify that the learned outbound line rate should only be used to override the rate of any QoS metering policy attached to the applicable circuit. In the subscriber and dot1q profile configuration modes, use the access-line rate out queuing command to specify that the learned outbound line rate should only be used to override the rate of any QoS PWFQ policy attached to the applicable circuit. If access-line rate out is specified without either the metering or queuing keyword, then the outbound rate adjustments are applied to both QoS metering and PWFQ policies of the applicable circuit.
When the same QoS rate of a circuit is subject to modification from both ANCP and a RADIUS VSA such as 196, 156, or 157, the lower of the last ANCP rate received and the relevant VSA rate is applied to the circuit.
In dot1q profile configuration mode, use the access-line rate command to override the rates specified by the QoS policies attached to a 802.1q VLAN circuit that is subject to the dot1q profile. This command overrides the rates specified by any applicable QoS policies with the learned rates from the neighbor peer (DSLAM).
If the parent circuit of the subscriber circuit has a QoS policy, then the learned rate can be applied to the QoS policy attached to the parent circuit by specifying the access-line adjust cvlan command. Otherwise, the learned rate is applied to the circuit with the associated circuit agent ID.
Use the no form of this command to disable use of learned rates to override the rates specified by the attached QoS policies.
The following example shows how to enable the system to use learned outbound rates to override any metering and PWFQ rates in the out direction for the isp1 subscriber profile in the access7 context, but only if the rate is learned from ANCP:
[local]Redback(config)#context access7
[local]Redback(config-ctx)#subscriber profile isp1
[local]Redback(config-sub)#access-line rate out ancp
The following example shows how to enable the system to use learned inbound rates to override any policing rate, and learned outbound rates to override any metering and PWFQ rates, for the 802.1Q PVCs subject to the dot1q profile named adjust_all:
[local]Redback(config-ctx)#dot1q profile adjust_all
[local]Redback(config-dot1q-profile)#access-line rate in
[local]Redback(config-dot1q-profile)#access-line rate out
The following example shows how to enable the system to use learned outbound rates to override the rates of any QoS PWFQ policies for the 802.1Q PVCs subject to the dot1q profile named adjust_pwfq:
[local]Redback(config-ctx)#dot1q profile adjust_pwfq
[local]Redback(config-dot1q-profile)#access-line rate out queuing
accounting {in | out} pol-type {variable-name | “class-name-1 [class-name-2]...”}
no accounting {in | out} pol-type {variable-name | “class-name-1 [class-name-2]...”}
Enables accounting for the specified policy and class.
in |
Enables accounting for traffic received by the SmartEdge router. |
out |
Enables accounting for traffic transmitted by the SmartEdge router. |
pol-type |
Type of policy for which accounting is enabled, according to one of the following keywords:
|
class-name-n |
Class name that you have specified in the policy. You can specify up to eight class names, separated by spaces. Double quotation marks (“ ”) must surround the string of one to eight class names. |
variable-name |
Specifies the variable name using the parameter value command that contains a reference to a dynamic class or classes that are specified in the profile. The $ symbol must be the first character of the variable name. |
Accounting is disabled for all policies and classes.
Use the accounting command to enable accounting for the specified policy and class.
Use the no form of this command to disable accounting for the specified policy and class.
The following example enables accounting for incoming traffic in the redirect class:
[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#accounting in fwd redirect
The following example enables accounting for incoming traffic in the dynamic_service profile. The $class_bearer variable, which is configured using the parameter command, contains references to the dynamic classes. In the following example, D1 and D2 are the names of the predefined classes:
[local]Redback(config-ctx)#radius service profile dynamic_service
[local]Redback(config-ctx)#parameter value %dynamic_class_qos_in "D1 D2"
[local]Redback(config-ctx)#parameter value %dynamic_class_qos_in
[local]Redback(config-svc-profile)#accounting qos in $class_bearer
active-timeout timeout-value
no active-timeout timeout-value
Configures the active timeout setting for flows that use the specified profile, in seconds.
flow IP profile configuration
timeout-value |
Configures the active timeout setting for long-lived flows, in seconds. If the idle timeout period has not already expired, a flow is considered complete (expired) when the active timeout period passes; a flow record is then created and exported to the Layer 2 cache. The range of values is 15 to 1800 seconds. |
The default timeout value is 1800 seconds (30 minutes).
Use the active-timeout command to configure the active timeout setting for flows that use this profile, in seconds.
A flow expires when either of the following occurs:
When a flow expires, a flow record is created and exported to the Layer 2 cache.
Use the no form of this command to return the active timeout value to the default setting of 1800 seconds.
The following example shows how to configure the active timeout to 1000 seconds for flows that use the profile c1:
[local]Redback#configure
[local]Redback(config)#flow ip profile c1
[local]Redback(config-flow-ip-profile)#active-timeout 1000
address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr | ip-addr/32 port-block start-port-block [to end-port-block]}
no address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr}
Assigns an IP address, a range of IP addresses, or an IP address with one or more blocks of Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports to the Network Address Translation (NAT) pool.
NAT pool configuration
ip-addr netmask |
IP address and subnet mask. |
ip-addr/prefix-length |
IP address and prefix length. |
start-ip-addr to end-ip-addr |
Starting IP address to ending IP address. |
ip-addr/32 |
IP address and prefix length when specifying one or more blocks of TCP/UDP port numbers. |
port-block start-port-block |
Starting port block number. The range of values is 0 to 15. |
to end-port-block |
Optional. Ending port-block number. If not entered, assigns only the TCP/UDP port numbers in the port block specified by the start-port-block argument. The range of values is 1 to 15. |
All TCP/UDP port numbers for the IP address are assigned to the NAT pool.
Use the address command to assign the IP address and subnet mask, a range of IP addresses, or an IP address with a range of TCP/UDP ports that will be included in the NAT pool. The TCP/UDP port number space is divided into 16 blocks. Each block contains 4,096 sequential numbers. Blocks are numbered from 0 to 15. If you specify one or more blocks of TCP/UDP ports, you must specify 32 as the prefix length.
You can enter this command multiple times to assign multiple IP addresses, ranges of IP addresses, and an IP address with TCP/UDP port blocks to a NAT pool.
Use the no form of this command to remove IP addresses from the NAT pool. If you enter the no form with an IP address that was configured with the port-block keyword, the IP address and all its configured port blocks are removed from the NAT pool.
The following example configures the NAT pool, NAT-1, and fills the pool with the IP address, 171.71.71.1, with all its TCP/UDP ports and the IP address, 171.71.72.2, with port blocks 1 to 3:
[local]Redback(config)#context ISP
[local]Redback(config-ctx)#ip nat pool NAT-1 napt
[local]Redback(config-nat-pool)#address 171.71.71.1/32
[local]Redback(config-nat-pool)#address 171.71.72.2/32 port-block 1 to 3
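The port-block arithmetic behind the address command (16 blocks of 4,096 ports, /32 required), as an added Python example that is not SmartEdge code. It maps block numbers to port ranges, validates the port-block form of the command against the constraints stated above, and totals the usable port space of the NAT-1 pool from the example; the argument encoding is this example's own.

```python
"""Added illustration of the NAT pool `address` port-block rules (not
SmartEdge code). The 65,536 TCP/UDP ports are split into 16 blocks of 4,096
sequential ports numbered 0 to 15, and a port-block entry needs a /32 prefix.
"""
import ipaddress

PORTS_PER_BLOCK = 4096
BLOCK_COUNT = 16                       # blocks 0-15 cover ports 0-65535


def port_block_range(block):
    """Return (first_port, last_port) covered by port block `block`."""
    if not 0 <= block < BLOCK_COUNT:
        raise ValueError(f"port block {block} outside 0-{BLOCK_COUNT - 1}")
    first = block * PORTS_PER_BLOCK
    return first, first + PORTS_PER_BLOCK - 1


def port_block_of(port):
    """Return the block number that contains TCP/UDP port `port`."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0-65535")
    return port // PORTS_PER_BLOCK


def parse_address(args):
    """Parse the argument string of one `address` line and return
    (network, blocks); blocks is None when every port of each address is
    assigned. Enforces the reference's constraints for the port-block form:
    /32 only, start 0-15, end 1-15 and not below start. Only the
    prefix-length forms are handled; netmask and `to` address ranges are not."""
    tokens = args.split()
    net = ipaddress.ip_network(tokens[0], strict=True)
    if len(tokens) == 1:
        return net, None
    if tokens[1] != "port-block" or len(tokens) not in (3, 5):
        raise ValueError("expected: ip-addr/32 port-block start [to end]")
    if net.prefixlen != 32:
        raise ValueError("port-block requires a /32 prefix length")
    start = int(tokens[2])
    if not 0 <= start <= 15:
        raise ValueError("start-port-block must be 0-15")
    end = start
    if len(tokens) == 5:
        if tokens[3] != "to":
            raise ValueError("expected 'to end-port-block'")
        end = int(tokens[4])
        if not 1 <= end <= 15 or end < start:
            raise ValueError("end-port-block must be 1-15 and not below start")
    return net, list(range(start, end + 1))


def pool_port_space(address_lines):
    """Return {ip: number of usable ports} for a NAPT pool built from the
    given `address` lines, making the translation capacity per address visible."""
    space = {}
    for line in address_lines:
        net, blocks = parse_address(line)
        for addr in net:
            if blocks is None:
                ports = 65536
            else:
                ports = sum(hi - lo + 1 for lo, hi in map(port_block_range, blocks))
            space[str(addr)] = space.get(str(addr), 0) + ports
    return space


# The two address lines of the NAT-1 example in the reference.
NAT_1 = ["171.71.71.1/32", "171.71.72.2/32 port-block 1 to 3"]

if __name__ == "__main__":
    for ip, count in pool_port_space(NAT_1).items():
        print(f"{ip}: {count} ports")
    lo, hi = port_block_range(3)
    print(f"block 3 = ports {lo}-{hi}")
```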
address-family {ipv4 {unicast | multicast} | ipv6 unicast }
no address-family {ipv4 {unicast | multicast} | ipv6 unicast}
Configures multitopology Intermediate System-to-Intermediate System (IS-IS) routing.
When entered in IS-IS router configuration mode, enables an address family for the IS-IS instance and enters IS-IS address family configuration mode.
When entered in IS-IS interface configuration mode, enables an address family for the IS-IS interface and enters IS-IS interface address family configuration mode.
ipv4 |
Specifies the IP Version 4 (IPv4) address family. |
unicast |
Specifies the unicast subfamily to enable unicast topology. Disables the unicast topology when used in the no form of this command. |
multicast |
Specifies the multicast subfamily to enable multicast topology. Disables the multicast topology when used in the no form of this command. Not available with the ipv6 keyword. |
ipv6 |
Specifies the IP Version 6 (IPv6) address family. |
When an IS-IS instance is created, the IPv4 unicast address family is enabled on the IS-IS instance. IPv4 multicast and IPv6 address families are disabled.
When IS-IS is enabled on an interface, the IPv4 unicast address family is enabled on the interface. IPv4 multicast and IPv6 address families are disabled.
Use the address-family command to configure multitopology IS-IS routing. Enter this command in IS-IS interface configuration mode to enable an address family on an interface; enter it in IS-IS router configuration mode to enable an address family on an instance. Before an interface can participate in the routing for an address family, that address family must be enabled for both the instance and interface.
The multitopology IS-IS feature can generate multiple address families (topologies) for IS-IS; for example, it can enable one for an IPv4 unicast network, one for an IPv4 multicast network, and one for an IPv6 unicast network. Enter this command multiple times on a single interface or instance to create different topologies.
Multitopology IS-IS routing is useful when multiple address families are needed; for example, the reverse path forwarding (RPF) checks used by the IPv4 multicast routing protocol can use its own Interior Gateway Protocol (IGP) routing table instead of using the IPv4 unicast routing table.
The SmartEdge router supports IPv6 IS-IS routing in multitopology mode only. If you enable the IPv6 address family using this command and have any routers in the area operating in single-topology mode, use the multi-topology transition command (in IS-IS address family configuration mode) to maintain IPv6 connectivity until all routers in the area are upgraded to multitopology mode.
For more information on multitopology IS-IS, see the Internet Draft, M-ISIS: Multi Topology Routing in IS-IS, draft-ietf-isis-wg-multi-topology-06.txt.
Use the no form of this command in IS-IS interface configuration mode to disable an address family on an IS-IS interface.
Use the no form of this command in IS-IS router configuration mode to disable an address family on an IS-IS instance.
The following example enables the IPv4 unicast and IPv4 multicast address families in the IS-IS instance isis1, enables the IPv4 unicast and IPv4 multicast address families on the fa4/1 interface, enables the IPv4 unicast address family only on the fa4/2 interface, and enables IPv4 multicast only on the fa4/3 interface:
[local]Redback(config-ctx)#router isis isis1
[local]Redback(config-isis)#address-family ipv4 unicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#address-family ipv4 multicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#interface fa4/1
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#address-family ipv4 multicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/2
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/3
[local]Redback(config-isis-if)#no address-family ipv4 unicast
[local]Redback(config-isis-if)#address-family ipv4 multicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
The following example shows how to enable the IPv4 unicast and IPv6 unicast address families in the isis2 IS-IS instance, IPv4 unicast and IPv6 unicast address families on the fa4/1 interface, IPv4 unicast address family only on the fa4/2 interface, and IPv6 unicast only on the fa4/3 interface:
[local]Redback(config-ctx)#router isis isis2
[local]Redback(config-isis)#address-family ipv4 unicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#address-family ipv6 unicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#interface fa4/1
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#address-family ipv6 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/2
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/3
[local]Redback(config-isis-if)#no address-family ipv4 unicast
[local]Redback(config-isis-if)#address-family ipv6 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
address-family ipv4 {multicast | unicast}
no address-family ipv4 {multicast | unicast}
When entered in BGP router configuration mode, specifies the use of standard IP Version 4 (IPv4) multicast or unicast address prefixes for the Border Gateway Protocol (BGP) routing instance and enters BGP address family configuration mode.
When entered in BGP neighbor configuration mode, this command specifies the use of IPv4 multicast or unicast address prefixes for the specified BGP neighbor, and enters BGP neighbor address family configuration mode.
When entered in BGP peer group configuration mode, this command specifies the use of IPv4 multicast or unicast address prefixes for the specified BGP peer group, and enters BGP peer group address family configuration mode.
multicast |
Specifies multicast address prefixes. |
unicast |
Specifies unicast address prefixes. |
When entered in BGP router configuration mode, this command has no default setting.
When entered in BGP neighbor configuration mode or BGP peer group configuration mode, address prefixes are set to IPv4 multicast.
Use the address-family ipv4 command in BGP router configuration mode to specify the use of standard IPv4 unicast or multicast address prefixes for the BGP routing instance, and to enter BGP address family configuration mode. The aggregate-address, dampening, flap-statistics, network, and redistribute commands are available in BGP address family configuration mode. Routes are sent to BGP neighbors that have corresponding address family attributes.
Use the address-family ipv4 command in BGP neighbor configuration mode to specify the use of IPv4 unicast or multicast address prefixes for the BGP neighbor, and to enter BGP neighbor address family configuration mode. The commands that configure the routing policies used with neighbors, as-path-list, default-originate, prefix-list, maximum prefix, remove-private-as, route-map, and route-reflector-client, are available in BGP neighbor address family configuration mode. To establish a BGP session, you must configure a neighbor with corresponding address family attributes.
Use the address-family ipv4 command in BGP peer group configuration mode to specify the use of IPv4 multicast or unicast address prefixes, and to enter BGP peer group address family configuration mode. The commands that configure routing policies used with members of a peer group, as-path-list, default-originate, prefix-list, maximum prefix, remove-private-as, and route-map, are available in BGP peer group address family configuration mode.
Use the no form of this command to remove BGP address family attributes for the specified BGP instance or neighbor.
The following example illustrates the BGP routing process running in autonomous system 100. In this example, the network 20.0.0.0/8 advertises BGP routing updates which are sent in unicast mode, while Open Shortest Path First (OSPF) routes are redistributed into the BGP routing domain as multicast routes. The SmartEdge router is a unicast BGP peer with the neighbor at IP address 102.210.210.1 and is a multicast peer with the neighbor at IP address 68.68.68.68. Inbound prefix list pref1 and outbound route map map2 are applied in unicast mode to the neighbor at IP address 102.210.210.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 100
[local]Redback(config-bgp)#address-family ipv4 unicast
[local]Redback(config-bgp-af)#network 20.0.0.0/8
[local]Redback(config-bgp-af)#exit
[local]Redback(config-bgp)#address-family ipv4 multicast
[local]Redback(config-bgp-af)#redistribute ospf 100
[local]Redback(config-bgp-af)#exit
[local]Redback(config-bgp)#neighbor 102.210.210.1 external
[local]Redback(config-bgp-neighbor)#address-family ipv4 unicast
[local]Redback(config-bgp-peer-af)#prefix-list pref1 in
[local]Redback(config-bgp-peer-af)#route-map map2 out
[local]Redback(config-bgp-peer-af)#exit
[local]Redback(config-bgp-neighbor)#exit
[local]Redback(config-bgp)#neighbor 68.68.68.68 external
[local]Redback(config-bgp-neighbor)#remote-as 300
[local]Redback(config-bgp-neighbor)#address-family ipv4 multicast
address-family ipv4 vpn
When entered in BGP router configuration mode, enables Virtual Private Network (VPN)-IP Version 4 (IPv4) prefixes for a Border Gateway Protocol (BGP) routing instance and enters BGP address family configuration mode.
When entered in BGP neighbor configuration mode, enables VPN-IPv4 prefixes for a specified BGP neighbor and enters BGP neighbor address family configuration mode.
When entered in BGP peer group configuration mode, enables VPN-IPv4 prefixes for a specified BGP peer group and enters BGP peer group address family configuration mode.
This command has no keywords or arguments.
None
Use the address-family ipv4 vpn command in BGP configuration mode to specify the use of VPN-IPv4 prefixes for a BGP routing instance, and to enter BGP address family configuration mode.
Use the address-family ipv4 vpn command in BGP neighbor configuration mode to specify the use of VPN-IPv4 prefixes for a BGP neighbor in an internal BGP (iBGP) session, and to enter BGP neighbor address family configuration mode.
Use the address-family ipv4 vpn command in BGP peer group configuration mode to specify the use of VPN-IPv4 prefixes for a specified BGP peer group, and to enter BGP peer group address family configuration mode.
The following example specifies the use of route flap statistics collection for VPN-IPv4 prefixes, and enables the address family for the BGP neighbor, 102.210.210.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 100
[local]Redback(config-bgp)#address-family ipv4 vpn
[local]Redback(config-bgp-af)#flap-statistics
[local]Redback(config-bgp-af)#exit
[local]Redback(config-bgp)#neighbor 102.210.210.1 internal
[local]Redback(config-bgp-neighbor)#address-family ipv4 vpn
address-family ipv6 unicast
no address-family ipv6 unicast
When entered in BGP router configuration mode, specifies the use of IP Version 6 (IPv6) unicast address prefixes for the Border Gateway Protocol (BGP) routing instance and enters BGP address family configuration mode.
When entered in BGP neighbor configuration mode, specifies the use of IPv6 unicast address prefixes for the specified BGP neighbor, and enters BGP neighbor address family configuration mode.
When entered in BGP peer group configuration mode, specifies the use of IPv6 unicast address prefixes for the specified BGP peer group, and enters BGP peer group address family configuration mode.
This command has no keywords or arguments.
When entered in BGP router configuration mode, this command has no default setting.
When entered in BGP neighbor configuration mode or BGP peer group configuration mode, address prefixes are set to IPv6 unicast.
Use the address-family ipv6 unicast command in BGP router configuration mode to specify the use of standard IPv6 unicast address prefixes for the BGP routing instance, and to enter BGP address family configuration mode. Routes are sent to BGP neighbors that have corresponding address family attributes.
Use the address-family ipv6 unicast command in BGP neighbor configuration mode to specify the use of IPv6 unicast address prefixes for the BGP neighbor, and to enter BGP neighbor address family configuration mode. To establish a BGP session, you must configure a neighbor with corresponding address family attributes.
Use the address-family ipv6 unicast command in BGP peer group configuration mode to specify the use of IPv6 unicast address prefixes, and to enter BGP peer group address family configuration mode.
Use the no form of this command to remove BGP address family attributes for the specified BGP instance or neighbor.
The following example illustrates the BGP routing process running in autonomous system 100. In this example, the network, AF26:3344:ADF7:77B5::2000/128, advertises BGP routing updates that are sent in IPv6 unicast mode:
[local]PE1(config)#context local
[local]PE1(config-ctx)#router bgp 100
[local]PE1(config-bgp)#neighbor 10.10.10.2 internal
[local]PE1(config-bgp-neighbor)#address-family ipv6 unicast
[local]PE1(config-bgp-neighbor)#end
address-family ipv6 vpn
no address-family ipv6 vpn
Enables the transport of labeled IPv6 VPN routes over an IPv4 network on a BGP neighbor.
This command has no keywords or arguments.
The IPv6 VPN address-family is disabled for BGP routes.
Use the address-family ipv6 vpn command to enable the transport of labeled IPv6 VPN routes over an IPv4 network on a BGP neighbor.
Use the no form of this command to disable the transport of labeled IPv6 VPN routes over an IPv4 network on a BGP neighbor.
The following example enables the transport of labeled IPv6 VPN routes over an IPv4 network on an internal neighbor with IP address 10.10.10.2. First, the transport of IPv6 routes over the MPLS IPv4 network is enabled:
[local]PE1(config)#context local
[local]PE1(config-ctx)#router bgp 100
[local]PE1(config-bgp)#address-family ipv6 vpn
[local]PE1(config-bgp)#end
Next, the IPv6 VPN address family is enabled for the BGP neighbor:
[local]PE1(config)#context local
[local]PE1(config-ctx)#router bgp 100
[local]PE1(config-bgp)#neighbor 10.10.10.2 internal
[local]PE1(config-bgp-neighbor)#address-family ipv6 vpn
[local]PE1(config-bgp-neighbor)#end
admin-access-group “acl-name1 acl-name2 acl-name3...” in [count] [log]
no admin-access-group {“ ” | “acl-name1 acl-name2 acl-name3...”} in [count] [log]
Applies access control to all inbound packets delivered to the kernel, regardless of the interface through which packets are received.
context configuration
acl-name |
Name of the IP ACL being applied. You can configure up to ten ACL names in one administrative access group list. You must enclose multiple ACL names in quotation marks and separate ACL names with one or more spaces. Each IP ACL name can be up to 39 alphanumeric characters long. However, ensure that the total number of characters for all ACL names referenced in the access group does not exceed 255. If you want to use ten ACLs, create names that are 24 or fewer characters long. A colon (:) is not allowed in ACL names. |
in |
Specifies that the IP ACL is to be applied to incoming packets. |
count |
Optional. Enables ACL packet counting. |
log |
Optional. Enables ACL packet logging. |
No administrative access control is applied.
Use the admin-access-group command to apply access control to all inbound packets delivered to the kernel, regardless of the interface through which packets are received. This is referred to as administrative access control and is used with IP ACLs only.
If you configure multiple ACLs in an IP access group, the SmartEdge router applies the ACLs in the order they appear within the access group to produce a specific filtering behavior. The SmartEdge router appends an implicit deny ip any any rule after all configured rules are applied.
Caution! Risk of security breach. Administrative access control is context-specific. To ensure that all inbound packets are filtered before being delivered to the kernel, you must apply an administrative ACL to each context that is configured.
When you use the count keyword, the system keeps track of the number of packet matches that occur. When you use the log keyword, the system keeps track of the number of packets that were denied as a result of the ACL. Count and log information is displayed in the output of the show access-group command.
Caution! Risk of system performance impact. By default, counting and logging of packets is disabled because these functions have an impact on system performance. To reduce the risk, we recommend that you only enable logging or counting when required for diagnostic purposes.
Use the no form of this command to remove the application of an ACL to traffic inbound to the kernel. Enter empty quotation marks (“ ”) to remove all associated ACL names. If you want to delete one or more (but not all) ACLs, enter their names in quotation marks.
The following example applies the test_2 and filter_3 ACLs to inbound traffic for the local context:
[local]Redback(config-ctx)#admin-access-group “test_2 filter_3” in count log
The following example removes all ACLs from the administrative access group for the local context:
[local]Redback(config-ctx)#no admin-access-group “ ” in count log
The following example removes the ACL ktraffic from the administrative access group for the local context:
[local]Redback(config-ctx)#no admin-access-group “ktraffic” in
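The two rules above that matter most when reviewing an administrative access group, as an added Python example that is not SmartEdge code: the limits on the quoted ACL-name list (ten names, 39 characters each, 255 in total, no colon) and the filtering order (ACLs applied in list order, first match wins, implicit deny ip any any at the end), with the count and log tallies kept the way the text describes them. The ACL rule encoding, the sample ACLs named test_2 and filter_3, and the packets are constructed for this example; underscores and hyphens are accepted in names because the page's own examples use them.

```python
"""Added illustration of admin-access-group semantics (not SmartEdge code):
ACL-list validation, ordered evaluation and the implicit deny, plus the
count (matches) and log (denied packets) tallies shown by show access-group.
"""
from dataclasses import dataclass
import ipaddress
import re

QUOTES = '"\u201c\u201d'                           # straight and curly quotation marks
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,39}$")     # alphanumeric plus '_' and '-' (assumption)


def parse_acl_list(quoted):
    """Return the ACL names in the quoted list, enforcing the stated limits.
    An empty list (“ ”) is the form `no admin-access-group` uses to remove all."""
    q = quoted.strip()
    if len(q) < 2 or q[0] not in QUOTES or q[-1] not in QUOTES:
        raise ValueError("ACL names must be enclosed in quotation marks")
    names = q[1:-1].split()
    if len(names) > 10:
        raise ValueError("at most ten ACL names in one administrative access group")
    if len(" ".join(names)) > 255:              # spaces counted, hence the 24-character advice
        raise ValueError("ACL name list exceeds 255 characters")
    for name in names:
        if ":" in name:
            raise ValueError(f"colon not allowed in ACL name {name!r}")
        if not NAME_RE.match(name):
            raise ValueError(f"ACL name {name!r} is not 1-39 alphanumeric characters")
    return names


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any), "tcp", "udp" or "icmp"
    src: str               # prefix, or "any"
    dst: str               # prefix, or "any"
    dport: int = None      # None matches any destination port

    def matches(self, pkt):
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst)
                and (self.dport is None or pkt.get("dport") == self.dport))


class AdminAccessGroup:
    """Filter for packets delivered to the kernel in one context."""

    def __init__(self, quoted_names, acls, count=False, log=False):
        self.names = parse_acl_list(quoted_names)
        missing = [n for n in self.names if n not in acls]
        if missing:
            raise ValueError(f"undefined ACLs: {missing}")
        self.acls, self.count, self.log = acls, count, log
        self.matches = 0     # count keyword: packets that matched a configured rule
        self.denied = 0      # log keyword: packets denied, explicitly or implicitly

    def filter(self, pkt):
        """Return (action, deciding ACL) for one packet addressed to the kernel."""
        for name in self.names:                 # ACLs in the order listed
            for rule in self.acls[name]:        # first matching rule decides
                if rule.matches(pkt):
                    if self.count:
                        self.matches += 1
                    if self.log and rule.action == "deny":
                        self.denied += 1
                    return rule.action, name
        if self.log:                            # appended implicit deny ip any any
            self.denied += 1
        return "deny", "implicit deny ip any any"


# Constructed ACLs: management SSH and SNMP only from 10.1.0.0/24, ICMP from anywhere.
SAMPLE_ACLS = {
    "test_2": [Rule("permit", "tcp", "10.1.0.0/24", "any", 22),
               Rule("deny", "tcp", "any", "any", 22)],
    "filter_3": [Rule("permit", "icmp", "any", "any"),
                 Rule("permit", "udp", "10.1.0.0/24", "any", 161)],
}


def run_sample():
    """Apply the reference's `admin-access-group "test_2 filter_3" in count log`
    to four constructed packets; returns (decisions, match count, deny count)."""
    grp = AdminAccessGroup('"test_2 filter_3"', SAMPLE_ACLS, count=True, log=True)
    pkts = [
        {"proto": "tcp", "src": "10.1.0.7", "dst": "10.1.0.1", "dport": 22},      # permit, test_2
        {"proto": "tcp", "src": "198.51.100.9", "dst": "10.1.0.1", "dport": 22},  # deny, test_2
        {"proto": "icmp", "src": "198.51.100.9", "dst": "10.1.0.1"},              # permit, filter_3
        {"proto": "tcp", "src": "10.1.0.7", "dst": "10.1.0.1", "dport": 23},      # implicit deny
    ]
    return [grp.filter(p) for p in pkts], grp.matches, grp.denied
```

The last packet shows why the ordering caution matters: nothing in either ACL mentions Telnet, so it is caught only by the implicit deny that the router appends after the last configured rule.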
To specify inclusion and exclusion criteria for traffic engineering (TE) link administrative groups, use the following syntax in Resource Reservation Protocol (RSVP) constraint configuration mode:
admin-group {exclude | include-any | include-all} attribute-name
no admin-group
To specify an interface on which administrative groups are valid on your label-switched path (LSP), use the following syntax in RSVP interface configuration mode:
admin-group attribute-name
no admin-group
In RSVP constraint configuration mode, specifies inclusion and exclusion criteria for TE link administrative groups during Constraint Shortest Path First (CSPF) calculation. In RSVP interface configuration mode, specifies an interface on which administrative groups are valid on the LSP.
exclude |
Defines an administrative group to be excluded from the LSP. |
include-any |
Defines an administrative group to be included in the LSP if it contains any of the attributes in the set. |
include-all |
Defines an administrative group to be included in the LSP if it contains all of the attributes in the set. |
attribute-name |
Administrative group that is defined typically by a color. |
No administrative group attribute is associated with a constraint or an interface.
In RSVP constraint configuration mode, use the admin-group command to specify inclusion and exclusion criteria for TE link administrative groups. Any link that is present in both the exclude and include lists is excluded from the include list before the Shortest Path First (SPF) calculation is applied. For example, if you specify link 10.1.1.1 in both an exclude and an include list, the CSPF algorithm excludes the link 10.1.1.1 before the SPF calculation is applied.
In RSVP interface configuration mode, use the admin-group command to specify an interface on which administrative groups are valid on the LSP. You first specify link attributes using the attribute command (in link-attribute configuration mode) before you configure your administrative group.
With CSPF, you configure administrative groups that are associated with an LSP. You typically use link colors as values when configuring administrative groups. Each value is associated with a specific class that you define. You can define up to 32 link attributes: 32 values (0 to 31). The path names and their corresponding values must be the same on all routers within a single Multiprotocol Label Switching (MPLS) TE domain.
Use the no form of this command to remove the administrative group from a constraint or an interface.
The following example shows how to specify that the administrative group red be included in the LSP in RSVP constraint configuration mode:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#router rsvp
[local]Redback(config-rsvp)#constraint constraint1
[local]Redback(config-rsvp-constr)#admin-group include red
The following example shows how to specify which administrative groups are valid on the LSP:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#router rsvp
[local]Redback(config-rsvp)#interface interface1
[local]Redback(config-rsvp-if)#admin-group red
administrator admin-name [{encrypted 1 password} | {password password}]
no administrator admin-name
Creates an administrator logon account, or selects an existing one for modification, and enters administrator configuration mode.
context configuration
admin-name |
Alphanumeric string representing a new or existing administrator. |
encrypted 1 password |
Optional. Alphanumeric string representing an encrypted type 1 password for the administrator account. Required only when configuring a new administrator account. |
password password |
Optional. Alphanumeric string representing an unencrypted password for the administrator account. Required only when configuring a new administrator account. |
No administrator accounts are defined.
Use the administrator command to create an administrator logon account, or select an existing one for modification, and enter administrator configuration mode. When creating a new administrator account, you must specify a password using either the encrypted 1 password or password password construct. When specifying an existing administrator account, a password is not required.
This command also secures the console port and enables remote access to the system. Administrators can log on directly to the console, or through a Telnet or Secure Shell (SSH) session.
You can enter an unencrypted password with embedded spaces by enclosing the entire password in double quotation marks; for example, "This is a Password with Spaces".
When the system generates the configuration, all administrator passwords are encrypted. Passwords are never displayed in readable text.
Use the no form of this command to remove the specified administrator account.
The following example configures an administrator with an administrator name of admin1 and a password of supersecret:
[local]Redback(config-ctx)#administrator admin1 password supersecret
[local]Redback(config-administrator)#
admission-control {icmp | tcp | udp}
no admission-control {icmp | tcp | udp}
Enables or disables session limit control for the specified protocol.
icmp |
Specifies the Internet Control Message Protocol (ICMP) as the protocol for which session limit control is to be enabled. |
tcp |
Specifies the Transmission Control Protocol (TCP) as the protocol for which session limit control is to be enabled. |
udp |
Specifies the User Datagram Protocol (UDP) as the protocol for which session limit control is to be enabled. |
Session limit control is disabled for this access control list (ACL) class.
Use the admission-control command to enable session limit control for the specified protocol. Session limit control applies only to this ACL class in this Network Address Translation (NAT) policy. You can use this command only when the action in the class is either ignore or pool, and the pool is a Network Address Port Translation (NAPT) pool.
Use the no form of this command to disable session limit control.
The following example enables TCP session limit control for the default ACL class in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#admission-control tcp
The following example enables TCP session limit control for CLASS3 in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp
advertise ip-addr [interval seconds] [node-group group-name] [port node-discovery-port-num]
no advertise ip-addr
Enables the SmartEdge router to send advertisement packets to the NetOp Element Management System (EMS) server.
ip-addr |
IP address of the NetOp EMS server. |
interval seconds |
Optional. Interval, in seconds, between sending advertising packets. The range of values is 10 to 86,400 (24 hours); the default value is 60. |
node-group group-name |
Optional. Text string identifying the group to which the SmartEdge router is to be assigned. If not specified, no group assignment is made. |
port node-discovery-port-num |
Optional. Port number on the NetOp EMS server that is used to listen for node advertisement packets. The range is 1 to 65,535; the default value is 6,580. |
No advertisement packets are sent by the SmartEdge router.
Use the advertise command to enable the sending of advertisement packets to the NetOp EMS server from the SmartEdge router. The receipt of an advertise packet allows the NetOp EMS server to auto-discover the SmartEdge router.
The SmartEdge router sends advertise packets at the specified interval. When the NetOp EMS server receives an advertise packet, the NetOp EMS server connects to the SmartEdge router, which then stops sending advertise packets. If the SmartEdge router loses communication with the NetOp EMS server, the SmartEdge router starts sending advertise packets again, unless the administrator enters the no form of this command.
By default, the hostname of each SmartEdge router is “Redback,” and this is the node name that is sent in the advertisement packet. To specify a different node name in the advertisement packet, use the system hostname command in global configuration mode.
Use the node-group group-name construct to specify a group to which the SmartEdge router is to be assigned. If you do not specify a group, then the SmartEdge router is added to the NetOp inventory database.
If the port is not the default, use the port node-discovery-port-num construct to specify the port on the NetOp EMS server that listens for Discovery packets. This port is not the port on the NetOp EMS server that connects to the SmartEdge router.
Use the no form of this command to disable the sending of advertising packets.
The following example enables communication with the NetOp EMS server and sends an advertising packet every 45 seconds:
[local]Redback(config)#netop
[local]Redback(config-netop)#advertise 10.1.1.1 interval 45 node-group G10 port 6080
advertise-interval {interval | millisecond interval}
{no | default} advertise-interval
Configures the interval at which Virtual Router Redundancy Protocol (VRRP) advertisements are sent out from the specified interface.
VRRP configuration
interval |
Amount of time, in seconds, between VRRP advertisements. The range of values is 1 to 254; the default value is 1. |
millisecond interval |
Amount of time, in milliseconds, between VRRP advertisements. The range of values is 100 to 999. This construct is supported for IPv4 only. |
VRRP advertisements are sent out every second.
Use the advertise-interval command to determine the frequency of VRRP advertisements sent from the specified interface. This command is useful for troubleshooting misconfigured routers.
VRRP fast advertisement (using the millisecond interval construct) is supported for IPv4 only. If millisecond granularity is configured, VRRP authentication is not supported.
Use the no or default form of this command to return the interval to its default value of 1.
The following example configures the interface, eth0, to send VRRP advertisements every 20 seconds:
[local]Redback(config)#interface eth0
[local]Redback(config-if)#vrrp 1 owner
[local]Redback(config-vrrp)#advertise-interval 20
advertise max-interval max-int
no advertise max-interval max-int
Specifies the maximum interval between advertisement messages sent by the foreign-agent (FA) instance to the mobile nodes (MNs).
max-int |
Maximum interval (in seconds) between advertisement messages. The range of values is 4 to 1800 seconds; the default value is 600 seconds (10 minutes). |
The maximum interval between advertisement messages is 600 seconds.
Use the advertise max-interval command to specify the maximum interval between advertisement messages sent by the FA instance or HA instance to the mobile nodes.
Use the no form of this command to specify the default condition.
The following example specifies 300 seconds as the maximum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-interval 300
advertise max-lifetime max-life
no advertise max-lifetime max-life
Specifies the maximum amount of time that an advertisement message sent by the foreign-agent (FA) instance to the mobile node (MN) is valid in the absence of further advertisement messages.
max-lifetime max-life |
Amount of time (in seconds) that an advertisement message is valid in the absence of further advertisement messages. The minimum value equals the value of the max-int argument set by the advertise max-interval command (in Mobile IP interface configuration mode); the maximum value is 9000 seconds (150 minutes). The default value is three times the value of the max-int argument set by the advertise max-interval command. |
The maximum advertisement lifetime is three times the value of the max-int argument set by the advertise max-interval command.
Use the advertise max-lifetime command to specify the maximum amount of time that an advertisement message sent by the FA instance or HA instance to the mobile node is valid in the absence of further advertisement messages.
Use the no form of this command to specify the default condition.
The following example specifies 900 seconds as the maximum lifetime of an advertisement message:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-lifetime 900
advertise min-interval min-int
no advertise min-interval min-int
Specifies the minimum interval between advertisement messages sent by the foreign-agent (FA) instance to the mobile node (MN).
min-int |
Minimum interval (in seconds) between advertisement messages. The range of values is 3 to 1800 seconds; the default value is 0.75 times the value of the max-int argument for the advertise max-interval command (in Mobile IP interface configuration mode). |
The minimum advertisement interval is 0.75 times the value of the max-int argument for the advertise max-interval command.
Use the advertise min-interval command to specify the minimum interval between advertisement messages sent by the FA instance or HA instance to the mobile node.
Use the no form of this command to specify the default condition.
The following example specifies 200 seconds as the minimum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise min-interval 200
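The three advertise timers above are coupled (the min-interval and max-lifetime defaults are derived from max-int, and the lifetime floor is the configured max-int). The checker below, an added example that is not SmartEdge code, computes the effective values and flags inconsistent settings; the rule that min-int may not exceed max-int is an assumption drawn from the names, not a documented constraint.

```python
"""Validate Mobile IP agent-advertisement timers against the documented ranges.

Added example, not SmartEdge code. Documented rules encoded here:
  max-interval 4..1800 s, default 600
  min-interval 3..1800 s, default 0.75 * max-int
  max-lifetime max-int..9000 s, default 3 * max-int
The check that min-int <= max-int is an assumption, not a documented rule.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_INT_RANGE = (4, 1800)
MIN_INT_RANGE = (3, 1800)
LIFETIME_CEILING = 9000


@dataclass
class AdvertiseConfig:
    max_interval: Optional[int] = None   # 'advertise max-interval', None = not configured
    min_interval: Optional[int] = None   # 'advertise min-interval'
    max_lifetime: Optional[int] = None   # 'advertise max-lifetime'


def effective_timers(cfg: AdvertiseConfig) -> dict:
    """Timers actually in force after the documented defaults are applied."""
    max_int = cfg.max_interval if cfg.max_interval is not None else 600
    min_int = cfg.min_interval if cfg.min_interval is not None else int(0.75 * max_int)
    life = cfg.max_lifetime if cfg.max_lifetime is not None else 3 * max_int
    return {"max_interval": max_int, "min_interval": min_int, "max_lifetime": life}


def validate(cfg: AdvertiseConfig) -> List[str]:
    """Return the list of problems; an empty list means the timers are consistent."""
    t = effective_timers(cfg)
    errors = []
    lo, hi = MAX_INT_RANGE
    if not lo <= t["max_interval"] <= hi:
        errors.append(f"max-interval {t['max_interval']} outside {lo}..{hi}")
    lo, hi = MIN_INT_RANGE
    if not lo <= t["min_interval"] <= hi:
        errors.append(f"min-interval {t['min_interval']} outside {lo}..{hi}")
    # Assumption: the minimum interval cannot exceed the maximum interval.
    if t["min_interval"] > t["max_interval"]:
        errors.append("min-interval exceeds max-interval")
    # Documented: the lifetime floor is the effective max-int, the ceiling is 9000 s.
    if not t["max_interval"] <= t["max_lifetime"] <= LIFETIME_CEILING:
        errors.append(
            f"max-lifetime {t['max_lifetime']} outside {t['max_interval']}..{LIFETIME_CEILING}"
        )
    return errors
```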
advertise tunnel-type gre
no advertise tunnel-type gre
Advertises Generic Routing Encapsulation (GRE) tunnel types sent by the foreign-agent (FA) instance to mobile nodes (MNs).
gre |
Specifies that Generic Routing Encapsulation (GRE) tunnels are advertised to mobile nodes. |
IP-in-IP tunnels are advertised implicitly; no GRE tunnel types are advertised.
Use the advertise tunnel-type command to advertise GRE tunnel types in the mobility agent advertisement extension in the ICMP Router Advertisement (RA) message.
Use the no form of this command to specify the default condition.
The following example advertises the GRE tunnel type:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#advertise tunnel-type gre
advertisement-interval interval
no advertisement-interval interval
Modifies the minimum interval at which Border Gateway Protocol (BGP) routing updates are sent to the specified neighbor or members of the specified peer group.
interval |
Minimum interval, in seconds, at which BGP routing updates are sent. The range of values is 1 to 600. For external BGP (eBGP), the default value is 30. For internal BGP (iBGP), the default value is 5. |
The default advertisement interval is 30 seconds for eBGP and 5 seconds for iBGP.
Use the advertisement-interval command to set the minimum interval at which BGP routing updates are sent to the specified neighbor or members of the specified peer group.
Use the no form of this command to restore the advertisement interval to its default value.
The following example sends unicast routing updates every 60 seconds to the neighbor at IP address 102.210.210.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 64001
[local]Redback(config-bgp)#neighbor 102.210.210.1 external
[local]Redback(config-bgp-neighbor)#advertisement-interval 60
[local]Redback(config-bgp-neighbor)#address-family ipv4 unicast
[local]Redback(config-bgp-peer-af)#
The following example displays output from the show bgp neighbor command for the configuration in the previous example:
[local]Redback>show bgp neighbor 10.100.1.102
BGP neighbor: 102.210.210.1, remote AS: 64001, internal link
Version: 4, router identifier: 102.210.210.1
State: Established for 00:30:10
. . .
Minimum time between advertisement runs: 60 secs
aggregate-address {ip-addr/prefix-length | ipv6-addr/prefix-length} [as-set] [component-map map-name] [attribute-map map-name] [summary-only]
no aggregate-address {ip-addr/prefix-length | ipv6-addr/prefix-length} [as-set] [component-map map-name] [attribute-map map-name] [summary-only]
Creates an aggregate entry in the Border Gateway Protocol (BGP) database for the BGP address family.
BGP address family configuration
ip-addr/prefix-length |
Specifies the IP address, in the form A.B.C.D, and the prefix length, separated by the slash (/) character. The range of values for the prefix-length argument is 0 to 32. |
ipv6-addr/prefix-length |
Specifies the IP Version 6 (IPv6) address, in the form A:B:C:D:E:F:G:H, and the prefix length, separated by the slash (/) character. The range of values for the prefix-length argument is 0 to 128. |
as-set |
Optional. Generates autonomous system (AS) set path information. |
component-map map-name |
Optional. Name of the route map used to select the routes to create an aggregate entry. |
attribute-map map-name |
Optional. Name of the route map used to set the attribute of the aggregate route. |
summary-only |
Optional. Suppress the advertisement of specific routes to all neighbors. When you include the summary-only keyword, only the aggregate address is advertised to the neighbors. |
The command is disabled.
Use the aggregate-address command to create an aggregate entry in a unicast or multicast BGP database for the BGP address family. You can implement aggregate routing in BGP by either redistributing an aggregate route into the BGP routing domain or by using this feature.
Use this command with no arguments to create an aggregate entry in the BGP routing table when any more-specific BGP routes that fall into the specified range are available. The origin of the aggregate route is advertised as the local autonomous system.
Use the as-set keyword to create an aggregate entry in the BGP routing table and to advertise the origin of the aggregate route as an AS_SET consisting of all elements contained in all paths that are being summarized. Do not use this form of the command when aggregating many paths, because this route must be continually updated as autonomous system path reachability information for the summarized routes changes.
Use the summary-only keyword to create an aggregate address entry (for example, 10.0.0.0/7) but suppress the advertisement of more specific routes to all neighbors. In this case, only the aggregate address is advertised to the neighbors.
Use the no form of this command to remove an aggregate entry.
The following example creates an aggregate entry in the BGP routing table as long as there are more-specific routes in the 11.0.0.0/8 address block:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 64000
[local]Redback(config-bgp)#address-family ipv4 unicast
[local]Redback(config-bgp-af)#aggregate-address 11.0.0.0/8
aggregation-cache-size number-of-entries
no aggregation-cache-size number-of-entries
Configures the maximum aggregation cache size for flows in an RFlow profile.
flow IP profile configuration
number-of-entries |
Maximum number of entries that can be stored in the aggregation cache at one time. This determines how much information is reported when you access the RFlow data. Range is from 1024 through 32768 entries. |
The default number of entries that can be stored in the aggregation cache at one time is 4096.
Use the aggregation-cache-size command to configure the maximum aggregation cache size for flows in an RFlow profile.
Use the no form of this command to return the aggregation cache to a default maximum size of 4096 entries.
The following example shows how to configure the flow aggregation cache maximum size to 1024 entries in the RFlow profile c1:
[local]Redback#configure
[local]Redback(config)#flow ip profile p1
[local]Redback(config-flow-ip-profile)#aggregation-cache-size 1024
aging-time aging-time
{no | default} aging-time
Specifies the minimum time after which inactive learned medium access control (MAC) addresses are deleted for all circuits that are bound to an interface that is associated with this bridge.
aging-time |
Address age time (in seconds). The range is 10 to 1,000,000; the default value is 300 seconds. |
The aging time is 300 seconds (5 minutes).
Use the aging-time command to specify the minimum time after which inactive learned MAC addresses are deleted for all circuits that are bound to an interface that is associated with this bridge.
The actual aging time depends on the value of the aging-time argument:
Use the no or default form of this command to specify the default aging time for all circuits.
The following example shows how to specify an aging time of 18,000 seconds (5 hours):
[local]Redback(config)#context bridge
[local]Redback(config-ctx)#bridge isp1
[local]Redback(config-bridge)#aging-time 18000
alarm low-partition-space raise-at raise_percentage clear-at clear_percentage
{no | default} alarm low-partition-space
Generates an alarm when partition space is low.
SSE partition configuration
raise-at raise_percentage |
Partition capacity (%) at which to trigger an alarm. Range: 50 to 100. |
clear-at clear_percentage |
Partition capacity (%) at which to clear an alarm. The clear_percentage value must be smaller than or equal to the raise_percentage value. Range: 10 to 100. |
An alarm is triggered when the partition is 80% full and cleared when the partition is 70% full.
[local]Redback(config)#sse group sse_group_1
[local]Redback(config-SE-group)#partition p01 size 5 disk 1
[local]Redback(config-SE-partition)#alarm low-partition-space raise-at 70 clear-at 65
alarm-report-only path-alarm-types
{no | default} alarm-report-only path-alarm-types
Enables the Packet over SONET/SDH (POS) or Asynchronous Transfer Mode Optical Carrier (ATM OC) port to remain up when the SmartEdge router receives the specified alarms.
path-alarm-types |
The type or types of alarms that are allowed without shutdown of the ATM OC or POS port. Enter any combination of the following keywords: |
The reception of a path alarm causes the SmartEdge router to shut down the port.
Use the alarm-report-only command to enable the port to remain up when the SmartEdge router receives the specified alarms. Ignoring an alarm does not completely mask it. When you configure this command for a particular alarm, the system still logs the alarm and displays it in the show port command (with the detail keyword), but the SmartEdge router does not shut down the port. You can use successive calls to this command to cumulatively build a list of alarms that do not trigger a port shutdown.
This command applies only to POS and ATM OC ports.
Use the no or default form of this command to specify which alarm or alarms cause the SmartEdge router to shut down the port.
To view the state of alarm reporting, use the show configuration command (in any mode) or use the show port detail command (in any mode).
The following example shows how to enable atm port 1/1 to remain functional even if the SmartEdge router receives a PLM-P alarm:
[local]Redback(config)#port atm 1/1
[local]Redback(config-atm-oc)#alarm-report-only plm-p
algorithm {priority | load-balance | weighted-round-robin}
{default | no} algorithm
Assigns the algorithm used to distribute Point-to-Point Protocol (PPP) sessions among the peers in a Layer 2 Tunneling Protocol (L2TP) group.
priority |
Assigns the next session to the highest priority peer that has not been labeled “dead”. |
load-balance |
Assigns the next session to the peer that has the fewest sessions. |
weighted-round-robin |
Assigns the next session based on calculated priority (weight). |
The algorithm is set to strict priority.
Use the algorithm command to assign the algorithm used to distribute PPP sessions among the peers in an L2TP group. The three algorithm keywords represent distinctly different strategies for session distribution.
Use the priority keyword to assign a strict priority algorithm. Using this algorithm, sessions are directed to the peer with the highest priority until connection with that peer is no longer possible; then sessions are directed to the peer with the next highest priority. With this algorithm, you can assign a preference value to each peer using the peer command in L2TP group configuration mode; a peer with a preference value of 1 has the highest priority. Peers with equal preference values are assigned sessions using load balancing.
Use the load-balance keyword to assign a load-balancing algorithm. Using this algorithm, the next session is directed to the peer with the fewest sessions. The result is that the sessions are distributed across the peers equally. The peers may still have priorities assigned, but they are ignored.
Use the weighted-round-robin keyword to assign a weighted-round-robin algorithm to calculate the priority. Using this algorithm, sessions are directed to the peer with the highest calculated priority until connection with that peer is no longer possible; then sessions are directed to the peer with the next highest calculated priority. With this algorithm, you can assign a weight value to each peer using the peer command in L2TP group configuration mode; the weight value is used to calculate the priority. The peer with the lowest priority receives the most sessions.
Each algorithm is subject to the maximum number of tunnels and the maximum number of sessions (specified with the max-tunnels and max-sessions commands in L2TP peer configuration mode, respectively) configured for the peers that are members of the group. For example, if the strict priority algorithm is specified and the maximum sessions limit is reached on the highest priority peer, additional sessions are sent to the next highest priority peer.
For more information about configuring RADIUS, see Configuring RADIUS.
Use the default or no form of this command to set the algorithm to strict priority.
The following example shows how to create an L2TP group, group1, with L2TP peer members, 1peer and 2peer.
First, the L2TP group, group1, is created. Two peer members, 1peer and 2peer, are then established as members of the group, and the group is configured to use strict-priority session distribution:
[local]Redback(config-ctx)#l2tp-group name group1
[local]Redback(config-l2tp-group)#algorithm priority
[local]Redback(config-l2tp-group)#peer name 1peer preference 10
[local]Redback(config-l2tp-group)#peer name 2peer preference 20
With strict-priority distribution, sessions with usernames of the form user@group1 are tunneled to 1peer (because it has a lower preference value), as long as 1peer is reachable and its maximum sessions threshold has not been exceeded. If 1peer becomes unreachable or its maximum sessions threshold is reached, sessions are tunneled to 2peer.
If the load-balance keyword was used instead of the priority keyword, the first session of the form user@group1 would be tunneled to 1peer, and the next session for the same group would be tunneled to 2peer, balancing the session count between them, unless one peer becomes unreachable or the maximum sessions threshold is reached.
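The simulation below, an added example rather than SmartEdge code, plays the three distribution algorithms described above against constructed peers, including a dead peer and the max-sessions limit that pushes sessions to the next peer. The weighted-round-robin rule used here (lowest sessions/weight ratio wins) is an assumption; the page says only that the weight feeds a calculated priority.

```python
"""Simulation of L2TP-group session distribution: priority, load-balance,
weighted-round-robin. Added example, not SmartEdge code; peers are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    preference: int = 1       # 'peer ... preference N': 1 is the highest priority
    weight: int = 1           # 'peer ... weight N', used by weighted-round-robin
    max_sessions: int = 10    # 'max-sessions' from L2TP peer configuration mode
    dead: bool = False        # peer labeled "dead" (unreachable)
    sessions: int = 0


def _candidates(peers: List[Peer]) -> List[Peer]:
    """Peers that can still take a session: alive and under their max-sessions limit."""
    return [p for p in peers if not p.dead and p.sessions < p.max_sessions]


def select_peer(peers: List[Peer], algorithm: str) -> Optional[Peer]:
    """Choose the peer for the next session, or None if no peer can accept it."""
    cands = _candidates(peers)
    if not cands:
        return None
    if algorithm == "priority":
        # Strict priority: lowest preference value wins; equal preferences load-balance.
        best = min(p.preference for p in cands)
        return min([p for p in cands if p.preference == best], key=lambda p: p.sessions)
    if algorithm == "load-balance":
        # Preferences are ignored; the peer with the fewest sessions gets the next one.
        return min(cands, key=lambda p: p.sessions)
    if algorithm == "weighted-round-robin":
        # Assumption: calculated priority = sessions / weight; the lowest value wins,
        # so a heavier weight draws proportionally more sessions.
        return min(cands, key=lambda p: p.sessions / p.weight)
    raise ValueError(f"unknown algorithm {algorithm!r}")


def distribute(peers: List[Peer], algorithm: str, n_sessions: int) -> List[Optional[str]]:
    """Assign n_sessions in order; return the chosen peer name per session (None = rejected)."""
    chosen = []
    for _ in range(n_sessions):
        p = select_peer(peers, algorithm)
        if p is not None:
            p.sessions += 1
        chosen.append(p.name if p else None)
    return chosen


def demo_group1() -> List[Optional[str]]:
    """The group1 example from the page (1peer preference 10, 2peer preference 20),
    with a constructed max-sessions of 2 per peer so the spill-over is visible."""
    peers = [Peer("1peer", preference=10, max_sessions=2),
             Peer("2peer", preference=20, max_sessions=2)]
    return distribute(peers, "priority", 5)
```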
alias {exec | inherit | mode} alias-name command-string
no alias {exec | inherit | mode} alias-name
Defines an alias for a command.
global configuration
exec |
Specifies that the alias is available in exec mode. |
inherit |
Defines the alias in all modes. |
mode |
Configuration mode in which the alias is available; see Table 4 for exceptions. |
alias-name |
Alias name. |
command-string |
Command string to be substituted for the alias. |
None
Use the alias command to define an alias for a command. A command alias is a character string that you can use in place of a command string. Aliases are typically used to create shortcuts for frequently used commands. When aliases are defined, the software examines each command for a match in the alias table. If the system finds an alias match, it replaces the alias with the associated command string prior to processing the command.
Table 4 lists all mode prompt and keyword exceptions for the alias command. Except for those listed in Table 4, the keyword for the mode argument is the command mode prompt. For a list of all keywords, see the command-line interface (CLI) online Help.
Mode Description | Mode Prompt | Mode Keyword
---|---|---
Network Address Translation (NAT) access control list | policy-acl | nat-policy-acl
NAT access control list class | policy-acl-class | nat-policy-acl-class
Caution! Risk of disabled commands. It is possible to create an alias that disables existing commands. To reduce the risk, use care when you define aliases. Avoid defining an alias name that is a SmartEdge router command keyword or a partial keyword. Aliases apply to all users on a system.
You can bypass alias processing for a single command by beginning a command line with the backslash (\) character.
Use the no form of this command to remove an alias.
The following example defines the alias, sc, (in exec mode) as show configuration:
[local]Redback(config)#alias exec sc show configuration
[local]Redback>sc
Building configuration...
Current configuration:
!
! Configuration last changed by user 'test' at Wed Jan 29 11:20:03 2003
!
context local
port ethernet 7/1
!
end
The following example shows how the definition of an alias can cause unexpected problems. The first example defines the alias, sh, (in all modes) as show configuration:
[local]Redback(config)#alias inherit sh show configuration
As a result, the show chassis command is disabled; the show chassis command is interpreted to mean show configuration chassis, which results in an error.
For more information on the show configuration command, see Using the CLI.
The following example demonstrates the use of the backslash character (\) to disable alias processing for the command:
[local]Redback>\sh chassis
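The model below, an added example and not SmartEdge code, reproduces the alias pitfall described above: with sh aliased to show configuration, the abbreviated sh chassis no longer parses, while a leading backslash bypasses the alias. It also audits an alias table for names that equal or abbreviate a command keyword, which is the caution the page gives. Assumptions: an alias matches the first word of a line exactly, and ordinary keywords accept any unique prefix; the command tree is a constructed fragment.

```python
"""Model of CLI alias processing and an alias-table audit.

Added example, not SmartEdge code. COMMAND_TREE is a constructed fragment.
"""
from typing import Dict, List, Optional

COMMAND_TREE = {"show": {"configuration": {}, "chassis": {}, "port": {}}}


def expand_alias(line: str, aliases: Dict[str, str]) -> str:
    """Replace a leading alias with its command string; a leading backslash disables this."""
    if line.startswith("\\"):
        return line[1:]
    words = line.split()
    if words and words[0] in aliases:
        return " ".join([aliases[words[0]], *words[1:]])
    return line


def resolve(line: str) -> Optional[List[str]]:
    """Expand unique keyword prefixes against the tree; None if the line does not parse."""
    node, out = COMMAND_TREE, []
    for word in line.split():
        matches = [k for k in node if k.startswith(word)]
        if len(matches) != 1:
            return None          # unknown, or ambiguous, keyword at this position
        out.append(matches[0])
        node = node[matches[0]]
    return out


def run(line: str, aliases: Dict[str, str]) -> Optional[List[str]]:
    """What the CLI would execute for a typed line: alias expansion first, then parsing."""
    return resolve(expand_alias(line, aliases))


def _all_keywords(node: dict) -> List[str]:
    words = []
    for key, sub in node.items():
        words.append(key)
        words.extend(_all_keywords(sub))
    return words


def risky_aliases(aliases: Dict[str, str]) -> List[str]:
    """Alias names that equal, or are a prefix of, a command keyword.

    Such an alias silently rewrites every command line starting with that
    abbreviation, for every user on the system.
    """
    keywords = _all_keywords(COMMAND_TREE)
    return sorted(a for a in aliases if any(k.startswith(a) for k in keywords))
```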
allow {context name ctx-name | domain name name | pppoe service-name name | dhcp hostname name}
no allow {context name ctx-name | domain name name | pppoe service-name name | dhcp hostname name}
Allows access to the specified context, Point-to-Point over Ethernet (PPPoE) service, or domain for PPPoE subscriber sessions that are attached to the service policy. This command also allows a DHCP client host access to the circuit that is associated with the service policy.
context name ctx-name |
Allows subscriber sessions access to the specified context. |
domain name name |
Allows subscriber sessions access to the specified domain. |
pppoe service-name name |
Allows PPPoE Active Discovery Initiation (PADI) or PPPoE Active Discovery Request (PADR) packets access to the specified PPPoE service. |
dhcp hostname name |
Allows the specified DHCP client host access to the circuit that is associated with the service policy. |
None
Use the allow command to allow access to the specified context, PPPoE service, or domain for subscriber PPPoE sessions that are attached to the service policy. You can also use the allow command to allow a DHCP client host to access the circuit that is associated with the service policy.
Any DHCP hosts, contexts, PPPoE services, or domains that are not explicitly specified by this command are implicitly denied. Note that the SmartEdge router does not support both allow and deny in the same service profile.
Use the no form of this command to remove access to the specified context, PPPoE service, or domain. Or, you can use the no form of this command to remove a configuration that allows a DHCP client host to access the circuit that is associated with the service policy.
The following example shows how to create a service policy called local-only, which allows subscribers access to the local context and denies access to all other contexts:
[local]Redback(config)#service-policy name local-only
[local]Redback(config-policy-svc)#allow context name local
The following example shows how to create a service policy called AllowVoice, which allows the PPPoE service named voice and denies all other PPPoE services:
[local]Redback(config)#service-policy name AllowVoice
[local]Redback(config-policy-svc)#allow pppoe service-name voice
The following example shows how to create a service policy called allowhosts, which allows the DHCP client hosts named group2, group3, and group7 to access the circuit that is associated with the specified service policy and denies all other DHCP client hosts access to the given circuit:
[local]Redback(config)#service-policy name allowhosts
[local]Redback(config-policy-svc)#allow dhcp hostname group2
[local]Redback(config-policy-svc)#allow dhcp hostname group3
[local]Redback(config-policy-svc)#allow dhcp hostname group7
allow-duplicate-mac
no allow-duplicate-mac
Allows Dynamic Host Configuration Protocol (DHCP) server subscribers and a clientless IP service selection (CLIPS) subscriber to share the same medium access control (MAC) address.
This command has no keywords or arguments.
Duplicate MAC addresses are not allowed.
Use the allow-duplicate-mac command to allow DHCP server subscribers and a CLIPS subscriber to share the same MAC address.
Use the no form of this command to specify the default condition.
The following example enables DHCP clients with the same MAC address to be assigned IP addresses on different circuits for the DHCP internal server in the dhcp context:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#allow-duplicate-mac