Contents

1   Command Descriptions

Commands starting with numbers and symbols through commands starting with “al” are included.

1.1   ?

1.1.1   Purpose

Displays brief system help on the available commands or command options.

1.1.2   Command Mode

All modes

1.1.3   Syntax Description

This command has no keywords or arguments.

1.1.4   Default

None

1.1.5   Usage Guidelines

Use the ? command to display brief system help on the available commands or command options.

To list all valid commands available in the current mode, enter a question mark (?) at the system prompt.

To list the associated keywords or arguments for a command, enter the ? command in place of a keyword or argument on the command line. This form of help is called full help, because it lists the keywords or arguments that apply to the command based on the full command, keywords, and arguments you have already entered.

To obtain a list of commands or keywords that begin with a particular character string, enter the abbreviated command or keyword immediately followed by the ? command. This form of help is called partial help, because it lists only the commands or keywords that begin with the abbreviation you entered.

Note:  

To enter the ? character as part of a command, when it is not a request for online Help, enter the Esc character followed by the ? character.

1.1.6   Examples

The following example displays exec commands available for a user with a privilege level of 6 (> prompt):

[local]Redback>?

  atm         ATM Operations
  debug       Modify debugging parameters
  disable     Drop into disable user mode
  edit        Edit a file with vi
  enable      Modify command mode privilege
  exit        Exit exec mode
  help        Description of the interactive help system
  monitor     Monitor information
  more        Display the contents of a file
  mrinfo      Request multicast router information
  mtrace      Trace reverse multicast path from source to receiver
  no          Disable an interactive option
  ping        Packet Internet Groper Command
  show        Show running system information
  ssh         Execute SSH/SSHD commands
  talk        talk to user
  telnet      Telnet to a host
  terminal    Modify terminal settings
  traceroute  Trace route to destination

The following example displays how to use partial help to display all commands (in global configuration mode) that begin with the character sequence sy:

[local]Redback(config)#sy?


  system    system clock-source

The following example displays how to use full help to display the next argument of a partially complete system clock command (in global configuration mode):

[local]Redback(config)#system clock ?


  summer-time   Configure summer (daylight savings) time
  timezone      Configure time zone
[local]Redback(config-ctx)#system clock

The following example displays the first few commands available for an administrator with a default privilege level of 6 (> prompt):

[local]Redback>?


bulkstats       Manage bulk statistics collection file
disable         Drop into disable administrator mode
enable          Modify command mode privilege
...

The following example shows how to use partial help to display all commands (in global configuration mode) that begin with the character sequence sy:

[local]Redback(config)#sy?


  system    system clock-source

The following example shows how to use full help to display the next argument of a partially complete system clock command (in global configuration mode):

[local]Redback(config)#system clock ?

  summer-time   Configure summer (daylight savings) time
  timezone      Configure time zone


[local]Redback(config-ctx)#system clock

1.2   aaa accounting administrator

1.2.1   Purpose

Enables accounting messages for administrator sessions.

1.2.2   Command Mode

Context configuration

1.2.3   Syntax Description

1.2.4   Default

Accounting is disabled.

1.2.5   Usage Guidelines

Use the aaa accounting administrator command to enable accounting messages for administrator sessions. Messages can be sent to a RADIUS or TACACS+ server.

You must configure at least one accounting server in the current context before any messages can be sent to it:

• To configure a TACACS+ server, use the tacacs+ server command (in context configuration mode); for more information, see Configuring TACACS+.
• To configure a RADIUS server, use the radius server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command to disable RADIUS or TACACS+ accounting messages for administrator sessions.

1.2.6   Examples

The following example shows how to enable TACACS+ accounting messages for administrator sessions for the local context:

[local]Redback(config-ctx)#aaa accounting administrator tacacs+ 

The following example shows how to enable RADIUS accounting messages for administrator sessions for the local context:

[local]Redback(config-ctx)#aaa accounting administrator radius

1.3   aaa accounting commands

1.3.1   Purpose

Specifies that accounting messages are sent to a Terminal Access Controller Access Control System Plus (TACACS+) server whenever an administrator enters commands at the specified privilege level (or higher).

1.3.2   Command Mode

Context configuration

1.3.3   Syntax Description

1.3.4   Default

No TACACS+ accounting of commands is required.

1.3.5   Usage Guidelines

Use the aaa accounting commands command to specify that accounting messages are sent to a TACACS+ server whenever an administrator enters commands at the specified privilege level (or higher).

To use TACACS+, you must configure the IP address or hostname of a TACACS+ server in the context in which commands are accessed. To configure the server’s IP address or hostname, use the tacacs+ server command (in context configuration mode); see Configuring TACACS+.

For information about default privilege levels for commands and how to modify command privilege levels, see Performing Basic Configuration Tasks.

Use the no or default form of this command to disable the sending of accounting messages to the TACACS+ server.

1.3.6   Examples

The following example shows how to send accounting messages to a TACACS+ server for commands that are configured with a privilege level of 6 or greater with the exception of privilege level 15:

[local]Redback(config-ctx)#aaa accounting commands 6 tacacs+ except 15

1.4   aaa accounting event

1.4.1   Purpose

Enables accounting messages for Dynamic Host Configuration Protocol (DHCP) leases, reauthorization information, or Access Node Control Protocol (ANCP) events for subscriber sessions in the current context to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the same context.

1.4.2   Command Mode

Context configuration

1.4.3   Syntax Description

1.4.4   Default

RADIUS-based accounting is disabled.

1.4.5   Usage Guidelines

Use the aaa accounting event command to enable accounting messages for DHCP leases, reauthorization information, or ANCP events for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.

Note:  

You must configure at least one RADIUS accounting server in the current context before any messages can be sent to it. To configure the server, use the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

If an ANCP event occurs when no subscriber session is on the line, no accounting message is sent.

Use no or default form of this command to disable sending of RADIUS-based accounting messages.

1.4.6   Examples

The following example shows how to enable accounting messages for reauthorization information for subscriber sessions in the corpA context to be sent to the RADIUS accounting server with an IP address or hostname in the same context:

[local]Redback(config)#context corpA
[local]Redback(config-ctx)#aaa accounting event reauthorization

1.5   aaa accounting l2tp

1.5.1   Purpose

Enables accounting messages for Layer 2 Tunneling Protocol (L2TP) tunnels, or sessions in L2TP tunnels, or both, for the current context, to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. Enables accounting messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context, local context, or both contexts.

1.5.2   Command Mode

Context configuration

1.5.3   Syntax Description

1.5.4   Default

RADIUS-based accounting is disabled.

1.5.5   Usage Guidelines

Use the aaa accounting l2tp to enable accounting messages for L2TP tunnels, or sessions in L2TP tunnels, or both, for the current context, to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. You can also enable accounting messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context, local context, or both contexts.

Use the aaa accounting l2tp tunnel command with the radius keyword to enable accounting messages for L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. Use the aaa accounting l2tp command with the session and radius keywords to enable accounting messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. Both implementations of the aaa accounting l2tp command here reflect context-level L2TP accounting.

Use the aaa accounting l2tp command with the session and global keywords to enable accounting messages for sessions in L2TP tunnels for the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. This implementation reflects global-level L2TP accounting.

Note:  

If enabling context-level L2TP accounting, you must configure at least one RADIUS accounting server in the current context before any messages can be sent to it. If enabling global-level L2TP accounting, you must configure at least one RADIUS accounting server in the local context before any messages can be sent to it. To configure the server, use the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

Two-stage accounting permits data for all contexts to be sent to both the RADIUS accounting servers in the local context for global-level accounting and any RADIUS accounting servers in the context to which the subscriber is bound for context-level accounting. Enabling two-stage accounting for L2TP tunnels requires that you configure one or more RADIUS accounting servers in the local context and configure one or more RADIUS accounting servers in a nonlocal context or current context. You must also configure global L2TP accounting and global authentication. With two-stage accounting for sessions in L2TP tunnels, global authentication is optional. To enable two-stage accounting with global authentication, configure the aaa accounting l2tp command (in context configuration mode) with the radius keyword and the aaa global accounting l2tp-session command (in global configuration mode). To enable two-stage accounting without global authentication, use the aaa accounting l2tp command with the session, radius, and global keywords. The global keyword allows accounting to be performed without global authentication.

Note:  

When using global-level L2TP accounting, you must enable global L2TP accounting; use the aaa global accounting l2tp-session command.

Note:  

If the SmartEdge® router is acting as an L2TP network server (LNS) in a context, the accounting data is for the LNS; if it is acting as an L2TP access concentrator (LAC), the accounting data is for the LAC. If the SmartEdge router is acting as a tunnel switch, both sets of accounting data are sent to the RADIUS server; in this case, each set of data is tagged as follows:

• LNS accounting data (facing the LAC)—tag 1
• LAC accounting data (facing the LNS)—tag 2

Use the no or default form of this command or the none keyword to disable the sending of RADIUS accounting messages.

1.5.6   Examples

The following example shows how to enable accounting messages for L2TP tunnels in the siteA context to be sent to the RADIUS accounting server configured in the siteA context:

[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa accounting l2tp radius

The following example shows how to enable accounting messages for sessions in L2TP tunnels in the siteB context to be sent to the RADIUS accounting server configured in the local context:

[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key my_key
.
.
.
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#aaa accounting l2tp global

1.6   aaa accounting reauthorization subscriber

1.6.1   Purpose

Enables accounting messages for the reauthorize command entered in the current context in exec mode to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the same context.

1.6.2   Command Mode

Context configuration

1.6.3   Syntax Description

1.6.4   Default

RADIUS-based accounting is disabled.

1.6.5   Usage Guidelines

Use the aaa accounting reauthorization command to enable accounting messages for the reauthorize command entered in the current context in exec mode to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.

Note:  

You must configure at least one RADIUS accounting server in the current context before any messages can be sent to it. To configure the server, use the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command or the none keyword to disable the sending of RADIUS accounting messages.

1.6.6   Examples

The following example shows how to enable accounting messages for subscriber reauthorization in the corpA context to be sent to the RADIUS server configured in the corpA context:

[local]Redback(config)#context corpA
[local]Redback(config-ctx)#aaa accounting reauthorization radius

1.7   aaa accounting subscriber

1.7.1   Purpose

Enables accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context (for context-level subscriber accounting), in the local context (for global-level subscriber accounting), or in both contexts (for context- and global-level subscriber accounting).

1.7.2   Command Mode

Context configuration

1.7.3   Syntax Description

1.7.4   Default

RADIUS-based accounting is disabled.

1.7.5   Usage Guidelines

Use the aaa accounting subscriber command to enable accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context (for context-level subscriber accounting), in the local context (for global-level subscriber accounting), or in both contexts (for context- and global-level subscriber accounting).

Use the aaa accounting subscriber command with the radius keyword to enable accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context.

Use the aaa accounting subscriber command with the global keyword to enable accounting messages for subscriber sessions in the current context to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.

Note:  

If enabling context-level subscriber accounting, you must configure at least one RADIUS accounting server in the current context before any messages can be sent to the server. If enabling global-level subscriber accounting, you must configure at least one RADIUS accounting server in the local context before any messages can be sent to the server. To configure the server, use the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

To enable two-stage accounting, configure one or more RADIUS accounting servers in a nonlocal context and configure one or more RADIUS accounting servers in the local context. With two-stage accounting, global authentication is optional. To enable two-stage accounting with global authentication, configure global authentication by using the radius keyword with the aaa authentication subscriber command (in context configuration mode) and the aaa global authentication subscriber command (in global configuration mode). To enable two-stage accounting without global authentication, configure the keywords radius and global with the aaa accounting subscriber command. In two-stage accounting, data for all contexts is sent to both the RADIUS accounting servers in the local context and to any RADIUS accounting servers in the context to which the subscriber is bound.

Note:  

To use global-level subscriber accounting, you must enable it; use the aaa global accounting subscriber command.

Note:  

The aaa accounting subscriber command can only enable the sending of accounting packets that include packet and byte counts for a circuit if the counters command is configured in the Asynchronous Transfer Mode (ATM) profile referenced by the circuit to which the subscriber is bound; for more information about ATM profiles, see Configuring Circuits.

Note:  

The SmartEdge router does not send the RADIUS accounting packet for a Point-to-Point Protocol (PPP) subscriber until the session completes the IP Control Protocol (IPCP) stage of PPP. Delaying the start record ensures that standard RADIUS attribute 8, Framed-IP-Address, is populated.

Use the no or default form of this command or the none keyword to disable the sending of RADIUS accounting messages.

1.7.6   Examples

The following example shows how to enable accounting messages for subscriber sessions in the siteA context to be sent to the RADIUS accounting server configured in the siteA context:

[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa accounting subscriber radius

The following example shows how to enable accounting messages for subscriber sessions in the siteB context to be sent to the RADIUS accounting server configured in the local context and to the RADIUS accounting server configured in the siteB context:

[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key my_key
.
.
.
[local]Redback(config)#context siteB
[local]Redback(config-ctx)#aaa accounting subscriber radius global

The following example shows how to configure RADIUS-based attribute-guided accounting. This configuration is used if the accounting_mode is set for the subscriber:

[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key redback
[local]Redback(config-ctx)#aaa accounting subscriber radius attribute-guided

1.8   aaa accounting suppress-acct-on-fail

1.8.1   Purpose

Suppresses the sending of accounting messages to Remote Authentication Dial-In User Service (RADIUS) servers when a subscriber session cannot be established.

1.8.2   Command Mode

Context configuration

1.8.3   Syntax Description

1.8.4   Default

RADIUS-based accounting is disabled. When RADIUS-based accounting is enabled using the aaa accounting subscriber command (in context configuration mode), the operating system always sends an accounting record when a subscriber session cannot be established.

1.8.5   Usage Guidelines

Use the aaa accounting suppress-acct-on-fail command to suppress the sending of accounting messages to RADIUS accounting servers when a subscriber session cannot be established due to an authentication problem, a changed IP address, and so on.

You can specify either or both of the error conditions for which accounting messages are not suppressed.

Use the no or default form of this command to always suppress the sending of accounting messages when an error condition occurs.

1.8.6   Examples

The following example shows how to suppress accounting messages sent to RADIUS accounting servers except when the L2TP peer for a subscriber session cannot be reached and the session not established:

[local]Redback(config-ctx)#aaa accounting suppress-acct-on-fail 
except-for no-l2tp-peer

1.9   aaa authentication administrator

1.9.1   Purpose

Prioritizes the methods available for authenticating administrators, or modifies the maximum number of administrator sessions that can be simultaneously active.

1.9.2   Command Mode

Context configuration

1.9.3   Syntax Description

1.9.4   Default

Authentication is performed by the SmartEdge router configuration and is permitted on both the console port and vty ports. For the local context, the number of administrator sessions that can be simultaneously active is 10; for nonlocal contexts, it is 0 or 1 (0 when no administrators are configured; 1 when administrators are configured).

1.9.5   Usage Guidelines

Use the aaa authentication administrator command to prioritize the available administrator authentication methods or modify the maximum number of administrator sessions that can be simultaneously active. If you use this command to prioritize the available administrator authentication methods, you can configure a port type for each specified authentication method.

Authentication methods are attempted in the order in which you enter the keywords. For example, if you enter the radius keyword first, followed by the tacacs+ keyword, followed by the local keyword, authentication is first attempted by the RADIUS server, then by the TACACS+ server, and, finally, by the local configuration.

Note:  

If a RADIUS or TACACS+ server rejects the authentication of an administrator, authentication is not attempted by the next method. If, however, the RADIUS or TACACS+ server is unavailable or unreachable, authentication is attempted by the next method. Authentication by the SmartEdge router configuration is always available as a fallback, even when the local keyword is not specified. If the SmartEdge router configuration rejects an administrator, authentication is not attempted by the next method.

Note:  

Do not use both console and vty keywords within the same command line. It is not supported. This functionally is equivalent to the default behavior.

Note:  

To use RADIUS, the IP address or hostname of at least one RADIUS server must be configured in the context to which the administrator is to be bound. To configure the server’s IP address or hostname, use the radius server command (in context configuration mode); for more information, see Configuring RADIUS. To use TACACS+, the IP address or hostname of a TACACS+ server must be configured in the context to which the administrator is to be bound. To configure the server’s IP address or hostname, use the tacacs+ server command (in context configuration mode); for more information, see Configuring RADIUS.

Note:  

The total number of simultaneous, active Telnet and SSH administrator sessions must be less than or equal to 20 on the system as a whole (that is, for all configured contexts).

The maximum number of administrator SSH sessions that can be simultaneously active for all configured contexts can be configured through the ssh server full-drop command (in global configuration mode); the default value is 20. If there are active Telnet sessions, the maximum number of global SSH sessions is limited to the maximum number of SSH sessions configured through the ssh server full-drop command, minus the number of active Telnet sessions in all contexts.

Use the no or default form of this command to return to using only the SmartEdge router configuration for authentication of administrators.

1.9.6   Examples

The following example shows how to configure the console port of a SmartEdge router to authenticate administrators through a RADIUS server with the SmartEdge router configuration authentication (local database) as a backup:

[local]Redback(config-ctx)#aaa authentication administrator console 
radius local

The following example shows how to configure a vty port on a SmartEdge router to authenticate administrators through a TACACS+ server:

[local]Redback(config-ctx)#aaa authentication administrator vty tacacs+

The following example shows how to modify the number of administrator sessions that can be simultaneously active in the local context from 10 (the default) to 15:

[local]Redback(config-ctx)#aaa authentication administrator maximum 
sessions 15

1.10   aaa authentication subscriber

1.10.1   Purpose

Authenticates subscribers through the SmartEdge router configuration or through one or more Remote Authentication Dial-In User Service (RADIUS) server databases.

1.10.2   Command Mode

Context configuration

1.10.3   Syntax Description

1.10.4   Default

Subscribers are authenticated by the SmartEdge router configuration.

1.10.5   Usage Guidelines

Use the aaa authentication subscriber command to authenticate subscribers through the SmartEdge router configuration or through one or more RADIUS server databases.

The SmartEdge router configuration is also referred to as the “local database,” which is simply a set of commands, such as the subscriber command (in context configuration mode) and the password command (in subscriber configuration mode).

With RADIUS, the database records of the RADIUS server are used to authenticate subscribers. The IP address or hostname of one or more RADIUS servers can be configured in the “local” context or in the context to which the subscriber’s circuit is to be bound. Each context can use its own set of RADIUS servers for authentication. Alternatively, a context can be configured to use the RADIUS servers with IP addresses or hostnames configured in the “local” context—this is known as “global authentication.”

With global authentication, the RADIUS servers are expected to return the Context-Name vendor-specific attribute (VSA) that indicates the particular context to which the subscriber is to be bound. You can also configure the SmartEdge router to try authentication through one or more RADIUS servers with IP addresses or hostnames configured in the current context first, with a fallback to the global RADIUS server or to the local database, in case the RADIUS server configured in the current context becomes unreachable.

Note:  

To use RADIUS, the IP address or hostname of at least one RADIUS server must be configured in the local context or in the context to which the subscriber is to be bound. To configure the server’s IP address or hostname, use the radius server command (in context configuration mode); for more information, see Configuring RADIUS.

To disable authentication of subscribers, use the none keyword with this command. Do this only when subscriber authentication is not required, such as when Dynamic Host Configuration Protocol (DHCP) is used to obtain IP addresses for subscribers’ hosts.

Use the no or default form of this command to authenticate subscribers through the SmartEdge router configuration.

1.10.6   Examples

The following example authenticates subscriber sessions for the siteB context by first using the RADIUS server configured within the context, followed by the SmartEdge router configuration for the context should the RADIUS server become unreachable:

[local]Redback(config)#context siteB
[local]Redback(config-ctx)#radius server 10.2.3.4 key TopSecret 
[local]Redback(config-ctx)#aaa authentication subscriber radius local

1.11   aaa authorization commands

1.11.1   Purpose

Specifies that commands with a matching privilege level (or higher) require authorization through Terminal Access Controller Access Control System Plus (TACACS+).

1.11.2   Command Mode

Context configuration

1.11.3   Syntax Description

1.11.4   Default

Commands do not require authorization through TACACS+.

1.11.5   Usage Guidelines

Use the aaa authorization commands command to specify that commands with a matching privilege level (or higher) require authorization through TACACS+.

Note:  

For information about default command privilege levels and how to modify them, see Performing Basic System Tasks.

Use the no or default form of this command to disable the requirement for TACACS+ authorization.

1.11.6   Examples

The following example shows how to specify that TACACS+ authorization is required in the restricted context for the use of commands with privilege levels of 10 or higher with the exception of privilege level 15:

[restricted]Redback(config)#configure
[restricted]Redback(config-ctx)#aaa authorization commands 10 except 15

1.12   aaa authorization tunnel

1.12.1   Purpose

Specifies the type of authorization for Layer 2 Tunneling Protocol (L2TP) peers.

1.12.2   Command Mode

Context configuration

1.12.3   Syntax Description

1.12.4   Default

L2TP peers are authorized by the SmartEdge router configuration.

1.12.5   Usage Guidelines

Use the aaa authorization tunnel command to specify the type of authorization for L2TP peers.

Use the no or default form of this command to specify the default behavior.

1.12.6   Examples

The following example shows how to configure the local context to authorize L2TP peers by a RADIUS server:

[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa authorization tunnel radius

1.13   aaa double-authentication subscriber radius

1.13.1   Purpose

Reauthenticates subscribers through the specified Remote Authentication Dial-In User Service (RADIUS) server database.

1.13.2   Command Mode

Context configuration

1.13.3   Syntax Description

1.13.4   Default

Subscribers are authenticated one time, either through the SmartEdge router configuration or through one of the RADIUS server databases.

1.13.5   Usage Guidelines

Use the aaa double-authentication subscriber radius command to specify to subscribers reauthentication through the specified RADIUS server database, and optionally, to define a local profile to be used when the second RADIUS server is unavailable.

RADIUS provisioning is enhanced so that subscribers can be authenticated twice without a RADIUS proxy server. Subscribers are first authenticated by a global RADIUS server and then by the RADIUS server for the binding context.

When the SmartEdge router receives the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) Auth-Req packet, it sends a RADIUS Access-Request packet to the global RADIUS server configured for the local context. If the Access-Accept packet returned by the RADIUS server indicates that the subscriber is to be reauthenticated, the SmartEdge router sends a second Access-Request packet to the RADIUS server for the binding (nonlocal) context specified by the global server. Depending on the response of the second server, the session is either terminated or tunneled using a list of attributes consolidated from both RADIUS responses. Attribute values received from the second RADIUS server override values received from the first server and values configured locally in the nonlocal context.

If the configured authentication failover method is none and the second RADIUS server is unavailable, the subscriber is provisioned using the local profile (specified with the profile keyword) plus the attributes received from the first RADIUS server, and the subscriber is not reauthenticated.

Note:  

The following is the order of attribute processing:

• Service Provider RADIUS
• Global RADIUS
• Service Provider defined profile (local or fallback profile)
• Service Provider default subscriber profile

Use the no form of this command to disable the requirement for reauthenticating subscribers through the specified RADIUS server database.

1.13.6   Examples

The following example shows how to configure the context ISP3 to reauthenticate its subscriber sessions using the RADIUS server with the IP address 155.53.44.181 configured in the local context:

[local]Redback(config-ctx)#aaa global authentication subscriber radius 
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 155.53.44.181 
encrypted-key 3828082561D6BDD6
[local]Redback(config)#context ISP3
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config-ctx)#aaa double-authentication subscriber 
radius none profile last
[local]Redback(config-ctx)#radius server 155.53.44.181 encrypted-key 
3828082561D6BDD6 oldports subscriber profile last
[local]Redback(config-sub)#ip address pool

1.14   aaa encrypted-password default

1.14.1   Purpose

Changes the default AAA authentication and authorization password to the specified encrypted password.

1.14.2   Command Mode

Context configuration

1.14.3   Syntax Description

1.14.4   Default

The default AAA authentication and authorization password is “Redback”.

1.14.5   Usage Guidelines

Use the aaa encrypted-password default command to change the default authentication and authorization password to the specified encrypted password. This new default AAA password is saved in the encrypted form as well. When you enter the show configuration command, the display shows the default AAA password in the encrypted form.

Use the no form of this command to restore the default password of “Redback”.

1.14.6   Examples

The following example shows how to configure the new default AAA encrypted password of F9BFC75FC9F3F8AD:

[local]Redback(config-ctx)#aaa encrypted-password default F9BFC75FC9F3F8AD

1.15   aaa global accounting event

1.15.1   Purpose

Enables accounting messages for Dynamic Host Configuration Protocol (DHCP) leases, reauthorization information, or Access Node Control Protocol (ANCP) events for subscriber sessions in all contexts to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.

1.15.2   Command Mode

Global configuration

1.15.3   Syntax Description

1.15.4   Default

RADIUS-based accounting is disabled.

1.15.5   Usage Guidelines

Use the aaa global accounting event command to enable accounting messages for DHCP leases, reauthorization information, or ANCP events for subscriber sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.

If an ANCP event occurs when no subscriber session is on the line, no accounting message is sent.

Use the no or default form of this command to disable RADIUS-based accounting.

1.15.6   Examples

The following example shows how to enable accounting messages for reauthorization information for subscriber sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context:

[local]Redback(config)#aaa global accounting event reauthorization

1.16   aaa global accounting l2tp-session

1.16.1   Purpose

Enables accounting messages for Layer 2 Tunneling Protocol (L2TP) tunnels or sessions in L2TP tunnels in all contexts to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.

1.16.2   Command Mode

Global configuration

1.16.3   Syntax Description

1.16.4   Default

The SmartEdge router does not send accounting messages to a RADIUS server.

1.16.5   Usage Guidelines

Use the aaa global accounting l2tp-session command to enable accounting messages for L2TP tunnels or sessions in L2TP tunnels in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.

Note:  

To use RADIUS, you must configure the IP address or hostname of at least one RADIUS accounting server in the local context. To configure the server’s IP address or hostname, enter the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command to return the system to its default behavior of performing accounting based on the SmartEdge router configuration.

1.16.6   Examples

The following example shows how to configure the system to send accounting messages for L2TP sessions in all contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:

[local]Redback(config)#aaa global accounting l2tp-session radius context local

1.17   aaa global accounting reauthorization subscriber

1.17.1   Purpose

Enables accounting messages for the reauthorize command entered in any context in exec mode to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.

1.17.2   Command Mode

Global configuration

1.17.3   Syntax Description

1.17.4   Default

RADIUS-based accounting is disabled.

1.17.5   Usage Guidelines

Use the aaa global accounting reauthorization subscriber command to enable accounting messages for the reauthorize command entered in any context in exec mode to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. These messages indicate that subscriber reauthorization has been completed.

Note:  

To use RADIUS, you must configure the IP address or hostname of at least one RADIUS accounting server in the local context. To configure the server’s IP address or hostname, enter the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command to return the system to its default behavior of performing accounting based on the SmartEdge router configuration.

1.17.6   Examples

The following example shows how to configure the system to send accounting messages for subscriber reauthorization in all contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:

[local]Redback(config)#aaa global accounting reauthorization subscriber 
radius context local

1.18   aaa global accounting subscriber

1.18.1   Purpose

Enables accounting messages for subscriber sessions in all contexts to be sent to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.

1.18.2   Command Mode

Global configuration

1.18.3   Syntax Description

1.18.4   Default

The SmartEdge router does not send subscriber session accounting messages to a RADIUS server.

1.18.5   Usage Guidelines

Use the aaa global accounting subscriber command to enable accounting messages for subscriber sessions in all contexts to be sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.

Note:  

To use RADIUS, you must configure the IP address or hostname of at least one RADIUS accounting server in the local context. To configure the server’s IP address or hostname, enter the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command to return the system to its default behavior of performing accounting based on the SmartEdge router configuration.

1.18.6   Examples

The following example shows how to configure the system to send accounting messages for subscriber sessions in all contexts to one or more RADIUS servers with IP addresses or hostnames configured in the local context:

[local]Redback(config)#aaa global accounting subscriber radius context 
local

1.19   aaa global authentication subscriber

1.19.1   Purpose

Enables global subscriber authentication through one or more Remote Authentication Dial-In User Service (RADIUS) servers with IP addresses or hostnames configured in the local context.

1.19.2   Command Mode

Global configuration

1.19.3   Syntax Description

1.19.4   Default

The SmartEdge router does not send subscriber authentication messages to a RADIUS server.

1.19.5   Usage Guidelines

Use the aaa global authentication subscriber command to enable global subscriber authentication through one or more RADIUS servers with IP addresses or hostnames configured in the local context.

Note:  

To use RADIUS, you must configure the IP address or hostname of at least one RADIUS server in the local context. To configure the server’s IP address or hostname, enter the radius server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command to disable global subscriber authentication.

1.19.6   Examples

The following example shows how to configure the context siteA to globally authenticate its subscriber sessions using the RADIUS server with the IP address of 10.2.3.4 configured in the local context:

[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.2.3.4 key TopSecret 
[local]Redback(config)#context siteA
[local]Redback(config-ctx)#aaa authentication subscriber global

1.20   aaa global reject empty-username

1.20.1   Purpose

Suppresses Remote Authentication Dial-In User Service (RADIUS) Access-Request messages when no username is specified.

1.20.2   Command Mode

Global configuration

1.20.3   Syntax Description

This command has no keywords or arguments.

1.20.4   Default

The SmartEdge router sends RADIUS Access-Request messages to the RADIUS server regardless of whether a username is specified.

1.20.5   Usage Guidelines

Use the aaa global reject empty-username command to suppress RADIUS Access-Request messages when no username is specified. The relevant attribute in the Access-Request message is the User-Name attribute. The operating system logs an informational message that identifies the circuit, then discards the Access-Request packet.

Use the no form of this command to restore the default behavior of sending Access-Request messages to the RADIUS server regardless of whether a username is specified.

1.20.6   Examples

The following example shows how to configure the SmartEdge router to suppress Access-Request messages when no username is specified:

[local]Redback(config)#aaa global reject empty-username

1.21   aaa global route-download

1.21.1   Purpose

Configures a global route download server.

1.21.2   Command Mode

Global configuration

1.21.3   Syntax Description

This command has no keywords or arguments.

1.21.4   Default

The SmartEdge router does not send route download messages to a RADIUS server.

1.21.5   Usage Guidelines

This command is used to enable the global route download method.

1.21.6   Examples

The following example shows how to initiate route download in the aaa global mode:

[local]Redback(config)#aaa global route-download context local

1.22   aaa global session-id-count

1.22.1   Purpose

Changes the account session ID rules to comply with the requirements of vendor-specific equipment.

1.22.2   Command Mode

Global configuration

1.22.3   Syntax Description

This command has no keywords or arguments.

1.22.4   Default

By default, vendor-specific account session ID rules are disabled.

1.22.5   Usage Guidelines

Use the aaa global session-id-count command to change the account session ID rules to comply with the requirements of vendor-specific equipment. When you apply this command, the SmartEdge router enforces the following rules:

• The account session ID attribute is a unique hexadecimal number.
• The first session is number zero (0) and subsequent sessions increment by one (1) until the value FFFFFFFF is reached. Upon process restart or failover, the count of the session begins with the value after the previous value is reached.
• After the value FFFFFFFF is reached, renumbering from zero begins.
• When the SmartEdge router receives an accounting request, it sends an account session ID.

The operating system supports this feature in the following environments:

• L2TP (LAC/LNS)
• PPPoE
• PPPoA
• PPPoEoA
• PPPoEoE

To use this feature, configure the RADIUS and RADIUS accounting on an SmartEdge router, and then configure a RADIUS accounting server.

Use the no or the default form of this command to reset the aaa global session-id-count command to the default account session ID rules.

1.22.6   Examples

The following example shows how to globally configure the SmartEdge router so that the account session ID rules comply with the requirements of vendor-specific equipment:

[local]Redback(config)#aaa global session-id-count

1.23   aaa global update subscriber

1.23.1   Purpose

Sends updated accounting records for subscribers in all contexts to one or more Remote Authentication Dial-In User Service (RADIUS) accounting servers with IP addresses or hostnames configured in the local context.

1.23.2   Command Mode

Global configuration

1.23.3   Syntax Description

1.23.4   Default

This authentication, authorization, and accounting (AAA) feature is disabled.

1.23.5   Usage Guidelines

Use the aaa global update subscriber command to send updated accounting records for subscribers in all contexts to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.

Note:  

You must configure accounting using the aaa global accounting subscriber command (in global configuration mode).

Note:  

To use RADIUS, you must configure the IP address or hostname of at least one RADIUS accounting server in the local context. To configure the server’s IP address or hostname, enter the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command to disable subscriber account updating.

1.23.6   Examples

The following example shows how to globally configure an update to be sent for all subscribers in the system when each subscriber’s session comes up, and every 20 minutes thereafter, for as long as the subscriber session lasts:

[local]Redback(config)#aaa global update subscriber 20

1.24   aaa hint ip-address

1.24.1   Purpose

Enables the SmartEdge router to notify the Remote Authentication Dial-In User Service (RADIUS) server that the IP address in the Framed-IP-Address attribute is the preferred IP address.

1.24.2   Command Mode

Context configuration

1.24.3   Syntax Description

This command has no keywords or arguments.

1.24.4   Default

This feature is disabled.

1.24.5   Usage Guidelines

Use the aaa hint ip-address command to enable the SmartEdge router to notify the RADIUS server that the IP address in the Framed-IP-Address attribute is the preferred IP address.

This feature applies only to subscribers that you have configured using the ip address (subscriber) command (in subscriber configuration mode) with the pool keyword. The SmartEdge router selects an unused IP address from the pool and sends it to the RADIUS server in an Access-Request message. The ip address (subscriber) command does not apply to subscribers who are configured for SmartEdge router authentication.

The IP address selected from the unnamed IP pool is a hint to the RADIUS server that the selected address is preferred. The RADIUS server can choose to honor the hint or override it with a different IP address. The SmartEdge router uses the address only if the RADIUS server confirms that it is acceptable; the SmartEdge router action corresponding to the RADIUS response is described in the IP Address Assignment section.

Note:  

This command is not available if you have enabled global subscriber authentication using the aaa global authentication subscriber command (in global configuration mode).

Use the no form of this command to disable this feature.

1.24.6   Examples

The following example shows how to enable this feature in the customers context:

[local]Redback(config)#context customers
[local]Redback(config-cxt)#aaa hint ip-address

1.25   aaa ip-pool allocation first-available

1.25.1   Purpose

Specifies that the SmartEdge router uses a first-available algorithm to allocate IP addresses to subscribers.

1.25.2   Command Mode

Global configuration

1.25.3   Syntax Description

This command has no keywords or arguments.

1.25.4   Default

The SmartEdge router uses a round-robin algorithm to allocate IP addresses to subscribers.

1.25.5   Usage Guidelines

Use the aaa ip-pool allocation first-available command to specify that the SmartEdge router uses a first-available algorithm to allocate IP addresses to subscribers.

When the SmartEdge router receives a request for an IP address, by default it uses the round-robin method to select an address from the IP pool. The round-robin method begins its search where the last search ended; that is, the SmartEdge router checks whether the first address in the IP pool following the last allocated IP address is available. If this address is unavailable, the SmartEdge router checks the next address until either an available address is assigned or the pool is exhausted.

In the first-available method, the search for an available IP address always begins with the first address in the pool.

Use the no or default form of this command to revert to the default behavior.

1.25.6   Examples

The following example shows how to specify that the SmartEdge router uses a first-available algorithm to allocate subscriber IP addresses:

[local]Redback(config)#aaa ip-pool first-available

1.26   aaa last-resort

1.26.1   Purpose

Specifies the context in which authentication of a subscriber should be attempted if the subscriber name does not contain a valid domain or context that has been configured in the system.

1.26.2   Command Mode

Global configuration

1.26.3   Syntax Description

1.26.4   Default

No last resort context is configured.

1.26.5   Usage Guidelines

Use the aaa last-resort command to specify the context in which authentication of a subscriber name is to be attempted whenever the domain portion of the subscriber name provided cannot be matched to any configured context or domain.

At the time you enter this command, the SmartEdge router does not check to ensure you specify a valid context. When a subscriber attempts to connect, and the SmartEdge router attempts to validate the subscriber in the last resort context, an error message displays if the context does not exist.

Only one last resort context can be in effect at a time. To change the last resort context, create a new one and it overwrites the existing one.

Note:  

To use Remote Authentication Dial-In User Service (RADIUS), the IP address or hostname of at least one RADIUS server must be configured in the last resort context. To configure the server’s IP address or hostname, enter the radius server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no form of this command to remove the last resort context.

1.26.6   Examples

The following configuration example assumes three contexts: california, nevada, and otherstates. A username, jill@arizona, is submitted for authentication, but there is no configured arizona context. The following example configures the system in such a way that jill@arizona would be submitted for authentication in the otherstates context:

[local]Redback(config)#aaa last-resort context otherstates

1.27   aaa maximum subscriber

1.27.1   Purpose

Limits the number of subscriber sessions that can be simultaneously active in a given context.

1.27.2   Command Mode

Context configuration

1.27.3   Syntax Description

1.27.4   Default

There is no limit to the number of subscriber sessions that can be simultaneously active in a given context.

1.27.5   Usage Guidelines

Use the aaa maximum subscriber command to limit the number of subscriber sessions that can be simultaneously active in a given context.

Table 1 lists the values for the active count construct.

Note:  

The subscriber command (in software license configuration mode) specifies the maximum number of active subscriber sessions.

Use the no or default form of this command to restore the default of no limit to the number of subscriber sessions.

1.27.6   Examples

The following example shows how to set the maximum number of simultaneous active subscriber sessions for the local context to 100:

[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa maximum subscriber active 100

1.28   aaa password

1.28.1   Purpose

Changes the default authentication and authorization password for the authentication, authorization, and accounting (AAA) to the specified password. It also disables the default authentication and authorization password on the subscriber circuits.

1.28.2   Command Mode

Context configuration

1.28.3   Syntax Description

1.28.4   Default

The default authentication and authorization password is “Redback”.

1.28.5   Usage Guidelines

Use the aaa password command to change the default authentication and authorization password for the AAA or disable the default authentication and authorization password on subscriber circuits. To change the default authentication and authorization password to a specified password, use the default keyword with the aaa password command. This new default password is saved in the encrypted form. When you enter the show configuration command, the display shows the default AAA password in the encrypted form.

To disable the default authentication and authorization password on subscriber circuits, use the disable-subscriber keyword with the aaa password command.

Use the no form of this command to restore the default password of “Redback”.

1.28.6   Examples

The following example shows how to configure the new default AAA password of secret123:

[local]Redback(config-ctx)#aaa password default secret123

The following example shows how to configure the new default AAA password of secret123 and disable this default AAA password on the subscriber circuits:

[local]Redback(config-ctx)#aaa password default secret123 disable-subscriber

1.29   aaa provision binding-order

1.29.1   Purpose

Changes the default order in which the SmartEdge router searches for the Remote Authentication Dial-In User Service (RADIUS) and Layer 2 Tunneling Protocol (L2TP) attributes to find the IP address be used to bind a subscriber circuit.

1.29.2   Command Mode

Context configuration

1.29.3   Syntax Description

1.29.4   Default

The SmartEdge router searches for the L2TP attribute before searching for the RADIUS attribute.

1.29.5   Usage Guidelines

Use the aaa provision binding-order command to change the default order in which the SmartEdge router searches for the RADIUS and L2TP attributes to find the IP address to be used to bind a subscriber circuit. The circuit binding has been created using the bind authentication command (in the circuit’s configuration mode).

Use this command to enable the SmartEdge router to look for the RADIUS Framed-IP-Address attribute before looking at the L2TP Sub-Address AVP. If the Framed-IP-Address attribute does not exist, the L2TP ICRQ message is examined for the Sub-Address AVP. If the Sub-Address AVP does not exist, the session is not brought up.

Use the no form of this command to specify the default order.

For more information about using the bind authentication command to create a dynamic binding, see Configuring Bindings.

1.29.6   Examples

The following example shows how to specify that the IP address (and its interface) in the RADIUS record be used to bind a subscriber circuit:

[local]Redback(config-ctx)#aaa provision binding-order ip-address-attr 
l2tp-attr

1.30   aaa provision route

1.30.1   Purpose

Enables the SmartEdge router to assign one or a range of IP addresses specified by the subscriber IP netmask in the RADIUS Framed-IP-Netmask attribute to a PPP or PPPoE subscriber. This command also installs the IP netmask as a subnet route for the subscriber in the route table.

1.30.2   Command Mode

Context configuration

1.30.3   Syntax Description

1.30.4   Default

The Framed-IP-Netmask attribute is ignored.

1.30.5   Usage Guidelines

Use the aaa provision route command to enable the SmartEdge router to assign one or a range of IP addresses specified by the subscriber IP netmask in the RADIUS Framed-IP-Netmask attribute to a PPP or PPPoE subscriber. This command also installs the IP netmask as a subnet route for the subscriber in the route table.

If you configure the use-framed-route keyword with the aaa provision route command, the subscriber is assigned one IP address specified in the Framed-IP-Netmask attribute. Otherwise, the entire range of addresses specified by IP netmask is assigned to the subscriber.

Note:  

The SmartEdge router currently can assign up to an entire Class C address to subscribers. If the IP netmask in the Framed-IP-Netmask attribute is greater than a Class C address, use the use-framed-route keyword. This keyword allows the operating system to support subscribers that have Class B network behind them.

Use the no or default form of this command to revert to the default behavior.

1.30.6   Examples

The following example shows how to enable a direct connection to PPP routers:

[local]Redback(config)#context remote
[local]Redback(config-ctx)#aaa provision route ip-netmask encapsulation ppp

The following example shows how to enable a direct connection to a PPPoE router with a Class B network behind it:

[local]Redback(config)#context abcremote
[local]Redback(config-ctx)#aaa provision route ip-netmask encapsulation pppoe use-framed-route

1.31   aaa rate-report-factor

1.31.1   Purpose

Multiplies the raw digital subscriber line (DSL) data rate by a factor and reports the result for one or more line types as the subscriber traffic rate in Remote Authentication Dial-In User Service (RADIUS) and Layer 2 Tunneling Protocol (L2TP) messages.

1.31.2   Command Mode

Context configuration

1.31.3   Syntax Description

1.31.4   Default

No rate adjustment is calculated for any DSL line type.

1.31.5   Usage Guidelines

Use the aaa rate-report-factor command to multiply the raw DSL data rate by a factor and report the result for one or more line types as the subscriber traffic rate in RADIUS and L2TP messages.

Access nodes send raw data rates of one or more DSL line types to the SmartEdge router; however, only a portion of the raw data rate is available for subscriber traffic. You can configure the SmartEdge router to multiply the raw data rate for each type of DSL line by a specific percentage.

The magnitude of the adjustment can differ by DSL line type. For this reason, you can specify a different factor for each possible line type. You must issue this command once for each line type that you expect connected access nodes to use.

The SmartEdge router sends the adjusted rate in RADIUS vendor-specific attribute (VSA) 185, DSL_Actual_Rate_Down_Factor and L2TP (Tx) Connect Speed attribute-value pair (AVP) 24 attributes. If you do not specify a factor for a specific line type, an unaltered learned rate for that line type is sent in the attributes.

Note:  

This command adjusts only the reported rates for the mentioned attributes. It does not affect data rates used for traffic shaping or quality of service (QoS) policies. QoS policies use the raw rates combined with more precise encapsulation information to achieve proper metering and shaping.

Use the no form of this command to revert to the default behavior.

1.31.6   Examples

The following example shows how to enable the SmartEdge router to multiply the DSL line type data rate for ADSL1 by 80% prior to sending a RADIUS accounting message:

[local]Redback(config-ctx)#aaa rate-report-factor adsl1 80

1.32   aaa reauthorization bulk

1.32.1   Purpose

Configures subscriber reauthorization so that attribute changes can be dynamically applied to active subscriber sessions, without requiring Point-to-Point Protocol (PPP) renegotiation and without interrupting or dropping active sessions.

1.32.2   Command Mode

Context configuration

1.32.3   Syntax Description

1.32.4   Default

None

1.32.5   Usage Guidelines

Use the aaa reauthorization bulk command to configure subscriber reauthorization so that attribute changes can be dynamically applied to active subscriber sessions, without requiring PPP renegotiation and without interrupting or dropping active sessions. After this command has been enabled, enter the reauthorize command (in exec mode) to initiate subscriber reauthorization.

The standard RADIUS attributes and Redback VSAs that are supported with dynamic subscriber reauthorization are listed in RADIUS Attributes.

Note:  

The SmartEdge router appends the context name to the subscriber name when sending reauthorization messages; for example, joe@local.

Note:  

You must configure at least one RADIUS server in the local or the current context before any messages can be sent to it. To configure the server, enter the radius server command (in context configuration mode); for more information, see Configuring RADIUS.

Note:  

To enable RADIUS authentication, you must enter the aaa authentication subscriber command (in context configuration mode).

Use the no or default form of this command to disable dynamic subscriber reauthorization.

1.32.6   Examples

The following example shows how to enable the global reauthorization of all subscribers in the SmartEdge router:

[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa reauthorization bulk global

The following is an example of a subscriber record on a RADIUS server. The subscriber has requested a new service that is translated to a particular session timeout value:

#reauth of absolute timeout
reauth-501@local User-Password==”redback”
    Service-Type=Outbound-User,
    Reauth_String=”2;pppoe1@local;27;1000;”

Before the administrator enters the reauthorize command (in exec mode), the subscriber record appears as:

[local]Redback>show subscribers active


pppoe1@local
    Circuit 13/1 vpi-vci 0 33
    Internal Circuit 13/1:1023:63/1/2/22
    Current port-limit unlimited
    ip address 10.1.1.4 

In the following example, the administrator enters the reauthorize command (in exec mode) and the subscriber session is reauthorized with the new timeout attribute added:

[local]Redback>reauthorize username pppoe1@local
[local]Redback>show subscribers active


pppoe1@local
    Circuit 13/1 vpi-vci 0 33
    Internal Circuit 13/1:1023:63/1/2/22
    Current port-limit unlimited
    ip address 10.1.1.4 
    timeout absolute 1000

1.33   aaa route-download

1.33.1   Purpose

Enables AAA route download on the SmartEdge router. The route-download functionality is disabled by default. The mandatory parameter radius or global specifies the route-download method.

1.33.2   Command Mode

Context configuration

1.33.3   Syntax Description

1.33.4   Default

The default interval is 720 minutes. The default cost is 0.

1.33.5   Examples

Use the following command to configure route download using the radius method, with default parameters:

[local]Redback(config-ctx)#aaa route-download radius

1.34   aaa update subscriber

1.34.1   Purpose

Sends updated accounting records for subscriber sessions in the current context to one or more Remote Authentication Dial-In User Service (RADIUS) servers with IP addresses or hostnames configured in the same context.

1.34.2   Command Mode

Context configuration

1.34.3   Syntax Description

1.34.4   Default

Updates for subscriber accounts are not performed.

1.34.5   Usage Guidelines

Use the aaa update subscriber command to send updated accounting records for subscriber sessions in the current context to one or more RADIUS servers with IP addresses or hostnames configured in the same context.

Note:  

You must configure accounting using the aaa accounting subscriber command (in context configuration mode) with the radius keyword.

Note:  

To use RADIUS, the IP address or hostname of at least one RADIUS accounting server must be configured in the context to which the subscriber is to be bound. To configure the server’s IP address or hostname, enter the radius accounting server command (in context configuration mode); for more information, see Configuring RADIUS.

Use the no or default form of this command to disable subscriber account updating.

1.34.6   Examples

The following example shows how to configure an update to be sent every 20 minutes, for as long as the subscriber session lasts:

[local]Redback(config-ctx)#aaa update subscriber 20

1.35   aaa username-format

1.35.1   Purpose

Defines one or more schemas for matching the format of structured usernames.

1.35.2   Command Mode

Global configuration

1.35.3   Syntax Description

1.35.4   Default

If no username formats are specified with this command, the SmartEdge router default format of username@domain-name is checked for a format match.

1.35.5   Usage Guidelines

Use the aaa username-format command to define one or more schemas for matching the format of structured usernames. A username can be for a subscriber or an administrator.

You can use this command multiple times to create a list of formats against which an incoming username is matched. The first format configured is checked first for a match, then the second, and so on until a match is found or until the configured username formats are exhausted.

Use the rightmost-separator keyword with the aaa username-format command when you have multiple separators within a structured username; for example, joe@gold@example.com. If the rightmost-separator keyword is configured, the SmartEdge router treats the far right (rightmost) separator character as the separator that divides the user portion of the structured username from the domain portion.

If no username formats are explicitly defined with the aaa username-format command, the SmartEdge router checks the default format of username@domain-name for a match.

Use the no form of this command to remove the specified format from those considered to be valid structured-username formats.

1.35.6   Examples

The following example shows how to configure a structured-username format with the subscriber name specified first, separated from its domain by the % symbol:

[local]Redback(config)#aaa username-format username %

In this example, for a subscriber, joe, configured in the local context, the SmartEdge router checks for a match against the structured-username joe%local.

The following example shows how to configure a structured-username format with the domain name specified first, separated from the subscriber name by the / symbol:

[local]Redback(config)#aaa username-format domain /

In this example, for a subscriber, joe, configured in the local context, the SmartEdge router checks for a match against the format local/joe.

The following example shows how to configure a structured-username format with the domain name specified first, separated from the subscriber name using the far right (rightmost) separator, a @ symbol:

[local]Redback(config)#aaa username-format domain @ rightmost-separator

In this example, for a username, local@example.com@joe, the SmartEdge router checks for the far right separator, a @ symbol. For this username, the subscriber name is joe and the context is local@example.com.

1.36   abort

1.36.1   Purpose

Deletes an outstanding database transaction.

1.36.2   Command Mode

All configuration modes

1.36.3   Syntax Description

This command has no keywords or arguments.

1.36.4   Default

None

1.36.5   Usage Guidelines

Use the abort command to delete an outstanding database transaction, which includes all configuration commands entered since the beginning of the configuration session, or since the latest abort or commit command.

In any configuration mode, this command deletes the database transaction for the current configuration session; a new database transaction is started for the configuration session, and subsequent commands entered in the session are part of the new transaction.

1.36.6   Examples

The following example shows how to delete the current database transaction:

[local]Redback#abort

1.37   absolute

1.37.1   Purpose

Creates an absolute time access control list (ACL) condition statement.

1.37.2   Command Mode

ACL condition configuration

1.37.3   Syntax Description

1.37.4   Default

No ACL condition statements are configured.

1.37.5   Usage Guidelines

Use the absolute command to create an absolute time ACL condition statement that, when referenced in an IP ACL statement, permits or denies packets, based on specific date and time ranges. Use this command to create an absolute time ACL conditional statement that, when referenced in a policy ACL statement, assigns a class name to packets.

Use the no form of this command to delete the absolute time ACL condition statement.

1.37.6   Examples

The following example shows how to create an absolute time ACL condition statement for the ACL condition 500, which is referenced in the policy ACL, policy-acl-forward. The absolute time ACL condition applies the Bar003 class name to all policy ACL statements that reference the ACL condition during the time interval beginning on December 15, 2003 at 9:00 p.m. (21:00) and ending on the same day at 11:00 p.m. (23:00):

[local]Redback(config-ctx)#policy access-list policy-acl-forward
[local]Redback(config-access-list)#condition 500 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end 
2003:12:15:23:00 class Bar003

1.38   accept filter prefix-list

1.38.1   Purpose

Advertises to a Border Gateway Protocol (BGP) peer that a BGP speaker can accept address prefix-based route filtering from a peer.

1.38.2   Command Mode

BGP neighbor configuration

1.38.3   Syntax Description

This command has no keywords or arguments.

1.38.4   Default

The command is disabled.

1.38.5   Usage Guidelines

Use the accept filter prefix-list command to advertise to a BGP peer that a BGP speaker can accept address prefix-based route filtering from a peer. Use this command to save resources and avoid the generation, transmission, and processing of unnecessary routing updates.

When this command is enabled, and if the BGP peer advertises its preference to send address prefixed-based filtering (through the send filter prefix-list command in BGP neighbor configuration mode), the remote peer sends its inbound address prefix-based filtering to the local BGP speaker. The local BGP speaker uses the received address prefix-based filtering along with its local routing policies to determine whether routes should be advertised to the peer.

Note:  

This command cannot be enabled on a BGP neighbor that is part of a peer group because this feature cannot be customized for individual members inside of a peer group.

Use the show bgp neighbor ip-address received prefix-filter command to display address prefix-based route filtering configuration information.

Use the no form of this command to disable a BGP speaker from accepting route filtering from a peer.

For further information, see the Internet Drafts, Cooperative Route Filtering Capability for BGP-4, draft-ietf-idr-route-filter-03.txt, and Address Prefix Based Outbound Route Filter for BGP-4, draft-chen-bgp-prefix-orf-02.txt.

1.38.6   Examples

The following example shows how to enable the SmartEdge router to accept address prefix-based route filtering from the BGP peer at IP address 10.1.1.1:

[local]Redback(config-bgp)#neighbor 10.1.1.1 external
[local]Redback(config-bgp-neighbor)#accept filter prefix-list

1.39   accept-lifetime

1.39.1   Purpose

Establishes a start date and time for accepting the key, and optionally, a stop time for accepting the key.

1.39.2   Command Mode

Key chain configuration

1.39.3   Syntax Description

1.39.4   Default

If you do not issue this command, the key is accepted starting immediately and continues to be accepted indefinitely. If you do not specify a duration when issuing this command, the key is accepted indefinitely.

1.39.5   Usage Guidelines

Use the accept-lifetime command to specify when the key being configured is to be accepted. The format of the start-datetime and stop-datetime arguments is yyyy:mm:dd:hh:mm[:ss] and is defined as follows:

• yyyy = The year in four digits (for example, 2003).
• mm = The month of the year in two digits (for example, 01). The range of values is 1 to 12.
• dd = The day of the month in two digits (for example, 24). The range of values is 1 to 31.
• hh = The hour of the day in two digits (for example, 23). The range of values is 0 to 23.
• mm = The minute of the hour in two digits (for example, 59). The range of values is 0 to 59.
• ss = Optional. The second of the minute in two digits (for example, 55). The range of values is 0 to 59.

If you issue the accept-lifetime command without any optional constructs, the key is accepted starting with the date and time that you specify and continues to be accepted indefinitely. You can replace an existing accept lifetime value by issuing the accept-lifetime command again and specifying new values.

Use the no form of this command to specify that the key is no longer to be accepted.

1.39.6   Examples

The following example shows how to establish a lifetime acceptance of January 25, 2002 at one minute and one second after 4:00 a.m. The key continues to be accepted indefinitely:

[local]Redback(config-key-chain)#accept-lifetime 2002:01:25:04:01:01

The following example shows how to establish a lifetime acceptance of January 25, 2002 at exactly midnight, and specify that the key is to be accepted for 30 minutes (1800 seconds):

[local]Redback(config-key-chain)#accept-lifetime 2002:01:25:00:00 duration 1800

1.40   access-group

1.40.1   Purpose

Applies a policy access control list (ACL) to a class-based policy (forward policy, Network Address Translation [NAT] policy, or quality of service [QoS] policy) and enters policy group configuration mode.

1.40.2   Command Mode

• Forward policy configuration
• Metering policy configuration
• NAT policy configuration
• Policing policy configuration

1.40.3   Syntax Description

1.40.4   Default

None

1.40.5   Usage Guidelines

Use the access-group command to apply a policy ACL to a class-based policy (forward policy, NAT policy, or QoS policy) and enter policy group configuration mode.

If the class-based policy is RADIUS-guided, the policy ACL can be dynamic or static:

• A dynamic policy ACL is one that the SmartEdge router applies to the class-based policy using the rules specified in an instance of vendor-specific attribute (VSA) 164 that has been downloaded from the RADIUS server. In this case, use this command without specifying the name of the policy ACL.
• A static policy ACL is one that you apply to the class-based policy. In this case, you must specify the name of the policy ACL.

If you include the acl-name argument, you must also include the ctx-name argument when you apply a static policy ACL to a forward policy or QoS policy. For a NAT policy, you need only enter the acl-name argument; the context defaults to the context of the NAT policy.

You can apply a dynamic policy ACL in addition to a static policy ACL. However, the static policy ACL takes precedence over the dynamic policy ACL.

Note:  

The names of the IP and policy ACLs in the output of the show access-group command (in any mode) include a prefix: “ADF” for dynamic IP ACLs and “DPF” for dynamic policy ACLs.

Use the no form of this command to remove a static policy ACL from a specified policy.

To remove a policy ACL from a RADIUS-guided policy, you must delete the RADIUS-guided policy and then recreate it.

1.40.6   Examples

The following example shows how to apply the myacl policy ACL to the GE-in QoS policing policy. The myacl ACL has one class, voip, and packets in this class are marked with the Differentiated Service Code Point (DSCP) code af13:

[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl local
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp af13

The following example shows how to apply the forward policy, RedirectPolicy, as specified by the rules in the policy ACL PBR_Redirect_ACL. The PBR_Redirect_ACL access group has one class, Web, and packets in this class are redirected to the next hop in the route at IP address 100.1.1.0:

[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Redirect_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#redirect destination next-hop 
100.1.1.0

1.41   access-group (IGMP Snooping)

1.41.1   Purpose

Configures an IGMP profile to filter IGMP control messages that are received by an associated bridge so that nonmatching packets are not processed.

1.41.2   Command Mode

IGMP snooping profile configuration

1.41.3   Syntax Description

1.41.4   Default

IGMP control message filtering and access-list match counting are disabled, and every incoming packet is processed.

1.41.5   Usage Guidelines

Use the access-group command to filter IGMP control messages that are received by an associated bridge so that nonmatching packets are not processed.

The optional count keyword enables access-list match counting. Use the show igmp snooping access-group command to display the count of access list matches for a particular group.

Use the no form of this command to disable IGMP control message filtering.

1.41.6   Examples

The following example shows how to configure IGMP message filtering in the sanjose1 IGMP snooping profile. Bridges that reference the sanjose1 IGMP profile filter received IGMP messages:

[local]Redback #configure
[local]Redback(config)#igmp snooping profile sanjose1
[local]Redback(config-igmp-snooping-profile)# access-group acl1

1.42   access-list

1.42.1   Purpose

Enables access control list (ACL) counters or logging for the default subscriber profile, this named subscriber profile, or this named subscriber record.

1.42.2   Command Mode

Subscriber configuration

1.42.3   Syntax Description

1.42.4   Default

ACL counters are not enabled for any subscriber records or profiles.

1.42.5   Usage Guidelines

Use the access-list command to enable ACL counters or logging for the default subscriber profile, this named subscriber profile, or this named subscriber record.

Use the no form of this command to disable ACL counters for the default subscriber profile, this named subscriber profile, or this named subscriber record.

1.42.6   Examples

The following example shows how to enable ACL IP counters for the default subscriber profile:

[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-list count ip

1.43   access-line access-node-id

1.43.1   Purpose

Specifies the agent circuit ID that the system uses to match an incoming Access Node Control Protocol (ANCP) message to a digital subscriber line (DSL).

1.43.2   Command Mode

dot1q PVC configuration

1.43.3   Syntax Description

1.43.4   Default

No agent circuit ID is specified for the circuit.

1.43.5   Usage Guidelines

Use the access-line access-node-id command to specify the agent circuit ID that the system uses to match an incoming ANCP message to a DSL. This command identifies a unique configured agent circuit ID to be associated with an 802.1Q PVC or 802.1Q tunnel. The data contained in the message is applied to the circuit that matches the specified agent circuit ID. The agent circuit ID received from the DSLAM is either unformatted (a “blind string”) or it can conform to one of the formats specified in DSL Forum Specification TR-101, R-124, as follows:

• For ATM DSLs—ANI atm slot/port:vpi.vci
• For Ethernet DSLs—ANI eth slot/port[:vlan-id]

In the formatted version, the ANI field is always a blind string that identifies the DSLAM ANI; the SmartEdge router stores but does not process this string; it only searches for a space that terminates the string. The slot/port field is also a blind string; the SmartEdge router searches for a colon (:) that terminates the field, discards the colon and the remaining text, and stores the remaining string.

Use the ani argument to specify the DSLAM ANI portion of the agent circuit ID to which the incoming DSLAM ANIs are matched; use the slotport slot/port construct to specify the DSLAM slot and port. To match incoming agent circuit IDs, duplicate the incoming format used by the DSLAM.

The total number of characters in the values for the ani and slotport fields must be fewer than 63.

Use the no form of this command to specify the default condition.

The following examples of incoming DSLAM messages do not match; the reason is provided:

1.43.6   Examples

The following example shows how to specify an agent circuit ID to which incoming DSLAM messages are matched:

[local]Redback(config-dot1q-pvc)#dot1q pvc 1:1 encapsulation pppoe
[local]Redback(config-dot1q-pvc)#access-line access-node-id 
"10.101.90.4/0.0.0.0" slotport "3/2"

The following examples of incoming DSLAM messages match:

10.101.90.4/0.0.0.0 atm 3/2:2.3
10.101.90.4/0.0.0.0 eth 3/2:7

The following example specifies the agent circuit ID for the circuit tagged as pvc 200 with the profile pwfq. The PVC is a tunnel indicated by the specification of encapsulation 1qtunnel keywords with the doct1q pvc command:

[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-dot1q-pvc)#dot1q pvc 200 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line access-node-id 
"10.101.80.3/0.0.0.0" slotport "3/2"

1.44   access-line adjust

1.44.1   Purpose

Overrides the rates specified by the quality of service (QoS) policies attached to this subscriber record, named profile, or the default profile with the rates learned from the digital subscriber line (DSL) access multiplexer (DSLAM).

1.44.2   Command Mode

Subscriber configuration

1.44.3   Syntax Description

1.44.4   Default

The rate learned from the DSLAM is applied to the subscriber circuit.

1.44.5   Usage Guidelines

Use the access-line adjust command to override the rates specified by the QoS policies attached to this subscriber record, named profile, or the default profile with the rates learned from the DSLAM. The system applies the DSLAM rate.

Use the no form of this command to specify the default condition.

1.44.6   Examples

The following example shows how to override the rate specified by any QoS policy attached to the default subscriber profile:

[local]Redback(config)#context isp2
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-line adjust subscriber

1.45   access-line agent-circuit-id

1.45.1   Purpose

Specifies the agent circuit ID that the system uses to match an incoming ANCP message to a circuit.

1.45.2   Command Mode

dot1q PVC configuration

1.45.3   Syntax Description

1.45.4   Default

No agent circuit ID is specified for a DSL on this circuit. The SmartEdge router can learn this information from a Point-to-Point Protocol (PPP) over Ethernet (PPPoE) tag or a Dynamic Host Control Protocol (DHCP) option 82 tag.

1.45.5   Usage Guidelines

Use the access-line agent-circuit-id command to specify the agent circuit ID that the system uses to match an ANCP message to a circuit, which can be either an 802.1Q PVC or 802.1Q tunnel. An incoming ANCP message contains an agent circuit ID. The data contained in this message is applied to the circuit that matches that agent circuit ID. The agent circuit ID received from the DSL access multiplexer (DSLAM) must match the text string exactly.

If the value learned from a subscriber session on this DSL differs from the configured value for the string argument, the system generates an error log message and uses the configured value.

Note:  

For a more flexible approach to matching an ANCP message to a circuit, use the access-line access-node-id command (in dot1q PVC configuration mode).

Use the no form of this command to specify the default condition.

1.45.6   Examples

The following example shows how to specify the agent circuit ID for all subscriber sessions:

[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id 
“dslam-10.1.1.1 dot1q 2/1:1:1”

The following example shows how to specify the agent circuit ID for the circuit tagged as pvc 100 with the profile pwfq. The PVC is a tunnel indicated by the specification of encapsulation 1qtunnel:

[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id 
“10.2.1.1 eth 3/1:100”

1.46   access-line rate

1.46.1   Purpose

Overrides the rates specified by the quality of service (QoS) policies attached to subscriber session or 802.1q VLAN with the rates learned from the neighbor peer (DSLAM) through Access Node Control Protocol (ANCP) or Point-to-Point Protocol over Ethernet (PPPoE), Point-to-Point Protocol over ATM (PPPoA), or Dynamic Host Configuration Protocol (DHCP) TR-101 tags.

1.46.2   Command Mode

• Subscriber configuration
• dot1q profile configuration

1.46.3   Syntax Description

1.46.4   Default

The system does not use the learned rates to override the rates specified by the attached QoS policies.

1.46.5   Usage Guidelines

In the subscriber configuration mode, use the access-line rate command to override the rates specified by the QoS policies attached to the applicable subscriber session(s) with the rates learned from the neighbor peer (DSLAM) through ANCP or TR-101 PPPoE, PPPoA, or DHCP tags.

Note:  

The QoS policy itself is not modified, only the terms of its enforcement on the particular circuit(s) to which the learned rates are applied.

Note:  

The SmartEdge router learns the rate to be applied from the Actual-Data-Rate-Downstream in the General Switch Management Protocol (GSMP) port-up message or from the Point-to-Point Protocol over Ethernet (PPPoE) or Dynamic Host Configuration Protocol (DHCP) option according to TR-101. If the ancp keyword is specified with the access-line rate command, the SmartEdge router learns the rate from ANCP. Otherwise, the SmartEdge router may also learn the rate from the Point-to-Point Protocol over Ethernet (PPPoE) or Dynamic Host Configuration Protocol (DHCP) option.

In the subscriber and dot1q profile configuration modes, use the access-line rate out metering command to specify that the learned outbound line rate should only be used to override the rate of any QoS metering policy attached to the applicable circuit. In the subscriber and dot1q profile configuration modes, use the access-line rate out queuing command to specify that the learned outbound line rate should only be used to override the rate of any QoS PWFQ policy attached to the applicable circuit. If access-line rate out is specified without either the metering or queuing keyword, then the outbound rate adjustments are applied to both QoS metering and PWFQ policies of the applicable circuit.

When the same QoS rate of a circuit is subject to modification from both ANCP and a RADIUS VSA such as 196, 156, or 157, the lower of the last ANCP rate received and the relevant VSA rate are applied to the circuit.

Note:  

More than one instance of the access-line rate command may be specified in a single subscriber or dot1q profile configuration record. However, only one instance of access-line rate out may be specified (with or without the parameters).

Note:  

When you configure the number of subscriber sessions to be limited to one session for each VLAN through the use of the bind auth maximum command (where max = 1), the SmartEdge router merges the two circuits so that the subscriber session and the parent VLAN share the same circuit. In this scenario, when a QoS PWFQ policy is applied on the circuit and a metering policy is applied under the subscriber configuration, by default outbound line rate adjustments are applied to both the metering rate on the subscriber session and the PWFQ rate configured on the VLAN. By using either the access-line rate out queuing or access-line rate out metering command, you can selectively update a PWFQ policy binding applied on the VLAN configuration or a metering policy binding provided through the RADIUS attributes of a subscriber.

In dot1q profile configuration mode, use the access-line rate command to override the rates specified by the QoS policies attached to a 802.1q VLAN circuit that is subject to the dot1q profile. This command overrides the rates specified by any applicable QoS policies with the learned rates from the neighbor peer (DSLAM).

If the parent circuit of the subscriber circuit has a QoS policy, then the learned rate can be applied to the QoS policy attached to the parent circuit by specifying the access-line adjust cvlan command. Otherwise, the learned rate is applied to the circuit with the associated circuit agent ID.

Use the no form of this command to disable use of learned rates to override the rates specified by the attached QoS policies.

1.46.6   Examples

The following example shows how to enable the system to use learned outbound rates to override any metering and PWFQ rates in the out direction for the isp1 subscriber profile in the access7 context, but only if the rate is learned from ANCP:

[local]Redback(config)#context access7
[local]Redback(config-ctx)#subscriber profile isp1
[local]Redback(config-sub)#access-line rate out ancp

The following example shows how to enable the system to use learned inbound rates to override any policing rate and learned outbound rates to override any metering and PWFQ rates for the 802.1 PVCs subject to dot1q profile named adjust_all:

[local]Redback(config-ctx)#dot1q profile adjust_all
[local]Redback(config-dot1q-profile)#access-line rate in
[local]Redback(config-dot1q-profile)#access-line rate out

The following example shows how to enable the system to use learned outbound rates to override the rates of any QoS PWFQ policies for the 802.1 PVCs subject to dot1q profile named adjust_pwfq:

[local]Redback(config-ctx)#dot1q profile adjust_pwfq
[local]Redback(config-dot1q-profile)#access-line rate out queuing

1.47   accounting

1.47.1   Purpose

Enables accounting for the specified policy and class.

1.47.2   Command Mode

Service profile configuration

1.47.3   Syntax Description

1.47.4   Default

Accounting is disabled for all policies and classes.

1.47.5   Usage Guidelines

Use the accounting command to enable accounting for the specified policy and class.

Note:  

Forward policies do not support accounting for transmitted traffic.

Use the no form of this command to disable accounting for the specified policy and class.

1.47.6   Examples

The following example shows how to enable accounting for incoming traffic in the redirect class:

[local]Redback(config-ctx)#radius service profile redirect
[local]Redback(config-svc-profile)#accounting in fwd redirect

The following example enables accounting for incoming traffic in the dynamic_service profile. The $class_bearervariable, which is configured using the parameter command, contains references to the dynamic classes. In the following example, D1 and D2 are the names of the predefined classes:

[local]Redback(config-ctx)#radius service profile dynamic_service
[local]Redback(config-ctx)#parameter value %dynamic_class_qos_in “D1 D2”
[local]Redback(config-ctx)#parameter value %dynamic_class_qos_in
[local]Redback(config-svc-profile)#accounting qos in $class_bearer

1.48   active-timeout

1.48.1   Purpose

Configures the active timeout setting for flows that use the specified profile, in seconds.

1.48.2   Command Mode

Flow IP profile configuration

1.48.3   Syntax Description

1.48.4   Default

The default timeout value is 1800 seconds (30 minutes).

1.48.5   Usage Guidelines

Use the active-timeout command to configure the active timeout setting for flows that use this profile, in seconds.

A flow expires when either of the following occurs:

• The idle timeout period passed
• The active timeout period passes

When a flow expires, a flow record is created and exported to the Layer 2 cache.

Use the no form of this command to return the active timeout value to the default setting of 1800 seconds.

1.48.6   Examples

The following example shows how to configure the active timeout to 1000 seconds for flows that use the profile c1:

[local]Redback)#configure
[local]Redback)(config)#flow ip profile c1
[local]Redback(config-flow-ip-profile)#active-timeout 1000

1.49   address

1.49.1   Purpose

Assigns an IP address, a range of IP addresses, or an IP address with one or more blocks of Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports to the Network Address Translation (NAT) pool.

1.49.2   Command Mode

NAT pool configuration

1.49.3   Syntax Description

1.49.4   Default

All TCP/UDP port numbers for the IP address are assigned to the NAT pool.

1.49.5   Usage Guidelines

Use the address command to assign the IP address and subnet mask, a range of IP addresses, or an IP address with a range of TCP/UDP ports that will be included in the NAT pool. The TCP/UDP port number space is divided into 16 blocks. Each block contains 4,096 sequential numbers. Blocks are numbered from 0 to 15. If you specify one or more blocks of TCP/UDP ports, you must specify 32 as the prefix length.

You can enter this command multiple times to assign multiple IP addresses, ranges of IP addresses, and an IP address with TCP/UDP port blocks to a NAT pool.

Use the no form of this command to remove IP addresses from the NAT pool. If you enter the no form with an IP address that was configured with the port-block keyword, the IP address and all its configured port blocks are removed from the NAT pool.

1.49.6   Examples

The following example shows how to configure the NAT pool, NAT-1, and fill the pool with the IP address, 171.71.71.1, with all its TCP/UDP ports and the IP address, 171.71.72.2, with port blocks 1 to 3:

[local]Redback(config)#context ISP
[local]Redback(config-ctx)#ip nat pool NAT-1 napt
[local]Redback(config-nat-pool)#address 171.71.71.1/32
[local]Redback(config-nat-pool)#address 171.71.72.2/32 port-block 1 to 3

1.50   address-family (IS-IS)

1.50.1   Purpose

Configures multitopology Intermediate System-to-Intermediate System (IS-IS) routing.

When entered in IS-IS router configuration mode, enables an address family for the IS-IS instance and enters IS-IS address family configuration mode.

When entered in IS-IS interface configuration mode, enables an address family for the IS-IS interface and enters IS-IS interface address family configuration mode.

1.50.2   Command Mode

• IS-IS interface configuration
• IS-IS router configuration

1.50.3   Syntax Description

1.50.4   Default

When an IS-IS instance is created, the IPv4 unicast address family is enabled on the IS-IS instance. IPv4 multicast and IPv6 address families are disabled.

When IS-IS is enabled on an interface, the IPv4 unicast address family is enabled on the interface. IPv4 multicast and IPv6 address families are disabled.

1.50.5   Usage Guidelines

Use the address-family command to configure multitopology IS-IS routing. Enter this command in IS-IS interface configuration mode to enable an address family on an interface; enter it in IS-IS router configuration mode to enable an address family on an instance. Before an interface can participate in the routing for an address family, that address family must be enabled for both the instance and interface.

The multitopology IS-IS feature can generate multiple address families (topologies) for IS-IS; for example, it can enable one for an IPv4 unicast network, one for an IPv4 multicast network, and one for an IPv6 unicast network. Enter this command multiple times on a single interface or instance to create different topologies.

Multitopology IS-IS routing is useful when multiple address families are needed; for example, the reverse path forwarding (RPF) checks used by the IPv4 multicast routing protocol can use its own Interior Gateway Protocol (IGP) routing table instead of using the IPv4 unicast routing table.

The SmartEdge router supports IPv6 IS-IS routing in multitopology mode only. If you enable the IPv6 address family using this command and have any routers in the area operating in single-topology mode, use the multi-topology transition command (in IS-IS address family configuration mode) to maintain IPv6 connectivity until all routers in the area are upgraded to multitopology mode.

For more information on multitopology IS-IS, see the Internet Draft, M-ISIS: Multi Topology Routing in IS-IS, draft-ietf-isis-wg-multi-topology-06.txt.

Note:  

If you do not want the IPv4 unicast address family enabled on an IS-IS instance (it is enabled by default), explicitly disable it using the no address-family command in IS-IS router configuration mode.

Use the no form of this command in IS-IS interface configuration mode to disable an address family on an ISIS interface.

Use the no form of this command in IS-IS router configuration mode to disable an address family on an IS-IS instance.

1.50.6   Examples

The following example shows how to enable the IPv4 unicast and IPv4 multicast address families in the IS-IS instance isis1, enable the IPv4 unicast and IPv4 multicast address families on the fa4/1 interface, enable the IPv4 unicast address family only on the fa4/2 interface, and enable IPv4 multicast only on the fa4/3 interface:

[local]Redback(config-ctx)#router isis isis1
[local]Redback(config-isis)#address-family ipv4 unicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#address-family ipv4 multicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#interface fa4/1
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#address-family ipv4 multicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/2
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/3
[local]Redback(config-isis-if)#no address-family ipv4 unicast
[local]Redback(config-isis-if)#address-family ipv4 multicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit

The following example shows how to enable the IPv4 unicast and IPv6 unicast address families in the isis2 IS-IS instance, IPv4 unicast and IPv6 unicast address families on the fa4/1 interface, IPv4 unicast address family only on the fa4/2 interface, and IPv6 unicast only on the fa4/3 interface:

[local]Redback(config-ctx)#router isis isis2
[local]Redback(config-isis)#address-family ipv4 unicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#address-family ipv6 unicast
[local]Redback(config-isis-af)#exit
[local]Redback(config-isis)#interface fa4/1
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#address-family ipv6 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/2
[local]Redback(config-isis-if)#address-family ipv4 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit
[local]Redback(config-isis)#interface fa4/3
[local]Redback(config-isis-if)#no address-family ipv4 unicast
[local]Redback(config-isis-if)#address-family ipv6 unicast
[local]Redback(config-isis-if-af)#exit
[local]Redback(config-isis-if)#exit

1.51   address-family ipv4 (Multicast and Unicast)

1.51.1   Purpose

When entered in BGP router configuration mode, specifies the use of standard IP Version 4 (IPv4) multicast or unicast address prefixes for the Border Gateway Protocol (BGP) routing instance and enters BGP address family configuration mode.

When entered in BGP neighbor configuration mode, this command specifies the use of IPv4 multicast or unicast address prefixes for the specified BGP neighbor, and enters BGP neighbor address family configuration mode.

When entered in BGP peer group configuration mode, this command specifies the use of IPv4 multicast or unicast address prefixes for the specified BGP peer group, and enters BGP peer group address family configuration mode.

1.51.2   Command Mode

• BGP neighbor configuration
• BGP peer group configuration
• BGP router configuration

1.51.3   Syntax Description

1.51.4   Default

When entered in BGP router configuration mode, this command has no default setting.

When entered in BGP neighbor configuration mode or BGP peer group configuration mode, address prefixes are set to IPv4 multicast.

1.51.5   Usage Guidelines

Use the address-family ipv4 command in BGP router configuration mode to specify the use of standard IPv4 unicast or multicast address prefixes for the BGP routing instance, and to enter BGP address family configuration mode. The aggregate-address, dampening, flap-statistics, network, and redistribute commands are available in BGP address family configuration mode. Routes are sent to BGP neighbors that have corresponding address family attributes.

Use the address-family ipv4 command in BGP neighbor configuration mode to specify the use of IPv4 unicast or multicast address prefixes for the BGP neighbor, and to enter BGP neighbor address family configuration mode. The commands that configure the routing policies used with neighbors, as-path-list, default-originate, prefix-list, maximum prefix, remove-private-as, route-map, and route-reflector-client, are available in BGP neighbor address family configuration mode. To be established a BGP session, you must configure a neighbor with corresponding address family attributes.

Use the address-family ipv4 command in BGP peer group configuration mode to specify the use of IPv4 multicast or unicast address prefixes, and to enter BGP peer group address family configuration mode. The commands that configure routing policies used with members of a peer group, as-path-list, default-originate, prefix-list, maximum prefix, remove-private-as, and route-map, are available in BGP peer group address family configuration mode.

Use the no form of this command to remove BGP address family attributes for the specified BGP instance or neighbor.

1.51.6   Examples

The following example illustrates the BGP routing process running in autonomous system 100. In this example, the network 20.0.0.0/8 advertises BGP routing updates which are sent in unicast mode, while Open Shortest Path First (OSPF) routes are redistributed into the BGP routing domain as multicast routes. The SmartEdge router is a unicast BGP peer with the neighbor at IP address 102.210.210.1 and is a multicast peer with the neighbor at IP address 68.68.68.68. Inbound prefix list perf1 and outbound route map map2 are applied in unicast mode to the neighbor at IP address 102.210.210.1:

[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 100
[local]Redback(config-bgp)#address-family ipv4 unicast
[local]Redback(config-bgp-af)#network 20.0.0.0/8
[local]Redback(config-bgp-af)#exit
[local]Redback(config-bgp)#address-family ipv4 multicast
[local]Redback(config-bgp-af)#redistribute ospf 100
[local]Redback(config-bgp-af)#exit
[local]Redback(config-bgp)#neighbor 102.210.210.1 external
[local]Redback(config-bgp-neighbor)#address-family ipv4 unicast
[local]Redback(config-bgp-peer-af)#prefix-list pref1 in
[local]Redback(config-bgp-peer-af)#route-map map2 out
[local]Redback(config-bgp-peer-af)#exit
[local]Redback(config-bgp-neighbor)#exit
[local]Redback(config-bgp)#neighbor 68.68.68.68 external
[local]Redback(config-bgp-neighbor)#remote-as 300
[local]Redback(config-bgp-neighbor)#address-family ipv4 multicast

1.52   address-family ipv4 vpn

1.52.1   Purpose

When entered in BGP router configuration mode, enables Virtual Private Network (VPN)-IP Version 4 (IPv4) prefixes for a Border Gateway Protocol (BGP) routing instance and enters BGP address family configuration mode.

When entered in BGP neighbor configuration mode, enables VPN-IPv4 prefixes for a specified BGP neighbor and enters BGP neighbor address family configuration mode.

When entered in BGP peer group configuration mode, enables VPN-IPv4 prefixes for a specified BGP peer group and enters BGP peer group address family configuration mode.

1.52.2   Command Mode

• BGP neighbor configuration
• BGP peer group configuration
• BGP router configuration

1.52.3   Syntax Description

This command has no keywords or arguments.

1.52.4   Default

None

1.52.5   Usage Guidelines

Use the address-family ipv4 vpn command in BGP configuration mode to specify the use of VPN-IPv4 prefixes for a BGP routing instance, and to enter BGP address family configuration mode.

Use the address-family ipv4 vpn command in BGP neighbor configuration mode to specify the use of VPN-IPv4 prefixes for a BGP neighbor in an internal BGP (iBGP) session, and to enter BGP neighbor address family configuration mode.

Use the address-family ipv4 vpn command in BGP peer group configuration mode to specify the use of VPN-IPv4 prefixes for a specified BGP peer group, and to enter BGP peer group address family configuration mode.

Note:  

The address-family ipv4 vpn command cannot be used in non-local contexts.

1.52.6   Examples

The following example shows how to specify the use of route flap statistics collection for VPN-IPv4 prefixes, and enable the address family for the BGP neighbor, 102.210.210.1:

[local]Redback(config)#context local
[local]Redback(config-ctx)#router bgp 100
[local]Redback(config-bgp)#address-family ipv4 vpn
[local]Redback(config-bgp-af)#flap-statistics
[local]Redback(config-bgp-af)#exit
[local]Redback(config-bgp)#neighbor 102.210.210.1 internal
[local]Redback(config-bgp-neighbor)#address-family ipv4 vpn

1.53   address-family ipv6 unicast

1.53.1   Purpose

When entered in BGP router configuration mode, specifies the use of IP Version 6 (IPv6) unicast address prefixes for the Border Gateway Protocol (BGP) routing instance and enters BGP address family configuration mode.

When entered in BGP neighbor configuration mode, specifies the use of IPv6 unicast address prefixes for the specified BGP neighbor, and enters BGP neighbor address family configuration mode.

When entered in BGP peer group configuration mode, specifies the use of IPv6 unicast address prefixes for the specified BGP peer group, and enters BGP peer group address family configuration mode.

1.53.2   Command Mode

• BGP neighbor configuration
• BGP peer group configuration
• BGP router configuration

1.53.3   Syntax Description

This command has no keywords or arguments.

1.53.4   Default

When entered in BGP router configuration mode, this command has no default setting.

When entered in BGP neighbor configuration mode or BGP peer group configuration mode, address prefixes are set to IPv6 unicast.

1.53.5   Usage Guidelines

Use the address-family ipv6 unicast command in BGP router configuration mode to specify the use of standard IPv6 unicast address prefixes for the BGP routing instance, and to enter BGP address family configuration mode. Routes are sent to BGP neighbors that have corresponding address family attributes.

Use the address-family ipv6 unicast command in BGP neighbor configuration mode to specify the use of IPv6 unicast address prefixes for the BGP neighbor, and to enter BGP neighbor address family configuration mode. To established a BGP session, you must configure a neighbor with corresponding address family attributes.

Use the address-family ipv6 unicast command in BGP peer group configuration mode to specify the use of IPv6 unicast address prefixes, and to enter BGP peer group address family configuration mode.

Use the no form of this command to remove BGP address family attributes for the specified BGP instance or neighbor.

1.53.6   Examples

The following example illustrates the BGP routing process running in autonomous system 100. In this example, the network, AF26:3344:ADF7:77B5::2000/128, advertises BGP routing updates that are sent in IPv6 unicast mode:

[local]PE1(config)#context local

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#neighbor 10.10.10.2 internal

[local]PE1(config-bgp-neighbor)#address-family ipv6 unicast

[local]PE1(config-bgp-neighbor)#end

1.54   address-family ipv6 vpn

1.54.1   Purpose

Enables the transport of labeled IPv6 VPN routes over an IPv4 network on a BGP neighbor.

1.54.2   Command Mode

• BGP neighbor configuration
• BGP peer group configuration
• BGP router configuration

1.54.3   Syntax Description

This command has no keywords or arguments.

1.54.4   Default

The IPv6 VPN address-family is disabled for BGP routes.

1.54.5   Usage Guidelines

Use the address-family ipv6 vpn command to enable the transport of labeled IPv6 VPN routes over an IPv4 network on a BGP neighbor.

Note:  

The address-family ipv6 vpn command can be configured in the local context only. Only unicast address families can be configured in the VPN context.

Use the no form of this command to disable the transport of labeled IPv6 VPN routes over an IPv4 network on a BGP neighbor.

1.54.6   Examples

The following example shows how to enable the transport of labeled IPv6 VPN routes over an IPv4 network on an internal neighbor with IP address 10.10.10.2. First, the transport of IPv6 routes over the MPLS IPv4 network is enabled:

[local]PE1(config)#context local

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#address-family ipv6 vpn

[local]PE1(config-bgp)#end

Next, the IPv6 VPN address family is globally enabled for BGP:

[local]PE1(config)#context local

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#neighbor 10.10.10.2 internal

[local]PE1(config-bgp-neighbor)#address-family ipv6 vpn

[local]PE1(config-bgp-neighbor)#end

1.55   admin-access-group

1.55.1   Purpose

Applies access control to all inbound packets delivered to the kernel, regardless of the interface through which packets are received.

1.55.2   Command Mode

Context configuration

1.55.3   Syntax Description

1.55.4   Default

No administrative access control is applied.

1.55.5   Usage Guidelines

Use the admin-access-group command to apply access control to all inbound packets delivered to the kernel, regardless of the interface through which packets are received. This is referred to as administrative access control and is used with IP ACLs only.

If you configure multiple ACLs in an IP access group, the SmartEdge router applies the ACLs in the order they appear within the access group to produce a specific filtering behavior. The SmartEdge router appends an implicit deny ip any any rule after all configured rules are applied.

When you use the count keyword, the system keeps track of the number of packet matches that occur. When you use the log keyword, the system keeps track of the number of packets that were denied as a result of the ACL. Count and log information is displayed in the output of the show access-group command.

Use the no form of this command to remove the application of an ACL to traffic inbound to the kernel. Enter empty quotations marks (“ ”) to remove all associated ACL names. If you want to delete one or more (but not all) ACLs, enter their names in quotation marks.

1.55.6   Examples

The following example shows how to apply the test_2 and filter_3 ACLs to inbound traffic for the local context:

[local]Redback(config-ctx)#admin-access-group “test_2 filter_3” in count log

The following example shows how to remove all ACLs from the administrative access group for the local context:

[local]Redback(config-ctx)#no admin-access-group “ ” in count log

The following example shows how to remove the ACL ktraffic from the administrative access group for the local context:

[local]Redback(config-ctx)#no admin-access-group “ktraffic” in

1.56   admin-group

1.56.1   Purpose

In RSVP constraint configuration mode, specifies inclusion and exclusion criteria for TE link administrative groups during Constraint Shortest Path First (CSPF) calculation. In RSVP interface configuration mode, specifies an interface on which administrative groups are valid on the LSP.

1.56.2   Command Mode

• RSVP constraint configuration
• RSVP interface configuration

1.56.3   Syntax Description

1.56.4   Default

No administrative group attribute is associated with a constraint or an interface.

1.56.5   Usage Guidelines

In RSVP constraint configuration mode, use the admin group command to specify inclusion and exclusion criteria for TE link administrative groups. Any link that is present in the exclude and include lists is excluded from the include list before the Shortest Path First (SPF) calculation is applied. For example, if you specify link 10.1.1.1 in an exclude and include list, the CSPF algorithm excludes the link 10.1.1.1 before the SPF calculation is applied.

In RSVP interface configuration mode, use the admin group command to specify an interface on which administrative groups are valid on the LSP. You first specify link attributes using the attribute command (in link-attribute configuration mode) before you configure your administrative group.

With CSPF, you configure administrative groups that are associated with an LSP. You typically use link colors as values when configuring administrative groups. Each value is associated with a specific class that you define. You can define up to 32 link attributes: 32 values (0 to 31). The path names and their corresponding values must be the same on all routers within a single Multiprotocol Label Switching (MPLS) TE domain.

Use the no form of this command to remove the administrative group from a constraint or an interface.

1.56.6   Examples

The following example shows how to specify that the administrative group red be included in the LSP in RSVP constraint configuration mode:

[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#router rsvp
[local]Redback(config-rsvp)#constraint constraint1
[local]Redback(config-rsvp-constr)#admin-group include red

The following example shows how to specify which administrative groups are valid on the LSP:

[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#router rsvp
[local]Redback(config-rsvp)#interface interface1
[local]Redback(config-rsvp-if)#admin-group red

1.57   administrator

1.57.1   Purpose

Creates an administrator logon account, or selects an existing one for modification, and enters administrator configuration mode.

1.57.2   Command Mode

Context configuration

1.57.3   Syntax Description

1.57.4   Default

No administrator accounts are defined.

1.57.5   Usage Guidelines

Use the administrator command to create an administrator logon account, or select an existing one for modification, and enter administrator configuration mode. When creating a new administrator account, you must specify a password using either the encrypted 1 password or password password construct. When specifying an existing administrator account, a password is not required.

This command also secures the console port and enables remote access to the system. Administrators can log on directly to the console, or through a Telnet or Secure Shell (SSH) session.

You can enter an unencrypted password with embedded spaces by enclosing the entire password in double quotation marks; for example, "This is a Password with Spaces".

When the system generates the configuration, all administrator passwords are encrypted. Passwords are never displayed in readable text.

Use the no form of this command to remove the specified administrator account.

1.57.6   Examples

The following example shows how to configure an administrator with an administrator name of admin1 and a password of supersecret:

[local]Redback(config-ctx)#administrator admin1 password supersecret
[local]Redback(config-administrator)#

1.58   admission-control

1.58.1   Purpose

Enables or disables session limit control for the specified protocol.

1.58.2   Command Mode

• NAT policy configuration
• Policy group class configuration

1.58.3   Syntax Description

1.58.4   Default

Session limit control is disabled for this access control list (ACL) class.

1.58.5   Usage Guidelines

Use the admission-control command to enable session limit control for the specified protocol. Session limit control applies only to this ACL class in this Network Address Translation (NAT) policy. You can use this command only when the action in the class is either ignore or pool, and the pool is a Network Access Port Translation (NAPT) pool.

Use the no form of this command to disable session limit control.

1.58.6   Examples

The following example shows how to enable TCP session limit control for the default ACL class in this NAT policy:

[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#admission-control tcp

The following example shows how to enable TCP session limit control for CLASS3 in this NAT policy:

[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp

1.59   advertise