
Corporate Headquarters

Redback Networks Inc.


100 Headquarters Drive
San Jose, CA 95134-1362
USA
http://www.redback.com
Tel: +1 408 750 5000

IP Services and Security Configuration Guide
SmartEdge OS
Release Number 6.1.4
Part Number 220-0829-01
Copyright 1996 to 2008, Redback Networks Inc. All rights reserved.
Redback Networks
Redback and SmartEdge are trademarks registered at the U.S. Patent & Trademark Office and in other countries. AOS, NetOp, SMS, and User Intelligent Networks are trademarks or service marks of Redback Networks Inc. All other products or services mentioned are the trademarks, service marks, registered trademarks or registered service marks of their respective owners. All rights in copyright are reserved to the copyright owner. Company and product names are trademarks or registered trademarks of their respective owners. Neither the name of any third party software developer nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission of such third party.
Rights and Restrictions
All statements, specifications, recommendations, and technical information contained are current or planned as of the date of publication of this document. They are reliable as of the time of this writing and are presented without warranty of any kind, expressed or implied. In an effort to continuously improve the product and add features, Redback Networks Inc. (Redback) reserves the right to change any specifications contained in this document without prior notice of any kind.
Redback shall not be liable for technical or editorial errors or omissions which may occur in this document. Redback shall not be liable for any indirect, special, incidental or consequential damages resulting from the furnishing, performance, or use of this document.
Third Party Software
The following third party software may be included with this Software and portions of the Software are subject to the following terms and conditions and copyright notices:
Licensed under the Apache License, Version 2.0; you may not use this file except in compliance with the license. You may obtain a copy of the license at http://www.apache.org/licenses/LICENSE-2.0; Copyright 1996 - 2008, Daniel Stenberg, <daniel@haxx.se>.; Copyright 2002 by NETAPHOR SOFTWARE INC.; portions of the Software were written by Gary Watson and obtained under the Creative Commons Attribution-Share Alike 3.0 License; EMANATE/LiteSNMP Research International Inc.; OpenSymphony Software License, Version 1.1 2001-2004 The OpenSymphony Group; Copyright <year> The FreeType Project (www.freetype.org), all rights reserved; 1995-1998 by The Regents of the University of Michigan, all rights reserved. Copyright 1995-2002 Jean-loup Gailly and Mark Adler; Copyright 2000-2003 Intel Corporation; Copyright 1998-2003 Daniel Veillard; Copyright 2001-2002 Daniel Veillard; Copyright 2001-2002 Thomas Broyer, Charlie Bozeman and Daniel Veillard; Copyright 1998-2000 The OpenSSL Project; Copyright 1990, RSA Data Security, Inc.; Copyright 1989 Carnegie Mellon University; Copyright 1995 Eric Rosenquist, Strata Software Limited; Copyright 1991 Gregory M. Christy; Copyright 1997-2005 University of Cambridge; Copyright 1996-2005, The PostgreSQL Global Development Group; Copyright 1994, The Regents of the University of California; Copyright 2001, Dr. Brian Gladman; <brg@gladman.uk.net>, Worcester, UK; Copyright 1998-2003 Carnegie Mellon University; portions of this work are from the Free Software Foundation, more information can be found at www.gnu.org/software/libiconv; portions of the code are from OpenSSH, www.openssh.com; OpenSSL 1998-2003 The OpenSSL Project; NuSoap Web Services Toolkit for PHP 2002 NuSphere Corporation; portions of this material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/); Point-to-Point Protocol (PPP) 1989 Carnegie-Mellon University; Copyright 1992, 1993, 1994, 1997 Henry Spencer; Copyright 1989, 1991, 1999 Free Software Foundation, Inc.; portions of the Software are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/ Ginger Alliance; libpng library 1995-2004; FreeType library 1996-2000; Java 2003-2008 Sun Microsystems; ISC Dhcpd 3.0p12 1995-1999 Internet Software Consortium - DHCP; Ip Filter 2003 Darren Reed; Perl Kit 1989-1999 Larry Wall; VxWorks 1984-2000, Wind River Systems Inc.; Dynamic Host Configuration Protocol (DHCP) 1997-1998 The Internet Software Consortium; portions of the Redback SmartEdge Operating System use cryptographic software written by Eric Young (eay@cryptsoft.com); Redback adaptation and implementation of UDP and TCP protocols developed by the University of California Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system 1982, 1986, 1988, 1990, 1993, 1995 The Regents of the University of California. All advertising materials mentioning features or use of this Software must display the following acknowledgement: "This product includes software developed by the University of California, Berkeley and its contributors."
This Software includes software developed by Sun Microsystems, Inc., Internet Software Consortium, Larry Wall, the Apache Software Foundation, the Free Software Foundation, their contributors and other third parties. All such software is provided "AS IS," without any warranty of any kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT ARE HEREBY EXCLUDED. LICENSOR AND ITS CONTRIBUTORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING, OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL LICENSOR OR ITS CONTRIBUTORS BE LIABLE FOR ANY LOST REVENUE, LOST PROFIT, OR LOST DATA, OR FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. This Software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. Portions of this Software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. The portions of this Software developed by Larry Wall and/or the Free Software Foundation may be distributed and are subject to the GNU General Public License as published by the Free Software Foundation.
FCC Notice
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense:
1. MODIFICATIONS: The FCC requires the user to be notified that any changes or modifications made to this device that are not expressly approved by Redback could void the user's authority to operate the equipment.
2. CABLES: Connection to this device must be made with shielded cables with metallic RFI/EMI connector hoods to maintain compliance with FCC Rules and Regulations. (This statement only applies to copper cables, Ethernet, DS-3, E1, T1, and so forth. It does not apply to fiber cables.)
3. POWER CORD SET REQUIREMENTS: The power cord set used with the System must meet the requirements of the country, whether it is 100-120 or 220-264 VAC. For the U.S. and Canada, the cord set must be UL Listed and CSA Certified and suitable for the input current of the system.
VCCI Class A Statement
European Community Mark
The marking on this product signifies that it meets all relevant European Union directives.
China RoHS Information
All Redback Networks products built on or after March 1, 2007 conform to the People's Republic of China's Management Methods for Controlling Pollution by Electronic Information Products (Ministry of Information Industry Order #39), also known as China RoHS.
As required by China RoHS, the following tables summarize which of the 6 regulated substances are found in Redback Networks products and their location.
China RoHS also requires that manufacturers determine an Environmental Protection Use Period (EPUP), which has been defined as the term during which toxic and hazardous substances or elements contained in electronic information products will not leak out or mutate.
Redback Networks has determined that the EPUP for this product is 25 years from the date of manufacture and indicates this period on the product and/or packaging with the logo shown below.
The date of manufacture can be found on the product packaging label, or determined from the product serial number. The week and year of manufacture can be determined from the 6th through 9th digits of the 14 digit product serial number, xxxxxWWYYxxxxx, where WW represents the week of the year (01 = first week of year) and YY represents the year (07 = 2007). For example, 0207 means that the unit was manufactured in the 2nd week of January 2007.
WEEE Policy
Redback Networks products are fully compliant with Directive 2002/96/EC on Waste Electrical and Electronic Equipment (WEEE) for all applicable geographies in the European Union. In accordance with the requirements of the WEEE Directive, Redback Networks has since August 13, 2005 labeled products placed on the market with the WEEE symbol, a crossed-out wheelie bin symbol with a black rectangle underneath, as shown below.
The presence of the WEEE symbol on a product or on its packaging indicates that you must not dispose of that item in the normal unsorted municipal waste stream. Instead, it is your responsibility to dispose of that product by returning it to a collection point that is designated for the recycling of electrical and electronic equipment waste.
Contact the reseller where the product was originally purchased and provide details of the product in question. The reseller will confirm whether the product is within the scope of the recycling program and then arrange for shipment of the product to the designated recycling location for proper recycling/disposal.
If you are unable to locate the original reseller or need additional information, please contact Redback Networks at weee-info@redback.com. Additional information on the Redback Networks WEEE policy is available at http://www.redback.com.
Safety Notices
Redback equipment has the following safety notices.
Laser Equipment
Class 1 Laser Product: Product is certified by the manufacturer to comply with DHHS Rule 21 Subchapter J.
Caution! Use of controls or adjustments of performance or procedures other than those specified herein may result in hazardous radiation exposure.
Caution! Invisible laser radiation when an optical interface is open.
Lithium Battery Warnings
It is recommended that, when required, Redback replace the lithium battery.
Warning! Do not mutilate, puncture, or dispose of batteries in fire. The batteries can burst or explode, releasing hazardous chemicals. Discard used batteries according to the manufacturer's instructions and in accordance with your local regulations.
Warning! Danger of explosion if the battery is incorrectly replaced. Replace only with the same or equivalent type as recommended by the manufacturer's instructions.
Warning (Swedish)! Danger of explosion if the battery is replaced incorrectly. Use the same battery type or an equivalent type recommended by the equipment manufacturer. Dispose of the used battery according to the manufacturer's instructions.
Warning (Danish)! Lithium battery: danger of explosion if handled incorrectly. Replace only with a battery of the same make and type. Return the used battery to the supplier.
Warning (Finnish): The battery may explode if it is installed incorrectly. Replace the battery only with the type recommended by the manufacturer. Dispose of the used battery according to the manufacturer's instructions.
Warning (Norwegian): Danger of explosion if the battery is replaced incorrectly. Use the same battery type or an equivalent type recommended by the equipment manufacturer. Dispose of used batteries according to the manufacturer's instructions.
Warning (Dutch)! Batteries are supplied with this product. When they are empty, do not throw them away; hand them in as small chemical waste (KCA).
Contents vii
Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxviii
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxviii
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Command Modes and Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Command Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Task Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Online Navigation Aids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Ordering Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Order Additional Copies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Complete the Online Redback Networks Documentation Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Provide Direct Feedback on Specific Product Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Part 1: Introduction
Chapter 1: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
SmartEdge OS Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
IP Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Address Resolution Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Neighbor Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
Access Node Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4
IP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
HTTP Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Hotlining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Mobile IP (Wireless) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Conditional ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
Dynamic ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-6
IP Service Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Forward Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Network Address Translation Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Service Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Classification, Marking, and Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Priority Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Policy Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
QoS Policing and Metering Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Queue Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Priority Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Enhanced Deficit Round Robin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Modified Deficit Round Robin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Asynchronous Transfer Mode Weighted Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Priority Weighted Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Hierarchical Nodes and Node Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Congestion Management and Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Flow Admission Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Authentication, Authorization, and Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Remote Authentication Dial-In User Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Terminal Access Controller Access Control System Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Key Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Lawful Intercept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Command Mode Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Part 2: IP Service Protocols
Chapter 2: ARP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Enable ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Enable Secured ARP (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Enable Proxy ARP (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Configure Static Entries in the ARP Table (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configure the Automatic Deletion of ARP Entries (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Set a Maximum Number of Incomplete ARP Entries (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configure ARP Policy to Prevent DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
arp rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
ip arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
ip arp arpa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
ip arp delete-expired . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
ip arp maximum incomplete-entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
ip arp proxy-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
ip arp secured-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
ip arp timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
ip subscriber arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Chapter 3: ND Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-4
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5
neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7
ns-retry-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-8
preferred-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-10
prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-12
ra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-14
reachable-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-16
router nd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18
valid-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-19
Chapter 4: NTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1
Configure the NTP Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Configure NTP Peer Associations (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Configure Slowsync (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-3
ntp mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-4
ntp peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-5
ntp server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-7
slowsync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-9
Chapter 5: DHCP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1
ARP and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-2
CLIPS and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-2
RADIUS and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-3
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-3
Configure an Internal DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-4
Configure an External DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-5
Configure a Context for an External DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-6
Configure an Interface for an External DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-6
Configure Subscriber Hosts for DHCP Address Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-7
Configure a Traffic Card to Prevent DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-7
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-7
DHCP Internal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-8
DHCP Proxy and Maximum Address Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-9
Subscriber Bindings to DHCP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-10
Using Local Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-10
Using RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-14
DHCP Proxy Through Dynamic Subscriber Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-16
DHCP Proxy Through Static Interface Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-18
DHCP Proxy Through RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-19
Loopback Interface as DHCP Source Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-21
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-21
allow-duplicate-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-22
bootp-enable-auto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-23
bootp-filename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-24
    bootp-siaddr ..... 5-25
    broadcast-discover ..... 5-26
    default-lease-time ..... 5-27
    dhcp max-addrs ..... 5-28
    dhcp proxy ..... 5-30
    dhcp relay ..... 5-32
    dhcp relay option ..... 5-34
    dhcp relay server ..... 5-36
    dhcp relay server retries ..... 5-38
    dhcp relay suppress-nak ..... 5-39
    dhcp server ..... 5-40
    dhcp server policy ..... 5-42
    forward-all ..... 5-43
    ip interface ..... 5-44
    mac-address ..... 5-46
    max-hops ..... 5-47
    max-lease-time ..... 5-48
    min-wait ..... 5-49
    offer-lease-time ..... 5-50
    option ..... 5-51
    option-82 ..... 5-57
    range ..... 5-59
    rate-adjust dhcp pwfq ..... 5-61
    rate-limit dhcp ..... 5-63
    server-group ..... 5-65
    standby ..... 5-66
    subnet ..... 5-67
    threshold ..... 5-69
    user-class-id ..... 5-71
    vendor-class ..... 5-73
    vendor-class-id ..... 5-75
Chapter 6: ANCP Configuration ..... 6-1
  Overview ..... 6-1
  Configuration Tasks ..... 6-3
    ANCP Configuration Guidelines ..... 6-4
    Configure the ANCP Router ..... 6-4
    Configure an ANCP Neighbor Profile ..... 6-4
    Map an 802.1Q PVC to a DSL Line ..... 6-5
    Map an 802.1Q Tunnel to a DSL Line ..... 6-5
    Configure a Subscriber Record for ANCP Sessions ..... 6-5
  Configuration Examples ..... 6-6
  Command Descriptions ..... 6-8
    access-line adjust ..... 6-9
    access-line agent-circuit-id ..... 6-10
    access-line access-node-id ..... 6-12
    access-line rate ..... 6-14
    interface ..... 6-16
    keepalive ..... 6-17
    neighbor profile ..... 6-19
    peer id ..... 6-20
    peer ip-address ..... 6-21
    router ancp ..... 6-22
    system-id ..... 6-23
    tcp-port local ..... 6-24
    tcp-port remote ..... 6-25
Part 3: Mobile IP Services
Chapter 7: Mobile IP Foreign Agent Configuration ..... 7-1
  Overview ..... 7-2
    Mobile IP Components ..... 7-2
      Mobile Nodes ..... 7-2
      Home Agent Peer ..... 7-2
      Foreign Agent Instance ..... 7-3
      Registration ..... 7-3
    Traffic Flow ..... 7-4
    Deployment Scenarios ..... 7-5
      Home Agent Without Overlapping IP Addresses ..... 7-6
      Some Home Agents Use Private IP Addresses ..... 7-6
      Any Home Agent Can Use Private IP Addresses ..... 7-6
      Home Agents Can Be Grouped for Each Mobile IP Service Provider ..... 7-6
      SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers ..... 7-6
    Restrictions ..... 7-7
    Supported Standards ..... 7-7
  Configuration Tasks ..... 7-7
    Mobile IP Configuration Guidelines ..... 7-8
    Create the Contexts and Interfaces for Mobile IP Services ..... 7-8
    Configure a Key Chain Authentication Between a FA and HA ..... 7-9
    Configure an FA Instance ..... 7-9
    Configure an HA Peer ..... 7-10
    Configure a Mobile IP Interface for MN Access ..... 7-11
    Configure the MN Access to an FA Instance ..... 7-11
    Configure the Mobile IP Tunnels ..... 7-12
    Enable or Disable an FA Instance, an HA Peer, or MN Access ..... 7-12
  Configuration Examples ..... 7-12
    Single FA Instance and HA Peer with IP-in-IP Tunnels ..... 7-12
    Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels ..... 7-13
  Command Descriptions ..... 7-15
    advertise max-interval ..... 7-16
    advertise max-lifetime ..... 7-17
    advertise min-interval ..... 7-18
    advertise tunnel-type ..... 7-19
    authentication ..... 7-20
    care-of-address ..... 7-22
    clear-df (dynamic tunnel) ..... 7-23
    dynamic-tunnel-profile ..... 7-24
    foreign-agent ..... 7-27
    forwarding scheme ..... 7-28
    forwarding traffic ..... 7-29
    gre mtu ..... 7-30
    hold-time ..... 7-31
    home-agent-peer ..... 7-32
    interface ..... 7-33
    ipip mtu ..... 7-34
    llc-xid-processing ..... 7-35
    max-pending-registrations ..... 7-36
    registration max-lifetime ..... 7-37
    revocation ..... 7-38
    router mobile-ip ..... 7-40
    shutdown ..... 7-41
    time-out ..... 7-43
    vpn-context ..... 7-44
Chapter 8: Mobile IP Home Agent Configuration ..... 8-1
  Overview ..... 8-2
    Traffic Flow ..... 8-2
    Deployment Scenarios ..... 8-3
    Restrictions ..... 8-4
    Supported Standards ..... 8-4
  Configuration Tasks ..... 8-4
    Mobile IP Configuration Guidelines ..... 8-5
    Create the Contexts and Interfaces for Mobile IP Services ..... 8-5
    Configure a Key Chain for FA-HA Authentication ..... 8-6
    Configure an HA Instance ..... 8-6
    Configure an FA Peer ..... 8-7
    Configure an MN Subscriber ..... 8-7
    Configure AAA for MN Subscribers ..... 8-7
    Configure the Mobile IP Tunnels ..... 8-8
    Enable or Disable an HA Instance or FA Peer ..... 8-8
  Configuration Examples ..... 8-8
  Command Descriptions ..... 8-9
    authentication ..... 8-10
    dynamic-tunnel-profile ..... 8-12
    foreign-agent-peer ..... 8-15
    home-agent ..... 8-16
    local-address ..... 8-17
    registration max-lifetime ..... 8-19
    replay-tolerance ..... 8-20
    revocation ..... 8-21
    router mobile-ip ..... 8-23
    shutdown ..... 8-24
    tunnel-type ..... 8-25
Part 4: IP Services
Chapter 9: HTTP Redirect Configuration ..... 9-1
  Overview ..... 9-1
  Configuration Tasks ..... 9-2
    Configure Subscriber Authentication and Reauthorization ..... 9-2
    Configure an IP ACL and Apply It to Subscribers ..... 9-2
    Configure the HTTP Server on the Active Controller Card ..... 9-2
    Configure and Attach an HTTP Redirect Profile to Subscribers ..... 9-3
    Configure a Policy ACL That Classifies HTTP Packets ..... 9-3
    Configure and Attach a Forward Policy to Redirect HTTP Packets ..... 9-4
  Configuration Examples ..... 9-4
  Command Descriptions ..... 9-6
    encrypt ..... 9-7
    http-redirect profile ..... 9-9
    http-redirect server ..... 9-11
    port ..... 9-12
    redirect destination local ..... 9-13
    url ..... 9-15
Chapter 10: Hotlining Configuration ..... 10-1
  Overview ..... 10-1
  Configuration Tasks ..... 10-3
    Configure the Local HTTP Server on the Active Controller Card ..... 10-3
    Configure a RADIUS Server Profile ..... 10-4
    Configure a Policy ACL That Classifies HTTP Packets ..... 10-4
    Configure a Forward Policy to Redirect HTTP Packets ..... 10-4
    Configure Accounting Server ..... 10-5
  Configuration Examples ..... 10-5
    Hotlining Configuration Example ..... 10-5
    RADIUS Entry Example ..... 10-6
Chapter 11: DNS Configuration ..... 11-1
  Overview ..... 11-1
  Configuration Tasks ..... 11-2
    Configure DNS ..... 11-2
    Enable DNS to Establish Subscriber Sessions (Optional) ..... 11-2
    Configure Static Hostname-to-IP Address Mappings (Optional) ..... 11-3
  Configuration Examples ..... 11-3
  Command Descriptions ..... 11-3
    dns ..... 11-4
    ip domain-lookup ..... 11-5
    ip domain-name ..... 11-6
    ip host ..... 11-7
ip name-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-8
ipv6 host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-9
ipv6 name-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-10
Chapter 12: ACL Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-1
IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-1
IP ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-2
IP ACL Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-2
IP ACL Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-3
Dynamic IP Filter ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-3
Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-3
Policy ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Dynamic Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Policy ACL Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Policy ACL Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-4
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-5
Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-5
Static IP and Policy ACL Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-5
IP ACL Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-6
Policy ACL Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-6
Guidelines for RADIUS-Guided Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-7
VSA 164 Guidelines for Dynamic Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-7
Configure an IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-8
Apply an IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-8
Enable ACL Counters or Logging for a Subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12-9
xiv IP Services and Security Configuration Guide
Modify IP ACL Conditions in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
Configure a Policy ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
Apply a Policy ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Modify Policy ACL Conditions in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Configure an ACL Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Add an ACL Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Resequence ACL Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Configure an Absolute Time Condition Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
Configure a Periodic Time Condition Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
Configure an IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13
Configure a Policy ACL Associated with a Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13
Configure a Policy ACL Associated with a NAT Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13
Configure a Policy ACL Associated with a QoS Policing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15
absolute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-18
access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
admin-access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-23
condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-25
deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-27
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-37
ip access-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-38
ip access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-40
modify ip access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-42
modify policy access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-44
periodic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-46
permit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48
policy access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-58
resequence ip access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-60
resequence policy access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-61
Part 5: IP Service Policies
Chapter 13: NAT Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Static Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
Dynamic Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Policy ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Destination IP Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
NAT DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Session Limit Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-5
Configure a NAT Policy with Static Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Configure a NAT Policy with a DMZ Host Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Configure a NAT Policy with Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Apply a Policy ACL to a NAT Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-8
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
NAT Policy with Static Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
NAT Policy with Static NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
NAT Policy with Static Translation and a DMZ Host Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Contents xv
NAT Policy with Dynamic Translation and an Ignore Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-10
NAT Policy with Dynamic NAPT and a Drop Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-11
NAT Policy with Static and Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-11
NAT Policy with DNAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-12
NAT Policy with Session Limit Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-12
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-13
address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-14
admission-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-16
connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-18
destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-20
drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-22
ignore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-23
ip dmz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-24
ip nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-25
ip nat pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-26
ip static in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-27
ip static out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-29
nat policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-31
nat policy-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-33
pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-34
timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13-35
Chapter 14: Forward Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-1
Circuit-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Class-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Circuit- and Class-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-2
Configure a Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-3
Apply a Policy ACL to a Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-3
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-4
Traffic Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-4
Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-6
Traffic Drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-8
Combination of Traffic Mirror, Redirect, and Drop in One Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-10
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-13
drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-14
forward output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-16
forward policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-18
forward policy in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-19
forward policy out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-21
mirror destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-23
redirect destination circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-25
redirect destination next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14-26
Chapter 15: Service Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-2
Configure a Service Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-2
Attach a Service Policy to Subscriber Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15-3
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-4
allow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5
deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-7
service-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-9
Part 6: IP Quality of Service Policies
Chapter 16: QoS Rate- and Class-Limiting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Priority Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Policy Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
QoS Policing and Metering Class Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Circuit-Based Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Circuit-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Class-Based Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Class-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Circuit-Based and Class-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Single Rate Three-Color Markers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-5
Policy Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6
Mapping a Child Policy Class to a Parent Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-8
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9
Policy Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9
Configure a Metering Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-9
Configure a Policing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-11
Apply a Policy ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-12
Customize Classification Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-13
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-13
Circuit-Based Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14
Circuit-Based Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14
Class-Based and Circuit-Based Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-16
class-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-17
conform mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-19
conform mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-22
conform mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-24
conform no-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-27
exceed drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-28
exceed mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-30
exceed mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-33
exceed mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-35
exceed no-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-38
mapping-schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-40
mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-45
mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-47
mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-49
parent-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-52
qos class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-54
qos class-definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-56
qos class-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-57
qos policy metering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-59
qos policy policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-61
rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-63
rate-calculation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-66
rate percentage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-67
violate drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-69
violate mark dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-71
violate mark precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-74
violate mark priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-76
violate no-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16-79
Chapter 17: QoS Scheduling Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-2
Queue Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-2
Priority Queuing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-3
Enhanced Deficit Round-Robin Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-3
Modified Deficit Round-Robin Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-4
Asynchronous Transfer Mode Weighted Fair Queuing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-5
Priority Weighted Fair Queuing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-5
Congestion Management and Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-6
Random Early Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-6
Early Packet Discard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7
Multidrop Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7
Congestion Avoidance Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-7
Queue Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-8
Queue Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-8
Overhead Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-8
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-9
Configure a Queue Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-9
Configure a Congestion Avoidance Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-9
Configure an ATMWFQ Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-10
Configure an EDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-11
Configure an MDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-12
Configure a PQ Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-12
Configure a PWFQ Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-13
Configure an Overhead Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-13
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-14
Queue Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-14
Congestion Avoidance Map for Multidrop Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-15
ATMWFQ Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-15
EDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
MDRR Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
PQ Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
RED Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-16
Rate-Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-17
Backbone Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
PWFQ Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-18
Strict Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-19
Normal Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-19
Strict + Normal Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
Strict + Normal Priority with Maximum Priority-Group Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20
Strict + Normal Priority with Maximum and Minimum Bandwidths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20
Overhead Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-21
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-21
congestion-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-22
encaps-access-line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-23
num-queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17-26
qos congestion-avoidance-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-28
qos mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-30
qos policy atmwfq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-31
qos policy edrr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-33
qos policy mdrr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-35
qos policy pq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-37
qos policy pwfq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-39
qos profile overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-40
qos queue-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-41
queue 0 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-43
queue congestion epd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-44
queue depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-46
queue exponential-weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-48
queue-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-50
queue priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-51
queue priority-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-54
queue rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-56
queue red . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-57
queue weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-62
rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-64
rate-factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-66
reserved . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-68
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-70
weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-72
Chapter 18: QoS Circuit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-2
Circuit Configuration with QoS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-2
Circuit Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-4
Hierarchical Configuration for Traffic-Managed Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Hierarchical Nodes and Node Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Propagation of QoS Across Layer 3 and Layer 2 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-6
Propagation of QoS from IP to ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-7
Propagation of QoS Between IP and Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-8
Propagation of QoS Between IP and MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-9
Propagation of QoS Between IP and L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-10
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11
Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-12
Configure an ATM PVC for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-13
Configure a PVC on a First-Generation ATM OC Traffic Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-13
Configure a PVC on an ATM DS-3 or Second-Generation ATM OC Traffic Card . . . . . . . . . . . . . . . . . . . . . 18-13
Configure an Ethernet Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-14
Configure Any Ethernet, Fast Ethernet-Gigabit Ethernet, or Gigabit Ethernet Circuit for QoS . . . . . . . . . . . . 18-14
Configure a Traffic-Managed Port for Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-15
Configure a Traffic-Managed Port for Hierarchical Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-16
Configure a PDH Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-17
Configure a POS Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-17
Configure Cross-Connected Circuits for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-18
Configure a Subscriber Circuit for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-18
Configure QoS Propagation (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-19
Configure L2TP for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-20
Configure MPLS for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-21
Propagate QoS Using DSCP Bits and MPLS EXP Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-21
Propagate QoS Using DSCP Bits Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-21
Attach QoS Policies to a Circuit Group and Assign Members to the Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-22
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-22
Attaching Rate- and Class-Limiting Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-23
PVC Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-23
Cross-Connected Circuit Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-23
Subscriber Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
Attaching Scheduling Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
PVC Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-24
Overhead Profile Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
PWFQ Policy and Hierarchical Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
PWFQ Policy and Hierarchical Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
Propagating QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-25
Attaching QoS Policies to Circuit Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-26
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18-27
atm to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-28
atm use-ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-30
atm use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-32
clp bit propagate qos from atm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-34
clp bit propagate qos to atm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-36
egress prefer dscp-qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-38
ethernet to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-39
ethernet use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-41
ip to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-43
mpls to qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-45
mpls use-ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-47
mpls use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-49
propagate qos from ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-51
propagate qos from ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-53
propagate qos from l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-55
propagate qos from mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-57
propagate qos from subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-59
propagate qos to ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-61
propagate qos to ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-62
propagate qos to l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-63
propagate qos to mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-65
propagate qos transport use-vlan-header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-67
propagate qos use-vlan-ethertype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-68
propagate qos use-vlan-header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-70
qos hierarchical mode strict . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-71
qos mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-73
qos node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-75
qos node-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-77
qos node-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-78
qos policy metering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-79
qos policy policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-83
qos policy (protocol-rate-limit) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-87
qos policy queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-89
qos priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-92
qos profile overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-94
qos rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-96
qos to atm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-98
qos to ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-100
qos to ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-102
qos to mpls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-104
qos use-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-106
qos weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-108
rate circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-110
Chapter 19: Flow Admission Control Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1
Circuit Flow State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-2
Flow Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-2
Maximum Flows Per Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3
Burst Flow Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3
Sustained Flow Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-3
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-4
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-5
Configuring a FAC Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-5
Creating a FAC Profile Name and Entering the Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Configuring a Maximum Flows Per Circuit Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Configuring a Burst Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Configuring a Sustained Creation Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Applying a FAC Profile to the Current Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Enabling a FAC Profile on a Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-6
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-7
burst-creation-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-8
flow admission-control profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-9
flow apply admission-control profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-10
flow enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-11
flow monitor circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-12
max-flows-per-circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-13
sustained-creation-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-14
Part 7: IP Security
Chapter 20: AAA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-1
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-1
Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-2
Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-2
Authorization and Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-4
CLI Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-4
Dynamic Subscriber Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-4
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
CLI Commands Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
Administrator Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
Subscriber Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-5
L2TP Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-6
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-6
Configure Global AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Limit the Number of Active Administrator Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Limit the Number of Active Subscriber Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Enable a Direct Connection for Subscriber Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20-7
Contents xxi
Define Structured Username Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Require Username for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Configure Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Configure Administrator Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-8
Configure Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-9
Disable Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-11
Configure Authorization and Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure CLI Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure L2TP Peer Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure Dynamic Subscriber Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-12
Configure Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-13
Configure CLI Commands Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
Configure Administrator Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
Configure Subscriber Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-14
Configure L2TP Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-16
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-17
Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-17
Subscriber Reauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-18
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-19
aaa accounting administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-20
aaa accounting commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-22
aaa accounting event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-24
aaa accounting l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-26
aaa accounting reauthorization subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-29
aaa accounting subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-31
aaa accounting suppress-acct-on-fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-34
aaa authentication administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-36
aaa authentication subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-40
aaa authorization commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-43
aaa authorization tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-45
aaa double-authentication subscriber radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-46
aaa encrypted-password default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-48
aaa global accounting event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-49
aaa global accounting l2tp-session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-51
aaa global accounting reauthorization subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-53
aaa global accounting subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-55
aaa global authentication subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-57
aaa global maximum subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-59
aaa global reject empty-username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-61
aaa global session-id-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-62
aaa global update subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-64
aaa hint ip-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-66
aaa ip-pool allocation first-available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-68
aaa last-resort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-69
aaa maximum subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-71
aaa password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-73
aaa provision binding-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-75
aaa provision route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-77
aaa rate-report-factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-78
aaa reauthorization bulk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-80
aaa update subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-82
aaa username-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-84
session-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20-86
Chapter 21: RADIUS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-1
RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-2
RADIUS Services Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-2
Accounting and Service Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-3
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-4
Configure the Server IP Address or Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-5
Configure an IP Source Address (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-5
Configure Load Balancing Between RADIUS Servers (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Modify RADIUS Connection Parameters (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Send Accounting On and Off Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Modify RADIUS Timeout Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-6
Strip the Domain Portion of Structured Usernames (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-8
Change or Ignore the Server Source Port Value (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-8
Configure and Assign a RADIUS Policy to a Context (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-8
Configure and Send Attributes in RADIUS Packets (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-9
Configure RADIUS-Guided Services (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-10
Configure the RADIUS-Guided Policies for the Service Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-10
Configure a RADIUS-Guided Service Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-10
Configure the Subscriber Profile or Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-11
Remap Account Termination Codes (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-11
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
RADIUS Secret Key, Retry, and Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
RADIUS Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
Custom RADIUS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-12
Dynamic RADIUS Profile and Forward Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-13
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-15
accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-16
attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-18
foreach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-23
parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-25
radius accounting algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-28
radius accounting deadtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-29
radius accounting max-outstanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-31
radius accounting max-retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-32
radius accounting send-acct-on-off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-33
radius accounting server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-35
radius accounting server-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-37
radius accounting timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-38
radius algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-39
radius attribute acct-delay-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-40
radius attribute acct-session-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-42
radius attribute acct-terminate-cause remap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-43
radius attribute acct-tunnel-connection l2tp-call-serial-num . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-44
radius attribute calling-station-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-46
radius attribute filter-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-50
radius attribute nas-identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-52
radius attribute nas-ip-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-53
radius attribute nas-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-54
radius attribute nas-port-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-58
radius attribute nas-port-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-61
radius attribute vendor-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-63
radius coa server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-64
radius deadtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21-67
radius max-outstanding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-69
radius max-retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-70
radius policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-71
radius server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-73
radius server-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-75
radius service profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-76
radius source-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-77
radius strip-domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-79
radius timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-80
rbak-term-ec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21-81
Chapter 22: TACACS+ Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-2
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-3
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-4
tacacs+ deadtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-5
tacacs+ identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-7
tacacs+ max-retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-8
tacacs+ server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-10
tacacs+ strip-domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-12
tacacs+ timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22-13
Chapter 23: Lawful Intercept Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-2
Enable or Disable LI Features and Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-3
Configure an LI Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-3
Configure an LI Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-3
Configure Circuits for LI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-4
Start or Stop an Intercept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-4
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-5
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-7
command-access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-8
header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-10
lawful-intercept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-12
li-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-13
pending . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-14
transport gre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-15
transport udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-16
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23-18
Chapter 24: Key Chain Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-1
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-1
Configure a Key Chain Name and Description (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-2
Configure a Key Chain Name and ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-2
Configure a Security Parameter Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-2
Configure a Key String . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Limit the Lifespan of a Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Enable Key Chain Authentication with Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Enable Key Chain Authentication with Mobile IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24-3
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-4
Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-4
accept-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-5
key-chain description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-7
key-chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-8
key-string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-10
send-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-11
spi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24-13
Part 8: Appendixes
Appendix A: RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
RADIUS Packet Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
Packet Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3
RADIUS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3
RADIUS Dictionary File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
RADIUS Clients Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Subscriber Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Supported Standard RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
Standard RADIUS Attributes in Access and Account Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-5
Standard RADIUS Attributes in CoA and Disconnect Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-11
Standard RADIUS Attributes That Can Be Reauthorized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-12
Redback VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-13
Redback VSAs in Access and Account Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-13
Redback VSAs in CoA and Disconnect Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-32
Redback VSAs That Can Be Reauthorized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-34
VSA 164 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-35
VSA 196 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-39
Redback VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-40
Other VSAs Supported by the SmartEdgeOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-41
Service Attributes Supported by the SmartEdgeOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-41
RADIUS Attributes Supported by Mobile IP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-42
Standard RADIUS Attributes and Mobile IP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-42
3GPP2 RADIUS VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-43
3GPP2 RADIUS VSAs That Can Be Reauthorized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-43
WiMax Forum RADIUS VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-44
WiMax Forum RADIUS VSAs in the CoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-45
Motorola VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-46
Appendix B: TACACS+ Attribute-Value Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
TACACS+Authentication and Authorization AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
TACACS+Administrator Accounting AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
TACACS+Command Accounting AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Index of Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Index of Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
About This Guide xxv
About This Guide
This guide describes the tasks and commands used to configure SmartEdge OS IP services and security
features.
The following features are described in this guide:
Address Resolution Protocol (ARP)
Neighbor Discovery (ND) protocol for IPv6 routers
Network Time Protocol (NTP)
Dynamic Host Configuration Protocol (DHCP)
Access Node Control Protocol (ANCP)
Domain Name System (DNS)
HTTP redirect, access control lists (ACLs)
Hotlining
Forward policies
Network Address Translation (NAT) policies
Mobile IP services
Service policies
Quality of service (QoS) policies
Flow admission control (FAC) profiles
Authentication, authorization, and accounting (AAA)
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System Plus (TACACS+)
Key chains
Lawful intercept (LI)
This preface contains the following sections:
Related Publications
Intended Audience
Related Publications
xxvi IP Services and Security Configuration Guide
Organization
Conventions
Ordering Documentation
Related Publications
In parallel with this guide, use the IP Services and Security Operations Guide for the SmartEdgeOS which
describes the tasks and commands used to monitor, administer, and troubleshoot IP services and security
features.
Use these guides in conjunction with the following publications:
Basic System Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: how to use
the SmartEdge command-line interface (CLI), configuration file management, access to the system;
basic system parameters; contexts, interfaces, and subscribers; and system-wide management features,
such as logging facilities.
IP Services and Security Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: Address
Resolution Protocol (ARP), Neighbor Discovery (ND) protocol for IPv6 routers, Network Time
Protocol (NTP), Dynamic Host Configuration Protocol (DHCP), Access Node Control Protocol
(ANCP), Domain Name System (DNS), HTTP redirect, hotlining, access control lists (ACLs), forward
policies, Network Address Translation (NAT) policies, Mobile IP services, service policies, quality of
service (QoS) policies, flow admission control (FAC) profiles, authentication, authorization, and
accounting (AAA), Remote Authentication Dial-In User Service (RADIUS), Terminal Access
Controller Access Control System Plus (TACACS+), key chains, and lawful intercept (LI).
Network Management Guide for the SmartEdge OS
Describes the tasks and commands used to configure, monitor, administer, and troubleshoot the
following SmartEdge OS: system-wide management features, including bulk statistics (bulkstats),
Simple Network Management Protocol (SNMP), Remote Monitoring (RMON) functions, and detailed
information about notifications and object identifiers (OIDs) for Redback Networks Enterprise MIBs.
Commands include show commands and commands used to configure bulkstats, SNMP, and RMON
features.
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: cards;
ports; channels; Automatic Protection Switching (APS); circuits, including permanent virtual circuits
(PVCs); Link Aggregation Control Protocol (LACP) features; clientless IP service selection (CLIPS)
circuits; Point-to-Point Protocol (PPP) and PPP over Ethernet (PPPoE) information; link aggregation;
bridging; cross-connections between circuits; IP-in-IP tunnels, overlay tunnels (IPv6 over IP Version 4
[IPv4]), Generic Routing Encapsulation (GRE) tunnels (including IP Version 6 [IPv6] over GRE
tunnels), Layer 2 Tunneling Protocol (L2TP) tunnels; static and dynamic bindings between ports,
channels, subchannels, and circuits to interfaces, either directly or indirectly.
RFlow Guide for the SmartEdge OS
Describes the commands and procedures used to configure, monitor, administer, and troubleshoot
RFlow on the SmartEdge OS.
Routing Protocols Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following SmartEdge OS features: static IP
routing; dynamically verified static routing (DVSR); Virtual Router Redundancy Protocol (VRRP);
Routing Information Protocol (RIP) and RIP next generation (RIPng); Open Shortest Path First (OSPF)
and OSPF Version 3 (OSPFv3); Border Gateway Protocol (BGP); BGP/Multiprotocol Label Switching
Virtual Private Networks (BGP/MPLS VPNs); Intermediate System-to-Intermediate System (IS-IS);
Bidirectional Forwarding Detection (BFD); IP multicast, including Internet Group Management
Protocol (IGMP), Multicast Source Discovery Protocol (MSDP), and Protocol Independent Multicast
(PIM); routing policies; MPLS; Layer 2 Virtual Private Networks (L2VPNs); Virtual Private LAN
Services (VPLS); and Label Distribution Protocol (LDP). BGP, OSPFv3, RIPng, and routing policies
include tasks and commands that provide limited support for IPv6 routing.
Session Border Controller Configuration Guide for the SmartEdge OS
Describes the tasks and commands used to configure the following Session Border Controller (SBC)
features and services on the SmartEdge OS: unified SBC features and services include number analysis,
call routing, registration routing, adjacencies, media IP and authentication, authorization, and
accounting (AAA) subscriber record; distributed SBC features and services include media gateway
timers, media gateway attributes, media gateway controllers, and media IP.
Basic System Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the Basic System Configuration Guide; commands include all clear, debug,
monitor, process, and show commands that monitor and test system-wide functions and features, such
as software processes.
IP Services and Security Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the IP Services and Security Configuration Guide; commands include all clear,
debug, and show commands, along with other operations-based commands.
Ports, Circuits, and Tunnels Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the Ports, Circuits, and Tunnels Configuration Guide; commands include all
clear, debug, monitor, and show commands, along with other operations-based commands, such as
device management and on-demand diagnostics.
Routing Protocols Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the SmartEdge OS
features described in the Routing Protocols Configuration Guide; commands include all clear, debug,
monitor, process, and show commands, along with other operations-based commands.
Session Border Controller Operations Guide for the SmartEdge OS
Describes the tasks and commands used to monitor, administer, and troubleshoot the Session Border
Controller (SBC) features and services on the SmartEdge OS that are described in the Session Border
Controller Configuration Guide; commands include all clear, debug, and show commands, along with
other operations-based commands.
SmartEdge 100 Router Hardware Guide
Describes the SmartEdge 100 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and media interface cards (MICs).
SmartEdge400 Router Hardware Guide
Describes the SmartEdge 400 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and cards.
SmartEdge 800 Router Hardware Guide
Describes the SmartEdge 800 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and cards.
SmartEdge 1200 Router Hardware Guide
Describes the SmartEdge 1200 hardware and provides site preparation information and installation,
monitoring, and maintenance procedures for the chassis and cards.
Intended Audience
This guide is intended for system and network administrators experienced in access and internetwork
administration.
Organization
This guide is organized as follows:
Part 1, Introduction
Describes the SmartEdge OS IP services and security features.
Part 2, IP Service Protocols
Describes the tasks and commands used to configure ARP, the ND protocol, NTP, DHCP, and ANCP.
Part 3, Mobile IP Services
Describes the tasks and commands used to configure Mobile IP services.
Part 4, IP Services
Describes the tasks and commands used to configure HTTP redirect, hotlining, DNS, and ACLs for IP
services and policies.
Part 5, IP Service Policies
Describes the tasks and commands used to configure NAT policies, forward policies, and service
policies.
Part 6, IP Quality of Service Policies
Describes the tasks and commands used to configure QoS policies, ports, channels, circuits, and
applications for QoS functions, and FAC profiles.
Part 7, IP Security
Describes the tasks and commands used to configure security features, including AAA, RADIUS,
TACACS+, lawful intercepts, and key chains.
Part 8, Appendixes
Describes attributes used with RADIUS and attribute-value pairs (AVPs) used with TACACS+.
Conventions
This guide uses special conventions for the following elements:
Command Modes and Privilege Levels
Command Syntax
Examples
Task Tables
Online Navigation Aids
Command Modes and Privilege Levels
Commands are entered in exec mode or in one of many configuration modes. By default, the majority of
commands in exec mode have a privilege level of 3, while commands in any configuration mode have a
privilege level of 10. Exceptions are noted in parentheses ( ) in the Command Mode section in any
command description; for example, exec (15).
For a list of command modes and a figure displaying the command mode hierarchy, see the Command
Mode Hierarchy section in Chapter 1, Overview.
For detailed information about command modes and privilege levels, see the User Interface section (in
the Overview chapter) in the Basic System Configuration Guide for the SmartEdgeOS.
Command Syntax
Table 1 lists the descriptions of the elements used in a command syntax statement.
Note This guide has three indexes: an index of tasks and features, an index of commands, and an
index of command modes.
Table 1 Command Syntax Terminology
Argument
  Definition: An item for which you must supply a value.
  Example fragment: slot
Construct
  Definition: A combination of a keyword and its argument; two or more keywords that cannot be
  specified independently; or two or more arguments that cannot be specified independently.
  Example fragments: min-wait seconds; line fdl ansi; src src-wildcard
Keyword
  Definition: An optional or a required item that must be entered exactly as shown.
  Example fragment: all
Table 2 describes separator characters used in command syntax statements.
The following guidelines apply to separator characters in Table 2:
The separator character between the prefix and suffix names in a structured username is configurable;
the @ character is the default and is used in command syntax throughout this guide.
Separator characters act as one-character keywords; therefore, they are always shown in bold.
Table 2 Separator Characters in Command Syntax
@
  Use: Separates a prefix name from a suffix name.
  Example fragment: sub-name@ctx-name
/
  Use: Separates a slot from a port, an IP address from a prefix length, and fields in URLs.
  Example fragments: slot[/port]; {ip-addr | /prefix-length}; /device[/directory]/filename.ext
:
  Use: Separates a port from a channel and a channel from a subchannel.
  Example fragments: port[:chan-num]; ds3-chan-num[:ds1-chan-num]
-
  Use: Separates a starting value from an ending value.
  Example fragment: start-end
|
  Use: Separates output modifiers from keywords and arguments in show commands. (1)
  Example fragment: show configuration | include port
1. For more information about the use of the pipe ( | ) character, see the Using the CLI chapter in the
Basic System Configuration Guide for the SmartEdge OS.
Table 3 lists the characters and formats used in command syntax statements.
Table 3 Text Formats and Characters in Command Syntax
Commands and keywords are indicated in bold.
  Example: no ip unnumbered
Arguments for which you must supply values are indicated in italics.
  Example: banner login delimited-text
Square brackets ([ ]) indicate optional arguments, keywords, and constructs within scripts or
commands.
  Examples: show clock [universal]; enable [level]
Alternative arguments, keywords, and constructs within commands are separated by the pipe
character ( | ).
  Example: public-key {DSA | RSA} [after-key existing-key | position key-position] {new-key | ftp url}
Alternative but required arguments, keywords, and constructs are shown within grouped braces ({ })
and are separated by the pipe character ( | ).
  Examples: debug ssh {all | ssh-general | sshd-detail | sshd-general};
  ip address ip-addr {netmask | /prefix-length} [secondary]
Optional and required arguments, keywords, and constructs can be nested with grouped braces and
square brackets, where the syntax requires such format.
  Example: enable authentication {none | method [method [method]]}
Examples
Examples use the following conventions:
System prompts are of the form [context]hostname(mode)#, [context]hostname#, or
[context]hostname>.
In this case, context indicates the current context, hostname represents the configured name of the
SmartEdge system, and mode indicates the string for the current configuration mode, if applicable.
Whether the prompt includes the # or the > symbol depends on the privilege level. For further
information on privilege levels, see the User Interface section (in the Overview chapter) in the
Basic System Configuration Guide for the SmartEdge OS.
For example, the prompt in the local context on the Redback system in context configuration
mode is:
[local]Redback(config-ctx)#
Information displayed by the system is in Courier font.
Information that you enter is in Courier bold font.
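The prompt format described above is regular enough to parse, which is useful when auditing a captured CLI session for which context and configuration mode each command was entered in and whether the operator left the session in exec mode. The parser below is an added example, not Redback code; the sample session it runs on is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Prompt forms documented in the conventions above:
#   [context]hostname(mode)#   configuration mode (the string in parentheses)
#   [context]hostname#         exec mode, prompt ends in '#'
#   [context]hostname>         exec mode at a lower privilege level, ends in '>'
# Anything after the terminator is what the operator typed (bold Courier in print).
PROMPT_RE = re.compile(
    r"^\[(?P<context>[^\]]+)\]"        # current context in square brackets
    r"(?P<hostname>[^\s()\[\]#>]+)"     # configured name of the SmartEdge system
    r"(?:\((?P<mode>[^)]+)\))?"         # configuration mode string, absent in exec mode
    r"(?P<term>[#>])"                   # '#' or '>' depending on privilege level
    r"(?P<command>.*)$"                 # text entered after the prompt, if any
)


@dataclass(frozen=True)
class PromptLine:
    context: str
    hostname: str
    mode: Optional[str]   # e.g. "config-ctx"; None in exec mode
    privileged: bool      # True when the prompt ends in '#'
    command: str          # command typed after the prompt ("" for a bare prompt)

    @property
    def in_config_mode(self) -> bool:
        return self.mode is not None


def parse_prompt_line(line: str) -> Optional[PromptLine]:
    """Parse one transcript line; return None when it is system output, not a prompt."""
    m = PROMPT_RE.match(line.rstrip())
    if m is None:
        return None
    return PromptLine(
        context=m.group("context"),
        hostname=m.group("hostname"),
        mode=m.group("mode"),
        privileged=m.group("term") == "#",
        command=m.group("command").strip(),
    )


def config_commands(transcript: str) -> List[Tuple[str, str, str]]:
    """Return (context, mode, command) for every command entered in a configuration mode."""
    found = []
    for line in transcript.splitlines():
        p = parse_prompt_line(line)
        if p is not None and p.in_config_mode and p.command:
            found.append((p.context, p.mode, p.command))
    return found


def final_state(transcript: str) -> Optional[PromptLine]:
    """The last prompt in the transcript, e.g. to verify the session ended back in exec mode."""
    last = None
    for line in transcript.splitlines():
        p = parse_prompt_line(line)
        if p is not None:
            last = p
    return last


# Constructed session transcript (not real device output). The 'Password:' line and the
# clock line are system output and must not be mistaken for prompts.
SAMPLE_SESSION = """\
[local]Redback>enable
Password:
[local]Redback#show clock
Tue Jan  1 00:00:00 2008 UTC
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#end
[local]Redback#"""

if __name__ == "__main__":
    for ctx, mode, cmd in config_commands(SAMPLE_SESSION):
        print(f"context={ctx} mode={mode} command={cmd!r}")
    end = final_state(SAMPLE_SESSION)
    print("ended in config mode:", end.in_config_mode if end else "no prompt found")
```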
Task Tables
Tasks to configure features are described in task tables under the Configuration Tasks section in each
chapter. The command syntax displays only the root command, which is hyperlinked to the location where
the complete command syntax is described in the Command Descriptions section of each chapter.
Table 4 shows an example of a configuration task table.
Table 4 Configuration Task Table Example
Task: Assign a priority group.
  Root command: qos priority
  Notes: The QoS bit setting for packets traveling across the ingress circuit is not changed by the
  priority group assignment.
Task: Attach a policing policy.
  Root command: qos policy policing
Task: Attach a metering policy.
  Root command: qos policy metering
Task: Attach a scheduling policy.
  Root command: qos policy queuing
  Notes: Policy types include EDRR and PQ.
Task: Optional. Modify the mode of an EDRR policy algorithm.
  Root command: qos mode
  Notes: By default, the mode is normal. Only one mode type is supported on a single port.
Online Navigation Aids
To aid in accessing information in the online format for this guide, the following types of cross-references
are hyperlinks:
Cross-references to chapters, sections, tables, and figures in the text
Lists of section headings within a chapter or an appendix
Commands listed in the Related Commands section at the end of each command description
Entries in the table of contents
Entries in indexes
Ordering Documentation
Redback documentation is available on a CD-ROM that ships with the following Redback products:
SMS products
SmartEdge router products
NetOp Element Management System [EMS] and NetOp Policy Manager [PM] products
The following sections describe how to order additional copies and provide feedback:
Order Additional Copies
Complete the Online Redback Networks Documentation Survey
Provide Direct Feedback on Specific Product Documentation
We appreciate your comments.
Order Additional Copies
To order additional copies of the documentation CD-ROM or printed and bound books, perform the
following steps:
1. Log on to the Redback Networks Support web site at http://support.redback.com, enter a username and
password, and click Login.
If you do not have a username and password, consult your Redback Networks support representative,
or send an e-mail to supportlogin@redback.com with a copy of the show hardware command output,
your contact name, company name, address, and telephone number.
2. Click one of the Redback products at the bottom of the web page, click Documentation on the
navigation bar, then click To Order Books on the navigation bar.
Complete the Online Redback Networks Documentation Survey
To complete the online Redback Networks Documentation Survey, perform the following steps:
1. On the Documentation web page, click Feedback on the navigation bar.
2. Complete and submit the feedback form.
3. Click Documentation on the navigation bar, then click To Order Books on the navigation bar.
Provide Direct Feedback on Specific Product Documentation
To provide feedback on a documentation issue related to the SmartEdge OS, send e-mail to
seos-router-docs@redback.com.
Note Hyperlinks in PDF files appear the same as regular text; however, your cursor changes from
an open hand icon to a pointing finger icon when you move your cursor over a hyperlink.
Part 1
Introduction
This part describes SmartEdge OS IP services and security features and consists of:
Chapter 1, Overview
Chapter 1
Overview
This chapter provides an overview of SmartEdge OS IP services and security features and lists the relevant
command-line interface (CLI) modes in the following sections:
SmartEdge OS Architecture
IP Protocols
IP Services
IP Service Policies
Quality of Service
Security
Command Mode Hierarchy
SmartEdge OS Architecture
The SmartEdge OS is based on a general-purpose operating system that works in conjunction with the
ASIC-based SmartEdge hardware products to provide a scalable and robust multiservice platform. The
SmartEdge OS performs the route processing and other control functions, and runs on the controller card.
The packet forwarding function is performed by Packet Processing ASICs (PPAs) on the individual traffic
cards. Each major system component (see Table 1-1) runs as a separate process in the system.
Note In the following descriptions, the term, controller card, applies to the Cross-Connect Route
Processor (XCRP) or the XCRP Version 3 (XCRP3) Controller card, unless otherwise noted.
The terms, traffic-managed circuit and traffic-managed port, refer to a circuit and port,
respectively, on Fast Ethernet-Gigabit Ethernet (FE-GE), Gigabit Ethernet 3 (GE3) and
Gigabit Ethernet 1020 (GE1020) traffic cards, or Gigabit Ethernet media interface cards (GE
MICs).
Table 1-1 SmartEdge OS Components
Authentication, authorization, and accounting (AAA)
  Function: Forces all authentication requests and accounting updates to a single set of Remote
  Authentication Dial-In User Service (RADIUS) servers.
NetBSD kernel
  Function: Provides a lean and stable base for the SmartEdge OS.
Process Manager (PM)
  Function: Monitors and controls the operation of the other processes in the system.
Router Configuration Manager (RCM)
  Function: Controls all system configurations using a transaction-oriented database.
Interface and Circuit State Manager (ISM)
  Function: Monitors and disseminates the state of all interfaces, ports, and circuits in the system.
Routing protocols
  Function: Run as independent processes, maintaining independent Routing Information Bases (RIBs).
  The routing processes send the routing information to the central RIB.
RIB
  Function: Downloads forwarding tables to the traffic cards.
Feature modules
  Function: Run as independent processes, each in its own protected address space.
Traffic card
  Function: Includes the PPA ASICs, which contain the Forwarding Information Base (FIB) and
  forwarding code.
Figure 1-1 illustrates the SmartEdge OS architecture.
Figure 1-1 SmartEdge OS Architecture
IP Protocols
The SmartEdge OS provides the IP protocols described in the following sections:
Address Resolution Protocol
Neighbor Discovery Protocol
Network Time Protocol
Dynamic Host Configuration Protocol
Access Node Control Protocol
Address Resolution Protocol
The SmartEdge OS implementation of the Address Resolution Protocol (ARP) is consistent with RFC 826,
An Ethernet Address Resolution Protocol, also called Converting Network Protocol Addresses to 48.bit
Ethernet Address for Transmission on Ethernet Hardware. In addition, the SmartEdge OS provides a
configurable ARP entry-age timer and the option to automatically delete expired dynamic ARP entries.
Neighbor Discovery Protocol
SmartEdge routers use the Neighbor Discovery (ND) protocol for IP Version 6 (IPv6) to determine the
link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values
that become invalid. The IPv6 ND protocol corresponds to a combination of the IPv4 ARP and Internet
Control Message Protocol (ICMP) Router Discovery. The ND protocol is described in RFC 2461, Neighbor
Discovery for IP Version 6 (IPv6).
IPv6 is a new version of the Internet Protocol, designed as the successor to IP Version 4 (IPv4). IPv6 is fully
described in RFC 2460, Internet Protocol, Version 6 (IPv6) Specification. The changes from IPv4 to IPv6
include:
Increase in address size from 32 bits to 128 bits
Simplified header
Extensible header with optional extension headers
Designed to co-exist with IPv4
Uses multicast addresses instead of broadcast addresses
For a description of IPv6 addressing and the types of IPv6 addresses, see RFC 3513, Internet Protocol
Version 6 (IPv6) Addressing Architecture.
Note When IPv6 addresses are not referenced or explicitly specified, the term, IP address, can refer
generally to IPv4 addresses, IPv6 addresses, or IP addressing. In instances where IPv6
addresses are referenced or explicitly specified, the term, IP address, refers only to IPv4
addresses.
Network Time Protocol
The SmartEdge OS supports versions 1, 2, and 3 of the Network Time Protocol (NTP). On the SmartEdge
router, NTP operates in client mode only, meaning that the router can be synchronized by a remote NTP
server, but the remote server cannot be synchronized by the router.
Dynamic Host Configuration Protocol
The SmartEdge router provides three types of Dynamic Host Configuration Protocol (DHCP) support:
External DHCP relay server
In relay mode, the SmartEdge router acts as an intermediary between the DHCP server and the
subscriber. The router forwards requests from the subscriber's PC to the DHCP server and relays the
server's responses back to the subscriber's PC.
External DHCP proxy server
In proxy mode, the SmartEdge router provides responses directly to the subscriber requests. Each
subscriber sees the router as the DHCP server, and as such, sends all DHCP negotiations, including
IP address release and renewal, to the router, which then relays the information to the DHCP server.
Essentially, the proxy feature enables the router to track IP address lease times and other DHCP
information more closely. With Remote Authentication Dial-In User Service (RADIUS) authentication,
an accounting record is sent from the SmartEdge router to RADIUS every time an IP address is assigned
or released.
Internal DHCP server
The SmartEdge router provides the functions of the DHCP server; no communications are sent to an
external DHCP server.
Access Node Control Protocol
The ANCP is a communications control protocol that allows the SmartEdge router to communicate with
an access node and gather information about the parameters for the individual access lines on the access
node.
The ANCP is an out-of-band control protocol that does not interfere with the subscriber sessions that are
carried on the access lines. Beneath the ANCP the SmartEdge router uses the General Switch Management
Protocol (GSMP) version 3 (GSMPv3) to communicate with the ANCP neighbor peers; GSMPv3
messages are encapsulated using the Transmission Control Protocol (TCP).
Note Before using NTP, the SmartEdge router must first be configured with the IP address of one
or multiple NTP servers.
Note Before using an external DHCP server, the SmartEdge OS must first be configured with the
IP address or hostname of one or multiple external DHCP servers. DHCP servers are
configured on a per-context basis, with a limit of one server per context.
IP Services
The SmartEdge OS provides the IP services described in the following sections:
Domain Name System
HTTP Redirect
Hotlining
Mobile IP (Wireless)
Access Control Lists
Domain Name System
The Domain Name System (DNS) enables subscribers to access devices using hostnames, instead of
IP addresses. When a command refers to a hostname, the SmartEdge OS consults the local host table for
mappings. If the information is not in the table, the router generates a DNS query to resolve the hostname.
DNS is enabled on a per-context basis, with one domain name allowed per context.
HTTP Redirect
HTTP redirect enables service providers to interrupt subscriber HTTP sessions and to redirect them to a
preconfigured URL. Applications include the ability to require customer registration, to direct customers
to web sites for downloading virus protection software, and to advertise new services or software updates.
An HTTP redirect profile containing a redirect URL is attached to subscriber records, and a forward policy
redirects HTTP traffic to the lightweight HTTP server on the controller card attached to the subscriber
circuit. The forward policy that performs the redirection is removed through a subscriber reauthorization
mechanism.
Hotlining
Hotlining allows WiMAX operators to redirect subscribers to a portal controlled by a service provider. This
portal can be used for service registration, updates, and service advertisements, and to address issues that
require immediate attention, such as virus attacks and missed payments. When hotlining is complete, the
subscriber is released from the hotlined state (released from the portal) and directed to the original
destination.
Mobile IP (Wireless)
Mobile IP services allow the SmartEdge router to act as one or more foreign agents (FAs). Each
communicates with its associated home-agent (HA) peers that support the mobile subscribers, which are
referred to as mobile nodes (MNs). Each FA has a care-of address (CoA) that the system uses as the
termination address for the tunnel to an HA peer.
The MNs connect to the FA through one or more base transceiver stations (BTSs) using Ethernet circuits.
MNs can move to different BTSs, depending on their locations.
MNs communicate with the SmartEdge router (the FA) over Ethernet-based circuits, using a context that
you configure for the FA. The system routes the MN traffic to each external HA peer using a Generic
Routing Encapsulation (GRE) tunnel circuit or an IP-in-IP tunnel. Each HA peer uses a different tunnel.
Traffic from an HA peer is routed back to the MNs associated with that HA peer using the same tunnel
circuit.
Access Control Lists
The SmartEdge OS supports IP access control lists (ACLs) and policy ACLs as described in the following
sections:
IP ACLs
Policy ACLs
Conditional ACLs
Dynamic ACLs
IP ACLs
IP ACLs are lists of packet filters. Based on the criteria specified in the IP ACLs associated with the packet,
the SmartEdge OS decides whether the packet should be forwarded or dropped. IP ACLs filter packets
through the use of deny and permit, or seq deny and seq permit statements. IP ACLs are applied to
interfaces and contexts and affect packets on all circuits bound to the interface or all administrative
packets on a context.
Policy ACLs
Policy ACLs are lists of packet filters, packet classifications, or both. Based on criteria specified in the
policy ACLs associated with the packet, the SmartEdge OS decides whether the packet should be
forwarded, dropped, or assigned a class name. Policy ACLs filter packets, classify packets, or perform both
actions, through the use of permit and seq permit statements. Policy ACLs can be applied to forward
policies, to NAT policies, and to quality of service (QoS) metering and policing policies.
Conditional ACLs
You can configure both IP ACLs and policy ACLs with time-based conditions that filter or classify packets
for a specified time period. In addition, you can modify time-based conditions in real-time, without
modifying the configuration file for the SmartEdge OS.
Dynamic ACLs
Dynamic ACLs allow the SmartEdge OS to apply an IP or policy ACL sent from a RADIUS server using
vendor-specific attributes (VSAs) 242 and 164 to a circuit or policy.
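The following Python model is added here as an illustration of how the IP ACL, policy ACL and conditional ACL behaviour described above fits together; it is not SmartEdge OS code and not one of this guide's own examples. It assumes, because the text does not say, that statements are tried in ascending seq order, that the first matching statement decides, that an IP ACL ends with an implicit deny, and that a policy ACL leaves unmatched packets unclassified. The ACL names, addresses and packets are constructed sample values.

```python
"""IP ACL and policy ACL evaluation, modelled in Python (added illustration).

Assumptions not stated on the page: rules are tried in ascending seq order,
the first match decides, an IP ACL ends with an implicit deny, and a policy
ACL leaves unmatched packets unclassified.
"""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

MAX_POLICY_CLASSES = 8   # page: each policy ACL supports up to eight unique classes


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    precedence: int = 0        # IP precedence, the top three bits of the ToS byte


@dataclass
class Rule:
    seq: int
    action: str                                     # "permit" or "deny"
    proto: str = "ip"                               # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    precedence: Optional[int] = None
    class_name: Optional[str] = None                # policy ACL classification
    time_range: Optional[Tuple[time, time]] = None  # conditional ACL window

    def matches(self, pkt: Packet, now: time) -> bool:
        if self.time_range is not None:
            start, end = self.time_range
            if not (start <= now <= end):
                return False                        # rule is inactive outside its window
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.precedence is not None and self.precedence != pkt.precedence:
            return False
        return True


class Acl:
    def __init__(self, name: str, policy: bool = False):
        self.name = name
        self.policy = policy
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        if self.policy:
            if rule.action != "permit":
                raise ValueError("policy ACLs are built from permit statements only")
            classes = {r.class_name for r in self.rules if r.class_name}
            if (rule.class_name and rule.class_name not in classes
                    and len(classes) >= MAX_POLICY_CLASSES):
                raise ValueError("a policy ACL supports at most eight classes")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)        # assumption: ascending seq order

    def evaluate(self, pkt: Packet, now: time = time(12, 0)) -> Tuple[Optional[str], Optional[str]]:
        """Return (action, class_name) of the first matching rule."""
        for rule in self.rules:
            if rule.matches(pkt, now):
                return rule.action, rule.class_name
        if self.policy:
            return None, None                       # assumption: unmatched traffic stays unclassified
        return "deny", None                         # assumption: implicit deny ends an IP ACL


def build_ip_acl() -> Acl:
    """Constructed IP ACL: no telnet into 10/8, 10/8 may talk out in business hours, ICMP always."""
    acl = Acl("CUSTOMER-IN")
    acl.add(Rule(10, "deny", "tcp", dst="10.0.0.0/8", dport=23))
    acl.add(Rule(20, "permit", "ip", src="10.0.0.0/8", time_range=(time(8, 0), time(18, 0))))
    acl.add(Rule(30, "permit", "icmp"))
    return acl


def build_policy_acl() -> Acl:
    """Constructed policy ACL: precedence-5 UDP is class voice, TCP is class data."""
    acl = Acl("CLASSIFY", policy=True)
    acl.add(Rule(10, "permit", "udp", precedence=5, class_name="voice"))
    acl.add(Rule(20, "permit", "tcp", class_name="data"))
    return acl


if __name__ == "__main__":
    print(build_ip_acl().evaluate(Packet("10.1.1.5", "192.0.2.1", "tcp", 443), time(22, 0)))
    print(build_policy_acl().evaluate(Packet("10.1.1.5", "192.0.2.1", "udp", 5060, precedence=5)))
```

The time-range check is evaluated per packet, which is what makes the conditional ACL change behaviour without a configuration change: the same ACL permits the 10/8 HTTPS session at 10:00 and drops it at 22:00.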
IP Service Policies
The SmartEdge OS provides the IP service policies described in the following sections:
Forward Policies
Network Address Translation Policies
Service Policies
Forward Policies
Forward policies support IP traffic mirroring, redirect, and drop. IP traffic mirroring copies packets
traveling across a circuit and forwards the duplicated packets to a designated outgoing port. IP traffic
redirect forwards IP packets to IP addresses other than their original destination. IP traffic drop
determines which particular packets should be dropped, rather than forwarded.
Network Address Translation Policies
Through Network Address Translation (NAT) policies, hosts using unregistered IP addresses on private
networks can connect to hosts on the Internet and vice versa. NAT translates the private (not globally
unique) addresses in the internal network into legal addresses before packets are forwarded onto another
network.
Service Policies
Service policies determine the context or contexts that Point-to-Point Protocol (PPP)- and PPP over
Ethernet (PPPoE) subscribers can access by verifying the domain or context name associated with
subscriber records.
A service policy can be attached to any PPP- or PPPoE-encapsulated subscriber circuit, including
PPP-encapsulated Layer 2 Tunneling Protocol (L2TP) tunnels.
Quality of Service
The SmartEdge OS provides the QoS features described in the following sections:
Classification, Marking, and Rate-Limiting
Scheduling
Flow Admission Control
Classification, Marking, and Rate-Limiting
The SmartEdge OS classifies, marks, and rate-limits incoming packets as described in these sections:
Priority Groups
Policy Access Control Lists
QoS Policing and Metering Policies
Priority Groups
A priority group number assignment enables you to classify all traffic, including non-IP traffic, on an
ingress circuit. A priority group is an internal value used by the SmartEdge router to determine into which
egress queue the inbound packet should be placed. The type of service (ToS) value, Differentiated Services
Code Point (DSCP) value, and Multiprotocol Label Switching (MPLS) experimental (EXP) bits are not
changed by the priority group assignment. The actual queue depends upon the number of queues configured
on the circuit.
Policy Access Control Lists
A classification filter is configured through a policy ACL. Each policy ACL supports up to eight unique
classes. Packets can be classified according to IP precedence value, protocol number, IP source and
destination address, ICMP attributes, Internet Group Management Protocol (IGMP) attributes,
Transmission Control Protocol (TCP) attributes, and User Datagram Protocol (UDP) attributes.
A policy ACL can be applied to incoming or outgoing packets on a port, circuit, or for a subscriber profile.
A policy ACL is applied to incoming packets through a QoS policing policy and to outgoing packets
through a QoS metering policy.
QoS Policing and Metering Policies
A QoS policing policy marks, rate-limits, or performs both actions on incoming packets, while a QoS
metering policy does the same for outgoing packets. Both types of policies can be applied at one of two
levels or at both levels simultaneously. One level of application applies to all packets on a particular circuit.
Another level of application applies to only a particular class of packets traveling across the circuit. The
class is configured through a policy ACL.
Scheduling
After classification, marking, and rate-limiting occurs on an incoming packet, the packet is placed into an
output queue for servicing by an egress traffic card's scheduler. The SmartEdge OS supports up to eight
queues per circuit. Queues are serviced according to a queue map scheme, a QoS scheduling policy, or both,
as described in the following sections:
Queue Maps
Priority Queuing
Enhanced Deficit Round Robin
Modified Deficit Round Robin
Asynchronous Transfer Mode Weighted Fair Queuing
Priority Weighted Fair Queuing
Hierarchical Scheduling
Hierarchical Nodes and Node Groups
Congestion Management and Avoidance
Queue Maps
The SmartEdge OS assigns factory preset, or default, mapping of a priority group to a particular egress
queue, according to the number of queues configured on a circuit. You can configure queue maps to
override the default mapping of packets into egress queues. You can apply queue maps along with any of
the four QoS scheduling policies.
Priority Queuing
With a priority queuing (PQ) scheduling policy, the output queues on a circuit are serviced in strict priority
order; that is, packets waiting in the highest-priority queue (queue 0) are serviced until that queue is empty,
then packets waiting in the second-highest priority queue are serviced (queue 1), and so on. Under
congestion, PQ allows the highest priority traffic to get through, at the expense of lower-priority traffic.
Enhanced Deficit Round Robin
The enhanced deficit round-robin (EDRR) scheduling policy can operate in one of three modes: normal,
strict, or alternate. In normal mode, queue 0 is treated like all other queues on a circuit. Each queue receives
its share of the circuit's bandwidth according to the weight assigned to the queue. In strict mode, queue 0
always has priority over all other queues configured on a circuit. In alternate mode, in every other round,
either queue 0 or one of the other queues on the circuit is served, in alternating fashion.
Modified Deficit Round Robin
Like the EDRR scheduling policy, the modified deficit round-robin (MDRR) scheduling policy can operate
in one of three modes: EDRR normal and strict modes and PQ strict priority queuing mode. For the EDRR
modes, MDRR supports circuit rate limits; for the PQ strict priority queuing mode, MDRR supports two,
four, or eight queues on a circuit.
Asynchronous Transfer Mode Weighted Fair Queuing
The Asynchronous Transfer Mode weighted fair queuing (ATMWFQ) scheduling policy can operate in one
of two modes: alternate or strict. In either mode, an MDRR algorithm is used to implement class-based
WFQ.
In alternate mode, the servicing of queues alternates between queue 0 and the remaining queues. Queue 0
is served, then the next queue is served. Queue 0 is served again, and the next queue in turn is served, and
so on. For example, if there are four queues configured, the order of servicing will be q0, q1, q0, q2, q0,
q3, q0, q1, and so on. In strict mode, high-priority queue 0 is serviced immediately and then the other
queues are serviced in a round-robin fashion.
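The following Python model is added here to make the service orders described above concrete; it is not SmartEdge OS code and not one of this guide's examples. It assumes that PQ is strict priority with queue 0 highest, that EDRR normal mode is deficit round robin in which a queue's weight is the credit, in bytes, it receives per round, and that ATMWFQ alternate mode serves queue 0 between every service of the other queues, which take turns (the q0, q1, q0, q2, q0, q3, q0, q1 pattern in the text). Queue contents are constructed sample data.

```python
"""Service-order model for PQ, EDRR normal mode and ATMWFQ alternate mode
(added illustration, not SmartEdge OS code).

Each queue is a deque of packet sizes in bytes; each function drains the
queues and returns the sequence of queue numbers it served.
"""
from collections import deque
from typing import Deque, List, Sequence


def make_queues(packets: Sequence[Sequence[int]]) -> List[Deque[int]]:
    return [deque(sizes) for sizes in packets]


def pq_strict(queues: List[Deque[int]]) -> List[int]:
    """Always serve the lowest-numbered non-empty queue; lower queues starve under load."""
    order: List[int] = []
    while any(queues):
        for i, q in enumerate(queues):
            if q:
                q.popleft()
                order.append(i)
                break
    return order


def edrr_normal(queues: List[Deque[int]], weights: Sequence[int]) -> List[int]:
    """Deficit round robin: queue i banks weights[i] bytes per round and sends
    packets while its credit covers the packet at the head of the queue."""
    if len(weights) != len(queues) or any(w <= 0 for w in weights):
        raise ValueError("one positive weight per queue is required")
    order: List[int] = []
    deficit = [0] * len(queues)
    while any(queues):
        for i, q in enumerate(queues):
            if not q:
                deficit[i] = 0                    # idle queues do not accumulate credit
                continue
            deficit[i] += weights[i]
            while q and q[0] <= deficit[i]:
                deficit[i] -= q.popleft()
                order.append(i)
    return order


def atmwfq_alternate(queues: List[Deque[int]]) -> List[int]:
    """Queue 0, then the next non-empty other queue in turn, then queue 0 again."""
    order: List[int] = []
    others = list(range(1, len(queues)))
    pos = 0
    while any(queues):
        if queues[0]:
            queues[0].popleft()
            order.append(0)
        for _ in range(len(others)):              # find the next non-empty other queue
            i = others[pos]
            pos = (pos + 1) % len(others)
            if queues[i]:
                queues[i].popleft()
                order.append(i)
                break
    return order


if __name__ == "__main__":
    print(pq_strict(make_queues([[100, 100], [100], [100]])))
    print(edrr_normal(make_queues([[200, 200, 200], [100, 100, 100]]), [300, 100]))
    print(atmwfq_alternate(make_queues([[64] * 4, [64] * 2, [64], [64]])))
```

With weights 300 and 100 and equal offered load, EDRR lets queue 0 send about three bytes for every byte from queue 1; with PQ the same queue 1 packets wait until queue 0 is empty, which is the behaviour to avoid for traffic that must not be starved.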
Priority Weighted Fair Queuing
Priority weighted fair queuing (PWFQ) policies use a priority- and a weight-based algorithm to implement
hierarchical QoS-aware scheduling. Each queue in the policy includes both a priority and a relative weight,
which control how each queue is serviced. Inside the PWFQ policy, priority takes precedence, and for
queues placed at the same priority, the individual configured weight defines how the queue is used in the
scheduling decision.
With PWFQ policies, you can configure different congestion behaviors that depend on the DSCP values of
the packets in a queue; this feature is referred to as multidrop precedence. Multidrop precedence supports
up to three profiles for each queue, and each profile defines a different congestion behavior for one or more
DSCP values.
Note PWFQ policies are supported only for traffic-managed ports and circuits.
Hierarchical Scheduling
Hierarchical scheduling provides the means to perform QoS scheduling at the port, 802.1Q tunnel, and
802.1Q permanent virtual circuit (PVC) levels, using PWFQ policies. Hierarchical scheduling operates on
PWFQ queues in either of two modes: strict or WRR. In strict mode, each queue is serviced according to
the priority you assigned to the queue. In WRR mode, each queue is serviced in round-robin order
according to its priority and its traffic share, as determined by the relative weight.
Hierarchical Nodes and Node Groups
A hierarchical node functions as an individual circuit, such as an 802.1Q PVC; you can assign a traffic rate
and attach a PWFQ policy to it. In addition, you can specify the scheduling mode for the queues defined
by the PWFQ policy, either strict or WRR.
Each node is a member of a node group. You can assign a traffic rate and a scheduling mode (which might
not be the same traffic rate or scheduling mode assigned to any of the nodes within the group) to a node
group. When a subscriber record is assigned to a hierarchical node, all sessions for that subscriber are
governed by the QoS shaping configured for the node and for the node group.
Note Hierarchical nodes and node groups are supported only on traffic-managed ports and circuits.
Congestion Management and Avoidance
The SmartEdge OS employs the following congestion avoidance features with scheduling policies:
Random Early Detection
Queue Depth
Queue Rates
Random Early Detection
With PQ, EDRR, and ATMWFQ policies, you can configure random early detection (RED) parameters to
manage buffer utilization under congestion by signaling to sources of traffic that the network is on the verge
of entering a congested state, rather than waiting until the network is actually congested.
Queue Depth
With EDRR and PQ policies, you can modify the number of packets that are allowed in each queue
configured on a circuit.
Queue Rates
With PQ and EDRR policies, you can configure a rate limit, which specifies a long-term, nominal average
bit rate for the queuing policy and uses a burst tolerance to specify the number of bytes allowed above the
configured rate. In PQ policies, the rate is controlled per individual queue, while in EDRR policies, the rate
is a combined traffic rate for all queues in the policy. A reasonable guideline for burst tolerance is 10 times
the link maximum transmission unit (MTU).
Flow Admission Control
A flow is a unidirectional object that identifies related data packets and enables you to apply a set of
services to a portion of a circuit. Without flows, you could only apply services to entire groups of
subscribers mapped to a specified circuit. All attributes on a flow inherit from the services applied to the
circuit to which the flow applies.
All attributes applied using flow features reside in a flow admission control (FAC) profile, which is the
basic unit of flow configuration. First you create a FAC profile, and then you apply it to an existing circuit
from circuit configuration mode.
Security
The SmartEdge OS provides the security features described in the following sections:
Authentication, Authorization, and Accounting
Remote Authentication Dial-In User Service
Terminal Access Controller Access Control System Plus
Key Chains
Lawful Intercept
Authentication, Authorization, and Accounting
The SmartEdge OS uses authentication, authorization, and accounting (AAA) to authenticate subscribers
through database records kept in one of these locations:
Locally in the SmartEdge OS through subscriber commands
On a RADIUS server or set of servers
The first location is the local database, which is a set of subscriber configuration mode commands entered
through the SmartEdge OS CLI. The local database provides what is known as local authentication. The
second location is the RADIUS server's database, which contains the subscriber records. The SmartEdge
OS, configured with the IP address or hostname of the RADIUS server, relies on the database records of
the server to authenticate subscribers.
Each SmartEdge OS context can use the IP address or hostname of a RADIUS server configured within its
context for authentication; this is known as context-specific RADIUS authentication. Alternatively, a context
can be configured to use the IP address or hostname of the RADIUS server in the local context; this is known
as global authentication. With global authentication, the RADIUS server is expected to return the
Context-Name vendor-specific attribute (VSA) that indicates the particular context to which the subscriber
is to be bound. You can also configure the SmartEdge router to try authentication through the RADIUS
server configured in the current context first, with a fallback to the global RADIUS server or to the local
database, in case the RADIUS server in the current context becomes unreachable.
The SmartEdge OS supports subscriber session reauthorization, so that a subscriber's attributes can be
updated dynamically, without requiring renegotiation for a current subscriber session and without dropping
the session. The updates to the subscriber record are made immediately without interruption.
Subscriber accounting tracks RADIUS-based messages for subscriber sessions. The data can be sent to a
set of RADIUS servers in the local context, a set of RADIUS servers in another context, or both. This last
case is called two-stage accounting, where, for example, a wholesaler can send a copy of accounting data
to its own RADIUS server and to an upstream service provider's RADIUS server, allowing end-of-period
accounting data to be reconciled and validated by both parties.
Remote Authentication Dial-In User Service
RADIUS is based on a client/server architecture. The SmartEdge OS can be configured to act as a RADIUS
client. The use of RADIUS replaces the need for local configuration of user records, although we
recommend a local configuration in case the remote server is unreachable.
If your network topology requires separate RADIUS accounting servers for billing or load-balancing
purposes, you can also configure one or more RADIUS accounting servers, which then take over the
accounting functions from the RADIUS servers. The SmartEdge OS can send RADIUS accounting data to
a global set of RADIUS servers, a context-specific set of RADIUS servers, or both. This last case is referred
to as two-stage accounting.
Note RADIUS servers are context specific, with a limit of five servers for each context.
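The following Python example is added here to show the client-side check that belongs with the global authentication flow described above, where the RADIUS server's Access-Accept selects the context a subscriber is bound to; it is not SmartEdge OS code and not one of this guide's examples. A RADIUS client must verify the Response Authenticator, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret as defined in RFC 2865, before acting on the reply, otherwise a forged or altered Access-Accept could grant access or choose a context. The Redback vendor ID (2352) and the Context-Name vendor type (4) are taken from the public Redback RADIUS dictionary and are assumptions as far as this page is concerned; the shared secret, identifier and context names are constructed sample values.

```python
"""Client-side verification of a RADIUS Access-Accept carrying a Context-Name
VSA (added illustration, not SmartEdge OS code).

The vendor ID and vendor type below are assumptions taken from the public
Redback RADIUS dictionary; all other values are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
REDBACK_VENDOR_ID = 2352        # assumption: IANA enterprise number of Redback Networks
REDBACK_CONTEXT_NAME = 4        # assumption: Context-Name vendor type in dictionary.redback


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: Type, Length, Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    body = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """What the server sends: header, Response Authenticator, attributes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator over the received packet."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; stop at the first malformed length rather than overread."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsas(packet: bytes) -> Dict[Tuple[int, int], bytes]:
    """Map (vendor_id, vendor_type) to value for every well-formed attribute 26."""
    vsas: Dict[Tuple[int, int], bytes] = {}
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        if vlen >= 2 and 4 + vlen <= len(value):
            vsas[(vendor_id, vtype)] = value[6:4 + vlen]
    return vsas


def context_for_subscriber(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """Context to bind the subscriber to, or None unless the packet is an
    authentic Access-Accept that carries a Context-Name."""
    if not verify_response(packet, request_auth, secret):
        return None                     # forged or altered reply: never act on it
    if packet[0] != ACCESS_ACCEPT:
        return None
    name = parse_vsas(packet).get((REDBACK_VENDOR_ID, REDBACK_CONTEXT_NAME))
    return name.decode("ascii") if name else None


if __name__ == "__main__":
    secret, req_auth = b"example-shared-secret", bytes(range(16))   # constructed values
    attrs = encode_vsa(REDBACK_VENDOR_ID, REDBACK_CONTEXT_NAME, b"wholesale-a")
    good = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, secret)
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, b"wrong-secret")
    print(context_for_subscriber(good, req_auth, secret))
    print(context_for_subscriber(forged, req_auth, secret))
```

The Request Authenticator must be the random 16 bytes the client put in its own Access-Request for that Identifier; a client that keeps it per outstanding request, as here, also rejects replayed replies for a different request. The comparison uses a constant-time compare so the check itself does not leak which bytes of the authenticator were right.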
Terminal Access Controller Access Control System Plus
The Terminal Access Controller Access Control System Plus (TACACS+) protocol secures remote access
to networks and network services and is based on a client/server architecture. The SmartEdge router can be
configured to act as a TACACS+ client. The use of TACACS+ replaces the need for local configuration of
user records, although we recommend a local configuration in case the remote server is unreachable. The
SmartEdge OS supports the TACACS+ features of OPIE, S/Key, and SecurID.
Note Before using TACACS+, the SmartEdge router must first be configured with the IP address
or hostname of one or multiple TACACS+ servers. TACACS+ servers are configured on a
per-context basis, with a limit of six servers per context.
Key Chains
Key chains allow you to control authentication keys used by various routing protocols in the system.
Currently, the SmartEdge OS supports the use of key chains with the Open Shortest Path First (OSPF),
Intermediate System-to-Intermediate System (IS-IS), and Virtual Router Redundancy Protocol (VRRP)
routing protocols. In the configuration process, you establish a name for each key chain, and an
identification for each key within the key chain.
Lawful Intercept
Lawful intercept (LI) enables service providers to mirror subscriber packets and send them to a mediation
system, which can be anywhere in the network. The SmartEdge OS can mirror packets from any circuit in
the system, at the ingress or egress point, and send the mirrored packets to the mediation system using a
User Datagram Protocol (UDP)/IP session.
Command Mode Hierarchy
Command modes exist in a hierarchy; that is, you must access the higher-level command mode before you
can access a lower-level command mode in the same chain.
Note For modes relevant to basic system features, see the Overview chapter in the Basic System
Configuration Guide for the SmartEdge OS. For modes relevant to configuring ports, circuits,
and tunnels, see the Overview chapter in the Ports, Circuits, and Tunnels Configuration
Guide for the SmartEdge OS. For modes relevant to routing protocol features, see the
Overview chapter in the Routing Protocols Configuration Guide for the SmartEdge OS.
Table 1-2 lists the command modes (in alphabetical order) that are relevant to IP services and security
features. It includes the commands to access each mode and the command-line prompt for each mode.
Table 1-2 Command Modes and Prompts
Mode Name | Commands Used to Access | Command-Line Prompt
exec | (user logon) | # or >
ANCP | router ancp command from context configuration mode | (config-ancp)#
ANCP neighbor | ancp neighbor command from ANCP configuration mode | (config-ancp-neighbor)#
access control list | ip access-list and policy access-list commands from context configuration mode | (config-access-list)#
ACL condition | condition time-range command from access control list configuration mode | (config-acl-condition)#
administrator | administrator command from context configuration mode | (config-administrator)#
ATM DS-3 | port atm command from global configuration mode | (config-atm-ds3)#
ATM OC | port atm command from global configuration mode | (config-atm-oc)#
ATM profile | atm profile command from global configuration mode | (config-atm-profile)#
ATM PVC | atm pvc command from ATM OC and ATM DS-3 configuration modes | (config-atm-pvc)#
ATMWFQ policy | qos policy atmwfq command from global configuration mode | (config-policy-atmwfq)#
card | card command from global configuration mode | (config-card)#
CLIPS PVC | clips pvc command from ATM PVC, dot1q PVC, and port configuration modes | (config-clips-pvc)#
congestion map | qos congestion-avoidance-map command from global configuration mode | (config-congestion-map)#
context | context command from global configuration mode | (config-ctx)#
DHCP giaddr | dhcp relay or dhcp proxy command from interface configuration mode | (config-dhcp-giaddr)#
DHCP relay server | dhcp relay server command from context configuration mode | (config-dhcp-relay)#
DHCP server | dhcp server command from context configuration mode | (config-dhcp-server)#
DHCP subnet | subnet command from context configuration mode | (config-dhcp-subnet)#
dynamic tunnel profile | dynamic tunnel profile command from Mobile IP configuration mode | (config-mip-dyn-tun1-profile)#
dot1q profile | dot1q profile command from global configuration mode | (config-dot1q-profile)#
dot1q PVC | dot1q pvc command from port configuration mode | (config-dot1q-pvc)#
DS-0 group | port ds0s command from global configuration mode | (config-ds0-group)#
DS-1 | port ds1 command from global configuration mode | (config-ds1)#
DS-3 | port channelized-ds3 and port ds3 commands from global configuration mode | (config-ds3)#
E1 | port e1 command from global configuration mode | (config-e1)#
E3 | port e3 command from global configuration mode | (config-e3)#
EDRR policy | qos policy edrr command from global configuration mode | (config-policy-edrr)#
FA | foreign-agent command from Mobile IP configuration mode | (config-fa)#
flow | flow admission-control profile command from global configuration mode | (config-ac-profile)#
forward policy | forward policy command from global configuration mode | (config-policy-frwd)#
Frame Relay PVC | frame-relay pvc command from DS-0 group, DS-1, DS-3, E1, E3, and port configuration modes | (config-fr-pvc)#
global | configure command from exec mode | (config)#
GRE tunnel | gre-tunnel command from tunnel map configuration mode | (config-gre-tunnel)#
HA peer | home-agent-peer command from FA configuration mode | (config-ha-peer)#
hierarchical node group | hierarchical node-group command from port configuration mode | (config-h-node)#
hierarchical node (1) | hierarchical qos node command from hierarchical node group configuration mode | (config-h-node)#
HTTP redirect profile | http-redirect profile command from context configuration mode | (config-hr-profile)#
HTTP redirect server | http-redirect server command from global configuration mode | (config-hr-server)#
interface | interface command from context configuration mode | (config-if)#
key chain | key-chain command from context configuration mode | (config-key-chain)#
L2TP peer | l2tp-peer command from context configuration mode | (config-l2tp)#
link group | link-group command from global configuration mode | (config-link-group)#
LI profile | li-profile command from global configuration mode | (config-liprofile)#
MDRR policy | qos policy mdrr command from global configuration mode | (config-policy-mdrr)#
metering policy | qos policy metering command from global configuration mode | (config-policy-metering)#
Mobile IP | router mobile-ip command from context configuration mode | (config-mip)#
Mobile IP interface | interface command from Mobile IP configuration mode | (config-mip-if)#
MPLS router | router mpls command from context configuration mode | (config-mpls)#
NAT policy | nat policy command from context configuration mode | (config-policy-nat)#
NAT pool | ip nat pool command from context configuration mode | (config-nat-pool)#
ND router | router nd command from context configuration mode | (config-nd)#
ND router interface | interface command from ND router configuration mode | (config-nd-if)#
NTP | ntp mode command from global configuration mode | (config-ntp)#
num-queues | num-queue command from queue map configuration mode | (config-num-queues)#
overhead profile | qos profile overhead command from global configuration mode | (config-profile-overhead)#
overhead type | type command from the overhead profile configuration mode | (config-type-overhead)#
parameter array loop | foreach command from service profile configuration mode | (config-param-array-loop)#
policing policy | qos policy policing command from global configuration mode | (config-policy-policing)#
policy group | access-group command from forward policy, NAT policy, metering policy, and policing policy configuration modes | (config-policy-group)#
policy group class | class command from policy group configuration mode | (config-policy-group-class)#
policy class rate | rate command from policy group class configuration mode | (config-policy-class-rate)#
policy rate | rate command from metering policy and policing policy configuration modes | (config-policy-rate)#
port | port channelized-OC12, port ethernet, and port pos commands from global configuration mode | (config-port)#
PQ policy | qos policy pq command from global configuration mode | (config-policy-pq)#
protocol policy | qos policy (protocol-rate-limit) command from global configuration mode | (config-policy-protocol)#
PWFQ policy | qos policy pwfq command from global configuration mode | (config-policy-pwfq)#
queue map | qos queue-map command from global configuration mode | (config-queue-map)#
RADIUS policy | radius policy command from global configuration mode | (config-rad-policy)#
radius service profile | radius service profile command from context configuration mode | (config-service-profile)#
service policy | service-policy command from global configuration mode | (config-policy-svc)#
software license | software license command from global configuration mode | (config-license)#
subscriber | subscriber command from context configuration mode | (config-sub)#
terminate error cause | radius attribute acct-terminate-cause remap command in global configuration mode | (config-term-ec)#
tunnel map | tunnel map command from global configuration mode | (config-tunnel-map)#
1. The prompt for this configuration mode is identical to the prompt for the hierarchical node group configuration mode.
Figure 1-2 shows the hierarchy of the command modes that are used to configure IP services and security
features.
Figure 1-2 Command Modes Related to IP Services and Security Features
Part 2
IP Service Protocols
This part describes the tasks and commands used to configure Address Resolution Protocol (ARP), the
Neighbor Discovery (ND) protocol, Network Time Protocol (NTP), Dynamic Host Configuration Protocol
(DHCP), and Access Node Control Protocol (ANCP). It consists of the following chapters:
Chapter 2, ARP Configuration
Chapter 3, ND Configuration
Chapter 4, NTP Configuration
Chapter 5, DHCP Configuration
Chapter 6, ANCP Configuration
Chapter 2
ARP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Address Resolution
Protocol (ARP) features.
For information about the tasks and commands used to monitor, troubleshoot, and administer ARP features,
see the ARP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The SmartEdge OS supports RFC 826, An Ethernet Address Resolution Protocol, also called Converting
Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware. In
addition, the SmartEdge OS supports the following features:
A configurable ARP entry age timer
The option to enable automatic deletion of dynamic ARP entries (as opposed to automatic refresh of the
ARP table)
The static IP ARP entry mapping of a unicast IP address to a multicast medium access control (MAC)
address
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure ARP, perform the tasks described in the following sections:
Enable ARP
Enable Secured ARP (Optional)
Enable Proxy ARP (Optional)
Configure Static Entries in the ARP Table (Optional)
Configure the Automatic Deletion of ARP Entries (Optional)
Set a Maximum Number of Incomplete ARP Entries (Optional)
Configure ARP Policy to Prevent DoS Attacks
Enable ARP
To enable ARP, perform the task described in Table 2-1.
Table 2-1 Enable ARP
Task | Root Command | Notes
Enable ARP. | ip arp arpa | Enter this command in interface configuration mode. By default, ARP is already enabled. Use the no form of this command to disable ARP.
Enable Secured ARP (Optional)
To enable secured ARP, perform the task described in Table 2-2. You can enable either secured ARP or
proxy ARP on an interface.
Table 2-2 Enable Secured ARP (Optional)
Task | Root Command | Notes
Enable secured ARP. | ip arp secured-arp | Enter this command in interface configuration mode. ARP must be enabled before you can enable secured ARP.
Enable Proxy ARP (Optional)
To enable proxy ARP, perform the task described in Table 2-3. You can enable either secured ARP or proxy
ARP on an interface.
Table 2-3 Enable Proxy ARP (Optional)
Task | Root Command | Notes
Enable proxy ARP. | ip arp proxy-arp | Enter this command in interface configuration mode. ARP must be enabled before you can enable proxy ARP.
Configure Static Entries in the ARP Table (Optional)
To configure static entries in the ARP table, perform the appropriate task described in Table 2-4. If you use
both commands to specify the same IP address and MAC address, the most recently updated command
takes precedence.
Table 2-4 Configure Static Entries in the ARP Table (Optional)
Task | Root Command | Notes
Configure an entry in the ARP table for a subscriber whose host cannot (or is not configured to) respond to ARP requests. | ip subscriber arp | Enter this command in subscriber configuration mode.
Configure an entry in the ARP table. | ip arp | Enter this command in context configuration mode.
Configure the Automatic Deletion of ARP Entries (Optional)
To configure the automatic deletion of ARP table entries, perform the tasks described in Table 2-5; enter
all commands in interface configuration mode.
Table 2-5 Configure the Automatic Deletion of ARP Entries
Task | Root Command | Notes
Configure the automatic deletion of ARP entries. | ip arp delete-expired |
Modify the length of time entries remain in the ARP table before being automatically deleted. | ip arp timeout | Optional. When you enable the ip arp delete-expired command, entries are deleted after 60 minutes by default.
Set a Maximum Number of Incomplete ARP Entries (Optional)
When requesting the MAC address that corresponds to a particular IP address for a subscriber circuit, the
SmartEdge OS creates an incomplete entry in the ARP table and sends an ARP request packet. On reply,
the entry is updated and completed. By default, the maximum number of incomplete entries that are
allowed in the ARP table is 4,294,967,295.
To set a maximum allowable number of incomplete entries, perform the task described in Table 2-6.
Table 2-6 Set a Maximum Number of Incomplete ARP Entries (Optional)
Task | Root Command | Notes
Set a maximum allowable number of incomplete ARP entries. | ip arp maximum incomplete-entries | Enter this command in context configuration mode.
Configure ARP Policy to Prevent DoS Attacks
To configure a subscriber circuit or port to prevent denial of service (DoS) attacks, perform the tasks
described in Table 2-7.
Configuration Examples
The following example enables secured ARP on the interface, intf-1:
[local]Redback(config-ctx)#interface intf-1
[local]Redback(config-if)#ip arp secured-arp
The following example creates a static entry in the ARP table for IP address 31.22.213.124 and
associates the IP address with the MAC address 43:32:23:32:12:82. After 4 minutes (240 seconds),
any ARP entry associated with the intf-2 interface is deleted from the ARP table:
[local]Redback(config-ctx)#ip arp 31.22.213.124 43:32:23:32:12:82
[local]Redback(config-ctx)#interface intf-2
[local]Redback(config-if)#ip arp delete-expired
[local]Redback(config-if)#ip arp timeout 240
Table 2-7 Configure a Subscriber Circuit or Circuits or Port to Prevent DoS ARP Attacks
# | Task | Root Command | Notes
1. | Enter protocol policy configuration mode. | qos policy (protocol-rate-limit) | Global configuration mode
2. | Create a rate limit and burst threshold on incoming ARP packets. | arp rate | Protocol policy configuration mode
3. | To configure a port for prevention of DoS ARP attacks, enter port configuration mode. | port | Global configuration mode
 | Apply the ARP policy to the port. | qos policy (protocol-rate-limit) | Port configuration mode
4. | To configure a subscriber circuit or circuits for prevention of DoS ARP attacks, enter the configuration mode for the default subscriber profile, a named subscriber profile, or an individual subscriber record. | subscriber | Context configuration mode. See the Basic System Configuration Guide for information on this command.
 | Apply the ARP policy to the subscriber profile or individual subscriber record. | qos policy (protocol-rate-limit) | Subscriber configuration mode
5. | To configure an 802.1Q PVC for prevention of DoS ARP attacks, enter dot1q PVC configuration mode. | port, encapsulation, dot1q pvc | Enter the encapsulation command with the dot1q keyword.
 | Apply the ARP policy to the 802.1Q PVC. | qos policy (protocol-rate-limit) | Dot1q PVC configuration mode
6. | To configure an access link group or an aggregated 802.1Q pseudocircuit in an access link group for prevention of DoS ARP attacks, enter access link group configuration mode or link PVC configuration mode within the link group. | link-group, encapsulation, dot1q pvc | Enter the link-group command with the access keyword. Enter the encapsulation command with the dot1q keyword.
 | Apply the ARP policy to the access link group or aggregated 802.1Q pseudocircuit. | qos policy (protocol-rate-limit) | Access link-group configuration mode or aggregated link PVC configuration mode
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ARP features.
The commands are presented in alphabetical order:
arp rate
ip arp
ip arp arpa
ip arp delete-expired
ip arp maximum incomplete-entries
ip arp proxy-arp
ip arp secured-arp
ip arp timeout
ip subscriber arp
arp rate
arp rate pps burst packets
Purpose
Creates a rate limit and burst threshold on incoming ARP packets.
Command Mode
protocol policy
Syntax Description
pps Rate in packets per second. The range of values is 1 to 2,500,000.
burst packets Burst tolerance in packets. The range of values is 1 to 25,000,000.
Default
No ARP rate limit.
Usage Guidelines
The arp rate command creates a rate limit and burst threshold on incoming ARP packets. Configure it
within a protocol-rate-limit QoS policy and then apply that policy to a port, a subscriber profile or
record, an 802.1Q PVC, or an access link group as described in Table 2-7.
Examples
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
Ethernet port 5/1:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#port ether 5/1
[local]Redback(config-port)#qos policy protocol-rate-limit ARPDOS
The following example shows the use of the arp rate command to rate-limit incoming ARP packets from
default subscriber circuits:
[local]Redback(config)#qos policy ARPDOS protocol-rate-limit
[local]Redback(config-policy-protocol)#arp rate 5000 burst 100000
[local]Redback(config-policy-protocol)#exit
[local]Redback(config)#subscriber default
[local]Redback(config-sub)#qos policy protocol-rate-limit ARPDOS
Related Commands
None
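The rate limit and burst tolerance above can be modelled as a token bucket, which shows how many ARP packets a policy such as arp rate 5000 burst 100000 passes during a flood and confirms that normal ARP load is untouched. This is an added example, not SmartEdge OS code; the token-bucket semantics (bucket size equal to the burst tolerance, refilled at pps tokens per second) and the arrival timestamps are assumptions constructed for the demonstration.

```python
"""Token-bucket model of an ARP protocol-rate-limit policy.

Added example, not SmartEdge OS code: it assumes that 'arp rate pps burst packets'
behaves as a token bucket whose size is the burst tolerance and that refills at
pps tokens per second. Arrival timestamps are constructed for the demonstration.
"""


class ArpRateLimiter:
    """One 'arp rate pps burst packets' policy applied to a single port."""

    def __init__(self, pps: int, burst: int) -> None:
        # Reject values outside the ranges documented for the arp rate command.
        if not 1 <= pps <= 2_500_000:
            raise ValueError("pps must be 1 to 2,500,000")
        if not 1 <= burst <= 25_000_000:
            raise ValueError("burst must be 1 to 25,000,000")
        self.pps = pps
        self.burst = burst
        self.tokens = float(burst)     # the bucket starts full
        self.last_arrival = 0.0
        self.accepted = 0
        self.dropped = 0

    def offer(self, now: float) -> bool:
        """Offer one ARP packet arriving at time 'now' (seconds, non-decreasing).

        Returns True if the packet is within the rate limit and False if it
        exceeds the limit and is dropped.
        """
        elapsed = now - self.last_arrival
        self.last_arrival = now
        # Refill at the sustained rate, never beyond the burst tolerance.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.pps)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.accepted += 1
            return True
        self.dropped += 1
        return False


def run_flood(pps: int, burst: int, flood_pps: int, seconds: int) -> tuple:
    """Feed a constructed, evenly spaced stream of ARP packets at flood_pps for
    'seconds' seconds through the limiter and return (accepted, dropped)."""
    limiter = ArpRateLimiter(pps, burst)
    interval = 1.0 / flood_pps
    for i in range(flood_pps * seconds):
        limiter.offer(i * interval)
    return limiter.accepted, limiter.dropped


if __name__ == "__main__":
    # The policy from the examples above: arp rate 5000 burst 100000.
    ok, lost = run_flood(5000, 100000, flood_pps=50000, seconds=10)
    print(f"flood of 500,000 ARP packets: {ok} accepted, {lost} dropped")
    ok, lost = run_flood(5000, 100000, flood_pps=1000, seconds=5)
    print(f"normal load of 5,000 ARP packets: {ok} accepted, {lost} dropped")
```

Under the 10-second flood the policy passes roughly the burst tolerance plus ten seconds' worth of the sustained rate (about 150,000 packets) and drops the rest, while a steady 1,000 pps never loses a packet.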
ip arp
ip arp ip-addr mac-addr [alias]
no ip arp ip-addr mac-addr [alias]
Purpose
Associates an IP address with a medium access control (MAC) address and creates a corresponding entry
in the Address Resolution Protocol (ARP) table.
Command Mode
context configuration
Syntax Description
ip-addr Host IP address in the form A.B.C.D.
mac-addr MAC address of the host in the form hh:hh:hh:hh:hh:hh.
alias Optional. Configures the system to respond to ARP requests for the IP address.
Default
No entry is created in the ARP table.
Usage Guidelines
Use the ip arp command to associate an IP address with a MAC address and create a corresponding entry
in the ARP table.
Note If you enter both this command and the ip subscriber arp command (in subscriber configuration
mode) and specify the same IP address and MAC address, the most recently updated command takes
precedence. Only the circuit and interface are updated in the ARP table.
Use the no form of this command to remove an entry from the configuration and from the ARP table.
Examples
The following example associates IP address, 31.22.213.124, with the MAC address,
00:30:23:32:12:82, and creates a corresponding entry in the ARP table:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip arp 31.22.213.124 00:30:23:32:12:82
Related Commands
ip subscriber arp
ip arp arpa
ip arp arpa
{no | default} ip arp arpa
Purpose
Enables the standard Address Resolution Protocol (ARP) on this interface.
Command Mode
interface configuration
Syntax Description
This command has no keywords or arguments.
Default
Standard ARP is enabled.
Usage Guidelines
Use the ip arp arpa command to enable standard ARP on this interface.
Use the no form of this command to disable standard ARP on this interface.
Use the default form of this command to enable standard ARP on this interface.
Examples
The following example disables standard ARP on the toToronto interface at IP address, 10.20.1.1:
[local]Redback(config-ctx)#interface toToronto
[local]Redback(config-if)#ip address 10.20.1.1 255.255.255.0
[local]Redback(config-if)#no ip arp arpa
Related Commands
ip arp
ip arp delete-expired
ip arp delete-expired
{no | default} ip arp delete-expired
Purpose
Enables the automatic deletion of expired dynamic Address Resolution Protocol (ARP) entries associated
with this interface from the ARP table.
Command Mode
interface configuration
Syntax Description
This command has no keywords or arguments.
Default
Automatic deletion is disabled.
Usage Guidelines
Use the ip arp delete-expired command to enable the automatic deletion of expired dynamic ARP entries
associated with this interface from the ARP table. Entries are deleted after they have been in the ARP table
for the amount of time specified by the ip arp timeout command (in interface configuration mode). If the
ip arp timeout command is not configured, the default value of 3,600 seconds (60 minutes) is used.
If you do not enable automatic deletion of expired dynamic ARP entries, expired entries are treated
differently depending on the value of the seconds argument in the ip arp timeout command. If the value
of the seconds argument is greater than 70, an ARP entry is refreshed unless no ARP reply is received in
response to the refresh request packet. In that case, the entry is removed from the cache. If the value of the
seconds argument is less than 70, expired entries are removed from the cache.
Use the no or default form of this command to disable the automatic deletion of expired entries.
Examples
The following example configures the system to automatically delete expired dynamic ARP entries on the
toBoston interface at IP address, 10.30.2.1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface toBoston
[local]Redback(config-if)#ip address 10.30.2.1 255.255.255.0
[local]Redback(config-if)#ip arp delete-expired
Related Commands
ip arp maximum incomplete-entries
ip arp timeout
ip arp maximum incomplete-entries
ip arp maximum incomplete-entries num-entries
{no | default} ip arp maximum incomplete-entries
Purpose
Sets a maximum allowable number of incomplete entries for subscriber circuits that can exist in the
Address Resolution Protocol (ARP) table for the context.
Command Mode
context configuration
Syntax Description
num-entries Maximum number of incomplete entries in the ARP table. The range of values is 1 to
4,294,967,295; the default value is 4,294,967,295.
Default
The maximum number of incomplete entries for subscriber circuits in the ARP table is 4,294,967,295.
Usage Guidelines
Use the ip arp maximum incomplete-entries command to set a maximum allowable number of
incomplete entries for subscriber circuits that can exist in the ARP table for the context.
When requesting the medium access control (MAC) address that corresponds to a particular IP address, the
SmartEdge OS creates an incomplete entry in the ARP table and sends an ARP request packet. On reply,
the entry is updated and complete. Limiting the number of incomplete entries bounds the ARP table space
that unanswered requests for subscriber circuits can occupy.
Use the no or default form of this command to return to the default setting of a maximum of 4,294,967,295
incomplete entries for subscriber circuits in the ARP table.
Examples
The following example limits the number of incomplete entries in the ARP table to 250 for the local
context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip arp maximum incomplete-entries 250
Related Commands
ip arp delete-expired
ip arp timeout
ip arp proxy-arp
ip arp proxy-arp [always]
{no | default} ip arp proxy-arp
Purpose
Enables the proxy Address Resolution Protocol (ARP) on this interface.
Command Mode
interface configuration
Syntax Description
always Optional. Indicates that proxy ARP must be functional for multiple hosts on the same circuit.
Default
Proxy ARP is disabled.
Usage Guidelines
Use the ip arp proxy-arp command to enable proxy ARP on this interface. When enabled, the SmartEdge
router acts as an ARP proxy for hosts that are not on the same interface as the ARP request sender.
Note You must enable standard ARP on this interface before you can enable proxy ARP; by default,
standard ARP is enabled.
Proxy ARP and secured ARP are mutually exclusive services for an interface; enabling either service for
an interface automatically disables the other service for that interface.
Use the always keyword to enable proxy ARP for multiple hosts that reside on the same circuit; if not
specified, this capability is limited to hosts on individual circuits.
Note To disable only the support for multiple hosts on the same circuit, you must first disable proxy
ARP, and then enable it without the always keyword.
Use the no or default form of this command to disable proxy ARP on this interface.
Examples
The following example enables proxy ARP on the fromBoston interface at IP address, 10.2.3.4, for
all hosts on the circuit:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface fromBoston
[local]Redback(config-if)#ip address 10.2.3.4 255.255.255.0
[local]Redback(config-if)#ip arp proxy-arp always
Related Commands
ip arp arpa
ip arp secured-arp
ip arp secured-arp [always]
{no | default} ip arp secured-arp
Purpose
Enables the secured Address Resolution Protocol (ARP) on a specified interface.
Command Mode
interface configuration
Syntax Description
always Optional. Indicates that secured ARP must be functional for multiple hosts on the same circuit.
Default
Secured ARP is disabled.
Usage Guidelines
Use the ip arp secured-arp command to enable secured ARP on a specified interface.
Note You must enable standard ARP on this interface before you can enable secured ARP; by
default, standard ARP is enabled.
Secured ARP and proxy ARP are mutually exclusive services for an interface; enabling either service for
an interface automatically disables the other service for the same interface.
Use the always keyword to enable secured ARP for multiple hosts that reside on the same circuit; if not
specified, this capability is limited to hosts on individual circuits.
When secured ARP is enabled, ARP requests received on an interface are not answered unless the request
comes from the circuit known to contain the requesting host. ARP requests are sent by the interface only
on the circuit known to contain the target host, and are not flooded to all circuits bound to an interface.
Note To disable only the support for multiple hosts on the same circuit, you must first disable
secured ARP, and then enable it without the always keyword.
Use the no or default form of this command to disable secured ARP on this interface.
Examples
The following example enables secured ARP on the interface, sec-arp, at IP address, 10.1.1.1, for all
hosts on the circuit:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface sec-arp
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0
[local]Redback(config-if)#ip arp secured-arp always
Related Commands
ip arp arpa
ip arp timeout
ip arp timeout seconds
{no | default} ip arp timeout
Purpose
Configures how long Address Resolution Protocol (ARP) entries remain in the ARP table before automatic
deletion (if configured).
Command Mode
interface configuration
Syntax Description
seconds Number of seconds after which an ARP entry is deleted from the ARP table. The range of
values is 0 to 4,294,967; the default value is 3,600.
Default
ARP entries remain in the table for 3,600 seconds (one hour).
Usage Guidelines
Use the ip arp timeout command to specify how long ARP entries remain in the ARP table.
If you do not use the ip arp delete-expired command (in interface configuration mode) to enable the
automatic deletion of expired dynamic ARP entries, expired entries are treated differently depending on the
value of the seconds argument in the ip arp timeout command. If the value of the seconds argument is
greater than 70, an ARP entry is refreshed unless no ARP reply is received in response to the refresh request
packet. In that case, the entry is removed from the cache. If the value of the seconds argument is less than
70, expired entries are removed from the cache.
Use the no or default form of this command to restore the timeout setting to its default value of 3,600
seconds.
Examples
The following example sets the ARP timeout value for the toToronto interface at IP address,
10.30.2.1, to two hours (7200 seconds):
[local]Redback(config-ctx)#interface toToronto
[local]Redback(config-if)#ip address 10.30.2.1 255.255.255.0
[local]Redback(config-if)#ip arp timeout 7200
Related Commands
ip arp arpa
ip arp delete-expired
ip arp proxy-arp
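The expiry rules that the usage guidelines for ip arp delete-expired and ip arp timeout share, written out as one small model so that the refresh-versus-remove boundary at 70 seconds is explicit. This is an added example, not SmartEdge OS code; the ArpCache class, its method names, the reply lookup and the sample entries are constructed for illustration.

```python
"""Model of how an expired dynamic ARP entry is handled on a SmartEdge interface,
following the rules stated for ip arp delete-expired and ip arp timeout.

Added example, not SmartEdge OS code. The ArpCache class, its method names, the
reply lookup and the sample entries are constructed for illustration.
"""

DEFAULT_TIMEOUT = 3600      # ip arp timeout default: 3,600 seconds (one hour)
REFRESH_THRESHOLD = 70      # documented boundary between refresh and remove


def expired_entry_action(delete_expired: bool, timeout: int,
                         reply_received: bool) -> str:
    """Return 'deleted' or 'refreshed' for one expired dynamic ARP entry.

    reply_received models whether the refresh request packet, which is only
    sent in the 'timeout greater than 70' case, is answered by an ARP reply.
    """
    if delete_expired:
        # ip arp delete-expired: the entry is removed once the timeout elapses.
        return "deleted"
    if timeout > REFRESH_THRESHOLD:
        # Long timeout: refresh, and remove only if no reply comes back.
        return "refreshed" if reply_received else "deleted"
    # Short timeout (less than 70): expired entries are removed. A timeout of
    # exactly 70 is not specified on the page; this model groups it here.
    return "deleted"


class ArpCache:
    """Dynamic ARP entries for one interface, keyed by IP address."""

    def __init__(self, timeout: int = DEFAULT_TIMEOUT,
                 delete_expired: bool = False) -> None:
        if not 0 <= timeout <= 4_294_967:
            raise ValueError("timeout must be 0 to 4,294,967 seconds")
        self.timeout = timeout
        self.delete_expired = delete_expired
        self.entries = {}           # ip -> (mac, time the entry was learned)

    def learn(self, ip: str, mac: str, now: int) -> None:
        """Record a dynamic entry learned from an ARP reply at time 'now'."""
        self.entries[ip] = (mac, now)

    def age(self, now: int, replies: dict) -> dict:
        """Apply the expiry rules at time 'now'.

        replies maps ip -> bool, whether a refresh request for that IP would be
        answered. Returns {ip: action} for every entry that had expired.
        """
        actions = {}
        for ip, (mac, learned_at) in list(self.entries.items()):
            if now - learned_at < self.timeout:
                continue                      # still within its timeout
            action = expired_entry_action(self.delete_expired, self.timeout,
                                          replies.get(ip, False))
            actions[ip] = action
            if action == "deleted":
                del self.entries[ip]
            else:
                self.entries[ip] = (mac, now)  # refreshed: timer restarts
        return actions


if __name__ == "__main__":
    # Constructed entries on an interface configured with 'ip arp timeout 240'
    # and without 'ip arp delete-expired'.
    cache = ArpCache(timeout=240)
    cache.learn("10.30.2.10", "00:30:23:32:12:82", now=0)
    cache.learn("10.30.2.11", "00:30:23:32:12:83", now=100)
    print(cache.age(now=240, replies={"10.30.2.10": True}))
```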
ip subscriber arp
ip subscriber arp ip-addr mac-addr
no ip subscriber arp ip-addr
Purpose
Creates an entry in the Address Resolution Protocol (ARP) cache for a subscriber whose host cannot (or is
not configured to) respond to ARP requests.
Command Mode
subscriber configuration
Syntax Description
ip-addr IP address of the subscriber's host.
mac-addr Medium access control (MAC) address of the subscriber's host.
Default
None
Usage Guidelines
Use the ip subscriber arp command to create an entry in the ARP cache for a subscriber whose host cannot
(or is not configured to) respond to ARP requests.
Note This command is available only if you are configuring a named subscriber record and is only
relevant for circuits with RFC 1483 bridged encapsulation.
Note If you enter both the ip subscriber arp and the ip arp commands (in subscriber and context
configuration modes, respectively), and specify the same IP address and MAC address, the
most recently updated command takes precedence. Only the circuit and interface are updated
in the ARP table.
Use the no form of this command to remove the specified entry.
Examples
The following example configures an ARP cache entry for a host with IP address, 10.1.1.1, and
hardware address, d3:9f:23:46:77:13, for the NoGrokARPs subscriber. The entry is installed into the
ARP cache of the appropriate interface when the circuit is brought up:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name NoGrokARPs
[local]Redback(config-sub)#ip address 10.1.1.1
[local]Redback(config-sub)#ip subscriber arp 10.1.1.1 d3:9f:23:46:77:13
Related Commands
ip arp
Chapter 3
ND Configuration
The SmartEdge routers use the Neighbor Discovery (ND) protocol for IP Version 6 (IPv6) to determine
the link-layer addresses for neighbors known to reside on attached links and to quickly purge cached values
that become invalid. This chapter describes the tasks and commands used to configure the ND protocol
through the SmartEdge OS.
For information about the tasks and commands used to monitor, troubleshoot, and administer the ND
protocol, see the ND Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The IPv6 ND protocol for the SmartEdge OS corresponds to a combination of the IPv4 Address Resolution
Protocol (ARP) and Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP). The
ND protocol is described in RFC 2461, Neighbor Discovery for IP Version 6 (IPv6).
Note When IPv6 addresses are not referenced or explicitly specified, the term, IP address, can refer
generally to IP Version 4 (IPv4) addresses, IPv6 addresses, or IP addressing. In instances
where IPv6 addresses are referenced or explicitly specified, the term, IP address, refers only
to IPv4 addresses. For a description of IPv6 addressing and the types of IPv6 addresses, see
RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture.
The ND protocol provides many improvements over the IPv4 set of protocols, some of which are included
here:
• Router advertisement messages carry link-layer addresses; no additional packet exchange is needed to
resolve the router's link-layer address.
• Router advertisement messages carry prefixes for a link; there is no need to have a separate mechanism
to configure the netmask.
• Router advertisement messages enable address autoconfiguration.
• Routers can advertise a maximum transmission unit (MTU) for use on the link, ensuring that all nodes
use the same MTU value on links that lack a well-defined MTU.
• Address resolution multicasts are spread over 4 billion (2^32) multicast addresses, greatly reducing
address resolution related interrupts on nodes other than the target node. Moreover, non-IPv6 routers
should not be interrupted at all.
• Multiple prefixes can be associated with the same link. Routers can be configured to omit some or all
prefixes from Router Advertisement messages. In such cases, hosts assume that destinations are off-link
and send traffic to routers.
• Neighbor Unreachability Detection is part of the base protocol, significantly improving the robustness
of packet delivery in the presence of failing routers, partially failing or partitioned links, and nodes that
change their link-layer addresses.
• Unlike ARP, ND detects half-link failures (using Neighbor Unreachability Detection) and avoids
sending traffic to neighbors with which two-way connectivity is absent.
• Unlike in IPv4 Router Discovery, the Router Advertisement messages do not contain a preference field.
The preference field is not needed to handle routers of different stability; the Neighbor Unreachability
Detection detects a dead router and switches to a working one.
• Requiring the hop limit to be equal to 255 makes ND immune to off-link senders that accidentally or
intentionally send ND messages. In IPv4, off-link senders can send Router Advertisement messages.
• Placing address resolution at the ICMP layer makes the ND protocol more media-independent than
ARP and makes it possible to use standard IP authentication and security mechanisms as appropriate.
Configuration Tasks
To configure an ND router, perform the tasks described in Table 3-1; enter all commands in ND router
configuration mode, unless otherwise noted. For more information about the context, interface, and ipv6
address commands (in global, context, and interface configuration modes, respectively), see the Context
Configuration and Interface Configuration chapters in the Basic System Configuration Guide for the
SmartEdge OS.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure an interface for an ND router, perform the tasks described in Table 3-2; enter all commands
in ND router interface configuration mode, unless otherwise noted.
Table 3-1 Configure an ND Router
# | Task | Root Command | Notes
1. | Create or select the context for the ND router. | context | Enter this command in global configuration mode.
2. | Create the interface for the ND router. | interface | Enter this command in context configuration mode.
3. | Specify an IPv6 IP address for the interface. | ipv6 address | Enter this command in interface configuration mode.
4. | Create the ND router and access ND router configuration mode. | router nd | Enter this command in context configuration mode.
5. | Optional. Configure global settings for the ND router using one or more of the following tasks, in any order: | |
   | Specify the value for the Retrans Timer field. | ns-retry-interval |
   | Specify the value for the Preferred Lifetime field. | preferred-lifetime |
   | Configure RA messages. | ra | You can enter this command multiple times to configure different parameters.
   | Specify the value for the Reachable Time field. | reachable-time |
   | Specify the value for the Valid Lifetime field. | valid-lifetime |
Table 3-2 Configure an ND Router Interface
# | Task | Root Command | Notes
1. | Select the context for the ND router. | context | Enter this command in global configuration mode.
2. | Select the ND router and access ND router configuration mode. | router nd | Enter this command in context configuration mode.
3. | Select an existing interface and access ND router interface configuration mode. | interface | Enter this command in ND router configuration mode.
4. | Optional. Configure the settings for this interface using one or more of the following tasks, in any order: | | Unspecified settings default to the ND router global settings.
   | Specify the value for the Retrans Timer field. | ns-retry-interval |
   | Specify the value for the Preferred Lifetime field. | preferred-lifetime |
   | Configure RA messages. | ra | You can enter this command multiple times to configure different parameters.
   | Specify the value for the Reachable Time field. | reachable-time |
   | Specify the value for the Valid Lifetime field. | valid-lifetime |
5. | Specify a static neighbor for this interface. | neighbor | You can enter this command multiple times.
6. | Configure a prefix to be advertised for this interface. | prefix | You can enter this command multiple times.
Configuration Examples
The following example configures an ND router in the local context and the int1 interface for the ND
router:
! Create or select the context
[local]Redback(config)#context local
! Create the interface with an IPv6 IP address
[local]Redback(config-ctx)#interface int1
[local]Redback(config-if)#ipv6 address 2005::1/64
[local]Redback(config-if)#exit
! Create the ND router; specify global parameters for all ND interfaces in this context
! The global settings override the default settings
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ns-retry-interval 100
[local]Redback(config-nd)#preferred-lifetime 43200
[local]Redback(config-nd)#ra interval 60
[local]Redback(config-nd)#ra lifetime 360
[local]Redback(config-nd)#reachable-time 1800
[local]Redback(config-nd)#valid-lifetime 43200
! Select an interface
[local]Redback(config-nd)#interface int1
! Specify interface-specific parameters; the interface settings override the global settings
[local]Redback(config-nd-if)#ns-retry-interval 20
[local]Redback(config-nd-if)#preferred-lifetime 2880
[local]Redback(config-nd-if)#ra suppress
[local]Redback(config-nd-if)#valid-lifetime 2880
! Specify one or more static neighbors for this interface
[local]Redback(config-nd-if)#neighbor 2006::1/64 00:30:88:00:0a:30
! Specify one or more prefixes and their parameters; the prefix settings override the interface settings
[local]Redback(config-nd-if)#prefix 2006::1/64 no-autoconfig no-onlink preferred-lifetime 360 valid-lifetime 360
[local]Redback(config-nd-if)#prefix 2007::/112
[local]Redback(config-nd-if)#
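The three-level precedence used in the example above (prefix settings override interface settings, which override the ND router's global settings, which override the documented defaults) can be resolved in code to see exactly which lifetimes each prefix is advertised with. This is an added example, not SmartEdge OS code; the dict-based settings, the function names and the constructed mirror of the example configuration are assumptions, and the lifetime consistency check follows RFC 2461 rather than anything stated on this page.

```python
"""Resolve the effective ND parameters from the three configuration levels the
guide describes: ND router (global), ND router interface, and per-prefix.

Added example, not SmartEdge OS code. Settings are modelled as dicts keyed by
the command names; None or a missing key means 'not configured'. The defaults
are the ones stated in the command descriptions. The consistency check on the
lifetimes follows RFC 2461, which requires that the Preferred Lifetime in a
Prefix Information option does not exceed the Valid Lifetime.
"""

# Defaults stated in the command descriptions.
DEFAULTS = {
    "ns-retry-interval": 0,          # Retrans Timer, milliseconds; 0 = unspecified
    "preferred-lifetime": 604_800,   # seconds, 7 days
    "valid-lifetime": 2_592_000,     # seconds, 30 days
}

# Only these fields can be overridden on the prefix command.
PREFIX_FIELDS = ("preferred-lifetime", "valid-lifetime")


def resolve(name, *levels):
    """Return the first configured value for 'name', most specific level first,
    falling back to the documented default."""
    for level in levels:
        value = level.get(name)
        if value is not None:
            return value
    return DEFAULTS[name]


def effective_interface_settings(global_cfg, iface_cfg):
    """Interface settings override global settings; unspecified interface
    settings default to the global settings, which default to DEFAULTS."""
    return {name: resolve(name, iface_cfg, global_cfg) for name in DEFAULTS}


def effective_prefix_settings(global_cfg, iface_cfg, prefixes):
    """Return {prefix: {field: value}} with the lifetimes each advertised prefix
    carries, applying prefix > interface > global > default precedence.

    Raises ValueError when the resolved Preferred Lifetime exceeds the Valid
    Lifetime, which happens easily when only one of the two is set at a level
    and the other is inherited from a longer-lived default.
    """
    result = {}
    for prefix, prefix_cfg in prefixes.items():
        settings = {name: resolve(name, prefix_cfg, iface_cfg, global_cfg)
                    for name in PREFIX_FIELDS}
        if settings["preferred-lifetime"] > settings["valid-lifetime"]:
            raise ValueError(
                f"{prefix}: preferred-lifetime {settings['preferred-lifetime']} "
                f"exceeds valid-lifetime {settings['valid-lifetime']}")
        result[prefix] = settings
    return result


# Constructed mirror of the configuration example above.
GLOBAL_CFG = {"ns-retry-interval": 100, "preferred-lifetime": 43200,
              "valid-lifetime": 43200}
INT1_CFG = {"ns-retry-interval": 20, "preferred-lifetime": 2880,
            "valid-lifetime": 2880}
INT1_PREFIXES = {
    "2006::1/64": {"preferred-lifetime": 360, "valid-lifetime": 360},
    "2007::/112": {},                # inherits the interface lifetimes
}

if __name__ == "__main__":
    print(effective_interface_settings(GLOBAL_CFG, INT1_CFG))
    for pfx, cfg in effective_prefix_settings(GLOBAL_CFG, INT1_CFG,
                                              INT1_PREFIXES).items():
        print(pfx, cfg)
```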
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure the ND
protocol. The commands are presented in alphabetical order:
interface
neighbor
ns-retry-interval
preferred-lifetime
prefix
ra
reachable-time
router nd
valid-lifetime
interface
interface if-name [disable-on-address-collision]
no interface if-name
Purpose
Selects the interface to be configured for the Neighbor Discovery (ND) protocol and accesses ND router
interface configuration mode.
Command Mode
ND router configuration
Syntax Description
if-name Name of the ND router interface.
disable-on-address-collision Optional. Shuts down the interface if an IP address collision occurs.
The default is not to shut down the interface.
Default
None
Usage Guidelines
Use the interface command to select the interface to be configured for the ND router protocol and access
ND router interface configuration mode.
You must have already created the interface with the interface command (in context configuration mode).
You must also have assigned an IPv6 IP address to it with the ipv6 address command (in interface
configuration mode). Both commands are described in the Interface Configuration chapter in the Basic
System Configuration Guide for the SmartEdge OS.
The interface inherits the default ND parameters and any global ND parameters that you have configured
for the ND router. To configure an ND parameter specific to this interface, enter the appropriate command
in ND router interface configuration mode.
Use the disable-on-address-collision keyword to shut down the interface if an IP address collision occurs.
The system brings up the interface after the collision is no longer detected.
Use the no form of this command to delete the ND router configuration for the specified interface.
Examples
The following example selects the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#
Related Commands
neighbor
preferred-lifetime
prefix
ra
reachable-time
router nd
valid-lifetime
neighbor
neighbor ipv6-addr mac-addr
no neighbor ipv6-addr mac-addr
Purpose
Specifies a static neighbor for this Neighbor Discovery (ND) router interface.
Command Mode
ND router interface configuration
Syntax Description
ipv6-addr IPv6 address for this neighbor in the format A:B:C:D:E:F:G:H.
mac-addr Medium access control (MAC) address for this neighbor.
Default
No static neighbors are specified for any interface.
Usage Guidelines
Use the neighbor command to specify a static neighbor for this ND router interface. Enter this command
multiple times to configure more than one neighbor.
Use the no form of this command to delete the neighbor from the configuration for this ND router interface.
Examples
The following example specifies a neighbor with IPv6 address, 2006::1/112, and MAC address,
00:30:88:00:0a:30, for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#neighbor 2006::1/112 00:30:88:00:0a:30
Related Commands
prefix
ra
reachable-time
ns-retry-interval
ns-retry-interval retrans-timer
{no | default} ns-retry-interval
Purpose
Specifies the value for the Retrans Timer field.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
retrans-timer Value for the Retrans Timer field (in milliseconds). The range of values is
0 to 4,294,967,295; the default value is 0.
Default
The Retrans Timer field is 0 (unspecified).
Usage Guidelines
Use the ns-retry-interval command to specify the value for the Retrans Timer field. In ND router
configuration mode, this command specifies the global value for all interfaces; in ND router interface
configuration mode, it specifies the value for this Neighbor Discovery (ND) router interface. If specified,
the setting for the interface overrides the global setting.
Use the no or default form of this command to specify the default value for the Retrans Timer field.
Examples
The following example specifies 100 milliseconds for the Retrans Timer field for the ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ns-retry-interval 100
The following example specifies 20 milliseconds for the Retrans Timer field for the ND router interface,
int1, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#ns-retry-interval 20
Related Commands
None
preferred-lifetime
preferred-lifetime preferred-lifetime
{no | default} preferred-lifetime
Purpose
Specifies the value for the Preferred Lifetime field.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
preferred-lifetime Value for the Preferred Lifetime field (in seconds). The range of values is 0 to
4,294,967,295; the default value is 604,800 seconds (7 days).
Default
The preferred lifetime is seven days.
Usage Guidelines
Use the preferred-lifetime command to specify the value for the Preferred Lifetime field. In ND router
configuration mode, this command specifies the global value for all interfaces; in ND router interface
configuration mode, it specifies the value for this Neighbor Discovery (ND) router interface. If specified,
the setting for the interface overrides the global setting.
Use the no or default form of this command to specify the default value.
Examples
The following example specifies a preferred lifetime of 43200 seconds (12 hours) for all interfaces for this
ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#preferred-lifetime 43200
The following example specifies a preferred lifetime of 2880 seconds (48 minutes) for the int1 ND router
interface, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#preferred-lifetime 2880
Related Commands
prefix
valid-lifetime
prefix
prefix ipv6-prefix/length [no-autoconfig] [no-onlink] [preferred-lifetime preferred-lifetime]
[valid-lifetime valid-lifetime]
{no | default} prefix ipv6-prefix/length
Purpose
Configures a prefix to be advertised for this Neighbor Discovery (ND) router interface.
Command Mode
ND router interface configuration
Syntax Description
ipv6-prefix Prefix for the IPv6 address for this ND router interface in the
format A:B:C:D:E:F:G:H.
length Number of prefix bits. The range of values is 0 to 128.
no-autoconfig Optional. Sets the autonomous address configuration flag to not
use this prefix for automatic configuration; this is the default.
no-onlink Optional. Sets the on-link flag to not use this prefix for on-link
determination; this is the default.
preferred-lifetime preferred-lifetime Optional. Preferred lifetime for this prefix (in seconds). The
range of values is 0 to 4,294,967,295; the default value is
604,800 seconds (7 days).
valid-lifetime valid-lifetime Optional. Valid lifetime for this prefix (in seconds). The range
of values is 0 to 4,294,967,295; the default value is 2,592,000
seconds (30 days).
Default
No prefix is configured for any ND router interface.
Usage Guidelines
Use the prefix command to configure a prefix to be advertised for this ND router interface. Enter this
command multiple times to configure more than one prefix.
Use the optional keywords and constructs to define the fields in the Prefix Information option for this
prefix:
• no-autoconfig: Sets the autonomous address configuration flag in the Prefix Information option to
FALSE.
• no-onlink: Sets the on-link flag to FALSE.
• preferred-lifetime: Specifies the value for the Preferred Lifetime field.
• valid-lifetime: Specifies the value for the Valid Lifetime field.
The values for the preferred-lifetime preferred-lifetime and valid-lifetime valid-lifetime constructs
override the values for the interface that you specified with the preferred-lifetime and valid-lifetime
commands (in ND router interface configuration mode).
Keep the preferred lifetime less than or equal to the valid lifetime: a host that follows RFC 4862 ignores a
Prefix Information option whose preferred lifetime exceeds its valid lifetime, so the prefix is never used.
Use the no or default form of this command to delete the specified prefix from this interface configuration.
Examples
The following example configures the 5555:bbbb::22/64 prefix for the int1 ND router interface with the
autonomous address configuration and on-link flags cleared and both lifetimes set to 360 seconds:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#prefix 5555:bbbb::22/64 no-autoconfig no-onlink preferred-lifetime 360 valid-lifetime 360
Related Commands
preferred-lifetime
ra
valid-lifetime
ra
When entered in ND router configuration mode, the syntax is:
ra {interval ra-interval | lifetime ra-lifetime | managed-config | other-config | suppress}
{no | default} ra {interval | lifetime | managed-config | other-config | suppress}
When entered in ND router interface configuration mode, the syntax is:
ra {enable | interval ra-interval | lifetime ra-lifetime | managed-config | other-config | suppress}
{no | default} ra {enable | interval | lifetime | managed-config | other-config | suppress}
Purpose
Configures options and settings for router advertisement (RA) messages.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
enable Enables the sending of RA messages for this Neighbor Discovery (ND)
router interface. This keyword is not available in ND router configuration
mode.
interval ra-interval Optional. RA interval between transmissions (in seconds). The range of
values is 5 to 600; the default value is 200 seconds.
lifetime ra-lifetime Optional. RA lifetime (in seconds). The range of values is 30 to 36,000; the
default value is 1,800 seconds.
managed-config Optional. Sets the managed-address configuration flag in RA messages to
TRUE; the default value is not set (FALSE).
other-config Optional. Sets the other-stateful configuration flag in RA messages to TRUE;
the default value is not set (FALSE).
suppress Optional. Specifies that RA messages be suppressed; the default value is not
suppressed.
Default
RA messages are not configured for any ND router or ND router interface.
Usage Guidelines
Use the ra command to configure options and settings for RA messages. In ND router configuration mode,
this command configures RA for all interfaces; in ND router interface mode, it configures RA for this ND
router interface. If specified, the interface parameters override the global parameters. Enter this command
multiple times to configure more than one parameter.
The RA lifetime is how long hosts keep this router as a default router after the last advertisement they
received, so it must exceed the RA interval; with the defaults (200 seconds interval, 1,800 seconds lifetime)
hosts tolerate several missed advertisements before dropping the router.
Use the no or default form of this command to remove RA messages from the configuration for this ND
router or ND router interface.
Examples
The following example configures RA for this ND router with an advertisement interval of 60 seconds and
a lifetime of six minutes (360 seconds):
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#ra interval 60
[local]Redback(config-nd)#ra lifetime 360
The following example suppresses RA for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#ra suppress
Related Commands
prefix
reachable-time
reachable-time
reachable-time duration
{no | default} reachable-time
Purpose
Specifies the value for the Reachable Time field in Router Advertisement (RA) messages.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
duration Value for the Reachable Time field (in milliseconds). The range of values is 0 to
3,600,000; the default value is 0 (unspecified).
Default
The duration is unspecified in any RA messages.
Usage Guidelines
Use the reachable-time command to specify the value for the Reachable Time field in RA messages. This
value is the time this Neighbor Discovery (ND) router or ND router interface assumes that a neighbor is
reachable. In ND router configuration mode, this command specifies the global value for all interfaces; in
ND router interface mode, it specifies the value for this ND router interface. If specified, the parameters for
an interface override the global parameters.
Use the no or default form of this command to specify the default duration.
Examples
The following example specifies a reachable time of 1800 milliseconds for all interfaces for the ND router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#reachable-time 1800
The following example specifies a reachable time of 3600 milliseconds for the int1 ND router interface:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#reachable-time 3600
Related Commands
neighbor
ra
router nd
router nd
no router nd
Purpose
Creates or selects a Neighbor Discovery (ND) router and accesses ND router configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
No ND router is created.
Usage Guidelines
Use the router nd command to create or select an ND router and access ND router configuration mode.
You can create a single ND router in each context.
Use the no form of this command to remove the ND router from the configuration; the no form also
removes the ND-specific configuration from any interfaces in this context.
Examples
The following example creates an ND router in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
Related Commands
interface
valid-lifetime
valid-lifetime lifetime
{no | default} valid-lifetime
Purpose
Specifies the value for the Valid Lifetime field in the Prefix Information option.
Command Mode
ND router configuration
ND router interface configuration
Syntax Description
lifetime Value for the Valid Lifetime field (in seconds). The range of values is 0 to
4,294,967,295; the default value is 2,592,000 seconds (30 days).
Default
The valid lifetime is 30 days.
Usage Guidelines
Use the valid-lifetime command to specify the value for the Valid Lifetime field in the Prefix Information
option. In ND router configuration mode, this command specifies the global value for all interfaces; in ND
router interface mode, it specifies the value for this ND router interface. If specified, the setting for the
interface overrides the global setting.
The maximum value, 4,294,967,295, means infinity in RFC 4861: hosts never expire addresses formed from
such a prefix, so avoid it on interfaces you may need to renumber.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies a valid lifetime of 43200 seconds (12 hours) for all interfaces for this ND
router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#valid-lifetime 43200
The following example specifies a valid lifetime of 2880 seconds (48 minutes) for the int1 ND router
interface, which overrides the global setting:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router nd
[local]Redback(config-nd)#interface int1
[local]Redback(config-nd-if)#valid-lifetime 2880
Related Commands
preferred-lifetime
prefix
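The RA header and Prefix Information option that the ra, reachable-time, prefix, preferred-lifetime and valid-lifetime commands populate, shown as an added Python example (this is not SmartEdge OS code and not from Redback): it encodes the values used in this chapter's examples (prefix 5555:bbbb::22/64 with no-autoconfig and no-onlink, both lifetimes 360 seconds, RA lifetime 360 seconds, reachable time 1800 ms), decodes the resulting message, verifies its checksum and runs the checks a rogue-RA detector would apply. The link-local source fe80::1, the all-nodes destination ff02::1 and the allow-list passed to audit_ra() are assumptions made for the example.

```python
"""Build, decode and sanity-check ICMPv6 Router Advertisements (RFC 4861).

Added example, not SmartEdge OS code. Source/destination addresses and the
prefix allow-list are assumptions for the example.
"""
import ipaddress
import struct

ICMPV6_RA = 134          # Router Advertisement type
OPT_PREFIX_INFO = 3      # Prefix Information option
RA_FLAG_MANAGED = 0x80   # M flag: ra managed-config
RA_FLAG_OTHER = 0x40     # O flag: ra other-config
PFX_FLAG_ONLINK = 0x80   # L flag, cleared by "prefix ... no-onlink"
PFX_FLAG_AUTO = 0x40     # A flag, cleared by "prefix ... no-autoconfig"
NEXT_HEADER_ICMPV6 = 58


def icmpv6_checksum(src, dst, msg):
    """Ones-complement checksum over the IPv6 pseudo-header plus ICMPv6 message.
    Over a message whose checksum field is already correct the result is 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), NEXT_HEADER_ICMPV6))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def prefix_option(prefix, valid, preferred, onlink=True, autoconfig=True):
    """Encode one Prefix Information option (32 bytes, length field 4)."""
    if not 0 <= preferred <= valid <= 0xFFFFFFFF:
        raise ValueError("need 0 <= preferred <= valid <= 2^32-1 (RFC 4861 4.6.2)")
    net = ipaddress.IPv6Network(prefix, strict=False)
    flags = (PFX_FLAG_ONLINK if onlink else 0) | (PFX_FLAG_AUTO if autoconfig else 0)
    return (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                        valid, preferred, 0) + net.network_address.packed)


def build_ra(src, dst, router_lifetime, reachable_ms=0, retrans_ms=0,
             managed=False, other=False, hop_limit=64, options=b""):
    """Build a complete RA message with a valid checksum for the given src/dst."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms) + options
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse_ra(msg):
    """Decode an RA into a dict; malformed options are rejected as RFC 4861 requires."""
    typ, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & RA_FLAG_MANAGED),
          "other": bool(flags & RA_FLAG_OTHER), "router_lifetime": lifetime,
          "reachable_ms": reach, "retrans_ms": retrans, "prefixes": []}
    off = 16
    while off < len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0 or off + olen * 8 > len(msg):
            raise ValueError("malformed option (zero or overlong length)")
        opt = msg[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": "%s/%d" % (ipaddress.IPv6Address(opt[16:32]), plen),
                "onlink": bool(pflags & PFX_FLAG_ONLINK),
                "autoconfig": bool(pflags & PFX_FLAG_AUTO),
                "valid": valid, "preferred": preferred})
        off += olen * 8
    return ra


def audit_ra(ra, allowed_prefixes):
    """Findings a rogue-RA detector would raise for a decoded RA."""
    findings = []
    allowed = {str(ipaddress.IPv6Network(p)) for p in allowed_prefixes}
    for p in ra["prefixes"]:
        if p["preferred"] > p["valid"]:
            findings.append("preferred > valid for %s" % p["prefix"])
        if p["prefix"] not in allowed:
            findings.append("unexpected prefix %s" % p["prefix"])
    return findings


# Assumed link-local source and the all-nodes multicast destination.
SRC = "fe80::1"
ALL_NODES = "ff02::1"

# The values from this chapter's prefix, ra and reachable-time examples.
EXAMPLE_RA = build_ra(SRC, ALL_NODES, router_lifetime=360, reachable_ms=1800,
                      options=prefix_option("5555:bbbb::22/64", valid=360, preferred=360,
                                            onlink=False, autoconfig=False))

if __name__ == "__main__":
    decoded = parse_ra(EXAMPLE_RA)
    print(decoded)
    print("checksum ok:", icmpv6_checksum(SRC, ALL_NODES, EXAMPLE_RA) == 0)
    print("findings:", audit_ra(decoded, ["5555:bbbb::/64"]))
```

Run parse_ra() and audit_ra() over an RA captured on a subscriber-facing VLAN: a prefix outside the allow-list, or an M or O flag you did not configure, points at a rogue advertiser rather than at this router.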
Chapter 4
NTP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Network Time Protocol
(NTP) features.
For information about the tasks and commands used to monitor, troubleshoot, and administer NTP features,
see the NTP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
• Overview
• Configuration Tasks
• Configuration Examples
• Command Descriptions
Overview
NTP exchanges timekeeping information between servers and clients via the Internet to synchronize
clocks. NTP makes estimates based on several variables, including network delay, dispersion of packet
exchanges, and clock offset. Extremely reliable sources, such as radio clocks and Global Positioning
System (GPS) satellite timing receivers, act as primary servers. Company or campus servers can act as
secondary time servers. To reduce overhead, secondary servers distribute time to attached local hosts.
The SmartEdge OS supports NTP as described in RFC 1305, Network Time Protocol. Although the default
version is Version 3, the SmartEdge OS also supports versions 1 and 2. On a SmartEdge router, NTP
operates in client mode only. The SmartEdge router can be synchronized by a remote NTP server, but the
remote server cannot be synchronized by the SmartEdge router.
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure NTP, perform the tasks described in the following sections:
• Configure the NTP Server IP Address
• Configure NTP Peer Associations (Optional)
• Configure Slowsync (Optional)
Configure the NTP Server IP Address
To configure the NTP server IP address, perform the task described in Table 4-1.
Table 4-1 Configure the NTP Server IP Address
Task: Configure the SmartEdge router to synchronize to a remote NTP server.
Root Command: ntp server
Notes: Enter this command in global configuration mode.
Configure NTP Peer Associations (Optional)
To configure NTP peer associations, perform the task described in Table 4-2.
Table 4-2 Configure NTP Peer Associations
Task: Configure the peer association for symmetric synchronization of the SmartEdge router time and
remote NTP peer time.
Root Command: ntp peer
Notes: Enter this command in global configuration mode.
Configure Slowsync (Optional)
To configure the SmartEdge router to slowly adjust its local clock rate to compensate for differences with
a remote NTP clock source, perform the tasks described in Table 4-3.
Table 4-3 Configure Slowsync
1. Access NTP configuration mode.
   Root Command: ntp mode
   Notes: Enter this command in global configuration mode.
2. Configure slowsync.
   Root Command: slowsync
   Notes: Enter this command in NTP configuration mode.
Configuration Examples
The following example configures the NTP client on the SmartEdge router to synchronize with a remote
NTP server at IP address 10.1.1.1:
[local]Redback(config)#ntp server 10.1.1.1
The following commands configure the NTP client on the SmartEdge router to use multiple remote NTP
servers as synchronization sources. In this case, the preferred server is at IP address 20.1.1.1.
Symmetric synchronization is also enabled, using the NTP peer with IP address 155.53.32.75:
[local]Redback#config
[local]Redback(config)#ntp server 10.1.1.1
[local]Redback(config)#ntp server 20.1.1.1 prefer
[local]Redback(config)#ntp peer 155.53.32.75
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure NTP. The
commands are presented in alphabetical order:
• ntp mode
• ntp peer
• ntp server
• slowsync
ntp mode
ntp mode
Purpose
Enters NTP configuration mode.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
None
Usage Guidelines
Use the ntp mode command to enter NTP configuration mode.
Examples
The following example changes the mode from global configuration to NTP configuration:
[local]Redback(config)#ntp mode
[local]Redback(config-ntp)#
Related Commands
slowsync
ntp peer
ntp peer ip-addr [context ctx-name] [prefer] [source if-name] [version ver-num]
no ntp peer [ip-addr]
Purpose
Configures peer association for symmetric synchronization of the SmartEdge router time and remote
Network Time Protocol (NTP) peer time.
Command Mode
global configuration
Syntax Description
ip-addr IP address of the remote NTP peer. Optional when used with the no form of
this command.
context ctx-name Optional. Context in which the destination address is reachable. This
construct is used when the NTP peer must be reached through a context other
than local.
prefer Optional. Marks the NTP peer as the preferred peer when multiple NTP peers
are configured.
source if-name Optional. SmartEdge interface that is to be used for NTP traffic.
version ver-num Optional. NTP version. Version options are 1, 2, and 3; the default value is 3.
Default
The context for the NTP peer is the local context. The NTP version is Version 3.
Usage Guidelines
Use the ntp peer command to configure a peer association for symmetric synchronization of the
SmartEdge router time and remote NTP peer time.
Use the no form of this command to remove the association with the specified peer.
Caution Risk of data loss. If you use the no form without specifying the IP address of a specific peer,
all existing NTP peer associations are removed. To reduce the risk of losing NTP peer
associations, always specify the IP address when using the no form.
Examples
The following example configures the SmartEdge router to symmetrically synchronize with the remote
NTP peer at IP address 155.53.32.75. The peer is also marked as the preferred peer:
[local]Redback(config)#ntp peer 155.53.32.75 prefer
Related Commands
ntp server
slowsync
ntp server
ntp server ip-addr [context ctx-name] [prefer] [source if-name] [version ver-num]
no ntp server [ip-addr]
Purpose
Configures the SmartEdge router to synchronize to a remote Network Time Protocol (NTP) server.
Command Mode
global configuration
Syntax Description
ip-addr IP address of the remote NTP server. Optional when used with the no form of
this command.
context ctx-name Optional. Context in which the destination address is reachable. This construct
is used when the NTP server must be reached through a context other than
local.
prefer Optional. Marks the NTP server as the preferred server when multiple NTP
servers are configured.
source if-name Optional. SmartEdge interface that is to be used for NTP traffic.
version ver-num Optional. NTP version. Version options are 1, 2, and 3; the default value is 3.
Default
NTP is disabled.
Usage Guidelines
Use the ntp server command to start the NTP daemon and configure the SmartEdge router to synchronize
to a remote NTP server.
Note A remote NTP client cannot synchronize with the SmartEdge router.
Neither this command nor the ntp peer command configures NTP authentication, so the router trusts
whatever time the named server reports. Name only servers you control, and use the context and source
constructs so that NTP traffic leaves through a management path rather than a subscriber-facing interface.
Use the no form of this command to disable NTP services on the device. If you use the no form without
specifying the IP address of a specific server, all existing NTP server associations are removed.
Examples
The following example configures the NTP client to synchronize with an NTP remote server at IP address
155.53.12.12, and makes it the preferred server:
[local]Redback(config)#ntp server 155.53.12.12 prefer
Related Commands
ntp peer
slowsync
slowsync
slowsync
{no | default} slowsync
Purpose
Configures the SmartEdge router to slowly adjust its local clock rate to compensate for differences with a
remote Network Time Protocol (NTP) clock source.
Command Mode
NTP configuration
Syntax Description
This command has no keywords or arguments.
Default
Gradual adjustment of the local clock rate is disabled.
Usage Guidelines
Use the slowsync command to configure the SmartEdge router to slowly adjust its local clock rate to
compensate for differences with a remote NTP clock source.
This command changes the rate of the SmartEdge OS clock so that it gradually converges with the NTP
server clock, provided the initial difference in time between the two clocks is less than 16 minutes. If the
time difference is more than 16 minutes, synchronization does not occur.
The NTP daemon adjusts the SmartEdge router clock within a few minutes if the difference between the
SmartEdge router clock and the remote NTP server is greater than 5 seconds (and less than 16 minutes).
This adjustment occurs within the first five minutes after the NTP daemon is started.
Before enabling slowsync, make sure the local clock is already within 16 minutes of the server's time; a
larger difference is never corrected, and log and accounting timestamps on the router stay wrong.
Use the no or default form of this command to disable gradual adjustment of the local clock rate.
Examples
The following example enables the gradual adjustment of the local clock rate:
[local]Redback(config-ntp)#slowsync
Related Commands
ntp peer
ntp server
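The client exchange behind ntp server and ntp peer, as an added Python example (not SmartEdge OS code and not from Redback): it builds the version-3 request the client sends, validates the reply the way an NTP client must before trusting it (mode, version, stratum and leap indicator, and that the reply echoes the request's transmit timestamp), and computes clock offset and round-trip delay from the four timestamps as RFC 1305 defines them. The server reply and the timestamps are constructed so the exchange runs offline, and slowsync_action() is an assumed model of the thresholds stated in the slowsync description above, not the OS's algorithm.

```python
"""NTP version 3 client exchange (RFC 1305): request, reply validation,
offset/delay computation. Added example, not SmartEdge OS code; the reply
is constructed and slowsync_action() only models this chapter's thresholds.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
LI_UNSYNC = 3                        # leap indicator 3: clock not synchronized
PACKET_FMT = "!BBBbIIIQQQQ"          # 48-byte NTP header, no authenticator


def to_ntp_ts(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * 2 ** 32)
    return (secs << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def build_client_request(t1, version=3):
    """Mode-3 request; only the Transmit Timestamp (T1) is filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_ts(t1))


def build_server_reply(request, t2, t3, stratum=2, refid=b"GPS\x00"):
    """Constructed mode-4 reply: echoes the request's T1 as the Originate Timestamp."""
    req = struct.unpack(PACKET_FMT, request)
    version = (req[0] >> 3) & 7
    li_vn_mode = (0 << 6) | (version << 3) | MODE_SERVER
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20, 0, 0,
                       int.from_bytes(refid, "big"),
                       to_ntp_ts(t2 - 16), req[10], to_ntp_ts(t2), to_ntp_ts(t3))


def process_reply(reply, t1, t4, version=3):
    """Validate a reply against the request we sent; compute offset and delay.

    t1: local time the request was sent; t4: local time the reply arrived.
    Replies that are not mode 4, use another version, come from a stratum-0
    (kiss-o'-death) or unsynchronized source, or do not echo our T1 are
    rejected; the last check is how a client drops replayed or spoofed replies.
    """
    f = struct.unpack(PACKET_FMT, reply)
    li, vn, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    if mode != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % mode)
    if vn != version:
        raise ValueError("version %d reply to a version %d request" % (vn, version))
    if f[1] == 0 or li == LI_UNSYNC:
        raise ValueError("server is unsynchronized or sent a kiss-o'-death")
    if f[8] != to_ntp_ts(t1):
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = from_ntp_ts(f[9]), from_ntp_ts(f[10])
    offset = ((t2 - t1) + (t3 - t4)) / 2       # RFC 1305 clock offset
    delay = (t4 - t1) - (t3 - t2)              # RFC 1305 round-trip delay
    return {"stratum": f[1], "offset": offset, "delay": delay}


def slowsync_action(offset):
    """Assumed model of this chapter's slowsync thresholds, not the OS's code:
    16 minutes or more: no synchronization; more than 5 seconds: adjusted
    within a few minutes; otherwise the clock rate is changed gradually."""
    magnitude = abs(offset)
    if magnitude >= 16 * 60:
        return "no-sync"
    if magnitude > 5:
        return "adjust"
    return "slew"


# Constructed exchange: 10 ms each way, server clock 2.5 s ahead of ours.
T1 = 1700000000.0
T2 = T1 + 0.010 + 2.5
T3 = T2 + 0.001
T4 = T1 + 0.021
REQUEST = build_client_request(T1)
REPLY = build_server_reply(REQUEST, T2, T3)

if __name__ == "__main__":
    result = process_reply(REPLY, T1, T4)
    print(result, slowsync_action(result["offset"]))
```

The originate-timestamp check is the only protection these unauthenticated associations have against a forged reply, which is why the request's transmit timestamp is kept until the reply arrives.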
Chapter 5
DHCP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Dynamic Host
Configuration Protocol (DHCP) features.
For information about the commands used to monitor, troubleshoot, and administer DHCP features, see the
DHCP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
• Overview
• Configuration Tasks
• Configuration Examples
• Command Descriptions
Overview
DHCP dynamically configures IP address information for subscriber hosts. The SmartEdge OS provides
three types of DHCP support:
• DHCP relay server
The SmartEdge router acts as an intermediary between an external DHCP server and the subscriber
(client). The router forwards requests from the subscriber to the DHCP server and relays the server's
responses back to the subscriber.
• DHCP proxy server
The SmartEdge router provides responses directly to subscriber requests. Each subscriber sees the
router as the DHCP server, and as such, sends all DHCP negotiations, including IP address release and
renewal, to the router, which then relays the information to the external DHCP server. The proxy feature
enables the router to maintain IP address lease timers.
• DHCP internal
The SmartEdge router provides the functions of the DHCP server; no communications are sent to an
external DHCP server.
DHCP is described in the following RFCs:
• RFC 2131, Dynamic Host Configuration Protocol
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 3004, The User Class Option for DHCP
For more information about RADIUS, see Chapter 21, RADIUS Configuration. For information about
Redback VSAs, see Chapter A, RADIUS Attributes.
The DHCP features are described in the following sections:
• ARP and DHCP
• CLIPS and DHCP
• RADIUS and DHCP
ARP and DHCP
For every valid DHCP response received from or transmitted to a subscriber, an entry is created in the
Address Resolution Protocol (ARP) table. The entry includes the IP address that is assigned to the
requesting medium access control (MAC) address and the incoming circuit on which the DHCP request is
received. All entries are secured ARP entries. Because entries are cached in the ARP table, the SmartEdge
router can route downstream packets to the correct outgoing interface. For more information about ARP,
see Chapter 2, ARP Configuration.
CLIPS and DHCP
Clientless IP service selection (CLIPS) exclusion allows you to configure DHCP sessions on ports and
PVCs that you have also configured for dynamic CLIPS sessions. With CLIPS exclusion, you can specify
which sessions are DHCP hosts; all other sessions are dynamic CLIPS sessions. CLIPS exclusion applies
only to the DHCP proxy and internal servers. For more information about configuring CLIPS exclusion, see
the CLIPS Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
The SmartEdge router supports residential gateways (RGs) with DHCP relay capability to be used as
dynamic CLIPS clients. These RGs can then function as DHCP relay agents for the home network devices
connected to the RG. (An RG connects network-enabled devices on a home network to the Internet.)
Without this function, you must configure each RG by manually assigning it an IP address enabling it to be
used as a DHCP relay agent.
The following must occur before the SmartEdge router can support RGs with DHCP relay capability to be
used as dynamic CLIPS clients:
1. You must configure the RG as a DHCP client.
2. After the RG is assigned an IP address from a DHCP server, the RG must then operate as a DHCP relay
agent.
After the CLIPS session of an RG is established, the home network devices can establish their own CLIPS
sessions using the DHCP relay agent. The CLIPS sessions for the home network devices are independent
of the CLIPS session for the RG.
Note DHCP, in all modes, maintains host entries only for multibind interfaces.
To configure the SmartEdge router to support an RG as a dynamic CLIPS client, configure dynamic CLIPS
circuits on the SmartEdge router. For instructions on how to configure dynamic CLIPS circuits on the
SmartEdge router, follow the steps in the Configuring Dynamic CLIPS Circuits section in the CLIPS
Configuration chapter of the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Note In this configuration, the DHCP server assigns the IP addresses to the RG and the home
network devices on the same subnet.
The SmartEdge router supports DHCP discovery with duplicate MAC addresses for CLIPS subscribers.
This enables different CLIPS subscribers to use the same MAC address, provided that each DHCP discover
packet carries a unique GIADDR address. DHCP determines the uniqueness of a subscriber from the
combination of MAC address and GIADDR rather than from the MAC address alone.
RADIUS and DHCP
When Remote Authentication Dial-In User Service (RADIUS) authentication is enabled, the SmartEdge
router sends an accounting record to a RADIUS server each time an IP address is assigned or released.
If the SmartEdge router is acting as a DHCP proxy or internal server for CLIPS subscribers, the vendor
class identifier that is received in the DHCP discover packet for the CLIPS session is sent in the RADIUS
Access-Request and Accounting-Request packets to the RADIUS server, using Redback vendor-specific
attribute (VSA) 125.
Configuration Tasks
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure DHCP features, perform the tasks described in the following sections:
• Configure an Internal DHCP Server
• Configure an External DHCP Server
• Configure a Context for an External DHCP Server
• Configure an Interface for an External DHCP Server
• Configure Subscriber Hosts for DHCP Address Functions
• Configure a Traffic Card to Prevent DoS Attacks
Configure an Internal DHCP Server
To configure the SmartEdge OS to act as an internal DHCP server, perform the tasks described in Table 5-1.
Table 5-1 Configure an Internal DHCP Server
1. Create or select the context for the DHCP internal server and access context configuration mode.
   Root Command: context
   Notes: Enter this command in global configuration mode. This command is documented in the
   Context Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
2. Create or select the interface for the DHCP internal server and access interface configuration mode.
   Root Command: interface
   Notes: Enter this command in context configuration mode. Specify the multibind keyword. This
   command is documented in the Interface Configuration chapter in the Basic System Configuration
   Guide for the SmartEdge OS.
3. Assign one or more IP addresses to this interface.
   Root Command: ip address
   Notes: Enter this command in interface configuration mode. This command is documented in the
   Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
4. Enable this interface for internal DHCP server support and assign an IP address for its support.
   Root Command: dhcp server
   Notes: Enter this command in interface configuration mode.
5. Enable internal DHCP server functions in this context and access DHCP server configuration mode.
   Root Command: dhcp server policy
   Notes: Enter this command in context configuration mode.
6. Specify global settings for the DHCP server and all its subnets, using one or more of the following
   tasks. Enter these commands in DHCP server configuration mode.
   • Specify the default lease time. Root Command: default-lease-time
   • Specify the maximum lease time. Root Command: max-lease-time
   • Specify the offer lease time. Root Command: offer-lease-time
   • Enable the monitoring and reporting of available DHCP leases at the context level for minimum
     and maximum threshold values. Root Command: threshold
   • Enable DHCP clients with the same MAC address to be assigned IP addresses on different
     circuits. Root Command: allow-duplicate-mac
   • Specify one or more DHCP options. Root Command: option (enter this command multiple times
     to specify as many options as you require)
   • Specify the filename of the boot loader image file. Root Command: bootp-filename
   • Specify the IP address that the boot loader client uses to download the boot loader image file.
     Root Command: bootp-siaddr
   • Create a static mapping between a subnet and the specified vendor class ID.
     Root Command: vendor-class
7. Create a subnet for the DHCP server and access DHCP subnet configuration mode.
   Root Command: subnet
   Notes: Enter this command in DHCP server configuration mode.
8. Optional. Configure this subnet, using one or more of the following tasks. Enter all commands in
   DHCP subnet configuration mode.
   • Assign a range of IP addresses to this subnet. Root Command: range
   • Create a static mapping between a MAC address and an IP address in this subnet.
     Root Command: mac-address
   • Create a static mapping between the agent circuit id subfield or the agent remote id subfield in
     the option 82 field and an IP address. Root Command: option-82
   • Specify the maximum number of IP addresses allowed for an agent circuit id.
     Root Command: option-82
   • Specify the default lease time for this subnet. Root Command: default-lease-time (overrides the
     global setting for this subnet)
   • Specify the maximum lease time for this subnet. Root Command: max-lease-time (overrides the
     global setting for this subnet)
   • Specify the offer lease time for this subnet. Root Command: offer-lease-time (overrides the
     global setting for this subnet)
   • Specify one or more DHCP options for this subnet. Root Command: option (enter this command
     multiple times to specify as many options as you require)
Configure an External DHCP Server
To configure an external DHCP relay or proxy server, perform the tasks described in Table 5-2; enter all
commands in DHCP relay server configuration mode, unless otherwise noted.
Table 5-2 Configure an External DHCP Server
1. Configure an external DHCP server, and enter DHCP relay server configuration mode.
   Root Command: dhcp relay server
   Notes: Enter this command in context configuration mode. You can configure only one DHCP
   server IP address in a single context.
2. Configure the maximum hop count allowed for DHCP requests.
   Root Command: max-hops
3. Configure the interval, in seconds, to wait before forwarding requests to the DHCP server.
   Root Command: min-wait
4. Assign the DHCP server to a DHCP server group.
   Root Command: server-group
5. Specify forwarding for DHCP messages, using one of the following tasks:
   • Forward packets to all other DHCP servers in the DHCP server group. Root Command: forward-all
   • Forward DHCP discover packets to other configured servers in the DHCP server group.
     Root Command: broadcast-discover
   • Forward packets to a standby DHCP server. Root Command: standby
Configure a Context for an External DHCP Server
To configure a context for an external DHCP relay or proxy server, perform the tasks described in
Table 5-3; enter all commands in context configuration mode.
Table 5-3 Configure a Context for an External DHCP Server
• Specify the number of attempts and the interval to wait for each attempt when trying to reach an
  external DHCP server before it is marked unreachable.
  Root Command: dhcp relay server retries
• Disable the sending of a DHCPNAK message if the SmartEdge OS receives a DHCPREQUEST message
  for which it does not have an entry.
  Root Command: dhcp relay suppress-nak
• Optional. Add the DHCP relay information option to packets.
  Root Command: dhcp relay option
  Notes: The DHCP relay information option is described in RFC 3046, DHCP Relay Agent Information
  Option.
Configure an Interface for an External DHCP Server
To configure an interface for an external DHCP relay or proxy server, perform the tasks described in
Table 5-4; enter all commands in interface configuration mode, unless otherwise noted.
Table 5-4 Configure an Interface for an External DHCP Server
1. Enable the interface for an external DHCP server, using one of the following tasks:
   • Enable the interface to relay DHCP messages to an external DHCP server, and access DHCP
     giaddr configuration mode. Root Command: dhcp relay
   • Enable the interface to act as a proxy between subscribers and an external DHCP server, and
     access DHCP giaddr configuration mode. Root Command: dhcp proxy
   Notes: These commands are mutually exclusive. If you are configuring CLIPS, you must use the
   dhcp proxy command. The value for the max-dhcp-addrs argument used with these commands works
   in conjunction with the max-sub-addrs value specified in the dhcp max-addrs command (in
   subscriber configuration mode); see the Configure Subscriber Hosts for DHCP Address Functions
   section.
2. Optional. Configure an IP source address.
   Root Command: ip source-address
   Notes: The interface address that you specify with this command must be reachable by the external
   DHCP server. You must specify the dhcp-server keyword. For more information about this command,
   see the Interface Configuration chapter in the Basic System Configuration Guide for the
   SmartEdge OS.
3. Specify an IP address for the giaddr field for DHCP packets that match the specified vendor-class-id.
   Root Command: vendor-class-id
   Notes: Enter this command in DHCP giaddr configuration mode. You can enter this command
   multiple times to specify multiple vendor-class IDs.
Note By default, the IP address of the interface on which DHCP messages are transmitted is sent
in DHCP packets. To not publish this IP address, configure an interface (typically loopback)
to appear to be the source address for DHCP packets.
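What a DHCP relay does with the fields the max-hops, dhcp relay option (option 82), giaddr and vendor-class-id settings above operate on, as an added Python example (not SmartEdge OS code and not from Redback): the relay sets giaddr on the first hop, increments the hop count and drops the request once max-hops would be exceeded, appends the RFC 3046 Relay Agent Information option with the circuit and remote IDs, and refuses a request in which a client supplied option 82 itself (giaddr still zero). It also extracts the vendor class identifier (option 60) and the MAC-plus-GIADDR subscriber key described earlier in this chapter. The DISCOVER, the relay addresses 10.0.0.1 and 10.0.0.2, the vendor class RG-ACME and the circuit/remote IDs are constructed for the example.

```python
"""DHCP relay-agent handling of a DHCPDISCOVER (RFC 2131, RFC 3046).

Added example, not SmartEdge OS code. The DISCOVER packet, relay addresses,
vendor class and circuit/remote IDs below are constructed for the example.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte BOOTP fixed part
BOOTREQUEST = 1
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_RELAY_INFO, OPT_END = 0, 53, 60, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(raw):
    """Walk the option TLVs; return (options, index of END). A 0xFF byte inside
    a value is not END, so the options are walked rather than searched."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts, i
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % code)
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("missing END option")


def parse_dhcp(pkt):
    """Decode the fields a relay cares about."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(FIXED_FMT, pkt[:236])
    opts, end = parse_options(pkt[240:])
    return {"op": f[0], "hops": f[3], "xid": f[4], "giaddr": f[10],
            "chaddr": f[11][:f[2]], "options": opts, "end": 240 + end}


def parse_relay_info(value):
    """Decode option 82 sub-options into {'circuit_id': ..., 'remote_id': ...}."""
    names = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}
    out, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated option 82 sub-option")
        out[names.get(value[i], value[i])] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    return out


def subscriber_key(msg):
    """Subscriber identity as this chapter describes it: MAC address plus GIADDR."""
    mac = ":".join("%02x" % b for b in msg["chaddr"])
    return mac, socket.inet_ntoa(msg["giaddr"])


def vendor_class(msg):
    """Option 60 text (what a proxy or internal server forwards in Redback VSA 125)."""
    return msg["options"].get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")


def relay_to_server(pkt, relay_ip, circuit_id, remote_id, max_hops=4):
    """Return the request as the relay forwards it toward the server, or raise."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREQUEST:
        raise ValueError("only BOOTREQUEST is relayed toward the server")
    if msg["hops"] + 1 > max_hops:
        raise ValueError("hop count would exceed max-hops %d; dropped" % max_hops)
    first_hop = msg["giaddr"] == b"\x00\x00\x00\x00"
    if first_hop and OPT_RELAY_INFO in msg["options"]:
        raise ValueError("client-supplied option 82 with giaddr 0; dropped (RFC 3046 2.1.1)")
    giaddr = socket.inet_aton(relay_ip) if first_hop else msg["giaddr"]
    head = pkt[:3] + bytes([msg["hops"] + 1]) + pkt[4:24] + giaddr + pkt[28:240]
    body = pkt[240:msg["end"]]               # options without END
    if first_hop:                            # only the first relay adds option 82
        sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
               + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
        body += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return head + body + bytes([OPT_END])


def build_discover(mac, xid, vendor_class_id=b"", extra_options=b""):
    """Constructed DHCPDISCOVER from a client with the given MAC address."""
    fixed = struct.pack(FIXED_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 1])       # message type 1 = DHCPDISCOVER
    if vendor_class_id:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor_class_id)]) + vendor_class_id
    return fixed + MAGIC + opts + extra_options + bytes([OPT_END])


DISCOVER = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x3903F326, b"RG-ACME")

if __name__ == "__main__":
    relayed = relay_to_server(DISCOVER, "10.0.0.1", b"vlan100", b"acc-sw-1")
    m = parse_dhcp(relayed)
    print(subscriber_key(m), vendor_class(m), parse_relay_info(m["options"][OPT_RELAY_INFO]))
```

The two drop rules are the security-relevant part: a second relay in the path leaves giaddr and option 82 alone (so the server still sees the first hop's identity), and a client that inserts its own option 82 to impersonate another circuit is discarded rather than forwarded.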
Configure Subscriber Hosts for DHCP Address Functions
To configure subscriber hosts for DHCP address functions, perform the tasks described in Table 5-5; enter
all commands in subscriber configuration mode.
Configure a Traffic Card to Prevent DoS Attacks
To configure a traffic card to prevent denial of service (DoS) attacks, perform the task described in
Table 5-6; enter the command in card configuration mode.
Configuration Examples
The following sections provide DHCP configuration examples:
DHCP Internal Server
DHCP Proxy and Maximum Address Support
Subscriber Bindings to DHCP Interfaces
DHCP Proxy Through Dynamic Subscriber Bindings
DHCP Proxy Through Static Interface Bindings
DHCP Proxy Through RADIUS
Loopback Interface as DHCP Source Address
Table 5-5 Configure Subscriber Hosts for DHCP Address Functions

Task: Optional. Configure hosts to use DHCP to dynamically acquire address information for a subscriber circuit and set a maximum number of IP addresses that can be assigned to hosts associated with the circuit.
Root command: dhcp max-addrs
Notes: You can also configure this information in the subscriber record through the RADIUS database instead of through this command. Use Redback VSA 3, DHCP-Max-Leases, for the maximum number of IP addresses; see Chapter A, RADIUS Attributes.

Task: Optional. Configure hosts to use a specific DHCP interface to acquire address information for a subscriber circuit.
Root command: ip interface
Notes: You must configure the subscriber record or profile with the dhcp max-addrs command. You must enable the specified interface for DHCP proxy or DHCP relay; see the Configure an Interface for an External DHCP Server section. You can also configure this information in the subscriber record through the RADIUS database instead of through this command. Use Redback VSA 104, IP-Interface-Name; see Chapter A, RADIUS Attributes.
Table 5-6 Configure a Traffic Card to Prevent DoS Attacks

Task: Optional. Enable rate limiting and specify the rate and burst limits for DHCP or PADI packets to prevent DoS attacks.
Root command: rate-limit dhcp
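The rate and burst limits in Table 5-6 describe a token-bucket policer. The following is an added example, not SmartEdge OS code, that models such a policer over constructed DHCP packet arrival times; the rate and burst values are constructed, and the generic token-bucket semantics are an assumption rather than the traffic card's actual implementation. It goes one step beyond the page by also showing one bucket per circuit, so that a flood on one circuit does not consume the tokens of the others.

```python
"""Token-bucket policer of the kind the rate-limit dhcp command describes:
a rate (packets per second) plus a burst (packets accepted back to back)
applied to DHCP or PADI packets arriving on a traffic card.

Added example, not SmartEdge OS code. Rate, burst and the arrival times are
constructed; the token-bucket semantics are an assumption about the model,
not a description of the card's implementation.
"""


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; one token per packet."""

    def __init__(self, rate, burst):
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # bucket starts full
        self.last = None             # time of the previous packet

    def allow(self, now):
        """Return True if a packet arriving at `now` (seconds) is accepted."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def police(arrivals, rate, burst):
    """Run arrival timestamps through one bucket; return (accepted, dropped)."""
    bucket = TokenBucket(rate, burst)
    accepted = dropped = 0
    for t in arrivals:
        if bucket.allow(t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def police_per_circuit(events, rate, burst):
    """One bucket per circuit; `events` is a list of (time, circuit_id).

    Returns {circuit_id: (accepted, dropped)}. A host flooding its own circuit
    only empties that circuit's bucket.
    """
    buckets = {}
    stats = {}
    for t, cid in events:
        bucket = buckets.setdefault(cid, TokenBucket(rate, burst))
        acc, drop = stats.get(cid, (0, 0))
        if bucket.allow(t):
            acc += 1
        else:
            drop += 1
        stats[cid] = (acc, drop)
    return stats


def sample_arrivals():
    """Constructed: 50 DISCOVERs in 10 ms from one misbehaving host, then five
    packets at one per second from well-behaved clients."""
    flood = [i * 0.0002 for i in range(50)]
    steady = [1.0 + i for i in range(5)]
    return flood + steady


def sample_events():
    """Constructed: the same flood on one circuit, three packets on another."""
    flood = [(i * 0.0002, "1/4:1 vpi-vci 0 101") for i in range(50)]
    others = [(0.0051 + i * 0.001, "1/4:1 vpi-vci 0 102") for i in range(3)]
    return sorted(flood + others)


if __name__ == "__main__":
    print(police(sample_arrivals(), rate=10, burst=20))
    print(police_per_circuit(sample_events(), rate=10, burst=20))
```

With a rate of 10 packets per second and a burst of 20, the first 20 flood packets are accepted, the remaining 30 are dropped, and the later one-per-second packets all pass once the bucket has refilled; with a bucket per circuit the second circuit's three packets are unaffected by the flood.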
DHCP Internal Server
The following example configures an internal DHCP server and two subnets:
! Create the context and the interface.
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#interface dhcp-if multibind
! Assign two subnets to the interface.
[local]Redback(config-if)#ip address 12.1.1.0/24
[local]Redback(config-if)#ip address 13.1.1.0/24 secondary
! Enable the interface for internal DHCP functions and assign an IP address to it.
[local]Redback(config-if)#dhcp server 12.1.1.1
[local]Redback(config-if)#exit
! Enable the context for internal DHCP server functions.
[local]Redback(config-ctx)#dhcp server policy
! Specify global settings for the internal DHCP server and all its subnets.
[local]Redback(config-dhcp-server)#allow-duplicate-mac
[local]Redback(config-dhcp-server)#default-lease-time 14400
[local]Redback(config-dhcp-server)#maximum-lease-time 172800
[local]Redback(config-dhcp-server)#offer-lease-time 300
[local]Redback(config-dhcp-server)#option domain-name redback.com
! Specify the boot loader image file and the server IP address where it can be found.
[local]Redback(config-dhcp-server)#bootp-filename of1267.bin
[local]Redback(config-dhcp-server)#bootp-siaddr 200.1.1.0
! Create an unnamed subnet and configure it.
[local]Redback(config-dhcp-server)#subnet 13.1.1.1/24
[local]Redback(config-dhcp-subnet)#range 13.1.1.50 13.1.1.99
! Override the global settings for these options.
[local]Redback(config-dhcp-subnet)#default-lease-time 3600
[local]Redback(config-dhcp-subnet)#maximum-lease-time 14400
[local]Redback(config-dhcp-subnet)#option domain-name cool.com
[local]Redback(config-dhcp-subnet)#option domain-name-servers 12.1.1.254
[local]Redback(config-dhcp-subnet)#exit
! Create a named subnet and configure it.
[local]Redback(config-dhcp-server)#subnet 13.1.1.100/24 name sub2
[local]Redback(config-dhcp-subnet)#range 13.1.1.150 13.1.1.199
! Create static mappings for this named subnet.
[local]Redback(config-dhcp-subnet)#mac-address 02:12:34:56:78:90 ip-address 13.1.1.2
[local]Redback(config-dhcp-subnet)#option-82 circuit-id 4:1 vlan 102 offset 3 ip-address 13.1.1.3
[local]Redback(config-dhcp-subnet)#option-82 circuit-id 4:1 vlan 102 offset 3 max-addresses 10
! Override the global setting for this option.
[local]Redback(config-dhcp-subnet)#option domain-name hot.com
[local]Redback(config-dhcp-subnet)#exit
! Create a static mapping for this named subnet.
[local]Redback(config-dhcp-server)#vendor-class abc-client offset 5 subnet sub2
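The option-82 static mappings above key a subnet entry on the circuit-id that the relay inserts in the DHCP relay agent information option (RFC 3046). The following is an added example, not SmartEdge OS code, of parsing that option from a DHCP option field, looking up a circuit-id in a mapping table, and applying the RFC 3046 rule that a relay discards a client packet that already carries option 82 when it arrives on an untrusted circuit. The option bytes, the circuit-id values and the mapping table are constructed for illustration.

```python
"""Parse and validate the DHCP Relay Agent Information option (option 82,
RFC 3046) and look up a static mapping keyed on its circuit-id sub-option.

Added example, not SmartEdge OS code. The DHCP option bytes, the circuit-id
values and the mapping table are constructed for illustration only.
"""

OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
OPT_END = 255
OPT_PAD = 0
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
DHCPDISCOVER = 1


def parse_options(options):
    """Walk the TLV option field that follows the DHCP magic cookie.

    Returns {code: raw value}. PAD has no length byte; END stops the walk.
    Raises ValueError if an option claims more bytes than remain, so a
    truncated packet is rejected instead of silently mis-parsed.
    """
    out = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = value
        i += 2 + length
    return out


def parse_relay_agent_info(value):
    """Split option 82 into {sub-option code: data}; same TLV layout, no PAD/END."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = data
        i += 2 + length
    return subs


def build_relay_agent_info(circuit_id, remote_id=None):
    """Encode option 82 the way a relay inserts it before forwarding upstream."""
    body = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def relay_should_discard(options, giaddr, circuit_trusted):
    """RFC 3046 rule for the subscriber-facing side of a relay: a client packet
    (giaddr still 0.0.0.0) that already carries option 82 is discarded when it
    arrived on an untrusted circuit, so a host cannot supply its own circuit-id.
    """
    opts = parse_options(options)
    return (giaddr == "0.0.0.0" and OPT_RELAY_AGENT_INFO in opts
            and not circuit_trusted)


# Constructed mapping in the spirit of the "option-82 circuit-id ... ip-address"
# static mapping above: circuit-id bytes -> fixed address for that circuit.
STATIC_BY_CIRCUIT_ID = {
    b"4:1 vlan 102": "13.1.1.3",
}


def lookup_static_address(options):
    """Return the statically mapped address for the packet's circuit-id, or None."""
    opts = parse_options(options)
    if OPT_RELAY_AGENT_INFO not in opts:
        return None
    subs = parse_relay_agent_info(opts[OPT_RELAY_AGENT_INFO])
    return STATIC_BY_CIRCUIT_ID.get(subs.get(SUBOPT_CIRCUIT_ID))


def sample_discover_options():
    """Constructed option field of a DISCOVER after the relay added option 82."""
    return (bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
            + build_relay_agent_info(b"4:1 vlan 102", b"redback-se")
            + bytes([OPT_END]))


if __name__ == "__main__":
    opts = sample_discover_options()
    print(parse_relay_agent_info(parse_options(opts)[OPT_RELAY_AGENT_INFO]))
    print(lookup_static_address(opts))
```

The lookup returns 13.1.1.3 for the constructed circuit-id and None for a packet without option 82; the discard check is what keeps the circuit-id trustworthy as a mapping key.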
DHCP Proxy and Maximum Address Support
The following example illustrates how the value for the max-sub-addrs argument for the dhcp max-addrs
command (in subscriber configuration mode) works in conjunction with the value for the max-dhcp-addrs
argument for the dhcp proxy command (in interface configuration mode). In this example, the number of
DHCP clients that can be supported on the DHCP proxy multibind interface at IP address 120.1.1.1 is
restricted to 10 with the dhcp proxy command. The first four subscribers, each with a value of 1 for
max-sub-addrs, can be authenticated and a circuit can be brought up for each of them. However, subscriber
sub5 cannot be authenticated because its max-sub-addrs value is 10, which exceeds the remaining number
of addresses available on the interface, which is now 6:
[local]Redback(config-ctx)#interface subscriber multibind
[local]Redback(config-if)#ip address 120.1.1.1/16
[local]Redback(config-if)#dhcp proxy 10
[local]Redback(config-if)#ip arp timeout 120
[local]Redback(config-if)#ip arp delete-expired
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 100.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name sub1
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub2
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub3
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub4
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub5
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#dhcp relay server 100.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
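The admission arithmetic in the example above, as an added model that is not SmartEdge OS code: the interface's max-dhcp-addrs value is a pool from which each subscriber's whole max-sub-addrs allotment is reserved at authentication time. The admission rule is taken from the example text; the release step on circuit teardown, and the extended scenario after it, are assumptions used to round out the model.

```python
"""Model how dhcp proxy <max-dhcp-addrs> on a multibind interface caps the
sum of the dhcp max-addrs <max-sub-addrs> values of the subscribers bound to
it, as described in the example above.

Added example, not SmartEdge OS code. The admission rule comes from the
example text; `release` is an assumed behaviour for circuit teardown.
"""


class DhcpProxyInterface:
    """One multibind interface with a fixed pool of max-dhcp-addrs."""

    def __init__(self, name, max_dhcp_addrs):
        if max_dhcp_addrs < 1:
            raise ValueError("max-dhcp-addrs must be at least 1")
        self.name = name
        self.max_dhcp_addrs = max_dhcp_addrs
        self.reserved = {}          # subscriber -> max-sub-addrs it holds

    def remaining(self):
        """Addresses not yet reserved by any authenticated subscriber."""
        return self.max_dhcp_addrs - sum(self.reserved.values())

    def authenticate(self, subscriber, max_sub_addrs):
        """Admit the subscriber only if its whole max-sub-addrs allotment fits.

        The reservation is per subscriber record, not per lease actually
        taken, which is why sub5 below fails before any host has asked for
        an address.
        """
        if max_sub_addrs < 1:
            raise ValueError("max-sub-addrs must be at least 1")
        if subscriber in self.reserved:
            raise ValueError("%s is already bound" % subscriber)
        if max_sub_addrs > self.remaining():
            return False
        self.reserved[subscriber] = max_sub_addrs
        return True

    def release(self, subscriber):
        """Assumed behaviour: a circuit going down returns its allotment."""
        return self.reserved.pop(subscriber, 0)


def run_page_example():
    """Replay the scenario above: dhcp proxy 10, four subscribers at 1, sub5 at 10."""
    ifc = DhcpProxyInterface("subscriber", max_dhcp_addrs=10)
    results = {}
    for name in ("sub1", "sub2", "sub3", "sub4"):
        results[name] = ifc.authenticate(name, 1)
    results["sub5"] = ifc.authenticate("sub5", 10)
    return results, ifc.remaining()


def run_extended_example():
    """Assumed follow-on: after sub1 drops, 7 addresses remain, still short of
    sub5's 10, but a subscriber asking for 7 fits and the pool is then full."""
    ifc = DhcpProxyInterface("subscriber", max_dhcp_addrs=10)
    for name in ("sub1", "sub2", "sub3", "sub4"):
        ifc.authenticate(name, 1)
    ifc.release("sub1")
    return (ifc.authenticate("sub5", 10),
            ifc.authenticate("sub6", 7),
            ifc.remaining())


if __name__ == "__main__":
    print(run_page_example())
    print(run_extended_example())
```

Running the page scenario gives sub1 through sub4 admitted, sub5 refused, and 6 addresses left on the interface, matching the text.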
Subscriber Bindings to DHCP Interfaces
Two examples of binding subscribers to DHCP interfaces are described in the following sections:
Using Local Authentication
Using RADIUS Authentication
Using Local Authentication
The following example binds subscribers to DHCP interfaces using the ip interface command (in
subscriber configuration mode) with local authentication:
[local]Redback(config)#context atm_subs
[local]Redback(config-ctx)#interface bronze multibind
[local]Redback(config-if)#ip address 120.1.3.1/24
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface gold multibind
[local]Redback(config-if)#ip address 120.1.1.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface silver multibind
[local]Redback(config-if)#ip address 120.1.2.1/24
[local]Redback(config-if)#dhcp proxy 10
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber profile gold
[local]Redback(config-sub)#ip interface name gold
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile silver
[local]Redback(config-sub)#ip interface name silver
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile bronze
[local]Redback(config-sub)#ip interface name bronze
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub1
[local]Redback(config-sub)#profile gold
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub2
[local]Redback(config-sub)#profile silver
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub3
[local]Redback(config-sub)#profile bronze
[local]Redback(config-sub)#dhcp max-addrs 10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 1/4
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 101 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub1@atm_subs
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 102 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub2@atm_subs
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 103 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub3@atm_subs
The following example displays information about these subscriber circuits:
[atm_subs]Redback>show subscribers active
sub1@atm_subs
  Circuit 1/4:1 vpi-vci 0 101
  Internal Circuit 1/4:1:63/1/2/24579
  Current port-limit unlimited
  profile gold (applied)
  dhcp max-addrs 10 (applied)
  ip interface gold (applied)
sub2@atm_subs
  Circuit 1/4:1 vpi-vci 0 102
  Internal Circuit 1/4:1:63/1/2/24580
  Current port-limit unlimited
  profile silver (applied)
  dhcp max-addrs 10 (applied)
  ip interface silver (applied)
sub3@atm_subs
  Circuit 1/4:1 vpi-vci 0 103
  Internal Circuit 1/4:1:63/1/2/24581
  Current port-limit unlimited
  profile bronze (applied)
  dhcp max-addrs 10 (applied)
  ip interface bronze (applied)
The following example displays information about the DHCP hosts after they have been established on the
active subscriber circuits:
[atm_subs]Redback>show subscribers active
sub1@atm_subs
  Circuit 1/4:1 vpi-vci 0 101
  Internal Circuit 1/4:1:63/1/2/24579
  Current port-limit unlimited
  profile gold (applied)
  dhcp max-addrs 10 (applied)
  ip interface gold (applied)
  IP host entries installed by DHCP: (max_addr 10 cur_enties 10)
    120.1.1.199 00:dd:00:00:00:0a
    120.1.1.191 00:dd:00:00:00:09
    120.1.1.192 00:dd:00:00:00:08
    120.1.1.200 00:dd:00:00:00:07
    120.1.1.194 00:dd:00:00:00:05
    120.1.1.193 00:dd:00:00:00:06
    120.1.1.196 00:dd:00:00:00:03
    120.1.1.195 00:dd:00:00:00:04
    120.1.1.197 00:dd:00:00:00:02
    120.1.1.198 00:dd:00:00:00:01
sub2@atm_subs
  Circuit 1/4:1 vpi-vci 0 102
  Internal Circuit 1/4:1:63/1/2/24580
  Current port-limit unlimited
  profile silver (applied)
  dhcp max-addrs 10 (applied)
  ip interface silver (applied)
  IP host entries installed by DHCP: (max_addr 10 cur_enties 10)
    120.1.2.191 00:dd:00:00:00:14
    120.1.2.192 00:dd:00:00:00:13
    120.1.2.193 00:dd:00:00:00:12
    120.1.2.194 00:dd:00:00:00:11
    120.1.2.195 00:dd:00:00:00:10
    120.1.2.196 00:dd:00:00:00:0f
    120.1.2.197 00:dd:00:00:00:0e
    120.1.2.198 00:dd:00:00:00:0d
    120.1.2.199 00:dd:00:00:00:0c
    120.1.2.200 00:dd:00:00:00:0b
sub3@atm_subs
  Circuit 1/4:1 vpi-vci 0 103
  Internal Circuit 1/4:1:63/1/2/24581
  Current port-limit unlimited
  profile bronze (applied)
  dhcp max-addrs 10 (applied)
  ip interface bronze (applied)
  IP host entries installed by DHCP: (max_addr 10 cur_enties 10)
    120.1.3.191 00:dd:00:00:00:1e
    120.1.3.192 00:dd:00:00:00:1d
    120.1.3.193 00:dd:00:00:00:1c
    120.1.3.194 00:dd:00:00:00:1b
    120.1.3.195 00:dd:00:00:00:1a
    120.1.3.196 00:dd:00:00:00:19
    120.1.3.197 00:dd:00:00:00:18
    120.1.3.198 00:dd:00:00:00:17
    120.1.3.199 00:dd:00:00:00:16
    120.1.3.200 00:dd:00:00:00:15
The following example displays DHCP relay host information for this configuration:
[atm_subs]Redback>show dhcp relay hosts
Circuit              Host         Hardware address   Lease  Ttl   Timestamp                Relay/Proxy  Context
1/4:1 vpi-vci 0 101  120.1.1.198  00:dd:00:00:00:01  1800   1709  Thu Nov 8 09:16:21 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.197  00:dd:00:00:00:02  1800   1710  Thu Nov 8 09:16:22 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.195  00:dd:00:00:00:04  1800   1713  Thu Nov 8 09:16:24 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.196  00:dd:00:00:00:03  1800   1713  Thu Nov 8 09:16:24 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.193  00:dd:00:00:00:06  1800   1711  Thu Nov 8 09:16:22 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.194  00:dd:00:00:00:05  1800   1712  Thu Nov 8 09:16:23 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.200  00:dd:00:00:00:07  1800   1712  Thu Nov 8 09:16:23 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.192  00:dd:00:00:00:08  1800   1711  Thu Nov 8 09:16:22 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.191  00:dd:00:00:00:09  1800   1711  Thu Nov 8 09:16:22 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 101  120.1.1.199  00:dd:00:00:00:0a  1800   1711  Thu Nov 8 09:16:23 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.197  00:dd:00:00:00:0e  1800   1717  Thu Nov 8 09:16:28 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.200  00:dd:00:00:00:0b  1800   1713  Thu Nov 8 09:16:25 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.199  00:dd:00:00:00:0c  1800   1716  Thu Nov 8 09:16:28 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.198  00:dd:00:00:00:0d  1800   1716  Thu Nov 8 09:16:27 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.196  00:dd:00:00:00:0f  1800   1716  Thu Nov 8 09:16:27 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.195  00:dd:00:00:00:10  1800   1715  Thu Nov 8 09:16:27 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.194  00:dd:00:00:00:11  1800   1717  Thu Nov 8 09:16:28 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.193  00:dd:00:00:00:12  1800   1718  Thu Nov 8 09:16:29 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.192  00:dd:00:00:00:13  1800   1717  Thu Nov 8 09:16:29 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 102  120.1.2.191  00:dd:00:00:00:14  1800   1719  Thu Nov 8 09:16:30 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.200  00:dd:00:00:00:15  1800   1718  Thu Nov 8 09:16:30 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.199  00:dd:00:00:00:16  1800   1720  Thu Nov 8 09:16:32 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.198  00:dd:00:00:00:17  1800   1721  Thu Nov 8 09:16:32 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.197  00:dd:00:00:00:18  1800   1721  Thu Nov 8 09:16:32 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.196  00:dd:00:00:00:19  1800   1722  Thu Nov 8 09:16:33 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.195  00:dd:00:00:00:1a  1800   1723  Thu Nov 8 09:16:34 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.194  00:dd:00:00:00:1b  1800   1721  Thu Nov 8 09:16:33 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.193  00:dd:00:00:00:1c  1800   1722  Thu Nov 8 09:16:33 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.192  00:dd:00:00:00:1d  1800   1722  Thu Nov 8 09:16:33 2005  Proxy        atm_subs
1/4:1 vpi-vci 0 103  120.1.3.191  00:dd:00:00:00:1e  1800   1723  Thu Nov 8 09:16:34 2005  Proxy        atm_subs
Using RADIUS Authentication
The following example binds subscribers to DHCP interfaces, using the ip interface command (in
subscriber configuration mode) with RADIUS authentication:
[local]Redback(config)#context atm_subs
[local]Redback(config-ctx)#interface bronze multibind
[local]Redback(config-if)#ip address 120.1.3.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface gold multibind
[local]Redback(config-if)#ip address 120.1.1.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface silver multibind
[local]Redback(config-if)#ip address 120.1.2.1/24
[local]Redback(config-if)#dhcp proxy 100
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-linux-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-sms-server
[local]Redback(config-if)#ip address 100.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#radius server 108.1.1.157 key mpls4
[local]Redback(config-ctx)#radius max-retries 5
[local]Redback(config-ctx)#radius timeout 5
[local]Redback(config-ctx)#radius algorithm round-robin
[local]Redback(config-ctx)#radius accounting algorithm round-robin
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#aaa accounting subscriber radius
[local]Redback(config-ctx)#aaa accounting event dhcp
[local]Redback(config-ctx)#radius accounting server 108.1.1.157 key mpls4
[local]Redback(config-ctx)#subscriber profile gold
[local]Redback(config-sub)#ip interface name gold
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile silver
[local]Redback(config-sub)#ip interface name silver
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber profile bronze
[local]Redback(config-sub)#ip interface name bronze
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#dhcp relay server 108.1.1.157
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#card atm-oc3-4-port 1
[local]Redback(config)#port atm 1/4
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 101 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub1@atm_subs password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 102 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub2@atm_subs password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 103 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub3@atm_subs password test
The following example displays the RADIUS subscriber files:
sub1@atm_subs Password = "test"
    Service-Type = Framed-User,
    RB-IP-Interface-Name = gold,
    RB-DHCP-Max-Leases = 10,
    RB-Context-Name = atm_subs
sub2@atm_subs Password = "test"
    Service-Type = Framed-User,
    RB-IP-Interface-Name = silver,
    RB-DHCP-Max-Leases = 10,
    RB-Context-Name = atm_subs
sub3@atm_subs Password = "test"
    Service-Type = Framed-User,
    RB-IP-Interface-Name = bronze,
    RB-DHCP-Max-Leases = 10,
    RB-Context-Name = atm_subs
In the RADIUS dictionary, the relevant attribute is:
VENDORATTR 2352 RB-IP-Interface-Name 104 string
One of the sample Accounting-Alive packets with the RADIUS IP interface attribute is:
Code: Accounting-Request
Identifier: 38
Authentic: 'l<199>[<151><142><192>@<0><15><175>KCO}<163>
Attributes:
    User-Name = "sub3@atm_subs"
    Acct-Status-Type = Alive
    Acct-Session-Id = "0003003F3000601C-40757C65"
    Service-Type = Framed-User
    NAS-Identifier = "mpls4"
    NAS-Port = 17039424
    NAS-Port-Type = Sync
    NAS-Port-Id = "1/4 vpi-vci 0 103"
    Connect-Info = "a1"
    RB-Platform-ID = SmartEdge
    Acct-Authentic = RADIUS
    RB-IP-Interface-Name = "bronze"
    RB-DHCP-Max-Leases = 10
    Acct-Session-Time = 105
    Acct-Input-Packets = 32
    Acct-Output-Packets = 26
    Acct-Input-Octets = 7733
    Acct-Output-Octets = 5388
    Acct-Input-Gigawords = 0
    Acct-Output-Gigawords = 0
    RB-Acct-Input-Packets-64 = 0x20
    RB-Acct-Output-Packets-64 = 0x1a
    RB-Acct-Input-Octets-64 = 0x1e35
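The RB-IP-Interface-Name and RB-DHCP-Max-Leases values in the subscriber files and the accounting packet above travel on the wire as Redback vendor-specific attributes inside a standard RADIUS Vendor-Specific attribute (type 26). The following is an added example, not SmartEdge OS or any RADIUS server's code, that encodes and decodes those two VSAs; the vendor ID 2352 and the vendor types 104 (string) and 3 (integer) come from the page, and the attribute values and the sample Access-Accept attribute list are constructed.

```python
"""Encode and decode the Redback vendor-specific RADIUS attributes used above:
RB-IP-Interface-Name (VSA 104, string) and RB-DHCP-Max-Leases (VSA 3,
integer), carried in a Vendor-Specific attribute (type 26, RFC 2865) with the
vendor ID 2352 from the dictionary line above.

Added example, not SmartEdge OS or RADIUS server code. Values are constructed;
only the type numbers and the vendor ID come from the page.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26
REDBACK_VENDOR_ID = 2352
RB_DHCP_MAX_LEASES = 3
RB_IP_INTERFACE_NAME = 104
# A RADIUS attribute is at most 253 bytes; 4 go to the vendor ID and 2 to the
# vendor sub-attribute header, leaving this much for the value itself.
MAX_VALUE_LEN = 247
VSA_NAMES = {RB_DHCP_MAX_LEASES: "RB-DHCP-Max-Leases",
             RB_IP_INTERFACE_NAME: "RB-IP-Interface-Name"}


def encode_redback_vsa(vendor_type, value):
    """Return one Vendor-Specific attribute carrying one Redback sub-attribute."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("value must be int or str")
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    if len(data) > MAX_VALUE_LEN:
        raise ValueError("value too long for one attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", REDBACK_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(blob):
    """Yield (type, value) for each RADIUS attribute; reject malformed lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        yield atype, blob[i + 2:i + alen]
        i += alen


def decode_redback_vsas(blob):
    """Return {name: value} for the two Redback VSAs; other attributes are skipped."""
    out = {}
    for atype, value in iter_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != REDBACK_VENDOR_ID:
            continue                       # another vendor's VSA
        j = 4
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            data = value[j + 2:j + vlen]
            if vtype == RB_DHCP_MAX_LEASES:
                if len(data) != 4:
                    raise ValueError("integer VSA must be 4 bytes")
                out[VSA_NAMES[vtype]] = struct.unpack("!I", data)[0]
            elif vtype == RB_IP_INTERFACE_NAME:
                out[VSA_NAMES[vtype]] = data.decode("utf-8")
            j += vlen
    return out


def sample_reply_attributes():
    """Constructed Access-Accept attribute list for sub3@atm_subs above:
    Service-Type (6) = Framed-User (2), then the two Redback VSAs."""
    service_type = struct.pack("!BBI", 6, 6, 2)
    return (service_type
            + encode_redback_vsa(RB_IP_INTERFACE_NAME, "bronze")
            + encode_redback_vsa(RB_DHCP_MAX_LEASES, 10))


if __name__ == "__main__":
    print(sample_reply_attributes().hex())
    print(decode_redback_vsas(sample_reply_attributes()))
```

Decoding the constructed reply yields RB-IP-Interface-Name = bronze and RB-DHCP-Max-Leases = 10, the same pair the subscriber file for sub3@atm_subs carries; the length checks are what keep a truncated or oversized attribute from being read past its end.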
DHCP Proxy Through Dynamic Subscriber Bindings
The following example configures DHCP proxy through dynamic subscriber bindings:
[local]Redback(config)#context dyn-sub-bindings
[local]Redback(config-ctx)#interface dyn-sub-if multibind
[local]Redback(config-if)#ip address 100.1.1.1/24
[local]Redback(config-if)#dhcp proxy 251
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name sub21
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub22
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub23
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub24
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub25
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub101
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub102
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub103
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub104
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name sub105
[local]Redback(config-sub)#password test
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#dhcp relay server 108.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#atm profile a1
[local]Redback(config-atm-profile)#shaping ubr
[local]Redback(config-atm-profile)#exit
[local]Redback(config)#card atm-oc3-4-port 5
[local]Redback(config-card)#exit
[local]Redback(config)#port atm 5/2
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 101 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub101@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 102 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub102@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 103 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub103@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 104 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub104@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#atm pvc 0 105 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber sub105@subscriber password test
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface to-dhcp-server subscriber
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 21
[local]Redback(config-dot1q-pvc)#bind subscriber sub21@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 22
[local]Redback(config-dot1q-pvc)#bind subscriber sub22@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 23
[local]Redback(config-dot1q-pvc)#bind subscriber sub23@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 24
[local]Redback(config-dot1q-pvc)#bind subscriber sub24@subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 25
[local]Redback(config-dot1q-pvc)#bind subscriber sub25@subscriber
DHCP Proxy Through Static Interface Bindings
The following example configures DHCP proxy through static interface bindings:
[local]Redback(config)#context non-subscriber
[local]Redback(config-ctx)#interface non-subscriber multibind
[local]Redback(config-if)#ip address 100.1.1.1/16
[local]Redback(config-if)#dhcp proxy 1000
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface vlan.1 multibind
[local]Redback(config-if)#ip address 121.1.1.1/24
[local]Redback(config-if)#dhcp proxy 250
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface vlan.10 multibind
[local]Redback(config-if)#ip address 130.1.1.1/24
[local]Redback(config-if)#dhcp proxy 250
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#dhcp relay server 108.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#bind interface vlan.1 non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 10
[local]Redback(config-dot1q-pvc)#bind interface vlan.10 non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 11 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 12 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 13 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 14 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 15 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 16 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 17 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 18 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 19 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 20 encaps multi
[local]Redback(config-dot1q-pvc)#bind interface non-subscriber non-subscriber
DHCP Proxy Through RADIUS
The following example configures DHCP proxy through RADIUS:
[local]Redback(config)#no service multiple-contexts
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface loop1 loopback
[local]Redback(config-if)#ip address 11.200.1.1/32
[local]Redback(config-if)#ip source-address dhcp-server
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface subscriber multibind
[local]Redback(config-if)#ip address 100.1.0.1/16
[local]Redback(config-if)#dhcp proxy 50
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface to-cisco-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#radius server 108.1.1.157 key dhcp
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#dhcp relay server 108.1.1.156
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
[local]Redback(config-ctx)#exit
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
Configuration Examples
5-20 IP Services and Security Configuration Guide
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface to-cisco-dhcp-server local
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 1
[local]Redback(config-dot1q-pvc)#bind subscriber sub1@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 2
[local]Redback(config-dot1q-pvc)#bind subscriber sub2@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 3
[local]Redback(config-dot1q-pvc)#bind subscriber sub3@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 4
[local]Redback(config-dot1q-pvc)#bind subscriber sub4@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 5
[local]Redback(config-dot1q-pvc)#bind subscriber sub5@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 6
[local]Redback(config-dot1q-pvc)#bind subscriber sub6@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 7
[local]Redback(config-dot1q-pvc)#bind subscriber sub7@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 8
[local]Redback(config-dot1q-pvc)#bind subscriber sub8@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 9
[local]Redback(config-dot1q-pvc)#bind subscriber sub9@local password test
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-port)#dot1q pvc 10
[local]Redback(config-dot1q-pvc)#bind subscriber sub10@local password test
The following output displays sample content from the RADIUS server file used in this example:
sub1@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
sub2@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
sub3@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
sub4@local Password = "test"
    Service-Type = Framed-User,
    DHCP_Max_Leases = 1
Loopback Interface as DHCP Source Address
The following example shows that the IP address of the interface connected to the external DHCP server
is 108.1.1.1; however, a loopback interface is configured with another IP address, which is sent to the
DHCP server as the source IP address for DHCP packets:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface to-dhcp-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface loop1 loopback
[local]Redback(config-if)#ip address 11.200.1.1/32
[local]Redback(config-if)#ip source-address dhcp-server
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure DHCP features.
The commands are presented in alphabetical order:
allow-duplicate-mac
bootp-enable-auto
bootp-filename
bootp-siaddr
broadcast-discover
default-lease-time
dhcp max-addrs
dhcp proxy
dhcp relay
dhcp relay option
dhcp relay server
dhcp relay server retries
dhcp relay suppress-nak
dhcp server
dhcp server policy
forward-all
ip interface
mac-address
max-hops
max-lease-time
min-wait
offer-lease-time
option
option-82
range
rate-adjust dhcp pwfq
rate-limit dhcp
server-group
standby
subnet
threshold
user-class-id
vendor-class
vendor-class-id
allow-duplicate-mac
allow-duplicate-mac
no allow-duplicate-mac
Purpose
Allows Dynamic Host Configuration Protocol (DHCP) server subscribers and a clientless IP service selection
(CLIPS) subscriber to share the same medium access control (MAC) address.
Command Mode
DHCP server configuration
Syntax Description
This command has no keywords or arguments.
Default
Duplicate MAC addresses are not allowed.
Usage Guidelines
Use the allow-duplicate-mac command to allow DHCP server subscribers and a CLIPS subscriber to share
the same MAC address.
Use the no form of this command to specify the default condition.
Examples
The following example enables DHCP clients with the same MAC address to be assigned IP addresses on
different circuits for the DHCP internal server in the dhcp context:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#allow-duplicate-mac
Related Commands
None
bootp-enable-auto
bootp-enable-auto
no bootp-enable-auto
Purpose
Enables the assignment of IP addresses from subnet ranges.
Command Mode
DHCP server configuration
Syntax Description
This command has no keywords or arguments.
Default
The assignment of IP addresses from subnet ranges is not enabled.
Usage Guidelines
Use the bootp-enable-auto command to enable the assignment of IP addresses from subnet ranges.
If you do not enter this command, then you must enter the mac-address command (in DHCP subnet
configuration mode); it is required for the DHCP server to assign IP addresses for BOOTP clients. If you
enter this command, then you need not enter the mac-address command.
Use the no form of this command to specify the default condition.
Note The Bootstrap Protocol (BOOTP) allows certain systems to automatically discover network
configuration information and boot information. The Dynamic Host Configuration Protocol
(DHCP) is an extension of BOOTP that defines a protocol for passing configuration
information to hosts on a Transmission Control Protocol (TCP)/IP network. For more
information about BOOTP and DHCP, see RFC 2131, Dynamic Host Configuration Protocol.
Examples
The following example enables the assignment of IP addresses from subnet ranges to BOOTP clients for the
DHCP internal server in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#bootp-enable-auto
Related Commands
mac-address
bootp-filename
bootp-filename bootfile-name
no bootp-filename bootfile-name
Purpose
Specifies the filename of the boot loader image file.
Command Mode
DHCP server configuration
Syntax Description
bootfile-name Name of the boot loader image file.
Default
No boot loader image is specified.
Usage Guidelines
Use the bootp-filename command to specify the filename of the boot loader image file. The boot loader
image file is run when the system is reloaded or powered on.
Use the no form of this command to specify the default condition.
Note The Bootstrap Protocol (BOOTP) allows certain systems to automatically discover network
configuration information and boot information. The Dynamic Host Configuration Protocol
(DHCP) is an extension of BOOTP that defines a protocol for passing configuration
information to hosts on a Transmission Control Protocol (TCP)/IP network. For more
information about BOOTP and DHCP, see RFC 2131, Dynamic Host Configuration Protocol.
Examples
The following example specifies the boot loader image file for the SmartEdge router:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#bootp-filename of1267.bin
Related Commands
bootp-siaddr
bootp-siaddr
bootp-siaddr ip-addr
no bootp-siaddr ip-addr
Purpose
Specifies the IP address that the boot loader client uses to download the boot loader image file.
Command Mode
DHCP server configuration
Syntax Description
ip-addr IP address the boot loader client uses.
Default
No IP address is specified.
Usage Guidelines
Use the bootp-siaddr command to specify the IP address that the boot loader client uses to download the
boot loader image file.
Use the no form of this command to specify the default condition.
Note The Bootstrap Protocol (BOOTP) allows certain systems to automatically discover network
configuration information and boot information. The Dynamic Host Configuration Protocol
(DHCP) is an extension of BOOTP that defines a protocol for passing configuration
information to hosts on a Transmission Control Protocol (TCP)/IP network. The server's IP
address (SIADDR) field in the DHCP packet specifies the address of the server to use in the
next step of the client's bootstrap process. For more information about BOOTP, DHCP, and
SIADDR, see RFC 2131, Dynamic Host Configuration Protocol.
Examples
The following example specifies the IP address for the SmartEdge router with the boot loader image file:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#bootp-siaddr 200.1.1.0
Related Commands
bootp-filename
broadcast-discover
broadcast-discover
no broadcast-discover
Purpose
Sends Dynamic Host Configuration Protocol (DHCP) discover packets to other configured servers in a
DHCP server group.
Command Mode
DHCP relay server configuration
Syntax Description
This command has no keywords or arguments.
Default
The DHCP client sends discover packets only to the DHCP server in the server group that last responded
to the client.
Usage Guidelines
Use the broadcast-discover command to send DHCP discover packets to other configured servers in a
DHCP server group.
The DHCP relay server always sends initial DHCP discover packets to all DHCP servers in a DHCP server
group. By default, it sends subsequent discover packets only to the server that last responded. Servers
configured with this command also receive subsequent DHCP discover packets from all clients that have
existing sessions with other servers in the group. If the server that last responded to the client is unavailable,
another server in the group can respond.
Use the no form of this command to revert to the default behavior.
Examples
The following example configures the DHCP relay server, corp1, to send DHCP discover packets to all
configured servers in the DHCP server group:
[local]Redback(config-ctx)#dhcp relay server corp1
[local]Redback(config-dhcp-relay)#broadcast-discover
Related Commands
dhcp relay server
forward-all
default-lease-time
default-lease-time seconds
no default-lease-time
Purpose
Specifies the default lease time for this Dynamic Host Configuration Protocol (DHCP) server or one of its
subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
seconds Length of time for the default lease. The range of values is 900 (15 minutes) to
31,536,000 (one year).
Default
The default length of time is two hours.
Usage Guidelines
Use the default-lease-time command to specify the default lease time for the DHCP server or one of its
subnets. In DHCP server configuration mode, this command specifies the default lease time for all subnets;
in DHCP subnet configuration mode, it specifies the default lease time for that subnet. The value you
specify for a subnet overrides the global value for the server.
Use the no form of this command to specify the default value.
Examples
The following example specifies a default lease time of 4 hours (14,400 seconds) for the DHCP server and
all its subnets:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#default-lease-time 14400
Related Commands
max-lease-time
offer-lease-time
subnet
threshold
dhcp max-addrs
dhcp max-addrs max-sub-addrs
no dhcp max-addrs
Purpose
Indicates that associated hosts are to use Dynamic Host Configuration Protocol (DHCP) to dynamically
acquire address information for the subscriber's circuit, and sets a maximum number of IP addresses that
the SmartEdge OS expects the external DHCP server to assign to hosts associated with the circuit.
Command Mode
subscriber configuration
Syntax Description
max-sub-addrs Maximum number of unique IP addresses the SmartEdge OS expects the external
DHCP server to assign to hosts associated with a given subscriber circuit. The range of
values is 1 to 100.
For dynamic clientless IP service selection (CLIPS) subscribers, the value for the
max-sub-addrs argument must be 1.
Default
None
Usage Guidelines
Use the dhcp max-addrs command to indicate that associated hosts are to use DHCP to dynamically
acquire address information for the subscriber's circuit, and to set a maximum number of IP addresses that
the SmartEdge OS expects the external DHCP server to assign to hosts associated with the circuit.
For non-CLIPS subscribers, the SmartEdge OS deducts the value of the max-sub-addrs argument from the
value for the max-dhcp-addrs argument that you configured for a DHCP proxy or DHCP relay interface,
using the dhcp proxy or dhcp relay commands (in interface configuration mode), available at the time a
subscriber is bound to a circuit. When the value for the max-dhcp-addrs argument for a DHCP proxy or
DHCP relay interface reaches 0, that interface is no longer available for subscriber bindings.
For dynamic CLIPS subscribers, you must configure the subscriber record or profile with no IP address and
specify 1 as the value for the max-sub-addrs argument; for information about CLIPS, see the CLIPS
Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Use the no form of this command to disable the use of DHCP for the subscriber's circuit.
Note If you configure a subscriber record with a dhcp max-addrs command and with one or more
static IP host addresses, using the ip address command (in interface configuration mode), the
static IP addresses always take precedence; the associated circuit is bound to an interface on
the basis of the static IP addresses. If you configure the record with a dhcp max-addrs
command, and you do not configure any static addresses for it, the associated circuit is bound
to the first available interface with capacity for this subscriber.
Examples
The following example configures the subscriber, dhcp-test, to expect a total of 8 IP addresses that can
be assigned at any time:
[local]Redback(config-ctx)#subscriber name dhcp-test
[local]Redback(config-sub)#dhcp max-addrs 8
Related Commands
dhcp proxy
dhcp relay
dhcp relay server
dhcp proxy
dhcp proxy max-dhcp-addrs [server-group name]
no dhcp proxy
Purpose
Enables this interface to act as proxy between subscribers and an external Dynamic Host Configuration
Protocol (DHCP) server, and access DHCP giaddr configuration mode.
Command Mode
interface configuration
Syntax Description
max-dhcp-addrs Maximum number of IP addresses available on the interface. The range of values
is 1 to 65,535.
server-group name Optional. DHCP server group. Forwards all DHCP requests received on the
interface to all DHCP servers in the specified server group.
Default
DHCP proxy is disabled.
Usage Guidelines
Use the dhcp proxy command to enable this interface to act as a proxy between subscribers and an external
DHCP server, and access DHCP giaddr configuration mode.
When you enable DHCP proxy, the interface relays all DHCP packets, including the release and renewal
of IP addresses for subscriber sessions, between the DHCP server and the subscriber. To the subscriber, the
SmartEdge router appears to be the DHCP server.
The SmartEdge OS uses the value for the max-dhcp-addrs argument to load balance between IP addresses
from multiple pools. When you configure the SmartEdge OS for subscriber DHCP proxy, the value of the
max-dhcp-addrs argument indicates the total number of subscriber requests that will be forwarded on the
interface.
The SmartEdge OS deducts the max-sub-addrs value for the dhcp max-addrs command (in subscriber
configuration mode) from the current value for the max-dhcp-addrs argument for the DHCP proxy interface at
the time a subscriber is bound to a circuit using that interface. When the value of max-dhcp-addrs for a
DHCP proxy interface reaches 0, that interface is no longer available for subscriber bindings.
Use the no form of this command to disable DHCP proxy on the interface.
Note You can configure an interface to act as either a DHCP relay or a DHCP proxy; the dhcp relay
and dhcp proxy commands are mutually exclusive.
Note For the dhcp proxy command to take effect, you must configure an external DHCP server,
using the dhcp relay server command in the context in which the interface is configured.
Examples
The following example enables the proxy1 interface to act as a DHCP proxy for the DHCP server at
IP address 10.30.40.50:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#interface proxy1
[local]Redback(config-if)#ip address 10.1.2.3 255.255.255.0
[local]Redback(config-if)#dhcp proxy 253
Related Commands
dhcp max-addrs
dhcp relay
dhcp relay server
dhcp relay
dhcp relay max-dhcp-addrs [server-group group-name]
no dhcp relay
Purpose
Enables this interface to relay Dynamic Host Configuration Protocol (DHCP) messages to an external
DHCP server, and access DHCP giaddr configuration mode.
Command Mode
interface configuration
Syntax Description
max-dhcp-addrs Maximum number of IP addresses available on the interface. The range
of values is 0 to 65,535.
server-group group-name Optional. DHCP server group. Forwards all DHCP requests received on
the interface to all DHCP servers in the specified server group.
Default
DHCP relay is disabled.
Usage Guidelines
Use the dhcp relay command to enable this interface to relay DHCP messages to an external DHCP server,
and access DHCP giaddr configuration mode.
The SmartEdge OS uses the value for the max-dhcp-addrs argument to load balance between IP addresses
from multiple pools. When you configure the SmartEdge OS for subscriber DHCP relay, the value of the
max-dhcp-addrs argument indicates the total number of subscriber requests that can be forwarded on the
interface.
The value of the max-sub-addrs argument for the dhcp max-addrs command (in subscriber configuration
mode) is deducted from the max-dhcp-addrs value configured for a DHCP relay interface available at the
time a subscriber is bound to a circuit on that interface. When the value of max-dhcp-addrs for a DHCP
relay interface reaches 0, that interface is no longer available for subscriber bindings.
Use the no form of this command to disable DHCP relay on the interface.
Note You can configure an interface to act as either a DHCP relay or a DHCP proxy; the dhcp relay
and dhcp proxy commands are mutually exclusive.
Note For the dhcp relay command to take effect, you must configure an external DHCP server,
using the dhcp relay server command in the context in which the interface is configured.
Examples
The following example enables DHCP relay on interface eth1, which is configured with a total of 253 IP
addresses that can be allocated by the DHCP server at any time from the 10.1.1.0 subnet:
[local]Redback(config-ctx)#interface eth1
[local]Redback(config-if)#ip address 10.1.1.0 255.255.255.0
[local]Redback(config-if)#dhcp relay 253
[local]Redback(config-dhcp-giaddr)#
Related Commands
dhcp max-addrs
dhcp proxy
dhcp relay server
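The dhcp max-addrs, dhcp proxy and dhcp relay descriptions above all describe the same accounting: each binding deducts the subscriber's max-sub-addrs from the interface's remaining max-dhcp-addrs, an interface at 0 accepts no further bindings, and a circuit without static hosts goes to the first interface with capacity. The following Python model is an added illustration of that rule for capacity planning, not SmartEdge OS code; interface and subscriber names are constructed, and the reading that "capacity for this subscriber" means the remaining budget must cover the whole max-sub-addrs value is this model's assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DhcpInterface:
    """An interface configured with 'dhcp relay N' or 'dhcp proxy N' (N = max-dhcp-addrs)."""
    name: str
    max_dhcp_addrs: int                       # remaining budget; reduced on each binding
    bound: List[str] = field(default_factory=list)

    @property
    def available(self) -> bool:
        # Once max-dhcp-addrs reaches 0 the interface takes no further subscriber bindings.
        return self.max_dhcp_addrs > 0


@dataclass
class Subscriber:
    """A subscriber record: 'dhcp max-addrs N' (1..100) plus any static 'ip address' hosts."""
    name: str
    max_sub_addrs: int
    static_addrs: tuple = ()


class Context:
    """The DHCP relay/proxy interfaces of one context, in configuration order (constructed)."""

    def __init__(self, interfaces: List[DhcpInterface]):
        self.interfaces = list(interfaces)

    def bind(self, sub: Subscriber) -> Optional[str]:
        """Bind a subscriber circuit and return the name of the interface chosen.

        Static IP hosts take precedence: the circuit is bound on the basis of those
        addresses and no DHCP budget is consumed ("static" is returned as a marker,
        since the selection among static addresses is outside this section).
        Otherwise the circuit goes to the first available interface whose remaining
        max-dhcp-addrs can absorb max-sub-addrs (assumption), which is then deducted.
        None means no interface in the context has capacity left for this subscriber.
        """
        if sub.static_addrs:
            return "static"
        if not 1 <= sub.max_sub_addrs <= 100:
            raise ValueError("dhcp max-addrs accepts 1 to 100")
        for intf in self.interfaces:
            if intf.available and intf.max_dhcp_addrs >= sub.max_sub_addrs:
                intf.max_dhcp_addrs -= sub.max_sub_addrs
                intf.bound.append(sub.name)
                return intf.name
        return None

    def remaining(self) -> Dict[str, int]:
        """Remaining max-dhcp-addrs per interface, for a capacity audit."""
        return {i.name: i.max_dhcp_addrs for i in self.interfaces}


def bind_all(ctx: Context, subs: List[Subscriber]) -> Dict[str, Optional[str]]:
    """Bind subscribers in order; map each name to its interface (None = no capacity)."""
    return {s.name: ctx.bind(s) for s in subs}


if __name__ == "__main__":
    # Constructed scenario: 'dhcp proxy 10' on proxy1 and 'dhcp relay 5' on eth1.
    ctx = Context([DhcpInterface("proxy1", 10), DhcpInterface("eth1", 5)])
    subs = [Subscriber("a", 8), Subscriber("b", 3), Subscriber("c", 2), Subscriber("d", 3)]
    print(bind_all(ctx, subs))   # 'd' gets None: proxy1 is at 0 and eth1 has only 2 left
    print(ctx.remaining())
```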
dhcp relay option
dhcp relay option [hostname [separator character]]
no dhcp relay option [hostname [separator character]]
Purpose
Enables the sending of Dynamic Host Configuration Protocol (DHCP) options in DHCP packets relayed
by the interfaces in the specified context.
Command Mode
context configuration
Syntax Description
hostname Optional. Prepends the SmartEdge router hostname to the agent circuit id
field of DHCP option 82. The SmartEdge OS uses the hostname that you
have configured using the system hostname command (in context
configuration mode). If you have not configured the hostname, the
SmartEdge OS uses the default hostname of Redback.
separator character Optional. Character that separates the elements of the attribute string.
Changes the character that separates the hostname from the circuit id field of
DHCP option 82. The default separator character is the colon (:).
Default
DHCP options are not sent.
Usage Guidelines
Use the dhcp relay option command to enable the sending of DHCP options in all DHCP packets that are
relayed by the interfaces in the specified context.
On some networks, DHCP is used to dynamically configure IP address information for subscriber hosts.
The SmartEdge router can act as a relay or as a proxy for DHCP servers. DHCP is typically used with
RFC 1483 bridge-encapsulated circuits, as opposed to Point-to-Point Protocol (PPP) circuits.
The SmartEdge OS can use DHCP relay options to help track DHCP requests. Some options can also
enhance the DHCP server's function. The DHCP relay options are described in RFC 3046, DHCP Relay
Agent Information Option.
In order for relay options to take effect, you must enable DHCP relay for the context, using the
dhcp relay server command (in context configuration mode), and for an interface, using the dhcp relay
or dhcp proxy command (in interface configuration mode). You must also configure subscriber records,
using the dhcp max-addrs command (in subscriber configuration mode) to indicate that associated hosts
are to use DHCP relay to dynamically acquire address information.
Use the no form of this command to disable the sending of DHCP options.
Examples
The following example enables the sending of DHCP relay options:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option
The following example prepends the system hostname, SE800, to the agent circuit id field of DHCP option
82 and, by default, uses the colon (:) to separate the hostname from the circuit id field:
[local]Redback(config)#server hostname SE800
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp relay server 108.1.1.157
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#dhcp relay option hostname
The DHCP server's lease log for this configuration would be similar to the following example:
lease 120.1.3.191 {
  starts 2 2005/11/08 10:05:21;
  ends 2 2005/11/08 10:35:21;
  binding state active
  next binding state free
  hardware ethernet 00:dd:00:00:00:1e;
  uid \001\006\000\335\000\000\000\036;
  option agent.circuit-id SE800:1/4 vpi-vci 0 103;
}
Related Commands
dhcp proxy
dhcp relay
dhcp relay server
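The lease log above shows the agent circuit id the relay inserts: the router hostname, the separator (colon by default) and the circuit id. The following Python parser is an added example for tracing a leased address back to its access circuit from such a log, and for spotting leases that carry no relay tag at all; it is not SmartEdge OS or DHCP server code. The sample lease text is constructed after the excerpt above (the second and third leases are made up to show the missing-hostname and missing-option cases), and the lease file format assumed is the brace-delimited one shown there.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the lease log excerpt above (not a real capture).
SAMPLE_LEASES = """\
lease 120.1.3.191 {
  starts 2 2005/11/08 10:05:21;
  ends 2 2005/11/08 10:35:21;
  binding state active;
  hardware ethernet 00:dd:00:00:00:1e;
  option agent.circuit-id SE800:1/4 vpi-vci 0 103;
}
lease 120.1.3.192 {
  starts 2 2005/11/08 10:07:02;
  ends 2 2005/11/08 10:37:02;
  binding state active;
  hardware ethernet 00:dd:00:00:00:1f;
  option agent.circuit-id 1/4 vpi-vci 0 104;
}
lease 120.1.3.193 {
  starts 2 2005/11/08 10:09:45;
  ends 2 2005/11/08 10:39:45;
  binding state active;
  hardware ethernet 00:dd:00:00:00:20;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
CIRCUIT_RE = re.compile(r"option\s+agent\.circuit-id\s+(.+?)\s*;")


def split_circuit_id(value: str, separator: str = ":") -> Tuple[Optional[str], str]:
    """Split '<hostname><separator><circuit-id>' into (hostname, circuit_id).

    Only the first separator counts: the relay prepends exactly one hostname, while
    the circuit id itself may contain the separator character. If the separator is
    absent, the whole value is a bare circuit id and the hostname is None.
    """
    head, sep, tail = value.partition(separator)
    if not sep:
        return None, value
    return head, tail


def parse_leases(text: str, separator: str = ":") -> List[Dict[str, Optional[str]]]:
    """One record per lease: ip, mac, hostname and circuit_id (None when absent)."""
    records = []
    for ip, body in LEASE_RE.findall(text):
        hw = HW_RE.search(body)
        circuit = CIRCUIT_RE.search(body)
        hostname, circuit_id = None, None
        if circuit:
            hostname, circuit_id = split_circuit_id(circuit.group(1), separator)
        records.append({
            "ip": ip,
            "mac": hw.group(1).lower() if hw else None,
            "hostname": hostname,
            "circuit_id": circuit_id,
        })
    return records


def untagged_leases(records, expected_hostname: Optional[str] = None):
    """Leases that lack the tag a 'dhcp relay option hostname' deployment always
    produces: no option 82 at all, no hostname prefix, or an unexpected hostname.
    Such a lease was not relayed by the configured router and merits a look."""
    out = []
    for r in records:
        if r["circuit_id"] is None or r["hostname"] is None:
            out.append(r)
        elif expected_hostname is not None and r["hostname"] != expected_hostname:
            out.append(r)
    return out


def leases_by_circuit(records) -> Dict[str, List[str]]:
    """Index leased addresses by 'hostname:circuit' so an IP address can be traced to
    the access circuit it was issued on, the tracking use the guide describes."""
    index: Dict[str, List[str]] = {}
    for r in records:
        if r["circuit_id"] is None:
            continue
        key = f"{r['hostname']}:{r['circuit_id']}" if r["hostname"] else r["circuit_id"]
        index.setdefault(key, []).append(r["ip"])
    return index


if __name__ == "__main__":
    recs = parse_leases(SAMPLE_LEASES)
    print(leases_by_circuit(recs))
    print([r["ip"] for r in untagged_leases(recs, expected_hostname="SE800")])
```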
dhcp relay server
dhcp relay server {ip-addr | hostname} [max-hops count] [min-wait interval]
no dhcp relay server {ip-addr | hostname} [max-hops count] [min-wait interval]
Purpose
Configures an external Dynamic Host Configuration Protocol (DHCP) server and enters DHCP relay server
configuration mode.
Command Mode
context configuration
Syntax Description
ip-addr IP address of the DHCP server.
hostname Hostname of the DHCP server.
max-hops count Optional. Maximum number of hops allowed for requests. The range of
values for the count argument is 1 to 16.
min-wait interval Optional. Minimum time, in seconds, to wait before forwarding requests to
the DHCP server. The range of values for the interval argument is 0 to 60.
Default
Disabled
Usage Guidelines
Use the dhcp relay server command to configure an external DHCP server and enter DHCP relay server
configuration mode. You can configure up to five external DHCP servers in each context.
If you have configured Remote Authentication Dial-In User Service (RADIUS) authentication, the
SmartEdge OS sends an accounting record to RADIUS every time DHCP assigns or releases an IP address.
To indicate that associated hosts are to use DHCP relay to dynamically acquire address information, you
must configure the subscriber default profile, a named profile, or subscriber records with the
dhcp max-addrs command (in subscriber configuration mode).
Use the no form of this command to disable the DHCP server.
Note For the dhcp relay server command to take effect, you must also enable DHCP relay or
DHCP proxy on an interface in the same context, using the dhcp proxy or dhcp relay
command (in interface configuration mode).
Examples
The following example configures an external DHCP server at IP address 10.30.40.50, and enters
DHCP relay server configuration mode:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#
Related Commands
broadcast-discover
dhcp max-addrs
dhcp proxy
dhcp relay
dhcp relay server retries
max-hops
min-wait
server-group
standby
dhcp relay server retries
dhcp relay server retries count timeout interval
no dhcp relay server retries count timeout interval
Purpose
Specifies the number of attempts and the interval to wait for each attempt when trying to reach an external
Dynamic Host Configuration Protocol (DHCP) server before it is marked unreachable.
Command Mode
context configuration
Syntax Description
count Maximum consecutive number of times to attempt reaching the DHCP
server; the default value is 3.
timeout interval Interval, in seconds, to wait for a reply after a DHCP request packet is sent.
The default value for the interval argument is 30.
Default
Up to three attempts are made to reach a DHCP server, with a wait interval of 30 seconds for each attempt.
Usage Guidelines
Use the dhcp relay server retries command to specify the number of attempts and the interval to wait for
each attempt when trying to reach an external DHCP server before it is marked unreachable.
If the interval expires without receiving a reply from the DHCP server, another DHCP request is sent to the
DHCP server until the maximum consecutive number of attempts has been reached. If the interval expires
after the last attempt without reaching the DHCP server, then the DHCP server is marked unreachable.
Use the no form of this command to specify the default conditions.
Examples
The following example configures the SmartEdge router to make up to 5 attempts to reach a DHCP server,
with a wait interval of 15 seconds for each attempt:
[local]Redback(config-ctx)#dhcp relay server retries 5 timeout 15
[local]Redback(config-ctx)#
Related Commands
dhcp relay server
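The broadcast-discover and dhcp relay server retries descriptions together define how the relay chooses which servers in a group receive a client's discover and when a silent server is declared unreachable. The following Python state model is an added illustration of those two rules, not SmartEdge OS code; server and client names are constructed, and two points the section leaves open are handled as labelled assumptions: a last responder that has become unreachable causes fallback to every reachable server, and recovery of an unreachable server is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RelayServer:
    """One 'dhcp relay server' entry in a server group."""
    name: str
    broadcast_discover: bool = False   # 'broadcast-discover' configured under this server
    reachable: bool = True
    failed_attempts: int = 0           # consecutive timeouts since the last reply


class RelayServerGroup:
    """Relay behaviour toward one DHCP server group in a context.

    retries and timeout are the 'dhcp relay server retries <count> timeout <interval>'
    values (defaults 3 attempts and 30 seconds). Once a server is marked unreachable
    it stays that way in this model; the section does not describe recovery.
    """

    def __init__(self, names: List[str], retries: int = 3, timeout: int = 30):
        self.servers: Dict[str, RelayServer] = {n: RelayServer(n) for n in names}
        self.retries = retries
        self.timeout = timeout
        self.last_responder: Dict[str, str] = {}   # client id -> server that answered last

    @property
    def seconds_to_unreachable(self) -> int:
        """Worst-case wait before a silent server is declared unreachable:
        count attempts, each waiting the full interval."""
        return self.retries * self.timeout

    def set_broadcast_discover(self, name: str, enabled: bool = True) -> None:
        self.servers[name].broadcast_discover = enabled

    def discover_targets(self, client: str) -> List[str]:
        """Servers that receive this client's DHCPDISCOVER, in group order.

        Initial discover: every reachable server in the group. Subsequent discovers:
        only the server that last responded, plus every server configured with
        broadcast-discover. Assumption: if the last responder is itself unreachable,
        fall back to all reachable servers so that another one can respond.
        """
        reachable = [s for s in self.servers.values() if s.reachable]
        last = self.last_responder.get(client)
        if last is None or not self.servers[last].reachable:
            return [s.name for s in reachable]
        return [s.name for s in reachable if s.name == last or s.broadcast_discover]

    def on_reply(self, client: str, server: str) -> None:
        """A reply arrived: remember the responder and clear its failure count."""
        self.servers[server].failed_attempts = 0
        self.last_responder[client] = server

    def on_timeout(self, server: str) -> bool:
        """The wait interval expired without a reply. Returns True while another
        attempt will be made, False once the server is marked unreachable
        (the interval expired after the last permitted attempt)."""
        srv = self.servers[server]
        srv.failed_attempts += 1
        if srv.failed_attempts >= self.retries:
            srv.reachable = False
            return False
        return True


if __name__ == "__main__":
    # Constructed scenario matching the examples above: 'retries 5 timeout 15'.
    group = RelayServerGroup(["corp1", "corp2"], retries=5, timeout=15)
    print(group.discover_targets("client-a"))          # initial: both servers
    group.on_reply("client-a", "corp2")
    print(group.discover_targets("client-a"))          # subsequent: corp2 only
    group.set_broadcast_discover("corp1")
    print(group.discover_targets("client-a"))          # corp1 added back
    print(group.seconds_to_unreachable)                # 75
```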
dhcp relay suppress-nak
dhcp relay suppress-nak
no dhcp relay suppress-nak
Purpose
Disables the sending of a DHCPNAK message when the SmartEdge OS receives a DHCPREQUEST
message for which it does not have an entry.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
A DHCPNAK message is always sent.
Usage Guidelines
Use the dhcp relay suppress-nak command to disable the sending of a DHCPNAK message when the
SmartEdge OS receives a DHCPREQUEST message for which it does not have an entry. In this case, the
request is dropped.
Use the no form of this command to enable the default condition.
Examples
The following example disables the sending of a DHCPNAK message:
[local]Redback(config-ctx)#dhcp relay suppress-nak
Related Commands
None
dhcp server
dhcp server {interface | ip-addr}
no dhcp server {interface | ip-addr}
Purpose
Enables this interface for internal Dynamic Host Configuration Protocol (DHCP) server support and
assigns the IP address to be used for this support.
Command Mode
interface configuration
Syntax Description
interface Assigns the primary IP address of the interface to the DHCP server.
ip-addr One of the secondary IP addresses assigned to the interface.
Default
No internal DHCP servers are created.
Usage Guidelines
Use the dhcp server command to enable this interface for internal DHCP server support and assign the IP
address to be used for this support.
For information about the context command (in global configuration mode), the interface command (in
context configuration mode), and the ip address command (in interface configuration mode), see the
Context Configuration and Interface Configuration chapters, respectively, in the Basic System
Configuration Guide for the SmartEdge OS.
Use the no form of this command to delete the internal DHCP server.
Note The actual choice of an IP address for the internal DHCP server is made by authentication,
authorization, and accounting (AAA), subject to any static mappings, subnets, and ranges that
you have configured for the server.
Note IP pools on an interface can be used to provide addresses for the DHCP server. If there is no
range of values specified on a DHCP subnet, the DHCP server takes the IP addresses from the
IP pool defined in the interface command. This IP pool can also be used by the DHCP server
and PPP subscribers on the same interface.
Examples
The following example creates an internal DHCP server using the secondary IP address for the dhcp-if
interface in the dhcp context:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#interface dhcp-if multibind
[local]Redback(config-if)#ip address 12.1.1.1/24
[local]Redback(config-if)#ip address 13.1.1.1/24 secondary
[local]Redback(config-if)#dhcp server 13.1.1.1
Related Commands
dhcp server policy
dhcp server policy
dhcp server policy
no dhcp server policy
Purpose
Enables internal Dynamic Host Configuration Protocol (DHCP) server functions in this context and
accesses DHCP server configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
Internal DHCP server functions are disabled for this context.
Usage Guidelines
Use the dhcp server policy command to enable internal DHCP server functions in this context and access
DHCP server configuration mode.
Use the no form of this command to disable internal DHCP server functions.
Examples
The following example enables DHCP server functions in the dhcp context:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#
Note IP pools on an interface can be used to provide addresses for the DHCP server. If there is no
range of values specified on a DHCP subnet, the DHCP server takes the IP addresses from the
IP pool defined in the interface command. This IP pool can also be used by the DHCP server
and PPP subscribers on the same interface.
Related Commands
dhcp server
forward-all
forward-all
no forward-all
Purpose
Forwards packets to all other external Dynamic Host Configuration Protocol (DHCP) servers in a DHCP
server group.
Command Mode
DHCP relay server configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets are not forwarded to the other DHCP servers in the DHCP server group.
Usage Guidelines
When a DHCP server is unreachable, DHCP request packets can be forwarded to all other DHCP servers
in its DHCP server group. Use the forward-all command to forward packets to all other DHCP servers in
a server group.
Use the no form of this command to disable the forward-all option.
Examples
The following example forwards packets to all other DHCP servers in the DHCP server group int-grp
when the DHCP server 10.30.40.50 is unreachable:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#server-group int-grp
[local]Redback(config-dhcp-relay)#forward-all
Note When the DHCP server is unreachable, you can either forward packets to all other DHCP
servers in its DHCP server group or forward packets to its standby DHCP server, but not both;
the forward-all and standby commands are mutually exclusive.
Related Commands
broadcast-discover
dhcp relay server
server-group
standby
ip interface
ip interface name if-name
no ip interface name if-name
Purpose
Configures hosts to use a specific Dynamic Host Configuration Protocol (DHCP) interface to acquire
address information for a subscriber's circuit.
Command Mode
subscriber configuration
Syntax Description
name if-name DHCP interface name.
Default
The subscriber is bound to the first available DHCP interface.
Usage Guidelines
Use the ip interface command to configure hosts to use a specific DHCP interface to acquire address
information for a subscriber's circuit.
You must enable the specified interface for DHCP proxy or DHCP relay using the dhcp proxy or
dhcp relay command (in interface configuration mode), respectively.
You must use the dhcp max-addr command (in subscriber configuration mode) to enable hosts to acquire
address information for the subscriber's circuit.
Use the no form of this command to restore the default condition where the subscriber is bound to the first
available DHCP interface.
Examples
The following example creates an interface and specifies that hosts use the DHCP if-dhcp interface to
acquire address information for the circuit used by the sub-dhcp subscriber:
[local]Redback(config-ctx)#interface name if-dhcp
[local]Redback(config-if)#ip address 10.1.1.1 255.255.255.0
[local]Redback(config-if)#dhcp relay
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name sub-dhcp
[local]Redback(config-sub)#dhcp max-addr 3
[local]Redback(config-sub)#ip interface name if-dhcp
Related Commands
None
mac-address
mac-address mac-addr ip-address ip-addr
no mac-address mac-addr ip-address ip-addr
Purpose
Creates a static mapping between a medium access control (MAC) address and an IP address in this subnet.
Command Mode
DHCP subnet configuration
Syntax Description
mac-addr MAC address for the subnet.
ip-address ip-addr IP address to which the MAC address is to be mapped.
Default
No mapping exists between the MAC address and an IP address.
Usage Guidelines
Use the mac-address command to create a static mapping between a MAC address and an IP address in
this subnet.
The value for the ip-addr argument must be an IP address within this subnet, but not within any range of
IP addresses that you have specified using the range command (in DHCP subnet configuration mode).
Use the no form of this command to specify the default condition.
Examples
The following example creates a static mapping between a MAC address and an IP address:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 12.1.1.0/24 name sub2
[local]Redback(config-dhcp-subnet)#range 12.1.1.50 12.1.1.100
[local]Redback(config-dhcp-subnet)#mac-address 02:12:34:56:78:90 ip-address 12.1.1.10
Related Commands
range
subnet
max-hops
max-hops count
{no | default} max-hops count
Purpose
Configures the maximum hop count allowed for Dynamic Host Configuration Protocol (DHCP) requests.
Command Mode
DHCP relay server configuration
Syntax Description
count Hop count. The range of values is 1 to 16.
Default
The maximum hop count is four.
Usage Guidelines
Use the max-hops command to configure the maximum hop count allowed for DHCP requests.
Use the no or default form of this command to return to the default DHCP relay server maximum hop count
of four.
Examples
The following example configures a maximum of 12 hops allowed for DHCP requests to the DHCP server
10.30.40.50:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#max-hops 12
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp max-addrs
dhcp proxy
dhcp relay
dhcp relay server
forward-all
min-wait
server-group
standby
max-lease-time
max-lease-time seconds
no max-lease-time seconds
Purpose
Specifies the maximum allowed time for the lease for this internal Dynamic Host Configuration Protocol
(DHCP) server or one of its subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
seconds Maximum allowed time for the lease (in seconds). The range of values is 900
(15 minutes) to 31,536,000 (one year).
Default
The maximum lease time is 24 hours.
Usage Guidelines
Use the max-lease-time command to specify the maximum allowed lease time for this internal DHCP
server or one of its subnets. Enter this command in DHCP server configuration mode to specify the
maximum allowed lease time for all subnets; enter it in DHCP subnet configuration mode to specify the
maximum allowed lease time for that subnet. The value that you specify for a subnet overrides the global
value for the server.
Use the no form of this command to specify the default value for the maximum allowed lease time.
Examples
The following example specifies a maximum allowed lease time of 48 hours (172800 seconds) for the DHCP
server and all its subnets:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#max-lease-time 172800
Related Commands
default-lease-time
offer-lease-time
subnet
threshold
min-wait
min-wait interval
{no | default} min-wait interval
Purpose
Configures the interval, in seconds, to wait before forwarding requests to the Dynamic Host Configuration
Protocol (DHCP) server.
Command Mode
DHCP relay server configuration
Syntax Description
interval Wait interval in seconds. The range of values is 0 to 60.
Default
The wait interval is 0 seconds.
Usage Guidelines
Use the min-wait command to configure the interval, in seconds, to wait before forwarding requests to the
DHCP server.
Use the no or default form of this command to return to the default DHCP relay server minimum wait
interval of 0 seconds.
Examples
The following example configures a wait interval of 45 seconds for the DHCP relay server 10.30.40.50:
[local]Redback(config-ctx)#dhcp relay server 10.30.40.50
[local]Redback(config-dhcp-relay)#min-wait 45
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp relay server
forward-all
max-hops
server-group
standby
offer-lease-time
offer-lease-time seconds
no offer-lease-time seconds
Purpose
Specifies the offer lease time for this internal Dynamic Host Configuration Protocol (DHCP) server or one
of its subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
seconds Length of time for the offer lease (in seconds). The range of values is 60 (one minute) to 360
(one hour).
Default
The default value for the offer lease time is two minutes.
Usage Guidelines
Use the offer-lease-time command to specify the offer lease time for the DHCP server or one of its subnets.
When entered in DHCP server configuration mode, this command specifies the offer lease time for the server
and all its subnets; when entered in DHCP subnet configuration mode, it specifies the offer lease time for that
subnet. The value specified for a subnet overrides the global value for the server.
Use the no form of this command to specify the default value for the offer lease time.
Examples
The following example specifies an offer lease time of 5 minutes (300 seconds) for the DHCP server and all its
subnets:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#offer-lease-time 300
Related Commands
default-lease-time
max-lease-time
subnet
threshold
option
option {opt-num | opt-name} opt-arg1 [opt-arg2 [opt-arg3 [opt-arg4]]]
no option {opt-num | opt-name}
Purpose
Specifies an option for this internal Dynamic Host Configuration Protocol (DHCP) server or one of its
subnets.
Command Mode
DHCP server configuration
DHCP subnet configuration
Syntax Description
opt-num DHCP option number; the range of values is 1 to 125. Table 5-7 to Table 5-13
list the option numbers.
opt-name DHCP option name. Table 5-7 to Table 5-13 list the option names.
opt-arg1 First argument for the DHCP option. Table 5-7 to Table 5-13 list the arguments
for the DHCP options.
opt-arg2 ... opt-arg4 Optional. Additional values for a DHCP option with an IP address argument. If
opt-arg1 is an IP address, you can specify up to three additional IP addresses.
Default
No DHCP options are specified for the DHCP server or for any of its subnets.
Usage Guidelines
Use the option command to specify an option for this internal DHCP server or for one of its subnets. When
you enter this command in DHCP server configuration mode, it specifies the DHCP option for the server
and all its subnets; when you enter it in DHCP subnet configuration mode, it specifies the option for that
subnet. The value specified for a subnet overrides the global value for the server.
You can enter this command multiple times to specify as many different DHCP options as you require.
Succeeding entries for the same DHCP option overwrite any previously entered value.
You can specify up to four IP addresses for a DHCP option that requires an IP address. If the DHCP option
also requires a netmask argument in addition to the IP address, you can specify up to two IP addresses and
their netmask arguments.
RFC 2132, DHCP Options and BOOTP Vendor Extensions, Sections 3 through 9 describe the option
numbers, names, and arguments. Table 5-7 to Table 5-13 list this data for the options in each section;
options are listed by code within each table.
Use the no form of this command to remove the option from the internal DHCP server or subnet
configuration.
Note DHCP can send RADIUS-specified vendor-encapsulated options to the DHCP client.
RADIUS sends the vendor-encapsulated options using the Redback vendor-specific attribute
(VSA) 127 (DHCP-Vendor-Encap-Options). For more information about the format for VSA
127, see Table A-7 in Appendix A, RADIUS Attributes.
Table 5-7 RFC 1497 Vendor Extensions
Option Code | Name | Argument | Argument Description | Option Description
1 | subnet-mask | netmask | Netmask in the format E.F.G.H. | Configure the subnet mask supplied to the client.
2 | time-offset | seconds | Signed integer; the range of values is -2,147,483,648 to +2,147,483,648. | Configure the time offset value.
3 | router | ip-addr | IP address in the format A.B.C.D. | Configure the router that the client can use.
4 | time-server | ip-addr | IP address in the format A.B.C.D. | Configure the time server.
5 | ien116-name-server | ip-addr | IP address in the format A.B.C.D. | Configure the IEN116 name server.
6 | domain-name-server | ip-addr | IP address in the format A.B.C.D. | Configure the domain name server.
7 | log-server | ip-addr | IP address in the format A.B.C.D. | Configure the log server.
8 | cookie-server | ip-addr | IP address in the format A.B.C.D. | Configure the cookie server.
9 | lpr-server | ip-addr | IP address in the format A.B.C.D. | Configure the line printer (LPR) server.
10 | impress-server | ip-addr | IP address in the format A.B.C.D. | Configure the impress server.
11 | resource-location-server | ip-addr | IP address in the format A.B.C.D. | Configure the resource location server.
12 | host-name | name | Name of the host. | Configure the hostname, which can include its domain name.
13 | boot-size | size | File size in 512-octet blocks; the range of values is 0 to 65,535. | Configure the size of the boot file.
14 | merit-dump | path | Path, including the filename. | Configure the path to the merit dump file.
15 | domain-name | dom-name | Domain name; must be redback.com (without quotes). | Configure the domain name.
16 | swap-server | ip-addr | IP address in the format A.B.C.D. | Configure the swap server.
17 | root-path | path | Path to the root disk. | Configure the path to the root disk.
18 | extensions-path | path | Path to the extensions. | Configure the extensions path.
Table 5-8 IP Layer Parameters for a Host
Option Num | Name | Argument | Argument Description | Option Description
19 | ip-forwarding | boolean-flag | 0: Disables IP layer forwarding. 1: Enables IP layer forwarding. | Configure IP forwarding.
20 | non-local-source-routing | boolean-flag | 0: Disables forwarding of datagrams with nonlocal source routes. 1: Enables forwarding of datagrams with nonlocal source routes. | Configure non-local source routing.
21 | policy-filter | ip-addr netmask | IP address in the format A.B.C.D. Netmask in the format E.F.G.H. | Configure a policy filter.
22 | max-dgram-reassembly | max-size | Maximum size of any datagram that needs reassembly; the range of values is 0 to 65,535. | Configure the maximum size for datagram reassembly.
23 | default-ip-ttl | seconds | The range of values is 0 to 255. | Configure the default IP time-to-live value.
24 | path-mtu-aging-timeout | seconds | The range of values is 0 to 4,294,967,295. | Configure the timeout value to use when aging path maximum transmission units (MTUs).
25 | path-mtu-plateau-table | mtu | The range of values is 0 to 65,535. | Configure the table of MTU sizes for use when performing Path MTU discovery.
Table 5-9 IP Layer Parameters for an Interface
Option Num | Name | Argument | Argument Description | Description
26 | interface-mtu | mtu | The range of values is 0 to 65,535. | Configure the interface MTU.
27 | all-subnets-local | boolean-flag | 0: Some subnets can have smaller MTUs. 1: All subnets share the same MTU. | Configure whether all subnets are local.
28 | broadcast-address | ip-addr | IP address in the format A.B.C.D. | Configure the broadcast IP address.
29 | perform-mask-discovery | boolean-flag | 0: Client does not perform mask discovery. 1: Client performs mask discovery. | Configure mask discovery.
30 | mask-supplier | boolean-flag | 0: Client should not respond. 1: Client should respond. | Configure the mask supplier.
31 | router-discovery | boolean-flag | 0: Client should perform router discovery. 1: Client should not perform router discovery. | Configure router discovery.
32 | router-solicitation-address | ip-addr | IP address in the format A.B.C.D. | Configure the router solicitation IP address.
33 | static-route | ip-addr netmask | IP address in the format A.B.C.D. Netmask in the format E.F.G.H. | Configure the static route.
Table 5-10 Link Layer Parameters for an Interface
Option Num | Name | Argument | Argument Description | Description
34 | trailer-encapsulation | boolean-flag | 0: Client should not attempt to use trailers. 1: Client should attempt to use trailers. | Configure trailer encapsulation.
35 | arp-cache-timeout | seconds | The range of values is 0 to 4,294,967,295. | Configure the Address Resolution Protocol (ARP) cache timeout.
36 | ieee802-3-encapsulation | boolean-flag | 0: Client should use Ethernet version 2 encapsulation (RFC 894, note 1). 1: Client should use Ethernet IEEE 802.3 encapsulation (RFC 1042, note 2). | Specify Ethernet encapsulation.
1. RFC 894, Standard for the Transmission of IP Datagrams over Ethernet Networks
2. RFC 1042, Standard for the Transmission of IP Datagrams over IEEE 802 Ethernet Networks
Table 5-11 TCP Parameters
Option Num | Name | Argument | Argument Description | Description
37 | default-tcp-ttl | seconds | The range of values is 0 to 255. | Configure the default Transmission Control Protocol (TCP) time-to-live value.
38 | tcp-keepalive-interval | seconds | The range of values is 0 to 4,294,967,295. | Configure the TCP keepalive interval.
39 | tcp-keepalive-garbage | boolean-flag | 0: Client should not send garbage octet. 1: Client should send garbage octet. | Configure the use of a TCP keepalive garbage octet.
Table 5-12 Application and Service Parameters
Option Num | Name | Argument | Argument Description | Description
40 | nis-domain | dom-name | NIS domain. | Configure the Network Information Server (NIS) domain.
41 | nis-server | ip-addr | IP address in the format A.B.C.D. | Configure the NIS server.
42 | ntp-server | ip-addr | IP address in the format A.B.C.D. | Configure the Network Time Protocol (NTP) server.
43 | vendor-encapsulated-options | numeric num or string name | num: Option number. name: Option name. | Configure a vendor-encapsulated option.
44 | netbios-name-server | ip-addr | IP address in the format A.B.C.D. | Configure the NetBIOS name server.
45 | netbios-dd-server | ip-addr | IP address in the format A.B.C.D. | Configure the NetBIOS datagram distribution (DD) server.
46 | netbios-node-type | type | The range of values is 0 to 255. | Configure the NetBIOS node type.
47 | netbios-scope | scope | NetBIOS scope parameter. | Configure the NetBIOS scope parameter, as specified in RFCs 1001 (note 1) and 1002 (note 2).
48 | font-server | ip-addr | IP address in the format A.B.C.D. | Configure the font server.
49 | x-display-manager | ip-addr | IP address in the format A.B.C.D. | Configure the X window system display manager.
Table 5-12 Application and Service Parameters (continued)
Option Num | Name | Argument | Argument Description | Description
64 | nisplus-domain | dom-name | NIS+ domain. | Configure the NIS+ domain.
65 | nisplus-server | ip-addr | IP address in the format A.B.C.D. | Configure the NIS+ server.
68 | mobile-ip-home-agent | ip-addr | IP address in the format A.B.C.D. | Configure the mobile IP home agent.
69 | smtp-server | ip-addr | IP address in the format A.B.C.D. | Configure the Simple Mail Transport Protocol (SMTP) server.
70 | pop-server | ip-addr | IP address in the format A.B.C.D. | Configure the Post Office Protocol (POP3) server.
71 | nntp-server | ip-addr | IP address in the format A.B.C.D. | Configure the Network News Transport Protocol (NNTP) server.
72 | www-server | ip-addr | IP address in the format A.B.C.D. | Configure the WWW server.
73 | finger-server | ip-addr | IP address in the format A.B.C.D. | Configure the finger server.
74 | irc-server | ip-addr | IP address in the format A.B.C.D. | Configure the default Internet Relay Chat (IRC) server.
75 | streettalk-server | ip-addr | IP address in the format A.B.C.D. | Configure the StreetTalk server.
76 | streettalk-directory-assistance-server | ip-addr | IP address in the format A.B.C.D. | Configure the StreetTalk directory assistance (STDA) server.
1. RFC 1001, Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods
2. RFC 1002, Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Detailed Specifications
Table 5-13 DHCP Extension Parameters
Option Num | Name | Argument | Argument Description | Description
66 | tftp-server-name | name | TFTP server name. | Configure the Trivial File Transfer Protocol (TFTP) server.
67 | bootfile-name | name | Boot filename. | Configure the name of the boot loader image file.
Examples
The following example specifies the options for an internal DHCP server (and its subnets), which are
overridden by the options for the sub2 subnet:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
! Specify global options (these apply to all subnets)
[local]Redback(config-dhcp-server)#option domain-name redback.com
[local]Redback(config-dhcp-server)#option domain-name-server 10.1.1.254
! Create a subnet; specify options for this subnet, which override the global settings
[local]Redback(config-dhcp-server)#subnet 10.1.1.1/24 name sub2
[local]Redback(config-dhcp-subnet)#option router 10.1.1.1
[local]Redback(config-dhcp-subnet)#option domain-name hot.com
The following example adds a second IP address for the router option in the sub2 subnet configuration
and includes option 21 (policy-filter) with two IP addresses and their netmasks:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 10.1.1.1/24 name sub2
[local]Redback(config-dhcp-subnet)#option router 10.1.1.1 10.1.1.2
[local]Redback(config-dhcp-subnet)#option 21 10.1.1.23 255.255.255.255 10.1.1.33 255.255.255.255
Related Commands
subnet
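To make the override and argument-count rules of the option command concrete, here is an added Python example (not SmartEdge OS code) that encodes a subset of the options from Tables 5-7 to 5-13 as RFC 2132 code/length/value octets and merges server-level and subnet-level entries the way the two CLI examples above do. OPTION_CATALOGUE, DhcpServerPolicy and page_example are names chosen for this illustration; the catalogue kinds are the argument types those tables list.

```python
"""RFC 2132 option encoding with the server/subnet override rule described above.
Added illustration, not SmartEdge OS code; OPTION_CATALOGUE is a subset of
Tables 5-7 to 5-13 and the argument kinds are the ones those tables use."""
import ipaddress
import struct

# option name -> (code, argument kind), taken from the tables on this page
OPTION_CATALOGUE = {
    "subnet-mask": (1, "netmask"),
    "time-offset": (2, "int32"),
    "router": (3, "ip-list"),
    "domain-name-server": (6, "ip-list"),
    "domain-name": (15, "string"),
    "ip-forwarding": (19, "flag"),
    "policy-filter": (21, "ip-mask-pairs"),
    "static-route": (33, "ip-mask-pairs"),
    "tftp-server-name": (66, "string"),
}
CODE_TO_NAME = {code: name for name, (code, _) in OPTION_CATALOGUE.items()}
MAX_IP_ARGS = 4        # up to four IP addresses for an ip-addr option
MAX_IP_MASK_PAIRS = 2  # up to two address/netmask pairs (opt-arg1 to opt-arg4)


def resolve_option(opt):
    """Accept the option number or its name, as {opt-num | opt-name} does."""
    code = int(opt) if str(opt).isdigit() else OPTION_CATALOGUE.get(opt, (None,))[0]
    if code not in CODE_TO_NAME:
        raise ValueError(f"unknown option {opt!r}")
    return code


def encode_option(opt, *args):
    """Return the option as code, length, value octets (RFC 2132 TLV)."""
    code = resolve_option(opt)
    kind = OPTION_CATALOGUE[CODE_TO_NAME[code]][1]
    if kind in ("ip-list", "netmask"):
        limit = MAX_IP_ARGS if kind == "ip-list" else 1
        if not 1 <= len(args) <= limit:
            raise ValueError(f"option {code}: expected 1 to {limit} address arguments")
        value = b"".join(ipaddress.IPv4Address(a).packed for a in args)
    elif kind == "ip-mask-pairs":
        if len(args) % 2 or not 2 <= len(args) <= 2 * MAX_IP_MASK_PAIRS:
            raise ValueError(f"option {code}: expected 1 or 2 address/netmask pairs")
        value = b"".join(ipaddress.IPv4Address(a).packed for a in args)
    elif kind == "string":
        (text,) = args
        value = text.encode("ascii")
    elif kind == "flag":
        (flag,) = args
        if str(flag) not in ("0", "1"):
            raise ValueError(f"option {code}: boolean-flag must be 0 or 1")
        value = bytes([int(flag)])
    else:  # int32: time-offset is a signed 32-bit integer
        (seconds,) = args
        value = struct.pack("!i", int(seconds))
    if len(value) > 255:
        raise ValueError(f"option {code}: value longer than 255 octets")
    return bytes([code, len(value)]) + value


class DhcpServerPolicy:
    """Options entered in server mode apply to every subnet; a subnet's own entry
    for the same code overrides it, and re-entering an option replaces its value."""

    def __init__(self):
        self.server_options = {}  # code -> args
        self.subnet_options = {}  # subnet name -> {code -> args}

    def option(self, opt, *args, subnet=None):
        code = resolve_option(opt)
        encode_option(code, *args)  # reject bad argument counts at entry time
        target = self.subnet_options.setdefault(subnet, {}) if subnet else self.server_options
        target[code] = args

    def effective_options(self, subnet):
        merged = dict(self.server_options)
        merged.update(self.subnet_options.get(subnet, {}))
        return merged

    def options_field(self, subnet):
        """Effective options in code order, terminated by the End option (255)."""
        merged = self.effective_options(subnet)
        return b"".join(encode_option(c, *a) for c, a in sorted(merged.items())) + b"\xff"


def page_example():
    """The two CLI examples above, entered in order for subnet sub2."""
    policy = DhcpServerPolicy()
    policy.option("domain-name", "redback.com")
    policy.option("domain-name-server", "10.1.1.254")
    policy.option("router", "10.1.1.1", subnet="sub2")
    policy.option("domain-name", "hot.com", subnet="sub2")
    policy.option("router", "10.1.1.1", "10.1.1.2", subnet="sub2")
    policy.option(21, "10.1.1.23", "255.255.255.255", "10.1.1.33", "255.255.255.255", subnet="sub2")
    return policy
```

For sub2 the effective set is domain-name hot.com (subnet override), domain-name-server 10.1.1.254 (inherited), the two router addresses (the second entry replaced the first) and the two policy-filter pairs.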
option-82
To specify the circuit agent ID, the syntax is:
option-82 circuit-id string [offset position] {ip-address ip-addr | max-addresses num-addr}
no option-82 circuit-id string [offset position] {ip-address ip-addr | max-addresses num-addr}
To specify the remote agent ID, the syntax is:
option-82 remote-id string [offset position] ip-address ip-addr
no option-82 remote-id string
Purpose
Creates a static mapping between the Agent-Circuit-Id subfield or the Agent-Remote-Id subfield in the
option 82 field and an IP address.
Command Mode
DHCP subnet configuration
Syntax Description
circuit-id string Circuit agent ID. A text string, with up to 255 printable characters; enclose
the string in quotation marks (" ") if the string includes spaces.
remote-id string Remote agent ID. A text string, with up to 255 printable characters; enclose
the string in quotation marks (" ") if the string includes spaces.
offset position Optional. Position of the starting octet in the option 82 subfield which is to
be matched with the specified string argument, according to one of the
following formats:
+n or n: Starting octet is the nth octet in the received Id. The matching
operation is performed on the nth and succeeding octets for the length of
the string specified by the value of the string argument.
-n: Starting octet is the last octet in the received Id minus the previous
(n-1) octets. The matching operation is performed on the succeeding
octets for the length of the string specified by the value of the string
argument.
The default value is 1 (the first octet). You can also specify the first octet
with a value of 0.
ip-address ip-addr IP address to which the option 82 subfield is to be mapped.
max-addresses num-addr Maximum number of IP addresses permitted for the specified circuit agent
ID.
Default
No static mapping is created between an option 82 subfield and any IP address.
Usage Guidelines
Use the option-82 command to create a static mapping between the Agent-Circuit-Id subfield or the
Agent-Remote-Id subfield in the option 82 field and an IP address. The option 82 field is sent in the DHCP
discover packet.
The value for the ip-addr argument must be an IP address within this subnet, but not within any range of
IP addresses that you have specified using the range command (in DHCP subnet configuration mode).
You can specify the remote agent ID and the circuit agent ID in Redback vendor-specific attributes (VSAs)
96 and 97, respectively, using the radius attribute calling-station-id and radius attribute nas-port-id
commands (in context configuration mode). Redback VSAs are described in Appendix A, RADIUS
Attributes.
Use the no form of this command to delete the static mapping.
Examples
The following example creates a static mapping between the option 82 Agent-Circuit-Id subfield
"4:1 vlan 102" (matched from the third octet) and the 12.1.1.11 IP address:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 12.1.1.0/24 name sub2
[local]Redback(config-dhcp-subnet)#range 12.1.1.50 12.1.1.100
[local]Redback(config-dhcp-subnet)#mac-address 02:12:34:56:78:90 ip-address 12.1.1.10
[local]Redback(config-dhcp-subnet)#option-82 circuit-id "4:1 vlan 102" offset 3 ip-address 12.1.1.11
Related Commands
mac-address
radius attribute acct-tunnel-connection l2tp-call-serial-num
radius attribute nas-port-id
range
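As an added example, not code from this guide or from SmartEdge OS, the following Python implements the offset semantics of the option-82 command and the rule, shared with the mac-address command above, that a statically mapped ip-addr must lie inside the subnet but outside every configured range. The DhcpSubnet class, its methods and the received Agent-Circuit-Id values are constructed for this illustration.

```python
"""Static address mappings for a DHCP subnet: option 82 offset matching and the
'inside the subnet, outside every range' rule that both the mac-address and
option-82 commands impose on ip-addr.

Added illustration, not SmartEdge OS code. Class and method names are chosen
here; received Agent-Circuit-Id values are constructed sample data.
"""
import ipaddress


def offset_to_index(offset, received_len):
    """Map the CLI offset to a 0-based start index in the received Id.
    +n or n selects the nth octet (1-based); 0 is accepted as the first octet.
    -n selects the last octet minus the previous (n-1) octets, i.e. n from the end."""
    if offset >= 0:
        return max(offset, 1) - 1
    start = received_len + offset
    if start < 0:
        raise ValueError(f"offset {offset} lies before the start of a {received_len}-octet Id")
    return start


def subfield_matches(received, configured, offset=1):
    """Compare the configured string with the received octets from the offset,
    for the length of the configured string only (a short Id never matches)."""
    start = offset_to_index(offset, len(received))
    return received[start:start + len(configured)] == configured


class DhcpSubnet:
    """A DHCP subnet holding its range, mac-address and option-82 entries."""

    def __init__(self, prefix, name):
        self.network = ipaddress.IPv4Network(prefix, strict=False)
        self.name = name
        self.ranges = []        # (start, end) IPv4Address pairs
        self.mac_map = {}       # mac string -> IPv4Address
        self.option82_map = []  # (subfield, bytes, offset, IPv4Address)

    def range(self, start, end):
        start, end = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if not (start in self.network and end in self.network and start <= end):
            raise ValueError("range must lie within the subnet")
        self.ranges.append((start, end))

    def _static_address(self, ip):
        """ip-addr must be in this subnet but not inside any configured range."""
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.network:
            raise ValueError(f"{ip} is not in subnet {self.network}")
        for start, end in self.ranges:
            if start <= ip <= end:
                raise ValueError(f"{ip} falls inside range {start}-{end}")
        return ip

    def mac_address(self, mac, ip):
        self.mac_map[mac.lower()] = self._static_address(ip)

    def option_82(self, subfield, string, ip, offset=1):
        if subfield not in ("circuit-id", "remote-id"):
            raise ValueError("subfield must be circuit-id or remote-id")
        entry = (subfield, string.encode("ascii"), offset, self._static_address(ip))
        self.option82_map.append(entry)

    def lookup(self, mac=None, circuit_id=None, remote_id=None):
        """Address a DISCOVER gets from the static mappings (MAC first), or None."""
        if mac is not None and mac.lower() in self.mac_map:
            return self.mac_map[mac.lower()]
        received = {"circuit-id": circuit_id, "remote-id": remote_id}
        for subfield, configured, offset, ip in self.option82_map:
            value = received[subfield]
            if value is not None and subfield_matches(value, configured, offset):
                return ip
        return None


def page_example():
    """The sub2 configuration from the mac-address and option-82 examples above."""
    sub2 = DhcpSubnet("12.1.1.0/24", "sub2")
    sub2.range("12.1.1.50", "12.1.1.100")
    sub2.mac_address("02:12:34:56:78:90", "12.1.1.10")
    sub2.option_82("circuit-id", "4:1 vlan 102", "12.1.1.11", offset=3)
    return sub2
```

With offset 3 the configured string is compared against the received Id from its third octet, so a relay-inserted two-octet prefix before "4:1 vlan 102" matches while the bare string does not.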
range
range start-ip-addr end-ip-addr [threshold [falling min-threshold] [rising max-threshold] [trap] [log]]
no range start-ip-addr end-ip-addr
Purpose
Assigns a range of IP addresses to this Dynamic Host Configuration Protocol (DHCP) subnet.
Command Mode
DHCP subnet configuration
Syntax Description
start-ip-addr Starting IP address of the range.
end-ip-addr Ending IP address of the range.
threshold Optional. Enables threshold monitoring and reporting at the range level.
falling min-threshold Optional. Threshold for the minimum falling number of available leases at
which point a trap or a log message is sent if configured.
rising max-threshold Optional. Threshold for the maximum rising number of available leases.
trap Optional. Sends a Simple Network Management Protocol (SNMP) trap on
reaching the threshold value.
log Optional. Sends a log message on reaching the threshold value.
Default
No range of IP addresses is assigned to any subnet.
Usage Guidelines
Use the range command to assign a range of IP addresses to this DHCP subnet.
The values of the start-ip-addr and end-ip-addr arguments must be within the subnet of IP addresses that
you have assigned to this subnet using the subnet command (in DHCP server configuration mode).
Use the optional threshold keyword to enable the monitoring and reporting of available leases at the range
level and specify rising and falling values that can trigger an SNMP trap and log message.
You can enter either or both of the falling min-threshold and rising max-threshold constructs in any order.
You can enter either or both of the trap and log keywords in any order for either construct.
Use the no form of this command to delete the range from the subnet configuration.
Examples
The following example assigns a range of IP addresses to the sub2 subnet; it also enables the monitoring
and reporting of available leases for this subnet and triggers an SNMP trap when the number of available
leases is decreasing and reaches 100:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 13.1.1.1/24 name sub2
[local]Redback(config-dhcp-subnet)#range 13.1.1.50 13.1.1.100 threshold falling 100 trap
Related Commands
subnet
threshold
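Added example, not SmartEdge OS code: a Python model of the range threshold reporting described above, showing when a falling or rising threshold produces a trap or log event. The LeaseRange class and its event tuples are constructed for this illustration. Note that the falling value of 100 in the example above exceeds the 51 addresses in 13.1.1.50 to 13.1.1.100, so that range can never reach it; the test pairs the page's range with a threshold inside the pool size as well.

```python
"""Available-lease threshold reporting for one address range, following the
range ... threshold [falling N] [rising M] [trap] [log] semantics above.

Added illustration, not SmartEdge OS code. Event tuples and the exhaustion
error are constructed for the example. A trap or log entry is produced once,
when the available-lease count crosses the threshold in the named direction,
not on every allocation while the count stays beyond it.
"""
import ipaddress


class LeaseRange:
    def __init__(self, start, end, falling=None, rising=None, trap=False, log=False):
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        if self.end < self.start:
            raise ValueError("end-ip-addr must not precede start-ip-addr")
        self.size = int(self.end) - int(self.start) + 1
        self.leased = set()
        self.falling, self.rising = falling, rising
        self.trap, self.log = trap, log
        self.events = []  # ("trap"|"log", "falling"|"rising", threshold, available)

    @property
    def available(self):
        return self.size - len(self.leased)

    def _report(self, direction, threshold):
        for channel, enabled in (("trap", self.trap), ("log", self.log)):
            if enabled:
                self.events.append((channel, direction, threshold, self.available))

    def allocate(self):
        """Lease the lowest free address; report when the count falls to the threshold."""
        before = self.available
        for i in range(self.size):
            ip = self.start + i
            if ip not in self.leased:
                self.leased.add(ip)
                break
        else:
            raise RuntimeError(f"range {self.start}-{self.end} exhausted")
        if self.falling is not None and before > self.falling >= self.available:
            self._report("falling", self.falling)
        return ip

    def release(self, ip):
        """Return a lease; report when the count rises back to the threshold."""
        before = self.available
        self.leased.remove(ipaddress.IPv4Address(ip))
        if self.rising is not None and before < self.rising <= self.available:
            self._report("rising", self.rising)


def page_example():
    """range 13.1.1.50 13.1.1.100 threshold falling 100 trap, from the example above."""
    return LeaseRange("13.1.1.50", "13.1.1.100", falling=100, trap=True)
```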
rate-adjust dhcp pwfq
rate-adjust dhcp pwfq kbps priority-group group-num
no rate-adjust dhcp pwfq kbps priority-group group-num
Purpose
Adjusts the enforcement of a priority weighted fair queuing (PWFQ) policy on a circuit based on whether
the subscriber is granted a Dynamic Host Configuration Protocol (DHCP) lease.
Command Mode
subscriber configuration
Syntax Description
kbps Rate in kilobits per second. The range of values is 1 to 1000000.
group-num Priority group number. The range of values is 0 to 7.
Default
No DHCP-based rate adjustments are applied to the subscriber.
Usage Guidelines
Use the rate-adjust dhcp pwfq command to adjust how a PWFQ policy is enforced on a circuit based on
whether the subscriber is granted a DHCP lease. When a lease request is granted to a device on a circuit
that has this attribute applied, the enforced bandwidth for the specified priority group rate is decremented
by the specified amount in kilobits per second (kbps). If there is no priority group rate configured for the
policy, or the rate is less than the minimal enforceable value (64 kbps), the rate adjustment is not applied
to the subscriber.
Once applied, the rate adjustment persists until the DHCP lease is released or expires. At this time, the rate
enforced is restored to its full configured value.
This command might be useful for an IPTV deployment in which Remote Multicast Replication (RMR) is
being used. When a set-top box (STB) configured as a static subscriber on an 802.1q VLAN comes online
and requests an IP address, the PWFQ policy enforced on the VLAN can be adjusted to account for the
multicast bandwidth required for IPTV traffic.
Use the no form to remove currently configured DHCP rate adjustment commands and return the
subscriber record to the default state (no rate adjustments will be made in response to DHCP lease events).
Note To use this command, you must have a quality of service (QoS) PWFQ policy bound to the
subscriber session circuit. The policy must include an absolute rate value configured for the
specified priority group. You cannot use a percentage to specify the rate. For information about
the qos policy pwfq and queue priority-group commands, see the QoS Scheduling
Configuration chapter in the IP Services and Security Configuration Guide.
Examples
The following example shows how to adjust a PWFQ policy for subscriber stb1:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name stb1
[local]Redback(config-sub)#password pass
[local]Redback(config-sub)#dhcp max-addr 1
[local]Redback(config-sub)#rate-adjust dhcp pwfq 3000 priority-group 3
Related Commands
qos policy pwfq
queue priority-group
rate-limit dhcp
rate-limit dhcp rate-limit burst burst-limit
{no | default} rate-limit {padi | dhcp}
Purpose
Enables rate limiting and specifies the rate and burst limits for Dynamic Host Configuration Protocol
(DHCP) packets that arrive at the SmartEdge router.
Command Mode
card configuration
Syntax Description
rate-limit Maximum rate in packets per second (pps) at which DHCP packets can be received. The range of values is 0 to 4294967295 pps; the default value is 4294967295 pps.
burst burst-limit Maximum number of packets that can be received during a short burst. The range of values is 0 to 4294967295 packets; the default value is 4294967295 packets.
Note You cannot configure the rate limit and burst limit values independently; the command always takes both.
Default
Rate limiting for DHCP packets is enabled using the default rate and burst values.
Usage Guidelines
Use the rate-limit dhcp command to enable rate limiting and specify the rate and burst limits for DHCP packets that arrive at the SmartEdge router. The default values are large enough that they impose no practical limit; by specifying lower rate and burst values, you bound the rate at which DHCP packets are processed on the card and therefore the rate at which DHCP-based subscriber sessions can be brought up.
Use the show rate-limit card command (in any mode) to display the current configuration of rate limiting. This command is described in the Ports, Circuits, and Tunnels Operations Guide for the SmartEdge OS.
Table 5-14 shows the traffic cards supported for the rate-limit dhcp command.
Use the no form of this command to disable rate limiting.
Use the default form of this command to set the rate and burst limits to the default values.
Table 5-14 Traffic Cards Supported for the rate-limit dhcp Command
Type       Traffic Cards Supported
ATM        ATM OC-12c/STM-4c IR (1-port)
           Enhanced ATM OC-12c/STM-4c IR (1-port)
           ATM OC-3c/STM-1c IR (2-port and 4-port)
           ATM DS-3 (12-port) (1)
Ethernet   Gigabit Ethernet (4-port)
           Advanced Gigabit Ethernet (4-port)
           Gigabit Ethernet 3 (4-port)
           Gigabit Ethernet 1020 (10-port and 20-port)
           10 Gigabit Ethernet (1-port, 10-Gbps)
1. The ATM DS-3 traffic card is not supported on the SmartEdge 800s chassis.
Examples
The following example configures the rate limit for DHCP packets to 500 pps and the burst limit to 999 packets:
[local]Redback(config-card)#rate-limit dhcp 500 burst 999
Related Commands
None
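The following added example (not SmartEdge OS code, and not a description of how the traffic card implements the limit) models the two values the rate-limit dhcp command takes as a token bucket: tokens accrue at the configured rate up to the burst size, and each arriving DHCP packet spends one token or is dropped. The flood timing is constructed. Running it against the page's example values (rate 500, burst 999) and against the defaults shows why the defaults are effectively no limit and how the burst value lets the first part of a flood through.

```python
"""Token-bucket model of a packets-per-second limit with a burst allowance.

Added example, not SmartEdge OS code. Whether the card implements exactly
this algorithm is an assumption; the model only shows what the rate and
burst values of rate-limit dhcp mean under a flood of DHCP packets.
"""
from dataclasses import dataclass, field
from typing import Tuple

MILLI = 1000  # tokens are kept in thousandths so the arithmetic stays exact integers


@dataclass
class TokenBucket:
    rate_pps: int                     # rate-limit argument: tokens added per second
    burst: int                        # burst burst-limit argument: capacity in packets
    tokens_milli: int = field(init=False)
    last_ms: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.tokens_milli = self.burst * MILLI      # the bucket starts full

    def allow(self, now_ms: int) -> bool:
        """Credit the elapsed time, then admit the packet if a whole token is available."""
        elapsed_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        # rate_pps tokens per second is exactly rate_pps milli-tokens per millisecond
        self.tokens_milli = min(self.burst * MILLI,
                                self.tokens_milli + elapsed_ms * self.rate_pps)
        if self.tokens_milli >= MILLI:
            self.tokens_milli -= MILLI
            return True
        return False


def run_flood(rate_pps: int, burst: int, n_packets: int, spacing_ms: int) -> Tuple[int, int]:
    """Offer n_packets DHCP packets spaced spacing_ms apart; return (accepted, dropped).

    The packet timing is constructed for the example.
    """
    bucket = TokenBucket(rate_pps, burst)
    accepted = dropped = 0
    for i in range(n_packets):
        if bucket.allow(i * spacing_ms):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    # 5000 DISCOVERs at 1000 pps against the page's example: rate-limit dhcp 500 burst 999
    print("rate 500 burst 999:", run_flood(500, 999, 5000, 1))
    # The defaults (4294967295 for both) let the same flood through untouched
    print("defaults          :", run_flood(4294967295, 4294967295, 5000, 1))
```

With rate 500 and burst 999, the first 1997 packets of a 1000 pps flood are admitted on the stored burst and only every second packet after that, so the burst value decides how much of a short flood reaches the DHCP code before the rate takes over. After changing the values on a card, confirm them with show rate-limit card.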
server-group
server-group group-name
no server-group
Purpose
Assigns a Dynamic Host Configuration Protocol (DHCP) server to a DHCP server group.
Command Mode
DHCP relay server configuration
Syntax Description
group-name DHCP server group name.
Default
DHCP servers are assigned to the default DHCP server group.
Usage Guidelines
Use the server-group command to assign a DHCP server to a DHCP server group.
Use the no form of this command to return the DHCP server to the default server group.
Examples
The following example assigns the DHCP server dserver7 to the int-grp DHCP server group:
[local]Redback(config-ctx)#dhcp relay server dserver7
[local]Redback(config-dhcp-relay)#server-group int-grp
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp relay server
forward-all
standby
standby
standby {ip-addr | hostname}
no standby {ip-addr | hostname}
Purpose
Configures the IP address or hostname of a standby Dynamic Host Configuration Protocol (DHCP) server.
Command Mode
DHCP relay server configuration
Syntax Description
ip-addr IP address of the standby DHCP server.
hostname Hostname of the standby DHCP server.
Default
No standby DHCP server is assigned.
Usage Guidelines
Use the standby command to configure the IP address or hostname of a standby DHCP server.
Note When a DHCP server is unreachable, you either forward packets to its standby DHCP server, or forward packets to all other DHCP servers in its DHCP server group, but not both; the standby and forward-all commands are mutually exclusive.
Use the no form of this command to remove the assignment of the standby DHCP server.
Examples
The following example configures 10.30.40.55 as the IP address of the standby DHCP server, where 192.168.1.10 is the IP address of the associated primary DHCP server:
[local]Redback(config-ctx)#dhcp relay server 192.168.1.10
[local]Redback(config-dhcp-relay)#standby 10.30.40.55
[local]Redback(config-dhcp-relay)#
Related Commands
dhcp relay server
forward-all
server-group
subnet
subnet ip-addr/subnet-mask [name subnet-name]
no subnet ip-addr/subnet-mask [name subnet-name]
Purpose
Creates a subnet for this internal Dynamic Host Configuration Protocol (DHCP) server and accesses DHCP
subnet configuration mode.
Command Mode
DHCP server configuration
Syntax Description
ip-addr/subnet-mask IP address and subnet mask for this subnet.
name subnet-name Optional. Name of the subnet; it must be unique.
Default
No subnets are created for any DHCP server.
Usage Guidelines
Use the subnet command to create a subnet for this internal DHCP server and access DHCP subnet configuration mode.
The value of the ip-addr and subnet-mask arguments must match one of the ip-addr and subnet-mask values that you specified, using the ip address command (in interface configuration mode), for the interface that you enabled for this DHCP server, using the dhcp server command (in interface configuration mode). For more information about the ip address command, see the Interface Configuration chapter in the Basic System Configuration Guide for the SmartEdge OS.
Use the name subnet-name construct to assign a unique name to this subnet.
Use the no form of this command to delete the subnet from the DHCP server configuration.
Examples
The following example creates the sub2 subnet:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#interface dhcp-if multibind
[local]Redback(config-if)#ip address 12.1.1.0/24
[local]Redback(config-if)#ip address 13.1.1.1/24 secondary
[local]Redback(config-if)#dhcp server 13.1.1.1
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#subnet 12.1.1.0/24 name sub2
[local]Redback(config-dhcp-subnet)#
Related Commands
default-lease-time
mac-address
max-lease-time
offer-lease-time
option
option-82
range
vendor-class
threshold
threshold [falling min-threshold [trap] [log]] [rising max-threshold [trap] [log]]
no threshold
Purpose
Enables the monitoring and reporting of available Dynamic Host Configuration Protocol (DHCP) leases at
the context level for minimum and maximum threshold values.
Command Mode
DHCP server configuration
Syntax Description
falling min-threshold Optional. Threshold for the minimum number of available leases; when the number of available leases falls to this value, a trap or a log message is sent if configured.
rising max-threshold Optional. Threshold for the maximum number of available leases; when the number of available leases rises to this value, a trap or a log message is sent if configured.
trap Optional. Sends a Simple Network Management Protocol (SNMP) trap on reaching the threshold value.
log Optional. Sends a log message on reaching the threshold value.
Default
Monitoring and reporting of available DHCP leases at the context level is disabled.
Usage Guidelines
Use the threshold command to enable the monitoring and reporting of available DHCP leases at the context level for minimum and maximum threshold values.
You can enter either or both of the falling min-threshold and rising max-threshold constructs, in any order. You can enter either or both of the trap and log keywords, in any order, for either construct.
Use the no form of this command to disable monitoring and reporting of available DHCP leases at the context level.
Examples
The following example enables the monitoring and reporting of available leases at the context level and triggers an SNMP trap when the number of available leases is decreasing and reaches 400:
[local]Redback(config)#context dhcp
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#threshold falling 400 trap
Related Commands
range
user-class-id
user-class-id user-class-id [offset position] giaddr ip-addr
no user-class-id user-class-id
Purpose
Specifies an IP address for the giaddr field in the header of Dynamic Host Configuration Protocol (DHCP)
packets for the specified user class ID (option 77) field.
Command Mode
DHCP giaddr configuration
Syntax Description
user-class-id Identifier to be matched against the contents of the DHCP option 77 field in DHCP discover packets, in one of the formats given in the Usage Guidelines section, for which this IP address is intended.
offset position Optional. Position of the starting octet in the option 77 field which is to be matched with the specified user-class-id argument, in one of the following formats:
+n or n: the starting octet is the nth octet in the received ID. The matching operation is performed on the nth and succeeding octets for the length of the string specified by the value of the user-class-id argument.
-n: the starting octet is the last octet in the received ID minus the previous (n-1) octets, that is, the nth octet counted from the end. The matching operation is performed on that octet and the succeeding octets for the length of the string specified by the value of the user-class-id argument.
The default value is 1 (the first octet). You can also specify the first octet with a value of 0.
giaddr ip-addr IP address to be inserted in the giaddr field in the header of DHCP packets for the specified user class ID.
Default
The giaddr field is set to the primary IP address of the interface.
Usage Guidelines
Use the user-class-id command to specify the IP address for the giaddr field in the header of DHCP packets for the specified user class ID (option 77) field. Option 77 is described in RFC 3004, The User Class Option for DHCP.
When the SmartEdge router receives a DHCP discover packet, the SmartEdge OS performs a matching operation, comparing the contents of the option 77 field, starting at the octet within the field specified by the value of the position argument, with the string specified by the value of the user-class-id argument.
If more than one user class ID field is present in the option 77 field in the DHCP discover packet, the system
uses only the first user class ID field to make the comparison for setting the giaddr field. The remaining
user class ID fields are ignored.
If there is a match, the system inserts the specified IP address in the giaddr field in the header of DHCP
packets to this client. If there is no match, the system inserts the primary IP address that you have
configured for this interface.
Possible formats for the user-class-id argument are:
Alphanumeric string, enclosed in quotation marks (" "); for example, "ABCD1234"
Alphanumeric string, not enclosed in quotation marks; for example, redback1
Hex numeric string, not enclosed in quotation marks and prefaced with 0x or 0X; for example, 0Xabcd1234
Use the giaddr ip-addr construct to specify an IP address for the specified user-class-id argument. This IP
address must be one of the secondary IP addresses that you have configured for the interface. You can
specify the same IP address or different IP addresses for multiple values of the user-class-id argument.
Use the no form of this command to delete the giaddr IP address for the specified user-class-id argument.
Examples
The following example specifies secondary IP addresses for the interface on which the DHCP proxy server is configured, and then specifies one of them as the IP address for the giaddr field for the network user class ID:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface voip multibind
[local]Redback(config-if)#ip address 200.1.1.1/24
[local]Redback(config-if)#ip address 200.1.2.1/24 secondary
[local]Redback(config-if)#ip address 200.1.10.1/24 secondary
[local]Redback(config-if)#dhcp proxy 16000
[local]Redback(config-dhcp-giaddr)#user-class-id network giaddr 200.1.2.1
Note If you delete this DHCP proxy or relay from the configuration, using the no form of the dhcp proxy or dhcp relay command (in interface configuration mode), you also delete all user-class-id commands for that DHCP proxy or relay.
Related Commands
dhcp proxy
dhcp relay
vendor-class
vendor-class vendor-class-id [offset position] subnet-name subnet-name
no vendor-class vendor-class-id
Purpose
Creates a static mapping between a subnet and the specified vendor class ID.
Command Mode
DHCP server configuration
Syntax Description
vendor-class-id Vendor class ID for which a static mapping is to be created.
offset position Optional. Position of the starting octet in the option 60 field which is to be matched with the specified vendor-class-id argument, in one of the following formats:
+n or n: the starting octet is the nth octet in the received ID. The matching operation is performed on the nth and succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
-n: the starting octet is the last octet in the received ID minus the previous (n-1) octets, that is, the nth octet counted from the end. The matching operation is performed on that octet and the succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
The default value is 1 (the first octet). You can also specify the first octet with a value of 0.
subnet-name subnet-name Subnet name for the specified vendor class ID.
Default
No static mapping is created between a subnet and any vendor class ID.
Usage Guidelines
Use the vendor-class command to create a static mapping between a subnet and the specified vendor class ID, so that the internal DHCP server serves clients whose option 60 contents match that vendor class ID from that subnet.
Use the no form of this command to delete the static mapping between the vendor class ID and the subnet.
Examples
The following example specifies the for-subs subnet as the subnet for the 123456 vendor class ID:
[local]Redback(config)#context local
[local]Redback(config-ctx)#dhcp server policy
[local]Redback(config-dhcp-server)#vendor-class 123456 offset 1 subnet-name for-subs
Related Commands
subnet
vendor-class-id
vendor-class-id
vendor-class-id vendor-class-id [offset position] giaddr ip-addr
no vendor-class-id vendor-class-id
Purpose
Specifies an IP address for the giaddr field in the header in Dynamic Host Configuration Protocol (DHCP)
packets for the specified vendor class ID (option 60) field.
Command Mode
DHCP giaddr configuration
Syntax Description
vendor-class-id Identifier to be matched against the contents of the DHCP option 60 field in DHCP discover packets, in one of the formats given in the Usage Guidelines section, for which this IP address is intended.
offset position Optional. Position of the starting octet in the option 60 field which is to be matched with the specified vendor-class-id argument, in one of the following formats:
+n or n: the starting octet is the nth octet in the received ID. The matching operation is performed on the nth and succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
-n: the starting octet is the last octet in the received ID minus the previous (n-1) octets, that is, the nth octet counted from the end. The matching operation is performed on that octet and the succeeding octets for the length of the string specified by the value of the vendor-class-id argument.
The default value is 1 (the first octet). You can also specify the first octet with a value of 0.
giaddr ip-addr IP address to be inserted in the giaddr field in the header of DHCP packets for the specified vendor class ID.
Default
The giaddr field is set to the primary IP address of the interface.
Usage Guidelines
Use the vendor-class-id command to specify the IP address for the giaddr field in DHCP packets for the specified vendor class ID (option 60) field. Option 60 is described in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
When the SmartEdge router receives a DHCP discover packet, the SmartEdge OS performs a matching
operation, comparing the contents of the option 60 field, starting at the octet within the field, as specified
by the value of the position argument, with the string specified by the value of the vendor-class-id
argument.
If there is a match, the system inserts the specified IP address in the giaddr field in the header of DHCP
packets to this client. If there is no match, the system inserts the primary IP address that you have
configured for this interface.
Possible formats for the vendor-class-id argument are:
Alphanumeric string, enclosed in quotation marks (" "); for example, "ABCD1234"
Alphanumeric string, not enclosed in quotation marks; for example, redback1
Hex numeric string, not enclosed in quotation marks and prefaced with 0x or 0X; for example, 0Xabcd1234
Use the giaddr ip-addr construct to specify an IP address for the specified vendor-class-id argument. This
IP address must be one of the secondary IP addresses that you have configured for the interface. You can
specify the same IP address or different IP addresses for multiple values of the vendor-class-id argument.
Use the no form of this command to delete the giaddr IP address for the specified vendor-class-id argument.
Examples
The following example specifies secondary IP addresses for the interface on which the DHCP proxy server is configured, and then specifies one of them as the IP address for the giaddr field for the redback vendor class ID:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface voip multibind
[local]Redback(config-if)#ip address 200.1.1.1/24
[local]Redback(config-if)#ip address 200.1.2.1/24 secondary
[local]Redback(config-if)#ip address 200.1.10.1/24 secondary
[local]Redback(config-if)#dhcp proxy 16000
[local]Redback(config-dhcp-giaddr)#vendor-class-id redback offset -17 giaddr 200.1.2.1
Note If you delete this DHCP proxy or relay from the configuration, using the no form of the dhcp proxy or dhcp relay command (in interface configuration mode), you also delete all vendor-class-id commands for that DHCP proxy or relay.
Related Commands
dhcp proxy
dhcp relay
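The matching rule shared by the user-class-id (option 77) and vendor-class-id (option 60) commands above, as an added example that is not SmartEdge OS code: it decodes the three identifier formats, applies the +n/n/0/-n offset rule to the option contents, compares exactly as many octets as the identifier is long, splits option 77 into RFC 3004 length-prefixed user classes and compares only the first, and falls back to the interface's primary address when nothing matches. The packet bytes and rule set are constructed (addresses reuse those of the page's example interface); that several giaddr rules are tried in order with the first match winning is an assumption, since the page does not state a precedence.

```python
"""Offset-based option 60 / option 77 matching that selects the giaddr.

Added example, not SmartEdge OS code. Rule evaluation order (first match
wins) is an assumption; the sample packet and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_VENDOR_CLASS = 60   # vendor-class-id
OPT_USER_CLASS = 77     # user-class-id


def parse_identifier(text: str) -> bytes:
    """Decode the three CLI identifier formats: "quoted", bare, or 0x/0X hex."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1].encode("ascii")
    if text[:2] in ("0x", "0X"):
        return bytes.fromhex(text[2:])
    return text.encode("ascii")


def start_index(position: int, value_len: int) -> int:
    """Turn the CLI offset into a 0-based index."""
    if position >= 0:
        return max(position - 1, 0)     # 0 and 1 both mean the first octet
    return value_len - (-position)      # -n: last octet minus (n-1) earlier octets


def match_at(value: bytes, ident: bytes, position: int) -> bool:
    """Compare len(ident) octets of value from the offset; out of range never matches."""
    start = start_index(position, len(value))
    if start < 0 or start + len(ident) > len(value):
        return False
    return value[start:start + len(ident)] == ident


def parse_user_classes(opt77: bytes) -> List[bytes]:
    """Split option 77 into RFC 3004 user classes (1-octet length + data each)."""
    classes: List[bytes] = []
    i = 0
    while i < len(opt77):
        n = opt77[i]
        data = opt77[i + 1:i + 1 + n]
        if len(data) != n:
            return []       # length runs past the option: malformed, no usable class
        classes.append(data)
        i += 1 + n
    return classes


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field (cookie, then code/len/data TLVs) into code -> data."""
    if payload[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(payload):
        code = payload[i]
        if code == 255:             # end
            break
        if code == 0:               # pad
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else None
        data = payload[i + 2:i + 2 + (length or 0)]
        if length is None or len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + data   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts


@dataclass(frozen=True)
class GiaddrRule:
    option: int     # OPT_VENDOR_CLASS or OPT_USER_CLASS
    ident: str      # identifier in one of the three CLI formats
    offset: int     # offset position argument
    giaddr: str     # secondary interface address to insert on a match


def select_giaddr(options: Dict[int, bytes], primary: str, rules: Sequence[GiaddrRule]) -> str:
    """Return the giaddr the proxy/relay inserts for a DISCOVER carrying these options."""
    for rule in rules:
        value = options.get(rule.option)
        if value is None:
            continue
        if rule.option == OPT_USER_CLASS:
            classes = parse_user_classes(value)
            if not classes:
                continue
            value = classes[0]      # only the first user class is compared
        if match_at(value, parse_identifier(rule.ident), rule.offset):
            return rule.giaddr
    return primary                  # no match: primary address of the interface


# Constructed DISCOVER options field: message type DISCOVER, option 60 "redback-stb",
# option 77 carrying the two RFC 3004 user classes "network" and "voip", then END.
SAMPLE_DISCOVER = (MAGIC_COOKIE + b"\x35\x01\x01" + b"\x3c\x0bredback-stb"
                   + b"\x4d\x0d\x07network\x04voip" + b"\xff")
PRIMARY = "200.1.1.1"   # interface addresses taken from the page's example
RULES = [
    GiaddrRule(OPT_VENDOR_CLASS, "stb", -3, "200.1.2.1"),     # last three octets of option 60
    GiaddrRule(OPT_USER_CLASS, "network", 1, "200.1.10.1"),   # first user class, from octet 1
]

if __name__ == "__main__":
    print("giaddr:", select_giaddr(parse_options(SAMPLE_DISCOVER), PRIMARY, RULES))
```

Two things worth checking on a live deployment follow from the rule as written: an identifier that does not fit between the offset and the end of the option never matches (so a -n offset smaller than the identifier length silently selects the primary address), and clients that send option 77 as a bare string rather than as RFC 3004 length-prefixed classes yield no usable class and likewise fall back to the primary address.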
Chapter 6
ANCP Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Access Node Control Protocol (ANCP) features.
For information about the tasks and commands used to monitor, administer, and troubleshoot ANCP features, see the ANCP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
The ANCP is a communications control protocol that allows the SmartEdge router to communicate with an
access node device and gather information about the parameters for the individual access lines on the access
node.
The ANCP is an out-of-band control protocol with respect to the subscriber sessions that are carried on the access lines. Beneath the ANCP, the SmartEdge router uses the General Switch Management Protocol (GSMP) version 3 (GSMPv3) to communicate with the ANCP neighbor peers; GSMPv3 messages are carried over the Transmission Control Protocol (TCP).
Figure 6-1 shows the information flow from the individual subscribers to the SmartEdge router. In the network, the SmartEdge router, which is labeled Aggregation Router, acts as a broadband remote access server (BRAS) with Ethernet aggregation capability.
Note In this chapter, access lines are also referred to as digital subscriber lines (DSLs) and access
nodes are referred to as DSL access multiplexers (DSLAMs) or ANCP neighbor peers.
The ANCP control information for individual subscriber access lines is stored on the SmartEdge router, along with other subscriber session information, and sent to Remote Authentication Dial-In User Service (RADIUS) servers during the subscriber authentication and accounting process. Other sources from which the SmartEdge OS can learn access-line information are a Dynamic Host Configuration Protocol (DHCP) option 82 tag and a Point-to-Point Protocol (PPP) over Ethernet (PPPoE) tag.
Figure 6-1 Access Node to SmartEdge Router Information Flow
The SmartEdge OS can adjust the performance of the subscriber sessions from access-line information by modifying the quality of service (QoS) policy attached to the subscriber session or its parent 802.1Q permanent virtual circuit (PVC). The SmartEdge OS can also adjust the performance of 802.1Q tunnels.
You configure all ANCP functions under the umbrella of the ANCP router, which you create in the local context. The ANCP router is characterized by a system ID, which identifies the SmartEdge router to an ANCP neighbor peer; a TCP port, on which the SmartEdge router listens for incoming ANCP sessions; and a keepalive timer, which the SmartEdge router uses to maintain communication with its ANCP neighbor peers. If the SmartEdge router does not receive keepalive messages from an ANCP neighbor peer, the router disconnects the session. Each of these attributes has a default value that the SmartEdge router uses if you do not specify a value.
For security, incoming sessions are validated against an ANCP neighbor profile to limit the peers that can
connect to the SmartEdge router. If an incoming ANCP neighbor peer does not match the attributes
specified by the profile, the connection is rejected. The profile can specify a peer ID, a peer IP address, the
TCP port on which an ANCP neighbor peer sends and receives ANCP sessions (GSMP messages), and the
interface to which you bind the circuit on which the ANCP sessions are transmitted and received. All these
attributes are optional; if you leave an attribute unspecified, it acts as a wild card and accepts any value for
the attribute.
You can modify the configuration of each subscriber record, profile, or the default subscriber profile to
allow the learned access-line rates to override the rates specified by the QoS policies attached to the
subscriber session or its 802.1Q PVC.
The circuit agent ID is used as a unique key to map ANCP information to a specific subscriber session or to its 802.1Q parent PVC; it identifies the access line that is transmitting and receiving traffic on that 802.1Q PVC. The SmartEdge OS can learn the subscriber's circuit agent ID dynamically from DHCP option 82 information or from the PPPoE vendor tag; you can also configure it statically for the subscriber's parent 802.1Q PVC.
ANCP features comply with the standards found in the draft-wadhwa-gsmp-l2control-configuration-02,
GSMP Extensions for Layer 2 Control (L2C) Topology Discovery and Line Configuration document.
The SmartEdge router supports dynamic learning of access-line information and agent circuit ID as
described in the DSL Forum TR-101, Migration to Ethernet-Based DSL Aggregation document.
Configuration Tasks
To configure ANCP features, perform the tasks described in the following sections:
ANCP Configuration Guidelines
Configure the ANCP Router
Configure an ANCP Neighbor Profile
Map an 802.1Q PVC to a DSL Line
Map an 802.1Q Tunnel to a DSL Line
Configure a Subscriber Record for ANCP Sessions
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
ANCP Configuration Guidelines
This section includes configuration guidelines for ANCP features which affect more than one command or
a combination of commands:
You must configure the ANCP router in the local context.
You must create the interface to which you bind the circuits that carry ANCP sessions in the local
context.
ANCP sessions are supported on any type of circuit.
Configure the ANCP Router
To configure the ANCP router, perform the tasks described in Table 6-1; enter all commands in ANCP configuration mode, unless otherwise noted.
Configure an ANCP Neighbor Profile
To configure an ANCP neighbor profile, perform the tasks described in Table 6-2; enter all commands in ANCP neighbor configuration mode, unless otherwise noted.
Table 6-1 Configure the ANCP Router
# Task (root command; notes)
1. Create the ANCP router in the local context and access ANCP configuration mode. Root command: router ancp. Enter this command in context configuration mode.
2. Optional. Assign an ID to identify the SmartEdge router in ANCP sessions transmitted to an ANCP neighbor peer. Root command: system-id.
3. Optional. Assign a TCP port on which the SmartEdge router listens for ANCP sessions. Root command: tcp-port local.
4. Optional. Configure the parameters for sending and receiving keepalive messages to and from ANCP neighbor peers. Root command: keepalive.
Table 6-2 Configure an ANCP Neighbor Profile
# Task (root command; notes)
1. Optional. Create an empty ANCP profile for an ANCP neighbor peer and access ANCP neighbor configuration mode. Root command: neighbor profile. Enter this command in ANCP configuration mode.
2. Optional. Filter incoming new neighbor connections using the sender name of an ANCP neighbor peer. Root command: peer id.
3. Optional. Filter incoming new neighbor connections using the IP address of an ANCP neighbor peer. Root command: peer ip-address.
4. Optional. Filter incoming new neighbor connections using the TCP port on which the SmartEdge router receives the GSMP messages from an ANCP neighbor peer. Root command: tcp-port remote.
5. Optional. Filter incoming new neighbor connections using the interface on which ANCP sessions are transmitted and received for this ANCP neighbor profile. Root command: interface.
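The admission decision that the Overview and Table 6-2 describe, as an added example that is not SmartEdge OS code: an incoming ANCP connection is compared against the attributes a neighbor profile pins (peer id, peer ip-address, tcp-port remote, interface), an attribute that is left unset is a wild card, and a peer that fails any pinned attribute is rejected. The session records and the catch-all profile are constructed (the pinned values reuse those of the configuration example later in this chapter); that several profiles are tried in order with the first match winning is an assumption. The audit helper is the check a reviewer wants before deploying: a profile that pins neither a peer ID nor a peer address admits any host that can reach the ANCP listening port, and a peer ID alone is just a name the remote side sends.

```python
"""Admission check modelled on the ANCP neighbor profile.

Added example, not SmartEdge OS code. First-matching-profile-wins and the
sample sessions are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class NeighborProfile:
    name: str
    peer_id: Optional[str] = None           # peer id: sender name of the ANCP peer
    peer_ip: Optional[str] = None           # peer ip-address
    tcp_port_remote: Optional[int] = None   # tcp-port remote
    interface: Optional[str] = None         # interface carrying the ANCP circuit


@dataclass(frozen=True)
class IncomingSession:
    """What the router can observe about a new GSMPv3-over-TCP connection."""
    peer_id: str
    peer_ip: str
    remote_port: int
    interface: str


def profile_matches(profile: NeighborProfile, session: IncomingSession) -> bool:
    """Every pinned attribute must equal the session's; an unset attribute accepts anything."""
    checks = (
        (profile.peer_id, session.peer_id),
        (profile.peer_ip, session.peer_ip),
        (profile.tcp_port_remote, session.remote_port),
        (profile.interface, session.interface),
    )
    return all(want is None or str(want).lower() == str(got).lower() for want, got in checks)


def admit(session: IncomingSession, profiles: Sequence[NeighborProfile]) -> Optional[str]:
    """Name of the first profile that admits the session, or None when it is rejected."""
    for profile in profiles:
        if profile_matches(profile, session):
            return profile.name
    return None


def unpinned_profiles(profiles: Sequence[NeighborProfile]) -> List[str]:
    """Profiles that identify the peer by neither ID nor address: effectively open to any host."""
    return [p.name for p in profiles if p.peer_id is None and p.peer_ip is None]


# Constructed profile using the values of this chapter's configuration example
PROFILES = [
    NeighborProfile("ancp-profile", "01:02:03:04:05:06", "30.100.1.20", 7070, "ancp"),
]

if __name__ == "__main__":
    dslam = IncomingSession("01:02:03:04:05:06", "30.100.1.20", 7070, "ancp")
    # same sender name, different source address: the ID alone proves nothing
    rogue = IncomingSession("01:02:03:04:05:06", "30.100.1.99", 7070, "ancp")
    print("dslam ->", admit(dslam, PROFILES))
    print("rogue ->", admit(rogue, PROFILES))
    print("unpinned:", unpinned_profiles(PROFILES + [NeighborProfile("catch-all")]))
```

Pin at least the peer ip-address and the interface in every profile; the interface pin keeps ANCP sessions to the circuit that is bound to the ANCP interface in the local context, and the address pin is what rejects a host that merely copies the DSLAM's sender name.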
Map an 802.1Q PVC to a DSL Line
To map an 802.1Q PVC to a DSL line, perform the task described in Table 6-3; enter the command in dot1q PVC configuration mode. Configure only one of the commands.
Map an 802.1Q Tunnel to a DSL Line
To map an 802.1Q tunnel to a DSL line, perform the task described in Table 6-4; enter the command in dot1q PVC configuration mode and specify the encapsulation 1qtunnel keywords with the dot1q pvc command. Configure only one of the commands.
Configure a Subscriber Record for ANCP Sessions
To configure a subscriber record for ANCP sessions, perform one of the tasks described in Table 6-5; enter the command in subscriber configuration mode.
Table 6-3 Map an 802.1Q PVC to a DSL Line
Task (root command; notes)
Specify the agent circuit ID that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. Root command: access-line agent-circuit-id. The access-line agent-circuit-id command is an alternative to the access-line access-node-id command.
Specify the access node ID that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. Root command: access-line access-node-id. The access-line access-node-id command is an alternative to the access-line agent-circuit-id command.
Table 6-4 Map an 802.1Q Tunnel to a DSL Line
Task (root command; notes)
Specify the agent circuit ID that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. Root command: access-line agent-circuit-id. The access-line agent-circuit-id command is an alternative to the access-line access-node-id command.
Specify the access node ID that the system uses to match an ANCP message to a circuit, thereby mapping a DSL line to a circuit. Root command: access-line access-node-id. The access-line access-node-id command is an alternative to the access-line agent-circuit-id command.
Table 6-5 Configure a Subscriber Record for ANCP Sessions
Task (root command)
Override the rates specified by the QoS policies attached to this subscriber record with the actual rates. Root command: access-line rate.
Override the rates specified by the QoS policies attached to this subscriber record with the rates learned from the DSLAM. Root command: access-line agent-circuit-id.
Configuration Examples
The following example shows how to configure the ANCP router, an ANCP neighbor profile, an 802.1Q tunnel for ANCP sessions, and an 802.1Q PVC that maps to a DSL line:
! Create the interface and ANCP router in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface ancp multibind
[local]Redback(config-ctx)#interface untagged
[local]Redback(config-ctx)#router ancp
! Configure the ANCP router
[local]Redback(config-ancp)#system-id 12:34:56:78:9a:bc
[local]Redback(config-ancp)#tcp-port local 6070
[local]Redback(config-ancp)#keepalive interval 5 retries 5
! Configure an ANCP profile for the ANCP neighbor peer (DSLAM)
[local]Redback(config-ancp)#neighbor profile ancp-profile
[local]Redback(config-ancp-neighbor)#peer id 01:02:03:04:05:06
[local]Redback(config-ancp-neighbor)#peer ip-address 30.100.1.20
[local]Redback(config-ancp-neighbor)#tcp-port remote 7070
[local]Redback(config-ancp-neighbor)#interface ancp
! Configure an Ethernet port for the DSLAM and DSL
[local]Redback(config)#context local
[local]Redback(config-ctx)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#bind interface untagged local
! Configure an 802.1Q tunnel to carry the out-of-band ANCP protocol messages (to and from the DSLAM)
[local]Redback(config-port)#dot1q pvc 1 encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#bind interface ancp local
! Configure an 802.1Q PVC for the subscriber traffic
[local]Redback(config-dot1q-pvc)#dot1q pvc 1:1 encapsulation pppoe
[local]Redback(config-dot1q-pvc)#bind authentication chap
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id abc-2.1:1:1
! Configure the default subscriber profile to allow the learned rate of the DSL line to override the rate specified in a QoS policy attached to the subscriber circuit or its parent circuit in the outbound direction
[local]Redback(config)#context subscribers
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-line rate out ancp
The following example shows how to configure the ANCP router, an ANCP neighbor profile, an 802.1Q tunnel for ANCP sessions, and an 802.1Q tunnel that maps to a DSL line:
! Create the interface and ANCP router in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface ancp multibind
[local]Redback(config-ctx)#interface untagged
[local]Redback(config-ctx)#router ancp
! Configure the ANCP router
[local]Redback(config-ancp)#system-id 12:34:56:78:9a:bc
[local]Redback(config-ancp)#tcp-port local 6070
[local]Redback(config-ancp)#keepalive interval 5 retries 5
! Configure an ANCP profile for the ANCP neighbor peer (DSLAM)
[local]Redback(config-ancp)#neighbor profile ancp-profile
[local]Redback(config-ancp-neighbor)#peer id 01:02:03:04:05:06
[local]Redback(config-ancp-neighbor)#peer ip-address 30.100.1.20
[local]Redback(config-ancp-neighbor)#tcp-port remote 7070
[local]Redback(config-ancp-neighbor)#interface ancp
! Configure an Ethernet port for the DSLAM and DSL
[local]Redback(config)#context local
[local]Redback(config-ctx)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#bind interface untagged local
! Configure an 802.1Q profile to allow the learned rate of the DSL line to override the rate specified in a QoS policy attached to the circuit in the inbound and outbound directions
[local]Redback(config)#dot1q profile pwfq
[local]Redback(config-dot1q-profile)#access-line rate in
[local]Redback(config-dot1q-profile)#access-line rate out
! Map an 802.1Q tunnel (circuit) to a DSL line by specifying the access node ID that the system uses to match an ANCP message to a circuit. This configuration also allows the learned rate of the DSL line to override the rate specified in the QoS policy attached to the 802.1Q tunnel (circuit) for the VLL and the VPLS instances.
[local]Redback(config-dot1q-profile)#port ether 3/3
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 3 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line access-node-id "2.2.2.2/3.3.3.3" slot-port "10/0"
[local]Redback(config-dot1q-pvc)#qos policy queuing triple-play
[local]Redback(config-dot1q-pvc)#dot1q pvc 3:1
[local]Redback(config-dot1q-pvc)#l2vpn local
[local]Redback(config-dot1q-pvc)#dot1q pvc 3:2
[local]Redback(config-dot1q-pvc)#bridge profile access-bp1
[local]Redback(config-dot1q-pvc)#bind interface cust1 vpls1
[local]Redback(config-dot1q-pvc)#end
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ANCP features.
The commands are presented in alphabetical order:
access-line adjust
access-line access-node-id
access-line agent-circuit-id
access-line rate
interface
keepalive
neighbor profile
peer id
peer ip-address
router ancp
system-id
tcp-port local
tcp-port remote
access-line adjust
access-line adjust {cvlan | subscriber}
no access-line adjust {cvlan | subscriber}
Purpose
Overrides the rates specified by the quality of service (QoS) policies attached to this subscriber record,
named profile, or the default profile with the rates learned from the digital subscriber line (DSL) access
multiplexer (DSLAM).
Command Mode
subscriber configuration
Syntax Description
cvlan        Applies the rate learned from the DSLAM to the port, 802.1Q tunnel, or 802.1Q
             permanent virtual circuit (PVC) to which the QoS policy is attached.
subscriber   Applies rate information learned from the DSLAM to the subscriber circuit. This is the
             default.
Default
The rate learned from the DSLAM is applied to the subscriber circuit.
Usage Guidelines
Use the access-line adjust command to override the rates specified by the QoS policies attached to this
subscriber record, named profile, or the default profile with the rates learned from the DSLAM. The system
applies the DSLAM rate.
Use the no form of this command to specify the default condition.
Examples
The following example overrides the rate specified by any QoS policy attached to the default subscriber
profile:
[local]Redback(config)#context isp2
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-line adjust subscriber
Related Commands
access-line agent-circuit-id
access-line rate
access-line agent-circuit-id
access-line agent-circuit-id string
no access-line agent-circuit-id string
Purpose
Specifies the agent circuit ID that the system uses to match an incoming ANCP message to a circuit.
Command Mode
dot1q PVC configuration
Syntax Description
string   Agent circuit ID. A text string with up to 63 printable characters; enclose the string in
         quotation marks (" ") if the string includes spaces.
Default
No agent circuit ID is specified for a DSL on this circuit. The SmartEdge OS can learn this information
from a Point-to-Point Protocol (PPP) over Ethernet (PPPoE) tag or a Dynamic Host Configuration Protocol
(DHCP) option 82 tag.
Usage Guidelines
Use the access-line agent-circuit-id command to specify the agent circuit ID that the system uses to match
an ANCP message to a circuit, which can be either an 802.1Q PVC or an 802.1Q tunnel. An incoming ANCP
message contains an agent circuit ID. The data contained in this message is applied to the circuit that
matches that agent circuit ID. The agent circuit ID received from the DSL access multiplexer (DSLAM)
must match the text string exactly.
If the value learned from a subscriber session on this DSL differs from the configured value for the string
argument, the system generates an error log message and uses the configured value.
Note  For a more flexible approach to matching an ANCP message to a circuit, use the
      access-line access-node-id command (in dot1q PVC configuration mode).
Use the no form of this command to specify the default condition.
Examples
The following example specifies the agent circuit ID for all subscriber sessions on the PVC; the string
contains spaces, so it is enclosed in quotation marks:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id "dslam-10.1.1.1 dot1q 2/1:1:1"
The following example shows how to specify the agent circuit ID for the circuit tagged as pvc 100 with
the profile pwfq. The PVC is a tunnel, indicated by the encapsulation 1qtunnel keywords:
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 100 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line agent-circuit-id "10.2.1.1 eth 3/1:100"
Related Commands
access-line access-node-id
access-line rate
access-line access-node-id
access-line access-node-id ani slotport slot/port
no access-line
Purpose
Specifies the agent circuit ID that the system uses to match an incoming Access Node Control Protocol
(ANCP) message to a digital subscriber line (DSL).
Command Mode
dot1q PVC configuration
Syntax Description
ani                  Access node identifier (ANI). Alphanumeric string.
slotport slot/port   Slot and port of the DSL access multiplexer (DSLAM). This string must not include any
                     spaces.
Default
No agent circuit ID is specified for the circuit.
Usage Guidelines
Use the access-line access-node-id command to specify the agent circuit ID that the system uses to match
an incoming ANCP message to a DSL. This command identifies a unique configured agent circuit ID to be
associated with an 802.1Q PVC or 802.1Q tunnel. The data contained in the message is applied to the
circuit that matches the specified agent circuit ID. The agent circuit ID received from the DSLAM is either
unformatted (a blind string) or it conforms to one of the formats specified in DSL Forum Specification
TR-101, R-124, as follows:
For ATM DSLs: ANI atm slot/port:vpi.vci
For Ethernet DSLs: ANI eth slot/port[:vlan-id]
In the formatted version, the ANI field is always a blind string that identifies the DSLAM ANI; the
SmartEdge OS stores but does not process this string; it only searches for the space that terminates it.
The slot/port field is also a blind string; the SmartEdge OS searches for the colon (:) that terminates the
field, discards the colon and everything after it, and stores the slot/port string that precedes the colon.
Use the ani argument to specify the DSLAM ANI portion of the agent circuit ID to which the incoming
DSLAM ANIs are matched; use the slotport slot/port construct to specify the DSLAM slot and port. To
match incoming agent circuit IDs, duplicate the incoming format used by the DSLAM exactly; as the
examples below show, a different separator, an unknown line type, or a different port number all fail to match.
The total number of characters in the values for the ani and slotport fields must be fewer than 63.
Use the no form of this command to specify the default condition.
Examples
The following example specifies an agent circuit ID to which incoming DSLAM messages are matched:
[local]Redback(config-dot1q-pvc)#dot1q pvc 1:1 encapsulation pppoe
[local]Redback(config-dot1q-pvc)#access-line access-node-id 10.101.90.4/0.0.0.0 slotport 3/2
The following examples of incoming DSLAM messages match:
10.101.90.4/0.0.0.0 atm 3/2:2.3
10.101.90.4/0.0.0.0 eth 3/2:7
The following examples of incoming DSLAM messages do not match; the reason is provided:
10.101.90.4/0.0.0.0 foo 3/2:bar      Invalid line type foo
10.101.90.4/0.0.0.0 atmxx 3/2:2.3    Invalid line type atmxx
10.101.90.4/0.0.0.0atm 3/2:2.3       No space before atm
10.101.90.4/0.0.0.0-atm 3/2:2.3      - instead of space before atm
10.101.90.4/0.0.0.0 atm 3/2#2.3      # instead of colon after the port
10.101.90.4/0.0.0.0 atm 3/2 2.3      Space instead of colon after the port
10.101.90.4/0.0.0.0 atm 3/22         Wrong port number
The following example specifies the agent circuit ID for the circuit tagged as pvc 200 with the profile
pwfq. The PVC is a tunnel, indicated by the encapsulation 1qtunnel keywords with the dot1q pvc command:
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 200 profile pwfq encapsulation 1qtunnel
[local]Redback(config-dot1q-pvc)#access-line access-node-id 10.101.80.3/0.0.0.0 slotport 3/2
Related Commands
access-line agent-circuit-id
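The matching rules for access-line agent-circuit-id (exact string match) and access-line access-node-id (TR-101 formatted match) can be checked offline before a DSLAM is attached. The following Python is an added example, not SmartEdge OS code: it implements the parsing steps the guide describes (ANI up to the first space, a line type of atm or eth, slot/port up to the colon, everything after the colon discarded) and runs the guide's own match and no-match samples through a table of hypothetical circuits. The circuit names, the mapping of the second example to pvc 200, and the sample with no vlan-id are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Line types the guide lists for the TR-101 formatted agent circuit ID:
#   "ANI atm slot/port:vpi.vci" and "ANI eth slot/port[:vlan-id]"
LINE_TYPES = ("atm", "eth")
MAX_ID_CHARS = 63  # ani plus slot/port must be fewer than 63 characters


@dataclass(frozen=True)
class AccessNodeId:
    """The ani and slot/port pair given to 'access-line access-node-id'."""
    ani: str
    slotport: str


def parse_agent_circuit_id(acid: str) -> Tuple[Optional[AccessNodeId], str]:
    """Apply the guide's parsing rules to a received agent circuit ID.

    Returns (AccessNodeId, "") when the string is in the formatted layout,
    otherwise (None, reason).
    """
    # The ANI is a blind string terminated by the first space; it is stored, not interpreted.
    ani, sep, rest = acid.partition(" ")
    if not sep:
        return None, "no space after ANI"
    line_type, sep, rest = rest.partition(" ")
    if line_type not in LINE_TYPES:
        return None, f"invalid line type {line_type}"
    if not sep or not rest:
        return None, "missing slot/port"
    # slot/port is a blind string terminated by a colon; the colon and everything
    # after it (vpi.vci or vlan-id) are discarded.
    slotport = rest.partition(":")[0]
    return AccessNodeId(ani, slotport), ""


class CircuitTable:
    """Configured agent circuit IDs and the (hypothetical) circuit each one maps to."""

    def __init__(self) -> None:
        self._exact: Dict[str, str] = {}               # access-line agent-circuit-id string
        self._formatted: Dict[AccessNodeId, str] = {}  # access-line access-node-id ani slotport

    def add_exact(self, circuit: str, agent_circuit_id: str) -> None:
        if len(agent_circuit_id) > MAX_ID_CHARS:
            raise ValueError("agent circuit ID is limited to 63 characters")
        self._exact[agent_circuit_id] = circuit

    def add_formatted(self, circuit: str, ani: str, slotport: str) -> None:
        if " " in slotport:
            raise ValueError("slot/port must not include spaces")
        if len(ani) + len(slotport) >= MAX_ID_CHARS:
            raise ValueError("ani plus slot/port must be fewer than 63 characters")
        key = AccessNodeId(ani, slotport)
        if key in self._formatted:
            raise ValueError(f"{ani} {slotport} is already mapped to {self._formatted[key]}")
        self._formatted[key] = circuit

    def match(self, acid: str) -> Tuple[Optional[str], str]:
        """Return (circuit, "") for a received agent circuit ID, or (None, reason)."""
        if acid in self._exact:  # unformatted IDs must equal the configured text exactly
            return self._exact[acid], ""
        parsed, reason = parse_agent_circuit_id(acid)
        if parsed is None:
            return None, reason
        circuit = self._formatted.get(parsed)
        if circuit is None:
            return None, f"no circuit configured for ANI {parsed.ani} slot/port {parsed.slotport}"
        return circuit, ""


def demo() -> Dict[str, Optional[str]]:
    """Run the guide's match / no-match samples (constructed here) through a table."""
    table = CircuitTable()
    table.add_formatted("port 2/1 pvc 1:1", "10.101.90.4/0.0.0.0", "3/2")
    table.add_formatted("port 2/1 pvc 200", "10.101.80.3/0.0.0.0", "3/2")
    table.add_exact("port 2/1 pvc 100", "dslam-10.1.1.1 dot1q 2/1:1:1")
    samples = [
        "10.101.90.4/0.0.0.0 atm 3/2:2.3",    # matches pvc 1:1
        "10.101.90.4/0.0.0.0 eth 3/2:7",      # matches pvc 1:1
        "10.101.80.3/0.0.0.0 eth 3/2",        # vlan-id is optional for eth; matches pvc 200
        "dslam-10.1.1.1 dot1q 2/1:1:1",       # not TR-101 formatted; matched by exact string
        "10.101.90.4/0.0.0.0 foo 3/2:bar",    # invalid line type
        "10.101.90.4/0.0.0.0 atmxx 3/2:2.3",  # invalid line type
        "10.101.90.4/0.0.0.0atm 3/2:2.3",     # no space before atm
        "10.101.90.4/0.0.0.0-atm 3/2:2.3",    # '-' instead of space
        "10.101.90.4/0.0.0.0 atm 3/2#2.3",    # '#' instead of colon
        "10.101.90.4/0.0.0.0 atm 3/2 2.3",    # space instead of colon
        "10.101.90.4/0.0.0.0 atm 3/22",       # wrong port number
    ]
    return {acid: table.match(acid)[0] for acid in samples}
```

The exact-string table is consulted first because an unformatted ID such as the dot1q example would otherwise be rejected for its line type; match() returns the reason for a miss so that the DSLAM's actual format can be compared with the configured one when a circuit never receives rate information.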
access-line rate
access-line rate {in | out} [ancp]
no access-line rate {in | out} [ancp]
Purpose
Overrides the rates specified by the quality of service (QoS) policies attached to a subscriber record, a
named subscriber profile, the default subscriber profile, or the default dot1q profile, with the rates learned
from the Access Node Control Protocol (ANCP) neighbor peer (DSLAM).
Command Mode
subscriber configuration
dot1q profile configuration
Syntax Description
in     Applies the inbound rate to the QoS policing policy attached to the named subscriber
       record, the named subscriber profile, the default subscriber profile, or the default dot1q
       profile.
out    Applies the outbound rate to the QoS policies attached to the named subscriber record,
       the named subscriber profile, the default subscriber profile, or the default dot1q profile,
       in the outbound direction (QoS metering, queuing, or both policies).
ancp   Optional. Applies rate information learned from the ANCP session to the named
       subscriber record, the named subscriber profile, the default subscriber profile, or the
       default dot1q profile, using the associated circuit agent ID.
Default
The system does not use the learned rates to override the rates specified by the attached QoS policies.
Usage Guidelines
In subscriber configuration mode, use the access-line rate command to override the rates specified by the
QoS policies attached to this subscriber record, named profile, or the default profile, with the rates learned
from the ANCP neighbor peer (DSLAM).
In dot1q profile configuration mode, use the access-line rate command to override the rates specified by
the QoS policies attached to a circuit that is configured with the bind interface command, bind bypass
command, or L2VPN bindings and a dot1q profile. This command overrides the rates specified by the QoS
policies with the rates learned from the ANCP neighbor peer (DSLAM).
Note  The SmartEdge OS learns the rate to be applied from the Actual-Data-Rate-Downstream in
      the General Switch Management Protocol (GSMP) port-up message or from the Point-to-Point
      Protocol over Ethernet (PPPoE) or Dynamic Host Configuration Protocol (DHCP) option
      according to TR-101. If the ancp keyword is specified with the access-line rate command,
      the SmartEdge OS learns the rate from ANCP. Otherwise, the SmartEdge OS learns the rate
      from the PPPoE or DHCP option.
If the subscriber circuit does not have a QoS policy attached to it, but the parent circuit has a QoS policy
with the inherit keyword configured attached to it, then the learned rate is applied to the QoS policy
attached to the parent circuit.
If there are multiple subscriber circuits running on a parent circuit that has a QoS policy configured with
the inherit keyword attached to it, and only one of the subscriber circuits has the access-line rate command
configured for it, then all subscriber circuits on that parent circuit appear to have the access-line rate
command configured for them. Otherwise, the learned rate is applied to the circuit with the associated
circuit agent ID.
Note  Queuing policies are inherited by default; policing and metering policies must be configured
      with the inherit keyword. For more information about configuring QoS policies, see the QoS
      Circuit Configuration chapter.
Use the no form of this command to specify the default condition.
Examples
The following example shows how to enable the system to override the rates in the out direction for the
isp1 subscriber profile in the access7 context, but only if the rate is learned from the ANCP session:
[local]Redback(config)#context access7
[local]Redback(config-ctx)#subscriber profile isp1
[local]Redback(config-sub)#access-line rate out ancp
The following example shows how to enable the system to override the rates in both the in and out
directions for the dot1q profile named pwfq:
[local]Redback(config-ctx)#dot1q profile pwfq
[local]Redback(config-dot1q-profile)#access-line rate in
[local]Redback(config-dot1q-profile)#access-line rate out
Related Commands
access-line agent-circuit-id
interface
interface if-name
no interface
Purpose
Filters incoming new neighbor connections using the interface on which Access Node Control Protocol
(ANCP) sessions are transmitted and received for this ANCP neighbor profile.
Command Mode
ANCP neighbor configuration
Syntax Description
if-name   Name of the interface; an alphanumeric string with up to 127 characters.
Default
ANCP sessions using this profile can arrive on any interface.
Usage Guidelines
Use the interface command to filter incoming new neighbor connections using the interface on which
ANCP sessions are transmitted and received. The incoming session is matched against the circuit on which
it is first connected.
ANCP sessions can arrive on any type of circuit that you have bound to this interface using the bind
interface command (in various configuration modes). For information about the bind interface command,
see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the
SmartEdge OS.
All packets for ANCP sessions defined in this neighbor profile must arrive on this interface; otherwise, they
are discarded.
Use the no form of this command to specify the default condition.
Examples
The following example specifies ancp as the interface on which ANCP sessions for this profile are
transmitted and received:
[local]Redback(config-ancp-neighbor)#interface ancp
Related Commands
peer id
tcp-port remote
keepalive
keepalive interval seconds retry retry-num
{no | default} keepalive
Purpose
Configures the parameters for sending and receiving keepalive messages to and from Access Node Control
Protocol (ANCP) neighbor peers.
Command Mode
ANCP configuration
Syntax Description
interval seconds   Number of seconds between keepalive messages sent to ANCP neighbor peers.
                   The range of values is 1 to 25; the default value is 10 seconds.
retry retry-num    Number of missing keepalive messages permitted from an ANCP neighbor peer
                   before the session is disconnected. The range of values is 1 to 10; the default value
                   is 3.
Default
The interval value is 10 seconds; the retry value is 3.
Usage Guidelines
Use the keepalive command to configure the parameters for sending and receiving keepalive messages to
and from ANCP neighbor peers.
The SmartEdge router keeps track of the number of missing keepalive messages from each ANCP neighbor
peer. If the number of missing messages exceeds the value specified by the retry retry-num construct, it
disconnects the session for that peer.
Caution  Risk of performance loss. When the system has many active General Switch Management
         Protocol (GSMP) peer sessions and the value of the seconds argument in the keepalive
         command syntax is less than 10, the system might incur a loss of performance. To minimize
         the risk under these conditions, change the value of the seconds argument to 10 or greater.
Use the no or default form of this command to specify the default condition.
Examples
In the following example, the SmartEdge router sends keepalive messages to ANCP neighbor peers every
5 seconds. It disconnects the session to an ANCP neighbor peer if the number of keepalive messages
missing from that peer exceeds 10:
[local]Redback(config-ancp)#keepalive interval 5 retries 10
Related Commands
peer id
neighbor profile
neighbor profile prof-name
no neighbor profile prof-name
Purpose
Creates an empty Access Node Control Protocol (ANCP) profile for an ANCP neighbor peer, and accesses
ANCP neighbor configuration mode.
Command Mode
ANCP configuration
Syntax Description
prof-name   ANCP neighbor profile name.
Default
No ANCP neighbor profile exists.
Usage Guidelines
Use the neighbor profile command to create an ANCP neighbor profile and access ANCP neighbor
configuration mode.
The SmartEdge OS listens for incoming ANCP sessions, using the Transmission Control Protocol (TCP)
local port that you have configured with the tcp-port local command (in ANCP configuration mode).
When an ANCP session is received, its attributes must match the attributes you have configured for one of
the ANCP neighbor profiles. This means that the session must match each attribute that you have
configured for the profile. If an attribute is not configured, then any value for that attribute is accepted. For
example, if the remote TCP port is not configured, then the incoming session can have any source port
number, as long as the other items match. An empty neighbor profile with no attributes configured allows
all incoming connections.
Use the no form of this command to delete this ANCP neighbor profile.
Examples
The following example creates the ancp-profile ANCP neighbor profile and accesses ANCP neighbor
configuration mode:
[local]Redback(config-ancp)#neighbor profile ancp-profile
[local]Redback(config-ancp-neighbor)#
Related Commands
None
peer id
peer id peer-name
no peer id peer-name
Purpose
Filters incoming new neighbor connections using the sender name of the incoming Access Node Control
Protocol (ANCP) neighbor peer.
Command Mode
ANCP neighbor configuration
Syntax Description
peer-name   Name of an ANCP neighbor peer.
Default
If a peer name is not specified for this profile, there is no restriction on the sender name in a received
General Switch Management Protocol (GSMP) adjacency protocol message from an ANCP neighbor peer.
Usage Guidelines
Use the peer id command to filter incoming new neighbor connections using the sender name of the
incoming ANCP neighbor peer. The sender name is carried in the GSMP adjacency protocol message from the
ANCP neighbor peer; a connection whose sender name does not match the configured name is rejected.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the name of an ANCP neighbor peer:
[local]Redback(config-ancp-neighbor)#peer id 01:02:03:04:05:06
Related Commands
interface
tcp-port remote
peer ip-address
peer ip-address ip-addr
no peer ip-address ip-addr
Purpose
Filters incoming new neighbor connections using the IP address of the incoming Access Node Control
Protocol (ANCP) neighbor peer.
Command Mode
ANCP neighbor configuration
Syntax Description
ip-addr   IP address of an ANCP neighbor peer.
Default
If an IP address is not specified for this profile, there is no restriction on the IP address in a received General
Switch Management Protocol (GSMP) adjacency protocol message from an ANCP neighbor peer.
Usage Guidelines
Use the peer ip-address command to filter incoming new neighbor connections using the IP address of the
incoming ANCP neighbor peer. The incoming IP address is matched against the specified IP address and
the connection is rejected if there is no match.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the IP address of an ANCP neighbor peer:
[local]Redback(config-ancp-neighbor)#peer ip-address 30.100.1.20
Related Commands
interface
tcp-port remote
router ancp
router ancp
no router ancp
Purpose
Creates the Access Node Control Protocol (ANCP) router and accesses ANCP configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
The ANCP router does not exist.
Usage Guidelines
Use the router ancp command to create the ANCP router and access ANCP configuration mode. The
ANCP router is always created in the local context.
Use the no form of this command to delete the ANCP router and close all ANCP sessions; however, digital
subscriber line (DSL) information learned from the sessions is not removed.
Examples
The following example creates the ANCP router in the local context and accesses ANCP configuration
mode:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router ancp
[local]Redback(config-ancp)#
Related Commands
interface
keepalive
neighbor profile
system-id
tcp-port local
system-id
system-id name
{no | default} system-id
Purpose
Assigns an ID that identifies the SmartEdge router in Access Node Control Protocol (ANCP) sessions
transmitted to an ANCP neighbor peer.
Command Mode
ANCP configuration
Syntax Description
name   ID used for the ANCP sessions. The format is a 6-byte hexadecimal string in the form
       hh:hh:hh:hh:hh:hh.
Default
The ID is set to the medium access control (MAC) address of the Ethernet management port, or to
CA:FE:18:07:29:09 if the system cannot read the MAC address of the Ethernet management port.
Usage Guidelines
Use the system-id command to assign an ID that identifies the ANCP sessions transmitted by the
SmartEdge router. If you configure the system ID, it is included as the sender name in adjacency packets
sent by the SmartEdge router. If you do not configure it, the system uses one of the following alternatives:
If the SmartEdge router has received the MAC address of the port on which the ANCP neighbor is
connected, it uses that MAC address.
Otherwise, the SmartEdge router uses either the MAC address of the Ethernet management port or
CA:FE:18:07:29:09, depending on whether the MAC address of the Ethernet management port is
readable.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies 12:34:56:78:9a:bc as the SmartEdge router ID for ANCP sessions:
[local]Redback(config-ancp)#system-id 12:34:56:78:9a:bc
Related Commands
interface
keepalive
router ancp
tcp-port local
tcp-port local
tcp-port local loc-port
{no | default} tcp-port local
Purpose
Assigns the Transmission Control Protocol (TCP) port on which the SmartEdge router listens for Access Node
Control Protocol (ANCP) sessions.
Command Mode
ANCP configuration
Syntax Description
loc-port   TCP port number. The range of values is 6,068 to 10,000; the default value is 6,068.
Default
The default TCP port, 6,068, is assigned as the local port.
Usage Guidelines
Use the tcp-port local command to specify the TCP port on which the SmartEdge router listens for ANCP
sessions.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies 6070 as the port number for the local TCP port:
[local]Redback(config-ancp)#tcp-port local 6070
Related Commands
tcp-port remote
tcp-port remote
tcp-port remote remote-port
no tcp-port remote
Purpose
Filters incoming new neighbor connections using the Transmission Control Protocol (TCP) port from which
the SmartEdge router receives the General Switch Management Protocol (GSMP) messages of an
Access Node Control Protocol (ANCP) neighbor peer.
Command Mode
ANCP neighbor configuration
Syntax Description
remote-port   TCP port number. The range of values is 1,024 to 5,000.
Default
If a TCP remote port number is not specified for this profile, there is no restriction on the TCP remote port
number in a received GSMP adjacency protocol message from an ANCP neighbor.
Usage Guidelines
Use the tcp-port remote command to filter incoming new neighbor connections using the TCP port
number from which the SmartEdge router receives the GSMP messages of an ANCP neighbor peer; this is
the source port of the incoming connection (see the neighbor profile command).
Use the no form of this command to specify the default condition.
Examples
The following example specifies 7070 as the port number for a remote TCP port:
[local]Redback(config-ancp-neighbor)#tcp-port remote 7070
Related Commands
interface
peer id
tcp-port local
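How the filters in neighbor profile, peer id, peer ip-address, tcp-port remote and interface combine is stated in the neighbor profile usage guidelines: a new session must match every configured attribute of some profile, an unconfigured attribute accepts any value, and an empty profile admits every connection. The following Python is an added example, not SmartEdge OS code, that models that admission decision together with the port ranges the syntax descriptions state. The session fields, the profile order and the rule that the first matching profile wins are assumptions made for illustration. Note that the guide's own configuration example uses tcp-port remote 7070, which lies outside the 1,024 to 5,000 range its syntax description gives; the demo therefore uses 4070.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port ranges as stated in the tcp-port local / tcp-port remote syntax descriptions.
LOCAL_PORT_RANGE = (6068, 10000)
REMOTE_PORT_RANGE = (1024, 5000)


@dataclass(frozen=True)
class IncomingSession:
    """Attributes of a new ANCP connection as seen when its GSMP adjacency message arrives (assumed model)."""
    sender_name: str   # sender name in the adjacency message; checked by 'peer id'
    source_ip: str     # peer IP address; checked by 'peer ip-address'
    source_port: int   # peer TCP source port; checked by 'tcp-port remote'
    interface: str     # interface bound to the circuit it arrived on; checked by 'interface'
    local_port: int    # TCP port the router accepted the connection on ('tcp-port local')


@dataclass(frozen=True)
class NeighborProfile:
    """One 'neighbor profile'. None means the attribute was not configured."""
    name: str
    peer_id: Optional[str] = None
    peer_ip: Optional[str] = None
    remote_port: Optional[int] = None
    interface: Optional[str] = None

    def __post_init__(self) -> None:
        lo, hi = REMOTE_PORT_RANGE
        if self.remote_port is not None and not lo <= self.remote_port <= hi:
            raise ValueError(f"tcp-port remote must be {lo}..{hi}")

    def accepts(self, s: IncomingSession) -> bool:
        """Every configured attribute must match; an unconfigured one accepts any value."""
        wanted = [
            (self.peer_id, s.sender_name),
            (self.peer_ip, s.source_ip),
            (self.remote_port, s.source_port),
            (self.interface, s.interface),
        ]
        return all(want is None or want == got for want, got in wanted)


class AncpRouter:
    """The 'router ancp' listener: one local port and an ordered list of neighbor profiles."""

    def __init__(self, local_port: int = 6068) -> None:
        lo, hi = LOCAL_PORT_RANGE
        if not lo <= local_port <= hi:
            raise ValueError(f"tcp-port local must be {lo}..{hi}")
        self.local_port = local_port
        self.profiles: List[NeighborProfile] = []

    def admit(self, s: IncomingSession) -> Optional[str]:
        """Return the name of the first profile that accepts the session, or None to reject it."""
        if s.local_port != self.local_port:
            return None  # the router listens only on its configured local port
        for profile in self.profiles:
            if profile.accepts(s):
                return profile.name
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed sessions against the guide's example profile (remote port changed to 4070)."""
    router = AncpRouter(local_port=6070)
    router.profiles.append(NeighborProfile(
        "ancp-profile", peer_id="01:02:03:04:05:06", peer_ip="30.100.1.20",
        remote_port=4070, interface="ancp"))
    dslam = "01:02:03:04:05:06"
    results = {
        "matching peer": router.admit(IncomingSession(dslam, "30.100.1.20", 4070, "ancp", 6070)),
        "wrong sender name": router.admit(IncomingSession("0a:0b:0c:0d:0e:0f", "30.100.1.20", 4070, "ancp", 6070)),
        "wrong interface": router.admit(IncomingSession(dslam, "30.100.1.20", 4070, "untagged", 6070)),
        "wrong local port": router.admit(IncomingSession(dslam, "30.100.1.20", 4070, "ancp", 6068)),
    }
    # A profile with only the IP configured accepts any sender name and source port from that host.
    router.profiles.append(NeighborProfile("by-ip-only", peer_ip="30.100.1.20"))
    results["ip-only fallback"] = router.admit(
        IncomingSession("0a:0b:0c:0d:0e:0f", "30.100.1.20", 4999, "untagged", 6070))
    # An empty profile allows every incoming connection; once present, nothing is rejected.
    router.profiles.append(NeighborProfile("catch-all"))
    results["catch-all"] = router.admit(
        IncomingSession("ff:ff:ff:ff:ff:ff", "192.0.2.9", 3000, "untagged", 6070))
    return results
```

The last two steps of demo() are the ones to look for in a review of a production configuration: a profile that only pins the peer IP lets any process on that host open a session, and an empty profile left over from testing turns the listener into an open one.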
Part 3
Mobile IP Services
This part describes the tasks and commands used to configure SmartEdge OS Mobile IP services and
consists of the following chapters:
Chapter 7, Mobile IP Foreign Agent Configuration
Chapter 8, Mobile IP Home Agent Configuration
Chapter 7
Mobile IP Foreign Agent Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Mobile IP (wireless)
services for foreign agent (FA) instances on the SmartEdge router and their home agent (HA) peers.
For information about the tasks and commands used to monitor, administer, and troubleshoot Mobile IP
services, see the Mobile IP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
You configure IP-in-IP tunnels and, optionally, Generic Routing Encapsulation (GRE) tunnels on the
SmartEdge router to support the connections from FA instances to their HA peers. For information about
configuring the IP-in-IP and GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the
Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
For information about configuring Ethernet, Fast Ethernet-Gigabit Ethernet, and Gigabit Ethernet ports and
circuits to support mobile subscribers, see the ATM, Ethernet, and POS Port Configuration and Circuit
Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note The terms FA instance and HA instance refer to the FAs and HAs, respectively, that you
configure on the SmartEdge router.
The terms FA peers and HA peers refer to FAs and HAs that exist on other equipment in the
network.
The term Mobile IP binding refers to the association between a mobile node (MN) and its HA
instance on the SmartEdge router. The term visitor or visiting MN refers to the association
between an MN and an FA instance when that MN is communicating with its HA through the
FA instance on the SmartEdge router.
FA and HA tunnels can be used with Mobile IP services and non-mobile IP services traffic.
Overview
This section includes the following topics:
Mobile IP Components
Traffic Flow
Deployment Scenarios
Restrictions
Supported Standards
Mobile IP Components
Mobile IP allows MNs to retain their IP addresses when they roam across multiple networks. Doing so
enables MNs to maintain their existing IP sessions.
Mobile IP consists of the following components:
Mobile Nodes
Home Agent Peer
Foreign Agent Instance
Registration
Mobile Nodes
The MN is an IP device, for example a laptop computer or a personal digital assistant (PDA), whose point
of attachment (POA) to the Internet can change frequently. The MN maintains its connections using its
home IP address.
Home Agent Peer
The HA peer, a router on the MN's home network, is the anchor component in a Mobile IP network that
provides seamless mobility to the MN. When an MN is attached to its home network, it does not use Mobile
IP services because it communicates directly using normal IP routing. When an MN is roaming and is not
connected to its home network, its HA peer does the following:
Tracks the MN's current POA to the Internet.
Tunnels datagrams destined for the MN to the MN's current POA.
Authenticates the MN (usually with the user ID and password) and verifies that Mobile IP services
should be provided. It optionally assigns the MN a home address (HoA) on its home network. When
the MN roams outside its home network, it retains its home address to prevent losing existing IP
sessions.
Foreign Agent Instance
MNs listen for FA instance advertisements to determine if they are attached to a home or foreign network.
An FA instance is a router on a foreign network that provides routing services to visiting MNs. When the
MN visits a foreign network with which its HA peer has service agreements and is authenticated by its HA
peer, the MN can obtain Mobile IP services while visiting this network. During the visit, the MN listens for
Internet Control Message Protocol (ICMP) Router Advertisements (RAs) from an FA instance. The RAs
allow the MN to learn which FA instances are available and what Mobile IP services they have to provide.
The FA instance does the following:
Allows the MN to maintain its existing sessions when it visits the foreign network.
Terminates the tunnels from the HA peers corresponding to visiting MNs.
Decapsulates packets destined for the MN and delivers them locally.
Reverse-tunnels traffic from the MN to other Internet nodes. This is often required to satisfy ingress
filtering (as described in RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks),
and facilitate accurate billing and accounting.
If the MN does not hear RAs from any FAs, the MN sends an ICMP Router Solicitation requesting that any
FA instances on the foreign network reply with an RA.
Registration
When the MN discovers a foreign agent (FA) instance with which its HA peer has a service agreement, it
sends a Mobile IP registration request to the FA instance. The FA instance validates the request and
forwards it to the corresponding HA peer. The registration request does the following:
Requests Mobile IP services for the MN from the FA instance when it is visiting one of its foreign
networks. For successful registrations, the FA instance maintains the state of the visitor such as the
lifetime of the registration.
Informs the HA peer of the MN's current POA to the Internet. This is normally the FA instance's
care-of address (CoA), which is also the termination point of the tunnel between the HA peer and the FA
instance.
For new registrations, the HA peer creates a binding that maintains the MN's location and other related
information, such as the lifetime of the registration. For existing registrations, the HA peer and FA
instance renew the registration lifetime in their respective binding and visitor entries.
Optionally, deregisters the MN when it returns to its home network or no longer requires Mobile IP
services.
The MN registration request includes the FA instance CoA and the IP address of its HA peer. It may include
the MN assigned home address (HoA) and the MN user identity as described in RFC 2794, Mobile IP
Network Access Identifier Extension for IPv4s.
The MN sends the registration request to the HA peer so that the HA peer knows where the MN is located.
When the MN is successfully authenticated, the HA peer sends a Mobile IP registration reply to the FA
instance and the FA instance, in turn, forwards it to the MN.
The HA peer and FA instance also set up forwarding so that all packets destined for the MN home address
are forwarded to the MN through the tunnel between the HA peer and the FA instance. The FA instance sets
up forwarding so that packets from the MN are reverse tunneled to back over the same tunnel to the HA
peer. Packets originating from an MN are always reverse tunneled.
Overview
7-4 IP Services and Security Configuration Guide
The MN uses its HoA as the source of all packets it sends, whether it is attached to its home network or visits a foreign network through an FA instance. MN authentication is always performed on the HA peer. The SmartEdge router HA peer uses the MN's user identifier (included in the registration request) to authenticate mobile IP services using AAA protocols with a RADIUS server.
Optionally, the MN can acquire a collocated care-of address (CCoA) on the foreign network and perform Mobile IP services with little or no interaction with the FA instance. The SmartEdge router does not support this mode of operation.
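The registration exchange described above, worked through in code as an added example (this is not SmartEdge OS code): it builds the RFC 3344 Registration Request an MN sends with its NAI and MN-HA authentication extension, applies the FA-side checks before relaying, adds the FA-HA authentication extension from a key chain entry (the key string and SPI that Table 7-2 configures), and verifies that extension on the HA side. Addresses, the NAI, SPIs and keys are constructed samples; the extension-order and lifetime checks follow RFC 2794 and RFC 3344.

```python
"""Mobile IPv4 (RFC 3344) Registration Request as seen from a foreign agent.

Added example, not SmartEdge OS code. Addresses, NAI, SPIs and keys below are
constructed sample values.
"""
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Tuple

REG_REQUEST = 1
FLAG_T = 0x02                      # reverse tunneling requested (RFC 3024)
EXT_MN_HA_AUTH, EXT_MN_FA_AUTH, EXT_FA_HA_AUTH = 32, 33, 34
EXT_NAI = 131                      # RFC 2794 Mobile Node NAI extension
HDR = "!BBH4s4s4sQ"                # type, flags, lifetime, HoA, HA, CoA, identification
HDR_LEN = struct.calcsize(HDR)     # 24 bytes
MAC_LEN = 16                       # HMAC-MD5 authenticator (RFC 3344 default algorithm)
KeyChain = Dict[int, bytes]        # SPI -> key string, as in a key chain entry


def _authenticator(key: bytes, covered: bytes) -> bytes:
    """RFC 3344 3.5.1: HMAC-MD5 over the message, every preceding extension,
    and this extension's own Type, Length and SPI fields."""
    return hmac.new(key, covered, hashlib.md5).digest()


def append_auth_extension(msg: bytes, ext_type: int, spi: int, key: bytes) -> bytes:
    """Append an authentication extension of ext_type to the message."""
    prefix = struct.pack("!BBI", ext_type, 4 + MAC_LEN, spi)
    return msg + prefix + _authenticator(key, msg + prefix)


def build_registration_request(hoa: str, ha: str, coa: str, lifetime: int, ident: int,
                               nai: str, mn_ha_spi: int, mn_ha_key: bytes) -> bytes:
    """What the MN sends to the FA: header, NAI extension, MN-HA auth extension."""
    msg = struct.pack(HDR, REG_REQUEST, FLAG_T, lifetime, socket.inet_aton(hoa),
                      socket.inet_aton(ha), socket.inet_aton(coa), ident)
    msg += bytes([EXT_NAI, len(nai)]) + nai.encode("ascii")
    return append_auth_extension(msg, EXT_MN_HA_AUTH, mn_ha_spi, mn_ha_key)


def parse_extensions(msg: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the extensions; return (type, offset_of_extension, value) triples."""
    if len(msg) < HDR_LEN or msg[0] != REG_REQUEST:
        raise ValueError("not a Registration Request")
    exts, off = [], HDR_LEN
    while off < len(msg):
        etype = msg[off]
        if etype == 0:                 # one-byte padding extension, no length field
            off += 1
            continue
        if off + 2 > len(msg):
            raise ValueError("truncated extension header")
        end = off + 2 + msg[off + 1]
        if end > len(msg):
            raise ValueError("extension runs past end of message")
        exts.append((etype, off, msg[off + 2:end]))
        off = end
    return exts


def verify_auth_extension(msg: bytes, ext_type: int, keychain: KeyChain) -> bool:
    """Verify the first authentication extension of ext_type against the key
    chain. A missing extension, unknown SPI or bad authenticator all fail."""
    for etype, off, value in parse_extensions(msg):
        if etype != ext_type:
            continue
        if len(value) != 4 + MAC_LEN:
            return False
        spi = struct.unpack("!I", value[:4])[0]
        key = keychain.get(spi)
        if key is None:
            return False
        covered = msg[:off + 6]        # header + preceding exts + Type/Length/SPI
        return hmac.compare_digest(_authenticator(key, covered), value[4:])
    return False


def fa_relay(msg: bytes, fa_ha_spi: int, fa_ha_key: bytes, max_lifetime: int) -> bytes:
    """FA-side checks before forwarding to the HA peer (only the HA can verify
    the MN-HA extension), then the FA-HA extension from the key chain entry."""
    types = [t for t, _, _ in parse_extensions(msg)]
    if EXT_MN_HA_AUTH not in types:
        raise ValueError("MN-HA authentication extension is mandatory")
    if EXT_NAI in types and types.index(EXT_NAI) > types.index(EXT_MN_HA_AUTH):
        raise ValueError("NAI extension must precede the MN-HA authentication extension")
    flags, lifetime = msg[1], struct.unpack("!H", msg[2:4])[0]
    if not flags & FLAG_T:
        raise ValueError("reverse tunneling is required for visiting MNs")
    if lifetime > max_lifetime:
        raise ValueError("requested lifetime exceeds registration max-lifetime")
    return append_auth_extension(msg, EXT_FA_HA_AUTH, fa_ha_spi, fa_ha_key)
```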
Traffic Flow
Mobile IP services enables the SmartEdge router to act as one or more FA instances. Each FA instance
communicates with HA peers that support its mobile subscribers, which are referred to as mobile nodes
(MNs). Each FA instance has a care-of address (CoA) that the system uses as the termination address for
the tunnel to an HA peer.
In a typical deployment, MNs connect wirelessly to Base Transceiver Stations (BTSs), which connect to
the SmartEdge router FA instance through Ethernet. In this topology, each MN is represented by a separate
Ethernet circuit and MNs can move between BTSs. The FA instance communicates with a SmartEdge HA
peer through a tunnel endpoint (a local address of an HA instance). The SmartEdge router routes the MN
traffic to the HA peer using an IP-in-IP tunnel or GRE tunnel. Each HA peer uses a different tunnel. Traffic
for the MNs is routed from the FA instance to the HA peer using the same tunnel.
MNs communicate with the SmartEdge router (the FA instance) over Ethernet-based circuits using a
context where you configure the FA instance. The system routes the MN traffic to each external HA peer
using an IP-in-IP tunnel or a GRE tunnel. Each HA peer uses a different tunnel. Traffic from an HA peer
is routed back to the MNs associated with that HA peer using the same tunnel.
Figure 7-1 illustrates the physical network for MNs, BTSs, HA peers, and an FA instance.
Note Because the tunnels described in this chapter each support a single tunnel circuit, the term tunnel refers to the tunnel and its circuit. For information about configuring the IP-in-IP and GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
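Reverse tunneling as described in the Traffic Flow section, together with the ingress-filtering reason given in the overview, as an added example that is not SmartEdge OS code: a packet the MN sources from its home address is refused by an RFC 2827 ingress filter on the foreign network, the FA's IP-in-IP encapsulation (outer source is the CoA, outer destination the HA peer) passes that filter, and the HA accepts only packets from the registered CoA whose inner source is a bound home address. Addresses and payload are constructed samples, and the filter is a simple source-prefix check.

```python
"""Reverse tunneling of MN traffic from the FA to the HA peer.

Added example, not SmartEdge OS code. Addresses and payload are constructed.
"""
import ipaddress
import socket
import struct
from typing import Iterable, Tuple

IPPROTO_IPIP = 4
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def _checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, bytes]:
    """Return (src, dst, proto, payload); rejects a bad version or checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:total_len]


def ingress_filter_accepts(pkt: bytes, site_prefixes: Iterable[str]) -> bool:
    """RFC 2827 style check at the foreign network's upstream: the source
    address must fall inside a prefix the site is allowed to originate."""
    src = ipaddress.ip_address(parse_ipv4(pkt)[0])
    return any(src in ipaddress.ip_network(p) for p in site_prefixes)


def fa_reverse_tunnel(mn_pkt: bytes, coa: str, ha_peer: str) -> bytes:
    """FA: wrap the MN's packet in an outer header from the CoA to the HA peer."""
    return build_ipv4(coa, ha_peer, IPPROTO_IPIP, mn_pkt)


def ha_decapsulate(pkt: bytes, expected_coa: str, visitor_hoas: Iterable[str]) -> bytes:
    """HA: accept only IP-in-IP from the registered CoA whose inner source is a
    bound home address, and hand back the inner packet for normal forwarding."""
    outer_src, _, proto, inner = parse_ipv4(pkt)
    if proto != IPPROTO_IPIP or outer_src != expected_coa:
        raise ValueError("not a reverse-tunneled packet from the registered CoA")
    inner_src = parse_ipv4(inner)[0]
    if inner_src not in set(visitor_hoas):
        raise ValueError("inner source is not a bound home address")
    return inner
```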
Figure 7-1 Physical Network of MNs, BTSs, HA Peers, and an FA Instance
Deployment Scenarios
The Mobile IP services implementation can use the multiple context support that the SmartEdge OS provides. The contexts that Mobile IP services can use in different deployment scenarios include:
• CoA context: The CoA interface resides in the CoA context. The CoA interface provides an endpoint for a tunnel to a home-agent peer. The CoA context is typically the local context, but other contexts can be used as well. Each CoA interface can be in a different CoA context independent of other CoA interfaces.
• FA context: The FA context provides one or more interfaces to the MN and defines the set of HA peers for the FA instance. Each FA instance configured on the SmartEdge router has its own FA context.
• HoA VPN context: The home address (HoA) Virtual Private Network (VPN) context includes the interfaces that terminate the tunnels to the HA peers. Each HA peer that uses private HoAs has its own context. HA peers that use nonoverlapping HoAs can share a single context. Each HA peer that has an overlapping HoA must have its own HoA VPN context.
These contexts allow the SmartEdge OS to support various deployment scenarios, which are described in the following sections:
• Home Agent Without Overlapping IP Addresses
• Some Home Agents Use Private IP Addresses
• Any Home Agent Can Use Private IP Addresses
• Home Agents Can Be Grouped for Each Mobile IP Service Provider
• SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers
Home Agent Without Overlapping IP Addresses
In the most basic deployment, a single FA instance provides connectivity to all MNs while interfacing with
all the HA peers. The MN HoAs do not overlap; that is, each MN has a public HoA. In this case, the
configuration is simplified to make use of a single context, the FA context.
Some Home Agents Use Private IP Addresses
A few HA peers can allocate HoAs from a private address space while providing Internet connectivity using
Network Address Translation (NAT). If so, the IP addresses of the MNs can overlap.
To configure the SmartEdgeOS for this deployment, use a single context for the FA instances, HA peers,
and CoAs, but exclude the HA peers that use private IP addresses. Use a separate context for each HA peer
that uses a private address space.
Any Home Agent Can Use Private IP Addresses
Each HA peer is independent and can use private IP addresses. For this deployment scenario, each HA peer
uses a separate context. The CoA and FA contexts can be the same.
Home Agents Can Be Grouped for Each Mobile IP Service Provider
In this scenario, an FA instance provides services to multiple mobile Internet service providers (ISPs). Each ISP owns a set of HA peers, and the HoAs that belong to the same ISP do not overlap. Each ISP may use private IP addresses.
To configure this scenario, each ISP uses a separate HA VPN context; that is, all HA peers belonging to an ISP use the same HA VPN context. The CoA and FA contexts can be the same for each ISP.
SmartEdge Router Provides Wholesale Mobile IP Services for Other Providers
In this scenario, the SmartEdge OS can separate the MN, FA, and HA peer networks for each mobile ISP. Each ISP is like an enterprise VPN. The ISP contexts are as follows:
• A separate FA context is used for each ISP.
• The CoA context for each ISP can be the same as its FA context; this is more appropriate than using the local context because the ISP can choose to use private IP addresses for the tunnel endpoints.
• The FA context can also serve as the HA VPN context, assuming that no HoAs overlap within the same ISP. If HoAs overlap, then a separate HA VPN context is used for each HA peer.
If the backbone links are not within a nonlocal context, then the backbone connectivity is through the local context.
Restrictions
Mobile IP services has the following restrictions:
• Mobile IP services is currently supported only for unicast traffic; broadcast and multicast traffic are not supported.
• Mobile IP services is supported only on PPA2 line cards. Do not have any PPA1-based line cards in the chassis when enabling Mobile IP services.
Supported Standards
Mobile IP services comply with the standards found in the following documents:
• RFC 2794, Mobile IP Network Access Identifier Extension for IPv4
• RFC 3024, Reverse Tunneling for Mobile IP, revised
• RFC 3344, IP Mobility Support for IPv4
• RFC 3543, Registration Revocation in Mobile IPv4
Configuration Tasks
To configure FA instances on the SmartEdge router and their home-agent (HA) peers, use the configuration guidelines and perform the tasks described in the following sections:
• Mobile IP Configuration Guidelines
• Create the Contexts and Interfaces for Mobile IP Services
• Configure a Key Chain Authentication Between an FA and HA
• Configure an FA Instance
• Configure an HA Peer
• Configure a Mobile IP Interface for MN Access
• Configure the MN Access to an FA Instance
• Configure the Mobile IP Tunnels
• Enable or Disable an FA Instance, an HA Peer, or MN Access
Note In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see the full description for the command in the Command Descriptions section.
Mobile IP Configuration Guidelines
The following configuration guidelines apply when configuring Mobile IP services for an FA instance:
• Within a given context, the SmartEdge router can act as an FA instance.
• HA peers that use public IP addresses can share an HoA VPN context.
• If an HA peer uses private IP addresses, it can share an HoA VPN context with other HA peers if their IP addresses do not overlap; otherwise, HA peers cannot share an HoA VPN context.
• MNs can have overlapping IP addresses if they are registered with different HA peers.
• You must configure IP-in-IP tunnels to HA peers; optionally, you can configure and use GRE tunnels in addition to the IP-in-IP tunnels.
• Configure the tunnel to an HA peer in the HoA VPN context for that peer if it exists; otherwise, configure the tunnel in the FA context (the default HoA VPN context for that peer).
• To prevent Mobile IP tunnels from shutting down because of circuit problems, create the interfaces for the IP-in-IP and GRE tunnels as loopback interfaces. Loopback interfaces are always up.
• When you configure the Ethernet circuits that provide access for all MNs, create a single interface in the FA context for all the Ethernet circuits, or create a separate interface in the FA context for each 802.1Q permanent virtual circuit (VLAN).
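The context-sharing rules above, and the deployment scenarios earlier in this chapter, as an added planning check that is not SmartEdge OS code: given each HA peer's HoA prefixes, it assigns peers to contexts so that only peers with nonoverlapping private HoAs share an HoA VPN context, and it audits an existing assignment for violations. Peer addresses, prefixes and the ha-vpn1, ha-vpn2 context names are constructed samples; putting every public-HoA peer in the FA context is an assumption taken from the first deployment scenario.

```python
"""Plan HoA VPN contexts for the HA peers of an FA instance.

Added example, not SmartEdge OS code. Peer addresses, prefixes and context
names are constructed samples; the greedy grouping is a valid plan, not
necessarily the one with the fewest contexts.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def _nets(prefixes: List[str]) -> List[Net]:
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def hoa_overlap(a: List[Net], b: List[Net]) -> bool:
    """True if any HoA prefix of one HA peer overlaps any prefix of the other."""
    return any(x.overlaps(y) for x in a for y in b)


def plan_hoa_contexts(peers: Dict[str, List[str]], fa_context: str = "local") -> Dict[str, str]:
    """Map each HA peer (keyed by its tunnel endpoint address) to a context name.
    peers: HA peer address -> HoA prefixes that peer allocates from."""
    nets = {peer: _nets(prefixes) for peer, prefixes in peers.items()}
    assignment: Dict[str, str] = {}
    groups: List[List[str]] = []            # members of each private HoA VPN context
    for peer in sorted(nets):               # deterministic result regardless of input order
        if not any(n.is_private for n in nets[peer]):
            assignment[peer] = fa_context   # public HoAs cannot collide: share the FA context
            continue
        for idx, group in enumerate(groups):
            if not any(hoa_overlap(nets[peer], nets[m]) for m in group):
                group.append(peer)          # no overlap with anyone already in this context
                assignment[peer] = f"ha-vpn{idx + 1}"
                break
        else:                               # overlaps every existing group: own context
            groups.append([peer])
            assignment[peer] = f"ha-vpn{len(groups)}"
    return assignment


def context_conflicts(peers: Dict[str, List[str]],
                      assignment: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Audit an assignment (for example one read back from a running configuration):
    return (peer_a, peer_b, context) for each pair sharing a context with overlapping HoAs."""
    nets = {peer: _nets(prefixes) for peer, prefixes in peers.items()}
    conflicts = []
    ordered = sorted(assignment)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if assignment[a] == assignment[b] and hoa_overlap(nets[a], nets[b]):
                conflicts.append((a, b, assignment[a]))
    return conflicts
```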
Create the Contexts and Interfaces for Mobile IP Services
To create the contexts and interfaces for Mobile IP services, perform the tasks described in Table 7-1. These contexts and interfaces are used in subsequent configuration tasks for the FA instances, HA peers, and Mobile IP tunnels.
Table 7-1 Create the Contexts and Interfaces for Mobile IP Services
| # | Task | Root Command | Notes |
|---|------|--------------|-------|
| 1. | Optional. Create the context for the CoA interface and access context configuration mode. | context | Enter this command in global configuration mode. You can use the local context instead of performing this step. For information about the context command (in global configuration mode), see the Basic System Configuration Guide for the SmartEdge OS. |
| 2. | Create the CoA interface and access interface configuration mode. | interface | Enter this command in context configuration mode. For information about the interface command (in context configuration mode), see the Basic System Configuration Guide for the SmartEdge OS. |
| 3. | Optional. Create an FA context for an FA instance and access context configuration mode. | context | Enter this command in global configuration mode. You can use the local context instead of performing this step. |
| 4. | Create the interface for the Ethernet ports and 802.1Q VLANs that BTS MNs use to access this FA instance and access interface configuration mode. | interface | Enter this command in context configuration mode. |
| 5. | Optional. Create an HA VPN context for the terminating interfaces for the IP-in-IP tunnel and, optionally, a GRE tunnel for one or more HA peers and access context configuration mode. | context | Enter this command in global configuration mode. You can use the local context instead of performing this step, but only HA peers that use public IP addresses or nonoverlapping private IP addresses can share a single context. |
| 6. | Create an interface for an IP-in-IP tunnel and, optionally, an interface for a GRE tunnel, to the HA peer and access interface configuration mode. | interface | Enter this command in context configuration mode. Consider making this interface a loopback interface. |
Configure a Key Chain Authentication Between an FA and HA
To configure a key chain between a foreign-agent (FA) instance and home-agent (HA) peer, perform the tasks described in Table 7-2. For more information about configuring key chains, see Chapter 24, Key Chain Configuration. Enter all commands in key chain configuration mode, unless otherwise noted.
Configure an FA Instance
To configure an FA instance, perform the tasks described in Table 7-3; enter all commands in FA configuration mode, unless otherwise noted.
Table 7-2 Configure a Key Chain
| # | Task | Root Command | Notes |
|---|------|--------------|-------|
| 1. | Select the context for the FA instance and access context configuration mode. | context | Enter this command in global configuration mode. |
| 2. | Create the key chain and access key chain configuration mode. | key-chain | Enter this command in context configuration mode. |
| 3. | Configure a key string. | key-string | |
| 4. | Specify the security parameter index (SPI) for this key chain. | spi | |
Table 7-3 Configure an FA Instance
| # | Task | Root Command | Notes |
|---|------|--------------|-------|
| 1. | Select the context for the FA instance and access context configuration mode. | context | Enter this command in global configuration mode. |
| 2. | Enable Mobile IP services in this context and access Mobile IP configuration mode. | router mobile-ip | Enter this command in context configuration mode. |
| 3. | Optional. Create a dynamic tunnel profile and enter Dynamic Tunnel Profile configuration mode. | dynamic-tunnel-profile | Enter this command in Mobile IP configuration mode. |
| 4. | Optional. Clear the IP header DF flag in all packets that are transmitted on an IP-in-IP or a GRE tunnel. | clear-df (dynamic tunnel) | Enter this command in Dynamic Tunnel Profile configuration mode. |
| 5. | Optional. Set the MTU for packets sent to GRE tunnels. | gre mtu | Enter this command in Dynamic Tunnel Profile configuration mode. |
| 6. | Optional. Specify the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors. | hold-time | Enter this command in Dynamic Tunnel Profile configuration mode. |
| 7. | Optional. Set the MTU for packets sent to IP-in-IP tunnels. | ipip mtu | Enter this command in Dynamic Tunnel Profile configuration mode. |
| 8. | Optional. Specify the number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down. | time-out | Enter this command in Dynamic Tunnel Profile configuration mode. |
| 9. | Create or select the FA instance in this context and access FA configuration mode. | foreign-agent | |
| 10. | Optional. Reference an existing dynamic tunnel profile. The dynamic tunnel attributes defined in this profile are applied to the dynamic tunnels that are used by this FA instance. | dynamic-tunnel-profile | |
| 11. | Specify the interface for the CoA advertised by this FA instance. | care-of-address | This is the interface that you created for the tunnel for this FA instance. |
| 12. | Optional. Specify the GRE tunnel type to advertise. | advertise tunnel-type | The default is not to advertise optional tunnel types. |
| 13. | Optional. Configure registration revocation. | revocation | The default is to not configure revocation support. |
| 14. | Optional. Configure the default authentication for this FA instance. | authentication | This is the default authentication for all HA peers for this FA instance. |
| 15. | Optional. Enable (the default condition) or disable the forwarding of non-Mobile IP traffic for this FA instance. | forwarding traffic | |
| 16. | Optional. Specify the means by which the forwarding address for an MN is determined. | forwarding scheme | |
| 17. | Optional. Enable or disable MN access interface change detection using logical link control (LLC) exchange ID (XID) messages received on a circuit. | llc-xid-processing | Enable is the default. |
Configure an HA Peer
To configure an HA peer, perform the tasks described in Table 7-4; enter all commands in HA peer configuration mode, unless otherwise noted.
Table 7-4 Configure an HA Peer
| # | Task | Root Command | Notes |
|---|------|--------------|-------|
| 1. | Select the context for the FA instance for this HA peer and access context configuration mode. | context | Enter this command in global configuration mode. |
| 2. | Enable Mobile IP services in this context and access Mobile IP configuration mode. | router mobile-ip | Enter this command in context configuration mode. |
| 3. | Select the FA instance in this context for the HA peer and access FA configuration mode. | foreign-agent | Enter this command in Mobile IP configuration mode. |
| 4. | Create or select the HA peer and access HA peer configuration mode. | home-agent-peer | Enter this command in FA configuration mode. |
| 5. | Optional. Apply a dynamic tunnel profile. | dynamic-tunnel-profile | |
| 6. | Optional. Specify the maximum number of pending registrations for this HA peer. | max-pending-registrations | |
| 7. | Optional. Specify the HoA VPN context for this HA peer. | vpn-context | |
| 8. | Optional. Configure the authentication for the HA peer. | authentication | This authentication overrides the default authentication configured for the FA instance. |
Configure a Mobile IP Interface for MN Access
To configure a Mobile IP interface for MN access, perform the tasks described in Table 7-5; enter all commands in Mobile IP interface configuration mode, unless otherwise noted.
Configure the MN Access to an FA Instance
To configure the MN access to an FA instance, perform the tasks described in Table 7-6.
Table 7-5 Configure a Mobile IP Interface for MN Access
| # | Task | Root Command | Notes |
|---|------|--------------|-------|
| 1. | Select the context for the FA instance and access context configuration mode. | context | Enter this command in global configuration mode. |
| 2. | Enable Mobile IP services in this context and access Mobile IP configuration mode. | router mobile-ip | Enter this command in context configuration mode. |
| 3. | Select an existing interface, enable it for Mobile IP services, and access Mobile IP interface configuration mode. | interface | This interface is the one you created for the Ethernet circuits in step 4 in Table 7-1. |
| 4. | Optional. Specify the maximum registration lifetime for an MN on this interface. | registration max-lifetime | |
| 5. | Optional. Specify the maximum interval between advertisement messages. | advertise max-interval | |
| 6. | Optional. Specify the maximum lifetime of advertisement messages. | advertise max-lifetime | |
| 7. | Optional. Specify the minimum interval between advertisement messages. | advertise min-interval | |
Table 7-6 Configure MN Access to the FA Instance
| # | Task | Root Command | Notes |
|---|------|--------------|-------|
| 1. | Configure the Ethernet ports and circuits on which the MNs access an FA instance. | | For information about configuring Ethernet circuits, see the ATM, Ethernet, and POS Port Configuration and the Circuit Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. |
| 2. | Bind the Ethernet ports and circuits to the interfaces created for MN access in the FA context. | bind interface | For information about binding circuits to interfaces, see the Bindings Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. |
Configure the Mobile IP Tunnels
You must configure an IP-in-IP tunnel to each HA peer. You can also configure a GRE tunnel to each HA peer. To configure the Mobile IP tunnels, perform the tasks described in Table 7-7.
Table 7-7 Configure the Mobile IP Tunnels
| # | Task | Root Command | Notes |
|---|------|--------------|-------|
| 1. | Configure the IP-in-IP tunnels to the HA peers. | | For information about configuring IP-in-IP tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. |
| 2. | Optional. Configure the GRE tunnels to the HA peers. | | For information about configuring GRE tunnels, see the Single-Tunnel Circuit Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS. |
Enable or Disable an FA Instance, an HA Peer, or MN Access
To enable or disable an FA instance, an HA peer, or MN access to the SmartEdge router, perform the task described in Table 7-8.
Table 7-8 Enable or Disable an FA Instance, an HA Peer, or MN Access to the SmartEdge Router
| Task | Root Command | Notes |
|------|--------------|-------|
| Optional. Disable or enable an FA instance, an HA peer, or MN access to the SmartEdge router. | shutdown | Enter this command in FA, HA peer, or Mobile IP interface configuration mode. Use the no form of this command to enable an FA instance, an HA peer, or MN access to the SmartEdge router. |
Configuration Examples
The following examples show configurations for:
• Single FA Instance and HA Peer with IP-in-IP Tunnels
• Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels
Single FA Instance and HA Peer with IP-in-IP Tunnels
The following example creates an IP-in-IP tunnel and the interfaces to support an FA instance and a single HA peer, all in the local context. The interface for the IP-in-IP tunnel is unnumbered; it borrows its IP address from the CoA interface. Traffic to and from the MNs is carried on GE port 2/1:
! Create the interfaces for the CoA, the MN access, and the IP-in-IP tunnel to the HA peer, all in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa loopback
[local]Redback(config-if)#ip address 172.16.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface toHA-peer
[local]Redback(config-if)#ip unnumbered coa
[local]Redback(config-if)#exit
! Enable the local context and the mn-access interface for Mobile IP services
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#exit
! Create the foreign agent, specify the CoA interface, and create a home agent peer
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#end
! Configure the GE port for MN traffic and bind it to the MN access interface
[local]Redback#config
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface mn-access local
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnel to the HA peer using the CoA as the local endpoint
! Bind it to the HA peer interface in the local context
[local]Redback(config)#tunnel ipip HApeerTnl
[local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.2.1
[local]Redback(config-tunnel)#bind interface toHA-peer local
[local]Redback(config-tunnel)#end
Single FA Instance with Multiple HA Peers and IP-in-IP Tunnels
The following example creates an IP-in-IP tunnel and the interfaces to support an FA instance and two HA peers with overlapping IP addresses. The FA instance and tunnels are configured in the local context; each HA peer has its own VPN context. Traffic to and from the MNs is carried on the GE port 2/1:
! Create the interfaces for the CoA and the MN access interface in the local context
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa loopback
[local]Redback(config-if)#ip address 20.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Create the contexts and tunnel interfaces for the HA peers (HA-VPN 1 and HA-VPN 2)
[local]Redback(config)#context ha-vpn1
! Create the interface for the IP-in-IP tunnel endpoint for the HA peer 1
[local]Redback(config-ctx)#interface toHApeer1
! Use the CoA IP address for the interface
[local]Redback(config-if)#ip address 20.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context ha-vpn2
! Create the interface for the IP-in-IP tunnel endpoint for the HA peer 2
[local]Redback(config-ctx)#interface toHApeer2
! Use the CoA IP address for the interface
[local]Redback(config-if)#ip address 20.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Enable the local context and the MN access interface for Mobile IP visitors
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#exit
! Create the foreign agent and specify the care-of interface
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa
! Create the first home-agent peer and specify its context
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn1
[local]Redback(config-mip-hapeer)#exit
! Create the second home-agent peer and specify its context
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.2
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn2
[local]Redback(config-mip-hapeer)#end
! Configure the GE port for MN traffic and bind it to the MN access interface;
! configure the GE ports for the tunnel endpoints and bind them to their interfaces in the HA peer VPN contexts
[local]Redback#config
[local]Redback(config)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface mn-access local
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 2/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toHApeer1 ha-vpn1
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 2/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface toHApeer2 ha-vpn2
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnels to the HA peers
! Bind them to their interfaces in the HA peer VPN contexts
! Create the IP-in-IP tunnel to the HA-1 peer, using the CoA for the local end
[local]Redback(config)#tunnel ipip HApeer1Tnl
[local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HA-VPN 1 peer
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.1 context local
[local]Redback(config-tunnel)#bind interface toHApeer1 ha-vpn1
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
! Create the IP-in-IP tunnel to the HA-2 peer; use the CoA for the local end
[local]Redback(config)#tunnel ipip HApeer2Tnl
[local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HA-VPN 2 peer
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.2 context local
[local]Redback(config-tunnel)#bind interface toHApeer2 ha-vpn2
[local]Redback(config-tunnel)#no shutdown
[local]Redback(config-tunnel)#exit
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure Mobile IP FA
features. The commands are presented in alphabetical order:
• advertise max-interval
• advertise max-lifetime
• advertise min-interval
• advertise tunnel-type
• authentication
• care-of-address
• clear-df (dynamic tunnel)
• dynamic-tunnel-profile
• foreign-agent
• forwarding scheme
• forwarding traffic
• gre mtu
• hold-time
• home-agent-peer
• interface
• ipip mtu
• llc-xid-processing
• max-pending-registrations
• registration max-lifetime
• revocation
• router mobile-ip
• shutdown
• time-out
• vpn-context
advertise max-interval
advertise max-interval max-int
no advertise max-interval max-int
Purpose
Specifies the maximum interval between advertisement messages sent by the foreign-agent (FA) instance
to the mobile nodes (MNs).
Command Mode
Mobile IP interface configuration
Syntax Description
max-int Maximum interval (in seconds) between advertisement messages. The range of values is 4 to 1800 seconds; the default value is 600 seconds (10 minutes).
Default
The maximum interval between advertisement messages is 600 seconds.
Usage Guidelines
Use the advertise max-interval command to specify the maximum interval between advertisement messages sent by the FA instance or HA instance to the mobile nodes.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 300 seconds as the maximum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-interval 300
Related Commands
advertise max-lifetime
advertise min-interval
interface
advertise max-lifetime
advertise max-lifetime max-life
no advertise max-lifetime max-life
Purpose
Specifies the maximum amount of time that an advertisement message sent by the foreign-agent (FA)
instance to the mobile node (MN) is valid in the absence of further advertisement messages.
Command Mode
Mobile IP interface configuration
Syntax Description
max-life Amount of time (in seconds) that an advertisement message is valid in the absence of further advertisement messages. The minimum value equals the value of the max-int argument set by the advertise max-interval command (in Mobile IP interface configuration mode); the maximum value is 9000 seconds (150 minutes). The default value is three times the value of the max-int argument set by the advertise max-interval command.
Default
The maximum advertisement lifetime is three times the value of the max-int argument set by the advertise max-interval command.
Usage Guidelines
Use the advertise max-lifetime command to specify the maximum amount of time that an advertisement message sent by the FA instance or HA instance to the mobile node is valid in the absence of further advertisement messages.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 900 seconds as the maximum lifetime of an advertisement message:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise max-lifetime 900
Related Commands
advertise max-interval
advertise min-interval
interface
advertise min-interval
advertise min-interval min-int
no advertise min-interval min-int
Purpose
Specifies the minimum interval between advertisement messages sent by the foreign-agent (FA) instance to the mobile node (MN).
Command Mode
Mobile IP interface configuration
Syntax Description
min-int Minimum interval (in seconds) between advertisement messages. The range of values is 3 to 1800 seconds; the default value is 0.75 times the value of the max-int argument for the advertise max-interval command (in Mobile IP interface configuration mode).
Default
The minimum advertisement interval is 0.75 times the value of the max-int argument for the advertise max-interval command.
Usage Guidelines
Use the advertise min-interval command to specify the minimum interval between advertisement messages sent by the FA instance or HA instance to the mobile node.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 200 seconds as the minimum interval between advertisement messages:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#advertise min-interval 200
Related Commands
advertise max-interval
advertise max-lifetime
interface
advertise tunnel-type
advertise tunnel-type gre
no advertise tunnel-type gre
Purpose
Advertises Generic Routing Encapsulation (GRE) tunnel types sent by the foreign-agent (FA) instance to mobile nodes (MNs).
Command Mode
FA configuration
Syntax Description
gre Specifies that Generic Routing Encapsulation (GRE) tunnels are advertised to mobile nodes.
Default
IP-in-IP tunnels are advertised implicitly; no GRE tunnel types are advertised.
Usage Guidelines
Use the advertise tunnel-type command to advertise GRE tunnel types in the mobility agent advertisement extension in the ICMP Router Advertisement (RA) message.
Use the no form of this command to specify the default condition.
Examples
The following example advertises the GRE tunnel type:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#advertise tunnel-type gre
Related Commands
interface
authentication
authentication hmac-md5 {key-chain-name | dynamic-key wimax proprietary}
no authentication hmac-md5
Purpose
Configures authentication between this foreign-agent (FA) instance and all its home-agent (HA) peers or between this FA instance and a specific HA peer.
Command Mode
FA configuration
HA peer configuration
Syntax Description
hmac-md5 Specifies the Hash-based Message Authentication Code (HMAC)-Message Digest 5 (MD5) algorithm.
key-chain-name Name of an existing key chain, which you must have configured in the context in which you have configured the HA peer.
dynamic-key wimax proprietary Specifies to use the Motorola FA-HA key Vendor Specific Attribute (VSA) for FA-HA authentication. The Motorola FA-HA-Key VSA ID is 26/161/67. The Motorola WiMax solution provides this VSA to the FA. For more information about supported WiMax attributes, see Table A-22 in Appendix A, RADIUS Attributes.
Default
No authentication is configured for any FA instance or HA peer.
Usage Guidelines
Use the authentication command to configure authentication between this FA instance and its HA peers or between this FA instance and a specific HA peer.
In FA configuration mode, this command configures the default authentication between the FA instance and all its HA peers; in HA peer configuration mode, this command configures the authentication between the FA instance and the relevant HA peer.
Use the no form of this command to remove the authentication configuration for this FA instance or HA peer.
Examples
The following example configures the key-ha key chain with key ID 100 and a security parameter index (SPI) of 256 for incoming traffic, and then specifies it when configuring the default authentication between an FA instance and its HA peers:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#key-chain key-ha key-id 100
[local]Redback(config-key-chain)#spi 256
[local]Redback(config-key-chain)#key-string hex 0xfeedaceedeadbeef
[local]Redback(config-key-chain)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#authentication hmac-md5 key-ha
The following example configures dynamic keys between an FA instance and its HA peers:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#authentication hmac-md5 dynamic-key wimax proprietary
Related Commands
foreign-agent
home-agent-peer
key-chain
spi
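The FA-HA authentication that this command configures is the RFC 3344 Foreign-Home Authentication Extension: an HMAC-MD5 authenticator over the registration message, where the SPI carried in the extension selects the key from the key chain. The following Python is an added illustration of that exchange and is not SmartEdge OS code; the addresses, Identification value and verdict strings are constructed, and the key is the example key string from the page.

```python
"""Mobile IPv4 (RFC 3344) Foreign-Home authentication extension with the
HMAC-MD5 default algorithm: how an FA signs a relayed Registration Request
and how an HA verifies it against a key chain keyed by SPI.
Added illustration only; not SmartEdge OS code."""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST = 1          # Registration Request message type
FOREIGN_HOME_AUTH = 34   # Foreign-Home Authentication Extension type
AUTH_LEN = 16            # HMAC-MD5 authenticator length in bytes
REQ_HDR_LEN = 24         # fixed part of a Registration Request

# Key chain as in the page's example (key-chain key-ha, spi 256,
# key-string hex 0xfeedaceedeadbeef): a constructed demo key, SPI -> key bytes.
KEY_CHAIN = {256: bytes.fromhex("feedaceedeadbeef")}


def registration_request(lifetime, home_addr, home_agent, coa, ident, flags=0):
    """Pack the fixed 24-byte Registration Request header (Type=1)."""
    return struct.pack("!BBH4s4s4s8s", REG_REQUEST, flags, lifetime,
                       ipaddress.IPv4Address(home_addr).packed,
                       ipaddress.IPv4Address(home_agent).packed,
                       ipaddress.IPv4Address(coa).packed, ident)


def _type_len_spi(spi):
    """Type, Length (4 + authenticator size) and SPI of the FH extension."""
    return struct.pack("!BBI", FOREIGN_HOME_AUTH, 4 + AUTH_LEN, spi)


def _authenticator(key, protected, spi):
    """HMAC-MD5 over the registration data, every prior extension and this
    extension's own Type/Length/SPI (RFC 3344 section 3.5.1). The
    authenticator field itself and the UDP header are not covered."""
    return hmac.new(key, protected + _type_len_spi(spi), hashlib.md5).digest()


def add_fh_auth(message, spi, key_chain=KEY_CHAIN):
    """FA side: append the Foreign-Home Authentication Extension using the
    key that the configured key chain binds to `spi`."""
    return message + _type_len_spi(spi) + _authenticator(key_chain[spi], message, spi)


def verify_fh_auth(message, key_chain=KEY_CHAIN):
    """HA side: walk the extensions after the fixed header, locate the
    Foreign-Home extension, resolve its SPI through the key chain and
    recompute the authenticator. Returns (ok, reason)."""
    if len(message) < REQ_HDR_LEN or message[0] != REG_REQUEST:
        return False, "not a Registration Request"
    off = REQ_HDR_LEN
    while off + 2 <= len(message):
        ext_type, length = message[off], message[off + 1]
        if ext_type != FOREIGN_HOME_AUTH:
            off += 2 + length          # some other extension: skip it
            continue
        if length != 4 + AUTH_LEN or off + 2 + length > len(message):
            return False, "malformed authentication extension"
        spi = struct.unpack("!I", message[off + 2:off + 6])[0]
        key = key_chain.get(spi)
        if key is None:                # no security association for this SPI
            return False, f"unknown SPI {spi}"
        expected = _authenticator(key, message[:off], spi)
        received = message[off + 6:off + 6 + AUTH_LEN]
        if not hmac.compare_digest(expected, received):
            return False, "authenticator mismatch"
        return True, "ok"              # anything after this extension is unprotected
    return False, "no Foreign-Home authentication extension"


def sample_request():
    """A constructed Registration Request: lifetime 1800 s, home address
    10.1.1.10, HA 172.16.2.1 (the page's HA peer), CoA 192.0.2.1 and an
    8-byte Identification (the nonce/timestamp used for replay protection)."""
    return registration_request(1800, "10.1.1.10", "172.16.2.1", "192.0.2.1",
                                struct.pack("!II", 0xD0000000, 0x0000ABCD))


def demo():
    req = sample_request()
    signed = add_fh_auth(req, spi=256)
    # Change the Lifetime field after signing: the HA must reject it.
    tampered = signed[:2] + struct.pack("!H", 65535) + signed[4:]
    # A peer whose SPI is not in the HA's key chain must also be rejected.
    foreign = add_fh_auth(req, spi=300, key_chain={300: b"other-demo-key"})
    return {
        "valid": verify_fh_auth(signed),
        "tampered": verify_fh_auth(tampered),
        "unknown_spi": verify_fh_auth(foreign),
        "unsigned": verify_fh_auth(req),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```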
care-of-address
care-of-address if-name [ctx-name]
no care-of-address if-name [ctx-name]
Purpose
Specifies the interface used for the care-of-address (CoA) advertised by this foreign-agent (FA) instance.
Command Mode
FA configuration
Syntax Description
if-name Name of the interface for the CoA.
ctx-name Optional. Context name in which the interface exists. If the interface exists in a context other than the one you are currently in, you must specify the context name.
Default
The interface used for the CoA is not specified in advertisement messages.
Usage Guidelines
Use the care-of-address command to specify the interface used for the CoA advertised by this FA instance. Enter this command multiple times to specify multiple CoA interfaces. This command specifies an existing interface as the CoA interface; you must first create that interface using the interface command (in context configuration mode).
Use the no form of this command to specify the default condition.
Examples
The following example creates the coa interface in the local context and specifies it as the CoA interface for the FA instance:
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface coa
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#care-of-address coa local
Related Commands
foreign-agent
clear-df (dynamic tunnel)
clear-df
{no | default} clear-df
Purpose
Clears the IP header Don't Fragment (DF) flag in all packets that are transmitted on an IP-in-IP or a Generic Routing Encapsulation (GRE) tunnel.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
This command has no keywords or arguments.
Default
The IP header DF flag is not cleared.
Usage Guidelines
Use the clear-df command to clear the IP header DF flag in all packets that are transmitted on an IP-in-IP or a GRE tunnel. If the IP packet length exceeds the tunnel interface maximum transmission unit (MTU), the packet is fragmented.
Use the no or default form of this command to honor the DF flag in inbound packets.
Examples
The following example shows how to specify that the DF flag in all transmitted packets be cleared in the GRE and IP-in-IP tunnels:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
dynamic-tunnel-profile
gre mtu
hold-time
ipip mtu
time-out
dynamic-tunnel-profile
dynamic-tunnel-profile profile
no dynamic-tunnel-profile profile
Purpose
In Mobile IP configuration mode, creates a dynamic tunnel profile and enters Dynamic Tunnel Profile configuration mode.
In Foreign Agent configuration mode, applies the dynamic tunnel profile to an FA instance.
In HA peer configuration mode, applies a dynamic tunnel profile to an HA peer.
Command Mode
Mobile IP configuration
Foreign Agent configuration
HA peer configuration
Syntax Description
profile Name of the dynamic tunnel profile.
Default
The following are the defaults for the dynamic tunnel profile:
clear-df: Disabled.
gre mtu mtu: 1468 bytes
hold-time seconds: 30 seconds
ipip mtu mtu: 1480 bytes
time-out seconds: 3 seconds
Usage Guidelines
Use the dynamic-tunnel-profile command in Mobile IP configuration mode to create a dynamic tunnel profile and enter Dynamic Tunnel Profile configuration mode. Dynamic Tunnel Profile configuration mode allows you to configure dynamic tunnel profile attributes.
Use the dynamic-tunnel-profile command in Foreign Agent configuration mode to apply a dynamic tunnel profile to a foreign-agent instance.
Use the dynamic-tunnel-profile command in HA peer configuration mode to apply a dynamic tunnel profile to a home-agent peer.
Configured static tunnels take precedence over dynamic tunnels. If a dynamic tunnel profile is not applied to an HA peer, the peer inherits the dynamic tunnel profile specified in the FA instance. If there is no profile configured in this mode, the HA peer inherits the default dynamic tunnel profile values. If you delete a referenced dynamic tunnel profile, the references to this profile are also deleted by the FA instance and HA peer. When these references are deleted, the FA instance and HA peers use the default dynamic tunnel profile values. For information about applying a dynamic tunnel profile to an HA instance or FA peer, see the dynamic-tunnel-profile section on page 8-12.
Note You must configure a last-resort interface within the same context (FA context or VPN context) to use a dynamic tunnel profile. The last-resort interface must borrow an IP address using an unnumbered interface. For information about configuring last-resort interfaces, see the Basic System Configuration Guide.
Use the no form of this command to delete a dynamic tunnel profile.
Examples
The following example creates a last-resort interface and a dynamic tunnel profile, prof1 (in Dynamic Tunnel Profile configuration mode), and then applies the profile to an FA instance:
! Create a dynamic tunnel profile.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Apply dynamic tunnel profile prof1 to the FA instance.
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#dynamic-tunnel-profile prof1
! Create a last-resort interface with an IP unnumbered interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
The following example creates a last-resort interface and two dynamic tunnel profiles, prof1 and prof2, and then applies profile prof1 to an FA instance and profile prof2 to the HA peer 1.1.1.2. HA peer 3.1.1.2 inherits the dynamic tunnel profile prof1 specified in FA configuration mode because no dynamic tunnel profile is applied at the HA peer level:
! Create dynamic tunnel profile prof1.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create dynamic tunnel profile prof2.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 120
[local]Redback(config-mip-dyn-tun1-profile)#time-out 8
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1000
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create a last-resort interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
! Apply the dynamic tunnel profile to the FA instance.
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#dynamic-tunnel-profile prof1
[local]Redback(config-fa)#tunnel-type gre
[local]Redback(config-fa)#authentication none
[local]Redback(config-fa)#local-address to_fa
! Apply the dynamic tunnel profile to the HA peer 1.1.1.2.
[local]Redback(config-mip-fa)#home-agent-peer 1.1.1.2
[local]Redback(config-mip-fa-hapeer)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-fa-hapeer)#end
! HA peer 3.1.1.2 inherits dynamic tunnel profile prof1 (used by the FA
! instance) since no dynamic profile is configured in HA peer
! configuration mode.
[local]Redback(config-mip-fa)#home-agent-peer 3.1.1.2
Related Commands
clear-df (dynamic tunnel)
foreign-agent
gre mtu
hold-time
home-agent-peer
ipip mtu
time-out
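The precedence described above (an HA peer's own profile, else the FA instance's profile, else the built-in defaults, with references dropped when a profile is deleted) is easy to get wrong when auditing a configuration. The following Python models it for the page's second example; it is an added illustration, not SmartEdge OS code, and the requirement that a referenced profile already exist is an assumption of this model.

```python
"""Precedence of dynamic tunnel profile attributes for an FA instance and its
HA peers, as described for the dynamic-tunnel-profile command: an HA peer's
own profile wins, otherwise the FA instance's profile, otherwise the built-in
defaults; deleting a referenced profile drops the references.
Added illustration only; not SmartEdge OS code."""

# Defaults and accepted ranges from the dynamic-tunnel-profile, gre mtu,
# ipip mtu and hold-time command descriptions on this page.
DEFAULTS = {"clear-df": False, "gre-mtu": 1468, "hold-time": 30,
            "ipip-mtu": 1480, "time-out": 3}
RANGES = {"gre-mtu": (256, 1468), "ipip-mtu": (256, 1480),
          "hold-time": (0, 3600)}


class ForeignAgentTunnels:
    """Minimal model of one FA instance, its profiles and its HA peers."""

    def __init__(self):
        self.profiles = {}       # profile name -> attribute overrides
        self.fa_profile = None   # profile applied in FA configuration mode
        self.ha_peers = {}       # HA peer address -> profile name or None

    def define_profile(self, name, attrs):
        """Create a profile; reject unknown attributes and out-of-range values."""
        for key, value in attrs.items():
            if key not in DEFAULTS:
                raise ValueError(f"unknown attribute {key}")
            low_high = RANGES.get(key)
            if low_high and not low_high[0] <= value <= low_high[1]:
                raise ValueError(f"{key}={value} outside {low_high}")
        self.profiles[name] = dict(attrs)

    def apply_to_fa(self, name):
        self._require(name)
        self.fa_profile = name

    def add_ha_peer(self, addr, profile=None):
        if profile is not None:
            self._require(profile)
        self.ha_peers[addr] = profile

    def delete_profile(self, name):
        """no dynamic-tunnel-profile: remove the profile and every reference
        to it, so the FA instance and affected peers revert to the defaults."""
        del self.profiles[name]
        if self.fa_profile == name:
            self.fa_profile = None
        for addr, ref in self.ha_peers.items():
            if ref == name:
                self.ha_peers[addr] = None

    def effective(self, addr):
        """Attributes an HA peer actually uses after inheritance."""
        name = self.ha_peers[addr] or self.fa_profile
        merged = dict(DEFAULTS)
        if name is not None:
            merged.update(self.profiles[name])
        return merged

    def _require(self, name):
        # Assumed behaviour of this model: a referenced profile must exist.
        if name not in self.profiles:
            raise KeyError(f"dynamic tunnel profile {name} does not exist")


def page_example():
    """The page's second example: prof1 on the FA instance, prof2 on HA peer
    1.1.1.2, and HA peer 3.1.1.2 with no profile of its own."""
    fa = ForeignAgentTunnels()
    fa.define_profile("prof1", {"clear-df": True, "hold-time": 10,
                                "time-out": 10, "ipip-mtu": 1200})
    fa.define_profile("prof2", {"clear-df": True, "hold-time": 120,
                                "time-out": 8, "ipip-mtu": 1000})
    fa.apply_to_fa("prof1")
    fa.add_ha_peer("1.1.1.2", "prof2")
    fa.add_ha_peer("3.1.1.2")
    return fa


if __name__ == "__main__":
    fa = page_example()
    for peer in fa.ha_peers:
        print(peer, fa.effective(peer))
    fa.delete_profile("prof1")
    print("after deleting prof1:", fa.effective("3.1.1.2"))
```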
foreign-agent
foreign-agent
no foreign-agent
Purpose
Creates or selects a foreign-agent (FA) instance in this context and accesses FA configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
This command has no keywords or arguments.
Default
No FAs are created.
Usage Guidelines
Use the foreign-agent command to create or select an FA instance in this context and access FA configuration mode. You can create only one FA instance in a context. You can also apply a dynamic tunnel profile.
Use the no form of this command to delete the FA instance in this context.
Examples
The following example creates an FA instance in the fa context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#
Related Commands
care-of-address
dynamic-tunnel-profile
home-agent-peer
interface
shutdown
forwarding scheme
forwarding scheme {source-mac}
{no | default} forwarding scheme
Purpose
Specifies how the IP route used for packet forwarding for a mobile node (MN) is determined.
Command Mode
FA configuration
Syntax Description
source-mac Use the source medium access control (MAC) address to look up the IP route.
Default
The forwarding scheme uses the source MAC address.
Usage Guidelines
Use the forwarding scheme command to specify the means by which the IP route used for packet forwarding for an MN is determined.
Use the no or default form of this command to specify the default condition.
Examples
The following example specifies forwarding based on the source MAC address:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#forwarding scheme source-mac
Related Commands
foreign-agent
forwarding traffic
forwarding traffic routed-ip
no forwarding traffic routed-ip
Purpose
Enables the forwarding of non-Mobile IP traffic for this foreign-agent (FA) instance.
Command Mode
FA configuration
Syntax Description
routed-ip Forward routed IP (non-Mobile IP) traffic.
Default
Routing of non-Mobile IP traffic is enabled.
Usage Guidelines
Use the forwarding traffic command to enable the forwarding of non-Mobile IP traffic for this foreign-agent (FA) instance. Non-Mobile IP traffic is routed IP traffic received on an interface that is enabled for Mobile IP services.
Use the no form of this command to disable the forwarding of non-Mobile IP traffic.
Examples
The following example disables the forwarding of non-Mobile IP traffic:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#no forwarding traffic routed-ip
Related Commands
foreign-agent
gre mtu
gre mtu bytes
no gre mtu
Purpose
Sets the Maximum Transmission Unit (MTU) for packets sent on GRE tunnels.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
bytes MTU size in bytes. The range of values is 256 through 1468 bytes.
Default
1468 bytes
Usage Guidelines
Use the gre mtu command to set the MTU for packets sent in GRE tunnels. If an IP packet exceeds the MTU, the system fragments that packet.
A tunnel uses the MTU size of the interface to which the tunnel is bound to compute the tunnel MTU size, unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel, the system determines the effective MTU by comparing the configured MTU with the interface MTU and selecting the lesser of the two values.
Use the no form of this command to delete the configured MTU and use the interface MTU.
Examples
The following example shows how to set the maximum IP packet size for GRE tunnels for prof1 to 1200 bytes:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#gre mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
hold-time
ipip mtu
time-out
hold-time
hold-time seconds
{no | default} hold-time
Purpose
Specifies the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
seconds Number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors. The range of values is 0 through 3600 seconds.
Default
30 seconds
Usage Guidelines
Use the hold-time command to specify the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors.
Use the no or default form of this command to restore the setting to its default value of 30 seconds.
Examples
The following example shows how to set the router to wait 10 seconds before it brings down a dynamic tunnel that has no active bindings or visitors for the prof1 profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
ipip mtu
time-out
home-agent-peer
home-agent-peer ip-addr
no home-agent-peer ip-addr
Purpose
Creates or selects a home-agent (HA) peer for this foreign-agent (FA) instance and accesses HA peer configuration mode.
Command Mode
FA configuration
Syntax Description
ip-addr IP address for this HA peer.
Default
No HA peers are created.
Usage Guidelines
Use the home-agent-peer command to create or select an HA peer for this FA instance and access HA peer configuration mode. If a Mobile IP registration is received for an HA peer that is not configured, one is created dynamically. FA and HA authentication and dynamic tunnel configuration are inherited from the FA instance.
Use the no form of this command to delete the HA peer with the specified IP address.
Examples
The following example creates an HA peer with IP address 172.16.2.1 for the FA instance in the fa context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-fa-hapeer)#
Related Commands
max-pending-registrations
shutdown
vpn-context
interface
interface if-name
no interface if-name
Purpose
Selects an existing interface, enables it for Mobile IP services, and accesses Mobile IP interface configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
if-name Name of an existing interface.
Default
None
Usage Guidelines
Use the interface command to select an existing interface, enable it for Mobile IP services, and access Mobile IP interface configuration mode. Use this command to specify the interfaces supporting IPv4 mobility as defined in RFC 3344, IP Mobility Support for IPv4.
Use the no form of this command to disable the interface for Mobile IP services.
Examples
The following example creates the mn-access interface in the fa context, selects it, and accesses Mobile IP interface configuration mode:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#interface mn-access
[local]Redback(config-if)#ip address 10.1.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#
Related Commands
advertise max-interval
registration max-lifetime
shutdown
ipip mtu
ipip mtu bytes
no ipip mtu
Purpose
Sets the Maximum Transmission Unit (MTU) for packets sent on IP-in-IP tunnels.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
bytes MTU size in bytes. The range of values is 256 through 1480 bytes.
Default
1480 bytes
Usage Guidelines
Use the ipip mtu command to set the MTU for packets sent on IP-in-IP tunnels. If an IP packet exceeds the MTU, the system fragments that packet.
A tunnel uses the MTU size of the interface to which the tunnel is bound to compute the tunnel MTU size, unless you explicitly configure the MTU using this command. After you configure an MTU for the tunnel, the system determines the effective MTU by comparing the configured MTU with the interface MTU and selecting the lesser of the two values.
Use the no form of this command to delete the configured MTU and use the interface MTU.
Examples
The following example shows how to set the maximum IP packet size for IP-in-IP tunnels for prof1 to 1200 bytes:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
hold-time
time-out
llc-xid-processing
llc-xid-processing
no llc-xid-processing
Purpose
Enables the SmartEdge OS to detect an access interface change of a mobile node (MN) based on logical link control (LLC) exchange ID (XID) messages received on a circuit.
Command Mode
FA configuration
Syntax Description
This command has no keywords or arguments.
Default
The detection of access interface changes of an MN based on LLC XID messages received on a circuit is enabled.
Usage Guidelines
Use the llc-xid-processing command to enable the SmartEdge OS to detect access interface changes of an MN based on LLC XID messages received on a circuit.
When XID processing is enabled, the SmartEdge OS uses the received LLC XID frame to change the access interface and circuit associated with the MN and transmits traffic to the MN over the new circuit. This feature allows for a quick traffic switchover when an MN relocates within the same FA instance.
If you disable XID processing, the SmartEdge OS must process a Mobile IP registration message on the new interface before the MN can be moved to a new access interface.
Use the no form of this command to disable LLC XID message processing.
Examples
The following example disables LLC XID message processing:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#no llc-xid-processing
Related Commands
foreign-agent
max-pending-registrations
max-pending-registrations maximum
no max-pending-registrations maximum
Purpose
Specifies the maximum number of pending registrations permitted for this home-agent (HA) peer.
Command Mode
HA peer configuration
Syntax Description
maximum Maximum number of pending registrations permitted for this HA peer. The range of values is 1 to 65535.
Default
Pending registrations are unlimited.
Usage Guidelines
Use the max-pending-registrations command to specify the maximum number of pending registrations permitted for this HA peer.
Use the no form of this command to specify the default condition.
Examples
The following example specifies that a maximum of 10 pending registrations are permitted for this HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 10.1.1.1
[local]Redback(config-mip-ha-peer)#max-pending-registrations 10
Related Commands
foreign-agent
home-agent-peer
registration max-lifetime
registration max-lifetime seconds
no registration max-lifetime
Purpose
Specifies the maximum registration lifetime for any mobile node (MN) that uses this foreign-agent (FA) instance.
Command Mode
Mobile IP interface configuration
Syntax Description
seconds Maximum registration lifetime. The range of values is 1 to 65535 seconds. The default value is 1800 seconds (30 minutes).
Default
The maximum registration lifetime is 1800 seconds (30 minutes).
Usage Guidelines
Use the registration max-lifetime command to specify the maximum registration lifetime for any MN that uses this FA instance.
Use the no form of this command to specify the default condition.
Examples
The following example specifies a maximum registration lifetime of 60 minutes (3600 seconds) with the FA instance in this context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#registration max-lifetime 3600
Related Commands
interface
revocation
revocation [mobile-notify condition] [timeout seconds] [retransmit num]
no revocation [mobile-notify condition] [timeout seconds] [retransmit num]
Purpose
Configures registration revocation for this foreign-agent (FA) instance.
Command Mode
FA configuration
Syntax Description
mobile-notify condition Optional. Specifies the conditions under which the SmartEdge OS notifies mobile nodes (MNs) that their Mobile IP service has been revoked, according to one of the following keywords:
always: Always notify the MNs.
never: Never notify the MNs.
home-dictate: Notify the MNs based on the home-agent (HA) preference indicated by the I-bit setting in received registration revocation requests and replies. This is the default.
timeout seconds Number of seconds between registration revocation messages. The range of values is 1 to 100; the default value is 7.
retransmit num Number of times the SmartEdge OS transmits registration revocation messages. The range of values is 1 to 100; the default value is 3.
Default
Registration revocation is not configured for any FA instance.
Usage Guidelines
Use the revocation command to configure registration revocation for this FA instance. For more information, see RFC 3543, Registration Revocation in Mobile IPv4.
Use the no form of this command to remove the registration revocation configuration for this FA instance.
Examples
The following example configures this FA instance to always notify the MNs when service is revoked:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#revocation mobile-notify always
Related Commands
foreign-agent
router mobile-ip
router mobile-ip
no router mobile-ip
Purpose
Enables Mobile IP services in this context and accesses Mobile IP configuration mode.
Command Mode
Context configuration
Syntax Description
This command has no keywords or arguments.
Default
Mobile IP services are not enabled in any context.
Usage Guidelines
Use the router mobile-ip command to enable Mobile IP services in this context and access Mobile IP configuration mode.
Use the no form of this command to disable Mobile IP services in this context.
Examples
The following example enables Mobile IP services in the fa context:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#
Related Commands
foreign-agent
home-agent-peer
interface
shutdown
shutdown
no shutdown
Purpose
Disables or enables the foreign-agent (FA) instance, home-agent (HA) peer, or mobile node (MN) access
to the SmartEdge router for an FA instance.
Command Mode
FA configuration
HA peer configuration
Mobile IP interface configuration
Syntax Description
This command has no keywords or arguments.
Default
All FA instances, HA peers, and Mobile IP interfaces are enabled.
Usage Guidelines
Use the shutdown command to disable the FA instance, the HA peer, or the MN interface for an FA
instance.
Use the no form of this command to enable the FA instance, the HA peer, or the MN interface for an FA
instance.
Examples
The following example disables an FA instance:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#shutdown
The following example disables an HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#shutdown
The following example disables the MN interface for an FA instance:
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#interface mn-access
[local]Redback(config-mip-if)#shutdown
Related Commands
foreign-agent
home-agent-peer
interface
time-out
time-out seconds
{no | default} time-out
Purpose
Specifies the number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down.
Command Mode
Dynamic Tunnel Profile configuration
Syntax Description
seconds    Number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down. The range of values is 2 through 10 seconds.
Default
3 seconds
Usage Guidelines
Use the time-out command to specify the number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down.
Use the no or default form of this command to restore the setting to its default value of 3 seconds.
Examples
The following example shows how to set the timeout for prof1 to 10 seconds:
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#end
Related Commands
clear-df (dynamic tunnel)
dynamic-tunnel-profile
gre mtu
hold-time
ipip mtu
vpn-context
vpn-context ctx-name
no vpn-context ctx-name
Purpose
Specifies the context in which the IP-in-IP tunnel or Generic Routing Encapsulation (GRE) tunnel to this
home agent (HA) peer is terminated.
Command Mode
HA peer configuration
Syntax Description
ctx-name    Context in which the IP-in-IP tunnel or GRE tunnel to this HA peer is terminated and in which the IP routes are added for the mobile nodes (MNs) that are registered with this HA peer.
Default
None
Usage Guidelines
Use the vpn-context command to specify the context in which the IP-in-IP tunnel or GRE tunnel to this HA peer is terminated. HA peers can share a context if they use public IP addresses or if their private IP addresses do not overlap. HA peers with overlapping private IP addresses must each have their own context.
Use the no form of this command to specify the default condition.
Examples
The following example specifies the ha-vpn1 context for the MNs associated with this HA peer:
[local]Redback(config)#context fa
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#foreign-agent
[local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1
[local]Redback(config-mip-hapeer)#vpn-context ha-vpn1
Related Commands
home-agent-peer
Chapter 8
Mobile IP Home Agent Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Mobile IP wireless services for home-agent (HA) instances on the SmartEdge router and their foreign-agent (FA) peers.
For information about the tasks and commands used to configure FA instances and their HA peers, see
Chapter 7, Mobile IP Foreign Agent Configuration.
You configure IP-in-IP and, optionally, Generic Routing Encapsulation (GRE) tunnels on the SmartEdge router to support the connections from FA instances to their HA peers and from HA instances to their FA peers. For information about configuring the IP-in-IP and GRE tunnels, see the Single-Circuit Tunnel Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
For information about the tasks and commands used to monitor, administer, and troubleshoot Mobile IP services, see the Mobile IP Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
For information about configuring Ethernet, Fast Ethernet-Gigabit Ethernet, and Gigabit Ethernet ports and circuits to support mobile subscribers, see the ATM, Ethernet, and POS Port Configuration and the Circuit Configuration chapters in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Note The terms FA instance and HA instance refer to the FAs and HAs, respectively, that you configure on the SmartEdge router. The terms FA peer and HA peer refer to FAs and HAs that exist on other equipment in the network.
The term Mobile IP binding refers to the association between a mobile node (MN) and its HA instance on the SmartEdge router. The term visitor or visiting MN refers to the association between an MN and an FA instance when that MN is communicating with its HA through the FA instance on the SmartEdge router.
HA tunnels can be used with Mobile IP services and non-Mobile IP services traffic.
Overview
The following section provides an overview of Mobile IP services of the HA instance. This section includes
the following topics:
Traffic Flow
Deployment Scenarios
Supported Standards
Restrictions
Traffic Flow
Mobile IP services allows MNs to retain their IP addresses, and therefore maintain their existing IP
sessions, when they roam across multiple networks.
Mobile IP consists of the following components:
MNs
HA instance
FA peer
The HA instance, a router on the MN home network, is the anchor component in a Mobile IP network that provides seamless mobility to the MN. When an MN is attached to its home network, it does not use Mobile IP services because it communicates directly using normal IP routing. When an MN is roaming and is not connected to its home network, its HA instance provides the following services:
Tracks the MN current point of attachment (POA) to the Internet.
Tunnels datagrams destined to the MN current POA. HA tunnels can be used with Mobile IP services
and non-Mobile IP services traffic.
Authenticates the MN (usually with the user ID and password) and verifies that Mobile IP services should be provided. It optionally assigns the MN a home address (HoA) on its home network. When the MN roams outside its home network, it retains its home address so that active IP sessions remain up.
Receives reverse-tunneled packets from the FA peer and forwards them based on the IP packet sent by
MN.
Mobile IP services enable the SmartEdge router to act as one or more HA instances. Each instance
communicates with its mobile subscribers (MNs). When an MN moves outside the network for the HA
instance, it connects to the HA instance through an FA peer, which then communicates with the HA
instance. Each HA instance has a local address that the system uses as the termination address for its MNs
and FA peers.
Mobile IP subscribers are assigned a home slot where their corresponding subscriber circuit is anchored for the purposes of accounting and other circuit-based features. When selecting a home slot, preference is given to the line card with the current HA-FA tunnel egress circuit. When a subscriber re-registers and the subscriber's home slot is not on the same line card as the tunnel egress, an attempt is made to re-optimize the subscriber's home slot.
In a typical deployment, MNs connect wirelessly to Base Transceiver Stations (BTSs), which connect to
the SmartEdge router FA peer through Ethernet. In this topology, each MN is represented by a separate
Ethernet circuit and MNs can move between BTSs. The FA instance communicates with a SmartEdge HA
instance through a tunnel endpoint (a local address of an HA instance). The SmartEdge router routes the
MN traffic to the FA peer using an IP-in-IP tunnel or GRE tunnel. Each FA peer uses a different tunnel.
Traffic for the MNs is routed from the HA instance to the FA peer using the same tunnel.
Figure 8-1 illustrates the physical network of MNs, BTS, FA peers, and an HA instance.
Figure 8-1 Physical network of MNs, BTS, FA peers, and an HA instance
Deployment Scenarios
The Mobile IP services implementation can use the SmartEdge OS multiple context support. For the HA,
all home addresses (HoAs) are allocated from the HA context address space. The HA local address
interfaces can be in the same context or in different contexts. This allows IP-in-IP or GRE tunnels to FA
peers to terminate in other contexts. For example, an FA peer tunnel could terminate in the local context
that is providing connectivity to the Internet backbone.
Note Because the tunnels described in this chapter each support a single tunnel circuit, the term tunnel refers to the tunnel and its circuit. For information about configuring the IP-in-IP and GRE tunnels, see the Single-Circuit Tunnel Configuration chapter in the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Restrictions
Mobile IP services has the following restrictions:
Mobile IP services is currently supported only for unicast traffic; broadcast and multicast traffic are not
supported.
Mobile IP services is supported only on PPA2 line cards. Do not have any PPA1-based line cards in the chassis when enabling Mobile IP services.
Supported Standards
Mobile IP services comply with the standards found in the following documents:
RFC 2794, Mobile IP Network Access Identifier Extension for IPv4
RFC 3024, Reverse Tunneling for Mobile IP, revised
RFC 3344, IP Mobility Support for IPv4
RFC 3543, Registration Revocation in Mobile IPv4
X.S0011-001-C v3.0, cdma2000 Wireless IP Network Standard: Introduction
Configuration Tasks
To configure HA Mobile IP features, perform the tasks described in the following sections:
Mobile IP Configuration Guidelines
Create the Contexts and Interfaces for Mobile IP Services
Configure a Key Chain for FA-HA Authentication
Configure an HA Instance
Configure an FA Peer
Configure an MN Subscriber
Configure AAA for MN Subscribers
Configure the Mobile IP Tunnels
Enable or Disable an HA Instance or FA Peer
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Mobile IP Configuration Guidelines
The following HA configuration guidelines apply when configuring Mobile IP services for an HA instance:
Within a given context, the SmartEdge router can act as an HA instance or an FA instance; it cannot
perform both roles. For information about configuring it as an FA instance, see Chapter 7, Mobile IP
Foreign Agent Configuration.
You must configure IP-in-IP tunnels to FA peers; optionally, you can configure and use GRE tunnels in
addition to the IP-in-IP tunnels.
Configure the tunnel to an FA peer in the HA context for that peer.
MNs do not connect directly with an HA instance; instead they reach that HA instance through its FA
peers. If the SmartEdge router is also acting as an FA instance (in another context), the MNs can connect
to that FA instance as described in Chapter 7, Mobile IP Foreign Agent Configuration.
To prevent Mobile IP tunnels from shutting down because of circuit problems, create the interfaces for
the IP-in-IP and GRE tunnels as loopback interfaces. Loopback interfaces are always up.
When using GRE tunnels to connect FA peers, a separate GRE tunnel is required for each FA peer. GRE
keys are not supported.
Create the Contexts and Interfaces for Mobile IP Services
To create the contexts and interfaces for Mobile IP services, perform the tasks described in Table 8-1. These contexts and interfaces are used in subsequent configuration tasks for the HA instances and FA peers.
Table 8-1 Create the Contexts and Interfaces for Mobile IP Services
1. Optional. Create the context for the HA instance and access context configuration mode. Root command: context. Enter this command in global configuration mode. You can use the local context instead of performing this step.
2. Create an interface for the FA peers to connect to the HA instance (using tunnels) using the HA local address, and access interface configuration mode. Root command: interface. Enter this command in context configuration mode.
3. Optional. Create an FA context for an FA peer and access context configuration mode. Root command: context. Enter this command in global configuration mode. You can use the HA instance context for all FA peers instead of performing this step.
Note For information about the context command (in global configuration mode) and the interface command (in context configuration mode), and the various commands to configure contexts and interfaces, see the Basic System Configuration Guide for the SmartEdge OS.
Configure a Key Chain for FA-HA Authentication
To configure key chain authentication for the FA and HA, perform the tasks described in Table 8-2. For more information about configuring key chains, see Chapter 24, Key Chain Configuration.
Table 8-2 Configure a Key Chain
1. Select the context for the HA instance and access context configuration mode. Root command: context. Enter this command in global configuration mode.
2. Create the key chain and access key chain configuration mode. Root command: key-chain. Enter this command in context configuration mode.
3. Configure a key string. Root command: key-string. Enter this command in key chain configuration mode.
4. Specify the security parameter index (SPI) for this key chain. Root command: spi. Enter this command in key chain configuration mode.
Configure an HA Instance
To configure an HA instance, perform the tasks described in Table 8-3; enter all commands in HA configuration mode, unless otherwise noted.
Table 8-3 Configure an HA Instance
1. Select the context for the HA instance and access context configuration mode. Root command: context. Enter this command in global configuration mode.
2. Enable Mobile IP services in this context and access Mobile IP configuration mode. Root command: router mobile-ip. Enter this command in context configuration mode.
3. Create or select the HA instance and access HA configuration mode. Root command: home-agent. Enter this command in Mobile IP configuration mode.
4. Apply a dynamic tunnel profile to an HA instance. Root command: dynamic-tunnel-profile. Enter this command in HA configuration mode.
5. Specify the interface for the HA local address. Root command: local-address. This is the interface that you created for the tunnels for this HA instance.
6. Optional. Enable the optional tunnel type. Root command: tunnel-type. The default is not to enable optional tunnel types.
7. Optional. Configure the default authentication for this HA instance. Root command: authentication. This is the default authentication for all FA peers for this HA instance.
8. Optional. Configure the registration maximum lifetime for MN registrations using this HA instance. Root command: registration max-lifetime. The default is 1800 seconds.
9. Optional. Configure the tolerance for timestamp-based replay protection between an MN and its HA instance. Root command: replay-tolerance. The default is 7 seconds.
10. Optional. Configure registration revocation support for this HA instance. Root command: revocation. The default is that registration revocation is not enabled.
Configure an FA Peer
To configure an FA peer, perform the tasks described in Table 8-4.
Table 8-4 Configure an FA Peer
1. Select the context for the HA instance for this FA peer and access context configuration mode. Root command: context. Enter this command in global configuration mode.
2. Enable Mobile IP services in this context and access Mobile IP configuration mode. Root command: router mobile-ip. Enter this command in context configuration mode.
3. Select the HA instance for the FA peer and access HA configuration mode. Root command: home-agent. Enter this command in Mobile IP configuration mode.
4. Create or select the FA peer and access FA peer configuration mode. Root command: foreign-agent-peer. Enter this command in HA configuration mode.
5. Optional. Apply a dynamic tunnel profile to an FA peer. Root command: dynamic-tunnel-profile. Enter this command in FA peer configuration mode. The dynamic tunnel profile is created in Mobile IP configuration mode and configured in Dynamic Tunnel Profile configuration mode.
6. Optional. Configure the authentication for the FA peer. Root command: authentication. Enter this command in FA peer configuration mode. This authentication overrides the default authentication for all FA peers for this HA instance.
Configure an MN Subscriber
To configure an MN subscriber record, profile, or default profile, perform the task described in Table 8-5.
Table 8-5 Configure an MN Subscriber Record, Profile, or Default Profile
1. Configure the subscriber record, profile, or default profile. Root command: subscriber. For information about configuring subscribers and their attributes, see the Basic System Configuration Guide for the SmartEdge OS.
Configure AAA for MN Subscribers
You can configure authentication, authorization, and accounting (AAA) features and Remote Authentication Dial-In User Service (RADIUS) servers for MN subscribers. For information about configuring AAA features and RADIUS servers, see Chapter 20, AAA Configuration, and Chapter 21, RADIUS Configuration, respectively.
Configure the Mobile IP Tunnels
You must configure an IP-in-IP tunnel to each FA peer. You can also configure a GRE tunnel to each FA peer. To configure the Mobile IP tunnels, perform the tasks described in Table 8-6.
Table 8-6 Configure the Mobile IP Tunnels
1. Configure the IP-in-IP tunnels to the FA peers. For information about creating IP-in-IP tunnels and GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
2. Optional. Configure the GRE tunnels to the FA peers. For information about creating IP-in-IP tunnels and GRE tunnels, see the Ports, Circuits, and Tunnels Configuration Guide for the SmartEdge OS.
Enable or Disable an HA Instance or FA Peer
To enable or disable an HA instance or an FA peer, perform the task described in Table 8-7.
Table 8-7 Enable or Disable an HA Instance or FA Peer
Optional. Disable or enable an HA instance or an FA peer. Root command: shutdown. Enter this command in HA configuration mode or FA peer configuration mode. Use the no form of this command to enable an HA instance or an FA peer.
Configuration Examples
The following example creates an IP-in-IP tunnel and the interfaces to support an HA instance and an FA peer, all in the local context. Traffic is carried on two Ethernet ports:
! Create the interfaces for the IP-in-IP tunnels to the FA peers and for the MNs
[local]Redback(config)#context local
[local]Redback(config-ctx)#interface tun1
[local]Redback(config-if)#ip address 20.2.1.1/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface loc-addr
[local]Redback(config-if)#ip address 20.1.1.1/16
[local]Redback(config-if)#exit
! Enable the local context for Mobile IP services
[local]Redback(config-ctx)#router mobile-ip
! Create the home agent instance, specify the local address interface and create a foreign agent peer
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#local-address loc-addr
[local]Redback(config-mip-ha)#foreign-agent-peer 20.1.1.2
[local]Redback(config-mip-ha-fapeer)#end
! Configure the Ethernet circuits (bind them to the MN access and local address interfaces)
[local]Redback#config
[local]Redback(config)#port ethernet 2/10
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#port ethernet 2/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface loc-addr local
[local]Redback(config-port)#exit
! Configure the IP-in-IP tunnel (bind it to the tunnel interface in the local context)
[local]Redback(config)#tunnel ipip tun1
[local]Redback(config-tunnel)#peer-end-point local 20.1.1.1 remote 20.1.1.2
[local]Redback(config-tunnel)#bind interface tun1 local
[local]Redback(config-tunnel)#end
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure HA instances
and their FA peers. The commands are presented in alphabetical order:
authentication
dynamic-tunnel-profile
foreign-agent-peer
home-agent
local-address
registration max-lifetime
replay-tolerance
revocation
router mobile-ip
shutdown
tunnel-type
authentication
authentication hmac-md5 {key-chain-name | dynamic-key wimax}
no authentication hmac-md5
Purpose
Configures authentication between this home agent (HA) instance and its foreign agent (FA) peers or
between the HA instance and a specific FA peer.
Command Mode
HA configuration
FA peer configuration
Syntax Description
hmac-md5    Specifies the Hash-based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm.
key-chain-name    Name of an existing key chain, which you must have configured in the context in which you have configured the HA instance or FA peer.
dynamic-key wimax    Specifies to dynamically compute FA-HA keys using the WiMAX AAA HA-RK-Key Vendor Specific Attribute (VSA). The WiMAX HA-RK-Key VSA ID is 26/24757/15. Configured static key chains take precedence over dynamic keys. For more information about supported WiMAX attributes, see the RADIUS Attributes Supported by Mobile IP Services section in Appendix A, RADIUS Attributes.
Default
No authentication is configured for any HA instance or FA peer.
Usage Guidelines
Use the authentication command to configure authentication between this HA instance and its FA peers or between the HA instance and a specific FA peer.
In HA configuration mode, this command configures the default authentication between the HA instance and all its FA peers; in FA peer configuration mode, this command configures the authentication specifically between the HA instance and that FA peer.
Use the no form of this command to remove the authentication configuration for this HA instance or FA peer.
Examples
The following example configures the key-ha key chain with key ID 100 and a security parameter index (SPI) of 256 for incoming traffic, and then specifies it when configuring the default authentication between an HA instance and its FA peers:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#key-chain key-ha key-id 100
[local]Redback(config-key-chain)#spi 256
[local]Redback(config-key-chain)#key-string hex 0xfeedaceedeadbeef
[local]Redback(config-key-chain)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#authentication hmac-md5 key-ha
The following example configures dynamic keys between an HA instance and its FA peers:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#authentication hmac-md5 dynamic-key wimax
Related Commands
home-agent
foreign-agent-peer
key-chain
spi
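The FA-HA authentication that the authentication command enables is the RFC 3344 authentication extension: an HMAC-MD5 authenticator over the registration message, keyed by the key-string that the SPI carried in the extension selects from the key chain. The following Python example is added here to show how an HA verifies that extension and applies timestamp replay tolerance (the replay-tolerance default of 7 seconds from Table 8-3); it is illustration code, not SmartEdge OS code. The key chain contents, the MN and peer addresses, and the demo() helper are constructed for the example; the message layout follows RFC 3344 sections 3.3, 3.5 and 5.7.

```python
import hashlib
import hmac
import struct

# Extension types from RFC 3344 section 3.5; HMAC-MD5 yields a 16-byte authenticator
MN_HA_AUTH_EXT = 32
FA_HA_AUTH_EXT = 34
HMAC_MD5_LEN = 16
REG_REQUEST_LEN = 24            # fixed part of a Registration Request (RFC 3344 section 3.3)
NTP_UNIX_OFFSET = 2208988800    # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Constructed key chain: SPI -> key, mirroring "key-chain key-ha key-id 100 / spi 256 /
# key-string hex 0xfeedaceedeadbeef" from the example above. Illustration values only.
KEY_CHAIN = {256: bytes.fromhex("feedaceedeadbeef")}


def ntp_identification(unix_seconds, fraction=0):
    """64-bit Identification field: NTP seconds in the high 32 bits (RFC 3344 section 5.7)."""
    return ((unix_seconds + NTP_UNIX_OFFSET) << 32) | (fraction & 0xFFFFFFFF)


def build_registration_request(home_addr, home_agent, care_of, lifetime, ident, flags=0):
    """Fixed 24-byte part of a Registration Request (type 1), RFC 3344 section 3.3."""
    return struct.pack("!BBH4s4s4sQ", 1, flags, lifetime, home_addr, home_agent, care_of, ident)


def add_auth_extension(msg, ext_type, spi, key):
    """Append an authentication extension. The authenticator is HMAC-MD5 over the
    message data, every earlier extension, and this extension's type, length and SPI."""
    header = struct.pack("!BBI", ext_type, 4 + HMAC_MD5_LEN, spi)
    mac = hmac.new(key, msg + header, hashlib.md5).digest()
    return msg + header + mac


def verify_auth_extension(packet, ext_type, key_chain):
    """Walk the extensions after the fixed header, find ext_type, and check its HMAC
    against the key that its SPI selects from the key chain. Returns (ok, reason)."""
    offset = REG_REQUEST_LEN
    while offset + 2 <= len(packet):
        etype, elen = packet[offset], packet[offset + 1]
        if etype != ext_type:
            offset += 2 + elen          # skip an unrelated extension
            continue
        if elen != 4 + HMAC_MD5_LEN or offset + 2 + elen > len(packet):
            return False, "malformed authentication extension"
        spi = struct.unpack("!I", packet[offset + 2:offset + 6])[0]
        key = key_chain.get(spi)
        if key is None:
            return False, "unknown SPI %d" % spi   # no fallback key: reject
        expected = hmac.new(key, packet[:offset + 6], hashlib.md5).digest()
        received = packet[offset + 6:offset + 6 + HMAC_MD5_LEN]
        if not hmac.compare_digest(expected, received):   # constant-time compare
            return False, "authenticator mismatch"
        return True, "ok"
    return False, "authentication extension missing"


def check_replay(ident, now_unix, last_ident=None, tolerance=7):
    """Timestamp replay protection (RFC 3344 section 5.7): the request's NTP seconds must
    lie within `tolerance` seconds of the HA clock (7 is the replay-tolerance default
    in Table 8-3) and must be newer than the last Identification accepted for this MN."""
    ts = (ident >> 32) - NTP_UNIX_OFFSET
    if abs(ts - now_unix) > tolerance:
        return False, "timestamp outside replay tolerance"
    if last_ident is not None and ident <= last_ident:
        return False, "identification not greater than last accepted"
    return True, "ok"


def demo(now_unix=1200000000):
    """Authenticate a request from FA peer 172.16.2.1, then show that a tampered
    packet, a replayed timestamp and an unknown SPI are each rejected."""
    ident = ntp_identification(now_unix)
    req = build_registration_request(
        home_addr=bytes([10, 1, 1, 100]), home_agent=bytes([10, 1, 1, 2]),
        care_of=bytes([172, 16, 2, 1]), lifetime=1800, ident=ident)
    packet = add_auth_extension(req, FA_HA_AUTH_EXT, 256, KEY_CHAIN[256])
    results = {"valid": verify_auth_extension(packet, FA_HA_AUTH_EXT, KEY_CHAIN)[0]}
    tampered = bytearray(packet)
    tampered[15] ^= 0x01                # flip one bit of the care-of address
    results["tampered"] = verify_auth_extension(bytes(tampered), FA_HA_AUTH_EXT, KEY_CHAIN)[0]
    results["replayed"] = check_replay(ident, now_unix + 30)[0]   # 30 s old: outside 7 s
    results["fresh"] = check_replay(ident, now_unix + 3)[0]       # 3 s old: accepted
    stranger = add_auth_extension(req, FA_HA_AUTH_EXT, 257, KEY_CHAIN[256])
    results["unknown_spi"] = verify_auth_extension(stranger, FA_HA_AUTH_EXT, KEY_CHAIN)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the SPI is the only thing that names the key, so a request whose SPI is not in the key chain must be rejected rather than tried against some default key, and the authenticator comparison uses a constant-time compare so that a peer probing the HA cannot learn the MAC byte by byte from timing. The replay check alone is not enough without the HMAC, since an attacker who can forge the extension can also choose a fresh timestamp.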
dynamic-tunnel-profile
dynamic-tunnel-profile profile
no dynamic-tunnel-profile profile
Purpose
In Home Agent configuration mode, applies a dynamic tunnel profile to a home-agent (HA) instance.
In FA Peer configuration mode, applies a dynamic tunnel profile to a foreign-agent (FA) peer.
Command Mode
Home Agent configuration
FA Peer configuration
Syntax Description
profile    Name of the dynamic tunnel profile.
Default
The following are the defaults for the dynamic tunnel profile:
clear-df: disabled
gre mtu mtu: 1468 bytes
hold-time seconds: 30 seconds
ipip mtu mtu: 1480 bytes
time-out seconds: 3 seconds
Usage Guidelines
Use the dynamic-tunnel-profile command (in Home Agent configuration mode) to apply a dynamic tunnel profile to an HA instance.
Use the dynamic-tunnel-profile command (in FA Peer configuration mode) to apply a dynamic tunnel profile to an FA peer.
You first create a dynamic tunnel profile in Mobile IP configuration mode and configure its attributes in Dynamic Tunnel Profile configuration mode. You then apply the profile to the HA instance (in Home Agent configuration mode) and its FA peers (in FA Peer configuration mode). Configured static tunnels take precedence over dynamic tunnels. When no dynamic tunnel profile is applied to an FA peer, the peer inherits the profile specified in HA configuration mode. If you delete a referenced dynamic tunnel profile, the references to that profile are also deleted from the HA instance and FA peers; they then use the default dynamic tunnel profile values. For information about how to create a dynamic tunnel profile, see the dynamic-tunnel-profile section on page 7-24.
Use the no form of this command to delete the dynamic tunneling profile.
Examples
The following example creates two dynamic tunnel profiles (prof1 and prof2) and a last-resort interface, and then applies the profiles to an HA instance and an FA peer:
! Create dynamic tunnel profile prof1.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 10
[local]Redback(config-mip-dyn-tun1-profile)#time-out 10
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1200
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create dynamic tunnel profile prof2.
[local]Redback(config)#context local
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-dyn-tun1-profile)#clear-df
[local]Redback(config-mip-dyn-tun1-profile)#hold-time 120
[local]Redback(config-mip-dyn-tun1-profile)#time-out 8
[local]Redback(config-mip-dyn-tun1-profile)#ipip mtu 1000
[local]Redback(config-mip-dyn-tun1-profile)#end
! Create the last-resort interface.
[local]Redback(config-ctx)#interface loop loopback
[local]Redback(config-if)#ip address 2.2.2.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface mip2 multibind lastresort
[local]Redback(config-if)#ip unnumbered loop
! Apply dynamic tunnel profile prof1 to the HA instance.
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#dynamic-tunnel-profile prof1
[local]Redback(config-mip-ha)#tunnel-type gre
[local]Redback(config-mip-ha)#authentication none
[local]Redback(config-mip-ha)#local-address to_fa
! Apply dynamic tunnel profile prof2 to FA peer 1.1.1.2.
[local]Redback(config-mip-ha)#foreign-agent-peer 1.1.1.2
[local]Redback(config-mip-ha-fapeer)#dynamic-tunnel-profile prof2
[local]Redback(config-mip-ha-fapeer)#end
! The FA peer 3.1.1.2 inherits dynamic tunnel profile prof1 (which is specified in HA
! configuration mode) because no dynamic profile is applied at the FA peer level.
[local]Redback(config-mip-ha)#foreign-agent-peer 3.1.1.2
Note You must configure a last-resort interface within the same context to use a dynamic tunnel profile. For information about configuring last-resort interfaces, see the Basic System Configuration Guide.
Related Commands
home-agent
foreign-agent-peer
foreign-agent-peer
foreign-agent-peer ip-addr
no foreign-agent-peer ip-addr
Purpose
Creates or selects a foreign-agent (FA) peer for this home-agent (HA) instance and accesses FA peer
configuration mode.
Command Mode
HA configuration
Syntax Description
ip-addr    IP address for this FA peer.
Default
No FA peers are created.
Usage Guidelines
Use the foreign-agent-peer command to create or select an FA peer for this HA instance and access FA peer configuration mode. If a Mobile IP registration is received from an FA peer that is not configured, one is created dynamically; its FA-HA authentication and dynamic tunnel configuration are inherited from the HA instance. Because such peers inherit only the HA-level settings, configure the default authentication at the HA instance if dynamically created peers are to be authenticated at all.
Use the no form of this command to delete the FA peer with the specified IP address.
Examples
The following example creates an FA peer with IP address 172.16.2.1 for the HA instance in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#foreign-agent-peer 172.16.2.1
[local]Redback(config-fapeer)#
Related Commands
authentication
dynamic-tunnel-profile
shutdown
home-agent
home-agent
no home-agent
Purpose
Creates or selects a home-agent (HA) instance in this context and accesses HA configuration mode.
Command Mode
Mobile IP configuration
Syntax Description
This command has no keywords or arguments.
Default
No HA instances are created.
Usage Guidelines
Use the home-agent command to create or select an HA instance in this context and access HA
configuration mode.
Use the no form of this command to delete the HA instance in this context.
Examples
The following example creates an HA instance in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#
Related Commands
authentication
foreign-agent-peer
local-address
shutdown
local-address
local-address if-name [ctx-name]
no local-address if-name [ctx-name]
Purpose
Specifies the interface for the home agent (HA) local address used by remote foreign agent (FA) peers for
this HA instance.
Command Mode
HA configuration
Syntax Description
if-name Name of the interface for the HA.
ctx-name Optional. Context name in which the interface exists. If the interface exists in a context
other than the one you are currently in, you must specify the context name.
Default
None
Usage Guidelines
Use the local-address command to specify the interface for the HA local address used by FA peers for this
HA instance. Enter this command multiple times to specify multiple HA interfaces. This command
specifies an existing interface as the HA interface; you must first create that interface using the interface
command in context configuration mode.
Use the no form of this command to remove the HA local address.
Examples
The following example creates the local address interface in a context called ha and specifies it as the local
address interface for the HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#interface ha
[local]Redback(config-if)#ip address 10.1.1.2/16
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#local-address ha
Related Commands
home-agent
registration max-lifetime
registration max-lifetime seconds
no registration max-lifetime
Purpose
Specifies the registration maximum lifetime for any mobile node (MN) that uses this home agent (HA)
instance.
Command Mode
HA configuration
Syntax Description
seconds Registration maximum lifetime. The range of values is 1 to 65535 seconds.
Default
The registration maximum lifetime default is 1800 seconds (30 minutes).
Usage Guidelines
Use the registration max-lifetime command to specify the registration maximum lifetime for any MN that
uses this HA instance.
Use the no form of this command to specify the default.
Examples
The following example specifies a registration maximum lifetime of 60 minutes (3600 seconds) for the
HA instance in this context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#registration max-lifetime 3600
Related Commands
home-agent
replay-tolerance
replay-tolerance seconds
no replay-tolerance
Purpose
Configures the tolerance for timestamp-based replay protection used between the home agent (HA)
instance and the registering mobile nodes (MN).
Command Mode
HA configuration
Syntax Description
seconds Tolerance for timestamp-based replay protection used between the HA instance and
registering MNs. The range of values is 4 to 255 seconds.
Default
The default for tolerance for timestamp-based replay protection is 7 seconds.
Usage Guidelines
Use the replay-tolerance command to configure the tolerance for timestamp-based replay protection used
between the HA instance and the registering MN. The replay-tolerance command specifies the number of
seconds that the HA instance timestamp and MN timestamp can be different. When the HA instance
discovers that this difference is greater than the number of seconds specified, it rejects the MN registration.
Use the no form of this command to specify the default.
Examples
The following example configures a timestamp-based replay tolerance of 10 seconds for this HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#replay-tolerance 10
Related Commands
authentication
revocation
revocation [mobile-notify {always | never | foreign-dictate}] [timeout seconds] [retransmit num]
no revocation [mobile-notify condition] [timeout seconds] [retransmit num]
Purpose
Configures registration revocation as described in RFC 3543, Registration Revocation in Mobile IPv4, for
this home agent (HA) instance. Registration revocation is negotiated between the HA instance and its
foreign agent (FA) peers.
Command Mode
HA configuration
Syntax Description
mobile-notify condition Optional. Specifies the conditions for which the HA instance negotiates I-bit
support with its FA peers when the mobile node (MN) registers, according to one of the following keywords:
  always: Always notify the MN when Mobile IP services have been revoked, except when the MN is
  no longer receiving service from the FA peer. This is the default.
  never: Never notify the MN that Mobile IP services have been revoked.
  foreign-dictate: Does not negotiate I-bit support with the FA peer when the MN registers. The FA
  peer determines whether or not to notify the MN.
timeout seconds Number of seconds between registration revocation retransmissions. A registration
revocation request is retransmitted to the FA peer when an acknowledgement is not received. The range
of values is 1 to 100; the default value is 7.
retransmit num Number of times the SmartEdge OS retries transmission of registration revocation
messages. The range of values is 1 to 100; the default value is 3.
Default
Registration revocation is not configured for any HA instance.
Usage Guidelines
Use the revocation command to configure registration revocation, as described in RFC 3543, Registration
Revocation in Mobile IPv4, for this HA instance. Registration revocation is negotiated between the HA
instance and its FA peers.
Note To use registration revocation, you must configure authentication with the revocation
command. If authentication is not enabled for the FA peer, registration revocation is not
negotiated for registrations received from that peer. For more information about
authentication, see the authentication command (in HA configuration or FA peer
configuration mode).
Use the no form of this command to disable support for registration revocation for the HA instance.
Examples
The following example enables registration revocation support for the HA instance. Registration
revocation I-bit support is negotiated with the FA peer and the MN is never notified that Mobile IP services
have been revoked:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#revocation mobile-notify never
Related Commands
authentication
home-agent
router mobile-ip
router mobile-ip
no router mobile-ip
Purpose
Enables mobile services in this context and accesses Mobile IP configuration mode.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
Mobile IP services are not enabled in any context.
Usage Guidelines
Use the router mobile-ip command to enable Mobile IP services in this context and access Mobile IP
configuration mode.
Use the no form of this command to disable Mobile IP services in this context.
Examples
The following example enables Mobile IP services in the ha context:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#
Related Commands
foreign-agent-peer
home-agent
local-address
shutdown
shutdown
no shutdown
Purpose
Disables or enables the home-agent (HA) instance or foreign-agent (FA) peer.
Command Mode
FA peer configuration
HA configuration
Syntax Description
This command has no keywords or arguments.
Default
HA instances and FA peers are all enabled.
Usage Guidelines
Use the shutdown command to disable the HA instance or FA peer.
Use the no form of this command to enable HA instance or FA peer.
Examples
The following example disables an HA instance:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#shutdown
The following example disables an FA peer:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-ha)#foreign-agent-peer 172.16.2.1
[local]Redback(config-fapeer)#shutdown
Related Commands
foreign-agent-peer
home-agent
local-address
tunnel-type
tunnel-type gre
no tunnel-type gre
Purpose
Enables use of Generic Routing Encapsulation (GRE) tunnel types by mobile nodes (MN).
Command Mode
HA configuration
Syntax Description
gre Specifies Generic Routing Encapsulation tunnels.
Default
IP-in-IP tunnels are enabled implicitly; no optional tunnel types are enabled.
Usage Guidelines
Use the tunnel-type command to enable use of GRE tunnel types by MNs.
Use the no form of this command to specify the default condition.
Examples
The following example enables the GRE tunnel type:
[local]Redback(config)#context ha
[local]Redback(config-ctx)#router mobile-ip
[local]Redback(config-mip)#home-agent
[local]Redback(config-mip-ha)#tunnel-type gre
Related Commands
local-address
Part 4
IP Services
This part describes the tasks and commands used to configure HTTP redirect, Domain Name System
(DNS), and access control lists (ACLs) for IP services and policies. It consists of the following chapters:
Chapter 9, HTTP Redirect Configuration
Chapter 10, Hotlining Configuration
Chapter 11, DNS Configuration
Chapter 12, ACL Configuration
Chapter 9
HTTP Redirect Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS HTTP redirect features.
For information about tasks and commands used to monitor, troubleshoot, and administer HTTP redirect
features, see the HTTP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
HTTP redirect enables service providers to interrupt subscriber HTTP sessions and to redirect them to a
preconfigured URL. There is an option to provide the subscribers identity attributes along with the URL
and encrypt this data. Applications include the ability to require customer registration, to direct customers
to web sites for downloading virus protection software, and to advertise new services or software updates.
The SmartEdge router provides a lightweight HTTP server on its controller card. When a subscriber
initiates an HTTP session, authentication triggers an HTTP redirect when two conditions are in place: an
HTTP redirect profile containing a new URL is attached to the subscriber record, and a forward policy that
redirects HTTP traffic to the HTTP server on the controller card is attached to the subscriber circuit. HTTP
packets must be permitted to pass through to the external HTTP server that hosts the redirect URL. The
subscriber session opens to the web page indicated by the redirect URL. The forward policy that performs
the redirection is removed through the subscriber reauthorization mechanism.
Note In the following descriptions, the term, controller card, applies to the Cross-Connect Route
Processor (XCRP) or the XCRP Version 3 (XCRP3) Controller card, unless otherwise noted.
Configuration Tasks
To configure HTTP redirect features, perform the tasks described in the following sections:
Configure Subscriber Authentication and Reauthorization
Configure an IP ACL and Apply It to Subscribers
Configure the HTTP Server on the Active Controller Card
Configure and Attach an HTTP Redirect Profile to Subscribers
Configure a Policy ACL That Classifies HTTP Packets
Configure and Attach a Forward Policy to Redirect HTTP Packets
Configure Subscriber Authentication and Reauthorization
To configure subscriber authentication and reauthorization, see the Configure Subscriber Authentication
and Configure Dynamic Subscriber Reauthorization sections in Chapter 20, AAA Configuration.
Configure an IP ACL and Apply It to Subscribers
To redirect subscriber traffic to the new web page to which subscriber circuits are to be redirected, you
configure an IP access control list (ACL) that permits access to that web page and apply it to the subscriber
circuits (their records or profiles) that are to be redirected. To configure and apply an IP ACL, see the
Configure an IP ACL and Apply an IP ACL sections in Chapter 12, ACL Configuration.
Configure the HTTP Server on the Active Controller Card
To configure the HTTP server on the active controller card, perform the tasks described in Table 9-1.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Table 9-1 Configure the HTTP Server on the Controller Card
1. Enable the HTTP server on the controller card and access HTTP redirect server configuration mode.
   Root command: http-redirect server
   Notes: Enter this command in global configuration mode.
2. Optional. Select the port on which the HTTP server listens.
   Root command: port
   Notes: Enter this command in HTTP redirect server configuration mode.
Configure and Attach an HTTP Redirect Profile to Subscribers
To configure and attach an HTTP redirect profile to subscribers, perform the tasks described in Table 9-2.
The SmartEdge OS applies an HTTP profile in the following order of precedence:
1. Uses the Redback vendor-specific attribute (VSA) 107, HTTP-Redirect-Profile-Name, in the
subscriber record returned by the Remote Authentication Dial-In User Service (RADIUS) server in
Access-Accept packets for the subscriber.
2. If the RADIUS server does not return an HTTP profile name, it uses the HTTP profile attached to the
named subscriber configured in the context.
3. If the named subscriber does not have an HTTP profile attached to it, it uses the HTTP profile attached
to the named subscriber profile configured in the context.
4. If the subscriber profile does not have an HTTP profile attached to it, it uses the HTTP profile attached
to the default subscriber profile configured in the context.
Table 9-2 Configure and Attach an HTTP Redirect Profile to Subscribers
1. Configure an HTTP redirect profile and access HTTP redirect profile configuration mode.
   Root command: http-redirect profile
   Notes: Enter this command in context configuration mode.
2. Configure the URL to which subscriber sessions are to be redirected.
   Root command: url
   Notes: Enter this command in HTTP redirect profile configuration mode.
3. Attach the HTTP redirect profile to a subscriber record, a named subscriber profile, or the default
   subscriber profile.
   Root command: http-redirect profile
   Notes: Enter this command in subscriber configuration mode.
Caution Risk of redirect loop. Redirect can recur until an IP ACL that permits access to the new web
page is applied to the subscriber record or profile. To reduce the risk, before modifying an
existing URL, ensure that the subscriber record includes an IP ACL that permits access to the
new URL.
Configure a Policy ACL That Classifies HTTP Packets
To configure a policy access control list (ACL) that classifies HTTP packets for the forward policy that
redirects HTTP packets, perform the tasks described in Table 9-3.
Table 9-3 Configure a Policy ACL That Classifies HTTP Packets
1. Create or select the policy ACL and enter access control list configuration mode.
   Root command: policy access-list
   Notes: Enter this command in context configuration mode.
2. Assign HTTP packets that are destined to the web server hosting the URL to a separate class.
   Root command: permit
   Notes: Enter this command in access control list configuration mode. Use the following construct:
   permit tcp any host ip-addr eq www class class-name
   where the ip-addr argument is the IP address of the web server hosting the URL that you configured
   in step 2 in Table 9-2.
3. Assign all other HTTP packets to a different class.
   Root command: permit
   Notes: Enter this command in access control list configuration mode. Use the following construct:
   permit tcp any any eq www class class-name
   where the class-name argument is distinct from the one you configured in step 2.
Configure and Attach a Forward Policy to Redirect HTTP Packets
To configure a forward policy to redirect HTTP packets and attach it to a circuit or subscriber, perform the
tasks described in Table 9-4.
Table 9-4 Configure and Attach a Forward Policy to Redirect HTTP Packets
1. Create or select the forward policy and access forward policy configuration mode.
   Root command: forward policy
   Notes: Enter this command in global configuration mode. For more information about forward
   policies, see Chapter 14, Forward Policy Configuration.
2. Apply the policy ACL that you configured in Table 9-3 to the forward policy and access policy ACL
   configuration mode.
   Root command: access-group
   Notes: Enter this command in forward policy configuration mode.
3. Specify all HTTP packets and access policy ACL class configuration mode.
   Root command: class
   Notes: Enter this command in policy ACL configuration mode. Use the class-name argument that
   you specified in step 3 in Table 9-3.
4. Redirect HTTP packets to the HTTP server on the controller card.
   Root command: redirect destination local
   Notes: Enter this command in policy ACL class configuration mode.
5. Attach the forward policy to a circuit, a subscriber record, named subscriber profile, or default
   subscriber profile.
   Root command: forward policy in
   Notes: Enter this command in ATM DS-3, ATM OC, ATM PVC, dot1q PVC, DS-0 group, DS-1, DS-3,
   Frame Relay PVC, port, or subscriber configuration mode. For more information about forward
   policies, see Chapter 14, Forward Policy Configuration.
Configuration Examples
The following example provides a simple HTTP redirect configuration:
! First enable the HTTP redirect server on the controller card:
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80 8080
[local]Redback(config-hr-server)#exit
! Configure the HTTP redirect profile and url:
[local]Redback(config)#context local
[local]Redback(config-ctx)#http-redirect profile Redirect
[local]Redback(config-hr-profile)#url http://www.Redirect.com
[local]Redback(config-hr-profile)#exit
! Attach the HTTP redirect profile to the default subscriber profile:
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#http-redirect profile Redirect
[local]Redback(config-sub)#exit
! Create a policy ACL:
[local]Redback(config-ctx)#policy access-list http-packets
! Create class abc for HTTP packets that are destined to the web server with the new URL:
[local]Redback(config-access-list)#permit tcp any host 10.1.1.1 eq www class abc
! Create class xyz for all other HTTP packets to be redirected using the forward policy:
[local]Redback(config-access-list)#permit tcp any any eq www class xyz
[local]Redback(config-ctx)#exit
! Create the forward policy:
[local]Redback(config)#forward policy www-redirect
! Apply the policy ACL that classifies HTTP packets:
[local]Redback(config-policy-frwd)#access-group http-packets local
! Redirect all HTTP packets except those destined to the web server (class xyz)
! to the HTTP server on the controller card:
[local]Redback(config-policy-group)#class xyz
[local]Redback(config-policy-group-class)#redirect destination local
[local]Redback(config-policy-group-class)#exit
! Packets that are destined to the web server (class abc) use normal routing (no action).
[local]Redback(config-policy-group)#class abc
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-frwd)#exit
! Attach the forward policy to incoming packets on ATM PVC 3 5:
[local]Redback(config)#port atm 4/1
[local]Redback(config-atm)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 3 5 profile atm-pro encapsulation bridge1483
[local]Redback(config-atm-pvc)#forward policy www-redirect in
! Bind the appropriate subscriber record to the ATM PVC:
[local]Redback(config-atm-pvc)#bind subscriber joe@local
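To show how the policy ACL and forward policy in this example classify traffic, here is an added Python model (not SmartEdge OS code) of the http-packets ACL and the www-redirect policy with first-match semantics; the source addresses in it are constructed samples, and the loop check models the guide's point that traffic to the web server hosting the URL must not itself be redirected.

```python
"""Model of the HTTP redirect forward policy shown in the configuration example.

Added illustration, not SmartEdge OS code. It reproduces the first-match policy
ACL semantics and the two-class forward policy from the example above:
class abc = HTTP traffic to the web server hosting the redirect URL (no action),
class xyz = every other HTTP packet (redirect destination local).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

WWW = 80  # the 'eq www' port keyword


@dataclass(frozen=True)
class AclEntry:
    proto: str               # "tcp", "udp", ...
    src: str                 # "any", "host A.B.C.D" or a CIDR network
    dst: str
    dst_port: Optional[int]  # None when no 'eq' port is given
    class_name: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def classify(acl: List[AclEntry], pkt: Packet) -> Optional[str]:
    """Return the class of the first matching permit entry, or None when no entry
    matches (the packet then carries no class and takes normal routing)."""
    for entry in acl:
        if (entry.proto == pkt.proto
                and _addr_matches(entry.src, pkt.src)
                and _addr_matches(entry.dst, pkt.dst)
                and (entry.dst_port is None or entry.dst_port == pkt.dst_port)):
            return entry.class_name
    return None


def forward_action(acl: List[AclEntry], redirect_classes: Set[str], pkt: Packet) -> str:
    """'redirect local' when the packet's class has 'redirect destination local'
    configured in the forward policy, otherwise 'route' (no action)."""
    cls = classify(acl, pkt)
    return "redirect local" if cls in redirect_classes else "route"


def redirect_loop_risk(acl: List[AclEntry], redirect_classes: Set[str], web_server: str) -> bool:
    """True if an HTTP packet to the server hosting the redirect URL would itself be
    redirected back to the controller card, so the subscriber could never reach
    the page and redirection would recur. The source address is a constructed
    sample; the example's entries match 'any' source."""
    probe = Packet("tcp", "192.0.2.10", web_server, WWW)
    return forward_action(acl, redirect_classes, probe) == "redirect local"


# Policy ACL http-packets from the configuration example; entry order matters.
HTTP_PACKETS_ACL = [
    AclEntry("tcp", "any", "host 10.1.1.1", WWW, "abc"),  # web server with the new URL
    AclEntry("tcp", "any", "any", WWW, "xyz"),            # all other HTTP packets
]
# Forward policy www-redirect: only class xyz gets 'redirect destination local'.
WWW_REDIRECT_CLASSES = {"xyz"}


if __name__ == "__main__":
    samples = (Packet("tcp", "192.0.2.10", "10.1.1.1", WWW),       # to the portal
               Packet("tcp", "192.0.2.10", "198.51.100.7", WWW),   # any other site
               Packet("udp", "192.0.2.10", "198.51.100.53", 53))   # DNS, unclassified
    for pkt in samples:
        print(pkt.proto, pkt.dst, pkt.dst_port, "->",
              classify(HTTP_PACKETS_ACL, pkt),
              forward_action(HTTP_PACKETS_ACL, WWW_REDIRECT_CLASSES, pkt))
    print("loop risk:", redirect_loop_risk(HTTP_PACKETS_ACL, WWW_REDIRECT_CLASSES, "10.1.1.1"))
```

Swapping the two ACL entries, or dropping the host entry, makes the portal traffic land in class xyz and the loop check report the risk.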
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure HTTP redirect
features. The commands are presented in alphabetical order:
encrypt
http-redirect profile
http-redirect server
port
redirect destination local
url
encrypt
encrypt sharedkey delimiter character
no encrypt sharedkey delimiter character
Purpose
Encrypts the identity attributes associated with the redirected subscriber HTTP session.
Command Mode
HTTP redirect profile configuration
Syntax Description
sharedkey Shared key used to encrypt the identity attributes associated with the redirected subscriber
HTTP session.
delimiter character Character that marks when the encrypted data starts and ends. The delimiter
character is not displayed as part of the redirected subscriber HTTP session.
Default
The identity attributes associated with the redirected subscriber HTTP session are redirected in plain text.
Usage Guidelines
Use the encrypt command to encrypt the identity attributes associated with the redirected subscriber HTTP
session. The encryption ensures the confidentiality of the identity attributes.
Use the no form of this command to remove the specified encrypt command from the HTTP redirect
profile.
To encrypt the identity attributes associated with a redirected subscriber HTTP session, the SmartEdge
router performs an Exclusive Or (XOR) operation. The router takes the variable representing each identity
attribute and then applies the XOR operator to each character using a shared key. The identity attributes and
sharedkey are all in ASCII text. The XOR operation on the ASCII text produces binary text. Because it is
required that the URL be transmitted in ASCII text, the binary text is encoded to a two-character
hexadecimal value. To decrypt the string of hexadecimal values, map each two-character hexadecimal value
to its ASCII value and apply the XOR operation to it using the same shared key.
If the shared key is shorter than the combined string of identity attributes, the shared key is repeated within
the XOR equation so that each ASCII value that represents a value for the identity attribute is paired with
a value from the shared key. For instance, here are sample identity attributes and a shared key to encrypt:
Username portion of the subscriber name. For example, joe.
Domain portion of the subscriber name. For example, example.com.
IP address of the subscriber session. For example, 10.1.11.22.
Shared key. For example, abcd.
Here is what the XOR equation looks like using this data:
joe@example.com10.1.11.22
abcdabcdabcdabcdabcdabcda
Here is an example of a redirected HTTP session that is encrypted:
http://example.com/061413144a57515658514a50514f504f/index.html
where 061413144a57515658514a50514f504f is the encrypted data.
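The XOR-and-hex scheme just described, as an added worked example in Python that is not SmartEdge OS code: it encrypts and decrypts the guide's sample attributes with the key abcd and substitutes the result into a delimiter-marked URL. The URL template convention used here (the %u, %d and %i variables are expanded first, then the segment between two delimiter characters is encrypted) is an assumption for the demo.

```python
"""Repeating-key XOR with hex encoding of subscriber identity attributes.

Added illustration of the scheme described in the encrypt command text; it is
not SmartEdge OS code. The URL template convention (the segment between two
delimiter characters is encrypted, %u/%d/%i are expanded first) is an assumption.
"""
from itertools import cycle


def xor_hex_encrypt(plaintext: str, shared_key: str) -> str:
    """XOR each ASCII character of plaintext with the shared key (repeated as
    needed) and return the bytes as lowercase two-character hex values."""
    if not shared_key:
        raise ValueError("shared key must not be empty")
    # The scheme is defined on ASCII text; reject anything else up front.
    plaintext.encode("ascii")
    shared_key.encode("ascii")
    return bytes(ord(p) ^ ord(k) for p, k in zip(plaintext, cycle(shared_key))).hex()


def xor_hex_decrypt(hex_text: str, shared_key: str) -> str:
    """Map each two-character hex value back to a byte and XOR it with the same
    repeating key to recover the ASCII attributes."""
    if not shared_key:
        raise ValueError("shared key must not be empty")
    if not hex_text or len(hex_text) % 2:
        raise ValueError("encrypted data must be a non-empty even-length hex string")
    data = bytes.fromhex(hex_text)  # raises ValueError on non-hex characters
    return "".join(chr(b ^ ord(k)) for b, k in zip(data, cycle(shared_key)))


def render_redirect_url(template: str, delimiter: str, attrs: dict, shared_key: str) -> str:
    """Expand the %-variables, then replace the delimited segment with its
    encrypted hex form. The delimiter characters are dropped from the result."""
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    expanded = template
    for name, value in attrs.items():  # e.g. {"%u": "joe", "%d": "example.com"}
        expanded = expanded.replace(name, value)
    start = expanded.find(delimiter)
    end = expanded.find(delimiter, start + 1)
    if start < 0 or end < 0:
        raise ValueError("template must contain an opening and a closing delimiter")
    secret = expanded[start + 1:end]
    return expanded[:start] + xor_hex_encrypt(secret, shared_key) + expanded[end + 1:]


# Constructed sample: the guide's attributes (joe, example.com, 10.1.11.22) and key abcd.
SAMPLE_ATTRS = {"%u": "joe", "%d": "example.com", "%i": "10.1.11.22"}
SAMPLE_KEY = "abcd"
SAMPLE_TEMPLATE = "http://example.com/#%u@%d%i#/index.html"  # '#' is the delimiter


def demo() -> str:
    """Encrypt the sample string, check the round trip, and return the final URL."""
    plaintext = "joe@example.com10.1.11.22"
    ciphertext = xor_hex_encrypt(plaintext, SAMPLE_KEY)
    assert xor_hex_decrypt(ciphertext, SAMPLE_KEY) == plaintext
    # Caveat for operators: a short repeating XOR key is obfuscation rather than
    # strong encryption. Anyone holding the key, or able to guess a few
    # plaintext characters (an IP address has a predictable shape), can undo
    # it, so the redirect target should still protect the data in transit.
    return render_redirect_url(SAMPLE_TEMPLATE, "#", SAMPLE_ATTRS, SAMPLE_KEY)


if __name__ == "__main__":
    print(demo())
```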
Examples
See the Configuration Examples on page 9-4.
Related Commands
None
http-redirect profile
http-redirect profile {default | prof-name} [temporary]
no http-redirect profile {default | prof-name} [temporary]
Purpose
In context configuration mode, configures an HTTP redirect profile and enters HTTP redirect profile
configuration mode.
In subscriber configuration mode, applies an HTTP redirect profile to a subscriber record, a named
subscriber profile, or the default subscriber profile.
Command Mode
context configuration
subscriber configuration
Syntax Description
default Specifies the default HTTP redirect profile name.
prof-name Specifies the HTTP redirect profile name.
temporary Optional. Specifies that the HTTP redirect profile to apply to the subscriber profile is
temporary. After the HTTP redirect is processed, the HTTP redirect profile is removed from the
subscriber profile.
Default
An HTTP redirect profile is not preconfigured.
Usage Guidelines
Use the http-redirect profile command in context configuration mode to configure an HTTP redirect
profile and to enter HTTP redirect profile configuration mode. To specify the default HTTP redirect profile,
use the keyword default.
Use the http-redirect profile command in subscriber configuration mode to apply an HTTP redirect profile
to a subscriber record, a named subscriber profile, or the default subscriber profile. To specify that the
HTTP redirect profile applied to a subscriber profile is to be temporary, use the keyword temporary.
Note It is within the default HTTP redirect profile that a shared key is configured. This key is used
to encrypt identity attributes associated with a redirected subscriber HTTP session, if VSA
165 is configured in RADIUS.
Use the no form of this command to do the following:
In context configuration mode, delete an HTTP redirect profile.
In subscriber configuration mode, remove an HTTP redirect profile from a subscriber record, a named
subscriber profile, or the default subscriber profile.
Examples
The following example configures the HTTP profile, Redirect, and enters HTTP redirect profile
configuration mode:
[local]Redback(config)#context local
[local]Redback(config-ctx)#http-redirect profile Redirect
[local]Redback(config-hr-profile)#
The following example applies the HTTP profile, Redirect, to the default subscriber record in the
local context:
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#http-redirect profile Redirect
The following example shows how to configure the HTTP redirect profile, Redirect, to be a temporary
HTTP redirect policy, and to apply it to the default subscriber record in the local context:
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#http-redirect profile Redirect temporary
Related Commands
None
http-redirect server
http-redirect server
no http-redirect server
Purpose
Enables an HTTP server on the controller card and accesses HTTP redirect server configuration mode.
Command Mode
global configuration
Syntax Description
This command has no keywords or arguments.
Default
The HTTP server is disabled on the controller card.
Usage Guidelines
Use the http-redirect server command to enable an HTTP server on the controller card and access HTTP
redirect server configuration mode.
Use the no form of this command to disable the HTTP server on the controller card.
Examples
The following example enables the HTTP server on the controller card and enters HTTP redirect server
configuration mode:
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#
Related Commands
http-redirect profile
port
redirect destination local
url
port
port [80] [port-number]
Purpose
Selects the port or ports on which the HTTP server on the controller card listens.
Command Mode
HTTP redirect server configuration
Syntax Description
80 Optional. Configures the HTTP server to listen on port 80. This is the default port.
port-number Optional. Configures the HTTP server to listen to the specified port or ports. The
supported ports range from 1025 to 51000.
Default
The HTTP server listens on port 80.
Usage Guidelines
Use the port command to select the port (or ports) on which the HTTP server on the controller card listens.
By default, the HTTP server listens on port 80. You can configure the HTTP server to listen on any port or
ports (up to 10) ranging from 1025 to 51000. Including port 80, the total number of ports to which the HTTP
server can listen is 11.
Examples
The following example configures the HTTP server to listen on ports 80, 8080, 1025, 45000, and 50000:
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80 8080 1025 45000 50000
Related Commands
http-redirect server
redirect destination local
redirect destination local
no redirect destination
Purpose
In forward policy configuration mode, redirects packets not associated with a class to the HTTP server on
the controller card.
In policy ACL configuration mode, redirects only packets associated with a class to the HTTP server on
the controller card.
Command Mode
forward policy configuration
policy ACL class configuration
Syntax Description
This command has no keywords or arguments.
Default
Packets are not redirected.
Usage Guidelines
In forward policy configuration mode, use the redirect destination local command to redirect packets not
associated with a class to the HTTP server on the controller card. In policy ACL configuration mode, use
the redirect destination local command to redirect only packets associated with a class to the HTTP server
on the controller card.
Use the no form of this command to disable the redirecting of packets.
Examples
The following example configures the forward policy, Business-Redirect, which redirects packets
associated with the class, Redirect, to the HTTP server on the controller card:
[local]Redback(config)#forward policy Business-Redirect
[local]Redback(config-policy-frwd)#redirect destination local
[local]Redback(config-policy-frwd)#access-group bus-redirect local
[local]Redback(config-policy-group)#class Redirect
[local]Redback(config-policy-group)#redirect destination local
Related Commands
http-redirect server
redirect destination circuit
redirect destination next-hop
url
url url
no url url
Purpose
Configures the URL to which the current subscriber HTTP session is to be redirected.
Command Mode
HTTP redirect profile configuration
Syntax Description
Default
An HTTP redirect URL is not configured.
Usage Guidelines
Use the url command to configure the URL to which the current subscriber session is to be redirected.
url URL to which the subscriber HTTP session is to be redirected. You can add a
backslash at the end of the URL followed by any of these variables to personalize the
URL:
%cCalling-station-ID of the subscriber session.
%dDomain portion of the subscriber name.
%iIP address of the subscriber session.
%nNAS-port-ID of the subscriber session.
%tTime stamp (in seconds) indicating when the HTTP redirection is applied to
the subscriber.
%uUsername portion of the subscriber name.
%UEntire subscriber name used in Point-to-Point Protocol (PPP) authentication.
Caution  Risk of redirect loop. Redirect can recur until an IP ACL that permits access to the new web
         page is applied to the subscriber record or profile. To reduce the risk, before modifying an
         existing URL, ensure that the subscriber record includes an IP ACL that permits access to the
         new URL.
Note  If the URL contains a question mark (?), press the Escape (Esc) key before you enter the ?
      character. Otherwise, the SmartEdge OS command-line interface (CLI) interprets the ? character
      as a request for help and does not allow you to complete the URL.
Use the no form of this command to delete the URL from the HTTP redirect profile.
Examples
The following example configures the URL, www.Redirect.com:
[local]Redback(config)#context local
[local]Redback(config-ctx)#http-redirect profile Redirect
[local]Redback(config-hr-profile)#url http://www.Redirect.com
Related Commands
http-redirect profile
http-redirect server
redirect destination local
Chapter 10
Hotlining Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS hotlining features.
For information about tasks and commands used to monitor, troubleshoot, and administer hotlining
features, see the HTTP Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Overview
Hotlining allows WiMAX operators to efficiently redirect subscribers to a portal controlled by a service
provider for service registration, updates, service advertisements, and address issues that require immediate
attention, such as virus attacks and missed payments. When hotlining is complete, the subscriber is released
from the hotlined state (released from the portal) and allowed to proceed to the original destination.
For example, if a subscriber has a mobile device that is locked to a subscription with a service provider,
that subscriber can be hotlined to a subscription server when the device is turned on. No other traffic is
allowed. The subscription server provides subscription options that the subscriber can choose from. When
the subscriber completes the subscription process, the subscriber is removed from the hotlined state.
When a hotlining session is activated, the HA receives the WiMAX Forum RADIUS VSA,
Hotline-Profile-ID (the hotlining profile identifier attribute), and Hotline-Indicator attribute (an attribute
that enables hotlining) from the AAA server in a RADIUS Access-Accept or change of authorization
(CoA) message. These attributes enable hotlining. The hotlining profile identifier selects a preconfigured
profile during the session. The RADIUS server or CoA sends the WiMAX Forum RADIUS VSA
Hotline-Indicator attribute in the Access-Accept or CoA-Request message, which is reported in the session
and hotlining accounting records. For information on hotlining RADIUS attributes (Hotline-Profile-ID and
Hotline-Indicator), see the WiMAX Forum RADIUS VSAs and WiMAX Forum RADIUS VSAs in the
CoA sections in Appendix A, RADIUS Attributes.
Note  Hotlining is a WiMAX feature that supports only WiMAX subscribers.
      There will be accounting discrepancies of a few bytes per packet when the home agent (HA)
      receives packets containing IP and GRE field values.
      If the shared-key is configured using the subscriber default mobile-ip shared-key
      command, the SmartEdge OS treats the subscriber as a 3GPP2 user.
The following are key accounting attributes in SmartEdge router RADIUS accounting records that
distinguish hotline accounting records from session accounting records and start records from stop records:
(A) SESSION-ACCT-START
    Acct-Status-Type = Start
    (no Hotline-Indicator)
    Acct-Session-ID = <generated-id-2>
    Acct-Multi-Session-ID = <multi-session-id-1>
    (no counters)
(B) SESSION-ACCT-STOP (session stop, hotlining begin)
    Acct-Status-Type = Stop
    Acct-Session-ID = <generated-id-2>
    (no Hotline-Indicator)
    (no Acct-Terminate-Cause)
    Acct-Multi-Session-ID = <multi-session-id-1>
    Counters
(C) SESSION-ACCT-STOP (regular session down)
    Acct-Status-Type = Stop
    (no Hotline-Indicator)
    Acct-Terminate-Cause = <some cause code>
    Acct-Session-ID = <generated-id-2>
    Acct-Multi-Session-ID = <multi-session-id-1>
    Counters
(D) HOTLINE-ACCT-START
    Acct-Status-Type = Start
    Hotline-Indicator = <hl-ind-1> (from AAA server)
    Acct-Session-ID = <generated-id-1>
    Acct-Multi-Session-ID = <multi-session-id-1>
    (no counters)
(E) HOTLINE-ACCT-STOP (hotline stop, begin regular session)
    Acct-Status-Type = Stop
    Hotline-Indicator = <hl-ind-1>
    Acct-Session-ID = <generated-id-1>
    (no Acct-Terminate-Cause)
    (no counters)
(F) HOTLINE-ACCT-STOP (session down from hotlining)
    Acct-Status-Type = Stop
    Hotline-Indicator = <hl-ind-1>
    Acct-Session-ID = <generated-id-1>
    Acct-Terminate-Cause = <some cause code>
    (no counters)
For information about the Acct-Terminate-Cause attribute, see Appendix A, RADIUS Attributes.
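The following Python script is an added example, not part of the Redback guide. It classifies accounting records into the six record types (A) to (F) above using only the attributes the guide lists as distinguishing (Acct-Status-Type, the presence of Hotline-Indicator, the presence of Acct-Terminate-Cause) and checks that counters appear only on session stop records. Because hotline stop records (E and F) carry no Acct-Multi-Session-ID, it links them back to their multi-session through the Acct-Session-ID that the HOTLINE-ACCT-START record carried. The records are constructed sample data, and the counter attribute names and dictionary layout are assumptions of the example.

```python
"""Classify SmartEdge-style RADIUS accounting records into the record types
(A) to (F) and correlate them per multi-session.

Added example, not Redback code; SAMPLE_RECORDS is constructed data."""

from collections import defaultdict

# Meaning of each record type, as listed in the guide.
RECORD_TYPES = {
    "A": "SESSION-ACCT-START",
    "B": "SESSION-ACCT-STOP (session stop, hotlining begin)",
    "C": "SESSION-ACCT-STOP (regular session down)",
    "D": "HOTLINE-ACCT-START",
    "E": "HOTLINE-ACCT-STOP (hotline stop, begin regular session)",
    "F": "HOTLINE-ACCT-STOP (session down from hotlining)",
}

# Counter attributes (assumed names); the guide says only session stop
# records (B and C) carry counters.
COUNTER_ATTRIBUTES = ("Acct-Input-Octets", "Acct-Output-Octets",
                      "Acct-Input-Packets", "Acct-Output-Packets")

# Constructed sample records (attribute -> value): one subscriber that is
# hotlined and then torn down while hotlined, plus one ordinary session.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "gen-2",
     "Acct-Multi-Session-ID": "msid-1"},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "gen-2",
     "Acct-Multi-Session-ID": "msid-1",
     "Acct-Input-Octets": 1500, "Acct-Output-Octets": 4200},
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "gen-1",
     "Acct-Multi-Session-ID": "msid-1", "Hotline-Indicator": "ABCDEF"},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "gen-1",
     "Hotline-Indicator": "ABCDEF", "Acct-Terminate-Cause": "Lost-Carrier"},
    {"Acct-Status-Type": "Start", "Acct-Session-ID": "gen-7",
     "Acct-Multi-Session-ID": "msid-2"},
    {"Acct-Status-Type": "Stop", "Acct-Session-ID": "gen-7",
     "Acct-Multi-Session-ID": "msid-2", "Acct-Terminate-Cause": "User-Request",
     "Acct-Input-Octets": 9000, "Acct-Output-Octets": 31000},
]


def classify(record):
    """Return the record type letter (A to F) for one accounting record."""
    status = record.get("Acct-Status-Type")
    hotline = "Hotline-Indicator" in record
    terminated = "Acct-Terminate-Cause" in record
    if status == "Start":
        return "D" if hotline else "A"
    if status == "Stop":
        if hotline:
            return "F" if terminated else "E"
        return "C" if terminated else "B"
    raise ValueError(f"unexpected Acct-Status-Type: {status!r}")


def counters_consistent(record):
    """True if counters are present exactly when the guide expects them
    (session stop records B and C); start and hotline records carry none."""
    has_counters = any(attr in record for attr in COUNTER_ATTRIBUTES)
    return has_counters == (classify(record) in ("B", "C"))


def timeline(records):
    """Group records per multi-session and list their types in arrival order.

    Hotline stop records carry no Acct-Multi-Session-ID, so they are linked
    through the Acct-Session-ID that the matching HOTLINE-ACCT-START carried."""
    session_to_multi = {}
    for rec in records:
        if "Acct-Multi-Session-ID" in rec:
            session_to_multi[rec["Acct-Session-ID"]] = rec["Acct-Multi-Session-ID"]
    grouped = defaultdict(list)
    for rec in records:
        multi = rec.get("Acct-Multi-Session-ID",
                        session_to_multi.get(rec["Acct-Session-ID"], "unlinked"))
        grouped[multi].append(classify(rec))
    return dict(grouped)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        kind = classify(rec)
        status = "counters ok" if counters_consistent(rec) else "COUNTER MISMATCH"
        print(kind, RECORD_TYPES[kind], status)
    print(timeline(SAMPLE_RECORDS))
```

A record that carries counters where the guide says there should be none (for example a hotline start with octet counters) is reported by counters_consistent, which is the kind of check worth running when reconciling session and hotline billing records.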
Configuration Tasks
To configure hotlining, perform the tasks described in the following sections:
Configure the Local HTTP Server on the Active Controller Card
Configure a RADIUS Server Profile
Configure a Policy ACL That Classifies HTTP Packets
Configure a Forward Policy to Redirect HTTP Packets
Configure Accounting Server
Configure the Local HTTP Server on the Active Controller Card
To configure the HTTP server on the active controller card, perform the tasks described in Table 10-1.
Note  In this section, the command syntax in the task tables displays only the root command; for the
      complete command syntax, see the full description for the command in the Command
      Descriptions section on page 9-6 in Chapter 9, HTTP Redirect Configuration.
Note  Hotlining is a WiMAX feature that supports only WiMAX subscribers.
      Hotlining does not support IP and GRE header field values in packets.
Table 10-1 Configure the HTTP Server on the Controller Card
1. Task: Enable the HTTP server on the controller card and access HTTP redirect server configuration
   mode.
   Root command: http-redirect server
   Notes: Enter this command in global configuration mode.
2. Task: Optional. Select the port on which the HTTP server listens.
   Root command: port
   Notes: Enter this command in HTTP redirect server configuration mode.
Configure a RADIUS Server Profile
To configure a RADIUS server profile, perform the task described in Table 10-2.
Table 10-2 Configure and Attach an HTTP Redirect Profile to Subscribers
1. Task: Create or select a RADIUS-guided service profile and access service profile configuration mode.
   Root command: radius service profile
   Notes: Enter this command in context configuration mode. For more information about RADIUS
   configuration, see Chapter 21, RADIUS Configuration.
Configure a Policy ACL That Classifies HTTP Packets
To configure a policy access control list (ACL) that classifies HTTP packets for the forward policy that
redirects HTTP packets, perform the tasks described in Table 10-3.
Table 10-3 Configure a Policy ACL That Classifies HTTP Packets
1. Task: Create or select the policy ACL and enter access control list configuration mode.
   Root command: policy access-list
   Notes: Enter this command in context configuration mode. This profile is the one selected by the value
   of the WiMAX attribute Hotline-Profile-Id. For more information about ACLs, see Chapter 12,
   ACL Configuration.
2. Task: Assign HTTP packets that are destined to the web server hosting the URL to a separate class.
   Root command: permit
   Notes: Enter this command in access control list configuration mode. Use the following construct:
   permit tcp any host ip-addr eq www class class-name
   Where the ip-addr argument is the IP address of the web server hosting the URL that you configured
   in step 2 in Table 10-2.
3. Task: Assign all other HTTP packets to a different class.
   Root command: permit
   Notes: Enter this command in access control list configuration mode. Use the following construct:
   permit tcp any any eq www class class-name
   Where the class-name argument is distinct from the one that you configured in step 2.
Configure a Forward Policy to Redirect HTTP Packets
To configure a forward policy to redirect HTTP packets, perform the tasks described in Table 10-4.
Table 10-4 Configure and Attach a Forward Policy to Redirect HTTP Packets
1. Task: Create or select the forward policy and access forward policy configuration mode.
   Root command: forward policy
   Notes: Enter this command in global configuration mode. For more information about forward
   policies, see Chapter 14, Forward Policy Configuration.
2. Task: Apply the policy ACL that you configured in Table 10-3 to the forward policy and access policy
   ACL configuration mode.
   Root command: access-group
   Notes: Enter this command in forward policy configuration mode.
3. Task: Specify all HTTP packets and access policy ACL class configuration mode.
   Root command: class
   Notes: Enter this command in policy ACL configuration mode. Use the class-name argument that you
   specified in step 3 in Table 10-3.
4. Task: Redirect HTTP packets to the HTTP server on the controller card.
   Root command: redirect destination local
   Notes: Enter this command in policy ACL class configuration mode.
Configure Accounting Server
To configure an accounting server, perform the tasks described in Table 10-4.
Table 10-5 Configure and Attach a Forward Policy to Redirect HTTP Packets
1. Task: Create or select the forward policy and access forward policy configuration mode.
   Root command: radius accounting server
   Notes: Enter this command in context configuration mode. For more information about RADIUS
   configuration, see Chapter 21, RADIUS Configuration.
Configuration Examples
The following section includes the following topics:
Hotlining Configuration Example
RADIUS Entry Example
Hotlining Configuration Example
The following example shows an HTTP redirect configuration:
! First enable the HTTP redirect server on the controller card.
[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80
[local]Redback(config-hr-server)#exit
! Configure the RADIUS profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius service profile wimax-h1-prof-3
[local]Redback(config-service-profile)#accounting in circuit
[local]Redback(config-service-profile)#accounting out circuit
[local]Redback(config-service-profile)#attribute forward-policy fwd-pol-1
[local]Redback(config-service-profile)#attribute http-redirect-url "http://my-redir-url.funky.com"
[local]Redback(config-service-profile)#exit
! Configure the ACL policy.
[local]Redback(config-ctx)#policy access-list http-packets-1
! Class PORTAL allows HTTP from any to the redirected web server at 10.1.1.1
[local]Redback(config-access-list)#permit tcp any host 10.1.1.1 eq www class PORTAL
! Specify that packets that are not part of the PORTAL class get redirected to the local HTTP server.
[local]Redback(config-access-list)#permit tcp any any eq www class REDIRECT
[local]Redback(config-access-list)#permit tcp any any eq www class CATCH-ALL
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
! Create the forward policy.
[local]Redback(config)#forward policy www-redirect-1
! Apply the ACL policy that classifies HTTP packets.
[local]Redback(config-policy-frwd)#access-group http-packets-1 local
! Redirect all REDIRECT class packets to the local HTTP server on the SmartEdge router.
[local]Redback(config-policy-group)#class REDIRECT
[local]Redback(config-policy-group-class)#redirect destination local
[local]Redback(config-policy-group-class)#exit
! Class PORTAL packets destined for the redirected web server typically get routed to the portal.
[local]Redback(config-policy-group)#class PORTAL
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class CATCH-ALL
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-frwd)#exit
! Configure a RADIUS accounting server IP address of 10.3.3.3 with the key, secret, using port 4445
! for accounting.
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius accounting server 10.3.3.3 key secret port 4445
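As an added illustration (not Redback code) of how the policy ACL and forward policy in the example above work together, the following Python model walks the http-packets-1 statements in order, assigns the first matching class, and applies the www-redirect-1 action for that class. The packet and rule representations, the sample packets, and the assumption that unclassified packets and classes without a configured action are forwarded normally are all constructed for this example. It also reports the CATCH-ALL statement as unreachable, since it repeats the criteria of the REDIRECT statement that precedes it, and shows that placing REDIRECT ahead of PORTAL would redirect portal-bound traffic too, which is the redirect loop that the url command's caution describes.

```python
"""Model of policy ACL classification and forward policy actions for the
http-packets-1 / www-redirect-1 example. Added example, not SmartEdge OS
code; rules, policy and packets are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'permit ... class' statement. dst=None stands for 'any',
    dport=None for no port criterion (assumed representation)."""
    proto: str
    dst: Optional[str]
    dport: Optional[int]
    cls: str


# permit tcp any host 10.1.1.1 eq www class PORTAL
# permit tcp any any eq www class REDIRECT
# permit tcp any any eq www class CATCH-ALL
HTTP_PACKETS_1 = [
    Rule("tcp", "10.1.1.1", 80, "PORTAL"),
    Rule("tcp", None, 80, "REDIRECT"),
    Rule("tcp", None, 80, "CATCH-ALL"),
]

# Action per class as configured under forward policy www-redirect-1.
# PORTAL has no action, so it is forwarded normally (assumption).
WWW_REDIRECT_1 = {
    "REDIRECT": "redirect destination local",
    "CATCH-ALL": "drop",
}


def rule_matches(rule, pkt):
    return (rule.proto == pkt.proto
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def classify(acl, pkt):
    """First matching statement wins; a packet matching no statement has no class."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.cls
    return None


def apply_policy(acl, policy, pkt):
    """Return (class, action). Unclassified packets and classes without an
    action are forwarded normally (an assumption of this model)."""
    cls = classify(acl, pkt)
    if cls is None:
        return None, "forward"
    return cls, policy.get(cls, "forward")


def shadowed_classes(acl):
    """Classes whose statement can never match because an earlier statement
    already matches every packet it would match. Worth checking before a
    policy ACL is attached to a policy."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto == later.proto
                    and earlier.dst in (None, later.dst)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(later.cls)
                break
    return shadowed


if __name__ == "__main__":
    portal = Packet("192.0.2.10", "10.1.1.1", "tcp", 80)          # constructed packets
    elsewhere = Packet("192.0.2.10", "198.51.100.7", "tcp", 80)
    https = Packet("192.0.2.10", "198.51.100.7", "tcp", 443)
    for pkt in (portal, elsewhere, https):
        print(pkt.dst, pkt.dport, apply_policy(HTTP_PACKETS_1, WWW_REDIRECT_1, pkt))
    print("never matched:", shadowed_classes(HTTP_PACKETS_1))
    # REDIRECT before PORTAL would redirect even portal-bound HTTP: a redirect loop.
    looping = [HTTP_PACKETS_1[1], HTTP_PACKETS_1[0]]
    print("portal traffic with REDIRECT first:", classify(looping, portal))
```

Running the model shows the ordering dependency that the tables above leave implicit: the PORTAL statement must precede the REDIRECT statement, and a second any/any HTTP statement after REDIRECT never matches, so the CATCH-ALL drop action in the example is never exercised for HTTP traffic.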
RADIUS Entry Example
The following RADIUS entry applies the forward policy at hotline activation time by referring to it from
the RADIUS service profile configured on the SmartEdge router.
WiMAX-Hotline-Profile-ID="wimax-hl-prof-3",
WiMAX-Hotline-Indicator="ABCDEF",
WiMAX-Capability ="\002\003\001"
Chapter 11
DNS Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Domain Name System
(DNS) features.
For information about the tasks and commands used to monitor, troubleshoot, and administer DNS features,
see the DNS Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
DNS maps hostnames to IP addresses. When a command refers to a hostname, the SmartEdge OS consults
the host table for mappings to IP addresses. If the information is not in the table, the SmartEdge OS
generates a DNS query to resolve the hostname. DNS is enabled on a per-context basis, with one domain
name allowed per context.
Note  When IP Version 6 (IPv6) addresses are not referenced or explicitly specified, the term IP
      address can refer generally to IP Version 4 (IPv4) addresses, IPv6 addresses, or IP addressing.
      In instances where IPv6 addresses are referenced or explicitly specified, the term IP address
      refers only to IPv4 addresses. For a description of IPv6 addressing and the types of IPv6
      addresses, see RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture.
Configuration Tasks
To configure DNS, perform the tasks described in the following sections:
Configure DNS
Enable DNS to Establish Subscriber Sessions (Optional)
Configure Static Hostname-to-IP Address Mappings (Optional)
Configure DNS
To configure DNS, perform the tasks described in Table 11-1; enter all commands in context configuration
mode.
Note  In this section, the command syntax in the task tables displays only the root command; for the
      complete command syntax, see the full description for the command in the Command
      Descriptions section.
Table 11-1 Configure DNS
Task: Specify a domain name (or alias) for the context.
   Root command: ip domain-name
   Notes: You can create up to six domain names per context.
Task: Specify the IP address of a primary (and, optionally, secondary) DNS server with one of the
   following tasks:
   Specify IPv4 addresses. Root command: ip name-servers
   Specify IPv6 addresses. Root command: ipv6 name-servers
   Notes: For DNS resolution to function, there must be an IP route to the DNS server.
Task: Enable the SmartEdge OS to use DNS resolution to look up hostname-to-IP address mappings.
   Root command: ip domain-lookup
   Notes: For DNS resolution to function, you must configure domain-name lookup.
Enable DNS to Establish Subscriber Sessions (Optional)
To enable subscriber sessions to be established using DNS, perform the task described in Table 11-2.
Table 11-2 Enable DNS to Establish Subscriber Sessions (Optional)
Task: Configure the IP address of a primary or secondary DNS server that a subscriber should use.
   Root command: dns
   Notes: Enter this command in subscriber configuration mode.
Configure Static Hostname-to-IP Address Mappings (Optional)
In addition to having DNS perform dynamic resolution, you can configure static hostname-to-IP address
mappings. To do so, perform the task described in Table 11-3; enter all commands in context configuration
mode.
Table 11-3 Configure Static Hostname-to-IP Address Mappings
Task: Create static hostname-to-IP address mappings in the host table with one of the following tasks:
   Create a mapping with an IPv4 address. Root command: ip host
   Create a mapping with an IPv6 address. Root command: ipv6 host
   Notes: The SmartEdge OS always consults the host table prior to generating a DNS lookup query. You
   can create up to 64 static entries in the host table.
Configuration Examples
The following example configures the redback.com domain for the local context and configures a
connection to a remote DNS server at IP address, 155.53.130.200. The ip domain-lookup command
enables DNS resolution:
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip domain-lookup
[local]Redback(config-ctx)#ip domain-name redback.com
[local]Redback(config-ctx)#ip name-servers 155.53.130.200
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure DNS features.
The commands are presented in alphabetical order:
dns
ip domain-lookup
ip domain-name
ip host
ip name-servers
ipv6 host
ipv6 name-servers
dns
dns {primary | secondary} ip-addr
no dns {primary | secondary} ip-addr
Purpose
Configures the IP address of a primary (and, optionally, secondary) Domain Name System (DNS) server
for a subscriber.
Command Mode
subscriber configuration
Syntax Description
primary      Configures the IP address of a primary DNS server.
secondary    Configures the IP address of a secondary DNS server.
ip-addr      DNS server IP address.
Default
No DNS servers are preconfigured.
Usage Guidelines
Use the dns command to configure the IP address of a primary (and, optionally, secondary) DNS server for
a subscriber.
Use the no form of this command to remove the DNS server information from a subscriber record.
Examples
The following example configures a primary DNS server address of 10.2.3.4 for subscriber, kenny:
[local]Redback(config-ctx)#subscriber name kenny
[local]Redback(config-sub)#dns primary 10.2.3.4
Related Commands
ip domain-lookup
ip domain-name
ip host
ip name-servers
ipv6 host
ipv6 name-servers
ip domain-lookup
ip domain-lookup
no ip domain-lookup
Purpose
Enables the SmartEdge OS to use Domain Name System (DNS) resolution to look up
hostname-to-IP address mappings in the host table for the context.
Command Mode
context configuration
Syntax Description
This command has no keywords or arguments.
Default
DNS lookup is disabled.
Usage Guidelines
Use the ip domain-lookup command to enable the SmartEdge OS to use DNS resolution to look up
hostname-to-IP address mappings in the host table for the context.
This command allows a user to ping or Telnet to a host using a hostname, instead of having to know the
host's specific IP address. When a command references a hostname, the SmartEdge OS consults the local
host table to obtain the hostname-to-IP address mapping. If the information is not in the local host table,
the SmartEdge OS generates a DNS query to resolve the hostname.
For DNS resolution to function, one or more DNS servers must be specified using the ip name-servers
command. Hostnames that are statically entered into the local host table using the ip host command are
also used for DNS resolution.
Use the no form of this command to disable DNS resolution lookup.
Examples
The following example enables DNS resolution:
[local]Redback(config-ctx)#ip domain-lookup
Related Commands
dns
ip domain-name
ip host
ip name-servers
ipv6 host
ipv6 name-servers
ip domain-name
ip domain-name name
no ip domain-name name
Purpose
Creates a Domain Name System (DNS) name (or alias) for the context.
Command Mode
context configuration
Syntax Description
name    Name (or alias) of the domain for the context.
Default
No domain names are created for the context.
Usage Guidelines
Use the ip domain-name command to create a domain name (or alias) for the context.
You can create up to six domain names for each context.
Use the no form of this command to remove the domain name (or alias) from the configuration.
Examples
The following example creates a domain name for the local context, redback.com:
[local]Redback(config-ctx)#ip domain-name redback.com
Related Commands
dns
ip domain-lookup
ip host
ip name-servers
ipv6 host
ipv6 name-servers
ip host
ip host hostname ip-addr
no ip host hostname ip-addr
Purpose
Creates a static hostname-to-Internet Protocol version 4 (IPv4) address Domain Name System (DNS)
mapping in the host table for the context.
Command Mode
context configuration
Syntax Description
hostname    Name of the host.
ip-addr     IPv4 address of the host.
Default
No static mappings are preconfigured.
Usage Guidelines
Use the ip host command to create a static hostname-to-IPv4 address DNS mapping in the host table for
the context.
You can create up to 64 static entries in the host table. The SmartEdge OS always consults the host table
prior to generating a DNS lookup query.
Use the no form of this command to remove the specified static entry. Specifying a new IPv4 address for
an existing hostname removes the previously specified IPv4 address.
Examples
The following example statically maps the hostname, hamachi, to the IPv4 address, 192.168.42.105:
[local]Redback(config-ctx)#ip host hamachi 192.168.42.105
Related Commands
dns
ip domain-lookup
ip domain-name
ip name-servers
ip name-servers
ip name-servers primary-ip-addr [secondary-ip-addr]
no ip name-servers
Purpose
Specifies the Internet Protocol version 4 (IPv4) address of a primary (and, optionally, a secondary) Domain
Name System (DNS) server.
Command Mode
context configuration
Syntax Description
primary-ip-addr      IPv4 address of the primary DNS server.
secondary-ip-addr    Optional. IPv4 address of the secondary DNS server.
Default
No DNS server IPv4 addresses are preconfigured.
Usage Guidelines
Use the ip name-servers command to specify the IPv4 address of a primary (and, optionally, a secondary)
DNS server.
For DNS resolution to function, you must configure domain-name lookup using the ip domain-lookup
command (in context configuration mode), and there must be an IP route to the DNS servers.
Use the no form of this command to remove the specified DNS server association. If you delete the primary
DNS server, any configured secondary DNS server becomes the primary server.
Examples
The following command configures an association with a primary DNS server at IPv4 address,
128.215.33.47, and a secondary server at IPv4 address, 196.145.92.33:
[local]Redback(config-ctx)#ip name-servers 128.215.33.47 196.145.92.33
The following command removes the primary DNS server, making the server that was previously the
secondary into the primary:
[local]Redback(config-ctx)#no ip name-servers 128.215.33.47
Related Commands
dns
ip domain-lookup
ip domain-name
ip host
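To make the resolution order and name-server semantics of this chapter concrete, here is an added Python model (not SmartEdge OS code) of one context's DNS configuration: the host table is consulted before any query is generated, a query is issued only when ip domain-lookup is enabled and name servers are configured, the primary server is tried before the secondary, and deleting the primary promotes the secondary. The DnsContext class, the fake_query stand-in for the DNS exchange and its zone data are assumptions made for illustration; the 64-entry host table and six-domain-name limits are the guide's.

```python
"""Model of per-context DNS resolution as described in the DNS chapter.
Added example, not SmartEdge OS code; the query callback and zone data are
constructed stand-ins for real DNS servers."""

import ipaddress


class DnsContext:
    MAX_HOST_ENTRIES = 64      # static host-table limit stated by the guide
    MAX_DOMAIN_NAMES = 6       # domain names per context, stated by the guide

    def __init__(self, name):
        self.name = name
        self.domain_lookup = False
        self.domain_names = []
        self.hosts = {}            # hostname -> IPv4Address or IPv6Address
        self.name_servers = []     # [primary] or [primary, secondary]

    def ip_domain_lookup(self, enable=True):
        """ip domain-lookup / no ip domain-lookup."""
        self.domain_lookup = enable

    def ip_domain_name(self, name):
        """ip domain-name name (at most six per context)."""
        if name not in self.domain_names:
            if len(self.domain_names) >= self.MAX_DOMAIN_NAMES:
                raise ValueError("at most six domain names per context")
            self.domain_names.append(name)

    def ip_host(self, hostname, addr):
        """ip host / ipv6 host: a new address for an existing hostname
        replaces the previously specified one; at most 64 static entries."""
        addr = ipaddress.ip_address(addr)      # validates IPv4 or IPv6 syntax
        if hostname not in self.hosts and len(self.hosts) >= self.MAX_HOST_ENTRIES:
            raise ValueError("host table full (64 static entries)")
        self.hosts[hostname] = addr

    def ip_name_servers(self, primary, secondary=None):
        """ip name-servers primary [secondary] (ipv6 name-servers has the same shape)."""
        servers = [ipaddress.ip_address(primary)]
        if secondary is not None:
            servers.append(ipaddress.ip_address(secondary))
        self.name_servers = servers

    def no_ip_name_servers(self, addr):
        """no ip name-servers addr: deleting the primary promotes the secondary."""
        addr = ipaddress.ip_address(addr)
        self.name_servers = [s for s in self.name_servers if s != addr]

    def resolve(self, hostname, query):
        """Resolve hostname. `query(server, hostname)` stands in for the DNS
        exchange and returns an address string or None (model assumption).
        Returns (address or None, where the answer came from)."""
        if hostname in self.hosts:                     # host table first, always
            return self.hosts[hostname], "host-table"
        if not self.domain_lookup or not self.name_servers:
            return None, "no-lookup"
        for server in self.name_servers:               # primary, then secondary
            answer = query(server, hostname)
            if answer is not None:
                return ipaddress.ip_address(answer), f"dns:{server}"
        return None, "nxdomain"


# Constructed zone data for the two servers of the ip name-servers example.
FAKE_ZONE = {
    ipaddress.ip_address("128.215.33.47"): {"www.redback.com": "192.0.2.80"},
    ipaddress.ip_address("196.145.92.33"): {"www.redback.com": "192.0.2.80",
                                            "backup.redback.com": "192.0.2.81"},
}


def fake_query(server, hostname):
    """Stand-in for sending a DNS query to `server`."""
    return FAKE_ZONE.get(server, {}).get(hostname)


def build_example_context():
    """Context configured with the commands shown in this chapter's examples."""
    ctx = DnsContext("local")
    ctx.ip_domain_lookup()
    ctx.ip_domain_name("redback.com")
    ctx.ip_name_servers("128.215.33.47", "196.145.92.33")
    ctx.ip_host("hamachi", "192.168.42.105")
    return ctx


if __name__ == "__main__":
    ctx = build_example_context()
    print(ctx.resolve("hamachi", fake_query))             # answered from the host table
    print(ctx.resolve("backup.redback.com", fake_query))  # primary misses, secondary answers
    ctx.no_ip_name_servers("128.215.33.47")
    print(ctx.name_servers)                                # the secondary is now primary
```

The static entry for hamachi is answered without a query even though name servers are configured, and the backup.redback.com lookup shows the fallback from the primary to the secondary server; after the primary is deleted, the single remaining server is what the guide calls the new primary.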
ipv6 host
ipv6 host hostname ipv6-addr
no ipv6 host hostname ipv6-addr
Purpose
Creates a static hostname-to-IP Version 6 (IPv6) address Domain Name System (DNS) mapping in the host
table for the context.
Command Mode
context configuration
Syntax Description
hostname     Name of the host.
ipv6-addr    IPv6 address of the host.
Default
No static mappings are preconfigured.
Usage Guidelines
Use the ipv6 host command to create a static hostname-to-IPv6 address DNS mapping in the host table for
the context.
You can create up to 64 static entries in the host table. The SmartEdge OS always consults the host table
prior to generating a DNS lookup query.
Use the no form of this command to remove the specified static entry. Specifying a new IPv6 address for
an existing hostname removes the previously specified IPv6 address.
Examples
The following example statically maps the hostname, hamachi, to the IPv6 address, 2007::1:
[local]Redback(config-ctx)#ipv6 host hamachi 2007::1
Related Commands
dns
ip domain-lookup
ip domain-name
ipv6 name-servers
ipv6 name-servers
ipv6 name-servers primary-ipv6-addr [secondary-ipv6-addr]
no ipv6 name-servers
Purpose
Specifies the IP Version 6 (IPv6) address of a primary (and, optionally, a secondary) Domain Name System
(DNS) server.
Command Mode
context configuration
Syntax Description
primary-ipv6-addr      IPv6 address of the primary DNS server.
secondary-ipv6-addr    Optional. IPv6 address of the secondary DNS server.
Default
No DNS server IPv6 addresses are preconfigured.
Usage Guidelines
Use the ipv6 name-servers command to specify the IPv6 address of a primary (and, optionally, a
secondary) DNS server.
For DNS resolution to function, you must configure the domain name lookup using the ip domain-lookup
command (in context configuration mode), and there must be an IPv6 route to the DNS servers.
Use the no form of this command to remove the specified DNS server association. If you delete the primary
DNS server, any configured secondary DNS server becomes the primary server.
Examples
The following command configures an association with a primary DNS server at IPv6 address, 2007::1,
and a secondary server at IPv6 address, 2007::2:
[local]Redback(config-ctx)#ipv6 name-servers 2007::1 2007::2
The following command removes the primary DNS server, making the server that was previously the
secondary into the primary:
[local]Redback(config-ctx)#no ipv6 name-servers 2007::1
Related Commands
dns
ip domain-lookup
ip domain-name
ipv6 host
Chapter 12
ACL Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS access control lists
(ACLs).
For information about the tasks and commands used to monitor, troubleshoot, and administer ACLs, see
the ACL Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
SmartEdge OS ACLs are described in the following subsections:
IP ACLs
Policy ACLs
IP ACLs
IP ACLs are lists of packet filters used to control the type of service that packets should receive. All IP
ACLs are defined within a context. The following sections describe IP ACLs:
IP ACL Applications
IP ACL Statements
IP ACL Packet Filtering
Dynamic IP Filter ACL
Note In the following descriptions, the term, controller card, applies to the Cross-Connect Route
Processor (XCRP) or the XCRP Version 3 (XCRP3) Controller card, unless otherwise noted.
IP ACL Applications
Using an IP ACL, you can filter traffic on traffic card circuits, the Ethernet management port, and
subscriber circuits, and administrative traffic, as described in the following subsections:
Traffic Card Circuits
Ethernet Management Port
Subscriber Circuits
Administrative
Traffic Card Circuits
To filter packets in either the inbound or outbound direction on traffic card circuits, you apply an IP ACL
to the interface to which the circuits are bound.
Ethernet Management Port
To filter packets in either the inbound or outbound direction on the Ethernet management port on the active
controller card, you apply an IP ACL to the interface to which the management port is bound. Both inbound
and outbound filters are supported.
Subscriber Circuits
To filter packets in either the inbound or outbound direction for a subscriber circuit, you apply an IP ACL
to the subscriber record, a named subscriber profile, or the default subscriber profile. Both inbound and
outbound filters are supported.
Administrative
To filter inbound packets that are delivered to the kernel, you apply an IP ACL to a context. These ACLs
are independent of the interface and circuit on which they were received.
IP ACL Statements
In an IP ACL, each statement (referred to as a rule) defines the action, either permit or deny, to be taken for
a packet if the packet satisfies the rule. A permit statement causes any packet matching the criteria to be
accepted. A deny statement causes any packet matching the criteria to be dropped. A packet that does not
match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until
the end of the IP ACL is reached, at which point the packet is dropped due to an implicit deny any any
statement at the end of every IP ACL.
You can use the optional seq seq-num construct with any permit or deny command to establish a sequence
number for the statement you are creating. If you do not use the seq seq-num construct, the system
automatically assigns sequence numbers to the statements that you enter, in increments of 10.
The first statement that you enter is assigned the sequence number of 10, the second is assigned the number
20, and so on. This allows room to assign intermediate sequence numbers to statements that you might want
to add later. The assigned sequence numbers for the various statements are displayed in the output of the
show configuration acl and show ip access-list commands.
If manually assigned sequence numbers leave no room for insertion of additional entries in the IP ACL,
you can use the resequence ip access-list command (in context configuration mode) to reassign the
sequence numbers so that they are in increments of 10. The no seq seq-num construct removes an
individual statement from the IP ACL.
Note  To ensure that all inbound packets are filtered before being delivered to the kernel, you must
      apply an IP ACL to each and every context that you have configured.
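As an added example (not SmartEdge OS code) of the statement handling described above, the following Python class keeps IP ACL statements ordered by sequence number, assigns automatic numbers in increments of 10, accepts a manual seq for insertion between existing statements, removes a statement the way no seq seq-num does, resequences to multiples of 10, and evaluates a packet by first match with the implicit deny any any at the end. The criteria representation, the sample ACL, the per-statement counters, and the rule that an automatic number is the next multiple of 10 above the highest number in use are assumptions of the model.

```python
"""Model of IP ACL sequence numbering and first-match evaluation.
Added example, not SmartEdge OS code; the sample ACL is constructed."""

import ipaddress


class IpAcl:
    def __init__(self, name):
        self.name = name
        # (seq, action, proto, src_net, dst_net, dport), kept sorted by seq
        self.rules = []
        self.counters = {}       # seq -> matched packets (the optional count function)

    def _next_seq(self):
        # Assumption: next multiple of 10 above the highest number in use,
        # so the first statement gets 10, the second 20, and so on.
        highest = self.rules[-1][0] if self.rules else 0
        return (highest // 10 + 1) * 10

    def add(self, action, proto, src, dst, dport=None, seq=None):
        """permit|deny proto src dst [eq dport] [seq seq-num]; 'any' for src/dst."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if seq is None:
            seq = self._next_seq()
        elif any(r[0] == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        src_net = None if src == "any" else ipaddress.ip_network(src, strict=False)
        dst_net = None if dst == "any" else ipaddress.ip_network(dst, strict=False)
        self.rules.append((seq, action, proto, src_net, dst_net, dport))
        self.rules.sort(key=lambda r: r[0])
        self.counters[seq] = 0
        return seq

    def remove(self, seq):
        """no seq seq-num: remove one statement."""
        self.rules = [r for r in self.rules if r[0] != seq]
        self.counters.pop(seq, None)

    def resequence(self):
        """resequence ip access-list: renumber 10, 20, 30, ... keeping order."""
        self.rules = [(10 * (i + 1),) + r[1:] for i, r in enumerate(self.rules)]
        self.counters = {r[0]: 0 for r in self.rules}

    def sequence_numbers(self):
        return [r[0] for r in self.rules]

    def evaluate(self, proto, src, dst, dport=None):
        """First matching statement decides; no match means the implicit deny.
        Returns (action, seq of the matching statement or None)."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        for seq, action, r_proto, src_net, dst_net, r_dport in self.rules:
            if r_proto not in ("ip", proto):
                continue
            if src_net is not None and src_ip not in src_net:
                continue
            if dst_net is not None and dst_ip not in dst_net:
                continue
            if r_dport is not None and r_dport != dport:
                continue
            self.counters[seq] += 1
            return action, seq
        return "deny", None          # implicit deny any any at the end of every IP ACL


def build_sample_acl():
    """Constructed management ACL: SSH only from one admin prefix, ICMP from
    anywhere; everything else falls through to the implicit deny."""
    acl = IpAcl("mgmt-in")
    acl.add("permit", "tcp", "192.0.2.0/24", "any", dport=22)   # seq 10
    acl.add("deny", "tcp", "any", "any", dport=22)               # seq 20
    acl.add("permit", "icmp", "any", "any")                      # seq 30
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    print(acl.evaluate("tcp", "192.0.2.7", "10.0.0.1", 22))      # ('permit', 10)
    print(acl.evaluate("tcp", "198.51.100.9", "10.0.0.1", 22))   # ('deny', 20)
    print(acl.evaluate("udp", "192.0.2.7", "10.0.0.1", 53))      # ('deny', None): implicit deny
    acl.add("permit", "tcp", "198.51.100.0/24", "any", dport=22, seq=15)  # slot between 10 and 20
    print(acl.sequence_numbers())                                 # [10, 15, 20, 30]
    acl.resequence()
    print(acl.sequence_numbers())                                 # [10, 20, 30, 40]
```

The inserted statement with seq 15 takes effect ahead of the deny at 20 purely because of its number, which is the behaviour the automatic gaps of 10 are designed to allow; once the gaps are used up, resequence restores them without changing the evaluation order.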
IP ACL Packet Filtering
Based on the rules specified in the ACLs associated with the packet, the SmartEdge OS decides whether
the packet is forwarded or dropped. Statement criteria include all Internet protocols and can be specified by
the protocol numbers established in RFC 1700, Assigned Numbers. A subset of these options can also be
specified by keyword.
All packets that are permitted or dropped as a result of an IP ACL can be counted and logged (denied
packets only) if you enable the count and log functions when you apply an IP ACL. By default, the counting
and logging of packets is disabled because these functions have an impact on system performance. We
recommend that you only enable logging or counting when required for diagnostic purposes.
The SmartEdge router uses IP ACLs to filter packets in the following order:
1. ACLs applied to interfaces for inbound traffic on traffic card circuits and the Ethernet management port.
2. ACLs applied to subscriber records and profiles for inbound traffic on subscriber circuits.
3. ACLs applied to contexts for administrators (inbound only).
4. ACLs applied to outbound traffic on traffic card circuits and the Ethernet management port.
5. ACLs applied to subscriber records and profiles for outbound traffic on subscriber circuits.
Dynamic IP Filter ACL
Dynamic IP filter ACLs allow IP ACL packet filtering to be downloaded from a Remote Authentication
Dial-In User Service (RADIUS) server. A dynamic IP filter ACL consists of a set of rules, each of which
is contained in an RFC vendor-specific attribute (VSA) 242 instance.
For more information about VSA 242, see the Other VSAs Supported by the SmartEdge OS section in
Appendix A, RADIUS Attributes.
Policy ACLs
A policy ACL is a list of packet filters (rules), each of which defines a class of packets. A policy ACL,
unlike an IP ACL, does not define the action for each rule; instead, the action for each class is determined
by the policy to which the policy ACL is applied. All policy ACLs are defined within a context.
The following subsections describe policy ACLs:
Policy ACL Applications
Dynamic Policy ACLs
Overview
12-4 IP Services and Security Configuration Guide
Policy ACL Statements
Policy ACL Packet Filtering
Policy ACL Applications
You can apply a policy ACL to class-based forwarding, Network Address Translation (NAT), or quality of
service (QoS) policies to filter packets. When applied to a class-based policy, a policy ACL allows different
actions to be applied to different classes of packets.
For information about forward policies, see Chapter 14, Forward Policy Configuration. For information
about NAT policies, see Chapter 13, NAT Policy Configuration. For information about QoS policing and
metering policies, see Chapter 16, QoS Rate- and Class-Limiting Configuration.
Dynamic Policy ACLs
Dynamic policy ACLs allow a class-based policy to be governed by a policy ACL that is downloaded from
a RADIUS server. A dynamic policy ACL consists of a set of classification rules, each of which is
contained in a Redback vendor-specific attribute (VSA) 164 instance. All rules in all dynamic policy
ACLs are downloaded in a single RADIUS message. You do not apply a dynamic policy ACL to a
class-based policy; instead, the SmartEdge OS applies the dynamic policy ACL from the VSA 164
instance. Class-based policies configured with dynamic ACLs are referred to as RADIUS-guided policies.
Traditional policy ACLs and class-based policies are referred to as static policy ACLs and static policies,
respectively.
Policy ACL Statements
A policy ACL uses permit statements to define how packets are assigned to classes. A packet that does not
match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until
the end of the policy ACL is reached, at which point the packet is assigned to the default class.
You can use the optional seq seq-num construct with any permit statement to establish a sequence number
for the statement. If you do not use the seq seq-num construct, the system automatically assigns sequence
numbers to the statements that you enter, in increments of 10. The first statement you enter is assigned the
sequence number of 10, the second is assigned the number 20, and so on. This allows room to assign
intermediate sequence numbers to statements that you might want to add later. The assigned sequence
numbers for the various statements are displayed in the output of the show configuration acl, show
configuration policy, and show policy access-list commands.
If manually assigned sequence numbers leave no room for insertion of additional entries in the policy ACL,
you can use the resequence policy access-list command (in context configuration mode) to reassign the
sequence numbers so they are in increments of 10. The no seq seq-num construct removes an individual
statement from the policy ACL.
Policy ACL Packet Filtering
Statement criteria for filtering includes all Internet protocols, which can be specified by the protocol
numbers established in RFC 1700, Assigned Numbers. A subset of these options can also be specified by
keyword. Based on classification, a class-based policy defines the type of action to be performed on the
packets in a particular class. All packets that match the criteria can be counted by the statement if you
enable the count when you apply a policy ACL. By default, the counting of packets is disabled because this
function has an impact on system performance. Redback recommends that you enable counting only when
required for diagnostic purposes.
Configuration Tasks
To configure ACLs, perform the tasks described in the following sections:
Configuration Guidelines
Configure an IP ACL
Apply an IP ACL
Enable ACL Counters or Logging for a Subscriber
Modify IP ACL Conditions in Real Time
Configure a Policy ACL
Apply a Policy ACL
Modify Policy ACL Conditions in Real Time
Configuration Guidelines
Guidelines for configuring IP and policy ACLs are described in the following sections:
Static IP and Policy ACL Guidelines
IP ACL Guidelines
Policy ACL Guidelines
Guidelines for RADIUS-Guided Policies
VSA 164 Guidelines for Dynamic Policy ACLs
Static IP and Policy ACL Guidelines
The following guidelines apply to the configuration of static IP and policy ACLs:
The optional construct, seq seq-num, for permit and deny commands, allows you to assign a sequence
number to a particular statement, affecting where it is located within a series of statements in an ACL.
If you do not use this construct, the SmartEdge OS automatically assigns sequence numbers in
increments of 10. The first statement you enter is assigned the sequence number of 10, the second is
assigned the number 20, and so on.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
You cannot modify static IP ACL and policy ACL statements that do not reference time range
conditions in real time unless you modify or remove the statements themselves, because the actions
(permit or deny) and the resulting class names are constant. However, you can modify statements that
reference time-range conditions, because their actions or the resulting class names depend on the
current date and time as defined in the corresponding condition statement.
ACL conditions redefine the rule's action or the rule's class name based on specified date and time
ranges. You can configure any combination of up to seven absolute (one specific time interval) or
periodic (recurring time interval) statements in an ACL condition. When an IP ACL rule or a policy
ACL rule references an ACL condition, the rule's action (permit/deny) or the rule's class name is
determined by the action and the class name defined in the condition.
ACL conditions are configured with individual IDs to make them unique. The cond-id argument used
with the condition command must match the condition ID specified in the ACL rule.
An IP or policy ACL can contain multiple entries; the order is significant. Each entry is processed in
the order it appears in the configuration file. As soon as an entry matches, the corresponding action is
taken and no further processing takes place.
IP ACL Guidelines
The following filtering rules apply to IP ACLs:
Each IP ACL has an implicit deny any any statement at the end. If a packet does not match any explicit
filter statement in the list, it is dropped. Unlike the explicit statements in the ACL, this implicit final
statement is not displayed in the output of the show configuration acl or show ip access-list command
(in any mode).
You apply IP ACLs to interfaces, subscriber records, and contexts. Administrative access control is
context-specific. To ensure that all inbound packets are filtered before being delivered to the kernel, you
must apply an IP ACL to each and every configured context.
If you apply an IP ACL to a multibind interface, it does not affect the IP traffic on the subscriber
sessions that are bound to that interface; the ACL is applied only to the IP traffic on circuits that are
statically bound to the interface using the bind interface command (in the circuits configuration
mode).
If a nonexistent IP ACL is applied to an interface, all packets are forwarded with no filtering.
If a nonexistent IP ACL is applied to a subscriber record, the subscriber session will not come up; this
restriction also applies if a nonexistent ACL is applied to a Remote Authentication Dial-In User Service
(RADIUS) attribute.
Policy ACL Guidelines
The following rules apply to static and dynamic policy ACLs:
If a packet does not match any classifying rule, it is considered to belong to the default class.
If a nonexistent policy ACL is applied to a forward policy, NAT policy, a QoS metering policy, or a QoS
policing policy, it is ignored and packets are forwarded according to a policy action with no
classification.
Guidelines for RADIUS-Guided Policies
Configuration guidelines for RADIUS-guided policies include:
You can configure any class-based policy to allow a dynamic policy ACL to govern it. Class-based
policies include forward, NAT, and QoS policies.
Dynamic policy ACLs are not supported for NAT policies in the outgoing direction.
You cannot change the type of a class-based policy from static to RADIUS-guided or from
RADIUS-guided to static; you must delete the policy and recreate it.
You can configure a class-based policy with a static policy ACL in addition to allowing a dynamic
policy ACL, but the static policy ACL takes precedence. That is, the dynamic policy ACL classifies
only those packets that are not already classified by the static policy ACL.
You can apply any combination of static and dynamic policy ACLs to a RADIUS-guided policy.
You cannot apply a dynamic policy ACL to a static class-based policy.
RADIUS-guided policies can be attached only to subscriber profiles (named and default) and records.
You do not attach a RADIUS-guided policy with a dynamic policy ACL; instead, it is attached by the
SmartEdge OS.
A RADIUS-guided policy must exist before the SmartEdge OS can apply a dynamic policy ACL to it.
If you add a class to an existing RADIUS-guided policy and that class is governed by a dynamic policy
ACL, then that class is immediately active on all circuits to which the RADIUS-guided policy is
attached. If the class is not included in the dynamic policy ACL, it is dormant until the dynamic policy
ACL is changed to include the class.
If you delete a class from an existing RADIUS-guided policy, the change takes effect immediately on
all circuits to which the policy is attached. If you delete a dormant class, traffic is unaffected.
You can delete all classes from a RADIUS-guided policy that is already attached to subscriber circuits.
You can modify class parameters in a RADIUS-guided policy at any time.
If you delete a RADIUS-guided policy, it is removed from all subscriber circuits to which it was
attached. The subscriber circuits remain up, but the show subscribers command (in any mode) with the
active keyword might not display current information.
VSA 164 Guidelines for Dynamic Policy ACLs
The following guidelines govern the use of Redback VSAs for dynamic policy ACLs:
Dynamic policy ACLs are defined on a RADIUS server and downloaded using one or more instances
of VSA 164.
Each downloaded VSA 164 instance contains one classification rule.
A subscriber profile or record can contain multiple VSA 164 instances.
All VSA 164 instances that have the same service (forward, NAT, or QoS) and the same direction are
considered to be rules of a dynamic policy ACL for that service.
The rules in a dynamic policy ACL are sequenced by the order in which VSA 164 instances appear in
a subscriber record.
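The sequence-numbering, first-match, implicit-deny, time-range condition and static-before-dynamic behaviour described above can be seen end to end in the following Python model. It is an added example constructed for this edit, not Redback code or the SmartEdge OS implementation; the Packet and Statement types, the CIDR form of host matches, and keeping a rule's own action outside a condition's time ranges are assumptions.

```python
"""Toy evaluator for SmartEdge-style IP and policy ACLs (constructed example, not Redback code)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Statement:
    action: str                 # "permit"/"deny" (IP ACL) or a class name (policy ACL)
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"            # "any" or CIDR; the CLI's "host 10.10.10.4" is "10.10.10.4/32"
    dst: str = "any"
    dport: Optional[int] = None
    cond: Optional[int] = None  # ID of the ACL condition this rule references, if any
    seq: int = 0

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return self.dport is None or self.dport == pkt.dport

def parse_abs_time(text):
    """Parse the absolute command's yyyy:mm:dd:hh:mm[:ss] argument into a datetime."""
    fields = [int(f) for f in text.split(":")]
    if len(fields) not in (5, 6):
        raise ValueError(f"bad absolute time {text!r}")
    return datetime(*fields)

def absolute(start, end, action):
    """One absolute condition statement as (predicate on the current time, action)."""
    s, e = parse_abs_time(start), parse_abs_time(end)
    return (lambda now: s <= now <= e, action)

def periodic_weekdays(start_hm, end_hm, action):
    """One periodic condition statement: Monday to Friday between two hh:mm times."""
    s, e = (tuple(int(x) for x in t.split(":")) for t in (start_hm, end_hm))
    return (lambda now: now.weekday() < 5 and s <= (now.hour, now.minute) <= e, action)

class AccessList:
    def __init__(self, kind):
        self.kind = kind        # "ip" or "policy"
        self.stmts = []         # always kept sorted by seq
        self.conds = {}         # cond-id -> list of up to seven (predicate, action) pairs

    def add(self, stmt, seq=None):
        """Without an explicit seq the numbers run 10, 20, 30, ... as on the CLI."""
        if seq is None:
            seq = max((s.seq for s in self.stmts), default=0) + 10
        if any(s.seq == seq for s in self.stmts):
            raise ValueError(f"sequence number {seq} already in use")
        stmt.seq = seq
        self.stmts.append(stmt)
        self.stmts.sort(key=lambda s: s.seq)

    def remove(self, seq):      # "no seq seq-num"
        self.stmts = [s for s in self.stmts if s.seq != seq]

    def resequence(self):       # "resequence ip|policy access-list": back to 10, 20, 30, ...
        for i, s in enumerate(self.stmts, start=1):
            s.seq = i * 10

    def evaluate(self, pkt, now=None):
        """First match wins; a referenced condition overrides the action only while one of
        its time ranges holds (outside them the rule keeps its own action: an assumption)."""
        for s in self.stmts:
            if s.matches(pkt):
                for pred, action in self.conds.get(s.cond, []):
                    if now is not None and pred(now):
                        return action
                return s.action
        return "deny" if self.kind == "ip" else "default"  # implicit final statement

def classify(static_acl, dynamic_acl, pkt, now=None):
    """RADIUS-guided policy: the static policy ACL takes precedence; the dynamic (VSA 164)
    policy ACL classifies only packets the static one left in the default class."""
    cls = static_acl.evaluate(pkt, now) if static_acl else "default"
    if cls == "default" and dynamic_acl is not None:
        cls = dynamic_acl.evaluate(pkt, now)
    return cls

def build_tc1():
    """Part of the guide's tc1 IP ACL, with the 'seq 25' statement inserted afterwards."""
    acl = AccessList("ip")
    acl.add(Statement("deny", "ip", "10.10.10.2/32", "10.10.20.2/32"))   # seq 10
    acl.add(Statement("deny", "tcp", "10.10.10.3/32", dport=80))          # seq 20
    acl.add(Statement("permit", "ip"))                                    # seq 30
    acl.add(Statement("deny", "tcp", "10.10.10.4/32", dport=80), seq=25)  # inserted
    return acl
```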
Configure an IP ACL
To configure an IP ACL, perform the tasks described in Table 12-1; enter all commands in access control
list configuration mode, unless otherwise noted.
Apply an IP ACL
To apply an IP ACL to packets associated with a context, an interface, or a subscriber record, named profile,
or default profile, perform the appropriate task described in Table 12-2.
Note For more information about Redback VSAs, see the Redback VSAs section in Appendix A,
RADIUS Attributes.
Table 12-1 Configure an IP ACL
1. Create or select an ACL and enter access control list configuration mode.
   Root command: ip access-list
   Notes: Enter this command in context configuration mode.
2. Optional. Associate a description with an IP ACL.
   Root command: description
3. Optional. Create ACL statements using either or both of the following tasks:
4. Create an ACL statement using permit conditions.
   Root command: permit
   Notes: There is an implicit deny any any statement at the end of any permit statement.
5. Create an ACL statement using deny conditions.
   Root command: deny
6. Optional. Create an ACL condition using a unique ID and access ACL condition configuration mode.
   Root command: condition
   Notes: Enter the following commands in ACL condition configuration mode.
7. Optional. Configure absolute time condition statements.
   Root command: absolute
   Notes: An absolute time ACL statement redefines an ACL rule's action for only one specific time interval.
8. Optional. Configure periodic time condition statements.
   Root command: periodic
   Notes: A periodic time ACL statement redefines the ACL rule action for a recurring time interval.
9. Optional. Resequence statements in an IP ACL.
   Root command: resequence ip access-list
   Notes: Enter this command in context configuration mode.
Table 12-2 Apply an IP ACL
Apply an IP ACL to an interface or to a subscriber record, named profile, or default profile.
   Root command: ip access-group
   Notes: Enter this command in either interface or subscriber configuration mode.
Apply an IP ACL to a context.
   Root command: admin-access-group
   Notes: Enter this command in context configuration mode.
Enable ACL Counters or Logging for a Subscriber
To enable ACL counters or logging for a subscriber through the subscriber record, the default subscriber
profile, or a named subscriber profile, perform the task described in Table 12-3.
Modify IP ACL Conditions in Real Time
To modify the action for an IP ACL condition, in real time, without requiring the reconfiguration of the
ACL condition statements, perform the task described in Table 12-4.
Configure a Policy ACL
To configure a static policy ACL, perform the tasks described in Table 12-5; enter all commands in access
control list configuration mode, unless otherwise noted.
Table 12-3 Enable ACL Counters or Logging for a Subscriber
Enable ACL counters or logging for a subscriber record, the default subscriber profile, or a named subscriber profile.
   Root command: access-list
   Notes: Enter this command in subscriber configuration mode.
Table 12-4 Modify IP ACL Condition Actions in Real Time
Modify the action for a condition referenced by an IP ACL.
   Root command: modify ip access-list
   Notes: Enter this command in exec mode.
Table 12-5 Configure a Policy ACL
1. Create or select a policy ACL and enter access control list configuration mode.
   Root command: policy access-list
   Notes: Enter this command in context configuration mode.
2. Optional. Associate a description with a policy ACL.
   Root command: description
3. Optional. Create policy ACL statements to allow packets that meet the specified criteria.
   Root command: permit
   Notes: Enter this command multiple times to specify multiple classes.
4. Optional. Create a policy ACL condition using a unique ID and access ACL condition configuration mode.
   Root command: condition
   Notes: Enter the following commands in ACL condition configuration mode. You can create up to seven conditions in a policy ACL.
5. Optional. Configure absolute time condition statements.
   Root command: absolute
   Notes: An absolute time ACL condition statement applies an ACL rule for only one specific time interval.
6. Optional. Configure periodic time condition statements.
   Root command: periodic
   Notes: A periodic time ACL statement applies an ACL rule for a recurring time interval.
7. Optional. Resequence statements in a policy ACL.
   Root command: resequence policy access-list
   Notes: Enter this command in context configuration mode.
Apply a Policy ACL
To apply a policy ACL to packets associated with a forward policy, a NAT policy, or a QoS metering or
policing policy, and complete the configuration of the policy, perform the tasks described in Chapter 13,
Forward Policy Configuration, Chapter 12, NAT Policy Configuration, and Chapter 15, QoS Rate-
and Class-Limiting Configuration, respectively.
Modify Policy ACL Conditions in Real Time
To modify the class name for a policy ACL condition, in real time, without requiring the reconfiguration
of the ACL condition statements, perform the task described in Table 12-6.
Table 12-6 Modify Policy ACL Condition Actions in Real Time
Modify the action for a class name referenced by a policy ACL.
   Root command: modify policy access-list
   Notes: Enter this command in exec mode.
Configuration Examples
This section provides ACL configuration examples as described in the following subsections:
Configure an ACL Statement
Add an ACL Statement
Resequence ACL Statements
Configure an Absolute Time Condition Statement
Configure a Periodic Time Condition Statement
Configure an IP ACL
Configure a Policy ACL Associated with a Forward Policy
Configure a Policy ACL Associated with a NAT Policy
Configure a Policy ACL Associated with a QoS Policing Policy
Configure an ACL Statement
The following example configures a policy ACL to prioritize web and voice-over-IP (VoIP) traffic:
[local]Redback(config-ctx)#policy access-list QoSACL-1
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
The following example uses a policy ACL to define classes of traffic to be mirrored:
[local]Redback(config-ctx)#policy access-list PBR_ACL
[local]Redback(config-access-list)#seq 10 permit tcp any eq www any class WEB
[local]Redback(config-access-list)#seq 20 permit tcp any any eq www class WEB
[local]Redback(config-access-list)#seq 30 permit udp any class UDP
[local]Redback(config-access-list)#seq 40 permit ip any class IP
The following example specifies that all IP traffic to destination host 10.25.1.1 is to be denied, and all
other traffic on subnet 10.25.1/24 is to be permitted:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#deny ip any host 10.25.1.1
[local]Redback(config-access-list)#permit ip any 10.25.1.0 0.0.0.255
Add an ACL Statement
The following example shows how to use the seq keyword to modify the existing tc1 ACL, adding a
statement between the statements with sequence numbers 20 and 30:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#ip access-list tc1
[local]Redback(config-access-list)#seq 25 deny tcp 10.10.10.4 0.0.0.0 any eq 80
The output of the show configuration acl command now includes the new statement, with sequence
number 25:
!
ip access-list tc1
 description This is a sample access control list
 seq 10 deny ip host 10.10.10.2 host 10.10.20.2
 seq 20 deny tcp host 10.10.10.3 any eq www
 seq 25 deny tcp host 10.10.10.4 any eq www
 seq 30 deny udp host 10.10.10.3 any
 seq 40 deny ip host 10.10.10.4 any
 seq 50 deny ip host 10.10.10.5 any
 seq 60 permit ip any any
Resequence ACL Statements
The following example displays the current sequencing of an IP ACL:
[local]Redback#show configuration acl
Building configuration...
!
ip access-list tc1
 description This is a sample access control list
 seq 10 deny ip host 10.10.10.2 host 10.10.20.2
 seq 20 deny tcp host 10.10.10.5 any eq telnet
 seq 25 deny tcp host 10.10.10.4 any eq www
 seq 30 deny udp host 10.10.10.3 any
 seq 50 deny ip host 10.10.10.5 any
 seq 60 permit ip any any
The following example resequences the statements in the IP ACL to increments of 10 and displays the new
sequence of statements:
[local]Redback(config)#context local
[local]Redback(config-ctx)#resequence ip access-list tc1
[local]Redback#show configuration
Building configuration...
Current configuration:
context local
 ip access-list tc1
  description This is a sample access control list
  seq 10 deny ip host 10.10.10.2 host 10.10.20.2
  seq 20 deny tcp host 10.10.10.5 any eq telnet
  seq 30 deny tcp host 10.10.10.4 any eq www
  seq 40 deny udp host 10.10.10.3 any
  seq 50 deny ip host 10.10.10.5 any
  seq 60 permit ip any any
Configure an Absolute Time Condition Statement
The following example creates an absolute time ACL condition statement for ACL condition 342, which
is defined in the IP ACL, ip-acl-1. The absolute time ACL condition applies a deny action to all IP
ACL statements that reference the ACL condition for the time interval beginning on December 15, 2003 at
9:00 p.m. (21:00) and ending on the same day at 11:00 p.m. (23:00):
[local]Redback(config-ctx)#ip access-list ip-acl-1
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end 2003:12:15:23:00 deny
Configure a Periodic Time Condition Statement
The following example creates a periodic ACL condition statement for the ACL condition 101, which is
referenced by the IP ACL, ip-acl-2, such that all packets traveling between 9 a.m. and 5 p.m. (9:00 to
17:00 in 24-hour format) on weekdays are permitted:
[local]Redback(config-ctx)#ip access-list ip-acl-2
[local]Redback(config-access-list)#condition 101 time-range
[local]Redback(config-acl-condition)#periodic weekdays 9:00 to 17:00 permit
The following example creates a periodic ACL condition statement for the ACL condition 342, which is
referenced by the policy ACL policy_acl_1, such that all packets traveling every weekday (Monday to
Friday) from 9:00 p.m. to 11:00 p.m. (21:00 to 23:00 in 24-hour format) are permitted:
[local]Redback(config-ctx)#policy access-list policy_acl_1
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#periodic weekdays 21:00 to 23:00 permit
Configure an IP ACL
The following example creates an IP ACL, tc1, and applies the list to an interface, oc1:
[local]Redback(config-ctx)#ip access-list tc1
[local]Redback(config-access-list)#description This is a sample access control list
[local]Redback(config-access-list)#deny ip 10.10.10.2 0.0.0.0 10.10.20.2 0.0.0.0
[local]Redback(config-access-list)#deny tcp 10.10.10.3 0.0.0.0 any eq 80
[local]Redback(config-access-list)#deny udp 10.10.10.3 0.0.0.0 any
[local]Redback(config-access-list)#deny ip 10.10.10.4 0.0.0.0 any
[local]Redback(config-access-list)#deny ip 10.10.10.5 0.0.0.0 any
[local]Redback(config-access-list)#permit ip any any
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#interface oc1
[local]Redback(config-if)#ip access-group tc1 in log
Configure a Policy ACL Associated with a Forward Policy
The policy ACL and forward policy configuration is as follows:
[local]Redback(config-ctx)#policy access-list PBR_Drop_ACL
[local]Redback(config-access-list)#seq 10 permit icmp host 51.1.1.2 class ICMP
[local]Redback(config-access-list)#seq 20 permit pim any class PIM
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#forward policy DropPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Drop_ACL local
[local]Redback(config-policy-group)#class ICMP
[local]Redback(config-policy-group-class)#drop
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class PIM
[local]Redback(config-policy-group-class)#drop
The following configuration applies the forward policy to the incoming_traffic interface:
[local]Redback(config)#port pos 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface incoming_traffic local
[local]Redback(config-port)#forward policy DropPolicy in
[local]Redback(config-port)#exit
Configure a Policy ACL Associated with a NAT Policy
The following example creates a policy ACL and applies it to a NAT policy with dynamic translations in
which all packets except those classified as CLASS3 are ignored (that is, the NAT policy is not applied to
them). All source IP addresses for incoming packets classified as CLASS3 are translated using IP addresses
from the pool_dyn pool:
! Create the NAT pool
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 11.11.11.0/24
[local]Redback(config-nat-pool)#exit
! Create the policy ACL
[local]Redback(config-ctx)#policy access-list NAT-ACL
[local]Redback(config-access-list)#seq 10 permit ip 10.10.10.0 0.0.0.255 class CLASS3
[local]Redback(config-access-list)#exit
! Create the NAT policy and apply the policy ACL
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-nat-policy)#ignore
[local]Redback(config-nat-policy)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn local
Configure a Policy ACL Associated with a QoS Policing Policy
The following example applies the conditions set by the ACL qos created for any circuit to which the QoS
policing policy, class, is attached. Packets are classified into three classes: web, voice over IP (VoIP),
and default:
[local]Redback(config-ctx)#policy access-list qos
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy class policing
[local]Redback(config-policy-policing)#access-group qos local
[local]Redback(config-policy-group)#class web
[local]Redback(config-policy-group-class)#rate 5000 burst 1000
[local]Redback(config-policy-class-rate)#conform mark dscp AF11
[local]Redback(config-policy-class-rate)#exit
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp ef
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark dscp df
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#bind interface eth1 local
[local]Redback(config-port)#qos policy policing class
Web traffic that conforms to the traffic rate of 5000 kbps is marked with a Differentiated Services Code
Point (DSCP) value of AF11. Web traffic exceeding that rate is dropped by default. Packets classified as
VOIP are prioritized over both web and default traffic through the DSCP setting of ef, or expedited
forwarding. Packets classified as default are set to the DSCP value of df, or default.
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure ACLs. The
commands are presented in alphabetical order:
absolute
access-group
access-list
admin-access-group
class
condition
deny
description
ip access-group
ip access-list
modify ip access-list
modify policy access-list
periodic
permit
policy access-list
resequence ip access-list
resequence policy access-list
absolute
absolute start yyyy:mm:dd:hh:mm end yyyy:mm:dd:hh:mm [:ss] {{permit | deny} | class class-name}
no absolute start yyyy:mm:dd:hh:mm end yyyy:mm:dd:hh:mm
Purpose
Creates an absolute time access control list (ACL) condition statement.
Command Mode
ACL condition configuration
Syntax Description
start yyyy:mm:dd:hh:mm [:ss]  Date and time to start the ACL condition. Arguments are defined as
follows:
    yyyy - Year.
    mm - Month. The range of values is 1 to 12.
    dd - Day. The range of values is 1 to 31.
    hh - Hour in 24-hour format. The range of values is 0 to 23.
    mm - Minutes. The range of values is 0 to 59.
    ss - Seconds. Optional. The range of values is 0 to 60.
end yyyy:mm:dd:hh:mm [:ss]  Date and time to stop the ACL condition. Arguments are defined as
follows:
    yyyy - Year.
    mm - Month. The range of values is 1 to 12.
    dd - Day. The range of values is 1 to 31.
    hh - Hour in 24-hour format. The range of values is 0 to 23.
    mm - Minutes. The range of values is 0 to 59.
    ss - Seconds. Optional. The range of values is 0 to 60.
permit  Applies a permit action to packets processed during the specified time range.
deny  Applies a deny action to packets processed during the specified time range. Used only with
IP ACLs.
class class-name  Name of the class assigned to policy ACL statements that reference the ACL
condition. Used only with policy ACLs.
Default
No ACL condition statements are configured.
Usage Guidelines
Use the absolute command to create an absolute time ACL condition statement that, when referenced in
an IP ACL statement, permits or denies packets, based on specific date and time ranges. Use this command
to create an absolute time ACL conditional statement that, when referenced in a policy ACL statement,
assigns a class name to packets.
Use the no form of this command to delete the absolute time ACL condition statement.
Examples
The following example creates an absolute time ACL condition statement for the ACL condition 500,
which is referenced in the policy ACL, policy-acl-forward. The absolute time ACL condition applies
the Bar003 class name to all policy ACL statements that reference the ACL condition during the time
interval beginning on December 15, 2003 at 9:00 p.m. (21:00) and ending on the same day at 11:00 p.m.
(23:00):
[local]Redback(config-ctx)#policy access-list policy-acl-forward
[local]Redback(config-access-list)#condition 500 time-range
[local]Redback(config-acl-condition)#absolute start 2003:12:15:21:00 end 2003:12:15:23:00 class Bar003
Related Commands
condition
deny
ip access-list
periodic
permit
policy access-list
access-group
access-group [acl-name] [ctx-name]
no access-group [acl-name] [ctx-name]
Purpose
Applies a policy access control list (ACL) to a class-based policy (forward policy, Network Address
Translation [NAT] policy, or quality of service [QoS] policy) and enters policy group configuration mode.
Command Mode
forward policy configuration
metering policy configuration
NAT policy configuration
policing policy configuration
Syntax Description
acl-name Optional. Name of the policy ACL created using the policy access-list command (in
context configuration mode); required to apply or remove a static policy ACL.
ctx-name Optional. Name of the context in which the policy ACL was created; required to apply
or remove a static policy ACL to or from a forward or QoS policy. For a NAT policy,
the context defaults to the context of the NAT policy.
Default
None
Usage Guidelines
Use the access-group command to apply a policy ACL to a class-based policy (forward policy, NAT policy,
or QoS policy) and enter policy group configuration mode.
If the class-based policy is Remote Authentication Dial-In User Service (RADIUS)-guided, the policy ACL
can be dynamic or static:
A dynamic policy ACL is one that the SmartEdge OS applies to the class-based policy using the rules
specified in an instance of vendor-specific attribute (VSA) 164 that has been downloaded from the
RADIUS server. In this case, use this command without specifying the name of the policy ACL.
A static policy ACL is one that you apply to the class-based policy. In this case, you must specify the
name of the policy ACL.
If you include the acl-name argument, you must also include the ctx-name argument when you apply a
static policy ACL to a forward policy or QoS policy. For a NAT policy, you need only enter the acl-name
argument; the context defaults to the context of the NAT policy.
You can apply a dynamic policy ACL in addition to a static policy ACL. However, the static policy ACL
takes precedence over the dynamic policy ACL.
Use the no form of this command to remove a static policy ACL from a specified policy.
To remove a policy ACL from a RADIUS-guided policy, you must delete the RADIUS-guided policy and
then recreate it.
Examples
The following example applies the myacl policy ACL to the GE-in QoS policing policy. The myacl ACL
has one class, voip, and packets in this class are marked with the Differentiated Service Code Point
(DSCP) code af13:
[local]Redback(config)#qos policy GE-in policing
[local]Redback(config-policy-policing)#access-group myacl local
[local]Redback(config-policy-group)#class voip
[local]Redback(config-policy-group-class)#mark dscp af13
The following example applies the forward policy, RedirectPolicy, as specified by the rules in the
policy ACL PBR_Redirect_ACL. The PBR_Redirect_ACL access group has one class, Web, and
packets in this class are redirected to the next hop in the route at IP address 100.1.1.0:
[local]Redback(config)#forward policy RedirectPolicy
[local]Redback(config-policy-frwd)#access-group PBR_Redirect_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#redirect destination next-hop 100.1.1.0
Note The names of the IP and policy ACLs in the output of the show access-group command (in
any mode) include a prefix: ADF for dynamic IP ACLs and DPF for dynamic policy
ACLs.
Related Commands
class
conform mark dscp
policy access-list
access-list
access-list {count counter-type | log ip}
no access-list {count counter-type | log ip}
Purpose
Enables access control list (ACL) counters or logging for the default subscriber profile, this named
subscriber profile, or this named subscriber record.
Command Mode
subscriber configuration
Syntax Description
count counter-type ACL counter type, according to one of the following keywords:
ip Specifies IP ACL counters.
policy Specifies policy ACL counters.
log ip Enables logging of dropped packets for the IP ACL.
Default
ACL counters are not enabled for any subscriber records or profiles.
Usage Guidelines
Use the access-list command to enable ACL counters or logging for the default subscriber profile, this
named subscriber profile, or this named subscriber record.
Use the no form of this command to disable ACL counters for the default subscriber profile, this named
subscriber profile, or this named subscriber record.
Examples
The following example enables ACL IP counters for the default subscriber profile:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#access-list count ip
Related Commands
None
admin-access-group
admin-access-group "acl-name1 acl-name2 acl-name3..." in [count] [log]
no admin-access-group {"" | "acl-name1 acl-name2 acl-name3..."} in [count] [log]
Purpose
Applies access control to all inbound packets delivered to the kernel, regardless of the interface through
which packets are received.
Command Mode
context configuration
Syntax Description
acl-name Name of the IP ACL being applied. You can configure up to ten
ACL names in one administrative access group list. You must
enclose multiple ACL names in quotation marks and separate
ACL names with one or more spaces.
Each IP ACL name can be up to 39 alphanumeric characters
long. However, ensure that the total number of characters for all
ACL names referenced in the access group does not exceed 255.
If you want to use ten ACLs, create names that are 24 or fewer
characters long. A colon (:) is not allowed in ACL names.
in Specifies that the IP ACL is to be applied to incoming packets.
count Optional. Enables ACL packet counting.
log Optional. Enables ACL packet logging.
Default
No administrative access control is applied.
Usage Guidelines
Use the admin-access-group command to apply access control to all inbound packets delivered to the
kernel, regardless of the interface through which packets are received. This is referred to as administrative
access control and is used with IP ACLs only.
If you configure multiple ACLs in an IP access group, the SmartEdge OS applies the ACLs in the order
they appear within the access group to produce a specific filtering behavior. The SmartEdge OS appends
an implicit deny ip any any rule after all configured rules are applied.
Caution Risk of security breach. Administrative access control is context-specific. To ensure that all
inbound packets are filtered before being delivered to the kernel, you must apply an
administrative ACL to each and every context that is configured.
When you use the count keyword, the system keeps track of the number of packet matches that occur.
When you use the log keyword, the system keeps track of the number of packets that were denied as a result
of the ACL. Count and log information is displayed in the output of the show access-group command.
Use the no form of this command to remove the application of an ACL to traffic inbound to the kernel.
Enter empty quotation marks ("") to remove all associated ACL names. If you want to delete one or more
(but not all) ACLs, enter their names in quotation marks.
Examples
The following example applies the test_2 and filter_3 ACLs to inbound traffic for the local
context:
[local]Redback(config-ctx)#admin-access-group "test_2 filter_3" in count log
The following example removes all ACLs from the administrative access group for the local context:
[local]Redback(config-ctx)#no admin-access-group "" in count log
The following example removes the ACL ktraffic from the administrative access group for the local
context:
[local]Redback(config-ctx)#no admin-access-group ktraffic in
Caution Risk of system performance impact. By default, counting and logging of packets is disabled
because these functions have an impact on system performance. To reduce the risk, we
recommend that you only enable logging or counting when required for diagnostic purposes.
Related Commands
ip access-group
ip access-list
class
class class-name
no class class-name
Purpose
Creates a class in a class-based policy and accesses policy group class configuration mode.
Command Mode
policy group configuration
Syntax Description
class-name Class name for a class of traffic packets to which the policy applies an action.
Default
None
Usage Guidelines
Use the class command to create a class in a class-based policy and access policy group class configuration
mode. This command allows a forward policy, a Network Address Translation (NAT) policy, or a quality
of service (QoS) policy to apply a different action to different sets (classes) of packets that are defined in
the applied policy access control list (ACL).
If the class-name argument matches a class-name argument in a rule in the policy ACL, the class-based
policy processes packets of that type as specified by the class-based policy. If a rule for the class-name
argument is not specified in the policy ACL, the class-based policy considers the class to be dormant and
takes no action. If a rule for the class-name argument is specified in the ACL, but you do not include the
class in the policy (using this command), the SmartEdge OS considers those packets to be in the default
class.
Use the no form of this command to delete the specified class.
Examples
The following example applies the QoSACL-1 policy ACL to a QoS policing policy that prioritizes
incoming packets in the Web class using a Differentiated Service Code Point (DSCP) value of DF. For the
VOIP class, incoming traffic packets are prioritized with a DSCP value of AF11:
[local]Redback(config-policy-policing)#access-group QoSACL-1 local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#rate 6000 burst 3000
[local]Redback(config-policy-class-rate)#exceed mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark dscp AF11
The following example applies the PBR_ACL policy ACL to the MirrorPolicy forward policy, which
mirrors all traffic packets in the Web class to the mirror output destination, WebTraffic:
[local]Redback(config)#forward policy MirrorPolicy
[local]Redback(config-policy-frwd)#access-group PBR_ACL local
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#mirror destination WebTraffic all
Related Commands
access-group
permit
policy access-list
condition
condition cond-id time-range
no condition cond-id
Purpose
Creates an access control list (ACL) condition and enters ACL condition configuration mode.
Command Mode
access control list configuration
Syntax Description
cond-id Condition ID in integer or IP address format. The ID range of values is 1 to
4294967295.
time-range Specifies a time range condition type.
Default
None
Usage Guidelines
Use the condition command to create an ACL condition, and to enter ACL condition configuration mode.
An ACL condition consists of up to seven ACL condition statements (using any combination of the
absolute and periodic commands in ACL condition configuration mode). When an ACL statement
references an ACL condition, the ACL condition statements apply those time-dependent rules to the
referencing IP ACL or policy ACL statement.
Use the no form of this command to delete an ACL condition.
Examples
The following example creates the time range condition identified as 342 for the IP ACL, protect, and
enters ACL condition configuration mode:
[local]Redback(config-ctx)#ip access-list protect
[local]Redback(config-access-list)#condition 342 time-range
[local]Redback(config-acl-condition)#
The following example creates the time range condition identified as 10.1.2.3 for the policy ACL,
control, and enters ACL condition configuration mode:
[local]Redback(config-ctx)#policy access-list control
[local]Redback(config-access-list)#condition 10.1.2.3 time-range
[local]Redback(config-acl-condition)#
Related Commands
absolute
ip access-list
periodic
policy access-list
deny
[seq seq-num] deny [protocol] {src src-wildcard | any | host src} [cond port | range port end-port]
[dest dest-wildcard | any | host dest] [cond port | range port end-port] [length {cond length |
range length end-length}] [icmp-type icmp-type [icmp-code icmp-code]] [igmp-type igmp-type]
[dscp eq dscp-value] [established] [precedence prec-value] [tos tos-value] [condition cond-id]
no seq seq-num
Purpose
Creates an IP access control list (ACL) statement that denies packets that meet the specified criteria.
Command Mode
access control list configuration
Syntax Description
seq seq-num Optional. Sequence number for the statement. The range of values is 1 to
4,294,967,295.
protocol Optional. Number indicating a protocol as specified in RFC 1700, Assigned
Numbers. The range of values is 0 to 255 or one of the keywords listed in
Table 12-7.
src Source address to be included in the permit or deny criteria. An IP address in
the form A.B.C.D.
src-wildcard Indication of which bits in the src argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the src-wildcard argument mean that the corresponding bits in the
src argument must match; one-bits in the src-wildcard argument mean that the
corresponding bits in the src argument are ignored.
any Specifies a completely wildcard source or destination IP address indicating
that IP traffic to or from all IP addresses is to be included in the permit or
deny criteria. Identical to 0.0.0.0 255.255.255.255.
host src Address of a single-host source with no wild-carded address bits. The
host source construct is identical to the src src-wildcard construct if the
wildcard address indicates that all bits should be matched (0.0.0.0).
cond Optional. Matching condition for the port or length argument, according to
one of the keywords listed in Table 12-8.
port Optional. TCP or UDP source or destination port. This argument is only
available if you specified TCP or UDP as the protocol. The range of values is
1 to 65,535 or one of the keywords listed in Table 12-9 and Table 12-10.
range port end-port Optional. Beginning and ending TCP or UDP source or destination ports that
define a range of port numbers. A packet's port must fall within the specified
range to match the criteria. This construct is only available if you specified
TCP or UDP as the protocol. The range of values is 1 to 65,535 or one of the
keywords listed in Table 12-9 and Table 12-10.
dest Optional. Destination address to be included in the permit or deny criteria. An
IP address in the form A.B.C.D.
dest-wildcard Indication of which bits in the dest argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the dest-wildcard argument mean that the corresponding bits in
the dest argument must match; one-bits in the dest-wildcard argument mean
that the corresponding bits in the dest argument are ignored.
host dest Address of a single-host destination with no wildcard address bits. The
host dest construct is identical to the dest dest-wildcard construct, if the
wildcard address indicates that all bits should be matched (0.0.0.0).
length Optional. Indicates that packet length is to be used as a filter. The packet
length is the length of the network-layer packet, beginning with the IP header.
This is true irrespective of the specified protocol.
length Packet length. The range of values is 20 to 65,535.
range length end-length Packets that fall into the range of specified lengths. Each value (length and
end-length) can be from 20 to 65,535.
icmp-type icmp-type Optional. Type of ICMP packet to be matched. The range of values is 0 to 255
or one of the keywords listed in Table 12-11. This argument is only available
if you specify icmp for the protocol argument.
icmp-code icmp-code Optional if you use the icmp-type icmp-type construct. A particular ICMP
message code to be matched. The range of values is 0 to 255. This argument
is only accepted if you specified icmp for the protocol argument.
igmp-type igmp-type Optional. Type of IGMP packet to be matched. This argument is only
accepted if you specified igmp as the protocol argument. The range of values
is 0 to 15 or one of the keywords listed in Table 12-12.
dscp eq dscp-value Optional. The packet's Differentiated Services Code Point (DSCP) value must be
equal to the value specified in the dscp-value argument to match the criteria.
The range of values is 0 to 63 or one of the keywords listed in Table 12-13.
established Optional. Specifies that only established connections are to be matched. This
keyword is only available if you specify tcp for the protocol argument.
precedence prec-value Optional. Precedence value of packets to be considered a match. The range of
values is 0 to 7, 7 being the highest precedence, or one of the keywords listed
in Table 12-14.
tos tos-value Optional. Type of service (ToS) to be considered a match. The range of values
is 0 to 15 or one of the keywords listed in Table 12-15.
condition cond-id Optional. ACL condition ID in integer or IP address format. The ID range of
values is 1 to 4,294,967,295.
Default
None
Usage Guidelines
Use the deny command to create the IP ACL statement to deny packets that meet the specified criteria.
The cond port and cond length constructs are mutually exclusive with the range port end-port and
range length end-length constructs.
Use the no form of this command to delete the statement with the specified sequence number from the
ACL.
Table 12-7 lists the valid keyword substitutions for the protocol argument.
Table 12-7 Valid Keyword Substitutions for the protocol Argument
Keyword Definition
ahp Specifies Authentication Header Protocol.
esp Specifies Encapsulation Security Payload.
gre Specifies Generic Routing Encapsulation.
host Specifies host source address.
icmp Specifies Internet Control Message Protocol.
igmp Specifies Internet Group Management Protocol.
ip Specifies any IP protocol.
ipinip Specifies IP-in-IP tunneling.
ospf Specifies Open Shortest Path First.
pcp Specifies Payload Compression Protocol.
pim Specifies Protocol Independent Multicast.
tcp Specifies Transmission Control Protocol.
udp Specifies User Datagram Protocol.
Table 12-8 lists the valid keyword substitutions for the cond argument.
Table 12-8 Valid Keyword Substitutions for the cond Argument
Keyword Description
eq Specifies that values must be equal to those specified by the port or length argument.
gt Specifies that values must be greater than those specified by the port or length argument.
lt Specifies that values must be less than those specified by the port or length argument.
neq Specifies that values must not be equal to those specified by the port or length argument.
Table 12-9 lists the valid keyword substitutions for the port argument when it is used to specify a TCP port.
Table 12-9 Valid Keyword Substitutions for the port Argument (TCP Port)
Keyword Definition Corresponding Port Number
bgp Border Gateway Protocol (BGP) 179
chargen Character generator 19
cmd Remote commands (rcmd) 514
daytime Daytime 13
discard Discard 9
domain Domain Name System 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname Network interface card (NIC) hostname server 101
ident Identification protocol 113
irc Internet Relay Chat 194
klogin Kerberos login 543
kshell Kerberos Shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp Protocol Independent Multicast Auto-RP 496
pop2 Post Office Protocol Version 2 109
pop3 Post Office Protocol Version 3 110
shell Remote command shell 514
smtp Simple Mail Transport Protocol 25
ssh Secure Shell 22
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp UNIX-to-UNIX Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80
Table 12-10 lists the valid keyword substitutions for the port argument when it is used to specify a UDP
port.
Table 12-10 Valid Keyword Substitutions for the port Argument (UDP Port)
Keyword Definition Corresponding Port Number
biff Biff (Mail Notification, Comsat) 512
bootpc Bootstrap Protocol client 68
bootps Bootstrap Protocol server 67
discard Discard 9
dnsix DNSIX Security Protocol Auditing 195
domain Domain Name System 53
echo Echo 7
isakmp Internet Security Association and Key Management Protocol (ISAKMP) 500
mobile-ip Mobile IP Registration 434
nameserver IEN116 Name Service (obsolete) 42
netbios-dgm NetBIOS Datagram Service 138
netbios-ns NetBIOS Name Service 137
netbios-ss NetBIOS Session Service 139
ntp Network Time Protocol 123
pim-auto-rp Protocol Independent Multicast Auto-RP 496
rip Router Information Protocol (router, in.routed) 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who Service (rwho) 513
xdmcp X Display Manager Control Protocol 177
Table 12-11 lists the valid keyword substitutions for the icmp-type argument.
Table 12-11 Valid Keyword Substitutions for the icmp-type Argument
Keyword Description
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
general-parameter-problem General parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for ToS
host-tos-unreachable Host unreachable for ToS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirects
net-redirect Network redirect
net-tos-redirect Network redirect for ToS
net-tos-unreachable Network unreachable for ToS
net-unreachable Network unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisement
router-solicitation Router discovery solicitation
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceeded messages
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given type of service (ToS) value
traceroute Traceroute
ttl-exceeded TTL Exceeded
unreachable All unreachables
Table 12-12 lists the valid keyword substitutions for the igmp-type argument.
Table 12-12 Valid Keyword Substitutions for the igmp-type Argument
Keyword Description
dvmrp Specifies Distance-Vector Multicast Routing Protocol.
Host-query Specifies host query.
Host-report Specifies host report.
pim Specifies Protocol Independent Multicast.
Table 12-13 lists the valid keyword substitutions for the dscp-value argument.
Table 12-13 Valid Keyword Substitutions for the dscp-value Argument
Keyword Definition
af11 Assured Forwarding Class 1/Drop precedence 1
af12 Assured Forwarding Class 1/Drop precedence 2
af13 Assured Forwarding Class 1/Drop precedence 3
af21 Assured Forwarding Class 2/Drop precedence 1
af22 Assured Forwarding Class 2/Drop precedence 2
af23 Assured Forwarding Class 2/Drop precedence 3
af31 Assured Forwarding Class 3/Drop precedence 1
af32 Assured Forwarding Class 3/Drop precedence 2
af33 Assured Forwarding Class 3/Drop precedence 3
af41 Assured Forwarding Class 4/Drop precedence 1
af42 Assured Forwarding Class 4/Drop precedence 2
af43 Assured Forwarding Class 4/Drop precedence 3
cs0 Class Selector 0
cs1 Class Selector 1
cs2 Class Selector 2
cs3 Class Selector 3
cs4 Class Selector 4
cs5 Class Selector 5
cs6 Class Selector 6
cs7 Class Selector 7
df Default Forwarding (same as cs0)
ef Expedited Forwarding
Table 12-14 lists the valid keyword substitutions for the prec-value argument.
Table 12-14 Valid Keyword Substitutions for the prec-value Argument
Keyword Description
routine Specifies routine precedence (value=0).
priority Specifies priority precedence (value=1).
immediate Specifies immediate precedence (value=2).
flash Specifies flash precedence (value=3).
flash-override Specifies flash override precedence (value=4).
critical Specifies critical precedence (value=5).
internet Specifies internetwork control precedence (value=6).
network Specifies network control precedence (value=7).
Table 12-15 lists the valid keyword substitutions for the tos-value argument.
Table 12-15 Valid Keyword Substitutions for the tos-value Argument
Keyword Description
max-reliability Specifies maximum reliable ToS (value=2).
max-throughput Specifies maximum throughput ToS (value=4).
min-delay Specifies minimum delay ToS (value=8).
min-monetary-cost Specifies minimum monetary cost ToS (value=1).
normal Specifies normal ToS (value=0).
Examples
The following example specifies that all IP traffic to destination host, 10.25.1.1, is to be denied, and all
other traffic on subnet 10.25.1/24 is to be permitted:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#deny ip any host 10.25.1.1
[local]Redback(config-access-list)#permit ip any 10.25.1.0 0.0.0.255
Related Commands
ip access-group
ip access-list
permit
resequence ip access-list
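As an added worked example (Python; not code from the Redback guide, and the SmartEdge OS exposes no such API), the following models the src/src-wildcard matching of the deny and permit statements, the absolute command's time-range condition, and the ordered, first-match evaluation with an implicit deny ip any any that the admin-access-group and ip access-group commands describe, including the ACL-name limits of admin-access-group. Two points are assumptions rather than statements of the guide: a conditional statement whose time range is not active is skipped, and an access group none of whose ACLs has been defined imposes no restriction (following the note under ip access-group). All ACL contents, addresses and timestamps are constructed for the example.

```python
# Added example (Python; not code from the Redback guide or the SmartEdge OS): a model of
# the IP ACL semantics this chapter describes: src/src-wildcard matching, first-match
# evaluation of an access group's ACLs in configured order with the implicit "deny ip any any"
# appended, count/log bookkeeping, the admin-access-group name limits, and an absolute
# time-range condition. ACLs, addresses and timestamps are constructed for the example.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def parse_absolute(stamp: str) -> datetime:
    """Parse the yyyy:mm:dd:hh:mm form used by the absolute command."""
    year, month, day, hour, minute = (int(p) for p in stamp.split(":"))
    return datetime(year, month, day, hour, minute)


@dataclass
class AbsoluteCondition:
    start: datetime
    end: datetime

    def active(self, when: datetime) -> bool:
        return self.start <= when <= self.end


def addr_matches(spec: str, addr: str) -> bool:
    """Wildcard matching: zero bits in the wildcard must match, one bits are ignored.
    "any" is 0.0.0.0 255.255.255.255 and "host X" is X 0.0.0.0."""
    if spec == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    elif spec.startswith("host "):
        base, wild = spec.split()[1], "0.0.0.0"
    else:
        base, wild = spec.split()
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any protocol; otherwise "tcp", "udp", "icmp", ...
    src: str               # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    condition: Optional[AbsoluteCondition] = None
    matches: int = 0       # what the count keyword tracks for the statement

    def applies(self, proto: str, src: str, dst: str, now: datetime) -> bool:
        if self.condition is not None and not self.condition.active(now):
            return False   # assumption: a conditional statement outside its window is skipped
        if self.protocol not in ("ip", proto):
            return False
        return addr_matches(self.src, src) and addr_matches(self.dst, dst)


def validate_acl_names(names: List[str], total_limit: int = 255) -> None:
    """Limits stated for admin-access-group: at most ten names, each at most 39
    characters, no colon, and at most total_limit characters over all names."""
    if len(names) > 10:
        raise ValueError("at most ten ACL names per access group")
    for name in names:
        if len(name) > 39 or ":" in name:
            raise ValueError(f"invalid ACL name: {name!r}")
    if sum(len(n) for n in names) > total_limit:
        raise ValueError("total length of ACL names exceeds the limit")


class AccessGroup:
    """One to ten named ACLs applied in order, as with ip access-group or admin-access-group."""

    def __init__(self, acl_names: List[str], acls: Dict[str, List[Rule]]):
        validate_acl_names(acl_names)
        # An unconfigured ACL name contributes zero rules (see the ip access-group note).
        self.configured = [n for n in acl_names if n in acls]
        self.rules = [r for n in self.configured for r in acls[n]]
        self.implicit_deny = Rule("deny", "ip", "any", "any")
        self.denied = 0    # what the log keyword tracks: packets denied by the group

    def evaluate(self, proto: str, src: str, dst: str, now: datetime) -> Tuple[str, Optional[Rule]]:
        """First-match evaluation; returns the action and the statement that decided it."""
        if not self.configured:
            return "permit", None   # no defined ACL: no restriction is in place
        for rule in self.rules + [self.implicit_deny]:
            if rule.applies(proto, src, dst, now):
                rule.matches += 1
                if rule.action == "deny":
                    self.denied += 1
                return rule.action, rule
        raise AssertionError("unreachable: the implicit deny matches every packet")


def example_acls() -> Dict[str, List[Rule]]:
    """Constructed ACLs: protect201 from the deny example, plus one whose first statement is
    active only in the window of the absolute command example (2003-12-15, 21:00 to 23:00)."""
    window = AbsoluteCondition(parse_absolute("2003:12:15:21:00"), parse_absolute("2003:12:15:23:00"))
    return {"protect201": [Rule("deny", "ip", "any", "host 10.25.1.1"),
                           Rule("permit", "ip", "any", "10.25.1.0 0.0.0.255")],
            "maint-window": [Rule("deny", "tcp", "any", "host 10.25.1.2", condition=window),
                             Rule("permit", "ip", "any", "any")]}


if __name__ == "__main__":
    # Order matters: maint-window's "permit ip any any" shadows every protect201 statement.
    group = AccessGroup(["maint-window", "protect201"], example_acls())
    for proto, dst in [("tcp", "10.25.1.2"), ("tcp", "10.25.1.1"), ("udp", "10.25.1.7")]:
        action, rule = group.evaluate(proto, "192.0.2.9", dst, parse_absolute("2003:12:15:22:00"))
        print(f"{proto} -> {dst}: {action} (denied so far: {group.denied})")
```

The demonstration at the bottom puts an ACL ending in permit ip any any ahead of protect201: because the group is evaluated as one ordered list with the implicit deny only at the very end, protect201's deny for 10.25.1.1 is never reached. That is the behaviour the count and log keywords exist to make visible: a statement whose match counter stays at zero is shadowed by an earlier statement or ACL.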
description
description text
no description
Purpose
Associates a text description with an IP access control list (ACL) or a policy ACL.
Command Mode
access control list configuration
Syntax Description
text Alphanumeric text description to be associated with the ACL.
Default
No description is associated with the ACL.
Usage Guidelines
Use the description command to associate a text description with the ACL.
You can use a text description to note what an ACL consists of or how it is to be used. Only one
description can be associated with a single ACL. To revise a description, create a new one; the old one
is overwritten.
Use the no form of this command to remove the description from an ACL.
Examples
The following example creates a text description to be associated with the IP ACL, restricted:
[local]Redback(config-ctx)#ip access-list restricted
[local]Redback(config-access-list)#description private net
The following example creates a text description to be associated with the policy ACL, trafficin:
[local]Redback(config-ctx)#policy access-list trafficin
[local]Redback(config-access-list)#description inbound traffic web
Related Commands
ip access-list
policy access-list
ip access-group
ip access-group "acl-name1 acl-name2 acl-name3..." {in | out} [count] [log]
no ip access-group {"" | "acl-name1 acl-name2 acl-name3..."} {in | out} [count] [log]
Purpose
Applies from one to ten IP access control lists (ACL) to packets associated with an interface or subscriber.
Command Mode
interface configuration
subscriber configuration
Syntax Description
acl-name Name of the IP ACL to apply to the interface, which can be up to 39 alphanumeric
characters long. You can configure up to ten ACL names to one IP access-group list.
Enclose multiple ACL names within quotation marks and separate each ACL name with
one or more spaces.
To include ten ACLs in a single access group, however, you need to ensure that the total
number of characters for the ACL names does not exceed 255 for interface mode and 253 for
subscriber mode (average of 24 characters per name). A colon (:) is not allowed in ACL
names.
in Specifies that the ACL is to be applied to incoming packets.
out Specifies that the ACL is to be applied to outgoing packets.
count Optional. Enables ACL packet counting. Not available in subscriber configuration mode.
log Optional. Enables ACL packet logging. Not available in subscriber configuration mode.
Default
No ACL is applied.
Usage Guidelines
Use the ip access-group command to apply an IP ACL to packets associated with an interface or subscriber,
restricting the flow of traffic through the SmartEdge router. If you configure multiple ACLs to an IP access
group, the SmartEdge OS combines the ACLs in order of appearance within the IP access group to produce
a specific filtering behavior. If you configure a dynamic filter ACL for a subscriber, the SmartEdge OS
applies the rules of the combined ACL and then the dynamic filter ACL. The SmartEdge OS appends an
implicit deny ip any any rule after all configured rules complete.
The SmartEdge router ignores conditional ACLs referenced in an access group.
When you use the count keyword, the system keeps track of the number of matches that occur. When you
use the log keyword, the system keeps track of the number of packets that were denied. By default, counting
and logging of packets is disabled.
To disable packet counting or logging, enter the ip access-group command again, omitting the count or
log keyword.
Use theno form of this command to remove an applied IP ACL from association with the interface. Enter
empty quotations marks ( ) to remove all associated ACL names. If you want to delete one or more (but
not all) ACLs, enter their names in quotation marks.
Examples
The following example applies the IP ACLs, WebCacheACL and SmartFilter, to the interface,
topgun, and enables both packet counting and logging:
[local]Redback(config)#context fighter
[local]Redback(config-ctx)#interface topgun
[local]Redback(config-if)#ip access-group "WebCacheACL SmartFilter" in log count
The following example applies the ACLs, WebCacheACL and SmartFilter, to the subscriber, joe:
[local]Redback(config)#context local
[local]Redback(config-ctx)#subscriber name joe
[local]Redback(config-sub)#ip access-group "WebCacheACL SmartFilter" out
Note Applying an ACL to an interface has no effect if the named ACL has not yet been defined.
All packets are permitted as if no restrictions were in place.
If an access group for an interface has multiple ACLs, some of the ACLs can be unconfigured;
however, any unconfigured ACLs have no (zero) rules. Only the configured ACLs in the
access group apply to traffic.
Caution Risk of performance loss. Enabling the count and log functions can affect system
performance. To reduce the risk, exercise caution when enabling these features on a
production system.
Related Commands
deny
ip access-list
permit
ip access-list
ip access-list acl-name [ssh-and-telnet-acl]
no ip access-list acl-name [ssh-and-telnet-acl]
Purpose
Configures an IP access control list (ACL) and enters access control list configuration mode.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL. Must be unique within the context.
ssh-and-telnet-acl Optional. Specifies that the ACL applies to Telnet and Secure Shell (SSH)
traffic.
Default
None
Usage Guidelines
Use the ip access-list command to configure an IP ACL and enter access control list configuration mode,
where you can define statements using the permit and deny commands. All IP ACLs have an implicit
deny any any statement at the end.
When the IP ACL is created and its conditions have been set, you can apply the list to any of these entities:
An interface to restrict the flow of traffic through the SmartEdge router with the ip access-group
command (in interface configuration mode).
Local inbound traffic coming into the SmartEdge kernel with the admin-access-group command (in
context configuration mode).
Inbound SSH and Telnet traffic with the service command (in context configuration mode).
An interface enabled with reverse path forwarding (RPF) to allow packets that fail the RPF check but
match the ACL to pass through with the ip verify unicast source command (in interface configuration
mode).
A reference to an IP ACL that does not exist or does not contain any configured entries implicitly matches
and permits all packets.
Use the no form of this command to remove an ACL from the configuration.
Examples
The following example creates an IP ACL, WebCacheACL:
[local]Redback(config-ctx)#ip access-list WebCacheACL
[local]Redback(config-access-list)#
Related Commands
admin-access-group
deny
ip access-group
permit
modify ip access-list
modify ip access-list acl-name condition cond-id {permit | deny}
Purpose
Modifies, in real time, the action for the specified condition referenced by statements in the IP access
control list (ACL), without requiring reconfiguration of the IP ACL.
Command Mode
exec
Syntax Description
acl-name Name of the ACL to be modified.
condition cond-id ACL condition ID in integer or IP address format. The range of values is
1 to 4,294,967,295.
permit Applies a permit action.
deny Applies a deny action.
Default
None
Usage Guidelines
Use the modify ip access-list command to modify, in real time, the action for the specified condition
referenced by statements in the IP ACL, without requiring reconfiguration of the IP ACL.
For information about the condition and ip access-list commands in context configuration mode, see the
ACL Configuration Commands chapter in the IP Services and Security Command Reference for the
SmartEdge OS.
Note If the specified condition ID is already configured (using the condition command in access
control list configuration mode), the modify ip access-list command is ignored. If a condition
ID is configured using the condition command and the changes are saved, any condition ID
that may be currently applied using the modify ip access-list command at runtime is
immediately overwritten.
Examples
With the following configuration, using the modify ip access-list list_cond condition 200 deny command
changes the action of the ACL condition 200 in statement 20 in the IP ACL list_cond from permit
to deny. However, using the modify ip access-list list_cond condition 100 permit command does not
affect the deny action of the ACL condition 100 because it has already been configured:
[local]Redback(config-ctx)#ip access-list list_cond
[local]Redback(config-access-list)#condition 100 time-range
[local]Redback(config-acl-condition)#absolute start 2005:01:01:01:00 end 2006:01:01:01:01 permit
[local]Redback(config-acl-condition)#exit
[local]Redback(config-access-list)#seq 10 deny tcp any any eq 80 cond 100
[local]Redback(config-access-list)#seq 20 permit tcp any any eq 81 cond 200
Related Commands
modify policy access-list
modify policy access-list
modify policy access-list acl-name condition cond-id class class-name
Purpose
Modifies, in real time, the action for the specified condition referenced by statements in the policy access
control list (ACL), without requiring reconfiguration of the policy ACL.
Command Mode
exec
Syntax Description
acl-name Name of the ACL to be modified.
condition cond-id ACL condition ID in integer or IP address format. The range of values is 1
to 4,294,967,295.
class class-name Class name applied to statements in the policy ACL.
Default
None
Usage Guidelines
Use the modify policy access-list command to modify, in real time, the action for the specified condition
referenced by statements in the policy ACL, without requiring reconfiguration of the policy ACL.
Note If the specified condition ID is already configured (using the condition command in access
control list configuration mode), the modify policy access-list command is ignored. If a
condition ID is configured using the condition command and the changes are saved, any
condition ID that may be currently applied using the modify policy access-list command at
runtime is immediately overwritten.
Examples
With the following configuration, using the modify policy access-list list_cond condition 200 deny
command will change the action of the ACL condition, 200, in statement 20 in the IP ACL, list_cond,
from permit to deny. However, using the modify policy access-list list_cond condition 100 permit
command will not affect the deny action of the ACL condition, 100, because it has already been
configured:
[local]Redback(config-ctx)#policy access-list list_cond
[local]Redback(config-access-list)#condition 100 time-range
[local]Redback(config-acl-condition)#absolute start 2005:01:01:01:00 end 2006:01:01:01:01 permit
[local]Redback(config-acl-condition)#exit
[local]Redback(config-access-list)#seq 10 deny tcp any any eq 80 cond 100
[local]Redback(config-access-list)#seq 20 permit tcp any any eq 81 cond 200
Related Commands
condition
modify ip access-list
policy access-list
periodic
periodic day... hh:mm to hh:mm {{permit | deny} | class class-name}
no periodic day... hh:mm to hh:mm
Purpose
Creates a periodic time access control list (ACL) condition statement.
Command Mode
ACL condition configuration
Syntax Description
day... One or more days of the week in which the ACL condition is applied.
hh:mm Hour and minute, for each specified day of the week, to start the ACL
condition.
to hh:mm Hour and minute, for each specified day of the week, to stop the ACL
condition.
permit Applies permit action, during the specified time ranges, to all ACL
statements that reference the ACL condition.
deny Applies deny action, during the specified time ranges, to all ACL statements
that reference the ACL condition. Used only with IP ACLs.
class class-name Name of the class assigned to policy ACL statements that reference the ACL
condition. Used only with policy ACLs.
Default
None
Usage Guidelines
Use the periodic command to create a periodic time ACL condition statement that permits or denies
packets, or assigns packets to a class, based on specific date and time ranges. A periodic time ACL
condition is referenced by either an IP ACL statement or a policy ACL statement.
Each ACL condition statement can include up to seven absolute or periodic time statements in any
combination.
Use the no form of this command to delete the periodic time ACL condition statement.
Examples
The following example creates a periodic ACL condition statement for the ACL condition, 55, which is
referenced by the policy ACL, policy_acl_2, such that the Bar003 class name is applied every
Wednesday from 9:00 p.m. to 11:00 p.m. (21:00 to 23:00 in 24-hour format) to packets assigned to the
Bar003 class:
[local]Redback(config-ctx)#policy access-list policy_acl_2
[local]Redback(config-access-list)#condition 55 time-range
[local]Redback(config-acl-condition)#periodic wednesday 21:00 to 23:00 class Bar003
Related Commands
absolute
condition
ip access-list
policy access-list
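The following Python model is an added illustration, not Redback code: it applies the rules stated in the modify ip access-list note and in the absolute and periodic command descriptions above (at most seven time statements per condition, a runtime modify action that is ignored for a condition ID already configured with the condition command and overwritten when that ID is configured later). It assumes, because the page does not say, that outside every active time window the ACL statement's own action applies and that a periodic to time is exclusive.

```python
"""SmartEdge-style ACL time-range conditions: an added model, not Redback code.

Models what the guide states: a condition holds up to seven absolute or periodic
time statements; while one is active, its action (permit/deny for an IP ACL, a
class name for a policy ACL) replaces the action of every ACL statement that
references the condition; the exec command 'modify ... access-list ... condition
ID ACTION' sets a runtime action only for an ID not configured with 'condition',
and configuring that ID afterwards overwrites the runtime action. Assumed here
(not stated on the page): outside every active window the ACL statement's own
action applies, and the periodic 'to' time is exclusive.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
MAX_TIME_STATEMENTS = 7  # per ACL condition, as the guide states


def parse_absolute(stamp: str) -> datetime:
    """Parse the yyyy:mm:dd:hh:mm form used on the page, e.g. 2005:01:01:01:00."""
    year, month, day, hour, minute = (int(part) for part in stamp.split(":"))
    return datetime(year, month, day, hour, minute)


def parse_hhmm(text: str) -> Tuple[int, int]:
    hour, minute = (int(part) for part in text.split(":"))
    return hour, minute


@dataclass
class TimeStatement:
    action: str                       # permit | deny | <class-name>
    start: Optional[datetime] = None  # set for 'absolute' statements
    end: Optional[datetime] = None
    days: Tuple[str, ...] = ()        # set for 'periodic' statements
    from_hm: Tuple[int, int] = (0, 0)
    to_hm: Tuple[int, int] = (0, 0)

    def active(self, now: datetime) -> bool:
        if self.start is not None:
            return self.start <= now <= self.end
        now_hm = (now.hour, now.minute)
        return DAYS[now.weekday()] in self.days and self.from_hm <= now_hm < self.to_hm


@dataclass
class Condition:
    cond_id: int
    statements: List[TimeStatement] = field(default_factory=list)

    def _add(self, stmt: TimeStatement) -> "Condition":
        if len(self.statements) >= MAX_TIME_STATEMENTS:
            raise ValueError("an ACL condition takes at most seven time statements")
        self.statements.append(stmt)
        return self

    def absolute(self, start: str, end: str, action: str) -> "Condition":
        return self._add(TimeStatement(action, parse_absolute(start), parse_absolute(end)))

    def periodic(self, days: str, start: str, end: str, action: str) -> "Condition":
        return self._add(TimeStatement(action, days=tuple(days.split()),
                                       from_hm=parse_hhmm(start), to_hm=parse_hhmm(end)))


class ConditionTable:
    """Conditions configured for one ACL plus runtime actions set with 'modify'."""

    def __init__(self) -> None:
        self.configured: Dict[int, Condition] = {}
        self.runtime: Dict[int, str] = {}

    def configure(self, cond: Condition) -> None:
        self.configured[cond.cond_id] = cond
        self.runtime.pop(cond.cond_id, None)  # saved configuration overwrites the runtime action

    def modify(self, cond_id: int, action: str) -> bool:
        """Exec-mode 'modify'; returns False when ignored because the ID is configured."""
        if cond_id in self.configured:
            return False
        self.runtime[cond_id] = action
        return True

    def effective_action(self, own_action: str, cond_id: Optional[int], now: datetime) -> str:
        """Action of an ACL statement that carries 'cond COND_ID', evaluated at 'now'."""
        if cond_id in self.configured:
            for stmt in self.configured[cond_id].statements:
                if stmt.active(now):
                    return stmt.action
            return own_action
        return self.runtime.get(cond_id, own_action)


def list_cond_example() -> ConditionTable:
    """The list_cond configuration from the modify ip access-list example above."""
    table = ConditionTable()
    table.configure(Condition(100).absolute("2005:01:01:01:00", "2006:01:01:01:01", "permit"))
    return table
```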
permit
[seq seq-num] permit [protocol] {src src-wildcard | any | host src} [{cond port | range port end-port}]
[max-sessions limit] [min-sessions limit] [dest dest-wildcard | any | host dest] [cond port |
range port end-port] [length {cond length | range length end-length}] [icmp-type icmp-type
[icmp-code icmp-code]] [igmp-type igmp-type] [dscp eq dscp-value] [established]
[precedence prec-value] [tos tos-value] [class class-name] [condition cond-id]
no seq seq-num
Purpose
Creates an IP or policy access control list (ACL) statement to allow packets that meet the specified criteria.
Command Mode
access control list configuration
Syntax Description
seq seq-num Optional. Sequence number for the statement. The range of values is
1 to 4,294,967,295.
protocol Optional. Number indicating a protocol as specified in RFC 1700, Assigned
Numbers. The range of values is 0 to 255 or one of the keywords listed in
Table 12-16.
src Source address to be included in the permit or deny criteria. An IP address in
the form A.B.C.D.
src-wildcard Indication of which bits in the source argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the src-wildcard argument mean that the corresponding bits in the
src argument must match; one-bits in the src-wildcard argument mean that the
corresponding bits in the src argument are ignored.
any Specifies a completely wildcarded source or destination IP address indicating
that IP traffic to or from all IP addresses is to be included in the permit or deny
criteria. Identical to 0.0.0.0 255.255.255.255.
host source Address of a single-host source with no wild-carded address bits. The
host source construct is identical to the src src-wildcard construct if the
wildcard address indicates that all bits should be matched (0.0.0.0).
cond Optional. Matching condition for the port or length argument, according to
one of the keywords listed in Table 12-17.
port Optional. Transmission Control Protocol (TCP) or User Datagram Protocol
(UDP) source or destination port. This argument is only available if you
specified TCP or UDP as the protocol. The range of values is 1 to 65,535 or
one of the keywords listed in Table 12-18 and Table 12-19.
range port end-port Optional. Beginning and ending TCP or UDP source or destination ports that
define a range of port numbers. A packet's port must fall within the specified
range to match the criteria. This construct is only available if you specified
TCP or UDP as the protocol. The range of values is 1 to 65,535 or one of the
keywords listed in Table 12-18 and Table 12-19.
max-sessions limit Optional. Maximum number of sessions allowed for the specified IP address
or IP subnet. This construct is only available for TCP. Use the ip access-list
command with the ssh-and-telnet-acl keyword to apply an IP ACL to packets
associated with a Secure Shell (SSH) or a Telnet server. The range of values
is 1 to 32.
min-sessions limit Optional. Minimum number of sessions allowed for the specified IP address
or IP subnet. This construct is only available if you specify TCP as the
protocol in this command and use the ip access-list command with the
ssh-and-telnet-acl keyword to apply an IP ACL to packets associated with an
SSH or a Telnet server. The range of values is 0 to 32.
The sum of values specified for the min-sessions limit construct for all
specified IP addresses or IP subnets must not exceed 32.
dest Optional. Destination address to be included in the permit or deny criteria. An
IP address in the form A.B.C.D.
dest-wildcard Indication of which bits in the dest argument are significant for purposes of
matching. Expressed as a 32-bit quantity in a 4-byte dotted-decimal format.
Zero-bits in the dest-wildcard argument mean that the corresponding bits in
the dest argument must match; one-bits in the dest-wildcard argument mean
that the corresponding bits in the dest argument are ignored.
length Optional. Indicates that packet length is to be used as a filter. The packet
length is the length of the network-layer packet, beginning with the IP header.
This is true irrespective of the specified protocol.
length Packet length. The range of values is 20 to 65,535.
range length end-length Packets that fall into the range of specified lengths. Each value (length and
end-length) can be from 20 to 65,535.
host dest Address of a single-host destination with no wildcarded address bits. The
host dest construct is identical to the dest dest-wildcard construct, if the
wildcard address indicates that all bits should be matched (0.0.0.0).
icmp-type icmp-type Optional. Type of Internet Control Message Protocol (ICMP) packet to be
matched. The range of values is 0 to 255 or one of the keywords listed in
Table 12-20. This argument is only available if you specify the ICMP
protocol.
icmp-code icmp-code Optional if you use the icmp-type icmp-type construct. A particular ICMP
message code to be matched. The range of values is 0 to 255. This argument is
only accepted if you specified icmp as the protocol argument.
igmp-type igmp-type Optional. Type of Internet Group Management Protocol (IGMP) packet to be
matched. This argument is only accepted if you specified igmp as the protocol
argument. The range of values is 0 to 15 or one of the keywords listed in
Table 12-21.
dscp eq dscp-value Optional. The packet's Differentiated Services Code Point (DSCP) value must be
equal to the value specified in the dscp-value argument to match the criteria.
The range of values is 0 to 63 or one of the keywords listed in Table 12-22.
established Optional. Specifies that only established connections are to be matched. This
keyword is only available if you specified tcp for the protocol argument.
precedence prec-value Optional. Precedence value of packets to be considered a match. The range of
values is 0 to 7, 7 being the highest precedence, or one of the keywords listed
in Table 12-23.
tos tos-value Optional. Type of service (ToS) to be considered a match. The range of values
is 0 to 15 or one of the keywords listed in Table 12-24.
class class-name Optional. Policy-based class name. Available for policy ACLs only.
condition cond-id Optional. ACL condition ID in integer or IP address format. The ID range of
values is 1 to 4,294,967,295.
Default
None
Usage Guidelines
Use the permit command to create the IP or policy ACL statement to allow packets that meet the specified
criteria.
The cond port and cond length constructs are mutually exclusive with the range port end-port and
range length end-length constructs.
You can use the optional max-sessions limit and min-sessions limit constructs to specify a maximum or
minimum number of simultaneous SSH or Telnet sessions allowed from an IP address or subnet. These
constructs are available if you use the service ssh server or service telnet server commands with the
access-group keyword to enable the SSH or Telnet protocol and apply the ACL. For statements where the
any keyword is specified for both source and destination, only the max-sessions limit construct applies.
If you specify a limit for both an IP address and the related subnet, the limit for the subnet takes precedence.
Similarly, a limit specified for a larger subnet takes precedence over limits specified for related smaller
subnets. From all sources combined, the SmartEdge OS supports up to 32 active Telnet and SSH sessions.
Use the no form of this command to delete the statement with the specified sequence number from the
ACL.
Note There is an implicit deny any any statement at the end of every ACL.
Table 12-16 lists the valid keyword substitutions for the protocol argument.
Table 12-16 Valid Keyword Substitutions for the protocol Argument
Keyword Definition
ahp Specifies Authentication Header Protocol.
esp Specifies Encapsulation Security Payload.
gre Specifies Generic Routing Encapsulation.
host Specifies host source address.
icmp Specifies Internet Control Message Protocol.
igmp Specifies Internet Group Management Protocol.
ip Specifies any IP protocol.
ipinip Specifies IP-in-IP tunneling.
ospf Specifies Open Shortest Path First.
pcp Specifies Payload Compression Protocol.
pim Specifies Protocol Independent Multicast.
tcp Specifies Transmission Control Protocol.
udp Specifies User Datagram Protocol.
Table 12-17 lists the valid keyword substitutions for the cond argument.
Table 12-17 Valid Keyword Substitutions for the cond Argument
Keyword Description
eq Specifies that values must be equal to those specified by the port or length argument.
gt Specifies that values must be greater than those specified by the port or length argument.
lt Specifies that values must be less than those specified by the port or length argument.
neq Specifies that values must not be equal to those specified by the port or length argument.
Table 12-18 lists the valid keyword substitutions for the port argument when it is used to specify a TCP
port.
Table 12-18 Valid Keyword Substitutions for the port Argument (TCP Port)
Keyword Definition Corresponding Port Number
bgp Border Gateway Protocol (BGP) 179
chargen Character generator 19
cmd Remote commands (rcmd) 514
daytime Daytime 13
discard Discard 9
domain Domain Name System 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname Network interface card (NIC) hostname server 101
ident Identification protocol 113
irc Internet Relay Chat 194
klogin Kerberos login 543
kshell Kerberos Shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp Protocol Independent Multicast Auto-RP 496
pop2 Post Office Protocol Version 2 109
pop3 Post Office Protocol Version 3 110
shell Remote command shell 514
smtp Simple Mail Transport Protocol 25
ssh Secure Shell 22
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp UNIX-to-UNIX Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80
Table 12-19 lists the valid keyword substitutions for the port argument when it is used to specify a UDP
port.
Table 12-19 Valid Keyword Substitutions for the port Argument (UDP Port)
Keyword Definition Corresponding Port Number
biff Biff (Mail Notification, Comsat) 512
bootpc Bootstrap Protocol client 68
bootps Bootstrap Protocol server 67
discard Discard 9
dnsix DNSIX Security Protocol Auditing 195
domain Domain Name System 53
echo Echo 7
isakmp Internet Security Association and Key Management Protocol (ISAKMP) 500
mobile-ip Mobile IP Registration 434
nameserver IEN116 Name Service (obsolete) 42
netbios-dgm NetBIOS Datagram Service 138
netbios-ns NetBIOS Name Service 137
netbios-ss NetBIOS Session Service 139
ntp Network Time Protocol 123
pim-auto-rp Protocol Independent Multicast Auto-RP 496
rip Router Information Protocol (router, in.routed) 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog System logger 514
tacacs Terminal Access Controller Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who Service (rwho) 513
xdmcp X Display Manager Control Protocol 177
Table 12-20 lists the valid keyword substitutions for the icmp-type argument.
Table 12-20 Valid Keyword Substitutions for the icmp-type Argument
Keyword Description
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
general-parameter-problem General parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for ToS
host-tos-unreachable Host unreachable for ToS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirects
net-redirect Network redirect
net-tos-redirect Network redirect for ToS
net-tos-unreachable Network unreachable for ToS
net-unreachable Network unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisement
router-solicitation Router discovery solicitation
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceeded messages
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given type of service (ToS) value
traceroute Traceroute
ttl-exceeded TTL Exceeded
unreachable All unreachables
Table 12-21 lists the valid keyword substitutions for the igmp-type argument.
Table 12-21 Valid Keyword Substitutions for the igmp-type Argument
Keyword Description
dvmrp Specifies Distance-Vector Multicast Routing Protocol.
host-query Specifies host query.
host-report Specifies host report.
pim Specifies Protocol Independent Multicast.
Table 12-22 lists the valid keyword substitutions for the dscp-value argument.
Table 12-22 Valid Keyword Substitutions for the dscp-value Argument
Keyword Definition
af11 Assured Forwarding Class 1/Drop precedence 1
af12 Assured Forwarding Class 1/Drop precedence 2
af13 Assured Forwarding Class 1/Drop precedence 3
af21 Assured Forwarding Class 2/Drop precedence 1
af22 Assured Forwarding Class 2/Drop precedence 2
af23 Assured Forwarding Class 2/Drop precedence 3
af31 Assured Forwarding Class 3/Drop precedence 1
af32 Assured Forwarding Class 3/Drop precedence 2
af33 Assured Forwarding Class 3/Drop precedence 3
af41 Assured Forwarding Class 4/Drop precedence 1
af42 Assured Forwarding Class 4/Drop precedence 2
af43 Assured Forwarding Class 4/Drop precedence 3
cs0 Class Selector 0
cs1 Class Selector 1
cs2 Class Selector 2
cs3 Class Selector 3
cs4 Class Selector 4
cs5 Class Selector 5
cs6 Class Selector 6
cs7 Class Selector 7
df Default Forwarding (same as cs0)
ef Expedited Forwarding
Table 12-23 lists the valid keyword substitutions for the prec-value argument.
Table 12-23 Valid Keyword Substitutions for the prec-value Argument
Keyword Description
routine Specifies routine precedence (value=0).
priority Specifies priority precedence (value=1).
immediate Specifies immediate precedence (value=2).
flash Specifies flash precedence (value=3).
flash-override Specifies flash override precedence (value=4).
critical Specifies critical precedence (value=5).
internet Specifies internetwork control precedence (value=6).
network Specifies network control precedence (value=7).
Table 12-24 lists the valid keyword substitutions for the tos-value argument.
Table 12-24 Valid Keyword Substitutions for the tos-value Argument
Keyword Description
max-reliability Specifies maximum reliable ToS (value=2).
max-throughput Specifies maximum throughput ToS (value=4).
min-delay Specifies minimum delay ToS (value=8).
min-monetary-cost Specifies minimum monetary cost ToS (value=1).
normal Specifies normal ToS (value=0).
Examples
The following example specifies that all IP traffic from subnet 10.25/16 is to be allowed. All other traffic
is dropped because of the implicit deny any any statement at the end of the ACL:
[local]Redback(config-ctx)#ip access-list protect201
[local]Redback(config-access-list)#permit ip 10.25.0.0 0.0.255.255 any
The following example shows how to use the seq keyword to edit the existing qos-acl-1 ACL, adding
a statement using sequence number 25:
[local]Redback#configure
[local]Redback(config)#context local
[local]Redback(config-ctx)#policy access-list qos-acl-1
[local]Redback(config-access-list)#seq 25 permit tcp 10.10.10.4 0.0.0.0 any eq 80
Related Commands
ip access-list
policy access-list
resequence ip access-list
resequence policy access-list
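The following Python model is an added illustration, not Redback code: it evaluates permit and deny statements the way the ip access-group and permit descriptions above specify (sequence order with first match deciding, src-wildcard bit semantics, the cond keywords of Table 12-17, one combined list for several ACL names, zero rules for an ACL that was never configured, no restriction when none of the named ACLs exists, and the implicit deny any any). The ACL contents and packets are constructed samples; the model assumes that the ACLs of a group are applied in the order they are listed.

```python
"""SmartEdge-style IP ACL evaluation: an added model, not Redback code.

Rules modelled from the guide: statements are tried in sequence order and the
first match decides; 1-bits of a wildcard are ignored when comparing addresses;
Table 12-17 cond keywords compare TCP/UDP ports; an access group naming several
ACLs is one combined list; an ACL that was never configured contributes zero
rules, and if none of the named ACLs exists all packets pass; otherwise an
implicit 'deny ip any any' ends the list. Assumed: ACLs apply in listed order.
"""
from collections import namedtuple
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}            # Table 12-16 subset
PORT_KEYWORDS = {"ssh": 22, "telnet": 23, "domain": 53, "www": 80}  # Tables 12-18/12-19 subset
COND_OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
            "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}    # Table 12-17
MASK32 = 0xFFFFFFFF
PortCond = Optional[Tuple[str, int]]  # (cond keyword, port) or None when no port is given
Statement = namedtuple("Statement", "acl seq action proto src sport dst dport")  # proto None: any
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))


class AddrSpec:
    """Address plus wildcard: 1-bits are ignored, 0-bits must match (src-wildcard semantics)."""

    def __init__(self, addr: int, wildcard: int) -> None:
        self.care = ~wildcard & MASK32
        self.addr = addr & self.care

    def matches(self, ip: int) -> bool:
        return (ip & self.care) == self.addr


def _addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'A.B.C.D WILDCARD', 'host A.B.C.D' or 'any' at token i."""
    if t[i] == "any":
        return AddrSpec(0, MASK32), i + 1  # identical to 0.0.0.0 255.255.255.255
    if t[i] == "host":
        return AddrSpec(int(IPv4Address(t[i + 1])), 0), i + 2
    return AddrSpec(int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def _port(t: List[str], i: int) -> Tuple[PortCond, int]:
    """Parse an optional 'COND PORT' (port number or keyword) at token i."""
    if i < len(t) and t[i] in COND_OPS:
        return (t[i], PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i


def parse_statement(acl: str, line: str, default_seq: int) -> Statement:
    """Parse '[seq N] {permit|deny} PROTO SRC [COND PORT] DST [COND PORT]'."""
    t, i, seq = line.split(), 0, default_seq
    if t[0] == "seq":
        seq, i = int(t[1]), 2
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _addr(t, i)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Statement(acl, seq, action, PROTOCOLS[proto], src, sport, dst, dport)


def _port_ok(cond: PortCond, value: int) -> bool:
    return cond is None or COND_OPS[cond[0]](value, cond[1])


def matches(s: Statement, p: Packet) -> bool:
    return ((s.proto is None or s.proto == p.proto)
            and s.src.matches(int(IPv4Address(p.src))) and _port_ok(s.sport, p.sport)
            and s.dst.matches(int(IPv4Address(p.dst))) and _port_ok(s.dport, p.dport))


class AccessGroup:
    """One 'ip access-group "NAME ..." {in|out} count' binding, evaluated as a combined ACL."""

    def __init__(self, acls: Dict[str, List[str]], names: List[str]) -> None:
        self.rules: List[Statement] = []
        for name in names:
            lines = acls.get(name, [])  # never configured -> zero rules
            stmts = [parse_statement(name, ln, n * 10) for n, ln in enumerate(lines, 1)]
            self.rules.extend(sorted(stmts, key=lambda s: s.seq))
        self.restricting = any(name in acls for name in names)
        self.counts: Dict[Tuple[str, int], int] = {}  # per-statement hits ('count' keyword)

    def evaluate(self, p: Packet) -> str:
        if not self.restricting:
            return "permit"  # no configured ACL in the group: no restriction in place
        for s in self.rules:
            if matches(s, p):
                self.counts[(s.acl, s.seq)] = self.counts.get((s.acl, s.seq), 0) + 1
                return s.action
        return "deny"  # implicit deny ip any any


# Constructed sample context; SmartFilter is referenced by the group but never configured.
CONFIGURED_ACLS = {
    "WebCacheACL": ["permit tcp any any eq www",
                    "seq 20 deny tcp 10.25.0.0 0.0.255.255 any eq telnet"],
    "protect201": ["permit ip 10.25.0.0 0.0.255.255 any"],
}


def demo_group() -> AccessGroup:
    return AccessGroup(CONFIGURED_ACLS, ["WebCacheACL", "SmartFilter", "protect201"])
```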
policy access-list
policy access-list acl-name
no policy access-list acl-name
Purpose
Creates or selects a policy access control list (ACL) and enters access control list configuration mode.
Command Mode
context configuration
Syntax Description
acl-name Policy ACL name.
Default
None
Usage Guidelines
Use the policy access-list command to create or select a policy ACL and to enter access control list
configuration mode.
Use the no form of this command to remove the policy ACL.
Note If a forward policy, Network Address Translation (NAT) policy, or quality of service (QoS)
policy references a policy ACL that does not exist, the reference is ignored.
Examples
The following example creates a policy ACL to define Web and VOIP traffic types on a circuit, and uses
the policy ACL in a QoS metering policy, marking these packet types as DF and AF11, respectively. All
other traffic is marked as DF also:
[local]Redback(config-ctx)#policy access-list QoSACL-1
[local]Redback(config-access-list)#permit tcp any any eq 80 class Web
[local]Redback(config-access-list)#permit udp any any eq 1000 class VOIP
[local]Redback(config-access-list)#permit any any class default
[local]Redback(config-access-list)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#qos policy PolicingAndMarking policing
[local]Redback(config-policy-policing)#access-group QoSACL-1
[local]Redback(config-policy-group)#class Web
[local]Redback(config-policy-group-class)#mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class VOIP
[local]Redback(config-policy-group-class)#mark dscp AF11
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class default
[local]Redback(config-policy-group-class)#mark dscp DF
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-policing)#exit
[local]Redback(config)#port ethernet 3/0
[local]Redback(config-port)#bind interface FromSubscriber local
[local]Redback(config-port)#qos policy policing PolicingAndMarking
Related Commands
forward policy
nat policy
permit
qos policy metering
qos policy policing
resequence policy access-list
resequence ip access-list
resequence ip access-list acl-name
Purpose
Reassigns sequence numbers to the entries in the specified IP access control list (ACL) to be in increments
of 10.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL to be resequenced.
Default
No resequencing is performed.
Usage Guidelines
Use the resequence ip access-list command to reassign sequence numbers to the entries in the specified IP
ACL to be in increments of 10. This command is useful if manually assigned sequence numbers have left
no room between entries for additional entries.
Examples
The following example resequences the statements in the ACL, fremont1:
[local]Redback(config-ctx)#resequence ip access-list fremont1
Related Commands
ip access-list
resequence policy access-list
resequence policy access-list acl-name
Purpose
Reassigns sequence numbers to the entries in the specified policy access control list (ACL) to be in
increments of 10.
Command Mode
context configuration
Syntax Description
acl-name Name of the ACL to be resequenced.
Default
No resequencing is performed.
Usage Guidelines
Use the resequence policy access-list command to reassign sequence numbers to the entries in the
specified policy ACL to be in increments of 10. This command is useful if manually assigned sequence
numbers have left no room between entries for additional entries.
Examples
The following example resequences the statements in the policy ACL, oakland2:
[local]Redback(config-ctx)#resequence policy access-list oakland2
Related Commands
policy access-list
Part 5
IP Service Policies
This part describes the tasks and commands used to configure Network Address Translation (NAT)
policies, forward policies, and service policies. It consists of the following chapters:
Chapter 13, NAT Policy Configuration
Chapter 14, Forward Policy Configuration
Chapter 15, Service Policy Configuration
Chapter 13
NAT Policy Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS Network Address
Translation (NAT) policy features.
For information about the tasks and commands used to monitor, troubleshoot, and administer NAT policies,
see the NAT Policy Operations chapter in the IP Services and Security Operations Guide for the
SmartEdge OS.
This chapter contains the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
Through NAT, hosts using unregistered IP addresses on an internal, private network can connect to hosts
on the Internet, and conversely. NAT translates the private (not globally unique) addresses in the internal
network into public IP addresses before packets are forwarded onto another network. Network Address and
Port Translation (NAPT) translates a private network and its Transmission Control Protocol/User Datagram
Protocol (TCP/UDP) port on the internal network into a public address and its TCP/UDP ports. By using
port multiplexing, NAPT enables multiple hosts on a private network to simultaneously access remote
networks through a single IP address.
NAT policies can contain a combination of static and dynamic translation actions as well as drop and ignore
actions, and can be applied to all packets traveling across a circuit, or to a particular class of packets using
a policy access control list (ACL). The default NAT policy action is drop.
Figure 13-1 illustrates how NAT translates private source IP addresses to public addresses.
Note NAT policies are not supported for subscriber sessions that use the Layer 2 Tunneling
Protocol (L2TP) and that are terminated at the SmartEdge router when it is acting as an L2TP
network server (LNS). If you inadvertently apply a NAT policy to such a subscriber, the
session comes up because the policy has no effect on it.
Figure 13-1 NAT Process
The SmartEdge OS implementation of NAT supports traditional NAT. In a traditional NAT, sessions are
unidirectional, outbound from the private network. Sessions in the opposite direction may be allowed on
an exception basis, using static address maps for preselected hosts. It is assumed that NAT policies are
applied on private interfaces only because applying them on public interfaces would profoundly affect
performance.
The SmartEdge OS implementation of NAT is described in the following sections:
Static Translation
Dynamic Translation
Destination IP Address Translation
Policy ACLs
NAT DMZ
Session Limit Control
Summary
Static Translation
With static translation, the private source IP addresses and TCP or UDP ports and the NAT addresses and
the ports to which they are translated are fixed numbers.
Note NAT is also known as source NAT or SNAT.
Note In this chapter, the terms, incoming and outgoing, refer to the direction of the packets passing
through the interface. The terms, outbound and inbound, refer to the direction of the packet
flow from the private network to the public network, and from the public network to the
private network, respectively.
Dynamic Translation
With dynamic translation, the SmartEdge OS translates the private source IP addresses and TCP or UDP
ports to the NAT addresses and ports. At runtime, the SmartEdge OS selects the NAT addresses and ports
from a pool of global IP addresses (referred to as a NAT pool). With dynamic translation, you can also
modify the period after which translations time out.
NAPT also supports dynamic translation of subsets of TCP/UDP ports, referred to as port blocks. The port
number space of the TCP/UDP ports is divided into 16 port blocks, numbered 0 to 15; each port block
consists of 4,096 port numbers. Port block granularity allows the sharing of a single IP address between
NAT pools, and thus between NAT policies and traffic cards, with each pool having the IP address with a
unique subset of TCP/UDP port blocks assigned to it.
Policy ACLs
A policy ACL defines classes of packets using classification statements (rules). Each policy ACL supports
up to eight unique classes. You can classify a packet according to its IP precedence value, protocol number,
IP source and destination address, Internet Control Message Protocol (ICMP) attributes, Internet Group
Management Protocol (IGMP) attributes, TCP attributes, and UDP attributes.
When you include the destination, drop, ignore, pool, admission-control, and timeout commands (in
NAT policy configuration mode) in a NAT policy, the specified action is applied to all packets traveling
across the interface or subscriber circuit or, if an ACL is referenced, to packets that do not belong to the
classes specified by the ACL and by the NAT policy. These packets are referred to as belonging to the
default class.
When you include the destination, drop, ignore, pool, admission-control, and timeout commands (in
class configuration mode) in a policy ACL, the specified action is applied only to packets belonging to the
specified class.
To configure class-based actions for a circuit, you apply a policy ACL to a NAT policy, specify the action
for each class that you want the policy to take, and then attach the NAT policy to the circuit. For more
information about policy ACLs, see Chapter 12, ACL Configuration.
Note When just the IP address is translated, static NAT is referred to as basic static NAT. Static NAT
includes both basic static NAT and static NAPT.
Note Static translations require manual configuration of the static IP routes and the static IP ARP
entries for the NAT addresses.
Note When just the IP address is translated, dynamic NAT is referred to as basic dynamic NAT.
Dynamic NAT includes both basic dynamic NAT and dynamic NAPT.
Note The pool and timeout commands apply only to dynamic NAT. The admission-control and
destination commands apply only to dynamic NAPT.
Destination IP Address Translation
The SmartEdge OS allows you to configure a NAT policy or its class to use a specified destination IP
address instead of the original destination IP address. Using the destination command, you can configure
Destination NAT (DNAT) to redirect traffic destined for the original address to a different specified address.
On the return path, the source address of the incoming traffic is translated to the original destination address
of the outgoing packet, so the returning traffic appears to be sent from the original destination address.
You can enable DNAT with or without the SmartEdge OS having to perform NAT.
You can use DNAT both with and without NAT in the same configuration.
NAT DMZ
The SmartEdge OS also provides support for the demilitarized zone (DMZ) feature in NAT policies. You
can configure a DMZ rule in a NAT policy to translate traffic returning to the SmartEdge router that does
not satisfy any of the conditions for static or dynamic NAT that you have specified in that NAT policy. The
basic NAT specified by the DMZ rule changes the destination IP address of the packet to a fixed private IP
address of a DMZ host server without changing the TCP/UDP port number.
Three types of applications might require a DMZ host server:
You use your own tools to do extensive logging and analysis of the packets that would be dropped by
the NAT policy.
You do not know the exact TCP/UDP port numbers, or there are too many ports, that need to be opened
by static NAPT rules to allow access to applications.
You need a workaround for applications that do not work with NAPT, because they use protocols other
than UDP or TCP, or require IP packet fragmentation.
The following differences apply to a private network with a DMZ host server:
A DMZ rule in a NAT policy does not affect non-DMZ hosts on the internal network that use static or
dynamic NAPT, except that returning traffic for dynamic UDP sessions is now subject to source IP
address verification.
Non-DMZ hosts can use basic static or basic dynamic NAT, although such configurations might not
seem practical.
The DMZ host server cannot use basic static NAT, basic dynamic NAT, and dynamic NAPT, but can
still use static NAPT.
Session Limit Control
Session limit control allows you to set session limits independently for TCP, UDP, and ICMP sessions from
the subscriber to the network. The SmartEdge OS does not limit sessions from the network to the
subscriber.
The following restrictions apply to the NAT implementation of session limit control:
Session limit control is a modification of a NAT policy; it applies to any circuit that has that NAT policy
attached.
Session limit control is supported on Ethernet, Gigabit Ethernet, and ATM OC-3 traffic cards.
The SmartEdge OS applies the session limit at the IP level; it is available for LNS circuits, but not when
the SmartEdge router is configured as an L2TP access concentrator (LAC).
You can set a session limit to support up to 65,535 sessions on a circuit.
Summary
The order in which the conditions in a NAT policy are checked to determine the action for a packet is as
follows:
1. The conditions set by the policy static translations.
2. The conditions set by the policy ACL.
3. If the conditions in step 1 and step 2 are not satisfied, the action for the packet is determined by the
default class action, if the policy ACL exists, or by the NAT policy action.
For more information about NAT, see RFC 3022, Traditional IP Network Address Translator (NAT) and
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.
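The decision order just described, modelled in Python. This is an added example and is not code from this guide or from the SmartEdge OS; it reproduces only the order stated above (static translations, then policy ACL classes, then the default class action or the NAT policy action, which is drop by default) and builds its policy from the NAT Policy with Static and Dynamic Translations example later in this chapter. The CLASS2 destination (DNAT) class, the pool addresses and the test traffic are constructed, and the round-robin choice of a pool address is an assumption that stands in for the router's own allocation.

```python
"""Decision order of a SmartEdge OS NAT policy, modelled in Python.

Added example: not code from this guide or from the SmartEdge OS. Only the
evaluation order is taken from the chapter: (1) static translations,
(2) policy ACL classes, (3) the default class action when a policy ACL
exists, otherwise the NAT policy action, which is drop by default.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticRule:
    """ip static in [tcp|udp] source priv_ip [priv_port] pub_ip [pub_port].
    proto None models basic static NAT: address only, any protocol or port."""
    priv_ip: str
    pub_ip: str
    proto: Optional[str] = None
    priv_port: Optional[int] = None
    pub_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if p.src != self.priv_ip:
            return False
        return self.proto is None or (p.proto == self.proto and p.sport == self.priv_port)


@dataclass(frozen=True)
class AclRule:
    """seq N permit ip <source prefix> class <name> (source-prefix matching only)."""
    seq: int
    src_prefix: str
    class_name: str


@dataclass(frozen=True)
class ClassAction:
    action: str                        # "pool", "drop" or "ignore"
    pool: Tuple[str, ...] = ()         # NAT pool addresses, used when action == "pool"
    destination: Optional[str] = None  # DNAT target, applied on top of the action


@dataclass
class NatPolicy:
    statics: List[StaticRule] = field(default_factory=list)
    acl: List[AclRule] = field(default_factory=list)
    classes: Dict[str, ClassAction] = field(default_factory=dict)
    default: ClassAction = ClassAction("drop")  # NAT policy action; drop unless configured
    dyn_map: Dict[str, str] = field(default_factory=dict, repr=False)

    def classify(self, p: Packet) -> Optional[str]:
        """The first ACL rule that matches, in sequence order, names the class."""
        for r in sorted(self.acl, key=lambda r: r.seq):
            if ip_address(p.src) in ip_network(r.src_prefix):
                return r.class_name
        return None

    def outbound(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (decision label, translated packet, or None when dropped)."""
        # 1. static translations are checked before anything else
        for s in self.statics:
            if s.matches(p):
                sport = s.pub_port if s.pub_port is not None else p.sport
                return "static", Packet(p.proto, s.pub_ip, sport, p.dst, p.dport)
        # 2. policy ACL class with an action in this policy; 3. otherwise the default
        cls = self.classify(p)
        if cls in self.classes:
            act, label = self.classes[cls], f"class {cls}"
        else:
            act, label = self.default, "default"
        if act.action == "drop":
            return f"{label}:drop", None
        dst = act.destination or p.dst  # DNAT: the destination command overrides the destination
        if act.action == "ignore":
            return f"{label}:ignore", Packet(p.proto, p.src, p.sport, dst, p.dport)
        # pool: basic dynamic NAT, one pool address per private host, assigned round robin
        # (constructed allocation policy, not the router's own)
        if p.src not in self.dyn_map:
            self.dyn_map[p.src] = act.pool[len(self.dyn_map) % len(act.pool)]
        return f"{label}:pool", Packet(p.proto, self.dyn_map[p.src], p.sport, dst, p.dport)


def build_example_policy() -> NatPolicy:
    """The chapter's 'NAT Policy with Static and Dynamic Translations' example, plus a
    constructed CLASS2 that applies DNAT without translating the source."""
    pol = NatPolicy()
    # ip static in tcp source 10.1.1.2 80 100.1.1.2 8080 / ip static in source 10.1.1.3 100.1.1.3
    pol.statics = [StaticRule("10.1.1.2", "100.1.1.2", "tcp", 80, 8080),
                   StaticRule("10.1.1.3", "100.1.1.3")]
    # policy access-list NAT-ACL: seq 10 permit ip 10.10.10.0 0.0.0.255 class CLASS3
    pol.acl = [AclRule(10, "10.10.10.0/24", "CLASS3"),
               AclRule(20, "10.10.20.0/24", "CLASS2")]  # constructed rule
    pol.default = ClassAction("pool", ("100.1.2.1", "100.1.2.2"))  # pool pool_dyn (100.1.2.0/24)
    pol.classes["CLASS3"] = ClassAction("pool", ("100.1.1.2",))    # pool pool_dyn_napt
    pol.classes["CLASS2"] = ClassAction("ignore", destination="64.233.167.100")  # constructed DNAT
    return pol
```

Calling outbound() with a packet from 10.1.1.2 on TCP port 80 hits the static NAPT rule regardless of the ACL; the same host on UDP does not match the rule and falls through to the default pool, which is the behaviour the Summary describes for packets that satisfy neither step 1 nor step 2.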
Configuration Tasks
Note In this chapter, the terms, session and connection, refer to a request to establish a connection
between a subscriber port (that is, an IP address and port tuple) and a host port (represented
by an IP address and port tuple). These requests can be initiated from a subscriber or from a
host, but you can only enable the SmartEdge OS to limit the requests initiated by the
subscriber or initiated on another system, sent to the subscriber, and accepted by that
subscriber.
When multiple sessions are initiated from the same IP address and port number on the
subscriber side, they are counted as a single connection by the SmartEdge OS.
Note The sum of the configured session limit control numbers for a traffic card can exceed the
maximum number of sessions (approximately one million) allowed by the amount of memory
on the traffic card. In that case, some circuits might be unable to reach their configured
maximum session limit.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
To configure NAT policies, perform the tasks described in the following sections:
Configure a NAT Policy with Static Translations
Configure a NAT Policy with a DMZ Host Server
Configure a NAT Policy with Dynamic Translations
Apply a Policy ACL to a NAT Policy
Configure a NAT Policy with Static Translations
To configure a NAT policy with static translations, perform the tasks described in Table 13-1.

Table 13-1 Configure a NAT Policy with Traditional Static Translations
1. Configure a NAT policy name and access NAT policy configuration mode.
   Root command: nat policy
   Enter this command in context configuration mode.
2. Translate the source IP address for incoming packets on the interface or the subscriber circuit to which
   the NAT policy will be attached in the private network.
   Root command: ip static in
   Enter this command in NAT policy configuration mode. The destination IP address of incoming packets is
   translated in the reverse direction. Use the optional tcp or udp keyword to translate the source address
   and source port number of the TCP/UDP packets.
3. Translate the source IP address for outgoing packets on the interface or the subscriber circuit to which
   the NAT policy will be attached in the private network.
   Root command: ip static out
   Enter this command in NAT policy configuration mode. The destination IP address of incoming packets is
   translated in the reverse direction.
4. Translate the destination IP address for those inbound packets (on the interface or subscriber circuit to
   which the NAT policy will be attached) that do not satisfy any condition for static or dynamic translation
   in the policy.
   Root command: ip dmz
   Enter this command in NAT policy configuration mode. The source IP address is translated in the
   outbound direction.
5. Optional. Apply a policy ACL.
   See the Apply a Policy ACL to a NAT Policy section.
6. Attach the policy to an interface or subscriber, using one of the following tasks:
   - To an interface.
     Root command: ip nat
     Enter this command in interface configuration mode.
   - To a subscriber record, named profile, or default profile.
     Root command: nat policy-name
     Enter this command in subscriber configuration mode.
Note For information about configuring interfaces and subscribers, see the Interface Configuration chapter
and the Subscriber Configuration chapter, respectively, in the Basic System Configuration Guide for the
SmartEdge OS.

Configure a NAT Policy with a DMZ Host Server
To configure a NAT policy with a DMZ host server, perform the tasks described in Table 13-2.

Table 13-2 Configure a NAT Policy with a DMZ Host Server
1. Configure a NAT policy name and access NAT policy configuration mode.
   Root command: nat policy
   Enter this command in context configuration mode.
2. Translate the destination IP address for those outgoing packets (on the interface or subscriber circuit to
   which the NAT policy will be attached) that do not satisfy any of the static or dynamic rules in the policy.
   Root command: ip dmz
   Enter this command in NAT policy configuration mode. The destination IP address of incoming packets is
   translated in the reverse direction.
3. Attach the policy to an interface or subscriber, using one of the following tasks:
   - To an interface.
     Root command: ip nat
     Enter this command in interface configuration mode.
   - To a subscriber record, named profile, or default profile.
     Root command: nat policy-name
     Enter this command in subscriber configuration mode.

Configure a NAT Policy with Dynamic Translations
To configure a NAT policy with dynamic translations, perform the tasks described in Table 13-3; enter all
commands in NAT policy configuration mode, unless otherwise noted.

Table 13-3 Configure a NAT Policy with Dynamic Translations
1. Create or select a NAT pool and access NAT pool configuration mode.
   Root command: ip nat pool
   Enter this command in context configuration mode. Use the napt keyword to indicate that the addresses
   associated with the pool will be used for NAPT policies. Use the multibind keyword to enable the NAT pool
   to be applied to multibind interfaces.
2. Configure the IP address, range of IP addresses, or the IP address with a range of TCP/UDP port blocks for
   the NAT pool.
   Root command: address
   Enter this command in NAT pool configuration mode. Enter this command multiple times to configure
   several IP addresses, address ranges, and IP addresses with port blocks for the NAT pool.
3. Create or select a policy and access NAT policy configuration mode.
   Root command: nat policy
   Enter this command in context configuration mode.
4. Optional. Specify the maximum number of sessions allowed for the specified protocol for each circuit.
   Root command: connections
5. Specify the action to take on packets not associated with a class with one of the following tasks:
   Any of these actions is applied to packets not associated with a class if a policy ACL is applied to this
   NAT policy.
   - Translate the source IP addresses of the packets using the pool of IP addresses (created in step 1).
     Root command: pool
   - Drop packets.
     Root command: drop
   - Forward packets without translating their source IP addresses.
     Root command: ignore
6. Optional. Modify the period after which translations time out.
   Root command: timeout
   Enter this command only if you have specified the pool command (in step 5). This timeout is used for
   packets not associated with a class, if a policy ACL is applied to this NAT policy.
7. Optional. Enable session limit control for the default class for the specified protocol.
   Root command: admission-control
8. Optional. Overwrite the destination IP address.
   Root command: destination
9. Optional. Apply a policy ACL to this policy.
   See the Apply a Policy ACL to a NAT Policy section.
10. Attach the NAT or NAPT policy to an interface or subscriber, using one of the following tasks:
   - To an interface.
     Root command: ip nat
     Enter this command in interface configuration mode.
   - To a subscriber record, named profile, or default profile.
     Root command: nat policy-name
     Enter this command in subscriber configuration mode.

Apply a Policy ACL to a NAT Policy
To apply a policy ACL to packets associated with a dynamic NAT policy and complete the configuration
of the policy, perform the tasks described in Table 13-4; enter all commands in policy group class
configuration mode, unless otherwise noted.

Table 13-4 Apply a Policy ACL to a NAT Policy
1. Apply a policy ACL to a dynamic NAT policy and access policy group configuration mode.
   Root command: access-group
   Enter this command in NAT policy configuration mode.
2. Specify a class and access class configuration mode.
   Root command: class
   Enter this command in policy group configuration mode. For a class-based action to occur, the class name
   must match one of the class names defined in the policy ACL.
3. Specify the action to take on packets associated with the class with one of the following tasks:
   Enter any of these commands in policy group class configuration mode.
   - Translate the source IP addresses of the packets using the pool of IP addresses.
     Root command: pool
   - Drop packets associated with the class.
     Root command: drop
   - Forward packets associated with the class without translating their source IP addresses.
     Root command: ignore
4. Optional. Modify the period after which translations time out.
   Root command: timeout
   Enter this command only if you have specified the pool command (in step 3). Enter this command in
   policy group class configuration mode.
5. Optional. Enable session limit control for this class for the specified protocol.
   Root command: admission-control
6. Optional. Overwrite the destination IP address.
   Root command: destination
Configuration Examples
This section provides configuration examples for:
NAT Policy with Static Translation
NAT Policy with Static NAPT
NAT Policy with Static Translation and a DMZ Host Server
NAT Policy with Dynamic Translation and an Ignore Action
NAT Policy with Dynamic NAPT and a Drop Action
NAT Policy with Static and Dynamic Translations
NAT Policy with DNAT
NAT Policy with Session Limit Control
NAT Policy with Static Translation
The following example configures a NAT policy with static translations:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
NAT Policy with Static NAPT
The following example configures a static NAPT policy:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.1.3 80 100.1.1.3 8080
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
NAT Policy with Static Translation and a DMZ Host Server
The following example configures a NAT policy with static translation, two internal hosts, and a DMZ host
server:
! Configure context, NAT policy, and interface for private network
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip dmz source 10.1.1.1 100.1.1.1 context local
[local]Redback(config-policy-nat)#ip static in source 10.1.1.2 100.1.1.2
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface if-private
[local]Redback(config-if)#ip address 10.1.1.1/24
[local]Redback(config-if)#ip nat p2
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
! Configure context, NAT policy, and interface for public network
[local]Redback(config)#context public
[local]Redback(config-ctx)#interface if-public
[local]Redback(config-if)#ip address 100.1.1.1/24
! Configure an Ethernet port for the private network
[local]Redback(config)#port ethernet 3/1
[local]Redback(config-port)#bind interface if-private local
[local]Redback(config-port)#no shutdown
! Configure an Ethernet port for the public network
[local]Redback(config)#port ethernet 5/1
[local]Redback(config-port)#bind interface if-public public
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
Figure 13-2 illustrates the network configuration for the example.
Figure 13-2 Private Network with NAT DMZ Host Server
NAT Policy with Dynamic Translation and an Ignore Action
The following example creates a policy ACL and applies it to a NAT policy with dynamic translations in
which all packets except those classified as CLASS3 are ignored (that is, the NAT policy is not applied to
them). All source IP addresses for incoming packets classified as CLASS3 are translated using IP addresses
from the pool_dyn pool:
! Create the NAT pool
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 11.11.11.0/24
[local]Redback(config-nat-pool)#exit
! Create the policy ACL
[local]Redback(config-ctx)#policy access-list NAT-ACL
[local]Redback(config-access-list)#seq 10 permit ip 10.10.10.0 0.0.0.255 class CLASS3
[local]Redback(config-access-list)#exit
! Create the NAT policy and apply the policy ACL
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#ignore
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn local
NAT Policy with Dynamic NAPT and a Drop Action
The following example configures a NAPT policy with dynamic translations in which all packets, except
those classified as CLASS3, are dropped. Source IP addresses and their TCP/UDP ports for packets
classified as CLASS3 are translated using the IP address and its TCP/UDP port blocks 1 to 15 from the
pool_dyn_napt pool:
[local]Redback(config-ctx)#ip nat pool pool_dyn_napt napt
[local]Redback(config-nat-pool)#address 11.11.11.1/32 port-block 1 to 15
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#drop
[local]Redback(config-policy-nat)#access-group NAT_ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn_napt local
NAT Policy with Static and Dynamic Translations
The following example configures a NAT policy that uses a combination of static and dynamic, basic NAT
and NAPT, and applies a policy ACL:
[local]Redback(config-ctx)#ip nat pool pool_dyn
[local]Redback(config-nat-pool)#address 100.1.2.0/24
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#ip nat pool pool_dyn_napt napt
[local]Redback(config-nat-pool)#address 100.1.1.2/32 port-block 1
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#pool pool_dyn local
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#pool pool_dyn_napt local
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.1.2 80 100.1.1.2 8080
[local]Redback(config-policy-nat)#ip static in source 10.1.1.3 100.1.1.3
NAT Policy with DNAT
The following example configures a NAT policy that uses DNAT, both with and without NAT, within a
single NAT policy. A predefined destination address is configured for the NAT-CLASS1 and NAT-CLASS2
classes within the NAT policy NAT-POLICY. For all packets from class NAT-CLASS1, the destination
address of each packet is replaced by 64.233.167.100 so that all packets from class NAT-CLASS1 are
forwarded to that address. On the return path, a reverse translation from 64.233.167.100 to the original
destination address is performed so that the returning traffic appears to be sent from the original destination
address. For the NAT-CLASS2 class, the destination address of each packet is translated exactly the same
way as for class NAT-CLASS1, but the source address is not translated:
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS1
[local]Redback(config-policy-acl-class)#pool NAT-POOL1 local
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
[local]Redback(config-policy-acl)#class NAT-CLASS2
[local]Redback(config-policy-acl-class)#ignore
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
NAT Policy with Session Limit Control
The following example configures a NAT policy that uses session limit control for both the default class
and a subset of named classes. Assuming that packets do not match either of the two static rules (which
have higher priority), the following processing takes place:
Packets classified into CLASS2 are NAT-translated using pool2 addresses and no session limit
control is applied (the default state).
Packets classified into CLASS3 are unchanged and session limit control is applied to TCP sessions with
a maximum number of TCP sessions set to 100.
All other packets (that is, those of the default class) are translated using pool1 addresses and
session limit control is applied to TCP sessions with a maximum number of TCP sessions set to 100.
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy pol1
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.3.3 80 100.1.3.3 8080
[local]Redback(config-policy-nat)#ip static in tcp source 10.1.4.3 80 100.1.3.4 8080
[local]Redback(config-policy-nat)#connections tcp 100
! Default class
[local]Redback(config-policy-nat)#pool pool1 local
[local]Redback(config-policy-nat)#timeout tcp
[local]Redback(config-policy-nat)#admission-control tcp
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS2
[local]Redback(config-policy-group-class)#pool pool2
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp
[local]Redback(config-policy-group-class)#exit
[local]Redback(config-policy-group)#exit
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#exit
Note Specify the connections command (in NAT policy configuration mode) for the policy; then
specify the admission-control command for each class (including the default one) for which
you want the session limit to be enforced.
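How the connections and admission-control commands interact, as an added Python example that is not code from this guide or from the SmartEdge OS. It follows the rules stated in the Session Limit Control overview and in the notes under Configuration Tasks: one per-circuit limit per protocol for the policy, enforcement switched on per class, only subscriber-initiated sessions limited, sessions from the same subscriber address and port counted once, and a limit of at most 65,535. The class layout matches the example above (CLASS2 without a limit, CLASS3 and the default class with a TCP limit of 100); the circuit names and subscriber hosts are constructed.

```python
"""Session limit control of a NAT policy, modelled in Python.

Added example: not code from this guide or from the SmartEdge OS. The rules are
the ones this chapter states: connections sets one per-circuit limit per
protocol for the whole policy; admission-control turns enforcement on per class
(the default class included); only sessions initiated from the subscriber side
are limited; requests from the same subscriber IP address and port count as one
connection; a limit may be at most 65,535. Circuit names and hosts are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

MAX_SESSION_LIMIT = 65535  # largest per-circuit limit the chapter allows


def limit_accepted(maximum: int) -> bool:
    """True if a connections maximum of this size is within range."""
    return 1 <= maximum <= MAX_SESSION_LIMIT


@dataclass
class SessionLimitControl:
    limits: Dict[str, int] = field(default_factory=dict)          # proto -> max per circuit
    admission: Dict[str, Set[str]] = field(default_factory=dict)  # class -> protocols enforced
    # (circuit, proto) -> distinct subscriber (ip, port) tuples counted so far
    active: Dict[Tuple[str, str], Set[Tuple[str, int]]] = field(
        default_factory=lambda: defaultdict(set))

    def set_limit(self, proto: str, maximum: int) -> None:
        """connections <proto> maximum <max-sess> (NAT policy configuration mode)."""
        if not limit_accepted(maximum):
            raise ValueError(f"maximum must be 1..{MAX_SESSION_LIMIT}")
        self.limits[proto] = maximum

    def enable(self, cls: str, proto: str) -> None:
        """admission-control <proto> for one class ("default" for the default class)."""
        self.admission.setdefault(cls, set()).add(proto)

    def admit(self, circuit: str, cls: str, proto: str, sub_ip: str, sub_port: int,
              from_subscriber: bool = True) -> bool:
        """Decide whether a new session request on this circuit is accepted."""
        if not from_subscriber:
            return True  # network-to-subscriber sessions are not limited
        if proto not in self.admission.get(cls, set()) or proto not in self.limits:
            return True  # no admission control for this class and protocol
        counted = self.active[(circuit, proto)]
        if (sub_ip, sub_port) in counted:
            return True  # same subscriber address and port: a single connection
        if len(counted) >= self.limits[proto]:
            return False  # the circuit's limit for this protocol is reached
        counted.add((sub_ip, sub_port))
        return True

    def count(self, circuit: str, proto: str) -> int:
        return len(self.active[(circuit, proto)])


def admit_many(slc: SessionLimitControl, circuit: str, cls: str, proto: str,
               sub_ip: str, first_port: int, n: int) -> int:
    """Request n sessions on consecutive subscriber ports; return how many were admitted."""
    return sum(slc.admit(circuit, cls, proto, sub_ip, first_port + i) for i in range(n))


def build_example() -> SessionLimitControl:
    """connections tcp 100, admission-control tcp on the default class and CLASS3,
    nothing on CLASS2: the classes of the session limit control example above."""
    slc = SessionLimitControl()
    slc.set_limit("tcp", 100)
    slc.enable("default", "tcp")
    slc.enable("CLASS3", "tcp")
    return slc
```

Because the counter is keyed by circuit and protocol rather than by class, a CLASS3 host that has used up the 100 TCP sessions on a circuit also blocks new TCP sessions of the default class on that same circuit, while CLASS2, UDP, network-initiated sessions and other circuits are unaffected.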
Command Descriptions
This section describes the syntax and usage guidelines for the commands used to configure NAT policies.
The commands are presented in alphabetical order:
address
admission-control
connections
destination
drop
ignore
ip dmz
ip nat
ip nat pool
ip static in
ip static out
nat policy
nat policy-name
pool
timeout
address
address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr | ip-addr/32
port-block start-port-block [to end-port-block]}
no address {ip-addr netmask | ip-addr/prefix-length | start-ip-addr to end-ip-addr}
Purpose
Assigns an IP address, a range of IP addresses, or an IP address with one or more blocks of Transmission
Control Protocol/User Datagram Protocol (TCP/UDP) ports to the Network Address Translation (NAT)
pool.
Command Mode
NAT pool configuration
Syntax Description
ip-addr netmask IP address and subnet mask.
ip-addr/prefix-length IP address and prefix length.
start-ip-addr to end-ip-addr Starting IP address to ending IP address.
ip-addr/32 IP address and prefix length when specifying one or more blocks of
TCP/UDP port numbers.
port-block start-port-block Starting port block number. The range of values is 0 to 15.
to end-port-block Optional. Ending port-block number. If not entered, assigns only the
TCP/UDP port numbers in the port block specified by the
start-port-block argument. The range of values is 1 to 15.
Default
All TCP/UDP port numbers for the IP address are assigned to the NAT pool.
Usage Guidelines
Use the address command to assign the IP address and subnet mask, a range of IP addresses, or an IP
address with a range of TCP/UDP ports that will be included in the NAT pool. The TCP/UDP port number
space is divided into 16 blocks. Each block contains 4,096 sequential numbers. Blocks are numbered from
0 to 15. If you specify one or more blocks of TCP/UDP ports, you must specify 32 as the prefix length.
You can enter this command multiple times to assign multiple IP addresses, ranges of IP addresses, and an
IP address with TCP/UDP port blocks to a NAT pool.
Use the no form of this command to remove IP addresses from the NAT pool. If you enter the no form with
an IP address that was configured with the port-block keyword, the IP address and all its configured port
blocks are removed from the NAT pool.
Examples
The following example configures the NAT pool, NAT-1, and fills the pool with the IP address,
171.71.71.1, with all its TCP/UDP ports and the IP address, 171.71.72.2, with port blocks 1 to 3:
[local]Redback(config)#context ISP
[local]Redback(config-ctx)#ip nat pool NAT-1 napt
[local]Redback(config-nat-pool)#address 171.71.71.1/32
[local]Redback(config-nat-pool)#address 171.71.72.2/32 port-block 1 to 3
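Port-block arithmetic and the four forms of the address command, as an added Python example that is not code from this guide or from the SmartEdge OS. It covers the port blocks described under Dynamic Translation in the Overview as well as the rules for this command (16 blocks of 4,096 ports, /32 required with port-block, start block 0 to 15, end block 1 to 15 and not below the start). The parsed lines reuse the two addresses of the example above; the remaining pools and addresses are constructed, and treating an entry without port-block as owning all 16 blocks of each of its addresses is an assumption taken from the Default statement above.

```python
"""NAPT port blocks and the address forms of a NAT pool, modelled in Python.

Added example: not code from this guide or from the SmartEdge OS. It uses only
what the text states: 16 blocks of 4,096 ports numbered 0 to 15; port-block
needs a /32 prefix; start-port-block is 0 to 15, end-port-block 1 to 15; pools
may share an IP address only with disjoint port blocks. Sample lines other
than the two from the address command example are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Set, Tuple

BLOCK_SIZE = 4096
NUM_BLOCKS = 16
ALL_PORTS = BLOCK_SIZE * NUM_BLOCKS  # 65,536 ports per address without port-block


@dataclass(frozen=True)
class PoolEntry:
    first_ip: str                         # first IP address covered by the entry
    count: int                            # number of IP addresses covered
    blocks: FrozenSet[int] = frozenset()  # empty means every TCP/UDP port of each address

    @property
    def ports_per_address(self) -> int:
        return ALL_PORTS if not self.blocks else BLOCK_SIZE * len(self.blocks)


def port_range(block: int) -> Tuple[int, int]:
    """Inclusive TCP/UDP port range covered by one port block."""
    if not 0 <= block < NUM_BLOCKS:
        raise ValueError(f"port block must be 0..{NUM_BLOCKS - 1}")
    return block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE - 1


_RANGE = re.compile(r"^address\s+(\S+)\s+to\s+(\S+)$")
_PREFIX = re.compile(r"^address\s+([^/\s]+)/(\d+)(?:\s+port-block\s+(\d+)(?:\s+to\s+(\d+))?)?$")
_NETMASK = re.compile(r"^address\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_address(line: str) -> PoolEntry:
    """Parse one 'address ...' line of NAT pool configuration; ValueError if invalid."""
    line = line.strip()
    m = _RANGE.match(line)
    if m:  # start-ip-addr to end-ip-addr
        start, end = ip_address(m.group(1)), ip_address(m.group(2))
        if end < start:
            raise ValueError("end-ip-addr is below start-ip-addr")
        return PoolEntry(str(start), int(end) - int(start) + 1)
    m = _PREFIX.match(line)
    if m:  # ip-addr/prefix-length [port-block start [to end]]
        ip, plen, start_blk, end_blk = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        net = ip_network(f"{ip}/{plen}", strict=False)
        if start_blk is None:
            return PoolEntry(str(net.network_address), net.num_addresses)
        if plen != 32:
            raise ValueError("port-block requires a prefix length of 32")
        s = int(start_blk)
        e = int(end_blk) if end_blk is not None else s
        if not 0 <= s < NUM_BLOCKS:
            raise ValueError("start-port-block must be 0 to 15")
        if end_blk is not None and not (1 <= e < NUM_BLOCKS and e >= s):
            raise ValueError("end-port-block must be 1 to 15 and not below start-port-block")
        return PoolEntry(ip, 1, frozenset(range(s, e + 1)))
    m = _NETMASK.match(line)
    if m:  # ip-addr netmask
        net = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        return PoolEntry(str(net.network_address), net.num_addresses)
    raise ValueError(f"unrecognised address line: {line!r}")


def address_line_is_valid(line: str) -> bool:
    try:
        parse_address(line)
        return True
    except ValueError:
        return False


def pool_capacity(entries: Iterable[PoolEntry]) -> int:
    """Number of (address, port) pairs the pool can hand out for NAPT."""
    return sum(e.count * e.ports_per_address for e in entries)


def claimed_blocks(entries: Iterable[PoolEntry]) -> Set[Tuple[str, int]]:
    """(ip, block) pairs a pool owns; an entry without port-block owns all 16 per address."""
    out: Set[Tuple[str, int]] = set()
    for e in entries:
        blocks = e.blocks or frozenset(range(NUM_BLOCKS))
        for i in range(e.count):
            out.update((str(ip_address(e.first_ip) + i), b) for b in blocks)
    return out


def shared_blocks(pool_a: Iterable[PoolEntry], pool_b: Iterable[PoolEntry]) -> Set[Tuple[str, int]]:
    """Blocks both pools claim; non-empty means the pools cannot share the address."""
    return claimed_blocks(pool_a) & claimed_blocks(pool_b)
```

shared_blocks() is the check to run before giving two pools (and so two NAT policies or traffic cards) the same /32: the example pool above owns blocks 1 to 3 of 171.71.72.2, so a second pool may take blocks 4 to 15 of that address but not a range that includes block 3.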
Related Commands
ip nat pool
pool
admission-control
admission-control {icmp | tcp | udp}
no admission-control {icmp | tcp | udp}
Purpose
Enables or disables session limit control for the specified protocol.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
icmp Specifies the Internet Control Message Protocol (ICMP) as the protocol for which session
limit control is to be enabled.
tcp Specifies the Transmission Control Protocol (TCP) as the protocol for which session limit
control is to be enabled.
udp Specifies the User Datagram Protocol (UDP) as the protocol for which session limit control is
to be enabled.
Default
Session limit control is disabled for this access control list (ACL) class.
Usage Guidelines
Use the admission-control command to enable session limit control for the specified protocol. Session
limit control applies only to this ACL class in this Network Address Translation (NAT) policy. You can use
this command only when the action in the class is either ignore or pool, and the pool is a Network Address
and Port Translation (NAPT) pool.
Use the no form of this command to disable session limit control.
Examples
The following example enables TCP session limit control for the default ACL class in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#admission-control tcp
The following example enables TCP session limit control for CLASS3 in this NAT policy:
[local]Redback(config-policy-nat)#connections tcp 100
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class CLASS3
[local]Redback(config-policy-group-class)#ignore
[local]Redback(config-policy-group-class)#admission-control tcp
Related Commands
connections
Command Descriptions
13-18 IP Services and Security Configuration Guide
connections
connections {icmp | tcp | udp} maximum max-sess
no connections {icmp | tcp | udp}
Purpose
Specifies the maximum number of sessions allowed for the specified protocol for each circuit.
Command Mode
NAT policy configuration
Syntax Description
icmp   Specifies the Internet Control Message Protocol (ICMP) as the protocol for which session limit control is to be enabled.
tcp   Specifies the Transmission Control Protocol (TCP) as the protocol for which session limit control is to be enabled.
udp   Specifies the User Datagram Protocol (UDP) as the protocol for which session limit control is to be enabled.
maximum max-sess   Maximum number of sessions allowed for this protocol for each circuit to which you have applied this Network Address Translation (NAT) policy. The range of values is 1 to 65,535.
Default
The maximum number of sessions is not specified.
Usage Guidelines
Use the connections command to specify the maximum number of sessions allowed for the specified protocol for each circuit.
The maximum number that you specify applies to all access control list (ACL) classes, including the default class, for which you have specified admission control using the admission-control command (in NAT policy configuration mode).
If the maximum number of sessions for a specific protocol is not specified using this command, the admission control for that protocol, if specified using the admission-control command (in NAT policy or policy group class configuration mode), is ignored.
Use the no form of this command to specify the default condition.
Examples
The following example specifies 100 as the maximum number of TCP sessions for each circuit:
[local]Redback(config-policy-nat)#connections tcp maximum 100
Related Commands
admission-control
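The interaction between the connections and admission-control commands is easy to get wrong: a class-level admission-control setting is silently ignored until the policy also carries a connections maximum for that protocol, and the limit is counted per circuit, not per class. The following added example (illustration only, not SmartEdge OS code) models those rules; circuit identifiers, class names other than CLASS3, and the policy name are constructed, and counting every session on a circuit toward the limit is a modelling choice.

```python
"""Per-circuit session limits: 'connections' plus 'admission-control'.

Added illustration, not SmartEdge OS code. A limit is enforced only when
(a) 'connections <proto> maximum N' is set on the policy, (b) the class has
'admission-control <proto>', and (c) the class action is 'ignore' or 'pool'
with a NAPT pool. Otherwise every session is admitted. Counters are kept
per (circuit, protocol); circuit ids here are constructed.
"""

PROTOS = ("icmp", "tcp", "udp")


class NatClass:
    """One ACL class of a NAT policy (the default class is just another class)."""

    def __init__(self, name, action, napt=False):
        if action not in ("drop", "ignore", "pool"):
            raise ValueError("action must be drop, ignore or pool")
        self.name = name
        self.action = action
        self.napt = napt            # for the pool action: is the pool a NAPT pool?
        self.admission = set()      # protocols with admission-control enabled

    def admission_control(self, proto):
        if proto not in PROTOS:
            raise ValueError("protocol must be icmp, tcp or udp")
        if self.action == "drop" or (self.action == "pool" and not self.napt):
            raise ValueError("admission-control needs action ignore or a NAPT pool")
        self.admission.add(proto)

    def no_admission_control(self, proto):
        self.admission.discard(proto)


class NatPolicy:
    def __init__(self, name):
        self.name = name
        self.maximum = {}           # proto -> max sessions per circuit
        self.classes = {}           # class name -> NatClass
        self.sessions = {}          # (circuit, proto) -> live session count

    def connections(self, proto, maximum):
        if proto not in PROTOS:
            raise ValueError("protocol must be icmp, tcp or udp")
        if not 1 <= maximum <= 65535:
            raise ValueError("maximum must be 1 to 65,535")
        self.maximum[proto] = maximum

    def no_connections(self, proto):
        self.maximum.pop(proto, None)

    def add_class(self, cls):
        self.classes[cls.name] = cls

    def limit_applies(self, cls, proto):
        """True only when the class has admission control AND a maximum exists."""
        return proto in cls.admission and proto in self.maximum

    def open_session(self, circuit, class_name, proto):
        """True if the new session is admitted, False if it is rejected."""
        cls = self.classes[class_name]
        if cls.action == "drop":
            return False            # dropped traffic never opens a session
        key = (circuit, proto)
        count = self.sessions.get(key, 0)
        if self.limit_applies(cls, proto) and count >= self.maximum[proto]:
            return False            # per-circuit limit for this protocol reached
        self.sessions[key] = count + 1
        return True

    def close_session(self, circuit, proto):
        key = (circuit, proto)
        if self.sessions.get(key, 0) > 0:
            self.sessions[key] -= 1


def build_example_policy():
    """The guide's example: connections tcp maximum 100, admission on CLASS3."""
    pol = NatPolicy("NAT-POLICY")           # policy name constructed
    pol.connections("tcp", 100)
    default = NatClass("default", "ignore")
    default.admission_control("tcp")
    class3 = NatClass("CLASS3", "ignore")
    class3.admission_control("tcp")
    pol.add_class(default)
    pol.add_class(class3)
    return pol
```

Lowering the maximum to a small value on the example policy shows the fourth TCP session on a circuit being refused while UDP (no maximum configured) and a second circuit are unaffected, and removing the maximum with no_connections makes the class-level admission control inert again.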
destination
destination ip-addr [context-name]
Purpose
Configures the Network Address Translation (NAT) policy or its class to use the specified IP address in destination IP address translation or destination NAT (DNAT).
Command Mode
NAT policy configuration
NAT policy class configuration
Syntax Description
ip-addr   Specifies the IP address to replace the original destination address.
context-name   Specifies the name of the context in which the configured destination IP address resides.
Default
No predefined IP address is configured as a destination IP address.
Usage Guidelines
Use the destination command to configure the NAT policy or its class to use the specified IP address in DNAT. DNAT replaces the original destination IP addresses of all packets or the packets of a specific class with a predefined IP address.
When a destination IP address is configured for a given class, the SmartEdge router applies this predefined IP address to all packets of the class.
You can enable DNAT with or without having to perform NAT.
Configuring DNAT without NAT requires that you configure the destination command with the ignore command.
Use the destination ip-addr context-name construct to specify that the configured destination IP address resides within the specified context. Without the name of the context specified, the configured destination IP address is assumed to be either in the context in which the NAT pool is defined or, if no NAT pool is defined, in the context in which the NAT policy is defined.
Note If you configure DNAT with NAT, the context name specified in the destination command must be the same as the context name specified in the pool command.
Examples
The following example shows how to configure DNAT with NAT. A predefined destination address is configured for the NAT-CLASS1 class within the NAT policy NAT-POLICY. For all packets from class NAT-CLASS1, the destination address of each packet is replaced by 64.233.167.100 so that all packets from class NAT-CLASS1 are forwarded to that address. On the return path, a reverse translation from 64.233.167.100 to the original destination address is performed so that the returning traffic appears to be sent from the original destination address:
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS1
[local]Redback(config-policy-acl-class)#pool NAT-POOL1 local
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
The following example shows how to configure DNAT without NAT. A predefined destination address is configured for the NAT-CLASS2 class within the NAT policy NAT-POLICY. For the NAT-CLASS2 class within the NAT policy NAT-POLICY, the destination address of each packet is replaced by 64.233.167.100 so that all packets from class NAT-CLASS2 are forwarded to that address. In this example, the source address is not translated.
[local]Redback(config-ctx)#nat policy NAT-POLICY
! Default class
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT local
! Named classes
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-acl)#class NAT-CLASS2
[local]Redback(config-policy-acl-class)#ignore
[local]Redback(config-policy-acl-class)#destination 64.233.167.100
Related Commands
admission-control
drop
ignore
pool
timeout
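The two destination examples differ only in whether the source address is rewritten as well, and in both cases the return path has to undo exactly what the forward path did. The following added example (illustration only, not SmartEdge OS code) models a NAT policy with per-class DNAT, with and without source NAT, and the reverse translation of replies. The pool addresses 192.0.2.1 and 192.0.2.2 and the inside/outside hosts are constructed; pools are simplified to one address per class without port translation, so a real NAPT return lookup would also key on ports. It also checks the note above that the destination context must match the pool context when DNAT is combined with NAT.

```python
"""Destination NAT (DNAT) per class, with and without source NAT.

Added illustration, not SmartEdge OS code. Models the 'destination' command:
a class may rewrite the destination of every packet it matches, alongside
source translation ('pool') or without it ('ignore'). On the return path the
reverse mapping is applied so the reply appears to come from the original
destination. Pools are simplified to a single address per class (no NAPT);
pool addresses and hosts below are constructed.
"""


class DnatClass:
    def __init__(self, name, action, pool_addr=None, pool_context=None,
                 destination=None, context=None):
        if action not in ("pool", "ignore"):
            raise ValueError("DNAT needs the pool or ignore action")
        if action == "pool" and pool_addr is None:
            raise ValueError("pool action needs a pool address")
        # Guide note: with DNAT plus NAT the destination context must equal
        # the pool context.
        if (action == "pool" and destination is not None and context is not None
                and pool_context is not None and context != pool_context):
            raise ValueError("destination context must match the pool context")
        self.name = name
        self.action = action
        self.pool_addr = pool_addr
        self.pool_context = pool_context
        self.destination = destination
        self.context = context


class DnatPolicy:
    def __init__(self, name, classifier):
        self.name = name
        self.classifier = classifier    # packet -> class name (stands in for the ACL)
        self.classes = {}
        self.flows = {}                 # (translated dst, translated src) -> (orig src, orig dst)

    def add_class(self, cls):
        self.classes[cls.name] = cls

    def translate_out(self, pkt):
        """Forward direction: apply DNAT and, for 'pool', SNAT; remember the flow."""
        cls = self.classes[self.classifier(pkt)]
        out = {"src": pkt["src"], "dst": pkt["dst"]}
        if cls.destination is not None:
            out["dst"] = cls.destination
        if cls.action == "pool":
            out["src"] = cls.pool_addr
        self.flows[(out["dst"], out["src"])] = (pkt["src"], pkt["dst"])
        return out

    def translate_back(self, reply):
        """Return path: restore the original pair, or None if no flow matches."""
        key = (reply["src"], reply["dst"])
        if key not in self.flows:
            return None
        orig_src, orig_dst = self.flows[key]
        # the reply looks as if it came from the original destination
        return {"src": orig_dst, "dst": orig_src}


def build_guide_policy():
    """NAT-POLICY from the guide: NAT-CLASS1 = DNAT with NAT, NAT-CLASS2 = without."""
    def classify(pkt):
        return pkt.get("class", "default")
    pol = DnatPolicy("NAT-POLICY", classify)
    pol.add_class(DnatClass("default", "pool", pool_addr="192.0.2.1",
                            pool_context="local"))
    pol.add_class(DnatClass("NAT-CLASS1", "pool", pool_addr="192.0.2.2",
                            pool_context="local",
                            destination="64.233.167.100", context="local"))
    pol.add_class(DnatClass("NAT-CLASS2", "ignore",
                            destination="64.233.167.100", context="local"))
    return pol
```

Running a NAT-CLASS1 packet through translate_out rewrites both addresses; a NAT-CLASS2 packet keeps its source. In both cases translate_back on the reply yields the original source as destination and the original destination as source.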
drop
drop
Purpose
Drops all packets or classes of packets associated with the Network Address Translation (NAT) policy.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
This command has no keywords or arguments.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the drop command to drop all packets or classes of packets associated with the NAT policy.
Examples
The following example configures the NAT-1 policy and applies the NAT-ACL-1 access control list (ACL) to it. Packets that are classified as NAT-CLASS-1 will be dropped. All other packets, except those explicitly defined by the static rule, will be ignored:
[local]Redback(config)#context CUSTOMER
[local]Redback(config-ctx)#nat policy NAT-1
[local]Redback(config-policy-nat)#ignore
[local]Redback(config-policy-nat)#ip static in source 10.0.0.1 171.71.71.1
[local]Redback(config-policy-nat)#access-group NAT-ACL-1
[local]Redback(config-policy-group)#class NAT-CLASS-1
[local]Redback(config-policy-group-class)#drop
Related Commands
ignore
pool
timeout
ignore
ignore
Purpose
Configures the Network Address Translation (NAT) policy or its class to not translate the source IP address of all packets, or classes of packets, traveling across circuits attached to the interface or subscriber to which the NAT policy is applied.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
This command has no keywords or arguments.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the ignore command to configure the NAT policy or its class to not translate the source IP address of all packets, or classes of packets, traveling across circuits attached to the interface or subscriber to which the NAT policy is applied.
Examples
The following example configures the NAT-2 policy and applies the NAT-ACL-2 access control list (ACL) to it. Packets that are classified as NAT-CLASS-2 are ignored; they are forwarded without translation of the source IP address. All other packets, except those defined in the static rule, are dropped.
[local]Redback(config)#context CUSTOMER
[local]Redback(config-ctx)#nat policy NAT-2
[local]Redback(config-policy-nat)#ip static in source 10.0.0.1 171.71.71.1
[local]Redback(config-policy-nat)#access-group NAT-ACL-2
[local]Redback(config-policy-group)#class NAT-CLASS-2
[local]Redback(config-policy-group-class)#ignore
Related Commands
drop
pool
timeout
ip dmz
ip dmz source ip-addr nat-addr context ctx-name
no ip dmz source ip-addr nat-addr context ctx-name
Purpose
Configures the source and Network Address Translation (NAT) IP addresses for a demilitarized zone (DMZ) host server.
Command Mode
NAT policy configuration
Syntax Description
source ip-addr   Original source IP address for the DMZ host server on the private network.
nat-addr   NAT address. The IP address of the DMZ host server on the public network to which the source IP address is mapped.
context ctx-name   Name of the context in which the NAT address of the DMZ host server is defined for the interface that is used to forward packets after the source IP address is translated.
Default
No DMZ host server is configured.
Usage Guidelines
Use the ip dmz command to configure a DMZ host server.
Use the no form of this command to remove the DMZ host server from the configuration.
Examples
The following example configures a DMZ host server with an internal network address, 10.1.1.1, and an external network address, 201.1.1.1, which are defined in the local context:
[local]Redback(config)#context local
[local]Redback(config-ctx)#nat policy policy1
[local]Redback(config-policy-nat)#ip dmz source 10.1.1.1 201.1.1.1 context local
Related Commands
None
ip nat
ip nat pol-name
no ip nat pol-name
Purpose
Attaches a Network Address Translation (NAT) policy to packets received or transmitted on any circuit bound to the specified interface.
Command Mode
interface configuration
Syntax Description
pol-name   NAT policy name.
Default
None
Usage Guidelines
Use the ip nat command to attach a NAT policy to packets received or transmitted on any circuit bound to the specified interface.
Use the no form of this command to remove the NAT policy from the interface.
Examples
The following example translates an IP source address for the p1 NAT policy and applies the policy to packets traveling across the pos1 interface:
[local]Redback(config-ctx)#nat policy p1
[local]Redback(config-policy-nat)#ip static in source 10.1.2.3 32.32.32.32
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos1
[local]Redback(config-if)#ip nat p1
Related Commands
nat policy
nat policy-name
ip nat pool
ip nat pool pool-name [napt [multibind]]
no ip nat pool pool-name [napt [multibind]]
Purpose
Configures a Network Address Translation (NAT) pool name and enters NAT pool configuration mode.
Command Mode
context configuration
Syntax Description
pool-name   NAT pool name.
napt   Optional. Enables support for translation of Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports.
multibind   Optional. Enables the NAT pool to be applied to multibind interfaces.
Default
None
Usage Guidelines
Use the ip nat pool command to configure a NAT pool name and to enter NAT pool configuration mode.
Use the no form of this command to remove a NAT pool.
Examples
The following example configures the NAT pool, NAT-POOL-BASIC, with 14 IP addresses (171.71.71.4 to 171.71.71.7 and 171.71.71.101 to 171.71.71.110):
[local]Redback(config-ctx)#ip nat pool NAT-POOL-BASIC
[local]Redback(config-nat-pool)#address 171.71.71.4 255.255.255.252
[local]Redback(config-nat-pool)#address 171.71.71.101 to 171.71.71.110
Related Commands
address
pool
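The address command (port blocks on a /32) and the ip nat pool command (netmask and address-range forms) together define what a pool can hand out. The following added example (illustration only, not SmartEdge OS code) rebuilds the NAT-1 and NAT-POOL-BASIC pools from the two examples above and shows that an address added with port-block 1 to 3 only ever yields source ports from those blocks, while removing the address drops all its blocks. The guide numbers the blocks 0 to 15 but does not state their boundaries, so the 4096-port block size is an assumption of this model.

```python
"""NAT pool model: addresses with optional TCP/UDP port blocks.

Added illustration, not SmartEdge OS code. It models the 'ip nat pool' and
'address' commands from the guide. Assumption (labelled): the 16 port blocks
numbered 0..15 split the 16-bit port space into equal 4096-port slices, so
block k covers ports k*4096 .. k*4096+4095. The guide gives the block
numbering but not the block boundaries, so this is a modelling choice.
"""
from ipaddress import IPv4Address, IPv4Network

PORT_BLOCKS = 16
BLOCK_SIZE = 65536 // PORT_BLOCKS    # 4096 ports per block (assumption)
ALL_PORTS = (1, 65535)               # an address added without port blocks


def block_port_range(start_block, end_block=None):
    """Ports covered by 'port-block start [to end]' (start 0..15, end 1..15)."""
    if end_block is None:
        end_block = start_block
    if not 0 <= start_block <= 15:
        raise ValueError("start-port-block must be 0 to 15")
    if not start_block <= end_block <= 15:
        raise ValueError("end-port-block must be >= start-port-block and <= 15")
    return start_block * BLOCK_SIZE, (end_block + 1) * BLOCK_SIZE - 1


class NatPool:
    """A NAT (or NAPT) pool; addresses are stored as dotted-quad strings."""

    def __init__(self, name, napt=False):
        self.name = name
        self.napt = napt
        self.ports = {}      # ip -> (low, high) usable source-port range
        self.in_use = {}     # ip -> set of allocated ports

    def _add(self, ip, port_range):
        self.ports[str(ip)] = port_range
        self.in_use.setdefault(str(ip), set())

    def address(self, prefix, port_block=None, to=None):
        """'address ip/len', 'address ip netmask' or 'address ip/32 port-block a [to b]'."""
        net = IPv4Network(prefix, strict=False)
        if port_block is None:
            port_range = ALL_PORTS
        else:
            if net.prefixlen != 32:
                raise ValueError("port-block requires an ip-addr/32")
            if not self.napt:
                raise ValueError("port blocks apply only to a napt pool")
            port_range = block_port_range(port_block, to)
        # The guide counts every address of the prefix (a /30 = 4 addresses).
        for ip in net:
            self._add(ip, port_range)

    def address_range(self, start_ip, end_ip):
        """'address start-ip-addr to end-ip-addr'."""
        for n in range(int(IPv4Address(start_ip)), int(IPv4Address(end_ip)) + 1):
            self._add(IPv4Address(n), ALL_PORTS)

    def no_address(self, prefix):
        """'no address ...' removes the address(es) and all their port blocks."""
        for ip in IPv4Network(prefix, strict=False):
            self.ports.pop(str(ip), None)
            self.in_use.pop(str(ip), None)

    def size(self):
        return len(self.ports)

    def usable_ports(self, ip):
        return self.ports[ip]

    def allocate(self, ip):
        """Lowest free port on ip inside its configured blocks, or None if exhausted."""
        low, high = self.ports[ip]
        used = self.in_use[ip]
        for port in range(max(low, 1), high + 1):    # port 0 is never handed out
            if port not in used:
                used.add(port)
                return ip, port
        return None

    def release(self, ip, port):
        self.in_use[ip].discard(port)


def build_guide_pools():
    """Rebuilds NAT-1 (napt, port blocks) and NAT-POOL-BASIC (14 addresses)."""
    nat1 = NatPool("NAT-1", napt=True)
    nat1.address("171.71.71.1/32")                       # all TCP/UDP ports
    nat1.address("171.71.72.2/32", port_block=1, to=3)   # port blocks 1 to 3
    basic = NatPool("NAT-POOL-BASIC")
    basic.address("171.71.71.4/255.255.255.252")         # .4 to .7
    basic.address_range("171.71.71.101", "171.71.71.110")
    return nat1, basic
```

With the assumed block size, port blocks 1 to 3 expose ports 4096 through 16383 on 171.71.72.2, so the first allocation on that address is port 4096 rather than port 1.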
ip static in
ip static in [{tcp | udp}] source ip-addr [port] nat-addr [nat-port] [context ctx-name]
no ip static in [{tcp | udp}] source ip-addr [port] nat-addr [nat-port] [context ctx-name]
Purpose
Translates the source IP address in the private network, and optionally, Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports, of incoming packets on the interface to which the Network Address Translation (NAT) policy is attached. In the reverse direction, translates the destination IP address, and optionally, TCP/UDP ports, of outgoing packets on the interface.
Command Mode
NAT policy configuration
Syntax Description
tcp   Optional. Indicates a TCP port.
udp   Optional. Indicates a UDP port.
source   Indicates the source information.
ip-addr   Original source IP address.
port   Optional. Original TCP or UDP source port number. The range of values is 1 to 65,535. Required when using the tcp or udp keyword.
nat-addr   NAT address. The IP address to which the source IP address is mapped in the address translation table.
nat-port   Optional. TCP or UDP port number to which the source port number is mapped in the address translation table. The range of values is 1 to 65,535. Required when using the tcp or udp keyword.
context ctx-name   Optional. Context name. Required for intercontext forwarding of packets. Interfaces in the specified context are used to forward packets after addresses are translated.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the ip static in command to translate the source IP address in the private network, and optionally, TCP/UDP ports, of incoming packets on the interface to which the NAT policy is attached. In the reverse direction, this command translates the destination IP address, and optionally, TCP/UDP ports, of outgoing packets on the interface.
Incoming packets with a source IP address that matches the ip-addr argument use the IP address specified with the nat-addr argument as their source IP address instead. In the opposite direction, outgoing packets with a destination IP address that matches the nat-addr argument use the ip-addr argument as the destination IP address.
If the nat-addr argument overlaps an IP address in a Network Access Port Translation (NAPT) pool, the static translation takes precedence.
Use the no form of this command to disable the translation of the source IP address and TCP/UDP ports.
Examples
The following example translates the source IP address of packets received on the interface, customer1, to 2.2.2.2 when the original source address of the packets is 1.1.1.1. At the same time, the destination address of packets sent out the interface is translated to 1.1.1.1 when the original destination address of the packets is 2.2.2.2:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 1.1.1.1 2.2.2.2
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface customer1
[local]Redback(config-if)#ip address 1.1.1.254/24
[local]Redback(config-if)#ip nat p2
Related Commands
ip static out
ip static out
ip static out source ip-addr nat-addr
no ip static out source ip-addr nat-addr
Purpose
Translates the source IP address in the private network of outgoing packets on the interface to which the Network Address Translation (NAT) policy is applied, and in the reverse direction, translates the destination IP address of incoming packets on the interface.
Command Mode
NAT policy configuration
Syntax Description
source   Indicates the source information.
ip-addr   Original source IP address.
nat-addr   NAT address. The IP address to which the source IP address is mapped in the address translation table.
Default
If no action is configured for the NAT policy, packets are dropped.
Usage Guidelines
Use the ip static out command to translate the source IP address in the private network of outgoing packets on the interface to which the NAT policy is applied, and in the reverse direction, to translate the destination IP address of incoming packets on the interface.
Outgoing packets with a source IP address that matches the ip-addr argument use the IP address specified with the nat-addr argument as their source IP address instead. In the opposite direction, incoming packets with a destination IP address that matches the nat-addr argument use the ip-addr argument as the destination IP address.
Use the no form of this command to disable the translation of the IP address.
Examples
The following example translates the IP source address of packets sent out the interface, pos1, to 10.30.40.50 when the original source address of the packets is 64.64.64.64. At the same time, the destination address of packets coming into the interface is translated to 64.64.64.64 when the destination address of the packets is 10.30.40.50:
[local]Redback(config-ctx)#nat policy p1
[local]Redback(config-policy-nat)#ip static out source 64.64.64.64 10.30.40.50
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos1
[local]Redback(config-if)#ip nat p1
Related Commands
ip static in
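The ip static in and ip static out commands are mirror images of each other: each names the direction in which the source address is rewritten, and the reverse direction rewrites the destination. The following added example (illustration only, not SmartEdge OS code) models both rules on one policy using the addresses from the two examples above, including the optional TCP/UDP port pair of ip static in and the rule that a static translation wins over a NAPT pool whose address it overlaps. The single pool address 2.2.2.2, the outside hosts in 198.51.100.0/24 and the port-mapped host 10.1.1.1 are constructed; the pool's own reverse mapping is left out to keep the example short.

```python
"""Static NAT rules: 'ip static in' and 'ip static out', with precedence over a pool.

Added illustration, not SmartEdge OS code. Direction semantics from the guide:
  ip static in  source A B : incoming src A -> B;  outgoing dst B -> A
  ip static out source A B : outgoing src A -> B;  incoming dst B -> A
Optional TCP/UDP port pairs on 'ip static in' translate the port as well. A
static rule whose nat-addr overlaps a NAPT pool address wins over the pool.
The pool here is one constructed address; rule addresses come from the guide.
"""


class StaticNat:
    def __init__(self, pool_addr=None):
        self.pool_addr = pool_addr      # simplified NAPT pool: one address
        self.static_in = {}             # (proto, ip, port) -> (nat_addr, nat_port)
        self.static_out = {}            # ip -> nat_addr

    def ip_static_in(self, ip, nat_addr, proto=None, port=None, nat_port=None):
        if proto is not None and (port is None or nat_port is None):
            raise ValueError("tcp/udp rules need both port and nat-port")
        for p in (port, nat_port):
            if p is not None and not 1 <= p <= 65535:
                raise ValueError("ports must be 1 to 65,535")
        self.static_in[(proto, ip, port)] = (nat_addr, nat_port)

    def ip_static_out(self, ip, nat_addr):
        self.static_out[ip] = nat_addr

    def _static_in_match(self, pkt):
        # an exact proto/port rule beats an address-only rule
        key = (pkt.get("proto"), pkt["src"], pkt.get("sport"))
        if key in self.static_in:
            return self.static_in[key]
        return self.static_in.get((None, pkt["src"], None))

    def incoming(self, pkt):
        """Packet received on the interface the policy is attached to."""
        out = dict(pkt)
        hit = self._static_in_match(pkt)
        if hit is not None:                         # static beats the pool
            out["src"] = hit[0]
            if hit[1] is not None:
                out["sport"] = hit[1]
            out["rule"] = "static in"
            return out
        for ip, nat_addr in self.static_out.items():   # reverse of 'static out'
            if pkt["dst"] == nat_addr:
                out["dst"] = ip
                out["rule"] = "static out (reverse)"
                return out
        if self.pool_addr is not None:
            out["src"] = self.pool_addr
            out["rule"] = "pool"
            return out
        out["rule"] = "drop"                        # no action configured
        return out

    def outgoing(self, pkt):
        """Packet transmitted on the interface."""
        out = dict(pkt)
        if pkt["src"] in self.static_out:
            out["src"] = self.static_out[pkt["src"]]
            out["rule"] = "static out"
            return out
        # reverse of 'static in': port-specific rules are checked first
        ordered = sorted(self.static_in.items(), key=lambda kv: kv[0][0] is None)
        for (proto, ip, port), (nat_addr, nat_port) in ordered:
            if pkt["dst"] != nat_addr:
                continue
            if proto is not None and (pkt.get("proto") != proto
                                      or pkt.get("dport") != nat_port):
                continue
            out["dst"] = ip
            if port is not None:
                out["dport"] = port
            out["rule"] = "static in (reverse)"
            return out
        out["rule"] = "untranslated"
        return out
```

Packets from 1.1.1.1 are translated by the static rule even though the pool would also have supplied 2.2.2.2, and replies addressed to 2.2.2.2 are steered back to 1.1.1.1, or to 10.1.1.1:8080 when the reply carries the port-mapped rule's TCP port.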
nat policy
nat policy pol-name [radius-guided]
no nat policy pol-name
Purpose
Configures a Network Address Translation (NAT) policy name and enters NAT policy configuration mode.
Command Mode
context configuration
Syntax Description
pol-name   NAT policy name.
radius-guided   Optional. Specifies a Remote Authentication Dial-In User Service (RADIUS) guided policy and allows the policy to be modified by dynamic access control lists (ACLs).
Default
None
Usage Guidelines
Use the nat policy command to configure a NAT policy name and enter NAT policy configuration mode.
Use the radius-guided keyword to specify a RADIUS-guided policy and to allow the policy to be modified by dynamic ACLs. You cannot remove a dynamic policy ACL from the policy after you have configured it, nor can you change the policy type from static to RADIUS-guided. To remove a dynamic policy ACL or change its type, delete the policy and then recreate it as a static policy.
Use the no form of this command to remove the NAT policy.
Examples
The following example translates source addresses for NAT policy, p2, which is applied to packets received on the pos2 interface:
[local]Redback(config-ctx)#nat policy p2
[local]Redback(config-policy-nat)#ip static in source 34.34.34.34 35.35.35.35
[local]Redback(config-policy-nat)#exit
[local]Redback(config-ctx)#interface pos2
[local]Redback(config-if)#ip nat p2
Related Commands
destination
drop
ignore
ip nat
ip static in
ip static out
nat policy-name
pool
timeout
nat policy-name
nat policy-name pol-name
no nat policy-name pol-name
Purpose
Attaches the specified Network Address Translation (NAT) policy name to the subscriber's circuit.
Command Mode
subscriber configuration
Syntax Description
pol-name   NAT policy name.
Default
None
Usage Guidelines
Use the nat policy-name command to attach the specified NAT policy to the subscriber's circuit.
Use the no form of this command to remove the NAT policy from the subscriber's circuit.
Examples
The following example attaches the NAT policy, nat-pol-1, to the circuit of the nat-sub subscriber:
[local]Redback(config-ctx)#subscriber name nat-sub
[local]Redback(config-sub)#nat policy-name nat-pol-1
Related Commands
drop
ignore
ip nat
ip static in
ip static out
nat policy
pool
timeout
pool
pool nat-pool-name ctx-name
Purpose
Configures the Network Address Translation (NAT) policy or its class to use the specified pool of IP addresses for source IP address translation.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
nat-pool-name   NAT pool name.
ctx-name   Name of the context in which the NAT pool is configured.
Default
If no action is configured for the NAT policy, by default, packets are dropped.
Usage Guidelines
Use the pool command to configure the NAT policy or class of packets to use the specified pool of IP addresses for packet translation.
Examples
The following example configures the NAT policy, NAT-POLICY, to use the pool, NAT-POOL-DEFAULT, configured in the ISP context, and configures packets classified as NAT-CLASS-BASIC to use the pool, NAT-POOL-BASIC, configured in the ISP context:
[local]Redback(config-ctx)#nat policy NAT-POLICY
[local]Redback(config-policy-nat)#pool NAT-POOL-DEFAULT ISP
[local]Redback(config-policy-nat)#access-group NAT-ACL
[local]Redback(config-policy-group)#class NAT-CLASS-BASIC
[local]Redback(config-policy-group-class)#pool NAT-POOL-BASIC ISP
Related Commands
address
drop
ignore
ip nat pool
timeout
timeout
timeout {basic seconds | fin-reset seconds | icmp seconds | syn seconds | tcp seconds | udp seconds}
no timeout {basic | fin-reset | icmp | syn | tcp | udp}
Purpose
Modifies the period after which a Network Address Translation (NAT) entry times out if no activity occurs.
Command Mode
NAT policy configuration
policy group class configuration
Syntax Description
basic seconds   Period, in seconds, after which basic NAT times out. The range of values is 4 to 262,143; the default value is 3,600 (1 hour). This construct is supported only for basic NAT, not Network Access Port Translation (NAPT).
fin-reset seconds   Period, in seconds, after which NAT for Transmission Control Protocol (TCP) FINISH and RESET packets times out. The range of values is 4 to 65,535; the default value is 240. This construct is supported only by policies using NAPT.
icmp seconds   Period, in seconds, after which NAT for Internet Control Message Protocol (ICMP) packets times out. The range of values is 4 to 65,535; the default value is 60. This construct is supported only by policies using NAPT.
syn seconds   Period, in seconds, after which NAT for TCP SYN packets times out. The range of values is 4 to 65,535; the default value is 128. This construct is supported only by policies using NAPT.
tcp seconds   Period, in seconds, after which NAT for established TCP connections times out. The range of values is 4 to 262,143; the default value is 86,400 (24 hours). This construct is supported only by policies using NAPT.
udp seconds   Period, in seconds, after which NAT for User Datagram Protocol (UDP) packets times out. The range of values is 4 to 65,535; the default value is 120. This construct is supported only by policies using NAPT.
Default
For default values, see the Syntax Description section. For the ignore action in a NAT policy, all default timeouts are 20 seconds.
Usage Guidelines
Use the timeout command to modify the period after which NAT times out if no activity occurs. Timeout applies only if there is a relevant translation.
Use the no form of this command to reset the timeout to its default value.
Examples
The following example configures basic NAT to time out after no activity has occurred for 7200 seconds (2 hours):
[local]Redback(config-ctx)#ip nat pool NAT-POOL
[local]Redback(config-nat-pool)#address 171.71.71.0/24
[local]Redback(config-nat-pool)#exit
[local]Redback(config-ctx)#nat policy NAT-1
[local]Redback(config-policy-nat)#pool NAT-POOL local
[local]Redback(config-policy-nat)#timeout basic 7200
Related Commands
drop
ignore
pool
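Six independent timers, two of which share the 262,143-second ceiling while the rest stop at 65,535, plus a basic/NAPT split and a flat 20-second default for ignore classes, is enough state to justify a small model. The following added example (illustration only, not SmartEdge OS code) encodes the defaults, ranges and NAPT-only restrictions from the Syntax Description above and sweeps a constructed translation table for expired entries. Which timer a TCP entry is governed by is derived from a simple connection state (syn, established, otherwise fin-reset); that mapping, the entry layout and the integer timestamps are modelling assumptions.

```python
"""NAT translation idle timeouts as configured by the 'timeout' command.

Added illustration, not SmartEdge OS code. Defaults, ranges and NAPT-only
restrictions are the ones in the guide's Syntax Description; 'ignore' classes
use 20 seconds for every timer. Which timer a TCP entry uses is derived from
its state (syn, established, anything else = fin-reset), a modelling choice
not spelled out in the guide. Timestamps are integers supplied by the caller.
"""

# keyword -> (default seconds, maximum seconds, NAPT only?)
TIMEOUT_SPEC = {
    "basic":     (3600,  262143, False),   # basic NAT only, not NAPT
    "fin-reset": (240,   65535,  True),
    "icmp":      (60,    65535,  True),
    "syn":       (128,   65535,  True),
    "tcp":       (86400, 262143, True),
    "udp":       (120,   65535,  True),
}
MIN_TIMEOUT = 4
IGNORE_DEFAULT = 20


class NatTimeouts:
    def __init__(self, napt=True, action="pool"):
        self.napt = napt
        self.action = action
        self.configured = {}            # keyword -> seconds set with 'timeout'

    def timeout(self, keyword, seconds):
        default, maximum, napt_only = TIMEOUT_SPEC[keyword]
        if napt_only and not self.napt:
            raise ValueError(f"timeout {keyword} is supported only with NAPT")
        if keyword == "basic" and self.napt:
            raise ValueError("timeout basic is supported only for basic NAT")
        if not MIN_TIMEOUT <= seconds <= maximum:
            raise ValueError(f"timeout {keyword}: range is 4 to {maximum:,}")
        self.configured[keyword] = seconds

    def no_timeout(self, keyword):
        """'no timeout <keyword>' returns the timer to its default."""
        self.configured.pop(keyword, None)

    def effective(self, keyword):
        """Seconds of inactivity after which a translation of this kind expires."""
        if keyword in self.configured:
            return self.configured[keyword]
        if self.action == "ignore":
            return IGNORE_DEFAULT
        return TIMEOUT_SPEC[keyword][0]

    @staticmethod
    def timer_for(entry):
        """Map a translation-table entry to the timeout keyword that governs it."""
        if not entry.get("napt", True):
            return "basic"
        proto = entry["proto"]
        if proto != "tcp":
            return proto                  # icmp or udp
        return {"syn": "syn", "established": "tcp"}.get(entry.get("state"), "fin-reset")

    def expired(self, entry, now):
        return now - entry["last_seen"] > self.effective(self.timer_for(entry))

    def sweep(self, entries, now):
        """Return the entries still alive at time 'now'."""
        return [e for e in entries if not self.expired(e, now)]


# constructed translation table: three NAPT entries last seen at t=0
SAMPLE_TABLE = [
    {"proto": "tcp", "state": "established", "last_seen": 0},
    {"proto": "tcp", "state": "syn", "last_seen": 0},
    {"proto": "udp", "last_seen": 0},
]


def alive_after(seconds, timeouts=None):
    """Protocol/state labels of SAMPLE_TABLE entries that survive 'seconds' of idleness."""
    t = timeouts or NatTimeouts(napt=True)
    return [f"{e['proto']}/{e.get('state')}" for e in t.sweep(SAMPLE_TABLE, seconds)]
```

After 130 idle seconds the half-open SYN entry (128 s) and the UDP entry (120 s) have expired while the established TCP entry survives; the guide's timeout basic 7200 example raises the basic-NAT timer from one hour to two and no timeout basic puts it back.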
Forward Policy Configuration 14-1
Chapter 14
Forward Policy Configuration
This chapter describes the tasks and commands used to configure SmartEdge OS forward policy features.
For information about the tasks and commands used to monitor, troubleshoot, and administer forward policies, see the Forward Policy Operations chapter in the IP Services and Security Operations Guide for the SmartEdge OS.
This chapter includes the following sections:
Overview
Configuration Tasks
Configuration Examples
Command Descriptions
Overview
A forward policy applies only to IP traffic. A forward policy can be a combination of three actions:
Mirroring
Mirroring copies packets and forwards the duplicated packets to a designated outgoing port. Mirrored traffic (forwarded, dropped, or both) is typically sent to a packet sniffer (or similar device) so that traffic patterns can be analyzed. You can mirror all traffic, a sampling of traffic, or only IP packet headers. You can mirror both incoming and outgoing packets.
Redirect
Redirect forwards packets to IP addresses that are different from their original destination. You can redirect incoming packets only.
Drop
The drop function specifies that particular packets are dropped rather than forwarded; you can drop incoming packets only.
You can apply forward policies at one of two levels or at both levels simultaneously. One level applies to all packets on a circuit and is referred to as circuit-based forwarding. The other level applies only to a specific class of packets traveling across a circuit and is referred to as class-based forwarding.
These levels of forward policies are described in the following sections:
Circuit-Based Forwarding
Class-Based Forwarding
Circuit- and Class-Based Forwarding
Circuit-Based Forwarding
When you attach a forward policy that does not include a policy access control list (ACL) to a circuit, all
traffic traveling over the circuit is treated in one manner, that is, it is mirrored, redirected, or dropped.
Class-Based Forwarding
A policy ACL classifies packets using classification statements (rules). Each policy ACL supports up to
eight unique classes. You can classify a packet according to its IP precedence value, protocol number, IP
source and destination address, Internet Control Message Protocol (ICMP) attributes, Internet Group
Management Protocol (IGMP) attributes, Transmission Control Protocol (TCP) attributes, and User
Datagram Protocol (UDP) attributes.
To configure class-based forwarding for a circuit, you apply a policy ACL to a forward policy, specify the
action that you want the policy to take for each class, and then attach the forward policy to the circuit. For
more information about policy ACLs, see Chapter 12, ACL Configuration.
Circuit- and Class-Based Forwarding
You can combine circuit-based and class-based forwarding, so that a class of packets can be treated in one
manner, dependent on a policy ACL, while all remaining packets traveling across the circuit are treated
strictly according to the forward policy conditions.
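The three forwarding levels described above reduce to one lookup order: if a policy ACL is attached and the packet's class has its own action, that action is used; otherwise the class is treated as the default class and the circuit-level actions apply. The following added example (illustration only, not SmartEdge OS code) implements that evaluation together with the direction rules from the Overview: redirect and drop act on incoming packets only, mirroring on either direction. The classifier stands in for a policy ACL, and the policy name, port names, next-hop address and packets are all constructed.

```python
"""Forward policy evaluation: circuit-based and class-based actions.

Added illustration, not SmartEdge OS code. Rules modelled from the Overview:
a forward policy combines mirror, redirect and drop; redirect and drop apply
to incoming packets only, mirror applies to either direction; with a policy
ACL attached, a class with its own actions is handled by those, while a class
given no action (or an unclassified packet) falls back to the circuit-level
actions, i.e. it becomes the default class. Everything below is constructed.
"""


class ForwardActions:
    """Actions configured at one level (the policy itself or one class)."""

    def __init__(self, mirror=None, redirect=None, drop=False):
        self.mirror = mirror        # destination circuit for mirrored copies
        self.redirect = redirect    # ("circuit", name) or ("next-hop", ip)
        self.drop = drop

    def configured(self):
        return self.mirror is not None or self.redirect is not None or self.drop


class ForwardPolicy:
    def __init__(self, name, circuit_actions, classifier=None):
        self.name = name
        self.circuit = circuit_actions      # circuit-based forwarding
        self.classifier = classifier        # policy ACL stand-in: packet -> class or None
        self.classes = {}                   # class name -> ForwardActions

    def add_class(self, name, actions):
        self.classes[name] = actions

    def actions_for(self, pkt):
        """Class actions if the class has any; otherwise the circuit-level ones."""
        if self.classifier is not None:
            cls = self.classifier(pkt)
            if cls in self.classes and self.classes[cls].configured():
                return self.classes[cls], cls
        return self.circuit, "default"

    def apply(self, pkt, direction):
        """Describe what happens to pkt travelling 'in' or 'out' on the circuit."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        acts, cls = self.actions_for(pkt)
        result = {"class": cls, "mirror_to": acts.mirror,
                  "forward": True, "redirect": None}
        if direction == "in":               # only incoming packets can be dropped or redirected
            if acts.drop:
                result["forward"] = False
            elif acts.redirect is not None:
                result["redirect"] = acts.redirect
        return result


def build_example():
    """Constructed policy: mirror everything, redirect web, drop UDP, ICMP has no action."""
    def classify(pkt):
        if pkt.get("proto") == "tcp" and pkt.get("dport") == 80:
            return "WEB"
        if pkt.get("proto") == "udp":
            return "UDP"
        if pkt.get("proto") == "icmp":
            return "ICMP"
        return None
    pol = ForwardPolicy("FWD-1", ForwardActions(mirror="pos 13/3"), classify)
    pol.add_class("WEB", ForwardActions(mirror="pos 13/1",
                                        redirect=("next-hop", "192.0.2.10")))
    pol.add_class("UDP", ForwardActions(mirror="pos 13/2", drop=True))
    pol.add_class("ICMP", ForwardActions())      # no action: treated as default
    return pol
```

Incoming web traffic is redirected and mirrored to pos 13/1; the same flow outbound is only mirrored, because redirect is an ingress-only action. UDP is dropped but still mirrored, and ICMP, whose class has no actions, receives the circuit-level mirror to pos 13/3.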
Configuration Tasks
To configure a forward policy, perform the tasks described in the following sections:
Configure a Forward Policy
Apply a Policy ACL to a Forward Policy
Note If you do not specify an action for a class that is defined in the policy ACL, the SmartEdge
OS considers the class to be the default class.
Note In this section, the command syntax in the task tables displays only the root command; for the
complete command syntax, see the full description for the command in the Command
Descriptions section.
Configure a Forward Policy
To configure a forward policy for circuit-based forwarding, for class-based forwarding, or for circuit- and class-based forwarding, perform the tasks described in Table 14-1; enter all commands in forward policy configuration mode, unless otherwise noted.
Apply a Policy ACL to a Forward Policy
To apply a policy ACL to a forward policy for class-based forwarding, perform the tasks described in Table 14-2; enter all commands in policy group class configuration mode, unless otherwise noted.
Table 14-1 Configure a Forward Policy
#  | Task | Root Command | Notes
1. | Create or select a policy and access forward policy configuration mode. | forward policy | Enter this command in global configuration mode.
2. | Redirect incoming packets not associated with a class with one of the following tasks: | |
   | To the specified output destination. | redirect destination circuit |
   | To a next-hop IP address. | redirect destination next-hop |
3. | Drop incoming packets not associated with a class. | drop |
4. | Mirror specified incoming or outgoing packets not associated with a class to a specified output destination. | mirror destination |
5. | Optional. Configure class-based forwarding for this policy. | | See the Apply a Policy ACL to a Forward Policy section.
6. | Specify the destination circuit. | forward output | Enter this command in ATM PVC, Frame Relay PVC, GRE tunnel, or port configuration mode. Select a different circuit from the circuits you have configured for the traffic being mirrored or redirected.
7. | Attach the policy to a circuit, using one of the following tasks: | | Enter either of these commands in ATM DS-3, ATM OC, ATM PVC, dot1q PVC, DS-0 group, DS-1, DS-3, E1, E3, Frame Relay PVC, port, or subscriber configuration mode.
8. | To incoming traffic. | forward policy in | Only incoming packets can be redirected or dropped. Both incoming and outgoing packets can be mirrored.
9. | To outgoing traffic. | forward policy out |
Table 14-2 Apply a Policy ACL to a Forward Policy
#  | Task | Root Command | Notes
1. | Apply a policy ACL to the forward policy, and access policy group configuration mode. | access-group | Enter this command in forward policy configuration mode.
2. | Specify a class and access policy group class configuration mode. | class | Enter this command in policy group configuration mode. For class-based forwarding to occur, the class name must match one of the class names defined in the policy ACL.
3. | Optional. Redirect incoming packets associated with the class with one of the following tasks: | |
   | To the specified output destination. | redirect destination circuit |
   | To a next-hop IP address. | redirect destination next-hop |
4. | Optional. Drop incoming packets associated with the class. | drop |
5. | Mirror specified packets associated with the class to a specified output destination. | mirror destination |
Note The redirect destination local command is used only for HTTP redirect and is described in Chapter 9, HTTP Redirect Configuration.
Configuration Examples
This section provides forward policy configuration examples in the following sections:
Traffic Mirroring
Traffic Redirect
Traffic Drop
Combination of Traffic Mirror, Redirect, and Drop in One Policy
Traffic Mirroring
The following example implements traffic mirroring for:
Web traffic, to POS port 13/1
Forwarded UDP traffic, to POS port 13/2
Dropped IP packets, to Ethernet port 4/1, not more frequently than once every three seconds
Other traffic, to POS port 13/3
Traffic comes in through the interface, incoming_traffic, and leaves the router through the interface, normal_traffic.
Figure 14-1 displays the network topology for this example.