Configuring an IP Router with CLI

This section provides information to configure an IP router.

Topics in this section include:

  1. Router Configuration Overview
  2. Basic Configuration
  3. Common Configuration Tasks
  4. Service Management Tasks

Router Configuration Overview

On a 7705 SAR, an interface is a logical named entity. An interface is created by specifying an interface name under the config>router context, the global router configuration context where objects like static routes and dynamic routing are defined. An IP interface name can be up to 32 alphanumeric characters, must start with a letter, and is case-sensitive; for example, the interface name “1.1.1.1” is not allowed, but “int-1.1.1.1” is allowed.

To create an interface on an Alcatel-Lucent 7705 SAR, the basic configuration tasks that must be performed are:

  1. assign a name to the interface
  2. associate an IP address with the interface
  3. associate the interface with a network interface or the system interface
  4. configure appropriate routing protocols

A system interface and network interface should both be configured unless the network interface is configured as an unnumbered interface. In that case, the network interface borrows (or links to) an IP address from another interface on the system (the system IP address, another loopback interface, or any other numbered interface), which serves as a combined system IP address and network IP address.

System Interface

A system interface is a virtual interface similar to other interfaces but with only some operational parameters. The IP address, shutdown and no shutdown attributes are the only operational parameters for the system interface.

The system interface must have an IP address with a 32-bit subnet mask. The system interface is associated with the node (such as a specific 7705 SAR), not a specific interface. The system interface is also referred to as the loopback interface. The system interface is associated during the configuration of the following entities:

  1. LSP creation (next hop) — when configuring MPLS paths and LSPs
  2. the addresses on a target router — to set up an LDP or OSPF session between neighbors and to configure SDPs (the system interface is the service tunnel endpoint)

The system interface is used to preserve connectivity (when alternate routes exist) and to decouple physical connectivity and reachability. If an interface carrying peering traffic fails, and there are alternative routes to the same peer system interface, peering could be either unaffected or re-established over the alternate routes. The system interface IP address is also used for pseudowire/VLL signaling (via targeted LDP).

The system interface is used as the router identifier if a router ID has not been explicitly configured.

Network Interface

A network interface can be configured on a physical or logical port.

On the 2-port 10GigE (Ethernet) Adapter card/module, the network interface can only be created on the v-port (not the ring ports).

Basic Configuration

Note:

Refer to Filter Policies and Route Policies for information on configuring these policies.

The most basic router configuration must have the following:

  1. system name
  2. system address

The following example displays a router configuration.

A:ALU-A> config# info
. . .
#------------------------------------------
# Router Configuration
#------------------------------------------
    router
        interface "system"
            address 10.10.10.103/32
        exit
        interface "to-104"
            address 10.0.0.103/24
            port 1/1/1
            exit
        exit
#------------------------------------------
A:ALU-A> config#

Common Configuration Tasks

The following sections describe basic system tasks:

  1. Configuring a System Name
  2. Configuring Router IPv6 Neighbor Discovery Parameters
  3. Configuring Interfaces
  4. Configuring IPv6 Parameters
  5. Configuring Router Advertisement
  6. Configuring ECMP
  7. Configuring Static Routes
  8. Configuring or Deriving a Router ID
  9. Configuring an Autonomous System
  10. Configuring ICMP and ICMPv6
  11. Configuring a DHCP Relay Agent
  12. Configuring Proxy ARP
  13. Configuring a Security Zone
  14. Configuring Security Logging
  15. Applying an Application Group and a Host Group to a Security Policy

Configuring a System Name

Use the system command to configure a name for the device. The name is used in the prompt string. Only one system name can be configured. If multiple system names are configured, the last one configured will overwrite the previous entry.

If special characters are included in the system name string, such as spaces, #, or ?, the entire string must be enclosed within double quotes.

Use the following CLI syntax to configure the system name:

CLI Syntax:
config# system
name system-name
Example:
config# system
config>system# name ALU-A
ALU-A>config>system# exit all
ALU-A#

The following example displays the system name output.

A:ALU-A>config>system# info
#------------------------------------------
# System Configuration
#------------------------------------------
        name "ALU-A"
        location "Kanata, ON, Canada"
        snmp
        exit
        . . . 
        exit
----------------------------------------------

Configuring Router IPv6 Neighbor Discovery Parameters

Use the following CLI syntax to configure IPv6 neighbor discovery parameters:

CLI Syntax:
config# router
ipv6
reachable-time seconds
stale-time seconds
Example:
config# router
config>router# ipv6
config>router>ipv6# reachable-time 30
config>router>ipv6# stale-time 14400
config>router>ipv6# exit
config>router# exit

The following example displays IPv6 neighbor discovery parameters output.

A:ALU-A>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
        ...
            reachable-time 30
            stale-time 14400
        exit
        ...

Configuring Interfaces

The following command sequences create a system interface and a logical IP interface. The system interface assigns an IP address to the interface, and then associates the IP interface with a physical port. The logical interface can associate attributes like an IP address or port.

The system interface cannot be deleted.

Configuring a System Interface

Use the following CLI syntax to configure a system interface:

CLI Syntax:
config>router
interface ip-int-name
address {ip-addr/mask-length}| {ip-addr/netmask}
Example:
config>router# interface system
config>router>if# address 10.10.10.104/32
config>router>if# exit

Configuring a Network Interface

On the 2-port 10GigE (Ethernet) Adapter card/module, a network address is assigned to the v-port only.

Use the following CLI syntax to configure a network interface:

CLI Syntax:
config>router
interface ip-int-name
address {ip-addr/mask-length | ip-addr/netmask | dhcp} [client-identifier [ascii-value | interface-name]] [vendor-class-id vendor-class-id]
egress
agg-rate-limit agg-rate [cir cir-rate]
filter ip ip-filter-id
queue-policy name
ingress
filter ip ip-filter-id
port port-name
Example:
config>router> interface "to-ALU-2"
config>router>if# address 10.10.24.4/24
config>router>if# port 1/1/1
config>router>if# egress
config>router>if>egress# filter ip 12
config>router>if>egress# exit
config>router>if# ingress
config>router>if>ingress# filter ip 10
config>router>if>ingress# exit
config>router>if# exit

The preceding syntax example shows a configuration where the address is entered manually. To have the interface enabled for dynamic address assignment, use the dhcp keyword and, optionally, assign client ID and vendor class ID.

In addition, to apply and configure a per-VLAN network egress aggregate shaper, use the queue-policy and agg-rate-limit commands.

The following example displays the IP configuration output showing the interface information.

A:ALU-A>config>router# info 
#------------------------------------------
# IP Configuration
#------------------------------------------
        interface "system"
            address 10.10.0.4/32
        exit
        interface "to-ALU-2"
            address 10.10.24.4/24
            port 1/1/1
            ingress
                filter ip 10
            exit

Creating an IPv6 Network Interface

When configuring an IPv6 interface, a link-local address (FE80::x:x:x:x:x:x:x/64) is automatically generated after the CLI command ipv6 is given. If the port is already assigned to the interface when IPv6 is enabled, the link-local address is derived from the port MAC address. Otherwise, the link-local address is derived from the system MAC address.

In either case, if the configuration file is saved and the node is rebooted, the port will be assigned to the interface before IPv6 is enabled and the link-local address will be derived from the port MAC address. This means that the link-local address will change after the node is rebooted if it was derived from the system MAC address before the reboot.

To avoid having the link-local address change after a reboot, IPv6 on the interface should be configured in the following order. This will ensure that the link-local address is derived from the port MAC address and will therefore not change after a reboot.

CLI Syntax:
config>port
config>router
interface ip-int-name
port port-name
ipv6
address ipv6-address/prefix-length [eui-64]

Configuring an Unnumbered Interface

Use the following CLI syntax to configure an unnumbered interface:

CLI Syntax:
config>router
interface ip-int-name
unnumbered [ip-int-name | ip-address] [dhcp] [client-identifier ascii-value | interface-name] [vendor-class-id vendor-class-id]
Example:
config>router> interface "to-ALU-3"
config>router>if# unnumbered “system”
config>router>if# exit

The preceding syntax example shows a configuration where the address is entered manually. To have the interface enabled for dynamic assignment of the system IP address, use the dhcp keyword and, optionally, assign client ID and vendor class ID.

Configuring IPv6 Parameters

IP version 6 (IPv6) addresses are supported on:

  1. access ports (IES); for a complete list of cards and ports that support IES IPv6 SAPs, refer to the 7705 SAR OS Services Guide, “IES for Customer Traffic”.
  2. network ports (null or dot1q encapsulation) on:
    1. 2-port 10GigE (Ethernet) Adapter card (v-port only)
    2. 8-port Ethernet Adapter card, version 2
    3. 6-port Ethernet 10Gbps Adapter card
    4. 8-port Gigabit Ethernet Adapter card
    5. 10-port 1GigE/1-port 10GigE X-Adapter card
    6. Packet Microwave Adapter card
    7. Ethernet ports on the 7705 SAR-F
    8. Ethernet ports on the 7705 SAR-M (all variants)
    9. Ethernet ports on the 7705 SAR-A (both variants)
    10. 7705 SAR-W
    11. Ethernet ports on the 7705 SAR-Wx (all variants)
    12. 7705 SAR-H
    13. Ethernet ports on the 7705 SAR-Hc
    14. Ethernet ports on the 7705 SAR-X
    15. Ethernet management port
    16. DSL module
    17. GPON module
    18. 2-port 10GigE (Ethernet) module (v-port only) when the module is installed in the 7705 SAR-M (variants with module slots)
    19. 4-port SAR-H Fast Ethernet module ports when the module is installed in the 7705 SAR-H
    20. 6-port SAR-M Ethernet module ports when the module is installed in the 7705 SAR-M (variants with module slots)
  3. network ports on the 4-port OC3/STM1 Clear Channel Adapter card (POS encapsulation)

Use the following CLI syntax to configure IPv6 parameters:

CLI Syntax:
config>router
interface ip-int-name
ipv6
address ipv6-address/prefix-length [eui-64]
bfd transmit-interval [receive receive-interval] [multiplier multiplier] [type np]
icmp6 (see Configuring ICMP and ICMPv6)
neighbor ipv6-address mac-address
reachable-time seconds
stale-time seconds
Example:
config>router# interface “ipv6-interface”
config>router>if# ipv6
config>router>if>ipv6>address# ip fd00:1:1:1::/64
config>router>if>ipv6>address# exit
config>router>if>ipv6# bfd 100 receive 100 multiplier 3 type np
config>router>if>ipv6>bfd# exit
config>router>if>ipv6# neighbor 2001:DB8:CAFE::60 00-50-56-A3-04-0C
config>router>if>ipv6>neighbor# exit
config>router>if>ipv6# reachable-time 30
config>router>if>ipv6# stale-time 14400
config>router>if>ipv6# exit

Configuring Router Advertisement

To configure the router to originate router advertisement messages, the router-advertisement command must be enabled. All other router advertisement configuration parameters are optional. Router advertisement on all IPv6-enabled interfaces will be enabled.

Use the following CLI syntax to enable router advertisement and configure router advertisement parameters:

CLI Syntax:
config>router
router-advertisement
interface ip-int-name
current-hop-limit number
managed-configuration
max-advertisement-interval seconds
min-advertisement-interval seconds
mtu mtu-bytes
other-stateful-configuration
prefix ipv6-prefix/prefix-length
autonomous
on-link
preferred-lifetime {seconds | infinite}
valid-lifetime {seconds | infinite}
reachable-time milli-seconds
retransmit-time milli-seconds
router-lifetime seconds
no shutdown
Example:
config>router# router-advertisement
config>router>router-advert# interface “n1”
config>router>router-advert>if# prefix 3::/64
config>router>router-advert>if>prefix# autonomous
config>router>router-advert>if>prefix# on-link
config>router>router-advert>if>prefix# preferred-lifetime 604800
config>router>router-advert>if>prefix# valid-lifetime 2592000

The following example displays a router advertisement configuration:

A:ALU-A>config>router>router-advert# info 
------------------------------------------
            interface “n1”
                prefix 3::/64
                exit
                no shutdown
------------------------------------------
A:ALU-A>config>router>router-advert# interface n1
A:ALU-A>config>router>router-advert>if# prefix 3::/64
A:ALU-A>config>router>router-advert>if>prefix# into detail
------------------------------------------
                      
                      autonomous
                      on-link
                      preferred-lifetime 604800
                      valid-lifetime 2592000
------------------------------------------
A:ALU-A>config>router>router-advert>if>prefix#

Configuring ECMP

ECMP (Equal-Cost Multipath Protocol) refers to the distribution of packets over two or more outgoing links that share the same routing cost. The 7705 SAR load-balances traffic over multiple equal-cost links with a hashing algorithm that uses header fields from incoming packets to calculate which link to use. By adding additional fields to the algorithm, you can increase the randomness of the results and ensure a more even distribution of packets across available links. ECMP is supported on static routes and dynamic (OSPF, IS-IS, and BGP) routes. The 7705 SAR supports ECMP for LDP and IP traffic.

If multiple routes are learned with an identical preference using the same protocol, the lowest-cost route is used. If multiple routes are learned with an identical preference using the same protocol and the costs (metrics) are equal, the decision of which route to use is determined by the configuration of ECMP in the config>router context.

Use the following CLI syntax to configure ECMP, enable it and specify the maximum number of routes to be used for route sharing (up to 8):

CLI Syntax:
config>router
ecmp max-ecmp-routes
Example:
config>router# ecmp 7
config>router# exit

Configuring Static Routes

The 7705 SAR supports both static routes and dynamic routing to next-hop addresses.

For information on configuring OSPF, RIP, IS-IS, and BGP routing, refer to the 7705 SAR OS Routing Protocols Guide.

Only one next-hop IP address can be specified per IP interface for static routes.

Use the following CLI syntax to create static route entries:

CLI Syntax:
config>router
static-route {ip-prefix/prefix-length} | {ip-prefix netmask} [preference preference] [metric metric] [tag tag] [enable | disable] next-hop {ip-int-name | ip-address} [bfd-enable] [ldp-sync]
Example:
config>router# static-route 192.168.250.0/24 preference 5 metric 1 enable next-hop 10.200.10.3 ldp-sync
config>router# exit
Note:

If ldp-sync is enabled on a static route, the ldp synchronization timer must also be configured on the associated interface, using the config>router>if>ldp-sync-timer command.

Configuring or Deriving a Router ID

The router ID defaults to the address specified in the system interface command. If the system interface is not configured with an IP address, the router ID inherits the last 4 bytes of the MAC address. Alternatively, the router ID can be explicitly configured with the config>router>router-id command.

When configuring a new router ID, protocols are not automatically restarted with the new router ID. The next time a protocol is initialized, the new router ID is used. To force the new router ID, issue the shutdown and no shutdown commands for OSPF, IS-IS, or BGP, or restart the entire router.

Use the following CLI syntax to configure a router ID:

CLI Syntax:
config>router
router-id ip-address
interface ip-int-name
address {ip-address/mask | ip-address netmask}

The following example displays a router ID configuration:

A:ALU-B>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
        interface "system"
            address 10.10.10.104/32
        exit
        interface "to-103"
            address 10.0.0.104/24
            port 1/1/1
        exit
        router-id 10.10.10.104
...
#------------------------------------------
A:ALU-B>config>router# 

Configuring an Autonomous System

Configuring an autonomous system is optional.

Use the following CLI syntax to configure an autonomous system:

CLI Syntax:
config>router
autonomous-system as-number

The following displays an autonomous system configuration example:

A;ALU-B>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
     interface "system"
          address 10.10.10.103/32
     exit
     interface "to-104"
          address 10.0.0.103/24
          port 1/1/1
     exit
     exit
     autonomous-system 100
     router-id 10.10.10.103
#------------------------------------------
A:ALU-B>config>router#

Configuring ICMP and ICMPv6

Use the following CLI syntax to configure ICMP for the router:

CLI Syntax:
config>router
interface ip-int-name
icmp
mask-reply
ttl-expired number seconds
unreachables number seconds

The number and seconds parameters represent how many of each of these types of ICMP errors the node will generate in the specified interval on the specified interface.

Example:
config>router>if# icmp
config>router>if>icmp# mask-reply
config>router>if>icmp# ttl-expired 100 20
config>router>if>icmp# unreachables 100 20

Use the following CLI syntax to configure ICMPv6 for the router:

CLI Syntax:
config>router
interface ip-int-name
ipv6
icmp6
packet-too-big number seconds
param-problem number seconds
time-exceeded number seconds
unreachables number seconds

The number and seconds parameters represent how many of each of these types of ICMPv6 errors the node will generate in the specified interval on the specified interface.

Example:
config>router>if>ipv6# icmp6
config>router>if>ipv6>icmp6# packet-too-big 100 20
config>router>if>ipv6>icmp6# param-problem 100 20
config>router>if>ipv6>icmp6# time-exceeded 100 20
config>router>if>ipv6>icmp6# unreachables 100 20

Configuring a DHCP Relay Agent

Use the following CLI syntax to configure the router as a DHCP Relay agent:

CLI Syntax:
config>router
interface ip-int-name
dhcp
description description-string
option
action {replace | drop | keep}
circuit-id [ascii-tuple | port-id | if-name]
copy-82
remote-id [mac | string string]
server server1 [server2...(up to 8 max)]
no shutdown
no shutdown
Example:
A:ALU-41>config>router# interface “DHCP_interface”
A:ALU-41>config>router>if$ dhcp option
A:ALU-41>config>router>if>dhcp>option$ circuit-id ascii-tuple
A:ALU-41>config>router>if>dhcp>option$ exit

The following example displays the router DHCP Relay agent creation output.

A:ALU-41>config>router>if# info detail
-------------------------------------------
...
             dhcp
                  shutdown
                  no description
                  option
                      action keep
                      circuit-id ascii-tuple
                      no remote-id
                      no copy-82
                  exit
                  no server
             no shutdown...
-------------------------------------

Configuring Proxy ARP

To configure proxy ARP, you must first:

  1. configure a prefix list in the config>router>policy-options>prefix-list context
  2. configure a route policy statement in the config>router>policy-options>policy-statement context and apply the prefix list
    1. in the config>router>policy-options>policy-statement>entry>to context, specify the host source address(es) for which ARP requests can or cannot be forwarded to non-local networks, depending on the specified action
    2. in the config>router>policy-options>policy-statement>entry>from context, specify the network prefixes that ARP requests will or will not be forwarded to, depending on the specified action if a match is found
CLI Syntax:
config>router>policy-options
begin
commit
abort
prefix-list name
prefix ip-prefix/mask [exact | longer | through length | prefix-length-range length1-length2]
policy-statement name
default-action {accept | next-entry | next-policy | reject}
entry entry-id
action {accept | next-entry | next-policy | reject}
from
prefix-list name [name...(up to 5 max)]
to
prefix-list name [name...(up to 5 max)]

The following example displays the proxy ARP configuration output.

A:ALU-B>config>router>policy-options# info
----------------------------------------------
            prefix-list "prefixlist1"
                prefix 2.2.2.0/24 exact
            exit
            policy-statement "proxyARPpolicy"
                entry 1
                    from 
                         prefix-list “prefix-list1” 
                    exit 
                    to 
                         prefix-list “prefix-list1” 
                    exit 
                    action accept 
                    exit 
                exit
                default-action reject
                exit
            exit
----------------------------------------------
A:ALU-B>config>router>policy-options#

For more information on route policies, see Route Policies.

Apply the policy statement to the proxy ARP policy in the config>router>if> proxy-arp-policy context.

CLI Syntax:
config>router
interface ip-int-name
proxy-arp-policy policy-name [policy-name...(up to 5 max)]

The following example displays the router interface proxy ARP configuration.

A:ALU-41>config>router>if# info 
-------------------------------------------
...
             address 128.251.10.59/24
             remote-proxy-arp
             proxy-arp-policy “proxyARPpolicy”
-------------------------------------------

Configuring a Security Zone

To configure NAT or firewall security functionality, you must:

  1. configure a NAT or firewall security profile and policy in the config>security context
    1. in the config>security>profile context, specify the timeouts for the TCP/UDP/ICMP protocols and configure logging and application assurance parameters. This step is optional. If you do not configure the profile, a default profile is assigned.
    2. in the config>security>policy context, configure a security policy, and specify the match criteria and the action to be applied to a packet if a match is found
  2. configure a security zone and apply the policy ID to the zone, as shown in the CLI syntax below
CLI Syntax:
config>router
abort
begin
commit
zone zone-id [create]
description description-string
interface ip-int-name [create]
name zone-name
nat
pool pool-id [create]
description description-string
direction {zone-outbound | zone-inbound | both}
entry entry-id [create]
ip-address ip-address [to ip-address] interface ip-int-name
port port [to port] interface ip-int-name
name pool-name
policy policy-id | policy-name
shutdown

The following example displays a NAT zone configuration output.

A:ALU-B>config>router# info
----------------------------------------------
        configure
            router
                zone 1 create
                begin
                    name “GRT zone”
                    description “uplink zone to public” 
                    interface router-100-10.30.10.1
                    nat 
                        pool 1 create 
                            description "pool 1" 
                            direction zone-outbound 
                            entry 1 create 
                                ip-addr 68.193.0.1 
                                port 5000 to 6000 
                            exit 
                        exit 
                    exit 
                    policy 1  
                    commit 
                exit
                no-shutdown
----------------------------------------------
A:ALU-B>config>router#

Configuring Security Logging

The 7705 SAR supports rule-based logging (that is, logging for each entry of a security policy) and zone-based logging.

Logging is suppressed by default. To enable either rule-based logging or zone-based logging, logging must be configured as part of the security policy configuration.

Rule-Based Security Logging

If a packet does not match any of the rules in a security policy, the packet is dropped from a security session because the default security policy action is to reject non-matching packets. With rule-based logging, in order to see that event in the event log, the policy must be configured with a rule to log rejected, non-matching packets to the log-id, and this rule must be configured as the last entry in the policy.

Note:

If the policy>entry>logging to log-id command is enabled, the zone>log command cannot be enabled because a log-id cannot be configured at both the policy and zone levels.

Use the following CLI syntax to configure rule-based security logging:

CLI Syntax:
config>security
logging
profile {profile-id | profile-name} [create]
description description-string
event-control event-type [event event] {suppress | throttle | off}
name name
exit
log-id {log-id | log-name} [create]
description description-string
destination {memory [size] | syslog syslog-id}
name name
profile {logging-profile-id | logging- profile-name}
no shutdown
exit
exit
begin
policy {profile-id | profile-name} [create]
name profile-name
description description-string
application
assurance
dns
[no] reply-only
icmp
[no] limit-type3
request limit packets
no request limit
ip
options {permit ip-option-mask | permit-any}
options ip-option-name [ip-option-name]
tcp
[no] strict
exit
exit
exit
timeouts
exit
exit
policy {policy-id | policy-name} [create]
description description-string
entry entry-id
match [protocol {protocol-id | name}]
direction {zone-outbound | zone-inbound | both}
src-ip ip-address to ip-address
action reject
logging to log-id {log-id | log-name}
exit
exit

The following example displays a rule-based logging configuration output.

*A:7705:Dut-C>config>security# info
----------------------------------------------
    logging
        profile 2 create
            event-control "policy" event "1" throttle
            event-control "policy" event "2" throttle
        exit
        profile 100 create
            event-control "policy" event "1" throttle
            event-control "policy" event "2" throttle
        exit
        log-id 10 create
            name "SecurityLog10"
            description "Security Log ID 10"
            destination memory 1024
            profile "100"
            no shutdown
        exit
        log-id 20 create
            name "SecurityLog20"
            description "Security Log ID 20"
            destination memory 1024
            no shutdown
        exit
        log-id 30 create
            name "SecurityLog30"
            description "Security Log ID 30"
            destination memory 1024
            no shutdown
        exit
        log-id 40 create
            name "SecurityLog40"
            description "Security Log ID 40"
            destination memory 1024
            profile "100"
            no shutdown
        exit
        log-id 50 create
            name "SecurityLog50"
            description "Security Log ID 50"
            destination memory 1024
            no shutdown
        exit
        log-id 100 create
            name "SecurityLog100"
            description "Security Log ID 100"
            destination memory 1024
            no shutdown
        exit
    exit
    begin
    profile 10 create
        name "StrictTCP"
        description "Strict TCP Enabled"
        application
            assurance
                ip
                exit
                icmp
                exit
                tcp
                    strict
                exit
                dns
                exit
            exit
        exit
        timeouts
        exit
    exit
    profile 20 create
        name "DNS"
        description "DNS_Reply_Strict"
        application
            assurance
                ip
                exit
                icmp
                exit
                tcp
                exit
                dns
                exit
            exit
        exit
        timeouts
        exit
    exit
    profile 30 create
        name "ICMP"
        description "ICMP Type3 Response Limit"
        application
            assurance
                ip
                exit
                icmp
                exit
                tcp
                exit
                dns
                exit
            exit
        exit
        timeouts
        exit
    exit
    policy 10 create
        description "Strict TCP"
        entry 10 create
            description "Entry 10"
            match protocol tcp
                direction zone-outbound
                src-ip 100.1.1.2
            exit
            limit
            exit
            action forward
            profile "StrictTCP"
            logging to log-id "SecurityLog10"
        exit
        entry 20 create
            description "TCP"
            match protocol tcp
                direction zone-outbound
            exit
            limit
            exit
            action forward
            logging to log-id "SecurityLog20"
        exit
        entry 30 create
            description "UDP and DNS"
            match protocol udp
                direction zone-outbound
            exit
            limit
            exit
            action forward
            profile "DNS"
            logging to log-id "SecurityLog30"
        exit
        entry 40 create
            description "ICMP"
            match protocol icmp
                direction zone-outbound
            exit
            limit
            exit
            action forward
            profile "ICMP"
            logging to log-id "SecurityLog40"
        exit
        entry 50 create
            description "SCTP Drop Rule"
            match protocol sctp
                direction zone-outbound
            exit
            limit
            exit
            action drop
            logging to log-id "SecurityLog50"
        exit
        entry 255 create
            description "Non Supported Protocol Rule"
            match
            exit
            limit
            exit
            logging to log-id "SecurityLog100"
        exit
    exit
----------------------------------------------
*A:7705:Dut-C>config>security#

The following example displays the error that occurs when there is an attempt to configure a log-id at both the policy level and the zone level.

*A:7705:Dut-C>config>service>vprn# info
----------------------------------------------
            route-distinguisher 65000:1
            vrf-target target:1:1
            interface "vprn-1-100.1.1.1" create
                address 100.1.1.1/24
                ip-mtu 1500
                spoke-sdp 1:10 create
                    no shutdown
                exit
            exit
            interface "vprn-1-111.1.1.1" create
                address 111.1.1.1/24
                ip-mtu 1500
                spoke-sdp 3:20 create
                    no shutdown
                exit
            exit
            zone 10 create
                description "Zone 10: "
                interface "vprn-1-100.1.1.1"
                exit
                nat
                exit
                policy "10"
                inbound
                    limit
                    exit
                exit
                outbound
                    limit
                    exit
                exit
                commit
            exit
            no shutdown
----------------------------------------------
*A:7705:Dut-C>config>service>vprn#   zone 10 log 100
MINOR: FIREWALL #1086 Policy level rule logging enabled. - Can not configure 
logids at both policy and zone levels
*A:7705:Dut-C>config>service>vprn#

Zone-Based Security Logging

Zone-based logging is enabled when the config>security>policy> entry>logging to zone command is configured as part of the security policy configuration. Zone-based logging can be configured after the policy has been created, but this requires the begin and commit actions, which cause existing security sessions to be cleared.

Use the following CLI syntax to configure zone-based security logging:

CLI Syntax:
config>security
logging
profile {profile-id | profile-name} [create]
description description-string
event-control event-type [event event] {suppress | throttle | off}
name name
log-id {log-id | log-name} [create]
description description-string
destination {memory [size] | syslog syslog-id}
name name
profile {logging-profile-id | logging- profile-name}
no shutdown
exit
exit
profile {profile-id | profile-name} [create]
description description-string
name name
application
assurance
dns
reply-only
tcp
strict
exit
exit
exit
exit
policy {policy-id | policy-name} [create]
description description-string
entry entry-id
match [protocol {protocol-id | name}]
direction {zone-outbound | zone-inbound | both}
src-ip ip-address to ip-address
action {drop | forward | nat | reject}
logging to zone
exit
exit

The following example displays a zone-based logging configuration output.

*A:7705:Dut-C>config>security# info
----------------------------------------------
    logging
        profile 10 create
            event-control "packet" event "10" suppress
        exit
        log-id 10 create
            name "SecurityLog10"
            description "Security Log ID 10"
            destination memory 1024
            profile "10"
            no shutdown
        exit
        log-id 11 create
            destination memory 1024
            no shutdown
        exit
    exit
    profile 100 create
        name "StrictTCP"
        description "Strict TCP Enabled"
        application
            assurance
                ip
                exit
                icmp
                exit
                tcp
                    strict
                exit
                dns
                exit
            exit
        exit
        timeouts
        exit
    exit
    profile 101 create
        name "SessTimeout"
        description "timout"
        application
            assurance
                ip
                exit
                icmp
                exit
                tcp
                    strict
                exit
                dns
                exit
            exit
        exit
        timeouts
            other-sessions idle sec 40
        exit
    exit
    policy 10 create
        name "Mixed bag"
        description "Ingress Uni-directional"
        entry 1 create
            description "unknown"
            match protocol 48
                direction zone-outbound
            exit
            limit
            exit
            action forward
            logging to zone
        exit
        entry 2 create
            description "UDPLite"
            match protocol 136
                direction zone-outbound
            exit
            limit
            exit
            action forward
            logging to zone
        exit
        entry 3 create
            description "TCP"
            match protocol tcp
                direction zone-outbound
                src-port range 1024 15000
            exit
            limit
            exit
            action forward
            logging to zone
        exit
        entry 4 create
            description "Strict TCP"
            match protocol tcp
                direction zone-outbound
                src-port lt 1024
            exit
            limit
            exit
            action forward
            profile "StrictTCP"
            logging to zone
        exit
        entry 5 create
            description "GRE"
            match protocol gre
                direction zone-outbound
            exit
            limit
            exit
            action forward
            logging to zone
        exit
        entry 6 create
            description "UDP bad"
            match protocol udp
                direction zone-outbound
                src-port lt 1024
            exit
            limit
            exit
            logging to zone
        exit
        entry 7 create
            description "UDP good"
            match protocol udp
                direction zone-outbound
                src-port gt 1024
            exit
            limit
            exit
            action forward
            logging to zone
        exit
        entry 8 create
            description "UDP bad"
            match protocol udp
                direction zone-outbound
                src-port eq 1024
            exit
            limit
            exit
            action drop
            logging to zone
        exit
        entry 9 create
            description "IPv6 Encap"
            match protocol ipv6
                direction zone-outbound
            exit
            limit
            exit
            action forward
            logging to zone
        exit
    exit
    commit
----------------------------------------------
*A:7705:Dut-C>config>security#

The following example displays a zone-based logging configuration output for a VPRN service.

*A:7705:Dut-C>config>service>vprn# info
----------------------------------------------
            route-distinguisher 65000:1
            vrf-target target:1:1
            interface "vprn-1-100.1.1.1" create
                address 100.1.1.1/24
                ip-mtu 1500
                spoke-sdp 1:10 create
                    no shutdown
                exit
            exit
            interface "vprn-1-111.1.1.1" create
                address 111.1.1.1/24
                ip-mtu 1500
                spoke-sdp 3:20 create
                    no shutdown
                exit
            exit
            zone 10 create
                description "Zone 10: "
                interface "vprn-1-100.1.1.1"
                exit
                nat
                exit
                policy "Mixed bag"
                inbound
                    limit
                    exit
                exit
                outbound
                    limit
                    exit
                exit
                log "SecurityLog10"
                commit
            exit
            no shutdown
----------------------------------------------

Applying an Application Group and a Host Group to a Security Policy

Use the following CLI syntax to apply an application group or a host group to a security policy:

CLI Syntax:
config>security
app-group {id | name} [create]
name name
description description
entry entry-id [create]
match [protocol {protocol-id | protocol-name}]
exit
exit
exit
host-group {id | name} [create]
name name
description description
host ip-address [to ip-address]
exit
exit
exit
policy {policy-id | policy-name} [create]
description description-string
entry entry-id
description description-string
match [local] [protocol {protocol-id | name}]
match [local] [protocol {tcp| udp | *}]
match [app-group {group-id| name}]
direction {zone-outbound | zone-inbound | both}
src-ip host-group {group-id | name}
action {forward | reject |drop | nat}
profile {profile-id | profile-name}
logging to log-id {log-id | log-name}| suppressed | to zone}
exit
exit

The following output is an example of applying an application group and a host group to a security policy:

*A:7705:Dut-A>config>security>policy# info 
----------------------------------------------
    name "Inbound Policy"
    description "Common egress policy"
    entry 1 create
        description "match TCP and IP"
        match app-group "Telnet"
            direction zone-inbound
            src-ip host-group "Private Hosts"
        exit
        limit
        exit
        action nat
        profile "nonDefault1"
        logging to zone
    exit
    entry 2 create
        description "match UDP and port"
        match app-group "SNMP"
            direction zone-inbound
        exit
        limit
        exit
        action nat
        profile "nonDefault1"
        logging to zone
    exit
    entry 3 create
        description "match ISAKMP"
        match protocol udp
            direction zone-inbound
            src-ip host-group "Private Hosts"
            dst-port eq 500
        exit
        limit
        exit
        action nat
        profile "nonDefault1"
        logging to zone
    exit
----------------------------------------------
*A:7705:Dut-A>config>security>policy#  

Service Management Tasks

This section discusses the following service management tasks:

  1. Changing the System Name
  2. Modifying Interface Parameters
  3. Deleting a Logical IP Interface

Changing the System Name

The system command sets the name of the device and is used in the prompt string. Only one system name can be configured. If multiple system names are configured, the last one configured will overwrite the previous entry.

Use the following CLI syntax to change the system name:

CLI Syntax:
config# system
name system-name
Example:
A:ALU-A>config>system# name tgif
A:TGIF>config>system#

The following example displays the system name change.

A:ALU-A>config>system# name TGIF
A:TGIF>config>system# info
#------------------------------------------
# System Configuration
#------------------------------------------
        name "TGIF"
     location "Kanata, ON, Canada"
     snmp
        exit
        security
            snmp
                community "private" rwa version both
            exit
        exit
        . . .
----------------------------------------------
A:TGIF>config>system#

Modifying Interface Parameters

Starting at the config>router level, navigate down to the router interface context.

To modify an IP address, perform the following steps:

Example:
A:ALU-A>config>router# interface "to-sr1"
A:ALU-A>config>router>if# shutdown
A:ALU-A>config>router>if# no address
A:ALU-A>config>router>if# address 10.0.0.25/24
A:ALU-A>config>router>if# no shutdown

To modify a port, perform the following steps:

Example:
A:ALU-A>config>router# interface "to-sr1"
A:ALU-A>config>router>if# shutdown
A:ALU-A>config>router>if# no port
A:ALU-A>config>router>if# port 1/1/2
A:ALU-A>config>router>if# no shutdown

The following example displays the interface configuration.

A:ALU-A>config>router# info
#------------------------------------------
# IP Configuration
#------------------------------------------
        interface "system"
            address 10.0.0.103/32
        exit
        interface "to-sr1"
            address 10.0.0.25/24
            port 1/1/2
        exit
        router-id 10.10.10.104
 
#------------------------------------------
A:ALU-A>config>router# 

Deleting a Logical IP Interface

The no form of the interface command typically removes the entry, but all entity associations must be shut down and/or deleted before an interface can be deleted.

  1. Before an IP interface can be deleted, it must first be administratively disabled with the shutdown command.
  2. After the interface has been shut down, it can then be deleted with the no interface command.
CLI Syntax:
config>router
no interface ip-int-name
Example:
config>router# interface test-interface
config>router>if# shutdown
config>router>if# exit
config>router# no interface test-interface
config>router#