Configuring IES with CLI

This section provides the information required to configure IP routing services; that is, direct forwarding of IP traffic between CE devices, and to configure IES for in-band management of the 7705 SAR over ATM links.

Common Configuration Tasks

The following list provides a brief overview of the tasks that must be performed to configure IES.

  1. Associate the IES service with a customer ID.
  2. Create an IP interface on the 7705 SAR.
  3. Specify the IP address of the interface.
  4. Define interface parameters.
  5. Define SAP parameters.
  6. For IES spoke SDP applications only: define spoke SDP parameters.
  7. For IES applications only: configure VRRP (optional).
  8. For IES management service only: manually configure the remote address of the far-end router to which the 5620 SAM network manager is connected (the far-end router must be enabled for IES service).*
  9. For IES management service only: create a static route to the remote router and to the 5620 SAM.*
  10. Enable the service.

Note:

*Remote address and static route configuration is beyond the scope of this document. For information, refer to the 7705 SAR OS Router Configuration Guide.

Configuring IES Components

This section provides configuration examples for components of the IES service. Each component includes some or all of the following: introductory information, CLI syntax, a specific CLI example, and a sample CLI display output.

Creating an IES Service

Use the following CLI syntax to create an IES service.

CLI Syntax:
config>service# ies service-id [customer customer-id] [create] [vpn vpn-id]
    description description-string
    interface ip-int-name [create]
    no shutdown

Example:
A:ALU-41>config>service# ies 5 customer 1 create
A:ALU-41>config>service>ies# description "IES for in-band management"
A:ALU-41>config>service>ies# interface "ATMoIP Management" create
A:ALU-41>config>service>ies# no shutdown
A:ALU-41>config>service>ies#

The following example displays the IES service creation output.

A:ALU-41>config>service# info
-------------------------------------
...
        ies 5 customer 1 create
            description "IES for in-band management"
            interface "ATMoIP Management"
            no shutdown
        exit
...

Configuring Interface Parameters

IES Management Service

Use the following CLI syntax to configure interface parameters for the IES management service.

CLI Syntax:
config>service# ies service-id [customer customer-id] [create] [vpn vpn-id]
    interface ip-int-name
        address if-ip-address
        bfd transmit-interval [receive receive-interval] [multiplier multiplier] [type np]
        description description-string
        ip-mtu octets
        no shutdown

Example:
A:ALU-41>config>service# ies 5
A:ALU-41>config>service>ies# interface "ATMoIP Management"
A:ALU-41>config>service>ies>if# address 3.3.3.3/24
A:ALU-41>config>service>ies>if# ip-mtu 1524
A:ALU-41>config>service>ies>if# no shutdown
A:ALU-41>config>service>ies>if#

The following example displays the IES interface creation output for the IES management service.

A:ALU-41>config>service>ies>if# info detail
-------------------------------------------
...
             no description
             address 3.3.3.3/24
             ip-mtu 1524
             no bfd
             exit
             no shutdown
...
-------------------------------------

IES Service

Use the following CLI syntax to configure interface parameters for the IES service.

Note:

The IES interface can be configured as a loopback interface by issuing the loopback command instead of the sap command. The loopback flag cannot be set on an interface where a SAP is already defined, and a SAP cannot be defined on a loopback interface.

CLI Syntax:
config>service# ies service-id [customer customer-id] [create] [vpn vpn-id]
    interface ip-int-name
        address if-ip-address
        allow-directed-broadcasts
        arp-timeout
        bfd transmit-interval [receive receive-interval] [multiplier multiplier] [type np]
        description description-string
        dhcp
            description description-string
            option
                action {replace | drop | keep}
                circuit-id [ascii-tuple | ifindex | sap-id | vlan-ascii-tuple]
                remote-id [mac | string string]
                vendor-specific-option
                    client-mac-address
                    sap-id
                    service-id
                    string text
                    system-id
            server server1 [server2...(up to 8 max)]
            no shutdown
            trusted
        icmp
            mask-reply
            ttl-expired [number seconds]
            unreachables
        ip-mtu octets
        ipcp
            dns ip-address [secondary ip-address]
            dns secondary ip-address
            peer-ip-address ip-address
        local-proxy-arp
        loopback
        mac ieee-address
        proxy-arp-policy policy-name [policy-name...(up to 5 max)]
        remote-proxy-arp
        secondary {ip-address/mask | ip-address netmask} [broadcast all-ones | host-ones] [igp-inhibit]
        no shutdown
        static-arp ip-address ieee-mac-address
        static-arp ieee-mac-address unnumbered
        unnumbered {ip-int-name | ip-address}
    no shutdown

Example:
A:ALU-41>config>service# ies 4
A:ALU-41>config>service>ies$ interface "to Internet"
A:ALU-41>config>service>ies>if$ address 3.2.3.3/24
A:ALU-41>config>service>ies>if$ dhcp option
A:ALU-41>config>service>ies>if>dhcp>option$ circuit-id ifindex
A:ALU-41>config>service>ies>if>dhcp>option$ exit
A:ALU-41>config>service>ies>if$ ip-mtu 1524

The following example displays the IES interface creation output for the IES service.

A:ALU-41>config>service>ies>if# info detail
-------------------------------------------
...
              no description
              address 3.2.3.3/24 broadcast host-ones
              no mac
              arp-timeout 14400
              no allow-directed-broadcasts
              icmp
                 mask-reply
                 unreachables 100 10
                 ttl-expired 100 10
              exit
              dhcp
                 shutdown
                 no description
                 option
                     action keep
                     circuit-id ifindex
                     no remote-id
                     no vendor-specific-option
                 exit
                 no server
                 no trusted
              exit
              ip-mtu 1524
              no bfd
              ipcp
                 no peer-ip-address
                 no dns
              exit
              proxy-arp-policy "proxyARPpolicy"
              local-proxy-arp
              remote-proxy-arp
              no shutdown
...
-------------------------------------

IES IPv6 Service

Use the following CLI syntax to configure interface parameters for the IES IPv6 service.

CLI Syntax:
config>service# ies service-id [customer customer-id] [create] [vpn vpn-id]
    interface ip-int-name
        ipv6
            address ipv6-address/prefix-length [eui-64]
            dhcp6-relay
                description description-string
                option
                    interface-id
                    interface-id ascii-tuple
                    interface-id ifindex
                    interface-id sap-id
                    interface-id string
                    remote-id
                server ipv6-address [ipv6-address...(up to 8 max)]
                no shutdown
            icmp6
                packet-too-big [number seconds]
                param-problem [number seconds]
                time-exceeded [number seconds]
                unreachables [number seconds]
            neighbor ipv6-address mac-address
            reachable-time seconds
            stale-time seconds

Example:
A:ALU-41>config>service# ies 9
A:ALU-41>config>service>ies$ interface "ies_interface"
A:ALU-41>config>service>ies>if$ ipv6
A:ALU-41>config>service>ies>if>ipv6$ address 1080:6809:8086:6502::/64
A:ALU-41>config>service>ies>if>ipv6$ dhcp6-relay
A:ALU-41>config>service>ies>if>ipv6>dhcp6-relay$ server 2001:DB8::
A:ALU-41>config>service>ies>if>ipv6>dhcp6-relay$ option
A:ALU-41>config>service>ies>if>ipv6>dhcp6-relay>option$ interface-id ascii-tuple
A:ALU-41>config>service>ies>if>ipv6>dhcp6-relay>option$ exit
A:ALU-41>config>service>ies>if>ipv6$ icmp6
A:ALU-41>config>service>ies>if>ipv6>icmp6$ packet-too-big 80 10
A:ALU-41>config>service>ies>if>ipv6>icmp6$ exit
config>service>ies>if>ipv6# neighbor 2001:DB8:CAFE::60 00-50-56-A3-04-0C
config>service>ies>if>ipv6>neighbor# exit
config>service>ies>if>ipv6# reachable-time 30
config>service>ies>if>ipv6# stale-time 14400
config>service>ies>if>ipv6# exit

The following example displays the IES interface IPv6 output.

A:ALU-41>config>service>ies>if># info detail
-------------------------------------------
...
              no description
              address 1080:6809:8086:6502::/64
              dhcp6-relay
                  no description
                  option
                      interface-id ascii-tuple
                      no remote-id
                  server 2001:DB8::
              exit
              icmp6
                  packet-too-big 80 10
                  param-problem 100 10
                  time-exceeded 100 10
                  unreachables 100 10
                  exit
              exit
              ...
            reachable-time 30
            stale-time 14400
        exit
...

Configuring IES SAP Parameters

IES Management SAP

Use the following CLI syntax to configure IES management SAP parameters.

Note:

The encapsulation type is always aal5mux-ip.

CLI Syntax:
config>service# ies service-id [customer customer-id] [create] [vpn vpn-id]
    interface ip-int-name
        sap sap-id [create]
            atm
                encapsulation encap-type
                egress
                    traffic-desc traffic-desc-profile-id
                ingress
                    traffic-desc traffic-desc-profile-id
                oam
                    alarm-cells
            description description-string
            ingress
                filter ip ip-filter-id
            no shutdown

Example:
A:ALU-41>config>service# ies 5
A:ALU-41>config>service>ies# interface "ATMoIP Management"
A:ALU-41>config>service>ies>if# sap 1/1/1.1:0/32 create
A:ALU-41>config>service>ies>if>sap# ingress
A:ALU-41>config>service>ies>if>sap>ingress# filter ip 3
A:ALU-41>config>service>ies>if>sap>ingress# exit
A:ALU-41>config>service>ies>if>sap# atm
A:ALU-41>config>service>ies>if>sap>atm# encapsulation aal5mux-ip
A:ALU-41>config>service>ies>if>sap>atm# egress
A:ALU-41>config>service>ies>if>sap>atm>egress# traffic-desc 3
A:ALU-41>config>service>ies>if>sap>atm>egress# exit
A:ALU-41>config>service>ies>if>sap>atm# ingress
A:ALU-41>config>service>ies>if>sap>atm>ingress# traffic-desc 2
A:ALU-41>config>service>ies>if>sap>atm>ingress# exit
A:ALU-41>config>service>ies>if>sap>atm# oam
A:ALU-41>config>service>ies>if>sap>atm>oam# alarm-cells
A:ALU-41>config>service>ies>if>sap>atm>oam# exit
A:ALU-41>config>service>ies>if>sap>atm# exit
A:ALU-41>config>service>ies>if>sap# exit
A:ALU-41>config>service>ies>if# exit
A:ALU-41>config>service>ies#

The following example displays the IES SAP creation output.

A:ALU-41>config>service>ies>if>sap# info detail
-------------------------------------------
...
           no description
           ingress
               filter ip 3
           exit
           atm
               encapsulation aal5mux-ip
               ingress
                   traffic-desc 2
               exit
               egress
                  traffic-desc 3
               exit
               oam
                   alarm-cells
               exit
           exit
           no shutdown
-------------------------------------

IES Service SAP

Use the following CLI syntax to configure SAP parameters for the IES service.

Note:

A SAP cannot be defined if the loopback command is enabled on the interface.

CLI Syntax:
config>service# ies service-id [customer customer-id] [create] [vpn vpn-id]
    interface ip-int-name
        sap sap-id [create]
            accounting-policy acct-policy-id
            collect-stats
            description description-string
            egress
                filter ip ip-filter-id
                filter ipv6 ipv6-filter-id
                qos policy-id
            ingress
                filter ip ip-filter-id
                filter ipv6 ipv6-filter-id
                qos policy-id
            no shutdown

Example:
A:ALU-41>config>service# ies 4
A:ALU-41>config>service>ies$ interface "to Internet"
A:ALU-41>config>service>ies>if$ sap 1/4/1 create
A:ALU-41>config>service>ies>if>sap$ egress
A:ALU-41>config>service>ies>if>sap>egress$ qos 3
A:ALU-41>config>service>ies>if>sap>egress$ exit
A:ALU-41>config>service>ies>if>sap$ ingress
A:ALU-41>config>service>ies>if>sap>ingress$ filter ip 3

The following example displays the IES SAP creation output.

A:ALU-41>config>service>ies>if>sap# info detail
-------------------------------------------
...
           no description
           egress
               qos 3
           ingress
               filter ip 3
           exit
           no shutdown
-------------------------------------

Configuring IES Spoke SDP Parameters

Use the following CLI syntax to configure spoke SDP parameters for the IES service.

CLI Syntax:
config>service# ies service-id [customer customer-id] [create] [vpn vpn-id]
    interface ip-int-name
        spoke-sdp sdp-id:vc-id [create]
            egress
                vc-label egress-vc-label
            ingress
                filter ip ip-filter-id
                vc-label ingress-vc-label
            [no] shutdown

Example:
A:ALU-41>config>service# ies 6
A:ALU-41>config>service>ies$ interface "ies6_interface"
A:ALU-41>config>service>ies>if$ spoke-sdp 5:6 create
A:ALU-41>config>service>ies>if>spoke-sdp$ ingress
A:ALU-41>config>service>ies>if>spoke-sdp>ingress$ filter ip 56
A:ALU-41>config>service>ies>if>spoke-sdp>ingress$ vc-label 5566

The following example displays the IES spoke SDP creation output.

A:ALU-41>config>service>ies>if>spoke-sdp# info detail
-------------------------------------------
...
           no description
           egress
               no vc-label
           ingress
               filter ip 56
               vc-label 5566
           exit
           no shutdown
-------------------------------------
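
Added example (not part of the 7705 SAR documentation): a Python check that parses configuration text laid out like the info output above and reports any SAP or spoke SDP without an ingress IP filter, and any interface that allows directed broadcasts. The sample configuration is constructed, and the two rules are an assumed local hardening policy, not vendor requirements.

```python
import re

# Constructed sample in the indented layout of `info` output (not from a real node).
SAMPLE = '''\
ies 4 customer 1 create
    interface "to Internet" create
        no allow-directed-broadcasts
        sap 1/4/1 create
            egress
                qos 3
            exit
        exit
    exit
    interface "ies6_interface" create
        allow-directed-broadcasts
        spoke-sdp 5:6 create
            ingress
                filter ip 56
            exit
        exit
    exit
exit
'''

def parse(text):
    """Return (path, command) pairs; path is the tuple of enclosing contexts."""
    stack, out = [], []          # stack holds (indent, command)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit" or set(line) <= set("-.#"):
            continue             # skip blanks, context closers, rulers, "..."
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()          # leave contexts at the same or deeper indent
        out.append((tuple(c for _, c in stack), line))
        stack.append((indent, line))
    return out

def audit(text):
    """Assumed policy: no directed broadcasts; every SAP/spoke SDP filters ingress."""
    rows, findings = parse(text), []
    for path, cmd in rows:
        if cmd == "allow-directed-broadcasts":
            where = path[-1] if path else "top level"
            findings.append(f"{where}: directed broadcasts allowed")
        if re.match(r"(sap|spoke-sdp) \S+", cmd):
            here = path + (cmd, "ingress")
            # "filter ip" also matches "filter ipv6", so either filter counts
            if not any(p == here and c.startswith("filter ip") for p, c in rows):
                findings.append(f"{cmd}: no ingress IP filter")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The parser relies on indentation rather than on exit lines, so it also handles output in which a nested context is shown without its closing exit.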

Configuring VRRP

Configuring VRRP policies and instances on service interfaces is optional. The basic owner and non-owner VRRP configurations on an IES interface must specify the backup ip-address parameter.

VRRP helps eliminate the single point of failure in a routed environment by using virtual router IP addresses shared between two or more routers connecting the common domain. VRRP provides dynamic failover of the forwarding responsibility to the backup router if the master becomes unavailable.

The VRRP implementation allows one master per IP subnet. All other VRRP instances in the same domain must be in backup mode.

For further information about VRRP CLI syntax and command descriptions, see the IES Command Reference.

The following displays an IES interface VRRP owner configuration:

config>service>ies# info
#----------------------------------------------
        interface "vrrpowner"
            address 10.10.10.23/24
            vrrp 1 owner
                backup 10.10.10.23
                authentication-key "testabc"
            exit
        exit
#----------------------------------------------
config>service>ies#

Configuring a Security Zone within IES

To configure NAT or firewall security, you must:

  1. configure a NAT or firewall security profile and policy in the config>security context
    1. in the config>security>profile context, specify the timeouts for the TCP/UDP/ICMP protocols and configure logging and application assurance parameters. This step is optional. If you do not configure the profile, a default profile is assigned.
    2. in the config>security>policy context, configure a security policy, specify the match criteria and the action to be applied to a packet if a match is found.
  2. configure a security zone and apply the policy ID to the zone, as shown in the CLI syntax below
CLI Syntax:
config>service
ies service-id [customer customer-id] [create]
abort
begin
commit
zone zone-id [create]
description description-string
interface ip-int-name [create]
name zone-name
nat
pool pool-id [create]
description description-string
direction {zone-outbound | zone-inbound | both}
entry entry-id [create]
ip-address ip-address [to ip-address] interface ip-int-name
port port [to port] interface ip-int-name
name pool-name
policy policy-id | policy-name
shutdown

The following example displays a NAT zone configuration output.

A:ALU-B>config>service>ies# info
----------------------------------------------
        configure
            service ies 10 create
                zone 1 create
                begin
                    name "IES zone"
                    description "uplink zone from private"
                    interface ies-100-10.30.10.1 
                    exit 
                    nat 
                        pool 1 create 
                            description "pool 1" 
                            direction zone-inbound 
                            exit 
                            entry 1 create 
                                ip-addr interface ies-100-10.30.10.1 
                            exit 
                        exit 
                    exit 
                    policy 1 nat pool 1 
                    commit 
                exit
                no shutdown
----------------------------------------------
A:ALU-B>config>service>ies#

Service Management Tasks

Modifying IES Service Parameters

Existing IES service parameters can be modified, added, removed, enabled, or disabled.

To display a list of customer IDs, use the show>service>customer command.

Enter the parameters (such as description, interface information, or SAP information), and then enter the new information.

The following is an example of changing the IP MTU size.

Example:
A:ALU-41>config>service# ies 5
A:ALU-41>config>service>ies# interface "testname"
A:ALU-41>config>service>ies>if# ip-mtu 1517
A:ALU-41>config>service>ies>if# exit

Disabling an IES Service

An IES service can be shut down without deleting the service parameters.

Use the shutdown command to shut down an IES service.

CLI Syntax:
config>service# ies service-id
    shutdown

Example:
A:ALU-41>config>service# ies 5
A:ALU-41>config>service>ies# shutdown
A:ALU-41>config>service>ies# exit

Re-enabling an IES Service

Use the no shutdown command to re-enable a previously disabled IES service.

CLI Syntax:
config>service# ies service-id
    no shutdown

Example:
A:ALU-41>config>service# ies 5
A:ALU-41>config>service>ies# no shutdown
A:ALU-41>config>service>ies# exit

Deleting an IES Service

An IES service cannot be deleted until SAPs, spoke SDPs, and interfaces are shut down and deleted and the service is shut down on the service level.

Use the following CLI syntax to delete an IES service:

CLI Syntax:
config>service#
    ies service-id
        interface ip-int-name
            sap sap-id
                shutdown
                exit
            no sap sap-id
            spoke-sdp sdp-id:vc-id
                shutdown
                exit
            no spoke-sdp sdp-id:vc-id
        interface ip-int-name
            shutdown
            exit
        no interface ip-int-name
        shutdown
        exit
    no ies service-id