Triple Play Security Command Reference

Command Hierarchies

Note:

This command tree is limited to those commands specific to Triple Play security. For the full command trees of a particular service type, consult the Services Overview Guide.

Anti-Spoofing Commands

config
— service
vpls service-id [customer customer-id] [vpn vpn-id] [m-vpls]
sap sap-id [split-horizon-group group-name]
anti-spoof {ip | mac | ip-mac}
— no anti-spoof
config
— service
ies service-id [customer customer-id] [vpn vpn-id]
[no] interface ip-int-name
sap sap-id
anti-spoof {ip | mac | ip-mac}
— no anti-spoof
— subscriber-interface
— group-interface ip-int-name
— sap sap-id
anti-spoof {ip | ip-mac}
— no anti-spoof

Layer 2 Security Commands

config
— service
[no] vpls service-id [customer customer-id] [vpn vpn-id] [m-vpls]
[no] mac [ieee-mac-address]
[no] split-horizon-group [group-name] [residential-group]
[no] restrict-protected-src [alarm-only | discard-frame]
mesh-sdp sdp-id[:vc-id] [vc-type {ether | vlan}]
[no] mac-pinning
[no] restrict-protected-src [alarm-only | discard-frame]
spoke-sdp sdp-id[:vc-id] [vc-type {ether | vlan | vpls}] [split-horizon-group group-name]
[no] mac-pinning
[no] restrict-protected-src [alarm-only | discard-frame]

ARP Handling Commands

config
— service
[no] vpls service-id [customer customer-id] [vpn vpn-id] [m-vpls]
sap sap-id
arp-reply-agent [sub-ident]
config
— service
ies service-id [customer customer-id] [vpn vpn-id]
[no] interface ip-int-name
[no] arp-populate
arp-timeout seconds
proxy-arp-policy policy-name [policy-name...(up to 5 max)]
static-arp ip-address ieee-address
— no static-arp ip-address [ieee-address]

Tools Commands

tools
— perform
— security
authentication-server-check server-address ip-address [port port] {{user-name user-name password password} | attr-from-file file-url} secret key [source-address ip-address] [timeout seconds] [router router-instance | service-name service-name] [debug]

Command Descriptions

Triple Play Security Configuration Commands

Topics in this section include:

Triple Play Anti-Spoofing Commands

anti-spoof

Syntax 
anti-spoof {ip | mac | ip-mac}
no anti-spoof
Context 
config>service>ies>if>sap
config>service>vpls>sap
config>service>vprn>if>sap
Description 

This command enables anti-spoof filtering and optionally changes the anti-spoof matching type for the SAP.

The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, mac, ip-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.

The no form of the command disables anti-spoof filtering on the SAP.

Default 

no anti-spoof

Parameters 
ip—
Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof ip command will fail.
mac—
Configures SAP anti-spoof filtering to use only the source MAC address in its lookup. If a static host exists on the SAP without a specified MAC address, the anti-spoof mac command will fail.
ip-mac—
Configures SAP anti-spoof filtering to use both the source IP address and the source MAC address in its lookup.

anti-spoof

Syntax 
anti-spoof {ip | ip-mac}
no anti-spoof
Context 
config>service>ies>>sub-if>grp-if>sap
Description 

This command enables anti-spoof filtering and optionally change the anti-spoof matching type for the SAP.

The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip, ip-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.

The no form of the command disables anti-spoof filtering on the SAP.

This command applies to the 7750 SR only.

Default 

no anti-spoof

Parameters 
ip—
Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static host exists on the SAP without an IP address specified, the anti-spoof ip command will fail.
ip-mac—
Configures SAP anti-spoof filtering to use both the source IP address and the source MAC address in its lookup.

Triple Play Layer 2 Security Commands

split-horizon-group

Syntax 
[no] split-horizon-group [group-name] [residential-group]
Context 
config>service>vpls
Description 

This command creates a new split horizon group for the VPLS instance. Traffic arriving on a SAP or spoke SDP within this split horizon group will not be copied to other SAPs or spoke SDPs in the same split horizon group.

A split horizon group must be created before SAPs and spoke SDPs can be assigned to the group.

The split horizon group is defined within the context of a single VPLS. The same group-name can be re-used in different VPLS instances.

Up to 30 split horizon groups can be defined per VPLS instance.

The no form of the command removes the group name from the configuration.

Default 

A split horizon group is by default not created as a residential-group.

Parameters 
group-name —
Specifies the name of the split horizon group to which the SDP belongs.
residential-group—
Defines a split horizon group as a residential split horizon group (RSHG). Doing so entails that:
  1. SAPs which are members of this Residential Split Horizon Group will have:
    1. Double-pass queuing at ingress as default setting (can be disabled)
    2. STP disabled (can not be enabled)
    3. ARP reply agent enabled per default (can be disabled)
    4. MAC pinning enabled per default (can be disabled)
    5. Besides the multicast downstream also broadcast packets are discarded thus also blocking the unknown, flooded traffic.
  2. Spoke SDPs which are members of this Residential Split Horizon Group will have:
    1. Downstream multicast traffic supported
    2. Double-pass queuing is not applicable
    3. STP is disabled (can be enabled)
    4. ARP reply agent is not applicable (dhcp-lease-states are not supported on spoke SDPs)
    5. MAC pinning enabled per default (can be disabled)

mac-protect

Syntax 
mac-protect
Context 
config>service>vpls
Description 

This command indicates whether or not this MAC is protected on the MAC protect list. When enabled, the agent will protect the MAC from being learned or re-learned on a SAP, spoke SDP or mesh-SDP that has restricted learning enabled. The MAC protect list is used in conjunction with restrict-protected-src, restrict-unprotected-dst and auto-learn-mac-protect.

Default 

disabled

mac

Syntax 
[no] mac ieee-address
Context 
config>service>vpls>mac-protect
Description 

This command specifies the 48-bit IEEE 802.3 MAC address.

Parameters 
ieee-address—
Specifies the 48-bit MAC address in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee, and ff are hexadecimal numbers.

auto-learn-mac-protect

Syntax 
[no] auto-learn-mac-protect
Context 
config>service>vpls>sap
config>service>vpls>spoke-sdp
config>service>vpls >mesh-sdp
config>service>vpls>split-horizon-group
config>service>vpls>endpoint
config>service>pw-template
config>service>pw-template>split-horizon-group
Description 

This command enables the automatic protection of source MAC addresses learned on the associated object. MAC protection is used in conjunction with restrict-protected-src, restrict-unprotected-dst and mac-protect. When this command is applied or removed, the MAC addresses are cleared from the related object.

When the auto-learn-mac-protect is enabled on an SHG the action only applies to the associated SAPs (no action is taken by default for spoke SDPs in the SHG). In order to enable this function for spoke SDPs within a SHG, the auto-learn-mac-protect must be enabled explicitly under the spoke-SDP. If required, auto-learn-mac-protect can also be enabled explicitly under specific SAPs within the SHG.

Default 

no auto-learn-mac-protect

restrict-protected-src

Syntax 
restrict-protected-src [alarm-only | discard-frame]
no restrict-protected-src
Context 
config>service>vpls>sap
config>service>vpls>spoke-sdp
config>service>vpls>mesh-sdp
config>service>vpls>split-horizon-group
config>service>vpls>endpoint
config>service>pw-template>
config>service>pw-template>split-horizon-group
Description 

This command indicates how the agent will handle relearn requests for protected MAC addresses, either manually added using the mac-protect command or automatically added using the auto-learn-mac-protect command. While enabled all packets entering the configured SAP, spoke-SDP, mesh-SDP, or any SAP that is part of the configured split horizon group (SHG) will be verified not to contain a protected source MAC address. If the packet is found to contain such an address, the action taken depends on the parameter specified on the restrict-protected-src command, namely:

  1. No parameter
    The packet will be discarded, an alarm will be generated and the SAP, spoke-SDP or mesh-SDP will be set operationally down. The SAP, spoke-SDP or mesh-SDP must be shutdown and enabled (no shutdown) for this state to be cleared.
  2. alarm-only
    The packet will be forwarded, an alarm will be generated but the source MAC is not learned on the SAP/spoke-SDP/mesh-SDP.
  3. discard-frame
    The packet will be discarded and an alarm generated. The frequency of alarm generation is fixed to be at most one alarm per MAC address per FP2 per 10 minutes in a given VPLS service. This parameter is only applicable to automatically protected MAC addresses.

When the restrict-protected-src is enabled on an SHG the action only applies to the associated SAPs (no action is taken by default for spoke SDPs in the SHG) and is displayed in the SAP show output as the oper state unless it is overridden by the configuration of restrict-protected-src on the SAP itself. In order to enable this function for spoke SDPs within a SHG, the restrict-protected-src must be enabled explicitly under the spoke-SDP. If required, restrict-protected-src can also be enabled explicitly under specific SAPs within the SHG.

When this command is applied or removed, with either the alarm-only or discard-frame parameters, the MAC addresses are cleared from the related object.

The use of restrict-protected-src discard-frame is mutually exclusive with the configuration of manually protected MAC addresses within a given VPLS.

The discard-frame parameter can only be enabled on SAPs on FP2 or later hardware, or on SDPs where all network interfaces are on FP2 or later hardware.

The alarm-only parameter is not supported on the 7750 SR-a, 7750 SR-1e/2e/3e, or 7950 XRS.

Default 

no restrict-protected-src

Parameters 
alarm-only —
Specifies that the packet will be forwarded, an alarm will be generated but the source MAC is not learned on the SAP/spoke-SDP/mesh-SDP.
Values—
no alarm-only
discard-frame—
Specifies that the packet will be discarded and an alarm generated. The frequency of alarm generation is fixed to be at most one alarm per FP2 per MAC address per 10 minutes within a given VPLS service.
Values—
no discard-frame

restrict-unprotected-dst

Syntax 
restrict-unprotected-dst
no restrict-unprotected-dst
Context 
config>service>pw-template>split-horizon-group
config>service>vpls>split-horizon-group
config>service>vpls>sap
Description 

This command indicates how the system will forward packets destined to an unprotected MAC address, either manually added using the mac-protect command or automatically added using the auto-learn-mac-protect command. While enabled all packets entering the configured SAP or SAPs within a split-horizon-group (but not spoke or mesh-SDPs) will be verified to contain a protected destination MAC address. If the packet is found to contain a non-protected destination MAC, it will be discarded. Detecting a non-protected destination MAC on the SAP will not cause the SAP to be placed in the operationally down state. No alarms are generated.

If the destination MAC address is unknown, even if the packet is entering a restricted SAP, with restrict-unprotected-dst enabled, it will be flooded.

Default 

no restrict-unprotected-dst

mac-pinning

Syntax 
[no] mac-pinning
Context 
config>service>vpls>sap
config>service>vpls>spoke-sdp
config>service>vpls>mesh-sdp
Description 

Enabling this command will disable re-learning of MAC addresses on other SAPs within the VPLS. The MAC address will remain attached to a given SAP for duration of its age-timer.

The age of the MAC address entry in the FIB is set by the age timer. If mac-aging is disabled on a given VPLS service, any MAC address learned on a SAP/SDP with mac-pinning enabled will remain in the FIB on this SAP/SDP forever.

Every event that would otherwise result in re-learning will be logged (MAC address; original-SAP; new-SAP).

Note:

MAC addresses learned during DHCP address assignment (DHCP snooping enabled) are not impacted by this command. MAC-pinning for such addresses is implicit.

Default 

When a SAP or spoke SDP is part of a Residential Split Horizon Group (RSHG), MAC pinning is activated at creation of the SAP. Otherwise MAC pinning is not enabled by default.

ARP Handling Commands

arp-reply-agent

Syntax 
arp-reply-agent [sub-ident]
no arp-reply-agent
Context 
config>service>vpls>sap
Description 

This command enables a special ARP response mechanism in the system for ARP requests destined to static or dynamic hosts associated with the SAP. The system responds to each ARP request using the host’s MAC address as the both the source MAC address in the Ethernet header and the target hardware address in the ARP header.

ARP replies and requests received on a SAP with arp-reply-agent enabled will be evaluated by the system against the anti-spoof filter entries associated with the ingress SAP (if the SAP has anti-spoof filtering enabled). ARPs from unknown hosts on the SAP will be discarded when anti-spoof filtering is enabled.

The ARP reply agent only responds if the ARP request enters an interface (SAP, spoke-SDP or mesh-SDP) associated with the VPLS instance of the SAP.

A received ARP request that is not in the ARP reply agent table is flooded to all forwarding interfaces of the VPLS capable of broadcast except the ingress interface while honoring split-horizon constraints.

Static hosts can be defined on the SAP using the host command. Dynamic hosts are enabled on the system by enabling the lease-populate command in the SAP’s dhcp context. In the event that both a static host and a dynamic host share the same IP and MAC address, the VPLS ARP reply agent will retain the host information until both the static and dynamic information are removed. In the event that both a static and dynamic host share the same IP address, but different MAC addresses, the VPLS ARP reply agent is populated with the static host information.

The arp-reply-agent command will fail if an existing static host on the SAP does not have both MAC and IP addresses specified. Once the ARP reply agent is enabled, creating a static host on the SAP without both an IP address and MAC address will fail.

The ARP-reply-agent may only be enabled on SAPs supporting Ethernet encapsulation.

The no form of the command disables ARP-reply-agent functions for static and dynamic hosts on the SAP.

Default 

not enabled

Parameters 
sub-ident
Configures the arp-reply-agent to discard ARP requests received on the SAP that are targeted for a known host on the same SAP with the same subscriber identification.

Hosts are identified by their subscriber information. For DHCP subscriber hosts, the subscriber hosts, the subscriber information is configured using the optional subscriber parameter string.

When arp-reply-agent is enabled with sub-ident:

  1. If the subscriber information for the destination host exactly matches the subscriber information for the originating host and the destination host is known on the same SAP as the source, the ARP request is silently discarded.
  2. If the subscriber information for the destination host or originating host is unknown or undefined, the source and destination hosts are not considered to be the same subscriber. The ARP request is forwarded outside the SAP’s Split Horizon Group.
  3. When sub-ident is not configured, the arp-reply-agent does not attempt to identify the subscriber information for the destination or originating host and will not discard an ARP request based on subscriber information.

arp-populate

Syntax 
[no] arp-populate
Context 
config>service>ies>interface
config>service>ies>subscriber-int
Description 

This command, when enabled, disables dynamic learning of ARP entries. Instead, the ARP table is populated with dynamic entries from the DHCP lease state table (enabled with lease-populate), and optionally with static entries entered with the host command.

Enabling the arp-populate command will remove any dynamic ARP entries learned on this interface from the ARP cache.

The arp-populate command will fail if an existing static ARP entry exists for this interface.

The arp-populate command will fail if an existing static subscriber host on the SAP does not have both MAC and IP addresses specified.

Once arp-populate is enabled, creating a static subscriber host on the SAP without both an IP address and MAC address will fail.

When arp-populate is enabled, the system will not send out ARP requests for hosts that are not in the ARP cache. Only statically configured and DHCP learned hosts are reachable through an IP interface with arp-populate enabled. The arp-populate command can only be enabled on IES and VPRN interfaces supporting Ethernet encapsulation (VPRN is supported by the 7750 SR only).

Use the no form of the command to disable ARP cache population functions for static and dynamic hosts on the interface. All static and dynamic host information for this interface will be removed from the system’s ARP cache.

Default 

not enabled

arp-timeout

Syntax 
arp-timeout seconds
no arp-timeout
Context 
config>service>ies>interface
config>service>ies>sub-if>grp-if
Description 

This command configures the minimum time in seconds an ARP entry learned on the IP interface will be stored in the ARP table. ARP entries are automatically refreshed when an ARP request or gratuitous ARP is seen from an IP host, otherwise, the ARP entry is aged from the ARP table. If arp-timeout is set to a value of zero seconds, ARP aging is disabled.

When the arp-populate and lease-populate commands are enabled on an IES interface, the ARP table entries will no longer be dynamically learned, but instead by snooping DHCP ACK message from a DHCP server. In this case the configured arp-timeout value has no effect.

The default value for arp-timeout is 14400 seconds (4 hours).

The no form of this command restores arp-timeout to the default value.

Default 

14400 seconds

Parameters 
seconds—
The minimum number of seconds a learned ARP entry will be stored in the ARP table, expressed as a decimal integer. A value of zero specifies that the timer is inoperative and learned ARP entries will not be aged.
Values—
0 — 65535

authentication-policy

Syntax 
authentication-policy name
no authentication-policy
Context 
config>service>ies>sub-if>grp-if
Description 

This command assigns a RADIUS authentication policy to the interface.

The no form of this command removes the policy name from the group interface configuration.

Default 

no authentication-policy

Parameters 
name —
Specifies the authentication policy name.

host-connectivity-verify

Syntax 
host-connectivity-verify [interval interval] [action {remove | alarm}] [timeout retry-timeout] [retry-count count] [family family]
Context 
config>service>ies>sub-if>grp-if
config>service>vprn>sub-if>grp-if
Description 

This command enables subscriber host connectivity verification for all hosts on this interface. This tool will periodically scan all known hosts (from dhcp-state) and perform a UC ARP request. The subscriber host connectivity verification will maintain state (connected vs. not-connected) for all hosts. This command applies to the 7750 SR only.

Default 

no host-connectivity-verify

Parameters 
interval interval
The interval, expressed in minutes, which specifies the time interval at which all known sources should be verified. The actual rate is then dependent on number of known hosts and interval.
Values—
1 — 6000
A zero value can be used by the SNMP agent to disable host-connectivity-verify.
timeout retry-timeout
Specifies the timeout, in seconds, before a retransmission in the periodic connectivity verification.
Values—
10 — 60
A zero value can be used by the SNMP agent to disable host-connectivity-verify.
retry count
Specifies the number of retransmissions in a periodic connectivity verification.
Values—
2 — 29
A zero value can be used by the SNMP agent to disable host-connectivity-verify.
action {remove | alarm}
Defines the action taken on a subscriber host connectivity verification failure for a given host. The remove keyword raises an alarm and removes dhcp-state and releases all allocated resources (queues, table entries and etc.). DHCP release will be signaled to corresponding DHCP server. Static hosts will be never removed. The alarm keyword raises an alarm indicating that the host is disconnected.
family family
The family configuration allows the host connectivity checks to be performed for IPv4 endpoint, IPv6 endpoint or both. With family IPv6 configured, host connectivity checks will be performed on the global unicast address (assigned via SLAAC or DHCPv6 IA_NA) and link-local address of a Layer 3 RG or bridged hosts. In case of SLAAC assignment, host connectivity can only be performed if the /128 is known (via downstream ND). DHCPv6 PD assigned prefixes will be removed if link-local address is determined to be unreachable via “host connectivity check”. Reachability checks for GUA and link-local address will be done simultaneously.

local-proxy-arp

Syntax 
[no] local-proxy-arp
Context 
config>service>ies>interface
config>service>ies>sub-if>grp-if
Description 

This command enables local proxy ARP. When local proxy ARP is enabled on an IP interface, the system responds to all ARP requests for IP addresses belonging to the subnet with its own MAC address, and thus will become the forwarding point for all traffic between hosts in that subnet.

When local-proxy-arp is enabled, ICMP redirects on the ports associated with the service are automatically blocked.

Default 

no local-proxy-arp

remote-proxy-arp

Syntax 
[no] remote-proxy-arp
Context 
config>service>ies>interface
Description 

This command enables or disables remote proxy ARP on the interface.

Default 

no remote-proxy-arp

qos-route-lookup

Syntax 
[no] qos-route-lookup
Context 
config>service>ies>sub-if>grp-if
config>service>ies>sub-if>grp-if>ipv6
Description 

This command enables or disables QoS route lookup for the interface.

proxy-arp-policy

Syntax 
proxy-arp-policy policy-name [policy-name...(up to 5 max)]
no proxy-arp-policy
Context 
config>service>ies>interface
config>service>ies>sub-if>grp-if
Description 

This command specifies an existing policy-statement to analyze match and action criteria that controls the flow of routing information to and from a given protocol, set of protocols, or a particular neighbor.

Default 

none

Parameters 
policy-name—
The export route policy name. Allowed values are any string up to 32 characters long composed of printable, 7-bit ASCII characters excluding double quotes. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.

The specified name(s) must already be defined.

static-arp

Syntax 
static-arp ip-address ieee-mac-address
no static-arp ip-address [ieee-mac-address]
Context 
config>service>ies>interface
Description 

This command configures a static address resolution protocol (ARP) entry associating a subscriber IP address with a MAC address for the core router instance. This static ARP appears in the core routing ARP table. A static ARP can only be configured if it exists on the network attached to the IP interface.

If an entry for a particular IP address already exists and a new MAC address is configured for the IP address, the existing MAC address will be replaced with the new MAC address.

The no form of the command removes a static ARP entry.

Default 

None

Parameters 
ip-address—
Specifies the IP address for the static ARP in IP address dotted decimal notation.
ieee-mac-address —
Specifies the 48-bit MAC address for the static ARP in the form aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff where aa, bb, cc, dd, ee and ff are hexadecimal numbers. Allowed values are any non-broadcast, non-multicast MAC and non-IEEE reserved MAC addresses.

Show Commands

Note:

The command outputs in the following section are examples only; actual displays may differ depending on supported functionality and user configuration.

arp

Syntax 
arp
Context 
show>service>id
Description 

This command displays the ARP cache entries for this service.

Output 

Show All Service-ID Output

The following table describes the show command output fields:

Table 49:  Security ARP Field Descriptions  

Label

Description  

IP Address

Specifies the IP address of the ARP cache entry.

MAC Address

Specifies the MAC address associated with the IP address.

Type

Other

Learned through normal ARP queries.

Static

Configured by static-arp commands.

Managed

Learned from DHCP snooping or configured by host commands.

Age

Indicates age of the ARP entry.

Interface

Indicates the name of the IP interface.

Port

Indicates the port that the entry was learned on.

Sample Output
A:ALA-A# show service id 100 base
===============================================================================
ARP Table
===============================================================================
IP Address MAC Address Type Age Interface Port
-------------------------------------------------------------------------------
101.1.0.1 00:00:66:66:66:01 Other 00h00m00s ies-100-101.1.0.1 1/1/4
200.1.1.2 00:00:5e:00:01:64 Other 00h00m00s ies-100-200.1.1.2 1/1/3
200.1.1.201 00:00:22:2e:a5:61 Static 00h00m00s ies-100-200.1.1.2 1/1/3
200.1.1.202 00:00:22:2e:a5:62 Static 00h00m00s ies-100-200.1.1.2 1/1/3
===============================================================================
A:ALA-A#

Tools Commands

authentication-server-check

Syntax 
authentication-server-check server-address ip-address [port port] {{user-name user-name password password} | attr-from-file file-url} secret key [source-address ip-address] [timeout seconds] [router router-instance | service-name service-name] [debug]
Context 
tools>perform>security
Description 

This command is used to perform an authentication check on the RADIUS server.

Parameters 
server-address ip-address—
the IP address of the RADIUS server
port —
the port of the RADIUS server
Values—
1 to 65535
user-name—
the user name, up to 253 characters
password—
the user password, up to 64 characters
file-url—
specifies to attach additional VSAs from a file
Values—

local-url:

[clfash-id] [file-path]

200 characters maximum, including cflash-id directory length maximum 99 characters each

remote-url:

[{ftp://|tftp://}<login>:<pswd>@<remote-locn>/][<file-path>]

255 characters maximum, directory length maximum 99 characters each

remote-locn:

[<hostname> | <ipv4-address> | <ipv6-address>]

ipv4-address:

a.b.c.d

ipv6-address:

x:x:x:x:x:x:x:x[-interface]

x:x:x:x:x:x:d.d.d.d[-interface]

x - [0..FFFF]H

d - [0..255]D

interface - 32 chars max, for link local addresses

cflash-id:

cf1:|cf1-A:|cf1-B:|cf2:|cf2-A:|cf2-B:|cf3:|cf3-A:|cf3-B:

key—
the secret key shared between the RADIUS client and server, up to 20 characters
source address ip-address—
the source address used for the access-request message
Values—

ipv4-address

a.b.c.d

ipv6-address

x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x - [0 to FFFF]H

d - [0 to 255]D

seconds—
the time to wait for the RADIUS server response
Values—
1 to 90
router-instance—
the router instance that should be used by the access request message
Values—

router-name | vprn-svc-id

router-name

"Base"|"management"

Default - Base

vprn-svc-id

1 to 2147483647

service-name—
the service name that should be used by the access request message, up to 64 characters
debug—
specifies to display the full debug message, including all VSAs and full hex sting, of the RADIUS reply message