4.14.  IP Tunnel Command Reference

This command creates a text description which is stored in the configuration file to help identify the content of the entity.

The no form of the command removes the string from the configuration.

This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.

The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

This command provisions or de-provisions an MDA to or from the device configuration for the slot.

This command enables the context to configure Integrated Services Adapter (ISA) parameters.

This command allows a tunnel group to be created or edited. A tunnel group is a set of one or more MS-ISAs that support the origination and termination of IPsec and IP/GRE tunnels. All of the MS-ISAs in a tunnel group must have isa-tunnel as their configured mda-type. On VSR, isa-scale-mode must be specified, which defines the number of tunnels on each ISA.

The no form of the command deletes the specified tunnel group from the configuration

This command specifies the number of active MS-ISA within all configured MS-ISA in the tunnel-group with multi-active enabled. IPsec traffic will be load balanced across all active MS-ISAs. If the number of configured MS-ISA is greater than the active-mda-number then the delta number of MS-ISA will be backup.

This command assigns an ISA IPsec module configured in the specified slot to this IPsec group. The backup module provides the IPsec group with warm redundancy when the primary module in the group is configured. An IPsec group must always have a primary configured.

Primary and backup modules have equal operational status and when both modules are coming up, the one that becomes operational first becomes the active module. An IPsec module can serve as a backup for multiple IPsec groups but the backup can become active for only one ISA IPsec group at a time.

All configuration information is pushed down to the backup MDA from the CPM once the CPM gets notice that the primary module has gone down. This allows multiple IPsec groups to use the same backup module. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is supported.

The operator is notified through SNMP events when:

The no form of the command removes the specified module from the IPsec group.

This command specifies the MDA ID of the MS-ISA as the member of tunnel-group with multi-active enabled. Up to 16 MDA could be configured under the same tunnel-group.

With this command configured, system will only act as IKE responder except for the automatic CHILD_SA re-key upon MC-IPsec switchover.

This command enables configuring multiple active MS-ISA in the tunnel-group. IPsec traffic will be load balanced to configured active MS-ISAs.

Operational notes:

This command assigns an ISA IPsec module configured in the specified slot to this IPsec group. The backup ISA IPsec provides the IPsec group with warm redundancy when the primary ISA IPsec in the group is configured. Primary and backup ISA IPsec have equal operational status and when both MDAs are coming up, the one that becomes operational first becomes the active ISA IPsec.

All configuration information is pushed down to the backup MDA from the CPM once the CPM gets notice that the primary module has gone down. This allows multiple IPsec groups to use the same backup module. Any statistics not yet spooled will be lost. Auto-switching from the backup to primary, once the primary becomes available again, is supported.

The operator is notified through SNMP events when:

The no form of the command removes the specified primary ID from the group’s configuration.

This command configures IP packet reassembly for IPsec and GRE tunnels supported by an MS-ISA. The reassembly command at the tunnel-group level configures IP packet reassembly for all IPsec and GRE tunnels associated with the tunnel-group. The reassembly command at the GRE tunnel level configures IP packet reassembly for that one specific GRE tunnel, overriding the tunnel-group configuration.

The no form of the command disables IP packet reassembly.

This command enables the context to configure ISA statistics collection parameters.

This command enables the system to collect statistics used to derive ISA CPU data plane usage. When enabled, this command impacts the ISA performance.

This command creates a new cert-profile or enters the configuration context of an existing cert-profile.

The no form of the command removes the profile name from the cert-profile configuration.

This command configures the certificate profile entry information

The no form of the command removes the entry-id value from the cert-profile configuration.

This command specifies the file name of an imported certificate for the cert-profile entry.

The no form of the command removes the cert-file-name from the entry configuration.

This command specifies the filename of an imported key for the cert-profile entry.

The no form of the command removes the key filename from the entry configuration.

This command specifies the signature scheme for RSA key.

This command enters the configuration context of send-chain in the cert-profile entry.

The configuration of this command is optional, by default system will only send the certificate specified by cert command in the selected entry to the peer. This command allows system to send additional CA certificates to the peer. These additional CA certificates must be in the certificate chain of the certificate specified by the cert command in the same entry.

This command specifies a CA certificate in the specified ca-profile to be sent to the peer.

Multiple configurations (up to seven) of this command are allowed in the same entry.

This command creates a new IPsec client-db or enters the configuration context of an existing client-db.

An IPsec client-db can be used for IKEv2 dynamic LAN-to-LAN tunnel authentication and authorization. When a new tunnel request is received, the system will match the request to the client entries configured in client-db and use credentials returned by the matched client entry for authentication. If authentication succeeds, the system could also use the IPsec configuration parameters (such as private-service-id) returned by the matched entry to set up the tunnel.

The configured client-db is referenced under the ipsec-gw configuration context using the client-db command.

The no form of the command removes the db-name from the configuration.

This command creates a new IPsec client entry in the client-db or enters the configuration context of an existing client entry.

There may be multiple client entries defined in the same client-db. If there are multiple entries that match the new tunnel request, then the system will select the entry that has smallest client-index.

The no form of the command reverts to the default.

This command enables the context to configure client ID information of this IPsec client.

If there are multiple match input are configured in the match-list of the client-db, then all corresponding match criteria must be configured for the client-entry.

This command specifies a match criteria that uses the peer’s identification initiator (IDi) as the input, only one IDi criteria can be configured for a given client entry. This command supports the following matching methods:

The no form of the command reverts to the default.

This command specifies match criteria that uses the peer’s tunnel IP address as the input. Only one peer-ip-prefix criteria can be configured for a given client entry.

The no form of the command reverts to the default.

This command specifies the name of the client entry. The client name can be used in CLI navigation or in show commands.

This command enables the context to configure the parameters used to authenticate peers.

This command specifies a pre-shared key used to authenticate peers.

The no form of the command reverts to the default.

This command specifies the private interface name that is used for tunnel setup.

The no form of the command reverts to the default.

This command specifies the private service ID that is used for tunnel setup.

The no form of the command reverts to the default.

This command specifies the traffic selector (TS) to be used for tunnel setup.

The no form of the command reverts to the default.

This command specifies the tunnel template to be used for tunnel setup.

The no form of the command reverts to the default.

This command enables the context of the client-db’s match list. The match list defines the match input used during IPsec’s tunnel setup. If there are multiple inputs configured in the match list, then they all must have matches before the system considers a client entry is a match.

This command enables the Identification Initiator (IDi) type in the IPsec client matching process.

The no form of the command disables the IDi matching process.

This command enables the use of the peer’s tunnel IP address as the match input.

The no form of the command disables the peer IP prefix matching process.

This command enables the context to configure Internet Protocol Security (IPsec) parameters. IPsec is a structure of open standards to ensure private, secure communications over Internet Protocol (IP) networks by using cryptographic security services.

This command enables the context to configured an IKE policy.

The no form of the command

This command specifies the trust anchor profile name for the IPsec tunnel or IPsec GW.

This command specifies the trust anchor profile name for the IPsec tunnel or IPsec GW.

This command specifies a CA profile as a trust anchor CA. Up to 8 multiple trust anchors can be specified in a single trust anchor profile.

This command specifies the authentication method used with this IKE policy.

The no form of the command removes the parameter from the configuration.

This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

This command only applies when auth-method is configured as auto-eap-radius.

This command enables following behavior for IKEv2 remote-access tunnel when auth-method is configured as auto-eap-radius:

This command only applies when auth-method is configured as auto-eap-radius.

This command controls the dead peer detection mechanism.

The no form of the command removes the parameters from the configuration.

This command specifies one of either two modes of operation. IKE version 1 can support main mode and aggressive mode. The difference lies in the number of messages used to establish the session.

The no form of the command reverts to the default.

This command specifies the IKE transform to be used in the IKE policy. Up to four IKE transforms can be specified. If multiple IDs are specified, the system selects an IKE transform based on the peer's proposal. If the system is a tunnel initiator, it uses the configured IKE transform to generate the SA payload.

This command sets the IKE version (1 or 2) that the ike-policy will use.

This command specifies the system, when deleting an IKEv1 phase 1 SA for which it was the responder, to send a delete notification to the peer. This command only applies when the configured ike-version 1. This command is ignored with IKE version 2.

The no form of the command reverts to the default.

This command enables IKEv2 protocol level fragmentation (RFC 7383). The specified MTU is the maximum size of IKEv2 packet.

This command limits the number of ongoing IKEv2 initial exchanges per tunnel to 1. When the system receives a new IKEv2 IKE_SA_INIT request when there is an ongoing IKEv2 initial exchange from same peer, then system reduces the timeout value of the existing exchange to the specified reduced-max-exchange-timout. If the reduced-max-exchange-timout is disabled, then the system does not reduce the timeout value.

The no form of this command reverts to the default value.

This command enables the lockout mechanism for the IPsec tunnel. The system will lock out an IPsec client for the configured time interval if the number of failed authentications exceeds the configured value within the specified duration. This command only applies when the system acts as a tunnel responder.

A client is defined as the tunnel IP address plus the port.

Optionally, the max-port-per-ip parameter can be configured as the maximum number of ports allowed behind the same IP address. If this threshold is exceeded, then all ports behind the IP address are blocked.

The no form of this command disables the lockout mechanism.

This command enables checking the IKE peer's ID matches the peer's certificate when performing certificate authentication.

This command specifies whether NAT-T (Network Address Translation Traversal) is enabled, disabled or in forced mode.

The no form of the command reverts the parameters to the default.

This command configures the authentication method used with this IKE policy on its own side.

This command enables perfect forward secrecy on the IPsec tunnel using this policy. PFS provides for a new Diffie-Hellman key exchange each time the SA key is renegotiated. After that SA expires, the key is forgotten and another key is generated (if the SA remains up). This means that an attacker who cracks part of the exchange can only read the part that used the key before the key changed. There is no advantage in cracking the other parts if they attacker has already cracked one.

The no form of the command disables PFS. If this it turned off during an active SA, when the SA expires and it is time to re-key the session, the original Diffie-Hellman primes will be used to generate the new keys.

This command enters relay unsolicited configuration attributes context. With this configuration, the configured attributes returned from source (such as a RADIUS server) will be returned to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.

This command will return IPv4 address from source (such as a RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.

This command will return IPv4 DNS server address from source (such as a RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.

This command will return IPv4 netmask from source (such as a RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.

This command will return IPv6 DNS server address from source (RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.

This command will return IPv6 address from source (such as a RADIUS server) to IKEv2 remote-access tunnel client regardless if the client has requested it in the CFG_REQUEST payload.

This command enables the system to add the Identification Responder (IDr) payload in the last IKE authentication response after an Extensible Authentication Protocol (EAP) Success packet is received. When disabled, the system will not include IDr payload.

The no form of the command disables sending the IDr payload in the last IKE.

This commands creates a new or enters an existing IKE transform instance. The IKE transform include following configuration for IKE SA:

The ike-transform-id is referenced in the ike-policy configuration.

This command specifies the Diffie-Hellman group to be used in this IKE transform instance.

This command specifies the IKE authentication algorithm for the IKE transform

This command specifies the IKE encryption algorithm to be used in the IKE transform instance.

This command specifies the lifetime of the IKE SA.

This command enables user to optionally include IKE-SA or CHILD-SA keys in the output of debug ipsec or admin ipsec display-key.

The no form of the command disallows the user from including keys in the output.

This command enables the context to create an ipsec-transform policy. IPsec transforms policies can be shared. A change to the ipsec-transform is allowed at any time. The change will not impact tunnels that have been established until they are renegotiated. If the change is required immediately the tunnel must be cleared (reset) for force renegotiation.

IPsec transform policy assignments to a tunnel require the tunnel to be shutdown.

The no form of the command removes the ID from the configuration.

This command specifies which hashing algorithm should be used for the authentication function Encapsulating Security Payload (ESP). Both ends of a manually configured tunnel must share the same configuration parameters for the IPsec tunnel to enter the operational state.

The no form of the command disables the authentication.

This command specifies the encryption algorithm to use for the IPsec session. Encryption only applies to esp configurations. If encryption is not defined, esp will not be used.

For IPsec tunnels to come up, both ends need to be configured with the same encryption algorithm.

The no form of the command removes the specified encryption algorithm.

Note: When aes-gcm or aes-gmac is configured: esp-auth-algorithm must be set to auth-encryption the system will not include the authentication algorithm in the ESP proposal of the SA payload ipsec-transform cannot be used for manual keying

This command specifies the lifetime of the Phase 2 IKE key.

The no form of the command reverts to the default.

This command specifies the CHILD_SA. If the inherit parameter is specified, then the system uses the IPsec lifetime configuration in the corresponding IKE policy configured in the same IPsec gateway or IPsec tunnel.

This command specifies the Diffie-Hellman group to be used for Perfect Forward Secrecy (PFS) computation during CHILD_SA rekeying.

The no form of the command reverts to the default.

This command configures an IPsec static SA.

This command configures the authentication algorithm to use for an IPsec manual SA.

This command creates a text description which is stored in the configuration file to help identify the content of the entity.

The no form of the command removes the string from the configuration.

This command configures the direction for an IPsec manual SA.

The no form of the command reverts to the default value.

This command configures the security protocol to use for an IPsec manual SA. The no statement resets to the default value.

This command configures the SPI key value for an IPsec manual SA.

This command specifies the SPI (Security Parameter Index) used to lookup the instruction to verify and decrypt the incoming IPsec packets when the value of the direction command is inbound.

The SPI value specifies the SPI that will be used in the encoding of the outgoing packets when the when the value of the direction command is outbound. The remote node can use this SPI to lookup the instruction to verify and decrypt the packet.

If no spi is selected, then this static SA cannot be used.

The no form of the command reverts to the default value.

The system will automatically establish phase 1 SA as soon as the tunnel is provisioned and enabled (no shutdown). This option should only be configured on one side of the tunnel.

Any associated static routes will remain up as long as the tunnel could be up, even though it may actually be operationally down according to the CLI.

This command creates a new traffic selector (TS).

The no form of the command removes the list name from the configuration.

This command enables the context to configure local TS-list parameters. The TS-list is the traffic selector of the local system, such as TSr, when the system acts as an IKEv2 responder.

This command enables the context to configure remote TS-list parameters. The TS-list is the traffic selector of the local system, such as TSi, when the system acts as an IKEv2 responder.

This command creates a new TS-list entry or enables the context to configure an existing TS-list entry.

The no form of the command removes the entry from the local or remote configuration.

This command specifies the address range in the IKEv2 traffic selector.

This command specifies the protocol and port range in the IKEv2 traffic selector.

The SR OS supports OPAQUE ports and port ranges for the following protocols:

For ICMP and ICMPv6, the port value takes the form icmp-type/icmp-code. For MIPv6, the port value is the mobility header type. For other protocols, only the port any configuration can be used.

This command enables the IKEv2 traffic selector negotiation with the specified ts-list.

This command creates a tunnel template. Up to 2000 templates are allowed.

This command enables clearing of the Do-not-Fragment bit.

This command specifies the max size of encapsulated tunnel packet for the ipsec-tunnel/ip-tunnel or the dynamic tunnels terminated on the ipsec-gw. If the encapsulated v4 or v6 tunnel packet exceeds the encapsulated-ip-mtu, then system fragments the packet against the encapsulated-ip-mtu.

This command enables the ICMPv6 packet generation configuration context.

This command enables system to send ICMPv6 PTB (Packet Too Big) message on private side and optionally specifies the rate.

With this command configured, system will send PTB back if received v6 packet on private side is bigger than 1280 bytes and also exceeds the private MTU of the tunnel.

The ip-mtu command (under ipsec-tunnel or tunnel-template) specifies the private MTU for the ipsec-tunnel or dynamic tunnel.

This command configures the template IP MTU.

This command enables TCP MSS adjust for IPsec or IP tunnels on the private side. When the command is configured, the system updates the TCP MSS option to the value of the received TCP SYN packet on the private side.

The no form of the command disables TCP MSS adjust on the private side.

This command enables TCP MSS adjust for IPsec or IP tunnels on the public side. When the command is configured, the system updates the TCP MSS option value to received.TCP SYN packet encapsulation in the ESP packet.

If auto is specified, the system derives the new MSS value based on the public MTU and IPsec overhead.

The no form of this command disables TCP MSS adjust on the public side.

This command sets the anti-replay window.

The no form of the command removes the parameter from the configuration.

This command specifies whether the node using this template will accept framed-routes sent by the RADIUS server and install them for the lifetime of the tunnel as managed routes.

The no form of the command disables sp-reverse-route.

This command configures IPsec transform.

This command enables the context to configure IPsec policies.

This command specifies a cert-profile for the IPsec tunnel or IPsec gw.

With this command configured, the system will allow a new dynamic LAN-to-LAN tunnel that terminates in the private VPRN service to be created with an overlapping reverse route. If the ID is the same as an existing one, the existing CHILD_SA and route will be removed.

This command configures a security policy to use for an IPsec tunnel.

This command configures an IPsec security policy entry.

This command configures the local (from the VPN) IP prefix/mask for the policy parameter entry.

Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN when traffic flows from the VPN to the tunnel.

This command specifies the local v6 prefix for the security-policy entry.

This command configures the remote (from the tunnel) IP prefix/mask for the policy parameter entry.

Only one entry is necessary to describe a potential flow. The local-ip and remote-ip commands can be defined only once. The system will evaluate the local IP as the source IP when traffic is examined in the direction of VPN to the tunnel and as the destination IP when traffic flows from the tunnel to the VPN. The remote IP will be evaluated as the source IP when traffic flows from the tunnel to the VPN when traffic flows from the VPN to the tunnel.

This command specifies the remote v6 prefix for the security-policy entry.

This command add an IPv6 address to the tunnel interface.

The prefix length must be 96 or higher.

This command specifies the link-local-address for the tunnel interface.

Only one link-local-address is allowed per interface.

This command configures the dynamic ISA tunnel redundant next-hop address.

This command specifies redundant next-hop address on public or private IPsec interface (with public or private tunnel-sap) for static IPsec tunnel. The specified next-hop address will be used by standby node to shunt IPsec traffic to master in case of it receives them.

The next-hop address will be resolved in routing table of corresponding service.

This command creates a logical IP routing interface for a Virtual Private Routed Network (VPRN). Once created, attributes like an IP address and service access point (SAP) can be associated with the IP interface.

The interface command, under the context of services, is used to create and maintain IP routing interfaces within VPRN service IDs. The interface command can be executed in the context of an VPRN service ID. The IP interface created is associated with the service core network routing instance and default routing table. The typical use for IP interfaces created in this manner is for subscriber Internet access.

Interface names are case sensitive and must be unique within the group of defined IP interfaces defined for config router interface and config service vprn interface. Interface names must not be in the dotted decimal notation of an IP address. For example, the name “1.1.1.1” is not allowed, but “int-1.1.1.1” is allowed. Show commands for router interfaces use either interface names or the IP addresses. Use unique IP address values and IP address names to maintain clarity. It could be unclear to the user if the same IP address and IP address name values are used. Although not recommended, duplicate interface names can exist in different router instances.

The available IP address space for local subnets and routes is controlled with the config router service-prefix command. The service-prefix command administers the allowed subnets that can be defined on service IP interfaces. It also controls the prefixes that may be learned or statically defined with the service IP interface as the egress interface. This allows segmenting the IP address space into config router and config service domains.

When a new name is entered, a new logical router interface is created. When an existing interface name is entered, the user enters the router interface context for editing and configuration.

By default, there are no default IP interface names defined within the system. All VPRN IP interfaces must be explicitly defined. Interfaces are created in an enabled state.

The no form of this command removes IP the interface and all the associated configuration. The interface must be administratively shutdown before issuing the no interface command.

For VPRN services, the IP interface must be shutdown before the SAP on that interface may be removed. VPRN services do not have the shutdown command in the SAP CLI context. VPRN service SAPs rely on the interface status to enable and disable them.

This command creates a Service Access Point (SAP) within a service. A SAP is a combination of port and encapsulation parameters which identifies the service access point on the interface and within the router. Each SAP must be unique.

All SAPs must be explicitly created. If no SAPs are created within a service or on an IP interface, a SAP will not exist on that object.

Enter an existing SAP without the create keyword to edit SAP parameters. The SAP is owned by the service in which it was created.

A SAP can only be associated with a single service. A SAP can only be defined on a port that has been configured as an access port using the config interface port-type port-id mode access command. Channelized TDM ports are always access ports.

If a port is shutdown, all SAPs on that port become operationally down. When a service is shutdown, SAPs for the service are not displayed as operationally down although all traffic traversing the service will be discarded. The operational state of a SAP is relative to the operational state of the port on which the SAP is defined.

The no form of this command deletes the SAP with the specified port. When a SAP is deleted, all configuration parameters for the SAP will also be deleted.

This command specifies an IPsec tunnel name. An IPsec client sets up the encrypted tunnel across public network. The 7750 SR IPsec MDA acts as a concentrator gathering, and terminating these IPsec tunnels into an IES or VPRN service. This mechanism allows as service provider to offer a global VPRN service even if node of the VPRN are on an uncontrolled or insecure portion of the network.

This command specifies whether this IPsec tunnel is the BFD designated tunnel.

This command assigns a BFD session to provide a heart-beat mechanism for a given IPsec tunnel. There can be only one BFD session assigned to any given IPsec tunnel, but there can be multiple IPsec tunnels using same BFD session. BFD controls the state of the associated tunnel. If the BFD session goes down, the system will also bring down the associated non-designated IPsec tunnel.

This command enables dynamic keying for the IPsec tunnel.

The no form of the command disables dynamic keying.

This command specifies whether to attempt to establish a phase 1 exchange automatically.

The no form of the command disables the automatic attempts to establish a phase 1 exchange.

This command associates the IPsec transform sets allowed for this tunnel. A maximum of four transforms can be specified. The transforms are listed in decreasing order of preference (the first one specified is the most preferred).

This command configures Security Association (SA) for manual keying. When enabled, the command specifies whether this SA entry is created manually by the user or dynamically by the IPsec sub-system.

This command configures the information required for manual keying SA creation.

This command specifies the size of the anti-replay window. The anti-replay window protocol secures IP against an entity that can inject messages in a message stream from a source to a destination computer on the Internet.

This command configures an IPsec security policy. The policy may then be associated with static IPsec tunnels defined in the same routing instance.

With strict-match parameter enabled, when a CREATE_CHILD exchange request is received for a static IPsec tunnel, and this request is not a re-key request, then ISA matches the received TSi and TSr with the configured security policy. This can be a match only when a received TS (in TSi or TSr) address range matches exactly with the subnet in a security policy entry.

If there is no match, then the setup fails, and TS_UNACCEPTABLE is sent.

If there is a match, but there is an existing CHILD_SA for the matched security policy, then the setup fails, and NO_PROPOSAL_CHOSEN.

If there is a match, and there is not CHILD_SA for the matched entry, then the subnet is sent in the matched security-policy entry as TSi and TSr, and the CHILD_SA is created.

This command is used to configure an IP-GRE or IP-IP tunnel and associate it with a private tunnel SAP within an IES or VPRN service.

The no form of the command deletes the specified IP/GRE or IP-IP tunnel from the configuration. The tunnel must be administratively shutdown before issuing the no ip-tunnel command.

This command sets the source IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. It must be an address in the subnet of the associated public tunnel SAP interface. The GRE tunnel does not come up until a valid source address is configured.

The no form of the command deletes the source address from the GRE tunnel configuration. The tunnel must be administratively shutdown before issuing the no source command.

This command sets the primary destination IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. If this address is reachable in the delivery service (there is a route) then this is the destination IPv4 address of GRE encapsulated packets sent by the delivery service.

The no form of the command deletes the destination address from the GRE tunnel configuration.

This command sets the backup destination IPv4 address of GRE encapsulated packets associated with a particular GRE tunnel. If the primary destination address is not reachable in the delivery service (there is no route) or not defined then this is the destination IPv4 address of GRE encapsulated packets sent by the delivery service.

The no form of the command deletes the backup-destination address from the GRE tunnel configuration.

This command instructs the MS-ISA to reset the DF bit to 0 in all payload IP packets associated with the GRE or IPsec tunnel, before any potential fragmentation resulting from the ip-mtu command. (This will require a modification of the header checksum.) The no clear-df-bit command, corresponding to the default behavior, leaves the DF bit unchanged.

The no form of the command disables the DF bit reset.

This command sets the delivery service for GRE encapsulated packets associated with a particular GRE tunnel. This is the IES or VPRN service where the GRE encapsulated packets are injected and terminated. The delivery service may be the same service that owns the private tunnel SAP associated with the GRE tunnel. The GRE tunnel does not come up until a valid delivery service is configured.

The no form of the command deletes the delivery-service from the GRE tunnel configuration.

This command sets the DSCP code-point in the outer IP header of GRE encapsulated packets associated with a particular GRE tunnel. The default, set using the no form of the command, is to copy the DSCP value from the inner IP header (after remarking by the private tunnel SAP egress qos policy) to the outer IP header.

This command configures a private IPv4 or IPv6 address of the remote tunnel endpoint. A tunnel can have up to 16 dest-ip commands. At least one dest-ip address is required in the configuration of a tunnel. A tunnel does not come up operationally unless all dest-ip addresses are reachable (part of a local subnet).

Unnumbered interfaces are not supported.

This command configures the type of the IP tunnel. If the gre-header command is configured then the tunnel is a GRE tunnel with a GRE header inserted between the outer and inner IP headers. If the no form of the command is configured then the tunnel is a simple IP-IP tunnel.

This command configures the IP maximum transmit unit (packet) for this interface.

Because this connects a Layer 2 to a Layer 3 service, this parameter can be adjusted under the IES interface.

The MTU that is advertised from the IES size is:

MINIMUM((SdpOperPathMtu - EtherHeaderSize), (Configured ip-mtu))

By default (for the Ethernet network interface), if no ip-mtu is configured it is (1568 - 14) equals 1554.

The ip-mtu command instructs the MS-ISA to perform IP packet fragmentation, prior to IPsec encryption and encapsulation, based on the configured MTU value. In particular:

If the length of a payload IP packet (including its header) exceeds the configured MTU value and the DF flag is clear (due to the presence of the clear-df-bit command or because the original DF value was 0) then the MS-ISA fragments the payload packet as efficiently as possible (i.e. it creates the minimum number of fragments each less than or equal to the configured MTU size); in each created fragment the DF bit shall be 0.

If the length of a payload IP packet (including its header) exceeds the configured MTU value and the DF flag is set (because the original DF value was 1 and the tunnel has no clear-df-bit in its configuration) then the MS-ISA discards the payload packet without sending an ICMP type 3/code 4 message back to the packet’s source address.

The no ip-mtu command, corresponding to the default behavior, disables fragmentation of IP packets by the MS-ISA; all IP packets, regardless of size or DF bit setting, are allowed into the tunnel.

The effective MTU for packets entering a tunnel is the minimum of the private tunnel SAP interface IP MTU value (used by the IOM) and the tunnel IP MTU value (configured using the above command and used by the MS-ISA). So if it desired to fragment IP packets larger than X bytes with DF set, rather than discarding them, the tunnel IP MTU should be set to X and the private tunnel SAP interface IP MTU should be set to a value larger than X.

This command configures the reassembly wait time.