The no form of the command removes the description string from the configuration.
The shutdown command administratively disables an entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the
no shutdown command.
The shutdown command administratively disables an entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of the command puts an entity into the administratively enabled state.
When a mirror destination service ID is shutdown, mirrored packets associated with the service ID are not accepted from the mirror source or remote source7750 SR
router. The associated mirror source is put into an operationally down mode. Mirrored packets are not transmitted out of the SAP
or SDP. Each mirrored packet is silently discarded. If the mirror destination is a SAP, the SAP’s discard counters are incremented.
The shutdown command places the mirror destination service or mirror source into an administratively down state. The
mirror-dest service ID must be shut down in order to delete the service ID, SAP
or SDP association from the system.
The default state for a mirror destination service ID is shutdown. A
no shutdown command is required to enable the service.
When a mirror source is shutdown, mirroring is terminated for all sources defined locally for the
mirror-dest service ID.
If the remote-source command has been executed on the
mirror-dest asso
ciated with the shutdown mirror-source, mirroring continues for remote sources.
The default state for a mirror source for a given mirror-dest service ID is
no shutdown. A
shutdown command is required to disable mirroring from that mirror-source.
This command includes the mirrored packet system’s port-id. The system port ID can be used to identify which port the packet was received or sent on. Inclusion of the port-id is only supported for mirror-dest type ppp.
An explicitly named endpoint can have a maximum of one SAP and one ICB. Once a SAP is added to the endpoint, only one more object of type ICB sdp is allowed. The ICB sdp cannot be added to the endpoint if the SAP is not part of a MC-LAG instance. Conversely, a SAP which is not part of a MC-LAG instance cannot be added to an endpoint which already has an ICB sdp.
An explicitly named endpoint which does not have a SAP object can have a maximum of four SDPs which can include any of the following: a single primary SDP, one or many secondary SDPs with precedence, and a single ICB SDP.
The user can only add a SAP configured on a MC-LAG instance to this endpoint. Conversely, the user will not be able to change the mirror service type away from mirror service without first deleting the MC-LAG SAP.
The no form of the command removes the association of a SAP or a sdp with an explicit endpoint name. Removing an objects explicit endpoint association:
This command has an effect only when used in conjunction with a endpoint which contains a SDP of type ‘primary’. It is ignored and has no effect in all other cases. The revert-timer is the delay in seconds the system waits before it switches the path of the mirror service from an active secondary SDP in the endpoint into the endpoint primary SDP after the latter comes back up.
The no form of the command resets the timer to the default value of 0. This means that the mirror-service path will be switched back to the endpoint primary sdp immediately after it comes back up.
This command specifies a forwarding class for all mirrored packets transmitted to the destination SAP or SDP overriding the default (be) forwarding class. All packets are sent with the same class of service to minimize out-of-sequence issues. The mirrored packet does not inherit the forwarding class of the original packet.
When the destination is on an SDP, the fc-name defines the DiffServ-based egress queue that will be used to reach the destination. The fc-name also defines the encoded forwarding class of the encapsulation.
The no form of the command reverts the mirror-dest service ID forwarding class to the default for
warding class.
|
Values
|
be, l2, af, l1, h2, ef, h1, nc
|
The mirror-dest service is comprised of destination parameters that define where the mirrored packets are to be sent. It also specifies whether the defined
service-id will receive mirrored packets from far end 7750 SR over the network core.
The mirror-dest service IDs are persistent between boots of the router and are included in the configuration saves. The local sources of mirrored packets for the service ID are defined within the
debug mirror mirror-source command that references the same
service-id. Up to
255 mirror-dest service IDs can be created within a single system.
The mirror-dest command is used to create or edit a service ID for mirroring purposes. If the
service-id does not exist within the context of all defined services, the
mirror-dest service is created and the context of the CLI is changed to that service ID. If the
service-id exists within the context of defined
mirror-dest services, the CLI context is changed for editing parameters on that service ID. If the
service-id exists within the context of another service type, an error message is returned and CLI context is not changed from the current context.
The no form of the command removes a mirror destination from the system. The
mirror-source or
li-source associations with the
mirror-dest service-id do not need to be removed or shutdown first. The
mirror-dest service-id must be shutdown before the service ID can be removed. When the service ID is removed, all
mirror-source or
li-source commands that have the service ID defined will also be removed from the system.
If an Epipe service-ID 11 exists, then a mirror destination service-ID
11 cannot be created. If a VPLS service-ID
12 exists, then a mirror destination service-ID
12 cannot be created.
If an IES service-ID
13 exists, then a mirror destination service-ID
13 cannot be created.
|
Values
|
service-id: 1 — 2147483647 svc-name: 64 characters maximum
|
|
Values
|
ether, frame-relay, ppp, ip-only, atm-sdu, satop-e1, satop-e3, satop-t1, cesopsn, cesopsn-cas
|
far-end ip-address [vc-id vc-id] [ing-svc-label ing-vc-label | tldp] [icb]
The defined ing-svc-label is entered into the ingress service label table which causes ingress packet with that service label to be handled by this mirror-dest service.
The specified ing-svc-label must not have been used for any other service ID and must match the egress service label being used on the spoke-sdp that is configured on the source router. It must be within the range specified for manually configured service labels defined on this router. It may be reused for other far end addresses on this mirror-dest-service-id.
sap sap-id [create] [no-endpoint]
sap sap-id [create] endpoint name
The SAP is defined with port and encapsulation parameters to uniquely identify the (mirror) SAP on the interface and within the box. The specified SAP may be defined on an Ethernet access port with a dot1q, null, or q-in-q encapsulation type.
Only one SAP can be created within a mirror-dest service ID. If the defined SAP has not been created on any service within the system, the SAP is created and the context of the CLI will change to the newly created SAP. In addition, the port cannot be a member of a multi-link bundle, LAG,
APS group or IMA bundle.
When the no form of this command is used on a SAP created by a mirror destination service ID, the SAP with the specified port and encapsulation parameters is deleted.
sa-mac ieee-address da-mac
ieee-address
The no form of the command removes the QoS policy association from the SAP, and the QoS policy reverts to the default.
When defined, the mirror slice-size creates a threshold that truncates a mirrored frame to a specific size. For example, if the value of 256 bytes is defined, a frame larger than 256 bytes will only have the first 256 bytes transmitted to the mirror destination. The original frame is not affected by the truncation. The mirrored frame size may increase if encapsulation information is added during transmission through the network core or out the mirror destination SAP to the packet/protocol decode equipment.
The actual capability of the router to transmit a sliced or non-sliced frame is also dictated by the mirror destination SDP path-mtu and/or the mirror destination SAP physical MTU. Packets that require a larger MTU than the mirroring destination supports are discarded if the defined
slice-size does not truncate the packet to an acceptable size.
The no form of the command disables mirrored packet truncation.
no slice-size — Mirrored packet truncation is disabled.
spoke-sdp sdp-id:vc-id [create
] [no-endpoint
]
spoke-sdp sdp-id:vc-id [create
] endpoint
name [icb
]
The destination node should be configured with remote-source>spoke-sdp entries when using L2TPv3, MPLS-TP or LDP IPv6 LSP SDPs in the remote mirroring solution. For all other types of SDPs, r
emote-source>far-end entries should be used.
The no form of the command removes the SDP binding from the mirror destination service.
For mirror services, the vc-id defaults to the
service-id. However, there are scenarios where the
vc-id is being used by another service. In this case, the SDP binding cannot be created. So, to avoid this, the mirror service SDP bindings now accepts
vc-ids.
[no
] control-channel-status
request-timer timer1 retry-timer
timer2 timeout-multiplier
multiplier
cookie cookie1-value [cookie2-value]
The pw-path-id is only configurable if all of the following is true:
The no form of the command deletes the PW path ID.
config>service>vpls>spoke-sdp>pw-path-id
|
Values
|
<router-name> | <service-id>
|
ip src ip-address dest ip-address
[no
] mirror-source
service-id
The mirror-source command is used to enable mirroring of packets specified by the association of the
mirror-source to sources of packets defined within the context of the
mirror-dest-service-id. The mirror destination service must already exist within the system.
The hierarchy is structured so the most specific match criteria has precedence over a less specific match. For example, if a mirror-source defines a port and a SAP on that port, then the SAP mirror-source is accepted and the mirror-source for the port is ignored because of the hierarchical order of precedence.
The mirror-source configuration is not saved when a configuration is saved. A
mirror-source manually configured within an ASCII configuration file will not be preserved if that file is overwritten by a
save command. Define the
mirror-source within a file associated with a
config exec command to make a
mirror-source persistent between system reboots.
By default, all mirror-dest service IDs have a
mirror-source associated with them. The
mirror-source is not technically created with this command. Instead the
service ID provides a contextual node for storing the current mirroring sources for the associated
mirror-dest service ID. The
mirror-source is created for the mirror service when the operator enters the
debug>mirror-source svcId for the first time. If the operator enters
li>li-source svcId for the first time, an LI source is created for the mirror service. The
mirror-source is also automatically removed when the
mirror-dest service ID is deleted from the system.
The no form of the command deletes all related source commands within the context of the
mirror-source service-id. The command does not remove the service ID from the system.
|
Values
|
service-id: 1 — 2147483647 svc-name: 64 characters maximum
|
ip-filter ip-filter-id entry
entry-id [entry-id …]
The ip-filter command directs packets which match the defined list of entry IDs to be mirrored to the mirror destination referenced by the
mirror-dest-service-id of the
mirror-source.
The IP filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the IP filter does not exist, an error will occur. If the filter exists but has not been associated with a SAP or IP interface, an error is not generated but mirroring will not be enabled (there are no packets to mirror). Once the IP filter is defined to a SAP or IP interface, mirroring is enabled.
An entry-id within an IP filter can only be mirrored to a single mirror destination. If the same
entry-id is defined multiple times, an error occurs and only the first
mirror-source definition is in effect.
The no ip-filter command, without the
entry keyword, removes mirroring on all
entry-id’s within the
ip-filter-id.
When the no command is executed with the
entry keyword and one or more
entry-id’s, mirroring of that list of
entry-id’s is terminated within the
ip-filter-id. If an
entry-id is listed that does not exist, an error will occur and the command will not execute. If an
entry-id is listed that is not currently being mirrored, no error will occur for that
entry-id and the command will execute normally.
entry entry-id [entry-id …]
If an entry-id does not exist within the IP filter, an error occurs and the command will not execute.
If the filter’s entry-id is renumbered within the IP filter definition, the old
entry-id is removed but the new
entry-id must be manually added to the configuration to include the new (renumbered) entry’s criteria.
mac-filter mac-filter-id entry
entry-id [entry-id …]
The mac-filter command directs packets which match the defined list of entry IDs to be mirrored to the mirror destination referenced by the
mirror-dest-service-id of the
mirror-source.
An entry-id within a MAC filter can only be mirrored to a single mirror destination. If the same
entry-id is defined multiple times, an error occurs and only the first
mirror-source definition is in effect.
The no mac-filter command, without the
entry keyword, removes mirroring on all
entry-id’s within the
mac-filter-id.
When the no command is executed with the
entry keyword and one or more
entry-id’s, mirroring of that list of
entry-id’s is terminated within the
mac-filter-id. If an
entry-id is listed that does not exist, an error will occur and the command will not execute. If an
entry-id is listed that is not currently being mirrored, no error will occur for that
entry-id and the command will execute normally.
entry entry-id [entry-id …]
Each entry-id must exist within the
mac-filter-id. If the
entry-id is renumbered within the MAC filter definition, the old
entry-id is removed from the list and the new
entry-id will need to be manually added to the list if mirroring is still desired.
If no entry-id entries are specified in the command, mirroring will not occur for that MAC filter ID. The command will have no effect.
port {port-id | lag
lag-id} {[egress
] [ingress
]}
no port {port-id | lag
lag-id} [egress
] [ingress
]
The port command associates a port or LAG to a mirror source. The port is identified by the
port-id. The defined port may be Ethernet, Access or network, SONET/SDH, or TDM channel access. A network port may be a single port or a Link Aggregation Group (LAG) ID. When a LAG ID is given as the
port-id, mirroring is enabled on all ports making up the LAG. If the port is a SONET/SDH interface, the
channel-id must be specified to identify which channel is being mirrored. Either a LAG port member
or the LAG port can be mirrored.
The same port may not be associated with multiple mirror source definitions with the ingress parameter defined. The same port may not be associated with multiple mirror source definitions with the
egress parameter defined.
If the port is not associated with a mirror-source, packets on that port will not be mirrored. Mirroring may still be defined for a SAP, label or filter entry, which will mirror based on a more specific criteria.
The no port command disables port mirroring for the specified port. Mirroring of packets on the port may continue due to more specific mirror criteria. If the
egress or
ingress parameter keywords are specified in the
no command, only the ingress or egress mirroring condition will be removed.
Syntax: port-id:
slot/mda/port[.
channel]
bundle-id: bundle-
type-
slot/
mda.
bundle-num
bundle keyword
type ima, fr, ppp
bundle-num 1 — 336
bpgrp-id: bpgrp-
type-bpgrp-num
bpgrp keyword
type ima, ppp
bpgrp-num 1 — 2000
aps-id: aps-
group-id.
channel
aps keyword
group-id 1 — 64
ccag-id: ccag-
id.
path-id cc-type:cc-id
ccag keyword
id 1 — 8
path-id a, b
cc-type .sap-net, .net-sap
cc-id 0 — 4094
ccag-id ccag-
id.
path-id[
cc-type]:
cc-id
ccag keyword
id 1 — 8
path-id a, b
cc-type .sap-net, .net-sap
cc-id 0 — 4094
Note: On the 7950, The XMA ID takes the place of the MDA.
sap sap-id {[egress
] [ingress
]}
no sap sap-id [egress
] [ingress
]
This command enables mirroring of traffic ingressing or egressing a service access port (SAP). A SAP that is defined within a mirror destination cannot be used in a mirror source. The mirror source SAP referenced by the sap-id is owned by the service ID of the service in which it was created. The SAP is only referenced in the mirror source name for mirroring purposes. The mirror source association does not need to be removed before deleting the SAP from its service ID. If the SAP is deleted from its service ID, the mirror association is removed from the mirror source.
More than one SAP can be associated within a single mirror-source. Each SAP has its own
ingress and
egress parameter keywords to define which packets are mirrored to the mirror destination.
The no form of the command disables mirroring for the specified SAP. All mirroring for that SAP on ingress and egress is terminated. Mirroring of packets on the SAP can continue if more specific mirror criteria is configured. If the
egress or
ingress parameter keywords are specified in the
no command, only the ingress or egress mirroring condition is removed.
[no
] ingress-label
label [label …up to 8 max]
The ingress-label command is used to mirror ingressing MPLS frames with specific MPLS labels to a specific mirror destination. The ingress label must be at the top of the label stack and can only be mirrored to a single mirror destination. If the same label is defined with multiple mirror destinations, an error is generated and the original mirror destination remains.
The ingress-label mirror source overrides all other mirror source definitions. The MPLS frame is mirrored to the mirror destination as it is received on the ingress network port. The
router MPLS label space is global for the system. A specific label is mirrored to the mirror destination regardless of the ingress interface.
By default, no ingress MPLS frames are mirrored. The ingress-label command must be executed to start mirroring on a specific MPLS label.
The no ingress-label command removes all label mirroring for the mirror source. To stop mirroring on specific labels, use the
no ingress-label label form of the command. Multiple labels may be given in a single
no ingress-label command.
entry li-entry-id [create]
match [frame-type
{802dot3|802dot2-llc|802dot2-snap|ethernet_II
}]
The no form of the command removes the match criteria for the entry.
match [protocols
protocols-id]
The no form removes the match criteria for the entry
The protocol keyword configures an IP protocol to be used as an IP filter match criterion. The protocol type such as TCP or UDP is identified by its respective protocol number.
|
Values
|
0 — 255 (values can be expressed in decimal, hexidecimal, or binary - DHB)
keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-frag, ipv6-icmp, ipv6-no-nxt, ipv6-opts, ipv6-route, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp
* — udp/tcp wildcard
|
match [next-header
next-header]
The no form removes the match criteria for the entry
|
Values
|
[0 — 42 | 45 — 49 | 52 — 59 | 61— 255] — protocol numbers accepted in decimal, hexidecimal, or binary - DHB
keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp
* — udp/tcp wildcard
|
The no form of the command removes the destination mac address as the match criterion.
src-mac ieee-address [ieee-address-mask]
The no form of the command removes the source mac as the match criteria.
dst-ip {ip-address/mask | ip-address ipv4-address-mask}
The no form of this command removes any configured destination IP address. The match criterion is ignored.
dst-ip {ipv6-address/prefix-length | ipv6-address ipv6-address-mask}
The no form of this command removes any configured destination IPv6 address. The match criterion is ignored.
The no form of the command removes the destination port match criterion.
lt Specifies all port numbers less than
dst-port-number match.
gt Specifies all port numbers greater than
dst-port-number match.
eq Specifies that
dst-port-number must be an exact match.
src-ip {ip-address/mask | ip-address ipv4-address-mask}
The no form of this command removes any configured source IP. The match criterion is ignored.
src-ip {ipv6-address/prefix-length | ipv6-address ipv6-address-mask}
The no form of this command removes any configured source IPv6 address. The match criterion is ignored.
This command configures a source TCP or UDP port number or port range for an IP LI filter match criterion. Note that an entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
The no form of the command removes the source port match criterion.
lt Specifies all port numbers less than src-port-number match.
gt Specifies all port numbers greater than src-port-number match.
eq Specifies that src-port-number must be an exact match.
This command enters the li-filter-associations branch in order to define which LI filter entries get inserted into which normal filters.
Specifies the MAC filter(s) into which the entries from the specified li-mac-filter are to be inserted. The
li-mac-filter and
mac-filter must already exist before the association is made. If the normal MAC filter is deleted then the association is also removed (and not re-created if the MAC filter comes into existence in the future).
The no form of the command reverts to the default.
[no
] li-source
service-id
|
Values
|
service-id: 1 — 2147483647 svc-name: 64 characters maximum
|
ip-filter ip-filter-id [entry
entry-id...] [intercept-id
intercept-id...] [session-id
session-id...]
The ip-filter command directs packets which match the defined list of entry IDs to be intercepted to the destination referenced by the
mirror-dest-service-id of the
mirror-source.
The IP filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the IP filter does not exist, an error will occur. If the filter exists but has not been associated with a SAP or IP interface, an error is not generated but mirroring will not be enabled (there are no packets to mirror). Once the IP filter is defined to a SAP, IP interface or subscriber, mirroring is enabled.
An entry-id within an IP filter can only be intercepted to a single destination. If the same
entry-id is defined multiple times, an error occurs and only the first definition is in effect.
When the no command is executed with the
entry keyword and one or more
entry-id’s, interception of that list of
entry-id’s is terminated within the
ip-filter-id. If an
entry-id is listed that does not exist, an error will occur and the command will not execute. If an
entry-id is listed that is not currently being intercepted, no error will occur for that
entry-id and the command will execute normally.
If an entry-id does not exist within the IP filter, an error occurs and the command will not execute.
If the filter’s entry-id is renumbered within the IP filter definition, the old
entry-id is removed but the new
entry-id must be manually added to the configuration to include the new (renumbered) entry’s criteria.
This command configures the intercept-id that is inserted into the packet header for all mirrored packets of the associated li-source entry. This intercept-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, an
intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
intercept-id configured for an
li-source entry, then the default value will be inserted. When the mirror service is configured with
ip-gre routable encap, no
intercept-id is inserted and none should be specified against the
li-source entries.
This command configures the session-id that is inserted into the packet header for all mirrored packets of the associated
li-source entry. This
session-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. The
session-id is only valid and used for mirror services that are configured with
ip-udp-shim routable encap (
config>mirror>mirror-dest>encap#ip-udp-shim). For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, a
session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
session-id configured for an
li-source entry, then the default value will be inserted. When a mirror service is configured with
ip-gre routable encap, no
session-id is inserted and none should be specified against the
li-source entries.
ipv6-filter ipv6-filter-id [entry
entry-id...] [intercept-id
intercept-id...] [session-id
session-id...]
The ipv6-filter command directs packets which match the defined list of entry IDs to be intercepted to the destination referenced by the
mirror-dest-service-id of the
mirror-source.
The IPv6 filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the IPv6 filter does not exist, an error will occur. If the filter exists but has not been associated with a SAP or IPv6 interface, an error is not generated but mirroring will not be enabled (there are no packets to mirror). Once the IPv6 filter is defined to a SAP, IPv6 interface or subscriber, mirroring is enabled.
An entry-id within an IPv6 filter can only be intercepted to a single destination. If the same
entry-id is defined multiple times, an error occurs and only the first definition is in effect.
When the no command is executed with the
entry keyword and one or more
entry-id’s, interception of that list of
entry-id’s is terminated within the
ipv6-filter-id. If an
entry-id is listed that does not exist, an error will occur and the command will not execute. If an
entry-id is listed that is not currently being intercepted, no error will occur for that
entry-id and the command will execute normally.
If an entry-id does not exist within the IPv6 filter, an error occurs and the command will not execute.
If the filter’s entry-id is renumbered within the IPv6 filter definition, the old
entry-id is removed but the new
entry-id must be manually added to the configuration to include the new (renumbered) entry’s criteria.
This command configures the intercept-id that is inserted into the packet header for all mirrored packets of the associated li-source entry. This intercept-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, an
intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
intercept-id configured for an
li-source entry, then the default value will be inserted. When the mirror service is configured with
ip-gre routable encap, no
intercept-id is inserted and none should be specified against the
li-source entries.
This command configures the session-id that is inserted into the packet header for all mirrored packets of the associated
li-source entry. This
session-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. The
session-id is only valid and used for mirror services that are configured with
ip-udp-shim routable encap (
config>mirror>mirror-dest>encap#ip-udp-shim). For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, a
session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
session-id configured for an
li-source entry, then the default value will be inserted.. When a mirror service is configured with
ip-gre routable encap, no
session-id is inserted and none should be specified against the
li-source entries.
li-ip-filter filter-name entry
li-entry-id [
li-entry-id...(upto 8 max)] [intercept-id
intercept-id [
intercept-id...(upto 8 max)]] [session-id
session-id [
session-id...(upto 8 max)]]
no li-ip-filter filter-name [entry
li-entry-id [
li-entry-id...(upto 8 max)]]
This command configures the intercept-id that is inserted into the packet header for all mirrored packets of the associated li-source entry. This intercept-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, an
intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
intercept-id configured for an
li-source entry, then the default value will be inserted. When the mirror service is configured with
ip-gre routable encap, no
intercept-id is inserted and none should be specified against the
li-source entries.
li-ipv6-filter filter-name entry
li-entry-id [
li-entry-id...(upto 8 max)] [intercept-id
intercept-id [
intercept-id...(upto 8 max)]] [session-id
session-id [
session-id...(upto 8 max)]]
li-mac-filter filter-name entry
li-entry-id [li-entry-id...(upto 8 max)] [intercept-id
intercept-id [intercept-id...(upto 8 max)]] [session-id
session-id [session-id...(upto 8 max)]]
This command configures the intercept-id that is inserted into the packet header for all mirrored packets of the associated li-source entry. This intercept-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, an
intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
intercept-id configured for an
li-source entry, then the default value will be inserted. When the mirror service is configured with
ip-gre routable encap, no
intercept-id is inserted and none should be specified against the
li-source entries.
This command configures the session-id that is inserted into the packet header for all mirrored packets of the associated
li-source entry. This
session-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. The
session-id is only valid and used for mirror services that are configured with
ip-udp-shim routable encap (
config>mirror>mirror-dest>encap#ip-udp-shim). For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, a
session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
session-id configured for an
li-source entry, then the default value will be inserted. When a mirror service is configured with
ip-gre routable encap, no
session-id is inserted and none should be specified against the
li-source entries.
mac-filter mac-filter-id entry
[entry-id...] [intercept-id
intercept-id...] [session-id
session-id...]
This command enables lawful interception (LI) of packets that match specific entries in an existing MAC filter. Multiple entries can be created using unique entry-id numbers within the filter. The router implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete. Entries without the
action keyword will be considered incomplete and hence will be rendered inactive.
An entry-id within an MAC filter can only be intercepted to a single destination. If the same
entry-id is defined multiple times, an error occurs and only the first definition is in effect.
The no form of the command removes the specified entry from the IP or MAC filter. Entries removed from the IP or MAC filter are immediately removed from all services or network ports where that filter is applied.
This command configures the intercept-id that is inserted into the packet header for all mirrored packets of the associated li-source entry. This intercept-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, an
intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
intercept-id configured for an
li-source entry, then the default value will be inserted. When the mirror service is configured with
ip-gre routable encap, no
intercept-id is inserted and none should be specified against the
li-source entries.
This command configures the session-id that is inserted into the packet header for all mirrored packets of the associated
li-source entry. This
session-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. The
session-id is only valid and used for mirror services that are configured with
ip-udp-shim routable encap (
config>mirror>mirror-dest>encap#ip-udp-shim). For all types of
li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, a
session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
session-id configured for an
li-source entry, then the default value will be inserted. When a mirror service is configured with
ip-gre routable encap, no
session-id is inserted and none should be specified against the
li-source entries.
[no
] classic-lsn-sub router
router-instance ip
ip-address
The no form of the command removes the parameter from the configuration.
For nat mirroring (a nat li-source entry type), when the mirror service is not configured with any routable encap (for example, no ip-udp-shim or ip-gre configured under config>mirror>mirror-dest>encap), the presence of a configured intercept-id against an li-source (nat) entry will cause the insertion of the intercept-id after a configurable mac-da, mac-sa and etype (configured under li-source>nat>ethernet-header), at the front of each packet mirrored for that particular li-source entry. If there is no intercept-id configured (for a nat entry using a mirror service without routable encap), then a configurable mac-da and mac-sa are added to the front of the packets (but no intercept-id). In both cases a non-configurable etype is also added immediately before the mirrored customer packet. Note that routable encapsulation configured in the mirror-dest takes precedence over the ethernet-header configuration in the li-source nat entries. If routable encapsulation is configured, then the ethernet-header config is ignored and no mac header is added to the packet (the encap is determined by the mirror-dest in this case).
The no form of the command removes the value from the configuration.
For all types of li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with ip-udp-shim routable encap, a session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no session-id configured for an li-source entry, then the default value will be inserted. When a mirror service is configured with ip-gre routable encap, no session-id is inserted and none should be specified against the li-source entries.
The no form of the command removes the session-id from the configuration which results in the default value being used.
[no
] dslite-lsn-sub router
router-instance b4
ipv6-prefix
The no form of the command removes the value from the configuration.
The no form of the command removes the values from the configuration.
[no
] l2-aware-sub
sub-ident-string
The no form of the command removes the values from the configuration.
sap sap-id {[ingress
] [egress
]} [intercept-id
intercept-id...] [session-id
session-id...]
The intercept-id parameter configures the intercept IDs that is inserted into the packet header for all mirrored packets of the associated li-source entry.
The session-id parameter inserts the specified IDs into the packet header for all mirrored packets of the associated li-source entry.
When the no form of this command is used on a SAP, the SAP with the specified port and encapsulation parameters is deleted.
For all types of li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, an
intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
intercept-id configured for an
li-source entry, then the default value will be inserted. When the mirror service is configured with
ip-gre routable encap, no
intercept-id is inserted and none should be specified against the
li-source entries.
This command configures the session-id that is inserted into the packet header for all mirrored packets of the associated
li-source entry. This
session-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs.
The session-id is only valid and used for mirror services that are configured with
ip-udp-shim routable encap (
config>mirror>mirror-dest>encap#ip-udp-shim).
For all types of li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, a
session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
session-id configured for an
li-source entry, then the default value will be inserted. When a mirror service is configured with
ip-gre routable encap, no
session-id is inserted and none should be specified against the
li-source entries.
subscriber sub-ident-string [sap
sap-id [ip
ip-address] [mac
ieee-address]|sla-profile
sla-profile-name] [fc
{[be
] [l2
] [af
] [l1
] [h2
] [ef
] [h1
] [nc
]}] {[ingress
] [egress
]} [intercept-id
intercept-id...] [session-id
session-id...]
|
Values
|
be, l2, af, l1, h2, ef, h1, nc
|
For all types of li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, an
intercept-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
intercept-id configured for an
li-source entry, then the default value will be inserted. When the mirror service is configured with
ip-gre routable encap, no
intercept-id is inserted and none should be specified against the
li-source entries.
This command configures the session-id that is inserted into the packet header for all mirrored packets of the associated
li-source entry. This
session-id can be used (for example by a downstream LI Gateway) to identify the particular LI session to which the packet belongs. The
session-id is only valid and used for mirror services that are configured with
ip-udp-shim routable encap (
config>mirror>mirror-dest>encap#ip-udp-shim).
For all types of li-source entries (filter, nat, sap, subscriber), when the mirror service is configured with
ip-udp-shim routable encap, a
session-id field (as part of the routable encap) is always present in the mirrored packets. If there is no
session-id configured for an
li-source entry, then the default value will be inserted. When a mirror service is configured with
ip-gre routable encap, no
session-id is inserted and none should be specified against the
li-source entries.
[no
] dsm-subscriber mac
xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx
This command configures an LI event log destination. The log-id is used to direct events, alarms/traps, and debug information to respective destinations.
The filter command is optional. If no event filter is configured, all events, alarms and traps generated by the source stream will be forwarded to the destination.
The no form of the command removes the specified event filter from the
log-id.
no filter — No event filter policy is specified for a
log-id.
Specifies the li event stream that contains all events configured for Lawful Intercept activities.
If the requestor does not have access to the
li context, the event stream will fail.
The source of the data stream must be specified in the from command prior to configuring the destination with the
to command.
The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created.
df-peer df-peer-id df2-addr
ip-address df2-port
port df3-addr
ip-address df3-port
port
The no form of the command removes the Delivery Function Peer information from the configuration.
The no form of the command reverts to the default.
target target-type id
string intercept
intercept peer
df-peer-id [liid
li-identifier]
The no form of the command de-activates a target that is being intercepted.
When the no li-separate command is set (the default mode), those who are allowed access to the
config>system>security>profile context and user command nodes are allowed to modify the configuration of the LI parameters. In this mode, a user that has a profile allowing access to the
config>li and/or
show>li command contexts can enter and use the commands under those nodes.
When the li-separate command is configured, only users that have the LI access capabilities set in the
config>system>security>user>access li context are allowed to access the
config>li and/or
show>li command contexts. A user who does not have LI access is not allowed to enter the
config>li and
show>li contexts even though they have a profile that allows access to these nodes. When in the
li-separate mode, only users with
config>system>security>user>access li set in their user account have the ability modify the setting LI parameters in either their own or others profiles and user configurations.
[no
] access
[ftp
] [snmp
] [console
] [li]
The no form of command removes access for a specific application.
no access denies permission for all management access methods. To deny a single access method, enter the
no form of the command followed by the method to be denied, for example,
no access FTP denies FTP access.
[no
] profile
user-profile-name
Once the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles but a maximum of 8 profiles can be assigned to a user. The
user-profile-name can consist of up to 32 alphanumeric characters.
The no form of the command deletes a user profile.
