Routing Protocols
The Routing Protocols chapter contains the following sections:
Routing Information Protocol (RIP) is a routing protocol typically used as an Interior Gateway Protocol (IGP). RIP uses hop counts only to determine the shortest path to a destination. To avoid loops, RIP limits its paths to a maximum of 15 hops, making it an ineffective protocol for large networks. RIP Version 2 supports Classless Inter-Domain Routing (CIDR) and uses IP multicast at address 224.0.0.9 to share the routing table with adjacent routers.
RIP sends updates whenever there is a change in the network topology and periodic updates when there are no changes. Receiving switches update their routing table whenever the update includes topology changes. Because RIP transmits the entire routing table every 30 seconds, RIP updates can generate heavy traffic loads in large or complicated networks.
Each switch also sends a list of distance-vectors to each of its neighbors periodically. The distance-vector is the metric RIP uses to express the cost of a route, and it describes the number of hops required to reach a destination. Each hop is typically assigned a hop count value of 1, and the router adds 1 to the metric when it receives a routing update and adds the network to its routing table.
To remove dead routes from its routing table, RIP marks a route for deletion if the router does not receive an advertisement for it within the expiration interval, then removes it from the routing table after the deletion interval.
The router rip command places the switch in router-RIP configuration mode to configure Routing Information Protocol (RIP) routing.
Example
switch(config)#router rip
switch(config-router-rip)#
Using the router rip command puts the switch in router-RIP configuration mode, but does not enable RIP on the switch.
Routing Information Protocol (RIP) is disabled on the switch by default. The no shutdown (RIP) command in router-RIP configuration mode will enable RIP.
Example
switch(config-router-rip)#no shutdown
switch(config-router-rip)#
Issuing this command enables RIP, but to send and receive RIP route updates and to route packets via RIP you must also specify interfaces on which RIP will run by using the network (RIP) command.
You can disable RIP in two ways. The shutdown (RIP) command disables RIP on the switch but maintains all user-entered router-RIP configuration statements in the running-config. The no router rip command disables RIP and removes all user-entered router-RIP configuration statements from the running-config.
switch(config)#no router rip
switch(config)#
switch(config-router-rip)#shutdown
switch(config-router-rip)#
Issuing the no shutdown (RIP) command in router-RIP configuration mode enables RIP, but to run RIP on an interface you must specify a RIP network by using the network (RIP) command.
You can also configure the redistribution of routes learned from other protocols, set the default metric and administrative distance for redistributed routes, configure the timing of various RIP events, and configure specific interfaces to send RIP update packets by broadcast instead of multicast.
The network (RIP) command identifies networks on which RIP will run and also specifies which routes RIP will accept into its routing table. You can issue the network (RIP) command multiple times to build up a list of RIP networks. No RIP networks are configured by default, so in order to route packets and send and receive RIP updates you must specify one or more RIP networks.
To disable RIP on a specific network, use the no network (RIP) command.
switch(config-router-rip)#network 10.168.1.1/24
switch(config-router-rip)#
switch(config-router-rip)#no network 10.168.1.1/24
switch(config-router-rip)#
To enable route import from a specified protocol into RIP, use the redistribute (RIP) command. Additionally, you can apply a route map to the incoming routes to filter which routes are added to the RIP routing table. All connected routes are redistributed into RIP by default.
Example
switch(config-router-rip)#redistribute OSPF
switch(config-router-rip)#
When RIP is running on the switch, it sends unsolicited route updates and deletes expired routes at regular intervals. To configure the timing of those events, use the timers (RIP) command. The command takes three parameters: the update interval, the route expiration time, and the route deletion time.
The update interval is the amount of time in seconds that the switch waits between sending unsolicited RIP route updates to its neighbors. The route expiration time is how long the switch waits before marking an unadvertised route for deletion (the counter resets whenever an advertisement for the route is received). The route deletion time is how long the switch waits between marking a route for deletion and removing it from the routing table. During the deletion interval, the switch continues to forward packets on the route.
Example
switch(config-router-rip)#timers 60 90 150
switch(config-router-rip)#
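The aging behaviour that the three timers control can be modelled in a few lines. The following is an added example, not code from the original page or from the switch software: it models one neighbor advertising one route, and the prefix, the lost-update scenarios and the 30/180/120 values (the RFC 2453 timers, used for comparison only; the page does not list the switch defaults) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

INFINITY = 16  # a metric of 16 means unreachable; usable paths are 1-15 hops


@dataclass
class Route:
    metric: int
    last_heard: int                  # time of the latest advertisement (s)
    marked_at: Optional[int] = None  # when the route was marked for deletion


class RipTable:
    """One neighbor, one table: just enough to show the timer behaviour."""

    def __init__(self, expire, delete):
        self.expire = expire
        self.delete = delete
        self.routes = {}

    def advertise(self, prefix, advertised_metric, now):
        """Process one received route; returns True if it was installed."""
        metric = min(advertised_metric + 1, INFINITY)  # receiver adds one hop
        if metric >= INFINITY:
            return False  # beyond 15 hops: not usable, not installed
        # An advertisement resets the expiration counter and clears the mark.
        self.routes[prefix] = Route(metric, now)
        return True

    def tick(self, now):
        """Apply the expiration and deletion timers at time `now`."""
        for prefix, route in list(self.routes.items()):
            if route.marked_at is None and now - route.last_heard >= self.expire:
                route.marked_at = route.last_heard + self.expire
            if route.marked_at is not None and now - route.marked_at >= self.delete:
                del self.routes[prefix]

    def state(self, prefix):
        route = self.routes.get(prefix)
        if route is None:
            return "removed"
        # A marked route is still used for forwarding until it is removed.
        return "active" if route.marked_at is None else "marked"


def simulate(update, expire, delete, lost, end):
    """Return [(time, state)] transitions for one route.

    The neighbor sends an update every `update` seconds starting at t=0;
    `lost` holds the indexes of updates that never arrive (constructed).
    """
    prefix = "10.168.13.0/24"  # sample prefix, constructed for the example
    table = RipTable(expire, delete)
    transitions, previous = [], None
    for now in range(end + 1):
        if now % update == 0 and now // update not in lost:
            table.advertise(prefix, 1, now)
        table.tick(now)
        state = table.state(prefix)
        if state != previous:
            transitions.append((now, state))
            previous = state
    return transitions


if __name__ == "__main__":
    # timers 60 90 150 with one lost update: the route is marked at t=90
    # because the expiration time is shorter than two update intervals.
    print(simulate(60, 90, 150, {1}, 200))
    # Same timers, neighbor goes silent after t=0: marked at 90, removed at 240.
    print(simulate(60, 90, 150, set(range(1, 100)), 300))
    # RFC 2453 values 30/180/120: five consecutive lost updates are tolerated.
    print(simulate(30, 180, 120, {1, 2, 3, 4, 5}, 200))
```

With an expiration time below twice the update interval, a single dropped update is enough to mark a route for deletion, which is worth checking before shortening the timers on a lossy segment.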
By default, the switch uses RIP version 2 and multicasts RIP update packets from all participating interfaces. To reconfigure a specific interface to send updates as broadcast packets, use the rip v2 multicast disable command in the configuration mode for the interface.
Example
switch(config)#interface ethernet5
switch(config-if-Et5)#rip v2 multicast disable
switch(config-if-Et5)#exit
switch(config)#
To see a listing of the RIP routes in the switch’s routing table, use the show ip rip database command. (You can also display similar information using the RIP option in the show ip route command.)
switch>show ip rip database
10.168.11.0/24 directly connected, Et4
10.168.13.0/24
[1] via 10.168.14.2, 00:00:25, Et4
[2] via 10.168.15.2, 00:00:20, Et1
10.168.13.0/24
[1] via 10.168.14.2, 00:00:25, Et3
switch>show ip rip database 10.168.13.0/16
10.168.13.0/24
[1] via 10.168.14.2, 00:00:25, Et4
[2] via 10.168.15.2, 00:00:20, Et1
This command submits a query for RIP route information for a network.
To see information about the switch’s RIP route gateways, use the show ip rip neighbors command. The output displays the IPv4 address, the last heard time of the gateway, and characteristic flags applying to the gateway.
Example
switch>show ip rip neighbors
Gateway Last-Heard Bad-Packets Bad-Routes Flags
10.2.12.33 00:00:15 SRC, TRSTED,
ACCPTED, RJCTED,
Q_RJCTED, AUTHFAIL
VRF support for Routing Information Protocol (RIP) allows instances of RIP on multiple non-default VRFs on the same router. By default, all interfaces belong to the default VRF until VRF forwarding is executed.
The vrf instance and vrf (Interface mode) commands configure a non-default VRF, enable routing in it, and configure the network command under the configuration router RIP for the prefix to which the interface belongs.
The router rip vrf command places the switch in router-RIP configuration mode to configure a RIP routing instance in a non-default VRF.
switch(config)# vrf instance test
switch(config-vrf-test)# exit
switch(config)# ip routing vrf test
switch(config)#
switch(config)# router rip vrf test
switch(config-router-rip-router-rip-vrf-test)# no shutdown
switch(config-router-rip)# exit
switch(config)#
switch(config)# interface Ethernet 3/1
switch(config-if-Et3/1)# no switchport
switch(config-if-Et3/1)# ip address 1.0.0.1/24
switch(config-if-Et3/1)# vrf test
switch(config-if-Et3/1)# network 1.0.0.1
switch(config-if-Et3/1)# exit
switch(config)#
The distance command assigns an administrative distance to routes that the switch learns through RIP. Routers use administrative distances to select a route when two protocols provide routing information to the same destination. Distance values range from 1 to 255; lower distance values correspond to higher reliability. The default RIP distance value is 120.
The no distance and default distance commands restore the administrative distance default value of 120 by removing the distance command from running-config.
Command Mode
Router-RIP Configuration
Command Syntax
distance distance_value
no distance
default distance
Parameter
distance_value distance assigned to RIP routes. Values range from 1 to 255.
Example
These commands assign an administrative distance of 75 to RIP routes.
switch(config)# router rip
switch(config-router-rip)# distance 75
switch(config-router-rip)#
The distribute-list command allows users to filter out routes that are received or sent out. The distribute-list command influences which routes the router installs into its routing table and advertises to its neighbors.
Permit or deny can be specified in both prefix/access list and route-map configurations. The following rules apply when filtering routes:
The no distribute-list and default distribute-list commands remove the corresponding distribute-list command from running-config.
Command Mode
Router-RIP Configuration
Command Syntax
distribute-list DIRECTION MAP [INTF]
no distribute-list DIRECTION MAP [INTF]
default distribute-list DIRECTION MAP [INTF]
INTF interface to be configured. Options include:
switch(config)# ip prefix-list 8to24 seq 5 permit 0.0.0.0/0 ge 8 le 24
switch(config)# route-map myRouteMap permit 10
switch(config-route-map-myRouteMap)# match ip address prefix-list 8to24
switch(config-route-map-myRouteMap)# exit
switch(config)#
switch(config)# router rip
switch(config-router-rip)# distribute-list in route-map myRouteMap
switch(config-router-rip)#
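To check which received routes an entry such as 8to24 selects before applying it with distribute-list in, the ge/le matching can be evaluated offline. This is an added example, not code from the original page or from EOS; the edge-in list and the test routes are constructed, and because this page does not state what the switch does with a route that matches no entry, that case is reported as None rather than assumed.

```python
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# Entries taken from the examples on this page.
PAGE_8TO24 = ["ip prefix-list 8to24 seq 5 permit 0.0.0.0/0 ge 8 le 24"]
PAGE_LIST_2 = ["ip prefix-list 2 seq 10 deny 30.1.1.0/24"]
# Constructed list: entered out of order to show that sequence numbers decide.
CONSTRUCTED_EDGE_IN = [
    "ip prefix-list edge-in seq 10 permit 0.0.0.0/0 ge 8 le 24",
    "ip prefix-list edge-in seq 5 deny 10.66.0.0/16 le 32",
]


def parse_prefix_list(lines):
    """Parse the entries of one prefix list into (seq, action, net, lo, hi)."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a prefix-list entry: {line!r}")
        net = ipaddress.ip_network(m["prefix"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is None and le is None:
            lo = hi = net.prefixlen          # exact prefix length only
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else net.max_prefixlen
        entries.append((int(m["seq"]), m["action"], net, lo, hi))
    return sorted(entries, key=lambda entry: entry[0])


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry, or (None, None)."""
    candidate = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        # The route must lie inside the entry's prefix and its mask length
        # must fall within the entry's [lo, hi] window.
        if lo <= candidate.prefixlen <= hi and candidate.subnet_of(net):
            return action, seq
    return None, None


def classify(entries, routes):
    """Map each route to 'permit', 'deny' or None (no entry matched)."""
    return {route: evaluate(entries, route)[0] for route in routes}


if __name__ == "__main__":
    received = [  # constructed routes, as a neighbor might advertise them
        "10.0.0.0/8", "10.168.13.0/24", "10.168.13.128/25",
        "10.168.13.7/32", "0.0.0.0/0", "8.0.0.0/7",
    ]
    for route, action in classify(parse_prefix_list(PAGE_8TO24), received).items():
        print(f"{route:20} {action}")
```

Run against the 8to24 entry, the /8 and /24 routes are permitted, while the default route, the /7 and everything longer than /24 match no entry.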
These commands suppress routes advertised on a particular interface.
switch(config)# ip prefix-list 2 seq 10 deny 30.1.1.0/24
switch(config)# route-map myRmOut permit 10
switch(config-route-map-myRmOut)# match ip address prefix-list 2
switch(config-route-map-myRmOut)# exit
switch(config)# router rip
switch(config-router-rip)# distribute-list out route-map myRmOut
The metric default command specifies the metric value assigned to RIP routes learned from other protocols. All routes imported into RIP receive the default metric unless a matching route-map exists for the route. The route metric of 0 is assigned to redistributed connected and static routes. The default metric values range from 0 to 16 with a default value of 1.
The no metric default and default metric default commands remove the metric default command from running-config and return the metric value to its default value of 1.
Command Mode
Router-RIP Configuration
Command Syntax
metric default metric_value
no metric default
default metric default
Parameter
metric_value default metric value assigned. Values range from 0 to 16; default is 1.
Example
This command sets the default metric value to 5.
switch(config)# router rip
switch(config-router-rip)# metric default 5
switch(config-router-rip)#
The network command specifies the network on which the switch runs Routing Information Protocol (RIP), and also specifies which routes will be accepted into the RIP routing table. Multiple network commands can be issued to create a network list on which RIP runs.
The switch enables RIP on all interfaces in the specified network.
The no network and default network commands disable RIP on the specified network by removing the corresponding network command from running-config.
Command Mode
Router-RIP Configuration
Command Syntax
network NETWORK_ADDRESS
no network NETWORK_ADDRESS
default network NETWORK_ADDRESS
Parameters
switch(config)# router rip
switch(config-router-rip)# network 10.168.1.1/24
switch(config-router-rip)#
switch(config-router-rip)# network 10.168.1.1 mask 0.0.0.255
switch(config-router-rip)#
The no redistribute and default redistribute commands reset the default route redistribution setting by removing the redistribute statement from running-config.
Command Mode
Router-RIP Configuration
Command Syntax
redistribute connected ROUTE_MAP
redistribute ROUTE_TYPE [ROUTE_MAP]
no redistribute connected ROUTE_MAP
no redistribute ROUTE_TYPE
default redistribute connected ROUTE_MAP
default redistribute ROUTE_TYPE
Example
These commands redistribute OSPF routes into RIP.
switch(config)# router rip
switch(config-router-rip)# redistribute OSPF
switch(config-router-rip)#
The rip v2 multicast disable command specifies the transmission of Routing Information Protocol (RIP) Version 2 update packets from the configuration mode interface as broadcast to 255.255.255.255.
The no rip v2 multicast disable and default rip v2 multicast disable commands specify the transmission of update packets as multicast to 224.0.0.9 if the configuration mode interface is multicast capable. Updates are broadcast if the interface is not multicast capable.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
rip v2 multicast disable
no rip v2 multicast disable
default rip v2 multicast disable
Example
The following example configures version 2 broadcasting on interface ethernet 5.
switch(config)# interface ethernet 5
switch(config-if-Et5)# rip v2 multicast disable
switch(config-if-Et5)# exit
switch(config)#
The router rip vrf command places the switch in router-RIP configuration mode to configure an RIP routing instance in the non-default VRF.
The no router rip vrf and default router rip vrf commands disable an RIP routing instance in the non-default VRF, and remove all user-entered router-rip configuration statements from running-config. To disable RIP without removing configuration statements, use the shutdown (RIP) command.
The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
router rip vrf [RIP_INSTANCE]
no router rip vrf [RIP_INSTANCE]
default router rip vrf [RIP_INSTANCE]
Parameter
RIP_INSTANCE configure a RIP VRF instance in the non-default VRF.
switch(config)# router rip vrf test
switch(config-router-rip-router-rip-vrf-test)# no shutdown
switch(config-router-rip)# exit
switch(config)#
switch(config)# no router rip vrf test
switch(config)#
The router rip command places the switch in router-rip configuration mode to configure the Routing Information Protocol (RIP) routing process. Router-rip configuration mode is not a group change mode; running-config is changed immediately upon command entry. The exit command does not affect running-config.
The no router rip and default router rip commands disable RIP and remove all user-entered router-rip configuration statements from running-config. To disable RIP without removing configuration statements, use the shutdown (RIP) command.
The exit command returns the switch to the global configuration mode.
Command Mode
Global Configuration
Command Syntax
router rip
no router rip
default router rip
Example
This command places the switch in the router-rip configuration mode.
switch(config)# router rip
switch(config-router-rip)#
The show ip rip database command displays information about routes in the Routing Information Base. The default command displays active routes and learned routes not used in deference to higher priority routes from other protocols.
This command has the following forms:
Command Mode
EXEC
Command Syntax
show ip rip database [FILTER]
Parameters
switch> show ip rip database active
10.168.11.0/24 directly connected, Et4
10.168.13.0/24
[1] via 10.168.14.2, 00:00:25, Et4
[2] via 10.168.15.2, 00:00:20, Et1
10.168.13.0/24
[1] via 10.168.14.2, 00:00:25, Et3
switch> show ip rip database 10.168.13.0/16
10.168.13.0/24
[1] via 10.168.14.2, 00:00:25, Et4
[2] via 10.168.15.2, 00:00:20, Et1
switch> show ip rip database
10.1.0.0/255.255.255.0
[1] via 10.8.31.15, 00:00:21, Et2, holddown
10.2.0.0/255.255.255.0
[1] via 10.8.31.15, 00:00:21, Et2, holddown
10.3.0.0/255.255.255.0
[1] via 10.8.31.15, 00:00:21, Et2, inactive
10.212.0.0/255.255.255.0
[1] via 10.8.31.15, 00:00:21, Et2, active
10.214.0.0/255.255.255.0
[1] via 10.8.12.17, 00:00:30, Et4, active
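Saved output of show ip rip database can be checked against the set of gateways that are supposed to be speaking RIP on the segment. This is an added example, not code from the original page or from EOS; the sample output is constructed in the two layouts shown above, the expected-gateway set is hypothetical, and the bracketed number is taken here to be the route metric (an assumption, since the page does not label it).

```python
import ipaddress
import re

PREFIX_RE = re.compile(
    r"^(?P<prefix>\d+(?:\.\d+){3}/\S+)"
    r"(?:\s+directly connected, (?P<intf>\S+))?$"
)
VIA_RE = re.compile(
    r"^\[(?P<metric>\d+)\] via (?P<gw>\d+(?:\.\d+){3}), "
    r"(?P<age>\d+:\d+:\d+), (?P<intf>[^,\s]+)(?:, (?P<state>\w+))?$"
)

# Constructed sample in the format of the examples on this page.
SAMPLE_OUTPUT = """\
10.168.11.0/24 directly connected, Et4
10.1.0.0/255.255.255.0
    [1] via 10.8.31.15, 00:00:21, Et2, holddown
10.212.0.0/255.255.255.0
    [1] via 10.8.31.15, 00:00:21, Et2, active
10.214.0.0/255.255.255.0
    [1] via 10.8.12.17, 00:00:30, Et4, active
10.168.13.0/24
    [1] via 10.168.14.2, 00:00:25, Et4
    [2] via 10.168.15.2, 00:00:20, Et1
"""

# Hypothetical allowlist of routers expected to advertise RIP routes.
EXPECTED_GATEWAYS = {"10.8.31.15", "10.168.14.2", "10.168.15.2"}


def parse_rip_database(text):
    """Turn the command output into one dict per (prefix, gateway) entry."""
    routes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREFIX_RE.match(line)
        if m:
            # Both /24 and /255.255.255.0 notations normalise to CIDR.
            current = str(ipaddress.ip_network(m["prefix"], strict=False))
            if m["intf"]:
                routes.append({"prefix": current, "gateway": None,
                               "metric": None, "age_s": None,
                               "interface": m["intf"], "state": "connected"})
            continue
        m = VIA_RE.match(line)
        if m and current:
            hours, minutes, seconds = (int(x) for x in m["age"].split(":"))
            routes.append({"prefix": current, "gateway": m["gw"],
                           "metric": int(m["metric"]),
                           "age_s": hours * 3600 + minutes * 60 + seconds,
                           "interface": m["intf"], "state": m["state"]})
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return routes


def audit(routes, expected_gateways):
    """Return (prefix, gateway, reason) for entries that need a closer look."""
    findings = []
    for route in routes:
        if route["gateway"] is None:
            continue  # directly connected, nothing learned from a neighbor
        if route["gateway"] not in expected_gateways:
            findings.append((route["prefix"], route["gateway"],
                             "unexpected gateway"))
        if route["state"] not in (None, "active"):
            findings.append((route["prefix"], route["gateway"],
                             f"state {route['state']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rip_database(SAMPLE_OUTPUT), EXPECTED_GATEWAYS):
        print(*finding, sep="  ")
```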
The show ip rip neighbors command displays information about all RIP route gateways. The output displays the IPv4 address, the last heard time of the gateway, and characteristic flags applying to the gateway.
Command Mode
EXEC
Command Syntax
show ip rip neighbors
Example
switch> show ip rip neighbors
Gateway Last-Heard Bad-Packets Bad-Routes Flags
10.2.12.33 00:00:15 SRC, TRSTED,
ACCPTED, RJCTED,
Q_RJCTED, AUTHFAIL
The shutdown command disables RIP on the switch without modifying the RIP configuration. RIP is disabled by default.
The no shutdown command enables RIP. The default shutdown command disables RIP.
Command Mode
Router-RIP Configuration
Command Syntax
shutdown
no shutdown
default shutdown
This command disables RIP on the switch.
switch(config)# router rip
switch(config-router-rip)# shutdown
switch(config-router-rip)#
This command enables RIP on the switch.
switch(config-router-rip)# no shutdown
switch(config-router-rip)#
The no timers and default timers commands return the timer values to their default values by removing the timers command from running-config.
Command Mode
Router-RIP Configuration
Command Syntax
timers update_time expire_time deletion_time
no timers
default timers
Parameter values are in seconds and range from 5 to 2147483647.
Example
This command sets the update (60 seconds), expiration (90 seconds), and deletion (150 seconds) times.
switch(config)# router rip
switch(config-router-rip)# timers 60 90 150
switch(config-router-rip)#
Open Shortest Path First (OSPF) is a link-state routing protocol that operates within a single autonomous system. OSPF version 2 is defined by RFC 2328.
OSPFv2 is a dynamic, link-state routing protocol, where links represent interfaces or routable paths. Dynamic routing protocols calculate the most efficient path between locations based on bandwidth and device status.
A Link State Advertisement (LSA) is an OSPFv2 packet that communicates a router's topology to other routers. The Link State DataBase (LSDB) stores an area's topology database and is composed of LSAs received from other routers. Routers update the LSDB by storing LSAs from other routers.
An Autonomous System (AS) is the IP domain within which a dynamic protocol controls the routing of traffic. In OSPFv2, an AS is composed of areas, which define the LSDB computation boundaries. All routers in an area store identical LSDBs. Routers in different areas exchange updates without storing the entire database, reducing information maintenance on large, dynamic networks.
An AS shares internal routing information from its areas and external routing information from other processes to inform routers outside the AS about routes the network can access. Routers that advertise routes on other ASs commit to carry data to the IP space on the route.
OSPFv2 areas are assigned a number between 0 and 4,294,967,295 (2^32 - 1). Area numbers are often expressed in dotted decimal notation, similar to IP addresses.
Each AS has a backbone area, designated as area 0, that connects to all other areas. The backbone receives routing information from all areas, then distributes it to the other areas as required.
Neighbors form adjacencies to exchange LSDB information. A neighbor group uses hello packets to elect a Designated Router (DR) and Backup Designated Router (BDR). The DR and BDR become adjacent to all other neighbors, including each other. Only adjacent neighbors share database information.
OSPFv2 Neighbors illustrates OSPFv2 neighbors.
The DR is the central contact for database exchanges. Switches send database information to their DR, which relays the information to the other neighbors. All routers in an area maintain identical LSDBs. Switches also send database information to their BDR, which stores this data without distributing it. If the DR fails, the BDR distributes LSDB information to its neighbors.
OSPFv2 routers distribute LSAs by sending them on all of their active interfaces. The router generates an LSA for a network defined and active on a passive interface but will not transmit this LSA on the passive interface as no adjacencies are formed.
When a router's LSDB is changed by an LSA, it sends the changes to the DR and BDR for distribution to the other neighbors. Routing information is updated only when the topology changes.
Routers use Dijkstra's algorithm to calculate the shortest path to all known destinations, based on cumulative route cost. The cost of an interface indicates the transmission overhead and is usually inversely proportional to its bandwidth.
OSPFv2 Route Redistribution is used for redistributing OSPFv2 leaked and non-leaked routes from one instance to another when multiple OSPFv2 instances are configured. The OSPFv2 Route Redistribution is supported on all platforms in the multi-agent routing mode.
EOS Release 4.22.1F adds support for multiple OSPFv2 instances to be configured in the default VRF. OSPFv2 Multiple Instances Support provides isolation and allows segregating and dividing the link state database based on the interface.
Basic OSPFv2 functionality, along with redistribution of OSPFv2 routes (all instances) into BGP and default information originate always, is available from EOS Release 4.22.1F onward.
Support for graceful restart and BFD with multiple OSPFv2 instances was added in the EOS Release 4.23.1.
OSPFv2 Multiple Instances Support is supported on all platforms.
This feature introduces the support for OSPF routes over GRE tunnels under default as well as non-default VRFs. The feature is disabled by default.
The platform does not support any arbitrarily created TCAM profile. When the TCAM profile cannot be programmed, the show command prints ERROR in the status column.
The router ospf command places the switch in router-ospf configuration mode and creates an OSPFv2 instance if one was not previously created. The switch only supports one OSPFv2 instance and all OSPFv2 configuration commands apply to this instance.
When an OSPFv2 instance is already configured, the command must specify its process ID. Any attempt to define additional instances will fail and generate errors.
The process ID is local to the router and is used to identify the running OSPFv2 process. Neighbor OSPFv2 routers can have different process IDs.
Example
switch(config)# router ospf 100
switch(config-router-ospf)#
The router ID is a 32-bit number assigned to a router running OSPFv2. This number uniquely labels the router within an Autonomous System. Status commands identify the switch through the router ID.
The router-id (OSPFv2) command configures the router ID for an OSPFv2 instance.
Example
switch(config-router-ospf)# router-id 10.1.1.1
switch(config-router-ospf)#
These router-ospf configuration mode commands define OSPFv2 behavior.
OSPFv2 is re-enabled with a router ospf command.
The LSDB size restriction is removed by setting the LSA limit to zero.
switch(config-router-ospf)# max-lsa 20000 40 ignore-time 10 ignore-count 4 reset-time 20
switch(config-router-ospf)#
The log-adjacency-changes (OSPFv2) command configures the switch to log OSPFv2 link-state changes and transitions of OSPFv2 neighbors into the up or down state.
switch(config-router-ospf)# log-adjacency-changes
switch(config-router-ospf)#
switch(config-router-ospf)# log-adjacency-changes detail
switch(config-router-ospf)#
RFC 2328 and RFC 1583 specify different methods for calculating summary route metrics. The compatible (OSPFv2) command allows the selective disabling of compatibility with RFC 2328.
Example
switch(config)# router ospf 6
switch(config-router-ospf)# compatible rfc1583
switch(config-router-ospf)#
The distance ospf (OSPFv2) command configures the administrative distance for intra-area, inter-area, or external OSPF routes. To configure the administrative distance for multiple route types, the command must be entered multiple times. Administrative distances compare dynamic routes configured by different protocols. The default administrative distance for all routes is 110.
Example
switch(config-router-ospf)# distance ospf intra-area 95
switch(config-router-ospf)#
The passive-interface (OSPFv2) command prevents the transmission of hello packets on the specified interface. Passive interfaces drop all adjacencies and do not form new adjacencies. Passive interfaces send LSAs but do not receive them. The router does not send or process OSPFv2 packets received on passive interfaces. The router advertises the passive interface in the router LSA.
The no passive-interface command re-enables OSPFv2 processing on the specified interface.
switch(config-router-ospf)# passive-interface vlan 2
switch(config-router-ospf)#
switch(config-router-ospf)# no passive-interface vlan 2
switch(config-router-ospf)#
Redistributing connected routes causes the OSPFv2 instance to advertise all connected routes on the switch as external OSPFv2 routes. Connected routes are routes that are established when IPv4 is enabled on an interface.
Example
switch(config-router-ospf)# redistribute connected
switch(config-router-ospf)#
Redistributing static routes causes the OSPFv2 instance to advertise all static routes on the switch as external OSPFv2 routes. The switch does not support redistributing individual static routes.
switch(config-router-ospf)# redistribute static
switch(config-router-ospf)#
switch(config-router-ospf)# no redistribute static
switch(config-router-ospf)#
An OSPF distribute list uses a route map or prefix list to filter specific routes from incoming OSPF LSAs; this filtering occurs after SPF calculation. The filtered routes are not installed on the switch, but are still included in LSAs sent by the switch. An OSPF router instance can have one distribute list configured.
If a prefix list is used, destination prefixes that do not match the prefix list will not be installed. If a route map is used, routes may be filtered based on address, next hop, or metric. OSPF external routes may also be filtered by metric type or tag.
The distribute-list in command specifies the filter to be used and applies it to the OSPF instance.
Example
switch(config)# router ospf 5
switch(config-router-ospf)# distribute-list prefix-list dist_list1 in
switch(config-router-ospf)#
Use the redistribute ospf instance command to redistribute either the non-leaked routes, or both leaked and non-leaked routes. This command is configured under the router-ospf mode.
switch(config-router-ospf)# redistribute ospf instance include leaked
<cr>
Options:
include Include leaked routes
match Routes learned by the OSPF protocol
route-map Specify which route map to use
switch(config-router-ospf)# redistribute ospf instance match external
<cr>
Options:
external OSPF routes learned from external sources
internal OSPF routes learned from internal sources
nssa-external OSPF routes learned from external NSSA sources
switch(config-router-ospf)# redistribute ospf instance match external
switch(config-router-ospf)# redistribute ospf instance include leaked match internal
switch(config)# route-map rm1 permit 10
switch(config-route-map-rm1)# match ospf instance 3
switch(config-router-ospf)# redistribute ospf instance match external route-map rm1
OSPFv2 areas are configured through area commands. The switch must be in router-ospf configuration mode, as described in Entering OSPFv2 Configuration Mode, to run area commands.
Areas are assigned a 32-bit number that is expressed in decimal or dotted-decimal notation. When an OSPFv2 instance configuration contains multiple areas, the switch only configures areas associated with its interfaces.
The default area type is normal.
switch(config-router-ospf)# area 45 stub
switch(config-router-ospf)#
switch(config-router-ospf)# area 10.92.148.17 NSSA
switch(config-router-ospf)#
The area nssa no-summary (OSPFv2) command configures the router to not import type-3 summary LSAs into the Not-So-Stubby Area (NSSA) and injects a default summary route (0.0.0.0/0) into the NSSA to reach the inter-area prefixes.
Example
switch(config)# router ospf 6
switch(config-router-ospf)# area 1.1.1.1 nssa no-summary
switch(config-router-ospf)#
The network area (OSPFv2) command assigns the specified network segment to an OSPFv2 area. The network can be entered in CIDR notation or by an address and wildcard mask.
The switch zeroes the host portion of the specified network address; for example, 1.2.3.4/24 converts to 1.2.3.0/24 and 1.2.3.4/16 converts to 1.2.0.0/16.
Example
switch(config-router-ospf)# network 10.1.10.0 0.0.0.255 area 0
switch(config-router-ospf)# network 10.1.10.0/24 area 0
In each case, running-config stores the command in CIDR (prefix) notation.
By default, ABRs create a summary LSA for each route in an area and advertise them to adjacent routers. The area range (OSPFv2) command aggregates routing information, allowing the ABR to advertise multiple routes with one LSA. The area range (OSPFv2) command can be used to suppress route advertisements.
switch(config-router-ospf)# network 10.1.25.80 0.0.0.240 area 5
switch(config-router-ospf)# network 10.1.25.112 0.0.0.240 area 5
switch(config-router-ospf)# area 5 range 10.1.25.64 0.0.0.192
switch(config-router-ospf)#
switch(config-router-ospf)# network 10.12.31.0 0.0.0.255 area 5
switch(config-router-ospf)# area 5 range 10.12.31.0 0.0.0.255 not-advertise
switch(config-router-ospf)#
These router-ospf configuration mode commands define OSPFv2 behavior in a specified area.
The area default-cost (OSPFv2) command specifies the cost of the default summary route that ABRs send into a stub area or NSSA. Summary routes, also called inter-area routes, originate in areas different than their destination.
Example
switch(config-router-ospf)# area 23 default-cost 15
switch(config-router-ospf)#
The area filter (OSPFv2) command prevents an area from receiving Type 3 (Summary) LSAs from a specified subnet. Type 3 LSAs are sent by ABRs and contain information about one of its connected areas.
Example
switch(config-router-ospf)# area 2 filter 10.1.1.2/24
switch(config-router-ospf)#
The OSPFv2 dn-bit-ignore command enables or disables the inclusion of LSAs that have the “Down” (DN) bit set in SPF calculations. The DN bit is a loop prevention mechanism that is implemented when OSPF is used as a CE-PE IGP protocol.
OSPFv2 only honors the DN-bit in type-3 LSAs in non-default VRFs. Starting with Release EOS-4.25.0F, OSPFv2 honors the DN-bit in type-5 and type-7 LSAs in non-default VRFs. This means that type-3/5/7 LSAs with the DN-bit set are not included in the SPF calculation, and any routes carried by those LSAs are not installed in the routing table. This behavior changes when using the dn-bit-ignore lsa type-5 type-7 command.
Use the command dn-bit-ignore to ignore the DN-bit in type-3/5/7 LSAs.
(config)# router ospf 1 vrf red
(config-router-ospf-vrf-red)#?
...
dn-bit-ignore Disable DN-bit check for Type-3, Type-5 and Type-7 LSAs in non-default VRFs
...
(config-router-ospf-vrf-red)#dn-bit-ignore ?
lsa Disable DN-bit check only for Type-5 and Type-7 LSAs in non-default VRFs
<cr>
(config-router-ospf-vrf-red)#dn-bit-ignore lsa type-5 type-7
Use the command dn-bit-ignore to include type-3/5/7 LSAs having their DN-bit set in the SPF calculation.
Use the commands no dn-bit-ignore or default dn-bit-ignore to revert the behavior back to default. This command is available in ipv6 router ospf PROCESS_ID vrf VRF_NAME configuration mode and router ospfv3 vrf <VRF_NAME> configuration mode. Note that this command is not available in the default VRF, and that both configuration styles are captured below.
(config)# router ospfv3 vrf red
(config-router-ospfv3-vrf-red)# dn-bit-ignore
(config)# ipv6 router ospf 1 vrf red
(config-router-ospfv3-vrf-red)# dn-bit-ignore
Use the show running-config command to verify whether the dn-bit-ignore command is configured.
The ospf area <area_id> filter command configures the set of prefixes to be filtered for multi-agent routing and the ribd routing protocols. Area filters are used to prevent specific prefixes from being announced by an area as Type 3 summary LSAs or as Type 4 ASBR summary LSAs in an OSPFv2 Area Border Router (ABR).
Examples
The following configures a prefix-list filter to permit two prefixes and deny all others.
switch(config)# ip prefix-list type3Permit
switch(config-ip-pfx)# ip seq 10 permit 10.0.1.0/24
switch(config-ip-pfx)# ip seq 20 permit 10.0.2.0/24
switch(config-ip-pfx)# ip seq 30 deny 10.0.0.0/0
switch(config-ip-pfx)# exit
The following applies the filter to the backbone area.
switch(config)# router ospf 1
switch(config-router-ospf)# area 0 filter prefix-list type3Permit
The following configures a prefix-list to deny a list of prefixes and permit all others.
switch(config)# ip prefix-list type3Deny
switch(config-ip-pfx)# ip seq 10 deny 10.0.1.0/24
switch(config-ip-pfx)# ip seq 20 deny 10.0.2.0/24
switch(config-ip-pfx)# exit
The following applies the filter.
switch(config)# router ospf 1
switch(config-router-ospf)# area 1.1.1.1 filter prefix-list type3Deny
The following displays the output of show ip ospf with the area filter listed.
switch# show ip ospf
Area 3.3.3.3
Number of interface in this area is 2
It is a normal area
Traffic engineering is disabled
Area has None authentication
SPF algorithm executed 1 times
Number of LSA 1. Checksum Sum 53568
Number of opaque link LSA 0. Checksum Sum 0
Number of opaque area LSA 0. Checksum Sum 0
Area ranges are
3.3.0.0/16 Cost 0 Advertise
3.30.0.0/16 Cost 0 Advertise
Area filter prefix-list type3Permit
The ip address unnumbered command specifies a lending interface from which many interfaces may borrow the same address, reducing the number of unique IPv4 addresses needed. A lending interface is a loopback interface. Only one borrowing interface is referenced to one lender at a time even though multiple loopbacks may be used as lending interfaces. Unnumbered interfaces may reference the same or different lending interfaces. Any IPv4 routed interface is configurable as an unnumbered interface and is referenced to one lending interface.
The following configures an unnumbered borrowing interface.
switch(config)# interface Ethernet1
switch(config-if-Et1)# ip address unnumbered Loopback1
To enable OSPF on an unnumbered interface, configure the area and set the network type to point-to-point under the interface config mode.
switch(config-if-Et1)# ip ospf area 1
switch(config-if-Et1)# ip ospf network point-to-point
Enabling OSPF on the lending interface in the same area as the borrowing interfaces is recommended. For different unnumbered interfaces in different areas, configure them to use different loopbacks.
switch(config)# interface loopback 1
switch(config-if-Lo1)# ip address 1.1.1.1/32
switch(config-if-Lo1)# ip ospf area 1
To enable ISIS on an unnumbered interface, configure the area and set the network type to point-to-point under the interface config mode.
switch(config-if-Et1)# isis enable inst1
switch(config-if-Et1)# isis network point-to-point
Enabling ISIS on the lending interface in the same area as the borrowing interfaces is recommended.
switch(config)# interface loopback 1
switch(config-if-Lo1)# ip address 1.1.1.1/32
switch(config-if-Et1)# isis enable inst1
switch(config-if-Et1)# isis network point-to-point
The same IP address may be in use on multiple interfaces at the same time, and is displayed as shown below.
The following displays the output of show ip interface brief. In this example, Ethernet 2-5 are all unnumbered and borrowing from loopback1.
switch(config-if-Et2)# show ip interface brief
Address
Interface IP Address Status Protocol MTU Owner
----------- ----------- ------- --------- ------- -------
Ethernet1 1.1.2.1/24 up up 1500
Ethernet2 1.1.1.1/32 up up 1500 Lo1
Ethernet3 1.1.1.1/32 up up 1500 Lo1
Ethernet4 1.1.1.1/32 up up 1500 Lo1
Ethernet5 1.1.1.1/32 up up 1500 Lo1
Loopback1 1.1.1.1/32 up up 65535
The following displays OSPF with two adjacencies with the same peer via Ethernet 2 and Ethernet 3. The same Neighbor ID is listed for both interfaces. IS-IS behaves similarly.
switch(config-if-Et2)#show ip ospf neighbor
Neighbor ID Instance VRF Pri State Dead Time Address Interface
2.2.1.1 1 default 0 FULL 00:00:36 2.2.1.1 Ethernet3
2.2.1.1 1 default 0 FULL 00:00:34 2.2.1.1 Ethernet2
OSPFv2 interface configuration commands specify transmission parameters for routed ports and SVIs that handle OSPFv2 packets.
OSPFv2 authenticates packets through passwords configured on VLAN interfaces. Interfaces connecting to the same area can authenticate packets if they have the same key. By default, OSPFv2 does not authenticate packets.
Message digest authentication supports uninterrupted transmissions during key changes by allowing each interface to have two keys with different key IDs. When a new key is configured on an interface, the router transmits OSPFv2 packets for both keys. Once the router detects that all neighbors are using the new key, it stops sending the old one.
switch(config-if-vl12)# ip ospf authentication
switch(config-if-vl12)# ip ospf authentication-key 0 code123
switch(config-if-vl12)# ip ospf authentication message-digest
switch(config-if-vl12)# ip ospf message-digest-key 23 md5 0 code123
The running-config stores the password as an encrypted string, using a proprietary algorithm. The key ID (23) is between keywords message-digest-key and md5.
Interval configuration commands determine OSPFv2 packet transmission characteristics for the specified VLAN interface and are entered in interface-vlan configuration mode.
The hello interval specifies the period between consecutive hello packet transmissions from an interface. Each OSPFv2 neighbor should specify the same hello interval, which should not be longer than any neighbor's dead interval.
The ip ospf hello-interval command configures the hello interval for the configuration mode interface. The default is 10 seconds.
Example
switch(config-if-Vl2)# ip ospf hello-interval 30
switch(config-if-Vl2)#
The dead interval specifies the period that an interface waits for an OSPFv2 packet from a neighbor before it disables the adjacency under the assumption that the neighbor is down. The dead interval should be configured identically on all OSPFv2 neighbors and be longer than the hello interval of any neighbor.
The ip ospf dead-interval command configures the dead interval for the configuration mode interface. The default is 40 seconds.
Example
switch(config-if-Vl4)# ip ospf dead-interval 120
switch(config-if-Vl4)#
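The authentication behavior and the hello/dead interval rule described above can be checked mechanically against a saved configuration. The following Python sketch is an added example, not Arista code: the sample configuration, key placeholders and finding texts are constructed, it assumes the defaults stated on this page (no authentication, hello 10 s, dead 40 s), and it only inspects interfaces that carry interface-level ip ospf commands.

```python
import re

# Defaults stated on this page: hello 10 s, dead 40 s, no authentication.
DEFAULT_HELLO, DEFAULT_DEAD = 10, 40

# Constructed sample in running-config layout; key strings are placeholders.
SAMPLE_CONFIG = """\
interface Vlan2
   ip address 10.168.2.1/24
   ip ospf area 0.0.0.2
   ip ospf hello-interval 30
interface Vlan4
   ip ospf area 0.0.0.2
   ip ospf authentication
   ip ospf authentication-key 7 PLACEHOLDER
   ip ospf dead-interval 10
interface Vlan12
   ip ospf area 0.0.0.0
   ip ospf authentication message-digest
   ip ospf message-digest-key 23 md5 7 PLACEHOLDER
   ip ospf hello-interval 30
   ip ospf dead-interval 120
interface Vlan13
   ip ospf area 0.0.0.0
   ip ospf authentication message-digest
interface Management1
   ip address 10.255.255.2/24
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from indented config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():            # a new top-level stanza begins
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current:
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(commands):
    """Return findings for one interface, or None if it has no ip ospf lines."""
    ospf = [c for c in commands if c.startswith("ip ospf ")]
    if not ospf:
        return None
    findings = []

    digest = "ip ospf authentication message-digest" in ospf
    simple = "ip ospf authentication" in ospf
    key_ids = [c.split()[3] for c in ospf
               if c.startswith("ip ospf message-digest-key ")]
    if digest:
        if not key_ids:
            findings.append("message-digest enabled but no message-digest-key")
    elif simple:
        findings.append("simple password authentication")
    else:
        findings.append("no authentication (default)")

    def timer(name, default):
        for c in ospf:
            m = re.fullmatch(rf"ip ospf {name} (\d+)", c)
            if m:
                return int(m.group(1))
        return default

    hello = timer("hello-interval", DEFAULT_HELLO)
    dead = timer("dead-interval", DEFAULT_DEAD)
    if dead <= hello:
        findings.append(
            f"dead-interval {dead}s not longer than hello-interval {hello}s")
    return findings


def audit(config):
    """Return {interface: findings} for every OSPF-configured interface."""
    report = {}
    for name, commands in parse_interfaces(config).items():
        findings = audit_interface(commands)
        if findings is not None:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

The check compares the hello and dead intervals on one device only; the intervals must also match what each neighbor is configured with.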
Routers that send OSPFv2 advertisements to an adjacent router expect to receive an acknowledgment from that neighbor. Routers that do not receive an acknowledgment will retransmit the advertisement. The retransmit interval specifies the period between retransmissions.
The ip ospf retransmit-interval command configures the LSA retransmission interval for the configuration mode interface. The default retransmit interval is 5 seconds.
Example
switch(config-if-Vl3)# ip ospf retransmit-interval 15
switch(config-if-Vl3)#
The transmission delay is an estimate of the time that an interface requires to transmit a link-state update packet. OSPFv2 adds this delay to the age of outbound packets to more accurately reflect the age of the LSA when received by a neighbor. The default transmission delay is one second.
The ip ospf transmit-delay command configures the transmission delay for the configuration mode interface.
Example
switch(config-if-Vl6)# ip ospf transmit-delay 5
switch(config-if-Vl6)#
The OSPFv2 interface cost (or metric) reflects the overhead of sending packets across the interface. The cost is typically inversely proportional to the bandwidth of the interface. The default cost is 10.
The ip ospf cost command configures the OSPFv2 cost for the configuration mode interface.
Example
switch(config-if-Vl2)# ip ospf cost 15
switch(config-if-Vl2)#
Router priority determines preference during Designated Router (DR) and Backup Designated Router (BDR) elections. Routers with higher priority numbers have preference over other routers. Routers with a priority of zero cannot be elected as a DR or BDR.
The ip ospf priority command configures router priority for the configuration mode interface. The default priority is 1.
switch(config-if-Vl8)# ip ospf priority 15
switch(config-if-Vl8)#
switch(config-if-Vl7)# no ip ospf priority
switch(config-if-Vl7)#
The no shutdown and no ip ospf disabled commands resume OSPFv2 activity.
switch(config-router-ospf)# shutdown
switch(config-router-ospf)#
switch(config-router-ospf)# no shutdown
switch(config-router-ospf)#
switch(config-if-Vl5)# ip ospf disabled
switch(config-if-Vl5)#
OSPFv2 requires that IPv4 routing is enabled on the switch. When IP routing is not enabled, entering OSPFv2 configuration mode generates a message.
This message is displayed if, when entering the router-ospf configuration mode, IP routing is not enabled.
switch(config)# router ospf 100
! IP routing not enabled
switch(config-router-ospf)#
switch(config)# ip routing
switch(config)#
The existing OSPFv2 configuration commands remain unchanged and are used for configuring multiple OSPFv2 instances. Each OSPFv2 instance in the default VRF is identified by a unique instance ID.
router ospf id [vrf | general]
Configuring the redistribute ospf command under the config-router-bgp mode with multiple OSPFv2 instances configured redistributes routes from all OSPFv2 instances into BGP.
These commands redistribute OSPFv2 routes into the BGP domain.
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute OSPF
switch(config-router-bgp)#
When the same prefix is learned in multiple instances with the same metric, the route type is used as the first tie-breaking criterion:
O > O IA > N1 > N2 > E1 > E2
Codes: O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2
When routes have identical route-type as well, the route with the lowest nexthop IP address is selected.
The CLI does not guard against overlapping network statements configured in different instances. This state is a misconfiguration.
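Because the CLI does not reject overlapping network statements, the check has to be made outside the switch. The following Python sketch is an added example, not Arista code: it flags network statements that overlap across OSPFv2 instances in the default VRF and applies the tie-break order described above to same-prefix, same-metric candidates. The sample configuration, the candidate routes and all function names are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: two OSPFv2 instances in the default VRF.
SAMPLE_CONFIG = """\
router ospf 100
   router-id 1.1.1.1
   network 10.1.1.0/24 area 0.0.0.0
   network 10.2.0.0/16 area 0.0.0.0
router ospf 200
   router-id 2.2.2.2
   network 10.2.8.0/24 area 0.0.0.0
   network 20.1.1.0/24 area 0.0.0.0
"""

# Constructed candidates: same prefix, same metric, three instances.
SAMPLE_CANDIDATES = [
    {"instance": 100, "type": "E2", "nexthop": "20.1.1.2"},
    {"instance": 200, "type": "O IA", "nexthop": "10.1.1.2"},
    {"instance": 300, "type": "O IA", "nexthop": "10.1.1.1"},
]

# Preference order from this page: O > O IA > N1 > N2 > E1 > E2.
ROUTE_TYPE_RANK = {t: rank for rank, t in
                   enumerate(["O", "O IA", "N1", "N2", "E1", "E2"])}


def network_statements(config):
    """Return [(instance_id, IPv4Network)] for default-VRF instances."""
    found, instance = [], None
    for line in config.splitlines():
        head = re.match(r"router ospf (\d+)\s*$", line)
        if head:
            instance = int(head.group(1))
        elif line and not line[0].isspace():
            instance = None                  # left the router-ospf stanza
        elif instance is not None:
            net = re.match(r"\s+network (\S+) area \S+", line)
            if net:
                found.append((instance,
                              ipaddress.ip_network(net.group(1), strict=False)))
    return found


def overlapping_networks(config):
    """Return (inst_a, net_a, inst_b, net_b) for overlaps across instances."""
    stmts = network_statements(config)
    return [(i1, str(n1), i2, str(n2))
            for (i1, n1), (i2, n2) in combinations(stmts, 2)
            if i1 != i2 and n1.overlaps(n2)]


def select_route(candidates):
    """Tie-break same-prefix, same-metric routes learned in several instances.

    Route type is compared first; on a tie the lowest nexthop address wins.
    """
    return min(candidates,
               key=lambda r: (ROUTE_TYPE_RANK[r["type"]],
                              ipaddress.ip_address(r["nexthop"])))


if __name__ == "__main__":
    for hit in overlapping_networks(SAMPLE_CONFIG):
        print("overlap: instance %s %s <-> instance %s %s" % hit)
    print("selected:", select_route(SAMPLE_CANDIDATES))
```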
switch(config)# router ospf 6
switch(config-router-ospf)# tunnel routes
switch(config-router-ospf)#
switch(config)# router ospf 6
switch(config-router-ospf)# no tunnel routes
switch(config-router-ospf)#
switch(config)# router ospf 6
switch(config-router-ospf)# default tunnel routes
switch(config-router-ospf)#
On DCS-7020, DCS-7280R/R2, or DCS-7500R/R2 enabling OSPF routes over GRE tunnels requires the system TCAM profile to have “Tunnel IPv4” feature enabled so that control packets such as OSPF hellos received over GRE tunnel interfaces are appropriately classified. This can be achieved by creating a user defined TCAM profile as described below.
The user defined TCAM profile can be created either manually from scratch or by copying from an existing TCAM profile. The system TCAM profile must have the feature tunnel ipv4 for the OSPFv2 over GRE tunnel interfaces to work. This is applicable regardless of whether the TCAM profile is copied from an existing profile or created from scratch.
This section describes a set of CLI commands to create a user-defined PMF (or TCAM) profile. The profile is composed of a set of TCAM features, with each feature having a customized lookup key, actions and packet types to hit.
All TCAM profile CLIs are under hardware tcam mode.
(config)# hardware tcam
(config-hw-tcam)#
(config)# hardware tcam
(config-hw-tcam)# profile newprofile1 copy default
(config-hw-tcam-profile-newprofile1)#
(config)# hardware tcam
(config-hw-tcam)# profile newprofile2
(config-hw-tcam-profile-newprofile2)#
(config)# hardware tcam
(config-hw-tcam)# no profile newprofile2
(config-hw-tcam-profile-<profile>)# feature acl port ipv6
(config-hw-tcam-profile-<profile>)# no feature acl port ipv6
This describes packet types that the feature will be applied on.
packet packet header tokens forwarding [bridged | routed | mpls][multicast][decap]
no packet packet header tokens forwarding [bridged | routed | mpls][multicast][decap]
The packet header is described by a series of CLI packet header tokens after the packet token. It starts from the outermost header after Ethernet. For example, a regular IPv4 packet is packet ipv4 and a vxlan packet is packet ipv4 vxlan eth ipv4. The forwarding token indicates the forwarding type of the packet. multicast indicates if the packet is a multicast packet. Lastly, decap indicates if the packet is decapsulated after a tunnel.
(config-hw-tcam-profile-<profile>-feature-<feature>)# [no] key field field
All supported key fields can be found with key field ?.
(config-hw-tcam-profile-<profile>-feature-<feature>)# [no] key size limit size
(config-hw-tcam-profile-<profile>-feature-<feature>)# [no] action action
The supported actions can be found through action ?.
(config-hw-tcam-profile-<profile>-feature-<feature>)# [no] sequence sequence
(config)# hardware tcam
(config-hw-tcam)# system profile newprofile1
This section describes OSPFv2 show commands that display OSPFv2 status. General switch methods that provide OSPFv2 information include pinging routes, viewing route status (show ip route command), and viewing the configuration (show running-config command).
The show ip ospf command displays general OSPFv2 configuration information and operational statistics.
Example
switch# show ip ospf
Routing Process "ospf 1" with ID 10.168.103.1
Supports opaque LSA
Maximum number of LSA allowed 12000
Threshold for warning message 75%
Ignore-time 5 minutes, reset-time 5 minutes
Ignore-count allowed 5, current 0
It is an area border router
Hold time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 00:00:09 ago
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of LSA 27.
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
Area BACKBONE(0.0.0.0)
Number of interfaces in this area is 2
It is a normal area
Area has no authentication
SPF algorithm executed 153 times
Number of LSA 8. Checksum Sum 0x03e13a
Number of opaque link LSA 0. Checksum Sum 0x000000
Area 0.0.0.2
Number of interfaces in this area is 1
It is a normal area
Area has no authentication
SPF algorithm executed 153 times
Number of LSA 11. Checksum Sum 0x054e57
Number of opaque link LSA 0. Checksum Sum 0x000000
Area 0.0.0.3
Number of interfaces in this area is 1
It is a normal area
Area has no authentication
SPF algorithm executed 5 times
Number of LSA 6. Checksum Sum 0x02a401
Number of opaque link LSA 0. Checksum Sum 0x000000
The output lists configuration parameters and operational statistics and status for the OSPFv2 instance, followed by a brief description of the areas located on the switch.
The show ip ospf interface command displays OSPFv2 information for switch interfaces configured for OSPFv2. Different command options allow the display of either all interfaces or a specified interface. The command can also be configured to display complete information or a brief summary.
switch# show ip ospf interface vlan 1
Vlan1 is up, line protocol is up (connected)
Internet Address 10.168.0.1/24, Area 0.0.0.0
Process ID 1, Router ID 10.168.103.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router is 10.168.104.2
Backup Designated router is 10.168.103.1
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 1
MTU is 1500
switch#
The display indicates the switch is an ABR by displaying a neighbor count, the Designated Router (DR), and Backup Designated Router (BDR).
switch# show ip ospf interface brief
Interface   PID  Area     IP Address       Cost  State  Nbrs
Loopback0   1    0.0.0.0  10.168.103.1/24  10    DR     0
Vlan1       1    0.0.0.0  10.168.0.1/24    10    BDR    1
Vlan2       1    0.0.0.2  10.168.2.1/24    10    BDR    1
Vlan3       1    0.0.0.3  10.168.3.1/24    10    DR     0
switch#
Configuration information includes the Process ID (PID), area, IP address, and cost. OSPFv2 operational information includes the Designated Router status and number of neighbors.
The show ip ospf database <link state list> command displays the LSAs in the LSDB for the specified area. If no area is listed, the command displays the contents of the database for each area on the switch. The database command provides options to display subsets of the LSDB database, a summary of database contents, and the link states that comprise the database.
switch# show ip ospf 1 2 database
OSPF Router with ID(10.168.103.1)(Process ID 1)
Router Link States (Area 0.0.0.2)
Link ID       ADV Router    Age       Seq#        Checksum  Link count
10.168.103.1  10.168.103.1  00:29:08  0x80000031  0x001D5F  1
10.168.104.2  10.168.104.2  00:29:09  0x80000066  0x00A49B  1
Net Link States (Area 0.0.0.2)
Link ID       ADV Router    Age       Seq#        Checksum
10.168.2.1    10.168.103.1  00:29:08  0x80000001  0x00B89D
Summary Net Link States (Area 0.0.0.2)
Link ID       ADV Router    Age       Seq#        Checksum
10.168.0.0    10.168.103.1  00:13:20  0x80000028  0x0008C8
10.168.0.0    10.168.104.2  00:09:16  0x80000054  0x00A2FF
10.168.3.0    10.168.104.2  00:24:16  0x80000004  0x00865F
10.168.3.0    10.168.103.1  00:24:20  0x80000004  0x002FC2
10.168.103.0  10.168.103.1  00:14:20  0x80000028  0x0096D2
10.168.103.0  10.168.104.2  00:13:16  0x80000004  0x00364B
10.168.104.0  10.168.104.2  00:08:16  0x80000055  0x002415
10.168.104.0  10.168.103.1  00:13:20  0x80000028  0x00EF6E
switch#
switch# show ip ospf 1 2 database database-summary
OSPF Router with ID(10.168.103.1) (Process ID 1)
Area 0.0.0.2 database summary
LSA Type      Count
Router        2
Network       1
Summary Net   8
Summary ASBR  0
Type-7 Ext    0
Opaque Area   0
Subtotal      11
Process 1 database summary
LSA Type      Count
Router        2
Network       1
Summary Net   8
Summary ASBR  0
Type-7 Ext    0
Opaque Area   0
Type-5 Ext    0
Opaque AS     0
Total         11
switch#
switch# show ip ospf 1 2 database router
OSPF Router with ID(10.168.103.1) (Process ID 1)
Router Link States (Area 0.0.0.2)
LS age: 00:02:16
Options: (E DC)
LS Type: Router Links
Link State ID: 10.168.103.1
Advertising Router: 10.168.103.1
LS Seq Number: 80000032
Checksum: 0x1B60
Length: 36
Number of Links: 1
Link connected to: a Transit Network
(Link ID) Designated Router address: 10.168.2.1
(Link Data) Router Interface address: 10.168.2.1
Number of TOS metrics: 0
TOS 0 Metrics: 10
LS age: 00:02:12
Options: (E DC)
LS Type: Router Links
Link State ID: 10.168.104.2
Advertising Router: 10.168.104.2
LS Seq Number: 80000067
Checksum: 0xA29C
Length: 36
Number of Links: 1
Link connected to: a Transit Network
(Link ID) Designated Router address: 10.168.2.1
(Link Data) Router Interface address: 10.168.2.2
Number of TOS metrics: 0
TOS 0 Metrics: 10
switch#
The show ip ospf neighbor command displays information about the routers that are neighbors to the switch. Command options allow the display of summary or detailed information about the neighbors for all areas and interfaces on the switch. The command also allows the display of neighbors for individual interfaces or areas. The adjacency-changes option displays the interfaces adjacency changes.
switch# show ip ospf neighbor
Neighbor ID   Pri  State     Dead Time  Address     Interface
10.168.104.2  1    FULL/DR   00:00:35   10.168.0.2  Vlan1
10.168.104.2  8    FULL/BDR  00:00:31   10.168.2.2  Vlan2
switch#
switch# show ip ospf neighbor vlan 2 detail
Neighbor 10.168.104.2, interface address 10.168.2.2
In the area 0.0.0.2 via interface Vlan2
Neighbor priority is 8, State is FULL, 13 state changes
Adjacency was established 000:01:25:48 ago
DR is 10.168.2.1 BDR is 10.168.2.2
Options is E
Dead timer due in 00:00:34
switch#
switch# show ip ospf neighbor vlan 2 adjacency-changes
[08-04 08:55:32] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:58:51] 10.168.104.2, interface Vlan2 adjacency dropped: interface went down
[08-04 09:58:58] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:59:34] 10.168.104.2, interface Vlan2 adjacency dropped: interface went down
[08-04 09:59:42] 10.168.104.2, interface Vlan2 adjacency established
[08-04 10:01:40] 10.168.104.2, interface Vlan2 adjacency dropped: nbr did not list our router ID
[08-04 10:01:46] 10.168.104.2, interface Vlan2 adjacency established
switch#
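Repeated drops for one neighbor in a short period, as in the adjacency-changes output above, are worth flagging automatically. The following Python sketch is an added example, not Arista code: it parses that output format, including reason text wrapped onto a second line, and reports neighbors whose adjacency dropped at least a threshold number of times within a sliding window. The threshold, window, assumed year and the month-day reading of the timestamp are assumptions; the sample lines are copied from the output above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Sample lines copied from the adjacency-changes output shown above,
# with the reason text wrapped as the CLI printed it.
SAMPLE_OUTPUT = """\
[08-04 08:55:32] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:58:51] 10.168.104.2, interface Vlan2 adjacency dropped: interface went
down
[08-04 09:58:58] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:59:34] 10.168.104.2, interface Vlan2 adjacency dropped: interface went
down
[08-04 09:59:42] 10.168.104.2, interface Vlan2 adjacency established
[08-04 10:01:40] 10.168.104.2, interface Vlan2 adjacency dropped: nbr did not
list our router ID
[08-04 10:01:46] 10.168.104.2, interface Vlan2 adjacency established
"""

EVENT = re.compile(
    r"\[(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d)\] (\S+), interface (\S+) adjacency "
    r"(established|dropped)(?:: (.*))?$")


def parse_events(text, year=2000):
    """Parse adjacency-change lines; the output has no year, so one is assumed."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT.match(line)
        if m:
            month, day, hour, minute, second = map(int, m.group(1, 2, 3, 4, 5))
            events.append({
                "time": datetime(year, month, day, hour, minute, second),
                "neighbor": m.group(6),
                "interface": m.group(7),
                "kind": m.group(8),
                "reason": m.group(9) or "",
            })
        elif (line and not line.endswith(("#", ">"))
              and events and events[-1]["kind"] == "dropped"):
            # Continuation of a wrapped drop reason; prompt lines are skipped.
            events[-1]["reason"] += " " + line
    return events


def find_flaps(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(neighbor, interface): summary} where drops reach the threshold."""
    drops = defaultdict(list)
    for e in events:
        if e["kind"] == "dropped":
            drops[(e["neighbor"], e["interface"])].append(e)

    report = {}
    for key, evs in drops.items():
        evs.sort(key=lambda e: e["time"])
        worst, start = 0, 0
        for end in range(len(evs)):          # sliding window over drop times
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            report[key] = {
                "max_drops_in_window": worst,
                "reasons": Counter(e["reason"] for e in evs),
            }
    return report


if __name__ == "__main__":
    for key, summary in find_flaps(parse_events(SAMPLE_OUTPUT)).items():
        print(key, summary["max_drops_in_window"], dict(summary["reasons"]))
```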
The show ip ospf neighbor state command displays the state information for OSPF neighbors on a per-interface basis.
Example
switch# show ip ospf neighbor state full
Neighbor ID VRF Pri State Dead Time Address Interface
Test1 default 1 FULL/BDR 00:00:35 10.17.254.105 Vlan3912
Test2 default 1 FULL/BDR 00:00:36 10.17.254.29 Vlan3910
Test3 default 1 FULL/DR 00:00:35 10.25.0.1 Vlan101
Test4 default 1 FULL/DROTHER 00:00:36 10.17.254.67 Vlan3908
Test5 default 1 FULL/DROTHER 00:00:36 10.17.254.68 Vlan3908
Test6 default 1 FULL/BDR 00:00:32 10.17.254.66 Vlan3908
Test7 default 1 FULL/DROTHER 00:00:34 10.17.36.4 Vlan3036
Test8 default 1 FULL/BDR 00:00:35 10.17.36.3 Vlan3036
Test9 default 1 FULL/DROTHER 00:00:31 10.17.254.13 Vlan3902
Test10 default 1 FULL/BDR 00:00:37 10.17.254.11 Vlan3902
Test11 default 1 FULL/DROTHER 00:00:33 10.17.254.163 Vlan3925
Test12 default 1 FULL/DR 00:00:37 10.17.254.161 Vlan3925
Test13 default 1 FULL/DROTHER 00:00:31 10.17.254.154 Vlan3923
Test14 default 1 FULL/BDR 00:00:39 10.17.254.156 Vlan3923
Test15 default 1 FULL/DROTHER 00:00:33 10.17.254.35 Vlan3911
Test16 default 1 FULL/DR 00:00:34 10.17.254.33 Vlan3911
Test17 default 1 FULL/DR 00:00:36 10.17.254.138 Ethernet12
Test18 default 1 FULL/DR 00:00:37 10.17.254.2 Vlan3901
switch>
The show ip ospf neighbor summary command displays a single line of summary information for each OSPFv2 neighbor.
Example
switch# show ip ospf neighbor summary
OSPF Router with (Process ID 1) (VRF default)
0 neighbors are in state DOWN
0 neighbors are in state GRACEFUL RESTART
2 neighbors are in state INIT
0 neighbors are in state LOADING
0 neighbors are in state ATTEMPT
18 neighbors are in state FULL
0 neighbors are in state EXCHANGE
0 neighbors are in state 2 WAYS
0 neighbors are in state EXCH START
switch>
The show ip routes command provides an OSPFv2 option.
switch# show ip route
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP
Gateway of last resort:
S 0.0.0.0/0 [1/0] via 10.255.255.1
C 10.255.255.0/24 is directly connected, Management1
C 10.168.0.0/24 is directly connected, Vlan1
C 10.168.2.0/24 is directly connected, Vlan2
O 10.168.3.0/24 [110/20] via 10.168.0.1
O 10.168.103.0/24 [110/20] via 10.168.0.1
C 10.168.104.0/24 is directly connected, Loopback0
switch#
switch# show ip route ospf
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP
O 10.168.3.0/24 [110/20] via 10.168.0.1
O 10.168.103.0/24 [110/20] via 10.168.0.1
switch#
Use the ping command to determine the accessibility of a route.
Example
switch# ping 10.168.0.1
PING 10.168.0.1 (10.168.0.1) 72(100) bytes of data.
80 bytes from 10.168.0.1: icmp_seq=1 ttl=64 time=0.148 ms
80 bytes from 10.168.0.1: icmp_seq=2 ttl=64 time=0.132 ms
80 bytes from 10.168.0.1: icmp_seq=3 ttl=64 time=0.136 ms
80 bytes from 10.168.0.1: icmp_seq=4 ttl=64 time=0.137 ms
80 bytes from 10.168.0.1: icmp_seq=5 ttl=64 time=0.136 ms
--- 10.168.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 7999ms
rtt min/avg/max/mdev = 0.132/0.137/0.148/0.015 ms
switch#
The show ip ospf spf-log command displays when and how long the switch took to run a full SPF calculation for OSPF.
Example
switch# show ip ospf spf-log
OSPF Process 172.26.0.22
When Duration(msec)
13:01:34 1.482
13:01:29 1.547
13:01:24 1.893
13:00:50 1.459
13:00:45 1.473
13:00:40 2.603
11:01:49 1.561
11:01:40 1.463
11:01:35 1.467
11:01:30 1.434
11:00:54 1.456
11:00:49 1.472
11:00:44 1.582
15:01:49 1.575
15:01:44 1.470
15:01:39 1.679
15:01:34 1.601
15:00:57 1.454
15:00:52 1.446
15:00:47 1.603
switch>
The show ip ospf commands accept an instance ID filter to display the information for a particular OSPFv2 instance. If no instance ID is specified in the show query, information for all the active OSPFv2 instances is shown.
The show ip ospf commands will also display instance ID along with router ID either in the output headers or as a separate column.
Sample output for the show ip ospf command with two OSPFv2 instances with ID 1 and ID 2.
switch# show ip ospf
OSPF instance 1 with ID 1.1.1.1 VRF default
Supports opaque LSA
Maximum number of LSA allowed 12000
Threshold for warning message 75%
Ignore-time 5 minutes, reset-time 5 minutes
Ignore-count allowed 5, current 0
It is not an autonomous system boundary router and is not an area border router
...
OSPF instance 2 with ID 2.2.2.2 VRF default
Supports opaque LSA
Maximum number of LSA allowed 12000
Threshold for warning message 75%
Ignore-time 5 minutes, reset-time 5 minutes
Ignore-count allowed 5, current 0
It is not an autonomous system boundary router and is not an area border router
...
Sample output for the show ip ospf command with Graceful Restart enabled for two OSPFv2 instances with ID 10 and 11.
switch# show ip ospf
OSPF instance 10 with ID 2.2.2.2 VRF default
Supports opaque LSA
Maximum number of LSA allowed 12000
Threshold for warning message 75%
Ignore-time 5 minutes, reset-time 5 minutes
...
Graceful-restart is configured, grace-period 120 seconds
State: In progress, expires in 113 seconds
Graceful-restart-helper mode is enabled
...
OSPF instance 11 with ID 3.3.3.3 VRF default
Supports opaque LSA
Maximum number of LSA allowed 12000
Threshold for warning message 75%
Ignore-time 5 minutes, reset-time 5 minutes
...
Graceful-restart is configured, grace-period 120 seconds
State: In progress, expires in 113 seconds
Graceful-restart-helper mode is enabled
...
Sample output for the show ip ospf neighbor detail command.
switch# show ip ospf neighbor
Neighbor ID Instance VRF Pri State Dead Time Address Interface
2.2.2.2 1 default 1 FULL/DR 00:00:38 10.1.1.2 Ethernet1
4.4.4.4 2 default 1 FULL/DR 00:00:36 40.1.1.2 Ethernet4
switch# show ip ospf neighbor 2.2.2.2 detail
Neighbor 2.2.2.2, instance 1, VRF default, interface address 10.1.1.1
In area 0.0.0.0 interface Ethernet1
Neighbor priority is 1, State is FULL, 7 state changes
Adjacency was established 00:38:48 ago
Current state was established 00:38:48 ago
DR IP Address 10.1.1.2 BDR IP Address 10.1.1.1
Options is E
Dead timer is due in 00:00:35
Inactivity timer deferred 0 times
LSAs retransmitted 1 time to this neighbor
Graceful-restart-helper mode is Inactive
Graceful-restart attempts: 0
Sample output for show ip ospf neighbor detail with BFD enabled.
switch# show ip ospf neighbor 2.2.2.2 detail
Neighbor 3.3.3.3, instance 10, VRF default, interface address 1.0.0.1
In area 1.2.3.4 interface Ethernet1
Neighbor priority is 1, State is FULL, 7 state changes
Adjacency was established 22:03:05 ago
Current state was established 22:03:05 ago
DR IP Address 1.0.0.1 BDR IP Address 1.0.0.2
Options is E
Dead timer is due in 00:00:34
Inactivity timer deferred 0 times
LSAs retransmitted 1 time to this neighbor
Bfd request is sent and the state is Down
Graceful-restart-helper mode is Inactive
Graceful-restart attempts: 0
Neighbor 6.6.6.6, instance 10, VRF default, interface address 1.0.1.1
In area 1.2.3.4 interface Ethernet5
Neighbor priority is 1, State is FULL, 7 state changes
Adjacency was established 22:03:10 ago
Current state was established 22:03:10 ago
DR IP Address 1.0.1.1 BDR IP Address 1.0.1.2
Options is E
Dead timer is due in 00:00:30
Inactivity timer deferred 0 times
LSAs retransmitted 2 times to this neighbor
Bfd request is sent and the state is Down
Graceful-restart-helper mode is Inactive
Graceful-restart attempts: 0
Neighbor 4.4.4.4, instance 12, VRF default, interface address 1.0.3.1
In area 1.2.3.4 interface Ethernet2
Neighbor priority is 1, State is FULL, 7 state changes
Adjacency was established 22:03:10 ago
Current state was established 22:03:10 ago
DR IP Address 1.0.3.1 BDR IP Address 1.0.3.2
Options is E
Dead timer is due in 00:00:32
Inactivity timer deferred 0 times
LSAs retransmitted 1 time to this neighbor
Graceful-restart-helper mode is Inactive
Graceful-restart attempts: 0
The CAPI outputs for OSPFv2 show commands are already indexed by instance ID and remain unchanged.
The show ip route and show ip route ospf commands show routes from all OSPFv2 instances with no mention of instance ID. For example, 11.1.1.0/24 is learned from instance 100 and 12.1.1.0/24 from instance 200.
switch# show ip route
VRF: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route, L - VRF Leaked
Gateway of last resort is not set
O E2 11.1.1.0/24 [110/1] via 20.1.1.2, Ethernet3
C 10.1.1.0/24 is directly connected, Ethernet1
C 20.1.1.0/24 is directly connected, Ethernet3
O 12.1.1.0/24 [110/20] via 10.1.1.2, Ethernet1
switch# show ip route ospf
VRF: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route, L - VRF Leaked
O E2 11.1.1.0/24 [110/1] via 20.1.1.2, Ethernet3
O 12.1.1.0/24 [110/20] via 10.1.1.2, Ethernet1
The show ip route summary command displays the cumulative counts of OSPFv2 routes across all instances.
switch# show ip route summary
VRF: default
Route Source Number Of Routes
------------------------------------- -------------------------
connected 2
static (persistent) 0
static (non-persistent) 0
VXLAN Control Service 0
static nexthop-group 0
ospf 9
Intra-area: 2 Inter-area: 5 External-1: 0 External-2: 2
NSSA External-1: 0 NSSA External-2: 0
ospfv3 0
bgp 0
External: 0 Internal: 0
isis 0
Level-1: 0 Level-2: 0
rip 0
internal 9
attached 1
aggregate 0
dynamic policy 0
Total Routes 14
Number of routes per mask-length:
/8: 2 /24: 3 /32: 9
(config)# show hardware tcam profile
              Configuration  Status
FixedSystem   newprofile1    newprofile1
(config)# show hardware tcam profile detail
(config-hw-tcam)# show hardware tcam profile newprofile1 detail
Profile newprofile1 [ FixedSystem ]
Feature mpls
--------------- ---------------------------------------------------
Key size 160
Actions drop, redirect, set-ecn
Packet type ipv4 mpls ipv4 forwarding mpls decap
ipv4 mpls ipv6 forwarding mpls decap
mpls ipv4 forwarding mpls
mpls ipv6 forwarding mpls
mpls non-ip forwarding mpls
Feature acl vlan ipv6
--------------- ----------------------------------------------------
Key size 320
Key fields dst-ipv6, ipv6-next-header, l4-dst-port, l4-src-port,
src-ipv6-high, src-ipv6-low, tcp-control
Actions count, drop, mirror, redirect
Packet type ipv6 forwarding routed
...
Note that the profile contains all the features that are untouched after copying from the base profile.
(config-hw-tcam)# profile macvlan copy default
(config-hw-tcam-profile-macvlan)# feature acl port mac
(config-hw-tcam-profile-macvlan-feature-acl-port-mac)# key field vlan
(config-hw-tcam-profile-macvlan-feature-acl-port-mac)# exit
(config-hw-tcam-profile-macvlan)# exit
Saving new profile 'macvlan'
(config-hw-tcam)# system profile macvlan
The OSPF Autonomous System in Example 1 contains two areas that are connected through two routers. The backbone area also contains an internal router that connects two subnets.
OSPFv2 Example 1 displays the Example 1 topology. Two ABRs, Router A and Router B, connect area 0 and area 1. Router C is an internal router that connects two subnets in area 0.
This code configures the OSPFv2 instances on the three switches.
The AS in Example 2 contains three areas. Area 0 connects to the other areas through different routers. The backbone area contains an internal router that connects two subnets. Area 0 is normal; the other areas are stub areas.
OSPFv2 Example 2 displays the Example 2 topology. One ABR (Router B) connects area 0 and area 10.42.110.0; another ABR (Router C) connects area 0 and area 36.56.0.0. Router A is an internal router that connects two subnets in area 0.
OSPFv2 Example 3 displays the Example 3 topology. One ABR connects area 0 and area 1. Router C is an ABR that connects the areas. Router A is an internal router that connects two subnets in area 1. Router D and Router E are internal routers that connect subnets in area 0. Router B and Router F are ASBRs that connect static routes outside the AS to area 1 and area 0, respectively.
The auto-cost reference-bandwidth command is a factor in the formula that calculates the default OSPFv2 cost for Ethernet interfaces.
OSPFv2-cost = (auto-cost value * 1 Mbps) / interface bandwidth.
The switch uses a minimum OSPFv2-cost of 1. The switch rounds down all non-integer results.
The no auto-cost reference-bandwidth and default auto-cost reference-bandwidth commands remove the auto-cost reference-bandwidth command from running-config. When this parameter is not set, the default cost for Ethernet interfaces is the default ip ospf cost value of 10.
Command Mode
Router-OSPF Configuration
Command Syntax
auto-cost reference-bandwidth rate
no auto-cost reference-bandwidth rate
default auto-cost reference-bandwidth rate
Parameter
rate Values range from 1 to 4294967. Default is 100.
Example
To configure a default cost of 20 on 10G Ethernet interfaces:
The adjacency exchange-start threshold command sets the exchange-start options for an OSPF instance.
The no adjacency exchange-start threshold and default adjacency exchange-start threshold commands restore the default by removing the corresponding adjacency exchange-start threshold command from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
adjacency exchange-start threshold peers
no adjacency exchange-start threshold
default adjacency exchange-start threshold
Parameter
peers Value ranges from 1 to 4294967295. Default value is 10.
Example
switch(config)# router ospf 6
switch(config-router-ospf)# adjacency exchange-start threshold 20045623
switch(config-router-ospf)#
The area default-cost command specifies the cost for the default summary routes sent into a specified area. The default-cost is set to 10.
The no area default-cost and default area default-cost commands reset the default-cost value of the specified area to 10 by removing the corresponding area default-cost command from running-config. The no area (OSPFv2) command removes all area commands for the specified area from running-config, including the area default-cost command.
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id default-cost def_cost
no area area_id default-cost def_cost
default area area_id default-cost def_cost
Example
switch(config)# router ospf 6
switch(config-router-ospf)# area 23 default-cost 15
switch(config-router-ospf)#
The area filter command prevents an area from receiving Type 3 Summary LSAs and Type 4 ASBR Summary LSAs from a specified subnet.
The no area filter and default area filter commands remove the specified area filter command from running-config. The no area command (see no area (OSPFv2)) removes all area commands for the specified area from running-config, including area filter commands.
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id filter net_addr
no area area_id filter net_addr
default area area_id filter net_addr
Example
switch(config)# router ospf 6
switch(config-router-ospf)# area 2 filter 10.1.1.0/24
switch(config-router-ospf)#
The area not-so-stubby lsa type-7 convert type-5 command configures the switch to always translate Type-7 Link-State Advertisements (LSAs) to Type-5 LSAs.
The no area not-so-stubby lsa type-7 convert type-5 and default area not-so-stubby lsa type-7 convert type-5 commands allow LSAs to be translated dynamically by removing the area not-so-stubby lsa type-7 convert type-5 command from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id not-so-stubby lsa type-7 convert type-5
no area area_id not-so-stubby lsa type-7 convert type-5
default area area_id not-so-stubby lsa type-7 convert type-5
Parameters
Example
switch(config-router-ospf)# area 3 not-so-stubby lsa type-7 convert type-5
switch(config-router-ospf)#
The area nssa command configures an OSPFv2 area as a Not-So-Stubby Area (NSSA). All routers in an AS must specify the same area type for identically numbered areas.
NSSA ASBRs advertise external LSAs that are part of the area, but do not advertise external LSAs from other areas.
Areas are normal by default; area type configuration is required only for stub and NSSA areas. Area 0 is always a normal area and cannot be configured through this command.
The no area nssa command configures the specified area as a normal area by removing the specified area nssa command from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id nssa [TYPE]
no area area_id nssa [TYPE]
default area area_id nssa [TYPE]
Example
switch(config-router-ospf)# area 3 nssa nssa-only
switch(config-router-ospf)#
The default area nssa default-information-originate command sets default route origination for the Not-So-Stubby Area (NSSA), allowing the redistribute policy to advertise a default route if one is present. The resulting OSPF behavior depends on the presence of an installed static default route and on whether static routes are redistributed in OSPF (using the redistribute (OSPFv2) command). The no area nssa default-information-originate command disables advertisement of the default route for the NSSA regardless of the redistribute policy. See Advertisement of Default Route for details.
Areas are normal by default; area type configuration is required only for stub and NSSA areas. Area 0 is always a normal area and cannot be configured through this command.
Static Default Route Installed | Redistribute Static | Command Form | Advertise in ABR | Advertise in ASBR |
no | no | default or no | no | no |
no | no | standard | yes | no |
no | yes | default | yes | yes |
no | yes | no | no | no |
no | yes | standard | yes | no |
yes | no | default or no | no | no |
yes | no | standard | yes | yes |
yes | yes | default | yes | yes |
yes | yes | no | no | no |
yes | yes | standard | yes | yes |
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id nssa default-information-originate [VALUE][TYPE][EXCL]
no area area_id nssa default-information-originate
default area area_id nssa default-information-originate
Example
switch(config-router-ospf)# area 3 nssa default-information-originate nssa-only
switch(config-router-ospf)#
The area nssa no-summary command configures the switch to stop importing type-3 summary LSAs into the Not-So-Stubby Area (NSSA) and sets the default summary route into the NSSA in order to reach the inter-area prefixes.
The no area nssa no-summary and default area nssa no-summary commands allow type-3 summary LSAs into the NSSA area.
The no area nssa and default area nssa commands configure the specified area as a normal area.
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id nssa no-summary
no area area_id nssa no-summary
default area area_id nssa no-summary
Parameters
switch(config)# router ospf 6
switch(config-router-ospf)# area 1.1.1.1 nssa no-summary
switch(config-router-ospf)#
This command directs the device to import type-3 summary LSAs into the NSSA area.
switch(config)# router ospf 6
switch(config-router-ospf)# no area 1.1.1.1 nssa no-summary
switch(config-router-ospf)#
The area range command configures OSPF Area Border Routers (ABRs) to consolidate or summarize routes, to set the cost for those routes, and to suppress summary route advertisements.
The no area (OSPFv2) command removes all area commands for the specified area from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id range net_addr [ADVERTISE_SETTING][COST_SETTING]
no area area_id range net_addr [ADVERTISE_SETTING][COST_SETTING]
default area area_id range net_addr [ADVERTISE_SETTING][COST_SETTING]
switch(config)# router ospf 6
switch(config-router-ospf)# network 10.1.25.80 0.0.0.240 area 5
switch(config-router-ospf)# network 10.1.25.112 0.0.0.240 area 5
switch(config-router-ospf)# area 5 range 10.1.25.64 0.0.0.192
switch(config-router-ospf)#
The network area command assigns a subnet to an area, followed by an area range command that suppresses the advertisement of that subnet.
switch(config-router-ospf)# network 10.12.31.0/24 area 5
switch(config-router-ospf)# area 5 range 10.12.31.0/24 not-advertise
switch(config-router-ospf)#
The area stub command sets the area type of an OSPF area to stub. All devices in an Autonomous System (AS) must specify the same area type for identically numbered areas.
The no area stub command removes the specified stub area from the OSPFv2 instance by deleting all area stub commands from running-config for the specified area.
The no area stub command configures the specified area as a normal area.
Command Mode
Router-OSPF Configuration
Command Syntax
area area_id stub [summarize]
no area area_id stub [summarize]
default area area_id stub [summarize]
switch(config)# router ospf 3
switch(config-router-ospf)# area 45 stub
switch(config-router-ospf)#
switch(config-router-ospf)# area 10.92.148.17 stub
switch(config-router-ospf)#
The clear ip ospf command clears the neighbor statistics per interface.
Command Mode
Privileged EXEC
Command Syntax
clear ip ospf [PROCESS_ID] neighbor [LOCATION][VRF_INSTANCE]
switch# clear ip ospf neighbor *
switch#
switch# clear ip ospf neighbor ethernet 3
switch#
The compatible command allows the selective disabling of compatibility with RFC 2328.
The no compatible and default compatible commands revert OSPF to RFC 2328 compatibility and remove the compatible statement from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
compatible rfc1583
no compatible rfc1583
default compatible rfc1583
switch(config)# router ospf 6
switch(config-router-ospf)# compatible rfc1583
switch(config-router-ospf)#
switch(config)# router ospf 6
switch(config-router-ospf)# no compatible rfc1583
switch(config-router-ospf)#
The default-information originate command enables default route origination for normal areas. The user may configure the metric value and metric type used in LSAs. The always option causes the ASBR to create and advertise a default route whether or not one is configured.
The no default-information originate command prevents the advertisement of the default route. The default default-information originate command enables default route origination with default values (metric type 2, metric=1).
Command Mode
Router-OSPF Configuration
Command Syntax
default-information originate [FORCE][VALUE][TYPE][MAP]
no default-information originate
default default-information originate
Parameters
switch(config)# router ospf 1
switch(config-router-ospf)# default-information originate always
switch(config-router-ospf)# show active
router ospf 1
default-information originate always
switch(config)# router ospf 1
switch(config-router-ospf)# default-information originate metric 100 metric-type 1
The distance ospf command specifies the administrative distance for intra-area, inter-area, or external OSPF routes. The command must be issued separately for each route type being configured. The default administrative distance for all routes is 110.
The no distance ospf and default distance ospf commands remove the corresponding distance ospf command from running-config, returning the OSPFv2 administrative distance setting for the specified route type to the default value of 110.
Command Mode
Router-OSPF Configuration
Command Syntax
distance ospf [external | inter-area | intra-area]
no distance ospf [external | inter-area | intra-area]
default distance ospf [external | inter-area | intra-area]
Example
switch(config)# router ospf 6
switch(config-router-ospf)# distance ospf intra-area 85
switch(config-router-ospf)#
A distribute list uses a route map or prefix list to filter specific routes from incoming OSPF LSAs. Filtering occurs after SPF calculation. The filtered routes are not installed on the switch, but are still included in LSAs sent by the switch. The distribute-list in command creates a distribute list in the configuration mode OSPF instance.
If a prefix list is used, destination prefixes that do not match the prefix list will not be installed. If a route map is used, routes may be filtered based on address, next hop, or metric. OSPF external routes may also be filtered by metric type or tag.
The no distribute-list in and default distribute-list in commands remove the distribute-list in command from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
distribute-list {prefix-list | route-map} list_name in
no distribute-list {prefix-list | route-map}
default distribute-list {prefix-list | route-map}
Example
switch(config)# router ospf 5
switch(config-router-ospf)# distribute-list prefix-list dist_list1 in
switch(config-router-ospf)#
The dn-bit-ignore command causes the DN bit in Type 3 Summary LSAs to be ignored during the Shortest Path First (SPF) calculations.
The no dn-bit-ignore and default dn-bit-ignore commands cause the DN bit in Type 3 Summary LSAs not to be ignored during SPF calculations.
Command Mode
Router-OSPF Configuration
Command Syntax
dn-bit-ignore
no dn-bit-ignore
default dn-bit-ignore
switch(config)# router ospf 6
switch(config-router-ospf)# dn-bit-ignore
switch(config-router-ospf)#
This command causes the DN bit not to be ignored.
switch(config)# router ospf 6
switch(config-router-ospf)# no dn-bit-ignore
switch(config-router-ospf)#
OSPF packets by default are sent with Time to Live (TTL) value 1. This may not work in tunnel scenarios where the peer tunnel end point could be more than one hop away. It is recommended to explicitly configure TTL on the tunnel interface. TTL configuration is allowed only if path-mtu-discovery is configured.
Command Mode
Configuration mode
Command Syntax
interface Tunnel Tunnel No
Parameters
Tunnel No Tunnel number.
(config)# interface Tunnel 5
(config-if-Tu5)# tunnel path-mtu-discovery
(config-if-Tu5)# tunnel ttl 5
The ip ospf area command enables OSPFv2 on an interface and associates the area to the interface.
The no ip ospf area and default ip ospf area commands disable OSPFv2 on the configuration mode interface and remove the configured area from the system.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf area area_id
no ip ospf area area_id
default ip ospf area area_id
Parameters
area_id The area ID. Valid values are 0 to 4294967295, or a dotted-decimal value between 0.0.0.0 and 255.255.255.255.
Example
switch(config)# Interface ethernet 2
switch(config-if-Et2)# ip address 1.0.0.1/24
switch(config-if-Et2)# ip ospf area 1.1.1.1
router ospf 1
The ip ospf authentication command enables OSPFv2 authentication for the configuration mode interface.
The no ip ospf authentication and default ip ospf authentication commands disable OSPFv2 authentication on the configuration mode interface by removing the corresponding ip ospf authentication command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf authentication [METHOD]
no ip ospf authentication
default ip ospf authentication
Parameters
switch(config)# interface vlan 12
switch(config-if-vl12)# ip ospf authentication
switch(config-if-vl12)#
switch(config-if-vl12)# ip ospf authentication message-digest
switch(config-if-vl12)#
The ip ospf authentication-key command configures the OSPFv2 authentication password for the configuration mode interface.
The no ip ospf authentication-key and default ip ospf authentication-key commands remove the OSPFv2 authentication password from the configuration mode interface by removing the corresponding ip ospf authentication-key command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf authentication-key [ENCRYPT_TYPE] key_text
no ip ospf authentication-key
default ip ospf authentication-key
Example
switch(config)# interface vlan 12
switch(config-if-Vl12)# ip ospf authentication-key 0 code123
switch(config-if-Vl12)# show active
interface Vlan12
ip ospf authentication-key 7 baYllFzVbcx4yHq1IhmMdw==
switch(config-if-Vl12)#
The running-config stores the password as an encrypted string.
The no ip ospf cost and default ip ospf cost commands restore the default OSPFv2 cost for the configuration mode interface by removing the corresponding ip ospf cost command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf cost interface_cost
no ip ospf cost
default ip ospf cost
Parameters
interface_cost Value ranges from 1 to 65535; default is 10.
Example
switch(config)# interface vlan 2
switch(config-if-Vl2)# ip ospf cost 15
switch(config-if-Vl2)#
The ip ospf dead-interval command configures the dead interval for the configuration mode interface.
The no ip ospf dead-interval and default ip ospf dead-interval commands restore the default dead interval of 40 seconds on the configuration mode interface by removing the corresponding ip ospf dead-interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf dead-interval time
no ip ospf dead-interval
default ip ospf dead-interval
Parameters
time Value ranges from 1 to 8192; default is 40.
Example
switch(config)# interface vlan 4
switch(config-if-Vl4)# ip ospf dead-interval 120
switch(config-if-Vl4)#
The ip ospf disabled command disables OSPFv2 on the configuration mode interface without disrupting the OSPFv2 configuration. When OSPFv2 is enabled on the switch, it is also enabled by default on all interfaces.
The OSPFv2 instance is disabled on the entire switch with the shutdown (OSPFv2) command.
The no ip ospf disabled and default ip ospf disabled commands enable OSPFv2 on the configuration mode interface by removing the corresponding ip ospf disabled command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf disabled
no ip ospf disabled
default ip ospf disabled
switch(config)# interface vlan 5
switch(config-if-Vl5)# ip ospf disabled
switch(config-if-Vl5)#
switch(config-if-Vl5)# no ip ospf disabled
switch(config-if-Vl5)#
The ip ospf hello-interval command configures the OSPFv2 hello interval for the configuration mode interface.
The same hello interval should be specified for each OSPFv2 neighbor, and it should not be longer than any neighbor's dead interval.
The no ip ospf hello-interval and default ip ospf hello-interval commands restore the default hello interval of 10 seconds on the configuration mode interface by removing the ip ospf hello-interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf hello-interval time
no ip ospf hello-interval
default ip ospf hello-interval
Parameter
time Hello interval (seconds). Values range from 1 to 8192; default is 10.
Example
switch(config)# interface vlan 2
switch(config-if-Vl2)# ip ospf hello-interval 30
switch(config-if-Vl2)#
The ip ospf message-digest-key command configures a message digest authentication key for the configuration mode interface.
The no ip ospf message-digest-key and default ip ospf message-digest-key commands remove the message digest authentication key for the specified key ID on the configuration mode interface by deleting the corresponding ip ospf message-digest-key command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf message-digest-key key_id md5 ENCRYPT_TYPE key_text
no ip ospf message-digest-key key_id
default ip ospf message-digest-key key_id
Example
switch(config)# interface vlan 12
switch(config-if-vl12)# ip ospf message-digest-key 23 md5 0 code123
switch(config-if-vl12)#
The running-config stores the password as an encrypted string.
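An added example (not Arista code and not part of the original page): a Python audit that reads a running-config and applies the ip ospf authentication, message-digest-key, hello-interval and dead-interval commands documented above to every interface where OSPFv2 is enabled through ip ospf area or a network area statement. The sample configuration, its placeholder key strings, the finding codes and the assumption that sub-commands are indented under each interface line are all constructed for this illustration.

```python
import ipaddress
import re

# Constructed running-config excerpt for this example; key strings are placeholders.
SAMPLE_CONFIG = """\
interface Ethernet2
   ip address 10.1.10.1/24
   ip ospf area 0.0.0.0
!
interface Vlan12
   ip address 10.1.12.1/24
   ip ospf authentication
   ip ospf authentication-key 7 PLACEHOLDER==
!
interface Vlan20
   ip address 10.1.20.1/24
   ip ospf authentication message-digest
!
interface Vlan30
   ip address 10.1.30.1/24
   ip ospf authentication message-digest
   ip ospf message-digest-key 23 md5 7 PLACEHOLDER==
   ip ospf hello-interval 60
!
interface Vlan40
   ip address 192.0.2.1/24
!
router ospf 6
   network 10.1.12.0/24 area 0
   network 10.1.20.0 0.0.0.255 area 0
   network 10.1.30.0/24 area 0
"""

DEFAULT_HELLO, DEFAULT_DEAD = 10, 40  # seconds, defaults stated in this chapter
FINDINGS = {
    "NO_AUTH": "OSPFv2 runs without ip ospf authentication",
    "SIMPLE_AUTH": "simple password authentication, not message-digest",
    "MD_NO_KEY": "message-digest enabled but no ip ospf message-digest-key",
    "HELLO_GT_DEAD": "hello-interval exceeds the interface's dead-interval",
}

def parse_stanzas(config):
    """Split a running-config into {top-level line: [indented sub-commands]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line.strip()
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas

def ospf_networks(stanzas):
    """Subnets placed in an area by 'network ... area ...' statements."""
    nets = []
    for header, cmds in stanzas.items():
        if header.startswith("router ospf"):
            for cmd in cmds:
                m = re.match(r"network (\S+)(?: (\S+))? area \S+$", cmd)
                if m:  # accepts 'a.b.c.d/len' and 'a.b.c.d wildcard-mask'
                    spec = "/".join(g for g in m.groups() if g)
                    nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def timer(cmds, keyword, default):
    """Value of 'ip ospf <keyword> N' on an interface, else the default."""
    values = [int(c.split()[-1]) for c in cmds if c.startswith(f"ip ospf {keyword} ")]
    return values[-1] if values else default

def audit(config):
    """Return sorted (interface, finding-code) pairs. Passive interfaces are not modelled."""
    stanzas = parse_stanzas(config)
    nets = ospf_networks(stanzas)
    results = []
    for header, cmds in stanzas.items():
        if not header.startswith("interface ") or "ip ospf disabled" in cmds:
            continue
        name = header.split(None, 1)[1]
        addrs = [c.split()[2] for c in cmds if c.startswith("ip address ") and "/" in c]
        by_network = any(ipaddress.ip_interface(a).ip in n for a in addrs for n in nets)
        if not (by_network or any(c.startswith("ip ospf area ") for c in cmds)):
            continue  # OSPFv2 is not enabled on this interface
        if "ip ospf authentication message-digest" in cmds:
            if not any(c.startswith("ip ospf message-digest-key ") for c in cmds):
                results.append((name, "MD_NO_KEY"))
        elif "ip ospf authentication" in cmds:
            results.append((name, "SIMPLE_AUTH"))
        else:
            results.append((name, "NO_AUTH"))
        hello = timer(cmds, "hello-interval", DEFAULT_HELLO)
        if hello > timer(cmds, "dead-interval", DEFAULT_DEAD):
            results.append((name, "HELLO_GT_DEAD"))
    return sorted(results)

if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(f"{name}: {FINDINGS[code]}")
```

The hello/dead comparison uses the interface's own dead interval as a stand-in for its neighbors' setting, so a finding there means the pair of timers should be compared against the neighbor configuration.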
The ip ospf network point-to-point command sets the configuration mode interface as a point-to-point link. By default, interfaces are configured as broadcast links.
The no ip ospf network and default ip ospf network commands set the configuration mode interface as a broadcast link by removing the corresponding ip ospf network command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf network point-to-point
no ip ospf network
default ip ospf network
switch(config)# interface ethernet 10
switch(config-if-Et10)# ip ospf network point-to-point
switch(config-if-Et10)#
switch(config-if-Et10)# no ip ospf network
switch(config-if-Et10)#
The ip ospf retransmit-interval command configures the link state advertisement retransmission interval for the interface.
The no ip ospf retransmit-interval and default ip ospf retransmit-interval commands restore the default retransmission interval of 5 seconds on the configuration mode interface by removing the corresponding ip ospf retransmit-interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf retransmit-interval period
no ip ospf retransmit-interval
default ip ospf retransmit-interval
Parameters
period Retransmission interval (seconds). Value ranges from 1 to 8192; default is 5.
Example
switch(config)# interface vlan 3
switch(config-if-Vl3)# ip ospf retransmit-interval 15
switch(config-if-Vl3)#
The no ip ospf router-id output-format hostnames and default ip ospf router-id output-format hostnames commands remove the ip ospf router-id output-format hostnames command from running-config, restoring the default behavior of displaying OSPFv2 router IDs by their numeric value.
Command Mode
Global Configuration
Command Syntax
ip ospf router-id output-format hostnames
no ip ospf router-id output-format hostnames
default ip ospf router-id output-format hostnames
Example
This command programs the switch to display OSPFv2 router IDs by the corresponding DNS name in subsequent show commands.
switch(config)# ip ospf router-id output-format hostnames
switch(config)#
The ip ospf transmit-delay command configures the transmission delay for OSPFv2 packets over the configuration mode interface.
The no ip ospf transmit-delay and default ip ospf transmit-delay commands restore the default transmission delay (1 second) on the configuration mode interface by removing the corresponding ip ospf transmit-delay command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf transmit-delay trans
no ip ospf transmit-delay
default ip ospf transmit-delay
Parameters
trans LSA transmission delay (seconds). Value ranges from 1 to 8192; default is 1.
Example
switch(config)# interface vlan 6
switch(config-if-Vl6)# ip ospf transmit-delay 5
switch(config-if-Vl6)#
The ip ospf priority command configures OSPFv2 router priority for the configuration mode interface.
The no ip ospf priority and default ip ospf priority commands restore the default priority (1) on the configuration mode interface by removing the corresponding ip ospf priority command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip ospf priority priority_level
no ip ospf priority
default ip ospf priority
Parameter
priority_level Priority level. Value ranges from 0 to 255. Default value is 1.
switch(config)# interface vlan 8
switch(config-if-Vl8)# ip ospf priority 15
switch(config-if-Vl8)#
switch(config)# interface vlan 7
switch(config-if-Vl7)# no ip ospf priority
switch(config-if-Vl7)#
The line system command places the switch in the OSPF - Line System configuration mode.
The no line system command removes the Line System configurations from the running-config.
Command Mode
Global Configuration Mode
Command Syntax
line system
no line system
Parameters
Example
switch# config
switch(config)# line system
switch(config-ls)#
The log-adjacency-changes command configures the switch to send syslog messages when it detects OSPFv2 link state changes or when it detects that a neighbor has gone up or down. Log message sending is enabled by default.
The default log-adjacency-changes command restores the default state by removing the log-adjacency-changes statement from running-config.
The default option (sending a message only when a neighbor goes up or down) is active when running-config does not contain any form of the command. Entering the command in any form replaces the previous command state in running-config.
The no log-adjacency-changes command disables link state change syslog reporting.
The default log-adjacency-changes command restores the default state by removing the log-adjacency-changes detail or no log-adjacency-changes statement from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
log-adjacency-changes detail
no log-adjacency-changes
default log-adjacency-changes
switch(config)# router ospf 6
switch(config-router-ospf)# log-adjacency-changes
switch(config-router-ospf)#
switch(config-router-ospf)# show active router ospf 1
switch(config-router-ospf)#
switch(config-router-ospf)# log-adjacency-changes detail
switch(config-router-ospf)#
switch(config-router-ospf)# show active router ospf 1
switch(config-router-ospf)# log-adjacency-changes detail
switch(config-router-ospf)#
The maximum-paths command controls the number of parallel routes that OSPFv2 supports. The default maximum is 16 paths.
The no maximum-paths and default maximum-paths commands restore the maximum number of parallel routes that OSPFv2 supports on the switch to the default value of 16 by placing the maximum-paths 16 statement in running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
maximum-paths paths
no maximum-paths
default maximum-paths
Parameters
paths Maximum number of parallel routes.
Example
switch(config)# router ospf 6
switch(config-router-ospf)# maximum-paths 12
switch(config-router-ospf)#
The no max-lsa and default max-lsa commands restore all LSA overload parameters to their default settings.
Command Mode
Router-OSPF Configuration
Command Syntax
max-lsa lsa_num [WARNING] [IGNORE_TIME][IGNORE_COUNT][RESET]
no max-lsa
default max-lsa
Example
switch(config-router-ospf)# max-lsa 8000 40 ignore-time 6 ignore-count 3 reset-time 20
switch(config-router-ospf)#
The max-metric router-lsa command configures OSPF to include the maximum value in LSA metric fields to keep other network devices from using the switch as a preferred intermediate SPF hop.
The no max-metric router-lsa and default max-metric router-lsa commands disable the advertisement of a maximum metric.
Command Mode
Router-OSPF Configuration
Command Syntax
max-metric router-lsa [EXTERNAL][STUB][STARTUP][SUMMARY]
no max-metric router-lsa [EXTERNAL][STUB][STARTUP][SUMMARY]
default max-metric router-lsa [EXTERNAL][STUB][STARTUP][SUMMARY]
Parameters
Example
switch(config-router-ospf)# max-metric router-lsa on-startup wait-for-bgp
switch(config-router-ospf)#
The network area command assigns the specified IPv4 subnet to an OSPFv2 area.
The no network area and default network area commands delete the specified network area assignment by removing the corresponding network area command from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
network ipv4_subnet area area_id
no network ipv4_subnet area area_id
default network ipv4_subnet area area_id
Example
switch(config-router-ospf)# network 10.1.10.0 0.0.0.255 area 0
switch(config-router-ospf)# network 10.1.10.0/24 area 0
switch(config-router-ospf)#
Command Mode
Router-OSPF Configuration
Command Syntax
no area area_id [TYPE]
default area area_id [TYPE]
switch(config)# router ospf 6
switch(config-router-ospf)# no area 1
switch(config-router-ospf)#
switch(config-router-ospf)# no area 10.92.148.17 nssa
switch(config-router-ospf)#
This describes packet types that the feature is applied on.
Command Mode
system-feature-source-profile
(config-hw-tcam-profile-profile-feature-feature)
Command Syntax
packet packet header tokens forwarding [bridged | routed | mpls] [multicast] [decap]
Guidelines
On DCS-7020, DCS-7280R/R2 or DCS-7500R/R2, enabling OSPF routes over GRE tunnels requires the system TCAM profile to have “Tunnel IPv4” feature enabled so that control packets such as OSPF hellos received over GRE tunnel interfaces are appropriately classified. This can be achieved by creating a user defined TCAM profile.
The user defined TCAM profile may be created either manually from scratch or by copying from an existing TCAM profile. The system TCAM profile must have the feature tunnel ipv4 for OSPFv2 over GRE tunnel interfaces to work. This is applicable regardless of whether the TCAM profile is copied from an existing profile or created from scratch.
(config)# hardware tcam
(config-hw-tcam)# profile profilename copy default
(config-hw-tcam-profile-profile)# feature tunnel ipv4 copy system-feature-source-profile
(config-hw-tcam-profile-profile-feature-feature)# packet ipv4 non-vxlan forwarding routed decap
(config-hw-tcam-profile-profile-feature-feature)# packet ipv4 non-vxlan forwarding routed multicast decap
(config-hw-tcam-profile-profile-feature-feature)# key field inner-dst-ip inner-ip-protocol inner-l4-dst-port inner-l4-src-port inner-ttl
(config-hw-tcam-profile-profile-feature-feature)# key size limit 160
(config-hw-tcam-profile-profile-feature-feature)# exit
It may be necessary to disassociate some features that are not applicable to GRE encapsulated packets from the GRE TCAM program to make room for the tunnel ipv4 feature.
The passive-interface default command configures all interfaces as OSPFv2 passive by default. The switch advertises the passive interface as part of the router LSA.
The no passive-interface and default passive-interface commands configure all interfaces as OSPFv2 active by default by removing the passive-interface default statement from running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
passive-interface default
no passive-interface default
default passive-interface default
switch(config)# router ospf 6
switch(config-router-ospf)# passive-interface default
switch(config-router-ospf)#
switch(config-router-ospf)# no passive-interface default
switch(config-router-ospf)#
The passive-interface command disables OSPFv2 on an interface range. The switch advertises the passive interface as part of the LSA.
The no passive-interface command enables OSPFv2 on the specified interface range. The default passive-interface command sets the interface to the default interface activity setting by removing the corresponding passive-interface or no passive-interface statement from the running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
passive-interface INTERFACE_NAME
no passive-interface INTERFACE_NAME
default passive-interface INTERFACE_NAME
switch(config)# router ospf 6
switch(config-router-ospf)# passive-interface ethernet 2-5
switch(config-router-ospf)#
switch(config-router-ospf)# passive-interface vlan 50-54,61,68,102-120
switch(config-router-ospf)#
switch(config-router-ospf)# no passive-interface vlan 2
switch(config-router-ospf)#
The point-to-point routes command enables the switch to maintain a local Routing Information Base (RIB) to store information it learns from its neighbors.
The no point-to-point routes and default point-to-point routes commands program the switch to include point-to-point links in its RIB by removing the point-to-point routes command from the running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
point-to-point routes
no point-to-point routes
default point-to-point routes
switch(config)# router ospf 6
switch(config-router-ospf)# no point-to-point routes
switch(config-router-ospf)#
switch(config-router-ospf)# point-to-point routes
switch(config-router-ospf)#
The redistribute command enables the advertising of all specified routes on the switch into the OSPFv2 domain as external routes.
The no redistribute and default redistribute commands remove the corresponding redistribute command from the running-config, disabling route redistribution for the specified route type.
Command Mode
Router-OSPF Configuration
Command Syntax
redistribute ROUTE_TYPE [ROUTE_MAP]
no redistribute ROUTE_TYPE [ROUTE_MAP]
default redistribute ROUTE_TYPE [ROUTE_MAP]
switch(config)# router ospf 6
switch(config-router-ospf)# redistribute static
switch(config-router-ospf)#
switch(config-router-ospf)# no redistribute bgp
switch(config-router-ospf)#
Redistributing connected routes causes the OSPFv2 instance to advertise all connected routes on the switch as external OSPFv2 routes. Connected routes are routes that are established when IPv4 is enabled on an interface.
Command Mode
config-router-bgp
Command Syntax
redistribute ospf [include [leaked] | match [external | internal | nssa-external] | route-map word]
no redistribute ospf [match [external | internal | nssa-external]]
default redistribute ospf [match [external | internal | nssa-external]]
Example
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute OSPF
switch(config-router-bgp)#
The redistribute ospf instance command redistributes either the non-leaked routes, or both leaked and non-leaked routes. The exit command returns the switch to the global configuration mode.
Command Mode
Router-OSPF Configuration
Command Syntax
redistribute ospf instance [OPTIONS]
switch(config-router-ospf)# redistribute ospf instance match external
switch(config-router-ospf)# redistribute ospf instance include leaked match internal
The router ospf command places the switch in router-ospf configuration mode. The switch will create a process ID for the new instance if one does not already exist. The exit command returns the switch to the global configuration mode.
The show ip ospf command displays the process ID of the OSPFv2 instances configured on the switch.
The no router ospf and default router ospf commands delete the specified OSPFv2 instance.
The router-ospf configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting router-ospf configuration mode does not affect running-config. The exit command returns the switch to the global configuration mode.
Refer to the Router-OSPFv2 Configuration Mode for a list of commands available in router-ospf configuration mode.
Command Mode
Global Configuration
Command Syntax
router ospf process_id [VRF_INSTANCE]
no router ospf process_id [VRF_INSTANCE]
default router ospf process_id [VRF_INSTANCE]
switch(config)# router ospf 145
switch(config-router-ospf)#
switch(config)# no router ospf 145
switch(config)#
The router-id command assigns a router ID for an OSPFv2 instance. This number uniquely identifies the router within an Autonomous System. Status commands use the router ID to identify the switch.
The no router-id and default router-id commands remove the router ID command from the running-config; the switch uses the loopback or highest address as the router ID.
Command Mode
Router-OSPF Configuration
Command Syntax
router-id [identifier]
no router-id [identifier]
default router-id [identifier]
Parameters
identifier Value ranges from 0.0.0.0 to 255.255.255.255.
Example
This command assigns 10.5.4.2 as the router ID for the OSPFv2 instance.
switch(config)# router ospf 6
switch(config-router-ospf)# router-id 10.5.4.2
switch(config-router-ospf)#
Use the show hardware tcam profile command to verify that the user-defined-tcam profile is applied correctly without errors on the DCS-7020, DCS-7280R/R2, or DCS-7500R/R2 platforms.
Command Mode
EXEC
Command Syntax
show hardware tcam profile [profile] detail
Example
(config-hw-tcam)# show hardware tcam profile newprofile1 detail
Profile newprofile1 [ FixedSystem ]
Feature mpls
--------------- ----------------------------------------------------
Key size 160
Actions drop, redirect, set-ecn
Packet type ipv4 mpls ipv4 forwarding mpls decap
ipv4 mpls ipv6 forwarding mpls decap
mpls ipv4 forwarding mpls
mpls ipv6 forwarding mpls
mpls non-ip forwarding mpls
Feature acl vlan ipv6
--------------- -----------------------------------------------------
Key size 320
Key fields dst-ipv6, ipv6-next-header, l4-dst-port, l4-src-port,
src-ipv6-high, src-ipv6-low, tcp-control
Actions count, drop, mirror, redirect
Packet type ipv6 forwarding routed
...
The show ip ospf border-routers command displays the internal OSPFv2 routing table entries to Area Border Routers (ABRs) and Autonomous System Boundary Routers (ASBRs) for each of the OSPFv2 areas.
Command Mode
EXEC
Command Syntax
show ip ospf border-routers [VRF_INSTANCE]
Parameters
Example
switch# show ip ospf border-routers
OSPF Process 10.17.0.42, VRF default
Router ID Area Type
10.17.0.1 0.0.0.0 ASBR
switch>
The show ip ospf database database-summary command displays the number of link state advertisements in the OSPFv2 database.
Command Mode
EXEC
Command Syntax
show ip ospf [AREA] database database-summary [VRF_INSTANCE]
Example
switch# show ip ospf 1 0 database database-summary
LSA Type Count
Router 18
Network 21
Summary Net 59
Summary ASBR 4
Type-7 Ext 0
Opaque Area 0
Type-5 Ext 4238
Opaque AS 0
Total 4340
switch>
The show ip ospf database <link state list> command displays the OSPFv2 link state advertisements that originate on a specified switch.
Command Mode
EXEC
Command Syntax
show ip ospf [AREA] database [ROUTER] [VRF_INSTANCE]
Example
switch# show ip ospf database adv-router 10.26.0.31
OSPF Router with ID(10.26.0.23) (Process ID 1) (VRF default)
10.26.0.31 10.26.0.31 918 0x80002b4a 0x1315 3
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum
10.24.238.238 10.26.0.31 678 0x800003d2 0x8acf 0
10.24.238.244 10.26.0.31 678 0x800003d2 0x4e06 0
10.24.238.224 10.26.0.31 678 0x800003d2 0x1751 0
<-------OUTPUT OMITTED FROM EXAMPLE-------->
Type 11 Opaque LSDB
Type Link ID ADV Router Age Seq# Checksum
switch>
The show ip ospf database command displays details of the specified link state advertisements.
Command Mode
EXEC
Command Syntax
show ip ospf [AREA] database LINKSTATE_TYPE linkstate_id [ROUTER] [VRF_INSTANCE]
Value depends on the LSA type.
switch# show ip ospf 1 2 database router
OSPF Router with ID(10.168.103.1) (Process ID 1) (VRF default)
Router Link States (Area 0.0.0.2)
LS age: 00:02:16
Options: (E DC)
LS Type: Router Links
Link State ID: 10.168.103.1
Advertising Router: 10.168.103.1
LS Seq Number: 80000032
Checksum: 0x1B60
Length: 36
Number of Links: 1
Link connected to: a Transit Network
(Link ID) Designated Router address: 10.168.2.1
(Link Data) Router Interface address: 10.168.2.1
Number of TOS metrics: 0
TOS 0 Metrics: 10
LS age: 00:02:12
Options: (E DC)
LS Type: Router Links
Link State ID: 10.168.104.2
Advertising Router: 10.168.104.2
LS Seq Number: 80000067
Checksum: 0xA29C
Length: 36
Number of Links: 1
Link connected to: a Transit Network
(Link ID) Designated Router address: 10.168.2.1
(Link Data) Router Interface address: 10.168.2.2
Number of TOS metrics: 0
TOS 0 Metrics: 10
switch>
switch# show ip ospf 1 2 database
OSPF Router with ID(10.168.103.1)(Process ID 1) (VRF default)
Router Link States (Area 0.0.0.2)
Link ID ADV Router Age Seq# Checksum Link count
10.168.103.1 10.168.103.1 00:29:08 0x80000031 0x001D5F 1
10.168.104.2 10.168.104.2 00:29:09 0x80000066 0x00A49B 1
Net Link States (Area 0.0.0.2)
Link ID ADV Router Age Seq# Checksum
10.168.2.1 10.168.103.1 00:29:08 0x80000001 0x00B89D
Summary Net Link States (Area 0.0.0.2)
Link ID ADV Router Age Seq# Checksum
10.168.0.0 10.168.103.1 00:13:20 0x80000028 0x0008C8
10.168.0.0 10.168.104.2 00:09:16 0x80000054 0x00A2FF
10.168.3.0 10.168.104.2 00:24:16 0x80000004 0x00865F
10.168.3.0 10.168.103.1 00:24:20 0x80000004 0x002FC2
10.168.103.0 10.168.103.1 00:14:20 0x80000028 0x0096D2
10.168.103.0 10.168.104.2 00:13:16 0x80000004 0x00364B
10.168.104.0 10.168.104.2 00:08:16 0x80000055 0x002415
10.168.104.0 10.168.103.1 00:13:20 0x80000028 0x00EF6E
switch>
The show ip ospf interface brief command displays a summary of OSPFv2 information.
Command Mode
EXEC
Command Syntax
show ip ospf [PROCESS_ID] interface brief [VRF_INSTANCE]
Related Command
Example
switch# show ip ospf interface brief
Interface PID Area IP Address Cost State Nbrs
Loopback0 1 0.0.0.0 10.168.103.1/24 10 DR 0
Vlan1 1 0.0.0.0 10.168.0.1/24 10 BDR 1
Vlan2 1 0.0.0.2 10.168.2.1/24 10 BDR 1
Vlan3 1 0.0.0.3 10.168.3.1/24 10 DR 0
switch>
The show ip ospf interface command displays interface information that is related to OSPFv2.
Command Mode
EXEC
Command Syntax
show ip ospf [PROCESS_ID] interface [INTERFACE_NAME][VRF_INSTANCE]
Related Command
Example
switch# show ip ospf interface vlan 1
Vlan1 is up, line protocol is up (connected)
Internet Address 10.168.0.1/24, VRF default, Area 0.0.0.0
Process ID 1, Router ID 10.168.103.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router is 10.168.104.2
Backup Designated router is 10.168.103.1
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 1
MTU is 1500
switch>
The show ip ospf lsa-log command displays log entries when LSA update messages are sent or received for OSPF.
Command Mode
EXEC
Command Syntax
show ip ospf [PROCESS_ID] lsa-log
Parameters
Example
switch# show ip ospf lsa-log
OSPF Process 3.3.3.3, LSA Throttling Log:
[04:21:09] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 2000 msecs
[04:21:08] type 1: 3.3.3.3/32 [3.3.3.3], event 2, backoff restarted, new hold value 900 msecs
[04:21:00] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 3000 msecs
[04:21:00] type 1: 3.3.3.3/32 [3.3.3.3], event 4, maxwait value changed, new hold value 3000 msecs
/* Here the maxwait value was changed to 3000 from earlier 32000, this is not part of the log */
[04:20:42] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 32000 msecs
[04:20:10] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 32000 msecs
[04:19:54] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 16000 msecs
[04:19:46] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 8000 msecs
[04:19:42] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 4000 msecs
[04:19:40] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 2000 msecs
[04:19:39] type 1: 3.3.3.3/32 [3.3.3.3], event 2, backoff restarted, new hold value 900 msecs
[04:19:22] type 1: 4.4.4.4/32 [4.4.4.4], event 3, discarded, was early by 995 msecs
[04:19:22] type 1: 3.3.3.3/32 [3.3.3.3], event 0, backoff started, new hold value 1000 msecs
switch#
The show ip ospf neighbor adjacency-changes command displays the OSPFv2 neighbor adjacency change log for specified interfaces.
Command Mode
EXEC
Command Syntax
show ip ospf neighbor [INTERFACE_NAME][NEIGHBOR] adjacency-changes [VRF_INSTANCE]
Example
switch# show ip ospf neighbor vlan 2 adjacency-changes
[08-04 08:55:32] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:58:51] 10.168.104.2, interface Vlan2 adjacency dropped: interface went down
[08-04 09:58:58] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:59:34] 10.168.104.2, interface Vlan2 adjacency dropped: interface went down
[08-04 09:59:42] 10.168.104.2, interface Vlan2 adjacency established
[08-04 10:01:40] 10.168.104.2, interface Vlan2 adjacency dropped: nbr did not
list our router ID
[08-04 10:01:46] 10.168.104.2, interface Vlan2 adjacency established
switch>
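The adjacency-changes log above can be screened for unstable neighbors. The following is an added example, not part of the EOS documentation: it parses the log format shown above, rejoins an entry that wraps onto a second line, and reports neighbors whose adjacency dropped repeatedly inside a time window. The function names, the threshold, the window, and the year used to parse the timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample log reproducing the adjacency-changes output above, including the
# entry whose drop reason continues on a second line.
SAMPLE_LOG = """\
[08-04 08:55:32] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:58:51] 10.168.104.2, interface Vlan2 adjacency dropped: interface went down
[08-04 09:58:58] 10.168.104.2, interface Vlan2 adjacency established
[08-04 09:59:34] 10.168.104.2, interface Vlan2 adjacency dropped: interface went down
[08-04 09:59:42] 10.168.104.2, interface Vlan2 adjacency established
[08-04 10:01:40] 10.168.104.2, interface Vlan2 adjacency dropped: nbr did not
list our router ID
[08-04 10:01:46] 10.168.104.2, interface Vlan2 adjacency established
"""

ENTRY = re.compile(
    r"^\[(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d)\] (?P<nbr>[\d.]+), "
    r"interface (?P<intf>\S+) adjacency (?P<event>established|dropped)"
    r"(?:: (?P<reason>.*))?$"
)
ASSUMED_YEAR = 2000  # assumption: the log prints no year, so one is supplied


def parse_adjacency_log(text):
    """Return one dict per log entry; wrapped reason text is rejoined."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("switch"):
            continue  # skip blank lines and CLI prompts
        m = ENTRY.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(
                f"{ASSUMED_YEAR}-{ev.pop('ts')}", "%Y-%m-%d %H:%M:%S"
            )
            events.append(ev)
        elif events and events[-1]["reason"] is not None:
            # Continuation of the previous entry's drop reason.
            events[-1]["reason"] += " " + line
    return events


def find_flapping(events, threshold=3, window=timedelta(minutes=5)):
    """Report (neighbor, interface) pairs with >= threshold drops in window."""
    drops = defaultdict(list)
    for ev in events:
        if ev["event"] == "dropped":
            drops[(ev["nbr"], ev["intf"])].append(ev)

    findings = []
    for (nbr, intf), evs in drops.items():
        evs.sort(key=lambda e: e["time"])
        start = worst = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            findings.append({
                "neighbor": nbr,
                "interface": intf,
                "drops_in_window": worst,
                "reasons": sorted({e["reason"] for e in evs}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_flapping(parse_adjacency_log(SAMPLE_LOG)):
        print(finding)
```

Because the log carries no year, a capture that spans a year boundary needs the dates corrected before the window comparison is meaningful.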
The show ip ospf neighbor state command displays the state information on OSPF neighbors on a per-interface basis.
Command Mode
EXEC
Command Syntax
show ip ospf neighbor state STATE_NAME [VRF_INSTANCE]
Example
switch# show ip ospf neighbor state full
Neighbor ID VRF Pri State Dead Time Address Interface
Test1 default 1 FULL/BDR 00:00:35 10.17.254.105 Vlan3912
Test2 default 1 FULL/BDR 00:00:36 10.17.254.29 Vlan3910
Test3 default 1 FULL/DR 00:00:35 10.25.0.1 Vlan101
Test4 default 1 FULL/DROTHER 00:00:36 10.17.254.67 Vlan3908
Test5 default 1 FULL/DROTHER 00:00:36 10.17.254.68 Vlan3908
Test6 default 1 FULL/BDR 00:00:32 10.17.254.66 Vlan3908
Test7 default 1 FULL/DROTHER 00:00:34 10.17.36.4 Vlan3036
Test8 default 1 FULL/BDR 00:00:35 10.17.36.3 Vlan3036
Test9 default 1 FULL/DROTHER 00:00:31 10.17.254.13 Vlan3902
Test10 default 1 FULL/BDR 00:00:37 10.17.254.11 Vlan3902
Test11 default 1 FULL/DROTHER 00:00:33 10.17.254.163 Vlan3925
Test12 default 1 FULL/DR 00:00:37 10.17.254.161 Vlan3925
Test13 default 1 FULL/DROTHER 00:00:31 10.17.254.154 Vlan3923
Test14 default 1 FULL/BDR 00:00:39 10.17.254.156 Vlan3923
Test15 default 1 FULL/DROTHER 00:00:33 10.17.254.35 Vlan3911
Test16 default 1 FULL/DR 00:00:34 10.17.254.33 Vlan3911
Test17 default 1 FULL/DR 00:00:36 10.17.254.138 Ethernet12
Test18 default 1 FULL/DR 00:00:37 10.17.254.2 Vlan3901
switch>
The show ip ospf neighbor summary command displays a single line of summary information for each OSPFv2 neighbor.
Command Mode
EXEC
Command Syntax
show ip ospf [PROCESS_ID] neighbor summary [VRF_INSTANCE]
Example
switch# show ip ospf neighbor summary
OSPF Router with (Process ID 1) (VRF default)
0 neighbors are in state DOWN
0 neighbors are in state GRACEFUL RESTART
2 neighbors are in state INIT
0 neighbors are in state LOADING
0 neighbors are in state ATTEMPT
18 neighbors are in state FULL
0 neighbors are in state EXCHANGE
0 neighbors are in state 2 WAYS
0 neighbors are in state EXCH START
switch>
The show ip ospf neighbor command displays OSPFv2 neighbor information for specified interfaces.
Command Mode
EXEC
Command Syntax
show ip ospf [PROCESS_ID] neighbor [INTERFACE_NAME] [NEIGHBOR] [DATA] [VRF_INSTANCE]
switch# show ip ospf neighbor
Neighbor ID VRF Pri State Dead Time Address Interface
10.168.104.2 default 1 FULL/DR 00:00:35 10.168.0.2 Vlan1
10.168.104.2 default 8 FULL/BDR 00:00:31 10.168.2.2 Vlan2
switch>
switch# show ip ospf neighbor vlan 2 detail
Neighbor 10.168.104.2, VRF default, interface address 10.168.2.2
In the area 0.0.0.2 via interface Vlan2
Neighbor priority is 8, State is FULL, 13 state changes
Adjacency was established 000:01:25:48 ago
DR is 10.168.2.1 BDR is 10.168.2.2
Options is E
Dead timer due in 00:00:34
switch>
The show ip ospf request queue command displays a list of all OSPFv2 Link State Advertisements (LSAs) requested by a router.
Command Mode
EXEC
Command Syntax
show ip ospf request queue [VRF_INSTANCE]
Parameters
VRF_INSTANCE Specifies the VRF instance.
Example
switch# show ip ospf request queue
Neighbor 10.168.104.2 vrf default interface: 10.168.0.2 address vlan1
Type LS ID ADV RTR Seq No Age Checksum
Neighbor 10.168.104.2 vrf default interface: 10.168.2.2 address vlan2
Type LS ID ADV RTR Seq No Age Checksum
switch>
The show ip ospf retransmission queue command displays a list of all OSPFv2 Link State Advertisements (LSAs) waiting to be re-sent.
Command Mode
EXEC
Command Syntax
show ip ospf retransmission queue [VRF_INSTANCE]
Parameters
Example
switch# show ip ospf retransmission queue
Neighbor 10.168.104.2 vrf default interface vlan1 address 10.168.0.2
LSA retransmission not currently scheduled. Queue length is 0
Type Link ID ADV Router Age Seq# Checksum
Neighbor 10.168.104.2 vrf default interface vlan2 address 10.168.2.2
LSA retransmission not currently scheduled. Queue length is 0
Type Link ID ADV Router Age Seq# Checksum
switch>
The show ip ospf spf-log command displays when and how long the switch took to run a full SPF calculation for OSPF.
Command Mode
EXEC
Command Syntax
show ip ospf [PROCESS_ID] spf-log
Parameters
Example
switch# show ip ospf spf-log
OSPF Process 172.26.0.22
When Duration(msec)
13:01:34 1.482
13:01:29 1.547
13:01:24 1.893
13:00:50 1.459
13:00:45 1.473
13:00:40 2.603
11:01:49 1.561
11:01:40 1.463
11:01:35 1.467
11:01:30 1.434
11:00:54 1.456
11:00:49 1.472
11:00:44 1.582
15:01:49 1.575
15:01:44 1.470
15:01:39 1.679
15:01:34 1.601
15:00:57 1.454
15:00:52 1.446
15:00:47 1.603
switch>
The show ip ospf command displays OSPFv2 routing information.
Command Mode
EXEC
Command Syntax
show ip ospf [PROCESS_ID][VRF_INSTANCE]
Example
switch# show ip ospf
Routing Process "ospf 1" with ID 10.168.103.1 VRF default
Supports opaque LSA
Maximum number of LSA allowed 12000
Threshold for warning message 75%
Ignore-time 5 minutes, reset-time 5 minutes
Ignore-count allowed 5, current 0
It is an area border router
Hold time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 00:00:09 ago
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of LSA 27.
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
Area BACKBONE(0.0.0.0)
Number of interfaces in this area is 2
It is a normal area
Area has no authentication
SPF algorithm executed 153 times
Number of LSA 8. Checksum Sum 0x03e13a
Number of opaque link LSA 0. Checksum Sum 0x000000
Area 0.0.0.2
Number of interfaces in this area is 1
It is a normal area
Area has no authentication
SPF algorithm executed 153 times
Number of LSA 11. Checksum Sum 0x054e57
Number of opaque link LSA 0. Checksum Sum 0x000000
Area 0.0.0.3
Number of interfaces in this area is 1
It is a normal area
Area has no authentication
SPF algorithm executed 5 times
Number of LSA 6. Checksum Sum 0x02a401
Number of opaque link LSA 0. Checksum Sum 0x000000
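The output above reports "Area has no authentication" for every area. The following is an added example, not part of the EOS documentation: it parses the per-area blocks of this output and lists the areas that carry interfaces but report no authentication. The function names are assumptions, and the sample text is an excerpt of the output above.

```python
import re

# Constructed sample: an excerpt of the "show ip ospf" output shown above.
SAMPLE_OUTPUT = """\
Routing Process "ospf 1" with ID 10.168.103.1 VRF default
It is an area border router
Number of LSA 27.
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
Area BACKBONE(0.0.0.0)
Number of interfaces in this area is 2
It is a normal area
Area has no authentication
SPF algorithm executed 153 times
Number of LSA 8. Checksum Sum 0x03e13a
Area 0.0.0.2
Number of interfaces in this area is 1
It is a normal area
Area has no authentication
SPF algorithm executed 153 times
Number of LSA 11. Checksum Sum 0x054e57
Area 0.0.0.3
Number of interfaces in this area is 1
It is a normal area
Area has no authentication
SPF algorithm executed 5 times
Number of LSA 6. Checksum Sum 0x02a401
"""

PROCESS = re.compile(r'^Routing Process "ospf (\d+)" with ID (\S+) VRF (\S+)$')
# Area header lines: "Area BACKBONE(0.0.0.0)" or "Area 0.0.0.2".
AREA_HEADER = re.compile(r"^Area (?:BACKBONE\(([\d.]+)\)|(\d+\.\d+\.\d+\.\d+))$")
AREA_FIELDS = {
    "interfaces": (re.compile(r"^Number of interfaces in this area is (\d+)$"), int),
    "type": (re.compile(r"^It is an? (.+) area$"), str),
    "auth": (re.compile(r"^Area has (.+)$"), str),
    "spf_runs": (re.compile(r"^SPF algorithm executed (\d+) times$"), int),
    "lsa_count": (re.compile(r"^Number of LSA (\d+)\. Checksum Sum"), int),
}


def parse_show_ip_ospf(text):
    """Parse the instance line and the per-area blocks into a dict."""
    instance = {"process_id": None, "router_id": None, "vrf": None, "areas": []}
    area = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS.match(line)
        if m:
            (instance["process_id"], instance["router_id"],
             instance["vrf"]) = m.groups()
            continue
        m = AREA_HEADER.match(line)
        if m:
            area = {"id": m.group(1) or m.group(2), "interfaces": 0,
                    "type": None, "auth": None, "spf_runs": None,
                    "lsa_count": None}
            instance["areas"].append(area)
            continue
        if area is None:
            continue  # instance-wide lines before the first area block
        for field, (pattern, convert) in AREA_FIELDS.items():
            m = pattern.match(line)
            if m:
                area[field] = convert(m.group(1))
                break
    return instance


def areas_without_authentication(instance):
    """IDs of areas that have interfaces and report no authentication."""
    return [a["id"] for a in instance["areas"]
            if a["interfaces"] > 0 and a["auth"] == "no authentication"]


if __name__ == "__main__":
    parsed = parse_show_ip_ospf(SAMPLE_OUTPUT)
    print("OSPF process", parsed["process_id"], "router ID", parsed["router_id"])
    print("Areas reporting no authentication:",
          areas_without_authentication(parsed))
```

The check relies only on the per-area line shown in this output; any other wording after "Area has" is stored as-is in the auth field rather than interpreted.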
The show line system dom thresholds command displays the DOM information reported by the OSFP-LS module. This includes standard fields such as temperature and voltage. In addition to standard DOM fields, the OSFP-LS also monitors the laser temperature for each of its amplifiers. The reported RX power reflects the total RX power seen on that path. TX bias current monitoring is not supported on these modules and should be ignored.
Command Mode
EXEC
Command Syntax
show line system [[port RANGE] dom thresholds]
Example
switch# show line system port 10 dom thresholds
Ch: Channel, mA: milliamperes, dBm: decibels (milliwatts),
C: Celsius, V: Volts, NA or N/A: not applicable.
Port 10
Last update: 0:00:04 ago
High Alarm High Warn Low Warn Low Alarm
Value Threshold Threshold Threshold Threshold Unit Indicator
-------------------------------------------------------------------------
Temperature 32.83 70.00 65.00 0.00 -5.00 C
Voltage 3.29 3.47 3.37 3.23 3.14 V
Booster
TX bias current N/A N/A N/A N/A N/A mA
Optical TX power (line) -3.58 7.96 7.50 -9.03 -15.06 dBm
Optical RX power (local) -28.24 -16.23 -17.26 -30.00 -33.01 dBm
Laser Temperature 43.55 80.00 75.00 -5.00 -10.00 C
Pre-amp
TX bias current N/A N/A N/A N/A N/A mA
Optical TX power (local) -3.38 7.96 7.50 -9.03 -15.06 dBm
Optical RX power (line) -15.42 5.77 4.77 -28.24 -30.97 dBm
Laser Temperature 43.54 80.00 75.00 -5.00 -10.00 C
The show line system status command displays module status. The OSFP-LS is compliant with the Common Management Interface Specification (CMIS), and implements various CMIS-defined status flags. Data path 1 reflects the outgoing booster path and data path 2 reflects the incoming pre-amp path.
Command Mode
EXEC
Command Syntax
show line system [port RANGE] status
Example
switch(config-ls-port10,19)# show line system status
Current State Changes Last Change
------------- ------- -----------
Port 10
Transceiver AMP-ZR 3 0:23:03 ago
Transceiver SN XDG203505010
Presence present
Adapters none
Bad EEPROM checksums 0 never
Resets 0 0:23:08 ago
Interrupts 0 never
Data path firmware fault ok 0 never
Module firmware fault ok 0 never
Temperature high alarm ok 0 never
Temperature high warn ok 0 never
Temperature low alarm ok 0 never
Temperature low warn ok 0 never
Voltage high alarm ok 0 never
Voltage high warn ok 0 never
Voltage low alarm ok 0 never
Voltage low warn ok 0 never
Module state ready 2 0:22:59 ago
Data path 1 state initialized 12 0:16:35 ago
Data path 2 state initialized 12 0:16:35 ago
Data path 3 state unknown 0 never
Data path 4 state unknown 0 never
Data path 5 state unknown 0 never
Data path 6 state unknown 0 never
Data path 7 state unknown 0 never
Data path 8 state unknown 0 never
Booster
Operational speed 400Gbps
RX LOS ok 0 never
TX fault ok 0 never
RX CDR LOL ok 0 never
TX power high alarm ok 0 never
TX power high warn ok 0 never
TX power low alarm alarm 3 0:16:37 ago
TX power low warn warn 3 0:16:37 ago
TX bias high alarm ok 0 never
TX bias high warn ok 0 never
TX bias low alarm ok 0 never
TX bias low warn ok 0 never
RX power high alarm ok 0 never
RX power high warn ok 0 never
RX power low alarm ok 2 0:16:35 ago
RX power low warn ok 2 0:16:35 ago
TX LOS
Host lane 1 ok 0 never
Host lane 2 ok 0 never
Host lane 3 ok 0 never
Host lane 4 ok 0 never
Host lane 5 ok 0 never
Host lane 6 ok 0 never
Host lane 7 ok 0 never
Host lane 8 ok 0 never
TX CDR LOL
Host lane 1 ok 0 never
Host lane 2 ok 0 never
Host lane 3 ok 0 never
Host lane 4 ok 0 never
Host lane 5 ok 0 never
Host lane 6 ok 0 never
Host lane 7 ok 0 never
Host lane 8 ok 0 never
TX adaptive input EQ fault
Host lane 1 ok 0 never
Host lane 2 ok 0 never
Host lane 3 ok 0 never
Host lane 4 ok 0 never
Host lane 5 ok 0 never
Host lane 6 ok 0 never
Host lane 7 ok 0 never
Host lane 8 ok 0 never
Pre-amp
Operational speed 50Gbps
RX LOS ok 0 never
TX fault ok 0 never
RX CDR LOL ok 0 never
TX power high alarm ok 0 never
TX power high warn ok 0 never
TX power low alarm alarm 3 0:16:37 ago
TX power low warn warn 3 0:16:37 ago
TX bias high alarm ok 0 never
TX bias high warn ok 0 never
TX bias low alarm ok 0 never
TX bias low warn ok 0 never
RX power high alarm ok 0 never
RX power high warn ok 0 never
RX power low alarm ok 2 0:16:35 ago
RX power low warn ok 2 0:16:35 ago
Some lines of output do not apply to the OSFP-LS modules (for example, Operational speed and RX CDR LOL). These lines of output should be ignored. The fields of interest are Module state, Data path 1 state, and Data path 2 state. Under normal operating conditions, Module state will read ready and the Data path state fields will read either initialized or activated. Initialized means that the module is ready to operate but is receiving no signal to amplify. Activated means that the amplifier is active.
The shutdown command disables OSPFv2 on the switch. OSPFv2 is disabled on individual interfaces with the shutdown (OSPFv2) command.
The no shutdown and default shutdown commands enable the OSPFv2 instance by removing the shutdown statement from the OSPF block in running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
shutdown
no shutdown
default shutdown
switch(config)# router ospf 6
switch(config-router-ospf)# shutdown
switch(config-router-ospf)#
switch(config-router-ospf)# no shutdown
switch(config-router-ospf)#
The summary-address command allows aggregation of external routes advertised by an OSPF ASBR. It is used to aggregate AS External and NSSA External LSAs.
The default summary-address and no summary-address commands delete the current summary-address configurations.
Command Mode
Router Configuration Mode
Command Syntax
summary-address {ip_address subnet_mask | ip_prefix} [attribute_map WORD | not_advertise | tag]
default summary-address {ip_address summary_mask | ip_prefix}
no summary-address {ip_address summary_mask | ip_prefix}
Guidelines
This feature reduces the size of the External LSDB in OSPF and does not impact inter-area and intra-area LSAs. This command installs a Null0 route in the FIB when at least one contributor is present.
Restriction
Only OSPF redistributed routes are aggregated.
Example
This command advertises an external LSA for 50.0.0.0/16 prefix if at least one BGP contributing route is present which falls in the subnet 50.0.0.0/16.
switch(config)# router ospf 5
switch(config-router-ospf)# redistribute bgp
switch(config-router-ospf)# summary-address 50.0.0.0/16 attribute-map BGP_AGGR
switch(config-router-ospf)# exit
switch(config)# show ip route bgp
VRF: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
B E 50.0.0.0/24 [200/0] via 3.0.0.12, Ethernet3
B E 50.0.1.0/24 [200/0] via 3.0.0.12, Ethernet3
switch(config)# show running-config
...
route-map BGP_AGGR permit 10
set metric 42
set tag 19
...
router ospf 1
router-id 1.0.0.10
redistribute bgp
max-lsa 12000
summary-address 50.0.0.0/16 attribute-map BGP_AGGR
switch(config)# show ip ospf database external
OSPF Router with ID(1.0.0.10) (Process ID 1) (VRF default)
Type-5 AS External Link States
LS Age: 9
Options: (E DC)
LS Type: AS External Links
Link State ID: 50.0.0.0
Advertising Router: 1.0.0.10
LS Seq Number: 0x80000001
Checksum: 0x2c0c
Length: 36
Network Mask: 255.255.0.0
Metric Type: 2
Metric: 42
Forwarding Address: 0.0.0.0
External Route Tag: 19
switch(config)# show ip route aggregate
VRF: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
A O 50.0.0.0/16 is directly connected, Null0
Use the system profile command to apply the user defined TCAM profile to the system.
Command Mode
hardware tcam mode
Command Syntax
system profile profilename
Parameter
profilename Name of the selected system profile.
(config-hw-tcam)# system profile profilename
The timers lsa rx min interval command sets the minimum interval for acceptance of identical Link State Advertisements (LSAs) from OSPFv2 neighbors.
The no timers lsa rx min interval and default timers lsa rx min interval commands restore the minimum interval to the default of 1 second by removing the timers lsa rx min interval command from the running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
timers lsa rx min interval lsa_time
no timers lsa rx min interval
default timers lsa rx min interval
Parameter
lsa_time Minimum time (in milliseconds) after which the switch will accept an identical LSA from OSPFv2 neighbors. Default is 1000 (1 second).
Example
switch(config)# router ospf 6
switch(config-router-ospf)# timers lsa rx min interval 10
switch(config-router-ospf)#
The timers lsa tx delay initial command sets the rate-limiting values for OSPF link-state advertisement generation.
The no timers lsa tx delay initial and default timers throttle lsa all commands restore the defaults by removing the timers lsa tx delay initial command from the running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
timers lsa tx delay initial [initial_delay | min_hold | max_wait]
no timers lsa tx delay initial
default timers lsa tx delay initial
Example
switch(config)# router ospf 6
switch(config-router-ospf)# timers lsa tx delay initial 10
switch(config-router-ospf)#
The no timers spf delay initial and default timers spf delay initial commands restore the default OSPFv2 SPF calculation intervals by removing the timers spf delay initial command from the running-config.
Command Mode
Router-OSPF Configuration
Command Syntax
timers spf delay initial [initial_delay | hold_interval | max_interval]
no timers spf
default timers spf
Example
switch(config)# router ospf 6
switch(config-router-ospf)# timers spf 5 100 20000
switch(config-router-ospf)#
Use the tunnel routes command or the default form of the command to enable OSPFv2 routes over GRE tunnels. Tunnel routes are enabled by default. Use the no form of the command to disable the tunnel routes.
Command Mode
Router OSPF configuration (config-router-ospf)
Command Syntax
tunnel routes
no tunnel routes
default tunnel routes
switch(config)# router ospf 6
switch(config-router-ospf)# tunnel routes
switch(config-router-ospf)#
switch(config)# router ospf 6
switch(config-router-ospf)# no tunnel routes
switch(config-router-ospf)#
switch(config)# router ospf 6
switch(config-router-ospf)# default tunnel routes
switch(config-router-ospf)#
Open Shortest Path First (OSPF) is a link-state routing protocol that operates within a single autonomous system. OSPF version 3 is defined by RFC 5340.
OSPFv3 is a dynamic, link-state routing protocol, where links represent routable paths. Dynamic routing protocols calculate the most efficient path between locations based on bandwidth and device status.
A Link State Advertisement (LSA) is an OSPFv3 packet that communicates a router's topology to other routers. The Link State DataBase (LSDB) stores an area’s topology database and is composed of LSAs received from other routers. Routers update the LSDB by storing LSAs from other routers.
An Autonomous System (AS) is the IP domain within which a dynamic protocol controls the routing of traffic. In OSPFv3, an AS is composed of areas, which define the LSDB computation boundaries. All routers in an area store identical LSDBs. Routers in different areas exchange updates without storing the entire database, reducing information maintenance on large, dynamic networks.
An AS shares internal routing information from its areas and external routing information from other processes to inform routers outside the AS about routes the network can access. Routers that advertise routes on other ASs commit to carry data to the IP space on the route.
OSPFv3 Router Types displays the OSPFv3 router types.
OSPFv3 areas are assigned a number between 0 and 4,294,967,295. Area numbers are often expressed in dotted decimal notation, similar to IP addresses.
Each AS has a backbone area, designated as area 0, that connects to all other areas. The backbone receives routing information from all areas, then distributes it to the other areas as required.
Neighbors form adjacencies to exchange LSDB information. A neighbor group uses hello packets to elect a Designated Router (DR) and Backup Designated Router (BDR). The DR and BDR become adjacent to all other neighbors, including each other. Only adjacent neighbors share database information.
OSPFv3 Neighbors illustrates OSPFv3 neighbors.
The DR is the central contact for database exchanges. Switches send database information to their DR, which relays the information to the other neighbors. All routers in an area maintain identical LSDBs. Switches also send database information to their BDR, which stores this data without distributing it. If the DR fails, the BDR distributes LSDB information to its neighbors.
OSPFv3 routers distribute LSAs by sending them on all of their active interfaces. The router does not send hello packets from passive interfaces, which prevents adjacencies from forming on them. The router does not process any OSPFv2 packets received on a passive interface.
When a router's LSDB is changed by an LSA, it sends the changes to the BDR and DR for distribution to the other neighbors. Routing information is updated only when the topology changes.
Routing devices use Dijkstra's algorithm to calculate the shortest path to all known destinations, based on cumulative route cost. The cost of an interface indicates the transmission overhead and is usually inversely proportional to its bandwidth.
The OSPFv3 protocol relies on the IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) header to provide data integrity, authentication and confidentiality. Transport mode provides IPsec to OSPFv3 packets.
The IPsec SA has a Security Policy Index (SPI), an HMAC algorithm, and a secret key as parameters. These parameters are used to compute the Integrity Check Value (ICV), which is used to authenticate peers. When authentication is enabled, all corresponding peers must use the same SA parameters to pass OSPFv3 ICV verification. An SA can be configured at both the area and interface levels.
While sending OSPFv3 packets, the HMAC-MD5 or SHA algorithm hash is inserted in the IPsec header and the packet is sent over the wire for peer authentication.
While receiving OSPFv3 packets, the computed hash is verified with the one present in the IPsec header. If it fails, OSPFv3 packets are discarded.
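The send and receive checks described above can be modelled in a few lines. The following Python sketch is an added example, not EOS code: it builds a simplified AH header, computes a 96-bit truncated HMAC as the ICV, and shows the receiver discarding packets when any SA parameter (SPI, algorithm, key) differs or the packet is altered. Assumptions: the ICV here covers only the AH header and payload (a real AH ICV also covers the IP header fields that do not change in transit), the keys are used directly rather than derived from a passphrase, and all names and sample bytes are constructed.

```python
import hmac
import struct

OSPF_PROTO = 89                        # IP protocol number carried in Next Header
ICV_LEN = 12                           # HMAC-MD5-96 / HMAC-SHA1-96: digest cut to 96 bits
AH_FIXED = struct.Struct("!BBHII")     # next header, payload len, reserved, SPI, sequence

# Constructed stand-in for an OSPFv3 hello (version 3, type 1) and constructed keys.
HELLO = b"\x03\x01" + b"constructed OSPFv3 hello body"
KEY_A = b"constructed-demo-key-A"
KEY_B = b"constructed-demo-key-B"


class SecurityAssociation:
    """The three SA parameters the text names: SPI, HMAC algorithm, secret key."""

    def __init__(self, spi, algorithm, key):
        self.spi, self.algorithm, self.key = spi, algorithm, key

    def icv(self, header_with_zero_icv, payload):
        # The ICV field is zeroed while the HMAC is computed, then truncated.
        mac = hmac.new(self.key, header_with_zero_icv + payload, self.algorithm)
        return mac.digest()[:ICV_LEN]


def protect(sa, seq, ospf_packet):
    """Sender side: build the AH header, compute the ICV, prepend both."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    fixed = AH_FIXED.pack(OSPF_PROTO, payload_len, 0, sa.spi, seq)
    return fixed + sa.icv(fixed + bytes(ICV_LEN), ospf_packet) + ospf_packet


def receive(sa_table, wire):
    """Receiver side: return (ospf_packet, None) or (None, reason_for_discard)."""
    if len(wire) < AH_FIXED.size + ICV_LEN:
        return None, "truncated"
    _nh, _plen, _rsvd, spi, _seq = AH_FIXED.unpack_from(wire)
    sa = sa_table.get(spi)             # the SPI selects which SA verifies the packet
    if sa is None:
        return None, "unknown SPI"
    fixed = wire[:AH_FIXED.size]
    received_icv = wire[AH_FIXED.size:AH_FIXED.size + ICV_LEN]
    payload = wire[AH_FIXED.size + ICV_LEN:]
    expected = sa.icv(fixed + bytes(ICV_LEN), payload)
    if not hmac.compare_digest(received_icv, expected):   # constant-time comparison
        return None, "ICV mismatch"
    return payload, None


def run_scenarios():
    """One sender, several receivers whose SA differs in exactly one parameter."""
    sender = SecurityAssociation(34, "sha1", KEY_A)
    wire = protect(sender, 1, HELLO)
    tampered = wire[:-1] + bytes([wire[-1] ^ 0x01])   # one bit changed in transit
    peers = {
        "same SA": {34: SecurityAssociation(34, "sha1", KEY_A)},
        "different key": {34: SecurityAssociation(34, "sha1", KEY_B)},
        "different algorithm": {34: SecurityAssociation(34, "md5", KEY_A)},
        "different SPI": {35: SecurityAssociation(35, "sha1", KEY_A)},
    }
    results = {name: receive(table, wire) for name, table in peers.items()}
    results["tampered in transit"] = receive(peers["same SA"], tampered)
    return results


if __name__ == "__main__":
    for name, (packet, reason) in run_scenarios().items():
        print(f"{name:22} -> {'accepted' if packet else 'discarded: ' + reason}")
```

Only the receiver whose SPI, algorithm and key all match the sender accepts the packet; every other case ends in a discard, which on a live network shows up as an adjacency that never forms.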
ESP provides confidentiality to OSPFv3 packets. When confidentiality is enabled, ESP encrypts the sent data and decrypts the received data. OSPFv3 packets that are not encapsulated with security payload are discarded.
OSPFv3 encryption uses the Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) algorithms. 3DES uses a 192-bit key, whereas the AES key length can be 128, 192 or 256 bits.
The OSPFv3 dn-bit-ignore command controls whether LSAs that have the “Down” (DN) bit set are included in SPF calculations. The DN bit is a loop-prevention mechanism used when OSPF runs as the CE-PE IGP.
The DN-bit usage in OSPFv3 is explained in RFC 6565. With Release EOS-4.25.0F, OSPFv3 honors the DN-bit in type-3, type-5, or type-7 LSAs in non-default VRFs. Such LSAs are not used in SPF calculation, and are not installed in the routing table. Using the dn-bit-ignore command changes this behavior. Understand the entire topology before configuring the dn-bit-ignore command, because ignoring the DN-bit may lead to forwarding loops.
OSPFv3 configuration commands apply to the specified OSPFv3 instance. To perform OSPFv3 configuration commands, the switch must be in router-OSPFv3 configuration mode. The ipv6 router ospf command places the switch in router-OSPFv3 configuration mode, creating an OSPFv3 instance if OSPFv3 was not previously instantiated on the switch. If no VRF is specified, the OSPFv3 instance is in the default VRF. To instantiate or configure OSPFv3 on a non-default VRF, specify that VRF when using the ipv6 router ospf command.
The process ID identifies the OSPFv3 instance and is local to the router. Neighbor OSPFv3 routers can have different process IDs. OSPFv3 instances configured in different VRFs on the switch must have different process IDs.
The switch supports one OSPFv3 instance for each VRF. When an OSPFv3 instance already exists, the ipv6 router ospf command must specify its process ID (and VRF, if it is not configured in the default VRF). Attempts to define additional instances in the same VRF will generate errors. The show ipv6 ospf command displays information about OSPFv3 instances, including their process IDs.
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# show active
ipv6 router ospf 9
switch(config-router-ospf3)#
The router ID is a 32-bit number assigned to a router running OSPFv3. This number uniquely labels the router within an Autonomous System. Status commands identify the switch through the router ID. When configuring OSPFv3 instances in multiple VRFs, each should have a different router ID.
The router-id (OSPFv3) command configures the router ID for an OSPFv3 instance.
Example
switch(config-router-ospf3)# router-id 15.21.4.9
switch(config-router-ospf3)# show active
ipv6 router ospf 9
router-id 15.21.4.9
switch(config-router-ospf3)#
These router-OSPFv3 configuration mode commands define OSPFv3 behavior for the OSPFv3 instance under which they are used.
The log-adjacency-changes (OSPFv3) command configures the switch to log OSPFv3 link-state changes and transitions of OSPFv3 neighbors into the up or down state.
switch(config-router-ospf3)# log-adjacency-changes
switch(config-router-ospf3)#
switch(config-router-ospf3)# log-adjacency-changes detail
switch(config-router-ospf3)#
The distance ospf intra-area (OSPFv3) command configures the administrative distance for routes contained in a single OSPFv3 area. Administrative distances compare dynamic routes configured by different protocols. The default administrative distance for intra-area routes is 10.
Example
switch(config-router-ospf3)# distance ospf intra-area 90
switch(config-router-ospf3)# show active
ipv6 router ospf 9
distance ospf intra-area 90
switch(config-router-ospf3)#
The passive-interface (OSPFv3) command prevents the transmission of hello packets on the specified interface. Passive interfaces drop all adjacencies and do not form new adjacencies. Although passive interfaces do not send or receive LSAs, other interfaces may generate LSAs for the network segment. The router does not send OSPFv3 packets from a passive interface or process OSPFv3 packets received on a passive interface. The router advertises the passive interface in the router LSA.
The no passive-interface command re-enables OSPFv3 processing on the specified interface.
switch(config-router-ospf3)# passive-interface vlan 200
switch(config-router-ospf3)# show active
ipv6 router ospf 9
passive-interface Vlan200
switch(config-router-ospf3)#
switch(config-router-ospf3)# no passive-interface vlan 200
switch(config-router-ospf3)# show active
ipv6 router ospf 9
switch(config-router-ospf3)#
Redistributing connected routes causes the OSPFv3 instance to advertise all connected routes on the switch as external OSPFv3 routes. Connected routes are routes that are established when IPv6 is enabled on an interface.
Example
switch(config-router-ospf3)# redistribute connected
switch(config-router-ospf3)# show active
ipv6 router ospf 9
redistribute connected
switch(config-router-ospf3)#
Redistributing static routes causes the OSPFv3 instance to advertise all static routes on the switch as external OSPFv3 routes. The switch does not support redistributing individual static routes.
Example
switch(config-router-ospf3)# redistribute static
switch(config-router-ospf3)# show active
ipv6 router ospf 9
redistribute static
switch(config-router-ospf3)#
OSPFv3 areas are configured through area commands. The switch must be in router-OSPFv3 configuration mode, as described in Entering OSPFv3 Configuration Mode, to run area commands.
Areas are assigned a 32-bit number that is expressed in decimal or dotted-decimal notation. When an OSPFv3 instance configuration contains multiple areas, the switch only configures areas associated with its interfaces.
The default area type is normal.
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# area 200 nssa
switch(config-router-ospf3)# area 300 stub
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.200
area 0.0.1.44 stub
switch(config-router-ospf3)#
These router-OSPFv3 configuration mode commands define OSPFv3 behavior in a specified area.
The area default-cost (OSPFv3) command specifies the cost of the default summary route that ABRs send into a stub area or NSSA. Summary routes, also called inter-area routes, originate in areas different than their destination. When the area default-cost command is not configured for an area, the default-cost of that area is set to 10.
Example
switch(config-router-ospf3)# area 450 default-cost 25
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.1.194 default-cost 25
The area stub (OSPFv3) command configures the area type of an OSPFv3 area. All routers in an AS must specify the same area type for identically numbered areas.
Stub areas are areas in which external routes are not advertised. To reach these external routes, the stub area uses a default summary route (0.0.0.0). Networks without external routes do not require stub areas.
Areas are normal by default; area type configuration is required only for stub and NSSA areas. Area 0 is always a normal area and cannot be configured through this command.
switch(config)# ipv6 router ospf 3
switch(config-router-ospf3)# area 45 stub
switch(config-router-ospf3)#
switch(config-router-ospf3)# area 10.92.148.17 stub
switch(config-router-ospf3)#
The area range (OSPFv3) command is used by OSPFv3 Area Border Routers (ABRs) to consolidate or summarize routes, to configure a cost setting for those routes, and to suppress summary route advertisements.
By default, an ABR creates a summary LSA for each route in an area and advertises that LSA to adjacent areas. The area range (OSPFv3) command aggregates routing information on area boundaries, allowing the ABR to use one summary LSA to advertise multiple routes.
switch(config)# ipv6 router ospf 1
switch(config-router-ospf3)# area 1 range 2001:0DB8:0:1::/64
switch(config-router-ospf3)#
switch(config)# ipv6 router ospf 1
switch(config-router-ospf3)# area 1 range 2001:0DB8:0:1::/64 not-advertise
switch(config-router-ospf3)#
OSPFv3 interface configuration commands enable OSPFv3 on an interface, assign the interface to an area, and specify transmission parameters for routed ports and SVIs that handle OSPFv3 packets.
The ipv6 ospf area command enables OSPFv3 on the configuration mode interface and associates the specified area to the interface. Each routed interface can be associated with one OSPFv3 area; subsequent ipv6 ospf area commands that designate a different area on an interface replace any existing command for the interface.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 ospf 9 area 0
switch(config-if-Vl200)# show active
interface Vlan200
ipv6 ospf 9 area 0.0.0.0
switch(config-if-Vl200)#
Interval configuration commands determine OSPFv3 packet transmission characteristics for a specified VLAN interface. Interval configuration commands are entered in vlan-interface configuration mode.
The hello interval specifies the period between consecutive hello packet transmissions from an interface. Each OSPFv3 neighbor should specify the same hello interval, which should not be longer than any neighbor's dead interval.
The ospfv3 hello-interval command configures the hello interval for the configuration mode interface. The default is 10 seconds.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 hello-interval 45
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 hello-interval 45
switch(config-if-Vl200)#
The dead interval specifies the period that an interface waits for an OSPFv3 packet from a neighbor before it disables the adjacency under the assumption that the neighbor is down. The dead interval should be configured identically on all OSPFv3 neighbors and be longer than the hello interval of any neighbor.
The ospfv3 dead-interval command configures the dead interval for the configuration mode interface. The default is 40 seconds.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 dead-interval 75
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 dead-interval 75
switch(config-if-Vl200)#
Routers that send OSPFv3 advertisements to an adjacent router expect to receive an acknowledgment from that neighbor. Routers that do not receive an acknowledgment will retransmit the advertisement. The retransmission interval specifies the period between retransmissions.
The ospfv3 ipv6 retransmit-interval command configures the LSA retransmission interval for the configuration mode interface. The default retransmission interval is 5 seconds.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 ipv6 retransmit-interval 25
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 ipv6 retransmit-interval 25
switch(config-if-Vl200)#
The transmission delay is an estimate of the time that an interface requires to transmit a link-state update packet. OSPFv3 adds this delay to the age of outbound packets to more accurately reflect the age of the LSA when received by a neighbor.
The ospfv3 transmit-delay command configures the transmission delay for the configuration mode interface. The default transmission delay is one second.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 transmit-delay 10
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 transmit-delay 10
switch(config-if-Vl200)#
The OSPFv3 interface cost reflects the overhead of sending packets across the interface. The cost is typically assigned to be inversely proportional to the bandwidth of the interface. The ospfv3 cost command configures the OSPFv3 cost for the configuration mode interface. The default cost is 10.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 cost 50
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 cost 50
switch(config-if-Vl200)#
Router priority determines preference during Designated Router (DR) and Backup Designated Router (BDR) elections. Routers with higher priority numbers have preference over other routers. Routers with a priority of zero cannot be elected as a DR or BDR.
The ospfv3 priority command configures router priority for the configuration mode interface. The default priority is 1.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 priority 128
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 priority 128
switch(config-if-Vl200)#
OSPFv3 requires that IPv6 unicast routing is enabled on the switch. When IP routing is not enabled, entering OSPFv3 configuration mode generates a message.
switch(config)# ipv6 router ospf 9
! IPv6 routing not enabled
switch(config-router-ospf3)#
switch(config)# ipv6 unicast-routing
The shutdown (OSPFv3) command disables OSPFv3 operations on the switch without disrupting the OSPFv3 configuration. To disable OSPFv3 on an interface, remove the ipv6 ospf area statement for the corresponding interface.
The no shutdown command resumes OSPFv3 activity.
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# shutdown
switch(config-router-ospf3)# show active
ipv6 router ospf 9
shutdown
switch(config-router-ospf3)#
switch(config-router-ospf3)# no shutdown
switch(config-router-ospf3)# show active
ipv6 router ospf 9
switch(config-router-ospf3)#
You can configure OSPFv3 security for either an area or an interface, or both, using either an Authentication Header (AH) or an Encapsulating Security Payload (ESP).
When OSPFv3 security is configured on an area, the configured settings apply to all interfaces in that area. Interface-specific configuration overrides configuration on the area to which the interface belongs.
The area authentication ipsec spi command configures OSPFv3 authentication on an area.
Example
This command configures OSPFv3 authentication on an area with MD5 hash algorithm.
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# area 0.0.0.0 authentication ipsec spi 34 md5 0 8FD6158BFE81ADD961241D8E4169D411
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.0 authentication ipsec spi 34 md5 7 $1$cNpcrQl1czqdvKAzKLtYVr6I7+R3niuWouDKKYCFNs4/XOWG/Iap5Q==
switch(config-router-ospf3)#
Configuring OSPFv3 Authentication for Interfaces
The ospfv3 authentication ipsec spi command configures OSPFv3 authentication on an interface.
Example
This command configures OSPFv3 authentication on an interface with MD5 hash algorithm.
switch(config-if-Et9)# ospfv3 authentication ipsec spi 3456 md5 0 8FD6158BFE81ADD961241D8E4169D411
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 authentication ipsec spi 3456 md5 7 $1$xtmcMSPzEn+Njp8Lb4qryVVOjKcjsrYuv6dx1O+nSwKQdaiRt2RPTQ==
switch(config-if-Et9)#
The area encryption ipsec spi command configures OSPFv3 security on an area.
Example
This command configures OSPFv3 security on an area with 3DES-CBC encryption and MD5 hash algorithm.
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# area 0.0.0.0 encryption ipsec spi 5678 esp 3des-cbc md5 passphrase 0 8FD6158BFE81ADD961241D8E4169D411
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.0 encryption ipsec spi 5678 esp 3des-cbc md5 passphrase 7 $1$cNpcrQl1czqdvKAzKLtYVr6I7+R3niuWouDKKYCFNs4/XOWG/Iap5Q==
switch(config-router-ospf3)#
Configuring OSPFv3 Encryption for Interfaces
The ospfv3 encryption ipsec spi command configures OSPFv3 security on an interface.
Example
This command configures OSPFv3 security on an interface with 3DES-CBC encryption and SHA1 algorithm.
switch(config)# interface ethernet 9
switch(config-if-Et9)# ospfv3 encryption ipsec spi 345 esp 3des-cbc sha1 passphrase 0 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 encryption ipsec spi 345 esp 3des-cbc sha1 passphrase 7 $1$VmUkWk6IL2S343bR3BbH0RhgvxHhwBpfvB4VXKNOOQF7HJBp5VvXTfBaVYbgCkWU
switch(config-if-Et9)#
switch(config-if-Et9)#
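Because interface-level security overrides the area setting, the protection actually in force on a link is not visible from either statement alone. The following Python audit is an added example, not an EOS tool: it reads configuration text in the statement forms shown above, resolves the effective AH or ESP setting per OSPFv3 interface, and lists interfaces with no IPsec protection or with md5 or 3des-cbc. Assumptions: the input keeps the indentation of show running-config, treating md5 and 3des-cbc as legacy is this example's policy, and the sample configuration is constructed with key material replaced by a placeholder.

```python
import ipaddress
import re

# Constructed sample in running-config style; <hidden> stands in for key material.
SAMPLE_CONFIG = """\
ipv6 router ospf 9
   area 0.0.0.0 authentication ipsec spi 34 md5 7 <hidden>
   area 1 encryption ipsec spi 5678 esp aes-256-cbc sha1 passphrase 7 <hidden>
interface Ethernet9
   no switchport
   ipv6 ospf 9 area 0.0.0.0
   ospfv3 encryption ipsec spi 345 esp 3des-cbc sha1 passphrase 7 <hidden>
interface Vlan200
   ipv6 ospf 9 area 0
interface Vlan300
   ipv6 ospf 9 area 300
interface Vlan400
   ipv6 ospf 9 area 0.0.0.1
interface Management1
   ip address 192.0.2.10/24
"""

# Policy of this example (an assumption, not vendor guidance).
LEGACY_HASHES = {"md5"}
LEGACY_CIPHERS = {"3des-cbc"}

AUTH_RE = re.compile(r"authentication ipsec spi (\d+) (md5|sha1)\b")
# The optional group skips an encryption key given between cipher and hash.
ENC_RE = re.compile(r"encryption ipsec spi (\d+) esp (\S+)(?: [07] \S+)? (md5|sha1)\b")
AREA_RE = re.compile(r"^area (\S+) (.*)$")
IF_AREA_RE = re.compile(r"^ipv6 ospf \d+ area (\S+)$")


def normalize_area(area_id):
    """Return the dotted-decimal form of a decimal or dotted-decimal area ID."""
    if "." in area_id:
        return str(ipaddress.IPv4Address(area_id))
    return str(ipaddress.IPv4Address(int(area_id)))


def parse_security(text):
    """Return a dict describing an AH or ESP statement, or None if absent."""
    m = ENC_RE.search(text)
    if m:
        return {"mode": "esp", "spi": int(m.group(1)),
                "cipher": m.group(2), "hash": m.group(3)}
    m = AUTH_RE.search(text)
    if m:
        return {"mode": "ah", "spi": int(m.group(1)),
                "cipher": None, "hash": m.group(2)}
    return None


def audit(config):
    """Return {interface: (effective_security, source, findings)}."""
    area_sec, interfaces, section = {}, {}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # unindented line opens a new section
            section = line
            if line.startswith("interface "):
                interfaces[line.split()[1]] = {"area": None, "sec": None}
            continue
        if section.startswith("ipv6 router ospf"):
            m = AREA_RE.match(line)
            sec = parse_security(m.group(2)) if m else None
            if sec:
                area_sec[normalize_area(m.group(1))] = sec
        elif section.startswith("interface "):
            intf = interfaces[section.split()[1]]
            m = IF_AREA_RE.match(line)
            if m:
                intf["area"] = normalize_area(m.group(1))
            elif line.startswith("ospfv3 "):
                intf["sec"] = parse_security(line) or intf["sec"]

    report = {}
    for name, intf in interfaces.items():
        if intf["area"] is None:               # OSPFv3 is not enabled here
            continue
        if intf["sec"]:                        # interface setting overrides the area
            sec, source = intf["sec"], "interface"
        elif intf["area"] in area_sec:
            sec, source = area_sec[intf["area"]], "area " + intf["area"]
        else:
            sec, source = None, "none"
        findings = []
        if sec is None:
            findings.append("no IPsec AH/ESP: OSPFv3 packets are unauthenticated")
        else:
            if sec["hash"] in LEGACY_HASHES:
                findings.append("legacy hash " + sec["hash"])
            if sec["cipher"] in LEGACY_CIPHERS:
                findings.append("legacy cipher " + sec["cipher"])
            if sec["cipher"] == "null":
                findings.append("esp null: integrity only, no confidentiality")
        report[name] = (sec, source, findings)
    return report


if __name__ == "__main__":
    for name, (sec, source, findings) in audit(SAMPLE_CONFIG).items():
        print(name, source, findings or "ok")
```

Area IDs are normalized before lookup because an interface statement and an area statement may write the same area in decimal and dotted-decimal form.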
Flood pacing can be configured for global OSPFv3 instances and address families. The timers pacing flood command configures OSPFv3 flood pacing.
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# timers pacing flood 50
switch(config-router-ospf3)# show ipv6 ospf
Routing Process "ospfv3 9" with ID 13.13.13.13 and Instance 0 VRF default
FIPS mode disabled
It is not an autonomous system boundary router and is not an area border router
Minimum LSA arrival interval 1000 msecs
Initial LSA throttle delay 1000 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Interface flood pacing timer 50 msecs
It has 0 fully adjacent neighbors
Number of areas in this router is 1. 1 normal, 0 stub, 0 nssa
Number of LSAs 1
Initial SPF schedule delay 0 msecs
Minimum hold time between two consecutive SPFs 5000 msecs
Current hold time between two consecutive SPFs 5000 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 21d19h ago
No scheduled SPF
Adjacency exchange-start threshold is 20
Maximum number of next-hops supported in ECMP is 32
Number of backbone neighbors is 0
Graceful-restart is not configured
Graceful-restart-helper mode is enabled
Area 0.0.0.0
Number of interface in this area is 0
It is a normal area
SPF algorithm executed 2 times
switch(config)# router ospfv3
switch(config-router-ospfv3)# address-family ipv4
switch(config-router-ospfv3-af)# timers pacing flood 50
switch(config-router-ospfv3-af)# show ospfv3
OSPFv3 address-family ipv4
Routing Process "ospfv3" with ID 11.1.11.1 and Instance 64 VRF default
FIPS mode disabled
It is not an autonomous system boundary router and is not an area border router
Minimum LSA arrival interval 1000 msecs
Initial LSA throttle delay 1000 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Interface flood pacing timer 50 msecs
It has 0 fully adjacent neighbors
Number of areas in this router is 1. 1 normal, 0 stub, 0 nssa
Number of LSAs 1
Initial SPF schedule delay 0 msecs
Minimum hold time between two consecutive SPFs 5000 msecs
Current hold time between two consecutive SPFs 5000 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 00:01:05 ago
No scheduled SPF
Adjacency exchange-start threshold is 20
Maximum number of next-hops supported in ECMP is 32
Number of backbone neighbors is 0
Graceful-restart is not configured
Graceful-restart-helper mode is enabled
Area 0.0.0.0
Number of interface in this area is 0
It is a normal area
SPF algorithm executed 2 times
Use the command dn-bit-ignore to include type-3/5/7 LSAs having their DN-bit set in the SPF calculation.
Use the commands no dn-bit-ignore or default dn-bit-ignore to revert the behavior back to default. This command is available in ipv6 router ospf vrf configuration mode and the router ospfv3 vrf configuration mode. Note that this command is not available in the default VRF, and that both configuration styles are captured below.
switch(config)# router ospfv3 vrf red
switch(config-router-ospfv3-vrf-red)# dn-bit-ignore
switch(config)# ipv6 router ospf 1 vrf red
switch(config-router-ospfv3-vrf-red)# dn-bit-ignore
This section describes OSPFv3 show commands that display OSPFv3 status. General switch methods that provide OSPFv3 information include pinging routes, viewing route status (show ip route command), and viewing the configuration (show running-config command).
The show ipv6 ospf command displays general OSPFv3 configuration information, operational statistics and status for the OSPFv3 instance, followed by a brief description of the areas configured on the switch.
Example
switch(config-router-ospf3)#show ipv6 ospf
Routing Process "ospfv3 1" with ID 1.1.1.1 and Instance 0 VRF default
It is not an autonomous system boundary router and is not an area border router
Minimum LSA arrival interval 1000 msecs
Initial LSA throttle delay 1000 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Interface flood pacing timer 50 msecs
It has 0 fully adjacent neighbors
...
Graceful-restart is not configured
Graceful-restart-helper mode is enabled
The show ipv6 ospf interface command displays OSPFv3 information for switch interfaces configured for OSPFv3. Different command options allow the display of either all interfaces or a specified interface. The command can also be configured to display complete information or a brief summary.
Example
switch#show ipv6 ospf interface
Ethernet17 is up
Interface Address fe80::48c:73ff:fe00:1319%Ethernet12, Area 0.0.0.0
Network Type Broadcast, Cost 10
Transmit Delay is 1 sec, State Backup DR, Priority 1
Designated Router is 10.37.0.37
Backup Designated Router is 10.37.0.23
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 1
Vlan31 is up
Interface Address fe80::48c:73ff:fe00:1319%Vlan31, Area 0.0.0.0
Network Type Broadcast, Cost 10
Transmit Delay is 1 sec, State Backup DR, Priority 1
Designated Router is 10.37.0.22
Backup Designated Router is 10.37.0.23
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 1
Vlan32 is up
Interface Address fe80::48c:73ff:fe00:1319%Vlan32, Area 0.0.0.0
Network Type Broadcast, Cost 10
Transmit Delay is 1 sec, State DR Other, Priority 1
Designated Router is 10.37.0.11
Backup Designated Router is 10.37.0.22
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 2
switch#
The show ipv6 ospf database <link state list> command displays the LSAs in the LSDB for the specified area. If no area is listed, the command displays the contents of the database for each area on the switch. The database command provides options to display subsets of the LSDB database, a summary of database contents, and the link states that comprise the database.
Example
switch#show ipv6 ospf database
Routing Process "ospf 9":
AS Scope LSDB
Type Link ID ADV Router Age Seq# Checksum
AEX 0.0.0.5 10.37.0.37 15 0x80000005 0x00be82
AEX 0.0.0.9 10.37.0.22 1747 0x8000002b 0x00df56
AEX 0.0.0.3 10.37.0.46 599 0x8000002d 0x00651d
Area 0.0.0.0 LSDB
Type Link ID ADV Router Age Seq# Checksum
RTR 0.0.0.0 10.37.0.32 234 0x80000031 0x00585a
NTW 0.0.0.26 10.37.0.32 271 0x80000005 0x005609
NAP 0.0.0.26 10.37.0.32 274 0x80000005 0x00964c
Interface vlan3911 LSDB
Type Link ID ADV Router Age Seq# Checksum
LNK 0.0.0.38 10.37.0.22 267 0x80000005 0x00a45a
LNK 0.0.0.23 10.37.0.23 270 0x8000002c 0x005b7e
Interface vlan3902 LSDB
Type Link ID ADV Router Age Seq# Checksum
LNK 0.0.0.17 10.37.0.11 1535 0x8000002b 0x007120
LNK 0.0.0.37 10.37.0.22 7 0x8000002b 0x00ce23
LNK 0.0.0.22 10.37.0.23 250 0x8000002d 0x00c350
switch#
The show ipv6 ospf neighbor command displays information about the routers that are neighbors to the switch. Command options allow the display of summary or detailed information about the neighbors to all areas and interfaces on the switch. The command also allows for the display of neighbors to individual interfaces or areas. The adjacency-changes option displays the interface's adjacency changes.
Example
switch# show ipv6 ospf neighbor
Routing Process "ospf 9":
Neighbor 10.37.0.37 priority is 1, state is Full
In area 0.0.0.0 interface et12
DR is 10.37.0.37 BDR is 10.37.0.23
Options is 0
Dead timer is due in 37 seconds
Neighbor 10.37.0.22 priority is 1, state is Full
In area 0.0.0.0 interface vlan3911
DR is 10.37.0.22 BDR is 10.37.0.23
Options is 0
Dead timer is due in 31 seconds
Neighbor 10.37.0.22 priority is 1, state is Full
In area 0.0.0.0 interface vlan3902
DR is 10.37.0.11 BDR is 10.37.0.22
Options is 0
Dead timer is due in 31 seconds
Neighbor 10.37.0.22 priority is 1, state is Full
In area 0.0.0.0 interface vlan3908
DR is 10.37.0.22 BDR is 10.37.0.21
Options is 0
Dead timer is due in 39 seconds
switch#
The show ipv6 routes command provides an OSPFv3 option.
Example
switch# show ipv6 route ospf
IPv6 Routing Table - 43 entries
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP, R - RIP, A - Aggregate
O fd7a:3279:81a4:1112::/64 [150/11]
via fe80::21c:41ff:fe00:d120, Ethernet12
O fd7a:3279:81a4:1114::/64 [150/11]
via fe80::21c:41ff:fe00:d120, Ethernet12
O fd7a:3279:81a4:1124::/64 [10/20]
via fe80::21c:41ff:fe01:5fe1, Vlan3901
via fe80::21c:41ff:fe01:5fe1, Vlan3902
via fe80::21c:41ff:fe01:5fe1, Vlan3908
O fd7a:3279:81a4:1a00::25/128 [150/11]
via fe80::21c:41ff:fe00:d120, Ethernet12
O fd7a:3279:81a4:1a00::28/128 [150/11]
via fd7a:3279:81a4:fe40::5, Vlan3908
Use the show running-config command to verify whether the dn-bit-ignore command is configured.
This section describes the commands required to configure three OSPFv3 topologies.
The AS in Example 1 contains two areas that are connected through two routers. The backbone area also contains an internal router that connects two links.
OSPFv3 Example 1 displays the Example 1 topology. Two ABRs, Router A and Router B, connect area 0 and area 1. Router C is an internal router that connects two links in area 0. Area 0 is normal; area 1 is stub.
Area 0 contains two links to an internal router.
This code configures the OSPFv3 instances on the three switches.
The AS in Example 2 contains three areas. Area 0 connects to the other areas through different routers and contains an internal router connecting two links. Area 0 is normal; the other areas are stub areas.
OSPFv3 Example 2 displays the Example 2 topology. One ABR (Router B) connects area 0 and area 1; another ABR (Router C) connects area 0 and area 2. Router A is an internal router that connects two links in area 0.
The AS in Example 3 contains two areas that connect through one ABR. Each area also contains an ASBR that connects static routes to the AS.
OSPFv3 Example 3 displays the Example 3 topology. One ABR connects area 0 and area 1. Router C is an ABR that connects the areas. Router A is an internal router that connects two links in area 1. Router D and Router E are internal routers that connect links in area 0. Router B and Router F are ASBRs that connect static routes outside the AS to area 1 and area 0, respectively.
The adjacency exchange-start threshold command sets the exchange-start options for an OSPF instance.
The no adjacency exchange-start threshold and default adjacency exchange-start threshold commands reset the default by removing the corresponding adjacency exchange-start threshold command from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
adjacency exchange-start threshold peers
no adjacency exchange-start threshold
default adjacency exchange-start threshold
Parameters
peers Value ranges from 1 - 4294967295. Default value is 10.
Example
switch(config)# ipv6 router ospf 3
switch(config-router-ospf3)# adjacency exchange-start threshold 156923
switch(config-router-ospf3)#
The area authentication ipsec spi command configures OSPFv3 authentication on an area.
The default area authentication and no area authentication commands delete the OSPFv3 authentication on an area.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id authentication ipsec spi spi_value {md5 | sha1} passphrase {0 unencrypted_key | 7 hidden_key | LINE}
no area area_id authentication ipsec spi spi_value {md5 | sha1} passphrase {0 unencrypted_key | 7 hidden_key | LINE}
default area area_id authentication ipsec spi spi_value {md5 | sha1} passphrase {0 unencrypted_key | 7 hidden_key | LINE}
Guidelines
Passphrase and key value are exclusive. MD5 and SHA1 keys are derived from the configured passphrase.
Restriction
On the same area, EOS allows security configuration with either AH or ESP but not both. We can have one area configured with AH and another with ESP.
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# area 0.0.0.0 authentication ipsec spi 34 md5 0 8FD6158BFE81ADD961241D8E4169D411
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.0 authentication ipsec spi 34 md5 7 $1$cNpcrQl1czqdvKAzKLtYVr6I7+R3niuWouDKKYCFNs4/XOWG/Iap5Q==
switch(config-router-ospf3)#
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# area 0.0.0.0 authentication ipsec spi 5789 sha1 passphrase 7 $1$Ab754G0OHbGllIKqlCl7lyUKscUlpFTpvcQxQIhjJm1OUzGJDh4bLWxSdKHvWMo6
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.0 authentication ipsec spi 5789 sha1 passphrase 7 Ab754G0OHbGllIKqlCl7lyUKscUlpFTpvcQxQIhjJm1OUzGJDh4bLWxSdKHvWMo6
switch(config-router-ospf3)#
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 1.1.1.1 authentication ipsec spi 2437 md5 7 cNpcrQl1czqdvKAzKLtYVr6I7+R3niuWouDKKYCFNs4/XOWG/Iap5Q==
area 0.0.0.0 authentication ipsec spi 5789 sha1 passphrase 7 Ab754G0OHbGllIKqlCl7lyUKscUlpFTpvcQxQIhjJm1OUzGJDh4bLWxSdKHvWMo6
switch(config-router-ospf3)#no area 0.0.0.0 authentication
switch(config-router-ospf3)#show active
ipv6 router ospf 9
area 1.1.1.1 authentication ipsec spi 2437 md5 7 cNpcrQl1czqdvKAzKLtYVr6I7+R3niuWouDKKYCFNs4/XOWG/Iap5Q==
switch(config-router-ospf3)#
The area default-cost command sets the cost for the default summary routes sent into an area. When the area default-cost command is not configured for an area, the default-cost of that area is set to 10.
The no area default-cost and default area default-cost commands reset the default-cost value of the specified area to 10 by removing the corresponding area default-cost command from running-config. The no area (OSPFv3) command removes all area commands for the specified area from running-config, including the area default-cost command.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id default-cost def_cost
no area area_id default-cost
default area area_id default-cost
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# area 100 default 15
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.100 default-cost 15
switch(config-router-ospf3)#
The area encryption ipsec spi command configures OSPFv3 security on an area.
The default area encryption and no area encryption commands delete the OSPFv3 security on an area.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id encryption ipsec spi spi_value esp {3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc} {0 unencrypted_key | 7 encrypted_key} {md5 | sha1} {0 unencrypted_key | 7 encrypted_key | KEY}
area area_id encryption ipsec spi spi_value esp null {md5 | sha1} {0 unencrypted_key | 7 encrypted_key | KEY}
area area_id encryption ipsec spi spi_value esp {3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | null} {md5 | sha1} {0 unencrypted_key | 7 encrypted_key | LINE}
no area area_id encryption
default area area_id encryption
Parameters
Guidelines
Passphrase and key values are exclusive. MD5 and SHA1 keys are derived from the configured passphrase.
Restriction
On the same area, EOS allows security configuration with either AH or ESP but not both. We can have one area configured with AH and another with ESP.
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# area 0.0.0.0 encryption ipsec spi 5678 esp 3des-cbc md5 passphrase 0 8FD6158BFE81ADD961241D8E4169D411
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.0 encryption ipsec spi 5678 esp 3des-cbc md5 passphrase 7 $1$cNpcrQl1czqdvKAzKLtYVr6I7+R3niuWouDKKYCFNs4/XOWG/Iap5Q==
switch(config-router-ospf3)#
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# show active
ipv6 router ospf 9
area 0.0.0.0 encryption ipsec spi 5678 esp 3des-cbc md5 passphrase 7 $1$cNpcrQl1czqdvKAzKLtYVr6I7+R3niuWouDKKYCFNs4/XOWG/Iap5Q==
switch(config-router-ospf3)# no area 0.0.0.0 encryption
switch(config-router-ospf3)# show active
ipv6 router ospf 9
switch(config-router-ospf3)#
The area not-so-stubby lsa type-7 convert type-5 command configures the switch to always translate Type-7 Link-State Advertisement (LSAs) to Type-5 LSAs.
The no area not-so-stubby lsa type-7 convert type-5 and default area not-so-stubby lsa type-7 convert type-5 commands allow LSAs to be translated dynamically by removing the area not-so-stubby lsa type-7 convert type-5 command from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id not-so-stubby lsa type-7 convert type-5
no area area_id not-so-stubby lsa type-7 convert type-5
default area area_id not-so-stubby lsa type-7 convert type-5
Parameters
Example
switch(config)# ipv6 router ospf 3
switch(config-router-ospf3)# area 3 not-so-stubby lsa type-7 convert type-5
switch(config-router-ospf)#
The area nssa command configures an OSPFv3 area as a Not-So-Stubby Area (NSSA). All routers in an AS must specify the same area type for identically numbered areas.
NSSA ASBRs advertise external LSAs that are part of the area, but do not advertise external LSAs from other areas.
Areas are normal by default; area type configuration is required only for stub and NSSA areas. Area 0 is always a normal area and cannot be configured through this command.
The no area nssa command configures the specified area as a normal area by removing the specified area nssa command from running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id nssa [TYPE]
no area area_id nssa [TYPE]
default area area_id nssa [TYPE]
Example
switch(config)# ipv6 router ospf 1
switch(config-router-ospf3)# area 3 nssa nssa-only
switch(config-router-ospf3)#
The area nssa default-information-originate command sets an area as an NSSA and generates a type 7 default LSA if a default route exists in the routing table.
The switch supports three area types:
Areas are normal by default; area type configuration is required only for stub and NSSA areas. Area 0 is always a normal area and cannot be configured through this command.
The no area and default area commands remove the specified area from the OSPFv3 instance by deleting all area commands from the running-config for the specified area, including the area default-cost (OSPFv3) command.
The no area stub and default area stub commands configure the specified area as a normal area.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id nssa default-information-originate [VALUE][TYPE][EXCL]
no area area_id nssa default-information-originate [VALUE][TYPE][EXCL]
default area area_id nssa default-information-originate [VALUE][TYPE][EXCL]
Parameters
switch(config-router-ospf3)# area 3 nssa default-information-originate nssa-only
switch(config-router-ospf3)#
switch(config-router-ospf3)# area 3 nssa default-information-originate
switch(config-router-ospf3)#
The area range command is used by OSPFv3 area border routers to summarize routes.
The no area range and default area range commands remove the area-range by deleting the corresponding area range command from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id range net_addr [ADVERTISE_SETTING][COST_SETTING]
no area area_id range net_addr [ADVERTISE_SETTING][COST_SETTING]
default area area_id range net_addr [ADVERTISE_SETTING][COST_SETTING]
cost range_cost Value ranges from 1 to 65535.
switch(config)# ipv6 router ospf 1
switch(config-router-ospf3)# area 1 range 2001:0DB8:0:1::/64
switch(config-router-ospf3)#
switch(config)# ipv6 router ospf 1
switch(config-ospf6-router)# area 1 range 2001:0DB8:0:1::/64 not-advertise
switch(config-ospf6-router)#
The area stub command configures the area type of an OSPFv3 area.
Areas are normal by default.
The no area stub command configures the specified area as a normal area.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
area area_id stub
no area area_id stub
default area area_id stub
Parameters
switch(config)# ipv6 router ospf 3
switch(config-router-ospf3)# area 45 stub
switch(config-router-ospf3)#
switch(config-router-ospf3)# area 10.92.148.17 stub
switch(config-router-ospf3)#
The clear ospfv3 ipv6 force-spf command starts the SPF algorithm without clearing the OSPF database.
Command Mode
Privileged EXEC
Command Syntax
clear ospfv3 ipv6 force-spf [VRF_INSTANCE]
Parameters
Example
switch(config)# clear ospfv3 ipv6 force-spf
switch(config)#
The default-information originate command generates a default external route into an OSPF domain.
The no default-information originate and default default-information originate commands remove the configuration from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
default-information originate [DURATION][VALUE][TYPE][MAP]
no default-information originate
default default-information originate
Parameters
switch(config)# ipv6 router ospf 1
switch(config-router-ospf3)# default-information originate always
switch(config-router-ospf3)# show active
ipv6 router ospf 1
default-information originate always
switch(config)# ipv6 router ospf 1
switch(config-router-ospf3)# default-information originate metric 100 metric-type 1
switch(config-router-ospf3)# show active
ipv6 router ospf 1
default-information originate metric 100 metric-type 1
switch(config-router-ospf3)#
The default-metric command sets the default metric value for routes redistributed into the OSPFv3 domain.
The no default-metric and default default-metric commands restore the default metric to its default value of 10 by removing the default-metric command from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
default-metric def_metric
no default-metric
default default-metric
Parameter
def_metric Values range from 1 to 65535. Default value is 10.
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# default-metric 30
switch(config-router-ospf3)# show active
ipv6 router ospf 9
default-metric 30
switch(config-router-ospf3)#
The distance ospf intra-area command sets the administrative distance for routes in a single OSPFv3 area. The default is 110.
The no distance ospf intra-area and default distance ospf intra-area commands remove the distance ospf intra-area command from the running-config, returning the OSPFv3 intra-area distance setting to the default value of 110.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
distance ospf intra-area distance
no distance ospf intra-area
default distance ospf intra-area
Parameter
distance Values range from 1 to 255. Default is 110.
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# distance ospf intra-area 90
switch(config-router-ospf3)# show active
ipv6 router ospf 9
distance ospf intra-area 90
switch(config-router-ospf3)#
The ipv6 ospf area command enables OSPFv3 on the interface and associates the area to the interface.
OSPFv3 areas are configured by no area (OSPFv3) commands in router-OSPFv3 configuration mode.
The no ipv6 ospf area and default ipv6 ospf area commands disable OSPFv3 on the configuration mode interface by removing the corresponding ipv6 ospf area command from the running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 ospf process_id [area area_id]
no ipv6 ospf process_id [area area_id]
default ipv6 ospf process_id [area area_id]
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 ospf 9 area 0
switch(config-if-Vl200)# show active
interface Vlan200
ipv6 ospf 9 area 0.0.0.0
switch(config-if-Vl200)#
The ipv6 router ospf command places the switch in router-OSPFv3 configuration mode and creates an OSPFv3 instance if one does not already exist. Note that each OSPFv3 instance on the switch must have a unique process ID. A router ID for the new instance will be created if one does not already exist.
The show ipv6 ospf command displays the router ID of each OSPFv3 instance configured on the switch.
The no ipv6 router ospf and default ipv6 router ospf commands delete the OSPFv3 instance.
Refer to the Router-OSPFv3 Configuration Mode command for a list of commands available in router-OSPFv3 configuration mode.
Command Mode
Global Configuration
Command Syntax
ipv6 router ospf process_id [VRF_INSTANCE]
no ipv6 router ospf process_id [VRF_INSTANCE]
default ipv6 router ospf process_id [VRF_INSTANCE]
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# show active
ipv6 router ospf 9
switch(config-router-ospf3)#
switch(config)# no ipv6 router ospf 9
switch(config)#
The log-adjacency-changes command enables syslog messages to be sent when it detects OSPFv3 link state changes or when it detects that a neighbor has gone up or down. Log message sending is enabled by default.
The default log-adjacency-changes command restores the default state by removing the log-adjacency-changes statement from the running-config.
The default option (sending a message only when a neighbor goes up or down) is active when the running-config does not contain any form of the command. Entering the command in any form replaces the previous command state in the running-config.
The no log-adjacency-changes command disables link state change syslog reporting.
The default log-adjacency-changes command restores the default state by removing the log-adjacency-changes detail or no log-adjacency-changes statement from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
log-adjacency-changes [INFO_LEVEL]
no log-adjacency-changes
default log-adjacency-changes
Parameters
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# log-adjacency-changes
switch(config-router-ospf3)# show active
ipv6 router ospf 9
log-adjacency-changes
switch(config-router-ospf3)#
The maximum-paths command sets the maximum number of parallel routes that OSPFv3 supports on the switch.
The no maximum-paths command restores the maximum number of parallel routes that OSPFv3 supports on the switch to the default value of 16 by removing the maximum-paths command from running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
maximum-paths paths
no maximum-paths
default maximum-paths
Parameters
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# maximum-paths 12
switch(config-router-ospf3)#
The max-metric router-lsa command configures OSPF to include the maximum value in LSA metric fields to keep other network devices from using the switch as a preferred intermediate SPF hop.
The no max-metric router-lsa and default max-metric router-lsa commands disable the advertisement of a maximum metric.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
max-metric router-lsa [EXTERNAL][STUB][STARTUP][SUMMARY]
no max-metric router-lsa [EXTERNAL][STUB][STARTUP][SUMMARY]
default max-metric router-lsa [EXTERNAL][STUB][STARTUP][SUMMARY]
Parameters
wait-for-bgp or an on-start time value is not included in no and default commands.
Example
switch(config-router-ospf3)# max-metric router-lsa on-startup wait-for-bgp
switch(config-router-ospf3)#
Area settings can be removed individually; refer to the command description page of the desired command for details.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
no area area_id [TYPE]
default area area_id [TYPE]
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# no area 1 stub
switch(config-router-ospf3)#
The ospfv3 transmit-delay command configures the transmission delay for OSPFv3 packets.
The no ospfv3 transmit-delay and default ospfv3 transmit-delay commands restore the default transmission delay of 1 second on the configuration mode interface by removing the corresponding ospfv3 transmit-delay command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ospfv3 transmit-delay trans
no ospfv3 transmit-delay
default ospfv3 transmit-delay
Parameter
trans Value ranges from 1 to 65535; default is 1.
Guideline
Arista devices also support the legacy ipv6 ospf transmit-delay command in certain software releases of the EOS.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 transmit-delay 10
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 transmit-delay 10
switch(config-if-Vl200)#
The ospfv3 authentication ipsec spi command configures OSPFv3 authentication on an interface.
The default ospfv3 authentication and no ospfv3 authentication commands delete the OSPFv3 authentication on an interface.
Command Mode
Interface-Ethernet Configuration
Command Syntax
ospfv3 authentication ipsec spi spi_value {md5 | sha1} {0 unencrypted_key | 7 hidden_key | KEY}
ospfv3 authentication ipsec spi spi_value {md5 | sha1} passphrase {0 unencrypted_passphrase | 7 hidden_passphrase | LINE}
no ospfv3 authentication
default ospfv3 authentication
Guidelines
Passphrase and key values are exclusive. MD5 and SHA1 keys are derived from the configured passphrase. Arista devices also support the legacy ipv6 ospf authentication ipsec spi command in certain software releases of the EOS.
Restriction
On the same interface, EOS allows security configuration with either AH or ESP but not both. We can have one interface configured with AH and another with ESP.
switch(config)# interface ethernet 9
switch(config-if-Et9)# ospfv3 authentication ipsec spi 3456 md5 0 8FD6158BFE81ADD961241D8E4169D411
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 authentication ipsec spi 3456 md5 7 $1$xtmcMSPzEn+Njp8Lb4qryVVOjKcjsrYuv6dx1O+nSwKQdaiRt2RPTQ==
switch(config-if-Et9)#
switch(config)# interface ethernet 9
switch(config-if-Et9)# ospfv3 authentication ipsec spi 987 sha1 7 $1$VmUkWk6IL2S343bR3BbH0RhgvxHhwBpfvB4VXKNOOQF7HJBp5VvXTfBaVYbgCkWU
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 authentication ipsec spi 987 sha1 7 $1$VmUkWk6IL2S343bR3BbH0RhgvxHhwBpfvB4VXKNOOQF7HJBp5VvXTfBaVYbgCkWU
switch(config-if-Et9)#
switch(config)# interface ethernet 9
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 authentication ipsec spi 3456 md5 7 $1$xtmcMSPzEn+Njp8Lb4qryVVOjKcjsrYuv6dx1O+nSwKQdaiRt2RPTQ==
switch(config-if-Et9)# no ospfv3 authentication
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
switch(config-if-Et9)#
The ospfv3 cost command sets the OSPFv3 cost for the interface. The default OSPFv3 cost is 10.
The no ospfv3 cost and default ospfv3 cost commands restore the default cost of 10 for the configuration mode interface by removing the corresponding ospfv3 cost command from the running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ospfv3 cost interface_cost
no ospfv3 cost
default ospfv3 cost
Parameters
interface_cost Value ranges from 1 to 65535; default is 10.
Guideline
Arista devices also support the legacy ipv6 ospf cost command in certain software releases of the EOS.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 cost 50
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 cost 50
switch(config-if-Vl200)#
The ospfv3 dead-interval command sets the OSPFv3 dead interval.
The no ospfv3 dead-interval and default ospfv3 dead-interval commands restore the default dead interval of 40 seconds on the configuration mode interface by removing the corresponding ospfv3 dead-interval command from the running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ospfv3 dead-interval time
no ospfv3 dead-interval
default ospfv3 dead-interval
Parameter
time Value ranges from 1 to 65535; default is 40.
Guideline
Arista devices also support the legacy ipv6 ospf dead-interval command in certain software releases of the EOS.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 dead-interval 75
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 dead-interval 75
switch(config-if-Vl200)#
The ospfv3 encryption ipsec spi command configures OSPFv3 security on an interface.
The default ospfv3 encryption and no ospfv3 encryption commands delete the OSPFv3 security on an interface.
Command Mode
Interface-Ethernet Configuration
Command Syntax
ospfv3 encryption ipsec spi spi_value esp {3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc} {0 unencrypted_key | 7 encrypted_key} {md5 | sha1} {0 unencrypted_key | 7 encrypted_key | KEY}
ospfv3 encryption ipsec spi spi_value esp {3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc} {0 unencrypted_key | 7 encrypted_key} {md5 | sha1} passphrase {0 unencrypted_passphrase | 7 encrypted_passphrase | LINE}
ospfv3 encryption ipsec spi spi_value esp null {md5 | sha1} {0 unencrypted_key | 7 encrypted_key | KEY}
ospfv3 encryption ipsec spi spi_value esp {md5 | sha1} passphrase {0 unencrypted_passphrase | 7 encrypted_passphrase | LINE}
default ospfv3 encryption
no ospfv3 encryption
Guidelines
Passphrase and key value are exclusive. MD5 and SHA1 keys are derived from the configured passphrase. Arista devices also support the legacy ipv6 ospf encryption ipsec spi command in certain software releases of the EOS.
Restrictions
On the same interface, EOS allows security configuration with either AH or ESP but not both. We can have one interface configured with AH and another with ESP.
switch(config)# interface ethernet 9
switch(config-if-Et9)# ospfv3 encryption ipsec spi 345 esp 3des-cbc sha1 passphrase 0 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 encryption ipsec spi 345 esp 3des-cbc sha1 passphrase 7 $1$VmUkWk6IL2S343bR3BbH0RhgvxHhwBpfvB4VXKNOOQF7HJBp5VvXTfBaVYbgCkWU
switch(config-if-Et9)#
switch(config)# interface ethernet 9
switch(config-if-Et9)# ospfv3 encryption ipsec spi 345 esp 3des-cbc md5 passphrase 7 $1$VmUkWk6IL2S343bR3BbH0RhgvxHhwBpfvB4VXKNOOQF7HJBp5VvXTfBaVYbgCkWU
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 encryption ipsec spi 345 esp 3des-cbc md5 passphrase 7 $1$VmUkWk6IL2S343bR3BbH0RhgvxHhwBpfvB4VXKNOOQF7HJBp5VvXTfBaVYbgCkWU
switch(config-if-Et9)#
switch(config)# interface ethernet 9
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
ospfv3 encryption ipsec spi 3456 md5 7 $1$xtmcMSPzEn+Njp8Lb4qryVVOjKcjsrYuv6dx1O+nSwKQdaiRt2RPTQ==
switch(config-if-Et9)# no ospfv3 encryption
switch(config-if-Et9)# show active
interface Ethernet9
no switchport
switch(config-if-Et9)#
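An added example (not part of the Arista documentation): a Python audit of saved configuration text for the OSPFv3 IPsec settings described in the area encryption, ospfv3 authentication, and ospfv3 encryption sections above. The sample configuration, the finding labels, and the decision to report 3des-cbc and md5 as weak are assumptions of this example; it also assumes a single OSPFv3 instance and indented configuration text.

```python
import ipaddress

# Constructed sample laid out like indented "show active" output.
# HIDDEN and PLAINTEXTKEY are placeholders, not real secrets.
SAMPLE_CONFIG = """\
ipv6 router ospf 9
   area 0.0.0.0 encryption ipsec spi 5678 esp 3des-cbc md5 passphrase 7 HIDDEN
   passive-interface Vlan101
interface Ethernet9
   no switchport
   ipv6 ospf 9 area 0
   ospfv3 authentication ipsec spi 3456 md5 0 PLAINTEXTKEY
interface Ethernet10
   ipv6 ospf 9 area 0.0.0.1
   ospfv3 encryption ipsec spi 345 esp aes-256-cbc 7 HIDDEN sha1 7 HIDDEN
interface Vlan200
   ipv6 ospf 9 area 1
interface Vlan101
   ipv6 ospf 9 area 1
interface Vlan300
   ipv6 ospf 9 area 0
"""

def area_id(text):
    """Normalize '100' or '0.0.0.100' to dotted decimal, as show active prints it."""
    return str(ipaddress.IPv4Address(int(text) if text.isdigit() else text))

def blocks(config):
    """Yield (header tokens, [child line tokens]) for each top-level block."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            children.append(line.split())
        else:
            if header is not None:
                yield header, children
            header, children = line.split(), []
    if header is not None:
        yield header, children

def ipsec_issues(tokens):
    """Return issue labels for one '... ipsec spi <value> ...' line."""
    rest = tokens[tokens.index("spi") + 2:]      # skip 'spi' and the SPI value
    issues = []
    if "esp" in rest:
        cipher = rest[rest.index("esp") + 1]
        if cipher == "3des-cbc":
            issues.append("weak-cipher:3des-cbc")
        elif cipher in ("null", "md5", "sha1"):  # ESP without an encryption algorithm
            issues.append("integrity-only")
    else:
        issues.append("integrity-only")          # authentication command, no encryption
    if "md5" in rest:
        issues.append("weak-hash:md5")
    if "0" in rest:                              # type 0 = key or passphrase in clear text
        issues.append("plaintext-secret")
    return issues

def audit(config):
    """Return sorted (scope, issue) findings for OSPFv3 IPsec settings."""
    findings, protected_areas, passive, interfaces = [], set(), set(), {}
    for header, children in blocks(config):
        if header[:3] == ["ipv6", "router", "ospf"]:
            for t in children:
                if t[0] == "area" and t[2:4] == ["encryption", "ipsec"]:
                    area = area_id(t[1])
                    protected_areas.add(area)
                    findings += [(f"area {area}", i) for i in ipsec_issues(t)]
                elif t[0] == "passive-interface":
                    passive.add("".join(t[1:]).lower())
        elif header[0] == "interface":
            name = "".join(header[1:])
            info = interfaces.setdefault(name, {"area": None, "ipsec": False})
            for t in children:
                if t[:2] == ["ipv6", "ospf"] and "area" in t:
                    info["area"] = area_id(t[t.index("area") + 1])
                elif (t[0] == "ospfv3" and "ipsec" in t
                      and t[1] in ("authentication", "encryption")):
                    info["ipsec"] = True
                    findings += [(name, i) for i in ipsec_issues(t)]
    # OSPFv3-enabled, non-passive interfaces with neither interface nor area security.
    for name, info in interfaces.items():
        if (info["area"] and not info["ipsec"]
                and info["area"] not in protected_areas
                and name.lower() not in passive):
            findings.append((name, "ospfv3-without-ipsec"))
    return sorted(findings)

if __name__ == "__main__":
    for scope, issue in audit(SAMPLE_CONFIG):
        print(f"{scope}: {issue}")
```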
The ospfv3 hello-interval command sets the OSPFv3 hello interval. The hello interval is the period between the transmission of consecutive hello packets.
The hello interval should be the same on each OSPFv3 neighbor and should not be longer than any neighbor's dead interval.
The no ospfv3 hello-interval and default ospfv3 hello-interval commands restore the default hello interval of 10 seconds on the configuration mode interface by removing the ospfv3 hello-interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ospfv3 hello-interval time
no ospfv3 hello-interval
default ospfv3 hello-interval
Parameter
time Values range from 1 to 65535; default is 10.
Guideline
Arista devices also support the legacy ipv6 ospf hello-interval command in certain software releases of the EOS.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 hello-interval 45
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 hello-interval 45
switch(config-if-Vl200)#
The ospfv3 ipv6 retransmit-interval command configures the link state advertisement retransmission interval.
The no ospfv3 ipv6 retransmit-interval and default ospfv3 ipv6 retransmit-interval commands restore the default retransmission interval of 5 seconds on the configuration mode interface by removing the corresponding ospfv3 ipv6 retransmit-interval command from the running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ospfv3 ipv6 retransmit-interval period
no ospfv3 ipv6 retransmit-interval
default ospfv3 ipv6 retransmit-interval
Parameter
period Value ranges from 1 to 65535; default is 5.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 ipv6 retransmit-interval 25
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 ipv6 retransmit-interval 25
switch(config-if-Vl200)#
The ospfv3 network command sets the configuration mode interface as a point-to-point link. By default, interfaces are set as broadcast links.
The no ospfv3 network and default ospfv3 network commands set the configuration mode interface as a broadcast link by removing the corresponding ospfv3 network command from the running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ospfv3 network point-to-point
no ospfv3 network
default ospfv3 network
Guideline
Arista devices also support the legacy ipv6 ospf network command in certain software releases of the EOS.
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 network point-to-point
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 network point-to-point
switch(config-if-Vl200)#
switch(config)# interface vlan 200
switch(config-if-Vl200)# no ospfv3 network
switch(config-if-Vl200)# show active
interface Vlan200
switch(config-if-Vl200)#
The ospfv3 priority command configures the OSPFv3 router priority.
The no ospfv3 priority and default ospfv3 priority commands restore the default priority (1) on the interface by removing the corresponding ospfv3 priority command from the running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ospfv3 priority priority_level
no ospfv3 priority
default ospfv3 priority
Parameter
priority_level Settings range from 0 to 255.
Guideline
Arista devices also support the legacy ipv6 ospf priority command in certain software releases of the EOS.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ospfv3 priority 128
switch(config-if-Vl200)# show active
interface Vlan200
ospfv3 priority 128
switch(config-if-Vl200)#
The passive-interface command disables OSPF on an interface range. All interfaces are active by default.
The no passive-interface and default passive-interface commands enable OSPFv3 on the specified interface range by removing the corresponding passive-interface statements from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
passive-interface INTERFACE_NAME
no passive-interface INTERFACE_NAME
default passive-interface INTERFACE_NAME
Valid e_range, l_range, m_range, p_range, v_range, and vx_range formats include number, range, or comma-delimited list of numbers and ranges.
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# passive-interface vlan 101-103
switch(config-router-ospf3)# show active
ipv6 router ospf 9
passive-interface Vlan101
passive-interface Vlan102
passive-interface Vlan103
switch(config-router-ospf3)#
The redistribute command enables the advertising of all specified routes into the OSPFv3 domain as external routes.
The no redistribute and default redistribute commands remove the corresponding redistribute command from the running-config, disabling route redistribution for the specified route type.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
redistribute ROUTE_TYPE ROUTE_MAP
no redistribute ROUTE_TYPE
default redistribute ROUTE_TYPE
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# redistribute static
switch(config-router-ospf3)# show active
ipv6 router ospf 9
redistribute connected
redistribute static
switch(config-router-ospf3)#
The router-id command assigns the router ID for an OSPFv3 instance. The switch sets the router ID to the first available alternative in the following list:
The no router-id and default router-id commands remove the router ID command from the running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
router-id identifier
no router-id
default router-id
Parameters
identifier Value ranges from 0.0.0.0 to 255.255.255.255 (dotted decimal notation).
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# router-id 10.10.1.4
switch(config-router-ospf3)# show active
ipv6 router ospf 9
router-id 15.10.1.4
switch(config-router-ospf3)#
The show ipv6 ospf border-routers command displays the OSPF routing table entries.
Command Mode
EXEC
Command Syntax
show ipv6 ospf border-routers [VRF_INSTANCE]
Example
switch# show ipv6 ospf border-routers
Routing Process "ospf 9", VRF default
Router 10.37.0.32 area 0.0.0.0 ASBR
Router 10.37.0.18 area 0.0.0.0 ASBR
Router 10.37.0.22 area 0.0.0.0 ASBR ABR
Router 10.37.0.31 area 0.0.0.0 ASBR ABR
Router 10.37.0.58 area 0.0.0.0 ASBR
Router 10.37.0.37 area 0.0.0.0 ASBR
Router 10.37.0.22 area 0.0.0.2 ASBR ABR
Router 10.37.0.31 area 0.0.0.2 ASBR ABR
switch>
The show ipv6 ospf database link command displays link state advertisement details. The switch can return link state data about a single area or for all areas on the switch.
Command Mode
EXEC
Command Syntax
show ipv6 ospf database link if-name [INTF_ID][LS_ID][ROUTER][DATA_LEVEL]
Valid range formats include number, range, or comma-delimited list of numbers and ranges.
Example
switch# show ipv6 ospf database link if-name ethernet 4/1
Codes: AEX - AS External, GRC - Grace,
IAP - Inter Area Prefix, IAR - Inter Area Router,
LNK - Link, NAP - Intra Area Prefix,
NSA - Not So Stubby Area, NTW - Network,
RTR - Router
Routing Process "ospf 1":
switch>
The show ipv6 ospf database link command displays information of the link state advertisements. The switch can return link state data about a single area or for all areas on the switch.
Command Mode
EXEC
Command Syntax
show ipv6 ospf database link if-type [INTF_TYPE][LS_ID][ROUTER][DATA_LEVEL]
Example
switch# show ipv6 ospf database link if-type broadcast
Codes: AEX - AS External, GRC - Grace,
IAP - Inter Area Prefix, IAR - Inter Area Router,
LNK - Link, NAP - Intra Area Prefix,
NSA - Not So Stubby Area, NTW - Network,
RTR - Router
Routing Process "ospf 1":
Interface et4 LSDB
Type Link ID ADV Router Age Seq# Checksum
LNK 0.0.0.61 10.26.0.49 1378 0x80000027 0x00f8b0
LNK 0.0.0.20 10.26.0.23 1371 0x80000027 0x005423
Interface et7 LSDB
Type Link ID ADV Router Age Seq# Checksum
LNK 0.0.0.61 10.26.0.50 1298 0x80000028 0x005e0d
LNK 0.0.0.38 10.26.0.23 1291 0x80000028 0x00ce8d
Interface vlan3901 LSDB
Type Link ID ADV Router Age Seq# Checksum
LNK 0.0.0.36 10.26.0.22 216 0x800000b0 0x00c2b1
LNK 0.0.0.19 10.26.0.23 231 0x800000b0 0x00cfca
switch>
The show ipv6 ospf database command displays the OSPF link state advertisements that originate on a switch.
Command Mode
EXEC
Command Syntax
show ipv6 ospf database [FILTER][LINKSTATE_ID][ROUTER][DATA_LEVEL]
Example
switch# show ipv6 ospf database 10.26.0.23
Codes: AEX - AS External, GRC - Grace,
IAP - Inter Area Prefix, IAR - Inter Area Router,
LNK - Link, NAP - Intra Area Prefix,
NSA - Not So Stubby Area, NTW - Network,
RTR - Router
Routing Process "ospf 9":
AS Scope LSDB
Type Link ID ADV Router Age Seq# Checksum
AEX 0.0.0.5 10.37.0.37 15 0x80000005 0x00be82
AEX 0.0.0.9 10.37.0.22 1747 0x8000002b 0x00df56
AEX 0.0.0.3 10.37.0.46 599 0x8000002d 0x00651d
Area 0.0.0.0 LSDB
Type Link ID ADV Router Age Seq# Checksum
RTR 0.0.0.0 10.37.0.32 234 0x80000031 0x00585a
NTW 0.0.0.26 10.37.0.32 271 0x80000005 0x005609
NAP 0.0.0.26 10.37.0.32 274 0x80000005 0x00964c
Interface vlan3911 LSDB
Type Link ID ADV Router Age Seq# Checksum
LNK 0.0.0.38 10.37.0.22 267 0x80000005 0x00a45a
LNK 0.0.0.23 10.37.0.23 270 0x8000002c 0x005b7e
Interface vlan3902 LSDB
Type Link ID ADV Router Age Seq# Checksum
LNK 0.0.0.17 10.37.0.11 1535 0x8000002b 0x007120
LNK 0.0.0.37 10.37.0.22 7 0x8000002b 0x00ce23
LNK 0.0.0.22 10.37.0.23 250 0x8000002d 0x00c350
switch>
The show ipv6 ospf database link command displays details of the specified link state advertisements. The switch can return link state data about a single area or for all areas on the switch.
Command Mode
EXEC
Command Syntax
show ipv6 ospf database link [LINKSTATE_ID][ROUTER][DATA_LEVEL]
Example
switch# show ipv6 ospf database link
Codes: AEX - AS External, GRC - Grace,
IAP - Inter Area Prefix, IAR - Inter Area Router,
LNK - Link, NAP - Intra Area Prefix,
NSA - Not So Stubby Area, NTW - Network,
RTR - Router
Routing Process "ospf 9":
switch>
The show ipv6 ospf database command displays data from the OSPF database. The switch can return link state data for a single VRF or for all VRFs on the switch.
Command Mode
EXEC
Command Syntax
show ipv6 ospf database [VRF_INSTANCE]
Example
switch# show ipv6 ospf database vrf blue
Codes: AEX - AS External, GRC - Grace,
IAP - Inter Area Prefix, IAR - Inter Area Router,
LNK - Link, NAP - Intra Area Prefix,
NSA - Not So Stubby Area, NTW - Network,
RTR - Router
Routing Process "ospf 9", VRF blue
AS Scope LSDB
switch>
The show ipv6 ospf database <link-state details> command displays detailed information about the specified link state advertisements. The switch can return link state data about a single area or for all areas on the switch.
Command Mode
EXEC
Command Syntax
show ipv6 ospf database [FILTER][LINK_TYPE][LINKSTATE_ID][ROUTER][DATA_LEVEL]
Example
switch# show ipv6 ospf database detail
Codes: AEX - AS External, GRC - Grace,
IAP - Inter Area Prefix, IAR - Inter Area Router,
LNK - Link, NAP - Intra Area Prefix,
NSA - Not So Stubby Area, NTW - Network,
RTR - Router
Routing Process "ospf 9":
AS Scope LSDB
LSA Type: AEX
Link State ID: 0.0.0.1
Advertising Router: 10.21.4.9
Age: 1123
Sequence Number: 0x80000001
Checksum: 0x009c89
Length: 40
Metric Type: 2
Metric: 1
External Route Tag: 0
Prefix
Prefix: fd7a:629f:52a4:1::
Length: 64
Options: (null)
Metric: 0
Area 0.0.1.44 LSDB
LSA Type: LNK
Link State ID: 0.0.0.14
Advertising Router: 10.26.0.11
Age: 1285
Sequence Number: 0x800000c1
Checksum: 0x00629b
Length: 56
Option Priority: 16777235
Link Local Addr: fe80::21c:73ff:fe0b:a80e
Number of Prefixes: 1
Prefix
Prefix: fd7a:629f:52a4:fe08::
Length: 64
Options: (null)
Metric: 0
LSA Type: LNK
Link State ID: 0.0.0.34
Advertising Router: 10.26.0.22
Age: 1042
Sequence Number: 0x800000c2
Checksum: 0x00bd9f
Length: 56
Option Priority: 16777235
Link Local Addr: fe80::21c:73ff:fe01:5fe1
Number of Prefixes: 1
Prefix
Prefix: fd7a:629f:52a4:fe08::
Length: 64
Options: (null)
Metric: 0
LSA Type: LNK
Link State ID: 0.0.0.15
Advertising Router: 10.26.0.23
Age: 1128
Sequence Number: 0x800000c7
Checksum: 0x00d4ab
Length: 56
Option Priority: 16777235
Link Local Addr: fe80::21c:73ff:fe00:1319
Number of Prefixes: 1
Prefix
Prefix: fd7a:629f:52a4:fe08::
Length: 64
Options: (null)
Metric: 0
Interface vlan3925 LSDB
LSA Type: LNK
Link State ID: 0.0.0.153
Advertising Router: 10.27.0.52
Age: 1186
Sequence Number: 0x800009b6
Checksum: 0x002f27
Length: 56
Option Priority: 16777235
Link Local Addr: fe80::21c:73ff:fe17:3906
Number of Prefixes: 1
Prefix
Prefix: fd7a:629f:52a4:fe67::
Length: 64
Options: (null)
Metric: 0
Interface lo0 LSDB
switch>
The show ipv6 ospf interface command displays OSPFv3 information on interfaces where OSPFv3 is enabled.
Command Mode
EXEC
Command Syntax
show ipv6 ospf interface [VRF_INSTANCE]
Example
switch# show ipv6 ospf interface
Ethernet17 is up
Interface Address fe80::48c:73ff:fe00:1319, VRF default, Area 0.0.0.0
Network Type Broadcast, Cost 10
Transmit Delay is 1 sec, State Backup DR, Priority 1
Designated Router is 10.37.0.37
Backup Designated Router is 10.37.0.23
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 1
Options are R E V6
Vlan31 is up
Interface Address fe80::48c:73ff:fe00:1319, VRF default, Area 0.0.0.0
Network Type Broadcast, Cost 10
Transmit Delay is 1 sec, State Backup DR, Priority 1
Designated Router is 10.37.0.22
Backup Designated Router is 10.37.0.23
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 1
Options are R E V6
Vlan32 is up
Interface Address fe80::48c:73ff:fe00:1319, VRF default, Area 0.0.0.0
Network Type Broadcast, Cost 10
Transmit Delay is 1 sec, State DR Other, Priority 1
Designated Router is 10.37.0.11
Backup Designated Router is 10.37.0.22
Timer intervals configured, Hello 10, Dead 40, Retransmit 5
Neighbor Count is 2
Options are R E V6
switch>
The show ipv6 ospf lsa-log command displays log entries when LSA update messages are sent or received for OSPFv3.
Command Mode
EXEC
Command Syntax
show ipv6 ospf [PROCESS_ID] lsa-log [VRF_INSTANCE]
Example
switch# show ipv6 ospf lsa-log
OSPF3 Process 3.3.3.3, VRF default, LSA Throttling Log:
[04:21:09] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 2000 msecs
[04:21:08] type 1: 3.3.3.3/32 [3.3.3.3], event 2, backoff restarted, new hold value 900 msecs
[04:21:00] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 3000 msecs
[04:21:00] type 1: 3.3.3.3/32 [3.3.3.3], event 4, maxwait value changed, new hold value 3000 msecs
/* Here the maxwait value was changed to 3000 from earlier 32000, this is not part of the log */
[04:20:42] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 32000 msecs
[04:20:10] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 32000 msecs
[04:19:54] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 16000 msecs
[04:19:46] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 8000 msecs
[04:19:42] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 4000 msecs
[04:19:40] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 2000 msecs
[04:19:39] type 1: 3.3.3.3/32 [3.3.3.3], event 2, backoff restarted, new hold value 900 msecs
[04:19:22] type 1: 4.4.4.4/32 [4.4.4.4], event 3, discarded, was early by 995 msecs
[04:19:22] type 1: 3.3.3.3/32 [3.3.3.3], event 0, backoff started, new hold value 1000 msecs
switch>
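One way to mine this log for LSA churn, as an added Python example (not part of EOS or of the original page): it parses the entries shown above and reports, per LSA, how often the throttle backed off, how often it restarted, and whether the hold time reached the maximum wait. The function names and the 32000 ms ceiling passed in are assumptions; the sample lines are the page's own output.

```python
import re
from collections import defaultdict

# Entries copied from the example output above (newest first).
SAMPLE = """\
OSPF3 Process 3.3.3.3, VRF default, LSA Throttling Log:
[04:21:09] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 2000 msecs
[04:21:08] type 1: 3.3.3.3/32 [3.3.3.3], event 2, backoff restarted, new hold value 900 msecs
[04:21:00] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 3000 msecs
[04:21:00] type 1: 3.3.3.3/32 [3.3.3.3], event 4, maxwait value changed, new hold value 3000 msecs
[04:20:42] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 32000 msecs
[04:20:10] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 32000 msecs
[04:19:54] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 16000 msecs
[04:19:46] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 8000 msecs
[04:19:42] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 4000 msecs
[04:19:40] type 1: 3.3.3.3/32 [3.3.3.3], event 1, backed off, new hold value 2000 msecs
[04:19:39] type 1: 3.3.3.3/32 [3.3.3.3], event 2, backoff restarted, new hold value 900 msecs
[04:19:22] type 1: 4.4.4.4/32 [4.4.4.4], event 3, discarded, was early by 995 msecs
[04:19:22] type 1: 3.3.3.3/32 [3.3.3.3], event 0, backoff started, new hold value 1000 msecs
switch>
"""

LINE = re.compile(
    r"\[(?P<time>\d\d:\d\d:\d\d)\] type (?P<type>\S+): (?P<lsid>\S+) "
    r"\[(?P<adv>[^\]]+)\], event (?P<event>\d+), (?P<what>[^,]+), (?P<detail>.*)")
MSECS = re.compile(r"(\d+)(?: msecs)?$")


def parse(text):
    """Return one dict per log entry; headers, prompts and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["event"] = int(entry["event"])
        n = MSECS.search(entry["detail"])
        entry["msecs"] = int(n.group(1)) if n else None
        entries.append(entry)
    return entries


def summarize(entries, max_wait_ms):
    """Per (type, link-state ID, advertising router): throttle activity counters."""
    stats = defaultdict(lambda: {"backed_off": 0, "restarts": 0, "discarded": 0,
                                 "peak_hold": 0, "at_ceiling": 0})
    for e in entries:
        s = stats[(e["type"], e["lsid"], e["adv"])]
        hold = e["msecs"] or 0
        if e["what"] == "backed off":
            s["backed_off"] += 1
            s["peak_hold"] = max(s["peak_hold"], hold)
            if hold >= max_wait_ms:          # throttle pinned at the maximum wait
                s["at_ceiling"] += 1
        elif e["what"] == "backoff restarted":
            s["restarts"] += 1
        elif e["what"] == "discarded":       # LSA arrived before it could be accepted
            s["discarded"] += 1
    return dict(stats)


def churning(entries, max_wait_ms):
    """LSAs whose hold time hit the ceiling at least once (sustained regeneration)."""
    return sorted(k for k, s in summarize(entries, max_wait_ms).items()
                  if s["at_ceiling"] > 0)


if __name__ == "__main__":
    for key in churning(parse(SAMPLE), max_wait_ms=32000):
        print("sustained LSA churn:", key)
```

An LSA that repeatedly reaches the ceiling is being regenerated faster than the throttle allows, which is worth correlating with link flaps or an unexpected originator.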
The show ipv6 ospf neighbor state command displays the state information on OSPF neighbors on a per-interface basis.
Command Mode
EXEC
Command Syntax
show ipv6 ospf neighbor state STATE_NAME [VRF_INSTANCE]
Example
switch# show ipv6 ospf neighbor state full
Routing Process "ospf 3":
switch>
The show ipv6 ospf neighbor summary command displays a single line of state information for each OSPFv3 neighbor.
Command Mode
EXEC
Command Syntax
show ipv6 ospf neighbor summary [VRF_INSTANCE]
Parameters
Example
switch# show ipv6 ospf neighbor summary
Routing Process "ospf 1":
3 neighbors are in state Down
3 neighbors are in state Full
5 neighbors are in state Init
0 neighbors are in state Loading
0 neighbors are in state Attempt
3 neighbors are in state Restarting
0 neighbors are in state Exchange
3 neighbors are in state 2 Ways
0 neighbors are in state Exch Start
switch>
The show ipv6 ospf neighbor command displays OSPFv3 neighbor information.
Command Mode
EXEC
Command Syntax
show ipv6 ospf neighbor [VRF_INSTANCE]
Parameters
Example
switch# show ipv6 ospf neighbor
Routing Process "ospf 9":
Neighbor 10.37.0.37 VRF default priority is 1, state is Full
In area 0.0.0.0 interface et12
DR is 10.37.0.37 BDR is 10.37.0.23
Options is 0
Dead timer is due in 37 seconds
Neighbor 10.37.0.22 VRF default priority is 1, state is Full
In area 0.0.0.0 interface vlan3911
DR is 10.37.0.22 BDR is 10.37.0.23
Options is 0
Dead timer is due in 31 seconds
Neighbor 10.37.0.11 VRF default priority is 1, state is Full
In area 0.0.0.0 interface vlan3902
DR is 10.37.0.11 BDR is 10.37.0.22
Options is 0
Dead timer is due in 33 seconds
Neighbor 10.37.0.22 VRF default priority is 1, state is Full
In area 0.0.0.0 interface vlan3902
DR is 10.37.0.11 BDR is 10.37.0.22
Options is 0
Dead timer is due in 31 seconds
Neighbor 10.37.0.22 VRF default priority is 1, state is Full
In area 0.0.0.0 interface vlan3923
DR is 10.37.0.22 BDR is 10.37.0.46
Options is 0
Dead timer is due in 31 seconds
Neighbor 10.37.0.22 VRF default priority is 1, state is Full
In area 0.0.0.0 interface vlan3908
DR is 10.37.0.22 BDR is 10.37.0.21
Options is 0
Dead timer is due in 39 seconds
Neighbor 10.37.0.22 VRF default priority is 1, state is Full
In area 0.0.0.2 interface vlan3992
DR is 10.37.0.22 BDR is 10.37.0.23
Options is 0
Dead timer is due in 39 seconds
switch>
The show ipv6 ospf spf-log command displays when and how long the switch took to run a full SPF calculation for OSPFv3.
Command Mode
EXEC
Command Syntax
show ipv6 ospf [PROCESS_ID] spf-log [VRF_INSTANCE]
Example
switch# show ipv6 ospf spf-log
OSPF3 Process 172.26.0.22, VRF default
TIME EVENT REASON
04:54:52.070 SPF ran for 0.70 ms
04:54:52.070 Scheduled after 0 ms Router LSA generation
04:54:39.151 SPF ran for 0.71 ms
04:54:39.151 Scheduled after 0 ms Router LSA generation
04:54:12.071 SPF ran for 0.56 ms
04:54:12.070 Scheduled after 0 ms Router LSA generation
04:54:04.153 SPF ran for 0.29 ms
04:53:59.153 Scheduled after 4999 ms Router LSA generation
04:53:59.153 SPF ran for 0.25 ms
04:53:59.151 Scheduled after 0 ms Router LSA generation
04:53:33.081 SPF ran for 0.3 ms
04:53:33.081 Scheduled after 0 ms ECMP max nexthop cfg change
switch>
The show ipv6 ospf command displays information about OSPFv3 routing.
Command Mode
EXEC
Command Syntax
show ipv6 ospf [access-list | border-routers | database | interface | lsa-log | neighbor | request-list | retransmission-list | spf-log | vrf ] Process ID
switch# show ipv6 ospf
Routing Process "ospfv3 0" with ID 11.1.11.1 and Instance 0 VRF default
FIPS mode disabled
It is not an autonomous system boundary router and is not an area border router
Minimum LSA arrival interval 1000 msecs
Initial LSA throttle delay 1000 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
It has 0 fully adjacent neighbors
Number of areas in this router is 0. 0 normal, 0 stub, 0 nssa
Number of LSAs 0
Initial SPF schedule delay 0 msecs
Minimum hold time between two consecutive SPFs 5000 msecs
Current hold time between two consecutive SPFs 5000 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 00:07:13 ago
No scheduled SPF
Adjacency exchange-start threshold is 20
Maximum number of next-hops supported in ECMP is 32
Number of backbone neighbors is 0
Graceful-restart is not configured
Graceful-restart-helper mode is enabled
switch# show ipv6 ospf lsa-log
[22:11:02] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[21:31:02] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[20:56:22] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[20:18:12] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[19:47:22] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[19:13:22] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[18:39:32] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[18:06:32] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[17:26:42] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[16:48:42] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[16:13:12] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[15:36:52] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[15:03:32] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[14:27:52] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[13:52:02] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[13:15:02] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[12:39:42] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[12:00:02] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[11:27:22] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[10:53:22] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[10:17:12] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
[09:42:42] type RTR: 0.0.0.0 [13.13.13.13], event 2, backoff restarted, new hold value 1000 msecs
The show ospfv3 command displays the OSPFv3 configuration of OSPFv3 address family and routing process.
Command Mode
EXEC
Command Syntax
show ospfv3 [access-list | border-routers | database | interface | ipv4 | ipv6 | lsa-log | neighbor | request-list | retransmission-list | spf-log | vrf]
switch# show ospfv3
OSPFv3 address-family ipv6
Routing Process "ospfv3" with ID 13.13.13.13 and Instance 0 VRF default
FIPS mode disabled
It is not an autonomous system boundary router and is not an area border router
Minimum LSA arrival interval 1000 msecs
Initial LSA throttle delay 1000 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Interface flood pacing timer 50 msecs
It has 0 fully adjacent neighbors
Number of areas in this router is 1. 1 normal, 0 stub, 0 nssa
Number of LSAs 1
Initial SPF schedule delay 0 msecs
Minimum hold time between two consecutive SPFs 5000 msecs
Current hold time between two consecutive SPFs 5000 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 3d23h ago
No scheduled SPF
Adjacency exchange-start threshold is 20
Maximum number of next-hops supported in ECMP is 32
Number of backbone neighbors is 0
Graceful-restart is not configured
Graceful-restart-helper mode is enabled
Area 0.0.0.0
Number of interface in this area is 0
It is a normal area
SPF algorithm executed 2 times
switch# show ospfv3 database database-summary
OSPFv3 address-family ipv4
Routing Process "ospfv3" Instance 64 VRF default
LSA Type Count
Router 1
Network 0
Inter Area Prefix 0
Inter Area Router 0
Summary Asex 0
Nssa 0
Link 0
Intra Area Prefix 0
Grace 0
Total 1
OSPFv3 address-family ipv6
Routing Process "ospfv3" Instance 0 VRF default
LSA Type Count
Router 0
Network 0
Inter Area Prefix 0
Inter Area Router 0
Summary Asex 0
Nssa 0
Link 0
Intra Area Prefix 0
Grace 0
Total 0
ro301.02:05:02(config-router-ospfv3-af)#
switch# show ospfv3 spf-log
OSPFv3 address-family ipv4
Routing Process "ospfv3" with ID 11.1.11.1 and Instance 64, VRF default
TIME EVENT REASON
02:00:13.495 SPF ran for 0.064 ms
02:00:13.335 Scheduled after 0.000 ms Router LSA generation
01:59:55.499 SPF ran for 0.061 ms
01:59:54.604 Scheduled after 0.000 ms ECMP max nexthop cfg change
OSPFv3 address-family ipv6
Routing Process "ospfv3" with ID 11.1.11.1 and Instance 0, VRF default
TIME EVENT REASON
02:00:13.495 SPF ran for 0.064 ms
02:00:13.335 Scheduled after 0.000 ms OSPF3 re-initialisation
01:59:55.499 SPF ran for 0.089 ms
01:59:54.603 Scheduled after 0.000 ms ECMP max nexthop cfg change
ro301.02:04:06(config-router-ospfv3-af)#
The shutdown command disables OSPFv3 on the switch.
OSPFv3 is disabled by default on individual interfaces and enabled through ipv6 ospf area commands.
The no shutdown and default shutdown commands enable the OSPFv3 instance by removing the shutdown statement from the OSPFv3 block in running-config.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
shutdown
no shutdown
default shutdown
Example
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# shutdown
switch(config-router-ospf3)# show active
ipv6 router ospf 9
shutdown
switch(config-router-ospf3)#
The timers lsa rx min interval command sets the minimum interval for accepting identical Link-State Advertisements (LSAs) from OSPFv3 neighbors.
The no timers lsa rx min interval and default timers lsa rx min interval commands restore the minimum interval to the default value of one second by removing the timers lsa rx min interval command from the running-config.
Command Mode
Router-OSPFv3 Configuration
Router-OSPFv3 Address-Family
IPv4/IPv6 Configuration
Command Syntax
timers lsa rx min interval lsa_time
no timers lsa rx min interval
default timers lsa rx min interval
Parameter
lsa_time Minimum time (in milliseconds) after which the switch accepts an identical LSA from OSPFv3 neighbors. Value ranges from 0 to 600000 (ms). Default value is 1000 milliseconds (1 second).
Example
switch(config)# router ospfv3
switch(config-router-ospfv3)# timers lsa rx min interval 10
switch(config-router-ospfv3)#
The timers lsa tx delay initial command sets the rate-limiting values for OSPFv3 Link-State Advertisement (LSA) generation.
The no timers lsa tx delay initial and default timers lsa tx delay initial commands restore the default LSA rate-limiting values by removing the timers lsa tx delay initial command from the running-config.
Command Mode
Router-OSPFv3 Configuration
Router-OSPFv3 Address-Family
IPv4/IPv6 Configuration
Command Syntax
timers lsa tx delay initial initial_delay min_hold max_wait
no timers lsa tx delay initial
default timers lsa tx delay initial
Example
These commands set the LSA transmission timers on the switch.
switch(config)# router ospfv3
switch(config-router-ospfv3)# timers lsa tx delay initial 5 100 20000
switch(config-router-ospfv3)#
The no timers spf delay initial and default timers spf delay initial commands restore the default OSPFv3 SPF calculation intervals by removing the timers spf delay initial command from running-config.
Command Mode
Router-OSPFv3 Configuration
Router-OSPFv3 Address-Family
IPv4/IPv6 Configuration
Command Syntax
timers spf delay initial initial_delay hold_interval max_interval
no timers spf
default timers spf
Example
These commands set the SPF timers on the switch.
switch(config)# router ospfv3
switch(config-router-ospfv3)# timers spf delay initial 5 100 20000
switch(config-router-ospfv3)#
The timers command configures the minimum interval between the transmission of consecutive LS update packets in a network.
The no timers and default timers commands set the configured timer value to its default.
Command Mode
Router-OSPFv3 Configuration
Command Syntax
timers {lsa | out-delay | pacing | throttle}
no timers {lsa | out-delay | pacing | throttle}
default timers {lsa | out-delay | pacing | throttle}
switch(config)# ipv6 router ospf 9
switch(config-router-ospf3)# timers pacing flood 50
switch(config-router-ospf3)# show ospfv3
Routing Process "ospfv3 9" with ID 13.13.13.13 and Instance 0 VRF default
FIPS mode disabled
It is not an autonomous system boundary router and is not an area border router
Minimum LSA arrival interval 1000 msecs
Initial LSA throttle delay 1000 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Interface flood pacing timer 50 msecs
It has 0 fully adjacent neighbors
Number of areas in this router is 1. 1 normal, 0 stub, 0 nssa
Number of LSAs 1
Initial SPF schedule delay 0 msecs
Minimum hold time between two consecutive SPFs 5000 msecs
Current hold time between two consecutive SPFs 5000 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 21d19h ago
No scheduled SPF
Adjacency exchange-start threshold is 20
Maximum number of next-hops supported in ECMP is 32
Number of backbone neighbors is 0
Graceful-restart is not configured
Graceful-restart-helper mode is enabled
Area 0.0.0.0
Number of interface in this area is 0
It is a normal area
SPF algorithm executed 2 times
switch(config)# router ospfv3
switch(config-router-ospfv3)# address-family ipv4
switch(config-router-ospfv3-af)# timers pacing flood 50
switch(config-router-ospfv3-af)# show ospfv3
OSPFv3 address-family ipv4
Routing Process "ospfv3" with ID 11.1.11.1 and Instance 64 VRF default
FIPS mode disabled
It is not an autonomous system boundary router and is not an area border router
Minimum LSA arrival interval 1000 msecs
Initial LSA throttle delay 1000 msecs
Minimum hold time for LSA throttle 5000 msecs
Maximum wait time for LSA throttle 5000 msecs
Interface flood pacing timer 50 msecs
It has 0 fully adjacent neighbors
Number of areas in this router is 1. 1 normal, 0 stub, 0 nssa
Number of LSAs 1
Initial SPF schedule delay 0 msecs
Minimum hold time between two consecutive SPFs 5000 msecs
Current hold time between two consecutive SPFs 5000 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
SPF algorithm last executed 00:10:38 ago
No scheduled SPF
Adjacency exchange-start threshold is 20
Maximum number of next-hops supported in ECMP is 32
Number of backbone neighbors is 0
Graceful-restart is not configured
Graceful-restart-helper mode is enabled
Area 0.0.0.0
Number of interface in this area is 0
It is a normal area
SPF algorithm executed 2 times
The Intermediate System-to-Intermediate System (IS-IS) intra-domain routing information exchange protocol was designed by the International Organization for Standardization to support connectionless networking. It is a dynamic routing protocol.
IS-IS is a link-state protocol, which uses the Shortest Path First (SPF) algorithm. IS-IS and the OSPF protocol are similar in many aspects. As an Interior Gateway Protocol (IGP), IS-IS runs inside an Autonomous System (AS).
To enable IS-IS, you must instantiate an IS-IS routing instance and assign it to an interface. Arista IS-IS support includes IS-IS segment routing and IS-IS graceful restart.
Segment Routing (SR) provides a mechanism to simplify the definition of end-to-end paths within IGP topologies by encoding paths as sequences of topological sub-paths, called segments. The IS-IS protocol advertises these segments in four different ways: node segments, prefix segments, proxy-node segments, and adjacency segments.
Node segments represent a node in an IGP topology. A proxy segment is generally associated with an IP(v6) address received from a router that does not support IS-IS SR. Prefix segments represent an ECMP-aware shortest path to a prefix (or a node), as per the state of the IGP topology. Adjacency segments represent a hop over a specific adjacency between two nodes in the IGP.
Topology Independent Fast Reroute, or TI-LFA, uses IS-IS SR to build loop-free alternate paths along the post-convergence path. These loop-free alternates provide fast convergence in the range of sub-50 ms.
The Point of Local Repair (PLR), the router where TI-LFA is configured, switches to these loop-free alternate backup paths in the event of a link down (link-protection) or BFD neighbor down (node-protection) event, protecting traffic destined to IS-IS SR node segments, adjacency segments, and anycast segments while the IGP converges and the post-convergence paths are computed. Anycast segment protection is restricted to those segments which are attached to prefixes with a host mask (/32 for IPv4 addresses and /128 for IPv6 addresses).
Backup paths are only installed for IS-IS SR labeled routes and tunnels corresponding to node segments, adjacency segments, and anycast segments. When requesting node-protection, and no node-protecting LFAs are available, a link-protecting LFA is computed instead. TI-LFA FRR using IS-IS Segment-Routing is available with the multi-agent routing protocol model and the ribd routing protocol model.
Other traffic that resolves over IS-IS SR tunnels, such as LDP pseudowires, BGP LU tunnels, BGP IP routes, L2 EVPN, MPLS L3 VPN, and so on, is also protected by the TI-LFA tunnel that protects the resolving IS-IS SR tunnel.
The following configuration tasks can be performed by Topology Independent Fast Reroute (TI-LFA FRR) using IS-IS Segment-Routing.
IS-IS Graceful Restart (GR) is a mechanism to prevent routing protocol re-convergence during a processor switchover or device downtime. Normally, when a router restarts, all the neighboring routers associated with that router detect that the device has gone down and remove routes from that neighbor. When the router restarts, the session is re-established and data transfer continues. During the restart, the removal and re-insertion of routes will result in data loss. This can be prevented by configuring graceful restart on the device.
With IS-IS Graceful Restart (GR) configured, a redundancy switchover from active to standby supervisor, or SSU, or restart of the IS-IS software (the RIB agent) should be a hitless event if the GR completes successfully. Neighboring routers will continue to forward traffic to the restarting router and traffic forwarding through the restarting router continues without loss. If GR is successful, the failure of a router should be completely transparent to network applications.
Dynamic Flooding allows IS-IS to scale to large, dense topologies such as Leaf-Spine topologies. In such topologies, legacy IS-IS can exhibit a congestive collapse due to the control plane load created by excessively redundant flooding.
The concept in Dynamic Flooding is to dynamically compute a restricted topology for flooding (the flooding topology). Since this can be much smaller than the full physical topology, this can reduce the redundancy seen by each node, thereby reducing the control plane load and avoiding a congestive collapse.
To do this, first select one node within the IS-IS area as the area leader. Leverage the Designated Intermediate System (DIS) election algorithm for this, except instead of applying it to the neighbors on an interface, compute it across all of the nodes within the area.
The area leader is responsible for computing the flooding topology. This is distributed to the other nodes in the area through the Area System IDs TLV and the Flooding Path TLV.
All nodes within the area then flood only on the flooding topology.
A flooding topology on a dense graph. The flooding topology is shown by the solid lines. Dotted lines indicate non-flooding links.
In a dense topology, this can reduce the amount of flooding by an order of magnitude or more, with a resulting increase in scalability.
The switch supports only one IS-IS routing instance per VRF. The routing instance uniquely identifies the switch to other devices. IS-IS configuration commands apply globally to the IS-IS instance.
The switch must be in router IS-IS configuration mode to run IS-IS configuration commands. The router isis command places the switch in router IS-IS configuration mode.
Example
switch(config)# router isis Osiris
switch(config-router-isis)#
After creating an IS-IS routing instance, configure the Network Entity Title (NET) with the net command. The NET defines the IS-IS area address and the system ID of the device.
Example
switch(config)# router isis Osiris
switch(config-router-isis)# net 49.0001.1010.1040.1030.00
The address-family command enables the address families that IS-IS will route and places the switch in the configuration mode for that address family. The address families supported are IPv4 unicast and IPv6 unicast.
Example
switch(config)# router isis Osiris
switch(config-router-isis)# address-family ipv4 unicast
switch(config-router-isis-af)#
After enabling IS-IS globally, enable it on an interface with the isis enable command.
Example
switch(config-router-isis)# interface ethernet 4
switch(config-if-Eth4)# isis enable Osiris
The is-type command sets the routing level for an IS-IS instance.
Example
switch(config)# router isis Osiris
switch(config-router-isis)# is-type level-2
switch(config-router-isis)#
The redistribute (IS-IS) command configures redistribution of connected or static non-ISIS routes.
Example
switch(config)# router isis Osiris
switch(config-router-isis)# redistribute connected
switch(config-router-isis)#
Non-ISIS routes can be exported into Level-1, Level-2, or both using a route map. By default, the routes are exported only to Level-2; to export to Level-1 or to both levels, configure the route map using the set isis level command. The Level-1 or Level-2 routes can also be filtered using the route map's match statement. The route map is then used when redistributing routes into IS-IS with the redistribute (IS-IS) command.
Use the show isis database detail command to make sure that the route shows up in the exported level.
switch(config)# route-map rm
switch(config-route-map-rm)# set isis level level-1
switch(config-route-map-rm)# router isis osiris
switch(config-router-isis)# redistribute connected route-map rm
switch(config-router-isis)#
switch# show isis database detail
ISIS Instance: inst1 VRF: default
ISIS Level 1 Link State Database
LSPID Seq Num Cksum Life IS Flags
1111.1111.1001.00-00 10 63306 751 L2 <>
NLPID: 0xCC(IPv4) 0x8E(IPv6)
Area address: 49.0001
<-------OUTPUT OMITTED FROM EXAMPLE-------->
The redistribute bgp route-map command redistributes the BGP routes from the specified route map into IS-IS. Only one route map can be specified; reissuing the command overrides any previous configuration.
The no redistribute bgp and default redistribute bgp commands disable BGP route redistribution from the specified domain by removing the redistribute bgp statement from running-config.
The command is available in both router IS-IS configuration mode and the address-family submode. The command is rejected if configured in both modes at the same time. Issuing the no or default command in router IS-IS configuration mode has no effect on redistribution configured in the address-family submode.
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv4
switch(config-router-isis-af)# redistribute bgp route-map bgp-to-isis-v4
switch(config-router-isis-af)#
switch(config)# router isis 1
switch(config-router-isis)# redistribute bgp route-map bgp-to-isis
In scenarios when Border Gateway Protocol (BGP) routes are resolved using an Interior Gateway Protocol (IGP), if the transit router reboots and becomes available again, the IGP will consider the transit router as an optimal path again. After rebooting, the transit router will blackhole traffic until the transit router learns the external destination reachability information via BGP.
These commands configure the switch to set the overload bit in LSPs sent for 120 seconds after startup.
switch(config)# router isis Osiris
switch(config-router-isis)# set-overload-bit on-startup 120
switch(config-router-isis)#
switch(config)# router isis Osiris
switch(config-router-isis)# set-overload-bit on-startup wait-for-bgp
switch(config-router-isis)# set-overload-bit on-startup wait-for-bgp timeout 750
switch(config-router-isis)#
To configure authentication for the IS-IS instance, causing LSPs, CSNPs and PSNPs to be authenticated, use the authentication mode and authentication key commands. To configure authentication on the interface, causing IS-IS Hellos to be authenticated, use the isis authentication mode and isis authentication key commands on the interface.
Two forms of authentication are supported by the IS-IS routing protocol: clear-text authentication and MD5 authentication. The difference between the two forms of authentication is in the level of security provided. In the case of clear-text authentication, the password is specified as text in the authentication TLV, making it possible for an attacker to break authentication by sniffing and capturing IS-IS PDUs on the network. Arista recommends using MD5 authentication.
HMAC MD5 authentication provides much stronger authentication by computing the message digest (on the IS-IS PDU contents) using the secret key to produce a hashed message authentication code (HMAC). Different modes of authentication can be specified on the interface, which authenticates IIH PDUs (IS-IS hello PDUs), and globally in the router IS-IS mode, in which the LSPs, CSNPs and PSNPs are authenticated. Area-wide and domain-wide authentication can be specified for L1 and L2 routers respectively.
switch(config)# router isis 1
switch(config-router-isis)# authentication mode md5
switch(config-router-isis)# authentication key secret
switch(config-router-isis)#
switch(config)# interface Ethernet 3/6
switch(config-if-Et3/6)# isis authentication mode text
switch(config-if-Et3/6)# isis authentication key 7 cAm28+9a/xPi04o7hjd8Jw==
switch(config-if-Et3/6)#
To maximize interoperability, Arista recommends using the same key in both interface mode and in the router isis mode.
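The difference between the two modes at the PDU level, as an added Python example (not Arista code and not part of the original page): it builds a constructed L2 LSP, classifies its authentication TLV, and verifies the HMAC-MD5 digest as RFC 5304 defines it. The key `secret`, the area and the system ID are taken from the page's examples; the function names are illustrative and the sample LSP's checksum is left at zero.

```python
import hashlib
import hmac
import struct

AUTH_TLV = 10            # Authentication Information TLV
AUTH_TEXT = 1            # authentication type: clear-text password
AUTH_HMAC_MD5 = 54       # authentication type: HMAC-MD5 (RFC 5304)
LSP_TYPES = {18, 20}     # PDU types: L1 LSP, L2 LSP


def iter_tlvs(pdu):
    """Yield (tlv_type, value_offset, length) for every TLV in the PDU."""
    off = pdu[1]                         # Length Indicator = fixed header size
    while off + 2 <= len(pdu):
        tlv_type, length = pdu[off], pdu[off + 1]
        if off + 2 + length > len(pdu):
            raise ValueError("truncated TLV")
        yield tlv_type, off + 2, length
        off += 2 + length


def auth_mode(pdu):
    """Return 'none', 'text', 'md5' or 'other' for the PDU's first auth TLV."""
    for tlv_type, voff, length in iter_tlvs(pdu):
        if tlv_type == AUTH_TLV and length >= 1:
            return {AUTH_TEXT: "text", AUTH_HMAC_MD5: "md5"}.get(pdu[voff], "other")
    return "none"


def hmac_md5_digest(pdu, key, voff):
    """HMAC-MD5 over the PDU with the fields RFC 5304 says to zero first."""
    buf = bytearray(pdu)
    buf[voff + 1:voff + 17] = bytes(16)          # Authentication Value
    if (buf[4] & 0x1F) in LSP_TYPES:
        buf[10:12] = bytes(2)                    # Remaining Lifetime (aged in transit)
        buf[24:26] = bytes(2)                    # Checksum
    return hmac.new(key, bytes(buf), hashlib.md5).digest()


def verify_hmac_md5(pdu, key):
    """True only if the PDU carries an HMAC-MD5 TLV whose digest matches the key."""
    for tlv_type, voff, length in iter_tlvs(pdu):
        if tlv_type == AUTH_TLV and length == 17 and pdu[voff] == AUTH_HMAC_MD5:
            expected = hmac_md5_digest(pdu, key, voff)
            return hmac.compare_digest(bytes(pdu[voff + 1:voff + 17]), expected)
    return False


def build_lsp(md5_key=None, text_key=None, lifetime=1200):
    """Constructed L2 LSP (sample data, not a capture) with an optional auth TLV."""
    if md5_key is not None:
        auth = bytes([AUTH_TLV, 17, AUTH_HMAC_MD5]) + bytes(16)
    elif text_key is not None:
        auth = bytes([AUTH_TLV, 1 + len(text_key), AUTH_TEXT]) + text_key
    else:
        auth = b""
    area = bytes([1, 4, 3, 0x49, 0x00, 0x01])    # Area Addresses TLV: 49.0001
    tlvs = auth + area
    common = bytes([0x83, 27, 1, 0, 20, 1, 0, 0])    # PDU type 20 = L2 LSP
    lsp_id = bytes.fromhex("1010104010300000")       # 1010.1040.1030.00-00
    # PDU length, remaining lifetime, LSP ID, sequence number, checksum, flags
    body = struct.pack("!HH8sIHB", 27 + len(tlvs), lifetime, lsp_id, 1, 0, 0x03)
    pdu = bytearray(common + body + tlvs)
    if md5_key is not None:
        pdu[30:46] = hmac_md5_digest(pdu, md5_key, 29)   # auth TLV value starts at 29
    return bytes(pdu)


if __name__ == "__main__":
    key = b"secret"
    md5_lsp, text_lsp = build_lsp(md5_key=key), build_lsp(text_key=key)
    print("md5 mode :", auth_mode(md5_lsp), "key on wire:", key in md5_lsp)
    print("text mode:", auth_mode(text_lsp), "key on wire:", key in text_lsp)
    print("digest verifies:", verify_hmac_md5(md5_lsp, key))
```

In text mode the configured key is carried verbatim in every PDU, while in md5 mode only a digest of the PDU contents appears, so a receiver without the key cannot produce a PDU that verifies.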
Example
This command configures maximum wait interval, initial wait interval, and hold time to 10 seconds, 2000 ms, and 1000 ms respectively.
switch(config)# router isis inst1
switch(config-router-isis)# spf-interval 10 2000 1000
IS-IS Segment Routing (SR) supports global adjacency SIDs for point-to-point interfaces. The adjacency SID is configured as an index using the adjacency-segment command.
Global adjacency segments are represented using an index instead of actual MPLS labels. The index is an offset into the Segment Routing Global Block (SRGB) advertised by a router, resulting in an MPLS label. The default value of SRGB in EOS is Base: 900000 and Size: 65536.
The same index may be used to configure multiple interfaces so that MPLS forms an ECMP group, and the same index may be applied to IPv4 and IPv6 adjacencies.
Example
switch(config-if-Et1)# adjacency-segment ipv4 p2p index 10 global
The command show isis segment-routing adjacency-segments displays the global adjacency SID value and other related information.
interface ethernet1
ip address 1.1.1.1/24
ipv6 address 1000::1/64
isis enable isis1
isis network point-to-point
adjacency-segment ipv4 p2p index 1 global
adjacency-segment ipv6 p2p index 2 global
switch# show isis segment-routing adjacency-segments
System ID: 1000.0000.0002 Instance: isis1
SR supported Data-plane: MPLS SR Router ID: 1.1.1.4
Adj-SID allocation mode: SR-adjacencies
Adj-SID allocation pool: Base: 100000 Size: 16384
Adjacency Segment Count: 2
Flag Descriptions: F: Ipv6 address family, B: Backup, V: Value
L: Local, S: Set
Segment Status codes: L1 - Level-1 adjacency, L2 - Level-2 adjacency, P2P -
Point-to-Point adjacency, LAN - Broadcast adjacency
Locally Originated Adjacency Segments
Adj IP Address Local Intf SID SID Source Flags Type
----------------- ---------- ------ ----------- --------------- -------
1.1.1.2 Et1 1 Configured F:0 B:0 V:0 L:0 S:0 P2P L1
fe80::1:ff:fe65:0 Et1 2 Configured F:1 B:0 V:0 L:0 S:0 P2P L1
Received Global Adjacency Segments
SID Originator Neighbor Flags
--------- -------------------- ---------------- ---------
0 rtrmpls1 1000.0000.0002 F:0 B:0 V:0 L:0 S:0
The log-adjacency-changes (IS-IS) command configures the switch to send syslog messages when it detects IS-IS neighbor adjacency state changes.
Example
switch(config)# router isis Osiris
switch(config-router-isis)# log-adjacency-changes
switch(config-router-isis)#
The is-hostname command configures the use of a human-readable string to represent the symbolic name of an IS-IS router. It also changes the output of IS-IS show commands, to show the IS-IS hostname in place of system IDs if the corresponding IS-IS hostname is known. However, syslogs still use IS-IS system IDs and not the IS-IS hostname.
By default, if there's a hostname configured on the switch, it is used as the IS-IS hostname. It is also possible to deconfigure an assigned hostname for IS-IS using the no is-hostname command. When the IS-IS hostname is removed, the switch goes back to using the switch's hostname as the IS-IS hostname.
switch(config)# router isis inst1
switch(config-router-isis)# is-hostname ishost1
switch(config-router-isis)#
switch(config)# router isis inst1
switch(config-router-isis)# no is-hostname ishost1
switch(config-router-isis)#
The multi-topology command configures IS-IS Multi-Topology (MT) support (disabled by default), enabling an IS-IS router to compute a separate topology for IPv4 and IPv6 links in the network. With MT configured, not all the links in a network need to support both IPv4 and IPv6. Some can support IPv4 or IPv6 individually. The IPv4 SPF will install IPv4 routes using the IPv4 topology, and similarly, the IPv6 SPF will install IPv6 routes using the IPv6 topology. Without MT support, all links in an IS-IS network need to support the same set of address families.
When MT is enabled, each link has a separate IPv4 metric and IPv6 metric.
The isis ipv6 metric command configures the IPv6 metric.
The isis multi-topology command configures the IPv4 or IPv6 address family individually on an interface with both IPv4 and IPv6 addresses.
The address families that are enabled on an interface are based on the global address families enabled in router IS-IS configuration mode, and the addresses configured on the interface. To enable a particular address family on an interface, it needs to have an address configured in that address family. In the case where both IPv4 and IPv6 address families are enabled in router IS-IS configuration mode, then if an interface has IPv4 and IPv6 addresses, both IPv4 and IPv6 address families are enabled on that interface. In the case of an interface with only an IPv4 address family, the IPv4 address family is enabled on that interface. Where an interface only has an IPv6 address family, the IPv6 address family is enabled on that interface. Finally, where only the IPv6 address family is enabled in router IS-IS config mode and MT is enabled, then the IPv6 address family is enabled on all interfaces which have an IPv6 address configured.
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv6 unicast
switch(config-router-isis-af)# multi-topology
switch(config-router-isis-af)#
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv6 unicast
switch(config-router-isis-af)# no multi-topology
switch(config-router-isis-af)#
switch(config)# interface Ethernet 5/6
switch(config-if-Et5/6)# isis ipv6 metric 30
switch(config-if-Et5/6)#
switch(config)# interface Ethernet1
switch(config-if-Et1)# isis multi-topology address-family ipv4 unicast
switch(config-if-Et1)#
switch(config)# interface Ethernet1
switch(config-if-Et1)# isis multi-topology address-family ipv6 unicast
switch(config-if-Et1)#
switch(config)# interface Ethernet1
switch(config-if-Et1)# no isis multi-topology address-family unicast
switch(config-if-Et1)#
The isis hello-interval command sets the time interval between the hello packets that maintain an IS-IS adjacency.
Example
switch(config)# interface ethernet 4
switch(config-if-Et4)# isis hello-interval 60
switch(config-if-Et4)#
The switch maintains the adjacency by sending and receiving hello packets. If it receives no hello packets from the peer within a time interval, the local switch considers the neighbor invalid.
The isis hello-multiplier command calculates the hold time announced in hello packets by multiplying this number with the configured isis hello-interval.
Example
switch(config)# interface ethernet 4
switch(config-if-Et4)# isis hello-interval 60
switch(config-if-Et4)# isis hello-multiplier 5
switch(config-if-Et4)#
The isis metric command sets the cost for sending information over a specific interface. At present only wide metrics are supported.
Example
These commands configure a metric cost of 30 for sending information over interface ethernet 5.
switch(config)# interface ethernet 5
switch(config-if-Et5)# isis metric 30
switch(config-if-Et5)#
The isis lsp tx interval command configures the minimum interval between successive LSP transmissions on an interface.
Example
switch(config)# interface ethernet 5
switch(config-if-Et5)# isis lsp tx interval 50
switch(config-if-Et5)#
The isis priority command determines which device will be the Designated Intermediate System (DIS). The device with the highest priority on the LAN will become the DIS.
Example
switch(config)# interface ethernet 5
switch(config-if-Et5)# isis priority 60
switch(config-if-Et5)#
A passive IS-IS interface does not send or receive IS-IS packets and will not form adjacencies, but is still included in LSP advertisements, making its IP address visible to the IS-IS domain. To configure an IS-IS interface as passive, use the isis passive command in interface configuration mode or the passive (IS-IS) command in router IS-IS configuration mode.
switch(config)# interface ethernet 10
switch(config-if-Et10)# isis passive
switch(config-if-Et10)#
switch(config)# router isis Osiris
switch(config-router-isis)# passive ethernet 10
switch(config-router-isis)#
The isis bfd and bfd all-interfaces commands configure Bidirectional Forwarding Detection (BFD). BFD is supported for both IS-IS IPv4 and IPv6 routes.
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv4
switch(config-router-af)# bfd all-interfaces
switch(config-router-af)#
switch(config)# interface Ethernet 5/6
switch(config-if-Et5/6)# isis bfd
switch(config-if-Et5/6)#
Global IS-IS Segment Routing (IS-IS SR) commands are accessed in Segment-Routing MPLS mode, under the router IS-IS configuration mode. Interface-specific IS-IS SR commands are accessed in interface configuration mode.
The Routing Information Base (RIB) or IS-IS agent provides IS-IS segment routing, but the actual installation of LFIB entries pertaining to SR information provided by IS-IS is handled by the MPLS agent in EOS, which is disabled by default. To enable the MPLS agent, use the following commands.
Example
switch(config)# ip routing
switch(config)# mpls ip
switch(config)#
By default, IS-IS SR is disabled. You must enable it explicitly by issuing the no form of the shutdown (IS-IS SR) command in Segment-Routing MPLS configuration mode.
Example
switch(config)#router isis instance1
switch(config-router-isis)#segment-routing mpls
switch(config-router-isis-sr-mpls)#no shutdown
switch(config-router-isis-sr-mpls)#
To administratively disable IS-IS SR, issue the shutdown (IS-IS SR) command in Segment-Routing MPLS configuration mode. To disable IS-IS SR and delete all IS-IS SR configuration, issue the no segment-routing mpls command in router IS-IS configuration mode.
Example
switch(config)# router isis instance1
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# shutdown
switch(config-router-isis-sr-mpls)#
switch(config)# router isis instance1
switch(config-router-isis)# no segment-routing mpls
switch(config-router-isis)#
Global segments such as Prefix-SID, Node-SID, and Proxy-node-SID are represented using indices rather than actual MPLS labels. These indices are offsets into the SRGB advertised by a router, from which the respective MPLS label is derived. The default value of SRGB in EOS is Base: 900000, Size: 65536. In other words, the labels that any global segment can represent lie between 900000 and 965535. The MPLS label range is categorized and reserved into pools based on the applications using these labels. The default values of label ranges in these pools are:
switch(config)# mpls label range isis-sr 900000 65536
The IS-IS maximum LSP size provides the ability to configure the maximum LSP size that the IS-IS protocol accepts and sends. The lsp size maximum command configures the maximum size of an LSP that is sent or received. The default LSP maximum size is 9000. The minimum value is 512.
switch(config)# lsp size maximum 400
switch(config)# no lsp size maximum
switch(config)# default lsp size maximum
Node segments are indices associated with routers within an IS-IS SR domain. This is done by associating node segments with prefix mask length /32 (IPv4) or /128 (IPv6) addresses. Node segments are carried as sub-TLVs (type-length-value) in IP reachability TLVs for the prefixes with which these segments are associated. Node segments are configured on IS-IS enabled loopback interfaces as shown in the example below.
switch(config)# int loopback 1
switch(config-if-Lo1)# ip address 21.1.1.1/32
switch(config-if-Lo1)# node-segment ipv4 index 5
switch(config)# int loopback 1
switch(config-if-Lo1)# ipv6 add 2000::24/128
switch(config-if-Lo1)# node-segment ipv6 index 5
switch(config)# int loopback 1
switch(config-if-Lo1)# ip address 21.1.1.1/24
switch(config-if-Lo1)# node-segment ipv4 index 1
! /32 IPv4 address is not configured on the interface
switch(config-if-Lo1)# no node-segment ipv4 index 1
Prefix segments are associated with any IS-IS prefix a router is originating an IP Reachability TLV for. These segments are carried as sub-TLVs in IP Reachability TLVs of the prefixes with which these segments are associated. Prefix segments are configured under segment-routing MPLS configuration mode in IS-IS.
Example
switch(config)# router isis instance1
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# prefix-segment 1.1.1.0/24 index 50
Node segments represent a device (node) by attaching a segment (index) to a /32 or /128 prefix, which generally is configured on a loopback interface. There are routers which do not support segment routing, and there might be a situation where it is required to assign node identifiers on such routers. To overcome this shortfall, a router that supports IS-IS SR is made to proxy by configuring a proxy-node-SID for an IS-IS prefix originating from the router that does not support IS-IS SR.
Example
switch(config)# router isis instance1
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# proxy-node-segment 1.1.1.0/32 index 50
Although the general use case is to configure a proxy node segment on a router that is not originating the prefix with which we want to associate the proxy-node SID, it is not prohibited to configure one for self-originated prefixes.
Configuring proxy-node-SIDs enables a router to send out a Binding-SID TLV with details pertaining to the prefix and SID.
An Anycast-SID is a prefix segment that identifies a set of routers and not a specific router. It enforces the ECMP-aware shortest-path forwarding towards the closest node of the anycast set.
An example of such an anycast group could be a set of routers A1, A2, A3, and A4 where at least one router of A1, A2, A3, and A4 advertises the prefix SID corresponding to the anycast address (which can be a prefix originating on all of A1, A2, A3, and A4, such as a loopback address).
In the general use case, all the routers of the anycast group would have the same prefix-SID configured for the anycast IP address present on them.
A router that supports IS-IS SR needs to advertise its SR data-plane capability and the range of MPLS label values it uses for segment routing. This is advertised by inserting the SR-Capability sub-TLV in the Router Capabilities TLV.
A Router Capability TLV is now sent in IS-IS LSPs when segment routing is enabled, and it is necessary for a Router Capability TLV to carry a router-ID. This router-ID can be configured in EOS under the segment routing MPLS configuration mode. If no router-ID is configured, the router automatically picks up the highest IPv4 address configured on the router for a router-ID.
Adjacency segments for IS-IS adjacencies are statically configured on the switch, so that these values are preserved even when the switch restarts. Static adjacency segments are configured per address family on any interface (including Port-Channel, VLANs and SVIs). They are configured and advertised as labels.
Example
switch(config-if-Et1)# adjacency-segment ipv4 p2p index 50 global
Adjacency segments can be a label (local) or an index (global), and multiple adjacency segments can be assigned per link.
The label value must be within the SR Local Block (SRLB), which can be found in the output of the show mpls label range command as shown.
switch# show mpls label range
Start End Size Usage
------------------------------------------------
0 15 16 reserved
16 99999 99984 static mpls
100000 362143 262144 free (dynamic)
362144 899999 537856 unassigned
900000 965535 65536 isis-sr
900000 965535 65536 bgp-sr
965536 1031071 65536 srlb
1031072 1036287 5216 unassigned
1036288 1048575 12288 l2evpn
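The following added example (not Arista code, and not part of the original manual) parses the show mpls label range output above, derives the MPLS label for a global segment index from the isis-sr pool, and checks that a local adjacency-segment label falls inside the srlb pool. The function names are hypothetical; the table text and the values 10 and 965537 come from this page.

```python
import re

# "show mpls label range" output exactly as printed on this page.
LABEL_RANGE_OUTPUT = """\
Start End Size Usage
------------------------------------------------
0 15 16 reserved
16 99999 99984 static mpls
100000 362143 262144 free (dynamic)
362144 899999 537856 unassigned
900000 965535 65536 isis-sr
900000 965535 65536 bgp-sr
965536 1031071 65536 srlb
1031072 1036287 5216 unassigned
1036288 1048575 12288 l2evpn
"""

# start, end, size, then the usage name (which may contain spaces).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_label_ranges(text):
    """Return (start, end, size, usage) tuples; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        start, end, size = int(m.group(1)), int(m.group(2)), int(m.group(3))
        if end - start + 1 != size:
            raise ValueError(f"inconsistent row: {line!r}")
        rows.append((start, end, size, m.group(4)))
    return rows


def pool_bounds(rows, usage):
    """Return (first_label, last_label) of the pool with this usage name."""
    for start, end, _size, name in rows:
        if name == usage:
            return start, end
    raise KeyError(f"no pool named {usage!r}")


def global_label(rows, index, usage="isis-sr"):
    """Label for a global segment index: SRGB base + index, bounded by the pool."""
    base, end = pool_bounds(rows, usage)
    if index < 0 or base + index > end:
        raise ValueError(f"index {index} is outside the {usage} pool")
    return base + index


def local_label_in_srlb(rows, label):
    """True if a statically configured local adjacency label lies in the SRLB."""
    start, end = pool_bounds(rows, "srlb")
    return start <= label <= end


def overlapping_pools(rows):
    """Pairs of assigned pools that share label values (unassigned gaps ignored)."""
    named = [r for r in rows if r[3] != "unassigned"]
    pairs = []
    for i, (s1, e1, _, n1) in enumerate(named):
        for s2, e2, _, n2 in named[i + 1:]:
            if max(s1, s2) <= min(e1, e2):
                pairs.append((n1, n2))
    return pairs


if __name__ == "__main__":
    table = parse_label_ranges(LABEL_RANGE_OUTPUT)
    print("prefix-segment index 10 ->", global_label(table, 10))
    print("label 965537 in SRLB:", local_label_in_srlb(table, 965537))
    print("pools sharing labels:", overlapping_pools(table))
```

Running the same check against a switch's real output before committing a static adjacency-segment label catches values that fall in another application's pool.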
Adjacency Segments are MPLS labels assigned to IS-IS adjacencies. These labels are shared with other routers in the domain by adding them in adjacency-SID sub-TLVs which are inserted in neighbor Reachability TLVs in IS-IS.
The MPLS labels (adjacency segments) are incrementally allocated to adjacencies, as they transition to the Up state, from an adjacent set of MPLS labels pre-allocated by the MPLS agent. This label range extends from 100000 to 116383 (base: 100000, size: 16384) by default. This can be changed by the following configuration:
Example
switch(config)# mpls label range dynamic 200000 131072
The dynamic label pool is shared between LDP and IS-IS SR Adjacency Segments.
Adjacency Segments are allocated to all IS-IS adjacencies based on the IS-IS routers that have advertised IS-IS SR capability or to none of the adjacencies. The command adjacency-segment allocation is used to configure this under the segment-routing mpls configuration mode.
The default behavior is to allocate adjacency segments to adjacencies of SR supporting devices.
Example
switch(config-router-isis-sr-mpls)# adjacency-segment allocation sr-peer
Adjacency segments are allocated to IS-IS adjacencies based on configured adjacency segment allocation mode mentioned above.
If an adjacency that has been allocated label L goes down, L is reserved for this adjacency for a duration of 3600 seconds from the time of the adjacency down event. Only the adjacency that owned this label before going down could reclaim label L in this duration.
For a given prefix, if both a proxy-node segment and prefix-SID are received, the prefix-SID advertised is preferred while the proxy-node segment is ignored.
The show tech-support ribd command displays detailed information about the internal state of IS-IS SR. More information on conflicts and chosen active segments can be found under the SR Book Keeper section of the show tech-support ribd command output, as shown.
Received Prefix Segments:
------------------------------------------------------------------
Prefix | Value | Index/Label | Type | SystemID | spfgen
* - Active, # - Duplicate pfx, + - duplicate SID
-------------------------------------------------------------------
*1.0.3.0/24 3 Index Prefix 1111.1111.1002 0
*1.0.5.1/32 0 Index Node 1111.1111.1002 0
*1.0.6.1/32 2 Index Node 1111.1111.1003 39
*1.0.7.1/32 14 Index Node 1111.1111.1001 39
#1.0.7.1/32
10 Index Proxy 1111.1111.1003 39
The redistribute dhcp command redistributes DHCPv6 routes in IS-IS when using multi-agent routing protocol mode.
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv6
switch(config-router-isis-af)# redistribute dhcp
switch(config-router-isis-af)#
switch(config)# show isis database detail
IS-IS Instance: inst1 VRF: default
IS-IS Level 1 Link State Database
LSPID Seq Num Cksum Life IS Flags
1111.1111.1001.00-00 10 19778 1101 L1 <>
...
Reachability (MT-IPv6): 3ffe:701:ffff:101::10/128 Metric: 0 Type: 1 Up
...
An IS-IS instance can be shut down globally or can be disabled on individual interfaces.
The shutdown (IS-IS) command shuts down an IS-IS instance globally.
Example
switch(config)# router isis Osiris
switch(config-router-isis)# shutdown
switch(config-router-isis)#
The no isis enable command disables IS-IS on an interface.
Example
switch(config-router-isis)# interface ethernet 4
switch(config-if-Eth4)# no isis enable
By default, IS-IS graceful restart is disabled. Use the graceful-restart command to configure graceful restart on an IS-IS router. By default, IS-IS graceful-restart-helper functionality is enabled; to disable it, use the no graceful-restart-helper command.
Examples
switch(config)# router isis 1
switch(config-router-isis)# graceful-restart t2 level-1 30
t2 is the maximum wait time for the LSP database to synchronize (SPF computation is not done while t2 is running). t2 can be configured for either Level-1 or Level-2 through the CLI. The default value is 30 seconds, and the allowed configuration range is 5 to 300 seconds.
Example
switch(config)# router isis 1
switch(config-router-isis)# graceful-restart restart-hold-time 50
In case of a planned restart, the hold time advertised by the IS-IS router prior to restart should be greater than the time for which the router is expected to be offline. Otherwise, neighboring routers will bring down the adjacency before the restarting router has a chance to send a restart request in its hello packet, which may result in traffic loss.
In case of ASU2, the IS-IS router instance will advertise a hello hold time of restart-hold-time on those interfaces for which the configured hold time is less than restart-hold-time. This is done just before the router restarts.
For Graceful Restart to be successful, the hold time advertised by the router should be greater than the time it takes for Graceful Restart to complete. If the restarting router is DIS, hold time advertised is 1/3rd of the configured value (default is 9s). We recommend increasing the hold time for the DIS to a higher value before a planned restart; otherwise, it may result in traffic loss.
The following configuration tasks can be performed by Topology Independent Fast Reroute (TI-LFA FRR) using IS-IS Segment-Routing.
To enable link or node protection for node segments and Adjacency segments learned on a specific IS-IS interface, use the following command in the interface configuration mode.
switch(config-if-Et1)# [no|default] isis fast-reroute ti-lfa mode {link-protection|node-protection|disabled} [level-1|level-2]
The interface TI-LFA configuration inherits the address-family sub-mode configuration by default.
On an L1-L2 router, the [level-1|level-2] optional keyword in both the router IS-IS address-family sub-mode and interface configuration mode CLIs is used to restrict protection to node segments and Adjacency segments learned through either Level-1 or Level-2 topologies only.
The Point of Local Repair (PLR) switches to the TI-LFA backup path on link failure or BFD neighbor failure but switches back to the post-convergence path once the PLR computes SPF and updates its LFIB. This sequence of events can lead to micro-loops in the topology if the PLR converges faster than other routers along the post-convergence path. So a configuration option is provided to apply a delay, after which the LFIB route being protected by the TI-LFA loop-free repair path will be replaced by the post-convergence LFIB route.
To configure a convergence delay only to LFIB routes that are being protected, the following command is used either in the router IS-IS mode or the router isis address-family sub-mode. A default of 10 seconds is used when using the command without an explicitly specified delay.
switch(config-router-isis-af)# timers local-convergence-delay [delay_in_milliseconds] protected-prefixes
The PLR computes backup paths for an adjacency segment only if the Adjacency SID sub-TLV has the B-flag (backup flag) set.
To set the B-flag in originated Adjacency SID sub-TLVs corresponding to adjacency segments dynamically allocated on the router, the following command is used in the segment-routing mpls sub-mode in the router isis mode.
switch(config-router-isis-sr-mpls)# adjacency-segment allocation [all-interfaces | sr-peers]
To set the B-flag in originated Adjacency SID sub-TLVs corresponding to adjacency segments statically configured on the router, the following command is used in the interface configuration mode.
switch(config-if-Et1)# adjacency-segment [ipv4 | ipv6] p2p [multiple][label label | index index] backup-eligible
backup-eligible is the newly introduced optional keyword in both the CLIs mentioned above that controls the setting of the B-flag in the Adjacency SID sub-TLV.
To enable SRLG protection on all interfaces, use the fast-reroute ti-lfa srlg command. This command is used in addition to configuring link-protection or node-protection. If SRLG protection is enabled, the backup paths are computed after excluding all the links that share the same SRLG with the active link that is being used by all prefix segments and adjacency segments.
If the optional argument strict is configured, the backup path is only programmed if a backup path exists that excludes all the SRLGs configured on the primary interface. If the keyword is not provided and an SRLG-excluding path is not available, TI-LFA programs the backup path that excludes the maximum number of SRLGs possible.
To selectively disable SRLG protection on an interface, use the isis [ipv4|ipv6] fast-reroute ti-lfa srlg disabled command. This is useful if SRLG protection is enabled globally for all interfaces but needs to be selectively disabled for a specific interface.
Sample Configuration
The above topology is used to demonstrate the configuration and show command output. You will see the backup paths that the PLR computes to protect the node segments of R1 and R2, the global adjacency segment on R2, and the local adjacency segment on the vlan 2387 on the PLR.
Here is a snippet of the configuration on the PLR.
switch(config)# interface vlan 2138
switch(config-if-Vl2138)# ip address 10.1.1.1/24
switch(config-if-Vl2138)# isis enable inst1
switch(config-if-Vl2138)# isis metric 11
switch(config-if-Vl2138)# isis network point-to-point
switch(config)# interface vlan2387
switch(config-if-Vl2387)# ip address 10.1.2.1/24
switch(config-if-Vl2387)# isis enable inst1
switch(config-if-Vl2387)# isis network point-to-point
switch(config-if-Vl2387)# adjacency-segment ipv4 p2p label 965537 backup-eligible
switch(config)# interface vlan2968
switch(config-if-Vl2968)# ip address 10.1.3.1/24
switch(config-if-Vl2968)# isis enable inst1
switch(config-if-Vl2968)# isis network point-to-point
switch(config-if-Vl2968)# isis fast-reroute ti-lfa mode disabled
…
switch(config)# router isis inst1
switch(config-isis)# net 49.0001.1111.1111.1001.00
switch(config-isis)# router-id ipv4 252.252.1.252
switch(config-isis)# is-type level-2
switch(config-isis)# timers local-convergence-delay 5000 protected-prefixes
!
switch(config-isis)# address-family ipv4 unicast
switch(config-isis-af)# fast-reroute ti-lfa mode node-protection
!
switch(config-isis)# segment-routing mpls
switch(config-isis-sr-mpls)# no shutdown
switch(config-isis-sr-mpls)# adjacency-segment allocation sr-peers backup-eligible
!
end
The protection of anycast segments does not need any new configuration. The above configuration enables protection of anycast segments.
To demonstrate the protection of anycast segments consider the following topology.
R1 and R4 are originators of the host prefix 10.10.10.1/32 and advertise prefix segment 900010. This must be configured as a prefix segment and not a node segment.
R1 and R4’s configuration should look similar to the following:
switch(config)# router isis inst1
switch(config-router-isis)# interface Loopback0
switch(config-if-Lo0)# ip address 10.10.10.1/32
switch(config-if-Lo0)# isis enable inst1
!
...
switch(config)# router isis inst1
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# prefix-segment 10.10.10.1/32 index 10
!
The prefix in the prefix-segment command must belong to an interface enabled with IS-IS or must be an active route in the RIB of another protocol redistributed into IS-IS.
When link or node protection is configured on the PLR, the primary path to the segment 900010 is PLR - R1 and the backup path is PLR - R2 - R3 - R4. In other words, the destination in the backup path is the segment originated by R4, as the segment originated by R1 is not reachable when link PLR-R1 or the node R1 goes down.
When services like LDP pseudowires, BGP LU, L2 EVPN, or L3 MPLS VPN use IS-IS SR tunnels as an underlay, these services are automatically protected by TI-LFA tunnels that protect the IS-IS SR tunnels. The show ip route command displays the hierarchy of the overlay-underlay-TI-LFA tunnels.
switch# show ip route
B 2001:db8:3::/48 [200/0]
via 2002::b00:301/128, IS-IS SR tunnel index 3, label 122697
via TI-LFA tunnel index 5, label imp-null(3)
via fe80::200:76ff:fe03:0, Ethernet26/1, label imp-null(3)
backup via fe80::200:76ff:fe01:0, Ethernet30/1, label 900002 900003
switch(config)# router isis Amun
switch(config-router-isis)# net 49.0000.0000.3333.00
switch(config-router-isis)# is-hostname ip3
switch(config-router-isis)# lsp flooding dynamic
Dynamic flooding should be enabled on all routers in the area. To enable Dynamic Flooding on all routers, use the following command:
lsp flooding dynamic [level-1 | level-2]
no lsp flooding dynamic [level-1 | level-2]
default lsp flooding dynamic [level-1 | level-2]
If necessary, the area leader election process can be tuned or disabled with the commands:
area leader [level-1 | level-2] priority 0-255 area leader [level-1 | level-2] disabled
no area leader [level-1 | level-2] priority 0-255 area leader [level-1 | level-2] disabled
default area leader [level-1 | level-2] priority 0-255 area leader [level-1 | level-2] disabled
On a sparse topology, Dynamic Flooding is not effective and only adds overhead. Leaf-spine and Clos networks are appropriate dense topologies.
Address-Family Check for IS-IS creates the adjacency between devices with different address families. For example, a router supporting IPv4 and IPv6 is connected to an IPv4-only router. The Address-Family Check is verified by comparing the NLPID TLV (Type #129) advertised in IIH hellos exchanged between peers. It is useful in the following scenarios.
Relaxing the Address-Family Check is useful to gradually add IPv6 support in an IPv4 network, without disturbing the IPv4 connectivity.
A controller forms an IS-IS adjacency with a router and uses the IS-IS database for topology discovery. If the controller only supports IPv4 IS-IS or only IPv4 tunnels, relaxing the Address-Family Check on the dual-stack IPv4/v6 router is useful for establishing the adjacency.
Under the IS-IS instance, configure the following to disable the Address-Family Check during IIH processing.
switch(config-router-isis)#?
adjacency Configure parameters for adjacency formation
switch(config-router-isis)# adjacency?
address-family Configure address-family related parameters for adjacency formation
switch(config-router-isis)# adjacency address-family?
match Configure address-family match check related parameters for adjacency formation
switch(config-router-isis)# adjacency address-family match?
disabled Relax address-family match check for bringing up adjacency
switch(config-router-isis)# adjacency address-family match disabled?
switch# show isis neighbor detail
Instance VRF System Id Type Interface SNPA State Hold time Circuit Id
inst1 default 1111.1111.1002 L2 Vlan2116 P2P UP 24 06
Area Address(es): 49.0001
SNPA: P2P
Router ID: 1.0.0.2
Advertised Hold Time: 30
State Changed: 00:04:18 ago at 2020-11-01 22:28:35
IPv4 Interface Address: 1.0.0.2
IPv6 Interface Address: none
Interface name: Vlan2116
Graceful Restart: Supported
Segment Routing Enabled
SRGB Base: 900000 Range: 65536
Adjacency Label IPv4: 149152
Supported Address Families: IPv4, IPv6
Neighbor Supported Address Families: IPv4
switch(config-router-isis)# show isis interface detail
IS-IS Instance: inst1 VRF: default
Interface Vlan2116:
Index: 35 SNPA: P2P
MTU: 1497 Type: point-to-point
Supported Address Families: IPv4, IPv4
Area Proxy Boundary is Disabled
BFD IPv4 is Disabled
BFD IPv6 is Disabled
Hello Padding is Enabled
Level 2:
Metric: 10, Number of adjacencies: 1
Link-ID: 23
Authentication mode: None
TI-LFA link protection is enabled for the following IPv4 segments: node segments, adjacency segments
TI-LFA protection is disabled for IPv6
Adjacency 1111.1111.1002:
State: UP, Level: 2 Type: Level 2 IS
Advertised Hold Time: 30
Neighbor Supported Address Families: IPv4
Address Family Match: Disabled
IPv4 Interface Address: 1.0.0.2
Areas:
49.0001
For an IPv6 network upgrade, ensure the knob is incrementally configured on a contiguous section of the network. At any point, the choice of routers for upgrade should not bisect the upgraded (supporting IPv4/v6) part of the network. All the routers bordering the upgraded network should always have the knob enabled.
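The following added example (not Arista code, and not part of the original manual) reads show isis neighbor detail output and lists the UP adjacencies whose address families differ from the local router's, which are the border adjacencies that the relaxed Address-Family Check is meant for. The first neighbor block is the output shown on this page; the second neighbor (1111.1111.1003 on Vlan2117) is constructed for contrast, and the function names are hypothetical.

```python
# Sample input: first neighbor copied from this page, second neighbor constructed.
NEIGHBOR_DETAIL = """\
Instance VRF System Id Type Interface SNPA State Hold time Circuit Id
inst1 default 1111.1111.1002 L2 Vlan2116 P2P UP 24 06
Area Address(es): 49.0001
SNPA: P2P
Router ID: 1.0.0.2
Advertised Hold Time: 30
State Changed: 00:04:18 ago at 2020-11-01 22:28:35
IPv4 Interface Address: 1.0.0.2
IPv6 Interface Address: none
Interface name: Vlan2116
Graceful Restart: Supported
Segment Routing Enabled
SRGB Base: 900000 Range: 65536
Adjacency Label IPv4: 149152
Supported Address Families: IPv4, IPv6
Neighbor Supported Address Families: IPv4
inst1 default 1111.1111.1003 L2 Vlan2117 P2P UP 27 07
Area Address(es): 49.0001
Supported Address Families: IPv4, IPv6
Neighbor Supported Address Families: IPv4, IPv6
"""


def families(value):
    """Turn 'IPv4, IPv6' into a frozenset of family names."""
    return frozenset(part.strip() for part in value.split(",") if part.strip())


def parse_neighbors(text):
    """Parse neighbor rows and the address-family lines that follow each row."""
    neighbors = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        # A neighbor row has nine columns: the fourth is the level (L1, L2, ...)
        # and the eighth is the numeric hold time. The header row has more tokens.
        if len(tokens) == 9 and tokens[3].startswith("L") and tokens[7].isdigit():
            current = {
                "instance": tokens[0],
                "vrf": tokens[1],
                "system_id": tokens[2],  # may be an IS-IS hostname when one is known
                "interface": tokens[4],
                "state": tokens[6],
                "local_af": None,
                "neighbor_af": None,
            }
            neighbors.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "Supported Address Families":
            current["local_af"] = families(value)
        elif key == "Neighbor Supported Address Families":
            current["neighbor_af"] = families(value)
    return neighbors


def mismatched_adjacencies(neighbors):
    """UP adjacencies whose local and neighbor address families differ."""
    findings = []
    for n in neighbors:
        if n["state"] != "UP":
            continue
        if n["local_af"] is None or n["neighbor_af"] is None:
            continue  # output without the address-family lines: nothing to compare
        if n["local_af"] != n["neighbor_af"]:
            findings.append({
                "system_id": n["system_id"],
                "interface": n["interface"],
                "missing_on_neighbor": sorted(n["local_af"] - n["neighbor_af"]),
                "missing_locally": sorted(n["neighbor_af"] - n["local_af"]),
            })
    return findings


if __name__ == "__main__":
    for f in mismatched_adjacencies(parse_neighbors(NEIGHBOR_DETAIL)):
        print(f["interface"], f["system_id"],
              "neighbor lacks", ", ".join(f["missing_on_neighbor"]) or "nothing")
```

Run against each upgraded router, the resulting list shows where the upgraded section borders IPv4-only neighbors.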
To display the link state database of IS-IS, use the show isis database command.
Example
switch# show isis database
ISIS Instance: Osiris
ISIS Level 2 Link State Database
LSPID Seq Num Cksum Life IS Flags
1212.1212.1212.00-00 4 714 1064 L2 <>
1212.1212.1212.0a-00 1 57417 1064 L2 <>
2222.2222.2222.00-00 6 15323 1116 L2 <>
2727.2727.2727.00-00 10 15596 1050 L2 <>
3030.3030.3030.00-00 12 62023 1104 L2 <>
3030.3030.3030.c7-00 4 53510 1104 L2 <>
switch>
To display interface information related to the IS-IS instance, use the show isis interface command.
Example
switch# show isis interface
ISIS Instance: Osiris
Interface Vlan20:
Index: 59 SNPA: 0:1c:73:c:5:7f
MTU: 1497 Type: broadcast
Level 2:
Metric: 10, Number of adjacencies: 2
LAN-ID: 1212.1212.1212, Priority: 64
DIS: 1212.1212.1212, DIS Priority: 64
Interface Ethernet30:
Index: 36 SNPA: 0:1c:73:c:5:7f
MTU: 1497 Type: broadcast
Level 2:
Metric: 10, Number of adjacencies: 1
LAN-ID: 3030.3030.3030, Priority: 64
DIS: 3030.3030.3030, DIS Priority: 64
switch>
To display general information for IS-IS neighbors that the device sees, use show isis neighbors.
Example
switch# show isis neighbor
Inst Id System Id Type Interface SNPA State Hold time
10 2222.2222.2222 L2 Vlan20 2:1:0:c:0:0 UP 30
10 1212.1212.1212 L2 Vlan20 2:1:0:d:0:0 UP 9
10 3030.3030.3030 L2 Ethernet30 2:1:0:b:0:0 UP 9
switch>
To display the system ID, Type, Interface, IP address, State and Hold information for IS-IS instances, use the show isis summary command. The command is also used to verify the configured maximum wait interval, initial wait interval, and hold time of SPF timers in IS-IS instances. This command also displays values of the current SPF interval, last Level-1 SPF run, and last Level-2 SPF run.
switch# show isis summary
ISIS Instance: Osiris
System ID: 1010.1040.1030, administratively enabled, attached
Internal Preference: Level 1: 115, Level 2: 115
External Preference: Level 1: 115, Level 2: 115
IS-Type: Level 2, Number active interfaces: 1
Routes IPv4 only
Last Level 2 SPF run 2:32 minutes ago
Area Addresses:
10.0001
level 2: number dis interfaces: 1, LSDB size: 1
switch>
switch(config-router-isis-af)# show isis summary
IS-IS Instance: 1 VRF: default
System ID: 0000.0000.0001, administratively enabled
Multi Topology disabled, not attached
IPv4 Preference: Level 1: 115, Level 2: 115
IPv6 Preference: Level 1: 115, Level 2: 115
IS-Type: Level 1 and 2, Number active interfaces: 0
Routes both IPv4 and IPv6
Max wait(s) Initial wait(ms) Hold interval(ms)
LSP Generation Interval: 5 50 50
SPF Interval: 2 1000 1000
Current SPF hold interval(ms): Level 1: 1000, Level 2: 1000
Last Level 1 SPF run 1 seconds ago
Last Level 2 SPF run 1 seconds ago
Authentication mode: Level 1: None, Level 2: None
Graceful Restart: Disabled, Graceful Restart Helper: Enabled
Area Addresses:
49.0001
level 1: number dis interfaces: 0, LSDB size: 1
level 2: number dis interfaces: 0, LSDB size: 1
The show isis database detail command provides a view of LSPDB of different devices in the IS-IS domain. The output displays the TLVs and sub-TLVs that are being self-originated or the ones that have been received from other routers.
Example
switch# show isis database detail
ISIS Instance: inst1 VRF: default
ISIS Level 2 Link State Database
LSPID Seq Num Cksum Life IS Flags
1111.1111.1001.00-00 10 63306 751 L2 <>
NLPID: 0xCC(IPv4) 0x8E(IPv6)
Area address: 49.0001
Interface address: 1.0.7.1
Interface address: 1.0.0.1
Interface address: 2000:0:0:47::1
Interface address: 2000:0:0:40::1
IS Neighbor : lf319.53 Metric: 10
LAN-Adj-sid: 100000 flags: [ L V ] weight: 0 system ID: 1111.1111.1002
IS Neighbor (MT-IPv6): lf319.53 Metric: 10
LAN-Adj-sid: 100001 flags: [ L V F ] weight: 0 system ID: 1111.1111.1002
Reachability : 1.0.11.0/24 Metric: 1 Type: 1 Up
SR Prefix-SID: 10 Flags: [ R ] Algorithm: 0
Reachability : 1.0.3.0/24 Metric: 1 Type: 1 Up
Reachability : 1.0.7.1/32 Metric: 10 Type: 1 Up
SR Prefix-SID: 2 Flags: [ N ] Algorithm: 0
Reachability : 1.0.0.0/24 Metric: 10 Type: 1 Up
Reachability (MT-IPv6): 2000:0:0:4b::/64 Metric: 1 Type: 1 Up
SR Prefix-SID: 11 Flags: [ R ] Algorithm: 0
Reachability (MT-IPv6): 2000:0:0:43::/64 Metric: 1 Type: 1 Up
Reachability (MT-IPv6): 2000:0:0:47::1/128 Metric: 10 Type: 1 Up
SR Prefix-SID: 3 Flags: [ N ] Algorithm: 0
Reachability (MT-IPv6): 2000:0:0:40::/64 Metric: 10 Type: 1 Up
Router Capabilities: 252.252.1.252 Flags: [ ]
SR Capability: Flags: [ I V ]
SRGB Base: 900000 Range: 65536
Segment Binding: Flags: [ F ] Weight: 0 Range: 1 Pfx 2000:0:0:4f::1/128
SR Prefix-SID: 19 Flags: [ ] Algorithm: 0
Segment Binding: Flags: [ ] Weight: 0 Range: 1 Pfx 1.0.15.1/32
SR Prefix-SID: 18 Flags: [ ] Algorithm: 0
The show isis segment-routing command displays summary information about the IS-IS SR status.
Example
switch(config)# show isis segment-routing
System ID: 1111.1111.1002 Instance: inst1
SR supported Data-plane: MPLS SR Router ID: 252.252.2.252
SR Global Block( SRGB ): Base: 900000 Size: 65536
Adj-SID allocation mode: SR-adjacencies
Adj-SID allocation pool: Base: 100000 Size: 16384
All Prefix Segments have : P:0 E:0 V:0 L:0
All Adjacency Segments have : F:0 B:0 V:1 L:1 S:0
ISIS Reachability Algorithm : SPF (0)
Number of ISIS segment routing capable peers: 3
Self-Originated Segment Statistics:
Node-Segments : 2
Prefix-Segments : 2
Proxy-Node-Segments : 0
Adjacency Segments :
About the Output
The first line of the output shows the IS-IS system ID of this device and the name of the instance with which IS-IS is configured.
The supported data plane is shown in the SR supported Data-plane field, and the Router ID advertised in the Router Capability is shown in the SR Router ID field.
The output also shows the SRGB in use and the MPLS label pool used for adjacency segment allocation. The Adj-SID allocation mode field shows the current adjacency allocation mode: whether adjacency segments are allocated to all IS-IS adjacencies, only to adjacencies that support SR, or to none of the adjacencies.
The output gives the flag contents of all prefix segments originated on this router, the flag contents of all adjacency segments originated on this router, and the supported IS-IS reachability algorithm. These carry the meaning defined in the IS-IS SR IETF draft.
The command also provides IS-IS SR statistics as counters: the number of IS-IS SR enabled peers, and the number of Node-SIDs, prefix-SIDs, proxy-node-segments and adjacency segments originated on this router in IS-IS.
The show isis segment-routing command also reports when segment routing has been administratively disabled, as shown.
switch(config-router-isis-sr-mpls)# show isis segment-routing
! IS-IS (Instance: inst1) Segment Routing has been administratively shutdown
The show isis segment-routing global-blocks command lists the SRGBs in use by all SR-supporting devices in the IS-IS domain, including the SRGB in use by IS-IS SR on this device.
Example
switch# show isis segment-routing global-blocks
System ID: 1111.1111.1002 Instance: inst1
SR supported Data-plane: MPLS SR Router ID: 252.252.2.252
SR Global Block( SRGB ): Base: 900000 Size: 65536
Number of ISIS segment routing capable peers: 3
SystemId Base Size
-------------------- ------------ -----
1111.1111.1002 900000 65536
1111.1111.1001 900000 65536
The show isis segment-routing prefix-segments command provides the details of all prefix segments being originated, as well as the segments received from IS-IS SR speakers in the domain.
Example
switch# show isis segment-routing prefix-segments
System ID: 1111.1111.1002 Instance: inst1
SR supported Data-plane: MPLS SR Router ID: 252.252.2.252
Node: 2 Proxy-Node: 2 Prefix: 2 Total Segments: 6
Flag Descriptions: R: Re-advertised, N: Node Segment, P: no-PHP
E: Explicit-NULL, V: Value, L: Local
Segment status codes: * - Self originated Prefix, L1 - level 1, L2 - level 2
Prefix SID Type Flags SystemID Type
--------------------- --------- ---------------- ---------------------
1.0.7.1/32 2 Node R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1001 L1
* 1.0.8.1/32 4 Node R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1002 L2
1.0.11.0/24 10 Prefix R:1 N:0 P:0 E:0 V:0 L:0 1111.1111.1001 L2
* 1.0.12.0/24 12 Prefix R:1 N:0 P:0 E:0 V:0 L:0 1111.1111.1002 L2
1.0.15.1/32 18 Proxy-Node R:0 N:0 P:0 E:0 V:0 L:0 1111.1111.1001 L2
1.0.16.1/32 20 Proxy-Node R:0 N:0 P:0 E:0 V:0 L:0 1111.1111.1003 L2
About the Output
After the usual output header, which shows the system ID, instance name and other parameters of the router, there is a line of prefix segment counters. Each field in this line gives the number of segments of that kind present in this router's IS-IS instance. For example, the output above shows that this device has 2 Node Segments (self-originated as well as those received from other IS-IS SR devices).
The main section of this show command's output lists all the prefix segments with related information: the prefix, the SID, the type of segment (Prefix, Node, Proxy-Node), the flag values carried in the sub-TLVs of these prefix segments, and the system ID of the originating router. The Type field is useful on an IS type level-1-2 router. It shows whether the installed prefix segment is from a level-1 prefix or a level-2 prefix.
The show isis segment-routing prefix-segments self-originated command output is identical to that of show isis segment-routing prefix-segments, except that the former lists only self-originated prefix segments.
The show isis segment-routing adjacency-segments command displays a list of all the adjacency segments that are being originated by IS-IS SR on a router.
Example
switch# show isis segment-routing adjacency-segments
System ID: 1111.1111.1002 Instance: inst1
SR supported Data-plane: MPLS SR Router ID: 252.252.2.252
Adj-SID allocation mode: SR-adjacencies
Adj-SID allocation pool: Base: 100000 Size: 16384
Adjacency Segment Count: 4
Adj IP-address Local Intf Label SID Source Flags Type
----------------- -------- ------ ------ --- --------- --------- --------
1.0.0.1 Vlan2472 100000 Dynamic F:0 B:0 V:1 L:1 S:0 LAN L2
1.0.1.2 Vlan2579 100001 Dynamic F:0 B:0 V:1 L:1 S:0 P2P L2
fe80::1:ff:fe01:0 Vlan2472 100002 Dynamic F:0 B:0 V:1 L:1 S:0 LAN L2
fe80::1:ff:fe02:0 Vlan2579 100003 Dynamic F:0 B:0 V:1 L:1 S:0 P2P L2
About the Output
The output header consists of the allocation mode, the MPLS label pool from which labels are allocated to adjacencies, the total count of adjacency segments allocated so far, and the default flag values carried in all adj-SID sub-TLVs originating from this device.
The main section of the output lists all the adjacency segments allocated so far in six columns, pertaining to the adjacency IP address, local interface name, MPLS label value, SID source, flags in the sub-TLV, and the type of adj-SID respectively. The type of an adjacency segment depends on the IS-IS type of the adjacency and the IS level.
The show mpls label ranges command displays the MPLS label range available on a router, categorized into different pools that cater to the different applications running on the router.
In the output, isis-sr refers to the SRGB use case in IS-IS, and isis (dynamic) refers to the label pool that is used for dynamic allocation of adjacency segments in IS-IS.
Example
switch# show mpls label ranges
Start End Size Usage
-----------------------------------------
0 15 16 reserved
16 99999 99984 static mpls
100000 116383 16384 isis (dynamic)
116384 362143 245760 free (dynamic)
362144 899999 537856 unassigned
900000 965535 65536 isis-sr
The show mpls segment-routing bindings command displays the local label bindings and label bindings on the peer routers for each prefix that has a segment advertised. Peer ID here represents the IS-IS system ID of the peer.
Example
switch# show mpls segment-routing bindings
1.0.7.1/32
Local binding: Label: 900002
Remote binding: Peer ID: 1111.1111.1001, Label: imp-null
Remote binding: Peer ID: 1111.1111.1003, Label: 900002
1.0.8.1/32
Local binding: Label: imp-null
Remote binding: Peer ID: 1111.1111.1001, Label: 900004
Remote binding: Peer ID: 1111.1111.1003, Label: 900004
1.0.9.1/32
Local binding: Label: 900006
Remote binding: Peer ID: 1111.1111.1001, Label: 900006
Remote binding: Peer ID: 1111.1111.1003, Label: imp-null
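The following added example (not from the original documentation) reads the tabular output of show isis segment-routing global-blocks and show isis segment-routing prefix-segments and applies the standard SR-MPLS rule that a prefix-SID index maps to the label SRGB base + index, which matches the page's sample data (SID 2 under base 900000 gives label 900002). It flags SIDs that fall outside a peer's SRGB, one SID claimed by two prefixes, and differing SRGBs; the function names and the rows marked constructed are assumptions of this example.

```python
import re
from collections import defaultdict

# The first two data rows are the page's sample output; the third is constructed.
GLOBAL_BLOCKS = """\
SystemId             Base         Size
-------------------- ------------ -----
1111.1111.1002       900000       65536
1111.1111.1001       900000       65536
1111.1111.1003       800000       16
"""

# Rows from the page's sample output, plus a constructed last row that
# reuses SID 2 for a second prefix.
PREFIX_SEGMENTS = """\
  1.0.7.1/32   2  Node       R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1001 L1
* 1.0.8.1/32   4  Node       R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1002 L2
  1.0.11.0/24  10 Prefix     R:1 N:0 P:0 E:0 V:0 L:0 1111.1111.1001 L2
  1.0.16.1/32  20 Proxy-Node R:0 N:0 P:0 E:0 V:0 L:0 1111.1111.1003 L2
  1.0.99.1/32  2  Node       R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1003 L2
"""

SRGB_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
SEG_ROW = re.compile(
    r"^(\*)?\s*(\S+/\d+)\s+(\d+)\s+(\S+)\s+((?:[A-Z]:\d\s+)+)(\S+)\s+(L[12])$")


def parse_srgbs(text):
    """Map each system ID to its advertised (base, size) SRGB."""
    srgbs = {}
    for line in text.splitlines():
        m = SRGB_ROW.match(line.strip())
        if m:  # header and separator rows do not match
            srgbs[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return srgbs


def parse_prefix_segments(text):
    """Parse the prefix-segment rows into dictionaries."""
    segments = []
    for line in text.splitlines():
        m = SEG_ROW.match(line.strip())
        if not m:
            continue
        flags = {k: int(v) for k, v in
                 (item.split(":") for item in m.group(5).split())}
        segments.append({
            "self_originated": m.group(1) == "*",
            "prefix": m.group(2), "sid": int(m.group(3)),
            "type": m.group(4), "flags": flags,
            "origin": m.group(6), "level": m.group(7),
        })
    return segments


def label_for(sid, srgb):
    """Label a router with this SRGB uses for an index SID, or None."""
    base, size = srgb
    return base + sid if 0 <= sid < size else None


def audit(segments, srgbs):
    """Return findings as tuples whose first element names the check."""
    issues = []
    prefixes_by_sid = defaultdict(set)
    for seg in segments:
        prefixes_by_sid[seg["sid"]].add(seg["prefix"])
        # V or L set means the SID is a label value, not an SRGB index.
        if seg["flags"].get("V") or seg["flags"].get("L"):
            continue
        for system_id, srgb in sorted(srgbs.items()):
            if label_for(seg["sid"], srgb) is None:
                issues.append(("sid-out-of-srgb", seg["prefix"],
                               seg["sid"], system_id))
    for sid, prefixes in sorted(prefixes_by_sid.items()):
        if len(prefixes) > 1:
            issues.append(("sid-conflict", sid, tuple(sorted(prefixes))))
    distinct = sorted(set(srgbs.values()))
    if len(distinct) > 1:
        # The same SID then maps to a different label on different routers.
        issues.append(("srgb-differs", tuple(distinct)))
    return issues


if __name__ == "__main__":
    blocks = parse_srgbs(GLOBAL_BLOCKS)
    for issue in audit(parse_prefix_segments(PREFIX_SEGMENTS), blocks):
        print(issue)
```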
The show mpls lfib route command displays the LFIB. Each LFIB entry has fields such as In-Label, Out-Label, metric, payload type and nexthop information. The source column shows the MPLS control plane protocol that is responsible for the label binding that resulted in this LFIB route.
Example
switch# show mpls lfib route
MPLS forwarding table (Label [metric] Vias) - 7 routes
MPLS next-hop resolution allow default route: False
Via Type Codes:
M - Mpls Via, P - Pseudowire Via,
I - IP Lookup Via, V - Vlan Via,
VA - EVPN Vlan Aware Via, ES - EVPN Ethernet Segment Via,
VF - EVPN Vlan Flood Via, AF - EVPN Vlan Aware Flood Via,
NG - Nexthop Group Via
Source Codes:
S - Static MPLS Route, B2 - BGP L2 EVPN,
B3 - BGP L3 VPN, R - RSVP,
P - Pseudowire, L - LDP,
IP - IS-IS SR Prefix Segment, IA - IS-IS SR Adjacency Segment,
IL - IS-IS SR Segment to LDP, LI - LDP to IS-IS SR Segment,
BL - BGP LU, ST - SR TE Policy,
DE - Debug LFIB
IA 100000 [1]
via M, 1.0.1.2, pop
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
IA 100001 [1]
via M, fe80::200:eff:fe02:0, pop
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
IP 900008 [1]
via M, 1.0.1.2, swap 900008
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
IP 900009 [1]
via M, fe80::200:eff:fe02:0, swap 900009
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
The show mpls lfib route <label value> command provides information relevant to just the label value passed as an extension to the show command.
Example
switch# show mpls lfib route 900008
MPLS forwarding table (Label [metric] Vias) - 7 routes
MPLS next-hop resolution allow default route: False
Via Type Codes:
M - Mpls Via, P - Pseudowire Via,
I - IP Lookup Via, V - Vlan Via,
VA - EVPN Vlan Aware Via, ES - EVPN Ethernet Segment Via,
VF - EVPN Vlan Flood Via, AF - EVPN Vlan Aware Flood Via,
NG - Nexthop Group Via
Source Codes:
S - Static MPLS Route, B2 - BGP L2 EVPN,
B3 - BGP L3 VPN, R - RSVP,
P - Pseudowire, L - LDP,
IP - IS-IS SR Prefix Segment, IA - IS-IS SR Adjacency Segment,
IL - IS-IS SR Segment to LDP, LI - LDP to IS-IS SR Segment,
BL - BGP LU, ST - SR TE Policy,
DE - Debug LFIB
IP 900008 [1]
via M, 1.0.1.2, swap 900008
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
The show isis local-convergence-delay command shows the current or last attempt at delaying the convergence of protected routes on a link down/BFD neighbor down event. If the timer aborts for some reason (such as a topology change causing a new SPF), the attempt fails.
switch# show isis local-convergence-delay
IS-IS Instance: inst1 VRF: default
System ID: 1111.1111.1001
IPv4 local convergence delay configured, 5000 msecs
IPv6 local convergence delay configured, 5000 msecs
Level 1 attempts 0, failures 0
Level 2 attempts 3, failures 1
Level 2 in progress due to LINK DOWN on Vlan2138
TI-LFA node protection is enabled for IPv4
IPv4 Routes delayed: 0
Delay timer started at: 2019-07-25 23:16:33
Delay timer expires in 2 secs
TI-LFA protection is disabled for IPv6
Level 2 last attempt due to LINK DOWN on Vlan2138, Succeeded
TI-LFA node protection is enabled for IPv4
IPv4 Routes delayed: 3
Delay timer started at: 2019-07-25 23:14:51
Delay timer stopped at: 2019-07-25 23:14:56
TI-LFA protection is disabled for IPv6
The detail keyword also lists all the routes that have been delayed.
switch# show isis local-convergence-delay detail
...
Level 2 last attempt due to LINK DOWN on Vlan2138, Succeeded
TI-LFA node protection is enabled for IPv4
IPv4 Routes delayed: 3
Delay timer started at: 2019-07-25 23:14:51
Delay timer stopped at: 2019-07-25 23:14:56
Delayed routes:
10.0.7.1/32
10.0.9.1/32
10.0.10.1/32
TI-LFA protection is disabled for IPv6
switch# show isis graceful-restart vrf default
IS-IS Instance: 1 VRF: default
System ID: 0000.0000.0001
Graceful Restart: Enabled, Graceful Restart Helper: Enabled
State: Last Start exited after T2 (level-1) expiry
T1 : 3s
T2 (level-1) : 30s/20s remaining
T2 (level-2) : 30s/not running
T3 : not running
System ID Type Interface Restart Capable Status
is-hostname-1 L1L2 Ethernet1 Yes Running
is-hostname-2 L1 Ethernet2 Yes Restarting
switch# show isis summary vrf default
IS-IS Instance: 1 VRF: default
System ID: 0000.0000.0001, administratively enabled
....
Graceful Restart: Enabled, Graceful Restart Helper: Enabled
switch# show isis neighbors detail vrf default
Instance VRF System Id Type Interface SNPA State Hold time Circuit Id
1 default OT1 L1 Ethernet1 2:1:0:b4:0:0 UP 29839 OT3.05
Area Address(es): 49.0001
SNPA: 2:1:0:b4:0:0
....
Graceful Restart: Supported, Status: Restarting (RR rcvd, RA sent, CSNP sent)
switch# show isis interface detail vrf default
ISIS Instance: ISISQ VRF: default
Interface Ethernet1:
Index: 2 SNPA: P2P
...
Level 1:
Graceful Restart Status: RR sent, SA sent, RA rcvd, CSNP rcvd
switch# show isis dynamic flooding topology
IS-IS Instance: Amun VRF: default
Level 1:
Path: ip6.00 ip4.00 ip2.00 ip1.00 ip3.00 ip5.00 ip6.00
This command displays a list of paths that describe the flooding topology. Each path is a list of nodes in the network.
switch# show isis dynamic flooding interfaces
IS-IS Instance: Amun VRF: default
Level 1:
Ethernet5
Ethernet4
This shows that the system is currently flooding only on ethernet4 and ethernet5. Normally at least two interfaces are selected.
The address-family command places the switch in address-family configuration mode.
Address-family configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.
The no address-family and default address-family commands delete the specified address-family from running-config by removing all commands previously configured in the corresponding address-family mode.
The exit command returns the switch to the isis configuration mode.
Command Mode
Router-IS-IS Configuration
Command Syntax
address-family [ipv4 | ipv6][MODE]
no address-family [ipv4 | ipv6][MODE]
default address-family [ipv4 | ipv6][MODE]
Parameters
switch(config)# router isis Osiris
switch(config-router-isis)# address-family ipv4 unicast
switch(config-router-isis-af)#
switch(config)# router isis Osiris
switch(config-router-isis)# address-family ipv4 unicast
switch(config-router-isis-af)# exit
switch(config-router-isis)#
Use the adjacency-segment command in interface configuration mode to have the PLR compute backup paths for an adjacency segment only if the Adjacency SID sub-TLV has the B-flag (backup flag) set.
Command Mode
Interface configuration mode
Command Syntax
adjacency-segment [ipv4 | ipv6] p2p [multiple] [label label | index index] backup-eligible
no adjacency-segment [ipv4 | ipv6] p2p [multiple] [label label | index index] backup-eligible
default adjacency-segment [ipv4 | ipv6] p2p [multiple] [label label | index index] backup-eligible
The adjacency-segment command allocates adjacency segments to all IS-IS adjacencies, or only those adjacencies which are to IS-IS routers that have advertised IS-IS SR capability, or to none of the adjacencies.
Command Mode
Segment-Routing MPLS Configuration
Command Syntax
adjacency-segment allocation [all-interface | none | sr-peers]
Parameters
Example
switch(config-router-isis-sr-mpls)# adjacency-segment allocation sr-peer
The adjacency-segment command configures IS-IS adjacencies statically on the switch, so that these values are preserved even when the switch restarts. The no and default forms of the command place the switch back in global configuration mode.
Command Mode
Interface Ethernet Configuration
Command Syntax
adjacency-segment ipv4 | ipv6 p2p [[label label-value]|[index index-value global]]
Parameters
Example
switch(config-if-Et1)# adjacency-segment ipv4 p2p index 50 global
Use the area leader command to tune or disable the area leader election process.
Command Mode
Router configuration mode
Command Syntax
area leader [disabled | level-1 [disabled] | level-2 [disabled] | priority [num [level-1 | level-2]]]
no area leader
default area leader
The authentication key command configures the authentication key for the IS-IS instance, causing LSPs, CSNPs and PSNPs to be authenticated.
The no authentication key and default authentication key commands disable the authentication key for the IS-IS instance.
Command Mode
ISIS-Router Configuration
Command Syntax
authentication key [0 | 7] [LAYER_VALUE]
no authentication key [0 | 7] [LAYER_VALUE]
default authentication key [0 | 7] [LAYER_VALUE]
Parameters
Example
switch(config)# router isis 1
switch(config-router-isis)# authentication key secret
switch(config-router-isis)#
The authentication mode command configures authentication for the IS-IS instance, causing LSPs, CSNPs, and PSNPs to be authenticated.
The no authentication mode and default authentication mode commands disable authentication for the IS-IS instance.
Command Mode
ISIS-Router Configuration
Command Syntax
authentication mode [md5 | text] [LAYER_VALUE]
no authentication mode [md5 | text] [LAYER_VALUE]
default authentication mode [md5 | text] [LAYER_VALUE]
Parameters
Example
switch(config)# router isis 1
switch(config-router-isis)# authentication mode md5
switch(config-router-isis)#
The bfd all-interfaces command enables Bidirectional Forwarding Detection (BFD) for all IS-IS-enabled interfaces in the IPv4 or IPv6 address family.
Use the isis bfd command to configure BFD on a specific interface.
Command Mode
Router-IS-IS Address-Family Configuration
Command Syntax
bfd all-interfaces
Example
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv4
switch(config-router-af)# bfd all-interfaces
switch(config-router-af)#
Command Mode
Privileged Exec
Command Syntax
clear isis [INSTANCE] database {LSPID | all | level-1 | level-2}
Parameters
switch(config)# clear isis database 1111.1111.1002.00-00
1 LSPs cleared on instance 1.
switch(config)#
switch(config)# clear isis database all
3 LSPs cleared on instance 1.
switch(config)#
switch(config)# clear isis database level-1
3 LSPs cleared on instance 1.
switch(config)#
switch(config)# clear isis instance2 database all
3 LSPs cleared on instance instance 2.
switch(config)#
The clear isis neighbor command clears IS-IS adjacencies that exist on an interface, or at a specific level, or the adjacencies formed with a given neighbor (either with a system ID or a hostname).
Command Mode
Privileged EXEC
Command Syntax
clear isis neighbor {Neighbor-ID | all | interface} [level-1 | level-2 | level-1-2]
Parameters
switch# clear isis neighbor af86.3032.1a0f
2 neighbors cleared on instance 1
switch#
switch# clear isis neighbor interface et1
4 neighbors cleared on instance 1
switch#
switch# clear isis neighbor af86.3032.1a0f interface et1
2 neighbors cleared on instance 1
switch#
switch# clear isis neighbor interface et1 level-1
2 neighbors cleared on instance 1
switch#
switch# clear isis neighbor all level-1-2
0 neighbors cleared on instance 1
switch#
Use the fast-reroute ti-lfa mode command to enable link or node protection for node segments and adjacency segments of a specific address-family learned on all IS-IS interfaces.
Command Mode
address-family sub-mode of the router isis mode (config-router-isis-af)
Command Syntax
fast-reroute ti-lfa mode [[[ link-protection | node-protection][level-1 | level-2]] | disabled]
Guidelines
FRR using TI-LFA is disabled globally by default in the router IS-IS address-family sub-modes.
The interface TI-LFA configuration inherits the address-family sub-mode configuration by default.
Use the fast-reroute ti-lfa srlg command to enable SRLG protection on all interfaces. This command is used in addition to configuring link-protection or node-protection. When SRLG protection is enabled, the backup paths are computed after excluding all the links that share the same SRLG with the active link that is being used by all prefix segments and adjacency segments.
Command Mode
IS-IS router address-family configuration mode
Command Syntax
fast-reroute ti-lfa srlg [strict]
Parameters
strict The backup path is only programmed if there is a backup path that excludes all the SRLGs configured on the primary interface.
The graceful-restart command configures IS-IS graceful-restart. The command provides options to configure the t2 time or the restart-hold-time.
t2 is the maximum wait time for the LSP database to synchronize (SPF computation is not done while t2 is running). t2 can be configured for either Level-1 or Level-2 routes.
restart-hold-time is the hold time advertised by the router to its neighbors before undergoing ASU2 fast reboot.
The no graceful-restart and default graceful-restart commands remove the IS-IS graceful-restart configuration from running-config.
Command Mode
Router-IS-IS Configuration
Command Syntax
graceful-restart t2 | restart-hold-time value
no graceful-restart t2 | restart-hold-time value
default graceful-restart t2 | restart-hold-time value
Parameters
switch(config)# router isis 1
switch(config-router-isis)# graceful-restart t2 level-1 30
switch(config)# router isis 1
switch(config-router-isis)# graceful-restart restart-hold-time 50
The is-hostname command configures the use of a human-readable string to represent the symbolic name of an IS-IS router. It also changes the output of IS-IS show commands, to show the IS-IS hostname in place of system IDs if the corresponding IS-IS hostname is known. However, syslogs still use IS-IS system IDs and not the IS-IS hostname.
By default, if a hostname is configured on the switch, it is used as the IS-IS hostname. It is also possible to unconfigure an assigned hostname for IS-IS using the no is-hostname command. When the IS-IS hostname is removed, the switch goes back to using the switch's hostname as the IS-IS hostname.
Command Mode
Router-IS-IS Configuration
Command Syntax
is-hostname string
no is-hostname
switch(config)# router isis inst1
switch(config-router-isis)# is-hostname ishost1
switch(config-router-isis)#
switch(config)# router isis inst1
switch(config-router-isis)# no is-hostname ishost1
switch(config-router-isis)#
The isis authentication key command configures the authentication key on the interface, causing IS-IS Hellos to be authenticated.
The no isis authentication mode and default isis authentication mode commands disable the authentication key for the IS-IS instance.
Command Mode
Interface-Ethernet Configuration
Command Syntax
isis authentication key [0 | 7] [LAYER_VALUE]
no isis authentication key [0 | 7] [LAYER_VALUE]
default isis authentication key [0 | 7] [LAYER_VALUE]
Parameters
Example
switch(config)# interface Ethernet 3/6
switch(config-if-Et3/6)# isis authentication mode text
switch(config-if-Et3/6)# isis authentication key 7 cAm28+9a/xPi04o7hjd8Jw==
switch(config-if-Et3/6)#
The isis authentication mode command configures authentication on the interface, causing IS-IS Hellos to be authenticated.
The no isis authentication mode and default isis authentication mode commands disable authentication for the IS-IS instance.
Command Mode
Interface-Ethernet Configuration
Command Syntax
isis authentication mode [md5 | text][LAYER_VALUE]
no isis authentication mode [md5 | text][LAYER_VALUE]
default isis authentication mode [md5 | text][LAYER_VALUE]
Parameters
Example
switch(config)# interface Ethernet 3/6
switch(config-if-Et3/6)# isis authentication mode text
switch(config-if-Et3/6)# isis authentication key 7 cAm28+9a/xPi04o7hjd8Jw==
switch(config-if-Et3/6)#
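The instance-level authentication mode and authentication key commands and the interface-level isis authentication commands above can be audited together. The following added example (not part of the original documentation) walks a list of configuration commands in the forms this page shows and reports instances and IS-IS enabled interfaces that have no authentication, use text mode, or have a mode without a key. The sample configuration, key placeholder and function names are constructed for illustration; that text mode carries the password unprotected in each PDU is general IS-IS behaviour rather than a statement from this page.

```python
import re

# Strips an interactive prompt such as "switch(config-if-Et3/6)# " when present.
PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")

# Constructed sample; the key strings are placeholders, not real keys.
SAMPLE_CONFIG = """\
router isis 1
   authentication mode md5
   authentication key 7 EXAMPLE-PLACEHOLDER-KEY
router isis Osiris
   net 49.0001.1010.1040.1030.00
interface Ethernet 3/6
   isis enable 1
   isis authentication mode text
   isis authentication key 7 EXAMPLE-PLACEHOLDER-KEY
interface Ethernet 5
   isis enable Osiris
interface Loopback 0
   isis enable Osiris
   isis passive
interface Ethernet 7
   isis enable 1
   isis authentication mode md5
"""

MESSAGES = {
    "no-auth": "IS-IS PDUs are not authenticated",
    "cleartext": "text mode sends the password unprotected; prefer md5",
    "no-key": "authentication mode is set but no key is configured",
}


def parse_isis_auth(lines):
    """Return (instances, interfaces) with the authentication state of each."""
    instances, interfaces = {}, {}
    kind, ctx = None, None  # current configuration mode and its settings
    for raw in lines:
        words = PROMPT.sub("", raw.strip()).split()
        negate = bool(words) and words[0] in ("no", "default")
        if negate:
            words = words[1:]
        if not words:
            continue
        if words[:2] == ["router", "isis"] and len(words) > 2:
            if not negate:
                kind = "instance"
                ctx = instances.setdefault(words[2], {"mode": None, "key": False})
            continue
        if words[0] == "interface" and len(words) > 1:
            if not negate:
                kind = "interface"
                name = "".join(words[1:]).lower()
                ctx = interfaces.setdefault(name, {
                    "instance": None, "mode": None, "key": False, "passive": False})
            continue
        # Interface commands carry an "isis" prefix; instance commands do not.
        if kind == "interface" and words[0] == "isis":
            cmd = words[1:]
        elif kind == "instance":
            cmd = words
        else:
            continue
        if cmd[:2] == ["authentication", "mode"]:
            ctx["mode"] = cmd[2] if (len(cmd) > 2 and not negate) else None
        elif cmd[:2] == ["authentication", "key"]:
            ctx["key"] = len(cmd) > 2 and not negate
        elif kind == "interface" and cmd[:1] == ["enable"]:
            ctx["instance"] = cmd[1] if (len(cmd) > 1 and not negate) else None
        elif kind == "interface" and cmd[:1] == ["passive"]:
            ctx["passive"] = not negate
    return instances, interfaces


def check(where, settings):
    """Findings for one instance or interface as (where, code) tuples."""
    if settings["mode"] is None:
        return [(where, "no-auth")]
    found = []
    if settings["mode"] == "text":
        found.append((where, "cleartext"))
    if not settings["key"]:
        found.append((where, "no-key"))
    return found


def audit(lines):
    """Audit LSP/CSNP/PSNP authentication per instance and Hello
    authentication per interface that runs IS-IS and is not passive."""
    instances, interfaces = parse_isis_auth(lines)
    findings = []
    for name in sorted(instances):
        findings += check(f"instance {name}", instances[name])
    for name in sorted(interfaces):
        intf = interfaces[name]
        # Passive interfaces do not send or receive IS-IS control packets.
        if intf["instance"] is None or intf["passive"]:
            continue
        findings += check(f"interface {name}", intf)
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIG.splitlines()):
        print(f"{where}: {MESSAGES[code]}")
```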
The isis bfd command activates the corresponding IS-IS routing instance on the configuration mode interface. By default, the IS-IS routing instance is not enabled on an interface.
The no isis enable and default isis enable commands disable IS-IS on the configuration mode interface by removing the corresponding isis enable command from running-config.
Command Mode
Interface-Ethernet Configuration
Command Syntax
isis bfd
no isis bfd
default isis bfd
Example
switch(config)# interface Ethernet 5/6
switch(config-if-Et5/6)# isis bfd
switch(config-if-Et5/6)#
The isis enable command activates the corresponding IS-IS routing instance on the configuration mode interface. By default, the IS-IS routing instance is not enabled on an interface.
The no isis enable and default isis enable commands disable IS-IS on the configuration mode interface by removing the corresponding isis enable command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
isis enable instance_id
no isis enable
default isis enable
Parameters
instance_id IS-IS instance name.
switch(config)# router isis Osiris
switch(config-router-isis)# net 49.0001.1010.1040.1030.00
switch(config-router-isis)# interface ethernet 4
switch(config-if-Eth4)# isis enable Osiris
switch(config)# interface ethernet 4
switch(config-if-Eth4)# no isis enable
Use the isis fast-reroute ti-lfa mode command to enable link or node protection for node segments and adjacency segments learned on a specific IS-IS interface. By default, the interface TI-LFA configuration inherits the address-family sub-mode configuration.
The no isis fast-reroute ti-lfa mode and default isis fast-reroute ti-lfa mode commands disable link or node protection for node segments and adjacency segments learned on a specific IS-IS interface.
Command Mode
Interface configuration mode.
Command Syntax
isis fast-reroute ti-lfa mode [link-protection | node-protection | disabled][level-1 | level-2]
no isis fast-reroute ti-lfa mode [link-protection | node-protection | disabled][level-1 | level-2]
default isis fast-reroute ti-lfa mode [link-protection | node-protection | disabled][level-1 | level-2]
Parameters
The isis hello-interval command sends Hello packets from applicable interfaces to maintain the adjacency through the transmitting and receiving of Hello packets. The Hello packet interval can be modified.
The no isis hello-interval and default isis hello-interval commands restore the default hello interval of 10 seconds on the configuration mode interface by removing the isis hello-interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
isis hello-interval time
no isis hello-interval
default isis hello-interval
Parameters
time Values range from 1 to 300; default is 10.
switch(config)# interface vlan 200
switch(config-if-Vl200)# isis hello-interval 45
switch(config-if-Vl200)#
switch(config)# interface vlan 200
switch(config-if-Vl200)# no isis hello-interval
switch(config-if-Vl200)#
switch(config)# interface ethernet 5
switch(config-if-Et5)# isis hello-interval 60
switch(config-if-Et5)#
switch(config)# interface ethernet 5
switch(config-if-Et5)# no isis hello-interval
switch(config-if-Et5)#
The isis hello-multiplier command specifies the number of IS-IS hello packets missed by a neighbor before the adjacency is considered down.
The no isis hello-multiplier and default isis hello-multiplier commands restore the default hello multiplier of 3 on the configuration mode interface by removing the isis hello-multiplier command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
isis hello-multiplier factor
no isis hello-multiplier
default isis hello-multiplier
Parameters
factor Values range from 3 to 100; default is 3.
switch(config)# interface vlan 200
switch(config-if-Vl200)# isis hello-multiplier 4
switch(config-if-Vl200)#
switch(config)# interface vlan 200
switch(config-if-Vl200)# no isis hello-multiplier
switch(config-if-Vl200)#
switch(config)# interface ethernet 5
switch(config-if-Et5)# isis hello-multiplier 45
switch(config-if-Et5)#
switch(config)# interface ethernet 5
switch(config-if-Et5)# no isis hello-multiplier
switch(config-if-Et5)#
Use the isis [ipv4|ipv6] fast-reroute ti-lfa srlg command to enable protection selectively on a specific interface. This command only enables SRLG protection for prefix segments and adjacency segments enabled on the interface.
Command Mode
Interface configuration mode
Command Syntax
isis [ipv4 | ipv6][fast-reroute ti-lfa srlg][strict | disabled]
no isis [ipv4 | ipv6][fast-reroute ti-lfa srlg][strict | disabled]
default isis [ipv4 | ipv6][fast-reroute ti-lfa srlg][strict | disabled]
The isis ipv6 metric command configures the IPv6 metric.
The no isis ipv6 metric and default isis ipv6 metric commands restore the default metric of 10 on the configuration mode interface.
Command Mode
Interface-Ethernet Configuration
Command Syntax
isis ipv6 metric metric_value
no isis ipv6 metric
default isis ipv6 metric
Parameters
metric_value Values range from 1 to 16777214; default is 10.
Example
switch(config)# interface Ethernet 5/6
switch(config-if-Et5/6)# isis ipv6 metric 30
switch(config-if-Et5/6)#
The isis lsp tx interval command sets the interval at which IS-IS sends link-state information on the interface.
The no isis lsp tx interval and default isis lsp tx interval commands restore the default setting of 33 ms by removing the isis lsp tx interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
isis lsp tx interval period
no isis lsp tx interval
default isis lsp tx interval
Parameters
period Value ranges from 1 through 3000. Default interval is 33 ms.
switch(config)# interface ethernet 5
switch(config-if-Et5)# isis lsp tx interval 600
switch(config-if-Et5)#
switch(config)# interface ethernet 5
switch(config-if-Et5)# no isis lsp tx interval
switch(config-if-Et5)#
The isis metric command sets the cost for sending information over an interface.
The no isis metric and default isis metric commands restore the metric to its default value of 10 by removing the isis metric command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
isis metric metric_cost
no isis metric
default isis metric
Parameters
metric_cost Values range from 1 to 1677214. Default value is 10.
switch(config)# router isis Osiris
switch(config-router-isis)# interface ethernet 5
switch(config-if-Et5)# isis metric 30
switch(config-if-Et5)#
switch(config)# router isis Osiris
switch(config-router-isis)# interface ethernet 5
switch(config-if-Et5)# no isis metric
switch(config-if-Et5)#
The isis multi-topology command configures the IPv4 or IPv6 address family individually on an interface with both IPv4 and IPv6 addresses.
The no isis multi-topology and default isis multi-topology commands restore the interface default of both IPv4 and IPv6 address families.
Command Mode
Interface-Ethernet Configuration
Command Syntax
isis multi-topology address-family ipv4 unicast
no isis multi-topology address-family ipv4 unicast
default isis multi-topology address-family ipv4 unicast
switch(config)# interface Ethernet 5/6
switch(config-if-Et5/6)# isis multi-topology address-family ipv4 unicast
switch(config-if-Et5/6)#
switch(config)# interface Ethernet 5/6
switch(config-if-Et5/6)# isis multi-topology address-family ipv6 unicast
switch(config-if-Et5/6)#
switch(config)# interface Ethernet 5/6
switch(config-if-Et5/6)# no isis multi-topology address-family unicast
switch(config-if-Et5/6)#
The isis network command sets the configuration mode interface as a point-to-point link. By default, interfaces are configured as broadcast links.
The no isis network and default isis network commands set the configuration mode interface as a broadcast link by removing the corresponding isis network command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
isis network point-to-point
no isis network
default isis network
switch(config)# interface ethernet 10
switch(config-if-Et10)# isis network point-to-point
switch(config-if-Et10)#
switch(config-if-Et10)# no isis network
switch(config-if-Et10)#
The isis passive command configures the configuration-mode interface as passive. The switch will continue to advertise the IP address in the LSP, but the interface will not send or receive IS-IS control packets.
The no isis passive command removes the passive configuration, allowing the interface to send and receive IS-IS control packets. The default isis passive command sets the interface to the default interface activity setting by removing the corresponding isis passive or no isis passive statement from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
isis passive
no isis passive
default isis passive
switch(config)# interface ethernet 10
switch(config-if-Et10)# isis passive
switch(config-if-Et10)#
switch(config)# interface ethernet 10
switch(config-if-Et10)# no isis passive
switch(config-if-Et10)#
The isis priority command sets the IS-IS priority for the interface.
The default priority is 64. The network device with the highest priority will be elected as the designated intermediate router to send link-state advertisements for that network.
The no isis priority and default isis priority commands restore the default priority (64) on the configuration mode interface.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
isis priority priority_level
no isis priority
default isis priority
Parameters
priority_level Value ranges from 0 to 127. Default value is 64.
switch(config)# router isis Osiris
switch(config-router-isis)# interface ethernet 5
switch(config-if-Et5)# isis priority 60
switch(config-if-Et5)#
switch(config)# router isis Osiris
switch(config-router-isis)# interface ethernet 5
switch(config-if-Et5)# no isis priority
switch(config-if-Et5)#
switch(config)# interface vlan 7
switch(config-if-Vl7)# isis priority 64
switch(config-if-Vl7)#
switch(config)# interface vlan 7
switch(config-if-Vl7)# no isis priority
switch(config-if-Vl7)#
The is-type command configures the routing level for an IS-IS instance.
An IS-IS router can be configured as Level-1-2, in which case it can form adjacencies and exchange routing information with both Level-1 and Level-2 routers. A Level-1-2 router can be configured to transfer routing information from Level-1 to Level-2 areas and vice versa (via route leaking). By default, all routes from the Level-1 area are always leaked into the Level-2 network.
Command Mode
Router-IS-IS Configuration
Command Syntax
is-type LAYER_VALUE
Parameters
switch(config)# router isis Osiris
switch(config-router-isis)# is-type level-1-2
switch(config-router-isis)#
switch(config)# router isis Osiris
switch(config-router-isis)# is-type level-2
switch(config-router-isis)#
The log-adjacency-changes command sets the switch to send Syslog messages when it detects link state changes or when it detects that a neighbor state has changed.
The default option is active when running-config does not contain any form of the command. Entering the command in any form replaces the previous command state in running-config.
Command Mode
Router-IS-IS Configuration
Command Syntax
log-adjacency-changes
no log-adjacency-changes
default log-adjacency-changes
switch(config)# router isis Osiris
switch(config-router-isis)# log-adjacency-changes
switch(config-router-isis)#
switch(config)# router isis Osiris
switch(config-router-isis)# no log-adjacency-changes
switch(config-router-isis)#
Use the lsp flooding dynamic command to configure dynamic flooding. Dynamic flooding must be enabled on all routers in the area. The no form of the command removes LSP dynamic flooding. LSP flooding dynamic is disabled by default.
Command Mode
Router configuration mode
Command Syntax
lsp flood dynamic [level-1 | level-2]
no lsp flood dynamic [level-1 | level-2]
default lsp flood dynamic [level-1 | level-2]
switch(config)# router isis Amun
switch(config-router-isis)# net 49.0000.0000.3333.00
switch(config-router-isis)# is-hostname ip3
switch(config-router-isis)# lsp flooding dynamic
The match isis level command configures a route map to match on IS-IS level. It filters Level-1 or Level-2 routes by using the route map's match statement.
The no match isis level and default match isis level commands remove the match IS-IS level configuration from running-config.
Command Mode
Route-map Configuration
Command Syntax
match isis level [level-1 | level-2]
no match isis level [level-1 | level-2]
default match isis level [level-1 | level-2]
Parameters
Example
switch(config)# route-map Test
switch(config-route-map-test)# match isis level level-1
The mpls label range command derives the indices of the actual MPLS label on the SRGB advertised by the router. The default value of SRGB in EOS is Base: 900000, Size: 65536. In other words, any global segment represents a label in the range 900000-965535.
Command Mode
Global Configuration
Command Syntax
mpls label range value
Parameters
Example
switch(config)# mpls label range isis-sr 900000 65536
The multi-topology command configures IS-IS Multi-Topology (MT) support (disabled by default), enabling an IS-IS router to compute a separate topology for IPv4 and IPv6 links in the network. With MT configured, not all the links in a network need to support both IPv4 and IPv6. Some can support IPv4 or IPv6 individually. The IPv4 SPF will install IPv4 routes using the IPv4 topology, and similarly the IPv6 SPF will install IPv6 routes using the IPv6 topology. Without MT support, all links in an IS-IS network need to support the same set of address families. When MT is enabled, each link has a separate IPv4 metric and IPv6 metric.
The no multi-topology and default multi-topology commands restore the interface to its default of both IPv4 and IPv6 address families.
Command Mode
Router IS-IS Address-Family Configuration
Command Syntax
multi-topology
no multi-topology
default multi-topology
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv6 unicast
switch(config-router-isis-af)# multi-topology
switch(config-router-isis-af)#
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv6 unicast
switch(config-router-isis-af)# no multi-topology
switch(config-router-isis-af)#
The net command configures the Network Entity Title of the IS-IS instance. By default, no NET is defined.
The no net and default net commands remove the NET from running-config.
Command Mode
Router-IS-IS Configuration
Command Syntax
net mask_hex
no net
default net
Parameters
switch(config)# router isis Osiris
switch(config-router-isis)# net 49.0001.1010.1040.1030.00
switch(config-router-isis)#
switch(config)# router isis Osiris
switch(config-router-isis)# no net 49.0001.1010.1040.1030.00
switch(config-router-isis)#
The node-segment command associates the node segments with prefix mask length /32 (IPv4) or /128 (IPv6) addresses. The node-segment command must be issued on an IS-IS-enabled loopback interface.
Command Mode
Loop-back Interface Configuration
Command Syntax
node-segment [ipv4 | ipv6] index value
Parameters
switch(config)# int loopback 1
switch(config-if-Lo1)# ip address 21.1.1.1/32
switch(config-if-Lo1)# node-segment ipv4 index 5
switch(config)# int loopback 1
switch(config-if-Lo1)# ipv6 add 2000::24/128
switch(config-if-Lo1)# node-segment ipv6 index 5
switch(config)# int loopback 1
switch(config-if-Lo1)# ip address 21.1.1.1/24
switch(config-if-Lo1)# node-segment ipv4 index 1
! /32 IPv4 address is not configured on the interface
switch(config-if-Lo1)# no node-segment ipv4 index 1
The passive command configures the specified IS-IS interface as passive. The switch will continue to advertise the IP address in the LSP, but the interface will not send or receive IS-IS control packets.
The no passive command removes the passive configuration, allowing the interface to send and receive IS-IS control packets. The default passive command sets the interface to the default interface activity setting by removing the corresponding passive or no passive statement from running-config.
Command Mode
Router-IS-IS Configuration
Command Syntax
passive INTERFACE_NAME
no passive INTERFACE_NAME
default passive INTERFACE_NAME
Parameters
Valid e_range, l_range, p_range, and v_range formats include number, range, or comma-delimited list of numbers and ranges.
switch(config)# router isis Osiris
switch(config-router-isis)# passive ethernet 10
switch(config-router-isis)#
switch(config)# router isis Osiris
switch(config-router-isis)# no passive ethernet 10
switch(config-router-isis)#
The prefix-segment command associates prefix segments with any IS-IS prefix a router is originating an IP Reachability TLV for.
Command Mode
Segment-Routing MPLS Configuration
Command Syntax
prefix-segment ip-address index value
Parameters
Example
switch(config)# router isis instance1
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# prefix-segment 1.1.1.0/24 index 50
The proxy-node-segment command configures a proxy-node-SID for an IS-IS prefix originating from a router that does not support IS-IS SR.
Command Mode
Segment-Routing MPLS Configuration
Command Syntax
proxy-node-segment ip-address index value
Example
switch(config)# router isis instance1
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# proxy-node-segment 1.1.1.0/32 index 50
The redistribute command redistributes the specified types of routes into IS-IS.
The no redistribute and default redistribute commands disable route redistribution from the specified domain by removing the corresponding redistribute statement from running-config.
Command Mode
Router-IS-IS Configuration
Command Syntax
redistribute ROUTE_TYPE
no redistribute ROUTE_TYPE
default redistribute ROUTE_TYPE
Parameters
switch(config)# router isis Test
switch(config-router-isis)# redistribute connected
switch(config)# router isis Test
switch(config-router-isis)# redistribute static
Switch(config)# router isis 1
Switch(config-router-isis)# address-family ipv4
Switch(config-router-isis-af)# redistribute bgp route-map bgp-to-isis-v4
Switch(config)# router isis 1
Switch(config-router-isis)# redistribute bgp route-map bgp-to-isis
The redistribute bgp route-map command redistributes the BGP routes from the specified route map into IS-IS. Only one route map can be specified; reissuing the command overrides any previous configuration.
The no redistribute bgp and default redistribute bgp commands disable BGP route redistribution from the specified domain by removing the redistribute bgp statement from running-config.
The command is available in both router isis configuration mode and the address-family submode. The command is rejected if configured in both modes at the same time. Issuing the no or default command in router isis configuration mode has no effect on redistribution configured in the address-family submode.
Command Mode
Router-IS-IS Configuration
Router-IS-IS Address-Family Configuration
Command Syntax
redistribute bgp route-map map_name
no redistribute bgp
default redistribute ROUTE_TYPE
Parameter
map_name Route map to be used for redistribution of BGP routes.
switch(config)# router isis 1
switch(config-router-isis)# address-family ipv4
switch(config-router-isis-af)# redistribute bgp route-map bgp-to-isis-v4
switch(config-router-isis-af)#
switch(config)# router isis 1
switch(config-router-isis)# redistribute bgp route-map bgp-to-isis
The router isis command places the switch in router ISIS configuration mode.
Router ISIS configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.
The no router isis command deletes the IS-IS instance.
The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
router isis instance_name [VRF_INSTANCE]
no router isis instance_name
default router isis instance_name
Parameters
switch(config)# router isis Osiris
switch(config-router-isis)#
switch(config)# router isis Osiris
% More than 1 ISIS instance is not supported
switch(config)#
switch(config)# no router isis Osiris
switch(config)#
The segment-routing mpls command places the switch in the segment-routing mpls configuration mode.
The no segment-routing mpls and default segment-routing mpls commands disable IS-IS SR and delete all IS-IS SR configurations.
Command Mode
Router IS-IS Configuration
Command Syntax
segment-routing mpls
no segment-routing mpls
default segment-routing mpls
Example
switch(config)# router isis instance1
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)#
When services like LDP pseudowires, BGP LU, L2 EVPN, or L3 MPLS VPN use IS-IS SR tunnels as an underlay, these services are automatically protected by TI-LFA tunnels that protect the IS-IS SR tunnels. The show ip route command displays the hierarchy of the overlay-underlay-TI-LFA tunnels.
switch# show ip route
B 2001:db8:3::/48 [200/0]
via 2002::b00:301/128, IS-IS SR tunnel index 3, label 122697
via TI-LFA tunnel index 5, label imp-null(3)
via fe80::200:76ff:fe03:0, Ethernet26/1, label imp-null(3)
backup via fe80::200:76ff:fe01:0, Ethernet30/1, label 900002 900003
The set isis level command configures a route map to set ISIS level.
The no set isis level and default set isis level commands remove the set IS-IS level configuration from running-config.
Command Mode
Route-map Configuration
Command Syntax
set isis level [level-1 | level-2 | level-1-2]
no set isis level [level-1 | level-2 | level-1-2]
default set isis level [level-1 | level-2 | level-1-2]
Example
switch(config)# route-map Test
switch(config-route-map-test)# set isis level level-1
The set-overload-bit command sets the overload bit in link state packets (LSPs) to signal that the switch is not available for forwarding transit traffic (for instance, during startup or when the switch is being taken down for maintenance). To configure the switch to set the overload bit for a specified period after a reboot, use the on-startup option.
Command Mode
Router-IS-IS Configuration
Command Syntax
set-overload-bit [on-startup interval]
no set-overload-bit
default set-overload-bit
Parameters
switch(config)# router isis Osiris
switch(config-router-isis)# set-overload-bit on-startup 120
switch(config-router-isis)#
switch(config)# router isis Osiris
switch(config-router-isis)# no set-overload-bit on-startup
switch(config-router-isis)#
The show isis database command displays the link state database of IS-IS. The default command displays active routes and learned routes.
Command Mode
EXEC
Command Syntax
show isis database [INSTANCES][INFO_LEVEL]
show isis database [INFO_LEVEL] [VRF_INSTANCE]
Parameters
switch# show isis database
ISIS Instance: Osiris
ISIS Level 2 Link State Database
LSPID Seq Num Cksum Life IS Flags
1212.1212.1212.00-00 4 714 1064 L2 <>
1212.1212.1212.0a-00 1 57417 1064 L2 <>
2222.2222.2222.00-00 6 15323 1116 L2 <>
2727.2727.2727.00-00 10 15596 1050 L2 <>
3030.3030.3030.00-00 12 62023 1104 L2 <>
3030.3030.3030.c7-00 4 53510 1104 L2 <>
switch>
switch# show isis database detail
ISIS Instance: Osiris
ISIS Level 2 Link State Database
LSPID Seq Num Cksum Life IS Flags
1212.1212.1212.00-00 4 714 1060 L2 <>
Area address: 49.0001
Interface address: 10.1.1.2
Interface address: 2002::2
IS Neighbor: 1212.1212.1212.0a Metric: 10
Reachability: 10.1.1.0/24 Metric: 10 Type: 1
Reachability: 2002::/64 Metric: 10 Type: 1
1212.1212.1212.0a-00 1 57417 1060 L2 <>
IS Neighbor: 2727.2727.2727.00 Metric: 0
IS Neighbor: 2222.2222.2222.00 Metric: 0
IS Neighbor: 1212.1212.1212.00 Metric: 0
2222.2222.2222.00-00 6 15323 1112 L2 <>
Area address: 49.0001
Interface address: 10.1.1.1
Interface address: 10.1.1.3
Interface address: 2002::3
IS Neighbor: 1212.1212.1212.0a Metric: 10
Reachability: 10.1.1.0/24 Metric: 10 Type: 1
Reachability: 10.1.1.0/24 Metric: 10 Type: 1
Reachability: 2002::/64 Metric: 10 Type: 1
2727.2727.2727.00-00 10 15596 1046 L2 <>
Area address: 49.0001
Interface address: 10.1.1.1
Interface address: 30.1.1.1
Interface address: 2002::1
Interface address: 2001::1
IS Neighbor: 1212.1212.1212.0a Metric: 10
IS Neighbor: 3030.3030.3030.c7 Metric: 10
Reachability: 10.1.1.0/24 Metric: 10 Type: 1
Reachability: 30.1.1.0/24 Metric: 10 Type: 1
Reachability: 2002::/64 Metric: 10 Type: 1
Reachability: 2001::/64 Metric: 10 Type: 1
3030.3030.3030.00-00 12 62023 1100 L2 <>
Area address: 49.0001
Interface address: 30.1.1.2
Interface address: 2001::2
IS Neighbor: 3030.3030.3030.c7 Metric: 10
Reachability: 12.1.1.0/24 Metric: 1 Type: 1
Reachability: 110.1.1.0/24 Metric: 0 Type: 1
Reachability: 30.1.1.0/24 Metric: 10 Type: 1
Reachability: 2001::/64 Metric: 10 Type: 1
3030.3030.3030.c7-00 4 53510 1100 L2 <>
IS Neighbor: 2727.2727.2727.00 Metric: 0
IS Neighbor: 3030.3030.3030.00 Metric: 0
switch>
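Added example (not part of the EOS documentation): the summary rows of show isis database can be compared between two captures to spot LSPs that deserve a second look. The first snapshot reuses the rows shown above; the second snapshot, the finding names and the known-systems allowlist are constructed for illustration.

```python
import re

# One summary row: LSPID, Seq Num, Cksum, Life, IS level, Flags.
ROW = re.compile(
    r"^\s*(\S+)\.([0-9a-fA-F]{2})-([0-9a-fA-F]{2})\s+"
    r"(\d+)\s+(\d+)\s+(\d+)\s+(L[12])\s+<(.*?)>\s*$"
)

# Rows copied from the `show isis database` output above.
BASELINE = """\
LSPID Seq Num Cksum Life IS Flags
1212.1212.1212.00-00 4 714 1064 L2 <>
1212.1212.1212.0a-00 1 57417 1064 L2 <>
2222.2222.2222.00-00 6 15323 1116 L2 <>
2727.2727.2727.00-00 10 15596 1050 L2 <>
3030.3030.3030.00-00 12 62023 1104 L2 <>
3030.3030.3030.c7-00 4 53510 1104 L2 <>
"""

# Constructed later capture: one normal refresh, one checksum change without a
# sequence bump, one sequence regression, one new originator, one missing LSP.
CURRENT = """\
LSPID Seq Num Cksum Life IS Flags
1212.1212.1212.00-00 5 2210 1190 L2 <>
1212.1212.1212.0a-00 1 57417 610 L2 <>
2222.2222.2222.00-00 6 40211 1100 L2 <>
2727.2727.2727.00-00 3 9981 1195 L2 <>
3030.3030.3030.00-00 12 62023 640 L2 <>
4545.4545.4545.00-00 1 31007 1198 L2 <>
"""


def parse_lsdb(text):
    """Return {(level, lspid): {system, seq, cksum, life}} from summary rows."""
    lsps = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, detail TLV lines, prompts
        lspid = f"{m.group(1)}.{m.group(2)}-{m.group(3)}"
        lsps[(m.group(7), lspid)] = {
            "system": m.group(1),
            "seq": int(m.group(4)),
            "cksum": int(m.group(5)),
            "life": int(m.group(6)),
        }
    return lsps


def diff_lsdb(baseline, current, known_systems):
    """Compare two LSDB captures and return a list of (finding, lspid)."""
    findings = []
    for key, cur in sorted(current.items()):
        lspid = key[1]
        old = baseline.get(key)
        if cur["system"] not in known_systems:
            findings.append(("unknown-originator", lspid))
        if old is None:
            if cur["system"] in known_systems:
                findings.append(("new-lsp", lspid))
            continue
        if cur["seq"] < old["seq"]:
            # Sequence numbers normally only increase for a given LSP.
            findings.append(("sequence-regressed", lspid))
        elif cur["seq"] == old["seq"] and cur["cksum"] != old["cksum"]:
            # Same sequence number should mean same content.
            findings.append(("checksum-changed-same-sequence", lspid))
    for key in sorted(set(baseline) - set(current)):
        findings.append(("lsp-missing", key[1]))
    return findings


def known_systems_from(lsdb):
    """Treat every originator seen in a trusted capture as known."""
    return {entry["system"] for entry in lsdb.values()}


if __name__ == "__main__":
    base, cur = parse_lsdb(BASELINE), parse_lsdb(CURRENT)
    for finding in diff_lsdb(base, cur, known_systems_from(base)):
        print(*finding)
```

A finding is a prompt to check the originating router and its log-adjacency-changes Syslog messages, not proof of tampering; a router that was offline long enough for its LSPs to age out also restarts its sequence numbers.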
The show isis database detail command displays a view of the LSPDB of different devices in the IS-IS domain.
Command Mode
EXEC
Command Syntax
show isis database detail
Example
switch# show isis database detail
ISIS Instance: inst1 VRF: default
ISIS Level 2 Link State Database
LSPID Seq Num Cksum Life IS Flags
1111.1111.1001.00-00 10 63306 751 L2 <>
NLPID: 0xCC(IPv4) 0x8E(IPv6)
Area address: 49.0001
Interface address: 1.0.7.1
Interface address: 1.0.0.1
Interface address: 2000:0:0:47::1
Interface address: 2000:0:0:40::1
IS Neighbor : lf319.53 Metric: 10
LAN-Adj-sid: 100000 flags: [ L V ] weight: 0 system ID: 1111.1111.1002
IS Neighbor (MT-IPv6): lf319.53 Metric: 10
LAN-Adj-sid: 100001 flags: [ L V F ] weight: 0 system ID: 1111.1111.1002
Reachability : 1.0.11.0/24 Metric: 1 Type: 1 Up
SR Prefix-SID: 10 Flags: [ R ] Algorithm: 0
Reachability : 1.0.3.0/24 Metric: 1 Type: 1 Up
Reachability : 1.0.7.1/32 Metric: 10 Type: 1 Up
SR Prefix-SID: 2 Flags: [ N ] Algorithm: 0
Reachability : 1.0.0.0/24 Metric: 10 Type: 1 Up
Reachability (MT-IPv6): 2000:0:0:4b::/64 Metric: 1 Type: 1 Up
SR Prefix-SID: 11 Flags: [ R ] Algorithm: 0
Reachability (MT-IPv6): 2000:0:0:43::/64 Metric: 1 Type: 1 Up
Reachability (MT-IPv6): 2000:0:0:47::1/128 Metric: 10 Type: 1 Up
SR Prefix-SID: 3 Flags: [ N ] Algorithm: 0
Reachability (MT-IPv6): 2000:0:0:40::/64 Metric: 10 Type: 1 Up
Router Capabilities: 252.252.1.252 Flags: [ ]
SR Capability: Flags: [ I V ]
SRGB Base: 900000 Range: 65536
Segment Binding: Flags: [ F ] Weight: 0 Range: 1 Pfx 2000:0:0:4f::1/128
SR Prefix-SID: 19 Flags: [ ] Algorithm: 0
Segment Binding: Flags: [ ] Weight: 0 Range: 1 Pfx 1.0.15.1/32
SR Prefix-SID: 18 Flags: [ ] Algorithm: 0
Use the show isis dynamic flooding command to monitor Dynamic Flooding.
Command Mode
EXEC
Command Syntax
show isis dynamic flooding [interfaces | level-1 | level-2 | nodes | paths | topology | interface]
switch# show isis dynamic flooding nodes
IS-IS Instance: Amun VRF: default
Level 1 Nodes:
Index Node ID
0 ip6.00
1 ip4.00
2 ip2.00
3 ip1.00
4 ip3.00
5 ip5.00
switch# show isis dynamic flooding paths
IS-IS Instance: Amun VRF: default
Level 1:
Path: 0 1 2 3 4 5 0
switch# show isis dynamic flooding topology
IS-IS Instance: Amun VRF: default
Level 1:
Path: ip6.00 ip4.00 ip2.00 ip1.00 ip3.00 ip5.00 ip6.00
switch# show isis dynamic flooding interfaces
IS-IS Instance: Amun VRF: default
Level 1:
Ethernet5
Ethernet4
The show isis graceful-restart vrf command displays the GR configuration and graceful-restart related state of the IS-IS instance as well as its neighbors.
Command Mode
EXEC
Command Syntax
show isis graceful-restart vrf vrf-name
Example
switch# show isis graceful-restart vrf default
IS-IS Instance: 1 VRF: default
System ID: 0000.0000.0001
Graceful Restart: Enabled, Graceful Restart Helper: Enabled
State: Last Start exited after T2 (level-1) expiry
T1 : 3s
T2 (level-1) : 30s/20s remaining
T2 (level-2) : 30s/not running
T3 : not running
System ID Type Interface Restart Capable Status
is-hostname-1 L1L2 Ethernet1 Yes Running
is-hostname-2 L1 Ethernet2 Yes Restarting
The show isis hostname command displays mapping between the System ID and IS-IS hostname.
Command Mode
EXEC
Command Syntax
show isis hostname
Example
switch# show isis hostname
ISIS Instance: 1 VRF: default
Level System ID Hostname
L1 1111.1111.1001 host1
L1 1111.1111.1002 host2
The show isis interface command displays interface information for the IS-IS instance.
Command Mode
EXEC
Command Syntax
show isis interface [INSTANCES][INTERFACE_NAME][INFO_LEVEL]
show isis interface [INTERFACE_NAME] [INFO_LEVEL][VRF_INSTANCE]
switch# show isis interface
ISIS Instance: Osiris
Interface Vlan20:
Index: 59 SNPA: 0:1c:73:c:5:7f
MTU: 1497 Type: broadcast
Level 2:
Metric: 10, Number of adjacencies: 2
LAN-ID: 1212.1212.1212, Priority: 64
DIS: 1212.1212.1212, DIS Priority: 64
Interface Ethernet30:
Index: 36 SNPA: 0:1c:73:c:5:7f
MTU: 1497 Type: broadcast
Level 2:
Metric: 10, Number of adjacencies: 1
LAN-ID: 3030.3030.3030, Priority: 64
DIS: 3030.3030.3030, DIS Priority: 64
switch# show isis interface detail
ISIS Instance: Osiris
Interface Vlan20:
Index: 59 SNPA: 0:1c:73:c:5:7f
MTU: 1497 Type: broadcast
Level 2:
Metric: 10, Number of adjacencies: 2
LAN-ID: 1212.1212.1212, Priority: 64
DIS: 1212.1212.1212, DIS Priority: 64
Adjacency 2222.2222.2222:
State: UP, Level: 2 Type: Level 2 IS
Hold Time: 30, Supported Protocols: ipv4, ipv6
SNPA: 2:1:0:c:0:0, Priority: 64
IPv4 Interface Address: 10.1.1.3
IPv6 Interface Address: fe80::1:ff:fe0c:0
Areas:
49.0001
Adjacency 1212.1212.1212:
State: UP, Level: 2 Type: Level 2 IS
Hold Time: 9, Supported Protocols: ipv4, ipv6
SNPA: 2:1:0:d:0:0, Priority: 64
IPv4 Interface Address: 10.1.1.2
IPv6 Interface Address: fe80::1:ff:fe0d:0
Areas:
49.0001
Interface Ethernet30:
Index: 36 SNPA: 0:1c:73:c:5:7f
MTU: 1497 Type: broadcast
Level 2:
Metric: 10, Number of adjacencies: 1
LAN-ID: 3030.3030.3030, Priority: 64
DIS: 3030.3030.3030, DIS Priority: 64
Adjacency 3030.3030.3030:
State: UP, Level: 2 Type: Level 2 IS
Hold Time: 9, Supported Protocols: ipv4, ipv6
SNPA: 2:1:0:b:0:0, Priority: 64
IPv4 Interface Address: 30.1.1.2
IPv6 Interface Address: fe80::1:ff:fe0b:0
Areas:
49.0001
switch# show isis interface Vlan2387
IS-IS Instance: inst1 VRF: default
Interface Vlan2387:
Index: 36 SNPA: P2P
MTU: 1497 Type: point-to-point
BFD IPv4 is Disabled
BFD IPv6 is Disabled
Hello Padding is Enabled
Level 2:
Metric: 10, Number of adjacencies: 1
Link-ID: 24
Authentication mode: None
TI-LFA node protection with SRLG loose protection is enabled for the following IPv4 segments: node segments, adjacency segments
TI-LFA protection is disabled for IPv6
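Added example (not part of the EOS documentation): the show isis interface output above reports "Authentication mode: None" per level, so the text can be audited for interfaces that accept IS-IS control packets without authentication. The sample text is constructed in the layout shown above, `<mode>` is a placeholder for any configured mode, and the finding names are this example's own.

```python
import re

# Constructed sample in the layout of `show isis interface`.
# "<mode>" stands in for whatever a configured authentication mode prints.
SAMPLE = """\
IS-IS Instance: inst1 VRF: default
Interface Vlan2387:
  Index: 36 SNPA: P2P
  MTU: 1497 Type: point-to-point
  Level 2:
    Metric: 10, Number of adjacencies: 1
    Link-ID: 24
    Authentication mode: None
Interface Ethernet30:
  Index: 36 SNPA: 0:1c:73:c:5:7f
  MTU: 1497 Type: broadcast
  Level 2:
    Metric: 10, Number of adjacencies: 1
    LAN-ID: 3030.3030.3030, Priority: 64
    Authentication mode: <mode>
Interface Vlan20:
  Index: 59 SNPA: 0:1c:73:c:5:7f
  MTU: 1497 Type: broadcast
  Level 2:
    Metric: 10, Number of adjacencies: 0
    Authentication mode: None
Interface Ethernet5:
  Index: 12 SNPA: 0:1c:73:c:5:7f
  MTU: 1497 Type: broadcast
  Level 2:
    Metric: 10, Number of adjacencies: 2
"""


def parse_isis_interfaces(text):
    """Return one record per (interface, level) block in the output."""
    records, intf, itype, rec = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Interface (\S+):$", line):
            intf, itype, rec = m.group(1), None, None
        elif m := re.match(r"MTU: \d+ Type: (\S+)$", line):
            itype = m.group(1)
        elif (m := re.match(r"Level ([12]):$", line)) and intf:
            rec = {"interface": intf, "type": itype, "level": int(m.group(1)),
                   "adjacencies": 0, "auth": None}
            records.append(rec)
        elif rec is not None:
            if m := re.match(r"Metric: \d+, Number of adjacencies: (\d+)$", line):
                rec["adjacencies"] = int(m.group(1))
            elif m := re.match(r"Authentication mode: (.+)$", line):
                rec["auth"] = m.group(1).strip()
    return records


def audit(records):
    """Return (interface, level, finding) tuples for review."""
    findings = []
    for r in records:
        key = (r["interface"], r["level"])
        if r["auth"] is None:
            # Output did not include the line; check the interface manually.
            findings.append((*key, "auth-not-reported"))
        elif r["auth"].lower() == "none":
            if r["adjacencies"]:
                findings.append((*key, "unauthenticated-adjacency"))
            else:
                # No neighbor is expected here: candidate for `isis passive`.
                findings.append((*key, "unauthenticated-no-neighbors"))
    return findings


if __name__ == "__main__":
    for interface, level, finding in audit(parse_isis_interfaces(SAMPLE)):
        print(f"{interface} level-{level}: {finding}")
```

An interface flagged unauthenticated-no-neighbors still needs its prefix advertised in many designs; the isis passive command described earlier keeps the advertisement while stopping the interface from sending or receiving IS-IS control packets.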
The show isis local-convergence-delay command shows the current or last attempt at delaying the convergence of protected routes on a link down/BFD neighbor down event. If the timer aborts for some reason (such as a topology change causing a new SPF), the attempt fails.
switch# show isis local-convergence-delay
IS-IS Instance: inst1 VRF: default
System ID: 1111.1111.1001
IPv4 local convergence delay configured, 5000 msecs
IPv6 local convergence delay configured, 5000 msecs
Level 1 attempts 0, failures 0
Level 2 attempts 3, failures 1
Level 2 in progress due to LINK DOWN on Vlan2138
TI-LFA node protection is enabled for IPv4
IPv4 Routes delayed: 0
Delay timer started at: 2019-07-25 23:16:33
Delay timer expires in 2 secs
TI-LFA protection is disabled for IPv6
Level 2 last attempt due to LINK DOWN on Vlan2138, Succeeded
TI-LFA node protection is enabled for IPv4
IPv4 Routes delayed: 3
Delay timer started at: 2019-07-25 23:14:51
Delay timer stopped at: 2019-07-25 23:14:56
TI-LFA protection is disabled for IPv6
The detail keyword also lists all the routes that have been delayed.
switch# show isis local-convergence-delay detail
...
Level 2 last attempt due to LINK DOWN on Vlan2138, Succeeded
TI-LFA node protection is enabled for IPv4
IPv4 Routes delayed: 3
Delay timer started at: 2019-07-25 23:14:51
Delay timer stopped at: 2019-07-25 23:14:56
Delayed routes:
10.0.7.1/32
10.0.9.1/32
10.0.10.1/32
TI-LFA protection is disabled for IPv6
The show isis neighbors command displays IS-IS neighbor information.
Command Mode
EXEC
Command Syntax
show isis neighbors [INSTANCES] [INFO_LEVEL]
show isis neighbor [INFO_LEVEL] [VRF_INSTANCE]
Example
switch(config)# show isis neighbors
Inst Id System Id Type Interface SNPA State Hold time
10 2222.2222.2222 L2 Vlan20 2:1:0:c:0:0 UP 30
10 1212.1212.1212 L2 Vlan20 2:1:0:d:0:0 UP 9
10 3030.3030.3030 L2 Ethernet30 2:1:0:b:0:0 UP 9
switch(config)#
The show isis network topology command displays a list of all IS-IS devices that are reachable in the network.
Command Mode
EXEC
Command Syntax
show isis network topology
show isis INSTANCES network topology
show isis network topology VRF_INSTANCE
Example
switch# show isis network topology
IS-IS Instance: Osiris VRF: default
IS-IS paths to level-2 routers
System Id Metric IA Metric Next-Hop Interface SNPA
2222.2222.2222 10 0 2222.2222.2222 Ethernet1 P2P
switch>
The show isis segment-routing adjacency-segments command displays the global adjacency SID value and other related information.
Command Mode
EXEC
Command Syntax
show isis segment-routing adjacency-segments
interface Ethernet1
ip address 1.1.1.1/24
ipv6 address 1000::1/64
isis enable isis1
isis network point-to-point
adjacency-segment ipv4 p2p index 1 global
adjacency-segment ipv6 p2p index 2 global
switch# show isis segment-routing adjacency-segments
System ID: 1000.0000.0002 Instance: isis1
SR supported Data-plane: MPLS SR Router ID: 1.1.1.4
Adj-SID allocation mode: SR-adjacencies
Adj-SID allocation pool: Base: 100000 Size: 16384
Adjacency Segment Count: 2
Flag Descriptions: F: Ipv6 address family, B: Backup, V: Value
L: Local, S: Set
Segment Status codes: L1 - Level-1 adjacency, L2 - Level-2 adjacency, P2P -
Point-to-Point adjacency, LAN - Broadcast adjacency
Locally Originated Adjacency Segments
Adj IP Address Local Intf SID SID Source Flags Type
---------------- ---------- ------ ------------- ------------------- -------
1.1.1.2 Et1 1 Configured F:0 B:0 V:0 L:0 S:0 P2P L1
fe80::1:ff:fe65:0 Et1 2 Configured F:1 B:0 V:0 L:0 S:0 P2P L1
Received Global Adjacency Segments
SID Originator Neighbor Flags
--------- -------------------- ---------------- --------------------
0 rtrmpls1 1000.0000.0002 F:0 B:0 V:0 L:0 S:0
switch# show isis segment-routing adjacency-segments | json
{
"vrfs": {
"default": {
"isisInstances": {
"isis1": {
"routerId": "1.1.1.4",
"adjSidPoolSize": 16384,
"receivedGlobalAdjacencySegments": [
{
"systemId": "1000.0000.0001",
"hostname": "rtrmpls1",
"sid": 0,
"flags": {
"s": false,
"b": false,
"v": false,
"f": false,
"l": false
},
"nbrSystemId": "1000.0000.0002"
}
],
"systemId": "1000.0000.0002",
"adjSidAllocationMode": "SrOnly",
"dataPlane": "MPLS",
"adjacencySegments": [
{
"lan": false,
"sidOrigin": "configured",
"flags": {
"s": false,
"b": false,
"v": true,
"f": false,
"l": false
},
"sid": 1,
"localIntf": "Ethernet1",
"ipAddress": "1.1.1.2",
"level": 1
},
{
"lan": false,
"sidOrigin": "configured",
"flags": {
"s": false,
"b": false,
"v": false,
"f": true,
"l": false
},
"sid": 2,
"localIntf": "Ethernet1",
"ipAddress": "fe80::1:ff:fe65:0",
"level": 1
}
],
"adjSidPoolBase": 100000,
"misconfiguredAdjacencySegments": []
}
}
}
}
switch# show isis segment-routing adjacency-segments
...
Locally Originated Adjacency Segments
Adj IP Address Local Intf SID Flags Protection
----------------- ---------- -------- --------------------- ------------
10.1.0.1 Vl2138 100001 F:0 B:1 V:1 L:1 S:0 node
10.1.0.2 Vl2968 100002 F:0 B:1 V:1 L:1 S:0 node with SRLG loose
10.1.0.3 Vl2387 965537 F:0 B:1 V:1 L:1 S:0 node with SRLG strict
Received Global Adjacency Segments
SID Originator Neighbor Flags Protection
--------- -------------------- -------------------- ------------------------- ----------
5 1111.1111.1005 1111.1111.1004 F:0 B:1 V:0 L:0 S:0 node
The show isis segment-routing global-blocks command lists the SRGBs in use by all SR-supporting devices in the IS-IS domain, including the SRGB in use by IS-IS SR on this device.
Command Mode
EXEC
Command Syntax
show isis segment-routing global-blocks
switch# show isis segment-routing global-blocks
System ID: 1111.1111.1002 Instance: inst1
SR supported Data-plane: MPLS SR Router ID: 252.252.2.252
SR Global Block( SRGB ): Base: 900000 Size: 65536
Number of ISIS segment routing capable peers: 3
SystemId Base Size
-------------------- ------------ -----
1111.1111.1002 900000 65536
1111.1111.1001 900000 65536
The show isis segment-routing prefix-segments command provides the details of all prefix segments being originated as well as the segments received from IS-IS SR speakers in the domain.
Command Mode
EXEC
Command Syntax
show isis segment-routing prefix-segments
switch# show isis segment-routing prefix-segments
System ID: 1111.1111.1002 Instance: inst1
SR supported Data-plane: MPLS SR Router ID: 252.252.2.252
Node: 2 Proxy-Node: 2 Prefix: 2 Total Segments: 6
Flag Descriptions: R: Re-advertised, N: Node Segment, P: no-PHP
E: Explicit-NULL, V: Value, L: Local
Segment status codes: * - Self originated Prefix, L1 - level 1, L2 - level 2
Prefix SID Type Flags SystemID Type
--------------------- --------- ----------------------- --------------- -----
1.0.7.1/32 2 Node R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1001 L1
* 1.0.8.1/32 4 Node R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1002 L2
1.0.11.0/24 10 Prefix R:1 N:0 P:0 E:0 V:0 L:0 1111.1111.1001 L2
* 1.0.12.0/24 12 Prefix R:1 N:0 P:0 E:0 V:0 L:0 1111.1111.1002 L2
1.0.15.1/32 18 Proxy-Node R:0 N:0 P:0 E:0 V:0 L:0 1111.1111.1001 L2
1.0.16.1/32 20 Proxy-Node R:0 N:0 P:0 E:0 V:0 L:0 1111.1111.1003 L2
switch# show isis segment-routing prefix-segments
...
Prefix SID Type System ID Level Protection
------------- ----- ------ ... --------------- ------ -----------
* 10.1.1.1/32 0 Node ... 1111.1111.1001 L2 unprotected
10.1.1.2/32 1 Node ... 1111.1111.1002 L2 node with SRLG loose
10.1.1.3/32 4 Node ... 1111.1111.1005 L2 node with SRLG strict
10.1.1.4/32 10 Prefix ... 1111.1111.1004 L1 node
About the Output
After the usual output header showing the system ID, instance name, and other parameters of a router, there is a line of prefix segment counters. Each field in this line gives the number of segments of that kind present in this router's IS-IS instance. For example, the output above shows that this device has 2 Node Segments (self-originated as well as the ones received from other IS-IS SR devices).
The main section of this show command's output lists all the prefix segments and related information: the prefix, SID, type of segment (Prefix, Node, Proxy-Node), the flag values carried in the sub-TLVs of these prefix segments, and the system ID of the originating router. The Type field is useful on an IS type level-1-2 router. It shows whether the installed prefix segment is from a level-1 prefix or a level-2 prefix.
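Added example (not part of the EOS documentation): a prefix or node segment index becomes an MPLS label by adding it to an SRGB base (900000 by default, per the mpls label range command), so the global-blocks and prefix-segments outputs can be cross-checked for indexes that do not fit an advertised SRGB and for one SID assigned to two prefixes. The sample rows follow the layouts shown above; the Size 8 block and the 1.0.17.1/32 row are constructed to trigger findings, and the finding names are this example's own.

```python
import re
from collections import defaultdict

SYSID = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

# Layout of `show isis segment-routing global-blocks`; third row is constructed.
GLOBAL_BLOCKS = """\
SystemId             Base         Size
-------------------- ------------ -----
1111.1111.1002       900000       65536
1111.1111.1001       900000       65536
1111.1111.1003       900000       8
"""

# Layout of `show isis segment-routing prefix-segments`; last row is constructed.
PREFIX_SEGMENTS = """\
  Prefix        SID Type       Flags                   SystemID       Type
  1.0.7.1/32    2   Node       R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1001 L1
* 1.0.8.1/32    4   Node       R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1002 L2
  1.0.11.0/24   10  Prefix     R:1 N:0 P:0 E:0 V:0 L:0 1111.1111.1001 L2
  1.0.16.1/32   20  Proxy-Node R:0 N:0 P:0 E:0 V:0 L:0 1111.1111.1003 L2
  1.0.17.1/32   4   Node       R:0 N:1 P:0 E:0 V:0 L:0 1111.1111.1003 L2
"""

SEG_ROW = re.compile(
    rf"^\s*(\*)?\s*(\S+/\d+)\s+(\d+)\s+(Node|Prefix|Proxy-Node)\s+"
    rf".*?({SYSID})\s+(L[12])\s*$"
)


def parse_global_blocks(text):
    """Return {system_id: (base, size)} from the SystemId/Base/Size rows."""
    blocks = {}
    for line in text.splitlines():
        m = re.match(rf"\s*({SYSID})\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            blocks[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return blocks


def parse_prefix_segments(text):
    """Return one dict per prefix-segment row; '*' marks self-originated."""
    rows = []
    for line in text.splitlines():
        m = SEG_ROW.match(line)
        if m:
            rows.append({"self": bool(m.group(1)), "prefix": m.group(2),
                         "sid": int(m.group(3)), "type": m.group(4),
                         "origin": m.group(5), "level": m.group(6)})
    return rows


def label_for(index, base, size):
    """MPLS label for a SID index in an SRGB, or None if it does not fit."""
    return base + index if 0 <= index < size else None


def label_table(segments, base, size):
    """Labels a router with the given SRGB would use for each prefix."""
    return {s["prefix"]: label_for(s["sid"], base, size) for s in segments}


def audit(blocks, segments):
    """Flag SIDs shared by different prefixes and indexes outside any SRGB."""
    findings = []
    by_sid = defaultdict(set)
    for seg in segments:
        by_sid[seg["sid"]].add(seg["prefix"])
    for sid, prefixes in sorted(by_sid.items()):
        if len(prefixes) > 1:
            findings.append(("duplicate-sid", sid, tuple(sorted(prefixes))))
    for seg in segments:
        for sysid, (base, size) in sorted(blocks.items()):
            if label_for(seg["sid"], base, size) is None:
                findings.append(("index-outside-srgb", seg["sid"],
                                 (seg["prefix"], sysid)))
    return findings


if __name__ == "__main__":
    blocks = parse_global_blocks(GLOBAL_BLOCKS)
    segments = parse_prefix_segments(PREFIX_SEGMENTS)
    print(label_table(segments, *blocks["1111.1111.1002"]))
    for finding in audit(blocks, segments):
        print(finding)
```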
The show isis segment-routing command displays the summary information on IS-IS SR status.
Command Mode
EXEC
Command Syntax
show isis segment-routing
Example
switch(config)# show isis segment-routing
System ID: 1111.1111.1002 Instance: inst1
SR supported Data-plane: MPLS SR Router ID: 252.252.2.252
SR Global Block( SRGB ): Base: 900000 Size: 65536
Adj-SID allocation mode: SR-adjacencies
Adj-SID allocation pool: Base: 100000 Size: 16384
All Prefix Segments have : P:0 E:0 V:0 L:0
All Adjacency Segments have : F:0 B:0 V:1 L:1 S:0
ISIS Reachability Algorithm : SPF (0)
Number of ISIS segment routing capable peers: 3
Self-Originated Segment Statistics:
Node-Segments : 2
Prefix-Segments : 2
Proxy-Node-Segments : 0
Adjacency Segments :
The first line of the output shows the IS-IS system ID of this device and the name of the instance with which IS-IS is configured.
The supported data plane is shown against the SR supported Data-plane field, while the router ID being advertised in the Router Capability is mentioned in the SR Router ID field.
The SRGB in use and the MPLS label pool used for adjacency segment allocation are shown in this output. The Adj-SID allocation mode field shows the current adjacency allocation mode: whether adjacency segments are allocated to all IS-IS adjacencies, only to those adjacencies that support SR, or to none of the adjacencies.
The output also gives the flag contents of all Prefix Segments originated on this router, the flag contents of all Adjacency Segments originated on this router, and the supported IS-IS Reachability Algorithm; these carry the meaning defined in the IS-IS SR IETF draft.
This show command also provides IS-IS SR statistics as counters: the number of IS-IS SR enabled peers and the number of Node-SIDs, prefix-SIDs, proxy-node-segments, and adjacency segments originated on this router in IS-IS.
switch(config-router-isis-sr-mpls)# show isis segment-routing
! IS-IS (Instance: inst1) Segment Routing has been administratively shutdown.
The show isis segment-routing tunnel command displays all the IS-IS SR tunnels. The field TI-LFA tunnel index displays the index of the TI-LFA tunnel protecting the SR tunnel. The same TI-LFA tunnel that protects the LFIB route also protects the corresponding IS-IS SR tunnel.
switch#show isis segment-routing tunnel 10.0.10.1/32
Index Endpoint Nexthop Interface Labels TI-LFA
tunnel index
------ --------------- ----------- ----------- ---------- -------------
4 10.0.10.1/32 10.0.0.2 Vlan2387 [900004] 0
The show isis summary command displays information about the configured IS-IS instances.
Command Mode
EXEC
Command Syntax
show isis summary
show isis [INSTANCES] summary
show isis summary VRF_INSTANCE
Example
switch(config-router-isis-af)# show isis summary
IS-IS Instance: 1 VRF: default
System ID: 0000.0000.0001, administratively enabled
Multi Topology disabled, not attached
IPv4 Preference: Level 1: 115, Level 2: 115
IPv6 Preference: Level 1: 115, Level 2: 115
IS-Type: Level 1 and 2, Number active interfaces: 0
Routes both IPv4 and IPv6
LSP size maximum: Level 1: 9000, Level 2: 9000
Max wait(s) Initial wait(ms) Hold interval(ms)
LSP Generation Interval: 5 50 50
SPF Interval: 2 1000 1000
Current SPF hold interval(ms): Level 1: 1000, Level 2: 1000
Last Level 1 SPF run 1 seconds ago
Last Level 2 SPF run 1 seconds ago
Authentication mode: Level 1: None, Level 2: None
Graceful Restart: Disabled, Graceful Restart Helper: Enabled
Area Addresses:
49.0001
level 1: number dis interfaces: 0, LSDB size: 1
level 2: number dis interfaces: 0, LSDB size: 1
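The Authentication mode line of this output is the quickest place to confirm whether IS-IS PDUs are authenticated at each level. The Python below is an added example, not part of the EOS documentation: it parses show isis summary text and reports every instance and active level whose mode is None. The function names, the second and third sample instances, the "MD5" mode string, and the "IS-Type: Level 2" wording are assumptions.

```python
import re

# Constructed sample. The first instance reuses fields shown on this page;
# the other two instances, the "MD5" mode string and the "Level 2" IS-Type
# wording are invented for contrast.
SAMPLE = """\
IS-IS Instance: 1 VRF: default
  System ID: 0000.0000.0001, administratively enabled
  IPv4 Preference: Level 1: 115, Level 2: 115
  IS-Type: Level 1 and 2, Number active interfaces: 0
  LSP size maximum: Level 1: 9000, Level 2: 9000
  Authentication mode: Level 1: None, Level 2: None
IS-IS Instance: core VRF: default
  System ID: 0000.0000.0002, administratively enabled
  IS-Type: Level 1 and 2, Number active interfaces: 4
  Authentication mode: Level 1: MD5, Level 2: None
IS-IS Instance: edge VRF: red
  System ID: 0000.0000.0003, administratively enabled
  IS-Type: Level 2, Number active interfaces: 2
  Authentication mode: Level 1: None, Level 2: MD5
"""

INSTANCE_RE = re.compile(r"^\s*IS-IS Instance:\s*(\S+)\s+VRF:\s*(\S+)")
IS_TYPE_RE = re.compile(r"^\s*IS-Type:\s*([^,]+)")
AUTH_LINE_RE = re.compile(r"^\s*Authentication mode:(.*)$")
LEVEL_MODE_RE = re.compile(r"Level\s+([12]):\s*([^,\s]+)")


def parse_isis_summary(text):
    """Return one dict per IS-IS instance found in 'show isis summary' text."""
    instances, current = [], None
    for line in text.splitlines():
        m = INSTANCE_RE.match(line)
        if m:
            current = {"instance": m.group(1), "vrf": m.group(2),
                       "levels": set(), "auth": {}}
            instances.append(current)
            continue
        if current is None:
            continue  # banner or prompt lines before the first instance
        m = IS_TYPE_RE.match(line)
        if m:
            # "Level 1 and 2" -> {1, 2}; only the text before the comma is read.
            current["levels"] = {int(d) for d in re.findall(r"[12]", m.group(1))}
            continue
        m = AUTH_LINE_RE.match(line)
        if m:
            # Only this line is read for modes, so the Preference and
            # LSP-size lines (same "Level N:" shape) cannot be mistaken for it.
            for level, mode in LEVEL_MODE_RE.findall(m.group(1)):
                current["auth"][int(level)] = mode
    return instances


def unauthenticated_levels(text):
    """List (instance, vrf, level) for each active level with no authentication."""
    findings = []
    for inst in parse_isis_summary(text):
        # If the IS-Type line is missing, check both levels rather than none.
        levels = inst["levels"] or {1, 2}
        for level in sorted(levels):
            mode = inst["auth"].get(level)
            if mode is None or mode.lower() == "none":
                findings.append((inst["instance"], inst["vrf"], level))
    return findings


if __name__ == "__main__":
    for instance, vrf, level in unauthenticated_levels(SAMPLE):
        print(f"instance {instance} (VRF {vrf}): level {level} has no authentication")
```

A level that the instance does not run (level 1 on the constructed "edge" instance) is not reported, which keeps the result limited to adjacencies that can actually form.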
The show isis ti-lfa path command displays the repair path with the list of all the system IDs from the P-node to the Q-node for every destination/constraint tuple. Even though node protection is configured, a link-protecting LFA is computed too. This allows a fall back to link-protecting LFAs if the node-protecting LFA becomes unavailable.
switch#show isis ti-lfa path 1111.1111.1005
TI-LFA paths for IPv4 address family
Topo-id: Level-2
Destination Constraint Path
1111.1111.1005 exclude node 1111.1111.1002 1111.1111.1003
1111.1111.1004
exclude Vlan2387 1111.1111.1002
SRLG strict
switch#show isis ti-lfa path 10.10.10.1/32
TI-LFA paths for IPv4 address family
Topo-id: Level-1
Destination Constraint Path
--------------- ---------------------------- --------------
10.10.10.1/32 exclude Vlan2387 1111.1111.1002
1111.1111.1003
exclude node 1111.1111.1004 1111.1111.1002
SRLG strict 1111.1111.1003
The TI-LFA repair tunnels are just internal constructs that are shared by multiple LFIB routes that compute similar repair paths. The show isis ti-lfa tunnel command displays TI-LFA repair tunnels with the primary and backup via information.
switch#show isis ti-lfa tunnel 1
Tunnel Index 1
via 10.0.1.2, 'Vlan2968'
label stack 3
backup via 10.0.0.2, 'Vlan2387'
label stack 900004 900002
The show tunnel fib command, which displays the tunnels programmed in the tunnel FIB, also includes the TI-LFA tunnels along with the protected IS-IS SR tunnels.
switch#show tunnel fib ti-lfa 1
Type 'TI-LFA', index 1, forwarding None
via 10.0.1.2, 'Vlan2968'
label stack 3
backup via 10.0.0.2, 'Vlan2387'
label stack 900004 900002
switch#show tunnel fib isis segment-routing
Type 'IS-IS SR', index 1, endpoint 2002::b00:201/128, forwarding Primary
via TI-LFA tunnel index 3 label 3
via fe80::200:76ff:fe01:0, 'Ethernet30/1' label 900002
backup via fe80::200:76ff:fe03:0, 'Ethernet26/1' label 132769
Type 'IS-IS SR', index 2, endpoint 2002::b00:101/128, forwarding Primary
via TI-LFA tunnel index 4 label 3
via fe80::200:76ff:fe01:0, 'Ethernet30/1' label 3
backup via fe80::200:76ff:fe03:0, 'Ethernet26/1' label 132769 900001
The show mpls label ranges command displays the MPLS label ranges available on a router. The label space is categorized into different pools that cater to different applications running on the router.
Command Mode
EXEC
Command Syntax
show mpls label ranges
switch# show mpls label ranges
Start End Size Usage
-----------------------------------------
0 15 16 reserved
16 99999 99984 static mpls
100000 116383 16384 isis (dynamic)
116384 362143 245760 free (dynamic)
362144 899999 537856 unassigned
900000 965535 65536 isis-sr
The show mpls lfib route command displays the LFIB information for a specified route or for all routes. The source column depicts the MPLS control plane protocol that is responsible for the label binding that resulted in this LFIB route.
Command Mode
EXEC
Command Syntax
show mpls lfib route [label_num]
switch# show mpls lfib route
MPLS forwarding table (Label [metric] Vias) - 7 routes
MPLS next-hop resolution allow default route: False
Via Type Codes:
M - Mpls Via, P - Pseudowire Via,
I - IP Lookup Via, V - Vlan Via,
VA - EVPN Vlan Aware Via, ES - EVPN Ethernet Segment Via,
VF - EVPN Vlan Flood Via, AF - EVPN Vlan Aware Flood Via,
NG - Nexthop Group Via
Source Codes:
S - Static MPLS Route, B2 - BGP L2 EVPN,
B3 - BGP L3 VPN, R - RSVP,
P - Pseudowire, L - LDP,
IP - IS-IS SR Prefix Segment, IA - IS-IS SR Adjacency Segment,
IL - IS-IS SR Segment to LDP, LI - LDP to IS-IS SR Segment,
BL - BGP LU, ST - SR TE Policy,
DE - Debug LFIB
IA 100000 [1]
via M, 1.0.1.2, pop
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
IA 100001 [1]
via M, fe80::200:eff:fe02:0, pop
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
IP 900008 [1]
via M, 1.0.1.2, swap 900008
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
IP 900009 [1]
via M, fe80::200:eff:fe02:0, swap 900009
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
switch#
switch# show mpls lfib route 900008
MPLS forwarding table (Label [metric] Vias) - 7 routes
MPLS next-hop resolution allow default route: False
Via Type Codes:
M - Mpls Via, P - Pseudowire Via,
I - IP Lookup Via, V - Vlan Via,
VA - EVPN Vlan Aware Via, ES - EVPN Ethernet Segment Via,
VF - EVPN Vlan Flood Via, AF - EVPN Vlan Aware Flood Via,
NG - Nexthop Group Via
Source Codes:
S - Static MPLS Route, B2 - BGP L2 EVPN,
B3 - BGP L3 VPN, R - RSVP,
P - Pseudowire, L - LDP,
IP - IS-IS SR Prefix Segment, IA - IS-IS SR Adjacency Segment,
IL - IS-IS SR Segment to LDP, LI - LDP to IS-IS SR Segment,
BL - BGP LU, ST - SR TE Policy,
DE - Debug LFIB
IP 900008 [1]
via M, 1.0.1.2, swap 900008
payload autoDecide, ttlMode uniform, apply egress-acl
interface Vlan2930
switch#
The show mpls segment-routing bindings command displays the local label bindings and label bindings on the peer routers for each prefix that has a segment advertised. Peer ID here represents the IS-IS system ID of the peer.
Command Mode
EXEC
Command Syntax
show mpls segment-routing bindings
switch# show mpls segment-routing bindings
1.0.7.1/32
Local binding: Label: 900002
Remote binding: Peer ID: 1111.1111.1001, Label: imp-null
Remote binding: Peer ID: 1111.1111.1003, Label: 900002
1.0.8.1/32
Local binding: Label: imp-null
Remote binding: Peer ID: 1111.1111.1001, Label: 900004
Remote binding: Peer ID: 1111.1111.1003, Label: 900004
1.0.9.1/32
Local binding: Label: 900006
Remote binding: Peer ID: 1111.1111.1001, Label: 900006
Remote binding: Peer ID: 1111.1111.1003, Label: imp-null
The shutdown command disables IS-IS on the switch without modifying the IS-IS configuration.
The no shutdown and default shutdown commands enable the IS-IS instance by removing the shutdown command from running-config.
Command Mode
Router-IS-IS Configuration
Command Syntax
shutdown
no shutdown
default shutdown
switch(config)# router isis Osiris
switch(config-router-isis)# shutdown
switch(config-router-isis)#
switch(config)# router isis Osiris
switch(config-router-isis)# no shutdown
switch(config-router-isis)#
The shutdown and default shutdown commands administratively disable IS-IS SR on the switch without modifying the IS-IS SR configuration.
The no shutdown command enables IS-IS SR.
Command Mode
Segment-Routing MPLS Configuration
Command Syntax
shutdown
no shutdown
default shutdown
switch(config)# router isis Osiris
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# shutdown
switch(config-router-isis-sr-mpls)#
switch(config)# router isis Osiris
switch(config-router-isis)# segment-routing mpls
switch(config-router-isis-sr-mpls)# no shutdown
switch(config-router-isis-sr-mpls)#
The spf-interval command sets the Shortest Path First (SPF) timer that defines the interval between IS-IS path calculations. The default value is two seconds.
This command also configures the maximum wait interval between any two SPF runs, initial wait interval before executing the first SPF computation, and the hold time between the first and second SPF runs.
The no spf-interval and default spf-interval commands restore the default maximum IS-IS path calculation interval to two seconds by removing the spf-interval command from running-config.
For information about viewing SPF interval values, see Displaying IS-IS Instance Information.
Command Mode
Router-IS-IS Configuration
Command Syntax
spf-interval max-wait [initial-wait | hold-time]
no spf-interval
default spf-interval
Guidelines
EOS does not support configuring topology-specific SPF timers in multi-topology deployments and IS-IS level-specific SPF timers.
Examples
switch(config)# router isis Osiris
switch(config-router-isis)# spf-interval 50
switch(config)# router isis inst1
switch(config-router-isis)# spf-interval 20 10000 5000
switch(config)# router isis Osiris
switch(config-router-isis)# no spf-interval
The Point of Local Repair (PLR) switches to the TI-LFA backup path on link failure or BFD neighbor failure but switches back to the post-convergence path once the PLR computes SPF and updates its LFIB. This sequence of events can lead to micro-loops in the topology if the PLR converges faster than other routers along the post-convergence path. So a configuration option is provided to apply a delay, after which the LFIB route being protected by the TI-LFA loop-free repair path will be replaced by the post-convergence LFIB route.
Command Mode
IS-IS address-family sub-mode
Command Syntax
timers local-convergence-delay [delay_in_seconds] protected-prefixes
Border Gateway Protocol (BGP) exchanges routing information among neighboring routers in different Autonomous Systems (AS). Arista switches use BGP version 4+, incorporating the multiprotocol extensions defined by RFC 4760 so that BGP can carry both IPv4 and IPv6 routes simultaneously over a single BGP peering.
BGP is a protocol that exchanges routing information among neighboring routers in different autonomous systems through TCP sessions.
BGP neighbors (peers) communicate through a TCP session on port 179. They are established by manual configuration commands (static peers) or by creating a peer group listen range and accepting incoming peering requests in that range (dynamic peers). Internal BGP (iBGP) peers operate within a single Autonomous System (AS). External BGP (eBGP) peers operate between autonomous systems. Border routers are on AS boundaries and exchange information with other autonomous systems; the primary function of border routers is distributing routes. Internal routers do not distribute route updates that they receive.
During established BGP sessions, routers exchange UPDATE messages about the destinations to which they offer connectivity. The route description includes the destination prefix, prefix length, autonomous systems in the path, the next hop, and information that affects the acceptance policy of the receiving router. UPDATE messages also list destinations to which the router no longer offers connectivity.
BGP detects and eliminates routing loops while making routing policy decisions by using the network topology as defined by AS paths and path attributes.
Multiprotocol BGP facilitates the advertisement of network routes and switch capabilities to neighbors from multiple address families over a single BGP peering. The switch supports IPv4 unicast and IPv6 unicast address families.
BGP confederations divide an Autonomous System (AS) into subsystems (sub-ASs), each identified by a unique sub-AS number, while still appearing externally as a single AS.
To help prevent BGP sessions from being affected by dropped neighbor discovery and ARP packets, some Arista switches assign those packets to a higher priority output queue when they are being software forwarded. This helps minimize hardware drops caused by competition with data plane packets during traffic congestion.
Routing information received via the BGP protocol often contains more than one route to the same destination: the BGP best-path selection algorithm determines which of these routes will be installed in the routing table. Criteria are evaluated in order; at each step, if there is a tie for best path the next criterion is applied. If there is still a tie at the end of the process, BGP installs the route received from the peer with the lowest address. When Equal Cost Multi Path (ECMP) routing is enabled, multiple paths to a single destination may be installed in the IP routing table.
Route preferences can be shaped through configuration choices as described in Configuring Best-path Selection.
BGP supports convergence where it waits for all peers to join and receive all the routes from other peers.
Before declaring convergence, BGP also waits for IGP protocols to converge so that all IBGP sessions are established and routes that were learned over IBGP sessions are resolved via the IGP routes. BGP declares convergence when it has received route updates from all its peers and End-Of-RIB (EOR) markers from all the expected peers, and the IGP protocols have converged. Using BGP convergence, you can avoid hardware updates or route advertisement churn during a switch reload or a BGP instance start.
Autonomous System Boundary Routers (ASBRs) do not update all paths received from external BGP sessions and routers. They hide inefficient alternate paths and update only best paths in the routing table. BGP route policies are applied to all internal BGP sessions of ASBRs that support the graceful shutdown procedure.
Refer to Maintenance Mode for detailed information on maintenance mode.
BGP Labeled-Unicast Protocol (BGP LU) path next-hop resolution is enhanced so that BGP in ribd mode can resolve a BGP LU path next-hop over entries in the Tunnel RIB, falling back to resolving over a connected route when no entry in the Tunnel RIB provides a direct match for the BGP LU path next-hop. Previously, BGP in ribd mode allowed resolution of a BGP LU path next-hop over connected routes only. Resolution of the next-hop over IGP or static routes was not allowed because the next-hop router (per the IGP) may not be in the MPLS forwarding path, in which case it would drop the traffic.
Egress Peer Engineering (EPE) is a source-routing paradigm that provides the ability to select an egress node or interface through which traffic leaves an Autonomous System (AS). As shown in Figure 1 below, R1, R2, ASBR1, and ASBR2 are in AS 1, and E1, E2, E3, and E4 are in different ASes. R1, R2, ASBR1, and ASBR2 could be directly connected to each other or reachable to each other over an IGP (OSPF/ISIS) or an MPLS tunnel. Assume that the loop-back addresses 1.1.1.1, 2.2.2.2, 3.3.3.3, and 4.4.4.4 are reachable through LDP or Segment Routing (SR). There is an iBGP full mesh between R1, R2, ASBR1, and ASBR2. eBGP sessions are present between ASBR1 and E1, ASBR1 and E2, ASBR2 and E3, and ASBR2 and E4. Consider that the following BGP updates are received on ASBR1:
Prefix 50.0.0.0/8 next-hop 10.0.0.2 as-path 2 100 from E1.
Prefix 50.0.0.0/8 next-hop 11.0.0.2 as-path 3 200 300 from E2.
The BGP path from E1 is selected as the best path because of its shorter AS path length. ASBR1 advertises this prefix to both R1 and R2. Any traffic destined to prefix 50.0.0.0/8 from R1 is always tunneled to ASBR1 and then always sent on the interface connected to E1. Traditional destination-based routing, enforced by BGP policy and best-path selection on the ASBRs, may route traffic to a single AS as the exit even when, for some prefixes, an exit via some other AS may be preferable. BGP LU can be used here to perform traffic engineering, that is, to select the egress peer through which traffic should be forwarded.
A centralized EPE controller can be used to establish iBGP sessions with R1 and R2. Assume the controller advertises to R1 and R2 a BGP LU route for E2, that is, 11.0.0.2/32, with the next-hop set to the loop-back IP address of ASBR1, that is, 1.1.1.1, and a label of 111.
switch# show ip bgp 11.0.0.2/32
BGP routing table information for VRF default
Router identifier 3.3.3.3, local AS number 1
BGP routing table entry for 11.0.0.2/32
Paths: 1 available
Local
1.1.1.1 labels [111] from 100.100.100.1 (100.100.100.1)
Origin IGP, metric 0, localpref 100, IGP metric 40, weight 0, received
21:07:07 ago, valid, external, not installed
Rx SAFI: Labels
Tunnel RIB eligible
The BGP LU path next-hop is resolved over an ISIS SR tunnel present on R1 and R2 to reach 1.1.1.1, the loop-back IP address of ASBR1.
switch# show tunnel rib brief
Endpoint Tunnel Type Index(es) Metric Metric2 Preference Preference2
----------- ------------ --------- ------- ------- ----------- -----------
1.1.1.1/32 IS-IS SR IPv4 5 40 0 115 0
switch#show bgp labeled-unicast tunnel
Index Endpoint Nexthop/Tunnel Index Interface Labels Contributing Metric
----- -------- -------------------- --------- ------ ------------ ------
1 11.0.0.2/32 IS-IS SR IPv4 (5) - [ 111 ] Yes 0
Metric 2 Pref Pref 2
-------- ---- ------
100 200 0
switch#show isis segment-routing tunnel
Index Endpoint Nexthop Interface Labels
-------- ---------- ------- --------- ----------
5 1.1.1.1/32 6.6.6.6 Ethernet 5 [ 900001 ]
The controller or the CLI can be used to install a static label route on ASBR1 such that ingress label 111 has a forwarding action of “POP and forward” to the next-hop (11.0.0.2) in the MPLS forwarding table.
switch# show mpls lfib route
MPLS forwarding table (Label [metric] Vias) - 20 routes
MPLS next-hop resolution allow default route: False
Via Type Codes:
M - Mpls Via, P - Pseudowire Via,
I - IP Lookup Via, V - Vlan Via,
VA - EVPN Vlan Aware Via, ES - EVPN Ethernet Segment Via,
VF - EVPN Vlan Flood Via, AF - EVPN Vlan Aware Flood Via,
NG - Nexthop Group Via
Source Codes:
S - Static MPLS Route, B2 - BGP L2 EVPN,
B3 - BGP L3 VPN, R - RSVP,
P - Pseudowire, L - LDP,
IP - IS-IS SR Prefix Segment, IA - IS-IS SR Adjacency Segment,
IL - IS-IS SR Segment to LDP, LI - LDP to IS-IS SR Segment,
BL - BGP LU, ST - SR TE Policy,
DE - Debug LFIB
S 111 [100]
via M, 11.0.0.2, pop
payload ipv4, apply egress-acl
interface Ethernet 4
For prefixes whose traffic should be sent over the interface connected to E2, the controller advertises a BGP route whose next-hop is the BGP LU prefix and whose local-preference is higher than that of the paths advertised by ASBR1 and ASBR2, so that the path received from the controller is preferred over the paths coming from ASBR1 and ASBR2.
switch# show ip bgp 50.0.0.0/8
BGP routing table information for VRF default
Router identifier 3.3.3.3, local AS number 1
BGP routing table entry for 50.0.0.0/8
Paths: 3 available
Local
11.0.0.2 from 100.100.100.1 (100.100.100.1)
Origin IGP, metric 0, localpref 200, IGP metric 0, weight 0, received 00:00:15
ago, valid, internal, best
Rx SAFI: Unicast
2 100
1.1.1.1 from 1.1.1.1 (1.1.1.1)
Origin IGP, metric 0, localpref 100, IGP metric 0, weight 0, received 00:04:49
ago, valid, internal
Rx SAFI: Unicast
2 200 300
2.2.2.2 from 2.2.2.2 (2.2.2.2)
Origin IGP, metric 0, localpref 100, IGP metric 0, weight 0, received 00:30:38
ago, valid, internal
Rx SAFI: Unicast
This results in R1 pushing two labels: the top label corresponds to the ISIS SR tunnel to reach ASBR1, and the bottom label corresponds to the egress interface. Similarly, an LU route for 12.0.0.2 or 13.0.0.2 can be advertised from the controller to select the egress peer between E3 and E4. This approach provides egress peer selection on an ingress router (R1 or R2).
switch# show ip route 50.0.0.0/8
VRF: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
B I 50.0.0.0/8 [200/0] via 11.0.0.2/32, BGP LU tunnel index 1
via 6.6.6.6, Ethernet 5, label 900001 111
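The walk-through above can be followed end to end in code. The Python below is an added example, not Arista code: it takes the values from the show outputs in this section, picks the best path for 50.0.0.0/8, resolves its next-hop over the BGP LU tunnel and the underlying IS-IS SR tunnel, and looks up the bottom label in ASBR1's LFIB. The function and table names are assumptions, and best-path selection is reduced to three criteria.

```python
from collections import namedtuple
from ipaddress import ip_address

Path = namedtuple("Path", "next_hop peer local_pref as_path")

# R1's three paths for 50.0.0.0/8, taken from "show ip bgp 50.0.0.0/8".
PATHS_50 = [
    Path("11.0.0.2", "100.100.100.1", 200, ()),        # from the controller
    Path("1.1.1.1", "1.1.1.1", 100, (2, 100)),         # from ASBR1
    Path("2.2.2.2", "2.2.2.2", 100, (2, 200, 300)),    # from 2.2.2.2
]

# "show bgp labeled-unicast tunnel": index 1 rides IS-IS SR tunnel 5, label 111.
BGP_LU_TUNNELS = {1: {"endpoint": "11.0.0.2", "via_sr_tunnel": 5, "labels": [111]}}

# "show isis segment-routing tunnel": index 5 reaches ASBR1's loop-back.
ISIS_SR_TUNNELS = {5: {"endpoint": "1.1.1.1", "next_hop": "6.6.6.6",
                       "interface": "Ethernet 5", "labels": [900001]}}

# ASBR1's static LFIB entry for label 111, from "show mpls lfib route".
ASBR1_LFIB = {111: {"action": "pop", "next_hop": "11.0.0.2",
                    "interface": "Ethernet 4"}}


def best_path(paths):
    """Simplified best-path selection: highest local-preference, then
    shortest AS path, then lowest peer address. Other criteria are omitted."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path),
                                     int(ip_address(p.peer))))


def resolve_over_lu(next_hop):
    """Resolve a BGP next-hop over a BGP LU tunnel and its IS-IS SR tunnel."""
    for index, lu in BGP_LU_TUNNELS.items():
        if lu["endpoint"] == next_hop:
            sr = ISIS_SR_TUNNELS[lu["via_sr_tunnel"]]
            return {
                "lu_tunnel": index,
                "next_hop": sr["next_hop"],
                "interface": sr["interface"],
                # Transport label on top, egress-selecting label at the bottom.
                "labels": sr["labels"] + lu["labels"],
            }
    raise LookupError(f"no BGP LU tunnel for next-hop {next_hop}")


def egress_at_asbr1(label_stack):
    """Egress chosen by ASBR1 from the bottom label. The transport label is
    assumed to have been removed on the way to, or at, ASBR1."""
    entry = ASBR1_LFIB[label_stack[-1]]
    return entry["next_hop"], entry["interface"]


def forward_50(paths=PATHS_50):
    """Forwarding entry R1 installs for 50.0.0.0/8 in this model."""
    return resolve_over_lu(best_path(paths).next_hop)


if __name__ == "__main__":
    fwd = forward_50()
    print("R1 :", fwd["next_hop"], fwd["interface"], "labels", fwd["labels"])
    print("ASBR1 egress:", egress_at_asbr1(fwd["labels"]))
```

With the controller's path removed from the input, the same selection falls back to the path via 1.1.1.1, which is the behaviour the section describes for traffic before EPE is applied.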
Inter-AS Option C is an efficient and scalable MPLS IP VPN solution that provides connectivity between two sites of a customer connected to Provider Edge (PE) routers in different ASes. The following diagram shows a typical topology.
PE1 and ASBR1, and PE2 and ASBR2, distribute loop-back addresses using an IBGP Labeled Unicast (LU) session. ASBR2 advertises system addresses in AS200 to ASBR1, with itself as next-hop, over the EBGP LU session between them, and installs in its MPLS forwarding table a label swap entry from the label sent to ASBR1 (L2) to the label received from PE2 (L1). ASBR1 further propagates the system addresses in AS200 learned from ASBR2 into AS100 or to PE1 using an IBGP LU session with itself as next-hop, and installs in its MPLS forwarding table a label swap entry from the label advertised to PE1 (L3) to the label received from ASBR2 (L2). Similarly, ASBR1 sends system addresses in AS100 to ASBR2 over the EBGP LU session, and ASBR2 forwards them into AS200 or to PE2 using an IBGP LU session with itself as next-hop, which triggers the installation of the appropriate label swap actions in the MPLS forwarding table. These advertisements result in the creation of a label switched path from PE1 to PE2.
PE1 and PE2 exchange VPN routes with each other using a multi-hop EBGP session, with the next-hop being their own loop-back/system addresses. This method eliminates the requirement of storing, sending, or receiving VPN routes at the ASBR routers. When the PE and ASBR routers are non-adjacent but in the same AS, LDP or ISIS-SR can be used as the transport label signaling protocol, which requires resolving the BGP LU path next-hop over an LDP or ISIS-SR tunnel. When an IP packet destined to an address in CE1 site 2 is received on PE1 from CE1 site 1, PE1 needs to push 3 labels onto it. The bottom label corresponds to the packet destination address in a particular VRF of CE1 site 2, advertised by PE2 to PE1 over the multi-hop EBGP session; the middle label belongs to the PE2 system address sent by ASBR1; and the top label corresponds to the ASBR1 system address, assigned by the transport label signaling protocol.
BGP Selective Route Download allows the learning and advertising of BGP routes without installing them in hardware. The BGP routes are filtered before installation in hardware through the route map definition and routes that are filtered out are flagged as inactive in the Routing Information Base (RIB).
The route map used for filtering is applied only to BGP learned paths and not on locally originated routes, for example, BGP aggregate or redistributed routes. Also, because the BGP routes filtered by Selective Route Download are not active in the RIB, they are not used for recursive resolution, they are not redistributed into other protocols, and they do not contribute to BGP aggregates.
When BGP Selective Route Download is configured, the best path for peer advertisement is chosen based on the following aspects. If received BGP paths exist, then the best of them is advertised to BGP peers, else, the aggregate is preferred if configured and active. If neither BGP paths nor a BGP aggregate is available, then the RIB winner is advertised.
A BGP route reflector is a switch within an autonomous system that forwards route information learned from iBGP peers to other iBGP peers as an alternative to a full-mesh topology. When the switch is configured as a route reflector it can also be configured to preserve the BGP attributes of the reflected routes (next-hop, local preference, and metric) in its route advertisements regardless of outbound BGP policies.
Adds the BGP Nexthop Resolution RIBs feature for EVPN and labeled-unicast address families.
BGP Nexthop Resolution RIBs: EVPN and IPV4/6 Labeled-Unicast Support adds support for user-configured BGP Nexthop Resolution RIB profiles for various BGP-based services such as IP unicast, L3 VPN, EVPN, etc. This feature allows an administrator to customize the next hop resolution semantics of BGP routes with an ordered list, or profile, of resolution RIB domains (for example, either tunnel or IP domain). This allows EOS to direct specific services over the specified RIB domains, overriding the default behavior. Further, through the use of user-defined tunnel RIBs, this feature lets an administrator select a subset of tunneling protocols for specific services.
For IPv4 or IPv6 unicast NLRI received from eBGP, directly connected BGP sessions are resolved by only using connected routes, or system-connected, in the parlance of this feature. This feature does not change this behavior, nor will configuration of a non-default resolution profile affect this behavior.
Address family | Restriction |
IPv4/IPv6 unicast (non 6PE) | None. |
IPv6 unicast 6PE | Only supports tunnel domains*. |
IPv4/IPv6 unicast (eBGP directly connected) | Only supports system-connected; Not configurable. |
IPv4/IPv6 VPN | Only supports tunnel domains* and system-connected. |
IPv4/IPv6 LU | Only supports tunnel domains* and system-connected. |
EVPN (MPLS) | Only supports tunnel domains* and system-connected. |
EVPN (VXLAN) | Only supports IP domains+. |
* Tunnel domains refer to tunnel RIBs, e.g. system-colored-tunnel-rib, system-tunnel-rib, or user-defined tunnel RIBs.
+ IP domains are either of system-unicast-rib or system-connected.
In the multi-agent routing protocol model, the BGP agent now supports matching community lists with a logical OR via the route map match community or-results command (same applies for extended and large communities with match extcommunity and match large-community).
Without the or-results portion of the command, the default is to compute the logical AND of all provided community lists. Before, one would need to merge existing community lists into one to do a logical OR:
ip community-list COMMLIST1 permit 1:1
ip community-list COMMLIST2 permit 2:2
! No way to match "COMMLIST1" or "COMMLIST2" in a single
! route-map sequence
match community COMMLIST1 COMMLIST2
ip community-list standard mergedCommunityList permit 1:1
ip community-list standard mergedCommunityList permit 2:2
match community mergedCommunityList
This feature is available only when configuring BGP in the multi-agent routing protocol model.
The EOS Release 4.21.3F introduces support for BGP Flowspec, as defined in RFC5575 and RFC7674. The typical use case is to filter or redirect DDoS traffic on edge routers.
BGP Flowspec rules are disseminated using a new BGP address family. The rules include both matching criteria used to match traffic, and actions to perform on the matching traffic. The rules are programmed into TCAM resources and applied on the ingress ports for which flowspec is enabled.
Added support for hitless rule updates. This enhancement ensures that persistent filtering rules are always active while other filtering rules are updated (example: rules are published or withdrawn by a BGP peer).
Added support for configuring BGP Flowspec on subinterfaces. To enable subinterface support, the TCAM profile of the flow-spec feature must include port qualifier size 3 bits (see Flowspec TCAM Profile and Flowspec Policer TCAM Profile below).
Removed EOS Release 4.23.1 limitation to best effort programming.
To redirect to a nexthop, IP RIB must have a route to resolve the specified nexthop. When redirecting to a VRF, a default route for the VRF must be configured and traffic is sent to the nexthop for the default route in this VRF.
EOS adds support to use large community lists in the set large community route map set clause.
The Support for Set Large Community List feature allows a large community list to be shared between a number of route maps. Changes to the large community list then affect all route-maps which use this list. This makes applying the same policy change to different inbound and outbound communication easier.
Properties of large communities and how to create large community lists are not covered, as those are described here.
The following commands have been added to route map configuration:
set large-community large-community-list LIST1 [LIST2][additive | delete]
no set large-community large-community-list LIST1 [LIST2][additive | delete]
default set large-community large-community-list LIST1 [LIST2][additive | delete]
The following command replaces the large community value with the contents of the permit sequences of the specified large community list. More than one large community list can be specified in the set clause; in that case, the community values in the permit sequences of the lists are concatenated and applied in the set clause.
set large-community large-community-list LIST1 [LIST2]
no set large-community large-community-list LIST1 [LIST2]
default set large-community large-community-list LIST1 [LIST2]
The following command works similarly to the prior command, however, it does not replace communities already set on a route; it concatenates the community values with the values specified in the list. Duplicate communities are only shown once.
default set large-community large-community-list LIST1 [LIST2][additive]
set large-community large-community-list LIST1 [LIST2][additive]
no set large-community large-community-list LIST1 [LIST2][additive]
In the following command, the delete keyword is used. The delete keyword specifies that any large community values in the input matching any of the large community values (or large community value regular expressions) in the specified large community lists are removed.
default set large-community large-community-list LIST1 [LIST2][delete]
set large-community large-community-list LIST1 [LIST2][delete]
no set large-community large-community-list LIST1 [LIST2][delete]
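The three forms of the set clause described above differ only in how the list contents combine with the communities already on the route. The Python below is an added model of those semantics as this section states them, not EOS code: the function names, the tuple layout of a list entry, and the sample values are assumptions, as is the choice to ignore deny sequences and to treat regular expressions as usable only for delete.

```python
import re

# A large community list is modelled as an ordered list of
# (action, kind, pattern) entries; kind is "value" or "regex".
# All values below are constructed for the example.
LIST1 = [
    ("permit", "value", "64512:100:1"),
    ("deny",   "value", "64512:100:2"),
    ("permit", "value", "64512:1:1"),
]
LIST2 = [("permit", "value", "64512:200:1")]
DROP = [
    ("permit", "regex", r"^64512:\d+:7$"),
    ("permit", "value", "64513:9:9"),
]


def permit_values(lists):
    """Concatenate the literal values of the permit sequences, list by list,
    keeping each value once."""
    values = []
    for entries in lists:
        for action, kind, pattern in entries:
            if action == "permit" and kind == "value" and pattern not in values:
                values.append(pattern)
    return values


def matches_any(value, lists):
    """True if value equals a permitted value or matches a permitted regex."""
    for entries in lists:
        for action, kind, pattern in entries:
            if action != "permit":
                continue
            if kind == "value" and value == pattern:
                return True
            if kind == "regex" and re.search(pattern, value):
                return True
    return False


def set_large_community(current, lists, mode="replace"):
    """Return the route's large communities after the set clause is applied.

    replace  : the route carries exactly the permit values of the lists
    additive : permit values are appended to what the route already has,
               duplicates shown once
    delete   : communities on the route that match the lists are removed
    """
    if mode == "replace":
        return permit_values(lists)
    if mode == "additive":
        result = list(dict.fromkeys(current))  # de-duplicate, keep order
        for value in permit_values(lists):
            if value not in result:
                result.append(value)
        return result
    if mode == "delete":
        return [value for value in current if not matches_any(value, lists)]
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    route = ["64512:1:1", "64512:2:7", "64513:9:9"]
    print("replace :", set_large_community(route, [LIST1, LIST2]))
    print("additive:", set_large_community(route, [LIST1, LIST2], "additive"))
    print("delete  :", set_large_community(route, [DROP], "delete"))
```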
Apply the following command to each neighbor to which large communities are to be sent; otherwise they are not sent.
neighbor x.x.x.x send-community large
Use the following command to show information about all of the configured route maps.
show route-map
switch# show route-map
route-map rm1 permit 10
Description:
Match clauses:
SubRouteMap:
Set clauses:
set large-community large-community-list lgl1 lgl2
BGP Add-Path TX, or send, allows a BGP speaker to advertise multiple paths (instead of a single best-path) for a prefix towards a peering BGP speaker. BGP Add-Path increases path diversity in a network. It provides fast traffic restoration and efficient link usage through multipathing. It can also be used as a monitoring solution that exposes eligible paths to a monitoring or receiving Add-Path speaker.
Without Add-Path, a sending speaker only sends the best-path for a prefix and a receiving speaker collects all best-path announcements from its peers. The receiving speaker uses only the peer’s address to identify the path.
With Add-Path, the sending speaker can potentially send multiple paths to a peer using distinct path IDs, and the receiver can use these path IDs to distinguish the multiple paths coming from the same sender.
In a symmetric network topology, for the same Equal Cost Multi-Path (ECMP) route programmed at different devices in a switch layer, the various devices can program ECMP next-hops in the Forwarding Equivalence Class (FEC) for that route in varying orders. This could result in inconsistent hashing of traffic for those destination routes at the same layer of switches in the network, which could be undesired behavior for certain classes of applications. Ordered FEC is an approach that orders the next hops in the FEC of a route based on a network-wide device identifier for each next-hop, resulting in consistent ordering of next hops in the FEC for a route across all switches in a layer.
A BGP router-id can be used as a unique network-wide device identifier and BGP paths received from various peers for a BGP ECMP route can have their paths and subsequently, next-hops sorted based on the corresponding peer’s router-id. Ordered Next Hops in the FEC feature would use the BGP router-id to achieve a consistent ordering of next hops in the FEC for a route. This feature is available with multi-agent routing protocol models.
Use the following configuration commands to implement the Ordered FEC solution for BGP routes.
switch(config)# router bgp 100
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp)# bgp bestpath tie-break router-id
switch(config-router-bgp)#
switch(config)# router general
switch(config-router-general)# rib fib fec ecmp ordered
switch(config-router-general)#
The show ip route fec command displays whether the next-hops in the FEC of a route have been ordered. The outputs below show the command output before and after enabling the Ordered FEC solution on the device. The show ip bgp command output is also included to correlate each next hop with the router-id of the peer from which the path was received.
switch# show ip bgp 1.0.16.0
BGP routing table information for VRF default
Router identifier 0.0.0.1, local AS number 1
BGP routing table entry for 1.0.16.0/24
Paths: 8 available
30
1.0.10.2 from 1.0.10.2 (10.0.1.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:53 ago, valid, external, ECMP head, ECMP, best, ECMP contributor
Rx SAFI: Unicast
10
1.0.8.2 from 1.0.8.2 (10.0.4.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:55 ago, valid, external, ECMP, ECMP contributor
Rx SAFI: Unicast
20
1.0.9.2 from 1.0.9.2 (10.0.3.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:54 ago, valid, external, ECMP, ECMP contributor
Rx SAFI: Unicast
40
1.0.11.2 from 1.0.11.2 (10.0.8.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:52 ago, valid, external, ECMP, ECMP contributor
Rx SAFI: Unicast
50
1.0.12.2 from 1.0.12.2 (10.0.2.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:52 ago, valid, external, ECMP, ECMP contributor
Rx SAFI: Unicast
60
1.0.13.2 from 1.0.13.2 (10.0.5.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:51 ago, valid, external, ECMP, ECMP contributor
Rx SAFI: Unicast
70
1.0.14.2 from 1.0.14.2 (10.0.6.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:50 ago, valid, external, ECMP, ECMP contributor
Rx SAFI: Unicast
80
1.0.15.2 from 1.0.15.2 (10.0.7.1)
Origin EGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:01:49 ago, valid, external, ECMP, ECMP contributor
Rx SAFI: Unicast
switch#
switch#show ip ro 1.0.16.0 fec
FEC ID 4294967334, used by 100 IPv4 prefixes and 0 IPv6 prefixes
Next hops:
via 1.0.8.2, Ethernet8
via 1.0.9.2, Ethernet9
via 1.0.10.2, Vlan2317
via 1.0.11.2, Vlan2836
via 1.0.12.2, Vlan2043
via 1.0.13.2, Ethernet4
via 1.0.14.2, Vlan2000
via 1.0.15.2, Vlan2191
switch#
switch(config)#router general
switch(config-router-general)#rib fib fec ecmp ordered
switch(config-router-general)#end
switch#show ip route 1.0.16.0 fec
FEC ID 4294967334, used by 100 IPv4 prefixes and 0 IPv6 prefixes
Next hops (ordered):
via 1.0.10.2, Vlan2317
via 1.0.12.2, Vlan2043
via 1.0.9.2, Ethernet9
via 1.0.8.2, Ethernet8
via 1.0.13.2, Ethernet4
via 1.0.14.2, Vlan2000
via 1.0.15.2, Vlan2191
via 1.0.11.2, Vlan2836
Example
The switch supports one BGP instance, which is associated with a specified Autonomous System (AS). To other BGP peers, the AS number uniquely identifies the network to which the switch belongs. Arista switches support four-byte AS numbers as described in RFC 4893. Four-byte AS number capability is communicated to BGP peers in OPEN messages. When communicating with a BGP peer which does not support four-byte AS numbers, the switch will replace AS numbers greater than 65535 with the well-known two-byte AS number 23456 (also called AS_TRANS), and encode the actual four-byte AS numbers using the AS4_PATH attribute.
The switch must be in router-BGP configuration mode to run BGP configuration commands. The router bgp command places the switch in the router-BGP configuration mode for creating a BGP instance if one was not previously created. BGP configuration commands apply globally to the BGP instance.
This command places the switch in router-BGP configuration mode. It also creates a BGP instance in AS 50 if an instance was not previously created.
switch(config)# router bgp 50
switch(config-router-bgp)#
When a BGP instance exists, the router bgp command must include its autonomous system. Any attempt to create a second instance results in an error message.
This command attempts to open a BGP instance with a different AS number from that of the existing instance. The switch displays an error and stays in global configuration mode.
switch(config)# router bgp 100
% BGP is already running with AS number 50
switch(config)#
IPv6 VRF support in EOS allows application of a BGP configuration to a single VRF instance, overriding global commands. To apply VRF-specific BGP configuration, use the vrf command within router-BGP configuration mode to enter BGP VRF configuration mode. IPv6 BGP VRF configuration is performed in the VRF submode of the router-BGP configuration mode. This submode is also where a Route Distinguisher (RD) is configured for a VRF on switches running Ethernet VPN (EVPN): use the rd (Router-BGP VRF and VNI Configuration Modes) command to configure an RD for a VRF.
switch(config)# router bgp 1
switch(config-router-bgp)# vrf purple
switch(config-router-bgp)#
switch(config-router-bgp-vrf-purple)# router-id 1.1.1.1
switch(config-router-bgp-vrf-purple)# neighbor 2001:0DB8:8c01::1 remote-as 16
switch(config-router-bgp-vrf-purple)# address-family ipv6
switch(config-router-bgp-vrf-purple-af)# neighbor 2001:0DB8:8c01::1 activate
switch(config-router-bgp-vrf-purple-af)#
switch(config-router-bgp-vrf-purple)# rd 530:12
switch(config-router-bgp-vrf-purple)#
RCF functions support in EOS allows application of a BGP configuration to filter routes and update route attributes. RCF functions can be configured for inbound and outbound updates on BGP neighbors under the IPv4 unicast, IPv6 unicast, IPv4 labeled unicast, and IPv6 labeled unicast address families.
switch(config)# router bgp 64500
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# neighbor 192.168.0.1 rcf in INBOUND_POLICY()
switch(config-router-bgp-af)# neighbor 192.168.0.1 rcf out OUTBOUND_POLICY()
switch(config)# router bgp 64500
switch(config-router-bgp)# address-family ipv6 labeled-unicast
switch(config-router-bgp-af-label)# neighbor 192.168.0.1 rcf in LU_INBOUND_POLICY()
switch(config-router-bgp-af-label)# neighbor 192.168.0.1 rcf out LU_OUTBOUND_POLICY()
switch(config)# router bgp 64500
switch(config-router-bgp)# redistribute connected rcf CONNECTED_POLICY()
switch(config-router-bgp)# redistribute static rcf STATIC_POLICY()
switch(config)# router bgp 64500
switch(config-router-bgp)# redistribute isis level-1 rcf ISIS_LEVEL_1_POLICY()
switch(config-router-bgp)# redistribute isis level-2 rcf ISIS_LEVEL_2_POLICY()
switch(config-router-bgp)# redistribute isis level-1-2 rcf ISIS_LEVEL_1_2_POLICY()
Static neighbors may belong to a static peer group, allowing them to be configured as a group. Configuration applied to an individual member of a static peer group overrides the group configuration for that peer. Dynamic neighbors must belong to a dynamic peer group, and can only be configured as a group.
The neighbor remote-as command connects the switch with a peer, establishing a static neighbor.
Once established, a static neighbor may be added to an existing peer group. Any configuration applied to the peer group then is inherited by the neighbor, unless a conflicting configuration has been entered for that peer. Settings applied to a member of the peer group override group settings.
switch(config)# router bgp 50
switch(config-router-bgp)# neighbor 10.1.1.14 remote-as 50
switch(config-router-bgp)#
switch(config)# router bgp 50
switch(config-router-bgp)# neighbor 192.168.2.5 remote-as 100
switch(config-router-bgp)#
The bgp listen range command specifies a range of IPv4 addresses from which the switch will accept incoming dynamic BGP peering requests, and creates the named dynamic peer group to which those peers belong. Dynamic BGP neighbors are peers which have not been manually established, but are accepted into a dynamic peer group when the switch receives a peering request from them.
Dynamic peers cannot be configured individually, but inherit any configuration that is applied to the peer group to which they belong. Peering relationships with dynamic peers are terminated if the peer group is deleted.
switch(config)# router bgp 50
switch(config-router-bgp)# bgp listen range 192.168.2.0/24 peer-group brazil remote-as 50
switch(config-router-bgp)#
The show ip bgp summary and show ip bgp neighbors commands display neighbor connection status.
switch# show ip bgp summary
BGP summary information for VRF default
BGP router identifier 192.168.104.2, local AS number 50
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State PfxRcd PfxAcc
192.168.2.5 4 100 198 281 0 0 03:11:31 Estab 12 12
switch#
A static BGP peer group is a collection of BGP neighbors which can be configured as a group. Once a static peer group is created, the group name can be used as a parameter in neighbor configuration commands, and the configuration will be applied to all members of the group. Neighbors added to the group will inherit any settings already created for the group. Static peer group members may also be configured individually, and the settings of an individual neighbor in the peer group override group settings for that neighbor.
When the default form of a BGP configuration command is entered for a member of a static peer group, the peer inherits that configuration from the peer group.
A static peer group is created with the neighbor peer group (create) command, or by using the bgp listen range command to accept dynamic peering requests. Once a static peer group has been created, static neighbors can be manually added to the group by using the neighbor peer group (neighbor assignment) command. The no neighbor peer group (neighbor assignment) command removes a neighbor from a static peer group.
The no neighbor peer group (create) command will delete a static peer group. When a peer group is deleted, the members of that group revert to their individual configurations, or to the system default for any attributes that have not been specifically configured for that peer.
switch(config)# router bgp 50
switch(config-router-bgp)# neighbor akron peer group
switch(config-router-bgp)#
switch(config-router-bgp)# neighbor 1.1.1.1 peer group akron
switch(config-router-bgp)# neighbor 2.2.2.2 peer group akron
switch(config-router-bgp)#
switch(config-router-bgp)# neighbor akron remote-as 109
switch(config-router-bgp)# neighbor akron out-delay 101
switch(config-router-bgp)# neighbor akron maximum-routes 12000
switch(config-router-bgp)# no neighbor 1.1.1.1 out-delay
switch(config-router-bgp)#
A dynamic BGP peer group is a collection of BGP neighbors in a specified address range which make peering requests to the switch. Members of a dynamic peer group are configured as a group and not as individuals. A dynamic peer group name is used as a parameter to apply the configuration across all the members in the group. Neighbors joining the group inherit any settings already created for the group.
The bgp listen range command is used to create a dynamic peer group. This command identifies BGP peering requests from a range of IP addresses, and names the dynamic peer group to which those peers belong. The bgp listen range command can be configured to accept peering requests from a single AS number or from a range of AS numbers. To accept requests from a range of AS numbers, use the peer filter option in the command as shown. If the peer filter referenced by the bgp listen range command does not exist, or if the filter exists but has no match commands, it will accept any AS number.
To delete a dynamic peer group, use the no or default form of the bgp listen range command. All peering relationships with group members are terminated when the dynamic peer group is deleted.
switch(config)# router bgp 1
switch(config-router-bgp)# bgp listen range 192.0.2.0/24 peer-group brazil remote-as 5
switch(config-router-bgp)#
switch(config)# router bgp 1
switch(config-router-bgp)# bgp listen range 192.0.2.0/24 peer-group brazil peer-filter group-1
switch(config-router-bgp)#
The show ip bgp peer group command displays the source of a listen range’s remote AS number definition as shown.
switch(config-router-bgp)# show ip bgp peer-group
BGP peer-group is brazil
BGP version 4
Listen-range subnets:
VRF default:
192.0.2.0/24, remote AS 5
192.0.2.0/24, peer filter group1
switch(config-router-bgp)#
A peer filter defines a set of rules to decide whether to accept or reject the incoming peer request based on the peer’s attributes. The peer filter is defined using a sequence number and a match statement, and supports one new match statement for matching against a range of BGP AS numbers. A peer filter is defined in peer filter configuration mode as shown. The peer filter command supports only matching AS ranges. Unlike route maps, peer filters do not support sets, continues or subroutines.
To delete a peer filter, use the no peer filter or default peer filter commands.
switch(config)# peer-filter group1
switch(config-peer-filter-group1)# 10 match as-range 1-4294967295 result accept
switch(config-peer-filter-group1)#
switch(config)# peer-filter group2
switch(config-peer-filter-group2)# 10 match as-range 65008-65009 result reject
switch(config-peer-filter-group2)# 20 match as-range 65000-651000 result accept
switch(config-peer-filter-group2)#
switch(config)# peer-filter group3
switch(config-peer-filter-group3)# 10 match as-range 65003 result accept
switch(config-peer-filter-group3)# 20 match as-range 65007 result accept
switch(config-peer-filter-group3)# 30 match as-range 65009 result accept
switch(config-peer-filter-group3)#
The show peer-filter command displays the peer filter definition.
switch(config)# show peer-filter group3
peer-filter group3
10 match as-range 65003 result accept
20 match as-range 65007 result accept
30 match as-range 65009 result accept
switch(config)#
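The peer-filter rules above, together with the rule stated for bgp listen range (a missing or empty filter accepts any AS number), as an added Python example that is not Arista code: it parses the filters defined on this page, evaluates an AS number by first match, and flags filters that are undefined, empty or very wide. The implicit reject for an AS that matches no sequence, the `empty1` filter and the `WIDE_THRESHOLD` value are assumptions of this example.

```python
import re

MAX_ASN = 4294967295
WIDE_THRESHOLD = 1000  # hypothetical audit threshold, not an EOS setting

# Constructed input: the peer filters defined on this page, plus an empty
# filter (empty1) added to exercise the "no match commands" case.
SAMPLE_CONFIG = """\
peer-filter group1
   10 match as-range 1-4294967295 result accept
peer-filter group2
   10 match as-range 65008-65009 result reject
   20 match as-range 65000-651000 result accept
peer-filter group3
   10 match as-range 65003 result accept
   20 match as-range 65007 result accept
   30 match as-range 65009 result accept
peer-filter empty1
"""

HEAD_RE = re.compile(r"^peer-filter\s+(\S+)\s*$")
RULE_RE = re.compile(
    r"^\s*(\d+)\s+match\s+as-range\s+(\d+)(?:-(\d+))?\s+result\s+(accept|reject)\s*$"
)


def parse_peer_filters(text):
    """Return {name: [(seq, low, high, result), ...]} sorted by sequence number."""
    filters, current = {}, None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            current = filters.setdefault(head.group(1), [])
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            seq, low, high, result = rule.groups()
            current.append((int(seq), int(low), int(high or low), result))
    for rules in filters.values():
        rules.sort()
    return filters


def evaluate(filters, name, asn):
    """Decide a peering request from AS `asn` against the filter called `name`."""
    rules = filters.get(name)
    if not rules:
        # Stated on the page: a filter that does not exist, or that has no
        # match commands, accepts any AS number.
        return "accept"
    for _seq, low, high, result in rules:
        if low <= asn <= high:
            return result
    return "reject"  # ASSUMPTION: no matching sequence means reject


def accepted_asn_count(rules):
    """Count the AS numbers a non-empty filter accepts, honouring first match."""
    remaining = [(1, MAX_ASN)]  # AS numbers no earlier sequence has matched
    accepted = 0
    for _seq, low, high, result in rules:
        next_remaining = []
        for start, end in remaining:
            lo, hi = max(start, low), min(end, high)
            if lo > hi:  # this sequence does not touch the interval
                next_remaining.append((start, end))
                continue
            if result == "accept":
                accepted += hi - lo + 1
            if start < lo:
                next_remaining.append((start, lo - 1))
            if hi < end:
                next_remaining.append((hi + 1, end))
        remaining = next_remaining
    return accepted


def audit(filters, referenced):
    """Flag referenced filters that admit any AS or an unexpectedly wide range."""
    findings = []
    for name in referenced:
        rules = filters.get(name)
        if rules is None:
            findings.append((name, "not defined: any AS accepted"))
        elif not rules:
            findings.append((name, "no match statements: any AS accepted"))
        else:
            count = accepted_asn_count(rules)
            if count > WIDE_THRESHOLD:
                findings.append((name, f"accepts {count} AS numbers"))
    return findings


if __name__ == "__main__":
    parsed = parse_peer_filters(SAMPLE_CONFIG)
    # "group-1" is the name the bgp listen range example references;
    # the filter defined on this page is "group1".
    for name, finding in audit(parsed, ["group-1", "empty1", "group1", "group2", "group3"]):
        print(f"{name}: {finding}")
```

Run against the names a listen range actually references, the audit shows that a one-character name mismatch between the listen range and the filter definition leaves the dynamic peer group open to any AS.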
BGP predates the use of IPv6, and BGP configuration assumes IPv4 connections by default. The following additional steps are used to configure IPv6 BGP neighbors.
By default, the switch does not negotiate or advertise IPv6 BGP routes. In order to establish a session with an IPv6 neighbor, it must be made active in the IPv6 address family. The ipv6-unicast option of the bgp default command causes the switch to send IPv6 capability messages and all network advertisements with IPv6 prefixes to all BGP neighbors. The neighbor activate command issued in IPv6 address family configuration mode does the same for a single BGP neighbor.
switch(config)# router bgp 11
switch(config-router-bgp)# address-family ipv6
switch(config-router-bgp-af)# bgp default ipv6-unicast
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#
switch(config)# router bgp 11
switch(config-router-bgp)# address-family ipv6
switch(config-router-bgp-af)# neighbor 2001:0DB8:8c01::1 activate
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#
The switch supports the exchange of IPv4 NLRIs with IPv6 neighbors. To enable this feature for all IPv6 neighbors, use the ipv4-unicast transport ipv6 option of the bgp default command in the IPv4 address family configuration mode. To enable it for a single IPv6 neighbor, use the neighbor activate command for that neighbor in the IPv4 address family configuration mode.
To send IPv4 NLRIs to IPv6 neighbors, the IPv4 next-hop address must also be communicated. To explicitly configure an IPv4 next hop to send to a specific IPv6 neighbor, use the neighbor local-v4-addr command. In some network configurations, the switch can also be configured to automatically determine the best IPv4 next-hop address for an individual IPv6 neighbor or for all neighbors in the VRF using the neighbor auto-local-addr command.
switch(config)# router bgp 11
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# bgp default ipv4-unicast transport ipv6
switch(config-router-bgp-af)# exit
switch(config-router-bgp)# neighbor indianapolis auto-local-addr
switch(config-router-bgp)#
switch(config)# router bgp 11
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# neighbor 2001:0DB8:8c01::1 activate
switch(config-router-bgp-af)# exit
switch(config-router-bgp)# neighbor 2001:0DB8:8c01::1 local-v4-addr 10.7.5.11
switch(config-router-bgp)#
BGP neighbors maintain connections by exchanging KEEPALIVE, UPDATE, and NOTIFICATION messages. Neighbors that do not receive a message from a peer within a specified period (hold time) close the BGP session with that peer. Hold time is typically three times the period between scheduled KEEPALIVE messages. The default keepalive period is 60 seconds; default hold time is 180 seconds.
The timers bgp command configures the hold time and keepalive period. A peer retains its BGP connections indefinitely when its hold time is zero.
switch(config-router-bgp)# timers bgp 15 45
switch(config-router-bgp)#
The show ip bgp neighbors command displays the hold time.
switch# show ip bgp neighbors 10.100.100.2
BGP neighbor is 10.100.100.2, remote AS 100
BGP version 4, remote router ID 192.168.100.13, VRF default
Negotiated BGP version 4
Last read 00:00:05, last write 00:00:05
Hold time is 45, keepalive interval is 15 seconds <= hold time
Configured hold time is 45, keepalive interval is 15 seconds
Connect timer is inactive
Idle-restart timer is inactive
BGP state is Established, up for 04:44:05
Number of transitions to established: 11
Last state was OpenConfirm
Last event was RecvKeepAlive
Last sent notification:Cease/administrative reset, Last time 04:44:09
Last rcvd notification:Cease/peer de-configured, Last time 2d02h, First time 7d08h, Repeats 1
Neighbor Capabilities:
Multiprotocol IPv4 Unicast: advertised and received and negotiated
Four Octet ASN: advertised and received
<-------OUTPUT OMITTED FROM EXAMPLE------->
switch#
The neighbor maximum-routes command determines the number of BGP routes the switch accepts from a specified neighbor. The switch disables peering with the neighbor when this number is exceeded.
Example
switch(config-router-bgp)# neighbor 192.168.18.24 maximum-routes 15000
switch(config-router-bgp)#
Participating BGP routers within an AS communicate eBGP-learned routes to all of their peers; to prevent routing loops, they do not re-advertise iBGP-learned routes within the AS. Although a fully meshed network topology ensures that all AS members share routing information, this topology can result in high volumes of iBGP messages when scaled. Alternatively, one or more routers can be configured as route reflectors in larger networks.
A route reflector re-advertises routes learned through iBGP to a group of BGP neighbors within the AS, replacing the function of a fully meshed topology. The neighbor route-reflector-client command configures the switch to act as a route reflector and configures the specified neighbor as a client. The bgp client-to-client reflection command enables client-to-client reflection.
Cluster IDs
When using route reflectors, an AS is divided into clusters. A cluster contains at least one route reflector and a group of clients to which they re-advertise route information. A cluster may contain multiple route reflectors to provide redundancy protection. Each reflector has a cluster ID. When the cluster has a single route reflector, the cluster ID is its router ID. When a cluster has multiple route reflectors, a 4-byte cluster ID is assigned to all route reflectors in the cluster, allowing them to recognize updates from other cluster reflectors. The bgp cluster-id command configures the cluster ID in a cluster with multiple route reflectors.
Attribute Preservation
Outbound BGP policies can rewrite the BGP attributes (next-hop, local preference and metric) of routes advertised by a route reflector. To configure the route reflector to preserve these attributes regardless of policy (unless those policies are included in a route map), use the bgp route-reflector preserve-attributes command. To include route attributes at all times (even contrary to policies included in route maps), use the always option of the command.
Client-to-client Reflection
Usually the clients of a route reflector are not interconnected, and any routes learned by a client are mirrored to other clients and re-advertised within the AS by the route reflector. If the clients of a route reflector are fully meshed, routes received from a client do not need to be mirrored to other clients. In this case, client-to-client reflection should be disabled using the no bgp client-to-client reflection command.
switch(config-router-bgp)# neighbor 172.72.14.5 route-reflector-client
switch(config-router-bgp)# bgp cluster-id 172.22.30.101
switch(config-router-bgp)# bgp route-reflector preserve-attributes
switch(config-router-bgp)#
switch# show bgp instance
BGP instance information for VRF default
BGP Local AS: 64512, Router ID: 1.1.4.1
Total peers: 14
Configured peers: 14
UnConfigured peers: 0
Disabled peers: 4
Established peers: 9
Graceful restart helper mode enabled
Attributes of reflected routes are preserved
End of rib timer timeout: 00:05:00
BGP Convergence timer is inactive
BGP Convergence information:
BGP has converged: yes, Time taken to converge: 00:05:44
Outstanding EORs: 0, Outstanding Keepalives: 0
Convergence timeout: 00:10:00
switch#
The primary function of external peers is to distribute routes they learn from their peers. Internal peers receive route updates without distributing them. External peers receive route updates, then distribute them to internal and external peers.
Local preference is a metric that iBGP sessions use to select an external route. Preferred routes have the highest local preference value. UPDATE packets include this metric in the LOCAL_PREF field.
The neighbor export-localpref command specifies the LOCAL_PREF that the switch sends to an internal peer. The command overrides previously assigned preferences and has no effect on external peers.
Example
switch(config-router-bgp)# neighbor 10.1.1.45 export-localpref 200
switch(config-router-bgp)#
The neighbor import-localpref command assigns a local preference to routes received through UPDATE packets from an external peer. This command has no effect when the neighbor is an internal peer.
switch(config-router-bgp)# neighbor 172.16.5.2 import-localpref 50
switch(config-router-bgp)#
The show ip bgp command displays the LOCAL_PREF value for all listed routes.
switch# show ip bgp
BGP routing table information for VRF default
Router identifier 192.168.100.23, local AS number 64512
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* >Ec 10.10.20.0/24 192.168.31.3 0 400 0 64521 i
switch#
Graceful BGP restart allows a BGP speaker with separate control plane and data plane processing to continue forwarding traffic during a BGP restart. Its neighbors (receiving speakers) may retain routing information from the restarting speaker while a BGP session with it is being re-established, reducing route flapping.
Arista switches can act as helpers (receiving speakers) for graceful BGP restart with neighbors that advertise graceful restart capability.
Graceful restart helper mode is enabled by default, but can be turned off globally with the no graceful-restart-helper command. Per-peer configuration takes precedence over the global configuration.
switch(config-router-bgp)# no graceful-restart-helper
switch(config-router-bgp)#
switch(config-router-bgp)# no neighbor 192.168.32.5 graceful-restart-helper
switch(config-router-bgp)#
Peers with graceful restart capability advertise a restart time value as an estimate of the time it will take them to restart a BGP session. When a BGP session with a restarting speaker goes down, the switch (receiving speaker) marks routes from that peer as stale and starts the restart timer. If the session with the peer is not re-established before the restart time runs out, the switch deletes the stale routes from that peer. If the session is re-established within that time, the stale path timer is started. If the stale paths are not updated by the restarting speaker before the stale path time runs out, they are deleted. The maximum time these stale paths are retained after the BGP session is re-established is 300 seconds by default, but can be configured using the graceful-restart stalepath-time command.
Example
switch(config-router-bgp)# graceful-restart stalepath-time 500
switch(config-router-bgp)#
Route maps are used in BGP to directly filter IPv4 unicast routes. The neighbor route-map (BGP) command applies a route map to inbound or outbound BGP routes. To display the route maps associated with a specific BGP neighbor, use the show ip bgp neighbors command.
The redistribution of BGP unicast routes into multicast address families allows the network to take a different path for the multicast traffic. It allows redistribution of IPv4 unicast routes into the IPv4 multicast address family and IPv6 unicast routes into the IPv6 multicast address family.
The following command configures the redistribution of IPv4 unicast routes into IPv4 multicast address family in both default and non-default VRF.
switch(config-router-bgp)# address-family ipv4 multicast
switch(config-router-bgp-af)# route input address-family ipv4 unicast rcf onePfx()
bgprtr1(config-router-multicast)# show bgp ipv4 unicast
BGP routing table information for VRF default
Router identifier 1.1.1.1, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric AIGP LocPref Weight Path
* > 10.10.10.1/32 1.1.1.2 0 - 100 0 200 i
* > 10.10.20.1/32 1.1.1.2 0 - 100 0 200 i
The following command shows BGP IPv4 multicast output when an RCF function filters 10.10.20.1/32.
bgprtr1# show bgp ipv4 multicast
BGP routing table information for VRF default
Router identifier 1.1.1.1, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric AIGP LocPref Weight Path
* > 10.10.20.1/32 1.1.1.2 - - - 0 ?
Example
switch(config)# ip prefix-list PL_1 permit 10.1.2.5/24
switch(config)# ip prefix-list PL_1 permit 10.2.5.1/28
switch(config)#
switch(config)# route-map MAP_1 permit
switch(config-route-map-MAP_1)# match ip address prefix-list PL_1
switch(config-route-map-MAP_1)# set community 500
switch(config-route-map-MAP_1)# exit
switch(config)#
switch(config)# ip community-list CL_1 permit 500
switch(config)#
BGP extended communities identify routes for VRFs or for Link BandWidth (LBW). Extended community clauses utilize Route Target (RT) and Site of Origin Options (SOO):
An AS path access list is a named list of permit and deny statements which use regular expressions to filter BGP routes based on their AS path attribute. AS path access lists are created using the ip as-path access-list command, and are applied using a route map match clause with the name of the access list as a parameter.
Example
switch(config)# ip as-path access-list as_list3 permit _3
switch(config)# route-map MAP_3 permit
switch(config-route-map-MAP_3)# match as-path as_list3
switch(config-route-map-MAP_3)# set community 300
switch(config-route-map-MAP_3)# exit
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.68.14.5 route-map MAP_3 in
switch(config-router-bgp)#
The Generalized TTL Security Mechanism (GTSM) uses a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6) to protect BGP peering sessions from Denial-of-Service (DoS) attacks based on forged protocol packets.
An IP packet received from a BGP peer is discarded when its current TTL value is less than (255-n) where n is the configured maximum number of hops to the peer. Use the neighbor ttl maximum-hops command to configure the maximum hop count.
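The GTSM discard rule above, as an added Python example that is not Arista code: it applies the page's threshold (discard when TTL is less than 255-n) to constructed packets and sweeps every possible initial TTL to find how far away a sender can be and still pass. It assumes each router between sender and switch decrements the TTL by one; the function names and sample packets are constructed for this example.

```python
TTL_MAX = 255  # largest value the 8-bit TTL / Hop Limit field can carry


def arriving_ttl(initial_ttl, routers_traversed):
    """TTL seen by the receiver, or None if the packet expired in transit.

    ASSUMPTION: every router on the path decrements the TTL by exactly one.
    """
    if not 1 <= initial_ttl <= TTL_MAX:
        raise ValueError("initial TTL must fit the 8-bit field and be non-zero")
    ttl = initial_ttl - routers_traversed
    return ttl if ttl >= 1 else None


def gtsm_accepts(ttl, max_hops):
    """The page's rule: the packet is discarded when TTL < 255 - n."""
    return ttl >= TTL_MAX - max_hops


def farthest_accepted_sender(max_hops):
    """Largest number of routers a sender can sit behind and still be accepted.

    Tries every initial TTL a sender could choose, so the result also bounds
    what a forger can achieve by picking the TTL freely.
    """
    farthest = -1
    for distance in range(0, TTL_MAX):
        for initial in range(1, TTL_MAX + 1):
            ttl = arriving_ttl(initial, distance)
            if ttl is not None and gtsm_accepts(ttl, max_hops):
                farthest = distance
                break
    return farthest


# Constructed sample packets: (label, sender's initial TTL, routers traversed).
SAMPLE_PACKETS = [
    ("directly connected peer", 255, 0),
    ("peer two routers away", 255, 2),
    ("forged packet, six routers away", 255, 6),
    ("forged packet, initial TTL 64, one router away", 64, 1),
]


def classify(packets, max_hops):
    """Map each packet label to True (accepted) or False (discarded)."""
    verdicts = {}
    for label, initial, distance in packets:
        ttl = arriving_ttl(initial, distance)
        verdicts[label] = ttl is not None and gtsm_accepts(ttl, max_hops)
    return verdicts


if __name__ == "__main__":
    for label, accepted in classify(SAMPLE_PACKETS, max_hops=2).items():
        print(f"{'accept ' if accepted else 'discard'}  {label}")
    print("farthest sender accepted with n=2:", farthest_accepted_sender(2))
```

The sweep returns n for every n, so the configured maximum hop count is also the radius within which forged packets can still pass the check; keep it as small as the real path to the peer allows.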
A BGP neighbor advertises routes it can reach through UPDATE packets. The network (BGP) command specifies a prefix that the switch advertises as a route originating from its AS.
The configuration clears the host portion of addresses entered in network commands. For example, 192.0.2.4/24 is stored as 192.0.2.0/24.
Example
switch(config-router-bgp)# network 10.5.8.0/24
switch(config-router-bgp)#
By default, BGP will advertise only those routes that are active in the switch’s RIB. This can contribute to dropped traffic. If a preferred route is available through another protocol (like OSPF), the BGP route will become inactive and not be advertised; if the preferred route is lost, there is no available route to the affected peers. Advertising inactive BGP routes minimizes traffic loss by providing alternative routes.
The bgp advertise-inactive command causes BGP to advertise inactive routes to BGP neighbors. Inactive route advertisement is configured globally, but the global setting can be overridden on a per-VRF basis.
switch(config-router-bgp)# bgp advertise-inactive
switch(config-router-bgp)#
switch(config-router-bgp)# vrf purple
switch(config-router-bgp-vrf-purple)# no bgp advertise-inactive
switch(config-router-bgp-vrf-purple)#
The redistribute isis route-map isis-to-bgp command advertises routes learned through IS-IS into the BGP network. It also allows the user to selectively advertise some routes and to modify route attributes before advertising them, using route maps.
The command is available in both address-family mode and router BGP mode, but the command is rejected if configured in both address-family mode and router mode at the same time.
While redistributing IS-IS routes into BGP, the Level-1 or Level-2 keyword can be used to selectively redistribute Level-1 routes or Level-2 routes into BGP. The keyword is optional, and defaults to Level-2 when not configured.
Use the show ipv6 bgp detail command to verify that routes are advertised with correct attributes.
switch(config)# router bgp 1
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# redistribute isis level-1 route-map isis-to-bgp-v4
switch(config-router-bgp-af)#
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute isis level-1 route-map isis-to-bgp
switch(config-router-bgp)#
Routes learned through the OSPF protocol can be redistributed into the BGP domain and advertised by BGP. To redistribute OSPF routes into BGP, use the redistribute (BGP) command. By default, redistribute ospf will redistribute only internal OSPF routes into BGP; the command must be issued separately with additional parameters for each type of OSPF route that is to be redistributed.
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute ospf
switch(config-router-bgp)#
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute ospf internal
switch(config-router-bgp)# redistribute ospf external
switch(config-router-bgp)# redistribute ospf nssa-external
switch(config-router-bgp)#
Aggregation combines the characteristics of multiple routes into a single route for advertisement by the BGP speaker. Aggregation can reduce the amount of information that a BGP speaker is required to store and transmit when advertising routes to other BGP speakers. Aggregation options affect the attributes associated with the aggregated route, the advertisement of the contributor routes that comprise the aggregate, and which contributor routes are included.
BGP speakers display aggregate routes that they create as null routes (with one exception: if all the contributors to the aggregate have the same BGP path attributes, then the BGP aggregate copies those attributes and is no longer a null route). Aggregate routes are advertised into the BGP autonomous system and redistributed automatically, and their redistribution cannot be disabled. BGP neighbors display inbound aggregate routes as normal BGP routes. Null routes are displayed with the show ip route command; normal BGP routes (and null aggregate routes) are displayed with the show ip bgp and show ip route commands.
The aggregate-address command provides the following aggregate route options:
When the command includes as-set, the aggregate route’s AS_SET attribute contains the AS numbers of contributor routes. This can help BGP neighbors to prevent loops by rejecting aggregate routes that include their AS number in the AS_SET.
When the command does not include as-set, the aggregate route’s ATOMIC_AGGREGATE attribute is set and the AS_PATH attribute does not include AS numbers of contributing routes.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# aggregate-address 10.16.48.0/20 as-set
switch(config-router-bgp)# exit
switch(config)#
switch(config)# route-map map1 permit 10
switch(config-route-map-map1)# set local-preference 40
switch(config-route-map-map1)# exit
switch(config)# router bgp 1
switch(config-router-bgp)# aggregate-address 10.16.48.0/20 attribute-map map1
switch(config-router-bgp)# exit
switch(config)#
switch(config)# route-map matchmap permit 10
switch(config-route-map-matchmap)# match ip address prefix-list agglist
switch(config-route-map-matchmap)# exit
switch(config)# router bgp 1
switch(config-router-bgp)# aggregate-address 1.1.0.0/16 match-map matchmap
switch(config-router-bgp)#
When configured, this feature introduces the ability to match on:
The attributes currently supported for matching on BGP aggregate contributors are community, local-preference, prefix, next-hop, and route-type.
switch(config-route-map-test)# match aggregate-role contributor
The match aggregate-role contributor clause only works with outbound policies.
Example
ip community-list BLUE permit 65536:100
!
route-map OUTBOUND_POLICY permit 10
match aggregate-role contributor
set community community-list BLUE
!
route-map OUTBOUND_POLICY permit 20
description "Permit the routes rejected by seq10"
!
router bgp 65536
aggregate-address 203.0.113.0/24
neighbor 192.0.2.1 route-map OUTBOUND_POLICY out
!
To match contributors which contribute only to a BGP aggregate with specific attributes (say communities) and set attributes (say communities again) on said contributor, add an outbound policy with the clause:
switch(config-route-map-test)# match aggregate-role contributor aggregate-attributes MATCH_AGG_COLOR
route-map MATCH_AGG_COLOR
match community RED
Add an aggregate definition to explicitly set the desired attributes on the aggregate of interest:
route-map AGG_SET_COLOR
set community community-list RED
!
router bgp 65536
aggregate-address 203.0.113.0/24 attribute-map AGG_SET_COLOR
The route map referenced by the match aggregate-role contributor aggregate-attributes clause discards all set operations.
ip community-list BLUE permit 65536:100
ip community-list RED permit 65536:200
!
route-map AGG_SET_COLOR
set community community-list RED
!
route-map MATCH_AGG_COLOR
match community RED
!
route-map OUTBOUND_POLICY permit 10
match aggregate-role contributor aggregate-attributes MATCH_AGG_COLOR
set community community-list BLUE
!
route-map OUTBOUND_POLICY permit 20
description "Permit the routes rejected by seq10"
!
router bgp 65536
aggregate-address 203.0.113.0/24 attribute-map AGG_SET_COLOR
neighbor 192.0.2.1 route-map OUTBOUND_POLICY out
!
This match clause supports the invert-result modifier. When applied, invert-result inverts the result of the match clause to which it is applied.
switch(config-route-map-test)# match invert-result aggregate-role contributor aggregate-attributes MATCH_AGG_COLOR
Related Command
The BGP Replace AS-Path feature allows the user to customize the AS_PATH attribute for prefixes that are either received from a BGP neighbor or advertised to a BGP neighbor. To configure the BGP Replace AS-Path feature, use the set as-path match and set as-path prepend commands.
To replace the AS_PATH attribute of routes received from a BGP neighbor, configure a route map and attach the policy to the corresponding BGP neighbor statement in the inbound direction.
To replace the AS_PATH attribute of routes that are advertised to a neighbor, configure a route map and attach the policy to the corresponding BGP neighbor statement in the outbound direction.
The Replace AS-Path feature works in conjunction with the AS-Path Prepend feature which is also used to modify the AS_PATH attribute. However, if both features are configured within the same route map, then the replace AS-Path feature takes precedence over the AS-Path Prepend.
Example
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 302 i
* > 202.202.1.0/24 80.80.1.1 - - - s200 i
switch# configure terminal
switch(config)# route-map foo permit 10
switch(config-route-map-foo)# set as-path match all replacement none
switch(config-route-map-foo)# exit
switch(config)# router bgp 200
switch(config-router-bgp)# neighbor 80.80.1.2 route-map foo out
switch(config-router-bgp)# end
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 i
* > 202.202.1.0/24 80.80.1.1 - - - 200 i
switch#
switch(config)# route-map foo permit 10
switch(config-route-map-foo)# set as-path match all replacement auto
switch(config-route-map-foo)# end
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 200 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 200 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 200 i
* > 202.202.1.0/24 80.80.1.1 - - - 200 200 i
switch#
The AS path of each matching prefix is replaced with the locally configured AS 200.
The switch can replace its local AS number with a configured value when sending OPEN messages to a specified neighbor, allowing the switch to appear as a member of a different AS to that peer. In the case of a static peer, the neighbor must also be configured to recognize the modified AS in order for peering to occur. The additional configuration is unnecessary in the case of dynamic peers.
To configure a different local AS value for the switch, use the neighbor local-as command. To configure the peer to expect the altered ASN from the switch, use the neighbor remote-as command on the peer.
These commands configure the switch to replace its local ASN in OPEN messages sent to the peer at 10.13.64.1 with ASN 64500, and configure the peer to expect that ASN in messages received from the switch.
Switch Configuration
switch(config)# router bgp 64497
switch(config-router-bgp)# neighbor 10.13.64.1 local-as 64500 no-prepend
switch(config-router-bgp)#
Peer Configuration
peer(config)# router bgp 64502
peer(config-router-bgp)# neighbor 10.4.3.10 remote-as 64500
peer(config-router-bgp)#
By default, BGP rejects routes that contain the local Autonomous System Number (ASN). Sometimes a single autonomous system is divided geographically or otherwise with one or more provider ASs in between. In these cases, a valid route can sometimes be dropped by a customer edge router because the local ASN appears in the AS-path of route advertisements that have traveled through one or more provider networks. To ensure that these routes are not dropped, the provider edge router can be configured to replace the customer AS with its own, or the customer edge router can be configured to ignore its local AS number in received routes.
To replace a remote ASN with the local ASN in BGP route announcements sent to a specified router, use the neighbor as-path remote-as replace out command.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.2.15 as-path remote-as replace out
switch(config-router-bgp)#
To accept BGP routes that include the local ASN in their AS-path attribute, use the neighbor allowas-in command.
Example
These commands configure the switch to accept routes from the BGP neighbor at 192.168.1.30 which contain the switch’s ASN in their AS paths as many as 3 times.
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.1.30 allowas-in
switch(config-router-bgp)#
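The local-ASN loop check behind neighbor allowas-in, neighbor as-path remote-as replace out and the aggregate-address as-set option, modelled as an added example (a simplified sketch, not Arista code). The ASNs, function names and the representation of an AS_PATH as a list of (segment type, members) pairs are assumptions made for illustration.

```python
SEQ, SET = "AS_SEQUENCE", "AS_SET"
PROVIDER, CUSTOMER = 64500, 65001   # constructed ASNs


def occurrences(path, asn):
    """Count how many times asn appears in any segment of an AS_PATH."""
    return sum(list(members).count(asn) for _kind, members in path)


def accepts(path, local_asn, allowas_in=0):
    """Receive-side loop check. allowas_in=0 models the default (reject any
    path holding the local ASN); a positive value tolerates that many."""
    return occurrences(path, local_asn) <= allowas_in


def advertise(path, local_asn, replace_remote_as=None):
    """AS_PATH sent to an eBGP neighbor: optionally replace the neighbor's
    ASN with the local ASN, then prepend the local ASN."""
    out = []
    for kind, members in path:
        if replace_remote_as is not None:
            members = [local_asn if m == replace_remote_as else m
                       for m in members]
        out.append((kind, sorted(set(members)) if kind == SET else list(members)))
    if out and out[0][0] == SEQ:
        out[0] = (SEQ, [local_asn] + out[0][1])
    else:
        out.insert(0, (SEQ, [local_asn]))
    return out


def aggregate(contributor_paths, as_set):
    """Attributes of an aggregate route for the two cases in the text."""
    if not as_set:
        # No contributor ASNs in AS_PATH; ATOMIC_AGGREGATE is set instead.
        return {"path": [], "atomic_aggregate": True}
    asns = sorted({a for p in contributor_paths for _k, m in p for a in m})
    return {"path": [(SET, asns)] if asns else [], "atomic_aggregate": False}


def split_as_scenario():
    """One customer AS split across two sites with a provider AS between."""
    from_site_a = [(SEQ, [CUSTOMER])]            # as the provider received it
    plain = advertise(from_site_a, PROVIDER)
    replaced = advertise(from_site_a, PROVIDER, replace_remote_as=CUSTOMER)
    four = [(SEQ, [PROVIDER] + [CUSTOMER] * 4)]
    return {
        "default": accepts(plain, CUSTOMER),
        "allowas-in 3": accepts(plain, CUSTOMER, allowas_in=3),
        "replace out on provider": accepts(replaced, CUSTOMER),
        "4 occurrences, allowas-in 3": accepts(four, CUSTOMER, allowas_in=3),
    }


def aggregate_scenario():
    """A contributor's AS (65010) receiving the aggregate back."""
    contributors = [[(SEQ, [65010])], [(SEQ, [65020, 65030])]]
    with_set = advertise(aggregate(contributors, True)["path"], PROVIDER)
    without = advertise(aggregate(contributors, False)["path"], PROVIDER)
    return {"as-set": accepts(with_set, 65010),
            "no as-set": accepts(without, 65010)}


if __name__ == "__main__":
    print(split_as_scenario())
    print(aggregate_scenario())
```

Without as-set the contributor's AS accepts the aggregate because its ASN is no longer visible in the path, which is the loop-detection information the as-set option preserves.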
The switch determines the network prefixes that peering sessions advertise and the BGP neighbor addresses that receive advertisements through address family activity configuration.
Address family activity levels for neighbor addresses are configured through bgp default and neighbor activate commands.
The switch sends the following announcements to addresses that are active in an address family:
The neighbor route-map (BGP) command applies a route map to inbound or outbound BGP routes. In address-family mode, the route map is applied to routes corresponding to the configuration-mode address family. When a route map is applied to outbound routes, the switch advertises only routes matching at least one section of the route map. One outbound and one inbound route map can be applied to a neighbor for each address family. Applying a route map to a route replaces the previous corresponding route map assignment.
The network (BGP) command specifies a network for advertisement through UPDATE packets to BGP peers. The command is available in Router-BGP and Router-BGP-Address-Family configuration modes; the mode in which the command is issued does not affect the command’s execution.
The default activity level for the IPv4 and IPv6 address families is left at the default: all neighbor addresses are active in the IPv4 address family and not active in the IPv6 address family. IPv4 capability and network routes with IPv4 prefixes are advertised to all neighbor IPv4 addresses.
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 172.21.14.8 remote-as 15
switch(config-router-bgp)# neighbor 172.23.18.6 remote-as 16
switch(config-router-bgp)# neighbor 2001:0DB8:8c01::1 remote-as 16
switch(config-router-bgp)# network 172.18.23.9/24
switch(config-router-bgp)# network 2001:0DB8:de29::/64
switch(config-router-bgp)#
IPv6 capability and network routes with IPv6 prefixes are advertised to all neighbor addresses.
switch(config)# router bgp 10
switch(config-router-bgp)# bgp default ipv6-unicast
switch(config-router-bgp)# no bgp default ipv4-unicast
switch(config-router-bgp)# neighbor 172.21.14.8 remote-as 15
switch(config-router-bgp)# neighbor 172.23.18.6 remote-as 16
switch(config-router-bgp)# neighbor 2001:0DB8:8c01::1 remote-as 16
switch(config-router-bgp)# network 172.18.23.9/24
switch(config-router-bgp)# network 2001:0DB8:de29::/64
switch(config-router-bgp)#
switch(config)# router bgp 11
switch(config-router-bgp)# neighbor 172.21.14.8 remote-as 15
switch(config-router-bgp)# neighbor 172.23.18.6 remote-as 16
switch(config-router-bgp)# neighbor 2001:0DB8:8c01::1 remote-as 16
switch(config-router-bgp)# network 172.18.23.9/24
switch(config-router-bgp)# network 2001:0DB8:de29::/64
switch(config-router-bgp)# no bgp default ipv4-unicast
switch(config-router-bgp)# no bgp default ipv6-unicast
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# neighbor 172.21.14.8 activate
switch(config-router-bgp-af)# neighbor 172.23.18.6 activate
switch(config-router-bgp-af)# exit
switch(config-router-bgp)# address-family ipv6
switch(config-router-bgp-af)# neighbor 2001:0DB8:8c01::1 activate
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#
switch(config)# router bgp 11
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# bgp default ipv4-unicast transport ipv6
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#
The best-path selection algorithm (described under Best-Path Selection) determines which of multiple paths to the same destination received by BGP will be added to the IP routing table. To shape route preferences and influence best-path selection, use the following commands in router-BGP configuration mode.
To see the reasons why certain routes were excluded by the best-path selection process, use the detail option of the show ip bgp command. Enter the prefix to which BGP has selected a best path, and the output will display all learned paths. Paths which were not selected as best will display the reason they were not selected after the label not best.
Example
switch# show ip bgp 172.16.0.0/24 detail
BGP routing table information for VRF default
Router identifier 192.168.100.18, local AS number 64524
Route status: [a.b.c.d] - Route is queued for advertisement to peer.
BGP routing table entry for 204.1.47.220/30
Paths: 4 available
64512 64550 65100
192.168.14.2 from 192.168.14.2 (192.168.100.21)
Origin IGP, metric 0, localpref 100, weight 0, received 19:15:29 ago, valid,
external, ECMP head, ECMP, best, ECMP contributor
Rx SAFI: Unicast
64512 64550 65100
192.168.24.2 from 192.168.24.2 (192.168.100.22)
Origin IGP, metric 0, localpref 100, weight 0, received 19:15:29 ago, valid,
external, ECMP, ECMP contributor
Rx SAFI: Unicast
Not best: ECMP-Fast configured
64512 64550 65100
192.168.34.2 from 192.168.34.2 (192.168.100.23)
Origin IGP, metric 0, localpref 100, weight 0, received 19:15:29 ago, valid,
external, ECMP, ECMP contributor
Rx SAFI: Unicast
Not best: Redistributed route exists
64512 64550 65100
192.168.44.2 from 192.168.44.2 (192.168.100.24)
Origin IGP, metric 0, localpref 100, weight 0, received 19:15:29 ago, valid,
external, ECMP, ECMP contributor
Rx SAFI: Unicast
Not best: eBGP path preferred
Not advertised to any peer
switch#
To avoid hardware updates and route advertisement churn during switch reload or BGP instance start, BGP enters a convergence state in which it waits for all peers to join and until it has received all routes from all the peers.
BGP convergence is bounded by an upper limit on convergence time (the default value is 5 minutes), and BGP declares convergence when the convergence timer expires. At the end of convergence, BGP updates the routes in the FIB and advertises them to all the peers.
To configure BGP convergence and the different timeout features, use the following commands in router-BGP configuration mode.
Use the show bgp convergence command to view information about the BGP convergence status, and to know if the convergence timer has started or not. The examples below show the command output at different points in the convergence process.
switch(config-router-bgp)# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:02:30
Configured convergence slow peer timeout: 00:00:55
Convergence based update synchronization is enabled
Last Bgp convergence event : None
Bgp convergence state : Not Initiated (Waiting for the first peer to join)
Convergence timer is not running
Convergence timeout in use: 00:02:30
Convergence slow peer timeout in use: 00:00:55
First peer is not up yet
All the expected peers are up: no
All IGP protocols have converged: yes
Outstanding EORs: 0, Outstanding Keepalives: 0
Pending Peers: 2
Total Peers: 2
Established Peers: 0
Disabled Peers: 0
Peers that have not converged yet:
IPv4 peers:
201.1.1.1 (Session : Connect)
202.1.1.1 (Session : Connect)
IPv6 peers:
None
switch(config-router-bgp)#
switch# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:02:30
Configured convergence slow peer timeout: 00:00:55
Convergence based update synchronization is enabled
Last Bgp convergence event 00:00:40 ago
Bgp convergence state : Pending (Waiting for EORs/Keepalives from peer(s) and IGP
convergence)
Convergence timer running, will expire in 00:01:50
Convergence timeout in use: 00:02:30
Convergence slow peer timeout in use: 00:00:55
First peer came up 00:00:13 ago
All the expected peers are up: no
All IGP protocols have converged: yes
Outstanding EORs: 0, Outstanding Keepalives: 0
Pending Peers: 1
Total Peers: 2
Established Peers: 1
Disabled Peers: 0
Peers that have not converged yet:
IPv4 peers:
201.1.1.1 (Session : Active)
IPv6 peers:
None
switch#
switch(config-router-bgp)# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:02:30
Configured convergence slow peer timeout: 00:00:55
Convergence based update synchronization is enabled
Last Bgp convergence event 00:02:44 ago
Bgp convergence state : Timeout reached
Time taken to converge 00:02:30
Pending Peers: 1
Total Peers: 2
Established Peers: 1
Disabled Peers: 0
Peers that did not converge before local bgp convergence:
IPv4 peers:
201.1.1.1 (Session : Active)
202.1.1.1 (Session : Established)
IPv6 peers:
None
switch(config-router-bgp)#
switch(config-router-bgp)# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:05:00
Configured convergence slow peer timeout: 00:01:30
Convergence based update synchronization is enabled
Last Bgp convergence event 00:00:05 ago
Bgp convergence state : Converged
Time taken to converge 00:00:02
First peer came up 00:00:05 ago
Pending Peers: 0
Total Peers: 3
Established Peers: 3
Disabled Peers: 0
Peers that did not converge before local bgp convergence:
IPv4 peers:
None
IPv6 peers:
None
switch(config-router-bgp)#
The set community (route-map) command specifies community attribute modifications to BGP routes.
switch(config)# route-map map1
switch(config-route-map-map1)# set community GSHUT
switch(config-route-map-map1)# exit
switch(config)#
The ip community-list command creates and configures a BGP access list that is based on BGP communities.
The match (route-map) command creates a route map clause entry that specifies one route filtering condition.
switch(config)# ip community-list gshut_list permit GSHUT
switch(config)# route-map map1
switch(config-route-map-map1)# match community gshut_list
switch(config-route-map-map1)# exit
switch(config)#
The show route-map command displays the contents of the specified route maps.
switch# show route-map map1
route-map map1 permit 10
Description:
Match clauses:
Set clauses:
set community GSHUT
switch#
The bgp additional-paths send mode/application command is used in the BGP configuration mode to enable BGP additional paths.
The following examples show how to configure Add-Path TX at global, address family (AF) and neighbor for both default VRF and non-default VRF.
switch(config)# router bgp 65003
switch(config-router-bgp)# bgp additional-paths send any
switch(config)# router bgp 65003
switch(config-router-bgp)# bgp additional-paths send limit 2
switch(config)# router bgp 65003
switch(config-router-bgp)# bgp additional-paths send ecmp
switch(config)# router bgp 65003
switch(config-router-bgp)# bgp additional-paths send ecmp limit 2
switch(config)# router bgp 65003
switch(config-router-bgp)# bgp additional-paths send backup
switch(config)#router bgp 65003
switch(config-router-bgp)#address-family ipv4
switch(config-router-bgp-af)#bgp additional-paths send any
switch(config)#router bgp 65003
switch(config-router-bgp)#address-family ipv4
switch(config-router-bgp-af)#bgp additional-paths send limit 3
switch(config)#router bgp 65003
switch(config-router-bgp)#address-family ipv4
switch(config-router-bgp-af)#bgp additional-paths send ecmp
switch(config)#router bgp 65003
switch(config-router-bgp)#address-family ipv4
switch(config-router-bgp-af)#bgp additional-paths send ecmp limit 3
switch(config)#router bgp 65003
switch(config-router-bgp)#address-family ipv4
switch(config-router-bgp-af)#bgp additional-paths send backup
switch(config)# router bgp 65003
switch(config-router-bgp)# neighbor 90.0.0.1 additional-paths send any
switch(config)# router bgp 65003
switch(config-router-bgp)# neighbor 90.0.0.1 additional-paths send limit
switch(config)# router bgp 65003
switch(config-router-bgp)# neighbor 90.0.0.1 additional-paths send ecmp
switch(config)# router bgp 65003
switch(config-router-bgp)# neighbor 90.0.0.1 additional-paths send ecmp limit 4
switch(config)# router bgp 65003
switch(config-router-bgp)# neighbor 90.0.0.1 additional-paths send backup
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# bgp additional-paths send any
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# bgp additional-paths send limit 5
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# bgp additional-paths send ecmp
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# bgp additional-paths send ecmp limit 5
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# bgp additional-paths send backup
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# address-family ipv4
switch(config-router-bgp-vrf-Acme-af)# bgp additional-paths send any
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# address-family ipv4
switch(config-router-bgp-vrf-Acme-af)# bgp additional-paths send limit 6
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# address-family ipv4
switch(config-router-bgp-vrf-Acme-af)# bgp additional-paths send ecmp
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# address-family ipv4
switch(config-router-bgp-vrf-Acme-af)# bgp additional-paths send ecmp limit 6
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# address-family ipv4
switch(config-router-bgp-vrf-Acme-af)# bgp additional-paths send backup
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# neighbor 90.0.0.1 additional-paths send any
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# neighbor 90.0.0.1 additional-paths send limit 7
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# neighbor 90.0.0.1 additional-paths send ecmp
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# neighbor 90.0.0.1 additional-paths send ecmp limit 7
switch(config)# router bgp 65003
switch(config-router-bgp)# vrf Acme
switch(config-router-bgp-vrf-Acme)# neighbor 90.0.0.1 additional-paths send backup
The bgp route install-map command is used in the BGP configuration mode to enable BGP Selective Route Download. BGP Selective Route Download can also be configured in an address family or VRF instance as shown in the following examples.
The following examples show how to configure a prefix list and route map, then apply BGP Selective Route Download to the map.
switch(config)# ip prefix-list PFXL_ALLOW
switch(config-ip-pfx)# seq 1 permit 10.0.0.0/24 ge 24 le 32
switch(config-ip-pfx)# seq 2 permit 20.0.0.0/24 ge 24 le 32
switch(config-ip-pfx)# exit
switch(config)#
switch(config)# route-map BGP_INSTALL_MAP permit 10
switch(config-route-map-BGP_INSTALL_MAP)# match ip address prefix-list PFXL_ALLOW
switch(config-route-map-BGP_INSTALL_MAP)# exit
switch(config)# route-map BGP_INSTALL_MAP deny 20
switch(config)#
switch(config)# router bgp 100
switch(config-router-bgp)# bgp route install-map BGP_INSTALL_MAP
switch(config-router-bgp)#
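How the PFXL_ALLOW prefix list and BGP_INSTALL_MAP route map configured above decide which best paths are installed, as an added example (a simplified model, not Arista code). The class and function names and the sample routes are constructed; the model assumes first-match evaluation by sequence number with an implicit deny, and the conventional ge/le prefix-length semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    permit: bool
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route):
        net = ipaddress.ip_network(self.prefix)
        if route.version != net.version or not route.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == net.prefixlen      # exact match only
        low = net.prefixlen if self.ge is None else self.ge
        high = route.max_prefixlen if self.le is None else self.le
        return low <= route.prefixlen <= high


@dataclass(frozen=True)
class MapStatement:
    seq: int
    permit: bool
    prefix_list: Optional[str] = None    # None: no match clause, matches all


def prefix_list_permits(entries, route):
    """First matching entry decides; no match is an implicit deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.permit
    return False


def install_map_permits(statements, prefix_lists, route):
    """First statement whose match clause holds decides the result."""
    for st in sorted(statements, key=lambda s: s.seq):
        if st.prefix_list is None or prefix_list_permits(
                prefix_lists[st.prefix_list], route):
            return st.permit
    return False


# The configuration from the example above.
PREFIX_LISTS = {"PFXL_ALLOW": [
    PrefixEntry(1, True, "10.0.0.0/24", ge=24, le=32),
    PrefixEntry(2, True, "20.0.0.0/24", ge=24, le=32),
]}
BGP_INSTALL_MAP = [MapStatement(10, True, "PFXL_ALLOW"),
                   MapStatement(20, False)]

# Constructed BGP best paths, not taken from a real table.
BEST_PATHS = ["10.0.0.0/24", "10.0.0.128/25", "10.0.0.7/32", "10.0.1.0/24",
              "10.0.0.0/16", "20.0.0.64/26", "7.0.0.0/24", "2001:db8::/32"]


def rib_status(routes=BEST_PATHS):
    """Map each route to the status flags used by show ip bgp:
    '* >' for an installed path, '* #' for one that is not installed."""
    result = {}
    for text in routes:
        route = ipaddress.ip_network(text)
        ok = install_map_permits(BGP_INSTALL_MAP, PREFIX_LISTS, route)
        result[text] = "* >" if ok else "* #"
    return result


if __name__ == "__main__":
    for prefix, flags in rib_status().items():
        print(f"{flags} {prefix}")
```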
The following examples show how to configure prefix lists individually for the IPv4 and IPv6 address families, then apply BGP Selective Route Download for these address families.
switch(config)# ip prefix-list V4_ALLOW
switch(config-ip-pfx)# route-map BGP_V4_MAP permit 10
switch(config-route-map-BGP_V4_MAP)# match ip address prefix-list V4_ALLOW
switch(config-route-map-BGP_V4_MAP)# route-map BGP_V4_MAP deny 20
switch(config-route-map-BGP_V4_MAP)# exit
switch(config)#
switch(config)# ipv6 prefix-list V6_ALLOW
switch(config-ipv6-pfx)# route-map BGP_V6_MAP permit 10
switch(config-route-map-BGP_V6_MAP)# match ipv6 address prefix-list V6_ALLOW
switch(config-route-map-BGP_V6_MAP)# route-map BGP_V6_MAP deny 20
switch(config-route-map-BGP_V6_MAP)# exit
switch(config)#
switch(config)# router bgp 200
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# bgp route install-map BGP_V4_MAP
switch(config-router-bgp-af)# exit
switch(config-router-bgp)# address-family ipv6
switch(config-router-bgp-af)# bgp route install-map BGP_V6_MAP
switch(config-router-bgp-af)#
The show ip bgp command displays BGP RIB winning paths that are not installed in the RIB.
Example
switch# show ip bgp
BGP routing table information for VRF default
Router identifier 1.0.0.2, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 6.0.0.0/24 1.0.0.1 0 100 0 ?
* # 7.0.0.0/24 1.0.0.1 0 100 0 ?
switch#
The show ip bgp command with a specified prefix displays detailed information and the reason for the BGP RIB winning paths to that prefix not being installed in the RIB.
Example
switch# show ip bgp 7.0.0.0/24
BGP routing table information for VRF default
Router identifier 1.0.0.2, local AS number 100
BGP routing table entry for 7.0.0.0/24
Paths: 1 available
Local
1.0.0.1 from 1.0.0.1 (1.0.0.1)
Origin INCOMPLETE, metric 0, localpref 100, weight 0, valid, internal, not
installed (denied by install-map)
switch#
The show ip bgp installed command displays the list of installed routes in the BGP RIB.
Example
switch# show ip bgp installed
BGP routing table information for VRF default
Router identifier 1.0.0.2, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 6.0.0.0/24 1.0.0.1 0 100 0 ?
switch#
The show ip bgp not-installed command displays the list of non-installed routes in the RIB.
Example
switch# show ip bgp not-installed
BGP routing table information for VRF default
Router identifier 1.0.0.2, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* # 7.0.0.0/24 1.0.0.1 0 100 0 ?
switch#
The configuration model for this feature involves configuring and applying Nexthop Resolution RIB Profiles on a per-address family basis. There are two ways a profile can be applied: (1) across an entire address-family, or (2) a granular, route-map based mechanism for specific routes within an address family. The per-address-family configuration is the simplest. It enables specification of a unique profile for all the routes in a given address family, such as IPV4 unicast, or EVPN. In contrast, the route-map approach leverages the matching criteria of route-map statements to apply profiles to individual routes within an address family.
switch(config-router-bgp-af)# next-hop resolution ribs(PROFILE|[route-map NAME])
The PROFILE option is a list of up to three (3) resolution domains. The NAME option is the name of a route-map. Notice the PROFILE and route-map NAME options are mutually exclusive. That is, a resolution profile can be specified either explicitly at the address family level, or on a per-route basis via a route-map.
switch(config-route-map-NAME)# set next-hop resolution ribs PROFILE
You can combine this statement with existing match statements to select profiles based on the BGP path attributes of a route, or other properties.
PROFILE:=DOMAIN[DOMAIN[DOMAIN]]
switch(config)# router bgp id
switch(config-router-bgp)# address-family evpn
switch(config-router-bgp-af)# next-hop mpls resolution ribs PRIMARY-RIB [FALLBACK-RIB]
switch(config-router-bgp-af)# next-hop vxlan resolution ribs IP-RIB
...
address-family ipv4 labeled-unicast
next-hop mpls resolution ribs PRIMARY-RIB [FALLBACK-RIB]
address-family ipv6 labeled-unicast
next-hop mpls resolution ribs PRIMARY-RIB [FALLBACK-RIB]
The PRIMARY-RIB and FALLBACK-RIB each refer to either the tunnel domain or the IP RIB domain. EVPN VXLAN only supports the IP-RIB domain.
The system-unicast-rib refers to complete IP RIB and the system-connected refers to just the connected routes.
Primary and secondary RIBs cannot come from the same domain (for example, both cannot be from the tunnel domain and both cannot be from the IP RIB domain). The FALLBACK-RIB is optional.
Next hops first attempt to resolve using the primary RIB. If that resolution fails, they attempt to resolve using the fallback RIB (if one exists).
router bgp <id>
address-family ipv4 labeled-unicast
next-hop resolution ribs tunnel-rib USER_TR system-unicast-rib
All the next hops of the IPv4 labeled-unicast routes first attempt to resolve using the tunnel RIB USER_TR. If that resolution fails, the next hops attempt to resolve using the complete unicast IP RIB.
Domain | Token | Description |
---|---|---|
IP RIB | system-unicast-rib | The complete IP unicast RIB is available for next-hop resolution. |
Connected routes (IP) | system-connected | Only connected routes are available for next-hop resolution. |
System tunnel RIB | tunnel-rib system-tunnel-rib | All winning tunnels from all protocols are available for next-hop resolution. |
System colored tunnel RIB | tunnel-rib colored system-colored-tunnel-rib | All winning, colored tunnels from all protocols are available for next-hop resolution. Only routes with an associated color can be resolved by the system colored tunnel RIB. |
User-defined tunnel RIB | tunnel-rib NAME | All contributing tunnels to the tunnel RIB called NAME are available for next-hop resolution. |
IP RIB of VPN Import VRF | vrf-unicast-rib | This token is limited to BGP L3VPNs. |
switch(config)# router bgp num
switch(config-router-bgp)# address-family evpn
switch(config-router-bgp-af)# next-hop mpls resolution ribs PROFILE
next-hop vxlan resolution ribs PROFILE
address-family ipv4
next-hop resolution ribs ( PROFILE | route-map NAME )
address-family ipv4 labeled-unicast
next-hop resolution ribs PROFILE
address-family ipv6
next-hop resolution ribs ( PROFILE | route-map NAME )
next-hop 6pe resolution ribs PROFILE
address-family ipv6 labeled-unicast
next-hop resolution ribs PROFILE
address-family vpn-ipv4
next-hop resolution ribs PROFILE
address-family vpn-ipv6
next-hop resolution ribs PROFILE
Note that a given address-family may restrict the possible profiles which can be configured, and may not support specifying a route-map. For example, the resolution profile for 6PE routes, configured via next-hop 6pe resolution ribs PROFILE, is constrained to only the tunnel domain. That is, the profile cannot specify either system-unicast-rib or system-connected. This is, of course, because it is meaningless to resolve a 6PE next-hop using either of those resolution domains.
Configuration | Release | |||||
next-hop resolution ribs PROFILE command | ||||||
4.22.0F | 4.22.1F | 4.23.1F | 4.24.1F | 4.25.1F | Unsupported / Not Applicable | |
IPv4/IPv6 unicast (non 6PE) | X | |||||
IPv6 unicast 6PE | X | |||||
IPv4/IPv6 VPN (vrf-unicast-rib) | X | |||||
IPv4/IPv6 VPN (full profile) | X | |||||
EVPN (MPLS) | X | |||||
EVPN (VXLAN) | X | |||||
IPv4/IPv6 LU | X | |||||
IPv4/IPv6 Multicast | X | |||||
IPv4/IPv6 SR TE | X | |||||
Flowspec | X | |||||
Path Selection | X | |||||
Link State | X | |||||
RT Membership | X | |||||
PROFILE configuration | ||||||
Up to 2 resolution domains | X | |||||
Up to 3 resolution domains | X | |||||
system-colored-tunnel-rib | X | |||||
next-hop resolution ribs route-map NAME command | ||||||
IPv4/IPv6 unicast (non 6PE) | X | |||||
IPv6 unicast 6PE | X | |||||
IPv4/IPv6 VPN | X | |||||
EVPN (MPLS) | X | |||||
EVPN (VXLAN) | X | |||||
IPv4/IPv6 LU | X | |||||
IPv4/IPv6 Multicast | X | |||||
IPv4/IPv6 SR TE | X | |||||
Flowspec | X | |||||
Path Selection | X | |||||
Link State | X | |||||
RT Membership | X | |||||
Route-map submode | ||||||
match ip[v6] next-hop | X | |||||
match ip[v6] address prefix-list | X | |||||
match community | X | |||||
match extcommunity | X | |||||
match large-community | X | |||||
All other match statements | X | |||||
All other set statements | X | |||||
sub-route-map | X |
Address-family | Default profile |
---|---|
IPv4/IPv6 unicast (non 6PE) | tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib system-unicast-rib |
IPv6 unicast 6PE | tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib |
IPv4/IPv6 unicast (eBGP directly connected) | system-connected |
IPv4/IPv6 VPN | tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib system-connected |
IPv4/IPv6 LU | tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib system-connected |
EVPN (MPLS) | tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib system-connected |
EVPN (VXLAN) | system-unicast-rib |
IPv4/IPv6 Multicast | This is not supported. Multicast next-hops are first resolved in the MRIB. Failure to resolve in the MRIB results in a lookup in the unicast RIB. |
Flowspec | These next hops are not resolved. |
When processing the next-hop of a route, the next-hop resolver attempts resolution by using the first domain in the route’s resolution profile. If the resolution domain successfully resolves the next-hop, the resolver stops. If resolution fails, however, the resolver moves onto the next domain, if it exists, and tries again. This iterative process continues until the next-hop is either resolved, or the profile is exhausted. In the latter case, the next-hop is left unresolved.
switch(config-router-bgp-af)# next-hop resolution ribs system-unicast-rib
switch(config-router-bgp-af)# next-hop resolution ribs tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib system-connected
Therefore, only when a next-hop cannot be resolved by any of those domains will it be ultimately unresolved.
This section describes semantics and limitations specific to the next-hop resolution ribs route-map NAME command.
The use of a route-map to select a custom resolution profile allows for per-route granularity rather than an entire BGP address-family. The next-hop resolution semantics of a next-hop whose profile is set using a route-map are the same as the per-address family configuration. However, unlike in the per-address family configuration model, a route-map makes it possible to leave the resolution profile for a next-hop unspecified. A next-hop for which the resolution profile is unspecified is left unresolved. The following example illustrates this as well as the recommended configuration.
ip prefix-list SUBSET 192.0.2.1/32 192.0.2.2/32 192.0.2.3/32
route-map TUNNEL_ONLY permit 10
match ip next-hop prefix-list SUBSET
set next-hop resolution ribs tunnel-rib system-tunnel-rib
router bgp 64512
address-family ipv4
next-hop resolution ribs route-map TUNNEL_ONLY
Note, however, that the TUNNEL_ONLY route-map applies to all IPV4 unicast routes. Further, note that only routes whose next-hop value matches SUBSET will have a resolution profile set. All other IPV4 unicast routes will have no resolution profile. Any route without a resolution profile is left unresolved. This is often not intentional.
A more common use case is to allow the routes that do not match a given sequence to fall back to the system default resolution behavior. This can be achieved by adding a second sequence to the route-map with no match statements (so it matches all routes) and a single set statement that sets the default profile (see the Default Resolution Profiles section) for the given address family.
ip prefix-list SUBSET 192.0.2.1/32 192.0.2.2/32 192.0.2.3/32
route-map TUNNEL_ONLY permit 10
match ip next-hop prefix-list SUBSET
set next-hop resolution ribs tunnel-rib system-tunnel-rib
route-map TUNNEL_ONLY permit 20
set next-hop resolution ribs tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib system-unicast-rib
router bgp 64512
address-family ipv4
next-hop resolution ribs route-map TUNNEL_ONLY
ip prefix-list SUBSET 192.0.2.1/32 192.0.2.2/32 192.0.2.3/32
route-map TUNNEL_ONLY permit 10
match ip next-hop prefix-list SUBSET
set next-hop resolution ribs tunnel-rib system-tunnel-rib
route-map TUNNEL_ONLY permit 20
set next-hop resolution ribs system-default
router bgp 64512
address-family ipv4
next-hop resolution ribs route-map TUNNEL_ONLY
This subfeature affects both the profile used to resolve BGP VPN routes and the VRF in which the route resolution takes place. With this feature disabled, or prior to EOS Release 4.22.0F, the import of VPN routes is subject to the following restriction:
For each VPN route received from a neighbor, the route is imported (based on route-targets) and installed into the target VRF (import-vrf), only if the nexthop of the route is resolvable via an MPLS tunnel in the default VRF.
With this feature enabled, the above restriction is lifted, enabling a VPN route to be imported into the target VRF unconditionally. The plain IP unicast route is subsequently resolved using the unicast RIB of the target VRF.
switch(config-router-bgp-af)# next-hop resolution ribs vrf-unicast-rib
router bgp 64512
address-family vpn-ipv4
next-hop resolution ribs vrf-unicast-rib
switch(config)# show bgp vpn-ipv4
BGP routing table information for VRF default
Router identifier 0.0.0.1, local AS number 300
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
RD: 11.0.1.1:0 IPv4 prefix 50.1.1.0/24
42.42.42.42 - 1 0 100 200 i
The route is inactive in the default VRF.
switch(config)# show ip bgp vrf CUST-1
BGP routing table information for VRF CUST-1
Router identifier 11.0.0.1, local AS number 300
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 50.1.1.0/24 42.42.42.42 - 1 0 100 200 i
switch(config)# show ip route vrf CUST-1
VRF: CUST-1
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
S 42.42.42.42/32 is directly connected, Null0
B I 50.1.1.0/24 is directly connected, Null0
switch(config)# show rib next-hop ip vrf CUST-1 bgp detail
VRF: CUST-1, Protocol: bgp
Codes: * - Unresolved Next hop
L - Part of a recursive route resolution loop
A - Next hop not resolved in ARP/ND
11.0.1.1 [1 pref/0 metric] [ID: 18] type ipv4
Resolution RIBs: system-unicast-rib
via Null0, directly connected [ID 3]
switch(config)# show route-map
route-map foo permit 10
Description:
Match clauses:
SubRouteMap:
Set clauses:
set next-hop resolution ribs tunnel-rib system-tunnel-rib
route-map foo permit 20
Description:
Match clauses:
SubRouteMap:
Set clauses:
set next-hop resolution ribs tunnel-rib colored system-colored-tunnel-rib tunnel-rib system-tunnel-rib system-unicast-rib
switch(config)#show route-map | json
{
"routeMaps": {
"foo": {
"entries": {
"20": {
"setRules": {
"resolutionRibProfileConfig": {
"resolutionMethods": [
{
"ribType": "tunnel",
"colored": true,
"name": "system-colored-tunnel-rib"
},
{
"ribType": "tunnel",
"name": "system-tunnel-rib"
},
{
"ribType": "ip",
"name": "system-unicast-rib"
}
]
}
},
"subRouteMap": {
"name": "",
"invert": false
},
"filterType": "permit",
"matchRules": {},
"description": []
},
"10": {
"setRules": {
"resolutionRibProfileConfig": {
"resolutionMethods": [
{
"ribType": "tunnel",
"name": "system-tunnel-rib"
}
]
}
},
"subRouteMap": {
"name": "",
"invert": false
},
"filterType": "permit",
"matchRules": {
},
"description": []
}
}
}
}
},
Use the show bgp instance command to inspect the configured profiles and route-maps for each address family. The display output has been extended to show the resolution RIBs used for the EVPN and BGP labeled-unicast address families, as seen below. The output displays the resolution RIB profile configuration for the respective address families.
switch(config-router-bgp)# show bgp instance
BGP instance information for VRF default
...
Address family IPv4 MplsLabel:
Additional-paths installation is disabled
Convergence based update synchronization is disabled
Target RIBs: Tunnel RIB
Resolution RIBs: tunnel-rib system-tunnel-rib, system-connected
...
Address family IPv6 MplsLabel:
Additional-paths installation is disabled
Convergence based update synchronization is disabled
Target RIBs: Tunnel RIB
Resolution RIBs: tunnel-rib system-tunnel-rib, system-connected
...
Address family L2VPN EVPN:
Additional-paths installation is disabled
Convergence based update synchronization is disabled
Vxlan Resolution RIBs: system-unicast-rib
Mpls Resolution RIBs: tunnel-rib system-tunnel-rib, system-connected
Use the show rib next-hop ip bgp command to display the per-via resolution profile.
Use the show rib next-hop {ip | ipv6}[proto] detail command to display which resolution profile is used to resolve each next-hop.
switch#(config-router-bgp)# show rib next-hop ip bgp detail
VRF: default, Protocol: bgp
Codes: * - Unresolved Next hop
L - Part of a recursive route resolution loop
A - Next hop not resolved in ARP/ND
192.0.2.1 [110 pref/20 metric] [ID: 1] type ipv4
Resolution RIBs: tunnel-rib colored system-colored-tunnel-rib, tunnel-rib system-tunnel-rib, system-unicast-rib
via 198.51.100.1, Ethernet3 [ID: 10]
192.0.2.2 * [ID: 86]
Resolution RIBs: No profile set for this next-hop
192.0.2.3 * [ID: 78]
Resolution RIBs: tunnel-rib colored system-colored-tunnel-rib, tunnel-rib system-tunnel-rib, system-connected
Note how 192.0.2.2 has no profile set, and is therefore unresolved. This show command illustrates this clearly with the No profile set for this next-hop message.
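The check described above can be automated. The following is an added example, not part of the original documentation or EOS itself: it parses the sample show rib next-hop ip bgp detail output shown above and separates next hops left unresolved because no route-map sequence set a profile from next hops whose profile was set but exhausted. The function names and finding labels are assumptions made for this sketch.

```python
import ipaddress

# Sample text copied from the show rib next-hop ip bgp detail output above.
SAMPLE_OUTPUT = """\
VRF: default, Protocol: bgp
Codes: * - Unresolved Next hop
L - Part of a recursive route resolution loop
A - Next hop not resolved in ARP/ND
192.0.2.1 [110 pref/20 metric] [ID: 1] type ipv4
Resolution RIBs: tunnel-rib colored system-colored-tunnel-rib, tunnel-rib system-tunnel-rib, system-unicast-rib
via 198.51.100.1, Ethernet3 [ID: 10]
192.0.2.2 * [ID: 86]
Resolution RIBs: No profile set for this next-hop
192.0.2.3 * [ID: 78]
Resolution RIBs: tunnel-rib colored system-colored-tunnel-rib, tunnel-rib system-tunnel-rib, system-connected
"""

NO_PROFILE = "No profile set for this next-hop"


def _is_ip(token):
    """True when the token is a bare IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_next_hops(text):
    """Return one dict per next hop: address, unresolved flag, profile, vias."""
    hops = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()          # device output is indented; tolerate both
        if not line:
            continue
        tokens = line.split()
        if _is_ip(tokens[0]):
            # A next-hop header line; "*" right after the address = unresolved.
            current = {
                "address": tokens[0],
                "unresolved": len(tokens) > 1 and tokens[1] == "*",
                "profile": [],
                "profile_missing": False,
                "vias": [],
            }
            hops.append(current)
        elif current is None:
            continue                # banner and legend lines before first hop
        elif line.startswith("Resolution RIBs:"):
            value = line.split(":", 1)[1].strip()
            if value == NO_PROFILE:
                current["profile_missing"] = True
            else:
                current["profile"] = [d.strip() for d in value.split(",")]
        elif line.startswith("via "):
            current["vias"].append(line[4:])
    return hops


def audit(hops):
    """Return (address, finding) pairs for every unresolved next hop."""
    findings = []
    for hop in hops:
        if hop["profile_missing"]:
            # The route-map had no sequence that set a profile for this route.
            findings.append((hop["address"], "no-profile"))
        elif hop["unresolved"]:
            # A profile was set, but every domain in it failed to resolve.
            findings.append((hop["address"], "profile-exhausted"))
    return findings


if __name__ == "__main__":
    for address, finding in audit(parse_next_hops(SAMPLE_OUTPUT)):
        print(f"{address}: {finding}")
```

A "no-profile" finding points at the route-map (a missing catch-all sequence), while "profile-exhausted" points at the resolution domains themselves.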
Currently, EOS generates a single system-defined tunnel RIB for the next-hop resolution.
When tunnels to the same destination address are learned from multiple protocols, a fixed preference that is associated with each protocol is used to determine the winning tunnel.
However, with the User-defined tunnel RIBs feature the user is allowed to create user-defined tunnel RIBs with:
switch(config)# tunnel-ribs
switch(config-tunnel-ribs)# tunnel-rib SR_OVER_LDP
switch(config-tunnel-rib-SR_OVER_LDP)# source-protocol isis segment-routing preference 10
switch(config-tunnel-rib-SR_OVER_LDP)# source-protocol ldp preference 20
When adding a source protocol in a user-defined tunnel RIB, the preference is optional. A lower preference value indicates a more preferred protocol. If the preference is not specified, the following system-defined preference values are used:
Source Protocol | System-defined Preference |
---|---|
Static | 15 |
Nexthop group tunnel | 25 |
RSVP LER | 45 |
LDP | 55 |
IS-IS SR | 65 |
BGP-LU | 85 |
Modifying the system-tunnel-rib
switch#(config)# tunnel-ribs
switch#(config-tunnel-ribs)# tunnel-rib system-tunnel-rib
switch#(config-tunnel-rib-system-tunnel-rib)#?
source-protocol Configure the tunnel source
----------------------------------------
comment Up to 240 characters, comment for this mode
default Set a command to its defaults
exit Leave Configure mode
no Disable the command that follows
show Display details of switch operation
!! Append to comment
switch#(config-tunnel-rib-system-tunnel-rib)# source-protocol ?
bgp BGP tunnel
isis IS-IS tunnel
ldp LDP tunnel
nexthop-group Nexthop group tunnel
rsvp-ler RSVP LER tunnel
static Static tunnel
switch#(config-tunnel-rib-system-tunnel-rib)# source-protocol rsvp-ler preference 2
switch#(config-tunnel-rib-system-tunnel-rib)# exit
switch#(config-tunnel-ribs)# show active all
tunnel-ribs
tunnel-rib system-tunnel-rib
source-protocol static
source-protocol isis segment-routing
source-protocol bgp labeled-unicast
source-protocol nexthop-group
source-protocol rsvp-ler preference 2
source-protocol ldp
switch# show tunnel rib SR_OVER_LDP brief
Tunnel RIB: SR_OVER_LDP
Endpoint Tunnel Type Index(es) Tunnel Preference IGP Preference IGP Metric
--------------- ------------- --------- ------------------ --------------- ----------
1.1.1.1/32 IS-IS SR IPv4 2 10 115 20
switch# show tunnel rib brief
Tunnel RIB: system-tunnel-rib
Endpoint Tunnel Type Index(es) Tunnel Preference IGP Preference IGP Metric
--------------- ------------- --------- ------------------ --------------- ----------
1.1.1.1/32 LDP 1 55 1 0
switch(config)# tunnel-ribs
switch(config-tunnel-ribs)# tunnel-rib system-tunnel-rib
switch(config-tunnel-ribs)# show active all
tunnel-ribs
tunnel-rib system-tunnel-rib
source-protocol static
source-protocol isis segment-routing
source-protocol bgp labeled-unicast
source-protocol nexthop-group
source-protocol rsvp-ler
source-protocol ldp
BGP confederations allow you to break an Autonomous System (AS) into multiple sub-ASs, and then to group the sub-ASs as a confederation. The sub-ASs exchange iBGP routing information (next-hop, local-preference and MED), but communicate via eBGP.
To configure a BGP confederation, complete the following tasks on each BGP device in the confederation.
The neighbors from other autonomous systems within the confederation are treated as special eBGP peers when using the bgp confederation peers command.
switch(config)# router bgp 65050
switch(config-router-bgp)# bgp confederation identifier 100
switch(config-router-bgp)# bgp confederation peers 65060
switch(config-router-bgp)#
switch(config)# router bgp 65050
switch(config-router-bgp)# bgp confederation identifier 100
switch(config-router-bgp)# bgp confederation peers 65060
switch(config-router-bgp)# no bgp confederation peers 65032, 65036
switch(config-router-bgp)#
The BGP Flowspec address family is enabled on a per-peer basis with:
switch(config)# router bgp id
switch(config-router-bgp)# address-family flow-spec [ipv4 | ipv6]
switch(config-router-bgp-af)# neighbor address activate
Flowspec has to be explicitly enabled on an interface, with:
switch(config)# interface Ethernet1
switch(config-if-Et1)# flow-spec ipv4 ipv6
Currently, both IPv4 and IPv6 must be enabled together on the interface. A user-defined TCAM profile, a feature introduced in EOS Release 4.20.5F, must be configured for TCAM support for flowspec.
Warning: Creating user-defined TCAM profile on the Arista switch could cause serious issues that impact traffic. You should test flowspec policer with the profile given in this document. If you need to add new features in the profile, work with Arista's TAC team to define and test the new profile before deploying it on your production switches.
The ACL counters and Flowspec counters cannot be enabled simultaneously. To enable reporting of counters for flow-spec rules, use the following configuration:
switch(config)# no hardware counter feature acl in
switch(config)# hardware counter feature flow-spec in
The BGP show commands have been enhanced to display the flow-spec content for both IPv4 and IPv6 address families:
The show bgp flow-spec ipv4 summary command displays the count of flowspec rules received from each peer:
switch(config)# show bgp flow-spec ipv4 summary
BGP summary information for VRF default
Router identifier 0.0.0.1, local AS number 10
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State RulesRcd RulesAcc
10.0.0.2 4 10 12 4 0 0 00:02:18 Estab 2 2
10.0.1.2 4 10 6 4 0 0 00:02:18 Estab 0 0
The show bgp flow-spec ipv4 command displays a brief description of each flowspec rule, including the matching rule and actions. The matching rule uses the following format:
dest prefix; src prefix; [component:condition] +
The component is abbreviated, for example, DP for destination port and IP for IP Protocol as shown in the following example. The detail of the show command will display the full component name.
The condition is expressed with logical operators. In the following example, IP:=6|=17 matches any packets whose IP Protocol is 6 (TCP) or 17 (UDP). DP:>1010&<1024 matches any packets whose destination port is greater than 1010 and less than 1024.
switch(config)# show bgp flow-spec ipv4
BGP Flow Specification rules for VRF default
Router identifier 0.0.0.1, local AS number 10
Rule status codes: # - not installed, M - received from multiple peers
Matching Rule Actions
10.2.3.0/24;*; Drop
10.2.4.0/24;10.2.0.0/16;IP:=6|=17;DP:>1010&<1024; Drop
The show bgp flow-spec detail command displays the full details of each flowspec rule, including the peer(s) it was received from, BGP properties, and an expanded description of the matching rule:
switch(config)# show bgp flow-spec ipv4 detail
BGP Flow Specification rules for VRF default
Router identifier 0.0.0.1, local AS number 10
BGP Flow Specification Matching Rule for 10.2.3.0/24;*;
Rule identifier: 3882065752
Matching Rule:
Destination Prefix: 10.2.3.0/24
Source Prefix: *
Paths: 1 available
Local
from 10.0.0.2 (10.1.1.2)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Actions: Drop
BGP Flow Specification Matching Rule for 10.2.4.0/24;10.2.0.0/16;IP:=6|=17;DP:>1010&<1024;
Rule identifier: 3882090640
Matching Rule:
Destination Prefix: 10.2.4.0/24
Source Prefix: 10.2.0.0/16
IP Protocol: =6 | =17
Destination Port: >1010 & <1024
Paths: 1 available
Local
from 10.0.0.2 (10.1.1.2)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Actions: Drop
The show flow-spec ipv4 summary command displays an overall status of how many flowspec rules were received and how many were installed:
switch(config)# show flow-spec ipv4 summary
Flow specification rules summary for VRF default
Total number of rules: 2
Number of installed rules: 2
The show flow-spec ipv4 command displays the installation status of each rule and a counter of how many hits it has accumulated. This command also compiles the received flowspec rules into rules that can be programmed into the TCAM. For example, logical expressions on values such as the destination port are converted to ranges, as shown below:
switch(config)# show flow-spec ipv4
Flow specification rules for VRF default
Applied on: Ethernet47/1
Flow-spec rule: 10.2.3.0/24;*;
Rule identifier: 3882065752
Matches:
Destination prefix: 10.2.3.0/24
Actions:
Police: 80 Mbps (10 MBps)
Redirect: VRF customer1
Route via LDP tunnel index 4, MPLS label 100123
Route via LDP tunnel index 1, MPLS label 116507
Status:
Installed: yes
Counter: 312 packets
Flow-spec rule: 10.2.4.0/24;10.2.0.0/16;IP:=6|=17;DP:>1010&<1024;
Rule identifier: 3882090640
Matches:
Destination prefix: 10.2.4.0/24
Source prefix: 10.2.0.0/16
Next protocol: 17
6
Destination port: 1011-1023
Actions:
Police: 80 Mbps (10 MBps)
Redirect: VRF customer1
Route via LDP tunnel index 4, MPLS label 100123
Route via LDP tunnel index 1, MPLS label 116507
Status:
Installed: yes
Counter: 0 packets
For redirect actions, additional information is displayed to show how it was resolved.
Actions:
Redirect: VRF customer1
Route via LDP tunnel index 4, MPLS label 100123
Route via LDP tunnel index 1, MPLS label 116507
The next hop specified in the flow-spec redirect action can be resolved by the respective VRF's IP RIB over an MPLS or GRE tunnel, as shown in the following example:
Actions:
Redirect: VRF default, fc00:91:91:91::91
Route via Static Interface tunnel index 1
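To review what a received rule will actually match before relying on it, the matching-rule string can be parsed offline. The following is an added example, not part of the original documentation or EOS: it parses the dest prefix; src prefix; [component:condition] format described above, converts conditions to ranges as the show flow-spec ipv4 output does, and tests constructed packets against the rule. It handles only the DP and IP abbreviations and the =, > and < operators that appear on this page, and treats & as binding tighter than |; the function names are assumptions.

```python
import ipaddress
import re

# Component abbreviations documented on this page, with their value space.
VALUE_SPACE = {"DP": 65535, "IP": 255}   # destination port, IP protocol
ATOM = re.compile(r"^([=<>])(\d+)$")


def compile_condition(condition, max_value):
    """Turn e.g. '>1010&<1024' into merged inclusive ranges [(1011, 1023)]."""
    ranges = []
    for term in condition.split("|"):        # OR: each term is one interval
        lo, hi = 0, max_value
        for atom in term.split("&"):         # AND: narrow the interval
            m = ATOM.match(atom.strip())
            if not m:
                raise ValueError(f"unsupported condition atom: {atom!r}")
            op, n = m.group(1), int(m.group(2))
            if op == "=":
                lo, hi = max(lo, n), min(hi, n)
            elif op == ">":
                lo = max(lo, n + 1)
            else:                            # "<"
                hi = min(hi, n - 1)
        if lo <= hi:                         # drop unsatisfiable terms
            ranges.append((lo, hi))
    ranges.sort()
    merged = []
    for lo, hi in ranges:                    # merge overlapping/adjacent
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_rule(text):
    """Parse 'dst;src;COMP:cond;...' into prefixes and per-component ranges."""
    fields = [f.strip() for f in text.split(";") if f.strip()]
    if len(fields) < 2:
        raise ValueError("expected 'dest prefix; src prefix; ...'")

    def prefix(value):
        return None if value == "*" else ipaddress.ip_network(value)

    rule = {"dst": prefix(fields[0]), "src": prefix(fields[1]), "ranges": {}}
    for component in fields[2:]:
        name, _, condition = component.partition(":")
        if name not in VALUE_SPACE:
            raise ValueError(f"component {name!r} is not handled here")
        rule["ranges"][name] = compile_condition(condition, VALUE_SPACE[name])
    return rule


def matches(rule, dst, src, proto, dport):
    """True when a packet (constructed test values) falls under the rule."""
    def in_prefix(net, addr):
        return net is None or ipaddress.ip_address(addr) in net

    def in_ranges(name, value):
        ranges = rule["ranges"].get(name)
        return ranges is None or any(lo <= value <= hi for lo, hi in ranges)

    return (in_prefix(rule["dst"], dst) and in_prefix(rule["src"], src)
            and in_ranges("IP", proto) and in_ranges("DP", dport))


if __name__ == "__main__":
    # Rule string taken from the show bgp flow-spec ipv4 output above.
    rule = parse_rule("10.2.4.0/24;10.2.0.0/16;IP:=6|=17;DP:>1010&<1024;")
    print(rule["ranges"])
    # Constructed packets: one inside the port range, one just outside it.
    print(matches(rule, "10.2.4.9", "10.2.7.1", 17, 1011))
    print(matches(rule, "10.2.4.9", "10.2.7.1", 17, 1024))
```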
match community or-results COMMLIST1 COMMLIST2
match extcommunity or-results EXTCOMMLIST1 EXTCOMMLIST2
match large-community or-results LARGECOMMLIST1 LARGECOMMLIST2
switch(config)#service routing protocols model multi-agent
switch(config)#ip community-list COMMLIST1 permit 1:1
switch(config)#ip community-list COMMLIST2 permit 2:2
switch(config)#route-map IN-POLICY
switch(config-route-map-IN-POLICY)#match community or-results COMMLIST1 COMMLIST2
switch# show route-map IN-POLICY
route-map IN-POLICY permit 10
Description:
Match clauses:
match community or-results COMMLIST1 COMMLIST2
SubRouteMap:
Set clauses:
set local-preference 500
route-map IN-POLICY permit 20
Description:
Match clauses:
SubRouteMap:
Set clauses:
switch# show run | in 200.200.200.57
neighbor 200.200.200.57 remote-as 300
neighbor 200.200.200.57 update-source Loopback200
neighbor 200.200.200.57 ebgp-multihop
neighbor 200.200.200.57 route-map IN-POLICY in
neighbor 200.200.200.57 maximum-routes 0
switch# show ip bgp community 1:1
BGP routing table information for VRF default
Router identifier 220.220.220.51, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 66.170.224.0/20 200.200.200.57 0 500 0 300 ?
* > 66.170.232.0/21 200.200.200.57 0 500 0 300 ?
* > 128.29.0.0/16 200.200.200.57 0 500 0 300 ?
switch# show ip bgp community 2:2
BGP routing table information for VRF default
Router identifier 220.220.220.51, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 192.12.24.0/24 200.200.200.57 0 500 0 300 ?
* > 192.47.242.0/24 200.200.200.57 0 500 0 300 ?
To set the default policy behavior for BGP so that all routes can be denied or rejected, use the bgp missing policy command. Options control inbound and outbound directions independently. When the inbound direction is affected, currently installed routes from the peer are removed (and withdrawn from other attached peers). When the outbound direction is affected, currently exported routes to the peer are withdrawn. Setting the Missing Policy Action options back to its default/permit value re-applies the current inbound route-map policy processing to the set of routes received from the peer and export routes according to the configured outbound route-map. If soft-reconfiguration is disabled and the inbound direction is affected then the peer must re-send its routes (e.g. a manual “clear ip bgp” command is required).
Permit is the default missing policy action when no/default are applied. Entering the ‘default’ form of the command in a non-default VRF will cause the non-default VRF to inherit the setting from the default VRF. Entering the no form of the command in a non-default VRF will cause the non-default VRF to be configured with the permit setting regardless of the default VRF setting.
The include keyword is optional, and only takes effect in the multi-agent protocol model.
switch(config-router-bgp)# bgp missing-policy [include {prefix-list|sub-route-map}] direction [in|out] action [permit|deny|deny-in-out]
switch(config-router-bgp)# [no|default] bgp missing-policy [include {prefix-list|sub-route-map}] direction [in|out] action
For the actions, the permit and deny options inherit the direction of route denial from the direction, while the deny-in-out option specifically calls out denying routes in both directions.
The include keyword specifies that the policy constructs in the route map should also be examined. The options to the include keyword are.
switch(config-router-bgp)# show ip bgp neighbors
BGP neighbor is 1.0.0.2, remote AS 200, external link
BGP version 4, remote router ID 0.0.1.1, VRF default
Negotiated BGP version 4
…
Missing policy/default deny import action is active
Missing policy/default deny export action is active
Inbound route map is rm1
Outbound route map is rm2
…
To configure BGP to translate IPv4-mapped IPv6 addresses to IPv4 addresses when receiving next hops in labeled-unicast routes, use the neighbor next-hop resolution v4-mapped-v6 translation command. With this configuration, when the switch receives an IPv4-mapped IPv6 address for the next hop of an IPv6 labeled-unicast route, it will translate it to an IPv4 address, which allows the next hop to be resolved in an IPv4 network. This command takes effect only if the multi-agent routing protocol model is running. It applies only to the default VRF.
Example
switch(config)# router bgp 64510
switch(config-router-bgp)# address-family ipv6 labeled-unicast
switch(config-router-bgp-af-label)# neighbor v6_pg next-hop resolution v4-mapped-v6 translation
switch(config-router-bgp-af-label)#
A BGP router advertising a route can provide the IPv4-mapped IPv6 address of one of its local interfaces, such as a loopback interface, as the next hop. This source interface is specified with the neighbor next-hop-self command. The interface must be configured with an IPv4 address for this to be effective.
This configuration does not enable next-hop-self. It simply specifies the interface to be provided if the router advertises itself as the next hop. The next-hop-self action can be enabled with the neighbor next-hop-self command, or by configuring Egress Peer Engineering (EPE) using the neighbor default-originate command, or by other methods.
Example
switch(config)# router bgp 64510
switch(config-router-bgp)# neighbor 2001:0db8::1 next-hop-self
switch(config-router-bgp)# neighbor 2001:0db8::1 next-hop-self v4-mapped-v6 source-interface Loopback 0
switch(config-router-bgp)#
The shutdown (BGP) command disables BGP operations without disrupting the BGP configuration. The no router bgp command disables BGP and removes the BGP configuration.
The no shutdown (BGP) command resumes BGP activity.
switch(config-router-bgp)# shutdown
switch(config-router-bgp)#
switch(config-router-bgp)# no shutdown
switch(config-router-bgp)#
When entered without parameters, the clear ip bgp command clears all BGP learned routes from the routing table, reads routes from designated peers, and sends routes required by those peers. Routes that are read or sent are processed through any modified route map or AS-path access list.
Followed by an asterisk (*), it clears the BGP sessions with all BGP peers. To reset the session with a specific peer, enter the peer’s IP address at the end of the command.
Example
switch# clear ip bgp
! Peerings for all neighbors were hard reset
switch#
BGP IPv6 Link Local Peers Discovery supports a dynamic configuration model to eliminate the need for the network administrator to assign and configure IPv6 addresses for BGP peering.
BGP IPv6 Link Local Peers Discovery uses IPv6 router advertisement to discover the peer's IPv6 link local address. Devices are required to have IPv6 routing enabled, and the interface used for peering must have an IPv6 link local address. The time taken to discover the peer's IPv6 link local address is proportional to the time taken by the peer to send a router advertisement message. When BGP sessions are brought up based on received router advertisements, a flurry of router advertisements on the interfaces causes the Rib agent to do more work and can delay both the discovery of BGP neighbors over those interfaces and the establishment of BGP sessions. Since these are link local addresses, the peers must be directly connected at Layer 3.
This section shows example configurations and topologies for iBGP (BGP Example 1) and eBGP (BGP Example 2).
Example 1 features an internal BGP (iBGP) link that connects peers in AS 100.
Figure 3 displays an iBGP connection, linking neighbors within AS 100. Each switch advertises two subnets. In UPDATE packets sent by Switch A, the LOCAL_PREF field is 150. In UPDATE packets sent by Switch B, the LOCAL_PREF field is 75.
This code configures the Example 1 BGP instance on both switches.
Example 2 creates an external BGP (eBGP) link that connects routers in AS 100 and AS 200.
Figure 4 displays an eBGP connection, linking Switch A in AS 100 to Switch B in AS 200. Each switch advertises two subnets.
Switch A assigns a local preference of 150 to networks advertised by Switch B. Switch B assigns a local preference of 75 to networks advertised by Switch A.
This code configures the Example 2 BGP instance on both switches.
The address-family command places the switch in address-family configuration mode to configure the address family setting of addresses configured as BGP neighbors. The address-family configuration mode is not a group change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.
The running-config displays the address-family commands in sub-blocks of the BGP configuration. The following commands are available in address family configuration mode:
The no address-family and default address-family commands delete the specified address family from running-config by removing all commands previously configured in the corresponding address-family mode.
The exit command returns the switch to router-BGP configuration mode.
Command Mode
Router-BGP Configuration
Command Syntax
bgp [ipv4 | ipv6]
no bgp [ipv4 | ipv6]
default bgp [ipv4 | ipv6]
Example
switch(config)# router bgp 1
switch(config-router-bgp)# address-family ipv6
switch(config-router-bgp-af)# neighbor 172.10.1.1 activate
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#
Use the address-family flow-spec command to filter or redirect DDoS traffic on edge routers. The no and default versions of the command remove the filter that redirects the DDoS traffic.
Command Mode
BGP router configuration mode (config-router-bgp)
Command Syntax
address-family flow-spec [ipv4 | ipv6]
no address-family flow-spec [ipv4 | ipv6]
default address-family flow-spec [ipv4 | ipv6]
Example
The BGP Flowspec address family is enabled on a per-peer basis with:
switch(config)# router bgp id
switch(config-router-bgp)# address-family flow-spec [ipv4|ipv6]
switch(config-router-bgp-af)# neighbor address activate
The aggregate-address command creates an aggregate route in the Border Gateway Protocol (BGP) database. Aggregate routes combine the characteristics of multiple routes into a single route that the switch advertises. Aggregation can reduce the amount of information that a BGP speaker is required to store and transmit when advertising routes to other BGP speakers. Aggregate routes are advertised only after they are redistributed.
The advertised address of the aggregate is entered as an IP subnet; any routes configured on the switch that lie within that subnet then become contributors to the aggregate. Note that on Arista switches the BGP aggregate route will become active if there are any available contributor routes on the switch, regardless of the originating protocol. This includes routes configured statically.
Command options affect the attributes associated with the aggregated route, the advertisement of the contributor routes that comprise the aggregate, and which contributor routes are included.
Command options affect the following aggregate routing attributes:
When the command includes as-set, the aggregate route’s AS_SET attribute contains the AS numbers of contributor routes. This can help BGP neighbors to prevent loops by rejecting aggregate routes that include their AS number in the AS_SET.
When the command does not include as-set, the aggregate route’s ATOMIC_AGGREGATE attribute is set and the aggregate route AS_PATH will include the longest leading PATH_SEQ of the AS_PATH which is common to all contributor routes. For example, for the aggregate 1.0.0.0/16 with two contributors present, the AS_PATH for the aggregate is 100 200 as shown.
Aggregate
1.0.0.0/16 as-path 100 200
Contributors
1.0.1.0/24 as-path 100 200 400 500
1.0.2.0/24 as-path 100 200 300
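The following is an added example, not code from the original page or from Arista. It is a simplified Python model of the behaviour described above: contributors are selected by subnet containment, the aggregate is inactive without a contributor, and the AS_PATH without as-set is the longest common leading sequence. The function names, the dictionary layout, and the extra 2.0.0.0/24 route are assumptions made for illustration.

```python
import ipaddress

# Constructed RIB: prefix -> AS_PATH. The two 1.0.x.0/24 entries are the
# contributors listed on this page; 2.0.0.0/24 is an unrelated extra route.
SAMPLE_RIB = {
    "1.0.1.0/24": [100, 200, 400, 500],
    "1.0.2.0/24": [100, 200, 300],
    "2.0.0.0/24": [700],
}


def contributors(aggregate, rib):
    """Return the RIB entries whose prefix lies within the aggregate subnet."""
    agg = ipaddress.ip_network(aggregate)
    found = {}
    for prefix, as_path in rib.items():
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises TypeError across IP versions, so check first.
        if net.version == agg.version and net.subnet_of(agg):
            found[prefix] = list(as_path)
    return found


def common_leading_sequence(paths):
    """Longest leading run of AS numbers shared by every path."""
    lead = []
    for column in zip(*paths):  # zip stops at the shortest path
        if len(set(column)) != 1:
            break
        lead.append(column[0])
    return lead


def aggregate_attributes(aggregate, rib, as_set=False):
    """Model the aggregate's attributes; None means the aggregate is inactive.

    Assumption: in as-set mode the page only states that AS_SET holds the
    contributors' AS numbers, so as_path is kept as the common lead here and
    the exact split between sequence and set on a device is not modelled.
    """
    contrib = contributors(aggregate, rib)
    if not contrib:
        return None
    paths = list(contrib.values())
    attrs = {
        "contributors": sorted(contrib),
        "as_path": common_leading_sequence(paths),
        "as_set": [],
        "atomic_aggregate": not as_set,
    }
    if as_set:
        attrs["as_set"] = sorted({asn for path in paths for asn in path})
    return attrs


def neighbor_rejects(attrs, neighbor_asn):
    """Loop check by a receiving neighbor: is its own ASN already present?"""
    return neighbor_asn in attrs["as_path"] or neighbor_asn in attrs["as_set"]


if __name__ == "__main__":
    plain = aggregate_attributes("1.0.0.0/16", SAMPLE_RIB)
    with_set = aggregate_attributes("1.0.0.0/16", SAMPLE_RIB, as_set=True)
    print("without as-set:", plain)
    print("with as-set:   ", with_set)
    # AS 500 originated part of the aggregate; only as-set lets it detect that.
    print("AS 500 rejects without as-set:", neighbor_rejects(plain, 500))
    print("AS 500 rejects with as-set:   ", neighbor_rejects(with_set, 500))
```

Without as-set, AS 500 no longer appears in the aggregate's path, so a neighbor in AS 500 has nothing to match against when it performs its loop check.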
The no aggregate-address and default aggregate-address commands remove the corresponding aggregate-address command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
aggregate-address AGGREGATE_NET [AS_SET][SUMMARY][ATTRIBUTE_MAP][MATCH_MAP]
no aggregate-address AGGREGATE_NET
default aggregate-address AGGREGATE_NET
switch(config)# router bgp 1
switch(config-router-bgp)# aggregate-address 10.16.48.0/20 as-set
switch(config-router-bgp)# exit
switch(config)#
switch(config)# route-map map1 permit 10
switch(config-route-map-map1)# set community 45
switch(config-route-map-map1)# exit
switch(config)# router bgp 1
switch(config-router-bgp)# aggregate-address 10.16.48.0/20 attribute-map map1
switch(config-router-bgp)# exit
switch(config)#
switch(config)# route-map matchmap permit 10
switch(config-route-map-matchmap)# match ip address prefix-list agglist
switch(config-route-map-matchmap)# exit
switch(config)# router bgp 1
switch(config-router-bgp)# aggregate-address 1.1.0.0/16 match-map matchmap
switch(config-router-bgp)#
By default, BGP will advertise only those routes that are active in the switch’s RIB. This can contribute to dropped traffic. If a preferred route is available through another protocol (like OSPF), the BGP route will become inactive and not be advertised; if the preferred route is lost, there is no available route to the affected peers. Advertising inactive BGP routes minimizes traffic loss by providing alternative routes.
The bgp advertise-inactive command configures BGP to advertise inactive routes to BGP neighbors. Inactive route advertisement is configured globally, but the global setting can be overridden on a per-VRF basis.
The no bgp advertise-inactive and default bgp advertise-inactive commands restore the default BGP behavior (advertising only active routes) by removing the corresponding bgp advertise-inactive command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp advertise-inactive
no bgp advertise-inactive
default bgp advertise-inactive
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# bgp advertise-inactive
switch(config-router-bgp)#
The bgp always-compare-med command configures the switch to always consider Multi-Exit Discriminator (MED) values (also known as “metric”) in best-path selection. By default, this function is disabled, and MED values are compared only if two paths have the same neighbor AS.
When there are two or more links between autonomous systems, MED values may be set by a router in the originating AS to give preferences to certain routes. In comparing MED values, the lower value is preferred.
The no bgp always-compare-med and default bgp always-compare-med commands restore the default behavior of comparing MED values only on paths with the same neighbor AS.
Command Mode
Router-BGP Configuration
Command Syntax
bgp always-compare-med
no bgp always-compare-med
default bgp always-compare-med
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# bgp always-compare-med
switch(config-router-bgp)#
The bgp bestpath as-path ignore command configures BGP to ignore the length of the Autonomous System (AS) path when comparing routes. This behavior is disabled by default. Normally, the switch compares AS paths as the third step in the best-path selection process (see Best-Path Selection), preferring the route with the shorter AS path.
The no bgp bestpath as-path ignore and default bgp bestpath as-path ignore commands restore the default behavior of considering AS path length in route comparisons.
Command Mode
Router-BGP Configuration
Command Syntax
bgp bestpath as-path ignore
no bgp bestpath as-path ignore
default bgp bestpath as-path ignore
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# bgp bestpath as-path ignore
switch(config-router-bgp)#
The bgp bestpath as-path multipath-relax command allows multiple eBGP routes to a destination to be considered equal in ECMP if their AS paths are the same length despite having different autonomous systems in those paths. The no bgp bestpath as-path multipath-relax command configures best-path selection to consider two paths unequal if their AS path contents are different, and prefers the first path received.
Multipath-relax is enabled by default. The bgp bestpath as-path multipath-relax and default bgp bestpath as-path multipath-relax commands restore the default behavior by removing the corresponding no bgp bestpath as-path multipath-relax command from running-config.
For BGP to support equal cost multipath (ECMP) routing, the maximum paths (BGP) command must be issued in router-BGP configuration mode.
Command Mode
Router-BGP Configuration
Command Syntax
bgp bestpath as-path multipath-relax
no bgp bestpath as-path multipath-relax
default bgp bestpath as-path multipath-relax
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# no bgp bestpath as-path multipath-relax
switch(config-router-bgp)#
By default, within an ECMP group the BGP best-path selection process prefers the active path (the first path received by the switch) unless a relevant tie-breaker is enabled. The no bgp bestpath ecmp-fast command causes the best-path selection process to ignore order of arrival and continue evaluating paths on other criteria.
The bgp bestpath ecmp-fast and default bgp bestpath ecmp-fast commands restore the default behavior by removing the corresponding no bgp bestpath ecmp-fast command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp bestpath ecmp-fast
no bgp bestpath ecmp-fast
default bgp bestpath ecmp-fast
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# no bgp bestpath ecmp-fast
switch(config-router-bgp)#
By default, paths originating within the same confederation as the switch and received from confederation peers do not have their Multi-Exit Discriminator (MED) values compared as part of the best-path selection process. The bgp bestpath med confed command causes comparison of MED values in such routes. To ensure that MED values are considered in the best-path selection process for all routes received, use the bgp always-compare-med command.
The no bgp bestpath med confed and default bgp bestpath med confed commands restore the default behavior by removing the corresponding bgp bestpath med confed command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp bestpath med confed [missing-as-worst]
no bgp bestpath med confed [missing-as-worst]
default bgp bestpath med confed [missing-as-worst]
Parameters
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# bgp bestpath med confed
switch(config-router-bgp)#
By default, BGP best-path selection considers a missing MED value to be 0, so paths with missing MED values will be preferred. The bgp bestpath med missing-as-worst command reverses the behavior, treating a missing MED as having the highest (least preferred) value.
The no bgp bestpath med missing-as-worst and default bgp bestpath med missing-as-worst commands restore the default behavior (giving preference to missing MED values) by removing the corresponding bgp bestpath med missing-as-worst command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp bestpath med missing-as-worst
no bgp bestpath med missing-as-worst
default bgp bestpath med missing-as-worst
Related Commands
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# bgp bestpath med missing-as-worst
switch(config-router-bgp)#
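The following is an added example, not code from the original page or from Arista. It models only the MED step as described for bgp always-compare-med and bgp bestpath med missing-as-worst, and shows how a path that carries no MED wins by default. The confederation case (bgp bestpath med confed) is not modelled, and the Path class, function names, and sample paths are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# MED is a 4-octet unsigned attribute, so this is its highest possible value.
MED_WORST = 2**32 - 1


@dataclass(frozen=True)
class Path:
    name: str
    neighbor_as: int
    med: Optional[int] = None  # None means the route carries no MED attribute


def effective_med(path, missing_as_worst=False):
    """MED used for comparison: a missing MED is 0 by default, or the
    highest value when missing-as-worst is configured."""
    if path.med is None:
        return MED_WORST if missing_as_worst else 0
    return path.med


def med_preference(a, b, always_compare_med=False, missing_as_worst=False):
    """Return the path preferred on MED, or None when MED does not decide.

    By default MED is compared only between paths from the same neighbor AS;
    always_compare_med lifts that restriction. The lower MED is preferred.
    """
    if a.neighbor_as != b.neighbor_as and not always_compare_med:
        return None
    med_a = effective_med(a, missing_as_worst)
    med_b = effective_med(b, missing_as_worst)
    if med_a == med_b:
        return None
    return a if med_a < med_b else b


# Constructed sample paths to the same prefix.
PATH_A = Path("A", neighbor_as=65001, med=50)
PATH_B = Path("B", neighbor_as=65001, med=None)  # MED absent
PATH_C = Path("C", neighbor_as=65002, med=10)

if __name__ == "__main__":
    cases = [
        ("A vs B, defaults", med_preference(PATH_A, PATH_B)),
        ("A vs B, missing-as-worst",
         med_preference(PATH_A, PATH_B, missing_as_worst=True)),
        ("A vs C, defaults", med_preference(PATH_A, PATH_C)),
        ("A vs C, always-compare-med",
         med_preference(PATH_A, PATH_C, always_compare_med=True)),
    ]
    for label, winner in cases:
        print(f"{label}: {winner.name if winner else 'not decided by MED'}")
```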
The bgp bestpath tie-break cluster-list-length command causes the best-path selection process to prefer the multipath route with the shortest CLUSTER_LIST length in case of a tie in step 10. The cluster list length is assumed to be 0 if the route does not carry a CLUSTER_LIST attribute.
The no bgp bestpath tie-break cluster-list-length and default bgp bestpath tie-break cluster-list-length commands restore the default behavior by removing the associated bgp bestpath tie-break cluster-list-length command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp bestpath tie-break cluster-list-length
no bgp bestpath tie-break cluster-list-length
default bgp bestpath tie-break cluster-list-length
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# bgp bestpath tie-break cluster-list-length
switch(config-router-bgp)#
The bgp bestpath tie-break router-id command causes the best-path selection process to prefer the multipath route with the lowest ROUTER_ID in case of a tie in step 10. If the route is a reflected route (i.e., if it contains route reflector attributes), the process will use the ORIGINATOR_ID as the ROUTER_ID for comparison. This behavior is disabled by default.
The no bgp bestpath tie-break router-id and default bgp bestpath tie-break router-id commands restore the default behavior by removing the associated bgp bestpath tie-break router-id command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp bestpath tie-break router-id
no bgp bestpath tie-break router-id
default bgp bestpath tie-break router-id
Example
switch(config)# router bgp 64500
switch(config-router-bgp)# bgp bestpath tie-break router-id
switch(config-router-bgp)#
By default, routes received from a route reflector client and selected as best routes are propagated to all BGP peers, including other route reflector clients. If the clients are fully meshed, however, routes received from a client do not need to be mirrored to other clients. In this case, client-to-client reflection should be disabled.
The no bgp client-to-client reflection command disables client-to-client reflection.
The bgp client-to-client reflection and default bgp client-to-client reflection commands restore the default behavior by removing the no bgp client-to-client reflection command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp client-to-client reflection
no bgp client-to-client reflection
default bgp client-to-client reflection
Example
switch(config)# router bgp 1
switch(config-router-bgp)# no bgp client-to-client reflection
switch(config-router-bgp)#
When using route reflectors, an AS is divided into clusters. A cluster consists of one or more route reflectors and a group of clients to which they re-advertise route information, and for redundancy a single cluster may contain multiple route reflectors. Each route reflector has a cluster ID. If the cluster has only one route reflector the cluster ID is its router ID, but if a cluster has multiple route reflectors a 4-byte cluster ID must be assigned to all route reflectors in the cluster. All must be configured with the same cluster ID to allow them to identify updates from the cluster’s other route reflectors.
The bgp cluster-id command configures the cluster ID in a cluster with multiple route reflectors.
The no bgp cluster-id and default bgp cluster-id commands remove the cluster ID by removing the corresponding bgp cluster-id command from running-config. Do not remove the cluster ID if there are multiple route reflectors in the cluster.
Command Mode
Router-BGP Configuration
Command Syntax
bgp cluster-id ID_NUM
no bgp cluster-id
default bgp cluster-id
Parameters
Example
This command sets the cluster ID for the switch to 172.22.30.101.
switch(config)# router bgp 1
switch(config-router-bgp)# bgp cluster-id 172.22.30.101
switch(config-router-bgp)#
The bgp confederation identifier command configures the confederation identifier. Confederation can reduce the number of iBGP connections in a large AS domain. The AS domain is divided into several smaller sub-ASs, and each sub-AS remains fully connected. Devices in a sub-AS exchange information via iBGP, while devices in different sub-ASs use eBGP.
The no bgp confederation identifier and default bgp confederation identifier commands remove the bgp confederation identifier command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp confederation identifier as_number
no bgp confederation identifier
default bgp confederation identifier
Parameters
as_number the ID of BGP AS confederation. Values range from 1 to 4294967295.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# bgp confederation identifier 9
switch(config-router-bgp)#
The bgp confederation peers command configures a confederation consisting of sub-ASs.
Before this command is executed, the confederation ID should be configured using the bgp confederation identifier command. Otherwise this configuration is invalid. The configured ASs in this command are inside the confederation and each AS uses a fully meshed network. The confederation appears as a single AS to the devices outside it.
The no bgp confederation peers and default bgp confederation peers commands delete the specified sub-AS from the confederation by removing the corresponding bgp confederation peers command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
bgp confederation peers as_range
no bgp confederation peers as_range
default bgp confederation peers as_range
Parameters
as_range the sub-AS number. Formats include number (from 1 to 4294967295), number range, or comma-delimited list of numbers and ranges.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# bgp confederation peers 1000 1002
switch(config-router-bgp)#
The bgp convergence slow-peer time command configures the idle peer time to wait for the slow peers to establish a session in a BGP convergence state.
The no bgp convergence slow-peer time command disables the inheritance of the configuration from the global BGP configuration mode. The default bgp convergence slow-peer time command sets the timeout value to the default value.
Command Mode
Router-BGP Configuration
Command Syntax
bgp convergence slow-peer time timeout
no bgp convergence slow-peer time
default bgp convergence slow-peer time
Parameters
timeout the maximum time to wait for the slow peers to establish a session connection. Values range from 1 to 3600 seconds. The default value is 90 seconds.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# bgp convergence slow-peer time 40
switch(config-router-bgp)#
The bgp convergence time command configures the time to wait before the BGP convergence starts in a session.
The no bgp convergence time command removes the configured convergence time to wait. The default bgp convergence time command sets the timeout value to the default value.
Command Mode
Router-BGP Configuration
Command Syntax
bgp convergence time timeout_range
no bgp convergence time
default bgp convergence time
Parameters
timeout_range the maximum time to wait for the BGP convergence. Values range from 1 to 3600 seconds. The default value is 300 seconds.
Example
This command configures a convergence time of 200 seconds to wait before establishing a session.
switch(config)# router bgp 1
switch(config-router-bgp)# bgp convergence time 200
switch(config-router-bgp)#
The following commands configure default address family activation levels for addresses configured as BGP neighbors:
Command Mode
Router-BGP Configuration
Command Syntax
bgp default ADDRESS_FAMILY
no bgp default ADDRESS_FAMILY
default bgp default ADDRESS_FAMILY
Parameters
Example
switch(config)# router bgp 1
switch(config-router-bgp)# bgp default ipv4-unicast
switch(config-router-bgp)# bgp default ipv6-unicast
switch(config-router-bgp)# show active
router bgp 65533
bgp log-neighbor-changes
distance bgp 20 200 200
neighbor 172.23.254.2 remote-as 65533
neighbor 172.41.254.78 remote-as 65534
neighbor 2001:0DB8:52a4:fe01::2 remote-as 65533
neighbor 2001:0DB8:52a4:fe4c::1 out-delay 10
switch(config-router-bgp)#
The show active command does not display the bgp default ipv4-unicast command because it is the default setting for IPv4 peering sessions.
The bgp enforce-first-as command causes a forced comparison of the first Autonomous System (AS) in the AS path of eBGP routes received from BGP neighbors to the configured remote external peer Autonomous System Number (ASN). Updates from eBGP peers that do not include that ASN as the first item in the AS path (in the AS_PATH attribute) are discarded.
This behavior is enabled by default upon BGP configuration, and disabled globally by the no form of this command. To configure first-AS enforcement for an individual neighbor or peer group, use the neighbor enforce-first-as command.
Command Mode
Router-BGP Configuration
Command Syntax
bgp enforce-first-as
default bgp enforce-first-as
no bgp enforce-first-as
Example
switch(config-router-bgp)# bgp enforce-first-as
switch(config-router-bgp)#
The bgp listen range command identifies BGP peering requests from a range of IPv4 or IPv6 addresses, and names the dynamic peer group to which those peers belong. To create a static peer group, use the neighbor peer group (create) command.
The requests can come from a single AS number or from a configured range of AS numbers. To accept peering requests from a single ASN, use the remote-as option; to accept requests from multiple ASNs, use the peer-filter option.
The no bgp listen range and default bgp listen range commands remove the dynamic peer group by deleting the corresponding command from running-config. To remove a static peer group, use the no neighbor command. All peering relationships with group members are terminated when the dynamic peer group is deleted.
Command Mode
Router-BGP Configuration
Command Syntax
bgp listen range NET_ADDRESS [PEER-ID include router-id ] peer-group group_name [remote-as as_number | peer-filter filter_name]
no bgp listen range NET_ADDRESS peer-group group_name
default bgp listen range NET_ADDRESS peer-group group_name
switch(config)# router bgp 1
switch(config-router-bgp)# bgp listen range 192.168.6.0/24 peer-group brazil remote-as 5
switch(config-router-bgp)#
switch(config)# router bgp 1
switch(config-router-bgp)# bgp listen range 192.0.2.0/24 peer-group brazil peer-filter group-1
switch(config-router-bgp)#
switch(config)# router bgp 1
switch(config-router-bgp)# bgp listen range 192.0.2.0/24 peer-id include router-id peer-group brazil peer-filter group-1
The bgp log-neighbor-changes command configures the switch to generate a log message when a BGP peer enters or exits the established state. This is the default behavior.
The no bgp log-neighbor-changes command disables the generation of these log messages. The default bgp log-neighbor-changes command enables the generation of these log messages.
Command Mode
Router-BGP Configuration
Command Syntax
bgp log-neighbor-changes
no bgp log-neighbor-changes
default bgp log-neighbor-changes
Example
switch(config)# router bgp 1
switch(config-router-bgp)# bgp log-neighbor-changes
switch(config-router-bgp)#
The bgp redistribute-internal command enables the redistribution of iBGP routes into an Interior Gateway Protocol (IGP).
The no bgp redistribute-internal command disables route redistribution from the specified domain by removing the corresponding bgp redistribute-internal command from running-config. The default bgp redistribute-internal command enables the redistribution of iBGP routes into an IGP.
Command Mode
Router-BGP Configuration
Router-BGP Address-Family Configuration
Command Syntax
bgp redistribute-internal
no bgp redistribute-internal
default bgp redistribute-internal
Example
switch(config)# router bgp 9
switch(config-router-bgp)# bgp redistribute-internal
switch(config-router-bgp)#
The bgp route install-map command enables BGP Selective Route Download on the switch and allows the learning and advertising of the BGP routes without installing them in hardware.
The no bgp route install-map and default bgp route install-map commands delete the BGP Selective Route Download instance.
The exit command returns the switch to global configuration mode.
Command Mode
BGP Configuration
Command Syntax
bgp route install-map map_name
Parameter
map_name The name of the route map configured.
Example
switch(config)# router bgp 100
switch(config-router-bgp)# bgp route install-map test_BGP
switch(config-router-bgp)#
The bgp route-reflector preserve-attributes command configures the switch, when operating as a BGP route reflector, to preserve the BGP attributes of re-advertised routes. By default, BGP attribute preservation is disabled. When attribute preservation is enabled, the BGP attributes (next-hop, local preference, and metric) are preserved in the reflected routes regardless of outbound BGP policies, except when those policies are part of an outbound route map. To override outbound route maps, use the always keyword.
The no bgp route-reflector preserve-attributes and default bgp route-reflector preserve-attributes commands disable BGP attribute preservation.
Command Mode
Router-BGP Configuration
Command Syntax
bgp route-reflector preserve-attributes [always]
no bgp route-reflector preserve-attributes
default bgp route-reflector preserve-attributes
Parameter
always Always preserves route attributes, overwriting route map changes.
Related Command
neighbor route-reflector-client
Example
switch(config)# router bgp 10
switch(config-router-bgp)# neighbor 10.5.2.11 route-reflector-client
switch(config-router-bgp)# bgp route-reflector preserve-attributes
switch(config-router-bgp)#
To clear all messages for a peer or group of peers, use the clear bgp history command.
Command Mode
Privileged EXEC
Command Syntax
clear bgp [PEER | PREFIX | peer-group PEER_GROUP] history [connect-failures] [vrf VRF]
If no peer, prefix, or peer-group is supplied, the clear bgp history command will clear the history for all peers in the specified VRF.
Related Command
Example
switch# clear bgp Purple history vrf VRF_1
The clear ip bgp command removes learned BGP routes from the routing table, reads all routes from designated peers, and sends routes to those peers as required. This command can also clear the switch’s BGP sessions with its peers.
Routes that are read or sent are processed through modified route maps or AS-path access lists.
Command Mode
Privileged EXEC
Command Syntax
clear ip bgp [PEERS] [RESET_TYPE] [DATA_FLOW] [VRF_INSTANCE]
Guidelines
switch# clear ip bgp
! Peerings for all neighbors were hard reset
switch#
switch# clear ip bgp *
! Peerings for all neighbors were hard reset
switch#
The clear ip bgp counters command resets general statistics of peers. These statistics primarily consist of message-related counts.
Command Mode
Privileged EXEC
Command Syntax
clear ip bgp [PEERS] counters [VRF_INSTANCES]
Example
switch# clear ip bgp counters
! Counters for all neighbors were reset
switch#
The clear ip bgp errors command resets the error statistics and history of peers. Peer general statistics primarily consist of notification errors, socket errors, and update errors.
Command Mode
Privileged EXEC
Command Syntax
clear ip bgp [PEERS] errors [VRF_INSTANCES]
Example
switch# clear ip bgp errors
! Errors for all neighbors were reset
switch#
The clear ip bgp neighbor command clears BGP neighbors belonging to the IPv4 transport address family. To clear BGP neighbors in the IPv6 transport address family, use the clear ipv6 bgp neighbor command.
Command Mode
Privileged EXEC
Command Syntax
clear ip bgp neighbor [*] [vrf vrf_name] [reason message]
Parameters
* optional; all neighbors in the address family are cleared with or without this option
vrf vrf_name specifies a VRF instance for which IPv4 transport address family BGP neighbors will be cleared. If no VRF is specified, the command clears IPv4 BGP neighbors in the context-active VRF.
vrf all clears IPv4 BGP neighbors in all VRFs.
vrf default clears IPv4 BGP neighbors in the default VRF.
reason message includes the specified message string in the notification sent to neighbors. Maximum string length 250 characters.
switch# clear ip bgp neighbor
! Peerings for all ipv4 neighbors were hard reset
switch#
switch# clear ip bgp neighbor vrf purple
! Peerings for all ipv4 neighbors were hard reset
switch#
The clear ipv6 bgp command removes learned BGP routes from the routing table, reads all routes from designated peers, and sends routes to those peers as required. This command can also clear the switch’s BGP sessions with its peers.
Routes that are read or sent are processed through modified route maps or AS-path access lists.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 bgp [PEERS] [RESET_TYPE] [DATA_FLOW] [VRF_INSTANCE]
Guidelines
switch# clear ipv6 bgp
! Peerings for all neighbors were hard reset
switch#
switch# clear ipv6 bgp *
! Peerings for all neighbors were hard reset
switch#
The clear ipv6 bgp counters command resets general statistics of peers. These statistics primarily consist of message-related counts.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 bgp [PEERS] counters [VRF_INSTANCES]
Example
switch# clear ipv6 bgp counters
! Counters for all neighbors were reset
switch#
The clear ipv6 bgp errors command resets the error statistics and history of peers. Peer general statistics primarily consist of notification errors, socket errors, and update errors.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 bgp [PEERS] errors [VRF_INSTANCES]
Example
switch# clear ipv6 bgp errors
! Errors for all neighbors were reset
switch#
The clear ipv6 bgp neighbor command clears BGP neighbors belonging to the IPv6 transport address family. To clear BGP neighbors in the IPv4 transport address family, use the clear ip bgp neighbor command.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 bgp neighbor [*] [vrf vrf_name] [reason message]
Parameters
* optional; all neighbors in the address family are cleared with or without this option
vrf vrf_name specifies a VRF instance for which IPv6 transport address family BGP neighbors will be cleared. If no VRF is specified, the command clears IPv6 BGP neighbors in the context-active VRF.
vrf all clears IPv6 BGP neighbors in all VRFs.
vrf default clears IPv6 BGP neighbors in the default VRF.
reason message includes the specified message string in the notification sent to neighbors. Maximum string length 250 characters.
switch# clear ipv6 bgp neighbor
! Peerings for all ipv6 neighbors were hard reset
switch#
switch# clear ipv6 bgp neighbor vrf purple reason going down for maintenance
! Peerings for all ipv6 neighbors were hard reset
switch#
The distance bgp command assigns an administrative distance to routes that the switch learns through BGP. Routers use administrative distances to select a route when two protocols provide routing information to the same destination. Distance values range from 1 to 255; lower distance values correspond to higher reliability. BGP routing tables do not include routes with a distance of 255.
The no distance bgp and default distance bgp commands restore the default administrative distances by removing the distance bgp command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
distance bgp external_dist [INTERNAL_LOCAL]
no distance bgp
default distance bgp
Example
switch(config)# router bgp 1
switch(config-router-bgp)# distance bgp 150 200 150
switch(config-router-bgp)#
The dynamic peer max command limits the number of dynamic BGP peers allowed on the switch.
The no dynamic peer max and default dynamic peer max commands restore the default limit of dynamic BGP peers by removing the dynamic peer max command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
dynamic peer max maximum
no dynamic peer max
default dynamic peer max
Parameters
maximum the maximum number of dynamic BGP peers to be allowed on the switch. Values range from 1 to 1000; default value is 100.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# dynamic peer max 200
switch(config-router-bgp)#
The graceful-restart stalepath-time command specifies the maximum time that stale routes from a restarting BGP neighbor will be retained after a BGP session is re-established with that peer.
The no graceful-restart stalepath-time and default graceful-restart stalepath-time commands restore the default value of 300 seconds by deleting the graceful-restart stalepath-time statement from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
graceful-restart stalepath-time interval
no graceful-restart stalepath-time
default graceful-restart stalepath-time
Parameters
interval Maximum period (in seconds) that stale routes from a restarting BGP neighbor will be retained after the BGP session is re-established. Values range from 1 to 3600 (60 minutes). Default is 300.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# graceful-restart stalepath-time 900
switch(config-router-bgp)#
The graceful-restart helper command enables BGP graceful restart helper mode on the switch for all BGP neighbors. When graceful restart helper mode is enabled, the switch will retain routes from neighbors which are capable of graceful restart while those neighbors are restarting BGP. Graceful restart helper is enabled by default. To configure graceful restart helper mode for a specific neighbor or peer group, use the neighbor graceful-restart-helper command. Individual neighbor configuration takes precedence over the global configuration.
The no graceful-restart helper command disables graceful restart helper mode on the switch. The default graceful-restart helper command enables graceful restart helper mode by removing the corresponding no graceful-restart helper command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
graceful-restart helper long-lived
no graceful-restart helper long-lived
default graceful-restart helper long-lived
Parameter
long-lived Enables long lived graceful restart helper mode.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# no graceful-restart-helper
switch(config-router-bgp)#
The ip as-path access-list command creates an access list to filter BGP route updates. If access list list_name does not exist, this command creates it. If it already exists, this command appends statements to the list.
The no ip as-path access-list and default ip as-path access-list commands delete the named access list.
Command Mode
Global Configuration
Command Syntax
ip as-path access-list list_name FILTER_TYPE regex ORIGIN
no ip as-path access-list list_name
default ip as-path access-list list_name
Example
switch(config)# ip as-path access-list list1 deny _3$
switch(config)# ip as-path access-list list1 permit .*
switch(config)#
The ip as-path regex-mode command specifies how the switch will evaluate regular expressions describing AS paths in ACLs. When the regex mode is set to asn, AS numbers in the ACL are interpreted as AS numbers; only complete AS number matches in the AS path return a match. When it is set to string, AS numbers in the ACL are interpreted as strings; both complete AS number matches and longer AS numbers that include the target string return a match. The default mode is asn.
For example, when searching for “10” in an AS path of 100 200, asn mode returns false and string mode returns true.
The no ip as-path regex-mode and default ip as-path regex-mode commands restore the regex mode to asn by removing the ip as-path regex-mode command from running-config.
Command Mode
Global Configuration
Command Syntax
ip as-path regex-mode MODE_SETTING
no ip as-path regex-mode
default ip as-path regex-mode
Parameters
Example
switch(config)# ip as-path regex-mode string
switch(config)#
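The difference between the two regex modes, and its effect on an as-path access list, as an added Python model (not EOS code and not part of the original reference). It assumes Cisco-style handling of _ as a delimiter, first-match evaluation with an implicit deny, and that digits plus bracket classes form one AS-number token; translate, path_matches, evaluate and BLOCK_AS10 are hypothetical names.

```python
import re

# "_" in an AS-path expression: start of path, end of path, or a delimiter.
# Assumption: space, comma, braces and parentheses are the delimiters.
DELIM = r"(?:^|$|[ ,{}()])"


def translate(pattern, mode):
    """Return a Python regex modelling `pattern` under regex-mode asn or string."""
    if mode not in ("asn", "string"):
        raise ValueError("mode must be 'asn' or 'string'")
    out, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "_":
            out.append(DELIM)
            i += 1
        elif ch == "\\" and i + 1 < n:
            out.append(pattern[i:i + 2])      # keep escapes untouched
            i += 2
        elif ch.isdigit() or ch == "[":
            # Collect one AS-number token: digits and bracket classes,
            # for example 6500[1-3].
            j = i
            while j < n and (pattern[j].isdigit() or pattern[j] == "["):
                if pattern[j] == "[":
                    close = pattern.find("]", j + 1)
                    if close == -1:
                        raise ValueError("unterminated bracket expression")
                    j = close + 1
                else:
                    j += 1
            token = pattern[i:j]
            if mode == "asn":
                if j < n and pattern[j] in "*+?":
                    raise ValueError("quantified digits are outside this model")
                # asn mode: the token must cover a complete AS number.
                token = r"(?<!\d)" + token + r"(?!\d)"
            out.append(token)
            i = j
        else:
            out.append(ch)                    # ., *, ^, $, |, ( ) pass through
            i += 1
    return "".join(out)


def path_matches(pattern, as_path, mode):
    """True if the expression matches the space-separated AS path."""
    return re.search(translate(pattern, mode), as_path) is not None


def evaluate(acl, as_path, mode):
    """First matching entry decides; no match means deny (assumed)."""
    for action, pattern in acl:
        if path_matches(pattern, as_path, mode):
            return action
    return "deny"


# list1 as configured in the ip as-path access-list example on this page.
LIST1 = [("deny", "_3$"), ("permit", ".*")]
# Constructed list: an unanchored attempt to drop routes that transit AS 10.
BLOCK_AS10 = [("deny", "10"), ("permit", ".*")]

if __name__ == "__main__":
    for mode in ("asn", "string"):
        for path in ("100 200", "10 200", "65001 210"):
            print(mode, repr(path), evaluate(BLOCK_AS10, path, mode))
```

In string mode the unanchored expression 10 also denies paths through AS 100 and AS 210, so AS numbers in filters should be delimited with _ whenever string mode is in use.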
The ip community-list command creates and configures a BGP access list based on BGP communities.
The no ip community-list and default ip community-list commands delete the specified community list by removing the corresponding ip community-list command from running-config.
Command Mode
Global Configuration
Command Syntax
ip community-list list_name [permit | deny] [GSHUT | aa:nn | internet | local-as | no-advertise | no-export | number]
no ip community-list list_name
default ip community-list list_name
Guideline
EOS does not support disabling the processing of the graceful shutdown community.
switch(config)# ip community-list list_9 deny 100:250
switch(config)#
switch(config)# ip community-list gshut_list permit GSHUT
switch(config)# route-map map1
switch(config-route-map-map1)# match community gshut_list
switch(config-route-map-map1)# exit
switch(config)# show route-map map1
route-map map1 permit 10
Description:
Match clauses:
match community gshut_list
SubRouteMap:
Set clauses:
switch(config)#
switch(config)# ip community-list CLIST1 permit internet
switch(config)#
The ip community-list regexp command creates and configures a BGP access list based on BGP communities. A BGP community access list filters prefixes based on their BGP communities. The command uses regular expressions to identify the communities specified by the list. To create a community list by explicitly specifying one or more communities, use the ip community-list command.
The no ip community-list regexp and default ip community-list regexp commands delete the specified community list. To delete a specific community-list entry, specify the entry in the no ip community-list regexp command.
Command Mode
Global Configuration
Command Syntax
ip community-list regexp list_name {deny | permit} reg_exp
no ip community-list regexp list_name {deny | permit} reg_exp
default ip community-list regexp list_name
Guideline
The ip community-list regexp command with the permit internet option permits access to only those routes that carry the community value of 0.
switch(config)# ip community-list regexp list_2 permit 10:[2-3][0-4]_
switch(config)#
switch(config)# no ip community-list regexp list_2 permit 10:[2-3][0-4]_
switch(config)#
switch(config)# no ip community-list regexp list_2
switch(config)#
switch(config)# ip community-list regexp CLIST1 permit internet
switch(config)#
The ip extcommunity-list command creates an extended community list to filter VRF routes or for Link BandWidth (LBW) advertisement.
The no ip extcommunity-list and default ip extcommunity-list commands delete the specified extended community list by removing the corresponding ip extcommunity-list statement from running-config.
Command Mode
Global Configuration
Command Syntax
ip extcommunity-list list_name {deny | permit} COMM_1 [COMM_2...COMM_n]
no ip extcommunity-list list_name
default ip extcommunity-list list_name
Example
This command creates a BGP extended community list that denies routes from route target 100:250.
switch(config)# ip extcommunity-list list_9 deny rt 100:250
switch(config)#
The ip extcommunity-list regexp command creates an extended community list to filter VRF routes or for link bandwidth (LBW) advertisement. The command uses regular expressions to define the extended communities specified by the list. To specify particular values, use the ip extcommunity-list command.
The no ip extcommunity-list regexp and default ip extcommunity-list regexp commands delete the specified extended community list by removing the corresponding ip extcommunity-list regexp statement from running-config.
Command Mode
Global Configuration
Command Syntax
ip extcommunity-list regexp list_name {deny | permit} reg_exp
no ip extcommunity-list regexp list_name {deny | permit} reg_exp
default ip extcommunity-list regexp list_name
Example
switch(config)# ip extcommunity-list regexp list_1 deny RT:10:[2-3][0-4]_
switch(config)#
The ip large-community-list regexp command creates and configures a BGP access list based on BGP large communities. A BGP large-community access list filters prefixes based on their BGP large community values. The command uses regular expressions to match large communities. Multiple large-community lists with the same name may be specified. To create a large-community list by explicitly specifying one or more communities, use the ip large-community-list command.
Large-communities are represented as follows: [ASN]:local-part1:local-part2.
The no ip large-community-list regexp and default ip large-community-list regexp commands delete the specified large community list. To delete a specific community-list entry, specify the entry in the no ip large-community-list regexp command.
Command Mode
Global Configuration
Command Syntax
ip large-community-list regexp list_name {deny | permit} reg_exp
no ip large-community-list regexp list_name {deny | permit} reg_exp
default ip large-community-list regexp list_name
Parameters
switch(config)# ip large-community-list regexp list_2 permit 10:[2-3][0-4]:_
switch(config)#
switch(config)# no ip large-community-list regexp list_2 permit 10:[2-3]:[0-4]_
switch(config)#
switch(config)# no ip large-community-list regexp list_2
switch(config)#
The match as-range command defines a match statement for the peer filter; based on the match statement, the peer filter accepts or rejects the incoming peer request. The match statement includes a sequence number, an AS number range, and a match condition to accept or reject a peer by comparing its remote AS number to the specified range. A peer filter can consist of a single match statement or multiple match statements. The match statement for the peer filter is configured under peer-filter configuration mode.
The no match as-range or default match as-range command deletes the peer-filter condition for the group from running-config.
Command Mode
Peer-Filter Configuration
Command Syntax
[sequence_number] match as-range [as_number1] [as_number2] result {accept | reject} group_name
no match as-range [as_number1] [as_number2] result {accept | reject} group_name
default match as-range [as_number1] [as_number2] result {accept | reject} group_name
Parameters
switch(config)# peer-filter group1
switch(config-peer-filter-group1)# 10 match as-range 1-4294967295 result accept
switch(config-peer-filter-group1)#
switch(config)# peer-filter group2
switch(config-peer-filter-group2)# 10 match as-range 65008-65009 result reject
switch(config-peer-filter-group2)# 20 match as-range 65000-651000 result accept
switch(config-peer-filter-group2)#
switch(config)# peer-filter group3
switch(config-peer-filter-group3)# 10 match as-range 65003 result accept
switch(config-peer-filter-group3)# 20 match as-range 65007 result accept
switch(config-peer-filter-group3)# 30 match as-range 65009 result accept
switch(config-peer-filter-group3)#
The maximum-paths command controls the maximum number of parallel BGP routes that the switch supports. The default maximum is one route. The command provides an Equal Cost Multiple Paths (ECMP) parameter that controls the number of equal-cost paths that the switch stores in the routing table for each route.
For paths to be considered equal, they must have the same weight, local preference, AS-path length, and origin. To require that they also have the same Multi-Exit Discriminator (MED) value, use the bgp always-compare-med command. To require that their AS paths have the same contents, use the no bgp bestpath as-path multipath-relax command.
The no maximum-paths and default maximum-paths commands restore the default values of the maximum number of parallel routes and the maximum number of ECMP paths by removing the corresponding maximum-paths command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
maximum-paths paths [ecmp ecmp_paths]
no maximum-paths
default maximum-paths
Parameters
Value for each parameter ranges from 1 to the number of interfaces available per ECMP group, which is platform dependent.
switch(config)# router bgp 1
switch(config-router-bgp)# maximum-paths 12
switch(config-router-bgp)#
switch(config)# router bgp 1
switch(config-router-bgp)# maximum-paths 2 ecmp 4
switch(config-router-bgp)#
Use the neighbor command to enable large communities on a ‘per-neighbor’ or ‘per-peer group’ basis. This behavior is consistent with all other forms of communities supported by EOS.
Receiving and processing of large communities is enabled by default.
Command Mode
BGP router mode
Command Syntax
neighbor [A.B.C.D.
[send-community [large]]| A:B:C:D:E:F:G:H | NAME | default| fe80::A:B:C:D% interface | interface]
Example
You can enable large communities on a ‘per-neighbor’ or ‘per-peer group’ basis.
switch(config)# router bgp 1
switch(config-bgp-router)# neighbor 1.1.1.1 send-community large
The default neighbor activate command removes the corresponding neighbor activate or no neighbor activate command from running-config, restoring the default address family activation state for the specified neighbor address.
Command Mode
Router-BGP Address-Family Configuration
Command Syntax
neighbor neighbor_ID activate
no neighbor neighbor_ID activate
default neighbor neighbor_ID activate
Parameters
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Limitations
The switch supports the advertisement of networks with IPv6 prefixes to IPv4 transport neighbors. The switch does not support the advertisement of networks with IPv4 prefixes to IPv6 transport neighbors.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# neighbor 172.41.18.15 activate
switch(config-router-bgp-af)# neighbor 172.49.22.6 activate
switch(config-router-bgp-af)# no neighbor 172.15.21.18 activate
switch(config-router-bgp-af)# show active
address-family ipv4
no neighbor 172.15.21.18 activate
neighbor 172.49.22.6 activate
neighbor 172.41.18.15 activate
switch(config-router-bgp-af)# exit
switch(config-router-bgp)#
By default, BGP drops received routes if their Autonomous System (AS) paths contain the AS Number (ASN) of the switch. The neighbor allowas-in command configures the switch to accept routes from the specified BGP neighbor even if their AS paths contain the ASN of the switch itself. Optionally, the command can also configure the maximum number of times that the switch’s ASN can appear in a route before it is dropped.
The no neighbor allowas-in command configures the default behavior (dropping BGP routes that contain the ASN of the switch).
The default neighbor allowas-in command applies the system default configuration for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the BGP neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID allowas-in [asn_quantity]
no neighbor neighbor_ID allowas-in
default neighbor neighbor_ID allowas-in
Related Commands
This command is used on a customer edge router that is part of a split AS; to address the problem at the provider end, use the neighbor as-path remote-as replace out command.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.1.30 allowas-in
switch(config-router-bgp)#
By default, BGP drops received routes if their Autonomous System (AS) paths contain the AS Number (ASN) of the switch. In a split AS sharing route advertisements through a provider network, this can result in valid routes being dropped. The neighbor as-path remote-as replace out command configures a provider edge switch to replace the customer’s AS with its own in route advertisements sent to neighbors in that AS.
The no neighbor as-path remote-as replace out command configures the default behavior (leaving the customer’s AS in the AS path attribute of routes advertised to the specified neighbor).
The default neighbor as-path remote-as replace out command applies the system default configuration for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the BGP neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID as-path remote-as replace out
no neighbor neighbor_ID as-path remote-as replace out
default neighbor neighbor_ID as-path remote-as replace out
Parameters
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Related Commands
This command is used on a provider edge router forwarding BGP routes to a customer in a split AS; to address the problem at the customer end, use the neighbor allowas-in command.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.2.15 as-path remote-as replace out
switch(config-router-bgp)#
The neighbor auto-local-addr command configures the switch to automatically determine the local address to be used for the non-transport address family in NLRIs sent to the specified neighbor or peer group. This allows IPv4 NLRIs to be carried over IPv6 transport, or IPv6 NLRIs to be carried over IPv4 transport.
The no neighbor auto-local-addr command applies the system default configuration.
The default neighbor auto-local-addr command applies the system default configuration for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
To explicitly configure a local address for the non-transport address family for a specific neighbor or peer group, use the neighbor local-v4-addr command for IPv6 neighbors, or the neighbor local-v6-addr for IPv4 neighbors.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID auto-local-addr
no neighbor neighbor_ID auto-local-addr
default neighbor neighbor_ID auto-local-addr
Parameters
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 2001:0DB8:c2a4:1761::2 auto-local-addr
switch(config-router-bgp)#
The neighbor default-originate command advertises a default route to a BGP neighbor or peer group. This default route overrides the default route advertised by any other means to the specified neighbor or peer group. However, the update generated by neighbor default-originate is not processed by neighbor route map out policies.
If a route map is specified in this command, its set clauses are used to modify attributes of the exported default route, but its match clauses are not used to conditionally advertise the route. The default route is always advertised to the specified neighbor.
The no neighbor default-originate command applies the system default configuration.
The default neighbor default-originate command applies the system default configuration for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Router-BGP Address-Family Configuration
Command Syntax
neighbor neighbor_ID default-originate [MAP]
no neighbor neighbor_ID default-originate
default neighbor neighbor_ID default-originate
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 192.168.14.5 default-originate
switch(config-router-bgp)#
The neighbor description command associates descriptive text with the specified peer or peer group.
The no neighbor description command removes the text association from the specified peer or peer group.
The default neighbor description command removes the text association from the specified peer for individual neighbors, and applies the peer group’s description to neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address or for the specified peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID description description_string
no neighbor neighbor_ID description
default neighbor neighbor_ID description
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.1.30 description PEER_1
switch(config-router-bgp)#
The neighbor ebgp-multihop command programs the switch to accept and attempt BGP connections to the external peers residing on networks not directly connected to the switch. The command does not establish the multihop if the only route to the peer is the default route (0.0.0.0).
The no neighbor ebgp-multihop command applies the system default configuration.
The default neighbor ebgp-multihop command applies the system default configuration for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID ebgp-multihop [hop_number]
no neighbor neighbor_ID ebgp-multihop
default neighbor neighbor_ID ebgp-multihop
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.1.30 ebgp-multihop 32
switch(config-router-bgp)#
The neighbor enforce-first-as command forces a comparison of the first Autonomous System (AS) in the AS path of eBGP routes received from a specified BGP peer or peer group against the Autonomous System Number (ASN) configured for that remote external peer. Updates from the specified eBGP peers that do not carry that ASN as the first AS in the AS_PATH attribute are discarded.
This behavior is enabled globally by default upon BGP configuration, and disabled for the specified neighbor or peer group by the no form of the command. To configure first AS enforcement globally, use the bgp enforce-first-as command.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID enforce-first-as
no neighbor neighbor_ID enforce-first-as
default neighbor neighbor_ID enforce-first-as
Parameters
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Example
switch(config-router-bgp)# no neighbor region-3 enforce-first-as
switch(config-router-bgp)#
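The inbound AS_PATH checks described for neighbor allowas-in and neighbor enforce-first-as, as an added Python model (not EOS code and not part of the original reference). NeighborPolicy, check_as_path, triage and all sample updates are hypothetical and constructed; treating an omitted asn_quantity as "no cap" is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NeighborPolicy:
    remote_as: int                        # ASN configured for the eBGP peer
    enforce_first_as: bool = True         # page: enabled globally by default
    allowas_in: bool = False              # page: own-ASN routes dropped by default
    allowas_in_max: Optional[int] = None  # asn_quantity; None = no cap (assumed)


def check_as_path(as_path: List[int], local_as: int,
                  policy: NeighborPolicy) -> Tuple[bool, str]:
    """Return (accepted, reason) for the AS_PATH of one received eBGP route."""
    # enforce-first-as: the first AS must be the peer's configured ASN.
    if policy.enforce_first_as:
        if not as_path or as_path[0] != policy.remote_as:
            return False, "first-as-mismatch"
    # Loop prevention: by default any occurrence of our own ASN drops the route.
    own = as_path.count(local_as)
    if own:
        if not policy.allowas_in:
            return False, "own-as-in-path"
        if policy.allowas_in_max is not None and own > policy.allowas_in_max:
            return False, "own-as-count-exceeded"
    return True, "accepted"


def triage(updates: List[Tuple[str, List[int]]], local_as: int,
           policy: NeighborPolicy) -> Dict[str, List[str]]:
    """Group prefixes by the outcome of check_as_path."""
    result: Dict[str, List[str]] = {}
    for prefix, as_path in updates:
        _, reason = check_as_path(as_path, local_as, policy)
        result.setdefault(reason, []).append(prefix)
    return result


# Constructed scenario: a customer edge in a split AS (64510) peering with a
# provider (64500). Prefixes and ASNs are documentation values.
LOCAL_AS = 64510
DEFAULT_POLICY = NeighborPolicy(remote_as=64500)
SPLIT_AS_POLICY = NeighborPolicy(remote_as=64500, allowas_in=True,
                                 allowas_in_max=1)
UPDATES = [
    ("192.0.2.0/24", [64500, 64496]),            # ordinary route
    ("198.51.100.0/24", [64500, 64510]),         # other half of the split AS
    ("203.0.113.0/24", [64500, 64510, 64510]),   # own ASN twice
    ("192.0.2.128/25", [64499, 64496]),          # first AS is not the peer
]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY),
                         ("allowas-in 1", SPLIT_AS_POLICY)):
        print(name, triage(UPDATES, LOCAL_AS, policy))
```

With allowas-in the own-ASN loop check no longer protects that session, so keeping asn_quantity as low as the topology allows limits what the relaxed check will admit.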
The neighbor export-localpref command determines the LOCAL_PREF value that is sent in BGP UPDATE packets to the specified peer or peer group. This command has no effect on external peers.
The no neighbor export-localpref command resets the LOCAL_PREF value to the system default of 100 in packets sent to the specified peer or peer group.
The default neighbor export-localpref command resets the LOCAL_PREF value to the system default of 100 for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address or the specified peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID export-localpref preference
no neighbor neighbor_ID export-localpref
default neighbor neighbor_ID export-localpref
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 10.1.1.45 export-localpref 200
switch(config-router-bgp)#
The neighbor graceful-restart command enables the BGP graceful restart mode for a specified BGP neighbor or peer group. When graceful restart mode is enabled, the switch retains routes from neighbors that are capable of graceful restart. By default, graceful restart is disabled for all BGP neighbors. Individual neighbor configuration takes precedence over the global configuration.
The no neighbor graceful-restart and default neighbor graceful-restart commands disable graceful restart mode for the specified BGP neighbor or peer group by removing the corresponding no neighbor graceful-restart command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID graceful-restart
no neighbor neighbor_ID graceful-restart
default neighbor neighbor_ID graceful-restart
Parameter
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.12.1 graceful-restart
switch(config-router-bgp)#
The neighbor graceful-restart helper command enables BGP graceful restart helper mode for the specified BGP neighbor or peer group. When graceful restart helper mode is enabled, the switch will retain routes from neighbors which are capable of graceful restart while those neighbors are restarting BGP. The neighbor graceful-restart-helper is enabled by default for all BGP neighbors. To configure graceful restart helper mode for all BGP neighbors, use the graceful-restart-helper command. Individual neighbor configuration takes precedence over the global configuration.
The no neighbor graceful-restart helper command disables graceful restart helper mode for the specified BGP neighbor or peer group. The default neighbor graceful-restart helper command enables graceful restart helper mode for the specified BGP neighbor or peer group by removing the corresponding no neighbor graceful-restart helper command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID graceful-restart helper long-lived
no neighbor neighbor_ID graceful-restart helper long-lived
default neighbor neighbor_ID graceful-restart helper long-lived
Example
switch(config)# router bgp 1
switch(config-router-bgp)# no neighbor 192.168.12.1 graceful-restart-helper
switch(config-router-bgp)#
The neighbor import-localpref command determines the local preference assigned to routes received from the specified external peer or peer group. This command has no effect on routes received from internal peers.
The no neighbor import-localpref command resets the local preference to the default of 100 for routes received from the specified peer or peer group.
The default neighbor import-localpref command resets the local preference to the default of 100 for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID import-localpref preference
no neighbor neighbor_ID import-localpref
default neighbor neighbor_ID import-localpref
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 192.168.1.30 import-localpref 50
switch(config-router-bgp)#
The neighbor local-as command changes the local AS value sent to the specified peer in OPEN messages, allowing the switch to appear as a member of a different AS to the selected peer. Arista switches replace the local AS number with the modified value rather than prepending it to routes, so we implement the command only as neighbor local-as no-prepend replace-as.
The no neighbor local-as command disables this modification for the specified peer or peer group. The default neighbor local-as command disables this modification for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID local-as as_id no-prepend replace-as
no neighbor neighbor_ID local-as
default neighbor neighbor_ID local-as
This parameter cannot be set to the switch’s AS number or to any AS number in the peer’s network.
These commands configure the switch to replace its local ASN in OPEN messages sent to the peer at 10.13.64.1 with ASN 64500, and configure the peer to expect that ASN in messages received from the switch.
Switch Configuration
switch(config)# router bgp 64497
switch(config-router-bgp)# neighbor 10.13.64.1 local-as 64500 no-prepend replace-as
switch(config-router-bgp)#
Peer Configuration
peer(config)# router bgp 64502
peer(config-router-bgp)# neighbor 10.4.3.10 remote-as 64500
peer(config-router-bgp)#
The neighbor local-v4-addr command specifies the next-hop value that the switch sends as the IPv4 NLRI value to neighbors with whom IPv6 transport peering is established.
The no neighbor local-v4-addr command applies the system default configuration.
The default neighbor local-v4-addr command applies the system default configuration for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
To configure the switch to automatically determine the IPv4 address to be sent as the next-hop in IPv4 NLRIs to an IPv6 neighbor, use the neighbor auto-local-addr command.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID local-v4-addr ipv4_local
no neighbor neighbor_ID local-v4-addr
default neighbor neighbor_ID local-v4-addr
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 2001:0DB8:c2a4:1761::2 local-v4-addr 10.7.5.11
switch(config-router-bgp)#
The neighbor local-v6-addr command specifies the next-hop value that the switch sends as the IPv6 NLRI value to neighbors with which IPv4 transport peering is established.
In IPv6 peering sessions, the switch sends the global IPv6 address of the interface that is used to transmit BGP updates.
The no neighbor local-v6-addr command applies the system default configuration.
The default neighbor local-v6-addr command applies the system default configuration for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID local-v6-addr ipv6_local
no neighbor neighbor_ID local-v6-addr
default neighbor neighbor_ID local-v6-addr
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 10.7.5.11 local-v6-addr 2001:0DB8:c2a4:1761::2
switch(config-router-bgp)# show active
router bgp 1
bgp log-neighbor-changes
bgp default ipv6-unicast
neighbor 10.7.5.11 local-v6-addr 2001:0DB8:c2a4:1761::2
switch(config-router-bgp)#
The neighbor maximum-routes command determines the number of BGP routes the switch accepts from a specified neighbor and defines an action when the limit is exceeded. The default value is 12000. To remove the maximum routes limit, select a limit of zero.
When the number of routes received from a peer exceeds the limit, the switch generates an error message. This command can also configure the switch to disable peering with the neighbor. In this case, the neighbor state is reset only through a clear ip bgp command.
The no neighbor maximum-routes command applies the system default maximum-routes value of 12000 for the specified peer.
The default neighbor maximum-routes command applies the system default value for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID maximum-routes quantity [ACTION]
no neighbor neighbor_ID maximum-routes
default neighbor neighbor_ID maximum-routes
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 110.3.16.210 maximum-routes 15000
switch(config-router-bgp)#
The neighbor next-hop-peer command configures the switch to list the peer address as the next hop in routes that it receives from the specified peer BGP-speaking neighbor or members of the specified peer group. This command overrides the next hop for all routes received from this neighbor or peer group.
The no neighbor next-hop-peer command applies the system default (no next-hop override) for the specified peer.
The default neighbor next-hop-peer command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address or the specified peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID next-hop-peer
no neighbor neighbor_ID next-hop-peer
default neighbor neighbor_ID next-hop-peer
Parameters
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.3.2.24 next-hop-peer
switch(config-router-bgp)#
The neighbor next-hop-self command configures the switch to list its address as the next hop in routes that it advertises to the specified BGP-speaking neighbor or neighbors in the specified peer group. This is used in networks where BGP neighbors do not directly access all other neighbors on the same subnet.
The no neighbor next-hop-self command applies the system default (no next-hop override) for the specified peer.
The default neighbor next-hop-self command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address or for the specified peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID next-hop-self
no neighbor neighbor_ID next-hop-self
default neighbor neighbor_ID next-hop-self
Parameters
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 10.4.1.30 next-hop-self
switch(config-router-bgp)#
The neighbor next-hop resolution v4-mapped-v6 translation command configures the switch to enable translation of IPv4-mapped IPv6 addresses to IPv4 addresses. With this setting enabled, when the switch receives an IPv4-mapped IPv6 address for a next hop, it will translate it to an IPv4 address. This allows the next hop to be resolved in an IPv4 network.
The no neighbor next-hop resolution v4-mapped-v6 translation and default neighbor next-hop resolution v4-mapped-v6 translation commands disable the translation from IPv4-mapped IPv6 addresses to IPv4 addresses.
Command Mode
BGP IPv6 Labeled-Unicast Address Family Configuration
Command Syntax
neighbor {neighbor_ID} next-hop resolution v4-mapped-v6 translation
no neighbor {neighbor_ID} next-hop resolution v4-mapped-v6 translation
default neighbor {neighbor_ID} next-hop resolution v4-mapped-v6 translation
Parameters
Guidelines
Example
switch(config)# router bgp 64510
switch(config-router-bgp)# address-family ipv6 labeled-unicast
switch(config-router-bgp-af-label)# neighbor v6_pg next-hop resolution v4-mapped-v6 translation
switch(config-router-bgp-af-label)#
The neighbor out-delay command sets the period of time that a route update for the specified neighbor must be in the routing table before the switch exports it to BGP. The out delay interval is used for bundling routing updates.
The no neighbor out-delay command applies the system default (out-delay value of zero) for the specified peer.
The default neighbor out-delay command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the specified neighbor.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID out-delay delay_time
no neighbor neighbor_ID out-delay delay_time
default neighbor neighbor_ID out-delay delay_time
Example
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 10.24.15.9 out-delay 5
switch(config-router-bgp)#
The neighbor passive command sets the TCP connection for the specified BGP neighbor or peer group to passive mode. When the peer’s transport connection mode is set to passive, it accepts TCP connections for BGP but does not initiate them.
The no neighbor passive command sets the specified BGP neighbor or peer group to active connection mode. BGP peers in active mode can both accept and initiate TCP connections for BGP. This is the default behavior.
The default neighbor passive command restores the default connection mode. The default mode is active for individual BGP peers, or the mode inherited from the peer group for peer group members.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID passive
no neighbor neighbor_ID passive
default neighbor neighbor_ID passive
Parameter
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Example
switch(config)# router bgp 300
switch(config-router-bgp)# neighbor 10.2.2.14 passive
switch(config-router-bgp)#
The neighbor password command enables authentication on a TCP connection with a BGP peer. The plain-text version of the password is a string, up to 8 bytes in length. Peers must use the same password to ensure proper communication.
The running-config displays the encrypted version of the password. The encryption scheme is not strong by cryptographic standards; encrypted passwords should be treated in the same manner as plain-text passwords.
The no neighbor password command applies the system default for the specified peer, removing the neighbor password from the configuration and disabling authentication with the specified peer.
The default neighbor password command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor password and default neighbor password commands remove the neighbor password from the configuration, disabling authentication with the specified peer.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID password [ENCRYPT_LEVEL] key_text
no neighbor neighbor_ID password
default neighbor neighbor_ID password
Example
This command specifies a password in clear text.
switch(config)# router bgp 1
switch(config-router-bgp)# neighbor 10.25.25.13 password 0 code123
switch(config-router-bgp)#
Running-config stores the password as an encrypted string.
Peer groups allow the user to apply settings to a group of BGP neighbors simultaneously. Once a peer group is created, the group name can be used as a parameter in neighbor configuration commands, and the configuration will be applied to all members of the group. Settings applied to an individual neighbor in the peer group override group settings.
The neighbor peer group (create) command is used to create static BGP peer groups. Static peer groups are peer groups whose members are added manually. To assign BGP neighbors to a static peer group, use the neighbor peer group (neighbor assignment) command. To create a dynamic peer group, use the bgp listen range command.
The no neighbor peer group (create) and default neighbor peer group (create) commands remove the specified static peer group from running-config. When a static peer group is deleted, the neighbors that were members of that peer group lose any configuration that was inherited from the peer group. The no form of the bgp listen range command removes a dynamic peer group.
The no neighbor command removes all configuration commands for the specified neighbor.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor group_name peer group
no neighbor group_name peer group
default neighbor group_name peer group
Parameters
group_name peer group name.
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor bgpgroup1 peer group
switch(config-router-bgp)# neighbor 10.1.1.1 peer group bgpgroup1
switch(config-router-bgp)# neighbor 10.2.2.2 peer group bgpgroup1
switch(config-router-bgp)# neighbor 10.3.3.3 peer group bgpgroup1
switch(config-router-bgp)# neighbor bgpgroup1 route-map corporate in
switch(config-router-bgp)# neighbor 10.3.3.3 maximum-routes 5000
switch(config-router-bgp)# show active
router bgp 9
bgp log-neighbor-changes
neighbor bgpgroup1 peer group
neighbor bgpgroup1 route-map corporate in
neighbor bgpgroup1 maximum-routes 12000
neighbor 10.1.1.1 peer group bgpgroup1
neighbor 10.2.2.2 peer group bgpgroup1
neighbor 10.3.3.3 peer group bgpgroup1
neighbor 10.3.3.3 maximum-routes 5000
switch(config-router-bgp)#
switch(config-router-bgp)# no neighbor bgpgroup1 peer group
switch(config-router-bgp)# show active
router bgp 9
bgp log-neighbor-changes
neighbor 10.1.1.1 maximum-routes 12000
neighbor 10.2.2.2 maximum-routes 12000
neighbor 10.3.3.3 maximum-routes 5000
switch(config-router-bgp)#
Peer groups allow the user to apply settings to a group of BGP neighbors simultaneously. Once a peer group is created, the group name can be used as a parameter in neighbor configuration commands, and the configuration will be applied to all members of the group. Settings applied to an individual neighbor in the peer group override group settings.
The neighbor peer group (neighbor assignment) command is used to assign BGP neighbors to an existing static peer group. To create a static peer group, use the neighbor peer group (create) command. A neighbor can only belong to one peer group, so issuing this command for a neighbor that is already a member of another group will remove it from that group.
The no neighbor peer group and default neighbor peer group commands remove the specified neighbor from all peer groups. When a neighbor is removed from a peer group, the neighbor retains the configuration inherited from the peer group.
The no neighbor command removes all configuration commands for the specified neighbor.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor NEIGHBOR_ADDR peer group group_name
no neighbor NEIGHBOR_ADDR peer group
default neighbor NEIGHBOR_ADDR peer group
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor bgpgroup1 peer group
switch(config-router-bgp)# neighbor 10.1.1.1 peer group bgpgroup1
switch(config-router-bgp)# neighbor 10.2.2.2 peer group bgpgroup1
switch(config-router-bgp)# neighbor 10.3.3.3 peer group bgpgroup1
switch(config-router-bgp)# neighbor bgpgroup1 route-map corporate in
switch(config-router-bgp)#
switch(config-router-bgp)# no neighbor 10.1.1.1 peer group
switch(config-router-bgp)#
The neighbor remote-as command configures the expected AS Number for a neighbor (peer). This configuration is required to establish a static peer connection. Internal neighbors have the same AS Number (ASN); external neighbors have different ASNs.
When a static peer is using the neighbor local-as command to replace its local ASN with a configured ASN in OPEN messages, use the neighbor remote-as command to configure the switch to expect the configured ASN for that peer.
The no neighbor remote-as command applies the system default for the specified peer or peer group.
The default neighbor remote-as command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID remote-as as_id
no neighbor neighbor_ID remote-as
default neighbor neighbor_ID remote-as
Example
switch(config)# router bgp 64497
switch(config-router-bgp)# neighbor 10.4.3.10 remote-as 64500
switch(config-router-bgp)#
The neighbor remove-private-as command removes private autonomous system numbers from outbound routing updates for external BGP (eBGP) neighbors. When the Autonomous System (AS) path includes only private autonomous system numbers, the REMOVAL parameter specifies how the private autonomous system number is removed.
The no neighbor remove-private-as command applies the system default (preserves private AS numbers) for the specified peer.
The default neighbor remove-private-as command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID remove-private-as [REMOVAL]
no neighbor neighbor_ID remove-private-as
default neighbor neighbor_ID remove-private-as
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.11 remove-private-as
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.11 remove-private-as all replace-as
switch(config-router-bgp)#
By default, inbound BGP routes that are filtered out by the inbound policy are still stored on the switch. Because all routes are retained, this allows policies to be changed without the need to reset the BGP sessions. All routes received by the switch (including those that were filtered out by the inbound policy) can be seen by issuing the show ip bgp neighbor received-routes command.
The no neighbor rib-in pre-policy retain command configures the switch to discard those routes received from the specified neighbor (or peer group) that are filtered out by the inbound policy.
The neighbor rib-in pre-policy retain command restores the system default behavior (retaining routes from the specified neighbor or group regardless of inbound policy).
The default neighbor rib-in pre-policy retain command applies the system default (retaining policy-rejected routes) for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID rib-in pre-policy retain [all]
no neighbor neighbor_ID rib-in pre-policy retain
default neighbor neighbor_ID rib-in pre-policy retain
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# no neighbor 10.5.2.23 rib-in pre-policy retain
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# no neighbor 10.5.2.23 rib-in pre-policy retain all
switch(config-router-bgp)#
The neighbor route-map command applies a route map to inbound or outbound BGP routes. When a route map is applied to outbound routes, the switch will advertise only routes matching at least one section of the route map. Only one outbound route map and one inbound route map can be applied to a given neighbor. A new route map applied to a neighbor will replace the previous route map.
The no neighbor route-map command discontinues the application of the specified route map for the specified neighbor and direction. Removing a route map from one direction does not remove it from the other if it has been applied to both.
The default neighbor route-map command applies the system default (no route map) for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Router-BGP Address-Family Configuration
Command Syntax
neighbor neighbor_ID route-map map_name DIRECTION
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.11 route-map inner-map in
switch(config-router-bgp)#
Participating BGP routers within an AS communicate eBGP-learned routes to all of their peers, but to prevent routing loops they must not re-advertise iBGP-learned routes within the AS. To ensure that all members of the AS share the same routing information, a fully meshed network topology (in which each member router of the AS is connected to every other member) can be used, but this topology can result in high volumes of iBGP messages when it is scaled. Instead, in larger networks one or more routers can be configured as route reflectors.
A route reflector is configured to re-advertise routes learned through iBGP to a group of BGP neighbors within the AS (its clients), eliminating the need for a fully meshed topology.
The neighbor route-reflector-client command configures the switch to act as a route reflector and configures the specified neighbor as one of its clients. Additional clients are specified by re-issuing the command.
The no neighbor route-reflector-client and default neighbor route-reflector-client commands disable route reflection by deleting the neighbor route-reflector-client command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID route-reflector-client
no neighbor neighbor_ID route-reflector-client
default neighbor neighbor_ID route-reflector-client
Parameters
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.11 route-reflector-client
switch(config-router-bgp)#
The neighbor route-to-peer command allows BGP to establish a connection to reach the specified peer using kernel routing table information. By default, route-to-peer configuration is enabled for a peer or a peer group.
The no neighbor route-to-peer command prevents BGP from using kernel routing table information to establish a BGP connection to reach a peer. The default neighbor route-to-peer command enables route-to-peer configuration for a peer or a peer group by removing the corresponding no neighbor route-to-peer command from the running-config.
If the peer is directly connected, BGP instead uses ARP table or neighbor table information to establish a BGP connection to reach the peer.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID route-to-peer
no neighbor neighbor_ID route-to-peer
default neighbor neighbor_ID route-to-peer
Parameter
neighbor_ID neighbor’s IPv4 or IPv6 address or the peer group name.
Example
switch(config)# router bgp 64496
switch(config-router-bgp)# no neighbor 172.16.1.1 route-to-peer
switch(config-router-bgp)# neighbor 172.16.1.1 remote-as 100
switch(config-router-bgp)#
The neighbor send-community command configures the switch to include community path attributes for routes in the UPDATE messages advertised to the specified BGP neighbor. By default, the command enables the switch to send all community attributes: standard, extended, and large. To advertise only a subset of community attributes, use the keyword(s) for the community attribute(s) to be included. To add additional community attributes in a separate command, or to remove specific community attributes from advertised routes, use the neighbor send-community add / remove command.
The no neighbor send-community command applies the system default (not sending community attributes in BGP UPDATE messages) for the specified peer.
The default neighbor send-community command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID send-community [extended] [large] [standard]
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.23 send-community
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.24 send-community large
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.25 send-community standard large
switch(config-router-bgp)#
The neighbor send-community add / remove command modifies the types of community path attributes included for routes in the UPDATE messages advertised to the specified BGP neighbor without having to issue the no neighbor send-community command.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID send-community {add | remove} {extended | large | standard}
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.24 send-community large
switch(config-router-bgp)# neighbor 10.5.2.24 send-community add extended
switch(config-router-bgp)# show active
router bgp 9
neighbor 10.5.2.24 send-community extended large
neighbor 10.5.2.24 maximum-routes 12000
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.27 send-community extended large
switch(config-router-bgp)# neighbor 10.5.2.27 send-community remove large
switch(config-router-bgp)# show active
router bgp 600
neighbor 10.5.2.27 send-community extended
neighbor 10.5.2.27 maximum-routes 12000
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.28 send-community
switch(config-router-bgp)# neighbor 10.5.2.28 send-community remove large
switch(config-router-bgp)# show active
router bgp 600
neighbor 10.5.2.28 send-community
neighbor 10.5.2.28 maximum-routes 12000
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.29 send-community large
switch(config-router-bgp)# neighbor 10.5.2.28 send-community remove large
switch(config-router-bgp)# show active
router bgp 600
neighbor 10.5.2.29 send-community
neighbor 10.5.2.29 maximum-routes 12000
switch(config-router-bgp)#
The neighbor send-community link-bandwidth command is used to locally regenerate the link-bandwidth value to be advertised to a specific BGP neighbor or peer group. When this command is configured the regenerated link-bandwidth value is included in the extended community path attribute in UPDATE messages.
This command is used specifically for local regeneration of the link-bandwidth value. To send an explicitly configured link-bandwidth value, add an extended community to a route map instead (see set extcommunity (route-map)) and include extended community attributes in UPDATE messages sent to that neighbor.
The no neighbor send-community command applies the system default (not sending community attributes in BGP UPDATE messages) for the specified peer.
The default neighbor send-community command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID send-community link-bandwidth {aggregate [reference_speed] | divide {equal | ratio}}
no neighbor neighbor_ID send-community
default neighbor neighbor_ID send-community
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor idaho send-community link-bandwidth divide ratio
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.24 send-community link-bandwidth aggregate 20G
switch(config-router-bgp)#
The neighbor shutdown command disables the specified neighbor. Disabling a neighbor also terminates all of its active sessions and removes associated routing information.
The no neighbor shutdown command enables the specified peer.
The default neighbor shutdown command enables individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID shutdown reason REASON
Parameter
neighbor_ID neighbor’s IPv4 or IPv6 address or peer group name.
Examples
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.23 shutdown
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.5.2.23 shutdown reason Planned upgrade
switch(config-router-bgp)#
The hold time must be at least 3 seconds and should be three times longer than the keepalive setting.
The no neighbor timers command applies the system default for the specified peer or group (the timers specified by the timers bgp command).
The default neighbor timers command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID timers keep_alive hold_time
no neighbor neighbor_ID timers
default neighbor neighbor_ID timers
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.24.15.9 timers 30 90
switch(config-router-bgp)#
The neighbor ttl maximum-hops command configures the Generalized TTL Security Mechanism (GTSM) for the specified neighbor(s).
The no neighbor ttl maximum-hops command disables the GTSM configuration in the specified neighbor.
The default neighbor ttl maximum-hops command applies the system default configuration for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID ttl maximum-hops hop_number
no neighbor neighbor_ID ttl maximum-hops
default neighbor neighbor_ID ttl maximum-hops
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.20.20.30 ttl maximum-hops 4
switch(config-router-bgp)#
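The maximum-routes, password, peer group and ttl maximum-hops entries above can be checked together against saved show active or running-config text. The following Python script is an added example, not Arista code: it resolves peer-group inheritance (an individual neighbor's setting overrides the group's) and lists, per neighbor, the protections that are absent. The sample configuration, the function names and the finding labels are constructed for illustration.

```python
"""Audit BGP neighbor hardening in saved 'show active' / running-config text."""
import re

DEFAULT_MAX_ROUTES = 12000  # system default stated on this page
NEIGHBOR = re.compile(r"^neighbor\s+(\S+)\s+(.+)$")

# Constructed sample in the layout of the page's "show active" output.
# Encrypt level 7 and the key string are placeholders, not real values.
SAMPLE_CONFIG = """\
router bgp 9
   bgp log-neighbor-changes
   neighbor bgpgroup1 peer group
   neighbor bgpgroup1 password 7 CONSTRUCTED-PLACEHOLDER
   neighbor bgpgroup1 ttl maximum-hops 1
   neighbor bgpgroup1 maximum-routes 12000
   neighbor 10.1.1.1 peer group bgpgroup1
   neighbor 10.2.2.2 peer group bgpgroup1
   neighbor 10.2.2.2 maximum-routes 0
   neighbor 10.3.3.3 remote-as 64500
   neighbor 10.3.3.3 maximum-routes 5000
   neighbor 10.4.4.4 remote-as 64501
   neighbor 10.4.4.4 ttl maximum-hops 4
"""


def parse_neighbors(config_text):
    """Return (groups, neighbors): name -> dict of the settings audited here."""
    entries = []
    for line in config_text.splitlines():
        m = NEIGHBOR.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).split()))

    # Pass 1: "neighbor NAME peer group" with nothing after it creates a group.
    groups = {name: {} for name, rest in entries if rest == ["peer", "group"]}
    neighbors = {}

    # Pass 2: attach each setting to the group or the individual neighbor.
    for name, rest in entries:
        if rest == ["peer", "group"]:
            continue
        target = groups[name] if name in groups else neighbors.setdefault(name, {})
        if rest[:2] == ["peer", "group"]:
            # A neighbor belongs to one group only; a later line replaces it.
            target["peer-group"] = rest[2]
        elif rest[0] == "password":
            # Record presence only. The page says the stored form must be
            # treated like plain text, so the key is never kept or printed.
            target["password"] = True
        elif rest[:2] == ["ttl", "maximum-hops"] and len(rest) == 3:
            target["ttl-maximum-hops"] = int(rest[2])
        elif rest[0] == "maximum-routes" and len(rest) >= 2:
            target["maximum-routes"] = int(rest[1])
    return groups, neighbors


def effective_settings(groups, neighbors):
    """Overlay each neighbor's own settings on those of its peer group."""
    result = {}
    for addr, own in neighbors.items():
        merged = dict(groups.get(own.get("peer-group"), {}))
        merged.update(own)  # individual settings override group settings
        result[addr] = merged
    return result


def audit(config_text):
    """Return {neighbor: [finding, ...]} for neighbors with gaps to review."""
    groups, neighbors = parse_neighbors(config_text)
    findings = {}
    for addr, settings in effective_settings(groups, neighbors).items():
        issues = []
        if not settings.get("password"):
            issues.append("no-password")       # TCP session not authenticated
        if "ttl-maximum-hops" not in settings:
            issues.append("no-gtsm")           # GTSM not configured
        if settings.get("maximum-routes", DEFAULT_MAX_ROUTES) == 0:
            issues.append("unlimited-routes")  # zero removes the route limit
        if issues:
            findings[addr] = issues
    return findings


if __name__ == "__main__":
    for addr, issues in audit(SAMPLE_CONFIG).items():
        print(f"{addr}: {', '.join(issues)}")
```
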
The neighbor update-source command specifies the interface that BGP sessions use for TCP connections. By default, BGP sessions use the neighbor’s closest interface (also known as the best local address).
The no neighbor update-source command applies the system default (using best local address for TCP connections) for the specified peer or group.
The default neighbor update-source command applies the system default for individual neighbors and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID update-source INTERFACE
no neighbor neighbor_ID update-source
default neighbor neighbor_ID update-source
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.2.2.14 update-source ethernet 10
switch(config-router-bgp)#
The neighbor weight command assigns a weight attribute value to paths from the specified neighbor. Weight is the first parameter that the BGP best-path selection algorithm considers. When multiple paths to a destination prefix exist, the best-path selection algorithm prefers the path with the highest weight. Other attributes are used only when all paths to the prefix have the same weight.
Weight values range from 0 to 65535 and are not propagated to other switches through route updates. The default weight for paths that the router originates is 32768; the default weight for routes received through BGP is 0.
A path’s BGP weight is also configurable through route maps. Weight values set through route-map commands have precedence over neighbor weight command values.
The no neighbor weight command applies the system default (32768 for router-originated paths, 0 for routes received through BGP) for the specified peer or group.
The default neighbor weight command applies the system default for individual neighbors, and applies the peer group’s setting for neighbors that are members of a peer group.
The no neighbor command removes all configuration commands for the neighbor at the specified address.
Command Mode
Router-BGP Configuration
Command Syntax
neighbor neighbor_ID weight weight_value
no neighbor neighbor_ID weight
default neighbor neighbor_ID weight
Example
switch(config)# router bgp 9
switch(config-router-bgp)# neighbor 10.1.2.5 weight 4000
switch(config-router-bgp)#
The network command specifies a network for advertisement through UPDATE packets to BGP peers. The configuration zeros the host portion of the specified network address; for example, 192.0.2.4/24 is stored as 192.0.2.0/24. A route map option is available for assigning attributes to the network.
The no network and default network commands remove the network from the routing table, preventing its advertisement.
Command Mode
Router-BGP Configuration
Router-BGP Address-Family Configuration
Command Syntax
network NET_ADDRESS [ROUTE_MAP]
no network NET_ADDRESS
default network NET_ADDRESS
Example
switch(config)# router bgp 9
switch(config-router-bgp)# network 10.1.2.5/24
switch(config-router-bgp)#
The no neighbor command removes all neighbor configuration commands for the specified neighbor.
Neighbor settings can also be removed individually; refer to the command description page of the desired command for details. Neighbor settings for a peer group must be removed individually.
Command Mode
Router-BGP Configuration
Command Syntax
no neighbor neighbor_ID
default neighbor neighbor_ID
Parameter
neighbor_ID neighbor’s IPv4 or IPv6 address. This command does not accept a peer group name as an argument; peer group settings must be removed individually.
Example
switch(config)# router bgp 9
switch(config-router-bgp)# no neighbor 10.1.1.1
switch(config-router-bgp)#
The peer-filter command creates a peer filter group and places the switch in peer-filter configuration mode for that group. The peer-filter group parameters are defined using the match as-range command.
The no peer-filter and default peer-filter commands remove the peer-filter group from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
peer-filter filter_name
no peer-filter filter_name
default peer-filter filter_name
Parameters
filter_name name of the peer filter.
Example
switch(config-router-bgp)# peer-filter group1
switch(config-peer-filter-group1)#
The rd command adds a Route Distinguisher (RD) to VRF and VNI configuration modes. RDs internally identify routes belonging to a VRF or VNI to distinguish overlapping or duplicate IP address ranges. This allows the creation of distinct routes to the same IP address for different VPNs. The RD is a 64-bit number made up of an AS number or IPv4 address followed by a user-selected ID number.
If the switch is not running EVPN, an RD is not required for a VRF or VNI to function. Use the no or default form of the command to remove an RD from a VRF or VNI.
Command Modes
Router-BGP VRF Configuration
Router-BGP VNI Configuration
Command Syntax
rd admin_ID:local_assignment
no rd
default rd
Examples
switch(config)# router bgp 50
switch(config-router-bgp)# vrf purple
switch(config-router-bgp-vrf-purple)# rd 530:12
switch(config-router-bgp-vrf-purple)#
cvx(config)# router bgp 100
cvx(config-router-bgp)# vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)# rd 530:12
cvx(config-macvrf-bundle1)#
The redistribute command enables the redistribution of specified routes to the BGP domain.
The no redistribute and default redistribute commands disable route redistribution from the specified domain by removing the corresponding redistribute command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
redistribute ROUTE_TYPE [ROUTE_MAP]
no redistribute ROUTE_TYPE
default redistribute ROUTE_TYPE
Examples
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute ospf
switch(config-router-bgp)#
switch(config)# router bgp 1
switch(config-router-bgp)# address-family ipv4
switch(config-router-bgp-af)# redistribute isis level-1 route-map isis-to-bgp-v4
switch(config-router-bgp-af)#
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute isis level-1 route-map isis-to-bgp
switch(config-router-bgp)#
The rib fib fec ecmp ordered command enforces the ordering of next hops, as determined by the protocol agents, in the FEC programmed for the route.
The no rib fib fec ecmp ordered command removes the Ordered FEC configuration from the running-config.
Command Mode
Router General Configuration Mode
Command Syntax
rib fib fec ecmp ordered
no rib fib fec ecmp ordered
Example
switch(config)# router general
switch(config-router-general)# rib fib fec ecmp ordered
switch(config-router-general)#
The router bgp command places the switch in router-BGP configuration mode. If BGP was not previously instantiated, this command creates a BGP instance with the specified AS number. Router-BGP configuration mode is not a group-change mode; running-config is changed immediately after commands are executed. The exit command does not affect the configuration.
When a BGP instance exists, the command must include the AS number of the existing BGP instance. Running this command with a different AS number generates an error message.
The no router bgp and default router bgp commands delete the BGP instance.
The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
router bgp as_id
no router bgp
default router bgp
Parameters
as_id Autonomous System (AS) number. Values range from 1 to 4294967295.
Examples
switch(config)# router bgp 64500
switch(config-router-bgp)#
switch(config)# router bgp 64501
% BGP is already running with AS number 64500
switch(config)#
switch(config-router-bgp)# exit
switch(config)#
switch(config)# no router bgp
switch(config)#
The router-id command sets the local router BGP router ID.
The no router-id and default router-id commands remove the router-id command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
router-id id_num
no router-id [id_num]
default router-id [id_num]
Parameter
id_num router ID number (32-bit dotted decimal notation).
Example
switch(config)# router bgp 9
switch(config-router-bgp)# router-id 10.10.4.11
switch(config-router-bgp)#
Large communities are an optional transitive attribute of variable length. There are no predefined large-community types or values. Large communities may be configured alongside standard and extended communities within route-maps using additional configuration commands.
Large community values (aa:nn:nn) must consist of three decimal values, each in the range 0-4294967295. All three sub-values of a large community value must be present. AS-plain and AS-dot notation are supported for the leading ASN value.
The no and default versions of the command return the command to the original configuration.
Command Mode
Route map configuration
Command Syntax
set large-community [large-community-list LIST1 [[LIST2] [additive | delete]]]
no set large-community [large-community-list LIST1 [[LIST2] [additive | delete]]]
default set large-community [large-community-list LIST1 [[LIST2] [additive | delete]]]
Parameters
switch(config)# route-map LC permit 10
switch(config-route-map-LC)# set large-community 10.10:20:30 40.40:50:60 1000:80:90
switch(config)# route-map LC permit 10
switch(config-route-map-LC)# set large-community 50:50:50 51:51:51 additive
switch(config)# route-map LC permit 10
switch(config-route-map-LC)# set large-community 60:60:60 61:61:61 delete
switch(config)# ip large-community-list LC_1 permit 10:20:30 40:50:60
switch(config)# ip large-community-list LC_2 permit 70:80:90
switch(config)# route-map LC permit 10
switch(config-map-LC)# match large-community LC_1 LC_2 exact_match
switch(config-map-LC)# set local-pref 111
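A pre-deployment check for the large community value format described above, added here as an example (it is not Arista code). It validates literal values on a set large-community line and normalizes an AS-dot leading ASN to AS-plain; the function names are hypothetical, AS-dot is assumed to be high.low with 16-bit halves, and the large-community-list form of the command is not handled.

```python
MAX_U32 = 4294967295  # upper bound of each sub-value, from the text above


class LargeCommunityError(ValueError):
    """A value that does not satisfy the aa:nn:nn format."""


def _decimal(text, what, upper=MAX_U32):
    # ASCII decimal digits only: rejects signs, hex, spaces and empty fields.
    if not (text.isascii() and text.isdigit()):
        raise LargeCommunityError(f"{what} {text!r} is not a decimal number")
    value = int(text)
    if value > upper:
        raise LargeCommunityError(f"{what} {value} exceeds {upper}")
    return value


def _leading_asn(text):
    # AS-plain is a single decimal; AS-dot is high.low with 16-bit halves
    # (assumed convention), which maps to high * 65536 + low.
    if "." not in text:
        return _decimal(text, "ASN")
    halves = text.split(".")
    if len(halves) != 2:
        raise LargeCommunityError(f"ASN {text!r} is not AS-plain or AS-dot")
    high = _decimal(halves[0], "AS-dot high half", 0xFFFF)
    low = _decimal(halves[1], "AS-dot low half", 0xFFFF)
    return (high << 16) | low


def parse_large_community(value):
    """Return (asn, nn1, nn2) as integers, or raise LargeCommunityError."""
    fields = value.split(":")
    if len(fields) != 3:
        raise LargeCommunityError(f"{value!r} needs exactly three sub-values")
    return (_leading_asn(fields[0]),
            _decimal(fields[1], "sub-value"),
            _decimal(fields[2], "sub-value"))


def check_set_line(line):
    """Check one 'set large-community VALUE... [additive | delete]' line.

    Returns (values, modifier, errors); values are AS-plain tuples.
    """
    tokens = line.split()
    if tokens[:2] != ["set", "large-community"]:
        raise LargeCommunityError("not a 'set large-community' line")
    tokens = tokens[2:]
    modifier = None
    if tokens and tokens[-1] in ("additive", "delete"):
        modifier = tokens.pop()
    values, errors = [], []
    for token in tokens:
        try:
            values.append(parse_large_community(token))
        except LargeCommunityError as exc:
            errors.append(str(exc))
    return values, modifier, errors


# The three 'set large-community' lines from the examples on this page.
PAGE_LINES = [
    "set large-community 10.10:20:30 40.40:50:60 1000:80:90",
    "set large-community 50:50:50 51:51:51 additive",
    "set large-community 60:60:60 61:61:61 delete",
]

if __name__ == "__main__":
    for line in PAGE_LINES:
        print(check_set_line(line))
```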
The show bgp labeled-unicast tunnel command displays the contents of the BGP Labeled-Unicast (LU) tunnel table. Optionally specify a tunnel index to display information for that single tunnel.
Command Mode
EXEC
Command Syntax
show bgp labeled-unicast tunnel tunnel_index
Parameters
tunnel_index index to view single tunnel information.
switch# show bgp labeled-unicast tunnel
Index Endpoint Nexthop Interface Labels Contributing Metric Metric 2 Pref Pref 2
----- ---------- -------- ----------- --------------- ------------ ------ -------- ---- ------
5 2.0.0.0/24 10.1.1.2 'Ethernet3' [ 123 899 900 ] Yes 0 100 200 0
6 2.0.1.0/24 10.1.1.2 'Ethernet3' [ 400 500 600 ] Yes 0 100 200 0
7 2.0.2.0/24 10.1.1.2 'Ethernet3' [ 400 500 600 ] Yes 0 100 200 0
switch#
switch# show bgp labeled-unicast tunnel 4
Index Endpoint Nexthop/Tunnel Index Interface Labels Contributing Metric Metric 2 Pref Pref 2
------ --------------- ---------------------- --------------- -------- ------------ ------ --------- ----- ------
4 10.253.0.10/32 10.1.0.0 Port-Channel111 [ 3 ] Yes 0 0 200 0
switch#
The show bgp convergence command displays information about the Border Gateway Protocol (BGP) convergence state and other statistics about the BGP instance in the specified VRF or in all VRFs.
Command Mode
EXEC
Command Syntax
show bgp convergence [VRF_INSTANCE]
Parameters
switch# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:02:30
Configured convergence slow peer timeout: 00:00:55
Convergence based update synchronization is enabled
Last Bgp convergence event : None
Bgp convergence state : Not Initiated (Waiting for the first peer to join)
Convergence timer is not running
Convergence timeout in use: 00:02:30
Convergence slow peer timeout in use: 00:00:55
First peer is not up yet
All the expected peers are up: no
All IGP protocols have converged: yes
Outstanding EORs: 0, Outstanding Keepalives: 0
Pending Peers: 2
Total Peers: 2
Established Peers: 0
Disabled Peers: 0
Peers that have not converged yet:
IPv4 peers:
201.1.1.1 (Session : Connect)
202.1.1.1 (Session : Connect)
IPv6 peers:
None
switch#
switch# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:02:30
Configured convergence slow peer timeout: 00:00:55
Convergence based update synchronization is enabled
Last Bgp convergence event 00:00:40 ago
Bgp convergence state : Pending (Waiting for EORs/Keepalives from peer(s) and IGP
convergence)
Convergence timer running, will expire in 00:01:50
Convergence timeout in use: 00:02:30
Convergence slow peer timeout in use: 00:00:55
First peer came up 00:00:13 ago
All the expected peers are up: no
All IGP protocols have converged: yes
Outstanding EORs: 0, Outstanding Keepalives: 0
Pending Peers: 1
Total Peers: 2
Established Peers: 1
Disabled Peers: 0
Peers that have not converged yet:
IPv4 peers:
201.1.1.1 (Session : Active)
IPv6 peers:
None
switch#
switch# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:02:30
Configured convergence slow peer timeout: 00:00:55
Convergence based update synchronization is enabled
Last Bgp convergence event 00:02:44 ago
Bgp convergence state : Timeout reached
Time taken to converge 00:02:30
Pending Peers: 1
Total Peers: 2
Established Peers: 1
Disabled Peers: 0
Peers that did not converge before local bgp convergence:
IPv4 peers:
201.1.1.1 (Session : Active)
202.1.1.1 (Session : Established)
IPv6 peers:
None
switch#
switch# show bgp convergence
BGP Convergence information for VRF: default
Configured convergence timeout: 00:05:00
Configured convergence slow peer timeout: 00:01:30
Convergence based update synchronization is enabled
Last Bgp convergence event 00:00:05 ago
Bgp convergence state : Converged
Time taken to converge 00:00:02
First peer came up 00:00:05 ago
Pending Peers: 0
Total Peers: 3
Established Peers: 3
Disabled Peers: 0
Peers that did not converge before local bgp convergence:
IPv4 peers:
None
IPv6 peers:
None
switch#
The show bgp flow-spec ipv4 command displays a brief description of each flowspec rule, including the matching rule and actions.
Command Mode
EXEC
Command Syntax
show bgp flow-spec [ipv4 | ipv6] [summary | detail] [vrf VRFNAME]
Related Command
The show bgp flow-spec ipv4 summary command displays the count of flowspec rules received from each peer:
switch(config)# show bgp flow-spec ipv4 summary
BGP summary information for VRF default
Router identifier 0.0.0.1, local AS number 10
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State RulesRcd RulesAcc
10.0.0.2 4 10 12 4 0 0 00:02:18 Estab 2 2
10.0.1.2 4 10 6 4 0 0 00:02:18 Estab 0 0
switch(config)# show bgp flow-spec ipv4 detail
BGP Flow Specification rules for VRF default
Router identifier 0.0.0.1, local AS number 10
BGP Flow Specification Matching Rule for 10.2.3.0/24;*;
Rule identifier: 3882065752
Matching Rule:
Destination Prefix: 10.2.3.0/24
Source Prefix: *
Paths: 1 available
Local
from 10.0.0.2 (10.1.1.2)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Actions: Drop
BGP Flow Specification Matching Rule for 10.2.4.0/24;10.2.0.0/16;IP:=6|=17;DP:>1010&<1024;
Rule identifier: 3882090640
Matching Rule:
Destination Prefix: 10.2.4.0/24
Source Prefix: 10.2.0.0/16
IP Protocol: =6 | =17
Destination Port: >1010 & <1024
Paths: 1 available
Local
from 10.0.0.2 (10.1.1.2)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Actions: Drop
The show bgp instance command displays summary Border Gateway Protocol (BGP) information about the BGP instance in the specified VRF or in all VRFs.
Command Mode
EXEC
Command Syntax
show bgp instance [VRF_INSTANCE]
Parameters
switch# show bgp instance
BGP instance information for VRF purple
BGP Local AS: 64497, Router ID: 1.2.3.5
Total peers: 5
Configured peers: 3
UnConfigured peers: 2
Disabled peers: 0
Established peers: 3
Graceful restart helper mode enabled
End of rib timer timeout: 00:05:00
BGP Convergence timer is inactive
BGP Convergence information:
BGP has converged:no
Outstanding EORs:0,Outstanding Keepalives: 0
Convergence timeout: 00:10:00
switch#
switch# show bgp instance vrf default
BGP instance information for VRF default
BGP Local AS: 64503, Router ID: 1.2.3.5
Total peers: 1
Configured peers: 1
UnConfigured peers: 0
Disabled peers: 0
Established peers: 0
Graceful restart helper mode enabled
End of rib timer timeout: 00:05:00
BGP Convergence timer is inactive
BGP Convergence information:
BGP has converged:no
Outstanding EORs:0,Outstanding Keepalives: 0
Convergence timeout: 00:10:00
switch#
The show bgp neighbors history command stores and displays a list of failed BGP connection attempts for each peer. This may be particularly useful when troubleshooting flapping connections. If dynamic peering is enabled, the failure history is retained even after the peers are no longer present.
Command Mode
EXEC
Command Syntax
show bgp neighbors [PEER | PREFIX | peer-group PEER_GROUP] history [connect-failures][vrf VRF]
Guidelines
switch# clear bgp [PEER|PREFIX|peer-group PEER_GROUP] history [connect-failures][vrf VRF]
If no peer, prefix, or peer-group is supplied, this command will clear the history for all peers in the specified VRF.
Related Command
Example
switch> show bgp neighbors history
1.1.1.2 VRF default
Type AS Time Event
Static 65538 Mon 2019-05-13 04:16:24 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:31 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:39 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:47 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:55 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:17:03 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:18:17 bad AS number
Static 65538 Mon 2019-05-13 04:19:40 bad AS number
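Triage logic for this history output, added here as an example (it is not part of EOS). It parses the rows, counts events per peer and VRF, and flags AS-number mismatches and bursts of connect failures; the function names, the flag names and the default thresholds are assumptions, and the row layout is taken from the sample output above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Output copied from the example on this page.
SAMPLE = """\
1.1.1.2 VRF default
Type AS Time Event
Static 65538 Mon 2019-05-13 04:16:24 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:31 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:39 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:47 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:16:55 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:17:03 Connect (No route to host)
Static 65538 Mon 2019-05-13 04:18:17 bad AS number
Static 65538 Mon 2019-05-13 04:19:40 bad AS number
"""

PEER_RE = re.compile(r"^(?P<peer>\S+)\s+VRF\s+(?P<vrf>\S+)$")
ROW_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<asn>\d+)\s+[A-Za-z]{3}\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\s+(?P<event>.+)$"
)


def parse_history(text):
    """Return (peer, vrf, peer_type, asn, timestamp, event) for each row."""
    rows, current = [], None
    for line in text.splitlines():
        line = line.strip()
        peer = PEER_RE.match(line)
        if peer:
            current = (peer["peer"], peer["vrf"])
            continue
        row = ROW_RE.match(line)
        if row and current:  # the column header line matches neither pattern
            stamp = " ".join(row["ts"].split())
            ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            rows.append((*current, row["type"], int(row["asn"]), ts,
                         row["event"].strip()))
    return rows


def max_burst(timestamps, window):
    """Largest number of events that fall inside any one sliding window."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(rows, burst=5, window=timedelta(minutes=2)):
    """Summarise failures per (peer, vrf) and flag patterns worth a look."""
    per_peer = {}
    for peer, vrf, _type, _asn, ts, event in rows:
        entry = per_peer.setdefault((peer, vrf),
                                    {"events": Counter(), "connects": []})
        entry["events"][event] += 1
        if event.startswith("Connect"):
            entry["connects"].append(ts)
    report = {}
    for key, entry in per_peer.items():
        flags = []
        # AS number mismatch during session setup: check the configured
        # remote AS and which device is answering on that address.
        if entry["events"]["bad AS number"]:
            flags.append("as-mismatch")
        peak = max_burst(entry["connects"], window)
        if peak >= burst:
            flags.append("connect-failure-burst")
        report[key] = {"events": dict(entry["events"]),
                       "peak_connects": peak, "flags": flags}
    return report


if __name__ == "__main__":
    for key, summary in triage(parse_history(SAMPLE)).items():
        print(key, summary)
```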
The show bgp update-group command displays how peers are grouped into update groups and can be used to verify that peers with different RCF functions with identical contents are grouped together.
Command Mode
EXEC
Command Syntax
show bgp update-group
Examples
switch# show bgp update-group
switch#
The show flow-spec command displays an overall status of how many flowspec rules were received and how many were installed.
Command Mode
EXEC
Command Syntax
show flow-spec (ipv4 | ipv6) [summary][vrf VRFNAME]
Related Command
switch(config)# show flow-spec ipv4 summary
Flow specification rules summary for VRF default
Total number of rules: 2
Number of installed rules: 2
switch(config)# show flow-spec ipv4
Flow specification rules for VRF default
Applied on: Ethernet47/1
Flow-spec rule: 10.2.3.0/24;*;
Rule identifier: 3882065752
Matches:
Destination prefix: 10.2.3.0/24
Actions:
Police: 80 Mbps (10 MBps)
Redirect: VRF customer1
Route via LDP tunnel index 4, MPLS label 100123
Route via LDP tunnel index 1, MPLS label 116507
Status:
Installed: yes
Counter: 312 packets
Flow-spec rule: 10.2.4.0/24;10.2.0.0/16;IP:=6|=17;DP:>1010&<1024;
Rule identifier: 3882090640
Matches:
Destination prefix: 10.2.4.0/24
Source prefix: 10.2.0.0/16
Next protocol: 17
6
Destination port: 1011-1023
Actions:
Police: 80 Mbps (10 MBps)
Redirect: VRF customer1
Route via LDP tunnel index 4, MPLS label 100123
Route via LDP tunnel index 1, MPLS label 116507
Status:
Installed: yes
Counter: 0 packets
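A parser for the flow-spec rule strings shown by show bgp flow-spec and show flow-spec, added here as an example (it is not Arista code). It turns the match string into prefixes and inclusive ranges, as in the installed rule's "Destination port: 1011-1023", and tests whether a given packet tuple falls under a rule; the field layout is inferred from the two sample strings on this page, only the IP and DP components and the =, > and < operators seen there are handled, and the function names are hypothetical.

```python
import ipaddress

# Component keys seen in the rule strings on this page, with value bounds.
KNOWN_COMPONENTS = {"IP": ("ip_protocol", 255), "DP": ("destination_port", 65535)}

# The two rule strings from the sample output on this page.
SAMPLE_RULES = [
    "10.2.3.0/24;*;",
    "10.2.4.0/24;10.2.0.0/16;IP:=6|=17;DP:>1010&<1024;",
]


def expr_to_ranges(expr, upper):
    """Turn '=6|=17' or '>1010&<1024' into sorted inclusive (low, high) ranges."""
    ranges = []
    for alternative in expr.split("|"):       # '|' separates alternatives (OR)
        low, high = 0, upper
        for term in alternative.split("&"):   # '&' joins constraints (AND)
            if len(term) < 2 or term[0] not in "=<>" or not term[1:].isdigit():
                raise ValueError(f"unsupported term {term!r} in {expr!r}")
            number = int(term[1:])
            if number > upper:
                raise ValueError(f"{number} is above the field maximum {upper}")
            if term[0] == "=":
                low, high = max(low, number), min(high, number)
            elif term[0] == ">":
                low = max(low, number + 1)
            else:
                high = min(high, number - 1)
        if low <= high:                       # drop contradictory conjunctions
            ranges.append((low, high))
    return sorted(ranges)


def parse_rule(rule):
    """Parse 'dst;src;[KEY:expr;]...' into prefixes and per-field ranges."""
    fields = rule.split(";")
    if len(fields) < 3 or fields[-1] != "":
        raise ValueError("expected 'dst;src;' followed by 'KEY:expr;' items")
    dst, src, components = fields[0], fields[1], fields[2:-1]
    parsed = {
        "destination": None if dst == "*" else ipaddress.ip_network(dst),
        "source": None if src == "*" else ipaddress.ip_network(src),
    }
    for component in components:
        key, sep, expr = component.partition(":")
        if not sep or key not in KNOWN_COMPONENTS:
            raise ValueError(f"unknown component {component!r}")
        name, upper = KNOWN_COMPONENTS[key]
        parsed[name] = expr_to_ranges(expr, upper)
    return parsed


def rule_matches(parsed, dst, src, protocol, dport):
    """True if a packet with these header values falls under the rule."""
    def in_net(net, addr):
        return net is None or ipaddress.ip_address(addr) in net

    def in_ranges(name, value):
        ranges = parsed.get(name)             # an absent component matches any
        return ranges is None or any(lo <= value <= hi for lo, hi in ranges)

    return (in_net(parsed["destination"], dst)
            and in_net(parsed["source"], src)
            and in_ranges("ip_protocol", protocol)
            and in_ranges("destination_port", dport))


if __name__ == "__main__":
    for text in SAMPLE_RULES:
        print(text, "->", parse_rule(text))
```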
The show ip as-path access-list command displays BGP filters on the switch. Specifying an access list displays the statements from that access list. Entering the command without parameters displays the statements from all access lists on the switch.
Command Mode
EXEC
Command Syntax
show ip as-path access-list [list_name]
Parameters
list_name the name of an AS path access list.
Example
switch# show ip as-path access-list list1
ip as-path access-list list1 deny _3$
ip as-path access-list list1 permit .*
switch#
Command Mode
EXEC
Command Syntax
show ip bgp [FILTER][VRF_INSTANCE]
Guidelines
You must provide the IPv4 prefix in CIDR notation.
switch# show ip bgp
BGP routing table information for VRF default
Router identifier 0.0.0.1, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > L 2.0.0.1/32 1.1.1.2 0 100 0 300 i
* # 2.0.0.1/32 1.0.0.2 0 100 0 200 ?
* > L 2.0.0.2/32 1.1.1.2 0 100 0 300 i
* # 2.0.0.2/32 1.0.0.2 0 100 0 200 ?
* > L 2.0.0.3/32 1.1.1.2 0 100 0 300 i
* # 2.0.0.3/32 1.0.0.2 0 100 0 200 ?
* > L 2.0.0.4/32 1.1.1.2 0 100 0 300 i
* # 2.0.0.4/32 1.0.0.2 0 100 0 200 ?
* > L 2.0.0.5/32 1.1.1.2 0 100 0 300 i
* # 2.0.0.5/32 1.0.0.2 0 100 0 200 ?
switch#
switch# show ip bgp
BGP routing table information for VRF default
Router identifier 0.0.0.1, local AS number 100
BGP routing table entry for 2.0.0.1/32
Paths: 2 available
300
1.1.1.2 labels [ 101 102 103 104 ] from 1.1.1.2 (1.1.1.2)
Origin IGP, metric 0, localpref 100, weight 0, valid, external, best
Rx path id: 0x0
200
1.0.0.2 from 1.0.0.2 (0.0.1.1)
Origin INCOMPLETE, metric 0, localpref 100, weight 0, valid, external,
not installed (labeled-route present)
switch#
switch# show ip bgp 10.100.1.0/24
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
BGP routing table entry for 10.100.1.0/24
Paths: 1 available
64496 64497 65536
10.1.0.100 from 10.1.0.100 (10.0.0.100)
Origin IGP, metric 0, localpref 100, IGP metric 1, weight 0, received
01:57:33 ago, valid, external, best
Community: 655:23590 64496:1000
Rx SAFI: Unicast
switch#
switch# show ip bgp detail
BGP routing table information for VRF default
Router identifier 0.0.0.1, local AS number 100
BGP routing table entry for 2.0.0.1/32
Paths: 2 available
200
1.0.0.2 from 1.0.0.2 (0.0.1.1)
Origin INCOMPLETE, metric 0, localpref 100, weight 0, valid, external, best
300
1.1.1.2 labels [ 101 102 103 104 ] from 1.1.1.2 (1.1.1.2)
Origin IGP, metric 0, localpref 100, weight 0, valid, external
Rx path id: 0x0
Rx SAFI: Labels
Tunnel RIB eligible
switch#
switch# show ip bgp 10.105.1.1/24 detail
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status: [a.b.c.d] - Route is queued for advertisement to peer.
BGP routing table entry for 10.105.1.0/24
Paths: 2 available
64510
10.2.0.101 from 10.2.0.101 (12.0.0.101)
Origin IGP, metric 0, localpref 100, IGP metric 1, weight 0, received
00:00:58 ago, valid, external, best
Rx SAFI: Unicast
64496
10.1.0.100 from 10.1.0.100 (10.0.0.100)
Origin INCOMPLETE, metric 42, localpref 100, IGP metric 1, weight 0, received
00:00:33 ago, valid, external
Rx SAFI: Unicast
Not best: Origin
Advertised to 2 peers:
peer-group EXTERNAL:
10.1.0.100
peer-group INTERNAL:
10.3.0.103
switch#
The show ip bgp community command displays Border Gateway Protocol (BGP) routing table entries, filtered by community.
Command Mode
EXEC
Command Syntax
show ip bgp community COMM_1 [COMM_2... COMM_n][MATCH_TYPE][DATA_OPTION][VRF_INSTANCE]
Guidelines
The interpretation of regular expressions is always based on string mode, not on the ACL configuration.
Example
switch# show ip bgp community 64496:1000 detail
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
BGP routing table entry for 10.100.1.0/24
Paths: 1 available
64496 64497 65536
10.1.0.100 from 10.1.0.100 (10.0.0.100)
Origin IGP, metric 0, localpref 100, IGP metric 1, weight 0, received 00:03:16 ago, valid, external, best
Community: 655:23590 64496:1000
Rx SAFI: Unicast
switch#
The show ip bgp installed command displays the list of installed routes in the RIB.
Command Mode
EXEC
Command Syntax
show ip bgp installed
Example
switch# show ip bgp installed
BGP routing table information for VRF default
Router identifier 1.0.0.2, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 6.0.0.0/24 1.0.0.1 0 100 0 ?
switch#
The show ip bgp neighbors (route type) command displays information for next-hop routes to a specified IPv4 neighbor. The show ip bgp neighbors (route-type) community command displays the same information for routes filtered by communities.
Commands that do not include a route type revert to the show ip bgp neighbors command.
Command Mode
EXEC
Command Syntax
show ip bgp neighbors neighbor_addr HOPDIRECT [FILTER] [VRF_INSTANCE]
show ip bgp neighbors neighbor_addr [ROUTE_TYPE] HOPDIRECT [detail]
Example
switch# show ip bgp neighbors 10.3.0.103 advertised-routes
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 10.1.0.0/24 10.3.0.102 - 100 - i
* > 10.2.0.0/24 10.3.0.102 - 100 - i
* > 10.3.0.0/24 10.3.0.102 - 100 - i
* > 10.100.0.0/24 10.1.0.100 200 100 - 64496 i
* > 10.100.1.0/24 10.1.0.100 - 100 - 64496 64497 65536 i
* > 10.100.2.0/24 10.1.0.100 42 100 - 64496 ?
* > 10.101.0.0/24 10.2.0.101 - 100 - 64510 i
* > 10.101.1.0/24 10.2.0.101 - 100 - 64510 i
* > 10.101.2.0/24 10.2.0.101 - 100 - 64510 i
switch#
The show ip bgp neighbors (route type) community command displays information for next-hop routes to a specified neighbor. Routes are filtered by community.
The show ip bgp neighbors (route type) command displays the same information for routes filtered by IP addresses and subnets.
Command Mode
EXEC
Command Syntax
show ip bgp neighbors addr RTE community CM_1 [CM_2...CM_n][MATCH][INFO][VRF_INST]
Related Commands
Example
switch# show ip bgp neighbors 10.3.0.103 advertised-routes community 655:23590
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 10.100.1.0/24 10.1.0.100 - 100 - 64496 64497 65536 i
switch#
The show ip bgp neighbors regexp command displays information for next-hop routes to a specified IPv4 neighbor that match the AS path attributes specified in the given regular expression.
Command Mode
EXEC
Command Syntax
show ip bgp neighbors addr RTE regexp as_paths [VRF_INST]
Example
switch# show ip bgp neighbors 10.3.0.103 advertised-routes regex ^64496$
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L = labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST -Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 10.100.0.0/24 10.1.0.100 200 100 - 64496 i
* > 10.100.2.0/24 10.1.0.100 42 100 - 64496 ?
switch#
The show ip bgp neighbors command displays Border Gateway Protocol (BGP) and TCP-session data for a specified IPv4 BGP neighbor, or for all IPv4 BGP neighbors if an address is not specified.
Command Mode
EXEC
Command Syntax
show ip bgp neighbors [NEIGHBOR_ADDR] [VRF_INSTANCE]
switch# show ip bgp neighbors 10.1.0.100
BGP neighbor is 10.1.0.100, remote AS 64496, external link
BGP version 4, remote router ID 10.0.0.100, VRF default
Inherits configuration from and member of peer-group EXTERNAL
Negotiated BGP version 4
Member of update group 3
Last read 00:00:17, last write 00:00:18
Hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Connect timer is inactive
Idle-restart timer is inactive
BGP state is Established, up for 00:05:17
Number of transitions to established: 1
Last state was OpenConfirm
Last event was RecvKeepAlive
Neighbor Capabilities:
Multiprotocol IPv4 Unicast: advertised and received and negotiated
Four Octet ASN: advertised and received and negotiated
Route Refresh: advertised and received and negotiated
Send End-of-RIB messages: advertised and received and negotiated
Additional-paths recv capability:
IPv4 Unicast: advertised
Additional-paths send capability:
IPv4 Unicast: received
Restart timer is inactive
End of rib timer is inactive
Message Statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 4
Keepalives: 7 7
Route-Refresh: 0 0
Total messages: 12 12
Prefix Statistics:
Sent Rcvd
IPv4 Unicast: 9 4
IPv6 Unicast: 0 0
IPv4 SR-TE: 0 0
IPv6 SR-TE: 0 0
Inbound updates dropped by reason:
AS path loop detection: 0
Enforced First AS: 0
Originator ID matches local router ID: 0
Nexthop matches local IP address: 0
Unexpected IPv6 nexthop for IPv4 routes: 0
Nexthop invalid for single hop eBGP: 0
Inbound updates with attribute errors:
Resulting in removal of all paths in update (treat-as-withdraw): 0
Resulting in AFI/SAFI disable: 0
Resulting in attribute ignore: 0
Inbound paths dropped by reason:
IPv4 labeled-unicast NLRIs dropped due to excessive labels: 0
IPv6 labeled-unicast NLRIs dropped due to excessive labels: 0
Outbound paths dropped by reason:
IPv4 local address not available: 0
IPv6 local address not available: 0
Local AS is 64500, local router ID 10.0.0.102
TTL is 255, BGP neighbor may be upto 1 hops away
Local TCP address is 10.1.0.102, local port is 179
Remote TCP address is 10.1.0.100, remote port is 33171
Auto-Local-Addr is disabled
TCP Socket Information:
TCP state is ESTABLISHED
Recv-Q: 0/32768
Send-Q: 0/32768
Outgoing Maximum Segment Size (MSS): 1448
Total Number of TCP retransmissions: 0
Options:
Timestamps enabled: yes
Selective Acknowledgments enabled: yes
Window Scale enabled: yes
Explicit Congestion Notification (ECN) enabled: no
Socket Statistics:
Window Scale (wscale): 9,9
Retransmission Timeout (rto): 204.0ms
Round-trip Time (rtt/rtvar): 3.0ms/5.4ms
Delayed Ack Timeout (ato): 40.0ms
Congestion Window (cwnd): 10
TCP Throughput: 39.20 Mbps
Advertised Recv Window (rcv_space): 28960
switch#
switch# show ip bgp neighbors
BGP neighbor is 172.24.77.5, remote AS 100, external link
BGP version 4, remote router ID 172.24.77.5, VRF default
...
Neighbor Capabilities:
Multiprotocol IPv4 Unicast: advertised
Multiprotocol IPv4 Labeled Unicast: advertised and received and negotiated
Four Octet ASN: advertised and received
Route Refresh: advertised
Send End-of-RIB messages: advertised
Additional-paths Receive:
IPv4 Unicast: advertised
IPv4 Labeled Unicast: advertised
...
Inbound updates dropped by reason:
AS path loop detection: 0
Enforced First AS: 0
Malformed MPBGP routes: 0
Originator ID matches local router ID: 0
Nexthop matches local IP address: 0
Unexpected IPv6 nexthop for IPv4 routes: 0
Inbound paths dropped by reason:
IPv4 labeled-unicast NLRIs dropped due to excessive labels: 0
switch#
The show ip bgp not-installed command displays the list of non-installed routes in the RIB.
Command Mode
EXEC
Command Syntax
show ip bgp not-installed
Example
switch# show ip bgp not-installed
BGP routing table information for VRF default
Router identifier 1.0.0.2, local AS number 100
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* # 7.0.0.0/24 1.0.0.1 0 100 0 ?
switch#
The show ip bgp paths command displays all BGP AS paths in the database.
Command Mode
EXEC
Command Syntax
show ip bgp paths [VRF_INSTANCE]
Parameters
Example
switch# show ip bgp paths
Refcount Metric Path
6 0 64510 64505 64506 64507 i (HashID 9)
6 0 64510 ? (HashID 8)
12 0 65530 65531 65532 e (HashID 5)
12 0 i (HashID 6)
6 0 64100 64200 i (HashID 4)
28 0 i (HashID 1)
7 0 ? (HashID 2)
40 0 64510 i (HashID 10)
19 0 64510 i (HashID 7)
2 0 i (HashID 3)
switch#
The show ip bgp peer-group command displays the BGP version, address family, and group members for all BGP peer groups defined on the switch.
Command Mode
EXEC
Command Syntax
show ip bgp peer-group [GROUP][VRF_INSTANCE]
Example
switch# show ip bgp peer-group
BGP peer-group is EXTERNAL
BGP version 4
Static peer-group members:
VRF default:
10.1.0.100, state: Connect
Negotiated MP Capabilities:
IPv4 Unicast: No
IPv6 Unicast: No
IPv4 SR-TE: No
IPv6 SR-TE: No
10.2.0.101, state: Connect
Negotiated MP Capabilities:
IPv4 Unicast: No
IPv6 Unicast: No
IPv4 SR-TE: No
IPv6 SR-TE: No
BGP peer-group is INTERNAL
BGP version 4
Listen-range subnets:
VRF default:
10.3.0.0/24, remote AS 64500
Dynamic peer-group members:
VRF default:
switch#
The show ip bgp regexp command displays Border Gateway Protocol (BGP) IPv4 routing-table entries that match the AS path attributes specified in the given regular expression.
Command Mode
EXEC
Command Syntax
show ip bgp regexp as_paths [VRF_INSTANCE]
Example
switch# show ip bgp regex ^64510$
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L = labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST -Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* 10.2.0.0/24 10.2.0.101 0 100 0 64510 i
* > 10.101.0.0/24 10.2.0.101 0 100 0 64510 i
* > 10.101.1.0/24 10.2.0.101 0 100 0 64510 i
* > 10.101.2.0/24 10.2.0.101 0 100 0 64510 i
switch#
The show ip bgp summary command displays a summary of all IPv4 and IPv6 BGP neighbors, based on the negotiated Address Family Identifier (AFI) and Subsequent Address Family Identifier (SAFI), where the AFI is “IP” and the SAFI is “unicast”.
Command Mode
EXEC
Command Syntax
show ip bgp summary [VRF_INSTANCE]
Display Values
After the maximum number of routes is received, the ninth field displays PfxRcd, and the connection becomes Idle. The maximum number of routes is set using the maximum paths (BGP) command.
Related Command
Example
switch# show ip bgp summary
BGP summary information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State PfxRcd PfxAcc
10.1.0.100 4 64496 1075 1083 0 0 00:04:04 Connect
10.2.0.101 4 64510 1079 1088 0 0 00:04:14 Connect
switch#
The show ip community-list command displays the BGP community lists configured on the switch.
Command Mode
EXEC
Command Syntax
show ip community-list [COMMUNITY_LIST]
Parameters
Example
switch# show ip community-list hs-comm-list
ip community-list hs-comm-list permit 0:10
switch#
The show ip extcommunity-list command displays the BGP extended community lists configured on the switch.
Command Mode
EXEC
Command Syntax
show ip extcommunity-list [COMMUNITY_LIST]
Parameters
Example
switch# show ip extcommunity-list
ip extcommunity-list hs-extcomm-list permit rt 3050:20
ip extcommunity-list hs-extcomm-list permit soo 172.17.52.2:30
ip extcommunity-list hs-extcomm-list permit rt 3050:70000
switch#
Command Mode
EXEC
Command Syntax
show ipv6 bgp [FILTER][VRF_INSTANCE]
Guidelines
You must provide the IPv6 prefix in CIDR notation.
Related Command
Example
switch# show ipv6 bgp 2001:10:1:0::102/64
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
BGP routing table entry for 2001:10:1::/64
Paths: 2 available
Local
- from - (10.0.0.102)
Origin IGP, metric 1, localpref 0, IGP metric -, weight -, received 00:16:27 ago, valid, local, best,
redistributed (Connected)
Rx SAFI: Unicast
64496
2001:10:1::100 from 2001:10:1::100 (10.0.0.100)
Origin INCOMPLETE, metric 42, localpref 100, IGP metric 1, weight 0, received 00:10:09 ago, valid,
external
Rx SAFI: Unicast
switch#
The show ipv6 bgp match community command displays IPv6 Border Gateway Protocol (BGP) routing-table entries, filtered by community.
Command Mode
EXEC
Command Syntax
show ipv6 bgp match community [COMM_1 ... COMM_n][MATCH_TYPE][INFO][VRF_INSTANCE]
Example
switch(config)# show ipv6 bgp match community 655:23590 detail
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
BGP routing table entry for 2001:10:100:1::/64
Paths: 1 available
64496 64497 65536
2001:10:1::100 from 2001:10:1::100 (10.0.0.100)
Origin IGP, metric 0, localpref 100, IGP metric 1, weight 0, received 01:09:29 ago, valid, external, best
Community: 655:23590 64496:1000
Rx SAFI: Unicast
switch(config)#
The show ipv6 bgp peers command displays IPv6 Border Gateway Protocol (BGP) and TCP session data for a specified neighbor. The command displays data for all neighbors if an address is not included.
Command Mode
EXEC
Command Syntax
show ipv6 bgp peers [NEIGHBOR_ADDR] [VRF_INSTANCE]
Related Command
Example
switch# show ipv6 bgp peers 2001:10:1:0::100
BGP neighbor is 2001:10:1::100, remote AS 64496, external link
BGP version 4, remote router ID 10.0.0.100, VRF default
Inherits configuration from and member of peer-group EXTERNAL
Negotiated BGP version 4
Member of update group 3
Last read 00:00:01, last write 00:00:01
Hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Connect timer is inactive
Idle-restart timer is inactive
BGP state is Established, up for 00:12:01
Number of transitions to established: 1
Last state was OpenConfirm
Last event was RecvKeepAlive
Neighbor Capabilities:
Multiprotocol IPv6 Unicast: advertised and received and negotiated
Four Octet ASN: advertised and received and negotiated
Route Refresh: advertised and received and negotiated
Send End-of-RIB messages: advertised and received and negotiated
Additional-paths recv capability:
IPv6 Unicast: advertised
Additional-paths send capability:
IPv6 Unicast: received
Restart timer is inactive
End of rib timer is inactive
Message Statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 5
Keepalives: 14 14
Route-Refresh: 0 0
Total messages: 19 20
Prefix Statistics:
Sent Rcvd
IPv4 Unicast: 0 0
IPv6 Unicast: 6 4
IPv4 SR-TE: 0 0
IPv6 SR-TE: 0 0
Inbound updates dropped by reason:
AS path loop detection: 0
Enforced First AS: 0
Originator ID matches local router ID: 0
Nexthop matches local IP address: 0
Unexpected IPv6 nexthop for IPv4 routes: 0
Nexthop invalid for single hop eBGP: 0
Inbound updates with attribute errors:
Resulting in removal of all paths in update (treat-as-withdraw): 0
Resulting in AFI/SAFI disable: 0
Resulting in attribute ignore: 0
Inbound paths dropped by reason:
IPv4 labeled-unicast NLRIs dropped due to excessive labels: 0
IPv6 labeled-unicast NLRIs dropped due to excessive labels: 0
Outbound paths dropped by reason:
IPv4 local address not available: 0
IPv6 local address not available: 0
Local AS is 64500, local router ID 10.0.0.102
TTL is 1
Local TCP address is 2001:10:1::102, local port is 45983
Remote TCP address is 2001:10:1::100, remote port is 179
Auto-Local-Addr is disabled
TCP Socket Information:
TCP state is ESTABLISHED
Recv-Q: 0/32768
Send-Q: 0/32768
Outgoing Maximum Segment Size (MSS): 1428
Total Number of TCP retransmissions: 0
Options:
Timestamps enabled: yes
Selective Acknowledgments enabled: yes
Window Scale enabled: yes
Explicit Congestion Notification (ECN) enabled: no
Socket Statistics:
Window Scale (wscale): 9,9
Retransmission Timeout (rto): 204.0ms
Round-trip Time (rtt/rtvar): 1.4ms/2.7ms
Delayed Ack Timeout (ato): 40.0ms
Congestion Window (cwnd): 10
TCP Throughput: 80.00 Mbps
Advertised Recv Window (rcv_space): 28800
switch#
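The session fields above can be checked automatically. The following Python sketch is an added example, not part of the Arista documentation: it parses show ipv6 bgp peers text and flags sessions that are not Established, hold timers that break the three-times-keepalive rule given for timers bgp, and non-zero inbound or outbound drop counters. The second neighbor in the sample, the function names and the wording of the findings are constructed for the example.

```python
import re

# First neighbor: excerpt of the output shown above. Second neighbor: CONSTRUCTED
# for this example so that the checks have something to report.
SAMPLE = """\
BGP neighbor is 2001:10:1::100, remote AS 64496, external link
Hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
BGP state is Established, up for 00:12:01
Message Statistics:
Updates: 4 5
Inbound updates dropped by reason:
AS path loop detection: 0
Enforced First AS: 0
Nexthop invalid for single hop eBGP: 0
Inbound updates with attribute errors:
Resulting in removal of all paths in update (treat-as-withdraw): 0
Resulting in AFI/SAFI disable: 0
Local AS is 64500, local router ID 10.0.0.102
TCP Socket Information:
Outgoing Maximum Segment Size (MSS): 1428
BGP neighbor is 2001:db8::66, remote AS 64511, external link
Hold time is 90, keepalive interval is 60 seconds
BGP state is Established, up for 00:03:10
Inbound updates dropped by reason:
AS path loop detection: 2
Enforced First AS: 7
Inbound updates with attribute errors:
Resulting in removal of all paths in update (treat-as-withdraw): 1
Local AS is 64500, local router ID 10.0.0.102
"""

# Section headers whose "name: count" lines are drop or error counters.
DROP_SECTIONS = (
    "Inbound updates dropped by reason",
    "Inbound updates with attribute errors",
    "Inbound paths dropped by reason",
    "Outbound paths dropped by reason",
)


def parse_peers(text):
    """Return one dict per 'BGP neighbor is ...' block in the CLI output."""
    peers, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BGP neighbor is (\S+), remote AS (\d+), (\w+) link", line)
        if m:
            cur = {"neighbor": m[1], "remote_as": int(m[2]), "link": m[3],
                   "state": None, "hold": None, "keepalive": None, "drops": {}}
            peers.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line.endswith(":"):  # a section header; track only the drop sections
            section = line[:-1] if line[:-1] in DROP_SECTIONS else None
            continue
        counter = re.fullmatch(r"(.+): (\d+)", line)
        if section and counter:
            cur["drops"][f"{section}: {counter[1]}"] = int(counter[2])
            continue
        section = None  # any other line ends the counter section
        m = re.match(r"Hold time is (\d+), keepalive interval is (\d+) seconds", line)
        if m:  # negotiated timers; the 'Configured hold time' line does not match
            cur["hold"], cur["keepalive"] = int(m[1]), int(m[2])
        m = re.match(r"BGP state is (\w+)", line)
        if m:
            cur["state"] = m[1]
    return peers


def audit(peer):
    """Return a list of human-readable findings for one parsed neighbor."""
    findings = []
    if peer["state"] != "Established":
        findings.append(f"session state is {peer['state']}")
    hold, keepalive = peer["hold"], peer["keepalive"]
    if hold is not None and (hold < 3 or hold < 3 * keepalive):
        findings.append(f"hold time {hold}s is less than 3 x keepalive {keepalive}s")
    for name, count in peer["drops"].items():
        if count:
            findings.append(f"{name} = {count}")
    return findings


if __name__ == "__main__":
    for peer in parse_peers(SAMPLE):
        for finding in audit(peer) or ["no findings"]:
            print(f"{peer['neighbor']} (AS {peer['remote_as']}): {finding}")
```

Counters such as Enforced First AS and AS path loop detection only ever increase during a session, so alerting on the change between two polls is more useful than alerting on the absolute value.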
The show ipv6 bgp peers (route type) command displays information about the routes either advertised to or received from a specified IPv6 BGP neighbor. The show ipv6 bgp peers (route type) community command displays the same information for routes filtered by communities. Commands that do not include a route type revert to the show ipv6 bgp peers command.
Output produced by the longer-prefixes option includes the specified route and all more specific routes.
Command Mode
EXEC
Command Syntax
show ipv6 bgp peers neighbor_addr HOPDIRECT [FILTER] [VRF_INSTANCE]
show ipv6 bgp peers neighbor_addr [ROUTE_TYPE] HOPDIRECT [detail]
Related Commands
show ipv6 bgp peers (route type) community
Example
switch# show ipv6 bgp peers 2001:10:1:0::100 advertised-routes
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 2001:10:1::/64 2001:10:1::102 - - - 64500 i
* > 2001:10:2::/64 2001:10:1::102 - - - 64500 i
* > 2001:10:3::/64 2001:10:1::102 - - - 64500 i
* > 2001:10:101::/64 2001:10:1::102 - - - 64500 64510 i
* > 2001:10:101:1::/64 2001:10:1::102 - - - 64500 64510 i
* > 2001:10:101:2::/64 2001:10:1::102 - - - 64500 64510 i
switch#
The show ipv6 bgp peers (route type) community command displays information about the routes either advertised to or received from a specified IPv6 BGP neighbor. The routes are filtered by community.
The show ipv6 bgp peers (route type) command displays the same information for routes filtered by IP addresses and prefixes.
Command Mode
EXEC
Command Syntax
show ipv6 bgp peers addr RTE community CM_1 [CM_2...CM_n] [MATCH] [INFO] [VRF_INST]
Related Command
Example
switch# show ipv6 bgp peers 2001:10:1:0::102 advertised-routes community 64496:1000
BGP routing table information for VRF default
Router identifier 10.0.0.100, local AS number 64496
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 2001:10:100:1::/64 2001:10:1::100 - - - 64496 64497 65536 i
switch#
The show ipv6 bgp peers regexp command displays information about routes (advertised or received) from a specified IPv6 neighbor that match the AS-path attributes specified in the given regular expression.
Command Mode
EXEC
Command Syntax
show ipv6 bgp peers addr ROUTE regexp as_paths [VRF_INST]
Example
switch# show ipv6 bgp peers 2001:10:1:0::100 received-routes regex 64496
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* 2001:10:1::/64 2001:10:1::100 42 - - 64496 ?
* > 2001:10:100::/64 2001:10:1::100 200 - - 64496 i
* > 2001:10:100:1::/64 2001:10:1::100 - - - 64496 64497 65536 i
* > 2001:10:100:2::/64 2001:10:1::100 42 - - 64496 ?
switch#
The show ipv6 bgp regexp command displays Border Gateway Protocol (BGP) IPv6 routing-table entries that match the AS-path attributes specified in the given regular expression.
Command Mode
EXEC
Command Syntax
show ipv6 bgp regexp as_paths [VRF_INSTANCE]
Related Command
Examples
switch# show ipv6 bgp regex _64496_
BGP routing table information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L = labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST -Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* 2001:10:1::/64 2001:10:1::100 42 100 0 64496 ?
* > 2001:10:100::/64 2001:10:1::100 200 100 0 64496 i
* > 2001:10:100:1::/64 2001:10:1::100 0 100 0 64496 64497 65536 i
* > 2001:10:100:2::/64 2001:10:1::100 42 100 0 64496 ?
switch#
The show ipv6 bgp summary command displays a summary of all IPv4 and IPv6 BGP neighbors for which the negotiated Address Family Identifier (AFI) is “IPv6” and the negotiated Subsequent Address Family Identifier (SAFI) is “Unicast”.
Command Mode
EXEC
Command Syntax
show ipv6 bgp summary [VRF_INSTANCE]
Parameters
Display Values
Related Command
Example
switch# show ipv6 bgp summary
BGP summary information for VRF default
Router identifier 10.0.0.102, local AS number 64500
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State PfxRcd PfxAcc
2001:10:1::100 4 64496 37 36 0 0 00:29:33 Estab 4 4
2001:10:2::101 4 64510 35 38 0 0 00:29:37 Estab 4 4
switch#
The show peer-filter command displays the definition of a peer filter.
Command Mode
EXEC
Command Syntax
show peer-filter filter_name
Parameters
filter_name name of the peer-filter group.
Example
switch# show peer-filter group3
peer-filter group3
10 match as-range 65003 result accept
20 match as-range 65007 result accept
30 match as-range 65009 result accept
switch#
The show run command displays the entire running configuration. When that is more than you need, use the show run|section bgp command to display only the BGP section.
Command Mode
bgp-router
Command Syntax
show run | section bgp [name]
Parameter
name name of the peer-group.
Example
Once the peer group requests are completed, run the show run|section bgp command to display only the BGP section of the running configuration.
switch(config-router-bgp)# show run|section bgp router bgp 300
switch(config-router-bgp)# neighbor interface Et1-2,4-6 peer-group PG1 remote-as 100
switch(config-router-bgp)# neighbor interface Et3 peer-group PG2 remote-as 200
switch(config-router-bgp)# neighbor interface vlan2000-2002 peer-group PG1 remote-as 100
The show tunnel rib brief command displays the preferred tunnels for various IP endpoints, optionally filtered by endpoint. Each tunnel RIB entry in the output displays the type of the tunnel (such as BGP LU) and a numerical index uniquely identifying that tunnel within the type-specific tunnel table.
Command Mode
EXEC
Command Syntax
show bgp tunnel rib brief
Example
switch# show tunnel rib brief
Endpoint Tunnel Type Indexes
----------------- ----------------- -------
10.1.1.0/32 BGP LU 2
11.1.1.0/32 BGP LU 1, 3
switch#
The shutdown command disables BGP on the switch without modifying the BGP configuration.
The no shutdown and default shutdown commands enable the BGP instance by removing the shutdown command from running-config.
Command Mode
Router-BGP Configuration
Command Syntax
shutdown
no shutdown
default shutdown
switch(config)# router bgp 9
switch(config-router-bgp)# shutdown
switch(config-router-bgp)#
switch(config)# router bgp 9
switch(config-router-bgp)# no shutdown
switch(config-router-bgp)#
The hold time must be at least 3 seconds and should be three times longer than the keepalive setting.
Command Mode
Router-BGP Configuration
Command Syntax
timers bgp keep_alive hold_time
no timers bgp
default timers bgp
Example
switch(config)# router bgp 9
switch(config-router-bgp)# timers bgp 30 90
switch(config-router-bgp)#
The update wait-for-convergence command disables FIB updates and route advertisement when the BGP instance is initiated until the BGP convergence state is reached.
The no update wait-for-convergence command allows FIB updates and route advertisement irrespective of the BGP convergence state.
Command Mode
Router-BGP Configuration
Command Syntax
update wait-for-convergence
no update wait-for-convergence
default update wait-for-convergence
Guidelines
Configuration changes made by using this command are effective from the next initiation of a BGP instance.
Example
switch(config)# router bgp 9
switch(config-router-bgp)# update wait-for-convergence
switch(config-router-bgp)#
The vrf command places the switch in BGP VRF configuration mode for the specified VRF. Commands issued in this mode will override global BGP configuration for the specified VRF.
Command Mode
Router-BGP Configuration
Command Syntax
vrf vrf_instance
Parameters
vrf_instance VRF to be configured.
Example
switch(config)# router bgp 9
switch(config-router-bgp)# vrf purple
switch(config-router-bgp-vrf-purple)#
This section describes configuration for performing maintenance of switch elements.
Maintenance mode uses BGP to divert traffic away from the switch on which the maintenance tasks need to be performed, minimizing traffic impact. You can set the traffic thresholds and time limits at which the switch, or parts of the switch, is considered to be available for maintenance tasks.
The switch is placed into maintenance mode, serviced, and then returned to normal operation.
Maintenance mode elements include Units, Groups of Interfaces and BGP Peers, and Profiles. Arista Network switches provide maintenance mode operations performed on a fundamental, configurable element, referred to as a Unit. Maintenance mode will quiesce a unit, which places the unit into maintenance mode by gracefully transitioning traffic away from it.
The most common maintenance mode operations such as removing from service an entire switch system or individual components of the switch, including a single linecard, interface, or BGP peer, can be achieved using minimal configuration.
Units are configurable maintenance mode elements that comprise a collection of various groups. In addition, units contain policies which decide whether the member groups should be put into maintenance mode automatically upon boot. Built-in units are configured by default, such as the System unit representing the entire system. All maintenance mode operations are executed at the unit level.
An interface, interface range, and BGP peer (or peer-group) can be directly put under maintenance.
There are various built-in units such as System and Linecard<n>. Fixed systems contain only one built-in unit called System, which comprises the interface group containing all Ethernet interfaces and sub-interfaces; and BGP groups per VRF containing all the peers in the respective VRF.
Modular Systems have both System and Linecard<n> units. Linecard<n> units are present for each linecard which comprises the Linecard<n> groups containing all Ethernet interfaces and sub-interfaces of that linecard.
You can also configure customized units containing user-defined groups and policies as shown in the following example. A custom unit called UNIT1 is created with the BGP group BG1, the interface group IG1, and the unit profile UP1. The show command displays the details.
switch(config)# maintenance
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# group bgp BG1
switch(config-unit-UNIT1)# group interface IG1
switch(config-unit-UNIT1)# profile unit UP1
switch(config-unit-UNIT1)# exit
switch(config-maintenance)# show maintenance units
Unit Name: System
Origin: Built-in
Status: Not Under Maintenance
Unit Profile: Default
Time Since Last State Change: never
Bgp Groups:
AllBgpNeighborVrf-default
Interface Groups:
AllEthernetInterface
Unit Name: UNIT1
Origin: User Configured
Status: Under Maintenance
Unit Profile: UP1
Time Since Last State Change: 0:00:08 ago
Bgp Groups:
BG1
Interface Groups:
IG1
Maintenance mode group types include the groups for interfaces and BGP peers. Groups are identified by a group name unique to a particular group type.
By default, several built-in groups are available on the device such as linecard groups containing physical interfaces.
There are several built-in groups such as AllEthernetInterface, Linecard1, Linecard2, etc., and AllBgpNeighborVrf-<vrf_name>. AllEthernetInterface is the built-in interface group which contains all physical Ethernet interfaces and sub-interfaces on the switch, and is part of the System unit. On modular systems, Linecard1, Linecard2, etc., are the built-in groups which contain the respective linecard interfaces and sub-interfaces, and are part of the Linecard1 and Linecard2 units respectively. AllBgpNeighborVrf-<vrf_name> is the built-in BGP group which contains all the BGP peers in that particular VRF.
The following set of commands sets up a custom group (IG1) of interfaces, which includes physical ports, port-channels and SVIs.
switch(config)# group interface IG1
switch(config-group-if-IG1)# interface Ethernet1
switch(config-group-if-IG1)# interface Port-Channel1,20
switch(config-group-if-IG1)# interface Vlan1-20
switch(config-group-if-IG1)# exit
switch(config)#
The following set of commands sets up a custom group (BG1) of BGP peers.
switch(config)# group bgp BG1
switch(config-group-bgp-BG1)# neighbor 10.0.0.1
switch(config-group-bgp-BG1)# neighbor BGP_PG1
switch(config-group-bgp-BG1)# vrf vrf1
switch(config-group-bgp-BG1)# exit
switch(config)#
Profiles are configurable maintenance mode elements that define policies for related software or hardware components to carry out maintenance mode operations.
Default profiles are the built-in policies which are applied to interface groups, BGP groups, and units.
The default profile is used in the absence of an explicit interface/BGP profile associated with the group, or explicit unit profile associated with the unit.
switch(config-maintenance)# show maintenance profile bgp default
Bgp Profile: Default
Initiator route-map: SystemGenerated
route-map SystemGenerated permit 10
Description:
description System generated initiator route-map
Match clauses:
SubRouteMap:
Set clauses:
set local-preference 0
set community GSHUT additive
switch(config-maintenance)# show maintenance profile interface default
Interface Profile: Default
Rate Monitoring:
load-interval: 60 seconds
threshold (in/out): 100 kbps
shutdown:
enabled: no
max-delay: 300 seconds
switch(config-maintenance)# show maintenance profiles unit default
Unit Profile: Default
On-boot:
enabled: no
duration: 300 seconds
You can define your own profiles which can be associated to groups or set as default profiles.
Interface Profile: The following set of commands sets up an Interface Profile (IP1) with load interval set to 10 seconds, rate-monitoring threshold set to 100 kbps and the maximum delay for shutting down the interface set to 100 seconds. The interface will be shut down with cause maint-down if traffic does not drain below the threshold even after the specified maximum delay period of 100 seconds.
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1
switch(config-profile-intf-IP1)# rate-monitoring load-interval 10
switch(config-profile-intf-IP1)# rate-monitoring threshold 100
switch(config-profile-intf-IP1)# shutdown max-delay 100
switch(config-profile-intf-IP1)# exit
switch(config-maintenance)#
An interface profile can be associated only with interface groups, using the following set of commands.
switch(config)# group interface IG1
switch(config-group-if-IG1)# maintenance profile interface IP1
switch(config-group-if-IG1)# exit
switch(config)#
You can set the interface profile as the default interface profile using the following set of commands.
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1 default
switch(config-maintenance)# exit
switch(config)#
BGP Profile: The following set of commands sets up a BGP profile (BP1) with initiator route-map called RM which will be applied for both inbound and outbound directions.
switch(config)# maintenance
switch(config-maintenance)# profile bgp BP1
switch(config-profile-bgp-BP1)# initiator route-map RM inout
switch(config-profile-bgp-BP1)# exit
switch(config-maintenance)#
A BGP profile can be associated with both interface and BGP groups using the following commands.
switch(config)# group interface IG1
switch(config-group-if-IG1)# maintenance profile bgp BP1
switch(config-group-if-IG1)# exit
switch(config)# group bgp BG1
switch(config-group-bgp-BG1)# maintenance profile bgp BP1
switch(config-group-bgp-BG1)# exit
switch(config)#
You can set the BGP profile as the default BGP profile using the following set of commands.
switch(config)# maintenance
switch(config-maintenance)# profile bgp BP1 default
switch(config-maintenance)# exit
switch(config)#
Unit Profile: The following set of commands sets up a Unit profile (UP1) with on-boot duration of 300 seconds. The unit will enter maintenance mode at boot-up and exit maintenance mode 5 minutes (300 seconds) after boot-up.
switch(config-maintenance)# profile unit UP1
switch(config-profile-unit-UP1)# on-boot duration 300
switch(config-profile-unit-UP1)# exit
switch(config-maintenance)#
A Unit profile can be associated to a Unit using the following commands.
switch(config)# maintenance
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# profile unit UP1
switch(config-unit-UNIT1)# exit
switch(config-maintenance)#
You can set the Unit profile as the default Unit profile using the following set of commands.
switch(config)# maintenance
switch(config-maintenance)# profile unit UP1 default
switch(config-maintenance)# exit
switch(config)#
Arista Network switches provide maintenance mode features including rate monitoring, BGP maintenance route map, on-boot maintenance, and EventMgr integration.
Rate monitoring provides a mechanism to monitor traffic on interfaces identified for maintenance. You can set the traffic threshold and a time limit for the interface to be shut down for maintenance tasks.
A shutdown parameter can be configured in the interface profile that signals the interface to be shut down after it has entered maintenance mode.
The max-delay parameter specifies the maximum number of seconds to allow for traffic to dissipate from the interface before the interface is shut down. The default interface profile settings are shown in the output of the show maintenance profile interface default command.
Route-maps are used within a BGP maintenance profile to tag the inbound and outbound routes in order to direct traffic away from the unit.
The default profile tags the inbound and outbound routes with the global shutdown community. Other methods can be configured under the route-map such as alternate communities, or by using AS_PATH prepend operations.
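The effect of the default initiator route-map on a neighbor's path selection can be modelled in a few lines. This Python sketch is an added example, not Arista code: it applies the two set clauses shown in show maintenance profile bgp default to a path advertised by a quiesced spine and runs a simplified best-path comparison on a leaf that also hears the prefix from a second spine. The topology, AS numbers, the neighbor-side import policy (lowering the preference of GSHUT-tagged paths, as RFC 8326 recommends) and the three-step decision process are assumptions of the example.

```python
from dataclasses import dataclass, replace

GSHUT = "65535:0"  # GRACEFUL_SHUTDOWN well-known community (RFC 8326)


@dataclass(frozen=True)
class Path:
    prefix: str
    learned_from: str              # neighbor that advertised the path
    as_path: tuple
    local_pref: int = 100
    communities: frozenset = frozenset()


def initiator_route_map(path):
    """Set clauses of the default profile: local-preference 0, community GSHUT additive."""
    return replace(path, local_pref=0, communities=path.communities | {GSHUT})


def advertise_ebgp(path, sender, sender_as, quiesced):
    """Path as an eBGP neighbor receives it.

    LOCAL_PREF is not carried across eBGP, so of the two set clauses only the
    community reaches the neighbor, which starts from its own default of 100.
    """
    out = initiator_route_map(path) if quiesced else path
    return Path(out.prefix, sender, (sender_as,) + out.as_path, 100, out.communities)


def import_policy(path, honor_gshut):
    """Neighbor-side policy (assumption): give GSHUT-tagged paths LOCAL_PREF 0."""
    if honor_gshut and GSHUT in path.communities:
        return replace(path, local_pref=0)
    return path


def best_path(paths):
    """Simplified decision: highest LOCAL_PREF, shortest AS path, lowest neighbor name."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.learned_from),
               default=None)


def leaf_choice(spine1_quiesced, spine2_up=True, honor_gshut=True):
    """Return (chosen neighbor, LOCAL_PREF) for a constructed two-spine topology."""
    origin = Path("2001:db8:100::/64", "origin", (64510,))
    offers = [advertise_ebgp(origin, "spine1", 64500, spine1_quiesced)]
    if spine2_up:
        offers.append(advertise_ebgp(origin, "spine2", 64501, False))
    best = best_path([import_policy(p, honor_gshut) for p in offers])
    return best.learned_from, best.local_pref


if __name__ == "__main__":
    print("normal operation:        ", leaf_choice(False))
    print("spine1 quiesced:         ", leaf_choice(True))
    print("spine1 quiesced, no alt: ", leaf_choice(True, spine2_up=False))
    print("neighbor ignores GSHUT:  ", leaf_choice(True, honor_gshut=False))
```

The last case shows why the tag alone does not move traffic on an eBGP session: the neighbor has to act on the community, or the route-map has to use a method the neighbor's decision process sees directly, such as the AS_PATH prepend mentioned above.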
All electronic devices are subject to interference from cosmic radiation. Arista products use a combination of hardware and software to automatically detect and correct the results of this interference. For instance, many chip memories contain parity or Error Correcting Code (ECC) bits. However, Single Event Handling (SEU) is a random event, and the following configuration determines the handling behavior.
switch(config)# platform sand seu
switch(config-sand-seu)#
By default, the system corrects the first instance of an ECC or parity event without any logging. If a further error occurs within a 4-hour time window, related to the first or not, a log message is emitted.
The default 4-hour logging window can be changed as follows. In this example, a second SEU detected within 3 hours of a prior SEU is logged.
switch(config-sand-seu)# log window 10800 seconds
Static memories are used by hardware to hold configuration to determine switching behaviour. When SEUs occur, repairs are made automatically. The following command disables automatic repair by a specific agent.
switch(config-sand-seu)# repair table static manager SandFap disabled
The following command disables automatic repair of static memories, overriding any specific configurations.
switch(config-sand-seu)# repair table static disabled
The following command disables automatic repair of fabric chip memories on the modular or fixed systems which use fabric chip.
switch(config-sand-seu)# repair table fabric manager SandFabric disabled
switch(config-sand-seu)# repair table fabric disabled
switch(config-sand-seu)# repair table dynamic disabled
switch(config-sand-seu)# repair table dynamic action reset full disabled
switch(config-sand-seu)# repair action reset full interval 43200 seconds
SEU events generate interrupts, which can be seen along with all other interrupts.
switch# show platform fap interrupts
Jericho0
-------------------------------------------------------------------------------------
| Interrupt Bit | Count | First Occurrence | Last Occurrence |
-------------------------------------------------------------------------------------
| ... | ... | | |
| CFC_ECC_Ecc_2bErrInt[0] | 2 | 2020-10-15 04:27:59 | 2020-10-15 04:31:41 |
| ... | ... | | |
-------------------------------------------------------------------------------------
Single bit ECC errors do not affect correct operation of the switch. Two bit ECC and parity errors can disrupt correct operation, for example, by dropping one or more packets, or by mis-forwarding packets. The exact effect depends on the memory and location affected by the SEU.
You can configure maintenance mode for the entire device, specific linecards, or any other Unit. You can set up configuration for maintenance mode for the device at boot-up or while it is running.
switch(config-maintenance)# unit Linecardn
switch(config)# group interface Linecardn
For each Linecard n, there is a built-in unit which consists of all the Linecardn groups.
By default, the default interface and BGP profiles are applied to the built-in interface and BGP groups and the default built-in unit profile is applied to the built-in unit. You can also configure your own profiles and choose a default.
In the following example, traffic is flowing through multiple switches in the spine to and from one switch to another, when you elect to put one of the Units (entire switch or parts thereof) in the spine switch in maintenance mode. The traffic is then gracefully steered away from the Unit, provided other paths are available. Traffic will continue to flow through the Unit placed into maintenance mode, if no other path is available.
switch(config)# show maintenance units System
Unit Name: System
Origin: Built-in
Status: Not Under Maintenance
Unit Profile: Default
Time Since Last State Change: never
Bgp Groups:
AllBgpNeighborVrf-default
Interface Groups:
AllEthernetInterface
switch(config-maintenance)# unit System
switch(config-builtin-unit-System)# quiesce
switch(config-builtin-unit-System)# exit
switch(config-maintenance)# show maintenance
Flags:
o - On-boot maintenance
v - Violating traffic threshold
Unit Name Status Time since last change Flags
---------------------- ----------------------- -------------------------- -----
System Under Maintenance 0:02:03 ago
switch(config-maintenance)# show ip bgp summary
BGP summary information for VRF default
Router identifier 1.1.1.1, local AS number 101
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State
PfxRcd PfxAcc
m 1.1.1.2 4 100 24 17 0 0 00:00:40 Estab 5 5
m 3.3.3.33 4 102 15 16 0 0 00:06:23 Estab 1 1
You must perform the following tasks to place the Unit in maintenance mode on boot-up using the quiesce command.
The on-boot property in the Unit maintenance profile specifies that the Unit will be placed into maintenance mode as part of boot-up for the specified duration. You must perform the following tasks to use this method.
To configure the maintenance mode at interface-level, you must perform the following tasks:
Enter configuration commands unit and quiesce using the maintenance profile bgp mode command to place the switch into maintenance mode. The following code sequence places unit foo, the interface 3/3, and BGP 1.1.1.1 in maintenance mode.
switch(config)# maintenance
switch(config-maintenance)# unit foo
switch(config-unit-foo)# quiesce
switch(config-unit-foo)# exit
switch(config-maintenance)# interface ethernet 3/3
switch(config-maint-if-Et3/3)# quiesce
switch(config-unit-if-Et3/3)# exit
switch(config-maintenance)# bgp 1.1.1.1
switch(config-maint-bgp-1.1.1.1)# quiesce
switch(config-maint-bgp-1.1.1.1)# exit
switch(config-maintenance)#
Enter configuration commands unit and no quiesce using the maintenance profile bgp mode command for the switch to exit maintenance mode. The following code sequence causes unit foo, the interface 3/3, and BGP 1.1.1.1 to exit maintenance mode.
switch(config)# maintenance
switch(config-maintenance)# unit foo
switch(config-unit-foo)# no quiesce
switch(config-unit-foo)# exit
switch(config-maintenance)# interface ethernet 3/3
switch(config-maint-if-Et3/3)# no quiesce
switch(config-unit-if-Et3/3)# exit
switch(config-maintenance)# bgp 1.1.1.1
switch(config-maint-bgp-1.1.1.1)# no quiesce
switch(config-maint-bgp-1.1.1.1)# exit
switch(config-maintenance)#
Enter configuration options for the show maintenance command to fire at different stages while entering or exiting maintenance mode.
switch(config)# event-handler foo
switch(config-handler-foo)# trigger on-maintenance enter unit unit-foo all
switch(config-handler-foo)# action bash /mnt/flash/mm-event-handler-script
switch(config-handler-foo)# timeout 20
switch(config-handler-foo)# exit
switch(config)#
switch(config)# event-handler bar
switch(config-handler-bar)# trigger on-maintenance exit unit unit-foo before stage ratemon
switch(config-handler-bar)# action bash /mnt/flash/mm-event-handler-script
switch(config-handler-bar)# exit
switch(config)#
Enter the maintenance mode configuration options for groups with the maintenance and group bgp commands.
switch(config)# group interface IG1
switch(config-group-if-IG1)# interface Ethernet1
switch(config-group-if-IG1)# interface Port-Channel1,20
switch(config-group-if-IG1)# interface Vlan1-20
switch(config-group-if-IG1)# exit
switch(config)#
switch(config)# group bgp BG1
switch(config-group-bgp-BG1)# neighbor 10.0.0.1
switch(config-group-bgp-BG1)# neighbor BGP_PG1
switch(config-group-bgp-BG1)# vrf vrf1
switch(config-group-bgp-BG1)# exit
switch(config)#
Enter the maintenance mode configuration options for profiles with the profile interface, rate-monitoring threshold, profile bgp, and profile unit <profile_name> commands.
These command examples assign a user configured profile as the default profile.
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1
switch(config-profile-intf-IP1)# rate-monitoring load-interval 10
switch(config-profile-intf-IP1)# rate-monitoring threshold 100
switch(config-profile-intf-IP1)# shutdown max-delay 100
switch(config-profile-intf-IP1)# profile interface IP1 default
switch(config-profile-intf-IP1)# exit
switch(config-maintenance)#
switch(config-maintenance)# profile bgp BP1
switch(config-profile-bgp-BP1)# initiator route-map rmap inout
switch(config-profile-bgp-BP1)# profile bgp BP1 default
switch(config-profile-bgp-BP1)# exit
switch(config-maintenance)#
switch(config-maintenance)# profile unit UP1
switch(config-profile-unit-UP1)# on-boot duration 300
switch(config-profile-unit-UP1)# profile unit UP1 default
switch(config-profile-unit-UP1)# exit
switch(config-maintenance)#
Enter the maintenance mode configuration options for associating profiles with groups using the maintenance and group bgp command.
switch(config)# group interface IG1
switch(config-group-if-IG1)# maintenance profile bgp BP1
switch(config-group-if-IG1)# maintenance profile interface IP1
switch(config-group-if-IG1)#
Enter the maintenance mode configuration options for units using the unit, group bgp, and maintenance commands.
switch(config)# maintenance
switch(config-maintenance)# unit foo
switch(config-unit-foo)# group bgp BG1
switch(config-unit-foo)# group interface IG1
switch(config-unit-foo)# profile unit UP1
The bgp <peer> [vrf <vrf-name>] command places the switch in maintenance dynamic BGP unit configuration mode. If no VRF is specified, the BGP peer is considered to be in the DEFAULT VRF, otherwise, in the specified VRF.
The command creates the dynamic BGP unit if the specified dynamic BGP unit does not exist prior to issuing the command.
The no bgp <peer> [vrf <vrf_name>] and default bgp <peer> [vrf <vrf_name>] commands remove the dynamic BGP unit from running-config.
Command Mode
Maintenance Configuration
Command Syntax
bgp ipv4_addr [vrf vrf_name]
bgp ipv6_addr [vrf vrf_name]
bgp peer_group_name [vrf vrf_name]
no bgp [ipv4_addr | ipv6_addr | peer_group_name][vrf vrf_name]
default bgp [ipv4_addr | ipv6_addr | peer_group_name][vrf vrf_name]
Commands available in maintenance dynamic interface unit configuration mode:
quiesce
Example
switch(config)# maintenance
switch(config-maintenance)# bgp 1.0.1.1
switch(config-maint-bgp-1.0.1.1)# exit
switch(config-maintenance)# bgp 1::1
switch(config-maint-bgp-1::1)# quiesce
switch(config-maint-bgp-1::1)# exit
switch(config-maintenance)# bgp PG vrf VRF1
switch(config-maint-bgp-PG)# exit
switch(config-maint-bgp-PG)# show active
maintenance
bgp 1.0.1.1
!
bgp 1::1
quiesce
!
bgp PG vrf VRF1
switch(config-maintenance)#
The group bgp <group_name> command places the switch in group-BGP configuration mode for configuring the members of a BGP group in a particular VRF and associating a BGP maintenance profile for these members.
The command creates the group if the specified group does not exist prior to issuing the command.
The no group bgp <group_name> and default group bgp <group_name> commands remove the BGP group.
Command Mode
Global Configuration
Command Syntax
group bgp group_name
no group bgp group_name
default group bgp group_name
Parameters
group_name name of the BGP group.
switch(config)# group bgp BG1
switch(config-group-bgp-BG1)# show active
group bgp BG1
exit
switch(config-group-bgp-BG1)#
switch(config)# group bgp AllBgpNeighborVrf-default
switch(config-builtin-group-bgp-AllBgpNeighborVrf-default)# show active
group bgp AllBgpNeighborVrf-default
exit
switch(config-builtin-group-bgp-AllBgpNeighborVrf-default)# exit
switch(config)# show maintenance groups bgp AllBgpNeighborVrf-default
BGP Group: AllBgpNeighborVrf-default
Origin: Built-in
Neighbors:
Ipv4 Peers: 1.0.0.1, 1.0.1.2
Bgp Profile: Default
Vrf: default
Units: System
switch(config)#
The group bgp <group_name> command adds a BGP group to a unit.
The no group bgp <group_name> and default group bgp <group_name> commands remove the BGP group from a unit.
Command Mode
Maintenance Unit Configuration
Command Syntax
group bgp group_name
no group bgp group_name
default group bgp group_name
Parameters
group_name name of the BGP group.
Example
switch(config)# maintenance
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# group bgp BG1
switch(config-unit-UNIT1)# show active
maintenance
unit UNIT1
group bgp BG1
switch(config-unit-UNIT1)#
The group interface command places the switch in group-intf configuration mode for configuring the members of an interface group and associating a BGP/interface maintenance profile with these members.
The command creates the group if the specified group does not exist prior to issuing the command.
The no group interface <group_name> and default group interface <group_name> commands remove the interface group.
Command Mode
Global Configuration
Command Syntax
group interface group_name
no group interface group_name
default group interface group_name
Parameters
group_name name of the interface group.
switch(config)# group interface IG1
switch(config-group-if-IG1)# show active
group interface IG1
exit
switch(config-group-if-IG1)#
switch(config)# group interface AllEthernetInterface
switch(config-builtin-group-if-AllEthernetInterface)# show active
group interface AllEthernetInterface
exit
switch(config-builtin-group-if-AllEthernetInterface)# exit
switch(config)# show maintenance groups interface AllEthernetInterface
Interface Group: AllEthernetInterface
Origin: Built-in
Interfaces:
Et1, Et2, Et3, Et4, Et5/1, … Et34, Et35, Et36
Profiles:
Interface Profile: Default
Bgp Profile: Default
Units: System
switch(config)#
The group interface <group_name> command adds an interface group to a unit.
The no group interface <group_name> and default group interface <group_name> commands remove the interface group from a unit.
Command Mode
Maintenance Unit Configuration
Command Syntax
group interface group_name
no group interface group_name
default group interface group_name
Parameters
group_name name of the interface group.
Example
switch(config)# maintenance
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# group interface IG1
switch(config-unit-UNIT1)# show active
maintenance
unit UNIT1
group interface IG1
switch(config-unit-UNIT1)#
The initiator route-map <route-map-name> inout command is a maintenance BGP profile configuration option for assigning the initiator route-map, which is applied in both directions (inout: inbound and outbound).
The no initiator route-map <route-map-name> inout and default initiator route-map <route-map-name> inout commands remove this configuration from the BGP profile.
Command Mode
Maintenance-Profile-BGP Configuration
Command Syntax
initiator route-map route-map-name inout
no initiator route-map
default initiator route-map
Parameters
route-map-name initiator route-map name.
Example
switch(config)# maintenance
switch(config-maintenance)# profile bgp BP1
switch(config-profile-bgp-BP1)# initiator route-map RM1 inout
switch(config-profile-bgp-BP1)# show active
maintenance
profile bgp BP1
initiator route-map RM1 inout
switch(config-profile-bgp-BP1)#
The interface command adds interfaces to an interface group.
The no interface <intf-name> and default interface <intf-name> commands remove the interface from the group.
Command Mode
Group-Interface Configuration
Command Syntax
interface interface-name
no interface interface-name
default interface interface-name
Valid e_range, p_range, and v_range formats include number, range, or comma-delimited list of numbers and ranges. Valid Ethernet numbers depend on the Ethernet interfaces available on the switch.
Example
switch(config)# group interface IG1
switch(config-group-if-IG1)# interface Ethernet8-9
switch(config-group-if-IG1)# interface port-channel10
switch(config-group-if-IG1)# show active
group interface IG1
interface Et8-9
interface Po10
switch(config-group-if-IG1)# exit
switch(config)#
The interface <intf-name> command places the switch in maintenance dynamic interface unit configuration mode.
The command creates the dynamic interface unit if the specified dynamic interface unit does not exist prior to issuing the command.
The no interface <intf-name> and default interface <intf-name> commands remove the dynamic interface unit from running-config.
Command Mode
Maintenance Configuration
Command Syntax
interface interface-name
no interface interface-name
default interface interface-name
Valid e_range, p_range and v_range formats include number, range, or comma-delimited list of numbers and ranges.
Commands available in maintenance dynamic interface unit configuration mode:
quiesce
Example
switch(config)# maintenance
switch(config-maintenance)# interface Ethernet1-2
switch(config-maint-if-Et1-2)# exit
switch(config-maintenance)# show active
maintenance
interface Ethernet1
!
interface Ethernet2
switch(config-maintenance)#
The maintenance command allows you to enter maintenance configuration mode and specify maintenance configuration options.
The no maintenance and default maintenance commands remove the maintenance configuration from the running-config.
Command Mode
Global Configuration
Command Syntax
maintenance
no maintenance
default maintenance
Example
switch(config)# maintenance
switch(config-maintenance)# profile unit foo
switch(config-profile-unit-foo)# on-boot duration 300
switch(config-profile-unit-foo)# exit
switch(config-maintenance)# unit U1
switch(config-unit-U1)# group interface IG1
switch(config-unit-U1)# group bgp BG1
switch(config-unit-U1)# profile unit foo
switch(config-unit-U1)# exit
switch(config-maintenance)# show active
maintenance
profile unit foo
on-boot duration 300
unit U1
group interface IG1
group bgp BG1
profile unit foo
switch(config-maintenance)#
The maintenance profile bgp <profile-name> command associates a BGP maintenance profile with an interface/BGP group. A BGP profile can be associated with both an interface group and a BGP group.
The no maintenance profile bgp <profile-name> and default maintenance profile bgp <profile-name> commands remove the profile from the interface/BGP group.
Command Mode
Group-Interface Configuration
Group-BGP Configuration
Built-in-Group-Interface Configuration
Built-in-Group-BGP Configuration
Command Syntax
maintenance profile bgp profile-name
no maintenance profile bgp profile-name
default maintenance profile bgp profile-name
Parameters
profile-name name of the BGP profile.
switch(config)# group bgp BG1
switch(config-group-bgp-BG1)# neighbor 1.0.1.1
switch(config-group-bgp-BG1)# neighbor 1::1
switch(config-group-bgp-BG1)# neighbor PG
switch(config-group-bgp-BG1)# maintenance profile bgp BP1
switch(config-group-bgp-BG1)# show active
group bgp BG1
neighbor 1.0.1.1
neighbor 1::1
neighbor PG
maintenance profile bgp BP1
switch(config-group-bgp-BG1)# exit
switch(config)#
switch(config)# group interface IG1
switch(config-group-if-IG1)# interface Ethernet8-9
switch(config-group-if-IG1)# maintenance profile bgp BP1
switch(config-group-if-IG1)# show active
group interface IG1
interface Et8-9
maintenance profile bgp BP1
switch(config-group-if-IG1)# exit
switch(config)#
switch(config)# group interface AllEthernetInterface
switch(config-builtin-group-if-AllEthernetInterface)# maintenance profile bgp BP1
switch(config-builtin-group-if-AllEthernetInterface)# show active
group interface AllEthernetInterface
maintenance profile bgp BP1
switch(config-builtin-group-if-AllEthernetInterface)#
The maintenance profile interface <profile-name> command associates an interface profile with an interface group.
The no maintenance profile interface <profile-name> and default maintenance profile interface <profile-name> commands remove the interface profile from the interface group.
Command Mode
Group-Interface Configuration
Built-in-Group-Interface Configuration
Command Syntax
maintenance profile interface profile-name
no maintenance profile interface profile-name
default maintenance profile interface profile-name
Parameters
profile-name name of the interface profile.
switch(config)# group interface IG1
switch(config-group-if-IG1)# interface Ethernet8-9
switch(config-group-if-IG1)# maintenance profile interface IP1
switch(config-group-if-IG1)# show active
group interface IG1
interface Et8-9
maintenance profile interface IP1
switch(config-group-if-IG1)#
switch(config)# group interface AllEthernetInterface
switch(config-builtin-group-if-AllEthernetInterface)# maintenance profile interface IP1
switch(config-builtin-group-if-AllEthernetInterface)# show active
group interface AllEthernetInterface
maintenance profile interface IP1
switch(config-builtin-group-if-AllEthernetInterface)#
The neighbor command adds BGP peer(s) to a BGP group. The neighbors can be IPv4, IPv6, or a peer group. The no neighbor <peer> and default neighbor <peer> commands remove the BGP peer from the group.
Command Mode
Group-BGP Configuration
Command Syntax
neighbor ipv4_addr
no neighbor ipv4_addr
default neighbor ipv4_addr
neighbor ipv6_addr
no neighbor ipv6_addr
default neighbor ipv6_addr
neighbor peer_group_name
no neighbor peer_group_name
default neighbor peer_group_name
Example
switch(config)# group bgp BG1
switch(config-group-bgp-BG1)# neighbor 1.0.1.1
switch(config-group-bgp-BG1)# neighbor 1::1
switch(config-group-bgp-BG1)# neighbor PG
switch(config-group-bgp-BG1)# group bgp BG1
switch(config-group-bgp-BG1)# neighbor 1.0.1.1
switch(config-group-bgp-BG1)# neighbor 1::1
switch(config-group-bgp-BG1)# neighbor PG
switch(config-group-bgp-BG1)# exit
switch(config)#
The on-boot duration command is a maintenance unit profile configuration option for specifying the duration after which the associated unit will be brought out of maintenance after reboot. The on-boot property in the maintenance unit profile specifies that the unit will be placed into maintenance mode as part of boot-up, and remain so for the specified duration.
The no on-boot and default on-boot commands remove this configuration from the unit profile.
Command Mode
Maintenance-Profile-Unit Configuration
Command Syntax
on-boot duration duration
no on-boot
default on-boot
Parameters
duration number of seconds for which unit will remain under maintenance after reboot (from 300 to 3600 seconds).
Example
switch(config)# maintenance
switch(config-maintenance)# profile unit UP1
switch(config-profile-unit-UP1)# on-boot duration 1000
switch(config-profile-unit-UP1)# show active
maintenance
profile unit UP1
on-boot duration 1000
switch(config-profile-unit-UP1)#
The profile bgp command places the switch in maintenance profile BGP configuration mode for configuring the initiator route-map.
The command creates the profile if the specified BGP profile does not exist prior to issuing the command.
The no profile bgp <profile-name> and default profile bgp <profile-name> commands remove the profile from running-config.
Command Mode
Maintenance Configuration
Command Syntax
profile bgp profile-name
no profile bgp profile-name
default profile bgp profile-name
Parameters
profile-name name of the BGP profile.
Commands available in maintenance profile BGP configuration mode:
initiator route-map (route-map name) inout
Example
switch(config)# maintenance
switch(config-maintenance)# profile bgp BP1
switch(config-profile-bgp-BP1)# show active
maintenance
profile bgp BP1
switch(config-profile-bgp-BP1)#
The profile bgp <profile_name> default command sets a user-configured BGP profile as the default BGP profile.
The no profile bgp <profile_name> default and default profile bgp <profile_name> default commands remove the user-configured BGP profile as the default BGP profile.
Command Mode
Maintenance Configuration
Command Syntax
profile bgp profile_name default
no profile bgp profile_name default
default profile bgp profile_name default
Parameters
profile_name name of the BGP profile.
Example
switch(config)# maintenance
switch(config-maintenance)# profile bgp BP1
switch(config-profile-bgp-BP1)# initiator route-map RM1 inout
switch(config-profile-bgp-BP1)# exit
switch(config-maintenance)#
switch(config-maintenance)# show maintenance profile bgp default
Bgp Profile: Default
Initiator route-map: SystemGenerated
route-map SystemGenerated permit 10
Description:
description System generated initiator route-map
Match clauses:
Set clauses:
set community GSHUT additive
set local-preference 0
switch(config-maintenance)# profile bgp BP1 default
switch(config-maintenance)# show maintenance profile bgp default
Bgp Profile: BP1
Initiator route-map: RM1
switch(config-maintenance)#
switch(config-maintenance)# show active
maintenance
profile bgp BP1
initiator route-map RM1 inout
profile bgp BP1 default
switch(config-maintenance)#
The profile interface command places the switch in maintenance profile interface configuration mode for configuring rate-monitoring threshold, load-interval, and shutdown max-delay.
The command creates the profile if the specified interface profile does not exist prior to issuing the command.
The no profile interface <profile-name> and default profile interface <profile-name> commands remove the profile from running-config.
Command Mode
Maintenance Configuration
Command Syntax
profile interface profile-name
no profile interface profile-name
default profile interface profile-name
Parameters
profile-name name of the interface profile.
Example
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1
switch(config-profile-intf-IP1)# show active
maintenance
profile interface IP1
switch(config-profile-intf-IP1)#
The profile interface <profile_name> default command sets a user-configured interface profile as the default interface profile.
The no profile interface <profile_name> default and default profile interface <profile_name> default commands remove the user-configured interface profile as the default interface profile.
Command Mode
Maintenance Configuration
Command Syntax
profile interface profile_name default
no profile interface profile_name default
default profile interface profile_name default
Parameters
profile_name name of the interface profile.
Example
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1
switch(config-profile-intf-IP1)# rate-monitoring load-interval 100
switch(config-profile-intf-IP1)# rate-monitoring threshold 500
switch(config-profile-intf-IP1)# shutdown max-delay 100
switch(config-profile-intf-IP1)# exit
switch(config-maintenance)#
switch(config-maintenance)# show maintenance profile interface default
Interface Profile: Default
Rate Monitoring:
load-interval: 60 seconds
threshold (in/out): 100 kbps
shutdown:
enabled: no
max-delay: 300 seconds
switch(config-maintenance)#
switch(config-maintenance)# profile interface IP1 default
switch(config-maintenance)# show maintenance profile interface default
Interface Profile: IP1
Rate Monitoring:
load-interval: 100 seconds
threshold (in/out): 500 kbps
shutdown:
enabled: yes
max-delay: 100 seconds
switch(config-maintenance)#
switch(config-maintenance)# show active
maintenance
profile interface IP1 default
profile interface IP1
rate-monitoring load-interval 100
rate-monitoring threshold 500
shutdown max-delay 100
switch(config-maintenance)#
The profile unit command places the switch in maintenance profile unit configuration mode for configuring on-boot duration.
The command creates the profile if the specified unit profile does not exist prior to issuing the command.
The no profile unit <profile-name> and default profile unit <profile-name> commands remove the profile from running-config.
Command Mode
Maintenance Configuration
Command Syntax
profile unit profile-name
no profile unit profile-name
default profile unit profile-name
Parameters
profile-name name of the unit profile.
Commands available in maintenance profile unit configuration mode:
on-boot duration
Example
switch(config)# maintenance
switch(config-maintenance)# profile unit UP1
switch(config-profile-unit-UP1)# show active
maintenance
profile unit UP1
switch(config-profile-unit-UP1)#
The profile unit <profile_name> command associates a unit profile with a particular unit.
The no profile unit <profile_name> and default profile unit <profile_name> commands remove the unit profile from a unit.
Command Mode
Maintenance-Unit Configuration
Maintenance-Built-in-Unit Configuration
Command Syntax
profile unit profile-name
no profile unit profile-name
default profile unit profile-name
Parameters
profile-name name of the unit profile.
switch(config)# maintenance
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# group interface IG1
switch(config-unit-UNIT1)# exit
switch(config-maintenance)# show maintenance units UNIT1
Unit Name: UNIT1
Origin: User Configured
Status: Not Under Maintenance
Unit Profile: Default
Time Since Last State Change: never
Interface Groups:
IG1
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# profile unit UP1
switch(config-unit-UNIT1)# show maintenance units UNIT1
Unit Name: UNIT1
Origin: User Configured
Status: Not Under Maintenance
Unit Profile: UP1
Time Since Last State Change: never
Interface Groups:
IG1
switch(config-unit-UNIT1)# show active
maintenance
unit UNIT1
group interface IG1
profile unit UP1
switch(config-unit-UNIT1)#
switch(config)# maintenance
switch(config-maintenance)# profile unit UP2
switch(config-profile-unit-UP2)# on-boot duration 600
switch(config-profile-unit-UP2)# exit
switch(config-maintenance)#
switch(config-maintenance)# unit System
switch(config-builtin-unit-System)# show active
maintenance
unit System
switch(config-builtin-unit-System)# exit
switch(config-maintenance)# show maintenance units System
Unit Name: System
Origin: Built-in
Status: Not Under Maintenance
Unit Profile: Default
Time Since Last State Change: never
Interface Groups:
AllEthernetInterface
switch(config-maintenance)#
switch(config-maintenance)# unit System
switch(config-builtin-unit-System)# profile unit UP2
switch(config-builtin-unit-System)# show active
maintenance
unit System
profile unit UP2
switch(config-builtin-unit-System)# exit
switch(config-maintenance)# show maintenance units System
Unit Name: System
Origin: Built-in
Status: Not Under Maintenance
Unit Profile: UP2
Time Since Last State Change: never
Interface Groups:
AllEthernetInterface
switch(config-maintenance)#
The profile unit <profile_name> default command sets a user-configured unit profile as the default unit profile.
The no profile unit <profile_name> default and default profile unit <profile_name> default commands remove the user-configured unit profile as the default unit profile.
Command Mode
Maintenance Configuration
Command Syntax
profile unit profile_name default
no profile unit profile_name default
default profile unit profile_name default
Parameters
profile_name name of the unit profile.
Example
switch(config)# maintenance
switch(config-maintenance)# profile unit UP1
switch(config-profile-unit-UP1)# on-boot duration 1000
switch(config-profile-unit-UP1)# exit
switch(config-maintenance)#
switch(config-maintenance)# show maintenance profiles unit default
Unit Profile: Default
On-boot:
enabled: no
duration: 300 seconds
switch(config-maintenance)# profile unit UP1 default
switch(config-maintenance)# show maintenance profile unit default
Unit Profile: UP1
On-boot:
enabled: yes
duration: 1000 seconds
switch(config-maintenance)#
switch(config-maintenance)# show active
maintenance
profile unit UP1 default
profile unit UP1
on-boot duration 1000
switch(config-maintenance)#
The quiesce command places a unit or dynamic interface/BGP unit into maintenance mode, gracefully transitioning traffic away from it.
The no quiesce and default quiesce commands take the unit out of maintenance.
Command Mode
Maintenance-Unit Configuration
Maintenance-Built-in-Unit Configuration
Maintenance Dynamic-Interface Unit Configuration
Maintenance Dynamic-Bgp Unit Configuration
Command Syntax
quiesce
no quiesce
default quiesce
Example
switch(config)# group interface IG1
switch(config-group-if-IG1)# interface Ethernet3-6
switch(config-group-if-IG1)# maintenance profile interface IP1
switch(config-group-if-IG1)# exit
switch(config)# maintenance
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# group interface IG1
switch(config-unit-UNIT1)# quiesce
switch(config-unit-UNIT1)# exit
switch(config-maintenance)# interface Ethernet1
switch(config-maint-if-Et1)# quiesce
switch(config-maint-if-Et1)# exit
switch(config-maintenance)# bgp 1.0.1.1
switch(config-maint-bgp-1.0.1.1)# quiesce
switch(config-maint-bgp-1.0.1.1)# exit
switch(config-maintenance)# bgp 1::1 vrf VRF1
switch(config-maint-bgp-1::1)# quiesce
switch(config-maint-bgp-1::1)# exit
switch(config-maintenance)# show active
maintenance
bgp 1.0.1.1
quiesce
!
bgp 1::1 vrf VRF1
quiesce
interface Et1
quiesce
unit UNIT1
quiesce
switch(config-maintenance)# show maintenance
Flags:
o - On-boot maintenance
v - Violating traffic threshold
Unit Name              Status                  Time since last change     Flags
---------------------- ----------------------- -------------------------- -----
System                 Not Under Maintenance   never
UNIT1                  Under Maintenance       0:00:06 ago
Interface Name         Status                  Time since last change     Flags
---------------------- ----------------------- -------------------------- -----
Ethernet1              Entering Maintenance    0:00:06 ago
Bgp Neighbor(vrf: defa Status                  Time since last change     Flags
---------------------- ----------------------- -------------------------- -----
1.0.1.1                Under Maintenance       0:00:06 ago
Bgp Neighbor(vrf: VRF1 Status                  Time since last change     Flags
---------------------- ----------------------- -------------------------- -----
1::1                   Under Maintenance       0:00:06 ago
switch(config-maintenance)#
The rate-monitoring load-interval command is a maintenance interface profile configuration option for configuring the interface rate-monitoring load interval, with a value between 5 and 600 seconds.
Command Mode
Maintenance-Profile-Interface Configuration
Command Syntax
rate-monitoring load-interval load_interval
no rate-monitoring load-interval load_interval
default rate-monitoring load-interval load_interval
Parameters
load_interval load interval value between 5 and 600 seconds.
Example
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1
switch(config-profile-intf-IP1)# rate-monitoring load-interval 10
switch(config-profile-intf-IP1)# show active
maintenance
profile interface IP1
rate-monitoring load-interval 10
switch(config-profile-intf-IP1)#
The rate-monitoring threshold command is a maintenance interface profile configuration option for configuring the interfaces rate monitoring threshold with a threshold value between 1 and 4294967295 kilobytes.
The no rate-monitoring threshold and default rate-monitoring threshold commands remove this configuration from the interface profile.
Command Mode
Maintenance-Profile-Interface Configuration
Command Syntax
rate-monitoring threshold threshold_in_kbps
no rate-monitoring threshold threshold_in_kbps
default rate-monitoring threshold threshold_in_kbps
Parameters
threshold_in_kbps threshold in kilobytes per second (kbps) between 1 and 4294967295 kilobytes.
Example
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1
switch(config-profile-intf-IP1)# rate-monitoring threshold 1000
switch(config-profile-intf-IP1)# show active
maintenance
profile interface IP1
rate-monitoring threshold 1000
switch(config-profile-intf-IP1)#
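The value ranges stated above (on-boot duration, rate-monitoring load-interval, rate-monitoring threshold) and the group and profile names that units and groups refer to can be checked before a configuration is pushed. The following is an added example, not Arista code: the function names, the constructed sample configuration and the three-space nesting of running-config are assumptions.

```python
# Value ranges exactly as stated in the command descriptions above.
RANGES = {
    "on-boot duration": (300, 3600),
    "rate-monitoring load-interval": (5, 600),
    "rate-monitoring threshold": (1, 4294967295),
}
# Built-in group names shown on this page; they exist without being configured.
BUILTIN_GROUPS = ("AllEthernetInterface", "AllBgpNeighborVrf-")

# Constructed sample (not from the page); three-space nesting is assumed.
SAMPLE_CONFIG = """\
group interface IG1
   interface Et8-9
   maintenance profile interface IP1
   maintenance profile bgp BP9
group bgp BG1
   neighbor 1.0.1.1
maintenance
   profile interface IP1
      rate-monitoring load-interval 2
      rate-monitoring threshold 500
   profile unit UP1
      on-boot duration 1000
   unit U1
      group interface IG1
      group bgp BG2
      profile unit UP1
"""


def parse_blocks(text):
    """Return (path, line) pairs; path is the tuple of enclosing config lines."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        out.append((tuple(parent for _, parent in stack), line))
        stack.append((indent, line))
    return out


def lint(text):
    """Report dangling group/profile references and out-of-range values."""
    entries = parse_blocks(text)

    # Pass 1: groups are defined at top level, profiles directly under "maintenance".
    defined = {}
    for path, line in entries:
        words = line.split()
        is_group = words[0] == "group" and path == ()
        is_profile = words[0] == "profile" and path == ("maintenance",)
        if len(words) == 3 and (is_group or is_profile):
            defined.setdefault(" ".join(words[:2]), set()).add(words[2])

    # Pass 2: check every reference and every ranged value.
    findings = []
    for path, line in entries:
        parent = path[-1] if path else ""
        words = line.split()
        ref = None
        if parent.startswith("unit ") and len(words) == 3 and words[0] in ("group", "profile"):
            ref = (" ".join(words[:2]), words[2])            # unit -> group / unit profile
        elif parent.startswith("group ") and len(words) == 4 and words[:2] == ["maintenance", "profile"]:
            ref = ("profile " + words[2], words[3])          # group -> bgp / interface profile
        elif parent == "maintenance" and len(words) == 4 and words[0] == "profile" and words[3] == "default":
            ref = (" ".join(words[:2]), words[2])            # "profile <kind> <name> default"
        if ref:
            kind, name = ref
            builtin = kind.startswith("group ") and name.startswith(BUILTIN_GROUPS)
            if name not in defined.get(kind, set()) and not builtin:
                findings.append(f"{parent}: '{line}' refers to undefined {kind} '{name}'")
        for cmd, (low, high) in RANGES.items():
            if line.startswith(cmd + " "):
                value = line[len(cmd):].strip()
                if not value.isdigit() or not low <= int(value) <= high:
                    findings.append(f"{parent}: '{line}' is outside {low}-{high}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The linter only reports what it finds; whether the switch itself rejects or accepts a dangling reference is not stated on this page.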
The show interface command displays detailed information about the interface.
It displays an extra line that reads: Under maintenance for time in hours and minutes.
Command Mode
EXEC
Command Syntax
show interface intf_name
Parameters
Example
switch# show interface ethernet 16/1
Ethernet16/1 is up, line protocol is up (connected)
Hardware is Ethernet, address is 001c.7373.efc7
Internet address is 1.0.1.1/24
Broadcast address is 255.255.255.255
Address determined by manual configuration
IP MTU 1500 bytes, BW 40000000 kbit
Full-duplex, 40Gb/s, auto negotiation: off, uni-link: n/a
Up 4 hours, 44 minutes, 36 seconds
Under maintenance for 4 hours, 22 minutes, 26 seconds
Loopback Mode : None
2 link status changes since last clear
Last clearing of "show interface" counters 4:45:12 ago
5 minutes input rate 20 bps (0.0% with framing overhead), 0 packets/sec
5 minutes output rate 20 bps (0.0% with framing overhead), 0 packets/sec
580 packets input, 46286 bytes
Received 1 broadcasts, 0 multicast
0 runts, 0 giants
0 input errors, 0 CRC, 0 alignment, 0 symbol, 0 input discards
0 PAUSE input
601 packets output, 48954 bytes
Sent 7 broadcasts, 15 multicast
0 output errors, 0 collisions
0 late collision, 0 deferred, 0 output discards
0 PAUSE output
switch#
The show interface <intf_name> status command displays an m flag if the interface is undergoing a maintenance operation.
Command Mode
EXEC
Command Syntax
show interface [intf_name] status
Parameters
Example
switch# show interface Ethernet16/1 status
Port       Name   Status       Vlan     Duplex Speed  Type         Flags
Et1               disabled     1        auto   auto   1000BASE-T
...
Et14/1            connected    2        full   40G    40GBASE-CR4
Et15/1            connected    2        full   40G    40GBASE-CR4
Et16/1            connected    routed   full   40G    40GBASE-CR4  m
Et17/1            notconnect   1        full   10G    Not Present
...
switch#
The show ip | ipv6 bgp command displays maintenance related information when relevant.
Command Mode
EXEC
Command Syntax
show ip bgp neighbors peer_addr [vrf vrf_name]
show ipv6 bgp peers peer_addr [vrf vrf_name]
Parameters
Example
switch# show ip bgp neighbors 1.0.1.2
BGP neighbor is 1.0.1.2, remote AS 300, external link
BGP version 4, remote router ID 0.0.2.1, VRF default
Negotiated BGP version 4
Last read 00:00:09, last write 00:00:11
Hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Connect timer is inactive
Idle-restart timer is inactive
Session is under maintenance
BGP state is Established, up for 04:55:11
Number of transitions to established: 1
Last state was OpenConfirm
Last event was RecvKeepAlive
Neighbor Capabilities:
Multiprotocol IPv4 Unicast: advertised and received and negotiated
Four Octet ASN: advertised and received
Route Refresh: advertised and received and negotiated
Send End-of-RIB messages: advertised and received and negotiated
Additional-paths Receive:
IPv4 Unicast: advertised and received
Restart timer is inactive
End of rib timer is inactive
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 6 2
Keepalives: 297 297
Route-Refresh: 0 0
Total messages: 304 300
Prefix statistics:
Sent Rcvd
IPv4 Unicast: 2 1
IPv6 Unicast: 0 0
Inbound updates dropped by reason:
AS path loop detection: 0
Enforced First AS: 0
Malformed MPBGP routes: 0
Originator ID matches local router ID: 0
Nexthop matches local IP address: 0
Unexpected IPv6 nexthop for IPv4 routes: 0
Nexthop invalid for single hop eBGP: 0
Inbound paths dropped by reason:
IPv4 labeled-unicast NLRIs dropped due to excessive labels: 0
Outbound paths dropped by reason:
IPv4 local address not available: 0
IPv6 local address not available: 0
Maintenance-mode:
Inbound and Outbound policy
Route map is SystemGenerated
Local AS is 200, local router ID 0.0.1.1
TTL is 1
Local TCP address is 1.0.1.1, local port is 179
Remote TCP address is 1.0.1.2, remote port is 51936
Auto-Local-Addr is disabled
TCP Socket Information:
TCP state is ESTABLISHED
Recv-Q: 0/32768
Send-Q: 0/32768
Outgoing Maximum Segment Size (MSS): 1448
Total Number of TCP retransmissions: 0
Options:
Timestamps enabled: yes
Selective Acknowledgments enabled: yes
Window Scale enabled: yes
Explicit Congestion Notification (ECN) enabled: no
Socket Statistics:
Window Scale (wscale): 9,7
Retransmission Timeout (rto): 204.0ms
Round-trip Time (rtt/rtvar): 7.5ms/3.0ms
Delayed Ack Timeout (ato): 40.0ms
Congestion Window (cwnd): 10
TCP Throughput: 15.45 Mbps
Advertised Recv Window (rcv_space): 14480
switch#
The show ip | ipv6 bgp summary [vrf <vrf_name>] command displays the m flag if the BGP IPv4 or IPv6 peer is undergoing a maintenance operation.
Command Mode
EXEC
Command Syntax
show ip bgp summary [vrf vrf_name]
show ipv6 bgp summary [vrf vrf_name]
Parameter
vrf_name name of the VRF.
Example
switch# show ip bgp summary
BGP summary information for VRF default
Router identifier 0.0.1.1, local AS number 200
Neighbor Status Codes: m - Under maintenance
  Neighbor  V  AS   MsgRcvd MsgSent  InQ OutQ  Up/Down State  PfxRcd PfxAcc
  1.0.0.1   4  100      292     296    0    0 04:47:44 Estab       1      1
m 1.0.1.2   4  300      292     296    0    0 04:47:44 Estab       1      1
switch#
The show maintenance command displays brief status information for all units, dynamic interface units, and dynamic BGP units.
o - flag indicates that the unit is undergoing or has undergone a maintenance operation because of on-boot.
v - flag indicates that one or more of the interfaces are violating the traffic threshold, i.e. traffic for those interfaces is above the threshold.
Command Mode
EXEC
Command Syntax
show maintenance
Example
switch# show maintenance
Flags:
o - On-boot maintenance
v - Violating traffic threshold
Unit Name  Status                  Time since last change Flags
---------- ----------------------- ---------------------- -----
System     Not Under Maintenance   never
Foo        Under Maintenance       0:00:40 ago            o
Interface Name Status               Time since last change Flags
-------------- -------------------- ---------------------- -----
Ethernet16/1   Entering Maintenance 0:00:02 ago            v
Bgp Neighbor(vrf: defa Status                 Time since last change  Flags
--------------         ---------------------- ----------------------- -----
1.0.0.2                Not Under Maintenance  never
Bgp Neighbor(vrf: red) Status                  Time since last change  Flags
-------------          ----------------------- ----------------------- -----
2.0.1.2                Under Maintenance       0:00:16 ago
switch#
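A pre-work gate built on this output, as an added example that is not part of the original documentation: it parses show maintenance text and reports every target that is not yet Under Maintenance or still carries the v flag. The sample output is constructed from the example above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the "show maintenance" example above.
SAMPLE_OUTPUT = """\
Flags:
o - On-boot maintenance
v - Violating traffic threshold
Unit Name  Status                  Time since last change Flags
---------- ----------------------- ---------------------- -----
System     Not Under Maintenance   never
Foo        Under Maintenance       0:00:40 ago            o
Interface Name Status               Time since last change Flags
-------------- -------------------- ---------------------- -----
Ethernet16/1   Entering Maintenance 0:00:02 ago            v
Bgp Neighbor(vrf: defa Status                 Time since last change  Flags
--------------         ---------------------- ----------------------- -----
1.0.0.2                Not Under Maintenance  never
Bgp Neighbor(vrf: red) Status                  Time since last change  Flags
-------------          ----------------------- ----------------------- -----
2.0.1.2                Under Maintenance       0:00:16 ago
"""

KINDS = {"Unit Name": "unit", "Interface Name": "interface", "Bgp Neighbor": "bgp"}

# Section header; the VRF name may be cut short by the column width ("defa").
HEADER = re.compile(r"^(Unit Name|Interface Name|Bgp Neighbor)(?:\(vrf: ([^)\s]+))?")

# Data row: name, a status ending in "Maintenance", time, optional o/v flags.
ROW = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<status>(?:\w+ )+?Maintenance)\s+"
    r"(?P<since>never|\S+ ago)"
    r"(?:\s+(?P<flags>[ov]+))?\s*$"
)


def parse_show_maintenance(text):
    """Turn 'show maintenance' text into a list of record dicts."""
    records, kind, vrf = [], None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            kind, vrf = KINDS[header.group(1)], header.group(2)
            continue
        row = ROW.match(line.strip())
        if row and kind:
            records.append({
                "kind": kind,
                "vrf": vrf,                      # as displayed, possibly truncated
                "name": row.group("name"),
                "status": row.group("status"),
                "since": row.group("since"),
                "flags": row.group("flags") or "",
            })
    return records


def blockers(records, targets):
    """Reasons the targets are not yet safe to work on (empty list = proceed)."""
    problems, seen = [], set()
    for rec in records:
        if rec["name"] not in targets:
            continue
        seen.add(rec["name"])
        if rec["status"] != "Under Maintenance":
            problems.append((rec["name"], "status is " + rec["status"]))
        if "v" in rec["flags"]:
            problems.append((rec["name"], "traffic still above threshold (v flag)"))
    for name in sorted(set(targets) - seen):
        problems.append((name, "not listed in show maintenance"))
    return problems


if __name__ == "__main__":
    recs = parse_show_maintenance(SAMPLE_OUTPUT)
    for name, reason in blockers(recs, {"Foo", "Ethernet16/1", "2.0.1.2"}):
        print(f"BLOCK {name}: {reason}")
```

Any status other than Under Maintenance blocks, including states this page does not show, so the gate fails closed.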
The show maintenance bgp command displays detailed maintenance information about BGP peers.
Command Mode
EXEC
Command Syntax
show maintenance bgp ipv4_addr [vrf vrf_name] | ipv6_addr [vrf vrf_name] | peer_group [vrf vrf_name] | ip all [vrf vrf_name | vrf all] | ipv6 all [vrf vrf_name | vrf all]
Example
switch# show maintenance bgp ip all vrf all
BGP peer maintenance information for VRF default
Router identifier 0.0.1.1, local AS number 200
Neighbor: 1.0.0.1
Maintenance state: Under Maintenance
Maintenance route-map: SystemGenerated
Neighbor: 1.0.1.2
Maintenance state: Under Maintenance
Maintenance route-map: SystemGenerated
switch#
The show maintenance bgp receiver route-map command displays the receiver route-map that is applied during a maintenance operation.
Command Mode
EXEC
Command Syntax
show maintenance bgp receiver route-map
Example
switch# show maintenance bgp receiver route-map
route-map SystemGenerated permit 10
Description:
description System generated receiver route-map
Match clauses:
match community GSHUT-LIST
SubRouteMap:
Set clauses:
route-map SystemGenerated permit 50
Description:
description System generated receiver route-map
Match clauses:
SubRouteMap:
Set clauses:
switch#
This example of the show maintenance interface status quiesced command displays maintenance mode interface status details for quiesced interfaces.
switch(config)#show maintenance interface status quiesced
Flags:
v - Violating traffic threshold
s - Shutdown for maintenance
                            Rate (Mbps)
Interface Status            In  Out Flags
--------- ----------------- --- --- -----
Ethernet1 Under Maintenance 0.3 0.0 v
Ethernet2 Under Maintenance 0.0 0.0
Ethernet4 Under Maintenance 0.0 0.0
switch(config)#
The show maintenance debug command displays the history of various maintenance operations on a unit/interface/BGP peer.
Command Mode
EXEC
Command Syntax
show maintenance debug bgp [peer_name] | interface [intf_name] | units [unit_name]
Example
switch# show maintenance debug interface Ethernet 16/1-4
Interface Ethernet16/1
History:
Maintenance Enter Stage Progression started 4:07:07 ago @ 2016-08-29 22:38:54
0.000000 maintEnter stages started
0.000091 stage begin started
0.000151 event begin:EventMgr started
0.004222 event begin:EventMgr completed
0.004256 stage begin is complete
0.004315 stage before_bgp started
0.004368 event before_bgp:EventMgr started
0.005820 event before_bgp:EventMgr completed
0.005843 stage before_bgp is complete
0.005904 stage bgp started
0.005947 event bgp:Rib started
0.013821 event bgp:Rib completed
0.013855 stage bgp is complete
0.013921 stage after_bgp started
0.013974 event after_bgp:EventMgr started
0.015848 event after_bgp:EventMgr completed
0.015878 stage after_bgp is complete
0.015935 stage before_ratemon started
0.015982 event before_ratemon:EventMgr started
0.017394 event before_ratemon:EventMgr completed
0.017423 stage before_ratemon is complete
0.017470 stage ratemon started
0.017506 event ratemon:MaintenanceMode started
5.021404 event ratemon:MaintenanceMode completed
5.021438 stage ratemon is complete
5.021500 stage after_ratemon started
5.021556 event after_ratemon:EventMgr started
5.023223 event after_ratemon:EventMgr completed
5.023247 stage after_ratemon is complete
5.023300 stage end started
5.023352 event end:EventMgr started
5.024683 event end:EventMgr completed
5.024705 stage end is complete
5.024762 maintEnter stages complete
The show maintenance groups command displays all the interface/BGP groups along with their members and associated profiles.
Command Mode
EXEC
Command Syntax
show maintenance groups interface | bgp group_name
Example
switch# show maintenance groups
Interface Group: AllEthernetInterface
Origin: Built-in
Interfaces:
Et1, Et2, Et3, Et4, Et5/1, Et5/2, Et5/3, Et5/4, Et6/1, Et6/2, Et6/3, Et6/4,
Et7/1, Et7/2, Et7/3, Et7/4, Et8/1, Et8/2, Et8/3, Et8/4, Et9/1, Et9/2, Et9/3,
Et9/4, Et10/1, Et10/2, Et10/3, Et10/4, Et11/1, Et11/2, Et11/3, Et11/4, Et12/1,
Et12/2, Et12/3, Et12/4, Et13/1, Et13/2, Et13/3, Et13/4, Et14/1, Et14/2, Et14/3,
Et14/4, Et15/1, Et15/2, Et15/3, Et15/4, Et16/1, Et16/2, Et16/3, Et16/4, Et17/1,
Et17/2, Et17/3, Et17/4, Et18/1, Et18/2, Et18/3, Et18/4, Et19/1, Et19/2, Et19/3,
Et19/4, Et20/1, Et20/2, Et20/3, Et20/4, Et21/1, Et21/2, Et21/3, Et21/4, Et22/1,
Et22/2, Et22/3, Et22/4, Et23/1, Et23/2, Et23/3, Et23/4, Et24/1, Et24/2, Et24/3,
Et24/4, Et25/1, Et25/2, Et25/3, Et25/4, Et26/1, Et26/2, Et26/3, Et26/4, Et27/1,
Et27/2, Et27/3, Et27/4, Et28/1, Et28/2, Et28/3, Et28/4, Et29, Et30, Et31, Et32,
Et33, Et34, Et35, Et36
Profiles:
Interface Profile: low-load-interval-profile
Bgp Profile: Default
Units: System
Interface Group: IG1
Origin: User Configured
Interfaces:
Et1, Et2, Et3, Et4, Po10, Po11, Po12
Profiles:
Interface Profile: IP1
Bgp Profile: BP1
Units: UNIT1
Bgp Group: AllBgpNeighborVrf-default
Origin: Built-in
Neighbors:
Ipv4 Peers: 1.0.0.1, 1.0.1.2
Bgp Profile: Default
Vrf: default
Units: System
switch#
The show maintenance interface command displays detailed information about interfaces and their maintenance status with traffic rates.
Command Mode
EXEC
Command Syntax
show maintenance interface [intf_name [detail] | detail]
Guidelines
Valid e_range, p_range, and p_range formats include number, range, or comma-delimited list of numbers and ranges.
switch# show maintenance interface
Flags:
v - Violating traffic threshold
s - Shutdown for maintenance
Rate (Mbps)
Interface Status In Out Flags
-------------------- ---------------------------- --------- ---------- ------
Ethernet1 Not Under Maintenance - -
Ethernet2 Not Under Maintenance - -
Ethernet3 Under Maintenance 0.0 0.0
Ethernet4 Not Under Maintenance - -
...
Ethernet35 Entering Maintenance 8.7 2.9
Ethernet36 Not Under Maintenance - -
switch#
switch# show maintenance interface Ethernet16/1 detail
Ethernet16/1 is Under Maintenance
Groups: AllEthernetInterface
Selected profiles from Interface groups:
Interface Maintenance profile: low-load-interval-profile
Bgp Maintenance profile: Default
Bgp:
Maintenance State: Under Maintenance
Vrf: default
Neighbor: 1.0.1.2
Maintenance routemap: SystemGenerated
Rate Monitoring:
Passive monitoring since 0:42:25 ago
Total samples taken: 236
Before Maintenance:
Below threshold: 1
Above threshold: 0
After Maintenance:
Below threshold: 235
Above threshold: 0
Last sample information:
Sample taken 0:00:04 ago
In: 0.0 Mbps
Out: 0.0 Mbps
switch#
The show maintenance interface status command displays maintenance status and rates for interfaces.
Command Mode
EXEC
Command Syntax
show maintenance interface status active | entering | exiting | quiesced
Example
switch# show maintenance interface status quiesced
Flags:
v - Violating traffic threshold
s - Shutdown for maintenance
Rate (Mbps)
Interface Status In Out Flags
-------------------- ---------------------------- ----- ------ ------
Ethernet1 Not Under Maintenance - -
Ethernet2 Not Under Maintenance - -
Ethernet3 Not Under Maintenance - -
Ethernet4 Not Under Maintenance - -
Ethernet16/1 Under Maintenance 0.0 0.0
Port-Channel10 Under Maintenance 100.5 50.5v
Port-Channel11 Entering Maintenance 15.5 10.5
Port-Channel10 Under Maintenance - -
switch#
The show maintenance profiles command displays all the interface/BGP/unit profiles configuration.
Command Mode
EXEC
Command Syntax
show maintenance profiles interface | bgp | unit profile_name
Example
switch# show maintenance profiles
Interface Profile: IP1
Rate Monitoring:
load-interval: 444 seconds
threshold (in/out): 4000 Kbps
shutdown:
enabled: yes
max-delay: 399 seconds
Bgp Profile: BP1
Initiator route-map:
name: RM1
Unit Profile: UP1
On-boot:
enabled: yes
duration: 340 seconds
switch #
The show maintenance stages command displays stages of maintenance operation while entering/exiting maintenance.
Command Mode
EXEC
Command Syntax
show maintenance stages [enter | exit]
switch# show maintenance stages
No. Stage Description
--------- ------------- -----------------
1 bgp BGP Maintenance processing
2 ratemon Interface Rate Monitoring
Maintenance Exit Stage Sequence
No. Stage Description
--------- ------------- ------------------
1 ratemon Interface Rate Monitoring
2 bgp BGP Maintenance processing
switch #
switch# show maintenance stages enter
No. Stage Description
--------- ------------- --------------------
1 bgp BGP Maintenance processing
2 ratemon Interface Rate Monitoring
switch#
The show maintenance summary command displays summarized information about maintenance mode operations, such as the number of units configured and the number of units entering or exiting maintenance.
Command Mode
EXEC
Command Syntax
show maintenance summary
Example
switch# show maintenance summary
Number of Units Configured: 0
Number of Units Exiting Maintenance: 0
Number of Units Entering Maintenance: 0
Number of Units Not Under Maintenance: 1
Number of Units Under Maintenance: 0
Directly Put Under Maintenance:
Number of interfaces Entering Maintenance: 0
Number of interfaces Under Maintenance: 1
Number of bgp peers Entering Maintenance: 0
Number of bgp peers Under Maintenance: 1
Rate Monitoring:
Number of interfaces Entering Maintenance: 0
Number of interfaces Under Maintenance: 1
Number of interfaces Under Maintenance with threshold violation: 0
Number of interfaces shutdown for maintenance: 0
switch#
The show maintenance units command displays detailed information about the particular unit.
Command Mode
EXEC
Command Syntax
show maintenance units [unit_name]
Parameters
unit_name name of unit.
Example
switch# show maintenance units
Unit Name: System
Origin: Built-in
Status: Not Under Maintenance
Unit Profile: Default
Time Since Last State Change: never
Bgp Groups:
AllBgpNeighborVrf-default
Interface Groups:
AllEthernetInterface
Unit Name: UNIT1
Origin: User Configured
Status: Under Maintenance
Unit Profile: UP1
Time Since Last State Change: 0:00:08 ago
Bgp Groups:
BG1
Interface Groups:
IG1
History:
2016-08-29 23:05:30 old state: 'maintenanceModeEnter' to new state:
'underMaintenance' 0:00:08 ago
2016-08-29 23:05:30 old state: 'active' to new state: 'maintenanceModeEnter'
0:00:08 ago
switch#
The shutdown max-delay command is a maintenance interface profile configuration option that sets the maximum duration after which the interface is shut down, with a value between 1 and 4294967295 seconds.
The no shutdown and default shutdown commands remove this configuration from the interface profile.
Command Mode
Maintenance-Profile-Interface Configuration
Command Syntax
shutdown max-delay delay
no shutdown max-delay delay
default shutdown max-delay delay
Parameters
delay maximum shutdown delay between 1 and 4294967295 seconds.
Example
switch(config)# maintenance
switch(config-maintenance)# profile interface IP1
switch(config-profile-intf-IP1)# shutdown max-delay 500
switch(config-profile-intf-IP1)# show active
maintenance
profile interface IP1
shutdown max-delay 500
switch(config-profile-intf-IP1)#
The trigger on-maintenance command is an event handler configuration for triggering actions during the maintenance operation of a unit, interface and BGP peer at specified stages.
The event-handler configuration takes effect only after exiting the event-handler configuration mode.
Command Mode
Event-handler Configuration
Command Syntax
trigger on-maintenance [enter | exit][unit unit_name | bgp [ipv4_addr | ipv6_addr | peer_group][vrf vrf_name] | [interface intf_name] [begin | end | all] |[before | after][stage stage_name]
switch(config)# event-handler E1
switch(config-handler-E1)# trigger on-maintenance enter unit UNIT1 all
switch(config-handler-E1)# action bash FastCli -c "show maintenance"
switch(config-handler-E1)# exit
switch(config)# show event-handler E1
Event-handler E1
Trigger: Asynchronous on-maintenance enter unit UNIT1 all delay 0 seconds
Threshold Time Window: 0 Seconds, Event Count: 1 times
Action: FastCli -c "show maintenance"
Action expected to finish in less than 10 seconds
Last Trigger Detection Time: Never
Total Trigger Detections: 0
Last Trigger Activation Time: Never
Total Trigger Activations: 0
Last Action Time: Never
Total Actions: 0
switch(config)#
switch(config)# event-handler E2
switch(config-handler-E2)# trigger on-maintenance exit interface Ethernet1 before stage bgp
switch(config-handler-E2)# action bash FastCli -c "show maintenance summary"
switch(config-handler-E2)# exit
switch(config)# show event-handler E2
Event-handler E2
Trigger: Asynchronous on-maintenance exit interface Ethernet1 before stage bgp delay 0 seconds
Threshold Time Window: 0 Seconds, Event Count: 1 times
Action: FastCli -c "show maintenance summary"
Action expected to finish in less than 10 seconds
Last Trigger Detection Time: Never
Total Trigger Detections: 0
Last Trigger Activation Time: Never
Total Trigger Activations: 0
Last Action Time: Never
Total Actions: 0
switch(config)#
switch(config)# event-handler E3
switch(config-handler-E3)# trigger on-maintenance enter bgp 1::1 vrf VRF1 end
switch(config-handler-E3)# action bash FastCli -c "show maintenance bgp ip all vrf all"
switch(config-handler-E3)# exit
switch(config)# show event-handler E3
Event-handler E3
Trigger: Asynchronous on-maintenance enter bgp 1::1 vrf VRF1 end delay 0 seconds
Threshold Time Window: 0 Seconds, Event Count: 1 times
Action: FastCli -c "show maintenance bgp ip all vrf all"
Action expected to finish in less than 10 seconds
Last Trigger Detection Time: Never
Total Trigger Detections: 0
Last Trigger Activation Time: Never
Total Trigger Activations: 0
Last Action Time: Never
Total Actions: 0
switch(config)#
The unit <unit_name> command places the switch in maintenance unit configuration mode for configuring BGP/interface groups in the unit.
The command creates the unit if the specified unit profile does not exist prior to issuing the command.
The no unit <unit-name> and default unit <unit-name> commands remove the unit from running-config.
Command Mode
Maintenance Configuration
Command Syntax
unit linecard [l_range | unit_name]
no unit linecard [l_range | unit_name]
default unit linecard [l_range | unit_name]
switch(config)# maintenance
switch(config-maintenance)# unit UNIT1
switch(config-unit-UNIT1)# show active
maintenance
unit UNIT1
switch(config-unit-UNIT1)#
switch(config)# maintenance
switch(config-maintenance)# unit Linecard1
switch(config-builtin-unit-Linecard1)# show active
maintenance
unit Linecard1
switch(config-builtin-unit-Linecard1)#
The vrf command specifies the VRF for the BGP group. All the neighbors configured in the BGP group are considered to be members of the BGP group in the particular VRF context.
The no vrf <vrf-name> and default vrf <vrf-name> commands remove the VRF configuration from the BGP group and set the VRF context to default.
Command Mode
Group-BGP Configuration
Command Syntax
vrf vrf_name
no vrf vrf_name
default vrf vrf_name
Parameters
vrf_name name of the VRF in a group belonging to neighbors in that group.
Example
switch(config)# group bgp BG1
switch(config-group-bgp-BG1)# neighbor 1.0.1.1
switch(config-group-bgp-BG1)# neighbor 1::1
switch(config-group-bgp-BG1)# neighbor PG
switch(config-group-bgp-BG1)# vrf VRF1
switch(config-group-bgp-BG1)# show active
group bgp BG1
neighbor 1.0.1.1
neighbor 1::1
neighbor PG
vrf VRF1
switch(config-group-bgp-BG1)# exit
switch(config)#
Routing transmits network layer data packets over connected independent subnets. Each subnet is assigned an IP address range and each device on the subnet is assigned an IP address from that range.
Connected subnets have IP address ranges that do not overlap. A router is a network device connecting multiple subnets. Routers forward inbound packets to the subnet whose address range includes the packets’ destination address.
IPv4 and IPv6 are Internet layer protocols that define packet-switched inter-networking, including source-to-destination datagram transmission across multiple networks. The switch supports IP version 4 (IPv4) and IP version 6 (IPv6).
IPv6 is described by RFC 2460: Internet Protocol, Version 6 (IPv6) Specification. RFC 2463 describes ICMPv6 for IPv6. ICMPv6 is a core protocol of the Internet Protocol suite.
Internet Protocol version 6 (IPv6) is a communications protocol used for relaying network packets across a set of connected networks using the Internet Protocol suite. Each network device is assigned a 128-bit IP address that identifies its network location.
Example
d28e:0000:0000:0000:0234:812f:61ed:4419
d28e:0:0:0:234:812f:61ed:4419
d28e::234:812f:61ed:4419
IPv6 addresses typically denote a 64-bit network prefix and a 64-bit host address.
Unicast addressing defines a one-to-one association between the destination address and a network endpoint. Each destination address uniquely identifies a single receiver endpoint. Anycast addressing defines a one-to-one-of-many association: packets are routed to a single member of a group of potential receivers identified by the same destination address.
Link-local addresses are created by the switch and are not configurable. The following figure depicts the switch’s link local address derivation method.
Multicast addressing defines a one-to-many association: packets are simultaneously routed from a single sender to multiple endpoints in a single transmission. The network replicates packets as required by network links that contain a recipient endpoint. One multicast address is assigned to an interface for each multicast group to which the interface belongs.
A solicited-node multicast address is an IPv6 multicast address whose scope extends only to the link to which the interface is directly connected. All IPv6 hosts have at least one such address per interface. Solicited-node multicast addresses are used by the Neighbor Discovery Protocol to obtain Layer 2 link-layer addresses of other nodes.
Dynamic Host Configuration Protocol (DHCP) snooping is a Layer 2 feature that is configured on LAN switches. The Arista EOS switch supports Option-37 insertion that allows relay agents to provide remote-id information in DHCP request packets. DHCP servers use this information to determine the originating port of DHCP requests and associate a corresponding IP address to that port. DHCP servers use port information to track host location and IP address usage by authorized physical ports.
DHCP snooping uses the information option (Option-37) to include the switch MAC address (router-id) along with the physical interface name and VLAN number (remote-id) in DHCP packets. After adding the information to the packet, the DHCP relay agent forwards the packet to the DHCP server as specified by the DHCP protocol.
The ipv6 unicast-routing command enables the forwarding of IPv6 unicast packets. When routing is enabled, the switch attempts to deliver inbound packets to destination addresses by forwarding them to interfaces or next hop addresses specified by the IPv6 routing table.
Example
switch(config)# ipv6 unicast-routing
switch(config)#
The ipv6 route command creates an IPv6 static route. The destination is an IPv6 prefix; the source is an IPv6 address or a routable interface port. When multiple routes exist to a destination prefix, the route with the lowest administrative distance takes precedence.
By default, the administrative distance assigned to static routes is 1. Assigning a higher administrative distance to a static route configures it to be overridden by dynamic routing data. For example, a static route with a distance value of 200 is overridden by OSPF intra-area routes, which have a default distance of 110.
Example
switch(config)# ipv6 route 10:23:31:00:01:32:93/24 vlan 300
switch(config)#
The default route denotes the packet forwarding rule that takes effect when no other route is configured for a specified IPv6 address. All packets with destinations that are not established in the routing table are sent to the destination specified by the default route.
The IPv6 default route source is ::/0. The default route destination is referred to as the default gateway.
Example
switch(config)# ipv6 route ::/0 fd7a:629f:52a4:fe61::2
switch(config)#
Multiple routes that are configured to the same destination with the same administrative distance comprise an Equal Cost Multi-Path (ECMP) route. The switch attempts to spread outbound traffic across all ECMP route paths equally. All ECMP paths are assigned the same tag value; commands that change the tag value of any ECMP path change the tag value of all paths in the ECMP.
Resilient ECMP is available for IPv6 routes. Equal Cost Multipath Routing (ECMP) and Load Sharing describes resilient ECMP. The ipv6 hardware fib ecmp resilience command implements IPv6 resilient ECMP.
Example
switch(config)# ipv6 hardware fib ecmp resilience 2001:db8:0::/64 capacity 5 redundancy 3
switch(config)#
The ipv6 enable command enables IPv6 on the configuration mode interface if it does not have a configured IPv6 address. It also configures the interface with an IPv6 address.
The no ipv6 enable command disables IPv6 on a configuration mode interface not configured with an IPv6 address. Interfaces configured with an IPv6 address are not disabled by this command.
Example
switch(config)# interface vlan 200
switch(config-vl200)# ipv6 enable
switch(config-vl200)#
The ipv6 address command enables IPv6 on the configuration mode interface, assigns a global IPv6 address to the interface, and defines the prefix length. This command is supported on routable interfaces. Multiple global IPv6 addresses can be assigned to an interface.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 address 10:23:31::1:32:93/64
switch(config-if-Vl200)#
IPv6 Neighbor Discovery is defined by RFC 2461. IPv6 Stateless Address Autoconfiguration is described by RFC 2462.
The following sections describe Neighbor Discovery configuration tasks.
The ipv6 nd reachable-time command specifies the time period that the switch includes in the reachable time field of Router Advertisements (RAs) sent from the configuration mode interface. The reachable time defines the period that a remote IPv6 node is considered reachable after a reachability confirmation event.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd reachable-time 25000
switch(config-if-Vl200)# show active
interface Vlan200
ipv6 address fd7a:4321::1/64
ipv6 nd reachable-time 25000
switch(config-if-Vl200)#
The ipv6 nd ra interval command configures the interval between IPv6 RA transmissions from the configuration mode interface.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra interval 60
switch(config-if-Vl200)# show active
interface Vlan200
ipv6 nd ra interval 60
switch(config-if-Vl200)#
The ipv6 nd ra lifetime command specifies the value that the switch places in the router lifetime field of IPv6 RAs sent from the configuration mode interface.
If the value is set to 0, IPv6 peers connected to the specified interface will remove the switch from their lists of default routers. Values greater than 0 indicate the time in seconds that peers should keep the router on their default router lists without receiving further RAs from the switch. Unless the value is 0, the router lifetime value should be equal to or greater than the interval between unsolicited RAs sent on the interface.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra lifetime 2700
switch(config-if-Vl200)# show active
interface Vlan200
ipv6 nd ra lifetime 2700
switch(config-if-Vl200)#
The ipv6 nd prefix command configures neighbor discovery router advertisement prefix inclusion for RAs sent from the configuration mode interface.
By default, all prefixes configured as IPv6 addresses are advertised in the interface’s RAs. The ipv6 nd prefix command with the no-advertise option prevents advertising of the specified prefix without affecting the advertising of other prefixes specified as IPv6 addresses. When an interface configuration includes at least one ipv6 nd prefix command that enables prefix advertising, RAs advertise only prefixes specified through ipv6 nd prefix commands.
Commands enabling prefix advertising also specify the advertised valid and preferred lifetime periods. Default periods are 2,592,000 (valid) and 604,800 (preferred) seconds.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd prefix 3012:D678::/64 1296000
switch(config-if-Vl200)#
The ipv6 nd ra disabled command suppresses IPv6 RA transmissions on the configuration mode interface. By default, only unsolicited RAs that are transmitted periodically are suppressed. The all option configures the switch to suppress all RAs, including those responding to a router solicitation.
Example
switch(config)# interface vlan 200
switch(config-vl200)# ipv6 nd ra disabled all
switch(config-vl200)#
The ipv6 nd ra mtu suppress command suppresses the router advertisement MTU option on the configuration mode interface. The MTU option causes an identical MTU value to be advertised by all nodes on a link. By default, the router advertisement MTU option is not suppressed.
Example
switch(config)# interface vlan 200
switch(config-vl200)# ipv6 nd ra mtu suppress
switch(config-vl200)#
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd managed-config-flag
switch(config-if-Vl200)#
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd other-config-flag
switch(config-if-Vl200)#
The IPv6 Router Preference protocol supports an extension to RA messages for communicating default router preferences and more specific routes from routers to hosts. This provides assistance to hosts when selecting a router. RFC 4191 describes the IPv6 Router Preference Protocol.
The ipv6 nd router-preference command specifies the value that the switch enters in the Default Router Preference (DRP) field of RAs that it sends from the configuration mode interface. The default field entry value is medium.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd router-preference medium
switch(config-if-Vl200)#
Unicast Reverse Path Forwarding (uRPF) verifies the accessibility of source IP addresses in packets that the switch forwards. Unicast Reverse Path Forwarding (uRPF) describes uRPF. uRPF is enabled for IPv6 packets entering the configuration mode interface through the ipv6 verify command.
Example
switch(config)# interface vlan 100
switch(config-if-Vl100)# ipv6 verify unicast source reachable-via rx allow-default
switch(config-if-Vl100)# show active
interface Vlan100
ipv6 verify unicast source reachable-via rx allow-default
switch(config-if-Vl100)#
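The strict-mode check selected by reachable-via rx, as an added Python sketch that is not Arista code: it models the reverse-path lookup against a constructed FIB. It assumes that, without allow-default, a source covered only by the default route fails the check; the FIB entries, addresses and function names are illustrative.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("::/0")

# Constructed sample FIB (not from the page): prefix -> interfaces the
# route points out of. Vlan100 is the upstream side holding the default route.
SAMPLE_FIB = [
    ("::/0", ["Vlan100"]),
    ("2001:db8:200::/64", ["Vlan200"]),
    ("2001:db8:300::/48", ["Vlan300"]),
]


def build_fib(entries):
    """Convert (prefix_string, interface_list) pairs into network objects."""
    return [(ipaddress.ip_network(p), set(intfs)) for p, intfs in entries]


def best_route(fib, src):
    """Longest-prefix match of the source address, or None if nothing matches."""
    addr = ipaddress.ip_address(src)
    matches = [(net, intfs) for net, intfs in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_strict(fib, src, rx_intf, allow_default=False):
    """Model of a strict reverse-path check.

    The packet passes only if the best route back to its source address
    points out of the interface the packet arrived on. The default route
    counts as a valid return path only when allow_default is set
    (assumption of this model).
    Returns (passed, reason).
    """
    route = best_route(fib, src)
    if route is None:
        return False, "no route to source"
    net, intfs = route
    if net == DEFAULT_ROUTE and not allow_default:
        return False, "source is covered only by the default route"
    if rx_intf not in intfs:
        return False, f"return path for {net} is via {sorted(intfs)}, not {rx_intf}"
    return True, f"return path for {net} uses {rx_intf}"


if __name__ == "__main__":
    fib = build_fib(SAMPLE_FIB)
    # Constructed packets: (source address, receiving interface, allow_default)
    packets = [
        ("2001:db8:200::5", "Vlan200", False),   # legitimate host on Vlan200
        ("2001:db8:200::5", "Vlan100", True),    # internal source arriving from upstream
        ("2001:db8:ffff::9", "Vlan100", False),  # only the default route covers it
        ("2001:db8:ffff::9", "Vlan100", True),   # same packet with allow-default
    ]
    for src, intf, allow in packets:
        ok, reason = urpf_strict(fib, src, intf, allow_default=allow)
        verdict = "forward" if ok else "drop"
        print(f"{src:20} rx={intf:8} allow-default={allow!s:5} -> {verdict}: {reason}")
```

On an upstream-facing interface the allow-default option decides whether traffic from sources reachable only through the default route is accepted, while an internal prefix arriving on the wrong interface is dropped either way.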
The ipv6 dhcp snooping command enables DHCP snooping globally on the switch. DHCP snooping is a Layer 2 feature that can be configured on LAN switches. The Arista switch supports Option-37 insertion that allows relay agents to provide remote-ID information in DHCP request packets.
switch(config)# ipv6 dhcp snooping
switch(config)# ipv6 dhcp snooping remote-id option
switch(config)# ipv6 dhcp snooping vlan <vlan|vlan-range>
switch(config)# ipv6 dhcp snooping
switch(config)# show ipv6 dhcp snooping
DHCPv6 Snooping is enabled
DHCPv6 Snooping is operational
DHCPv6 Snooping is configured on following VLANs:
2789-2790
DHCPv6 Snooping is operational on following VLANs:
2789
Insertion of Option-37 is enabled
Use the show rib route ipv6 command to view the IPv6 Routing Information Base (RIB) information.
Example
switch# show rib route ipv6 bgp
VRF name: default, VRF ID: 0xfe, Protocol: bgp
Codes: C - Connected, S - Static, P - Route Input
B - BGP, O - Ospf, O3 - Ospf3, I - Isis
> - Best Route, * - Unresolved Nexthop
L - Part of a recursive route resolution loop
B 2001:10:1::/64 [200/42]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
>B 2001:10:100::/64 [200/200]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
>B 2001:10:100:1::/64 [200/0]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
>B 2001:10:100:2::/64 [200/42]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
switch#
The show ipv6 route command displays routing table entries that are in the Forwarding Information Base (FIB), including static routes, routes to directly connected networks, and dynamically learned routes. Multiple equal cost paths to the same prefix are displayed contiguously as a block, with the destination prefix displayed only on the first line.
Example
switch> show ipv6 route fd7a:3418:52a4:fe18::/64
IPv6 Routing Table - 77 entries
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP, R - RIP, A - Aggregate
O fd7a:3418:52a4:fe18::/64 [10/20]
via f180::21c:73ff:fe00:1319, Vlan3601
via f180::21c:73ff:fe00:1319, Vlan3602
via f180::21c:73ff:fe00:1319, Vlan3608
via f180::21c:73ff:fe0f:6a80, Vlan3610
via f180::21c:73ff:fe00:1319, Vlan3611
switch>
The show ipv6 route age command displays the IPv6 route age to the specified IPv6 address or prefix.
Example
switch> show ipv6 route 2001::3:0/11 age
IPv6 Routing Table - 74 entries
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP, R - RIP, A - Aggregate
C 2001::3:0/11 age 00:02:34
switch>
Example
switch# show ipv6 route host
R - receive F - FIB, A - attached
F ::1 to cpu
A fee7:48a2:0c11:1900:400::1 on Vlan102
R fee7:48a2:0c11:1900:400::2 to cpu
F fee7:48a2:0c11:1a00::b via fe80::21c:73ff:fe0b:a80e on Vlan3902
R fee7:48a2:0c11:1a00::17 to cpu
F fee7:48a2:0c11:1a00::20 via fe80::21c:73ff:fe0b:33e on Vlan3913
F fee7:48a2:0c11:1a00::22 via fe80::21c:73ff:fe01:5fe1 on Vlan3908
via fe80::21c:73ff:fe01:5fe1 on Vlan3902
switch#
The show ipv6 route summary command displays the current number of routes of the IPv6 routing table in summary format.
Example
switch> show ipv6 route summary
Route Source Number Of Routes
------------------ ----------------
connected 2
static 0
ospf 5
bgp 7
isis 0
internal 1
attached 0
aggregate 2
Total Routes 17
switch>
The ipv6 dhcp relay always-on command enables the switch DHCP relay agent globally regardless of the DHCP relay agent status on any interface. The DHCP relay agent is enabled by default if at least one routable interface is configured with an ipv6 dhcp relay destination statement.
Example
switch(config)# ipv6 dhcp relay always-on
switch(config)#
The ipv6 dhcp relay destination command enables the DHCPv6 relay agent function and specifies the client message destination address on an interface.
Example
switch(config)# interface ethernet 4
switch(config-if-Et4)# ipv6 dhcp relay destination 2001:0db8:0:1::1
switch(config-if-Et4)#
The ipv6 dhcp relay option link-layer address command enables the DHCPv6 relay agent to configure the client link layer address option to solicit and request messages. In other words, the command enables the link layer address option (79) in the global configuration mode. The no ipv6 dhcp relay option link-layer address command disables the link layer address option (79) in the global configuration mode.
Example
switch(config)# ipv6 dhcp relay option link-layer address
switch(config-if-Et4)# exit
switch(config)# clear ipv6 dhcp relay counters
switch(config)#
switch(config)# interface ethernet 4
switch(config-if-Et4)# clear ipv6 dhcp relay counters
switch(config)#
The show ip dhcp relay command displays the status of DHCP relay agent parameters on the switch and each interface where at least one feature parameter is listed. The command displays the status for both global and interface configurations.
Example
switch(config)# interface ethernet 1/2
switch(config-if-Et1/2)# show ip dhcp relay
DHCP Relay is active
DHCP Relay Option 82 is disabled
DHCPv6 Relay Link-layer Address Option (79) is disabled
DHCP Smart Relay is disabled
Interface: Ethernet1/2
DHCP Smart Relay is disabled
DHCP servers: 1::1
2001:db8:0:1::1
switch(config-if-Et1/2)#
The show ipv6 dhcp relay counters command displays the number of DHCP packets received, forwarded, or dropped on the switch and on all interfaces enabled as DHCP relay agents.
Example
switch> show ipv6 dhcp relay counters
| Dhcp Packets |
Interface | Rcvd Fwdd Drop | Last Cleared
----------|----- ---- -----|---------------------
All Req | 376 376 0 | 4 days, 19:55:12 ago
All Resp | 277 277 0 |
| |
Ethernet4 | 207 148 0 | 4 days, 19:54:24 ago
switch>
TCP MSS clamping limits the value of the Maximum Segment Size (MSS) in the TCP header of TCP SYN packets transiting a specified Ethernet or tunnel interface. Setting the MSS ceiling can avoid IP fragmentation in tunnel scenarios by ensuring that the MSS is low enough to account for the extra overhead of GRE and tunnel outer IP headers. TCP MSS clamping can be used when connecting via GRE to cloud providers that require asymmetric routing.
When MSS clamping is configured on an interface, if the TCP MSS value in a SYN packet transiting that interface exceeds the configured ceiling limit it will be overwritten with the configured limit and the TCP checksum will be recomputed and updated.
TCP MSS clamping is handled by default in the software data path, but the process can be supported through hardware configuration to minimize possible packet loss and a reduction in the number of TCP sessions which the switch can establish per second.
The TCP MSS ceiling limit is set on an interface using the tcp mss ceiling ipv6 command. This also enables TCP MSS clamping on the switch.
switch(config)# interface ethernet 26
switch(config-if-Et5)# no switchport
switch(config-if-Et5)# tcp mss ceiling ipv6 1436 egress
switch(config-if-Et5)#
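The clamping step described above, as an added Python example that is not EOS code: it locates the MSS option in a TCP SYN carried over IPv6, overwrites it when it exceeds the ceiling, and recomputes the TCP checksum over the IPv6 pseudo-header. The sample SYN, the addresses and all function names are constructed for illustration; 1436 is the ceiling from the example above.

```python
import ipaddress
import struct

TCP_PROTO = 6
SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def tcp_checksum_v6(src, dst, segment):
    """Internet checksum of a TCP segment including the IPv6 pseudo-header.

    Computed over a segment whose checksum field is zero, it yields the value
    to store; computed over a segment with a valid checksum, it yields 0.
    """
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(segment), TCP_PROTO))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def find_mss_option(segment):
    """Return the byte offset of the 16-bit MSS value, or None if absent or malformed."""
    if len(segment) < 20:
        return None
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return None
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            return None  # option kind with no length byte
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            return None  # length runs past the header: do not touch the packet
        if kind == OPT_MSS:
            return i + 2 if length == 4 else None
        i += length
    return None


def clamp_mss(src, dst, segment, ceiling):
    """Return (segment, changed). Only SYNs whose MSS exceeds the ceiling are rewritten."""
    if len(segment) < 20 or not segment[13] & SYN:
        return segment, False
    off = find_mss_option(segment)
    if off is None:
        return segment, False
    (mss,) = struct.unpack_from("!H", segment, off)
    if mss <= ceiling:
        return segment, False
    out = bytearray(segment)
    struct.pack_into("!H", out, off, ceiling)
    struct.pack_into("!H", out, 16, 0)  # zero the checksum before recomputing
    struct.pack_into("!H", out, 16, tcp_checksum_v6(src, dst, bytes(out)))
    return bytes(out), True


def build_syn(src, dst, sport, dport, mss):
    """Constructed sample SYN: MSS option, NOP, window-scale option."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, 3, 3, 7])
    offset_flags = (((20 + len(options)) // 4) << 12) | SYN
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                         offset_flags, 64800, 0, 0)
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, tcp_checksum_v6(src, dst, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    src, dst = "2001:db8::1", "2001:db8::2"  # constructed addresses
    syn = build_syn(src, dst, 40000, 443, 1440)
    clamped, changed = clamp_mss(src, dst, syn, 1436)
    off = find_mss_option(clamped)
    print("rewritten:", changed)
    print("MSS now:", struct.unpack_from("!H", clamped, off)[0])
    print("checksum verifies:", tcp_checksum_v6(src, dst, clamped) == 0)
```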
The clear ipv6 dhcp relay counters command resets the DHCP relay counters. When no port is specified, the command clears the counters for the switch and for all interfaces. Otherwise, the command clears the counter for the specified interface.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 dhcp relay counters [PORT]
Parameters
Example
switch(config)# show ipv6 dhcp relay counters
| Dhcp Packets |
Interface | Rcvd Fwdd Drop | Last Cleared
----------|----- ---- -----|---------------------
All Req | 376 376 0 | 4 days, 19:55:12 ago
All Resp | 277 277 0 |
| |
Ethernet4 | 207 148 0 | 4 days, 19:54:24 ago
switch(config)# interface ethernet 4
switch(config-if-Et4)# clear ipv6 dhcp relay counters
| Dhcp Packets |
Interface | Rcvd Fwdd Drop | Last Cleared
----------|----- ---- -----|---------------------
All Req | 380 380 0 | 4 days, 21:19:17 ago
All Resp | 281 281 0 |
| |
Ethernet4 | 0 0 0 |4 days, 21:18:30 ago
These commands clear all DHCP relay counters on the switch.
switch(config-if-Et4)# exit
switch(config)# clear ipv6 dhcp relay counters
switch(config)# show ipv6 dhcp relay counters
| Dhcp Packets |
Interface | Rcvd Fwdd Drop | Last Cleared
----------|----- ---- -----|-------------
All Req | 0 0 0 | 0:00:03 ago
All Resp | 0 0 0 |
| |
Ethernet4 | 0 0 0 | 0:00:03 ago
switch(config)#
The clear ipv6 dhcp snooping counters command resets the DHCP snooping packet counters.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 dhcp snooping counters [COUNTER_TYPE]
debug command clears aggregate counters and drop cause counters.
switch# clear ipv6 dhcp snooping counters
switch# show ipv6 dhcp snooping counters
| Dhcpv6 Request Pkts | Dhcpv6 Reply Pkts |
Vlan | Rcvd Fwdd Drop | Rcvd Fwdd Drop | Last Cleared
-----|------ ------ -------|------ ----- ------|-------------
2789 | 1 1 0 | 1 1 0 | 0:03:09 ago
switch# clear ipv6 dhcp snooping counters debug
switch# show ipv6 dhcp snooping counters debug
Counter Snooping to Relay Relay to Snooping
----------------------------- ----------------- -----------------
Received 1 1
Forwarded 1 1
Dropped - Invalid VlanId 0 0
Dropped - Parse error 0 0
Dropped - Invalid Dhcp Optype 0 0
Dropped - Invalid Remote-ID Option 0 0
Dropped - Snooping disabled 0 0
Last Cleared: 0:04:29 ago
The clear ipv6 neighbors command removes the specified dynamic IPv6 neighbor discovery cache entries. Commands that do not specify an IPv6 address remove all dynamic entries for the listed interface. Commands that do not specify an interface remove all dynamic entries.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 neighbors [PORT][DYNAMIC_IPV6]
Example
switch# clear ipv6 neighbors vlan 200
switch#
The ipv6 address command assigns a global IPv6 address to the IPv6 interface, and defines the prefix length. This command is supported on routable interfaces. Multiple global IPv6 addresses can be assigned to an interface.
The no ipv6 address and default ipv6 address commands remove the IPv6 address assignment from the configuration mode interface by deleting the corresponding ipv6 address command from running-config. If the command does not include an address, all address assignments are removed from the interface. IPv6 remains enabled on the interface after the removal of all IPv6 addresses only if an ipv6 enable command is configured on the interface.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 address [ipv6_prefix]
no ipv6 address [ipv6_prefix]
default ipv6 address [ipv6_prefix]
Parameter
ipv6_prefix address assigned to the interface (CIDR notation).
Guidelines
This command is supported on routable interfaces.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 address 10:23:31:00:01:32:93/64
switch(config-if-Vl200)#
The ipv6 dhcp relay always-on command enables the DHCP relay agent on the switch regardless of the DHCP relay agent status on any interface. By default, the DHCP relay agent is enabled only if at least one routable interface is configured with an ipv6 dhcp relay destination statement.
The no ipv6 dhcp relay always-on and default ipv6 dhcp relay always-on commands remove the ipv6 dhcp relay always-on command from running-config.
Command Mode
Global Configuration
Command Syntax
ipv6 dhcp relay always-on
no ipv6 dhcp relay always-on
default ipv6 dhcp relay always-on
Example
switch(config)# ipv6 dhcp relay always-on
switch(config)#
The ipv6 dhcp relay destination command enables the DHCPv6 relay agent and sets the destination address on the configuration mode interface.
The no ipv6 dhcp relay destination and default ipv6 dhcp relay destination commands remove the corresponding ipv6 dhcp relay destination command from running-config. When the commands do not list an IPv6 address, all ipv6 dhcp relay destination commands are removed from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 dhcp relay destination [ipv6_addr][source-address ipv6_addr]
no ipv6 dhcp relay destination [ipv6_addr]
default ipv6 dhcp relay destination [ipv6_addr]
Guidelines
If the source-address parameter is specified, then the DHCP client receives an IPv6 address from the subnet of the source IP address. The source-address must be one of the configured addresses on the interface.
Example
This command enables the DHCPv6 relay agent and sets the destination address to 2001:0db8:0:1::1 on interface ethernet 4.
switch(config)# interface ethernet 4
switch(config-if-Et4)# ipv6 dhcp relay destination 2001:0db8:0:1::1
switch(config-if-Et4)# show ip dhcp relay
DHCP Relay is active
DHCP Relay Option 82 is disabled
DHCPv6 Relay Link-layer Address Option (79) is disabled
DHCP Smart Relay is disabled
Interface: Ethernet4
DHCP Smart Relay is disabled
DHCP servers: 1::1
2001:db8:0:1::1
switch(config-if-Et4)#
The ipv6 dhcp relay option link-layer address command enables the DHCPv6 relay agent to configure the client link layer address option to solicit and request messages. In other words, the command enables the link layer address option (79) in the global configuration mode.
The no ipv6 dhcp relay option link-layer address command disables the link layer address option (79) in the global configuration mode.
Command Mode
Global Configuration
Command Syntax
ipv6 dhcp relay option link-layer address
no ipv6 dhcp relay option link-layer address
default ipv6 dhcp relay option link-layer address
Example
switch(config)# ipv6 dhcp relay option link-layer address
The ipv6 enable command enables IPv6 on the configuration mode interface. Assigning an IPv6 address to an interface also enables IPv6 on the interface.
The no ipv6 enable and default ipv6 enable commands remove the corresponding ipv6 enable command from running-config. This action disables IPv6 on interfaces that are not configured with an IPv6 address.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 enable
no ipv6 enable
default ipv6 enable
Example
switch(config)# interface vlan 200
switch(config-vl200)# ipv6 enable
switch(config-vl200)#
The ipv6 hardware fib aggregate-address command specifies the routing table repository of the specified IPv6 route.
By default, routes that are created statically through the CLI or dynamically through routing protocols are initially stored in software routing tables, then entered in the hardware routing table by the routing agent. This command prevents the entry of the specified route into the hardware routing table. Specified routes that are in the hardware routing table are removed by this command. Specific routes that are encompassed within the specified route prefix are affected by this command.
The no ipv6 hardware fib aggregate-address and default ipv6 hardware fib aggregate-address commands remove the restriction from the hardware routing table for the specified routes by removing the corresponding ipv6 hardware fib aggregate-address command from running-config.
Command Mode
Global Configuration
Command Syntax
ipv6 hardware fib aggregate-address ipv6_prefix summary-only software-forward
no ipv6 hardware fib aggregate-address ipv6_prefix
default ipv6 hardware fib aggregate-address ipv6_prefix
Parameters
ipv6_prefix IPv6 prefix that is restricted from the hardware routing table (CIDR notation).
Example
switch(config)# ipv6 hardware fib aggregate-address fd77:4890:5313:ffed::/64 summary-only software-forward
switch(config)# show ipv6 hardware fib aggregate-address
Codes: S - Software Forwarded
S fd77:4890:5313:ffed::/64
switch(config)#
The ipv6 hardware fib ecmp resilience command configures a fixed number of next hop entries in the hardware ECMP table for the specified IPv6 address prefix. In addition to specifying the maximum number of next hop addresses that the table can contain for the prefix, the command introduces a redundancy factor that allows duplication of each next hop address. The fixed table space for the address is the maximum number of next hops multiplied by the redundancy factor.
The default method of adding or removing next hop entries when required by the active hashing algorithm leads to inefficient management of the ECMP table, which can result in the rerouting of packets to different next hops that breaks TCP packet flows. Implementing fixed table entries for a specified IP address allows data flows that are hashed to a valid next hop number to remain intact. Additionally, traffic is evenly distributed over a new set of next hops.
The no ipv6 hardware fib ecmp resilience and default ipv6 hardware fib ecmp resilience commands restore the default hardware ECMP table management by removing the ipv6 hardware fib ecmp resilience command from running-config.
Command Mode
Global Configuration
Command Syntax
ipv6 hardware fib ecmp resilience net_prfx capacity nhop_max redundancy duplicates
no ipv6 hardware fib ecmp resilience net_addr
default ipv6 hardware fib ecmp resilience net_addr
Example
switch(config)#ipv6 hardware fib ecmp resilience 2001:db8:0::/64 capacity 5 redundancy 3
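A simplified model of the behaviour described above, added here as an illustration and not taken from EOS: the hash function, the round-robin refill policy and the link-local next hop addresses are assumptions. It compares a table sized to the live next hops with a fixed table of capacity 5 and redundancy 3 (15 slots, as in the example command) when one next hop is withdrawn.

```python
import hashlib


def flow_hash(flow: tuple) -> int:
    """Stable stand-in for the hardware hash of a flow's header fields."""
    return int.from_bytes(hashlib.sha256(repr(flow).encode()).digest()[:4], "big")


def dynamic_lookup(flow, nexthops):
    """Table sized to the live next hops: the modulus changes with the set."""
    return nexthops[flow_hash(flow) % len(nexthops)]


class ResilientTable:
    """Fixed table of capacity * redundancy slots for one prefix."""

    def __init__(self, nexthops, capacity, redundancy):
        if not nexthops or len(nexthops) > capacity:
            raise ValueError("need between 1 and `capacity` next hops")
        size = capacity * redundancy
        self.slots = [nexthops[i % len(nexthops)] for i in range(size)]

    def lookup(self, flow):
        return self.slots[flow_hash(flow) % len(self.slots)]

    def remove(self, dead):
        """Refill only the slots that pointed at `dead`, round-robin."""
        survivors = [nh for nh in dict.fromkeys(self.slots) if nh != dead]
        if not survivors:
            raise ValueError("cannot remove the last next hop")
        refill = 0
        for i, nh in enumerate(self.slots):
            if nh == dead:
                self.slots[i] = survivors[refill % len(survivors)]
                refill += 1


def compare(nexthops, dead, flows, capacity=5, redundancy=3):
    """Count flows that were NOT on `dead` yet change next hop when it goes."""
    table = ResilientTable(nexthops, capacity, redundancy)
    before_dyn = {f: dynamic_lookup(f, nexthops) for f in flows}
    before_res = {f: table.lookup(f) for f in flows}
    remaining = [nh for nh in nexthops if nh != dead]
    table.remove(dead)
    moved_dyn = sum(1 for f in flows
                    if before_dyn[f] != dead
                    and dynamic_lookup(f, remaining) != before_dyn[f])
    moved_res = sum(1 for f in flows
                    if before_res[f] != dead
                    and table.lookup(f) != before_res[f])
    per_hop = [table.slots.count(nh) for nh in remaining]
    return {
        "slots": len(table.slots),
        "moved_dynamic": moved_dyn,
        "moved_resilient": moved_res,
        "still_on_dead": sum(1 for f in flows if table.lookup(f) == dead),
        "slot_spread": max(per_hop) - min(per_hop),
    }


# Constructed sample: five next hops and 1000 flows towards one prefix.
NEXTHOPS = ["fe80::1", "fe80::2", "fe80::3", "fe80::4", "fe80::5"]
FLOWS = [("2001:db8:ffff::%x" % i, "2001:db8::1", 6, 40000 + i, 443)
         for i in range(1000)]

if __name__ == "__main__":
    print(compare(NEXTHOPS, "fe80::3", FLOWS))
```

In the fixed table only the flows that were hashed to the withdrawn next hop are reassigned; in the dynamically sized table the changed modulus also moves flows whose next hop is still valid.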
The ipv6 hardware fib nexthop-index command deterministically selects the next hop used for ECMP routes. By default, routes that are created statically through the CLI or dynamically through routing protocols are initially stored in software routing tables, then entered in the hardware routing table by the routing agent. This command specifies the method of creating an index-offset number that points to the next hop from the list of the route’s ECMP next hops.
The command specifies the number of bits that comprise the prefix offset. The prefix offset is set to the prefix when the command specifies a prefix size larger than the prefix. If the command specifies a prefix size of zero, the prefix-offset is also zero and the index-offset is set to the next hop index.
When the index-offset is greater than the number of next hops in the table, the position of the next hop is the remainder of the division of the index-offset by the number of next hop entries.
The no ipv6 hardware fib nexthop-index and default ipv6 hardware fib nexthop-index commands remove the specified nexthop used for ECMP routes by removing the ipv6 hardware fib nexthop-index command from running-config.
Command Mode
Global Configuration
Command Syntax
ipv6 hardware fib nexthop-index nxthop_index [PREFIX]
no ipv6 hardware fib nexthop-index
default ipv6 hardware fib nexthop-index
Example
switch(config)# ipv6 hardware fib nexthop-index 5 prefix-bits 10
switch> show ip
IP Routing : Enabled
IP Multicast Routing : Disabled
VRRP: Configured on 0 interfaces
IPv6 Unicast Routing : Enabled
IPv6 ECMP Route support : False
IPv6 ECMP Route nexthop index: 5
IPv6 ECMP Route num prefix bits for nexthop index: 10
switch>
The ipv6 nd managed-config-flag command causes the managed address configuration flag to be set in IPv6 RA packets transmitted from the configuration mode interface.
The no ipv6 nd managed-config-flag and default ipv6 nd managed-config-flag commands restore the default setting where the managed address configuration flag is not set in IPv6 RA packets transmitted by the interface by removing the corresponding ipv6 nd managed-config-flag command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd managed-config-flag
no ipv6 nd managed-config-flag
default ipv6 nd managed-config-flag
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd managed-config-flag
switch(config-if-Vl200)#
The ipv6 nd ns-interval command configures the interval between IPv6 Neighbor Solicitation (NS) transmissions from the configuration mode interface.
The no ipv6 nd ns-interval and default ipv6 nd ns-interval commands return the IPv6 NS transmission interval for the configuration mode interface to the default value of 1000 milliseconds by removing the corresponding ipv6 nd ns-interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ns-interval period
no ipv6 nd ns-interval
default ipv6 nd ns-interval
Parameter
period interval in milliseconds between successive IPv6 neighbor solicitation transmissions. Values range from 1000 to 4294967295. The default period is 1000 milliseconds.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ns-interval 30000
switch(config-if-Vl200)#
The ipv6 nd other-config-flag command configures the configuration mode interface to send IPv6 RAs with the other stateful configuration flag set.
The no ipv6 nd other-config-flag and default ipv6 nd other-config-flag commands restore the default setting by removing the corresponding ipv6 nd other-config-flag command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd other-config-flag
no ipv6 nd other-config-flag
default ipv6 nd other-config-flag
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd other-config-flag
switch(config-if-Vl200)#
The ipv6 nd prefix command configures neighbor discovery Router Advertisements (RAs) prefix inclusion for RAs sent from the configuration mode interface.
By default, all prefixes configured as IPv6 addresses are advertised in the interface’s RAs. The ipv6 nd prefix command with the no-advertise option prevents advertising of the specified prefix without affecting the advertising of other prefixes specified as IPv6 addresses. When an interface configuration includes at least one ipv6 nd prefix command that enables prefix advertising, RAs advertise only prefixes specified through ipv6 nd prefix commands.
Commands enabling prefix advertising also specify the advertised valid and preferred lifetime periods. Default periods are 2,592,000 (valid) and 604,800 (preferred) seconds.
The no ipv6 nd prefix and default ipv6 nd prefix commands remove the corresponding ipv6 nd prefix command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd prefix ipv6_prefix LIFETIME [FLAGS]
ipv6 nd prefix ipv6_prefix no-advertise
no ipv6 nd prefix ipv6_prefix
default ipv6 nd prefix ipv6_prefix
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd prefix 3012:D678::/64 1296000
The ipv6 nd ra disabled command suppresses IPv6 Router Advertisement (RA) transmissions on the configuration mode interface. By default, only unsolicited RAs that are transmitted periodically are suppressed. The all option configures the switch to suppress all RAs, including those responding to a router solicitation.
The no ipv6 nd ra disabled and default ipv6 nd ra disabled commands restore the transmission of RAs on the configuration mode interface by deleting the corresponding ipv6 nd ra disabled command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra disabled [SCOPE]
no ipv6 nd ra disabled
default ipv6 nd ra disabled
Parameters
Example
switch(config)# interface vlan 200
switch(config-vl200)# ipv6 nd ra disabled all
switch(config-vl200)#
The ipv6 nd ra dns-server command configures the IPv6 address of a preferred Recursive DNS Server (RDNSS) for the command mode interface to include in its neighbor-discovery Router Advertisements (RAs). Including RDNSS information in RAs provides DNS server configuration for connected IPv6 hosts without requiring DHCPv6.
Multiple servers can be configured on the interface by using the command repeatedly. A lifetime value for the RDNSS can optionally be specified with this command, and overrides any default value configured for the interface using the ipv6 nd ra dns-servers lifetime command.
The no ipv6 nd ra dns-server and default ipv6 nd ra dns-server commands remove the corresponding ipv6 nd ra dns-server command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra dns-server ipv6_addr SERVER_LIFE
no ipv6 nd ra dns-server ipv6_addr
default ipv6 nd ra dns-server ipv6_addr
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra dns-server 2001:0db8:0:1::1 lifetime 300
switch(config-if-Vl200)#
The ipv6 nd ra dns-servers lifetime command sets the default value that the configuration mode interface uses for the lifetime of any Recursive DNS Server (RDNSS) configured on the interface. A lifetime value set for an individual RDNSS overrides this value. The lifetime value is the maximum amount of time after a Router Advertisement packet is sent that the RDNSS referenced in the packet may be used for name resolution.
The no ipv6 nd ra dns-servers lifetime and default ipv6 nd ra dns-servers lifetime commands remove the default lifetime value from the interface by removing the corresponding ipv6 nd ra dns-servers lifetime command from running-config. When there is no default RDNSS lifetime value configured on the interface, an RDNSS without a custom lifetime value will default to 1.5 times the RA interval configured on the interface. A lifetime of zero seconds means that the RDNSS must not be used for name resolution.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra dns-servers lifetime period
no ipv6 nd ra dns-servers lifetime
default ipv6 nd ra dns-servers lifetime
Parameters
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra dns-servers lifetime 350
switch(config-if-Vl200)#
The ipv6 nd ra dns-suffix command creates a DNS Search List (DNSSL) for the command mode interface to include in its neighbor-discovery Router Advertisements as defined in RFC 6106. The DNSSL contains the domain names of DNS suffixes for IPv6 hosts to append to short, unqualified domain names for DNS queries.
Multiple DNS domain names can be added to the DNSSL by using the command repeatedly. A lifetime value for the DNSSL can optionally be specified with this command, and overrides any default value configured for the interface using the ipv6 nd ra dns-suffixes lifetime command.
The no ipv6 nd ra dns-suffix and default ipv6 nd ra dns-suffix commands remove the corresponding ipv6 nd ra dns-suffix command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra dns-suffix domain SUFFIX_LIFE
no ipv6 nd ra dns-suffix ipv6_addr
default ipv6 nd ra dns-suffix ipv6_addr
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra dns-suffix test.com lifetime 300
switch(config-if-Vl200)#
The ipv6 nd ra dns-suffixes lifetime command sets the default value that the configuration mode interface uses for the lifetime of any DNS Search List (DNSSL) configured on the interface. A lifetime value set for an individual DNSSL overrides this value. The lifetime value is the maximum amount of time after a Router Advertisement packet is sent that the DNSSL included in the packet may be used for name resolution.
The no ipv6 nd ra dns-suffixes lifetime and default ipv6 nd ra dns-suffixes lifetime commands remove the default lifetime value from the interface by removing the corresponding ipv6 nd ra dns-suffixes lifetime command from running-config. When there is no default DNSSL lifetime value configured on the interface, a DNSSL without a custom lifetime value will default to 1.5 times the RA interval configured on the interface. A lifetime of zero seconds means that the DNSSL must not be used for name resolution.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra dns-suffixes lifetime period
no ipv6 nd ra dns-suffixes lifetime
default ipv6 nd ra dns-suffixes lifetime
Parameters
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra dns-suffixes lifetime 350
switch(config-if-Vl200)#
The ipv6 nd ra hop-limit command sets a suggested hop-limit value to be included in Router Advertisement (RA) packets. The hop-limit value is to be used by attached hosts in outgoing packets.
The no ipv6 nd ra hop-limit and default ipv6 nd ra hop-limit commands remove the corresponding ipv6 nd ra hop-limit command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra hop-limit quantity
no ipv6 nd ra hop-limit lifetime
default ipv6 nd ra hop-limit lifetime
Parameters
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra hop-limit
switch(config-if-Vl200)#
The ipv6 nd ra interval command configures the interval between IPv6 Router Advertisement transmissions from the configuration mode interface.
The no ipv6 nd ra interval and default ipv6 nd ra interval commands return the IPv6 RA transmission interval for the configuration mode interface to the default value of 200 seconds by removing the corresponding ipv6 nd ra interval command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra interval [SCALE] ra_period [minimum_period]
no ipv6 nd ra interval
default ipv6 nd ra interval
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra interval 60
switch(config-if-Vl200)# show active
interface Vlan200
ipv6 nd ra interval 60
switch(config-if-Vl200)#
The ipv6 nd ra lifetime command specifies the value that the switch places in the router lifetime field of IPv6 Router Advertisements sent from the configuration mode interface.
If the value is set to 0, IPv6 peers connected to the specified interface will remove the switch from their lists of default routers. Values greater than 0 indicate the time in seconds that peers should keep the router on their default router lists without receiving further RAs from the switch. Unless the value is 0, the router lifetime value should be equal to or greater than the interval between unsolicited RAs sent on the interface.
The no ipv6 nd ra lifetime and default ipv6 nd ra lifetime commands return the IPv6 RA lifetime data entry field for the configuration mode interface to the default value of 1800 seconds by removing the corresponding ipv6 nd ra lifetime command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra lifetime ra_lifetime
no ipv6 nd ra lifetime
default ipv6 nd ra lifetime
Parameters
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd ra lifetime 2700
switch(config-if-Vl200)# show active
interface Vlan200
ipv6 nd ra lifetime 2700
switch(config-if-Vl200)#
The ipv6 nd ra mtu suppress command suppresses the Router Advertisement (RA) MTU option on the configuration mode interface. The MTU option causes an identical MTU value to be advertised by all nodes on a link. By default, the RA MTU option is not suppressed.
The no ipv6 nd ra mtu suppress and default ipv6 nd ra mtu suppress commands restore the MTU option setting to enabled for the configuration mode interface by removing the corresponding ipv6 nd ra mtu suppress command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd ra mtu suppress
no ipv6 nd ra mtu suppress
default ipv6 nd ra mtu suppress
Example
switch(config)# interface vlan 200
switch(config-vl200)# ipv6 nd ra mtu suppress
switch(config-vl200)#
The ipv6 nd reachable-time command specifies the time period that the switch includes in the reachable time field of RAs sent from the configuration mode interface. The reachable time defines the period that a remote IPv6 node is considered reachable after a reachability confirmation event.
RAs that advertise zero seconds indicate that the router does not specify a reachable time. The default advertisement value is 0 seconds. The switch reachability default period is 30 seconds.
The no ipv6 nd reachable-time and default ipv6 nd reachable-time commands restore the entry of the default value (0) in RAs sent from the configuration mode interface by deleting the corresponding ipv6 nd reachable-time command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd reachable-time period
no ipv6 nd reachable-time
default ipv6 nd reachable-time
Parameter
period Reachable time value (milliseconds). Value ranges from 0 to 4294967295. Default is 0.
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd reachable-time 25000
interface Vlan200
ipv6 address fd7a:4321::1/64
ipv6 nd reachable-time 25000
switch(config-if-Vl200)#
The ipv6 nd router-preference command specifies the value that the switch enters in the Default Router Preference (DRP) field of Router Advertisements (RAs) that it sends from the configuration mode interface. The default field entry value is medium.
The no ipv6 nd router-preference and default ipv6 nd router-preference commands restore the switch to enter the default DRP field value of medium in RAs sent from the configuration mode interface by deleting the corresponding ipv6 nd router-preference command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 nd router-preference RANK
no ipv6 nd router-preference
default ipv6 nd router-preference
Parameters
Example
switch(config)# interface vlan 200
switch(config-if-Vl200)# ipv6 nd router-preference medium
switch(config-if-Vl200)#
The ipv6 neighbor cache persistent command restores the IPv6 neighbor cache after reboot.
The no ipv6 neighbor cache persistent and default ipv6 neighbor cache persistent commands remove the ARP cache persistent configuration from the running-config.
Command Mode
Global Configuration
Command Syntax
ipv6 neighbor cache persistent
no ipv6 neighbor cache persistent
default ipv6 neighbor cache persistent
Example
switch(config)# ipv6 neighbor cache persistent
switch(config)#
The ipv6 neighbor command creates an IPv6 neighbor discovery cache static entry. The command converts pre-existing dynamic cache entries for the specified address to static entries.
The no ipv6 neighbor and default ipv6 neighbor commands remove the specified static entry from the IPv6 neighbor discovery cache and delete the corresponding ipv6 neighbor command from running-config. These commands do not affect any dynamic entries in the cache.
Command Mode
Global Configuration
Command Syntax
ipv6 neighbor ipv6_addr PORT mac_addr
no ipv6 neighbor ipv6_address PORT
default ipv6 neighbor ipv6_addr PORT
Example
switch(config)# ipv6 neighbor 3100:4219::3EF2 vlan 200 0100.4EA1.B100
switch(config)#
The ipv6 route command creates an IPv6 static route. The destination is an IPv6 prefix; the source is an IPv6 address or a routable interface port. When multiple routes exist to a destination prefix, the route with the lowest administrative distance takes precedence.
By default, the administrative distance assigned to static routes is 1. Assigning a higher administrative distance to a static route configures it to be overridden by dynamic routing data. For example, a static route with a distance value of 200 is overridden by OSPF intra-area routes, which have a default distance of 110.
Multiple routes that are configured to the same destination with the same administrative distance comprise an Equal Cost Multi-Path (ECMP) route. The switch attempts to spread outbound traffic across all ECMP route paths equally. All ECMP paths are assigned the same tag value; commands that change the tag value of any ECMP path change the tag value of all paths in the ECMP.
The no ipv6 route and default ipv6 route commands delete static routes by removing the corresponding ipv6 route statements from running-config. Commands not including a source delete all statements to the destination. Only statements with parameters that match specified command arguments are deleted. Parameters that are not in the command line are not evaluated.
Command Mode
Global Configuration
Command Syntax
ipv6 route dest_prefix NEXTHOP [DISTANCE][TAG_OPT][RT_NAME]
no ipv6 route dest_prefix [nexthop_addr][DISTANCE]
default ipv6 route dest_prefix [nexthop_addr][DISTANCE]
Example
switch(config)# ipv6 route 10:23:31:00:01:32:93/24 vlan 300
The ipv6 unicast-routing command enables the forwarding of IPv6 unicast packets. When routing is enabled, the switch attempts to deliver inbound packets to destination addresses by forwarding them to interfaces or next hop addresses specified by the IPv6 routing table.
The no ipv6 unicast-routing and default ipv6 unicast-routing commands disable IPv6 unicast routing by removing the ipv6 unicast-routing command from running-config. Dynamic routes added by routing protocols are removed from the routing table. Static routes are preserved by default; the delete-static-routes option removes static entries from the routing table.
IPv6 unicast routing is disabled by default.
Command Mode
Global Configuration
Command Syntax
ipv6 unicast-routing
no ipv6 unicast-routing [DELETE_ROUTES]
default ipv6 unicast-routing [DELETE_ROUTES]
Parameters
Example
switch(config)# ipv6 unicast-routing
switch(config)#
The ipv6 verify command configures Unicast Reverse Path Forwarding (uRPF) for inbound IPv6 packets on the configuration mode interface. uRPF verifies the accessibility of source IP addresses in packets that the switch forwards.
The no ipv6 verify and default ipv6 verify commands disable uRPF on the configuration mode interface by deleting the corresponding ipv6 verify command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Loopback Configuration
Interface-Management Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 verify unicast source reachable-via RPF_MODE
no ipv6 verify unicast
default ipv6 verify unicast
Parameters
Guidelines
The first IPv6 uRPF implementation briefly disables IPv6 unicast routing. Subsequent ip verify commands on any interface do not disable IPv6 routing.
Example
switch(config)# interface vlan 100
switch(config-if-Vl100)# ipv6 verify unicast source reachable-via rx allow-default
switch(config-if-Vl100)# show active
interface Vlan100
ipv6 verify unicast source reachable-via rx allow-default
switch(config-if-Vl100)#
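The source check that uRPF applies to each inbound packet, as an added Python model rather than EOS code. The mode names strict, strict-allow-default and loose are this example's own labels for common strict and loose uRPF behaviour, and the way each mode treats a default route is an assumption of the model; the FIB and the packets are constructed.

```python
import ipaddress

# Hypothetical mode labels used only by this example.
STRICT, STRICT_ALLOW_DEFAULT, LOOSE = "strict", "strict-allow-default", "loose"


class Fib:
    """Minimal IPv6 FIB: prefix -> set of egress interfaces (ECMP allowed)."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, *interfaces):
        net = ipaddress.IPv6Network(prefix)
        self.routes.setdefault(net, set()).update(interfaces)

    def lookup(self, addr):
        """Longest-prefix match; returns (network, interfaces) or None."""
        addr = ipaddress.IPv6Address(addr)
        matches = [(net, ifs) for net, ifs in self.routes.items() if addr in net]
        return max(matches, key=lambda m: m[0].prefixlen, default=None)


def urpf_permits(fib, src, in_interface, mode):
    """True if a packet from `src` arriving on `in_interface` passes uRPF."""
    route = fib.lookup(src)
    if route is None:
        return False                       # no return path to the source
    network, interfaces = route
    via_default = network.prefixlen == 0   # only ::/0 covers the source
    if mode == LOOSE:
        # Any specific route back to the source is enough.
        return not via_default
    if mode == STRICT:
        # The return route must point out of the ingress interface.
        return not via_default and in_interface in interfaces
    if mode == STRICT_ALLOW_DEFAULT:
        # As strict, but a default route may satisfy the check.
        return in_interface in interfaces
    raise ValueError(f"unknown uRPF mode: {mode}")


def build_sample_fib():
    """Constructed routing table for the demonstration."""
    fib = Fib()
    fib.add("2001:db8:a::/48", "Vlan100")
    fib.add("2001:db8:b::/48", "Vlan200")
    fib.add("::/0", "Ethernet1")
    return fib


# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("2001:db8:a::5", "Vlan100"),       # arrives where its return route points
    ("2001:db8:a::5", "Vlan200"),       # same source on the wrong interface
    ("2001:db8:ffff::1", "Ethernet1"),  # source covered only by the default route
    ("2001:db8:ffff::1", "Vlan100"),    # default-route source on another interface
]


def verdicts(fib, packets, mode):
    return [urpf_permits(fib, src, ifc, mode) for src, ifc in packets]


if __name__ == "__main__":
    fib = build_sample_fib()
    for mode in (STRICT, STRICT_ALLOW_DEFAULT, LOOSE):
        print(f"{mode:22s}", verdicts(fib, PACKETS, mode))
```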
The ipv6 dhcp snooping command enables DHCP snooping globally on the switch.
The no ipv6 dhcp snooping and default ipv6 dhcp snooping commands disable global DHCP snooping by removing the ipv6 dhcp snooping command from running-config.
Command Mode
Global Configuration
Command Syntax
ipv6 dhcp snooping [remote-id option | vlan [$ | vlan-range]]
no ipv6 dhcp snooping [remote-id option | vlan [$ | vlan-range]]
default ipv6 dhcp snooping [remote-id option | vlan [$ | vlan-range]]
Examples
The following configuration enables IPv6 DHCP snooping feature at the global level.
switch(config)# ipv6 dhcp snooping
switch(config)# ipv6 dhcp snooping remote-id option
switch(config)# ipv6 dhcp snooping vlan <vlan|vlan-range>
switch(config)# ipv6 dhcp snooping
switch(config)# show ipv6 dhcp snooping
DHCPv6 Snooping is enabled
DHCPv6 Snooping is operational
DHCPv6 Snooping is configured on following VLANs:
2789-2790
DHCPv6 Snooping is operational on following VLANs:
2789
Insertion of Option-37 is enabled
The pim ipv6 sparse-mode command enables PIM Sparse Mode (PIM-SM) and IGMP (router mode) on the configuration mode interface.
The no pim ipv6 sparse-mode and default pim ipv6 sparse-mode commands restore the default PIM and IGMP (router mode) settings of disabled on the configuration mode interface by removing the pim ipv6 sparse-mode command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
pim ipv6 sparse-mode
no pim ipv6
no pim ipv6 sparse-mode
default pim ipv6
default pim ipv6 sparse-mode
Example
switch(config)# interface vlan 4
switch(config-if-Vl4)# pim ipv6 sparse-mode
switch(config-if-Vl4)#
The show ipv6 dhcp relay counters command displays the number of DHCP packets received, forwarded, or dropped on the switch and on all interfaces enabled as DHCP relay agents.
Command Mode
EXEC
Command Syntax
show ipv6 dhcp relay counters
Example
switch> show ipv6 dhcp relay counters
| Dhcp Packets |
Interface | Rcvd Fwdd Drop | Last Cleared
----------|----- ---- -----|---------------------
All Req | 376 376 0 | 4 days, 19:55:12 ago
All Resp | 277 277 0 |
| |
Ethernet4 | 207 148 0 | 4 days, 19:54:24 ago
switch>
The show ipv6 dhcp snooping command displays information about the DHCP snooping configuration.
Command Mode
EXEC
Command Syntax
show ipv6 dhcp snooping
Example
This command displays the switch’s DHCP snooping configuration.
switch# show ipv6 dhcp snooping
DHCPv6 Snooping is enabled
DHCPv6 Snooping is operational
DHCPv6 Snooping is configured on following VLANs:
2789-2790
DHCPv6 Snooping is operational on following VLANs:
2789
Insertion of Option-37 is enabled
The show ipv6 dhcp snooping counters command displays counters that track the quantity of DHCP request and reply packets that the switch receives. Data is either presented for each VLAN or aggregated for all VLANs with counters for packets dropped.
Command Mode
EXEC
Command Syntax
show ipv6 dhcp snooping counters [COUNTER_TYPE]
switch# show ipv6 dhcp snooping counters
| Dhcpv6 Request Pkts | Dhcpv6 Reply Pkts |
Vlan | Rcvd Fwdd Drop | Rcvd Fwdd Drop | Last Cleared
-----|------ ------ -------|------ ----- ------|-------------
2789 | 1 1 0 | 1 1 0 | 0:03:09 ago
switch# show ipv6 dhcp snooping counters debug
Counter Snooping to Relay Relay to Snooping
----------------------------- ----------------- -----------------
Received 1 1
Forwarded 1 1
Dropped - Invalid VlanId 0 0
Dropped - Parse error 0 0
Dropped - Invalid Dhcp Optype 0 0
Dropped - Invalid Remote-ID Option 0 0
Dropped - Snooping disabled 0 0
Last Cleared: 0:04:29 ago
The show ipv6 dhcp snooping hardware command displays internal hardware DHCP snooping status on the switch.
Command Mode
EXEC
Command Syntax
show ipv6 dhcp snooping hardware
Example
This command displays DHCP snooping hardware status.
switch# show ipv6 dhcp snooping hardware
DHCPv6 Snooping is enabled
DHCPv6 Snooping is enabled on following VLANs:
2789
Vlans enabled per Slice
Slice: Linecard0-0
2789
Slice: Linecard0-1
2789
Slice: Linecard0-2
2789
Slice: Linecard0-3
2789
The show ipv6 hardware fib aggregate-address command displays the IPv6 prefixes that are restricted from entry into the hardware routing table. The ipv6 hardware fib aggregate-address command configures IPv6 prefix restrictions.
Command Mode
EXEC
Command Syntax
show ipv6 hardware fib aggregate-address [ADDRESS][RESTRICTION]
Example
switch> show ipv6 hardware fib aggregate-address
Codes: S - Software Forwarded
S fd77:4890:5313:aaed::/64
S fd77:4890:5313:ffed::/64
switch>
The show ipv6 interface command displays the status of specified routed interfaces that are configured for IPv6.
Command Mode
EXEC
Command Syntax
show ipv6 interface [INTERFACE_NAME][INFO_LEVEL]
Example
switch> show ipv6 interface vlan 903
Vlan903 is up, line protocol is up (connected)
IPv6 is enabled, link-local is fe80::21c:73ff:fe01:21e/64
Global unicast address(es):
fd7a:629f:52a4:fe10::3, subnet is fd7a:629f:52a4:fe10::/64
Joined group address(es):
ff02::1
ff02::1:ff01:21e
ff02::1:ff00:3
ff01::2
switch>
The show ipv6 nd ra internal state command displays the state of the IPv6 Router Advertisement (RA) daemon for the specified routable interface.
Command Mode
EXEC
Command Syntax
show ipv6 nd ra internal state [INTERFACE_NAME]
Parameters
Example
switch> show ipv6 nd ra internal state vlan 1243
INTERFACE: Vlan3908
ifindex : 0x00000021
mtu : 9212
numIpv6Addr : 2
numPrefixToAdvertise : 0
numPrefixToSuppress : 0
RaSuppress : 0
RsRspSuppress : 0
raIntervalMaxMsec : 200000
raIntervalMinMsec : 0
managedConfigFlag : 0
otherConfigFlag : 0
raMtuSuppress : 0
raLifetime : 1800
reacheableTime : 0
routerPreference : 0
lastRaTime : 2012-05-01 09:22:57.020634
lastRsRspSentTime :
nextTimeout : 171.474535 (sec)
raNotSentIntfNotReady : 0
numRaSent : 219
numRsRcvd : 0
numRsSuppressed : 0
numRsRspSent : 0
numRsDroppedInvalidHopLimit : 0
numPktDroppedUnexpectedType : 0
initialized : 1
switch>
The show ipv6 neighbors command displays the IPv6 neighbor discovery cache. The command provides filters to restrict the list to a specified IPv6 address or routable interface.
Command Mode
EXEC
Command Syntax
show ipv6 neighbors [PORT][SOURCE][INFO_LEVEL]
Example
switch> show ipv6 neighbors fe80::21c:73ff:fe01:5fe1
IPv6 Address Age Hardware Addr State Interface
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Et12
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Po999
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl102
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl103
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl205
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl207
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl3901
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl3902
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl3903
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl3904
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl3905
fe80::21c:73ff:fe01:5fe1 0 001c.d147.8214 REACH Vl3996
The show ipv6 route command displays IPv6 routing table entries that are in the Forwarding Information Base (FIB), including static routes, routes to directly connected networks, and dynamically learned routes. Multiple equal cost paths to the same prefix are displayed contiguously as a block, with the destination prefix displayed only on the first line.
The show running-config command displays all configured routes.
Command Mode
EXEC
Command Syntax
show ipv6 route [ADDRESS][ROUTE_TYPE][INFO_LEVEL]
Parameters
Example
switch> show ipv6 route fd7a:3418:52a4:fe18::/64
IPv6 Routing Table - 77 entries
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP, R - RIP, A -
Aggregate
O fd7a:3418:52a4:fe18::/64 [10/20]
via fe80::21c:73ff:fe00:1319, Vlan3601
via fe80::21c:73ff:fe00:1319, Vlan3602
via fe80::21c:73ff:fe00:1319, Vlan3608
via fe80::21c:73ff:fe0f:6a80, Vlan3610
via fe80::21c:73ff:fe00:1319, Vlan3611
switch>
The show ipv6 route age command displays the IPv6 route age to the specified IPv6 address or prefix.
Command Mode
EXEC
Command Syntax
show ipv6 route ADDRESS age
Parameters
Example
switch>show ipv6 route 2001::3:0/11 age
IPv6 Routing Table - 74 entries
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP, R - RIP, A -
Aggregate
C 2001::3:0/11 age 00:02:34
switch>
Command Mode
EXEC
Command Syntax
show ipv6 route host
Example
switch> show ipv6 route host
R - receive F - FIB, A - attached
F ::1 to cpu
A fee7:48a2:0c11:1900:400::1 on Vlan102
R fee7:48a2:0c11:1900:400::2 to cpu
F fee7:48a2:0c11:1a00::b via fe80::21c:73ff:fe0b:a80e on Vlan3902
R fee7:48a2:0c11:1a00::17 to cpu
F fee7:48a2:0c11:1a00::20 via fe80::21c:73ff:fe0b:33e on Vlan3913
F fee7:48a2:0c11:1a00::22 via fe80::21c:73ff:fe01:5fe1 on Vlan3908
via fe80::21c:73ff:fe01:5fe1 on Vlan3902
switch>
The show ipv6 route interface command displays routing table entries on a specified routed port.
Command Mode
EXEC
Command Syntax
show ipv6 route [ADDRESS] interface PORT_NAME [INFO_LEVEL]
Parameters
detail displays all routes.
Example
switch> show ipv6 route interface ethernet 8
IPv6 Routing Table - 77 entries
Codes: C - connected, S - static, K - kernel, O - OSPF, B - BGP, R - RIP, A -
Aggregate
O fd7a:629f:63af:1232::/64 [150/11]
via fe80::823c:73ff:fe00:3640, Ethernet8
O fd7a:629f:63af:4118::/64 [150/11]
via fe80::823c:73ff:fe00:3640, Ethernet8
O fd7a:629f:63af:4119::/64 [150/11]
via fe80::823c:73ff:fe00:3640, Ethernet8
O fd7a:629f:63af:411a::/64 [150/11]
via fe80::823c:73ff:fe00:3640, Ethernet8
O fd7a:629f:63af:fe78::/64 [150/11]
via fe80::823c:73ff:fe00:3640, Ethernet8
C fd7a:629f:63af:fe88::/64 [0/1]
via ::, Ethernet12
O fd7a:629f:63af:fe8c::/64 [10/20]
via fe80::21c:73ff:fe00:3640, Ethernet8
C fe80:0:40::/64 [0/1]
via ::, Ethernet8
The show ipv6 route match tag command displays the route tag assigned to the specified IPv6 address or prefix. Route tags are added to static routes for use by route maps.
Command Mode
EXEC
Command Syntax
show ipv6 route ADDRESS match tag
Parameters
Example
switch> show ipv6 route 2001:0DB8::/64 match tag
IPv6 Routing Table - 74 entries
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B
- BGP Aggregate, I L1 - IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG -
Nexthop Group Static Route, M - Martian, DP - Dynamic Policy Route, L - VRF Leaked
C 2001:0DB8::/64 tag 0
switch>
The show ipv6 route summary command displays the information about the IPv6 routing table.
Command Mode
EXEC
Command Syntax
show ipv6 route summary
Example
switch> show ipv6 route summary
Route Source Number Of Routes
------------------ ----------------
connected 2
static 0
ospf 5
bgp 7
isis 0
internal 1
attached 0
aggregate 2
Total Routes 17
switch>
The show platform fap mroute ipv6 command enables PIM Sparse Mode (PIM-SM) and IGMP (router mode) on the configuration mode interface.
Command Mode
EXEC
Command Syntax
show platform
Example
This command enables PIM sparse mode on VLAN 4 interface.
switch# show platform fap mroute ipv6
Jericho0 Multicast Routes:
--------------------------
Location GroupId Group Source IIF McId OIF
FLP/TT FLP/TT TT FLP FLP FLP FLP
----------------------------------------------------------------------------------------------------
4096/2048 1/1 ff33::1:0:0:23/128 101:1::2/128 Vlan1357 21504 Vlan1044(Et7/1) Vlan1123(Et9/1)
Vlan1200(Et8/1) Vlan1223(Et2/1)
Vlan1226(Et5/1) Vlan1232(Et3/1)
Vlan1307(Et6/1) Vlan1337(Et4/1)
The show rib route ipv6 command displays a list of IPv6 Routing Information Base (RIB) routes.
Command Mode
EXEC
Command Syntax
show rib route ipv6 [vrf vrf_name] [PREFIX][ROUTE TYPE]
switch# show rib route ipv6 bgp
VRF name: default, VRF ID: 0xfe, Protocol: bgp
Codes: C - Connected, S - Static, P - Route Input
B - BGP, O - Ospf, O3 - Ospf3, I - Isis
> - Best Route, * - Unresolved Nexthop
L - Part of a recursive route resolution loop
B 2001:10:1::/64 [200/42]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
>B 2001:10:100::/64 [200/200]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
>B 2001:10:100:1::/64 [200/0]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
>B 2001:10:100:2::/64 [200/42]
via 2001:10:1::100 [0/1]
via Ethernet1, directly connected
switch#
switch# show rib route ipv6 connected
VRF name: default, VRF ID: 0xfe, Protocol: connected
Codes: C - Connected, S - Static, P - Route Input
B - BGP, O - Ospf, O3 - Ospf3, I - Isis
> - Best Route, * - Unresolved Nexthop
L - Part of a recursive route resolution loop
>C 2001:10:1::/64 [0/1]
via 2001:10:1::102, Ethernet1
>C 2001:10:2::/64 [0/1]
via 2001:10:2::102, Ethernet2
>C 2001:10:3::/64 [0/1]
via 2001:10:3::102, Ethernet3
switch#
This feature provides support for per-interface ingress and egress packet and byte counters for both IPv4 and IPv6.
IPv4 and IPv6 ingress counters (count bridged and routed traffic, supported only on front-panel ports) can be enabled and disabled using the hardware counter feature ip in command:
For IPv4 and IPv6 ingress and egress counters that include only routed traffic (supported on Layer3 interfaces such as routed ports, L3 subinterfaces only):
On the DCS-7300X, DCS-7250X, DCS-7050X, and DCS-7060X platforms, IPv4 and IPv6 packet counters for only routed traffic do not require any configuration. They are collected by default. Other platforms (DCS-7280SR, DCS-7280CR and DCS-7500-R) need the feature enabled.
Use the show interfaces counters ip command to display IPv4, IPv6 packets, and octets.
switch# show interfaces counters ip
Interface IPv4InOctets IPv4InPkts IPv6InOctets IPv6InPkts
Et1/1 0 0 0 0
Et1/2 0 0 0 0
Et1/3 0 0 0 0
Et1/4 0 0 0 0
...
Interface IPv4OutOctets IPv4OutPkts IPv6OutOctets IPv6OutPkts
Et1/1 0 0 0 0
Et1/2 0 0 0 0
Et1/3 0 0 0 0
Et1/4 0 0 0 0
...
The output from the show interfaces counters ip can also be queried through SNMP via the ARISTA-IP-MIB.
To clear the IPv4 or IPv6 counters, use the clear counters command:
switch# clear counters
IPv4/IPv6 egress Layer 3 counting (hardware counter feature ip out layer3) on DCS-7280SR, DCS-7280CR and DCS-7500-R platforms is based on the ARP entry of the next hop. By default, IPv4 and IPv6 next hops that resolve to the same MAC address and interface share an ARP entry. To differentiate the counters between IPv4 and IPv6, disable ARP entry sharing with the following command:
ip hardware fib next-hop arp dedicated
On the DCS-7280SR, DCS-7280CR and DCS-7500-R platforms, this command is required for IPv4 and IPv6 egress counters to operate.
The switch uses rule-based lists to control packet access to ports and to select routes for redistribution to routing domains defined by dynamic routing protocols. This section describes the construction of Access Control Lists (ACLs), prefix lists, and route maps.
Access Control Lists (ACLs), Service ACLs, route maps, and prefix lists are all processed in order, beginning with the first rule and proceeding until a match is encountered.
An Access Control List (ACL) is a list of rules that control the inbound flow of packets into Ethernet interfaces, subinterfaces, and port channel interfaces or the switch control plane. The switch supports the implementation of a wide variety of filtering criteria including IP and MAC addresses, TCP/UDP ports with include/exclude options without compromising its performance or feature set. Filtering syntax is industry standard.
A Service ACL is an ACL applied by a control-plane process to control connections to, or packets processed by, the agent process.
A route map is a list of rules that control the redistribution of IP routes into a protocol domain on the basis of such criteria as route metrics, access control lists, next hop addresses, and route tags. Route maps can also alter parameters of routes as they are redistributed.
A prefix list is a list of rules that defines route redistribution access for a specified IP address space. Route maps often use prefix lists to filter routes.
RACL divergence optimizes the usage of hardware resources occupied on each forwarding ASIC by installing ACLs only on the hardware components corresponding to the member interfaces belonging to the SVIs on which the ACL is applied. This saves hardware resources and enables RACLs to scale up to a larger configuration. The show commands are used to display the interface mapping, TCAM entries, and TCAM utilization information.
ACLs can also be made dynamic (not persisting in the EOS), and the payload keyword can be used to turn an ACL into a User-Defined Field (UDF) alias for use in other ACLs.
An ACL is an ordered list of rules that defines access restrictions for the entities (the control plane, or an interface) to which it is applied. ACLs are also used by route maps to select routes for redistribution into specified routing domains.
Upon its arrival at an interface, a packet’s fields are compared to the first rule of the ACL applied to the interface. Packets that match the rule are forwarded (permit rule) or dropped (deny rule). Packets that do not match the rule are compared to the next rule in the list. This process continues until the packet either matches a rule or the rule list is exhausted. The interface drops packets not matching a rule.
The sequence number designates the rule's placement in the ACL.
ACL rules consist of a command list that is compared to inbound packet fields. When all of a rule’s criteria match a packet’s contents, the interface performs the action specified by the rule.
The set of available commands depends on the ACL type and the specified protocol within the rule. The following is a list of commands available for supported ACL types
Standard ACLs filter only on the source address.
Lists that are created in one mode cannot be modified in any other mode.
A sequence number designates the rule’s placement in a list. New rules are inserted into a list according to their sequence numbers. A rule’s sequence number can be referenced when deleting it from a list.
ACL Configuration describes procedures for configuring ACLs.
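The first-match evaluation described above, as an added example that is not part of the original documentation: a small Python model that parses rules in the syntax shown on this page, applies first-match-wins with the final drop, and reports rules that an earlier rule fully covers. The function names and the FIXED list are illustrative assumptions; the model handles only ip rules with any, host and prefix operands.

```python
import ipaddress

# Constructed input: the four-rule test1 list used in this section's examples.
TEST1 = """\
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
"""

# Constructed variant: the host-to-host deny moved ahead of the broad permit.
FIXED = """\
5 deny ip host 10.10.10.1 host 10.20.10.1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
40 permit ip any any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A/len' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok)

def parse_acl(text):
    """Return [(seq, action, src_net, dst_net)] ordered by sequence number."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[1] not in ("permit", "deny"):
            continue  # remarks, 'counters per-entry', headers, blank lines
        if tokens[2] != "ip":
            raise ValueError("this model handles only 'ip' rules: " + line)
        rest = tokens[3:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        rules.append((int(tokens[0]), tokens[1], src, dst))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, src, dst):
    """First match wins; a packet that matches no rule is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action, seq
    return "deny", None  # rule list exhausted: the interface drops the packet

def shadowed(rules):
    """Rules that can never match because ONE earlier rule covers them.

    Returns (seq, covering_seq, actions_conflict). Coverage by a union of
    several earlier rules is not detected by this check.
    """
    found = []
    for i, (seq, action, src, dst) in enumerate(rules):
        for pseq, paction, psrc, pdst in rules[:i]:
            if src.subnet_of(psrc) and dst.subnet_of(pdst):
                found.append((seq, pseq, action != paction))
                break
    return found

if __name__ == "__main__":
    acl = parse_acl(TEST1)
    # Rule 30 is meant to block this flow, but rule 10 matches it first.
    print(evaluate(acl, "10.10.10.1", "10.20.10.1"))
    print(shadowed(acl))
    print(evaluate(parse_acl(FIXED), "10.10.10.1", "10.20.10.1"))
```

A conflicting shadowed rule (a deny hidden behind an earlier permit, as at sequence 30 here) is the case to review first, since the list does not enforce what it appears to say.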
An Access Control List (ACL) is implemented by assigning the list to an Ethernet interface or subinterface, to a port channel interface, or to the control plane. The switch assigns a default ACL to the control plane unless the configuration contains a valid control-plane ACL assignment statement. Ethernet and port channel interfaces are not assigned an ACL by default. Standard ACLs are applied to interfaces in the same manner as other ACLs.
IPv4 and MAC ACLs are separately applied for inbound and outbound packets. An interface or subinterface can be assigned multiple ACLs, with a limit of one ACL per packet direction per ACL type. Egress ACLs are supported on a subset of all available switches. The control-plane does not support egress ACLs.
Applying ACLs describes procedures for applying ACLs to interfaces or the control plane.
ACL rules provide a log option that produces a log message when a packet matches the rule. ACL logging creates a syslog entry when a packet matches an ACL rule where logging is enabled. Packets that match a logging-enabled ACL rule are copied to the CPU by the hardware. These packets trigger the creation of a syslog entry. The information provided in the entry depends on the ACL type or the protocol specified by the ACL. Hardware rate limiting is applied to packets written to the CPU, avoiding potential DoS attacks. The rate of logging is also software limited to avoid the creation of syslog lists that are too large for practical use by human operators.
ACL Rule Tracking Configuration describes procedures for configuring and enabling ACL logging.
An ACL counter is assigned to each ACL rule. The activity of the ACL counters for rules within a list depends on the list’s counter state. When the list is in counting state, the ACL counter of a rule increments when the rule matches a packet. When the list is in a non-counting state, the counter does not increment. A list’s counter state applies to all rules in the ACL. The default state for new ACLs is non-counting.
When an ACL changes from counting state to non-counting state, or when the ACL is no longer applied to any interfaces that increment counters, counters for all rules in the list maintain their values and do not reset. When the ACL returns to counting mode or is applied to an interface that increments counters, the counter operation resumes from its most recent value.
Counters never decrement and are reset only through CLI commands.
ACL Rule Tracking Configuration describes procedures for configuring and enabling ACL counters.
Egress ACL counters count the number of packets matching rules associated with egress ACLs applied to various interfaces in a switch. For 7050 and 7060 series switches, these counters are maintained for every TCAM rule; on these platforms, packet counters greater than zero are always shown by commands such as show platform trident tcam, show platform trident counters, and show ip access-list. For other switches, counters are not enabled by default and must be configured for each ACL, and the counters can be shown with the show hardware counter and show ip access-list commands.
For 7050 and 7060 series switches, egress ACL counters are always enabled, and no configuration is required.
For other platforms, to enable egress ACL counters for a specific ACL, use the counters per-entry command in the configuration mode for the ACL.
Example
In the following example, configure the counters per-entry command in the ACL configuration mode.
switch(config)# ip access-list acl1
switch(config-acl-acl1)# counters per-entry
For 7050 and 7060 series switches, egress counters are always enabled.
For other switches, both IPv4 and IPv6 egress ACL counters are enabled in the global configuration mode by using the hardware counter feature acl out command.
Example
switch(config)# hardware counter feature acl out ipv4
switch(config)#
switch(config)# hardware counter feature acl out ipv6
switch(config)#
For 7050 and 7060 series switches, egress counters cannot be disabled.
For other switches, both IPv4 and IPv6 egress ACL counters are also disabled in the global configuration mode by using the hardware counter feature acl out command.
The following example shows how to disable IPv4 egress ACL counters.
switch(config)# no hardware counter feature acl out ipv4
switch(config)#
The following example shows how to disable IPv6 egress ACL counters.
switch(config)# no hardware counter feature acl out ipv6
switch(config)#
The counters roll over when the counter value for an ACL rule exceeds 2^64.
Example
In the following example, the hardware counter feature acl ipv6 out command is configured using units and packets.
switch(config)# hardware counter feature acl ipv6 out units packets
switch(config)#
The clear ip access-lists counters command clears the counters for all of the IPv4 ACLs or a specific IPv4 ACL, either globally or per-CLI session.
Example
In the following example the ACL list named red is selected.
switch(config)# clear ip access-list counters red session
switch(config)#
The IPv6 egress ACL counters do not work in unshared mode.
Example
Use the hardware access-list resource sharing vlan ipv6 out command to enable egress IPv6 ACL sharing.
switch(config)#hardware access-list resource sharing vlan ipv6 out
switch(config)#
The clear ipv6 access-list counters command clears the counters for all of the IPv6 ACLs or a specific IPv6 ACL, either globally or per-CLI session.
Example
In the following example the ACL list named green is selected.
switch(config)# clear ipv6 access-list counters green session
switch(config)#
Use the following show commands to display Egress ACL Counters information.
switch(config)# show ip access-list acl1
IP Access List acl1
counter per-entry
10 deny ip 11.1.1.0/24 any dscp af11
20 deny ip any any [match 39080716, 0:00:00 ago]
switch(config)# show ipv6 access-list acl1
IPV6 Access List acl1
counter per-entry
10 permit ipv6 any any [match 3450000, 0:00:10 ago]
20 deny ipv6 any any
switch(config)# show hardware counter drop
Summary:
Total Adverse (A) Drops: 0
Total Congestion (C) Drops: 0
Total Packet Processor (P) Drops: 250
Type Chip CounterName : Count : First Occurrence : Last Occurrence
-------------------------------------------------------------------------------
P Fap0 EgressAclDropCounter : 250 : 2015-11-11 22:39:02 : 2015-11-11 22:51:44
The switch enters the appropriate ACL configuration mode for the list. If the command is followed by the name of an existing ACL, subsequent commands edit that list (see Modifying an ACL for additional information).
switch(config)# ip access-list test1
switch(config-acl-test1)#
switch(config)# ip access-list standard stest1
switch(config-std-acl-stest1)#
switch(config)# mac access-list mtest1
switch(config-mac-acl-mtest1)#
ACL configuration modes are group-change modes. Changes made in a group-change mode are saved by exiting the mode. Changes can instead be discarded by leaving the mode with the abort command rather than exit.
switch(config-acl-test1)# permit ip 10.10.10.0/24 any
switch(config-acl-test1)# permit ip any host 10.20.10.1
switch(config-acl-test1)# deny ip host 10.10.10.1 host 10.20.10.1
To view the edited list, type show.
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip 10.30.10.0/24 host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
Because the changes were not yet saved, the ACL remains empty, as shown by show ip access-lists.
switch(config-acl-test1)# show ip access-lists test1
switch(config-acl-test1)#
To save all current changes to the ACL and exit ACL configuration mode, type exit.
switch(config-acl-test1)# exit
switch(config)# show ip access-lists test1
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip 10.30.10.0/24 host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
The abort command exits ACL configuration mode without saving pending changes.
switch(config-acl-test1)# permit ip 10.10.10.0/24 any
switch(config-acl-test1)# permit ip any host 10.20.10.1
switch(config-acl-test1)# deny ip host 10.10.10.1 host 10.20.10.1
To view the edited list, type show.
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip 10.30.10.0/24 host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
To discard the changes, enter abort. If the ACL existed before entering ACL-configuration mode, abort restores the version that existed before entering ACL-configuration mode. Otherwise, show ip access-lists shows the ACL was not created.
switch(config-acl-test1)# abort
switch(config)#
An existing ACL, including those currently applied to interfaces, can be modified by entering the appropriate configuration mode for the ACL as described in Creating and Opening a List. By default, while an ACL is being modified all traffic is blocked on any interface to which the ACL has been applied.
Because blocking ports during ACL modifications can result in packet loss and can interfere with features such as routing and dynamic NAT, 7050X, 7060X, 7150, 7250X, 7280, 7280R, 7300X, 7320X, and 7500 series switches can be configured instead to permit all traffic on Ethernet and VLAN interfaces while ACLs applied to those interfaces are being modified. This is done with the hardware access-list update default-result permit command.
To append a rule to the end of a list, enter the rule without a sequence number while in ACL configuration mode for the list. The new rule’s sequence number is derived by adding 10 to the last rule’s sequence number.
switch(config)# hardware access-list update default-result permit
switch(config-acl-test1)# permit ip 10.10.10.0/24 any
switch(config-acl-test1)# permit ip any host 10.20.10.1
switch(config-acl-test1)# deny ip host 10.10.10.1 host 10.20.10.1
To view the edited list, type show.
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
switch(config-acl-test1)# permit ip any any
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
To insert a rule into an ACL, enter the rule with a sequence number between the existing rules’ numbers.
Switch(config-acl-test1)# 15 permit ip 10.30.10.0/24 host 10.20.10.1
Switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
15 permit ip 10.30.10.0/24 host 10.20.10.1
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
switch(config-acl-test1)# no 20
switch(config-acl-test1)# no permit ip any host 10.20.10.1
switch(config-acl-test1)# default permit ip any host 10.20.10.1
This ACL results from entering one of the preceding commands.
switch(config-acl-test1)# show
ip access list test1
10 permit ip 10.10.10.0/24 any
15 permit ip 10.30.10.0/24 host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
Sequence numbers determine the order of the rules in an access control list. After a list editing session where existing rules are deleted and new rules are inserted between existing rules, the sequence number distribution may not be uniform. Resequencing rule numbers changes the sequence number of rules to provide a constant difference between adjacent rules. The resequence (ACLs) command adjusts the sequence numbers of ACL rules.
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
25 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
50 permit ip any any
90 remark end of list
switch(config-acl-test1)# resequence 100 20
switch(config-acl-test1)# show
IP Access List test1
100 permit ip 10.10.10.0/24 any
120 permit ip any host 10.20.10.1
140 deny ip host 10.10.10.1 host 10.20.10.1
160 permit ip any any
180 remark end of list
ACL rules provide a log option that produces a syslog message about packets that match the rule. ACL logging creates a syslog entry when a packet matches an ACL rule with logging enabled.
This feature is currently available on Arad switches and on 7100 series switches. On 7100 series switches, matches are logged only on ingress, not on egress.
switch(config-acl-test1)# 15 permit ip 10.30.10.0/24 host 10.20.10.1 log
switch(config-acl-test1)#
IPACCESS: list acl intf filter protocol src-ip(src_port) -> dst-ip(dst_port)
IPACCESS: list acl intf filter icmp src-ip(src-port) -> dst-ip(dst-port) type= n code= m
IPACCESS: list acl intf filter protocol src-ip -> dst-ip
MACACCESS: list acl intf filter vlan ether src_mac -> dst_mac
MACACCESS: list acl intf filter vlan ether ip-prt src-mac src-ip : src-prt -> dst-mac dst-ip : dst-prt
MACACCESS: list acl intf filter vlan ether src_mac src_ip -> dst_mac dst_ip
ACLs provide a command that configures its counter state (counting or non-counting). The counter state applies to all rules in the ACL. The initial state for new ACLs is non-counting.
The counters per-entry (ACL configuration modes) command places the ACL in counting mode.
switch(config-acl-test1)# counters per-entry
switch(config-acl-test1)#exit
switch(config-acl-test1)#show ip access-list test1
IP Access List test1
counters per-entry
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
The clear ip access-lists counters and clear ipv6 access-lists counters commands set the IP access list counters to zero for the specified IP access list.
switch(config)# clear ip access-lists counters test1
switch(config)#
ACLs can be displayed by a show running-config command. The show ip access-lists command also displays ACL rosters and contents, as specified by command parameters.
When editing an ACL, the show (ACL configuration modes) command displays the current or pending list, as specified by command parameters.
To display the roster of ACLs on the switch, enter show ip access-lists with the summary option.
switch(config)# show ip access-list summary
IPV4 ACL default-control-plane-acl
Total rules configured: 12
Configured on: control-plane
Active on : control-plane
IPV4 ACL list2
Total rules configured: 3
IPV4 ACL test1
Total rules configured: 6
IPV4 ACL test_1
Total rules configured: 1
IPV4 ACL test_3
Total rules configured: 0
switch(config)#
ACLs that are in counting mode display the number of inbound packets each rule in the list matched and the elapsed time since the last match.
switch# show ip access-lists default-control-plane-acl
IP Access List default-control-plane-acl [readonly]
counters per-entry
10 permit icmp any any
20 permit ip any any tracked [match 1725, 0:00:00 ago]
30 permit ospf any any
40 permit tcp any any eq ssh telnet www snmp bgp https
50 permit udp any any eq bootps bootpc snmp [match 993, 0:00:29 ago]
60 permit tcp any any eq mlag ttl eq 255
70 permit udp any any eq mlag ttl eq 255
80 permit vrrp any any
90 permit ahp any any
100 permit pim any any
110 permit igmp any any [match 1316, 0:00:23 ago]
120 permit tcp any any range 5900 5910
switch# show ip access-lists
IP Access List default-control-plane-acl [readonly]
counters per-entry
10 permit icmp any any
20 permit ip any any tracked [match 1371, 0:00:00 ago]
30 permit ospf any any
40 permit tcp any any eq ssh telnet www snmp bgp https
50 permit udp any any eq bootps bootpc snmp
60 permit tcp any any eq mlag ttl eq 255
70 permit udp any any eq mlag ttl eq 255
80 permit vrrp any any
90 permit ahp any any
100 permit pim any any
110 permit igmp any any [match 1316, 0:00:23 ago]
120 permit tcp any any range 5900 5910
IP Access List list2
10 permit ip 10.10.10.0/24 any
20 permit ip 10.30.10.0/24 host 10.20.10.1
30 permit ip any host 10.20.10.1
40 deny ip host 10.10.10.1 host 10.20.10.1
50 permit ip any any
IP Access List test1
Switch(config)#
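The counter output above can be audited offline. The following Python example is added here and is not part of the EOS documentation; its function names are hypothetical. It parses an excerpt of the show ip access-lists output shown above and lists the rules that have never matched, reporting ACLs that are not in counting mode as unknown rather than unused. It assumes the elapsed time is always printed as h:mm:ss.

```python
import re

# Excerpt of the "show ip access-lists" output shown above.
SAMPLE = """\
IP Access List default-control-plane-acl [readonly]
counters per-entry
10 permit icmp any any
20 permit ip any any tracked [match 1371, 0:00:00 ago]
30 permit ospf any any
40 permit tcp any any eq ssh telnet www snmp bgp https
50 permit udp any any eq bootps bootpc snmp
60 permit tcp any any eq mlag ttl eq 255
70 permit udp any any eq mlag ttl eq 255
80 permit vrrp any any
90 permit ahp any any
100 permit pim any any
110 permit igmp any any [match 1316, 0:00:23 ago]
120 permit tcp any any range 5900 5910
IP Access List list2
10 permit ip 10.10.10.0/24 any
20 permit ip 10.30.10.0/24 host 10.20.10.1
30 permit ip any host 10.20.10.1
40 deny ip host 10.10.10.1 host 10.20.10.1
50 permit ip any any
"""

HEADER = re.compile(r"^IP Access List (\S+)")
# Sequence number, rule text, then an optional "[match N, h:mm:ss ago]" suffix.
RULE = re.compile(
    r"^(\d+)\s+(.*?)(?:\s+\[match (\d+), (\d+):(\d\d):(\d\d) ago\])?$"
)


def parse_access_lists(text):
    """Return {acl_name: {"counting": bool, "rules": [rule dicts]}}."""
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"counting": False, "rules": []}
            acls[header.group(1)] = current
            continue
        if current is None or not line:
            continue
        if line == "counters per-entry":
            current["counting"] = True
            continue
        rule = RULE.match(line)
        if rule:
            seq, body, hits, hours, minutes, seconds = rule.groups()
            idle = None
            if hits is not None:
                idle = int(hours) * 3600 + int(minutes) * 60 + int(seconds)
            current["rules"].append({
                "seq": int(seq),
                "rule": body,
                "matches": int(hits) if hits is not None else 0,
                "idle_seconds": idle,   # None when the rule has never matched
            })
    return acls


def never_matched(acls):
    """Map each ACL to the sequence numbers of rules with no matches.

    An ACL that is not in counting mode maps to None: the absence of a
    counter there says nothing about whether the rule is used.
    """
    result = {}
    for name, acl in acls.items():
        if not acl["counting"]:
            result[name] = None
        else:
            result[name] = [r["seq"] for r in acl["rules"] if r["matches"] == 0]
    return result


if __name__ == "__main__":
    for name, seqs in never_matched(parse_access_lists(SAMPLE)).items():
        if seqs is None:
            print(f"{name}: not in counting mode, usage unknown")
        else:
            print(f"{name}: rules with no matches: {seqs}")
```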
The examples in this section assume these ACL commands were previously entered.
These commands are stored in the configuration:
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.21.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
The current edit session removed this command. This change is not yet stored to running-config:
20 permit ip any host 10.21.10.1
The current edit session added these commands to the ACL. They are not yet stored to running-config:
20 permit ip 10.10.0.0/16 any
25 permit tcp 10.10.20.0/24 any
45 deny pim 239.24.124.0/24 10.5.8.4/30
switch(config-acl-test_1)# show pending
IP Access List test_1
10 permit ip 10.10.10.0/24 any
20 permit ip 10.10.0.0/16 any
25 permit tcp 10.10.20.0/24 any
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
45 deny pim 239.24.124.0/24 10.5.8.4/30
50 remark end of list
switch(config-acl-test_1)#show active
IP Access List test_1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.21.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
This command displays the difference between the saved and modified ACLs.
switch(config-acl-test_1)#show diff
---
+++
@@ -1,7 +1,9 @@
IP Access List test_1
10 permit ip 10.10.10.0/24 any
- 20 permit ip any host 10.21.10.1
+ 20 permit ip 10.10.0.0/16 any
+ 25 permit tcp 10.10.20.0/24 any
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
+ 45 deny pim 239.24.124.0/24 10.5.8.4/30
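Review bot: the added `45 deny pim 239.24.124.0/24 10.5.8.4/30` sits after `40 permit ip any any`, so with rules evaluated in sequence order and the first match deciding, that traffic is already permitted at 40 and the deny at 45 never matches; it needs a sequence number below 40 to take effect. The same ordering point applies to the added rule 25: `20 permit ip 10.10.0.0/16 any` already covers 10.10.20.0/24 for every IP protocol, so `25 permit tcp 10.10.20.0/24 any` is redundant where it sits and would need to precede 20 if it is meant to be counted or logged separately.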
To configure per-port per-VLAN QoS, first configure the ACL policing for QoS, and then apply the policy-map on a single Ethernet or port-channel interface on a per-port per-VLAN basis. Per-port per-VLAN QoS allows a class-map to match traffic for a single VLAN or for a range of VLANs separated by commas. Per-port per-VLAN works with QoS-based class-maps only.
switch# config
switch(config)# hardware tcam profile qos
switch(config)# ip access-list acl1
switch(config-acl-acl1)# permit vlan 100 0xfff ip any any
switch(config-acl-acl1)# exit
switch(config)# class-map match-any class1
switch(config-cmap-qos-class1)# match vlan 20-40, 1000-1250, 2000
switch(config-cmap-qos-class1)# exit
The following show commands display the status, traffic hit counts, tcam profile information, and policy-maps configured on an interface.
The show policy-map command displays the policy-map information of the configured policy-map.
switch# show policy-map policy1
Service-policy policy1
Class-map: class1 (match-any)
Match: ip access-group name acl1
Police cir 512000 bps bc 96000 bytes
Class-map: class-default (match-any)
The show policy-map interface command displays the policy-map configured on an interface.
switch# show policy-map interface ethernet 1
Service-policy input: p1
Hardware programming status: Successful
Class-map: c2001 (match-any)
Match: vlan 2001 0xfff
set dscp 4
Class-map: c2002 (match-any)
Match: vlan 2002 0xfff
set dscp 8
Class-map: c2003 (match-any)
Match: vlan 2003 0xfff
set dscp 12
Access Control Lists (ACLs) are configured to permit or deny traffic between source and destination ports on Strata-based platforms. Mirror ACLs are used in mirroring traffic by matching VLAN ID of the configured ACLs. Mirror ACLs are applied for IPv4, IPv6, and MAC ACLs.
switch(config)# ip access-list acl1
switch(config-acl-acl1)# permit vlan 1234 0x0 ip any any
switch(config)# monitor session sess1 source ethernet 1 rx ip access-group acl1
switch(config)# monitor session sess1 destination ethernet 2
Access Control Lists become active when they are assigned to an interface or subinterface or to the control plane. This section describes the process of adding and removing ACL interface assignments.
IPv4, IPv6, and MAC ACLs are separately applied for inbound and outbound packets. An interface or subinterface can be assigned multiple ACLs, with a limit of one ACL per packet direction per ACL type. Egress ACLs are supported on a subset of all available switches. IPv6 egress ACLs have limited availability, and IPv6 egress ACLs applied to routed interfaces or subinterfaces across the same chip on the DCS-7500E and the DCS-7280E series can be shared. In addition, IPv6 egress ACLs can match on the DSCP value. This results in a more efficient utilization of system resources, and is particularly useful for environments with few, potentially large, IPv6 egress ACLs applied across multiple routed interfaces.
switch(config)# interface ethernet 3
switch(config-if-Et3)# ip access-group test1 in
switch(config-if-Et3)# show running-config interfaces ethernet 3
interface Ethernet3
ip access-group test1 in
switch(config-if-Et3)#
switch(config)# control-plane
switch(config-cp)# ip access-group test_cp in
switch(config)# hardware access-list resource sharing vlan ipv6 out
switch(config)#
switch(config)# no hardware access-list resource sharing vlan ipv6 out
switch(config)#
switch(config)# interface ethernet 5.1
switch(config-if-Et5.1)# ipv4 access-group test_ACL in
switch(config-if-Et5.1)#
The no ip access-group command removes an IP ACL assignment statement from running-config for the configuration mode interface. After an ACL is removed, the interface is not associated with an IP ACL.
The no mac ip access-group command removes a MAC ACL assignment statement from running-config for the configuration mode interface. After a MAC ACL is removed, the interface is not associated with a MAC ACL.
To remove an ACL from the control plane, enter the no ip access-group command in control plane configuration mode. Removing the control plane ACL command from running-config reinstates default-control-plane-acl as the control plane ACL.
switch(config)# interface ethernet 3
switch(config-if-Et3)# no ip access-group test in
switch(config-if-Et3)#
switch(config)# control-plane
switch(config-cp)# no ip access-group test_cp in
switch(config-cp)#
Service ACL enforcement is a feature added to a control plane service (the SSH server, the SNMP server, routing protocols, etc) that allows the switch administrator to restrict the processing of packets and connections by the control plane processes that implement that service. The control plane program run by the control plane process checks already received packets and connections against a user configurable Access Control List (ACL), a Service ACL. The Service ACL contains permit and deny rules matching any of the source address, destination address, and TCP or UDP ports of received packets or connections. After receiving a packet or connection, the control plane process evaluates the packet or connection against the rules of the Service ACL configured for the control plane process, and if the received packet or connection matches a deny rule the control plane process drops or closes it without further processing.
Control Plane Process Enforced Access Control enables the system administrator to restrict which systems on the network can access the services provided by the switch. Each service has its own access control list, giving the system administrator fine grained control over access to the switch's control plane services. The CLI for this uses the familiar pattern of access control lists assigned for a specific purpose, in this case for each control plane service.
To apply the SSH server Service ACLs for IPv4 and IPv6 traffic, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands in mgt-ssh configuration mode as shown below.
switch(config)# management ssh
switch(config-mgmt-ssh)# ip access-group <acl_name> [vrf <vrf_name>] in
switch(config-mgmt-ssh)# ipv6 access-group <acl_name> [vrf <vrf_name>] in
In Release EOS-4.19.0, all VRFs are required to use the same SSH server Service ACL. The Service ACL assigned without the vrf keyword is applied to all VRFs where the SSH server is enabled.
To display the status and counters of the SSH server Service ACLs, use the following commands.
switch> show management ssh ip access-list
switch> show management ssh ipv6 access-list
To apply the SNMP server Service ACLs to restrict which hosts can access SNMP services on the switch, use the snmp-server community command as shown below.
snmp-server community community-name [view viewname] [ro | rw] acl_name
snmp-server community community-name [view viewname] [ro | rw] ipv6 ipv6_acl_name
To apply Service ACLs to the EOS application programming interface (EAPI) server, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# vrf <vrf_name>
switch(config-mgmt-api-http-cmds-vrf-<vrf>)# ip access-group <acl_name>
switch(config-mgmt-api-http-cmds-vrf-<vrf>)# ipv6 access-group <ipv6_acl_name>
To display the status and counters of the EAPI server Service ACLs, use the following commands.
switch> show management api http-commands ip access-list
switch> show management api http-commands ipv6 access-list
To apply Service ACLs for controlling connections to the BGP routing protocol agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
switch(config)# router bgp <asn>
switch(config-router-bgp)# ip access-group <acl_name>
switch(config-router-bgp)# ipv6 access-group <ipv6_acl_name>
switch(config-router-bgp)# vrf <vrf_name>
switch(config-router-bgp-vrf-<vrf>)# ip access-group <acl_name>
switch(config-router-bgp-vrf-<vrf>)# ipv6 access-group <ipv6_acl_name>
To display the status and counters of the BGP routing protocol Service ACLs, use the following commands.
switch> show bgp ipv4 access-list
switch> show bgp ipv6 access-list
Unequal Cost Multi-Path (UCMP) for BGP forwards traffic based on weight assignments for next hops of routes of ECMP traffic. The weights are programmed in the FIB. When the BGP link-bandwidth extended community attribute is disseminated with BGP routes, the device receiving the routes programs the next hops in the FIB using the received link-bandwidth values. The percentage of interface speed is appended to the received link-bandwidth extended community value of the route. The weight ratio of the traffic sent over egress ports is adjusted to forward more traffic towards the peer with higher interface speed.
The following command enables the weight adjustment.
This command configures the adjust auto to 62.3 percent.
switch(config-router-bgp)# neighbor group1 link-bandwidth adjust auto percent 62.3
PERCENT is a float value between 0.0 and 100.0 and is optional.
To apply Service ACLs for controlling packets processed by the OSPF routing protocol agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
switch(config)# router ospf <id>
switch(config-router-ospf)# ip access-group <acl_name>
switch(config-router-ospf)# ipv6 access-group <ipv6_acl_name>
When using VRFs, each per-VRF OSPF instance must be assigned its Service ACL explicitly.
To display the status and counters of the OSPF routing protocol Service ACLs, use the following commands.
switch> show ospf ipv4 access-list
switch> show ospf ipv6 access-list
To apply Service ACLs for controlling packets processed by the PIM routing protocol agent, use the access-group command as shown below.
switch(config)# router pim
switch(config-router-pim)# ipv4
switch(config-router-pim-ipv4)# access-group <acl_name>
switch(config-router-pim-ipv4)# vrf <vrf_name>
switch(config-router-pim-vrf-<vrf>)# ipv4
switch(config-router-pim-vrf-<vrf>-ipv4)# access-group <acl_name>
To display the status and counters of the PIM routing protocol Service ACLs, use the following commands.
switch> show ip pim access-list
To apply Service ACLs for controlling packets processed by the IGMP management protocol agent, use the ip igmp access-group command as shown below.
switch(config)# router igmp
switch(config-router-igmp)# ip igmp access-group <acl_name>
switch(config-router-igmp)# vrf <vrf_name>
switch(config-router-igmp-vrf-<vrf>)# ip igmp access-group <acl_name>
To display the status and counters of the IGMP management protocol Service ACLs, use the following commands.
switch> show ip igmp access-list
To apply Service ACLs for controlling packets processed by the DHCP relay agent, use the ip dhcp relay access-group and ipv6 dhcp relay access-group commands as shown below.
switch(config)# ip dhcp relay access-group <acl_name> [vrf <vrf_name>]
switch(config)# ipv6 dhcp relay access-group <acl_name> [vrf <vrf_name>]
To display the status and counters of the DHCP relay agent Service ACLs, use the following commands.
switch> show ip dhcp relay access-list
switch> show ipv6 dhcp relay access-list
To apply Service ACLs for controlling packets and connections processed by the LDP MPLS label distribution protocol, use the ip access-group (Service ACLs) command as shown below.
switch(config)# mpls ldp
switch(config-mpls-ldp)# ip access-group <acl_name>
To display the status and counters of the LDP Service ACLs, use the following command.
switch> show mpls ldp access-list
To apply Service ACLs for controlling connections accepted by the LANZ agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
switch(config)# queue-monitor streaming
switch(config-qm-streaming)# ip access-group <acl_name>
switch(config-qm-streaming)# ipv6 access-group <ipv6_acl_name>
To display the status and counters of the LANZ Service ACLs, use the following command.
switch> show queue-monitor streaming access-lists
To apply Service ACLs for controlling connections accepted by the MPLS Ping agent, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
switch(config)# mpls ping
switch(config-mpls-ping)# ip access-group <acl_name> [vrf <vrf_name>]
switch(config-mpls-ping)# ipv6 access-group <ipv6_acl_name> [vrf <vrf_name>]
To apply Service ACLs to the Telnet server, use the ip access-group (Service ACLs) and ipv6 access-group (Service ACLs) commands as shown below.
switch(config)# management telnet
switch(config-mgmt-telnet)# ip access-group <acl_name> [vrf <vrf_name>] in
switch(config-mgmt-telnet)# ipv6 access-group <ipv6_acl_name> [vrf <vrf_name>] in
In EOS 4.19.0, all VRFs are required to use the same Telnet server Service ACL. The Service ACL assigned without the vrf keyword is applied to all VRFs where the Telnet server is enabled.
To display the status and counters of the Telnet server Service ACLs, use the following commands.
switch> show management telnet ip access-list
switch> show management telnet ipv6 access-list
To configure the ACLs on subinterfaces, use the following command:
ip|ipv6 access-group acl-name in | out
To unconfigure the ACLs on subinterfaces, use the following command:
no ip|ipv6 access-group in | out
The show ip|ipv6 access-lists command displays the summary of a configured ACL, including the subinterface on which the ACL is configured and active.
show ip|ipv6 access-lists acl-name summary
Examples
switch(config)# show ip access-lists acl1 summary
IPV4 ACL acl1
Total rules configured: 1
Configured on Ingress: Et5.1
Active on Ingress: Et5.1
switch(config)# show ipv6 access-lists acl1 summary
IPV6 ACL acl1
Total rules configured: 1
Configured on Egress: Et5.1
Active on Egress: Et5.1
IPv4 ingress sharing optimizes the utilization of hardware resources by sharing them between different VLAN interfaces when they have the same ACL attached.
Larger deployments benefit from this function, where IPv4 ingress sharing is applied on multiple SVIs with member interfaces on the same forwarding ASIC. For example, when a trunk port carries multiple VLANs and ingress sharing is applied on all VLANs, the ACL occupies fewer hardware resources irrespective of the number of VLANs. By default, IPv4 ingress sharing is disabled on the switches.
To enable IPv4 Ingress Sharing, use the no hardware access-list resource sharing vlan in command. Note that enabling or disabling IPv4 ingress sharing requires a restart of software agents on the switches, which is a disruptive process and will impact traffic forwarding. The no form of the command disables IPv4 ingress sharing on the switch. To display the IPv4 ingress sharing information, use the show platform trident command on the switch.
IPv4 Egress Sharing optimizes the utilization of hardware resources by sharing TCAM entries for a group of SVIs on which IPv4 ACLs are shared. The TCAM entries are shared for all the SVIs per chip, saving hardware resources and enabling ACLs to scale to larger configurations.
Larger deployments benefit where IPv4 Egress Sharing is applied on multiple SVIs with member interfaces on the same forwarding ASIC. For example, when a trunk port carries multiple VLANs and Egress Sharing is applied on all VLANs, the ACL occupies fewer hardware resources irrespective of the number of VLANs. By default, IPv4 Egress Sharing is enabled on the switches. However, IPv4 Egress Sharing and uRPF cannot both be enabled at the same time. Disabling IPv4 RACL sharing allows uRPF to be configured, with RACLs operating in non-shared mode at the same time.
To enable unicast Reverse Path Forwarding (uRPF) on the switch, IPv4 Egress Sharing must be disabled using the no hardware access-list resource sharing vlan ipv4 out command.
To enable IPv4 Egress Sharing if it was previously disabled from the default configuration, use the hardware access-list resource sharing vlan ipv4 out command. Note that enabling or disabling IPv4 Egress Sharing requires a restart of software agents on the switches, which is a disruptive process and will impact traffic forwarding.
Use the hardware access-list resource sharing vlan ipv4 out command to enable IPv4 Egress Sharing on the switch. By default, IPv4 Egress Sharing is enabled on the switch. The no form of the command disables IPv4 Egress Sharing on the switch, after which the user is allowed to configure uRPF on the switch.
switch# show ip access-lists summary
IPV4 ACL default-control-plane-acl [readonly]
Total rules configured: 17
Configured on Ingress: control-plane(default VRF)
Active on Ingress: control-plane(default VRF)
IPV4 ACL ipAclLimitTest
Total rules configured: 0
Configured on Egress: Vl2148,2700
Active on Egress: Vl2148,2700
switch# show vlan
VLAN Name Status Ports
----- -------------- --------- -----------------
1 default active
2148 VLAN2148 active Cpu, Et1, Et26
2700 VLAN2700 active Cpu, Et18
switch# show platform arad acl tcam detail
ip access-list ipAclLimitTest (Shared RACL, 0 rules, 1 entries, direction out,
state success, Acl Label 2)
Fap: Arad0, Shared: true, Interfaces: Vl2148, Vl2700
Bank Offset Entries
0 0 1
Fap: Arad1, Shared: true, Interfaces: Vl2148
Bank Offset Entries
0 0 1
switch# show platform arad acl tcam summary
The total number of TCAM lines per bank is 1024.
========================================================
Arad0:
========================================================
Bank Used Used % Used By
0 1 0 IP Egress PACLs/RACLs
Total Number of TCAM lines used is: 1
========================================================
Arad1:
========================================================
Bank Used Used % Used By
0 1 0 IP Egress PACLs/RACLs
Total Number of TCAM lines used is: 1
switch# show ip route
VRF name: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I - ISIS, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route
Gateway of last resort is not set
C 10.1.0.0/16 is directly connected, Vlan2659
C 10.2.0.0/16 is directly connected, Vlan2148
C 10.3.0.0/16 is directly connected, Vlan2700
S 172.17.0.0/16 [1/0] via 172.24.0.1, Management1
S 172.18.0.0/16 [1/0] via 172.24.0.1, Management1
S 172.19.0.0/16 [1/0] via 172.24.0.1, Management1
S 172.20.0.0/16 [1/0] via 172.24.0.1, Management1
S 172.22.0.0/16 [1/0] via 172.24.0.1, Management1
C 172.24.0.0/18 is directly connected, Management1
switch# show platform arad ip route
Tunnel Type: M(mpls), G(gre)
-------------------------------------------------------------------------------
| Routing Table | |
|------------------------------------------------------------------------------
|VRF| Destination | | | | Acl | | ECMP| FEC | Tunnel
| ID| Subnet | Cmd | Destination | VID | Label | MAC / CPU Code |Index|Index|T Value
--------------------------------------------------------------------------------
|0 |0.0.0.0/8 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1031 | -
|0 |10.1.0.0/16 |TRAP | CoppSystemL3DstMiss|2659 | - | ArpTrap | - |1030 | -
|0 |10.2.0.0/16 |TRAP | CoppSystemL3DstMiss|2148 | - | ArpTrap | - |1026 | -
|0 |10.3.0.0/16 |TRAP | CoppSystemL3DstMiss|2700 | - | ArpTrap | - |1034 | -
|0 |127.0.0.0/8 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1031 | -
|0 |172.17.0.0/16 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1025 | -
|0 |172.18.0.0/16 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1025 | -
|0 |172.19.0.0/16 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1025 | -
|0 |172.20.0.0/16 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1025 | -
|0 |172.22.0.0/16 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1025 | -
|0 |172.24.0.0/18 |TRAP | CoppSystemL3DstMiss|0 | - | ArpTrap | - |1032 | -
|0 |0.0.0.0/0 |TRAP | CoppSystemL3LpmOver|0 | - | SlowReceive | - |1024 | -
|0 |10.1.0.0/32* |TRAP | CoppSystemIpBcast |0 | - | BcastReceive | - |1027 | -
|0 |10.1.0.1/32* |TRAP | CoppSystemIpUcast |0 | - | Receive | - |32766| -
|0 |10.1.255.1/32* |ROUTE| Po1 |2659 |4094 | 00:1f:5d:6b:ce:45 | - |1035 | -
|0 |10.1.255.255/32* |TRAP | CoppSystemIpBcast |0 | - | BcastReceive | - |1027 | -
|0 |10.2.0.0/32* |TRAP | CoppSystemIpBcast |0 | - | BcastReceive | - |1027 | -
|0 |10.2.0.1/32* |TRAP | CoppSystemIpUcast |0 | - | Receive | - |32766| -
|0 |10.2.255.1/32* |ROUTE| Et1 |2148 |2 | 00:1f:5d:6d:54:dc | - |1036 | -
|0 |10.2.255.255/32* |TRAP | CoppSystemIpBcast |0 | - | BcastReceive | - |1027 | -
|0 |10.3.0.0/32* |TRAP | CoppSystemIpBcast |0 | - | BcastReceive | - |1027 | -
|0 |10.3.0.1/32* |TRAP | CoppSystemIpUcast |0 | - | Receive | - |32766| -
|0 |10.3.255.1/32* |ROUTE| Et18 |2700 |2 | 00:1f:5d:6b:00:01 | - |1038 | -
A route map is an ordered set of rules that control the redistribution of IP routes into a protocol domain on the basis of such criteria as route metrics, access control lists, next hop addresses, and route tags. Route maps can also alter parameters of routes as they are redistributed.
Route maps are composed of route map statements, each of which consists of a list of match and set commands.
Set commands modify parameters for redistributed routes. Set commands are valid in permit statements.
switch# route-map MAP_1 permit 10
match as 10
set local-preference 100
A route map consists of statements with the same name and different sequence numbers. Statements filter routes in ascending order of their sequence numbers. When a statement passes a route, the redistribution action is performed as specified by the filter type and all subsequent statements are ignored. When the statement fails the route, the statement with the smallest sequence number that is larger than the current one filters the route.
All route maps have an implied final statement that contains a single deny statement with no match command. This denies redistribution to routes that are not passed by any statement.
switch# route-map MAP_1 permit 10
match as 10
set local-preference 100
!
switch# route-map MAP_1 permit 20
match metric-type type-1
match as 100
Route Map Configuration describes route map configuration procedures.
Route map statements that contain a continue (route map) command support additional route map evaluation of routes whose parameters meet the statement’s match commands. Routes that match a statement containing a continue command are evaluated against the statement specified by the continue command.
When a route matches multiple route map statements, the filter action (deny or permit) is determined by the last statement that the route matches. The set commands in all statements matching the route are applied to the route after the route map evaluation is complete. Multiple set commands are applied in the same order by which the route was evaluated against the statements containing them.
route-map MAP_2 permit 10
match as 10
continue 20
set local-preference 100
!
route-map MAP_2 deny 20
match metric-type type-1
match as 100
The route is redistributed if it passes statement 10 and is rejected by statement 20. The route is denied redistribution in all other instances. The continue command guarantees the evaluation of all routes against both statements.
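The evaluation rules described above (ascending sequence order, the implied final deny, and continue) can be checked with a small model. The following Python example is added here and is not EOS code; the Statement class, the evaluate function and MAP_3 are hypothetical, and routes are modelled as plain dictionaries. It assumes that all match commands in a statement must match, that continue only jumps forward, and that a route failing the continue target falls through to later statements.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Statement:
    seq: int
    action: str                                  # "permit" or "deny"
    match: dict = field(default_factory=dict)    # every entry must match
    sets: dict = field(default_factory=dict)     # set commands of the statement
    continue_to: Optional[int] = None            # sequence number given to "continue"


def evaluate(route_map, route):
    """Return (action, route) after evaluating the route against the map.

    The action comes from the last statement the route matched; a route
    that matches no statement hits the implied final deny. Set commands
    from every matched statement are applied, in evaluation order, once
    evaluation is complete and only when the final action is permit.
    """
    ordered = sorted(route_map, key=lambda s: s.seq)
    action = "deny"                  # implied final deny statement
    matched_sets = []
    i = 0
    while i < len(ordered):
        st = ordered[i]
        if all(route.get(k) == v for k, v in st.match.items()):
            action = st.action
            matched_sets.append(st.sets)
            if st.continue_to is None:
                break                # subsequent statements are ignored
            # Jump forward to the statement named by "continue".
            later = [j for j in range(i + 1, len(ordered))
                     if ordered[j].seq >= st.continue_to]
            if not later:
                break
            i = later[0]
        else:
            i += 1                   # next larger sequence number
    result = dict(route)
    if action == "permit":
        for sets in matched_sets:
            result.update(sets)
    return action, result


# MAP_1 and MAP_2 as shown in the text above.
MAP_1 = [
    Statement(10, "permit", {"as": 10}, {"local-preference": 100}),
    Statement(20, "permit", {"metric-type": "type-1", "as": 100}),
]
MAP_2 = [
    Statement(10, "permit", {"as": 10}, {"local-preference": 100}, continue_to=20),
    Statement(20, "deny", {"metric-type": "type-1", "as": 100}),
]
# Constructed map: a route can match both statements, so the later deny wins.
MAP_3 = [
    Statement(10, "permit", {"tag": 333}, {"local-preference": 100}, continue_to=20),
    Statement(20, "deny", {"as": 10}),
]

if __name__ == "__main__":
    for name, rmap, route in [
        ("MAP_1", MAP_1, {"as": 10}),
        ("MAP_1", MAP_1, {"as": 50}),
        ("MAP_2", MAP_2, {"as": 10}),
        ("MAP_3", MAP_3, {"tag": 333, "as": 10}),
    ]:
        print(name, route, "->", evaluate(rmap, route))
```

The MAP_3 case shows why a continue into a deny statement deserves review: a route that an earlier permit statement accepted is still filtered if it also matches the later deny.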
To create a route map, enter route-map followed by the map name and filter type (deny or permit). The default sequence number is assigned to the statement if the command does not include a number.
switch(config)# route-map map1 permit 50
switch(config-route-map-map1)#
To edit an existing route map statement, enter route-map with the map’s name and statement’s number. The switch enters route map configuration mode for the statement. Subsequent match (route-map) and set (route-map) commands add the corresponding commands to the statement.
The show command displays contents of the existing route map.
switch(config)# route-map MAP2
switch(config-route-map-MAP2)#show
Match clauses:
match as 10
match tag 333
Set clauses:
set local-preference 100
switch(config-route-map-MAP2)#
Route map configuration mode is a group-change mode. Changes are saved by exiting the mode, either with an explicit exit command or by switching directly to another configuration mode. This includes switching to the configuration mode for a different route map.
The first command creates the map1 statement with sequence number of 10. The second command is not yet saved to the route map, as displayed by the show command.
switch(config)# route-map map1 permit
switch(config-route-map-map1)# match as 100
switch(config-route-map-map1)# show
switch(config-route-map-map1)#
The exit command saves the match command.
switch(config-route-map-map1)# exit
switch(config)# show route-map map1
route-map map1 permit 10
Match clauses:
match as 100
Set clauses:
switch(config)#
The abort command discards all pending changes and exits route map configuration mode.
switch(config)# route-map map1 permit
switch(config-route-map-map1)# match as 100
switch(config-route-map-map1)# abort
switch(config)# show route-map map1
switch(config)#
These commands add rules to the configuration mode route map:
To insert a new statement into an existing route map, create a new statement with a sequence number that differs from any existing statement in the map.
switch(config)# route-map Map1 permit 50
switch(config-route-map-Map1)# match as 150
switch(config-route-map-Map1)#exit
switch(config)#show route-map Map1
route-map Map1 deny 10
Match clauses:
match as 10
match tag 333
Set clauses:
set local-preference 100
route-map Map1 permit 50
Match clauses:
match as 150
Set clauses:
switch(config)#
Protocol redistribution commands include a route map parameter that determines the routes to be redistributed into the specified protocol domain.
switch(config)# router bgp 1
switch(config-router-bgp)# redistribute ospf route-map Map1
switch(config-router-bgp)# exit
switch(config)#
A prefix list is an ordered set of rules that defines route redistribution access for a specified IP address space. A prefix list rule consists of a filter action (deny or permit), an address space identifier (IPv4 subnet address or IPv6 prefix), and a sequence number.
A prefix list is an ordered set of rules that defines route redistribution access for a specified IP address space. A prefix list rule consists of a filter action (deny or permit), a network address (IPv4 subnet or IPv6 prefix), and a sequence number. A rule may also include an alternate mask size.
The switch supports IPv4 and IPv6 prefix lists. The switch is placed in a Prefix-list configuration mode to create and edit IPv4 or IPv6 prefix lists.
IPv4 prefix lists are created or modified by adding an IPv4 prefix list rule in the Prefix-list configuration mode. Each rule includes the name of a prefix list, in addition to the sequence number, network address, and filter action. A list consists of all rules that have the same prefix list name.
The ip prefix-list command creates a prefix list or adds a rule to an existing list. Route map match commands use prefix lists to filter routes for redistribution into OSPF, RIP, or BGP domains.
To create an IPv4 prefix list, enter the ip prefix-list command, followed by the name of the list. The switch enters IPv4 prefix-list configuration mode for the list. If the command is followed by the name of an existing ACL, subsequent commands edit that list.
switch(config)# ip prefix-list route-one
switch(config-ip-pfx)#
switch(config)# ip prefix-list route-one
switch(config-ip-pfx)# seq 10 deny 10.1.1.0/24
switch(config-ip-pfx)# seq 20 deny 10.1.0.0/16
switch(config-ip-pfx)# seq 30 permit 12.15.4.9/32
switch(config-ip-pfx)# seq 40 deny 1.1.1.0/24
To view the list, save the rules by exiting the Prefix-list command mode, then re-enter the configuration mode and type show active.
switch(config-ip-pfx)# exit
switch(config)# ip prefix-list route-one
switch(config-ip-pfx)# show active
ip prefix-list route-one
seq 10 deny 10.1.1.0/24
seq 20 deny 10.1.0.0/16
seq 30 permit 12.15.4.9/32
seq 40 deny 1.1.1.0/24
switch(config-ip-pfx)# ip prefix-list route-one
IPv4 prefix lists are referenced in match (route-map) command.
The switch provides IPv6 prefix-list configuration mode for creating and modifying IPv6 prefix lists. A list can be edited only in the mode where it was created.
To create an IPv6 prefix list, enter the ipv6 prefix-list command, followed by the name of the list. The switch enters IPv6 prefix-list configuration mode for the list. If the command is followed by the name of an existing list, subsequent commands edit that list.
switch(config)# ipv6 prefix-list map1
switch(config-ipv6-pfx)#
To append a rule to the end of a list, enter the rule without a sequence number while in Prefix-List configuration mode for the list. The new rule’s sequence number is derived by adding 10 to the last rule’s sequence number.
switch(config-ipv6-pfx)# permit 3:4e96:8ca1:33cf::/64
switch(config-ipv6-pfx)# permit 3:11b1:8fe4:1aac::/64
To view the list, save the rules by exiting the prefix-list command mode, then re-enter the configuration mode and type show active.
switch(config-ipv6-pfx)# exit
switch(config)# ipv6 prefix-list map1
switch(config-ipv6-pfx)# show active
ipv6 prefix-list map1
seq 10 permit 3:4e96:8ca1:33cf::/64
seq 20 permit 3:11b1:8fe4:1aac::/64
switch(config-ipv6-pfx)#
This command appends a rule to the end of the prefix list. The new rule’s sequence number is 30.
switch(config-ipv6-pfx)# permit 3:1bca:1141:ab34::/64
switch(config-ipv6-pfx)# exit
switch(config)# ipv6 prefix-list map1
switch(config-ipv6-pfx)# show active
ipv6 prefix-list map1
seq 10 permit 3:4e96:8ca1:33cf::/64
seq 20 permit 3:11b1:8fe4:1aac::/64
seq 30 permit 3:1bca:1141:ab34::/64
switch(config-ipv6-pfx)#
To insert a rule into a prefix list, use the seq (IPv6 Prefix Lists) command to enter a rule with a sequence number that is between numbers of two existing rules.
switch(config-ipv6-pfx)# seq 15 deny 3:4400::/64
switch(config-ipv6-pfx)# exit
switch(config)# show ipv6 prefix-list map1
ipv6 prefix-list map1
seq 10 permit 3:4e96:8ca1:33cf::/64
seq 15 deny 3:4400::/64
seq 20 permit 3:11b1:8fe4:1aac::/64
seq 30 permit 3:1bca:3ff2:634a::/64
switch(config)#
To remove a rule from the configuration mode prefix list, enter no seq (see seq (IPv6 Prefix Lists)), followed by the sequence number of the rule to be removed.
switch(config-ipv6-pfx)# no seq 20
switch(config-ipv6-pfx)# exit
switch(config)# show ipv6 prefix-list map1
ipv6 prefix-list map1
seq 10 permit 3:4e96:8ca1:33cf::/64
seq 15 deny 3:4400::/64
seq 30 permit 3:1bca:3ff2:634a::/64
switch(config)#
Route map match commands include an option that matches a specified prefix list.
Example
switch(config)# route-map MAP_1 permit
switch(config-route-map-MAP_1)# match ip address prefix-list PL_1
switch(config-route-map-MAP_1)# set community 500
switch(config-route-map-MAP_1)# exit
Use the match ip next-hop route-map clause when redistributing static routes into IGPs to redistribute the static routes whose configured next-hops satisfy the route-map policy.
The following example applies the match ip next-hop clause to static routes redistributed into IGPs; it applies to multi-agent mode as well. The following configures a static route.
switch(config)# ip route 10.20.30.0/24 1.2.3.4
The following configures a prefix-list.
switch(config)# ip prefix-list prefixListName
switch(config-ip-pfx)# permit 1.2.3.4/32
1.2.3.4 is a configured next-hop for static route 10.20.30.0/24.
The following configures a route map.
switch(config)# route-map routeMapName
switch(config-route-map-routeMapName)# match ip next-hop prefix-list prefixListName
The following redistributes static routes into IS-IS using the route map that contains the match ip next-hop clause.
switch(config-router-isis)# redistribute static route-map routeMapName
Redistributed routes can be seen using the following show commands. If routes are redistributed into IS-IS, use show isis database detail. If routes are redistributed into OSPFv2, use show ip ospf database detail.
switch# show ip route
VRF: default
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B - BGP, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route, L - VRF Leaked
Gateway of last resort is not set
...
I L2 10.20.30.0/24 [115/10] via 1.2.3.4, Ethernet1
switch# show isis database detail
IS-IS Instance: B VRF: default
IS-IS Level 1 Link State Database
LSPID Seq Num Cksum Life IS Flags
...
IS-IS Level 2 Link State Database
LSPID Seq Num Cksum Life IS Flags
0000.0000.0001.00-00 6 10364 840 L2 <>
...
Reachability : 10.20.30.0/24 Metric: 0 Type: 1 Up
...
This section describes the support for specifying User-Defined Fields (UDF) in Port ACLs, including IPv4, IPv6, and MAC ACLs. The purpose of the User-Defined Fields feature is to permit or deny packets based on custom offset pattern matching.
User-Defined Fields, or UDFs, are defined as part of an access-list filter and comprise an offset, length, pattern match and mask. Together these describe a single portion of any incoming packet that is matched against the provided value.
UDFs may also be defined via aliases. Aliases are a way to save a UDF configuration for reuse in multiple access-lists and/or access-list rules. An alias may substitute for a fully defined UDF including the offset, pattern and mask. The pattern or mask may be overridden when the alias is used in an access-list rule.
The behavior, CLI syntax and configuration of UDFs are identical to Traffic Steering UDF and Mirroring ACL UDF.
User-Defined Fields are specified as part of an access-list. The type of access-list, however, dictates the base position of the UDF and the options available. In addition, a TCAM profile must be configured to include UDFs as part of the Port ACL feature’s key.
User-Defined Fields are defined as additional fields in the Port ACL feature’s key. By default, UDFs are not included in the keys for the Port ACL features. Adding a UDF to the key requires removal of different key fields to fit within the TCAM width restrictions.
Below are example configurations of the TCAM profile.
The following configurations create a new profile based on the default profile. This new profile replaces the Layer 4 port key fields with one 16-bit UDF and one 32-bit UDF.
switch(config)# hardware tcam
switch(config-hw-tcam)# profile ipv4Udf copy default
switch(config-hw-tcam-profile-ipv4Udf)# feature acl port ip
switch(config-hw-tcam-profile-ipv4Udf-feature-acl-port-ip)# no key field l4-ops
switch(config-hw-tcam-profile-ipv4Udf-feature-acl-port-ip)# no key field l4-src-port
switch(config-hw-tcam-profile-ipv4Udf-feature-acl-port-ip)# no key field l4-dst-port
switch(config-hw-tcam-profile-ipv4Udf-feature-acl-port-ip)# key field udf-16b-1
switch(config-hw-tcam-profile-ipv4Udf-feature-acl-port-ip)# key field udf-32b-1
switch(config-hw-tcam-profile-ipv4Udf-feature-acl-port-ip)# exit
switch(config-hw-tcam-profile-ipv4Udf)# exit
switch(config-hw-tcam)# system profile ipv4Udf
The following configurations match IPv4 packets based on the Identification (ID) field. Packets ingressing into interface ethernet 7 with an ID equal to 1000 are forwarded. Packets with an ID different from 1000 are dropped.
(config)# ip access-list udfAcl
(config-acl-udfAcl)# permit ip any any payload header start offset 1 pattern 0x03E80000 mask 0x0000FFFF
(config-acl-udfAcl)# deny ip any any
(config-acl-udfAcl)# exit
(config)# interface ethernet 7
(config-if-Et7)# ip access-group udfAcl in
The following configurations create a new profile based on the default profile. This new profile replaces the destination IPv6 address key field with two 32-bit UDFs.
switch(config)# hardware tcam
switch(config-hw-tcam)# profile ipv6Udf copy default
switch(config-hw-tcam-profile-ipv6Udf)# feature acl port ipv6
switch(config-hw-tcam-profile-ipv6Udf-feature-acl-port-ipv6)# no key field dst-ipv6
switch(config-hw-tcam-profile-ipv6Udf-feature-acl-port-ipv6)# key field udf-32b-1
switch(config-hw-tcam-profile-ipv6Udf-feature-acl-port-ipv6)# key field udf-32b-2
switch(config-hw-tcam-profile-ipv6Udf-feature-acl-port-ipv6)# exit
switch(config-hw-tcam-profile-ipv6Udf)# exit
switch(config-hw-tcam)# system profile ipv6Udf
The following configurations match IPv6 UDP packets based on the first 32 bits of the packet payload. UDP packets ingressing into interface ethernet 7 whose payload starts with 0x1234567X (where X can be any valid hexadecimal digit) are forwarded. Any other packets are dropped. The offset is set to 2 (2 x 4-byte words) to skip the UDP header.
(config)# ipv6 access-list udfAcl
(config-ipv6-acl-udfAcl)# permit udp any any payload offset 2 pattern 0x12345670 mask 0x0000000f
(config-ipv6-acl-udfAcl)# deny ipv6 any any
(config-ipv6-acl-udfAcl)# exit
(config)# interface ethernet 7
(config-if-Et7)# ipv6 access-group udfAcl in
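The pattern and mask arithmetic behind the two UDF rules above, modeled in Python as an added example (it is not Arista code). It assumes what the two rules imply: offsets count 4-byte words from the stated base, and bits set in the mask are ignored. The packet builders, function names and the short-packet handling are constructed for illustration.

```python
import struct

WORD = 4  # the page counts UDF offsets in 4-byte words


def udf_match(data: bytes, offset_words: int, pattern: int, mask: int) -> bool:
    """Compare one 32-bit big-endian word of `data` against `pattern`.

    Bits set in `mask` are ignored (inferred from the page: mask 0x0000FFFF
    leaves only the upper 16 bits, the IPv4 ID, significant).
    Modeling assumption: a buffer too short to hold the word never matches.
    """
    start = offset_words * WORD
    if offset_words < 0 or len(data) < start + WORD:
        return False
    (word,) = struct.unpack_from("!I", data, start)
    care = ~mask & 0xFFFFFFFF
    return (word & care) == (pattern & care)


def ipv4_header(ident: int, flags_frag: int = 0x4000) -> bytes:
    """Constructed 20-byte IPv4 header; word 1 is ID (16 bits) + flags/fragment."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, ident, flags_frag, 64, 6, 0,
        bytes([10, 1, 1, 1]), bytes([10, 2, 1, 1]),
    )


def udp_datagram(payload: bytes, sport: int = 40000, dport: int = 5000) -> bytes:
    """Constructed UDP header (8 bytes = 2 words) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_udf_acl(header: bytes) -> str:
    # permit ip any any payload header start offset 1
    #        pattern 0x03E80000 mask 0x0000FFFF      (0x03E8 == 1000)
    if udf_match(header, 1, 0x03E80000, 0x0000FFFF):
        return "permit"
    return "deny"  # deny ip any any


def ipv6_udp_udf_acl(l4_bytes: bytes) -> str:
    # permit udp any any payload offset 2 pattern 0x12345670 mask 0x0000000f
    # Base assumed to be the start of the UDP header, so word 2 is the
    # first 32 bits of the UDP payload.
    if udf_match(l4_bytes, 2, 0x12345670, 0x0000000F):
        return "permit"
    return "deny"  # deny ipv6 any any


if __name__ == "__main__":
    for ident, ff in [(1000, 0x4000), (1000, 0x2000), (1001, 0x4000)]:
        print(f"IPv4 id={ident} flags/frag={ff:#06x}:",
              ipv4_udf_acl(ipv4_header(ident, ff)))
    for hexpay in ["1234567a00", "12345680", "1234"]:
        print(f"UDP payload {hexpay}:",
              ipv6_udp_udf_acl(udp_datagram(bytes.fromhex(hexpay))))
```

Because the low 16 bits are masked out, the IPv4 rule permits ID 1000 whatever the flags and fragment offset are; a payload shorter than four bytes cannot satisfy the IPv6 rule in this model and falls through to the deny.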
This section describes CLI commands that this chapter references.
The clear ip access-lists counters command sets ACL counters to zero for the specified IPv4 Access Control List (ACL). The session parameter limits ACL counter clearing to the current CLI session.
Command Mode
Privileged EXEC
Command Syntax
clear ip access-lists counters [ACL_NAME][SCOPE]
Example
switch(config)# clear ip access-lists counters
switch(config)#
The clear ipv6 access-lists counters command sets ACL counters to zero for the specified IPv6 Access Control List (ACL). The session parameter limits ACL counter clearing to the current CLI session.
Command Mode
Privileged EXEC
Command Syntax
clear ipv6 access-lists counters [ACL_NAME][SCOPE]
Example
switch(config)# clear ipv6 access-lists counters
switch(config)#
The continue command creates a route map statement entry that enables additional route map evaluation of routes whose parameters meet the statement's matching criteria.
A statement typically contains a match (route-map) and a set (route-map) command. The evaluation of routes whose settings are the same as match command parameters normally ends and the statement's set commands are applied to the route. Routes that match a statement containing a continue command are evaluated against the statement specified by the continue command.
When a route matches multiple route map commands, the filter action (deny or permit) is determined by the last statement that the route matches. The set commands in all statements matching the route are applied to the route after the route map evaluation is complete. Multiple set commands are applied in the same order by which the route was evaluated against the statement containing them.
The no continue and default continue commands remove the corresponding continue command from the configuration mode route map statement by deleting the corresponding command from running-config.
Command Mode
Route-Map Configuration
Command Syntax
continue NEXT_SEQ
no continue NEXT_SEQ
default continue NEXT_SEQ
Parameters
Restrictions
A continue command cannot specify a sequence number smaller than the sequence number of its route map statement.
Related Command
route-map command enters route map configuration mode.
Example
switch(config)# route-map map1 deny 40
switch(config-route-map-map1)# match as 15
switch(config-route-map-map1)# continue 100
switch(config-route-map-map1)# set local-preference 50
switch(config-route-map-map1)#
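The continue semantics described above, modeled in Python as an added example (not Arista code). Statement 40 mirrors the page's example; statement 100, the route dictionaries, the implicit deny for a route that matches nothing, and falling through to the next statement when the continue target does not match are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Statement:
    seq: int
    action: str                        # "permit" or "deny"
    match: Callable[[dict], bool]      # True when the route meets the criteria
    sets: Dict[str, object] = field(default_factory=dict)
    continue_to: Optional[int] = None

    def __post_init__(self) -> None:
        # Page restriction: continue cannot name a smaller sequence number.
        # This model also rejects an equal number, which would loop forever.
        if self.continue_to is not None and self.continue_to <= self.seq:
            raise ValueError(f"statement {self.seq}: continue must point forward")


def evaluate(route_map: List[Statement], route: dict) -> Tuple[str, dict, List[int]]:
    """Return (filter action, accumulated set values, matched sequence numbers)."""
    stmts = sorted(route_map, key=lambda s: s.seq)
    action = "deny"                    # assumption: no match at all means deny
    applied: Dict[str, object] = {}
    matched: List[int] = []
    i = 0
    while i < len(stmts):
        stmt = stmts[i]
        if not stmt.match(route):
            i += 1
            continue
        action = stmt.action           # the last matching statement decides
        matched.append(stmt.seq)
        applied.update(stmt.sets)      # sets accumulate in evaluation order
        if stmt.continue_to is None:
            break                      # ordinary statement: evaluation ends
        # Jump to the continue target (or the next higher statement if absent).
        i = next((j for j, s in enumerate(stmts) if s.seq >= stmt.continue_to),
                 len(stmts))
    return action, applied, matched


def deny_with_continue(route_map: List[Statement]) -> List[int]:
    """Audit helper: deny statements whose verdict a later match can replace."""
    return [s.seq for s in route_map
            if s.action == "deny" and s.continue_to is not None]


def in_10_slash_8(route: dict) -> bool:
    net = ipaddress.ip_network(route["prefix"])
    return net.subnet_of(ipaddress.ip_network("10.0.0.0/8"))


MAP1 = [
    # route-map map1 deny 40 / match as 15 / continue 100 / set local-preference 50
    Statement(40, "deny", lambda r: r["as"] == 15,
              {"local-preference": 50}, continue_to=100),
    # Hypothetical statement 100, not from the page.
    Statement(100, "permit", in_10_slash_8, {"community": 500}),
]

if __name__ == "__main__":
    for route in ({"prefix": "10.1.0.0/16", "as": 15},
                  {"prefix": "192.0.2.0/24", "as": 15},
                  {"prefix": "10.2.0.0/16", "as": 20}):
        print(route, "->", evaluate(MAP1, route))
    print("deny statements that are not final:", deny_with_continue(MAP1))
```

The first route matches the deny statement 40 and is still permitted, because statement 100 is the last statement it matches; when reviewing a route map, a deny statement that carries a continue is not a final verdict.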
Only the below platforms support ACL byte counting
On the FM6000 platform, this command has no effect when used in an ACL that is part of a PBR class map.
The no counters per-entry and default counters per-entry commands place the ACL in non-counting mode.
Command Mode
ACL Configuration
IPv6-ACL Configuration
Std-ACL Configuration
Std-IPv6-ACL Configuration
MAC-ACL Configuration
Command Syntax
counters per-entry
no counters per-entry
default counters per-entry
switch(config)# ip access-list test1
switch(config-acl-test1)# counters per-entry
switch(config-acl-test1)#
switch# show ip access-lists
IP Access List default-control-plane-acl [readonly]
counters per-entry
10 permit icmp any any
20 permit ip any any tracked [match 12041 packets, 0:00:00 ago]
30 permit ospf any any
40 permit tcp any any eq ssh telnet www snmp bgp https [match 11 packets, 1:41:07 ago]
50 permit udp any any eq bootps bootpc snmp rip [match 78 packets, 0:00:27 ago]
60 permit tcp any any eq mlag ttl eq 255
70 permit udp any any eq mlag ttl eq 255
80 permit vrrp any any
90 permit ahp any any
100 permit pim any any
110 permit igmp any any [match 14 packets, 0:23:27 ago]
120 permit tcp any any range 5900 5910
130 permit tcp any any range 50000 50100
140 permit udp any any range 51000 51100
switch# show ip access-lists
IP Access List default-control-plane-acl [readonly]
counters per-entry
10 permit icmp any any [match 30 packets, 0:02:08 ago]
20 permit ip any any tracked [match 97777 packets, 0:00:00 ago]
30 permit udp any any eq bfd ttl eq 255
40 permit udp any any eq bfd-echo ttl eq 254
50 permit udp any any eq multihop-bfd micro-bfd sbfd
60 permit udp any eq sbfd any eq sbfd-initiator
70 permit ospf any any
80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi [match 72 packets, 0:00:00 ago]
90 permit udp any any eq bootps bootpc snmp rip ntp ldp ptp-event ptp-general
100 permit tcp any any eq mlag ttl eq 255
110 permit udp any any eq mlag ttl eq 255
120 permit vrrp any any
130 permit ahp any any
140 permit pim any any
The ipCountersTest ACL is applied to the data plane. Hence, it displays the byte count information as shown below:
IP Access List ipCountersTest
counters per-entry
10 permit tcp host 10.1.1.1 range 2000 4000 host 10.2.1.1 [match 486 bytes in 3 packets, 0:00:26 ago]
20 permit tcp host 10.1.1.1 range 14000 16000 host 10.2.1.1 [match 486 bytes in 3 packets, 0:00:18 ago]
30 permit udp host 10.1.1.1 range 62000 64000 host 10.2.1.1 [match 450 bytes in 3 packets, 0:00:00 ago]
40 permit tcp host 10.1.1.1 range 50000 52000 host 10.2.1.1 [match 486 bytes in 3 packets, 0:00:02 ago]
50 permit tcp host 10.1.1.1 range 38000 40000 host 10.2.1.1 [match 486 bytes in 3 packets, 0:00:10 ago]
60 permit tcp host 10.1.1.1 range 26000 28000 host 10.2.1.1 [match 486 bytes in 3 packets, 0:00:18 ago]
The deny command adds a deny rule to the configuration mode IPv4 Access Control List (ACL). Packets filtered by a deny rule are dropped by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no deny and default deny commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
ACL Configuration
Command Syntax
[SEQ_NUM] deny PROTOCOL SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT][FLAGS][MESSAGE][fragments][tracked][DSCP_FILTER][TTL_FILTER][log]
no deny PROTOCOL SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT][FLAGS][MESSAGE][fragments][tracked][DSCP_FILTER][TTL_FILTER][log]
default deny PROTOCOL SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT][FLAGS][MESSAGE][fragments][tracked][DSCP_FILTER][TTL_FILTER][log]
Subnet addresses support discontiguous masks.
switch(config)# ip access-list text1
switch(config-acl-text1)# deny ospf 10.1.1.0/24 any
switch(config-acl-text1)#
switch(config-acl-text1)# 65 deny pim any any
switch(config-acl-text1)#
The deny command adds a deny rule to the configuration mode IPv6 Access Control List (ACL). Packets filtered by a deny rule are dropped by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no deny and default deny commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
IPv6-ACL Configuration
Command Syntax
[SEQ_NUM] deny PROT SRC_ADDR [SRC_PT] DEST_ADDR [DEST_PT][FLAG] [MSG][hop][tracked][DSCP_FILTER] [log]
no deny PROT SRC_ADDR [SOURCE_PT] DEST_ADDR [DEST_PT][FLAG][MSG][hop][tracked][DSCP_FILTER][log]
default deny PROT SRC_ADDR [SOURCE_PT] DEST_ADDR [DEST_PT][FLAG][MSG] [hop][tracked][DSCP_FILTER][log]
Example
switch(config)# ipv6 access-list text1
switch(config-acl-text1)# deny ipv6 3710:249a:c643:ef11::/64 any
switch(config-acl-text1)#
The deny command adds a rule to the configuration mode IPv6 prefix list. Route map match commands use prefix lists to filter routes for redistribution into OSPF, RIP, or BGP domains. Routes are denied access when they match the prefix that a deny statement specifies.
The no deny and default deny commands remove the specified rule from the configuration mode prefix list. The no seq (IPv6 Prefix Lists) command also removes the specified rule from the prefix list.
Command Mode
IPv6-pfx Configuration
Command Syntax
[SEQUENCE] deny ipv6_prefix [MASK]
Example
switch(config)# ipv6 prefix-list route-five
switch(config-ipv6-pfx)# deny 3100::/64
switch(config-ipv6-pfx)#
The deny command adds a deny rule to the configuration mode MAC Access Control List (ACL). Packets filtered by a deny rule are dropped by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no deny and default deny commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
MAC-ACL Configuration
Command Syntax
[SEQ_NUM] deny SOURCE_ADDR DEST_ADDR [PROTOCOL][log]
no deny SOURCE_ADDR DEST_ADDR [PROTOCOL][log]
default deny SOURCE_ADDR DEST_ADDR [PROTOCOL][log]
switch(config)# mac access-list text1
switch(config-mac-acl-text1)# deny 10.1000.0000 0.0.FFFF any aarp
switch(config-mac-acl-text1)# 25 deny any any
The deny command adds a deny rule to the configuration mode standard IPv4 Access Control List (ACL). Standard ACL rules filter on the source field.
Packets filtered by a deny rule are dropped by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no deny and default deny commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
Std-ACL Configuration
Command Syntax
[SEQ_NUM] deny SOURCE_ADDR [log]
no deny SOURCE_ADDR [log]
default deny SOURCE_ADDR [log]
Subnet addresses support discontiguous masks.
Example
switch(config)# ip access-list standard text1
switch(config-std-acl-text1)# deny 10.1.1.1/24
switch(config-std-acl-text1)#
The deny command adds a deny rule to the configuration mode standard IPv6 Access Control List (ACL). Standard ACL rules filter on the source field.
Packets filtered by a deny rule are dropped by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no deny and default deny commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
Std-IPv6-ACL Configuration
Command Syntax
[SEQ_NUM] deny SOURCE_ADDR
no deny SOURCE_ADDR
default deny SOURCE_ADDR
Example
switch(config)# ipv6 access-list standard text1
switch(config-std-acl-ipv6-text1)# deny 2103::/64
switch(config-std-acl-ipv6-text1)#
The description command adds a text string to the configuration mode route map. The string has no functional impact on the route map.
The no description and default description commands remove the text string from the configuration mode route map by deleting the corresponding description command from running-config.
Command Mode
Route-Map Configuration
Command Syntax
description label_text
no description
default description
Parameters
label_text Character string assigned to the route map configuration.
Related Command
Example
switch(config)# route-map XYZ-1
switch(config-route-map-XYZ-1)# description This is the first map.
switch(config-route-map-XYZ-1)# exit
switch(config)# show route-map XYZ-1
route-map XYZ-1 permit 10
Description:
description This is the first map.
Match clauses:
Set clauses:
switch(config)#
The hardware access-list resource sharing vlan in command enables the IPv4 Ingress Sharing of hardware resources on the switch when the same ACL is applied on different VLANs.
The no hardware access-list resource sharing vlan in command disables the IPv4 Ingress Sharing of hardware resources on the switch.
Command Mode
Global Configuration
Command Syntax
hardware access-list resource sharing vlan in
no hardware access-list resource sharing vlan in
Use the show platform trident command to verify the Ingress IPv4 Sharing information.
The hardware access-list resource sharing vlan ipv4 out command enables the IPv4 Egress RACL TCAM sharing on the switch.
The no hardware access-list resource sharing vlan ipv4 out command disables the IPv4 Egress RACL TCAM sharing on the switch. By default, the IPv4 Egress RACL sharing is enabled on the switch.
Command Mode
Global Configuration
Command Syntax
hardware access-list resource sharing vlan ipv4 out
no hardware access-list resource sharing vlan ipv4 out
Example
switch# show running-config all | include sharing
hardware access-list resource sharing vlan ipv4 out
The command returns this output if IPv4 RACL sharing is enabled.
The hardware access-list update default-result permit command configures the switch to permit all traffic on Ethernet and VLAN interfaces with ACLs applied to them while those ACLs are being modified. The permit window begins when the ACL is opened for modification using one of the ip access-list commands, and ends when the ACL configuration mode is exited and the rules are populated in hardware. This command is disabled by default.
The no hardware access-list update default-result permit and default hardware access-list update default-result permit commands restore the switch to its default state (blocking traffic during ACL modifications) by removing the corresponding hardware access-list update default-result permit command from the running-config.
Command Mode
Global Configuration
Command Syntax
hardware access-list update default-result permit
no hardware access-list update default-result permit
default hardware access-list update default-result permit
Restrictions
This command is available on the Arista 7050X, 7060X, 7150, 7250X, 7280, 7280R, 7300X, 7320X, and 7500 series switches.
This command does not support egress ACLs.
While this command is enabled, static NAT and ACL-based mirroring are affected during ACL updates.
Example
switch(config)# hardware access-list update default-result permit
switch(config)#
The hardware counter feature acl out command enables egress ACL hardware counters for IPv4 or IPv6, which count the number of packets hitting rules associated with egress ACLs applied to various interfaces on a switch.
The no hardware counter feature acl out and default hardware counter feature acl out commands disable or return the egress ACL hardware counters to the default state.
Command Mode
Global Configuration
Command Syntax
hardware counter feature acl out [OPTIONS]
no hardware counter feature acl out [OPTIONS]
default hardware counter feature acl out [OPTIONS]
switch(config)# hardware counter feature acl out ipv4
switch(config)#
switch(config)# no hardware counter feature acl out ipv4
switch(config)#
The ip access-group (Service ACLs) command configures a Service ACL to be applied by a control-plane service. The service is specified by the command mode in which the Service ACL is applied.
The no ip access-group (Service ACLs) and default ip access-group (Service ACLs) commands remove the corresponding ip access-group (Service ACLs) command from running-config.
Command Mode
Mgmt-SSH Configuration
Mgmt-API Configuration
Router-BGP Configuration
Router-OSPF Configuration
Router-IGMP Configuration
MPLS-LDP Configuration
Queue-Monitor-Streaming Configuration
MPLS-Ping Configuration
Mgmt-Telnet Configuration
Command Syntax
ip access-group acl_name [vrf vrf_name][in]
no ip access-group acl_name [vrf vrf_name][in]
default ip access-group acl_name [vrf vrf_name][in]
Parameters
Example
(config)# router bgp 5
(config-router-bgp)# vrf purple
(config-router-bgp-vrf-purple)# ip access-group bgpacl
For additional configuration examples, see Configuring Service ACLs and Displaying Status and Counters.
The ip access-group command applies an IPv4 or standard IPv4 Access Control List (ACL) to the configuration mode interface or subinterface.
The no ip access-group and default ip access-group commands remove the corresponding ip access-group command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ip access-group list_name DIRECTION
no ip access-group list_name DIRECTION
default ip access-group list_name DIRECTION
Restrictions
Filtering of outbound packets by ACLs is not supported on Petra platform switches.
Filtering of outbound packets by ACLs on FM6000 switches is supported on physical interfaces only (Ethernet and port channels).
ACLs on sub-interfaces are supported on DCS-7280E, DCS-7500E, DCS-7280R, and DCS-7500R.
Example
switch(config)# interface ethernet 3
switch(config-if-Et3)# ip access-group test2 in
switch(config-if-Et3)#
The ip access-list command places the switch in ACL configuration mode, which is a group change mode that modifies an IPv4 access control list. The command specifies the name of the IPv4 ACL that subsequent commands modify and creates an ACL if it references a nonexistent list. All changes in a group change mode edit session are pending until the end of the session.
The exit command saves pending ACL changes to running-config, then returns the switch to global configuration mode. ACL changes are also saved by entering a different configuration mode.
The abort command discards pending ACL changes, returning the switch to global configuration mode.
The no ip access-list and default ip access-list commands delete the specified IPv4 ACL.
Command Mode
Global Configuration
Command Syntax
ip access-list list_name
no ip access-list list_name
default ip access-list list_name
Parameters
list_name Name of ACL. Must begin with an alphabetic character. Cannot contain spaces or quotation marks.
switch(config)# ip access-list filter1
switch(config-acl-filter1)#
switch(config-acl-filter1)# exit
switch(config)#
switch(config-acl-filter1)# abort
switch(config)#
The ip access-list standard command places the switch in std-ACL configuration mode, which is a group change mode that modifies a standard IPv4 access control list. The command specifies the name of the standard IPv4 ACL that subsequent commands modify, and creates an ACL if it references a nonexistent list. All group change mode edit session changes are pending until the session ends.
The exit command saves pending ACL changes to running-config, then returns the switch to global configuration mode. Pending changes are also saved by entering a different configuration mode.
The abort command discards pending ACL changes, returning the switch to global configuration mode.
The no ip access-list standard and default ip access-list standard commands delete the specified ACL.
Command Mode
Global Configuration
Command Syntax
ip access-list standard list_name
no ip access-list standard list_name
default ip access-list standard list_name
Parameters
list_name Name of standard ACL. Must begin with an alphabetic character. Cannot contain spaces or quotation marks.
switch(config)# ip access-list standard filter2
switch(config-std-acl-filter2)#
switch(config-std-acl-filter2)# exit
switch(config)#
switch(config-std-acl-filter2)# abort
switch(config)#
The ip prefix-list command creates a prefix list or adds an entry to an existing list. Route map match commands use prefix lists to filter routes for redistribution into OSPF, RIP, or BGP domains.
A prefix list comprises all prefix list entries with the same label. The sequence numbers of the rules in a prefix list specify the order that the rules are applied to a route that the match command is evaluating.
The no ip prefix-list and default ip prefix-list commands delete the specified prefix list entry by removing the corresponding ip prefix-list statement from running-config. If the no or default ip prefix-list command does not list a sequence number, the command deletes all entries of the prefix list.
Command Mode
Global Configuration
Command Syntax
ip prefix-list list_name [SEQUENCE] FILTER_TYPE network_addr [MASK]
no ip prefix-list list_name [SEQUENCE]
default ip prefix-list list_name [SEQUENCE]
switch(config)# ip prefix-list route-one
switch(config-ip-pfx)#
switch(config)# ip prefix-list route-one
switch(config-ip-pfx)# seq 10 deny 10.1.1.0/24
switch(config-ip-pfx)# seq 20 deny 10.1.0.0/16
switch(config-ip-pfx)# seq 30 permit 12.15.4.9/32
switch(config-ip-pfx)# seq 40 deny 1.1.1.0/24
The ipv6 access-group command applies an IPv6 or standard IPv6 Access Control List (ACL) to the configuration mode interface.
The no ipv6 access-group and default ipv6 access-group commands remove the corresponding ipv6 access-group command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Interface-VLAN Configuration
Command Syntax
ipv6 access-group list_name DIRECTION
no ipv6 access-group list_name DIRECTION
default ipv6 access-group list_name DIRECTION
Examples
switch(config)# interface ethernet 3
switch(config-if-Et3)# ipv6 access-group test2 in
switch(config-if-Et3)#
The ipv6 access-group (Service ACLs) command configures an IPv6 or standard IPv6 Service ACL to be applied by a control-plane service. The service is specified by the command mode in which the Service ACL is applied.
The no ipv6 access-group (Service ACLs) and default ipv6 access-group (Service ACLs) commands remove the corresponding ipv6 access-group (Service ACLs) command from running-config.
Command Mode
Mgmt-SSH Configuration
Mgmt-API Configuration
Router-BGP Configuration
Router-OSPF Configuration
MPLS-LDP Configuration
Queue-Monitor-Streaming Configuration
MPLS-Ping Configuration
Mgmt-Telnet Configuration
Command Syntax
ipv6 access-group ipv6_acl_name [vrf vrf_name][in]
no ipv6 access-group [ipv6_acl_name][vrf vrf_name][in]
default ipv6 access-group ipv6_acl_name [vrf vrf_name][in]
Parameters
Example
(config)# router bgp 5
(config-router-bgp)# vrf purple
(config-router-bgp-vrf-purple)# ipv6 access-group bgpacl
For additional configuration examples, see Configuring Service ACLs and Displaying Status and Counters.
The ipv6 access-list command places the switch in IPv6-ACL configuration mode, which is a group change mode that modifies an IPv6 access control list. The command specifies the name of the IPv6 ACL that subsequent commands modify and creates an ACL if it references a nonexistent list. All changes in a group change mode edit session are pending until the end of the session.
The exit command saves pending ACL changes to running-config, then returns the switch to global configuration mode. ACL changes are also saved by entering a different configuration mode.
The abort command discards pending ACL changes, returning the switch to global configuration mode.
The no ipv6 access-list and default ipv6 access-list commands delete the specified IPv6 ACL.
Command Mode
Global Configuration
Command Syntax
ipv6 access-list list_name
no ipv6 access-list list_name
default ipv6 access-list list_name
Parameters
list_name Name of ACL. Must begin with an alphabetic character. Cannot contain spaces or quotation marks.
switch(config)# ipv6 access-list filter1
switch(config-ipv6-acl-filter1)#
switch(config-ipv6-acl-filter1)# exit
switch(config)#
switch(config-ipv6-acl-filter1)# abort
switch(config)#
The ipv6 access-list standard command places the switch in std-IPv6-ACL-configuration mode, which is a group change mode that modifies a standard IPv6 access control list. The command specifies the name of the standard IPv6 ACL that subsequent commands modify and creates an ACL if it references a nonexistent list. All group change mode edit session changes are pending until the session ends.
The exit command saves pending ACL changes to running-config, then returns the switch to global configuration mode. Pending changes are also saved by entering a different configuration mode.
The abort command discards pending ACL changes, returning the switch to global configuration mode.
The no ipv6 access-list standard and default ipv6 access-list standard commands delete the specified ACL.
Command Mode
Global Configuration
Command Syntax
ipv6 access-list standard list_name
no ipv6 access-list standard list_name
default ipv6 access-list standard list_name
Parameters
list_name Name of ACL. Must begin with an alphabetic character. Cannot contain spaces or quotation marks.
switch(config)# ipv6 access-list standard filter2
switch(config-std-ipv6-acl-filter2)#
switch(config-std-ipv6-acl-filter2)# exit
switch(config)#
switch(config-std-ipv6-acl-filter2)# abort
switch(config)#
The ipv6 prefix-list command places the switch in IPv6 prefix-list configuration mode, which is a group change mode that modifies an IPv6 prefix list. The command specifies the name of the IPv6 prefix list that subsequent commands modify and creates a prefix list if it references a nonexistent list. All changes in a group change mode edit session are pending until the end of the session.
The exit command saves pending prefix list changes to running-config, then returns the switch to global configuration mode. Pending changes are also saved by entering a different configuration mode.
The abort command discards pending changes, returning the switch to global configuration mode.
The no ipv6 prefix-list and default ipv6 prefix-list commands delete the specified IPv6 prefix list.
Command Mode
Global Configuration
Command Syntax
ipv6 prefix-list list_name
no ipv6 prefix-list list_name
default ipv6 prefix-list list_name
Parameter
list_name Name of prefix list. Must begin with an alphabetic character. Cannot contain spaces or quotation marks.
switch(config)# ipv6 prefix-list route-five
switch(config-ipv6-pfx)#
switch(config-ipv6-pfx)# exit
switch(config)#
switch(config-ipv6-pfx)# interface ethernet 3
switch(config-if-Et3)#
switch(config-ipv6-pfx)# abort
switch(config)#
The mac access-group command applies a MAC Access Control List (MAC ACL) to the configuration mode interface.
The no mac access-group and default mac access-group commands remove the specified mac access-group command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Command Syntax
mac access-group list_name DIRECTION
no mac access-group list_name DIRECTION
default mac access-group list_name DIRECTION
Restrictions
Filtering of outbound packets by MAC ACLs is supported only on Helix, Trident, and Trident II platform switches.
Example
switch(config)# interface ethernet 3
switch(config-if-Et3)# mac access-group mtest2 in
switch(config-if-Et3)#
The mac access-list command places the switch in MAC-ACL configuration mode, which is a group change mode that modifies a MAC access control list. The command specifies the name of the MAC ACL that subsequent commands modify and creates an ACL if it references a nonexistent list. All changes in a group change mode edit session are pending until the end of the session.
The exit command saves pending ACL changes to running-config, then returns the switch to global configuration mode. ACL changes are also saved by entering a different configuration mode.
The abort command discards pending ACL changes, returning the switch to global configuration mode.
The no mac access-list and default mac access-list commands delete the specified list.
Command Mode
Global Configuration
Command Syntax
mac access-list list_name
no mac access-list list_name
default mac access-list list_name
Parameters
list_name Name of MAC ACL. Names must begin with an alphabetic character and cannot contain a space or quotation mark.
switch(config)# mac access-list mfilter1
switch(config-mac-acl-mfilter1)#
switch(config-mac-acl-mfilter1)# exit
switch(config)#
switch(config-mac-acl-mfilter1)# interface ethernet 3
switch(config-if-Et3)#
switch(config-mac-acl-mfilter1)# abort
switch(config)#
The match command creates a route map statement entry that specifies one route filtering command. When a statement contains multiple match commands, the permit or deny filter applies to a route only if its properties are equal to the corresponding parameters in each match command. When a route's properties do not equal the command parameters, the route is evaluated against the next statement in the route map, as determined by sequence number. If all statements fail to permit or deny the route, the route is denied.
The no match and default match commands remove the match command from the configuration mode route map statement by deleting the corresponding command from running-config.
Command Mode
Route-Map Configuration
Command Syntax
match CONDITION
no match CONDITION
default match CONDITION
Related Command
Example
switch(config)# route-map map1
switch(config-route-map-map1)# match as 15
switch(config-route-map-map1)#
The no <sequence number> command removes the rule with the specified sequence number from the ACL. The default <sequence number> command also removes the specified rule.
Command Mode
ACL Configuration
IPv6-ACL Configuration
Std-ACL Configuration
Std-IPv6-ACL Configuration
MAC-ACL Configuration
Command Syntax
no line_num
default line_num
Parameters
line_num Sequence number of rule to be deleted. Values range from 1 to 4294967295.
Example
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
switch(config-acl-test1)# no 30
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
40 permit ip any any
50 remark end of list
The permit command adds a permit rule to the configuration mode IPv4 Access Control List (ACL). Packets filtered by a permit rule are accepted by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no permit and default permit commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes a specified rule from the ACL.
Command Mode
ACL Configuration
Command Syntax
[SEQ_NUM] permit PROTOCOL SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT][FLAGS][MESSAGE][fragments][tracked][DSCP_FILTER][TTL_FILTER][log]
no permit PROTOCOL SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT][FLAGS][MESSAGE][fragments][tracked][DSCP_FILTER][TTL_FILTER][log]
default permit PROTOCOL SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT][FLAGS][MESSAGE][fragments][tracked][DSCP_FILTER][TTL_FILTER][log]
Commands use a subset of the listed fields. Available parameters depend on specified protocol. Use CLI syntax assistance to view options for specific protocols when creating a permit rule.
Source and destination subnet addresses support discontiguous masks.
switch(config)# ip access-list text1
switch(config-acl-text1)# permit ospf 10.1.1.0/24 any
switch(config-acl-text1)#
switch(config-acl-text1)# 25 permit pim any any
switch(config-acl-text1)#
switch(config)# ip access-list acl1
switch(config-acl-acl1)# permit vlan 1234 0x0 ip any any
The permit command adds a permit rule to the configuration mode IPv6 Access Control List (ACL). Packets filtered by a permit rule are accepted by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL’s last rule.
The no permit and default permit commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes a specified rule from the ACL.
Command Mode
IPv6-ACL Configuration
Command Syntax
[SEQ_NUM] permit PROT SRC_ADDR [SRC_PT] DEST_ADDR [DEST_PT] [FLAG] [MSG] [HOP] [tracked] [DSCP_FILTER] [FLOW_LABEL] [log]
no permit PROT SRC_ADDR [SRC_PT] DEST_ADDR [DEST_PT] [FLAG] [MSG] [HOP] [tracked] [DSCP_FILTER] [FLOW_LABEL] [log]
default permit PROT SRC_ADDR [SRC_PT] DEST_ADDR [DEST_PT] [FLAG] [MSG] [HOP] [tracked] [DSCP_FILTER] [FLOW_LABEL] [log]
switch(config)# ipv6 access-list acl1
switch(config-acl-acl1)# permit ipv6 3710:249a:c643:ef11::/64 any
switch(config-acl-acl1)# exit
switch(config)#
switch(config)# ip access-list acl2
switch(config-acl-acl2)# permit ipv6 vlan 1234 0x0 ip any any
switch(config-acl-acl2)# exit
switch(config)#
switch(config)# ipv6 access-list acl3
switch(config-acl-acl3)# permit ipv6 any any flow-label eq 23
switch(config-acl-acl3)# exit
switch(config)#
switch(config)# ipv6 access-list acl4
switch(config-acl-acl4)# permit ipv6 any any flow-label 23 0x5678
switch(config-acl-acl4)# exit
switch(config)#
The permit command adds a rule to the configuration mode IPv6 prefix list. Route map match commands use prefix lists to filter routes for redistribution into OSPF, RIP, or BGP domains. Routes are redistributed into the specified domain when they match the prefix that a permit statement specifies.
The no permit and default permit commands remove the specified rule from the configuration mode prefix list. The no seq (IPv6 Prefix Lists) command also removes the specified rule from the prefix list.
Command Mode
IPv6-pfx Configuration
Command Syntax
[SEQUENCE] permit ipv6_prefix [MASK]
Example
switch(config)# ipv6 prefix-list route-five
switch(config-ipv6-pfx)# permit 3100::/64
switch(config-ipv6-pfx)#
The permit command adds a permit rule to the configuration mode MAC access control list, which permits matching packets through the interface to which the list is applied. Rule filters include protocol, source, and destination.
The no permit and default permit commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
MAC-ACL Configuration
Command Syntax
[SEQ_NUM] permit SOURCE_ADDR DEST_ADDR [PROTOCOL][log]
no permit SOURCE_ADDR DEST_ADDR [PROTOCOL][log]
default permit SOURCE_ADDR DEST_ADDR [PROTOCOL][log]
mac_address Specifies a MAC address in 3x4 dotted hexadecimal notation (hhhh.hhhh.hhhh).
switch(config)# mac access-list text1
switch(config-mac-acl-text1)# permit 10.1000.0000 0.0.FFFF any aarp
switch(config-mac-acl-text1)#
switch(config-mac-acl-text1)# 25 permit any any
switch(config-mac-acl-text1)#
The permit command adds a permit rule to the configuration mode standard IPv4 Access Control List (ACL). Standard ACL rules filter on the source field.
Packets filtered by a permit rule are accepted by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no permit and default permit commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
Std-ACL Configuration
Command Syntax
[SEQ_NUM] permit SOURCE_ADDR [log]
no permit SOURCE_ADDR [log]
default permit SOURCE_ADDR [log]
Subnet addresses support discontiguous masks.
Example
switch(config)# ip access-list standard text1
switch(config-std-acl-text1)# permit 10.1.1.1/24
switch(config-std-acl-text1)#
The permit command adds a permit rule to the configuration mode standard IPv6 access control list. Standard ACL rules filter on the source field.
Packets filtered by a permit rule are accepted by interfaces to which the ACL is applied. Sequence numbers determine rule placement in the ACL. Sequence numbers for commands without numbers are derived by adding 10 to the number of the ACL's last rule.
The no permit and default permit commands remove the specified rule from the configuration mode ACL. The no <sequence number> (ACLs) command also removes the specified rule from the ACL.
Command Mode
Std-IPv6-ACL Configuration
Command Syntax
[SEQ_NUM] permit SOURCE_ADDR
no permit SOURCE_ADDR
default permit SOURCE_ADDR
Example
switch(config)# ipv6 access-list standard text1
switch(config-std-acl-ipv6-text1)# permit 2103::/64
switch(config-std-acl-ipv6-text1)#
The remark command adds a non-executable comment statement into the pending ACL. Remarks entered without a sequence number are appended to the end of the list. Remarks entered with a sequence number are inserted into the list as specified by the sequence number.
The default remark command removes the comment statement from the ACL.
The no remark command removes the comment statement from the ACL. The command can specify the remark by content or by sequence number.
Command Mode
ACL Configuration
IPv6-ACL Configuration
Std-ACL Configuration
Std-IPv6-ACL Configuration
MAC-ACL Configuration
Command Syntax
remark text
line_num remark [text]
no remark text
default remark text
Example
switch(config-acl-test1)# remark end of list
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
The resequence command assigns sequence numbers to rules in the configuration mode ACL. Command parameters specify the number of the first rule and the numeric interval between consecutive rules.
Maximum rule sequence number is 4294967295.
Command Mode
ACL Configuration
IPv6-ACL Configuration
Std-ACL Configuration
Std-IPv6-ACL Configuration
MAC-ACL Configuration
Command Syntax
resequence [start_num [inc_num]]
Example
The resequence command re-numbers the list, starting the first command at number 100 and incrementing subsequent lines by 20.
switch(config-acl-test1)# show
IP Access List test1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
switch(config-acl-test1)# resequence 100 20
switch(config-acl-test1)# show
IP Access List test1
100 permit ip 10.10.10.0/24 any
120 permit ip any host 10.20.10.1
140 deny ip host 10.10.10.1 host 10.20.10.1
160 permit ip any any
180 remark end of list
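The sequence-number handling described in the permit, no <sequence number> and resequence sections, modelled in Python as an added example (not Arista code), together with a check for rules that an earlier rule already covers. It assumes the first rule of an empty list is numbered 10, that resequence defaults to a start of 10 and a step of 10, and that the ACL is evaluated in sequence order with the first matching rule deciding; only protocol, source and destination are parsed, and AclSession and its methods are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str            # "permit", "deny" or "remark"
    text: str              # rule exactly as typed, without its sequence number
    proto: str = ""
    src: object = None     # ipaddress.IPv4Network for permit/deny rules
    dst: object = None


def take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(text):
    tokens = text.split()
    action = tokens.pop(0)
    if action == "remark":
        return Rule("remark", text)
    proto = tokens.pop(0)
    src = take_addr(tokens)
    dst = take_addr(tokens)
    return Rule(action, text, proto, src, dst)


class AclSession:
    """Hypothetical model of a pending IPv4 ACL, keyed by sequence number."""

    def __init__(self, lines=()):
        self.rules = {}
        for line in lines:
            self.add(line)

    def add(self, text, seq=None):
        # Unnumbered commands get the last rule's number plus 10.
        if seq is None:
            seq = max(self.rules, default=0) + 10
        self.rules[seq] = parse_rule(text)
        return seq

    def no(self, seq):
        # "no <sequence number>" removes that rule; other numbers are unchanged.
        self.rules.pop(seq, None)

    def resequence(self, start=10, inc=10):
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {start + i * inc: r for i, r in enumerate(ordered)}

    def show(self):
        return [f"{s} {self.rules[s].text}" for s in sorted(self.rules)]

    def shadowed(self):
        """List (seq, covering_seq, kind) for rules an earlier rule fully covers."""
        findings = []
        seqs = [s for s in sorted(self.rules) if self.rules[s].action != "remark"]
        for i, s in enumerate(seqs):
            rule = self.rules[s]
            for e in seqs[:i]:
                early = self.rules[e]
                if (early.proto in ("ip", rule.proto)
                        and rule.src.subnet_of(early.src)
                        and rule.dst.subnet_of(early.dst)):
                    # Same action: the later rule is dead weight.
                    # Different action: the later rule never takes effect.
                    kind = "redundant" if early.action == rule.action else "conflict"
                    findings.append((s, e, kind))
                    break
        return findings


# The test1 list shown on this page.
TEST1 = [
    "permit ip 10.10.10.0/24 any",
    "permit ip any host 10.20.10.1",
    "deny ip host 10.10.10.1 host 10.20.10.1",
    "permit ip any any",
    "remark end of list",
]

if __name__ == "__main__":
    acl = AclSession(TEST1)
    print(acl.shadowed())          # rule 30 is covered by rule 10
    acl.resequence(100, 20)
    print("\n".join(acl.show()))
```

Renumbering changes only the sequence numbers, so a rule that was covered before resequence is still covered afterwards; the order has to change to fix it.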
The route-map command places the switch in route map configuration mode, which is a group change mode that modifies a route map statement. The command specifies the name and number of the route map statement that subsequent commands modify and creates a route map statement if it references a nonexistent statement. All changes in a group change mode edit session are pending until the end of the session.
Route maps define commands for redistributing routes between routing protocols. A route map statement is identified by a name, filter type (permit or deny), and sequence number. Statements with the same name are components of a single route map; the sequence number determines the order in which the statements are compared to a route.
The exit command saves pending route map statement changes to running-config, then returns the switch to global configuration mode. Pending changes are also saved by entering a different configuration mode.
The abort command discards pending changes, returning the switch to global configuration mode.
The no route-map and default route-map commands delete the specified route map statement from running-config.
Command Mode
Global Configuration
Command Syntax
route-map map_name [FILTER_TYPE] [sequence_number]
no route-map map_name [FILTER_TYPE] [sequence_number]
default route-map map_name [FILTER_TYPE][sequence_number]
switch(config)# route-map map1 permit 20
switch(config-route-map-map1)#
switch(config-route-map-map1)# exit
switch(config)#
switch(config-route-map-map1)# interface ethernet 3
switch(config-if-Et3)#
switch(config-route-map-map1)# abort
switch(config)#
The no seq command removes the rule with the specified sequence number from the ACL. The default seq command also removes the specified rule.
The seq keyword is a command option used at the beginning of deny (IPv6 Prefix List) and permit (IPv6 Prefix List) commands that places a new rule between two existing rules.
Command Mode
IPv6-pfx Configuration
Command Syntax
no seq line_num
default seq line_num
Parameters
line_num Sequence number of rule to be deleted. Valid rule numbers range from 0 to 65535.
Example
switch(config)# ipv6 prefix-list map1
switch(config-ipv6-pfx)# no seq 20
switch(config-ipv6-pfx)# exit
switch(config)# show ipv6 prefix-list map1
ipv6 prefix-list map1
seq 10 permit 3:4e96:8ca1:33cf::/64
seq 15 deny 3:4400::/64
seq 30 permit 3:1bca:3ff2:634a::/64
seq 40 permit 3:1bca:1141:ab34::/64
switch(config)#
The set command specifies modifications to routes that are selected for redistribution by the configuration mode route map.
The no set and default set commands remove the specified set command from the configuration mode route map statement by deleting the corresponding set command from running-config.
Command Mode
Route-Map Configuration
Command Syntax
set CONDITION
no set CONDITION
default set CONDITION
Example
switch(config)# route-map map1
switch(config-route-map-map1)# set local-preference 100
switch(config-route-map-map1)#
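The evaluation order described in the match and route-map sections, with a set applied on permit, modelled in Python as an added example (not Arista code): every match in a statement must hold, statements are tried in sequence order, and a route that no statement matches is denied. The prefix list is map1 as listed on this page; the route map and the routes are constructed. The prefix-list matching rules (exact length unless ge/le is given, first matching entry decides, no match means deny), the route dictionary with a single "as" field, and all class and function names are assumptions.

```python
import ipaddress


class PrefixList:
    """IPv6 prefix list; entries are (seq, action, prefix, ge, le)."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e[0])

    def permits(self, route_prefix):
        net = ipaddress.ip_network(route_prefix)
        for _seq, action, prefix, ge, le in self.entries:
            base = ipaddress.ip_network(prefix)
            if ge is None and le is None:
                lo = hi = base.prefixlen              # exact length only
            else:
                lo = ge if ge is not None else base.prefixlen
                hi = le if le is not None else base.max_prefixlen
            if lo <= net.prefixlen <= hi and net.subnet_of(base):
                return action == "permit"             # first matching entry decides
        return False                                  # assumed: no match means deny


class RouteMap:
    """Statements that share one route map name, ordered by sequence number."""

    def __init__(self):
        self.statements = []

    def statement(self, seq, filter_type, matches=(), sets=None):
        self.statements.append((seq, filter_type, list(matches), dict(sets or {})))
        self.statements.sort(key=lambda s: s[0])

    def evaluate(self, route):
        """Return the (possibly modified) route if permitted, otherwise None."""
        for _seq, filter_type, matches, sets in self.statements:
            if all(match(route) for match in matches):   # every match must hold
                if filter_type == "deny":
                    return None
                return {**route, **sets}                 # apply the set commands
        return None                                      # no statement matched: denied


def match_as(number):
    return lambda route: route["as"] == number


def match_prefix_list(plist):
    return lambda route: plist.permits(route["prefix"])


# map1 as shown by "show ipv6 prefix-list map1" on this page.
MAP1 = PrefixList([
    (10, "permit", "3:4e96:8ca1:33cf::/64", None, None),
    (15, "deny", "3:4400::/64", None, None),
    (20, "permit", "3:11b1:8fe4:1aac::/64", None, None),
    (30, "permit", "3:1bca:3ff2:634a::/64", None, None),
    (40, "permit", "3:1bca:1141:ab34::/64", None, None),
])


def build_route_map():
    """Constructed route map: three statements under one name."""
    rm = RouteMap()
    rm.statement(10, "permit", [match_prefix_list(MAP1), match_as(15)],
                 {"local_pref": 100})                   # set local-preference 100
    rm.statement(20, "deny", [match_as(15)])
    rm.statement(30, "permit", [match_as(64500)])
    return rm


if __name__ == "__main__":
    rm = build_route_map()
    for prefix, asn in [("3:4e96:8ca1:33cf::/64", 15),      # permitted by 10
                        ("3:4400::/64", 15),                # denied by 20
                        ("3:4e96:8ca1:33cf:1::/80", 15),    # too specific: denied by 20
                        ("3:1bca:3ff2:634a::/64", 64501)]:  # no statement matches
        print(prefix, asn, rm.evaluate({"prefix": prefix, "as": asn, "local_pref": None}))
```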
The set as-path match command configures the AS_PATH attribute for prefixes that are either received from a BGP neighbor or advertised to a BGP neighbor in the route map configuration mode.
The no set as-path match command removes the AS path specified for the BGP prefix.
Command Mode
Route-Map Configuration
Command Syntax
set as-path match all replacement [[none | auto] as_path]
no set as-path match all replacement [[none | auto] as_path]
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 302 i
* > 202.202.1.0/24 80.80.1.1 - - - 200 i
switch# configure terminal
switch(config)# route-map foo permit 10
switch(config-route-map-foo)# set as-path match all replacement none
switch(config-route-map-foo)# exit
switch(config)# router bgp 200
switch(config-router-bgp)# neighbor 80.80.1.2 route-map foo out
switch(config-router-bgp)# end
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 i
* > 202.202.1.0/24 80.80.1.1 - - - 200 i
switch(config)# route-map foo permit 10
switch(config-route-map-foo)# set as-path match all replacement auto
switch(config-route-map-foo)# end
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 200 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 200 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 200 i
* > 202.202.1.0/24 80.80.1.1 - - - 200 200 i
The AS-Path of matching prefixes is replaced with the locally configured AS 200.
switch(config)# route-map foo permit 10
switch(config-route-map-foo)# set as-path match all replacement 500 600
switch(config-route-map-foo)# end
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 500 600 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 500 600 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 500 600 i
* > 202.202.1.0/24 80.80.1.1 - - - 200 500 600 i
The AS-Path of matching prefixes is replaced with 500 600 as configured.
switch(config)# route-map foo permit 10
switch(config-route-map-foo)# set as-path match all replacement auto 500 600
switch(config-route-map-foo)# end
switch# show ip bgp neighbors 80.80.1.2 advertised-routes
BGP routing table information for VRF default
Router identifier 202.202.1.1, local AS number 200
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E
- ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast, q - Queued
for advertisement
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop -
Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* > 101.101.1.0/24 80.80.1.1 - - - 200 200 500 600 i
* > 102.102.1.0/24 80.80.1.1 - - - 200 200 500 600 i
* > 103.103.1.0/24 80.80.1.1 - - - 200 200 500 600 i
* > 202.202.1.0/24 80.80.1.1 - - - 200 200 500 600 i
The AS-Path of matching prefixes is replaced with the locally configured AS 200 and 500 600.
The set as-path prepend command adds a set statement to a route map to prepend one or more Autonomous System (AS) numbers to the AS_PATH attribute of a BGP route.
The no set as-path prepend and default set as-path prepend commands remove the specified set statements from the route map and update all corresponding routes.
Command Mode
Route-Map Configuration
Command Syntax
set as-path prepend {{auto | as_number... [auto | as_number]} | last-as count}
no set as-path prepend {{auto | as_number... [auto | as_number]} | last-as count}
default set as-path prepend {{auto | as_number... [auto | as_number]} | last-as count}
switch(config)# route-map map1
switch(config-route-map-map1)# set as-path prepend 64496 auto auto
switch(config-route-map-map1)# exit
switch(config)# show route-map map1
route-map map1 permit 10
Description:
Match clauses:
SubRouteMap:
Set clauses:
set as-path prepend 64496 auto auto
switch(config)#
switch(config)# route-map map2
switch(config-route-map-map2)# set as-path prepend 64496 64498 1.16
switch(config-route-map-map2)# exit
switch(config)# show route-map map2
route-map map2 permit 10
Description:
Match clauses:
SubRouteMap:
Set clauses:
set as-path prepend 64496 64498 65552
switch(config)#
switch(config)# route-map map3
switch(config-route-map-map3)# set as-path prepend last-as 12
switch(config-route-map-map3)# exit
switch(config)# show route-map map3
route-map map3 permit 10
Description:
Match clauses:
SubRouteMap:
Set clauses:
set as-path prepend last-as 12
switch(config)#
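What the replacement forms in the set as-path match section do to the advertised path, which prefixes end up with a different origin AS, and the asdot conversion visible in the map2 prepend example (1.16 shown as 65552), as an added Python example (not Arista code). It models only the outbound eBGP case shown on this page, where auto stands for the local AS 200 and the local AS is prepended on advertisement; the function names are hypothetical.

```python
def to_asplain(token):
    """Convert an AS number written as asplain ('65552') or asdot ('1.16')."""
    if "." in token:
        high, low = (int(part) for part in token.split("."))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"invalid asdot value: {token}")
        return high * 65536 + low
    value = int(token)
    if not 0 <= value <= 4294967295:
        raise ValueError(f"AS number out of range: {token}")
    return value


def replacement_path(args, local_as):
    """AS list installed by 'set as-path match all replacement <args>' (outbound)."""
    path = []
    for token in args.split():
        if token == "none":
            continue                     # 'none' installs an empty path
        path.append(local_as if token == "auto" else to_asplain(token))
    return path


def advertised(path, local_as):
    """Path as the eBGP neighbor receives it: the local AS is prepended."""
    return [local_as] + path


def origin_changes(routes, args, local_as):
    """Return {prefix: (old_origin, new_origin)} where the rightmost AS changes."""
    new_adv = advertised(replacement_path(args, local_as), local_as)
    changes = {}
    for prefix, path in routes.items():
        old_adv = advertised(path, local_as)
        if old_adv[-1] != new_adv[-1]:
            changes[prefix] = (old_adv[-1], new_adv[-1])
    return changes


LOCAL_AS = 200
# Paths before the local AS is prepended, read off the first
# "show ip bgp neighbors 80.80.1.2 advertised-routes" output on this page.
ROUTES = {
    "101.101.1.0/24": [],
    "102.102.1.0/24": [],
    "103.103.1.0/24": [302],
    "202.202.1.0/24": [],
}

if __name__ == "__main__":
    for args in ("none", "auto", "500 600", "auto 500 600"):
        adv = advertised(replacement_path(args, LOCAL_AS), LOCAL_AS)
        print(f"replacement {args:<13} -> {adv}  origin changes: "
              f"{origin_changes(ROUTES, args, LOCAL_AS)}")
    print([to_asplain(t) for t in "64496 64498 1.16".split()])
```

Because the route map foo has no match command, the replacement applies to every advertised prefix, including 103.103.1.0/24, whose original path through AS 302 is no longer visible to the neighbor.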
The set community command specifies community attribute modifications to routes that are selected for redistribution by the configuration mode route map. The set community none command removes community attributes from the route.
The no set community and default set community commands remove the specified community from the configuration mode route map statement by deleting the corresponding statement from the running config.
Command Mode
Route-Map Configuration
Command Syntax
set community [GSHUT | aa:nn | community-list | internet | local-as | no-advertise | no-export | none | number]
no set community [GSHUT | aa:nn | additive | community-list | delete | internet | local-as | no-advertise | no-export | none | number]
default set community [GSHUT | aa:nn | additive | community-list | delete | internet | local-as | no-advertise | no-export | none | number]
Guideline
EOS does not support disabling the process of graceful shutdown community.
Example
switch(config-route-map-map1)# show active
route-map map1 permit 10
match community instances <= 50
set community 0:456 0:2345
switch(config-route-map-map1)# set community local-as
switch(config-route-map-map1)# ip community-list 345 permit 23
switch(config)# route-map map1
switch(config-route-map-map1)# show active
route-map map1 permit 10
match community instances <= 50
set community 0:456 0:2345 local-as
switch(config-route-map-map1)#
The set extcommunity command specifies extended community attribute modifications to routes that are selected for redistribution by the configuration mode route map. The set extcommunity none command removes extended community attributes from the route.
The no set extcommunity and default set extcommunity commands remove the specified set extcommunity command from the configuration mode route map statement by deleting the corresponding statement from running-config.
Command Mode
Route-Map Configuration
Command Syntax
set extcommunity COND_X [COND_2][COND_N][MOD_TYPE]
set extcommunity none
no set extcommunity COND_X [COND_2][COND_N][MOD_TYPE]
no set extcommunity none
default set extcommunity COND_X [COND_2][COND_N][MOD_TYPE]
default set extcommunity none
Example
switch(config)# route-map map1
switch(config-route-map-map1)# set extcommunity rt 10.13.2.4:100
switch(config-route-map-map1)#
Exiting the ACL configuration mode stores all pending ACL changes to running-config.
Command Mode
ACL Configuration
IPv6-ACL Configuration
Std-ACL Configuration
Std-IPv6-ACL Configuration
MAC-ACL Configuration
Command Syntax
show
show active
show comment
show diff
show pending
Examples
The examples in this section assume these ACL commands are entered as specified.
These commands are stored in running-config:
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.21.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
The current edit session removed this command. This change is not yet stored to running-config:
20 permit ip any host 10.21.10.1
The current edit session added these commands to the ACL. They are not yet stored to running-config:
20 permit ip 10.10.0.0/16 any
25 permit tcp 10.10.20.0/24 any
45 deny pim 239.24.124.0/24 10.5.8.4/30
switch(config-acl-test_1)# show active
IP Access List test_1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.21.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
50 remark end of list
switch(config-acl-test_1)# show pending
IP Access List test_1
10 permit ip 10.10.10.0/24 any
20 permit ip 10.10.0.0/16 any
25 permit tcp 10.10.20.0/24 any
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
45 deny pim 239.24.124.0/24 10.5.8.4/30
50 remark end of list
switch(config-acl-test_1)# show diff
---
+++
@@ -1,7 +1,9 @@
IP Access List test_1
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.21.10.1
20 permit ip 10.10.0.0/16 any
25 permit tcp 10.10.20.0/24 any
30 deny ip host 10.10.10.1 host 10.20.10.1
40 permit ip any any
45 deny pim 239.24.124.0/24 10.5.8.4/30
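Review bot: rule 45 ("deny pim 239.24.124.0/24 10.5.8.4/30") is placed after "40 permit ip any any", so if the list is evaluated in sequence order with the first match deciding, the deny never takes effect; give it a sequence number below 40. The added "25 permit tcp 10.10.20.0/24 any" is likewise already covered by the new "20 permit ip 10.10.0.0/16 any" and can be dropped or moved ahead of it if it is meant to carry its own counters or log option. The output as displayed has lost its leading - and + markers: per the session description above, the first line numbered 20 is the removed rule and the lines numbered 20, 25 and 45 that follow are the additions.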
The show hardware tcam profile command displays the hardware-specific information for the current operational TCAM profile in the running configuration.
This command is applicable to DCS-7280(E/R) and DCS-7500(E/R) series switches only.
Command Mode
EXEC
Command Syntax
show hardware tcam profile
Example
switch# show hardware tcam profile
Configuration Status
FixedSystem default default
The show ip access-list command displays the contents of IPv4 and standard IPv4 Access Control Lists (ACLs) on the switch. Use the summary option to display only the name of the lists and the number of lines in each list.
Command Mode
Privileged EXEC
Command Syntax
show ip access-list [LIST][SCOPE]
switch# show ip access-list list2
IP Access List list2
10 permit ip 10.10.10.0/24 any
20 permit ip any host 10.20.10.1
30 deny ip host 10.10.10.1 host 10.20.10.1
switch#
switch# show ip access-list summary
IPV4 ACL default-control-plane-acl
Total rules configured: 12
Configured on: control-plane
Active on : control-plane
IPV4 ACL list2
Total rules configured: 3
IPV4 ACL test1
Total rules configured: 6
Standard IPV4 ACL test_1
Total rules configured: 1
IPV4 ACL test_3
Total rules configured: 0
switch#
switch# show ip access-lists summary
IPV4 ACL default-control-plane-acl [readonly]
Total rules configured: 17
Configured on Ingress: control-plane(default VRF)
Active on Ingress: control-plane(default VRF)
IPV4 ACL ipAclLimitTest
Total rules configured: 0
Configured on Egress: Vl2148,2700
Active on Egress: Vl2148,2700
The show ip prefix-list command displays all rules for the specified IPv4 prefix list. The command displays all IPv4 prefix list rules if a prefix list name is not specified.
Command Mode
EXEC
Command Syntax
show ip prefix-list [DISPLAY_ITEMS]
Parameters
Example
switch(config-ip-pfx)# show ip prefix-list
ip prefix-list route-one
seq 10 deny 10.1.1.0/24
seq 20 deny 10.1.0.0/16
seq 30 permit 12.15.4.9/32
seq 40 deny 1.1.1.0/24
switch(config-ip-pfx)#
The show ipv6 access-list command displays the contents of all IPv6 Access Control Lists (ACLs) on the switch. Use the summary option to display only the name of the lists and the number of lines in each list.
Command Mode
Privileged EXEC
Command Syntax
show ipv6 access-list [LIST][SCOPE]
switch# show ipv6 access-list list2
IP Access List list2
10 permit ipv6 3891:3c58:6300::/64 any
20 permit ipv6 any host 2fe1:b468:024a::
30 deny ipv6 host 3411:91c1:: host 4210:cc23:d2de:::
switch#
switch# show ipv6 access-list summary
IPV6 ACL list2
Total rules configured: 3
IPV6 ACL test1
Total rules configured: 6
IPV6 ACL test_1
Total rules configured: 1
Standard IPV6 ACL test_3
Total rules configured: 0
switch#
The show ipv6 prefix-list command displays all rules for the specified IPv6 prefix list. The command displays all IPv6 prefix lists if a prefix list name is not specified.
Command Mode
EXEC
Command Syntax
show ipv6 prefix-list [DISPLAY_ITEMS]
Parameters
switch> show ipv6 prefix-list map1
ipv6 prefix-list map1
seq 10 permit 3:4e96:8ca1:33cf::/64
seq 15 deny 3:4400::/64
seq 20 permit 3:11b1:8fe4:1aac::/64
seq 30 permit 3:1bca:3ff2:634a::/64
seq 40 permit 3:1bca:1141:ab34::/64
switch>
switch> show ipv6 prefix-list
ipv6 prefix-list map1
seq 10 permit 3:4e96:8ca1:33cf::/64
seq 15 deny 3:4400::/64
seq 20 permit 3:11b1:8fe4:1aac::/64
seq 30 permit 3:1bca:3ff2:634a::/64
seq 40 permit 3:1bca:1141:ab34::/64
ipv6 prefix-list FREDD
ipv6 prefix-list route-five
ipv6 prefix-list map2
seq 10 deny 10:1:1:1::/64 ge 72 le 80
seq 20 deny 10:1::/32
switch>
The show mac access-list command displays the contents of all MAC Access Control Lists (ACLs) on the switch. Use the summary option to display only the name of the lists and the number of lines in each list.
Command Mode
Privileged EXEC
Command Syntax
show mac access-lists [LIST][SCOPE]
switch# show mac access-list mlist2
IP Access List mlist2
10 permit 1024.4510.F125 0.0.0 any aarp
20 permit any 4100.4500.0000 0.FF.FFFF novell
30 deny any any
switch#
switch# show mac access-list summary
MAC ACL mlist1
Total rules configured: 6
MAC ACL mlist2
Total rules configured: 3
MAC ACL mlist3
Total rules configured: 1
MAC ACL mlist4
Total rules configured: 0
switch#
The show platform arad acl tcam summary command displays the percentage of TCAM utilization per forwarding ASIC.
Command Mode
EXEC
Command Syntax
show platform arad acl tcam summary
Parameter
summary Displays the ACL TCAM summary.
Example
switch# show platform arad acl tcam summary
The total number of TCAM lines per bank is 1024.
========================================================
Arad3/0:
========================================================
Bank Used Used % Used By
1 4 0 IP RACLs
Total Number of TCAM lines used is: 4
========================================================
Arad3/4:
========================================================
Bank Used Used % Used By
1 2 0 IP RACLs
Total Number of TCAM lines used is: 2
The show platform arad acl tcam command displays the number of TCAM entries (hardware resources) occupied by the ACL on each forwarding ASIC.
This command is applicable only on DCS-7500E and DCS-7280E series switches.
Command Mode
EXEC
Command Syntax
show platform arad acl tcam [scope]
Parameters
switch# show platform arad acl tcam detail
ip access-list ipAclLimitTest (Shared RACL, 0 rules, 1 entries, direction out,
state success, Acl Label 2)
Fap: Arad0, Shared: true, Interfaces: Vl2148, Vl2700
Bank Offset Entries
0 0 1
Fap: Arad1, Shared: true, Interfaces: Vl2148
Bank Offset Entries
0 0 1
switch# show platform arad acl tcam summary
The total number of TCAM lines per bank is 1024.
========================================================
Arad0:
========================================================
Bank Used Used % Used By
0 1 0 IP Egress PACLs/RACLs
Total Number of TCAM lines used is: 1
========================================================
Arad1:
========================================================
Bank Used Used % Used By
0 1 0 IP Egress PACLs/RACLs
Total Number of TCAM lines used is: 1
The show platform arad mapping command displays the mapping between the interfaces and the forwarding ASICs.
Command Mode
EXEC
Command Syntax
show platform arad chip_name mapping
Parameter
chip_name Specifies the Arad chip name.
Example
switch# show platform arad arad3/0 mapping
Arad3/0 Port SysPhyPort Voq ( Fap,FapPort) Xlge Serdes
-------------------------------------------------------------------------------
Ethernet3/1/1 34 288 (0 , 2) n/a (20)
...............................................................................
The show platform fap acl command displays the ACL information of Sand platform devices.
Command Mode
Privileged EXEC
Command Syntax
show platform fap acl [ipkgv | l4ops | mirroring | opkgv | pmf | tcam | udf | vsicfg]
Guidelines
This command is supported on DCS-7280SE and DCS-7500E series platforms only.
Example
switch(config)# show platform fap acl mirroring
==============
Aggregate ACLs
==============
(list2:0->2) type=2; version=0
- list2 [ prio 0 ] => session 2
(list1:10->1,list3:20->3) type=0; version=13
- list3 [ prio 20 ] => session 3
- list1 [ prio 10 ] => session 1
======================
Interface-ACL Mapping
======================
Ethernet1 => (list1:10->1,list3:20->3) [ ipv4 ]
Ethernet33 => (list2:0->2) [ mac ]
The show platform fap tcam command displays the number of TCAM entries (hardware resources) occupied by the ACL on each forwarding ASIC of Sand platform devices.
Command Mode
Privileged EXEC
Command Syntax
show platform fap acl tcam [detail | diff | hw | shadow | summary]
Example
switch# show platform fap acl tcam detail
ip access-list ipAcl0000 (RACL, 1 rules, 2 entries, direction in, state success)
Shared: false
Interface: Vlan0002
-------------------
Fap: Arad3/0
Bank Offset Entries
1 0 2
Interface: Vlan0003
-------------------
Fap: Arad3/0
Bank Offset Entries
1 2 2
Fap: Arad3/4
Bank Offset Entries
1 0 2
The show platform fap acl tcam hw command displays the TCAM entries configured for each TCAM bank, including policy maps and the corresponding traffic match.
This command is applicable only on DCS-7280(E/R) and DCS-7500(E/R) series switches.
Command Mode
EXEC
Command Syntax
show platform fap fap_name acl tcam hw
Example
switch# show platform fap Arad1 acl tcam hw
================================================================================
Arad1 Bank 0 Type: dbPdpIp, dbPdpIp6, dbPdpMpls, dbPdpNonIp, dbPdpTunnel
================================================================================
----------------------------------------------------
|Offs|X|PR|TT|R|QI|V6MC|DPRT|SPRT|F|DEST |V|ACT |H|
----------------------------------------------------
|29 |4|59| | |01| | | | | |3|0008f|0|
| |4|59| | |01| | | | | |0|00000|0|
|30 |4|33| | |01| | | | | |3|0008f|0|
| |4|33| | |01| | | | | |0|00000|0|
|31 |4|32| | |01| | | | | |3|0008f|0|
| |4|32| | |01| | | | | |0|00000|0|
|32 |4| | | |01|ff02| | | | |3|00097|0|
| |4| | | |01|ff02| | | | |0|00000|0|
|33 |4|06| | |01| | |00b3| |26ffd|3|0009b|0|
| |4|06| | |01| | |00b3| |26ffd|0|00000|0|
|34 |4|06| | |01| |00b3| | |26ffd|3|0009b|0|
----------------------------------------------
|Offs|X|R|QI|DAHI|PT|DALO |DEST |V|ACT |H|
----------------------------------------------
-----------------------------------------------------------------------------
|Offs|X|TT0|QI|FOI|TT1|DEST |TT1P |PT|VX_DP|PN|F|MC|O|V|HDR OFFSETS |ACT |H|
================================================================================
Arad1 Bank 1 Type: dbIpQos
================================================================================
----------------------------------------------------------------------
|Offs|X|TC|CL|DPRT|SPRT|VQ|L4OPS |PP|PR|F|V4_DIP |V4_SIP |V|ACT |H|
----------------------------------------------------------------------
|0 |0| | | | | | |01| | | | |3|00000|0|
| |0| | | | | | |01| | | | |0|00000|0|
----------------------------------------------------------------------
<-------OUTPUT OMITTED FROM EXAMPLE-------->
The show platform fap acl tcam summary command displays, for each forwarding ASIC, the number of TCAM entries consumed per ACL type and the TCAM bank in which the entries are installed. A mirroring ACL does not consume TCAM resources unless it is attached to a mirroring source interface and a mirroring destination is configured. If the mirroring destination is a GRE tunnel, at least one nexthop entry for the tunnel destination must be resolved before a TCAM entry is installed.
Command Mode
EXEC
Command Syntax
show platform fap acl tcam summary
Example
switch# show platform fap acl tcam summary
========================================================
Arad0:
========================================================
Bank Used Used % Used By
0, 1 2 0 IP Mirroring
Total Number of TCAM lines used is: 4
========================================================
Arad1:
========================================================
Bank Used Used % Used By
2 1 0 Mac Mirroring
The show platform trident tcam command displays the TCAM entries configured for each TCAM group, including policy maps and the corresponding hits.
Command Mode
EXEC
Command Syntax
show platform trident tcam [acl | cpu-bound | detail | directed-broadcast | entry | mirror | pbr | pipe | qos | shared | summary]
Guidelines
This command is applicable only on DCS-7010, DCS-7050/DCS-7050X, DCS-7250X, and DCS-7300X series switches.
switch(config)# show platform trident tcam mirror
=== Mirroring ACLs on switch Linecard0/0 ===
Session: mir-sess2
INGRESS ACL mirAcl2* uses 2 entries
Assigned to ports: Ethernet32/1
switch# show platform trident tcam directed-broadcast
DirectedBroadcast Feature Tuples.
Src Ip Dst Ip Action Hits
--------------- --------------- ------- ------------
10.1.1.1 192.164.2.15 Permit 0
20.1.1.1 192.164.2.15 Permit 0
30.1.1.1 192.164.2.15 Permit 0
10.1.1.1 192.166.2.15 Permit 0
20.1.1.1 192.166.2.15 Permit 0
30.1.1.1 192.166.2.15 Permit 0
10.1.1.1 192.168.2.255 Permit 0
20.1.1.1 192.168.2.255 Permit 0
30.1.1.1 192.168.2.255 Permit 0
* 192.164.2.15 Deny 0
* 192.166.2.15 Deny 0
* 192.168.2.255 Deny 0
switch# show platform trident tcam detail
=== TCAM detail for switch Linecard0/0 ===
TCAM group 9 uses 42 entries and can use up to 1238 more.
Mlag control traffic uses 4 entries.
589826 0 hits - MLAG - SrcPort UDP Entry
589827 0 hits - MLAG - DstPort UDP Entry
589828 0 hits - MLAG - SrcPort TCP Entry
589829 0 hits - MLAG - DstPort TCP Entry
CVX traffic reserves 6 entries (0 used).
L3 Control Priority uses 23 entries.
589836 0 hits - URM - SelfIp UDP Entry
589837 0 hits - URM - SelfIp TCP Entry
589848 0 hits - OSPF - unicast
589849 71196 hits - OSPFv2 - Multicast
589850 0 hits - OSPFv3 - Multicast
589851 0 hits - OSPF Auth ESP - Multicast
589852 0 hits - OSPF Auth ESP - Unicast
589853 0 hits - IP packets with GRE type and ISIS protocol
589854 0 hits - RouterL3 Vlan Priority 6,7 Elevator
589855 0 hits - RouterL3 DSCP 48-63 Elevator
589856 0 hits - RouterL3 Priority Elevator
589857 0 hits - NextHopToCpu, Glean
589858 0 hits - L3MC Cpu OIF
IGMP Snooping Flooding reserves 8 entries (6 used).
589864 0 hits - IGMP Snooping Restricted Flooding L3 from local
mlag peer
589865 0 hits - IGMP Snooping Restricted Flooding L3
L4 MicroBfd traffic reserves 1 entries (0 used).
TCAM group 13 uses 99 entries and can use up to 1181 more.
Dot1x MAB traffic uses 1 entries.
851968 0 hits - Dot1xMab Rule
<-------OUTPUT OMITTED FROM EXAMPLE-------->
ck338.22:14:38(config-pmap-qos-policy1)#
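An added example, not part of the EOS manual: a Python parser for the show platform trident tcam detail output above that reports per-group TCAM headroom and lists the entries whose hit counters are non-zero. Treating "uses X" plus "can use up to Y more" as a group's capacity is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the page's own example output, trimmed.
SAMPLE = """\
=== TCAM detail for switch Linecard0/0 ===
TCAM group 9 uses 42 entries and can use up to 1238 more.
Mlag control traffic uses 4 entries.
589826 0 hits - MLAG - SrcPort UDP Entry
589849 71196 hits - OSPFv2 - Multicast
589864 0 hits - IGMP Snooping Restricted Flooding L3 from local
mlag peer
TCAM group 13 uses 99 entries and can use up to 1181 more.
Dot1x MAB traffic uses 1 entries.
851968 0 hits - Dot1xMab Rule
"""

GROUP_RE = re.compile(r"TCAM group (\d+) uses (\d+) entries and can use up to (\d+) more")
ENTRY_RE = re.compile(r"^(\d+)\s+(\d+) hits - (.+)$")
FEATURE_RE = re.compile(r"(uses|reserves) \d+ entries")  # per-feature summary lines

def parse_tcam_detail(text):
    """Return {group_id: {"used", "free", "entries": [[entry_id, hits, label]]}}."""
    groups, current, prev_entry = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        g, e = GROUP_RE.search(line), ENTRY_RE.match(line)
        if g:
            gid, used, free = map(int, g.groups())
            current = groups[gid] = {"used": used, "free": free, "entries": []}
        elif e and current is not None:
            current["entries"].append([int(e.group(1)), int(e.group(2)), e.group(3)])
        elif prev_entry and line and not FEATURE_RE.search(line) and line[0] not in "<=":
            current["entries"][-1][2] += " " + line  # label wrapped onto the next line
        prev_entry = bool(e) and current is not None
    return groups

def utilization(groups):
    """Percent of each group's assumed capacity (used + free) now consumed."""
    return {gid: round(100.0 * g["used"] / (g["used"] + g["free"]), 2)
            for gid, g in groups.items() if g["used"] + g["free"]}

def active_entries(groups):
    """Entries with a non-zero hit counter, as (group, entry_id, hits, label)."""
    return [(gid, *e) for gid, g in groups.items() for e in g["entries"] if e[1] > 0]

if __name__ == "__main__":
    parsed = parse_tcam_detail(SAMPLE)
    print(utilization(parsed))
    print(active_entries(parsed))
```

Run against periodic captures, the utilization figures show how much room remains before new ACL or policy-map entries stop fitting in a group, and a change in which entries report hits is a cheap signal that control-plane traffic has shifted.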
The show route-map command displays the contents of configured route maps.
Command Mode
EXEC
Command Syntax
show route-map [map_name]
switch(config)# show route-map map1
route-map map1 permit 10
Description:
Match clauses:
SubRouteMap:
Set clauses:
set as-path prepend last-as 12
set as-path prepend auto auto
switch> show route-map map
route-map map permit 5
Match clauses:
match as 456
Set clauses:
route-map map permit 10
Match clauses:
match ip next-hop 2.3.4.5
match as-path path_2
Set clauses:
set local-preference 100
The system profile command creates a new Ternary Content-Addressable Memory (TCAM) profile in the running configuration.
The default system profile and no system profile commands delete non-default TCAM profiles from the running configuration.
Command Mode
Hardware TCAM
Command Syntax
system profile [profile_name | default | mirroring-acl | pbr-match-nexthop-group | qos | tap-aggregation-default | tap-aggregation-extended | tc-counters]
default system profile
no system profile
Guideline
These commands are compatible with the DCS-7280SE and DCS-7500E series switches only.
switch(config)# hardware tcam
switch(config-hw-tcam)# system profile mirroring-acl
switch(config-hw-tcam)# show hardware tcam profile
Configuration Status
FixedSystem mirroring-acl mirroring-acl
switch(config-hw-tcam)#
switch(config)# hardware tcam
switch(config-hw-tcam)# show hardware tcam profile
Configuration Status
Linecard9 mirroring-acl mirroring-acl
Linecard8 mirroring-acl mirroring-acl
Linecard3 mirroring-acl mirroring-acl
Linecard4 mirroring-acl mirroring-acl
Linecard6 mirroring-acl mirroring-acl
switch(config-hw-tcam)# default system profile
switch(config-hw-tcam)# show hardware tcam profile
Configuration Status
Linecard9 default default
Linecard8 default default
Linecard3 default default
Linecard4 default default
Linecard6 default default
switch(config-hw-tcam)#
switch(config-hw-tcam)# show hardware tcam profile
Configuration Status
Linecard9 tc-counters tc-counters
Linecard8 tc-counters tc-counters
Linecard3 tc-counters tc-counters
Linecard4 tc-counters tc-counters
Linecard6 tc-counters tc-counters
switch(config-hw-tcam)# no system profile
switch(config-hw-tcam)# show hardware tcam profile
Configuration Status
Linecard9 default default
Linecard8 default default
Linecard3 default default
Linecard4 default default
Linecard6 default default
switch(config-hw-tcam)#