ERX Edge Routers

System Basics
Configuration Guide
Release 4.0.x

Juniper Networks, Inc.

1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part No. 162-00469-02 Rev. A00

Juniper Networks is registered in the U.S. Patent and Trademark Office and in other countries as a
trademark of Juniper Networks, Inc. Broadband Cable Processor, ERX, ESP, G1, G10, G-series,
Internet Processor, JUNOS, JUNOScript, M5, M10, M20, M40, M40e, M160, M-series, NMC-RX,
SDX, ServiceGuard, T320, T640, T-series, UMC, and Unison are trademarks of Juniper Networks,
Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the
property of their respective owners. All specifications are subject to change without notice.
Products made or sold by Juniper Networks (including the M5, M10, M20, M40, M40e, M160, and
T320 routers, T640 routing node, and the JUNOS software) or components thereof might be covered
by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S.
Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,333,650, 6,359,479, and 6,406,312.
ERX Edge Routers System Basics Configuration Guide, Release 4.0.x
Copyright 2002, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Writers: Justine Kangas, Helen Shaw, Brian Wesley Simmons, Michael Taillon
Editor: Fran Mues
Revision History
November 2002
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

SOFTWARE LICENSE AGREEMENTa

JUNIPER NETWORKS, INC. IS WILLING TO LICENSE THE ENCLOSED SOFTWARE AND
ACCOMPANYING USER DOCUMENTATION (COLLECTIVELY, THE PROGRAM) TO YOU ONLY
UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS
LICENSE AGREEMENT. PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY
BEFORE COPYING OR USING THE ACCOMPANYING SOFTWARE OR INSTALLING THE
HARDWARE UNIT WITH PRE-ENABLED SOFTWARE OR USING THE ACCOMPANYING USER
DOCUMENTATION.
BY USING THE ACCOMPANYING SOFTWARE OR INSTALLING THE HARDWARE UNIT WITH
PRE-ENABLED SOFTWARE, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS
OF THIS LICENSE AGREEMENT. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF
THIS LICENSE AGREEMENT, JUNIPER NETWORKS IS UNWILLING TO LICENSE THE
PROGRAM TO YOU, IN WHICH EVENT YOU SHOULD PROMPTLY WITHIN TEN (10) DAYS
FROM SHIPMENT RETURN THE UNUSED SOFTWARE, USER DOCUMENTATION, AND
RELATED EQUIPMENT AND HARDWARE TO THE PLACE OF PURCHASE AND YOU WILL
RECEIVE A FULL REFUND OF YOUR LICENSE FEE. THIS LICENSE AGREEMENT
REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE PROGRAM BETWEEN YOU AND
JUNIPER NETWORKS, AND IT SUPERSEDES ANY PRIOR PROPOSAL, REPRESENTATION OR
UNDERSTANDING BETWEEN THE PARTIES.
1. License Grant. Juniper Networks, Inc. (Juniper Networks) and its suppliers and licensors
hereby grant to you and you hereby accept a nonexclusive, personal and nontransferable license to
use the computer software and/or hardware unit with pre-enabled software, including all patches,
error corrections, updates, and revisions thereto in machine-readable, object code form only (the
Software), and the accompanying User Documentation on the Juniper Networks product owned by
you and only as authorized in this License Agreement. You may make one (1) archival copy of the
Software for backup purposes provided you affix to such copy all copyright, confidentiality, and
proprietary notices that appear on the original. Except as authorized under this paragraph, no copies
of the Program or any portions thereof may be made, in whole or in part, by you or any person under
your authority or control.
The Software and User Documentation are protected under copyright laws. The title to Software and
User Documentation shall remain solely with Juniper Networks and its suppliers.
Except as authorized above, you shall not: copy, in whole or in part, the Software or the related User
Documentation; modify, reverse assemble, reverse compile, or otherwise translate, dissemble, or
obtain source code for the Software or User Documentation, in whole or in part, or permit a third party
to do so; rent, lease, distribute, sell, or create derivative works of the Software; pledge, lease, rent,
sublicense or share its rights under this License Agreement; or, without Juniper Networks prior
written consent, assign or transfer its rights hereunder.
2. Juniper Networks' Rights. You agree that the Software, including the User Documentation,
embodies Juniper Networks' and its suppliers' and licensors' confidential and proprietary intellectual
property protected under U.S. copyright law and you will use your best efforts to maintain their
confidentiality. You further acknowledge and agree that Juniper Networks or its suppliers and
licensors own all right, title, and interest in and to the Software, including all intellectual property
rights therein. You shall take no action inconsistent with Juniper Networks' or its suppliers' ownership
of such Software. You shall not sublicense, assign, or otherwise disclose to any third party the
Software or any information about the operation, design, performance, or implementation of the
Software and User Documentation without prior written consent of Juniper Networks. You agree to
implement reasonable security measures to protect such confidential and proprietary information and
copyrighted material. This License Agreement does not convey to you an interest in or to the
Program, but only the limited right of use revocable in accordance with the terms of this License
Agreement.
3. License Fees. The license fees paid by you are paid in consideration of the license granted
under this License Agreement.
4. Term. This license is effective upon opening of the package(s) or use of the hardware containing
the Software, and shall continue until terminated. You may terminate this License at any time by
returning the Software, including any User Documentation, and all copies or portions thereof to
Juniper Networks. This License will terminate immediately without notice from Juniper Networks if
you breach any term or provision of this License. Upon such termination by Juniper Networks, you

a. If you and Juniper Networks, Inc., have executed another license agreement for the Program which
is now in effect, then such agreement (Negotiated Agreement) shall supersede this Software License Agreement and shall exclusively govern the use and license terms of the Program.

must return the Software, including any User Documentation, and all copies or portions thereof to
Juniper Networks. Termination of this License Agreement shall not prejudice Juniper Networks' rights
to damages or other available remedy.
5. Limited Software Warranty: Juniper Networks warrants, for your benefit alone, that for a period
of ninety (90) days from the date of shipment from Juniper Networks that the Software substantially
conforms to its published specifications.
The limited warranty extends only to you as the original licensee. Your exclusive remedy and the
entire liability of Juniper Networks and its suppliers under this limited warranty will be, at Juniper
Networks' option, repair or replacement of the Software, or refund of the amounts paid by you under
this License Agreement. You agree that this is your sole and exclusive remedy for breach by Juniper
Networks, its suppliers or its licensors of any warranties made under this License Agreement.
In no event does Juniper Networks warrant that the Software is error free or that you will be able to
operate the Software without problems or interruptions. Juniper Networks does not warrant: 1) that
the functions contained in the software will meet your requirements; 2) that the Software will operate
in the hardware or software combination that you may select; 3) that the operation of the Software
will be uninterrupted or error free; or 4) that all defects in the operation of the Software will be
corrected.
This warranty does not apply if the product: 1) has been altered, except by Juniper Networks; 2) has
not been installed, operated, repaired, or maintained in accordance with instruction supplied by
Juniper Networks; or 3) has been subjected to or damaged by improper environment, abuse, misuse,
accident, or negligence.
EXCEPT FOR THE WARRANTIES SET FORTH ABOVE, THE SOFTWARE IS LICENSED AS IS,
AND JUNIPER NETWORKS DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS,
CONDITIONS, AND WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY,
INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES FOR NONINFRINGEMENT OR
ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. ANY AND ALL SUCH
WARRANTIES ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
JUNIPER NETWORKS' SUPPLIERS AND LICENSORS DO NOT MAKE OR PASS ON TO YOU OR
ANY THIRD PARTY ANY EXPRESS, IMPLIED, OR STATUTORY WARRANTY OR
REPRESENTATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES FOR
NONINFRINGEMENT.
6. Proprietary Rights Indemnification. Juniper Networks shall at its expense defend you against
and, subject to the limitations set forth elsewhere herein, pay all costs and damages made in
settlement or awarded against you resulting from a claim that the Program as supplied by Juniper
Networks infringes a United States copyright or a United States patent, or misappropriates a United
States trade secret, provided that you: (a) provide prompt written notice of any such claim, (b) allow
Juniper Networks to direct the defense and settlement of the claim, and (c) provide Juniper Networks
with the authority, information, and assistance that Juniper Networks reasonably deems necessary
for the defense and settlement of the claim. You shall not consent to any judgment or decree or do
any other act in compromise of any such claim without first obtaining Juniper Networks written
consent. In any action based on such a claim, Juniper Networks may, at its sole option, either: (1)
obtain for you the right to continue using the Program, (2) replace or modify the Program to avoid the
claim, or (3) if neither (1) nor (2) can reasonably be effected by Juniper Networks, terminate the
license granted hereunder and give you a pro rata refund of the license fee paid for such Program,
calculated on the basis of straight-line depreciation over a five-year useful life. Notwithstanding the
preceding sentence, Juniper Networks will have no liability for any infringement or misappropriation
claim of any kind if such claim is based on: (i) the use of other than the current unaltered release of
the Program and Juniper Networks has provided or offers to provide such release to you for its then
current license fee, or (ii) use or combination of the Program with programs or data not supplied or
approved by Juniper Networks if such use or combination caused the claim.
7. Limitation of Liability. IN NO EVENT WILL JUNIPER NETWORKS OR ITS SUPPLIERS OR
LICENSORS BE LIABLE FOR ANY COST FOR SUBSTITUTE PROCUREMENT; SPECIAL,
INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES; OR ANY
DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS
ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN
IF JUNIPER NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Juniper Networks' cumulative liability to you or any other party for any loss or damages resulting from
any claims, demands, or actions arising out of or relating to this License Agreement shall not exceed
the total fees paid to Juniper Networks for the Software.
8. Export Control. Software, including technical data, is subject to U.S. export control laws,
including the U.S. Export Administration Act and its associated regulations, and may be subject to

export or import regulations in other countries. You agree to comply strictly with all such regulations
and acknowledge that you have the responsibility to obtain licenses to export, re-export, or import
Software.
9. Government Licensees: If any Software or associated documentation is acquired by or on
behalf of a unit or agency of the United States government, the government agrees that such
Software or documentation is a commercial item as that term is defined in 48 C.F.R. 2.101,
consisting of commercial computer software or commercial computer software documentation as
such terms are used in 48 C.F.R. 12.212 of the Federal Acquisition Regulations and its successors
and 48 C.F.R. 227.7202-1 through 227.7202-4 of the DoD FAR Supplement and its successors. The
use, duplication, or disclosure by the United States government of technical, data, computer software
and documentation is subject to the restrictions set forth in FAR section 12.212(a), FAR section
52.227-14(g)(2), FAR section 52.227-19, DFARS section 252.227-7015(b), DFARS section
227.7202-1(a), and DFARS section 227.7202-3(a), as applicable. All United States government end
users acquire the Software with only the rights set forth in this License Agreement.
10. General: This License shall be governed by and construed in accordance with the laws of the
Commonwealth of Massachusetts, United States of America, as if performed wholly within the state
and without giving effect to the principles of conflict of law. Any dispute arising out of this Agreement
shall be referred to an arbitration proceeding in Boston, Massachusetts, in accordance with the
commercial arbitration rules of the American Arbitration Association (the AAA). If the parties cannot
agree upon an arbitrator, arbitration shall be conducted by a neutral arbitrator selected by the AAA
who is knowledgeable in electronics equipment manufacturing and software licensing. The parties
shall share the procedural costs of arbitration equally, and each party shall pay its own attorneys'
fees and other costs and expenses associated with the arbitration, unless the arbitrator decides
otherwise. The arbitrator's award shall be in writing and shall include a statement of reasons, but the
arbitrator shall not be permitted to award punitive or indirect damages. The arbitrator's decision and
award shall be final and binding and may be entered in any court having jurisdiction. The terms of
this section shall not prevent any party from seeking injunctive relief in any court of competent
jurisdiction in order to protect its proprietary and confidential information. If any term or provision
hereof is found to be void or unenforceable by a court of competent jurisdiction, the remaining
provisions of this License Agreement shall remain in full force and effect. This License Agreement
constitutes the entire agreement between the parties with respect to the use of the Software and
User Documentation and supersedes any and all prior oral or written agreements, discussions,
negotiations, commitments, or understandings. No amendment, modification, or waiver of any
provision of this License Agreement will be valid unless in writing and signed by the authorized
representative of the party against which such amendment, modification, or waiver is sought to be
enforced. The waiver by either party of any default or breach of this License Agreement shall not
constitute a waiver of any other or subsequent default or breach. This License Agreement shall be
binding upon the parties and their respective successors and permitted assigns.
Should you have any questions about this agreement, please contact:
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
Attn: Contracts Administrator

Contents

About This Guide

ERX Edge Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
Using the Online Documentation CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Comments About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Chapter 1

Planning Your Network

Applications Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Private Line Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
xDSL Session Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Layered Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Line Modules and I/O Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
interface Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
General Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Configuring Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Configuring Physical Layer Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Line Module Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Configurable HDLC Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Configuring CT3 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Configuring T3 and E3 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Configuring CT1 and CE1 Line Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Configuring OC3 (Dual-Port) and OCx/STMx Interfaces . . . . . . . . . . . . . . 1-15
Configuring Channelized OCx/STMx Line Interfaces . . . . . . . . . . . . . . . . . 1-16
Configuring Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
Configuring HSSI Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

viii
Contents

Configuring X.21/V.35 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Configuring IPSec Service Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Configuring TSM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Configuring Data Link Layer Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Configuring IP/Frame Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Configuring IP/ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Configuring IP/PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Configuring IP/HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Configuring IP over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
Configuring Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Configuring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Configuring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31
Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31
Chapter 2

Command Line Interface

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Command Line Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Keywords and Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Keywords and Parameters Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Using CLI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Abbreviated Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
The ? Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
<Backspace> or <Delete> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
<Enter> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
<Tab> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Arrow Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
The no Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
run Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
The - - More - - Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Responding to Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Levels of Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
User Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Privileged Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Initialization Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Accessing the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Privileged-Level Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Exiting Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Using Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
? (Question Mark Key) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
help Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Partial-keyword <Tab> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26

ix
ERX Edge Routers

Using Command Line Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26

Basic Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Command Line Editing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27
Command History Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
Pagination Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
Accessing Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
User Exec Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33
Privileged Exec Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
Password Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Global Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
Executing a Script File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
Address Family Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Controller Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
DHCP Pool Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Domain Map Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
Domain Map Tunnel Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Explicit Path Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Interface Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
IPSec Manual Key Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-41
ISAKMP Policy Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-41
L2TP Destination Profile Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . 2-42
L2TP Destination Profile Host Configuration Mode . . . . . . . . . . . . . . . . . . . 2-42
LDP Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-43
Line Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-43
Map Class Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-44
Map List Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-44
Policy Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
Profile Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
QoS Profile Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-46
Queue Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47
RADIUS Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47
Rate Limit Profile Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Remote Neighbor Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Route Map Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-50
Router Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-50
RSVP Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-51
RTR Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-51
Scheduler Profile Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-52
Subinterface Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-52
Traffic Class Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-53
Traffic Class Group Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-53
Tunnel Profile Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-54
VRF Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-54

x
Contents

Chapter 3

Configuring SNMP
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
SNMP Features Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
SNMP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
SNMP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Standard SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Juniper Networks ERX Enterprise MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Accessing Supported SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
SNMP Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Creating SNMP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Communicating with the SNMP Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
SNMP Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
SNMP Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
SNMP PDU Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Before You Configure SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
SNMP Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Enabling SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Configuring SNMP v1/v2c Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Community Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
IP Access List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Configuring SNMPv3 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Setting Server Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Configuring SNMP Packet Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Configuring Memory Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Configuring Encoding Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Managing Interface Sublayers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Compressing Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Controlling Interface Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Monitoring Interface Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Configuring Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
IP Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Trap Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Trap Severities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Specifying an Egress Point for SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Collecting Bulk Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Configuring Collectors and Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
Monitoring Collection Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Configuring Schemas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37
if-stats Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37
Monitoring Schema Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-40

xi
ERX Edge Routers

Using the Bulk Statistics Formatter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41

Setting Remote Filenames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Specifying End of Line Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
Managing Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
Monitoring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Establishing a Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Viewing SNMP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44
Output Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-49
Chapter 4

Managing the System

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Naming the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Configuring Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Monitoring Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Managing vty Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Configuring vty Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Clearing vty Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Monitoring vty Lines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Configuring the System Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Saving the Current Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Customizing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13
Setting the Console Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Configuring the Display Terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Specifying the Character Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
Configuring Login Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
Setting Time Limits for User Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
Setting Time Limits for User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
Configuring CLI Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17
Monitoring the Console Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
Sending Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
Managing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
Managing the User Space from a Network Host . . . . . . . . . . . . . . . . . . . . . . 4-23
File Commands and FTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Renaming Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Deleting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Monitoring Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Transferring Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Using the copy Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Configuring the FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
FTP Passive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Monitoring the FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35
Copying Partial Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-36
Using the Telnet Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39

xii
Contents

Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41
Assigning Name Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41
Using One Name Resolver for Multiple Virtual Routers . . . . . . . . . . . . . . . . 4-42
Monitoring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Creating Core Dump Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44
Boot Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44
Global Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44
Accessing the Core Dump File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-47
Understanding the Core Dump File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Monitoring the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Chapter 5

Managing Line Modules and SRP Modules

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Disabling and Reenabling Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Removing an SRP Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Replacing Line Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Replacing SRP Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Software Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Line Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
I/O Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Configuring Performance Rate of Line Modules . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Choosing a Combination of Line Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Restricted Line Module Combinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Slot Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
SRP Modules Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Line Modules Bandwidth and Switch Usage . . . . . . . . . . . . . . . . . . . . . . . 5-8
Allowed Combinations for Line Rate Performance . . . . . . . . . . . . . . . . . . 5-9
Specifying the Type of Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
Monitoring Bandwidth Oversubscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Optimizing Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Line Module Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Automatic Switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Limitations of Automatic Switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Reversion after Switchover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Configuring Line Module Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Managing Line Module Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Monitoring Line Module Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
SRP Module Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Installing a Redundant SRP Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Managing SRP Module Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Switching to the Redundant SRP Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
Upgrading Software on a Redundant SRP Module . . . . . . . . . . . . . . . . . . . . 5-23
Monitoring the Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23

xiii
ERX Edge Routers

Managing NVS Cards on SRP Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24

NVS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Installing and Removing NVS Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Synchronizing NVS Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Synchronizing NVS Cards of Different Capacities . . . . . . . . . . . . . . . . . 5-26
Disabling Autosynchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27
Reformatting the Primary NVS Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Copying the Image on the Primary SRP Module . . . . . . . . . . . . . . . . . . . . . 5-28
Scanning NVS Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29
Monitoring NVS Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31
Managing the Ethernet Port on the SRP Module . . . . . . . . . . . . . . . . . . . . . . . . 5-31
Monitoring Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31
Monitoring the Ethernet Configuration for the SRP Module . . . . . . . . . . . . 5-32
Monitoring Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
Chapter 6

Passwords and Security

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Setting Basic Password Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Creating Encrypted Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Creating Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Encrypting Passwords in Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Commands and Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Setting and Erasing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Accessing Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Setting Enable Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Erasing Enable Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Setting a Console Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Erasing the Console Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Monitoring Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Vty Line Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Configuring Simple Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Configuring AAA Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13
Virtual Terminal Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Secure System Administration with SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
User Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
Host Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
Security Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Before You Configure SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20

xiv
Contents

SSH Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21

Configuring Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Configuring User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Configuring Message Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Enabling and Disabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24
Displaying SSH Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Terminating an SSH Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Restricting User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
Restricting Access to Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
Per-User Enable Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28
Restricting Access to Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28
VSA Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29
Commands Available to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30
Chapter 7

Writing CLI Macros

Writing Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Environment Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Literals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Increment and Decrement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
String Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
Extraction Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
Arithmetic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8
Relational Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Logical Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Miscellaneous Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Conditional Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
If Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11
While Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13
Invoking Other Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
Running Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16
Practical Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Configuring Frame Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Configuring ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27

Chapter 8

Booting the System

Configuring Your System for Booting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Rebooting Your System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Rebooting When a Command Takes a Prolonged Time to Execute . . . . . . . . 8-7
Configuration Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Operations in Boot Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Displaying Boot Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Output Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11

xv
ERX Edge Routers

Chapter 9

Configuring the System Clock

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
System Operation as an NTP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
System Operation as an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Setting the System Clock Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Before You Configure NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Choosing NTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
NTP Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Enabling NTP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
NTP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Directing Responses from NTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Refusing Broadcasts from NTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
NTP Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Monitoring NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12

Chapter 10

Configuring Virtual Routers

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Default Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virtual Router Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VPNs and VRFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VRFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Monitoring Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 11

10-1
10-1
10-2
10-2
10-2
10-3
10-3
10-3
10-4
10-8

Logging System Events

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Log Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Log Verbosity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Persistent Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Configuring Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Configuring Log Severity for Individual and Systemwide Logs . . . . . . . . . . 11-7
Configuring Log Verbosity for Individual Logs or All Logs . . . . . . . . . . . . . 11-8
Setting the Timestamp for Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Configuring Log Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Turning Off Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Monitoring Logging System Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
List of Event Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16

xvi
Contents

Appendix A

Abbreviations and Acronyms

Appendix B

References
RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
Draft RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-8
Other Software Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9
Hardware Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-10

Index 1

About This Guide

The ERX System Basics Configuration Guide provides general

information you will need to manage your system. It covers basic tasks
such as configuring passwords, security, the system clock, and virtual
routers.
Note: If the information in the ERX Release Notes differs from the information in
this guide, follow the ERX Release Notes.

Your ERX system is shipped with the latest system software installed. If
you need to install a future release or reinstall the system software, refer to
the procedures in the ERX Installation and User Guide, Appendix E,
Installing ERX System Software.

ERX Edge Routers

Four models of ERX edge router are available:
ERX-1440 system
ERX-1410 system
ERX-705 system
ERX-700 system
All models use the same software. For information about the differences
between the models, see ERX Installation and User Guide, Chapter 1,
ERX System Overview.
In the ERX documentation, the term ERX-1400 series refers to both the
ERX-1440 system and the ERX-1410 system. Similarly, the term
ERX-700 series refers to both the ERX-705 system and the ERX-700

xviii
About This Guide

system. The terms ERX-1440 system, ERX-1410 system, ERX-705

system, and ERX-700 system refer to the specific models.

Audience
This guide is intended for experienced system and network specialists who
will configure a Juniper Networks ERX system in an Internet access
environment.

Conventions
Table 1, Table 2, and Table 3 list all the conventions used in the ERX
documentation. Table 1 defines notice icons. Table 2 shows text
conventions used throughout the book, except for command syntax.
Table 3 provides command syntax conventions used primarily in the
ERX Command Reference Guide. For more information about
command syntax, see ERX System Basics Configuration Guide,
Chapter 2, Command Line Interface.
Table 1 Notice icons
Icon

Meaning

Description

Informational note

Indicates important features or instructions.

Caution

Indicates that you may risk losing data or damaging your hardware.

Warning

Alerts you to the risk of personal injury.

Table 2 Text conventions (except for command syntax)

Convention

Description

Examples

Bold typeface

Represents commands and

keywords in text.

Command example:
Issue the clock source command.

Keyword example:
Specify the keyword exp-msg.

Bold Courier typeface

Represents text that the user must

type.

user input

Key name in angle brackets

Indicates the name of a key on the

keyboard.

Press <Enter>.

Key names linked with a plus sign

(+) in angle brackets.

Indicates that you must press two or

more keys simultaneously.

Press <Ctrl+B>.

Documentation
ERX Edge Routers

Table 2 Text conventions (except for command syntax) (continued)

Convention

Description

Plain Courier typeface

Represents information as displayed

on your terminals screen.

Examples
host1#show ip ospf 2
Routing Process OSPF 2 with
Router ID 5.5.0.250
Router is an Area Border
Router (ABR)

Italics

Emphasize words.

Identify variables.

Identify chapter, appendix, and

book names.

There are two levels of access,

user and privileged.

clusterId, ipAddress.

Appendix A, System Specifications.

Table 3 Syntax conventions in Command Reference Guide

Convention

Description

Examples

Words in plain text

Represent keywords.

terminal length

Words in italics

Represent variables.

mask, accessListName

Words separated by the | symbol

Represent a choice to select one

keyword or variable to the left or
right of this symbol. (The keyword or
variable may be either optional or
required.)

diagnostic | line

Words enclosed in [ brackets ]

Represent optional keywords or

variables.

[ internal | external ]

Words enclosed in [ brackets ]*

Represent optional keywords or

variables that can be entered more
than once.

[ level1 | level2 | l1 ]*

Words enclosed in { braces }

Represent required keywords or

variables.

{ permit | deny } { in | out }

{ clusterId | ipAddress }

Documentation
The ERX Installation Quick Start poster is shipped in the box with all
new systems. This poster provides the basic procedures to help you get the
system up and running quickly.
The document set contains the following books and online resources:
ERX Installation and User Guide Provides the necessary procedures
for getting your system operational, including information on
installing, cabling, powering up, configuring your system for
management access, and general troubleshooting.
ERX System Basics Configuration Guide Describes planning and
configuring your network, managing the system, passwords, and
security, and configuring the system clock and virtual routers.

xix

xx
About This Guide

ERX Physical and Link Layers Configuration Guide Describes

configuring physical and link layer interfaces.
ERX Routing Protocols Configuration Guide, Vol. 1 - Provides
information about configuring routing policy and configuring IP, IP
routing, and IP security.
ERX Routing Protocols Configuration Guide, Vol. 2 Describes BGP
Routing, MPLS, and related VPNs.
ERX Policy and QoS Configuration Guide - Provides information
about configuring policy management and quality of service (QoS).
ERX Broadband Access Configuration Guide Provides information
about configuring remote access.
ERX Command Reference Guide Contains important information
about all system commands implemented in the system software. Use
to look up command descriptions, command syntax, a commands
related mode, or a description of a commands parameters. It is
intended to be used with the ERX Configuration Guides.
ERX Product Overview Guide Gives a thorough overview of the
system from a software and hardware perspective. It provides
illustrations and configuration examples that present the big picture.
ERX Release Notes Contains information about features, changes,
known problems, and limitations. Provides final information that did
not make it into the documentation.
ERX Online Documentation CD Provides an online version of this
guide and the documents listed above. The online documents contain
numerous links between guides, giving easy access to a vast amount of
technical information.
Abbreviations

A complete list of abbreviations used in this document set, along with

their spelled-out terms, is provided in the ERX System Basics
Configuration Guide, Appendix A, Abbreviations and Acronyms.

Using the Online Documentation CD

ERX Edge Routers

Using the Online Documentation CD

To use the Online Documentation CD:
1

Place the Online Documentation CD in your CD drive.

Follow the instructions located on the inside cover of your CD jewel

case to install Acrobat Reader.

From the Documentation folder on the CD, open the CDtips.pdf file
for information on using Adobe Acrobat Reader.

From the Documentation folder on the CD, open the Welcome.pdf

file for access to the documentation set.

Comments About the Documentation

We encourage you to provide feedback, comments, and suggestions so
that we can improve the documentation to better meet your needs. Please
e-mail your comments to:
[email protected]
Along with your comments, be sure to indicate:
Document name
Document part number
Page number

xxi

xxii
About This Guide

Planning Your Network

This chapter describes planning steps that will make it easier to configure
the physical interfaces, logical interfaces, and routing protocols for the
ERX system in:
A new network that you are creating and implementing
An existing network that you are expanding
Topic

Page

Applications Overview

1-2

Layered Approach

1-4

Line Modules and I/O Modules

1-5

Interfaces

1-6

General Configuration Tasks

1-8

Configuring Virtual Routers

1-9

Configuring IPSec

1-10

Configuring Physical Layer Interfaces

1-10

Configuring Data Link Layer Interfaces

1-20

Configuring Routing Protocols

1-28

Configuring VRRP

1-29

Configuring Routing Policy

1-30

QoS

1-30

Policy Management

1-31

Configuring Remote Access

1-31

1-2

CHAPTER 1
Planning Your Network

Applications Overview
The system can be used for a number of edge aggregation applications.
Two of the most common are:
Private line aggregation
xDSL session termination
Private Line Aggregation

A major application for the ERX edge router is for private line
aggregationthe consolidation of multiple high-speed access lines into
one access point. See Figure 1-1.
In this application, the service provider can use a single system to offer
high-speed access (FT1/FE1 through T3/E3) to thousands of subscribers.
The individual subscriber lines can be multiplexed into T3 lines by the
service provider and fed into the system. (The system can also accept
unchannelized T3 or E3 connections from high-speed users and
channelized E1 connections directly into the unit.) Once the traffic is
received, the system then handles all IP packet processing, including the
assignment of QoS and routing policies. The packets are then routed into
the backbone network.
Business Users

Edge
FT1/fE1

ERX System

ADM

T1/E1
SONET
Ring

nxT1
T3/E3

Tier 2/3
ISP
Network

Core

Gig Eth

ADM
DACS

ADM

T3/E3/E1
ATM/FR/PPP

Internet

OC3/STM1
POS/ATM Backbone
OC12/STM4
POS/ATM

Telco
Network

Figure 1-1 Private line aggregation with the ERX system

Service
Provider
Network

Applications Overview
ERX Edge Routers

The system supports a number of access and uplink methods; the most
common pairings are listed in Table 1-1.
Table 1-1 Common access/uplink pairings
Access

Uplink

PPP

ATM, Fast Ethernet,

Gigabit Ethernet, or
POS

Frame Relay
ATM

xDSL Session Termination

The system supports Broadband Remote Access Server (B-RAS)

applications, as shown in Figure 1-2. In this application, the system
handles the aggregated output from the digital subscriber line access
multiplexers (DSLAMs). Directly connected to the subscriber premises,
the DSLAMs handle the copper termination and aggregate the traffic
into a higher-speed uplink. The output from the DSLAM is fed into the
system through a DS3 or OC3 link.
Consumer and
Business
Users (xDSL)

CLEC

ERX System

IP/PPP/ATM

ATM/FR
DS3 FR/ATM
OC3/STM1 ATM

IP/PPP/FR

OC3/STM1

ISP

OC12/STM4
POS/ATM
GE

DSLAM
IP/PPPoE/ATM

VPN

DHCP RADIUS

IP/PPPoE/FR

Access
Network
Provider

Figure 1-2 B-RAS application

Service
Network
Provider

Internet

1-3

1-4

CHAPTER 1
Planning Your Network

The system then performs several functions:

PPP session termination and authentication checking through PAP or
CHAP
Coordination with DHCP servers and local IP pools to assign IP
addresses
Connection to RADIUS servers or use of domain names to associate
subscribers with user profile information
Support for RADIUS accounting to gather detailed billing
information
Application of the user profile to the user traffic flow, which could
include QoS, VPN, and routing profiles
The output of the system is typically a high-speed link, such as
OC3/STM1 to feed a core backbone router. Virtual routers can also be
used to keep the traffic logically separate and to direct packets to different
destinations. As shown in Figure 1-2, the packets can be directed to a
CLEC, ISP, corporate VPN, or the Internet.
A large number of xDSL protocols are supported, including:
IP/PPP/ATM
IP/PPP/Ethernet/ATM
IP/bridged Ethernet/ATM
See ERX Broadband Access Configuration Guide, Chapter 1,
Configuring Remote Access to the ERX System, for information on
configuring B-RAS.

Layered Approach
The ERX Configuration Guides use a bottom-up approach to describe
the configuration process. Figure 1-3 shows the relationship of layers,
protocols, and interfaces to the configuration process. Software functions
are layered on top of physical (copper or optical) interfaces. The system
supports a number of access protocols (PPP/POS, Frame Relay, ATM)
that allow service providers to offer a number of access methods and line
speeds to their subscribers. The system is optimized to handle IP
connections regardless of the access protocol used. The system also
supports a number of protocols that are specific to the B-RAS
application. These are shown in Figure 1-3, and include IP/PPP/ATM
and IP/PPP/Ethernet/ATM.

Line Modules and I/O Modules

ERX Edge Routers

Routing
Protocols

BGP4

Layer 4
Transport Protocol

OSPF

TCP

Layer 3
Network Layer

Layer 2
Data Link Layer

Layer 1
Physical Layer

IS-IS

RIP

UDP

IP

Frame
Relay

DSx/Ex
FDS1/FE1
DS1/E1
DS3/E3

PPP

PPPoE

ATM

Ethernet
100 Base-T
Gigabit Ethernet

Ethernet

SONET
OC3/STM1
OC12/STM4

Figure 1-3 Network configuration using a bottom-up approach

Layer 2 (data link) defines how the data is packaged and sent to an IP
data connection point in layer 3 (IP interfaces). In layer 3, you define the
global attributes for IP services that serve as a platform from which you
add routing information.

Line Modules and I/O Modules

A range of line modules and input/output (I/O) modules is available for
the system. With the exception of the IPSec Service line module and
Tunnel Service line module (TSM), each line module pairs with a
corresponding I/O module.
I/O modules provide the input and output connections from the network
to the system. Line modules connect to their corresponding I/O modules
through a passive midplane. A line module receives packets through its
I/O module, and processes those packets. The system then routes the
packets out to the network through the designated I/O module.
Each line module and I/O module has a label on its faceplate. In this
documentation, line modules and I/O modules are identified by that
label. For example, the 3-port CT3 line module is called the CT3 line
module, and its corresponding I/O module is the CT3/T3 I/O module.

1-5

1-6

CHAPTER 1
Planning Your Network

When referring to a related set of line modules or I/O modules, the

generic information from the module labels is used in this
documentation. For example, the term OCx/STMx line modules refers
to both the OCx/STMx ATM and the OCx/STMx POS line modules.
Similarly, the term GE I/O modules refers to both the GE Multimode
I/O module and the GE Single Mode I/O module.
For a complete list of the line modules and I/O modules available, see
ERX Installation and User Guide, Appendix B, Module Specifications.

Interfaces
The term interfaces is used in a very specific way in this documentation.
Interfaces are both physical and logical channels on the system that
define how data is transmitted to and received from lower layers in the
protocol stack. Conceptually, you configure an interface as part of the
physical layer, layer 1.
You configure the physical and logical characteristics of T3 and T1 lines
coming directly from your customers premises or from a central office
switch and OC3 lines going out to the core of your network
infrastructure. These physical and logical characteristics define an
interface.
Interface layering must always be configured in order from the lowest
layer to the highest layer. For example, if you have already configured IP
to run over ATM and you want to reconfigure the interface to run IP
over PPP over ATM, you must first remove the IP interface, apply PPP,
and then reapply IP.
Subinterfaces

A subinterface is a mechanism that allows a single physical interface to

support multiple logical interfaces or networks. Several logical interfaces
or networks can be associated with a single physical interface.
Configuring multiple virtual interfaces, or subinterfaces, on a single
physical interface allows greater flexibility and connectivity on the
network.
Protocols such as Frame Relay and ATM require that you create one or
more virtual circuits over which your data traffic is transmitted to higher
layers in the protocol stack. The system requires that you define a
subinterface on top of a physical interface as a platform for a virtual
circuit, such as a permanent virtual circuit (PVC).

Interfaces
ERX Edge Routers

Once you have defined the underlying characteristics of an interface, use

the interface command to:
1

Assign an interface type, such as POS or ATM.

Assign the associated interface specifier to the interface, such as the

slot/port and channel/subchannel.

Assign one or more subinterfaces.

interface Command

The interface command has the following format:

interface interfaceType interfaceSpecifier
Each interface type has an interface specifier associated with it. The
interface specifier identifies the physical location of the interface on the
system, such as the chassis slot and port number, and logical channel
information, such as an OC3/STM1 channel on an OC48/STM16
interface.
The system supports the interface types shown in Table 1-2.
Table 1-2 Interface types
Interface Type
Variable

Interface Specifier Variable

To configure, see

atm

slot/port[.subinterface]

ERX Physical and Link Layers Configuration Guide,

Chapter 10, Configuring ATM

ethernet

slot/port.subinterface

ERX Physical and Link Layers Configuration Guide,

Chapter 6, Configuring Ethernet Interfaces

hssi

slot/port

ERX Physical and Link Layers Configuration Guide,

Chapter 7, Configuring HSSIs

loopback

loopback number

ERX Command Reference Guide

mlframe-relay

bundle-name [.subinterface ]

ERX Physical and Link Layers Configuration Guide,

Chapter 12, Configuring Multilink Frame Relay

mlppp

bundle-name

ERX Physical and Link Layers Configuration Guide,

Chapter 14, Configuring Multilink PPP

pos

slot/port

ERX Physical and Link Layers Configuration Guide,

Chapter 15, Configuring Packet over SONET

1-7

1-8

CHAPTER 1
Planning Your Network

Table 1-2 Interface types (continued)

Interface Type
Variable

Interface Specifier Variable

To configure, see

serial

Depends on type of interface

ERX Physical and Link Layers Configuration Guide,

Chapter 1, Configuring Channelized T3 Interfaces
ERX Physical and Link Layers Configuration Guide,
Chapter 2, Configuring T3 and E3 Interfaces
ERX Physical and Link Layers Configuration Guide,
Chapter 3, Configuring CT1 and CE1 Interfaces
ERX Physical and Link Layers Configuration Guide,
Chapter 5, Configuring Channelized OCx/STMx
Interfaces
ERX Physical and Link Layers Configuration Guide,
Chapter 8, Configuring X.21/V.35 Interfaces

tunnel

tunnel-type:tunnel-name

ERX Routing Protocols Configuration Guide, Vol. 1,

Chapter 4, Configuring IP Tunnels
ERX Routing Protocols Configuration Guide, Vol. 1,
Chapter 10, Configuring IPSec
ERX Broadband Access Configuration Guide,
Chapter 3, Configuring L2TP
ERX Broadband Access Configuration Guide,
Chapter 4, Configuring L2F

null

ERX Command Reference Guide and ERX Routing

Protocols Configuration Guide, Vol. 1, Chapter 1,
Configuring Routing Policy.

For detailed information about interface types and specifiers and for
specific syntax for the interface command, see the ERX Command
Reference Guide.

General Configuration Tasks

The configuration process involves the following general tasks:
1

Determine information about physical and logical characteristics

and IP-addressing information of the various interfaces you want to
configure.

Determine information about the link layer protocols.

Determine how to organize virtual routers on the system.

Determine how IPSec will be used to provide security.

Determine routing information that defines all or part of the

network.

Create the virtual routers.

Configuring Virtual Routers

ERX Edge Routers

Configure the interfaces and subinterfaces (such as CT3,

OCx/STMx, and HDLC data channels) over which the higher-layer
protocols run.

Configure the data link layer protocols, such as Frame Relay, PPP,
and ATM, that run over these physical interfaces.

Configure the general IP information from which the other routing

protocols will operate.

10 Configure IP tunnels.
11 Configure IPSec.
12 Configure the routing protocols that will run on the system, such as

IP multicasting, OSPF, IS-IS, RIP, BGP-4, and MPLS.

13 Configure Virtual Router Redundancy Protocol (VRRP) on

IP/Ethernet interfaces.
14 Configure QoS and policy management.
15 Configure the system for remote access.
16 Use the appropriate show commands to display network activity on

each of the interfaces that you have configured. Do this to verify that
they are operating as you expect and to help improve the
management of your network.

Configuring Virtual Routers

Multiple distinct routers are supported within a single system, which
allows service providers to configure multiple, separate, secure routers
within a single chassis. These routers are identified as virtual routers
(VRs). Applications for this function include the creation of individual
routers dedicated to wholesale customers, corporate virtual private
network (VPN) users, or a specific traffic type.
The system implements the virtual routers by maintaining a separate
instance of each data structure for each virtual router and allowing each
protocol to be enabled on a case-by-case basis. Virtual routers provide full
support for all supported routing protocols (unicast, multicast, and
MPLS).
For information on configuring virtual routers, see Chapter 10,
Configuring Virtual Routers.

1-9

1-10

CHAPTER 1
Planning Your Network

Configuring IPSec
IPSec provides security to IP flows through the use of authentication and
encryption.
Authentication verifies that data is not altered during transmission and
ensures that users are communicating with the individual or
organization that they believe they are communicating with.
Encryption makes data confidential by making it unreadable to
everyone except the sender and intended recipient.
IPSec comprises two encapsulating protocols:
Encapsulating Security Payload (ESP) provides confidentiality and
authentication functions to every data packet.
Authentication Header (AH) provides authentication to every data
packet.
For information about configuring IPSec, see ERX Routing Protocols
Configuration Guide, Vol. 1, Chapter 10, Configuring IPSec.

Configuring Physical Layer Interfaces

The system supports a number of line rates; some of these are listed per
line module below.
E3 line module and COCX-F3 line module support unchannelized
E3.
CE1 module supports E1 and fractional E1.
Channelized OCx/STMx (cOCx/STMx) line module supports
channelized DS3 (channelized to DS1, fractional DS1, or the DS0
level), unchannelized DS3, channelized E1/T1 (channelized to
fractional DS1), unframed E1.
CT1 line module supports T1 and fractional T1.
CT3 and CT3 12-FO line modules support channelized DS3
(channelized to DS1, fractional DS1, or the DS0 level).
FE-2 line module supports Fast Ethernet.
HSSI line module supports high-speed serial interfaces.
IPSec Service module provides tunnel service for secure tunnels.
GE/FE line module supports Gigabit Ethernet and Fast Ethernet.
OC3/STM1 (dual-port) line module supports OC3/STM1.

Configuring Physical Layer Interfaces

ERX Edge Routers

OCx/STMx ATM line module supports OC3/STM1 and

OC12/STM4 ATM.
OCx/STMx POS line module supports OC3/STM1 and OC12/STM4
POS.
T3 line module and COCX-F3 line module support unchannelized
DS3.
TSM provides tunnel service for IP tunnels, L2F tunnels, and LNS
termination.
X.21/V.35 line module supports X.21/V.35 serial interfaces.
A variety of protocols are supported over these interfaces, including
IP/Frame Relay, IP/ATM, IP/PPP, as well as the protocols to enable
B-RAS services. The systems DSx and E1/E3 implementations support
termination, statistics gathering, alarm surveillance, and performance
monitoring. These links can be used for either network ingress or network
egress.

CT3
Business
and
Consumer
Users

FT1
T1
T3
fE1

ERX System Uplink to core

OC3/STM1

E1

DS3/E3

E1
Core
Edge
Service Provider Network
Figure 1-4 ERX system support for fractional T1/E1 through T3/E3 interfaces

As shown in Figure 1-4, the system can support fractional, full, and
channelized interfaces.
Note: See ERX Installation and User Guide, Chapter 3, Installing ERX Modules,
for a discussion of slot groups and the combination of line modules allowed in the
ERX system.

1-11

1-12

CHAPTER 1
Planning Your Network

Line Module Features

The following features are supported by the system line modules:

Three different clocking options: internal timing, loop timing, and
chassis timing
DS3 framing type both M23 framing and C-bit parity
DS1 framing type both D4 framing mode and ESF framing mode
DS3 loopback for line, payload, diagnostic, and DS1 loopbacks (see
Diagnostics in ERX Product Overview Guide, Chapter 5, Statistics,
Accounting, and Diagnostics, for more information)
DS1 loopback for line, payload, and diagnostic loopbacks (see
Diagnostics in ERX Product Overview Guide, Chapter 5, Statistics,
Accounting, and Diagnostics, for more information)
DS3/DS1 line status/alarm monitoring
DS1 line coding type both AMI line encoding and B8ZS line
encoding
Unique IP interface support for each PPP or Frame Relay PVC
interface
Configurable HDLC Parameters

The following HDLC parameters are configurable:

Mapping of DS0 timeslots for T1/FT1 DS0 mapping
Setting the speed of the DS0 to Nx56 or Nx64
HDLC CRC checking (enable/disable)
HDLC CRC algorithm (CRC16 or CRC32)
Channel data inversion (enable/disable)
Maximum receive unit (MRU)
Maximum transmit unit (MTU)
Statistics are also gathered per line module.

Configuring Physical Layer Interfaces

ERX Edge Routers

Configuring CT3 Interfaces

There are three T3 controllers available on each CT3 line module and 12
T3 controllers available on each CT3 12-FO line module. When you
configure these T3 controllers, you are actually configuring T3 (DS3)
lines. Each T3 controller has, by definition, 28 T1 controllers
representing T1 (DS1) lines.
Use the T3 and T1 commands described in ERX Physical and Link
Layers Configuration Guide, Chapter 1, Configuring Channelized T3
Interfaces, to:
Specify the line characteristics, such as framing format and clock
source, for T3s and associated T1s.
Assign full and fractional T1 channels (DS0) to a virtual channel.
Figure 1-5 shows sample parameters for a CT3 interface configuration.

HDLC controller
Fractional T1 channels
Layer 1
Physical Layer

T1 controllers

T3 controllers
CT3

data inversion: no
MTU size: 1600 bytes
MRU size: 1600 bytes
loopback: none
fractional T1 (DS0) timeslots: 1, 3-8, 1
channel/subchannel: 2/1
line speed: 64kbps
framing: esf
linecode: B8ZS
clock source: line
slot/port on the ERX system chassis:
framing: c-bit
cable length: 220 feet
clock source: line
loopback: none

Figure 1-5 CT3 interface configuration parameters

The following sample command sequence configures a serial interface for

a CT3 module. See ERX Physical and Link Layers Configuration Guide,
Chapter 1, Configuring Channelized T3 Interfaces, for details.
host1(config)#controller t3 0/1
host1(config-controll)#framing c-bit
host1(config-controll)#clock source line
host1(config-controll)#cablelength 220
host1(config-controll)#t1 2/1
host1(config-controll)#t1 2 framing esf
host1(config-controll)#t1 lineCoding b8zs
host1(config-controll)#t1 timeslots 2/1 1,3-8,10-12
host1(config-controll)#interface serial 0/1:2/1

1-13

1-14

CHAPTER 1
Planning Your Network

Configuring T3 and E3 Interfaces

The T3 and E3 line modules support the following wide-area network

(WAN) protocol encapsulations:
IP over PPP
IP over ATM
IP over PPP over ATM
IP over PPP over PPPoE over ATM
The T3 and E3 modules support the following WAN protocol
encapsulations:
IP over PPP
IP over Frame Relay
Figure 1-6 shows sample configuration parameters for a T3 interface
configuration.

Layer 1
Physical Layer

HDLC controller
T3 controller

T3

CRC: 32 bit
data inversion: yes
MTU size: 1600 bytes
MRU size: 1600 bytes
loopback: none
slot/port on the ERX system chassis: 0/1
framing: m23
cable length: 300 feet
ds-3 scramble: enabled
clock source: line
loopback: none

Figure 1-6 T3 interface configuration parameters

The following sample command sequence configures a serial interface for

a T3 module. See ERX Physical and Link Layers Configuration Guide,
Chapter 2, Configuring T3 and E3 Interfaces, for details.
host1(config)#controller t3 0/1
host1(config-controll)#framing m23
host1(config-controll)#cablelength 300
host1(config-if)#ds3-scramble
host1(config)#interface serial 0/1
host1(config-if)#invert data
host1(config-if)#mtu 1600
host1(config-if)#mru 1600

Configuring Physical Layer Interfaces

ERX Edge Routers

Configuring CT1 and CE1 Line Interfaces

Figure 1-7 shows the configuration parameters for a sample T1 interface

configuration on a CT1 line module.

Layer 1
Physical Layer

HDLC controller
T1 controller

T1

CRC: 32 bit
data inversion: yes
MTU size: 1600 bytes
MRU size: 1600 bytes
loopback: none
slot/port on the ERX system chassis: 0/1
fractional T1 (DS0) timeslots: 1, 3-8, 10
framing: sf
line coding: ami
cable length: 200 feet
ds-3 scramble: enabled
clock source: line
loopback: none
trap link status: enabled

Figure 1-7 T1 Interface configuration parameters

The following sample command sequence configures a serial interface for

a T1 module. See ERX Physical and Link Layers Configuration Guide,
Chapter 3, Configuring CT1 and CE1 Interfaces, for details.
host1(config)#controller t1 0/1
host1(config-controll)#channel group 2 timeslots 1,3-8,10
host1(config-controll)#framing sf
host1(config-controll)#lineCoding ami
host1(config-controll)#cablength short 200
host1(config-controll)#channel-group 2 trap link-status
host1(config)#interface serial 0/1:2
host1(config-controll)#crc 32
host1(config-if)#invert data
host1(config-if)#mtu 1600
host1(config-if)#mru 1600

Configuring OC3 (Dual-Port) and OCx/STMx Interfaces

The system supports IP/ATM and IP/PPP over SONET on the OC3
(dual-port) and OCx/STMx interfaces. This interface support allows
service providers to accept incoming optical connections or connect the
system to the backbone network through optical connections. The
systems SONET implementation supports termination, statistic
gathering, and alarm surveillance at the section, line, and path layers of a
SONET interface.

1-15

1-16

CHAPTER 1
Planning Your Network

ERX System
Business
and
Consumer
Users

FT1

Uplink to Core
OCx/STMx

T1
E3

OC12/STM4

OC3/STM1
Edge

Core
Service Provider
Network

Figure 1-8 SONET interfaces

The following sample command sequence configures POS for an OC3

interface. See ERX Physical and Link Layers Configuration Guide,
Chapter 15, Configuring Packet over SONET, for details.
host1(config)#interface pos 0/1
host1(config-if)#encapsulation ppp
host1(config-controll)#clock source internal module
host1(config-controll)#loopback line
host1(config-controll)#pos framing sdh
host1(config-controll)#mtu 1600
host1(config-controll)#mru 1600
host1(config-controll)#pos scramble-atm

Configuring Channelized OCx/STMx Line Interfaces

The cOCx/STMx modules are generally used for circuit aggregration on

the system. This line module supports the following controllers over
OC3/STM1 or OC12/STM4, depending on the I/O module used with
the line module:
Fractional T1/E1 over SONET/SDH virtual tributaries or T3
Unframed E1
Unchannelized DS3
Figure 1-9 shows the configuration parameters for a sample T1 over DS3
interface configuration.

Configuring Physical Layer Interfaces

ERX Edge Routers

HDLC controller
Fractional T1 channels
T1 controllers
T3 controllers
Layer 1
Physical Layer

SONET path
controllers
SONET line/section
controllers

CRC: 16 bit
data inversion: no
MRU size: 1600 bytes
fractional T1 (DS0) timeslots: 1, 3-8, 10-12
channel/subchannel: 3/0
clock source: line
slot/port on the ERX system chassis: 3/0
clock source: line
framing: c-bit
loopback: none
SNMP trap link-status processing:disabled
path number 12
SNMP trap link-status processing:disabled
SNMP trap link-status processing:enabled

cOCx/STMx

Figure 1-9 Parameters for cOCx/STMx interface configuration

The following sample command sequence configures T1 over DS3 on a

channelized SONET interface. See ERX Physical and Link Layers
Configuration Guide, Chapter 5, Configuring Channelized OCx/STMx
Interfaces, for details.
host1(config)#controller sonet 3/0
host1(config-controller)#path 12 oc1 4/1
host1(config-controller)#path 12 ds3 1 channelized
host1(config-controller)#path 12 ds3 1 t1 4
host1(config-controller)#path 12 ds3 1 t1 4/2 timeslots 1,
3-8, 10-12
host1(config)#interface serial 3/0:12/1/4/2

Configuring Ethernet Interfaces

Ethernet interfaces support IP, PPPoE, multinetting (multiple IP

addresses), and VLANs (subinterfaces). Ethernet modules use the Address
Resolution Protocol (ARP) to obtain MAC addresses for outgoing
Ethernet frames and support quality of service (QoS) classification. See
ERX Physical and Link Layers Configuration Guide, Chapter 6,
Configuring Ethernet Interfaces, for a description of limitations for
individual modules.

1-17

1-18

CHAPTER 1
Planning Your Network

Use the FE and GE commands described in Configuring Ethernet

Interfaces to:
Configure with IP only, with PPPoE only, with both IP and PPPoE,
and with or without VLANs.
Specify the line speed and duplex mode.
Specify the MTU.
Set the time interval at which the ERX system calculates bit and
packet rate counters.
The following sample command sequence configures an IP interface on a
VLAN on an Ethernet interface:
host1(config)#interface fastethernet 2/0.1
host1(config-if)#vlan id 100
host1(config-if)#interface fastethernet 2/0.1.1
host1(config-if)#ip address 192.1.1.1 255.255.255.0

The following sample command sequence adds an IP interface over

PPPoE to the same VLAN:
host1(config)#interface fastethernet 2/0.1.2
host1(config-if)#encapsulation pppoe
host1(config-if)#interface fastethernet 2/0.1.2.1
host1(config)#encapsulation ppp
host1(config-if)#ip address 192.2.2.1 255.255.255.0

Configuring HSSI Interfaces

High-speed serial interfaces (HSSIs) support high-speed WAN switching

services such as Frame Relay and SMDS (SMDS trunk encapsulation).
You can configure an interface to act as data communication equipment
(DCE) or data terminal equipment (DTE).
Figure 1-10 shows sample configuration parameters for a HSSI
configuration.

Layer 1
Physical Layer

DTE

CRC: 32 bit
MTU size: 1600 bytes
SNMP trap link-status processing: enabled

HSSI
Figure 1-10 Parameters for HSSI configuration

Configuring Physical Layer Interfaces

ERX Edge Routers

The following sample configuration shows how to use the HSSI as a

DTE. See ERX Physical and Link Layers Configuration Guide,
Chapter 7, Configuring HSSIs, for details.
host1(config)#interface hssi 3/0
host1(config-if)#crc 32
host1(config-if)#mtu 1200
host1(config-if)#snmp trap link-status

Configuring X.21/V.35 Interfaces

X.21/V.35 interfaces are serial interfaces that support the following:

Data communications equipment (DCE) or data terminal equipment
(DTE) operation
Maximum data rate of 10 Mbps per port, 50 Mbps across all ports
Figure 1-11 shows sample configuration parameters for an X.21/V.35
interface configuration.

Layer 1
Physical Layer

DCE

Clock rate: 1536000

CRC: 32 bit
Load interval 100
MTU size: 1600 bytes

X.21/V.35
Figure 1-11 Parameters for X.21/V.35 configuration

The following example shows how to configure the X.21/V.35 interface as

a DCE. See ERX Physical and Link Layers Configuration Guide,
Chapter 8, Configuring X.21/V.35 Interfaces, for details.
host1(config)#interface serial 3/1
host1(config-if)#clock rate 1536000
host1(config-if)#crc 32
host1(config-if)#mtu 1200
host1(config-if)#nrzi-encoding

1-19

1-20

CHAPTER 1
Planning Your Network

Configuring IPSec Service Interfaces

IPSec Service modules support interfaces associated with secure IP

tunnels. You configure and delete these interfaces statically; however, the
system assigns tunnels to the interfaces dynamically. This mechanism
means that you must manage the interfaces for tunnels manually;
however, the system will add and remove tunnels when required.
For information on configuring secure IP interfaces, see ERX Routing
Protocols Configuration Guide, Vol. 1, Chapter 10, Configuring IPSec.
For information about managing IPSec service interfaces, see ERX
Physical and Link Layers Configuration Guide, Chapter 9, Managing
Tunnel Service and IPSec Service Interfaces.
Configuring TSM Interfaces

You can configure both dynamic tunnels associated with L2TP and L2F
and static IP tunnels on your ERX system; however, you must first install
a TSM. Dynamic tunnels, which are not associated with a particular
interface, are described in ERX Broadband Access Configuration Guide,
Chapter 3, Configuring L2TP. Static tunnels, in which the tunnel is
assigned to a particular interface and specified in slot/port format, are
described in ERX Routing Protocols Configuration Guide, Vol. 1,
Chapter 4, Configuring IP Tunnels.
For information about managing these types of tunnels on the system, see
ERX Physical and Link Layers Configuration Guide, Chapter 9,
Managing Tunnel Service and IPSec Service Interfaces.

Configuring Data Link Layer Interfaces

You can configure the following data link layer interfaces:
IP/ATM
IP/Cisco HDLC
IP/Ethernet
IP/Frame Relay or multilink Frame Relay
IP/PPP or multilink PPP

Configuring Data Link Layer Interfaces

ERX Edge Routers

Configuring IP/Frame Relay

The system supports IP over Frame Relay PVCs on the CT3, CT1, CE1,
T3, and E3 modules. The interface presented to the incoming traffic is an
IP/Frame Relay router. In addition, IP/PPP/Frame Relay is supported on
the T3 and E3 modules. With this interface, the service provider can:
Receive traffic from subscribers that have CPE equipment, such as
routers with Frame Relay interfaces
Take in traffic from other network devices that use Frame Relay, such
as DSLAMs and Frame Relay switches
Use Frame Relay as an uplink technology on an unchannelized T3 or
E3 link
Figure 1-12 shows the structure of the system Frame Relay interface.
Each system Frame Relay major interface sits on top of an HDLC
interface. The Frame Relay implementation is divided into two levels: a
major interface and one or more subinterfaces. This division allows a
single physical interface to support multiple logical interfaces. Multiple IP
interfaces can also be assigned to each Frame Relay major interface
through the subinterfaces.
IP interface

Frame Relay
subinterface 1

IP interface

OSI interface

Frame Relay
subinterface 2

IP interface

Frame Relay
subinterface N

Frame Relay
Major Interface
Frame Relay layer
HDLC

Figure 1-12 Frame Relay interface design

Figure 1-13 shows the structure of the Frame Relay protocols with the
physical layer as the foundation. For Frame Relay, the physical layer can
be CE1, E3, CT1, T3, or a fractional service, as supported by the
different line module ports. The HDLC layer is on top of the physical
layer and can support flexible assignment of physical resources.
For example, an HDLC channel can support one DS0, fractional T1s, or
an entire T1. The major Frame Relay interface sits on top of the HDLC

1-21

1-22

CHAPTER 1
Planning Your Network

resource, and the subinterfaces sit on top of the major interface. The
Frame Relay subinterfaces connect to the IP interface layer.

IP
Frame Relay

LMI

HDLC
Physical (DSx/Ex)

Figure 1-13 Structure of Frame Relay protocols

The system supports Frame Relay LMI (local management interface) to

provide the operator with configuration and status information relating
to the Frame Relay VCs in operation. LMI specifies a polling mechanism
to receive incremental and full-status updates from the network. The
system can represent either side of the User-to-Network Interface (UNI)
and supports unidirectional LMI. Bidirectional support for
Network-to-Network Interface (NNI) is also supported.
Figure 1-14 shows sample configuration parameters for Frame Relay on a
serial interface.

Layer 2
Data Link Layer

PVCs

Frame Relay

DLCI Number: 17
IP address of interface: 192.30.10.2
encapsulation: frame relay
dce or dte: dte
link management type: Annex D
MTU size: 8188 bytes
LMI counters and timers:
accept ERX system defaults

Figure 1-14 Serial interface configuration parameters for a Frame Relay connection

The following sample command sequence configures a serial interface for

Frame Relay. See ERX Physical and Link Layers Configuration Guide,
Chapter 11, Configuring Frame Relay, for information.
host1(config-if)#interface serial 0/1:1/5
host1(config-if)#encapsulation frame-relay ietf
host1(config-if)#frame-relay intf-type dte
host1(config-if)#frame-relay lmi-type ansi
host1(config-if)#interface serial 0/1:1/5.1
host1(config-subif)#frame-relay interface-dlci 17 ietf
host1(config-subif)#ip address 192.32.10.2 255.255.255.0

Configuring Data Link Layer Interfaces

ERX Edge Routers

Configuring IP/ATM

The system supports IP over ATM PVCs on the T3 ATM, E3 ATM,

OC3 (dual-port), and OCx/STMx ATM line modules. This support
allows service providers to receive traffic from subscribers who have CPE
equipment, such as routers with ATM interfaces, to take in traffic from
other network devices that use ATM, such as DSLAMs, and to connect to
service providers with ATM backbone structures. See Figure 1-15.
Business and
Consumer Users

ERX System
IP/ATM
IP/PPP/ATM
DSLAM

ATM
Uplink to core

ATM

IP/PPP/ATM
Service Provider Network
IP/PPPoE/ATM

Figure 1-15 ERX system IP/ATM access connection

Figure 1-16 shows the structure of the ATM interface. For ATM, this can
be SONET, DS3, or E3 as supported by the different line modules. The
major ATM interface sits on top of the SONET/DS3/E3 resource, and
the subinterfaces sit on top of the major interface. The ATM
subinterfaces connect to the IP interface layer.

1-23

1-24

CHAPTER 1
Planning Your Network

IP interface

IP interface

IP interface

ATM
subinterface 1

ATM
subinterface 2

ATM
subinterface N

ATM
Major Interface
ATM Layer
SONET

DS3/E3

Figure 1-16 Structure of the ATM interface design

Figure 1-17 shows the structure of the ATM protocols. The physical layer
(SONET and/or DSx/Ex) is the foundation and provider of layer 1
framing service. The ATM layer is on top and provides cell, circuit, and
OAM services. The AAL5 layer provides a frame-oriented interface to
the ATM layer. The integrated local management interface (ILMI)
provides local management across the UNI.
IP
PPP
RFC1483 Data Service
LLC

I
L
M
I

AAL5
ATM
SONET

DSx/Ex

Figure 1-17 Structure of ATM protocol

Figure 1-18 shows sample configuration parameters for a typical ATM

interface configuration.

Configuring Data Link Layer Interfaces

ERX Edge Routers

Layer 2
Data Link Layer

PVCs

virtual cicruit descriptor: 22

virtual path identifier: 100
virtual channel identifier: 10
IP address of interface: 192.32.10.20

ATM

encapsulation: aal5snap

Figure 1-18 ATM interface configuration parameters

The following sample command sequence configures an ATM interface

on port 0 of the line module in slot 1. See ERX Physical and Link Layers
Configuration Guide, Chapter 10, Configuring ATM, for information on
how to configure an ATM interface.
host1(config)#interface atm 0/1
host1(config-if)#interface atm 0/1.20
host1(config-if)#atm pvc 10 22 100 aal5snap
host1(config-subif)#ip address 192.32.10.20 255.255.255.0

Configuring IP/PPP

The system supports IP/PPP on the CT3, E1, and T3/E3 interfaces and
IP/PPP/SONET on the OC3/STM1 and OC12/STM4 interfaces. This
support allows service providers to accept traffic from subscribers who
have CPE equipment, such as routers with PPP interfaces, and to
transmit traffic in PPP format to other network devices.
Business Users

ERX System
IP/PPP

Uplink to core
IPP/PPP/SONET
IP/PPP

Service Provider Network

Figure 1-19 The ERX system supports IP/PPP connections from the CPE

1-25

1-26

CHAPTER 1
Planning Your Network

Figure 1-19 shows that the system supports the incoming IP/PPP traffic
from the CPE. This traffic can then be routed to the uplink(s) attached to
the system or to other CPEs that are attached to the system.
As shown in Figure 1-20, the PPP protocol can exist directly on top of the
HDLC layer or on top of a layer 2 Frame Relay or ATM interface. In
either case, IP rides on top of PPP, providing support for IP/PPP/ATM,
IP/PPP/HDLC, and IP/PPP/Frame Relay. Both SONET and DSx/Ex
interfaces are supported at the physical layer.
IP

PPP

ATM

Frame
Relay
HDLC

SONET

DSx/Ex

Figure 1-20 Structure of PPP

Figure 1-21 shows sample configuration parameters for PPP on a serial

interface.

Layer 2
Data Link Layer

PPP

IP address of interface: 192.32.22.10

encapsulation: ppp

Figure 1-21 ATM interface configuration parameters

The following sample command sequence configures PPP on a serial

interface. See ERX Physical and Link Layers Configuration Guide,
Chapter 13, Configuring Point-to-Point Protocol, for details.
host1(config)#interface serial 3/0:2/5
host1(config-if)#encapsulation ppp
host1(config-if)#ip address 192.32.22.10 255.255.255.0

Configuring Data Link Layer Interfaces

ERX Edge Routers

Configuring IP/HDLC

The ERX system supports IP over Cisco HDLC on many types of serial
interfaces. Cisco HDLC monitors line status on a serial interface by
exchanging keepalive request messages with peer network devices. It also
allows routers to discover IP addresses of neighbors by exchanging Serial
Link Address Resolution Protocol (SLARP) address request and address
response messages with peer network devices.
The system Cisco HDLC is compatible with Cisco Systems Cisco-HDLC
protocol, the default protocol for all Cisco serial interfaces.
The system supports the following framing features:
HDLC for data-link framing
18,000-byte information field size
IP
Cisco
HDLC
HDLC
ATM
SONET

HDLC
DSx/Ex

Figure 1-22 Structure of Cisco HDLC protocol

As shown in Figure 1-22, the Cisco HDLC protocol can exist directly on
top of the HDLC layer or ATM or SONET interface. Both SONET and
DSx/Ex interfaces are supported at the physical layer.
Configuring IP over Ethernet

The ERX system supports IP/Ethernet. When you select an Ethernet

interface, you can assign an IP address to it, as the following example
shows:
host1(config)#interface fastethernet 4/1
host1(config-if)#ip address 192.5.127.8 255.255.255.0

Figure 1-23 shows the IP/Ethernet interface stack.

1-27

1-28

CHAPTER 1
Planning Your Network

IP interface
192.5.127.8

Gigabit
Ethernet
T3 controllers
interface
4/1
CT3
Figure 1-23 Example of IP over Ethernet stacking configuration steps

Configuring Routing Protocols

After you have set up the interfaces on which IP traffic flows, you can
configure the following routing protocols:
IP Multicast IP multicasting allows a device to send packets to a
group of hosts, rather than to a list of individual hosts. Routers use
multicast routing algorithms to determine the best route and transmit
datagrams throughout the network. See ERX Policy Management and
QoS Configuration Guide, Chapter 3, Configuring IP Multicasting,
for information on how to configure IP Multicast.
Open Shortest Path First (OSPF) This interior gateway protocol
(IGP) advertises the states of network links within an autonomous
system. An autonomous system is a set of routers having a single
routing policy running under a single technical administration. See
ERX Routing Protocols Configuration Guide, Vol. 1, Chapter 7,
Configuring OSPF, for information on how to configure OSPF.
Integrated Intermediate SystemtoIntermediate System (integrated
IS-IS) The integrated IS-IS protocol provides routing for IP
networks and is an extension of the original IS-IS protocol, which
provides routing for pure Open Systems Interconnection (OSI)
environments. This link state protocol builds a complete and consistent
picture of a networks topology by sharing link state information across
network devices in a routing domain. A routing domain is a collection
of contiguous networks that provide full connectivity to all end systems
located within them. See ERX Routing Protocols Configuration
Guide, Vol. 1, Chapter 8, Configuring IS-IS, for information on how
to configure IS-IS.

Configuring VRRP
ERX Edge Routers

Border Gateway Protocol (BGP) An external gateway protocol (EGP)

that provides loop-free interdomain routing between autonomous
systems. See ERX Routing Protocols Configuration Guide, Vol. 2,
Chapter 1, Configuring BGP Routing, for information on how to
configure BGP.
Routing Information Protocol (RIP) An IGP created for use in small,
homogeneous networks. RIP uses distance-vector routing to route
information through IP networks. See ERX Routing Protocols
Configuration Guide, Vol. 1, Chapter 6, Configuring RIP, for
information on how to configure RIP.
Multiprotocol Label Switching (MPLS) A hybrid protocol that
integrates network layer routing with label switching to provide a layer
3 network with traffic management capability. Traffic engineering
enables more effective use of network resources while maintaining high
bandwidth and stability. MPLS enables service providers to offer their
customers the best service available given the providers resources.
There are two fundamental aspects to MPLS:
> Label distribution The set of actions MPLS performs to establish

and maintain a label-switched path (LSP), also known as an MPLS

tunnel.
> Data mapping The process of getting data packets onto an

established LSP.
See ERX Routing Protocols Configuration Guide, Vol. 2,
Chapter 2, Configuring MPLS, for information about configuring
MPLS.
In addition, if you want to make configuration adjustments to IP, see
ERX Routing Protocols Configuration Guide, Vol. 1, Chapter 2,
Configuring IP, for details.

Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) can prevent loss of
network connectivity to end hosts if the static default IP gateway fails. By
implementing VRRP, you can designate a number of routers as backup
routers in the event that the default master router fails. You can
configure VRRP on IP/Ethernet interfaces.
For information on configuring VRRP, see ERX Routing Protocols
Configuration Guide, Vol. 1, Chapter 9, Configuring VRRP.

1-29

1-30

CHAPTER 1
Planning Your Network

Configuring Routing Policy

The system supports a number of features that allow the service provider
to control the exchange of routing information between virtual routers in
the system, between routers in the network, and between protocols within
a router:
Access lists Provide filters that can be applied to route maps or
distribution lists. They allow policies to be created, such as a policy to
prevent forwarding of specified routes between the BGP-4 and IS-IS
routing tables.
Route maps Modify the characteristics of a route (generally to set its
metric or to specify additional attributes) as it is transmitted or
accepted by a router. Route maps may use access lists to identify the set
of routes to modify.
Distribution lists Control the routing information that is accepted or
transmitted to peer routers. Distribution lists always use access lists to
identify routes for distribution. For example, distribution lists could use
access lists to specify routes to advertise.
Redistribute routes Allow routes to be shared between routing
protocols and routing domains. For example, a subset of BGP-4 routes
could be leaked into the IS-IS routing tables.
See ERX Routing Protocols Configuration Guide, Vol. 1, Chapter 1,
Configuring Routing Policy, for details.

QoS
QoS is a suite of features that configure queuing and scheduling on the
forwarding path of your ERX system. QoS provides a level of
predictability and control beyond the current best-effort service. Your
ERX system provides best-effort data delivery by default. Packets not
assigned to a specific traffic class are carried in the best-effort traffic class.
Best-effort service provides packet transmission with no guarantee of
results.
The major QoS features that the ERX system provides are:
Multiple traffic classes
Configurable scheduling
Configurable buffer management
For information on configuring QoS, see ERX Policy Management and
QoS Configuration Guide, Chapter 2, Configuring Quality of Service.

Policy Management
ERX Edge Routers

Policy Management
Policy management allows network service providers to implement packet
forwarding and routing specifically tailored to their customers
requirements. Using policy management, customers can implement
policies that selectively cause packets to take different paths. Policy
management provides several types of services:
Policy routing Predefines packet flow to a destination port or IP
address
QoS classification and marking Marks packets of a packet flow.
Packet forwarding Allows forwarding of a packet flow.
Packet filtering Drops packets of a packet flow.
Packet logging Logs packets of a packet flow.
Rate limiting Enforces line rates below the physical line rate of the
port and sets limits on packet flows.
RADIUS policy support Allows you to attached a preconfigured
policy to an interface through RADIUS.
See ERX Policy Management and QoS Configuration Guide, Chapter 1,
Configuring Policy Management, for details about configuring policy
management.

Configuring Remote Access

The ERX system supports the following remote access functionality:
Broadband Remote Access Server (B-RAS) This application runs on
the system and is responsible for:
> Aggregating the output from DSLAMs
> Providing user PPP sessions and PPP session termination
> Enforcing QoS policies
> Routing traffic into an ISPs backbone network

See ERX Broadband Access Configuration Guide, Chapter 1,

Configuring Remote Access to the ERX System.

1-31

1-32

CHAPTER 1
Planning Your Network

Layer 2 Tunneling Protocol (L2TP) A method of encapsulating layer

2 packets, such as PPP, for transmission across a network. In an L2TP
relationship, an L2TP Access Concentrator (LAC) forms a
client-server relationship with a destination, known as an L2TP
Network Server (LNS), on a remote network.
You can configure the system to act as an LAC in PPP pass-through
mode. The system creates tunnels dynamically by using AAA
authentication parameters and transmits L2TP packets to the LNS
through IP/UDP. See ERX Broadband Access Configuration Guide,
Chapter 3, Configuring L2TP.
Layer Two Forwarding (L2F) A method that provides virtual dial-up
service over the Internet. The traditional method for a remote user to
access a companys network is through remote access equipment that is
directly attached to the corporate network. This method requires a
significant investment in equipment and support in addition to the cost
of telephone charges for remote workers calling into the access
equipment.
By employing L2F, an ISP can provide local access for the remote
worker and forward the data traffic through a tunnel to the corporate
network. This method allows a company to outsource the investment
in remote access equipment to the ISP, while retaining full control over
access to the corporate network. In particular, L2F allows leveraging
multiple protocols and private addressing across the existing Internet
infrastructure. See ERX Broadband Access Configuration Guide,
Chapter 4, Configuring L2F.
Non-PPP equal access A method of allowing remote access in which
the system provides IP addresses to subscribers computers through
Dynamic Host Configuration Protocol (DHCP). This method is
particularly convenient for broadband (cable and DSL) environments
or environments that use bridged Ethernet over ATM, because
network operators can support one central system rather than an
individual PPPoE client on each subscribers computer. See ERX
Broadband Access Configuration Guide, Chapter 5, Configuring
DHCP Local Server.

Command Line
Interface

This chapter provides information about your ERX systems command

line interface (CLI).
Topic

Page

Overview

2-1

Accessing the CLI

2-21

Using Help

2-22

Using Command Line Editing

2-26

Accessing Command Modes

2-29

Overview
Managing your system using the CLI gives you access to thousands of
commands. The systems CLI uses an industry de facto standard look and
feel, which may be familiar to you. If you are new to this CLI, it is helpful
to read this entire chapter, where you can learn about CLI shortcuts and
other helpful information.
Command Modes

Command modes set a context for the CLI. Each command in the CLI is
available from one or more command modes. From some command
modes you can only view router information; from others you can
perform configuration tasks. For example, you can access User Exec
mode to display information and then access Global Configuration mode
to set parameters or enable a particular feature. By recognizing the
command line prompt, you can identify where you are in the CLI at any

2-2

CHAPTER 2
Command Line Interface

given point. When you can easily identify where you are, it is easy to get
to where you want to be.

Start
(User-established connection)

View
User EXEC
Mode

Privileged
EXEC Mode

Controller
Configuration

Line
Configuration

Route Map
Configuration
Router
Configuration

Global
Configuration
VRF
Configuration

Policy
Configuration

Interface
Configuration

Subinterface
Configuration

Configuration Modes
Figure 2-1 Command mode architecture

Overview
ERX Edge Routers

Figure 2-1 illustrates the command mode architecture. Only some of the
many Global Configuration modes are shown.
Command modes are discussed in greater detail in the section Accessing
Command Modes. See the ERX Command Reference Guide to find a
commands related command mode.
Command Line Prompts

Within the CLI, the command line prompt identifies both the hostname
and the command mode. The hostname is the name of your system; the
command mode indicates your location within the CLI system.
For example:
hostname

command mode

RX-01-01-01(config-router)#

Keywords and Parameters

CLI commands are made up of two primary elements: keywords and

parameters.
Keywords

Every command requires at least one keyword; however, a command can

contain other optional keywords. The keyword(s) must be typed into the
CLI accurately for it to be recognized. These are examples of keywords:
reload
run
router
map-class
map-list
clear ip isis redistribution
show vlan subinterface
qos-port-type-profile
no rtr reset
radius calling-station-delimiter

You can abbreviate keywords; however, you must enter enough initial
characters to unambiguously identify the command. For example, if the
keyword you want to specify is map-class and you enter only map-, an

2-3

2-4

CHAPTER 2
Command Line Interface

error appears. The error indicates that one or more possible keywords
begin with map-, thus making your entry ambiguous.
Parameters

Parameters are often required elements of a command; however, for some

commands, parameters are not required. A parameter is most often a
value that you specify after the keyword. There are different types of
parameters, such as strings, integers, or IP addresses. The CLI indicates
the type of parameter that you must enter. When you see a range of
numbers or uppercase letters, it indicates that you must specify a value.
For example:
CLI Parameter Placeholder or Range

Sample Parameter User Input

ROUTER[:VRF]

charlie:1234

INTERFACE

3/2:20/15

WORD

windtunnel

<04294967295>

5600

A.B.C.D

192.56.32.2

Keywords and Parameters Together

By combining keywords and parameters in the correct sequence, you can

begin using the CLI to configure and monitor your system. For example,
you could specify the command hostname to change the name of your
system by entering a keyword and a parameter. You need to type only the
portion of the keyword that makes it unambiguous, such as hostn. Here,
the value of the parameter, which is the name you assign to the host, is a
string of up to 64 characters.
command
line prompt

command
keyword

parameter

host1(config)#hostn unispshere

When you enter this command, the new hostname appears in the
prompt.
unisphere(config)#
new command line prompt

Another example is a command that requires you to enter a number from

within a given range. The command ip http port requires that a value be

Overview
ERX Edge Routers

entered for the portNumber parameter. The value of this parameter is a

number in the range of 065535. For example, you could enter:
juniper(config)#ip http port 56789

Note: You can find detailed information about command syntax, with parameter
values defined, in the ERX Command Reference Guide.

Using CLI Commands

This section introduces some useful shortcuts and command-related

highlights. These include:
Abbreviated Commands
The ? Key
<Backspace> or <Delete>
<Enter>
<Tab>
Arrow Keys
The no Version (no Commands)
run Commands
show Commands
The - - More - - Prompt
Responding to Prompts
Abbreviated Commands

Remember, you can abbreviate keywords to save time if you enter at least
enough leading characters to uniquely identify the desired keyword. For
example:
host1(config-if)#ip re

This abbreviation is for the command ip redirects. The string ip re is

enough information for the system CLI to identify the command you are
using. See the section Using Help for additional information.

2-5

2-6

CHAPTER 2
Command Line Interface

The ? Key

Use the ? key at any time to see all the choices you can enter next. For
example:
host1(config)#router ?
bgpConfigure the Border-Gateway Protocol (BGP)
isisConfigure ISO IS-IS
ospfConfigure the Open Shortest Path First protocol (OSPF)
ripConfigure the Routing Information Protocol
host1(config)#router

When you enter the ? character, all available choices are displayed. The
system again displays the command you typed. You then only have to
type in the choice you want and press the <Enter> key.
A <cr> in the list of choices means that you can press the <Enter> key to
execute the command. For example:
host1(config-if)#isis metric 40 level-2 ?
<cr>
host1(config-if)#isis metric 40 level-2

Note: If the list of options extends beyond one screen, the last line on your screen
displays the --More-- prompt.
Note: If you want to use the ? character as part of a string, such as a hostname or
a regular expression, you must enter the following key sequence: <Ctrl+V+?>.
Otherwise, the CLI considers the ? to be a request for assistance in completing the
command.

<Backspace> or <Delete>

Use either key to delete the character immediately preceding the cursor.
<Enter>

Always use this key to execute the command you entered.

<Tab>

Use this key to complete the current keyword. For example, if you entered
a portion of a lengthy command, such as
host1(config)#class

and press the <Tab> key, the full name of the command appears:
host1(config)#classifier-list

Overview
ERX Edge Routers

Arrow Keys

Some terminals have arrow (or cursor) keys on their keyboards. These
arrow keys are very useful; however, to use them you must have an
ANSI/VT100 emulating terminal.
The <Up Arrow> and <Down Arrow> keys display command history.
The <Up Arrow> key displays the previous command; you can also use
<Ctrl +P>. The <Down Arrow> key displays the next command; you can
also use <Ctrl+N>.
The <Left Arrow> and <Right Arrow> keys allow the user to move the
cursor back and forth in the command line.
The no Version

With very few exceptions, every system configuration command has a no

version, which you can use to negate a command (or a portion of it as
specified by an optional keyword) or to restore its default setting. When
you use a command without the keyword no, you can reenable a disabled
feature or override a default setting.
You have the option of using the default keyword whenever the no
keyword is also a choice; simply enter the keyword default instead of no.
In most cases, when you execute the default version of a command, it
produces the exact results as the no version. There are some commands
for which the default version yields a different result from the no version.
Commands for which the default behavior differs from the no behavior
are clearly identified in the ERX Command Reference Guide. Unless
otherwise specified, therefore, the default command is identical to the
no command and will neither be documented nor discussed.
The syntax for each no command is described in the ERX Command
Reference Guide. The few system configuration commands that do not
have a no version are indicated in the individual command description.
Because show commands are for the purpose of monitoring your
configurations, they do not have no versions. Most User Exec and
Privileged Exec commands do not have no versions.
The CLI can act on no versions of commands when you have entered
sufficient information to distinguish the command syntactically; the CLI
ignores all subsequent input on that line.
To be compatible with some non-Juniper Networks implementations, the
no versions of commands will accept the same options as the affirmative
version of the commands. The CLI ignores the optional input if it has no
effect on the command behavior. If using the option changes the behavior

2-7

2-8

CHAPTER 2
Command Line Interface

of the no version, the individual command entry in this guide describes

the difference in behavior.
run Command

You can run User Exec mode commands while in any Configuration
mode by preceding the command with the keyword run. For example:
host1(config)run show users

By using the run command in this way, you can obtain show command
information without leaving Configuration mode.
The only commands that cannot be preceded by run are the config
command and those commands that are already available in all modes,
such as sleep or exit.
Example 1

host1(config)#run show config | begin interface

interface null 0
!
interface fastEthernet 0/0
ip address 10.6.129.41 255.255.128.0
!
interface gigabitEthernet 5/0
!
interface atm 6/0
interface atm 6/0.1 point-to-point
encapsulation pppoe
!
interface atm 6/0.1.7
!
interface atm 6/0.1.5
!
interface atm 6/0.1.2
!
interface atm 6/0.1.9
!
interface atm 6/0.1.11
!
interface atm 6/0.1.15
!
interface atm 6/0.1.18
!
ip route 0.0.0.0 0.0.0.0 10.6.128.1
ip route 10.10.121.72 255.255.255.255 10.6.128.1
!

Overview
ERX Edge Routers

!
route-map adsf permit 10
router dvmrp
!
router igmp
!
snmp-server community private view everything rw
snmp-server contact Mary
snmp-server
!
! End of generated configuration script.
host 1(config)#int fa 0/0

Example 2

host1(config-if)#run dir

Please wait...
unshared

in

file

size

size

date (UTC)

use

------------------

---

--------

--------

-------------------

reboot.hty

31040

31040

10/30/2001 15:31:10

system.log

20481

20481

10/26/2001 17:24:16

8578

8578

soft_clear_in.mac

10/24/2001 14:39:02

erx_3-3-1.rel

71082105

71082105

10/25/2001 13:02:50

erx_3-3-1.rel

70502991

70502991

10/24/2001 19:58:08

autocfg.scr

355

355

09/28/2001 13:33:04

Capacity = 224133120, Bytes Free = 44986177, Reserved = 36700160

host1(config-if)#

show Commands

You have access to a variety of show commands that display system and
protocol information. You can filter the output of a show command by
specifying | (the UNIX pipe symbol), one of the following keywords, and
either a case-sensitive text string or a regular expression.
begin displays output beginning with the first line that contains the
text string or regular expression
include displays output lines that contain the text string or regular
expression and excludes lines that do not contain the text string or
regular expression
exclude displays output lines that do not contain the text string or
regular expression and excludes lines that do contain the text string or
regular expression

2-9

2-10

CHAPTER 2
Command Line Interface

For a list of regular expressions, see ERX Routing Protocols

Configuration Guide, Vol. 1, Chapter 1, Configuring Routing Policy. You
can press <Ctrl+C> to interrupt the show command output.
Note: The system does not recognize beginning spaces of the text string. For
example, if you enter include IP as the text string on which to filter, the system
ignores the space and displays lines that include words such as RIP.

Example 1

In the following example, the output display starts with the first line that
contains the string inter. The system omits all the preceding lines of the
output from the display because none of them contains the string inter.
host1#show config include-defaults | begin inter
Please wait...log verbosity low internalNetwork
log verbosity low ipEngine
log verbosity low ipProfileMgr
log verbosity low ipProfileMgrEngineering
no log engineering
log fields timestamp instance no-calling-task
!
timing select primary
timing source primary internal
timing source secondary internal
timing source tertiary internal
!
no disable-autosync
no disable-switch-on-error
no redundancy lockout 0
!
virtual-router default
ip domain-lookup
ip name-server 10.2.0.3
ip domain-name 789df
!
host f 10.10.133.11 ftp anonymous null
interface null 0
interface ip 0/0
arp timeout 21600
!
interface ip 2/0
arp timeout 21600
!
interface ip s10
arp timeout 21600
!
interface atm 2/0
no shutdown

Overview
ERX Edge Routers

atm sonet stm-1

loopback line
atm uni-version 3.0
atm oam loopback-location 0xFFFFFFFF
atm vc-per-vp 32768
atm vp-tunnel 1 10
load-interval 300
no atm snmp trap link-status
no atm shutdown
!
no atm aal5 snmp trap link-status
no atm aal5 shutdown
!
interface atm 2/0.1 point-to-point
no shutdown
no atm atm1483 shutdown
no atm atm1483 snmp trap link-status
!
ip route 0.0.0.0 0.0.0.0 10.13.5.1
ip debounce-time 0
ip source-route
!
router ospf 5
no ospf shutdown
ip route-type both
timers spf 3
maximum-paths 4
ospf auto-cost reference-bandwidth 100
distance ospf intra-area 110
distance ospf inter-area 112
distance ospf external 114
! Area 0.0.0.0
!
! Trap Source: <not configured>
! Note: SNMP server not running.
!
host1#

Example 2

In the following example, the output display consists only of lines that
contain the string ip. The system omits all other lines of the output from
the display because none of them contains the string ip.
host1#show config include-defaults | include ip
! Configuration script generated on WED JUN 06 2001 02:17:00
UTC
strip-domain disable
Please wait...log verbosity low ipEngine

2-11

2-12

CHAPTER 2
Command Line Interface

log verbosity low ipEngineering

log verbosity low ipGeneral
log verbosity low ipInterface
log verbosity low ipNhopTrackerEngineering
log verbosity low ipNhopTrackerGeneral
log verbosity low ipProfileMgr
log verbosity low ipProfileMgrEngineering
!
bandwidth oversubscription
ip domain-lookup
ip name-server 10.2.0.3
ip domain-name 789df
interface ip 0/0
interface ip 2/0
interface ip s10
ip address 10.13.5.61 255.255.255.0
no ip proxy-arp
no ip directed-broadcast
ip redirects
ip route 0.0.0.0 0.0.0.0 10.13.5.1
ip debounce-time 0
ip source-route
no ip ftp source-address
type echo protocol ipIcmpEcho 10.5.0.200 source
fastEthernet0/0
type pathEcho protocol ipIcmpEcho 10.2.0.3
type echo protocol ipIcmpEcho 10.5.0.11 source-ipaddr
10.13.5.61
!
controller t1 6/0
framing esf
lineCoding b8zs
clock source line
cablelength short 0
no remote-loopback
!
log engineering
log verbosity low
no log severity
log verbosity low NameResolverLog
log verbosity low atm
log verbosity low atm1483
log verbosity low atmAal5
log verbosity low bgpConnections
log verbosity low bgpDampening
!
host1#

Overview
ERX Edge Routers

Example 3

In the following example, the output display consists only of lines that do
not contain the string !. The system omits all other lines of the output
from the display because each line contains the string !.
host1#show config include-defaults | exclude !
boot config running-configuration
boot system 3-3-1.rel
no boot backup
no boot subsystem
no boot backup subsystem
boot revert-tolerance 3 1800
no boot force-backup
no boot slot
aaa domain-map jacksonville
virtual-router miami
strip-domain disable
aaa domain-map jak
virtual-router default
strip-domain disable
aaa domain-map northeast
virtual-router default
strip-domain disable
aaa delimiter realmName "/"
hostname host1
no aaa new-model
no service ctrl-x-reboot
no service password-encryption
no baseline show-delta-counts
clock timezone UTC 0 0
no exception dump
exception protocol ftp anonymous null
controller sonet 2/0
sdh
loopback network
clock source line
no shutdown
path 0 overhead j1 msg hello
path 0 overhead j1 exp-msg
ftp-server enable
no login
log engineering
log verbosity low
no log severity
log verbosity low NameResolverLog
log verbosity low aaaAtm1483Cfg
log verbosity low atm1483

2-13

2-14

CHAPTER 2
Command Line Interface

log verbosity low atmAal5

log verbosity low bgpConnections
log verbosity low bgpDampening
log verbosity low bgpEng1
log verbosity low bgpEngineering
log verbosity low bgpEvents
log verbosity low bgpKeepAlives
no log engineering
log fields timestamp instance no-calling-task
timing select primary
timing source primary internal
timing source secondary internal
timing source tertiary internal
no atm aal5 snmp trap link-status
no atm aal5 shutdown
interface atm 2/0.1 point-to-point
no shutdown
no atm atm1483 shutdown
no atm atm1483 snmp trap link-status
ip route 0.0.0.0 0.0.0.0 10.13.5.1
ip debounce-time 0
ip source-route

Redirection of show Command Output You can redirect the

output of show commands to network files or local files (in NVS
memory) using the redirection operators described in the following table:
Redirect Operator

Use

>

Redirects output to the specified file, overwriting the file if it

already exists, creating the file if it does not.

>>

Appends output to the end of the specified file, creating the file
if it does not exist.

&>

Redirects output to the specified file, overwriting the file if it

already exists, and displays the output on the screen. The
redirection is synchronized with the screen display; for
example, if a --More-- prompt appears, the redirection halts
until you take further action.

&>>

Appends output to the end of the specified file and displays the
output to the screen. The redirection is synchronized with the
screen display; for example, if a --More-- prompt appears, the
redirection halts until you take further action.

For example, you can redirect the output of the show config command
to a script file and later run that script:
host1#show config > showconfig.scr

Overview
ERX Edge Routers

The following command writes the output to a text file, version.txt, on a

remote system:
host1#show hardware > pc:/erxfiles/version.txt

The following command appends the output to version.txt:

host1#show hardware >> version.txt

You can use redirection with output filtering. The general syntax is:
show options [ { > | >> | &> | &>> } filename ]
[ | { begin | include | exclude } filterstring ]
The filtering is performed before redirection. In the following example,
the cnfgfltr.txt file will contain the output of show config
include-defaults beginning with the first occurrence of the string inter.
host1#show config include-defaults &> cnfgfltr.txt | begin inter

The - - More - - Prompt

When command output continues beyond the available space on your

monitor screen, the system displays the -More- prompt. If you press
<Return>, the system displays the next line of output. If you press the
space bar, the system displays the next screen of output.
You can begin filtering the output from the -More- prompt, or change a
filter that is already in effect, by entering one of the following characters
and a text string:
+ (plus)

displays all output lines that contain the text string

(minus)

displays all output lines that do not contain the text string

/ (forward slash)

displays all output lines starting at the first line that

contains the text string

Initial spaces are not ignored when you filter at the -More- prompt.
Example 1

In the following example, the output is displayed until the screen is filled
and the -More- prompt appears. By entering the filter /interf, the user
forces the system to filter out all output lines until the first occurrence of
the string interf. The system displays that line and all following lines of
the output.
host1#show config include-defaults
! Juniper Networks Edge Routing Switch ERX-700
! Version: 3.3.1 (Nov 16, 2001

12:07)

! Copyright (c) 1999-2001 Juniper Networks, Inc.

reserved.
!

All rights

2-15

2-16

CHAPTER 2
Command Line Interface

! Configuration script generated on THU JUN 07 2001 04:40:04

UTC
boot config running-configuration
boot system 3-3-1.rel
no boot backup
no boot subsystem
no boot backup subsystem
boot revert-tolerance 3 1800
no boot force-backup
no boot slot
!
aaa domain-map jacksonville
virtual-router miami
strip-domain disable
!
aaa domain-map jak
virtual-router default
strip-domain disable
!
aaa domain-map northeast
virtual-router default
/interf
(Suppressing output until 'interf' is found, press ^C to
end...)
interface null 0
interface ip 0/0
arp timeout 21600
!
interface ip 2/0
arp timeout 21600
!
interface ip s10
arp timeout 21600
!
interface atm 2/0
no shutdown
atm sonet stm-1
loopback line
atm uni-version 3.0
atm oam loopback-location 0xFFFFFFFF
--More--

Example 2

In the following example, the output is displayed until the screen is filled
and the -More- prompt appears. By entering the filter +ip, the user
forces the system to filter out all lines from the remainder of the output

Overview
ERX Edge Routers

that do not contain the string ip. The system displays only lines that
contain the string ip.
host1#show config include-defaults
! Juniper Networks Edge Routing Switch ERX-700
! Version: 3.3.1 (Nov 16, 2001

12:07)

! Copyright (c) 1999-2001 Juniper Networks, Inc.

reserved.

All rights

!
! Configuration script generated on THU JUN 07 2001 04:43:26
UTC
boot config running-configuration
boot system 3-3.1.rel
no boot backup
no boot subsystem
no boot backup subsystem
boot revert-tolerance 3 1800
no boot force-backup
no boot slot
!
aaa domain-map jacksonville
virtual-router miami
strip-domain disable
!
aaa domain-map jak
virtual-router default
strip-domain disable
!
aaa domain-map northeast
virtual-router default
--More-+ip
(Displaying only lines that include 'ip', press ^C to
end...)
strip-domain disable
log verbosity low ipEngine
log verbosity low ipEngineering
log verbosity low ipGeneral
log verbosity low ipInterface
log verbosity low ipNhopTrackerEngineering
log verbosity low ipNhopTrackerGeneral
log verbosity low ipProfileMgr
log verbosity low ipProfileMgrEngineering
log verbosity low ipRoutePolicy
log verbosity low ipRoute
log verbosity low ipTraffic
log verbosity low ipTunnel

2-17

2-18

CHAPTER 2
Command Line Interface

log verbosity low ripEngineering

log verbosity low ripGeneral
log verbosity low ripRoute
log verbosity low ripRtTable
bandwidth oversubscription
ip domain-lookup
ip name-server 10.2.0.3
ip domain-name 789df
ip explicit-path name xyz disable
interface ip 0/0
interface ip 2/0
--More--

Example 3

In the following example, the output is displayed until the screen is filled
and the -More- prompt appears. By entering the filter -!, the user forces
the system to filter out all comments from the remainder of the output;
that is, output lines that contain the string !. The system displays only
lines that do not contain the string !.
host1#show config include-defaults
! Juniper Networks Edge Routing Switch ERX-700
! Version: 3.3.1 (Nov 16, 2001

12:07)

! Copyright (c) 1999-2001 Juniper Networks, Inc.

reserved.

All rights

!
! Configuration script generated on THU JUN 07 2001 04:46:00
UTC
boot config running-configuration
boot system 3-3.1.rel
no boot backup
no boot subsystem
no boot backup subsystem
boot revert-tolerance 3 1800
no boot force-backup
no boot slot
!
aaa domain-map jacksonville
virtual-router miami
strip-domain disable
!
aaa domain-map jak
virtual-router default
strip-domain disable
!
aaa domain-map northeast
virtual-router default
--More--

Overview
ERX Edge Routers

-!
(Displaying only lines that exclude '!'. press ^C to end...)
strip-domain disable
aaa delimiter realmName "/"
hostname host1
no aaa new-model
no service ctrl-x-reboot
no service password-encryption
no baseline show-delta-counts
clock timezone UTC 0 0
no exception dump
exception protocol ftp anonymous null
line vty 4
exec-timeout 0 0
exec-banner
motd-banner
timeout login response 30
data-character-bits 8
no login
log engineering
log verbosity low
no log severity
log verbosity low NameResolverLog
log verbosity low aaaAtm1483Cfg
log verbosity low aaaEngineGeneral
log verbosity low aaaServerGeneral
log verbosity low aaaUserAccess
log verbosity low addressServerGeneral
log verbosity low atm
log verbosity low atm1483
log verbosity low atmAal5
log verbosity low bgpConnections
log verbosity low bgpDampening
log verbosity low bgpEng1
--More--

Responding to Prompts

For some actions, the system prompts you for a response. The acceptable
default responses are the following:
You can press <y> or <Enter> to agree with the prompt and continue.
You can press any other key to disagree with the prompt and cancel
the action.
You can use the confirmations explicit command to require a more
explicit response to CLI prompts.

2-19

2-20

CHAPTER 2
Command Line Interface

confirmations explicit

Use to require an explicit response to a CLI prompt, as follows:

To agree with the prompt and continue, you must type y and press <Enter>,
type ye and press <Enter>, or type yes and press <Enter>.

To disagree with the prompt and cancel the action, you must type n and
press <Enter> or type no and press <Enter>.

Pressing <Enter> alone, or entering any other characters, is not an

acceptable response, and the CLI will repeat the prompt.

Acceptable responses to a prompt are not case sensitive.

Use the no version to restore the default state, where pressing <y> or <Enter>
alone will respond in the affirmative, and any other entry is accepted as a
negative response.
Note: The systems CLI supports a powerful command line editor, enabling you to
easily correct, edit, and recall previously entered commands. See the section Using
Command Line Editing in this chapter.
Note: For a description of the commands that you use to get around the CLI, see
Chapter 4, Managing the System.

Levels of Access

The CLI has two levels of access: user and privileged.

User Level

User level allows you only to view a routers status. This level restricts you
to User Exec mode.
Privileged Level

Privileged level allows you to view a router configuration, change a

configuration, and run debugging commands. You need a password to
access this level. This level gives you full CLI privileges. Passwords are
covered in more detail in Chapter 6, Passwords and Security.
Initialization Sequence

Each system line module is initialized independently. As a result, the CLI

on the SRP module may become available before the line modules have
completed initialization. Commands relating to a line module may fail if
the module has not completed initialization. The show version
command can be used to display line module status. Do not enter
commands for a line module until its state is online.

Accessing the CLI

ERX Edge Routers

Accessing the CLI

This section describes logging in to and exiting from the router.
Logging In

The system supports a local console session and up to 20 virtual terminal

(vty) sessions simultaneously. A virtual terminal session can be a Telnet
session or a Secure Shell Server (SSH) protocol session.
Note: The vty session factory default is 5. Use the line command to configure up
to a maximum of 20 vtys.

To access the system via a local console, attach a terminal to the system
console port. To access the system via Telnet, Telnet client software must
be installed on your host system. To access the system via SSH, SSH
version 2.0 client software must be installed on your host system.
You can configure Telnet to validate login requests. See Vty Line
Authentication in Chapter 6, Passwords and Security, for more
information. Once Telnet is running on your host system, type in the
ERX systems name or its IP address and press <Enter>. To use a name,
your network must have a name server.
For example, for Microsoft Windows 95/Windows NT enter:
telnet 192.168.1.13

or
telnet westford2

You are connected to your ERX system when the following prompt
appears:
Logging in.
host1>

Note: At this point, you have access only to User Exec commands.

To connect via SSH, refer to your SSH client documentation.

Privileged-Level Access

To access Privileged Exec mode:

1

At the prompt, type enable and press <Enter>.

host1>enable
Password:

2-21

2-22

CHAPTER 2
Command Line Interface

Note: You will be prompted for a password only if your system has been
configured with one. Refer to the enable secret and enable password Global
Configuration commands described in Chapter 6, Passwords and Security.

Type your password and press <Enter>.

Password:******<Enter>
host1#

You can tell that you have access to Privileged Exec mode when the
command prompt changes from a > character to a # character.
Exiting Modes

You can exit from any command mode at any time by entering the exit
command.
host1#exit
host1>

Using Help
The system CLI provides a variety of useful context-sensitive help
features. An important thing to remember about using the help features is
that the use of a space or the lack of a space before the ? gives different
results. Table 2-1 describes the help system.
Table 2-1 Help commands
Command

Description

Lists all keywords applicable to the current command mode.

help

Displays a brief description of the help system (available in

all command modes).

partial-keyword?

Lists the keywords that begin with a certain character string.

partial-keyword<Tab>

Completes the partial keyword you entered, if you have

provided an unambiguous abbreviation.

command<Space>?

Lists the set of all valid next available choices.

Commands listed in the left column of Table 2-1 are further described
with examples in the following sections.

Using Help
ERX Edge Routers

? (Question Mark Key)

You can use the question mark (?) key whenever you need additional
information. When you enter ?, all available choices are displayed. The
CLI then redisplays the command you typed. The following examples
show different ways you can use the ?.
When you use ? on a line by itself or when it is preceded by one or more
spaces, a list of all next available choices is displayed.
Example 1
host1(config)#?
aaa

Configure authentication, authorization, and

accounting characteristics

access-list

Configure an access list entry

arp

Configure a static ARP entry

bandwidth

Configure slot-group bandwidth control

banner

Define a banner line

baseline

Configure baseline operations

boot

Configure boot time behavior

bulkstats

Configure bulkstats parameters

cbf

Configure connection-based forwarding

classifier-list

Configure a classifier list entry

clns

Configure CLNS characteristics

clock

Set the system's clock

confirmations

Configure confirmation mode

controller

Configure controller parameters

crypto

Configure cryptographic parameters

default

Set a command to its default(s)

disable-autosync

Disable automatic synchronization of redundant

disable-switch-on-error

Disable automatic switch to redundant system

enable

Configure security related options

end

Exit Global Configuration mode

system controller file system

controller upon software/hardware error

exception

Configure core dump

exclude-subsystem

Exclude copying a subsystem from the release

exit

Exit from the current command mode

ftp-server

Configure FTP Server characteristics

help

Describe the interactive help system

host

Add/modify an entry to the host table

hostname

Set the host (system) name

interface

Enter Interface Configuration mode

ip

Configure IP characteristics

l2f

Configure L2F parameters

l2tp

Configure L2TP parameters

license

Configure licenses

2-23

2-24

CHAPTER 2
Command Line Interface

line

Enter Line Configuration mode

log

Configure logging settings

macro

Run a CLI macro

map-list

Create an NBMA static map

memory

Configure and administer memory operations

mpls

Configure MPLS global parameters

no

Negate a command or set its default(s)

ntp

Configure the Network Time Protocol

policy-list

Enter Policy Configuration mode

pppoe

Configure PPPoE

profile

Specify a profile

radius

Configure RADIUS server

rate-limit-profile

Enter rate limit profile configuration mode

redundancy

Perform a redundancy configuration

route-map

Configure a route map

router

Configure a routing protocol

rtr

Configure rtr parameters

run

Run an exec mode command

service

Configure system-level services

set

Configure

sleep

Make the Command Interface pause for a specified

duration

slot

Configure and administer slot operation

snmp-server

Configure SNMP parameters

sscc

The SSC Client telnet

telnet

telnet daemon configuration

timing

Configure network timing

traffic-shape-profile

Enter traffic shape profile configuration mode

virtual-router

Specify a virtual router

host1(config)#

Example 2
host1(config)#ip ?
address-pool

Configure address pool for PPP Broadband RAS

clients

as-path

Configure a path filter for AS-Paths in BGP

bgp-community

Format for BGP community

community-list
debounce-time

Configure an entry in a community list

Specify the minimum amount of time that an event
needs to be in same state before being reported

dhcp-local

The DHCP Local Server protocol

dhcp-server

DHCP Server for Proxy Client

domain-lookup

Enable DNS lookup

domain-name

Specify local Domain name

dvmrp

configure dvmrp paramaters

Using Help
ERX Edge Routers

dynamic-interface-prefix

Specify name prefix for dynamic Ip shared

explicit-path

Configure an explicit path

extcommunity-list

The extended community list

ftp

Configure FTP characteristics

http

Configure http server

interfaces

local

Local IP address assignment

multicast-routing

Enable IP multicast forwarding

name-server

Configure DNS server

pim

Configure PIM Protocol

prefix-list

Configure a prefix list entry

prefix-tree

Configure a prefix tree entry

route

Define a static IP route

router-id

Configure the router-id to be used

rpf-route

Define a static IP route for mcast RPF check

source-route

Configure source-routing capabilities

ssh

Configure SSH characteristics

ttl

Configure the default value to be used by IP

for Time-To-Live

tunnel

Configure tunnel parameter

vpn-id

Configure the VPN ID associated with this

router

vrf

Specify a VRF

host1(config)#ip

Example 3

host1(config)#ip community-list ?
<1 - 99>

The community list

host1(config)#ip community-list

When you want to see a list of commands that begin with a particular set
of characters, type a question mark ? immediately after the last letter. Do
not use a space between the partial keyword and the ?. For example:
host1#sh?
show shutdown
host1#sh

Note: If you want to use the ? character as part of a string, such as a hostname or
a regular expression, you must enter the following key sequence: <Ctrl+V+?>.
Otherwise, the CLI considers the ? to be a request for assistance in completing the
command.

2-25

2-26

CHAPTER 2
Command Line Interface

help Command

Use the help command when you want to see a brief description of the
context-sensitive help system.
host1>help
Use the help options as follows:
?, or command<Space>? - Lists the set of all valid next keywords or arguments
partial-keyword?

- Lists the keywords that begin with a certain character

partial-keyword<Tab>

- Completes the partial keyword

string
host1>

Partial-keyword <Tab>

When you cannot recall a complete command name or keyword, type in

the first few letters, press <Tab>, and the system completes your partial
entry. You must type enough characters to provide a unique abbreviation.
If you type a few letters, press <Tab>, and your terminal beeps, then you
have not typed enough characters to be unambiguous.
host1(config)#int<Tab>
host1(config)#interface

Using Command Line Editing

This section provides information about the command line editor.
Basic Editing

Here are a few basic command line editing notes:

Case Keywords are not case sensitive; that is, they can be entered in
uppercase, lowercase, or a mix of both. Filenames may be case
sensitive. Local filenames are case sensitive; remote filenames are case
sensitive if the host system treats filenames as case sensitive. Passwords
are case sensitive.
Abbreviating keywords You may abbreviate keywords using as few
characters as you want, as long as the characters provide a unique
abbreviation.
Executing a command Always use the <Enter> key.

Using Command Line Editing

ERX Edge Routers

Command Line Editing Keys

You can use several keys to edit the command line. Table 2-2 defines the
keys for editing the command line.
Table 2-2 Command line editing keys
Key(s)

Function

Delete or Backspace

Removes characters to left of cursor.

Left

Arrowa

Moves cursor one character to left.

Right Arrowa

Moves cursor one character to right.

Ctrl+A

Moves cursor to beginning of command line.

Ctrl+B

Moves cursor back one character.

Ctrl+D

Deletes character at cursor.

Ctrl+E

Moves cursor to end of command line.

Ctrl+F

Moves cursor forward one character.

Ctrl+H

Deletes character to left of cursor.

Ctrl+K

Deletes all characters from cursor to end of command line.

Ctrl+L

Redisplays system prompt and command line.

Ctrl+O

Toggles overwrite/insert mode.

Ctrl+T

Transposes character to left of cursor with character located at

cursor.

Ctrl+U

Deletes entire command line.

Ctrl+V

Allows the ? character to be used as a character instead of

as a request for help.

Ctrl+W

Deletes the previous word.

Ctrl+X

In all modes, reboots the system. This feature is useful if a

command is taking a prolonged time to complete and hangs
the console. The command has no effect if you access the
system via Telnet.
Set the boot option flag using the service ctrl-x-reboot
command from Global Configuration mode.

Ctrl+Y

Recalls most recent entry from delete buffer; recalled

characters overwrite or are inserted in current line depending
on overwrite/insert toggle.

Ctrl+Z

In all modes, except User Exec mode, returns you to

Privileged Exec mode.

Esc+B

Moves cursor back one word.

Esc+Backspace

Deletes previous word.

Esc+D

Deletes current or next word.

a. Arrow keys function only on ANSI-compatible terminals, such as VT100s.

2-27

2-28

CHAPTER 2
Command Line Interface

Command History Keys

The CLI maintains two separate command histories. The first command
history maintains only User Exec and Privileged Exec mode commands.
The second history maintains all commands entered in any of the
configuration modes. The appropriate history will automatically be
restored as you transition between Global Configuration mode and
Privileged Exec mode.
Table 2-3 defines the keys related to command history.
Table 2-3 Command history keys
Key

Function

Up Arrowa or Ctrl+P

Recalls commands in history buffer, starting with most recent

command. Repeat key sequence to recall successively older
commands.

Down Arrowa or
Ctrl+N

Returns to more recent commands in history buffer after

recalling commands with Up Arrow or Ctrl+P. Repeat key
sequence to recall successively more recent commands.

Ctrl+R

Begin a reverse search for a previously entered string in the

history buffer by providing a character string when prompted.
Enter <Ctrl+R> to continue searching. <Ctrl+H> or <Del>
deletes the last character in the string and starts a search on
the new string.

a. Arrow keys function only on ANSI-compatible terminals, such as VT100s.

Pagination Keys

If the system needs to display more text than you can fit on the screen, the
output pauses and the -More- prompt appears. Table 2-4 defines the
pagination keys that you can use when the -More- prompt appears. See
The - - More - - Prompt section earlier in this chapter for more
information.
Table 2-4 Pagination keys
Key

Function

Enter

Scrolls down one more line

Space bar

Displays one more screen

Displays all output lines that contain the text string

Displays all output lines that do not contain the text string

Displays all output lines starting at the first line that contains the
text string

Any other key

Aborts output and returns you to command prompt

Accessing Command Modes

ERX Edge Routers

Accessing Command Modes

Table 2-5 describes the command modes available in the CLI.
Table 2-5 Command mode overview
Mode name

Use this mode to . . .

To access this mode . . .

To exit this mode . . .

Address Family
Configuration

Use the exit command

twice to return to Global
Configuration mode.

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the exit command

once to return to Global
Configuration mode.

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

use the ip dhcp-local pool
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Configure BGP
address family
parameters.

From Global Configuration mode,

use router bgp to enter Router
Configuration mode. From Router
Configuration, use the
address-family command.
Prompt:

host1(config-router-af)#
Controller
Configuration

Configure physical
interfaces (for
example, T3).

From Global Configuration mode,

use the controller command.

Prompt:

host1(config-controll)#
DHCP Pool
Configuration

Configure DHCP local

pools.

host1(config-dhcp-local)#
Domain Map
Configuration

Configure domain
maps.

From Global Configuration mode,

use the aaa domain-map
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the exit command

twice to return to Global
Configuration mode.

host1(config-domain-map-tunnel)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

specify the mpls explicit-path
name command.

Use the exit command

twice to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the exit command, or

press <Ctrl+Z> to return
to Privileged Exec mode.

Use the interface

command to enter
Interface Configuration
mode.

host1(config-domain-map)#
Domain Map
Tunnel
Configuration

Explicit Path
Configuration

Configure tunnel
parameters.

Configure MPLS
explicit path
parameters.

From Domain-Map Configuration

mode, use the tunnel command.

Prompt:

host1(config-expl-path)#
Global
Configuration

Enable a feature or
function.

From Privileged Exec mode, use

the configure command.

Disable a feature or
function.

Prompt:

Configure a feature or
function.

host1(config)#

2-29

2-30

CHAPTER 2
Command Line Interface

Table 2-5 Command mode overview (continued)

Mode name

Use this mode to . . .

To access this mode . . .

To exit this mode . . .

Interface
Configuration

Create an interface.

Modify the operation

of an interface, such
as bandwidth or clock
rate.

From Global Configuration mode,

use the interface command and
identify the interface by slot/port.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

IPSec Manual
Key
Configuration

Enter manual keys.

host1(config-if)#

From the Global Configuration

mode, use the ipsec key manual
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-manual-key)#
ISAKMP Policy
Configuration

Define an
ISAKMP/IKE policy.

From the Global Configuration

mode, use the ipsec
isakmp-policy-rule command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-isakmp-policy)#
L2TP
Destination
Profile
Configuration

Define the location of

an LAC.

From Global Configuration mode,

use the l2tp destination profile
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-l2tp-dest-profile)#

L2TP
Destination
Profile Host
Configuration

Configure host profile

attributes.

From L2TP Destination Profile

Configuration mode, use the
remote host command.

Use the exit command

twice to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-l2tp-dest-profile-host)#

LDP
Configuration

Configure MPLS LDP

profile parameters.

From Global Configuration mode,

specify the mpls ldp profile
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the exit command

once to return to Global
Configuration mode.

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-ldp)#
Line
Configuration

Modify a virtual
terminal line.

From Global Configuration mode,

use the line command.

Prompt:

host1(config-line)#
Map Class
Configuration

Specify fragmentation
for a map class.

From Global Configuration mode,

specify the map-class frame-relay

command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-map-class)#

Accessing Command Modes

ERX Edge Routers

Table 2-5 Command mode overview (continued)

Mode name

Use this mode to . . .

To access this mode . . .

To exit this mode . . .

Map List
Configuration

From Global Configuration mode,

use the map-list command.

Prompt:

Use the exit command

once to return to Global
Configuration mode.

host1(config-maplist)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

use the policy-list command.

Prompt:

Use the exit command

once to return to Global
Configuration mode.

host1(config-policy)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the disable or exit

command to return to
User Exec mode.

host1#

Use the configure

command to enter Global
Configuration mode.

From Global Configuration mode,

use the profile command.

Prompt:

Use the exit command

once to return to Global
Configuration mode.

host1(config-profile)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

use the qos-profile command.

Prompt:

Use the exit command

once to return to Global
Configuration mode.

host1(config-qos-profile)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

use the queue-profile command.

Prompt:

Use the exit command

once to return to Global
Configuration mode.

host1(config-queue)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

use the radius server command.

Prompt:

Use the exit command

once to return to Global
Configuration mode.

host1(config-radius)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

use the rate-limit-profile
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Policy
Configuration

Configure map list

parameters.

Configure a policy.

Privileged Exec

Show system
information.

From User Exec mode, use the

enable command.

Set operating
parameters.

Prompt:

Profile
Configuration

QoS Profile
Configuration

Queue
Configuration

RADIUS
Configuration

Rate Limit
Profile
Configuration

Access Global
Configuration mode.

Configure profiles.

Configure QoS
profiles.

Configure queue
profiles.

Configure Broadband
Remote Access
Server (B-RAS)
parameters.
Configure rate limit
parameters.

host1(config-rate-limit-profile)#

2-31

2-32

CHAPTER 2
Command Line Interface

Table 2-5 Command mode overview (continued)

Mode name

Use this mode to . . .

Remote
Neighbor
Configuration

To access this mode . . .

Configure remote

neighbor parameters
for OSPF, PIM, or RIP.

To exit this mode . . .

From Router Configuration mode,

use the remote-neighbor
command.

Use the exit command

twice to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Configure routing
From Global Configuration mode,
tables and source and
use the route-map command.
destination
Prompt:
information.
host1(config-route-map)#

Use the exit command

once to return to Global
Configuration mode.

Press <Ctrl+Z> to return

to Privileged Exec mode.

Configure a routing
protocol.

host1(config-router-rn)#
Route Map
Configuration

Router
Configuration

From Global Configuration mode,

specify a routing protocol with the
router command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-router)#
RSVP
Configuration

Configure an RSVP
profile.

From Global Configuration mode,

use the mpls rsvp profile
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the exit command

once to return to Global
Configuration mode.

host1(config-rtr)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

From Global Configuration mode,

use the scheduler-profile
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec menu.

Use the exit command

once to return to Global
Configuration mode.

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the exit command

once to return to Global
Configuration mode.

Press <Ctrl+Z> to return

to Privileged Exec mode.

host1(config-rsvp)#
RTR
Configuration

Scheduler
Profile
Configuration

Configure RTR
parameters.

Configure shaping
parameters.

Configure scheduler
profile.

From Global Configuration mode,

use the rtr command.

Prompt:

host1(config-scheduler-profile)#

Subinterface
Configuration

Configure multiple
virtual interfaces on a
single physical
interface.

From Global Configuration mode,

use the interface command and
identify the interface (slot/port.
subinterface).

Prompt:

host1(config-subif)#
Traffic Class
Configuration

Configure a traffic
class.

From Global Configuration mode,

use the traffic-class command.

Prompt:

host1(config-traffic-class)#

Accessing Command Modes

ERX Edge Routers

Table 2-5 Command mode overview (continued)

Mode name

Use this mode to . . .

To access this mode . . .

To exit this mode . . .

Traffic Class
Group
Configuration

From Global Configuration mode,

use the traffic-class-group
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Configure a traffic
class group.

host1(config-traffic-class-group)

Tunnel Profile
Configuration

Configure tunnel
profile parameters.

From Global Configuration, specify

the mpls tunnels profile
command.

Use the exit command

once to return to Global
Configuration mode.

Prompt:

Press <Ctrl+Z> to return

to Privileged Exec mode.

Use the exit command

once to return to Global
Configuration mode.

host1(config-vrf)#

Press <Ctrl+Z> to return

to Privileged Exec mode.

Log into system.

Prompt:

Use the enable command

to enter Privileged Exec
mode.

host1(config-tunnelprofile)#
VRF
Configuration

User Exec

Configure VRF
parameters for
BGP/MPLS VPNs.

Change terminal
settings on a
temporary basis.

Show system
information.

Access Privileged
Exec mode.

From Global Configuration mode,

use the ip vrf command.

Prompt:

host1>

Note: Within any configuration mode, the commands that are available to the user
include the commands defined for that configuration mode and all commands
defined for Global Configuration mode. See Figure 2-1. For example, from Router
Configuration mode, you could use the interface Global Configuration mode
command without first explicitly going back to Global Configuration mode.
host1(router-config)# interface atm 4/0.3
host1(config-if)#

User Exec Mode

After you log in to the system, the CLI is in User Exec mode. The
commands you can execute from User Exec mode provide only user-level
access. The User Exec commands allow you to perform such functions as:
Change terminal settings on a temporary basis.
Perform ping and trace commands.
Display system information.
host1>?
baseline

Set a baseline for statistics

clear

Clear active state

2-33

2-34

CHAPTER 2
Command Line Interface

default

Set a command to its default(s)

dir

Display a list of local files

disable

Reduce the command privilege level

enable

Enable access to privileged commands

erase

Erase configuration settings

exit

Exit from the current command mode

help

Describe the interactive help system

ip

Configure IP attributes on an interface

log

Configure logging setting

macro

Run a CLI macro

mpls

Execute MPLS commands

mtrace

Trace the path that packets will traverse from source to

destination for a given group

no

Negate a command or set its default(s)

ping

Send echo request to remote host

show

Display system information

sleep

Make the Command Interface pause for a specified duration

terminal

Configure the terminal line settings

traceroute

Trace the path that packets traverse to their destination

host1>

Privileged Exec Mode

Privileged Exec mode provides privileged-level access and therefore

should be password protected to prevent unauthorized use. Privileged
Exec commands allow you to perform such functions as:
Display system information.
Set operating parameters.
Gain access to Global Configuration mode.
In addition, you can execute a script file (.scr), which is simply a file
containing a sequence of CLI commands, via the configure command.
host1#?
PolicyRoutingTestPolicyRoutingTest information
baseline

Set a baseline for statistics

clear

Clear a state

clock

Set the system's clock

configure

Enter Global Configuration mode

copy

Copy files

debug

Configure debugging functions

default

Set a command to its default(s)

delete

Delete a local file

dir

Display a list of local files

disable

Reduce the command privilege level

Accessing Command Modes

ERX Edge Routers

disconnect

Disconnect remote CLI session

enable

Enable access to privileged commands

exit

Exit from the current command mode

halt

Halt the system in preparation for power down

help

Describe the interactive help system

ip

Configure IP attributes on an interface

log

Configure logging settings

logout

Logout Subscribers

macro

Run a CLI macro

mpls

Execute MPLS commands

mtrace

Trace the path that packets will traverse from source to

destination for a given group

no

Negate a command or set its default(s)

ping

Send echo request to remote host

pppoe

Set PPPoE information

redundancy

Perform a redundancy action

reload

Halt and perform a cold restart

rename

Rename a local file

send

Send a message to specified lines

show

Display system information

sleep

Make the Command Interface pause for a specified duration

srp

Perform SRP operations

synchronize

Manually synchronize redundant system controller file

system

telnet

Access a remote system via telnet

terminal

Configure the terminal line settings

test

Test a feature

traceroute

Trace the path that packets traverse to their destination

undebug

Disable debug logging functions

virtual-router

Specify a virtual router

write

Write the system's running configuration to a destination

host1#

Password Protection

If the system administrator has configured the system to have a password,

the CLI prompts you to enter that password before you receive access to
Privileged Exec mode. The password is case sensitive and appears as
asterisks on the screen.
To access Privileged Exec mode:
1

At the prompt, type enable and press <Enter>.

host1>enable
Password:

2-35

2-36

CHAPTER 2
Command Line Interface

At the password prompt, type your password and press <Enter>.

Password:*********
host1#

Note: The > character in the command line prompt changes to the # character.

Global Configuration Mode

Within Global Configuration mode, you can:

Apply features globally to a router.
Enable a feature or function.
Disable a feature or function.
Configure a feature or function.
Access all Configuration modes.
To access Global Configuration mode, you begin in Privileged Exec
mode. Type configure terminal and press <Enter>.
host1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
host1(config)#

The system is now in Global Configuration mode.

Executing a Script File

To execute a script file:

1

From Privileged Exec mode, type configure and the filename you
want to execute, and press <Enter>.
host1#configure file
File name:/myFile.scr
Proceed with configure? [confirm]

Note: The filename must end with an .scr extension, and the file must contain a
series of valid CLI commands. The file can be a local file on the router or a remote
file on a host system.

Press <y> or <Enter> to confirm; pressing any other key aborts the
procedure.
host1#

For more information, see the section Managing Files in Chapter 4,

Managing the System.

Accessing Command Modes

ERX Edge Routers

Address Family Configuration Mode

From this mode, you can configure address family parameters for BGP
VPN services.
From Global Configuration mode, type the router bgp command to
enter Router Configuration mode. Type either the address-family ipv4
or address-family vpnv4 command, and then press <Enter>.
host1(config)#router bgp 100
host1(config-router)#address-family ?
ipv4

Configure IPv4 address family

vpnv4

Configure VPN-IPv4 address family

host1(config-router)#address-family

Controller Configuration Mode

You can configure physical interfaces such as a T3 in Controller

Configuration mode.
From Global Configuration mode, type the appropriate controller
command and its attributes, and then press <Enter>.
host1(config)#controller t3 9/1
host1(config-controll)#
host1(config)#controller ?
e1

Configure a channelized E1 controller

e3

Configure a E3 controller

sonet

Configure a Sonet controller

t1

Configure a channelized T1 controller

t3

Configure a T3 controller

host1(config)#controller

DHCP Pool Configuration Mode

In this mode, you can configure DHCP local pools. For example, you can
specify a DNS or Net-Bios server.
From Global Configuration mode, type the command ip dhcp-local
pool and a poolName, and then press <Enter>.
host1(config)#ip dhcp-local pool charlie
host1(config-dhcp-local)#?
default

Set a command to its default(s)

default-router

The default-router to use for this pool

dns-server

The dns-server to use for this pool

domain-name

The domain name for the pool

2-37

2-38

CHAPTER 2
Command Line Interface

exit

Exit from the current command mode

help

Describe the interactive help system

lease

The lease time for addresses from this pool

link

Link to another DHCP Pool

log

Configure logging settings

macro

Run a CLI macro

netbios-name-server

The netbios-name-server to use for this pool

netbios-node-type

The netbios-node-type to use for this pool

network

The network specified for this pool

no

Negate a command or set its default(s)

reserve

Reserve an ip address for a specific Mac Address

run

Run an exec mode command

server-address

The DHCP Server address to send to clients

sleep

Make the Command Interface pause for a specified

duration

host1(config-dhcp-local)#

Domain Map Configuration Mode

In this mode, you can map a user domain name to a virtual router and
loopback interface.
From Global Configuration mode, type the aaa domain-map command
and the domain name value as found in the clients login name. Then
press <Enter>.
host1(config)#aaa domain-map charlie76
host1(config-domain-map)#?
atm

Configure ATM parameters

default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

ip-hint

Configure the IP hint feature for the domain

log

Configure logging settings

loopback

Configure the loopback interface to use when RX has an

macro

Run a CLI macro

unnumbered interface to the PPP client

no

Negate a command or set its default(s)

override-user

Configure the username and password values to use instead of

sleep

Make the Command Interface pause for a specified duration

strip-domain

Configure the domain name stripping feature for the domain

the values from the remote client

tunnel

Configure tunnel tag

virtual-router

Configure the virtual-router for the domain name

host1(config-domain-map)#

Accessing Command Modes

ERX Edge Routers

Domain Map Tunnel Configuration Mode

In this mode, you can configure tunnel parameters such as the tunnels
endpoint.
From Domain-Map Configuration mode, type tunnel and a
tunnelNumber, and press <Enter>.
host1(config-domain-map)#tunnel 17
host1(config-domain-map-tunnel)#?
address

Configure tunnel endpoint address

exit

Exit from the current command mode

help

Describe the interactive help system

hostname

Configure hostname of tunnel

identification

Configure tunnel identification

log

Configure logging settings

macro

Run a CLI macro

medium

Configure tunnel medium

no

Negate a command or set its default(s)

password

Configure tunnel password

preference

Configure tunnel preference

server-name

Configure the hostname of the tunnel server

sleep

Make the Command Interface pause for a

specified duration

source-address

Configure tunnel source address

type

Configure tunnel type

host1(config-domain-map-tunnel)#

Explicit Path Configuration Mode

From this mode, you can name and configure an explicit path within
MPLS.
From Global Configuration mode, type mpls explicit-path name and
the explicitPathName, and press <Enter>.
host1(config)#mpls explicit-path name xyz
host1(config-expl-path)#?
append-after

Add an entry after a specified index

default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

index

Specify the index of the entry to be added or edited

list

List part or all of the entries in current explicit path

log

Configure logging settings

macro

Run a CLI macro

next-address

Configure an IP address at the last hop of the explicit path

no

Negate a command or set its default(s)

2-39

2-40

CHAPTER 2
Command Line Interface

sleep

Make the Command Interface pause for a specified duration

host1(config-expl-path)#

Interface Configuration Mode

From Interface Configuration mode, you can enable many system

features for each interface you create. Interface Configuration commands
allow you to:
Create an interface.
Modify the operation of an interface.
Access Subinterface mode.
From Global Configuration mode, type interface and identify the
interface you want to configure.
host1(config)#interface atm 0/1
host1(config-if)#

The CLI is now in Interface Configuration mode.

host1(config)#interface ?
atm

ATM interface

fastEthernet

IEEE 802.3 fastEthernet interface

gigabitEthernet

IEEE 802.3 gigabitEthernet interface

hssi

High Speed Serial interface

ip

Ip shared interface

loopback

Loopback interface

mlframe-relay

Multilink frame-relay interface

mlppp

Multilink PPP interface

null

Null interface

pos

Packet over SONET interface

serial

Serial interface

sonet

SONET interface

tunnel

Tunnel interface

host1(config)#interface

Some Interface Configuration commands can affect general interface

parameters, such as bandwidth and clock rate. For interface-specific
commands, such as for ATM interfaces, see the appropriate chapter in
this guide.

Accessing Command Modes

ERX Edge Routers

IPSec Manual Key Configuration Mode

In this mode, you can enter the manual key that a peer uses for
authentication during the tunnel establishment phase.
From the Global Configuration mode, type ipsec key manual
pre-share and the peerIPaddress, and press <Enter>.
host1(config)#ipsec key manual pre-share 10.10.1.1
host1(config-manual-key)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

key

Manually specify a key

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

run

Run an exec mode command

sleep

Make the Command Interface pause for a specified duration

ISAKMP Policy Configuration Mode

In this mode, you can create an ISAKMP/IKE policy, which is used

during ISAKMP/IKE phase 1 negotiation.
From the Global Configuration mode, type ipsec isakmp-policy-rule
and the policyNumber, and press <Enter>.
host1(config)#ipsec isakmp-policy-rule 10
host1(config-isakmp-policy)#?
aggressive-mode

Allows aggressive mode negotiation for the tunnel

authentication

Configure the authentication method

default

Set a command to its default(s)

encryption

Configure the encryption algorithm within an IKE policy

exit

Exit from the current command mode

group

Configure the Diffie-Hellman group identifier

hash

Configure the hash algorithm within an IKE policy

help

Describe the interactive help system

lifetime

Configure the time an SA will live before expiration

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

run
sleep

Run an exec mode command

Make the Command Interface pause for a specified duration

host1(config-isakmp-policy)#

2-41

2-42

CHAPTER 2
Command Line Interface

L2TP Destination Profile Configuration Mode

In this mode, you can create the destination profile that defines the
location of an L2TP Access Concentrator (LAC) and define the attributes
used when an L2TP Network Server (LNS) communicates with an LAC.
The destination is necessary to enable an LAC to connect to the LNS.
From Global Configuration mode, type l2tp destination profile, the
profileName, an ipAddress, and press <Enter>.
host1(config)#l2tp destination profile augusta ip address 123.45.76.16
host1(config-l2tp-dest-profile)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

remote

Configure L2TP remote parameters

sleep

Make the Command Interface pause for a specified duration

host1(config-l2tp-dest-profile)#

L2TP Destination Profile Host Configuration Mode

In this mode, you can set and modify L2TP host profile attributes, such
as the proxy Link Control Protocol (LCP), the local hostname, the local
IP address, or the interface profile.
From Global Configuration mode, enter L2TP Destination Profile mode
(see above), and type remote host and a hostName, and press <Enter>.
host1(config-l2tp-dest-profile)#remote host george
host1(config-l2tp-dest-profile-host)#?
default

Set a command to its default(s)

disable

Disable L2TP parameter for remote host

enable

Enable L2TP parameter for remote host

exit

Exit from the current command mode

help

Describe the interactive help system

local

Configure L2TP local parameters for remote host

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

profile

Assign a profile for remote host

sleep

Make the Command Interface pause for a specified duration

tunnel

Configure L2TP tunnel parameters for remote host

host1(config-l2tp-dest-profile-host)

Accessing Command Modes

ERX Edge Routers

LDP Configuration Mode

In this mode, you can create and configure MPLS Label Distribution
Protocol (LDP) profile parameters.
From Global Configuation mode, type mpls ldp profile and the
profileName, and press <Enter>.
host1(config)#mpls ldp profile shell
host1(config-ldp)#?
cr-ldp

Enable CR-LDP at interface level

default Set a command to its default(s)

exit

Exit from the current command mode

hello

Configure hello parameters

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

sleep

Make the Command Interface pause for a specified duration

host1(config-ldp)#

Line Configuration Mode

In this mode, you can modify the operation of a virtual terminal (vty) line.
From Global Configuration mode, type the line vty command and
either the lineNumber or the rangeOfLineNumbers you want to
configure, and press <Enter>.
Note: The system defaults to 5 vty lines at factory default. You can increase the
number of vty lines available by typing the start number and end number of the vty
line range. Once you execute the line vty command, you will have access to line
numbers up to the ending line number.
host1(config)#line vty 0 19
host1(config-line)#?
data-character-bitsSet the number of bits per character used by the
display
default

Set a command to its default(s)

dsr-detect

Enable data-set-ready detection

exec-banner

Enable the exec banner

exec-timeout Set the inactivity timeout

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

login

Require the use of passwords for vty logins

macro

Run a CLI macro

motd-banner

Enable the message of the day banner

no

Negate a command or set its default(s)

2-43

2-44

CHAPTER 2
Command Line Interface

password

Configure the password for line access

sleep

Make the Command Interface pause for a specified

duration

speed

Set the console baud rate in bits per second

timeout

Specify the login timeout value for the selected line(s)

host1(config-line)#

Map Class Configuration Mode

In this mode, you can specify Frame Relay End-to-End fragmentation

and reassembly for a map class. Optionally, you can specify the
maximum payload size of a fragment or specify fragmentation only or
reassembly only.
From Global Configuration mode, type map-class frame-relay
command and the mapClassName you want to configure, and press
<Enter>.
host1(config)#map-class frame-relay testmapclass
host1(config-map-class)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

frame-relay

Configure frame relay parameters

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

run

Run an exec mode command

sleep

Make the Command Interface pause for a specified duration

host1(config-map-class)#

Map List Configuration Mode

In this mode, you can configure map list parameters. In Map List
Configuration mode, commands such as map-list and ip atm-vc are
used to configure ATM NBMA interfaces.
From Global Configuration mode, type map-list and a mapListName,
and press <Enter>.
host1(config)#map-list mjt3330
host1(config-map-list)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

ip

Add IP address to the map

Accessing Command Modes

ERX Edge Routers

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

sleep

Make the Command Interface pause for a specified duration

host1(config-map-list)#

Policy Configuration Mode

In this mode, you can configure a policy, or set of rules, that you can
attach to an interface. You can modify a policy and update it wherever
the policy is used on the configuration.
From Global Configuration mode, type policy-list and press <Enter>.
host1(config)#policy-list tswells923
host1(config-policy)#?
color

Create a color policy

default

Set a command to its default(s)

exit

Exit from the current command mode

filter

Create a filter policy

forward

Create a forward policy

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

mark

Create a set TOS byte policy

next-hop

Create a next-hop policy

next-interface

Create a next-interface policy

no

Negate a command or set its default(s)

rate-limit-profile

Create a rate-limit policy

sleep

Make the Command Interface pause for a specified duration

suspend

Suspend a policy rule

traffic-shape-profile

Create a traffic-shape policy

host1(config-policy)#

Profile Configuration Mode

In this mode, you can configure a profile to subsequently configure

dynamic IP interfaces.
From Global Configuration mode, type the profile command followed
by a profile name of up to 80 characters, and press <Enter>.
host1(config)#profile germany78
host1(config-profile)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

2-45

2-46

CHAPTER 2
Command Line Interface

ip

Configure IP characteristics

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

ppp

Configure PPP parameters

pppoe

Configure pppoe parameters

sleep

Make the Command Interface pause for a specified duration

host1(config-profile)#

QoS Profile Configuration Mode

In this mode, you can specify queue profiles and scheduler profiles in
combination with interface types.
From Global Configuration mode, type the qos-profile command
followed by a QosProfileName, and press <Enter>.
host1(config)#qos-profile testabc
host1(config-qos-profile)#?
atm

ATM interface

atm-vc

ATM 1483 subinterface

cbf

Cbf interface

default

Set a command to its default(s)

ethernet

Ethernet interface

exit

Exit from the current command mode

fr-vc

Frame relay subinterface

help

Describe the interactive help system

ip

IP interface

ip-tunnel

IP tunnel interface

l2tp-tunnel

L2tp tunnel inteface

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

run

Run an exec mode command

serial

Serial interface

server-port

Server Port interface

sleep

Make the Command Interface pause for a specified duration

vlan

Ethernet subinterface

host1(config-qos-profile)#

Accessing Command Modes

ERX Edge Routers

Queue Configuration Mode

In this mode, you can configure queue profiles and various queue profile
parameters, such as constraints on queue lengths or queue buffer weights.
From Global Configuration mode, type the queue-profile command
followed by a queueProfileName, and press <Enter>.
host1(config)#queue-profile testabcd1234
host1(config-queue)#?
buffer-weight

Set the buffer length of the queue as relative to other

committed-length

Set the queue length for committed traffic

conformed-fraction

Set the maximum percentage of queue occupied by conformed

conformed-length

Set the queue length for conformed traffic

queues

traffic
default

Set a command to its default(s)

exceeded-fraction

Set the maximum percentage of queue occupied by exceeded

exceeded-length

Set the queue length for exceeded traffic

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

traffic

macro

Run a CLI macro

no

Negate a command or set its default(s)

run

Run an exec mode command

sleep

Make the Command Interface pause for a specified duration

host1(config-queue)#

RADIUS Configuration Mode

In this mode, you can configure various parameters of your RADIUS

authentication and accounting servers.
From Global Configuration mode, type either the radius
authentication server or radius accounting server command with
the server ipAddress, and press <Enter>.
host1(config)#radius authentication server 1.2.1.3
host1(config-radius)#?
deadtime

Configure the amount of time a timed-out server is dropped for usage

default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

key

Configure the secret used in RADIUS client to server exchange

log

Configure logging settings

macro

Run a CLI macro

max-sessions

Configure the number of outstanding requests allowed to the server

2-47

2-48

CHAPTER 2
Command Line Interface

no

Negate a command or set its default(s)

retransmit

Configure number of times to retransmit RADIUS request before failing

run

Run an exec mode command

sleep

Make the Command Interface pause for a specified duration

timeout

Configure the number of seconds to wait for a RADIUS

response before retransmitting

udp-port

Configure the RADIUS server's UDP port

host1(config-radius)#

Rate Limit Profile Configuration Mode

In this mode, you can set parameters for a rate limit profile, which is a set
of bandwidth attributes and associated actions that become part of a
policy list. The policy list is then applied to the ingress or egress of an
interface.
From Global Configuration mode, type rate-limit-profile and a
profileName, and press <Enter>.
host1(config)#rate-limit-profile fm78930
host1(config-rate-limit-profile)#?
committed-action

Set the committed access rate action

committed-burst

Set the committed access rate burst size

committed-rate

Set the committed access rate value

conformed-action

Set the conformed access rate action

default

Set a command to its default(s)

exceeded-action

Set the exceeded action

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

mask-val

Set mask to be applied with mark values

no

Negate a command or set its default(s)

peak-burst

Set the peak burst size

peak-rate

Set the peak access rate

sleep

Make the Command Interface pause for a specified

duration

host1(config-rate-limit-profile)#

Accessing Command Modes

ERX Edge Routers

Remote Neighbor Configuration Mode

In this mode, you can configure remote neighbor parameters for Routing
Information Protocol (RIP), Protocol Independent Multicast (PIM), and
Open Shortest Path First (OSPF).
From Global Configuration mode, type either router rip, router pim,
or router ospf and the processID. Press <Enter>. You are now in Router
Configuration mode.
From Router Configuration mode, type the remote-neighbor
command and the appropriate attributes, and press <Enter>.
host1(config-router)#remote-neighbor 10.13.5.61 area 34534
host1(config-router-rn)#?
authentication

Specify authentication type to be used for the OSPF

interface

authentication-key

Configure an authentication key

authentication-none

Specify to use no authentication

cost

Specify the interface cost for OSPF

dead-interval

Specify the interval (in seconds) until a silent

neighbor is declared dead

default

Set a command to its default(s)

exit

Exit from the current command mode

hello-interval

Configure the interval between sending hello packets

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

message-digest-key

Specify an authentication password/key

no

Negate a command or set its default(s)

retransmit-interval

Configure the time between retransmissions of lost

LSAs

run

Run an exec mode command

sleep

Make the Command Interface pause for a specified

duration

transmit-delay

Configure the transmit delay interval for link state

updates

ttl

Specify the TTL value for OSPF unicast packet

update-source

Specify the local source address for OSPF connection

host1(config-router-rn)#

2-49

2-50

CHAPTER 2
Command Line Interface

Route Map Configuration Mode

In this mode, you can create and modify route maps.

From Global Configuration mode, type the route-map command and
the appropriate routeMapNumber, and press <Enter>.
host1(config)#route-map unis889
host1(config-route-map)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

match

Identify this entry as requiring an attribute match

match-set

Identify this entry to match and set attributes

no

Negate a command or set its default(s)

set

Configure this entry to set attributes

sleep

Make the Command Interface pause for a specified duration

host1(config-route-map)#

Router Configuration Mode

In this mode, you can configure a routing protocol using router

commands.
From Global Configuration mode, type the router command and the
appropriate router attributes, and press <Enter>.
host1(config)#router bgp 2378
host1(config-router)#
host1(config)#router ?
bgp

Configure the Border-Gateway Protocol (BGP)

dvmrp

Configure the Distance Vector Multicast Routing Protocol

igmp

Configure the Internet Group Membership Protocol (IGMP)

isis

Configure ISO IS-IS

ospf

Configure the Open Shortest Path First protocol (OSPF)

pim

Configure PIM

rip

Configure the Routing Information Protocol

host1(config)#router

Accessing Command Modes

ERX Edge Routers

RSVP Configuration Mode

In this mode, you can create and configure MPLS Resource Reservation
Protocol (RSVP) parameters.
From Configuration mode, type mpls rsvp profile and the
profileName, and press <Enter>.
host1(config)#mpls rsvp profile sprint
host1(config-rsvp)#?
cleanup-timeout-factor

Configure the timeout factor

default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

refresh-period

Configure refresh period

sleep

Make the Command Interface pause for a specified

duration

host1(config-rsvp)

RTR Configuration Mode

In this mode, you can configure Response Time Reporter (RTR)

parameters. The RTR feature allows you to monitor your networks
performance and its resources by measuring response times and the
availability of your network devices.
From Configuration mode, type rtr and the mapNumber, and press
<Enter>.
host1(config)#rtr 784078348
host1(config-rtr)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

frequency

Specify the frequency interval

help

Describe the interactive help system

hops-of-statistics-kept Specify the hops capture

log

Configure logging settings

macro

Run a CLI macro

max-response-failure

Specify the maximum number of consecutive failures

no

Negate a command or set its default(s)

operations-per-hop

Specify a number of operations per hop

owner

Specify the owner of entry

request-data-size

Specify the request payload size

samples-of-history-kept Specify the maximum history samples

sleep

Make the Command Interface pause for a specified

2-51

2-52

CHAPTER 2
Command Line Interface

duration
tag

Specify the user defined tag

timeout

Specify the operation timeout

tos

Specify a value for the ToS byte

type

Specify the type of the entry

host1(config-rtr)#

Scheduler Profile Configuration Mode

In this mode, you can configure a scheduler profile. You can then set the
shaping rate value, enable the strict-priority scheduling for the scheduler
node, or set the weighted-round-robin (WRR) value of the scheduler node
or queue.
From Global Configuration mode, type scheduler-profile and the
scheduleProfileName that you want to create or configure, and press
<Enter>.
host1(config)#scheduler-profile A990
host1(config-scheduler-profile)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

run

Run an exec mode command

shaping-rate

Shape the node or queue to the specified rate

sleep

Make the Command Interface pause for a specified duration

strict-priority

Dequeue strict priority packets ahead of other packets

weight

Set the relative weight of the node or queue

host1(config-scheduler-profile)#

Subinterface Configuration Mode

In this mode, you can configure one or more virtual interfaces called
subinterfaces on a single physical interface. The system supports this
feature with ATM and Frame Relay.
Both ATM and Frame Relay provides permanent virtual circuits (PVCs)
that can be grouped under separate subinterfaces configured on a single
physical interface. Subinterfaces allow multiple encapsulations for a
protocol on a single interface.

Accessing Command Modes

ERX Edge Routers

From Interface Configuration mode, indicate a subinterface by typing

the interface command and an interfaceSpecifier in
slot/port.subinterface format, and then press <Enter>. For example:
host1(config-if)#interface atm 3/2.6
host1(config-subif)#

Traffic Class Configuration Mode

In this mode, you can create a traffic class and configure the level of
service to packets assigned to the traffic class.
From Configuration mode, type the traffic-class command followed by
a trafficClassName, and then press <Enter>.
host1(config)#traffic-class test123
host1(config-traffic-class)#?
default
Set a command to its default(s)
exit
Exit from the current command mode
fabric-strict-priority Allow packets in this class to be dequeued out of the
fabric ahead of other traffic classes
fabric-weight
Set the relative weight for fabric queue in this
traffic class
help
Describe the interactive help system
log
Configure logging settings
macro
Run a CLI macro
no
Negate a command or set its default(s)
run
Run an exec mode command
sleep
Make the Command Interface pause for a specified
duration
host1(config-traffic-class)#

Traffic Class Group Configuration Mode

In this mode, you can create and configure traffic class groups, which can
contain multiple traffic classes.
From Global Configuration mode, type traffic-class-group command
and a trafficClassGroupName, and press <Enter>.
host1(config)#traffic-class-group trafclasnameabcd
host1(config-traffic-class-group)#?
default
Set a command to its default(s)
exit
Exit from the current command mode
help
Describe the interactive help system
log
Configure logging settings
macro
Run a CLI macro
no
Negate a command or set its default(s)
run
Run an exec mode command

2-53

2-54

CHAPTER 2
Command Line Interface

sleep
traffic-class

Make the Command Interface pause for a specified duration

Set the traffic class belong to this group

host1(config-traffic-class-group)#

Tunnel Profile Configuration Mode

In this mode, you can create and configure MPLS tunnel profiles.
From Global Configuration mode, type mpls tunnels profile and the
profileName, and press <Enter>.
host1(config)#mpls tunnels profile storm
host1(config-tunnelprofile)#?
default

Set a command to its default(s)

exit

Exit from the current command mode

help

Describe the interactive help system

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

sleep

Make the Command Interface pause for a specified duration

tunnel

Configure tunnel interface parameters

host1(config-tunnelprofile)#

VRF Configuration Mode

In this mode, you can create and configure VRF parameters for
BGP/MPLS VPNs.
From Global Configuration mode, type ip vrf and the vrfName, and
press <Enter>. Confirm the new VRF by pressing <Return>.
host1(config)#ip vrf yankee
Proceed with new vrf creation? [confirm]
host1(config-vrf)#?
default
Set a command to its default(s)
description
Configure VRF specific description
exit
Exit from the current command mode
export
Specify VRF export characteristics
help
Describe the interactive help system
import
Specify VRF import characteristics
log
Configure logging settings
macro
Run a CLI macro
no
Negate a command or set its default(s)
rd
Specify route distinguisher
route-target Specify VPN extended community Target
run
Run an exec mode command
sleep
Make the Command Interface pause for a specified duration
host1(config-vrf)#

Configuring SNMP

This chapter provides information for configuring Simple Network

Management Protocol (SNMP) on your ERX system.
Topic

Page

Overview

3-1

References

3-11

Before You Configure SNMP

3-11

SNMP Configuration Tasks

3-12

Configuring Traps

3-19

Collecting Bulk Statistics

3-24

Using the Bulk Statistics Formatter

3-41

Managing Virtual Routers

3-42

Monitoring SNMP

3-43

Overview
SNMP is a protocol that manages network devices, such as your ERX
system. The goal of SNMP is to simplify network management in two
ways:
By defining a single management protocol that can be used to manage
any network device from any vendor.
This feature reduces the complexity of the network management
application because the application does not need to support a large
number of proprietary management protocols for the mix of vendors
devices in the network.

3-2

CHAPTER 3
Configuring SNMP

By defining a single, consistent representation of managed information

that is commonly deployed in network devices.

For example, SNMP uses a common form and semantics for

interface statistics, a process that supports consistent interpretation
and meaningful comparison.
SNMP is an application-level protocol that comprises the following three
elements:
An SNMP client (manager)
An SNMP server (agent)
A Management Information Base (MIB)
SNMP defines a client-server model in which a client (manager) obtains
information from the server (agent) through two mechanisms:
A request/response protocol by which the client configures and
monitors the server. In this instance, the information is solicited.
Asynchronous notifications (called traps) by which the server, on its
own initiative, reports notable changes in the systems status to the
client. In this instance, the information is unsolicited.
Terminology

Table 3-1 provides definitions for the basic SNMP terms.

Table 3-1 SNMP terminology
Term

Meaning

agent

Also referred to as server; a managed device, such as a router,

that collects and stores management information

client

Sometimes called a network management station (NMS) or

simply a manager; a device that executes management
applications that monitor and control network elements

community

A logical group of SNMP-managed devices and clients in the

same administrative domain

entity

Refers to both a server and a client

event

A condition or state change that may cause the generation of a

trap message

managed object

A characteristic of something that can be managed, such as a list

of currently active TCP circuits in a device

group

SNMPv3 term; a set of users with the same access privileges to

the system

MIB

Management Information Base; a collection of managed objects

residing in a virtual information store

Overview
ERX Edge Routers

Table 3-1 SNMP terminology (continued)

Term

Meaning

network element

Also known as a managed device; a hardware device, such as a

PC or a router

notification

A message that indicates a status change (equivalent to a trap)

server

Also referred to as agent; a managed device, such as a router,

that collects and stores management information

trap

Message sent by an SNMP server to a client to indicate the

occurrence of a significant event, such as a specifically defined
condition or a threshold that was reached. Managed devices use
traps to asynchronously report certain events to clients.

user

SNMPv3 term; an individual who accesses the system

view

SNMPv3 term; defines the management information available to

the user: read, write, or notification

SNMP Features Supported

This SNMP implementation provides the following:

Standard SNMP MIB support for services and interfaces as defined by
the Internet Engineering Task Force (IETF)
A set of ASN.1 notated enterprise MIBs for all management functions
not addressed by standard MIBs
A multilingual SNMP server that supports SNMPv1, SNMPv2c, and
SNMPv3 protocols
Enhanced security and management features supported in SNMPv3
Traps for alarm and state change events
Bulk data collection and retrieval
Management of virtual routers
Note: Your system allows you to disable the management interface via SNMP. If
you disable the management interface, you can no longer access the system via
SNMP.

SNMP Client

The SNMP client runs on a network host and communicates with one or
more SNMP servers on other network devices, such as routers, to
configure and monitor the operation of those network devices.

3-3

3-4

CHAPTER 3
Configuring SNMP

SNMP Server

The SNMP server operates on a network device, such as a router, a

switch, or a workstation. It responds to SNMP requests received from
SNMP clients and generates trap messages to alert the client(s) about
notable state changes in the network device.
The SNMP server implementation operates over UDP/IP only. It can
receive requests directed to any IP address configured on the system.
SNMP requests and responses are received or sent on UDP port 161.
SNMP traps are sent from UDP port 162 by default or from a
configurable port. For traps sent from UDP port 162, you can configure
the destination UDP port for each recipient with the snmp-server host
command.
SNMP MIBs

A MIB specifies the format of managed data for a device function. The
goal of a MIB is to provide a common and consistent management
representation for that function across networking devices.
Your system supports both standard and enterprise SNMP MIBs.
Standard SNMP MIBs

A standard MIB is defined by a body such as the IETF and fosters

consistency of management data representation across many vendors
networking products.
Juniper Networks ERX Enterprise MIBs

An enterprise MIB is defined by a single vendor. In addition to providing

consistency of management data representation across that vendors
product line, the enterprise MIB also accounts for proprietary functions
and value-added features not addressed by standard MIBs.
For example, boot record extensions to the enterprise MIB enable
configuration of the release (.rel) files for each system, slot, and
subsystem. The extensions also enable booting via the factory defaults,
the running configuration, or a configuration (.cnf) file.
Accessing Supported SNMP MIBs

For complete information on the SNMP MIBs supported by your system,

see the System Software CD, shipped with your system. In the MIBs
folder you will find information on all supported standard and Juniper
Networks ERX Enterprise (proprietary) MIBs.

Overview
ERX Edge Routers

SNMP Versions

This SNMP server implementation supports:

SNMPv1 (defined in RFC 1157)
SNMPv2c (Community-based SNMPv2, defined in RFC 1901 and
RFC 1905)
SNMPv3 (compliant with RFCs 25702575)
The server encodes SNMP responses using the same SNMP version
received in the corresponding request and encodes traps using the SNMP
version configured for the trap recipient.
SNMPv2c supports the capabilities defined for SNMPv1 and provides
greater power and flexibility through the addition of several features,
including:
More detailed error codes
GetBulk operation for efficient retrieval of large amounts of data
64-bit counters
SNMPv3 is an extensible SNMP framework that supplements the
SNMPv2c framework by supporting the following:
Security for messages
Explicit access control
Security Features

As users transfer more sensitive information, such as billing details, via the
Internet, security becomes more critical for SNMP and other protocols.
SNMPv3 provides the user-based security model (USM) to address
authentication and data encryption.
Authentication provides the following benefits:
Only authorized parties can communicate with each other.
Consequently, a management station can interact with a device only if
the administrator configured the device to allow the interaction.
Messages are received promptly; users cannot save messages and
replay them to alter content. This feature prevents users from
sabotaging SNMP configurations and operations. For example, users
can change configurations of network devices only if authorized to do
so.
SNMPv3 authenticates users via the HMAC-MD5-96 or
HMAC-SHA-96 protocols; CBC-DES is the encryption or privacy

3-5

3-6

CHAPTER 3
Configuring SNMP

protocol. The SNMP agent recognizes up to 32 usernames that can have

one of the following security levels:
No authentication and no privacy (none)
Authentication only (auth only)
Authentication and privacy (priv)
In contrast, SNMPv1/v2c provide only password protection, via the
community name and IP address. When an SNMP server receives a
request, the server extracts the clients IP address and the community
name. The SNMP community table is searched for a matching
community. If a match is found, its access list, if nonzero, is used to
validate the IP address. If the access list number is zero, the IP address is
accepted. A nonmatching community or an invalid IP address causes an
SNMP authentication error. Each entry in the community table
identifies:
An SNMP community name
An SNMP view name
A users privilege level
> Read-only (ro)
> Read-write (rw)
> Administrator (admin)

An IP access list name

Management Features

Management features of SNMPv3 allow you to specify who will receive

notifications and to define MIB views that users in different groups can
access:
Notification Message that informs you of a status change; the
equivalent of a trap in SNMPv1.
View Definition of the management information that is available:
read, write, or notification. Three predefined views are available for
each group:
> everything Includes all MIBs associated with the system
> user Includes all MIBs associated with the system, except

standard and enterprise MIBs used to configure SNMP operation

> nothing Excludes all MIBs

Overview
ERX Edge Routers

User An individual who requires access to the system. The system

may provide authentication and privacy for the user via SNMPv3.
Each user is associated with a group.
Group A set of users with the same access privileges to the system.
Three predefined groups are available: admin, public, and private.
Table 3-2 shows the security levels and views associated with these
groups.
Table 3-2 Relationship between groups, security levels, and views

Group Name

Security Level Read View

Write View

Notification/
Trap View

admin

authentication
and privacy

everything

everything

everything

public

none

user

nothing

nothing

private

authentication
only

user

user

user

Virtual Routers

All SNMP-related CLI commands operate in the context of the virtual

router, which means that you must configure users, traps, communities,
and so on for each server. You must set the context using the
virtual-router command and then configure SNMP.
The show snmp commands show only statistics and configuration
information for the server/SNMP agent that corresponds to the current
virtual router context.
The exceptions to this convention are the snmp-server contact and the
snmp-server location commands. With these commands, single
instances of the contact and the location are created regardless of the
number of virtual routers.
Creating SNMP Proxy

Your system software allows you to configure multiple virtual routers.

Each virtual router has its own SNMP server. At system initialization,
SNMP creates a server for each existing virtual router.
In cases where router-specific data is required, the requestor can direct a
request to a particular server for a virtual router via the base community
string extension: for example, SNMP get public@megaRouter.
Note: In addition to the @ selector character, the system also supports the %
selector character. For example, SNMP get public%megaRouter.

3-7

3-8

CHAPTER 3
Configuring SNMP

When any router server parses a request and detects an extended

community string, it acts as proxy by forwarding the request to the server
corresponding to the virtual router name in the extension (for example,
megaRouter). The target server then processes the request and generates
a response, which is then returned to the proxy server and subsequently
transmitted to the requester.
The ERX system implementation of SNMPv3 communicates with virtual
routers by assigning each proxy agent an SNMP engineID. This
difference is unimportant to users of the CLI. However, if you use other
SNMPv3 applications to manage the system, refer to the following
section.
Communicating with the SNMP Engine

The SNMP engine performs the following tasks for SNMPv3:

Sends and receives messages.
Prepares messages and extracts data from messages.
Authenticates, encrypts, and decrypts messages.
Determines whether access to a managed task is allowed.
Each SNMP engine has an SnmpEngineID, a hexadecimal number 15
octets long. Table 3-3 shows the structure of the SnmpEngineID.
Table 3-3 Structure of the SnmpEngineID
Octet Assignment

Description

14

The Juniper Networks SNMP management private enterprise

number

Indicates that octets 615 contain information determined by

Juniper Networks

6 11

The MAC address for the device

12 15

The 32-bit (4 octet) router index (or routerUID)

Request protocol data units (PDUs) for the SNMP engine must contain
the corresponding contextEngineID and contextName for the SNMP
engine. When the system receives a PDU, it examines the
contextEngineID and contextName, and forwards the request to the
corresponding virtual router.
The contextEngineID is the same as the SnmpEngineID.
The contextName is an internally derived ASCII string associated with
the router. It has the format routerN, where N is a number (with no

Overview
ERX Edge Routers

leading zeros) in the range 116777215, corresponding to the least

significant 24 bits of the 32-bit router index (or router UID). You can
obtain the contextName for a specific router via the
Unisphere-Data-ROUTER-MIB from the usdRouterContextName
object in the usdRouterTable, which is indexed by the 32-bit router
index (usdRouterIndex).
Examples

The following table shows examples of the ERX system SNMP engine
objects that are associated with the default virtual router.
.

Object

Value

SnmpEngineID

0x80:00:13:0a:05:00:90:1a:00:04:6c:80:00:00:01

contextEngineID

0x80:00:13:0a:05:00:90:1a:00:04:6c:80:00:00:01

contextName

router1

SNMP Attributes

The software automatically maps predefined SNMPv1/v2c attributes to

predefined SNMPv3 attributes, as shown in Table 3-4.
Table 3-4 Relationship between SNMPv1/v2c and SNMPv3 attributes
Attribute

SNMPv1/v2C Value

SNMPv3 Value

Community

admin

admin

View

everything

Privilege

rw

rw

Community

public

public

View

user

Privilege

ro

ro

Community

private

private

View
Privilege

user
rw

rw

3-9

3-10

CHAPTER 3
Configuring SNMP

SNMP Operations

SNMP has the five operations defined in Table 3-5.

Table 3-5 SNMP operations
SNMP
Operation

Definition

Get

Allows the client to retrieve an object instance from the server.

GetNext

Allows the client to retrieve the next object instance from a table or
list within a server.

GetBulk

Makes it easier to acquire large amounts of related information

without initiating repeated GetNext operations. GetBulk is not
available in SNMPv1.

Set

Allows the client to set values for the objects managed by the
server.

Notification

Used by the server to asynchronously inform the client of some

event. (Called a trap in SNMPv1.)

SNMP PDU Types

SNMP offers the six types of PDUs defined in Table 3-6.

Table 3-6 SNMP PDU types
SNMP PDU Type Definition
Get Bulk

Transmitted by the client to the server to obtain the identifiers and

the values of a group or collection of variables rather than one
variable at a time. GetBulk is not available in SNMPv1.

Get Next
Request

Transmitted by the client to the server to obtain the identifiers and

the values of variables located after the designated variables.

Get Request

Transmitted by the client to the server to obtain the values of

designated variables.

Get Response

Transmitted by the server to the client in response to a Get

request, a Get Next request, or a Set request.

Set Request

Transmitted by the client to the server to modify the values of

designated variables.

Notification

Transmitted by the server, on its own initiative, to inform the client

of a special event noted on a network device. (Called a trap in
SNMPv1.)

References
ERX Edge Routers

References
For more information about SNMP, consult the following resources:
RFC 1157 A Simple Network Management Protocol (SNMP)
(May 1990)
RFC 1901 Introduction to Community-based SNMPv2
(January 1996)
RFC 1905 Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2) (January 1996)
RFC 2570 Introduction to Version 3 of the Internet-standard
Network Management Framework (April 1999)
RFC 2571 An Architecture for Describing SNMP Management
Frameworks (April 1999)
RFC 2572 Message Processing and Dispatching for the Simple
Network Management Protocol (SNMP) (April 1999)
RFC 2573 SNMPv3 Applications (April 1999)
RFC 2574 User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3) (April 1999)
RFC 2575 View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP) (April 1999)

Before You Configure SNMP

Before you configure SNMP, ensure that at least one IP address is
configured on your system. See ERX Installation and User Guide,
Chapter 5, Accessing the ERX System.
You should also have the necessary configuration information for:
Communities and their assigned privileges
IP addresses of SNMP clients and trap recipients
SNMPv3 users

3-11

3-12

CHAPTER 3
Configuring SNMP

SNMP Configuration Tasks

To configure the SNMP server:
1

Enable the SNMP server.

host1(config)#snmp-server

Configure at least one authorized SNMP community (SNMPv1/v2c)

or user (SNMPv3), which provides SNMP client access.
host1(config)#snmp-server community boston view everything
rw
host1(config)#snmp-server user fred auth sha fred-password
priv des password group user

(Optional) Set the server parameterscontact and location.

host1(config)#snmp-server contact Bob Smith
host1(config)#snmp-server location 3rdfloor

(Optional) Reconfigure the maximum SNMP packet size.

host1(config)#snmp-server packetsize 1000

(Optional) Configure memory warning parameters.

host1(config)#memory warning 80 70

(Optional) Configure the method the system uses to encode the

ifDescr and ifName objects.
host1(config)#snmp interfaces description-format common

(Optional) Manage the interface sublayers (compress interfaces and

control interface numbering).
host1(config)#snmp-server interfaces compress atmAal5
host1(config)#snmp-server interface compress-restriction
ifadminstatusdown
host1(config)#snmp interfaces rfc1213 55000 100000

You can also set up SNMP traps and set up the system to collect bulk
statistics. See Configuring Traps and Collecting Bulk Statistics later in
this chapter.

SNMP Configuration Tasks

ERX Edge Routers

Enabling SNMP

To enable the SNMP server, use the following command.

snmp-server

Use to enable SNMP server operation.

Example
host1(config)#snmp-server

Use the no version to disable the SNMP server operation.

Configuring SNMP v1/v2c Community

For SNMPv1/v2c, access to an SNMP server by an SNMP client is

governed by a proprietary SNMP community table that identifies those
communities that have read-only, read-write, or administrative
permission to the SNMP MIB stored on a particular server.
When an SNMP server receives a request, the server extracts the clients
IP address and the community name. The SNMP community table is
searched for a matching community. If a match is found, its access list
name is used to validate the IP address. If the access list name is null, the
IP address is accepted. A nonmatching community or an invalid IP
address results in an SNMP authentication error.
Each entry in the community table identifies:
An SNMP community name
A users privilege level
An IP access list
Community Name

The community name acts as a password and is used to authenticate

messages sent between an SNMP client and a router containing an
SNMP server. The community name is sent in every packet between the
client and the server.

3-13

3-14

CHAPTER 3
Configuring SNMP

Privilege Levels

SNMP has three privilege levels:

Read-only Read-only access to the entire MIB except for SNMP
configuration objects
Read-write Read-write access to the entire MIB except for SNMP
configuration objects
Admin Read-write access to the entire MIB
IP Access List

The IP access list identifies those IP addresses of SNMP clients permitted

to use a given SNMP community.
snmp-server community

Use to configure an authorized SNMP community for access to the SNMP

MIBs and to associate SNMPv1/v2c communities with SNMP MIB views.

The community name serves as a password and permits access to an SNMP

server. The name can be up to 31 characters, and it must be enclosed in
quotation marks.

The maximum number of communities in each virtual router is 32.

By default, an SNMP community permits only read-only access.

Example
host1(config)#snmp-server community boston view everything
rw

Use the no version to delete a community from the SNMP community table.

Configuring SNMPv3 Users

To configure SNMPv3 users, use the following command.

snmp-server user

Use to create and modify SNMPv3 users.

Example
host1(config)#snmp-server user fred auth sha fred-password
priv des password group user

Use the no version to delete users.

Setting Server Parameters

Setting the servers contact person and location provides helpful

identifiers for the SNMP server. These identifiers are arbitrary and do
not affect the servers function, but they are useful to have.

SNMP Configuration Tasks

ERX Edge Routers

snmp-server contact
snmp-server location

Use these commands to configure the SNMP servers contact person and the
servers location.

The contact is the person who manages the server.

The location is the servers physical location.

Each of these parameters can be up to 64 characters.

Example
host1(config)#snmp-server contact Bob Smith
host1(config)#snmp-server location 3rdfloor

Use the no version of these commands to clear the contact or location identifier
from the SNMP configuration.

Configuring SNMP Packet Size

The SNMP server must support a PDU with an upper limit of 484 bytes
or greater. There is no need to coordinate the maximum packet size
across the entire network. Many requests and responses tend to be smaller
than the maximum value.
snmp-server packetsize

Use to set the SNMP servers maximum packet size.

Increase this value to improve the efficiency of the GetBulk operation.

Example
host1(config)#snmp-server packetsize 1000

Use the no version to set the SNMP packet size to the default maximum size,
1500 bytes.

Configuring Memory Warning

You can set up the system to send memory warning messages when
memory utilization reaches a specified value.
memory

Use to configure memory warning parameters. You set a high memory

utilization value and an abated memory utilization value. When the system
reaches the high utilization value, it sends warning messages. When memory
usage falls to the abated utilization value, the system stops sending warning
messages.

Example
host1(config)#memory warning 80 70

Use the no version to return to the default values, 85 for high utilization and 75
for abated memory utilization.

3-15

3-16

CHAPTER 3
Configuring SNMP

Configuring Encoding Method

You can control how the system encodes the ifDescr and ifName objects
in the SNMP agents interface table and in the bulkstats application.
There are two choices of encoding schemes: an ERX system proprietary
method and a conventional industry method.
The proprietary method identifies each interface sublayer with its
type.
The industry method bases the type information for each interface
sublayer on the lowest layer 1 or layer 2 interface type.
For example a PPP interface configured on top of an ATM interfaces is:
PPP3/0.1 proprietary method
ATM3/0.1 industry method
snmp-server interfaces description-format common

Use to set the encoding scheme of the ifDescr and ifName objects to the
conventional industry method.

This command provides compatibility with software that uses the industry
encoding scheme.

Example
host1(config)#snmp interfaces description-format common

Use the no version to return to the proprietary method of encoding.

Managing Interface Sublayers

You can set up the SNMP agent to compress the number of interface
instances in the standard interface and stack tables. You can also control
the interface numbering method used in the interface tables.
Compressing Interfaces

You can compress interfaces by interface type and by the administrative

status of the interface. Compressing interfaces removes them from the
ifTable and the ifStackTable, which increases table retrieval
performance. For example, if you want statistics kept only on IP
interfaces, then you can compress all interfaces except IP; subsequently,
only IP interfaces will appear in the ifTable and the ifStackTable.
To compress interfaces that have an administrative status of down, use the
snmp interfaces compress-restriction command.

SNMP Configuration Tasks

ERX Edge Routers

To compress interfaces according to type, use the snmp interfaces

compress command. To see the list of interfaces that you can remove,
use the CLI help:
host1(config)#snmp interfaces compress ?
Atm

Atm interface layer

Atm1483

Atm1483 interface layer

AtmAal5

AtmAal5 interface layer

.
.
.
SonetVT

SonetVT interface layer

VlanMajor

VlanMajor interface layer

VlanSub

VlanSub interface layer <cr>

If you enter the snmp interfaces compress command without

keywords, the following interface types are removed from the interface
tables:
ip
ppp
ethernetSubinterface
hdlc
ipLoopback
ipVirtual
pppLinkInterface
pppoeInterface
slepInterface/ciscoHdlc
snmp-server interfaces compress

Use to remove interface sublayers from the ifTable and the ifStackTable.

Example
host1(config)#snmp-server interfaces compress atmAal5

Use the no version to add interface sublayers to the ifTable and the
ifStackTable.

3-17

3-18

CHAPTER 3
Configuring SNMP

snmp-server interfaces compress-restriction

Use to exclude interfaces from the ifTable and the ifStackTable if the
administrative status of the interface is down.

Example
host1(config)#snmp-server interface compress-restriction
ifadminstatusdown

Use the no version to remove the restriction and allow interfaces with an
administrative status of down in the ifTable and the ifStackTable.

Controlling Interface Numbering

Each interface in the ifTable is assigned an ifIndex number. RFC 1213

required that ifIndexes use contiguous integers and that the ifIndex be
less than the value of the total number of interfaces (ifNumber). More
recent RFCs1573, 2232, and 2863removed these restrictions to
accommodate interface sublayers. The ERX system implementation of
SNMP derives index numbers in 32-bit values that are unique on a given
system. This numbering scheme can result in large gaps in the ifIndex.
Legacy network management software that was designed to work with
RFC 1213 implementations expects contiguous integers and can fail when
the software encounters large gaps in the ifIndex.
By default, the system uses a numbering scheme based on RFC 1573. For
compatibility with RFC 1213, you can set up the system to use contiguous
numbers and to limit the values of the ifIndex and the ifNumber.
snmp-server interfaces rfc1213

Use to set up the interface numbering method in the IfTable to use contiguous
integers, which provides compatibility with versions of SNMP that are based on
RFC 1213.

The maxIfIndex option sets the maximum value of the ifIndex field that the
system will allocate.

The maxIfNumber option sets the maximum number of interfaces allowed in the
interface tables.
Caution: Reducing the value of the maxIfIndex and/or maxIfNumber causes the
system to automatically reboot to factory default settings.

When the IfIndex and IfNumber maximums are reached, the system logs the
event and ignores the creation of additional interfaces, which means that new
interfaces are not visible in the interface table.

Configuring Traps
ERX Edge Routers

Example
host1(config)#snmp interfaces rfc1213 55000 100000
WARNING: Execution of this command will cause all
configuration settings to revert to factory defaults upon
the next system reboot.
Proceed with 'snmp interfaces rfc1213'? [confirm]

Use the no version to return to the default method of interface numbering.

Monitoring Interface Tables

Use the following command to view the configuration of your interface

tables.
show snmp interfaces

Use to display a list of interface types that are compressed in the interface
tables and the interface numbering method configured on the system.

Field descriptions

Compressed(Removed) Interface Types list of interface types that are

removed from the ifTable and ifStackTable

Armed Interface Numbering Mode interface numbering method configured

on the system: RFC1213, RFC1573

maxIfIndex maximum value that the system will allocate to the ifIndex field
maxIfNumber maximum number of interfaces allowed in the ifTable
Interface Description Setting method used to encode the ifDescr and
ifName objects: industry-common, proprietary
host1#show snmp interfaces
Compressed(Removed) Interface Types:
HDLC, FT1, ATM, ATM1483
Armed Interface Numbering Mode:
RFC1213, maxIfIndex=65535, maxIfNumber=65535
Interface Description Setting: proprietary

Configuring Traps
This section provides information for:
Enabling trap generation
Setting up filtering of traps by severity
Configuring trap destinations
Setting a source address for traps
Enabling link status traps
Specifying an egress point for traps

3-19

3-20

CHAPTER 3
Configuring SNMP

The system generates SNMP traps according to operating specifications

defined in supported MIBs.
IP Hosts

Traps are sent to IP hosts. The IP hosts are configured in a proprietary

trap host table maintained by the system (the server). Each entry in the
table contains:
IP address of the trap destination
Community name (v1 or v2c) or user name (v3) to send in the trap
message
SNMP format (v1 or v2) of the notification/trap PDU to use for that
destination
Types of traps enabled to be sent to that destination
Trap filters configured for the destination
The maximum number of entries in the SNMP trap host table in each
virtual router is eight.
Trap Categories

The system supports the following trap categories:

addrPool local address pool
atmPing ERX system proprietary ATM ping
bgp BGP state change
bulkstats bulk statistics file full and nearly full
cliSecurityAlert security alert
dvmrp DVMRP
dvmrpUni ERX system proprietary DVMRP
environment power, temperature, fan, and memory utilization
fileXfer file transfer status change
inventory system inventory and status
link SNMP linkUp and linkDown
log system log capacity
ospf OSPF
ping ping operation (in disman remops MIB)

Configuring Traps
ERX Edge Routers

snmp SNMP coldstart, warmstart, authenticationFailure; the trap

option. The snmp-server enable traps snmp authentication
command allows customized treatment for SNMP authentication
failure traps
traceroute traceroute operation (in disman remops MIB)
To enable global trap categories, use the snmp-server enable traps
command. To enable trap categories for a specific host, use the
snmp-server host command.
Trap Severities

The system provides a method of filtering traps according to severity.

Table 3-7 describes the supported severity levels.
Table 3-7 Trap severity descriptions
Severity Number Severity Name

System Response

Emergency

System unusable

Alert

Immediate action needed

Critical

Critical conditions exist

Error

Error conditions exist

Warning

Warning conditions exist

Notice

Normal but significant conditions exist

Informational

Informational messages

Debug

Debug messages

You can set up a global filter to filter all traps and/or set up a filter for
each host. Trap filters work as follows:
1

An event is posted to the SNMP agent.

The system checks whether the corresponding trap category is

globally enabled and whether the trap meets the minimum global
severity level.
a

If the trap does not meet these criteria, the system discards the
trap.

If the trap does meet these criteria, the trap is handed to the trap
host processor.

3-21

3-22

CHAPTER 3
Configuring SNMP

The trap host processor checks whether the trap category is enabled
on the host and whether the trap meets the minimum severity level
set for the host.
a

If the trap does not meet these criteria, the system discards the
trap.

If the trap does meet these criteria, the trap is sent to the trap
recipient.

To set up global severity filters, use the snmp-server enable traps

command. To set up a severity filter for a specific host, use the
snmp-server host command.
snmp-server enable traps

Use to enable and configure SNMP trap generation on a global basis.

Traps are unsolicited messages sent from an SNMP server (agent) to an

SNMP client (manager).

You can enable the traps listed in Trap Categories earlier in this chapter.

You can filter traps according to the trap severity levels described in Table 3-7.

If you do not specify a trap option, all options are enabled or disabled for the
trap type.

Example
host1(config)#snmp-server enable traps atmPing trapfilters
critical

Use the no version to disable SNMP trap generation.

Use to configure an SNMP trap host to refine the type and severity to traps that
the host receives.

A trap destination is the IP address of a client (network management station)

that receives the SNMP traps.

You can configure up to eight trap hosts on each virtual router.

You can enable the traps listed in Trap Categories earlier in this chapter.

You can filter traps according to the trap severity levels described in Table 3-7.

Example

snmp-server host

host1(config)# snmp-server host 126.197.10.5 version 2c

westford udp-port 162 snmp link trapfilters alert

Use the no version to remove the specified host from the list of recipients.

Configuring Traps
ERX Edge Routers

snmp-server trap-source

Use to specify the interface whose IP address is used as the source address
for all SNMP traps.
Note: When there are multiple IP addresses configured on the IP interface that is
chosen as the SNMP trap source, the SNMP agent automatically uses the primary
IP address of the interface as the SNMP source address on SNMP traps.

Example
host1(config)#snmp-server trap-source fastethernet 0/0

Use the no version to remove the interface from the trap configuration.

Use to enable link status traps on an IP interface.

Example

snmp trap ip link-status

host1(config-if)#snmp trap ip link-status

Use the no version to disable link status traps on an IP interface.

Use to configure the SNMP link status traps on a particular interface.

A link-up trap recognizes that a previously inactive link in the network has come
up.

A link-down trap recognizes a failure in one of the communication links

represented in the servers configuration.

Example

snmp trap link-status

host1(config-controll)#snmp trap link-status

Use the no version to disable these traps for the interface.

Note: This command operates in Controller Configuration mode. It is supported only
by the DS3, DS1, and FT1 interface layers.

Specifying an Egress Point for SNMP Traps

You can now enable SNMP trap proxy, which allows you to specify a
single SNMP agent as the egress point for SNMP traps from virtual
routers. This feature removes the need to configure a network path from
each virtual router to a single trap collector.
You can enable SNMP trap proxy from either SNMP or the CLI. Only
one SNMP trap proxy can exist for a system.
The SNMP trap proxy does not forward global traps that it receives from
other virtual routers. The corresponding SNMP agent handles global
traps locally and does not forward them to the SNMP trap proxy.

3-23

3-24

CHAPTER 3
Configuring SNMP

To configure the SNMP trap proxy:

1

Access the virtual router context.

Enable or disable the SNMP trap proxy.

snmp-server trap-proxy

Use to enable the SNMP trap proxy.

Example
host1(config)#snmp-server trap-proxy enable

Use the no version to disable the SNMP trap proxy.

Collecting Bulk Statistics

The system offers an efficient data collection and transfer facility for
accounting applications. The ERX system SNMP MIBs extend the
accounting data collection mechanism defined in the
Accounting-Control-MIB (RFC 2513) to include support for
connectionless networks.
Service providers need reasonably accurate data about customers use of
networks. This data is used for billing customers and must be available at
a customers request. Accounting applications based on SNMP polling
models consume significant network bandwidth because they poll large
volumes of data frequently.
Unfortunately, SNMP is not well suited for gathering large volumes of
data, especially over short time intervals. It is inadequate for use by
accounting applications because:
The SNMP PDU layout has a low payload-to-overhead ratio.
It is expensive to process SNMP PDUs because objects and tables need
to be sorted in lexicographic order.
The system avoids the need for continuous polling of SNMP statistics by
using applications known as collectors to retrieve data. You can configure
up to six collectors. The system sends collected statistics via FTP to
assigned hosts, known as receivers. You must assign a primary receiver to
each collector, and you can assign a secondary receiver for redundancy.
Note: The BER (basic encoding rules) encoding choice is not supported.

Collecting Bulk Statistics

ERX Edge Routers

Configuring Collectors and Receivers

To configure the system to collect statistics:

1

Add names to the FTP host table for the primary and secondary
(optional) receivers.
See Using the copy Command in Chapter 4, Managing the System,
for information about adding names to the host table.

Specify the type of interface on which you want to collect statistics.

host1(config)#bulkstats interface-type ppp collector 2

Specify the parameters for the receivers.

host1(config)#bulkstats receiver 1 remote-name
js:/ftptest/bulk%s%s.sts sysName sysUpTime

Assign the data collector.

host1(config)#bulkstats collector 2

Specify the method for data collection.

host1(config)#bulkstats collector 2 collect-mode auto

Assign the primary receiver.

host1(config)#bulkstats collector 2 primary-receiver 7

(Optional) Assign the secondary receiver.

host1(config)#bulkstats collector 2 secondary-receiver 5

(Optional) Specify the time for which the system transfers data.
host1(config)#bulkstats collector 2 interval 1000

(Optional) Set the maximum size of the bulk statistics file.

host1(config)#bulkstats collector 2 max-size 20480

10 (Optional) Add descriptive information to the bulk statistics file.

host1(config)#bulkstats collector 2 description customer xyz

11 (Optional) Set the encoding scheme of the ifDescr and ifName

objects.
host1(config)#bulkstats interfaces description-format common

12 (Optional) Set the system to retrieve bulk statistics once only.

host1(config)#bulkstats collector 2 single-interval

3-25

3-26

CHAPTER 3
Configuring SNMP

13 (Optional) Configure bulk statistics traps.

host1(config)#bulkstats traps nearly-full

Note: Bulk statistics supports generating files on a per interface basis.

bulkstats collector

Use to assign the data collector.

Example
host1(config)#bulkstats collector 2

Use the no version to delete the collector.

bulkstats collector collect-mode

Use to specify the way the collector retrieves bulk statistics.

Example
host1(config)#bulkstats collector 2 collect-mode auto

Use the no version to specify that either the user or the system will initiate
transfers manually.

bulkstats collector description

Use to add descriptive information to the bulk statistics file.

Example
host1(config)#bulkstats collector 2 description customer xyz

Use the no version to remove descriptive text from the bulk statistics file.

bulkstats collector interval

Use to specify the time interval in seconds for which the collector transfers data
to the receivers.

Example
host1(config)#bulkstats collector 2 interval 1000

Use the no version to set this time to the default, 360 seconds (6 minutes).

bulkstats collector max-size

Use to set the maximum size of the bulk statistics file.

Example
host1(config)#bulkstats collector 2 max-size 20480

Use the no version to set the size of the bulk statistics file to the default,
3670016 bytes.

Collecting Bulk Statistics

ERX Edge Routers

bulkstats collector primary-receiver

Use to assign the primary receiver to which the system transfers data.

The index for the receiver must match the index that you specified with the
bulkstats receiver remote-name command.

Example
host1(config)#bulkstats collector 2 primary-receiver 7

Use the no version to clear the primary receiver and disable the collector.

bulkstats collector secondary-receiver

Use to assign the secondary (that is, the backup) receiver to which the system
transfers data.

The index for the receiver must match the index you specified with the
bulkstats receiver remote-name command.

Example
host1(config)#bulkstats collector 2 secondary-receiver 5

Use the no version to clear the secondary receiver.

bulkstats collector single-interval

Use to set the system to retrieve bulk statistics once only, rather than
periodically.

Example
host1(config)#bulkstats collector 2 single-interval

Use the no version to set the system to retrieve bulk statistics periodically, the
default situation.

bulkstats interfaces description-format common

Use to set the encoding scheme of the ifDescr object that the bulkstats
application reports to the conventional industry method.

This command provides compatibility with software that uses the industry
encoding scheme.

For more information, see Configuring Encoding Method earlier in this chapter.

Example
host1(config)#bulkstats interfaces description-format common

Use the no version to return to the proprietary method of encoding.

Use to configure the interface type on which you want to collect statistics.

The supported interface types are:

bulkstats interface-type

ATM
ATM 1483
Ethernet

3-27

3-28

CHAPTER 3
Configuring SNMP

Frame Relay
Frame Relay subinterface
Cisco HDLC
IP
PPP

Example
host1(config)#bulkstats interface-type ppp collector 2

If you define more than one collector, you must specify a unique collector index,
in the range 165535.

You can collect statistics on interfaces for the FE-2 module and the Gigabit
Ethernet module. You cannot collect statistics on the SRP Ethernet interface.

Example
host1(config)#bulkstats interface-type ethernet collector 2

Use the no version to delete the interface type from bulk statistics collection.
Deletion of a particular interface type takes effect at the next collection interval.

bulkstats receiver remote-name

Use to configure the parameters for receivers.

Bulk statistics transfers require the configuration of a remote FTP server.

The FTP file transfer supports only anonymous transfers to remote servers.
Other user names and passwords are not supported.

The receivers must appear in the FTP host table (see Using the copy
Command in Chapter 4, Managing the System). The name of the host must
match the name you specify with this command. The hostname is relative to
the virtual routers context when you issue this command.

When specifying the remote filename for bulk statistics, you must precede the
filename with the hostname followed by the :/ characters.

Example
host1(config)#bulkstats receiver 1 remote-name
js:/ftptest/bulk%s%s.sts sysName sysUpTime

Note: The % variables in the remote name are replaced at run time with the
sysName and sysUpTime parameters to produce variable filenames on the remote
host.

Use the no version to delete the receiver.

Use to configure bulk statistics traps.

You must configure SNMP correctly and specify a valid trap source. Otherwise,
the system will not send SNMP traps.

Example

bulkstats traps

host1(config)#bulkstats traps nearly-full

Use the no version to disable the trap.

Collecting Bulk Statistics

ERX Edge Routers

Monitoring Collection Statistics

To view the parameters the system uses to collect statistics, use the
following show bulkstats commands.
To include or exclude lines of output based on a text string that you
specify, use the output filtering feature for show commands. For details,
see Chapter 2, Command Line Interface.
show bulkstats

Use to display the bulk statistics data collection configuration.

Field descriptions

AdminStatus administrative status of the bulk statistics application

OperStatus operational status of the bulk statistics application
Interface Description Setting method used to encode the ifDescr object:
common, proprietary

File Format end of the line format in bulkstats files, carriage return and line
feed (CR+LF) or LF

Current Time current system time used to compare against the collection
stop/start time

Intervals number of times the bulk statistics collector has cycled through a
collection

PrimaryXfers number of times the bulk statistics collector has attempted a

data file transfer to a primary server

PrimaryFails number of primary server transfer failures

SecondaryXfers number of times the bulk statistics collector has attempted
a data file transfer to a secondary server

SecondaryFails number of secondary server transfer failures

BulkStats Collector Information:
Index bulk statistics collector index
CurrSize current size of the bulk statistics file in bytes
MaxSize maximum size configured for the bulk statistics file in bytes
Intrvl time interval between bulk collections in seconds
Mode how often the collector is set up to collect statistics:
periodic collects statistics periodically
single-interval collects statistics once only

XferMode collect mode configured for the collector:

auto agent transfers file when interval expires
manual NMS or the user initiates transfers
onFull agent transfers file when it reaches the maximum size

State
inProg collector is properly configured and currently active
notInSvc collector has been decommissioned by a management client

3-29

3-30

CHAPTER 3
Configuring SNMP

notReady collector does not have enough configuration information to

go active
error configuration/operational error

Index bulk statistics collector index

Primary-Receiver index of the primary receiver to which the system
transfers data

Second-Receiver index of the secondary receiver to which the system

transfers data

Last Transfer Failure last time that the collector attempted to retrieve
statistics and was unsuccessful

Index bulk statistics collector index

Interval Start Time start of current interval of bulk collections. The collector
began collecting bulk statistics at this time.

Interval Stop Time end of current interval of bulk collections.

Schema Information:
Index index number of the schema
Subtree type of bulk statistics schema configured on the collector: if-stack,
if-stats, or system

CollectorIndex bulk statistics collector index

State
active schema is properly configured and currently active
notInSvc schema has been decommissioned by a management client
notReady schema does not have enough configuration information to
go active
error configuration/operational error

Index index number of the schema

Subtree List type(s) of statistics the schema is configured to receive
Interface Types:
Index index number of the interface type entry
Type interface type for which bulk statistics collection is configured
CollectorIndex index of the collector to which the interface type applies
State
active interface type is properly configured and currently active
notInSvc interface type has been decommissioned by a management
client
notReady interface type does not have enough configuration
information to go active
error configuration/operational error

Receiver Information:
Index index number of the receiver
RemoteFileName hostname, path, and filename of the remote FTP server
Index index number of the receiver

Collecting Bulk Statistics

ERX Edge Routers

State
active receiver is properly configured and currently active
notInSvc receiver has been decommissioned by a management client
notReady receiver does not have enough configuration information to
go active
error configuration/operational error

Status
Success
Copy source does not exist or is unreachable
Copy failed
File in use

Example

host1#show bulkstats
AdminStatus:

enabled

OperStatus:

enabled

Interface Description Setting: industry-common

File Format: CR+LF
Current Time: TUE AUG 15 2000 15:54:20 UTC
Intervals PrimaryXfers PrimaryFails SecondaryXfers SecondaryFails

--------- ------------ ------------ -------------- -------------0

BulkStats Collector Information:

Index

CurrSize

MaxSize

Intrvl

Mode

-----

--------

--------

------

--------- --------

-------

490

3670016

600

periodic

manual

inProg

3670016

360

periodic

manual

notReady

Index

Primary-Receiver

Second-Receiver

Last Transfer Failure

-----

----------------

---------------

--------------------

not defined

not defined

not defined

Index Interval Start Time

XferMode

State

Interval Stop Time

----- ---------------------------- ------------------------1

TUE AUG 15 2000 15:52:33 UTC TUE AUG 15 2000 16:02:33 UTC

Not started

N/A

Schema Information:
Index

Subtree

-----

------------ --------------

CollectorIndex

State
--------

ifStats

active

ifStack

active

3-31

3-32

CHAPTER 3
Configuring SNMP

Index

Subtree List

-----

-------------------------------------------------------

ifInOctets; ifOutUcastPkts; ifOutPolicedOctets

N/A

Interface Types:
Index

CollectorIndex

State

-----

----------------------

Type

--------------

--------

Ppp

active

Ethernet

active

11

Atm1483

active

Receiver Information:
Index

RemoteFileName

-----

-------------------------------------------------------

host:/upload/bulkStas.sts

Index

State

Status

-----

--------

---------------------------------------------

notReady

Copy source does not exist or is unreachable

show bulkstats collector description

Use to display information on the collectors file description.

Field descriptions

Index index number of the bulk statistics collector

FileDescription descriptive information added to the bulk statistics file with
the bulkstats collector description command

Example
host1#show bulkstats collector description
Index

FileDescription

-----

-----------------------

Bulk SNMP Statistics Collection

show bulkstats collector interval

Use to display information on the collector transfer interval configuration.

Field descriptions

Index index number of the bulk statistics collector

Interval amount of time, in seconds, that the collector transfers data to the
receiver

Example
host1#show bulkstats collector interval
Index

Interval

-----

--------

360

Collecting Bulk Statistics

ERX Edge Routers

show bulkstats collector max-size

Use to display information on the bulk statistics maximum file size

configuration.

Field descriptions

Index index number of the bulk statistics collector

MaxSize maximum size of the bulk statistics file in bytes

Example
host1#show bulkstats collector max-size
Index

MaxSize

-----

------------

2097152

show bulkstats collector transfer-mode

Use to display information on the bulk statistics transfer mode configuration.

Field descriptions

Index index number of the bulk statistics collector

Transfer-Mode:
auto-xfer server automatically transfers the bulk statistics files to a
remote FTP server
manual-xfer server expects the user to transfer bulk statistics files
on-file-full server transfers the bulk statistics file when the file reaches
its maximum size

Primary-Receiver receives the bulk statistics sent by the collector

Secondary-Receiver serves as a backup to the primary receiver

Example
host1#show bulkstats collector transfer-mode
Index

Transfer-Mode

Primary-Receiver

-----

-------------

----------------

auto-xfer

Secondary-Receiver
-----------------2

show bulkstats interface-type

Use to display information on the bulk statistics interface types configuration.

Field descriptions

Interface Types:
Index index number of the interface type entry
Type interface type for which bulk statistics collection is configured
CollectorIndex index of the collector to which the interface type applies
State
active interface type is properly configured and currently active
notInSvc interface type has been decommissioned by a management
client

3-33

3-34

CHAPTER 3
Configuring SNMP

notReady interface type does not have enough configuration

information to go active
error configuration/operational error

Example
host1#show bulkstats interface-type
Interface Types:
Index

Collector

State

-----

----------------------

Type

---------

--------

ppp

active

show bulkstats receiver

Use to display information on the bulk statistics receivers remote file

configuration.

Field descriptions

Index index number of the receiver

RemoteFileName hostname, path, and filename of the remote FTP server
Index index number of the receiver
State
active receiver is properly configured and currently active
notInSvc receiver has been decommissioned by a management client
notReady receiver does not have enough configuration information to
go active
error configuration/operational error

Status
Success
Copy source does not exist or is unreachable
Copy failed
File in use

Example

host1#show bulkstats receiver

Index

RemoteFileName

-----

----------------------------------------------

f:/upload/bulkStas.sts

Index

State

Status

-----

--------

---------------------------------------------

notReady

Copy source does not exist or is unreachable

Collecting Bulk Statistics

ERX Edge Routers

show bulkstats statistics

Use to display bulk statistics counters.

Field descriptions

AdminStatus administrative status of the bulk statistics application

OperStatus operational status of the bulk statistics application
HdwDetects number of times the bulk statistics application detected a line
module bulkstat collectors presence

HdwCollectorCreates number of line module collectors created

CollectorCreateReqs number of times the bulk statistics application
requested the creation of a line module collector

CollectorStopReqs number of times the bulk statistics application

requested the line module collectors to stop

CollectorDeleteReqs number of times the bulk statistics application

requested the deletion of a line module collector

CollectorStarts number of times the bulk statistics collector has started

CollectorIncompleteCfgs number of times the bulk statistics collector
attempted to start a collector, but failed because the collectors configuration
was incomplete

CollectorStopFailures number of times the bulk statistics collector failed

during a collector stop request

DriverErrors number of bulk statistics driver errors

FileSizeFulls number of times the bulk statistics application ran out of
storage space

CollectorFileNearlyFullTraps number of nearly full events posted to the

SNMP agent on this system

CollectorFileFullTraps number of file full events posted to the SNMP agent

on this system

Intervals number of times the bulk statistics collector has cycled through a
collection

PrimaryXfers number of times the bulk statistics collector has attempted a

data file transfer to a primary server

PrimaryFails number of primary server transfer failures

SecondaryXfers number of times the bulk statistics collector has attempted
a data file transfer to a secondary server

SecondaryFails number of secondary server transfer failures

BulkStats Collector Statistics:
Index bulk statistics collector index
CurrSize current size of the bulk statistics storage file in bytes
CreateErrs number of bulk statistics collector create errors
Last Transfer Failure last time that the collector attempted to retrieve
statistics and was unsuccessful

Index bulk statistics collector index

3-35

3-36

CHAPTER 3
Configuring SNMP

Interval Start Time start of current interval or bulk collections. The collector
began collecting bulk statistics at this time.

Interval Stop Time end of current interval of bulk collections

Example

host1#show bulkstats statistics

AdminStatus:

enabled

OperStatus:

enabled

HdwDetects:

HdwCollectorCreates:

CollectorCreateReqs:

CollectorStopReqs:

CollectorDeleteReqs:

CollectorStarts:

25

CollectorIncompleteCfgs:

CollectorStopFailures:

DriverErrors:

FileSizeFulls:

CollectorFileNearlyFullTraps: 0
CollectorFileFullTraps:

Intervals PrimaryXfers PrimaryFails SecondaryXfers

SecondaryFails

--------- ------------ ------------ -------------24

18

--------------

BulkStats Collector Statistics:

Index

CurrSize

CreateErrs

Last Transfer Failure

-----

--------

----------

----------------------------

331

MON JAN 24 2001 17:21:33 UTC

Index Interval Start Time

Interval Stop Time

----- ---------------------------- ------------------------1

MON JAN 24 2001 19:09:33 UTC MON JAN 24 2001 19:15:33 UTC

Not started

N/A

show bulkstats traps

Use to display information on the bulk statistics traps configured to collect

statistics.

Field descriptions

Trap Type
nearly-full trap will be posted to the SNMP entity on this system when
the threshold is reached
file-full trap will be posted to the SNMP entity on this system when the
trap reaches 100%

Collecting Bulk Statistics

ERX Edge Routers

State configuration setting: enabled, disabled

Threshold nearly full trap will be posted to the SNMP entity on this system
when this percentage is reached

Traps Sent number of times this event was posted to the SNMP entity on
this system

Example
host1#show bulkstats traps
Trap Type

State

-----------

-------

Threshold
----------

Traps Sent
----------

file-full

enabled

N/A

nearly-full

enabled

Configuring Schemas

You can also set a management schema for bulk statistics. A schema is a
group of attributes or counters that provide an efficient way to retrieve
specific types of information about the system. The bulk statistics
application supports four schema configurations: if-stack, if-stats, policy,
and system. Table 3-8 shows the type of data each schema retrieves.
Table 3-8 Data retrieved according to schema
Schema

Retrieves . . .

if-stack

The interface and interface column configuration. It is a complete

retrieval of the ifStackTable, and using it can dramatically reduce the
time to discover the configured interfaces and their stacking
relationship on a system.

if-stats

Usage data on sets of interface types. The interface usage data is the
ifTable/ifXTable counters. Note that the ifXTable supports 64-bit
counters and the data written into the bulk statistics file supports the
64-bit counters.

policy

Statistics associated with a specified policy, a policy type, or traffic

tagged by a policy with a color tag.

system

Global system and per-module statistics and information. The global

system statistics retrieved are the sysUpTime and nvsUtilPct. The
per-module statistics and information retrieved include the
intPhysicalDesc, the cpuUtilPct, and the memUtilPct.

if-stats Objects

Table 3-9 presents if-stats objects you can configure using the bulkstats
schema subtree command.

3-37

3-38

CHAPTER 3
Configuring SNMP

Table 3-9 Schema ifStats objects

Object

Definition

usdAcctngifInBroadcastPkts

Broadcast packets received

usdAcctngIfInOctets

Octets received; support 64-bit counters

usdAcctngIfInUcastPkts

Unicast packets received

usdAcctngIfInDiscards

Packets received and discarded

usdAcctngIfInErrors

Packets received with errors

usdAcctngifInMulticastPkts

Multicast packets received

usdAcctngIfInUnknownProtos

Packets received with unknown protocols

usdAcctngifOutBroadcastPkts

Broadcast packets sent

usdAcctngIfOutOctets

Octets sent; support 64-bit counters

usdAcctngIfOutUcastPkts

Unicast packets sent

usdAcctngIfOutDiscards

Packets sent and discarded

usdAcctngIfOutErrors

Packets sent with errors

usdAcctngifOutMulticastPkts

Multicast packets sent

usdAcctngIfCorrelator

Customer correlation:

FR = DLCI

ATM = VPI, VCI

IP = RouterName

Everything else = not used

usdAcctngIfInPolicedOctets

Octets dropped due to ingress policy; support

64-bit counters.

usdAcctngIfInPolicedPkts

Packets dropped due to ingress policy

usdAcctngIfInSpoofedPkts

Packets dropped due to invalid source address

usdAcctngIfOutPolicedOctets

Octets dropped due to egress policy; support

64-bit counters

usdAcctngIfOutSpoofedPkts

Packets dropped due to invalid source address

usdAcctngIfOutSchedulerDropPks

Scheduler packets dropped

usdAcctngIfOutSchedulerOctets

Scheduler octets dropped

usdAcctngIfLowerInterface

The ifIndex of the lower interface

Note: All the schema if-stats objects in Table 3-9 apply to both layer 2 and layer 3
interfaces, except usdAcctngSpoofedPkts, which is specific to layer 3.

You can get more accurate rate statistics by using the time-offset
parameter. To use this parameter you must navigate to the if-stats
subtreelist. The time-offset parameter is included in each bulk statistics
interface record and is the offset from the master interval at which the
record was collected.

Collecting Bulk Statistics

ERX Edge Routers

bulkstats schema

Use to create the schema for collecting bulk statistics.

Example
host1(config)#bulkstats schema 4

Use the no version to delete the specified schema.

Note: If you create a collector but there is no schema for that collector, the collector
will not be active, and a schema will be created automatically for that collector to
collect if-stats for all subtree attributes.

bulkstats schema policy-name

Use to collect statistics on a specified policy.

You create policies using the policy-list command. See ERX Policy and QoS
Configuration Guide, Chapter 1, Configuring Policy Management.

Example
host1(config)#bulkstats schema 4 policy-name XMYpolicy

Use the no version to delete the specified schema.

bulkstats schema policy-type

Use to collect data based on policy type.

Use keywords to collect data on input policies, local input policies, or output
policies. You can also collect data based on type of packet.

Example
host1(config)#bulkstats schema 4 policy-type input

Use the no version to delete the specified schema.

bulkstats schema subtree

Use to set the schema for collecting data. Specify one of the following
keywords:

if-stack retrieves the interface and interface column configuration

if-stats retrieves interface usage data on sets of interface types; using the
subtreelist keyword along with the if-stats keyword lets you specify specific
counters and lets you set the time-offset parameter.

policy retrieves information on traffic tagged with a color-coded policy tag

system retrieves global system and per-module statistics and information

Example
host1(config)#bulkstats schema 4 subtree policy subtreelist
green-packets upper-green-packets

Use the no version to delete the specified schema.

3-39

3-40

CHAPTER 3
Configuring SNMP

Monitoring Schema Statistics

You are able to display your configuration and monitor the data
generated by schemas.
show bulkstats schema

Use to display data on the bulk statistics schema.

Field descriptions

Schema Information:
Index index number of the schema
Subtree type of bulk statistics schema configured on the collector: if-stack,
if-stats, policy, or system

CollectorIndex bulk statistics collector index (same as the SNMP table

index)

State
active schema is properly configured and currently active
notInService schema has been decommissioned by a management
client
notReady schema does not have enough configuration information to
go active
error configuration/operational error

Index index number of the schema

Subtree List type(s) of statistics the schema is configured to receive

Example 1
host1#show bulkstats schema
Schema Information:

Index

Subtree

CollectorIndex

State

-----

-----------------

--------------

--------

ifStack

active

system

active

Index

Subtree List

-----

-------------------------------------------------

N/A

N/A

Example 2
host1#show bulkstats schema
Schema Information:
Index

Subtree

CollectorIndex

State

-----

-----------------

--------------

--------

ifStats

active

system

active

Using the Bulk Statistics Formatter

ERX Edge Routers

Index

Subtree List

-----

--------------------------------------------------

ifOutErrors; ifLowerInterface; ifTimeOffset

N/A

Using the Bulk Statistics Formatter

The bulk statistics formatter allows you to set a remote filename
dynamically and specify the format for the end of each line in the
bulkstats file.
Setting Remote Filenames

The system supports the following special characters for remote

filenames:
%x An integer in hexadecimal format (base 16)
%s A character string
%u An unsigned integer in decimal (base 10)
%d An integer in decimal (base 10)
The % variables in the remote name are replaced at run time with the
sysName and sysUpTime parameters to produce variable filenames on
the remote host.
See the bulkstats receiver remote-name command.
host1(config)#bulkstats receiver 1 remote-name
bulk%s%d.sts sysName collectorSequence

Guidelines

The current capabilities and limitations of the bulk statistics formatter

are:
If you add %d or any numeric formatter for a string value (such as
sysName), the attribute name will be used (for instance, sysName).
The opposite is also true, except for sysUptime, which will use %s as a
%u.
You can use %% if you want a % character to be part of the parsed
name.
You can use the same attribute multiple times. For example, you may
want a name that has %x and %u of collectorSequence.

3-41

3-42

CHAPTER 3
Configuring SNMP

Currently, there is no control over sequence numbers, except for the

guarantee that the formatter will:

(1) Use sequential values, beginning from 1

(2) Persist through system reboot
If you need the sequential number to restart, remove and then re-add
the bulk statistics receiver.
You can use up to 128 characters for the remoteFileName. Anything
beyond that is truncated when the filename is stored in nonvolatile
memory, but this truncation is not visible until the next time the
system reboots.
Specifying End of Line Format

By default, the bulkstats file contains a CR and LF at the end of each line.
You can you can set up the system to remove the CR and leave only an
LF at the end of each line.
bulkstats file-format endOfLine-Lf

Use to strip the CR from the end of each line in the bulkstats file.

Example
host1(config)#bulkstats file-format endOfLine-LF

Use the no version to return to the default, CR and LF.

Managing Virtual Routers

Your system supports SNMP management of virtual routers. This
support is based on an SNMP community string proxy to select particular
instances of virtual routers. The entity MIB is used to model the physical
container to the logical relationship of the virtual router implementation.
See Chapter 10, Configuring Virtual Routers.

Monitoring SNMP
ERX Edge Routers

Monitoring SNMP
To monitor the status of SNMP operations on your network, enter
Privileged Exec mode. You can then establish a baseline and use the
show commands to view statistics.
Establishing a Baseline

SNMP statistics are stored in system counters. The only way to reset the
system counters is to reboot the system. You can, however, establish a
baseline for SNMP statistics by setting a group of reference counters to
zero.
baseline snmp

Use to establish a baseline for SNMP statistics.

The system implements the baseline by reading and storing the statistics at the
time the baseline is set and then subtracting this baseline whenever
baseline-relative statistics are retrieved.

To display statistics relative to the current baseline, use the delta keyword with
SNMP show commands.

SNMP operations (such as Get and Set) continue to use and report statistics
from the system counters.

See Viewing SNMP Status later in this chapter for a sample display when you
enter the show snmp command. If you establish a baseline and then enter
show snmp, the statistics now have zero or low values.

Example
host1#baseline snmp
host1#show snmp
Contact: Joe Administrator
Location: Network Lab, Bldg 3 Floor 1
2 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
1 Get-request PDUs
1 Get-next PDUs
0 Set-request PDUs
0 Unknown security models
0 Unavailable contexts
2 SNMP packets out
0 Too big errors (Maximum packet size 1500)
1 No such name errors
0 Bad values errors

3-43

3-44

CHAPTER 3
Configuring SNMP

0 General errors
2 Get-response PDUs
0 SNMP trap PDUs
0 Invalid Message Report PDUs
0 Unknown PDU Handler Report PDUs
0 Unknown Context Report PDUs
0 Unsupported Security Level Report PDUs
0 Not in time Window Report PDUs
0 Unknown Username Report PDUs
0 Unknown Engine ID Report PDUs
0 Wrong Digest Report PDUs
0 Decryption Error Report PDUs

There is no no version.

Viewing SNMP Status

To view SNMP status on your network, use the following show

commands.
show snmp

Use to display all the information on SNMP status.

To display statistics relative to the current baseline, use the delta keyword.

Field descriptions

Contact routers contact person

Location routers location
SNMP packets input total number of SNMP packets received by the router
Bad SNMP version errors number of SNMP PDUs with a bad version
number
Unknown community name number of SNMP PDUs that had an
unrecognized community name
Illegal operation for community name supplied number of access
violations based on the configured privilege level for community strings
Encoding errors number of ASN.I encoding and decoding errors
Number of requested variables number of variable bindings processed
by the SNMP agent
Number of altered variables number of variable bindings processed
successfully in SNMP set commands
Get-request PDUs number of get-exact SNMP PDUs processed
Get-next PDUs number of get-next SNMP PDUs processed
Set-request PDUs number of set SNMP PDUs processed
Unknown security models number of SNMP PDUs with unrecognized
security
Unavailable contexts number of SNMP proxy requests to unknown
entities

Monitoring SNMP
ERX Edge Routers

SNMP packets out total number of SNMP packets sent by the router
Too big errors number of processed PDUs that resulted in SNMP PDUs
too large to encode
No such name errors number of requests that resulted in noSuchName
errors. If interfaces configured on modules that do not support 64-bit
counters are accessed, the system returns a noSuchName message.
Bad values errors number of requests that resulted in badValues errors
General errors number of general errors
Get-response PDUs number of requests that resulted in getResponse
PDUs
SNMP trap PDUs number of SNMP trap PDUs generated by this agent
Invalid Message Report PDUs number of packets received by the
SNMP engine that were dropped because there were invalid or
inconsistent components in the SNMP message
Unknown PDU Handler Report PDUs number of packets received by
the SNMP engine that were dropped because the PDU in the packet
could not be passed to an application responsible for handling the
pduType; for example, no SNMP application had registered for the proper
combination of the contextEngineID and pduType
Unknown Context Report PDUs number of packets received by the
SNMP engine that were dropped because the context contained in the
message was unknown
Unsupported Security Level Report PDUs number of packets received
by the SNMP engine that were dropped because they requested a
security level that was unknown to the SNMP engine or otherwise
unavailable
Not in time Window Report PDUs number of packets received by the
SNMP engine that were dropped because they appeared outside of the
authoritative SNMP engine window
Unknown Username Report PDUs number of packets received by the
SNMP engine that were dropped because they referenced a user that
was not known to the SNMP engine
Unknown Engine ID Report PDUs number of packets received by the
SNMP engine that were dropped because they referenced an
snmpEngineID that was not known to the SNMP engine
Wrong Digest Report PDUs number of packets received by the SNMP
engine that were dropped because they did not contain the expected
digest value
Decryption Error Report PDUs number of packets received by the
SNMP engine that were dropped because they could not be decrypted

Example
host1#show snmp
Contact: Joe Administrator
Location: Network Lab, Bldg 3 Floor 1
538 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name

3-45

3-46

CHAPTER 3
Configuring SNMP

0 Illegal operation for community name supplied

0 Encoding errors
695 Number of requested variables
0 Number of altered variables
26 Get-request PDUs
512 Get-next PDUs
0 Set-request PDUs
0 Unknown security models
0 Unavailable contexts
538 SNMP packets out
0 Too big errors (Maximum packet size 1500)
10 No such name errors
0 Bad values errors
0 General errors
538 Get-response PDUs
0 SNMP trap PDUs
0 Invalid Message Report PDUs
0 Unknown PDU Handler Report PDUs
0 Unknown Context Report PDUs
0 Unsupported Security Level Report PDUs
0 Not in time Window Report PDUs
0 Unknown Username Report PDUs
0 Unknown Engine ID Report PDUs
0 Wrong Digest Report PDUs
0 Decryption Error Report PDUs

show snmp access

Use to display information about the groups you configured.

Field descriptions

Group Name name of the group

Model security model; for example, user-based security model (USM)
Level method for authentication and privacy
none no authentication and no privacy
auth authentication only
priv authentication and privacy

Read name of the view for read access

Write name of the view for write access
Notify name of the view for notification

Monitoring SNMP
ERX Edge Routers

Example

host1#show snmp access

Group Name

Model

Level

Read

Write

Notify

------------------- -----

-----

----------

----------

---------

admin

usm

priv

everything

everything

everything

public

usm

none

user

none

none

private

usm

auth

user

user

user

show snmp community

Use to display information about the SNMP communities.

Field descriptions

Community name of the community and the associated virtual router

View name of the view
Priv access privilege for the view
ro read-only access
rw read-write access
admin all privileges

AccList number of access lists associated with this community

Example
host1#show snmp community
Community

Priv

AccList

------------------------------------------

View

----

-------

admin@default

everything

rw

private@default

user

rw

public@default

user

ro

show snmp trap

Use to display status information on configured SNMP traps and trap

destinations only.

Field descriptions

Enabled Categories trap categories that are enabled on the router

SNMP authentication failure trap enabled or disabled
Trap Source interface whose IP address is used as the source address for
all SNMP traps

Trap Proxy enabled or disabled

Global Trap Severity Level global severity level filter; if a trap does not
meet this severity level, it is discarded

Trap PDUs sent number of trap PDUs sent by the system

Trap PDUs filtered number of trap PDUs that were dropped by the system
because they were filtered

Address IP address of the trap recipient

Security String name of the SNMP community

3-47

3-48

CHAPTER 3
Configuring SNMP

Ver SNMP version (v1 or v2) of the SNMP trap packet

Port UDP port on which the trap recipient accepts traps
Trap Categories types of traps that the trap recipient can receive
TrapSeverityFilter severity level filter for this SNMP host
TrapPDUsSent number of trap PDUs sent by this host
TrapPDUsFiltered total number of trap PDUs that were dropped by the
host because they were filtered

Example

host1#show snmp trap

Enabled Categories: Snmp, Link, Bulkstats, FileXfer, Bgp, Log, CliSecurity,
Ping, Ospf, AddressPool, AtmPing
SNMP authentication failure trap is enabled
Trap Source: fastEthernet 0/0
Trap Proxy: disabled
Global Trap Severity Level: 4 - warning
Trap PDUs sent: 0
Trap PDUs filtered: 53
Address

Security String

Ver

Port

--------------

------------------------------

---

----- ----------------

10.5.0.200

private

v2c

Trap Categories

162

SnmpLinkInvEnvBstFxfBgpLogcliPingOspfTraceDvmrpDvmrpUniAdrPatmPing
Address

TrapSeverityFilter

TrapPDUsSent

TrapPDUsFiltered

---------------

------------------

------------

----------------

10.5.0.200

5 - notice

show snmp user

Use to display information about users.

Field descriptions

User name of the user

Auth authorization protocol for this user
no no authorization protocol
md5 HMAC-MD5-96 authorization protocol
sha HMAC-SHA-96 authorization protocol

Priv privacy protocol for this user

no no privacy protocol
des DES encryption algorithm for privacy

Group name of the group to which the user belongs

The following example is an SNMPv3 display.

Monitoring SNMP
ERX Edge Routers

Example
host1#show snmp user
User

Auth

Priv

Group

------------------------ ----

----

-------------------

josie

md5

des

admin

nightfly

md5

no

private

steelydan

no

no

public

show snmp view

Use to display information about the views you created.

Field descriptions

View Name name of the view

View Type access privilege for the view
included specified object identifier (OID) trees are available in this view
excluded specified OID trees are not available in this view

Oid Tree OID of the ASN.1 subtree

Example
host1#show snmp view
View Name

View Type

Oid Tree

--------------

---------

---------------------------

everything

included

1.3.6.1.

user

included

1.3.6.1.

user

excluded

1.3.6.1.4.1.2773.2.16.

user

excluded

1.3.6.1.4.1.4874.2.2.16.

user

excluded

1.3.6.1.6.3.11.

user

excluded

1.3.6.1.6.3.12.

user

excluded

1.3.6.1.6.3.13.

user

excluded

1.3.6.1.6.3.14.

user

excluded

1.3.6.1.6.3.15.

user

excluded

1.3.6.1.6.3.16.

user

excluded

1.3.6.1.6.3.18.

nothing

excluded

1.3.6.1.

Output Filtering

You can use the output filtering feature of the show commands to include
or exclude lines of output based on a text string you specify. See
Chapter 2, Command Line Interface, for details.

3-49

3-50

CHAPTER 3
Configuring SNMP

Managing the System

This chapter describes general tasks associated with managing the ERX
system.
Topic

Page

Overview

4-2

Naming the System

4-2

Configuring Timing

4-3

Using the CLI

4-5

Managing vty Lines

4-7

Configuring the System Automatically

4-10

Saving the Current Configuration

4-10

Customizing the User Interface

4-13

Sending Messages

4-20

Managing Files

4-22

Transferring Files

4-27

Using the Telnet Client

4-39

Configuring DNS

4-39

Troubleshooting

4-43

Monitoring the System

4-48

4-2

CHAPTER 4
Managing the System

Overview
Managing the ERX system involves a variety of tasks. This chapter covers
those tasks associated with the system in general rather than specific
networking protocols. Each section in the chapter covers a different topic;
where appropriate, a section contains an overview of the topic,
configuration tasks, and information about monitoring the associated
settings.
For additional management information, CLI commands, and
procedures, refer to the following table.
Task

Reference

Find detailed information on commands

described in this chapter.

ERX Command Reference Guide

Configure the system as an SNMP agent. Chapter 3, Configuring SNMP

Set system passwords.

Chapter 6, Passwords and Security

Write CLI macros.

Chapter 7, Writing CLI Macros

Boot the system.

Chapter 8, Booting the System

Manage line modules and SRP modules. Chapter 5, Managing Line Modules
and SRP Modules

Naming the System

When you receive the system, it has a factory default host name. To
rename the system, use the hostname command.
hostname

Use to rename the system.

The assigned name is displayed in the command line interface (CLI) prompts.

Example
host1(config)#hostname host1
host1(config)#

There is no no version.

Configuring Timing
ERX Edge Routers

Configuring Timing
You can use the timing source command to configure three timing
sources for the system. These sources are known as the primary,
secondary, and tertiary sources. The system periodically polls the status
of the current timing source. If the system discovers that the current
source has become unavailable, it polls the timing source you specified as
next in line. If this source is available, it switches to this source; if not, it
then polls the next source in line. If the lowest source is unavailable, the
system maintains the SRP clock as the source.
If you enable auto-upgrade, in the event of a source failure, the
systemafter switching to a lower sourcepolls all higher configured
sources and automatically switches back to the highest timing source
when that source becomes available.
The timing select command enables you to specify which source
(primary, secondary, or tertiary) the system is to use by default. The
system will never attempt to upgrade to a source higher than the selected
source.
timing disable-auto-upgrade

Use to disable the auto-upgrade feature of the systems timing selector.

The system starts out by setting the operational timing selector to the
administratively configured selector. See the timing select command.

Example
host1(config)#timing disable-auto-upgrade

The no version of this command restores the factory default, which is

auto-upgrade enabled.

Use to specify which of the configured timing sources is used by default.

Primary timing source is preferred over secondary, and secondary is preferred

over tertiary. See the timing source command.

If you enable the auto-upgrade feature, the system does not try to upgrade
beyond the administratively configured selector.

Example

timing select

host1(config)#timing select secondary

There is no no version.

4-3

4-4

CHAPTER 4
Managing the System

timing source

Use to specify how the SRP module exchanges timing signals with an
interface.

You can specify primary, secondary, and tertiary timing sources.

You can specify one external source received on an I/O module other than the
SRP I/O module.

You can specify two or more internal sources or external sources received via
the SRP I/O module external timing ports.

The available sources to choose are:

ds1 DS1 interface

ds3 DS3 interface
e1 E1 interface
e3 E3 interface
sonet SONET interface
internal internal system controller (SC) oscillator
line external timing input on SRP module

Example
host1#timing source secondary sonet 3/0

There is no no version.

Monitoring Timing

Use the show timing command to view the timing settings for the
system.
show timing

Use to display the timing settings and the operational status of the system
timing.

If a timing source fails, the system uses the next time source in the hierarchy,
and a message appears in the system log at the warning level. If auto-upgrade
is enabled, the system upgrades to a higher-priority timing source when one
becomes available, and a message appears in the system log at the notice
level.

Example
host1#show timing
timing: tertiary (failover from primary)
primary: external SC E1 (A) (ERROR)
secondary: ds3 3/0 (ERROR)
tertiary: internal SC oscillator (ok)
auto-upgrade enabled

Using the CLI

ERX Edge Routers

Using the CLI

Use the commands described in this section to navigate the CLI. For a
complete description of the CLI, see Chapter 2, Command Line
Interface.
configure

Use to enter Global Configuration mode.

Global Configuration mode provides access to other configuration modes, such

as Interface Configuration mode. See Chapter 2, Command Line Interface.

This command allows other commands to be executed from a terminal or a file.

Example 1
host1#configure
Configuring from terminal or file [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
host1(config)#

Example 2
host1#configure
Configuring from terminal or file [terminal]? file
File name: system1.scr
Proceed with configure? [confirm]
host1(config)#

There is no no version.

Use to exit Privileged Exec mode and return to User Exec mode.

Example

disable

host1#disable
host1>

There is no no version.

4-5

4-6

CHAPTER 4
Managing the System

enable

Use to move from User Exec to Privileged Exec mode.

Privileged Exec mode allows you to access all other user interface modes.
From here you can configure, monitor, and manage all aspects of the system.

Set a password for this mode by using either the enable password or the
enable secret command in Global Configuration mode. This protects the
system from any unauthorized use.

Once a password is set, anyone trying to use Privileged Exec mode will be
asked to provide the password.

Example
host1>enable
password:*******
host1#

There is no no version.

Use to exit Global Configuration mode or any of the other Configuration modes.
You may also use <Ctrl+Z> to exit these modes.

Executing this command returns you to the User Exec mode.

Example

end

host1(config)#end
host1#

There is no no version.

Use to exit the current command mode.

Example

exit

host1#exit
host1>

There is no no version.

Managing vty Lines

ERX Edge Routers

help

Use to display basic information about the interactive help system.

Example

host1#help
Use the help options as follows:
?, or command<Space>? - Lists the set of all valid next keywords or
arguments
partial-keyword?

- Lists the keywords that begin with a certain

character string

partial-keyword<Tab>

- Completes the partial keyword

There is no no version.

Use to issue a User Exec mode from command from another CLI mode.

Example

run

host1(config)#run show config | begin interface

There is no no version.

Use to make the CLI pause for a specified period of time (in seconds).

Pausing is very useful in configuration script files.

Example

sleep

host1#sleep 60

There is no no version.

Managing vty Lines

The system supports 20 virtual tty (vty) lines for Telnet, SSH, and FTP
services. Each Telnet, SSH, or FTP session requires one vty line. When
you connect to the system via a vty line, the number of the vty line is not
assigned sequentially; instead, the system assigns the first vty line that
passes the host access list check rules.
Configuring vty Lines

By default five vty lines (04) are open. You can open additional lines
using the line vty command. Once lines are open, login is enabled by
default. Before users can access the lines, you must configure a password,
disable login using the no login command, or configure AAA
authentication on the lines.

4-7

4-8

CHAPTER 4
Managing the System

line vty

Use to open or configure vty lines.

You can specify a single line or a range of lines. The range is 019.

Example
host1(config)#line vty 6 10
host1(config-line)#

Use the no version to remove a vty line or a range of lines from the
configuration. Lines that you remove will no longer be available for use by
Telnet, FTP, or SSH. When you remove a vty line, the system removes all lines
above that line. For example, no line vty 6 causes the system to remove lines
6 through 19. You cannot remove lines 0 through 4.

Use to specify a password on a single line or a range of lines.

If you enable login but do not configure a password, the system will not allow
you to access virtual terminals.

Specify a password in plain text (unencrypted) or cipher text (encrypted). In

either case, the system stores the password as encrypted.

You can use the following keywords:

password

0 (zero) specifies an unencrypted password

5 specifies a secret
7 specifies an encrypted password

Example 1 (unencrypted password)

host1(config-line)#password 0 mypassword

Example 2 (secret)
host1(config-line)#password 5 y13_x

Example 3 (encrypted password)

host1(config-line)#password 7 x13_2

Use the no version to remove the password. By default, no password is

specified.

For more information about configuring security for vty lines, see
Chapter 6, Passwords and Security.
Clearing vty Lines

Use the clear line command to clear a vty line. Using this command
terminates any service, such as an FTP session, on this line and closes any
open files.

Managing vty Lines

ERX Edge Routers

clear line

Use to remove any services on a vty line and close any files opened as a result
of services on that line.

Specify the number of the vty line.

Example
host1#clear line 2

There is no no version.

Monitoring vty Lines

Use the show line vty command to monitor vty lines.

show line vty

Use to display the configuration of a vty line.

Field descriptions

access-class access-class associated with the vty line

data-character-bits number of bits per character
7 setting for the standard ASCII set
8 setting for the international character set

exec-timeout time interval that the terminal waits for expected user input
Never indicates that there is no time limit

exec-banner status for the exec banner: enabled or disabled. This banner
is displayed by the CLI after user authentication (if any) and before the first
prompt of a CLI session.

motd-banner status for the MOTD banner: enabled or disabled. This

banner is displayed by the CLI when a connection is initiated.

login-timeout time interval during which the user must log in.
Never indicates that there is no time limit

Example
host1#show line vty 0
no access-class in
data-character-bits 8
exec-timeout 3w 3d 7h 20m 0s
exec-banner enabled
motd-banner enabled
login-timeout 30 seconds

4-9

4-10

CHAPTER 4
Managing the System

Configuring the System Automatically

You can create an autoconfiguration script that runs whenever you reset
the system. The following guidelines apply:
You must name the script autocfg.scr.
The script must begin with the following lines:
enable
conf t

Add the commands desired to configure the system.

For some configuration tasks, you might need to pause the CLI for 10
or so seconds by adding a sleep seconds command.
Note: The autocfg.scr script is bypassed if you arm the system to load from a script
(not autocfg.scr) via the boot config or boot backup commands.

Saving the Current Configuration

By default, the system automatically saves any change to the system
configuration to nonvolatile storage (NVS). This feature is known as
Automatic Commit mode, but has no effect on the CLI prompt. You can
disable this feature by issuing the service manual-commit command. In
Manual Commit mode (again with no effect on the CLI prompt), any
configuration change affects only the current system configuration (the
running configuration).
If you are in Manual Commit mode and want to save the configuration
changes to NVS, you must issue either the write memory command or
the copy running-configuration startup-configuration command.
If you change the configuration while in Manual Commit mode and issue
the reload command without saving the changes to the startup
configuration, the system provides a warning, allowing you to save the
changes before reloading.
copy running-configuration

Use to save the current configuration to a system configuration (*.cnf) file.

This command is available only if the system is in Automatic Commit mode.

The destination filename must have a .cnf extension.

The destination file can be either a local or a network file.

If you want to restore a previously saved configuration, use the boot config
filename command.

Saving the Current Configuration

ERX Edge Routers

Example
host1#copy running-configuration system2.cnf

There is no no version.

copy running-configuration startup-configuration

Use to save all outstanding (unsaved) configuration changes to NVS.

This command is an exact alias of the write memory command.

This command is available if the system is in either Automatic Commit mode or

Manual Commit mode. If issued while in Automatic Commit mode, the CLI
notifies you that the command is not necessary, but allows you to proceed.

Example
host1#copy running-configuration startup-configuration

There is no no version.

copy startup-configuration

Use to copy the previously saved startup configuration to a system

configuration (*.cnf) file. If you have made but not saved any configuration
changes, those changes are not in the startup configuration.

This command is available only if the system is in Manual Commit mode.

Example
host1#copy startup-configuration system1.cnf

There is no no version.

Use to stop the system from automatically saving configuration changes to

NVS.

Issuing this command places the system into Manual Commit mode. This mode
has no effect on the CLI prompt.

Issuing this command causes an immediate save of configuration data not yet
committed to NVS.

Example

service manual-commit

host1(config)#service manual-commit

Use the no version to revert to Automatic Commit mode; the no version has no
effect if the system is already in Automatic Commit mode.

4-11

4-12

CHAPTER 4
Managing the System

show configuration

Use to display the current (running) configuration of the system, a specified

virtual router, or a specified interface within the current VR context.

You can create a configuration script from the output by saving it as a file with
the .scr extension.

You can exclude information about particular types of interfaces.

This command was formerly documented as show config; that abbreviation is

still supported.

You can use the output filtering feature of the show command to include or
exclude lines of output based on a text string you specify. See Chapter 2,
Command Line Interface, for details.

This command is available only if the system is in Automatic Commit mode.

Example
host1#show configuration
! Configuration script being generated on TUE JAN 29 200X
00:31:12 UTC! Juniper Networks Edge Routing Switch ERX-700
! Version: x.y.z (January 18, 200X 15:01)
! Copyright (c) 1999-200X Juniper Networks, Inc.
reserved.

All rights

! Juniper Networks Edge Routing Switch ERX-700

boot config running-configuration
boot system erx_x-y-z.rel
no boot backup
no boot subsystem
no boot backup subsystem
no boot force-backup
no boot slot
!
! Note: The following commands are here to ensure that all
virtual routers and
! vrfs are created before other commands that may need to
reference them.
! These commands will be repeated further on as each virtual
router and vrf
! has its configuration presented.
!
virtual-router default
virtual-router boston
!
ip vrf vpna
virtual-router vrA
!
hostname host1
exception protocol ftp anonymous null
!
controller t1 6/0
channel-group 2 timeslots 1,3-8,10 speed 64

Customizing the User Interface

ERX Edge Routers

.
.
.
!
virtual-router vrA
aaa authentication ppp default radius
aaa accounting ppp default radius
!
ip address-pool local
interface null 0
ip bgp-community new-format
no ip source-route
!
snmp-server
!
! End of generated configuration script.

write memory

Use to save all outstanding (unsaved) configuration changes to NVS.

This command is an exact alias of the copy running-configuration

startup-configuration command.

This command is available if the system is in either Automatic Commit mode or

Manual Commit mode. If issued while in Automatic Commit mode, the CLI
notifies you that the command is not necessary, but allows you to proceed.

Example
host1#write memory

There is no no version.

show running-configuration

Use to display the configuration currently running on the system.

This command is available only if the system is in Manual Commit mode.

Example
host1#show running-configuration

Customizing the User Interface

You can access the CLI via a console connected directly to the system or
via a Telnet session. This section describes how you can customize the
user interface. Some commands apply to the console, and some
commands apply to vty lines that support Telnet sessions.

4-13

4-14

CHAPTER 4
Managing the System

Setting the Console Speed

You can specify the console speed for only the current console session or
for the current console session and all subsequent console sessions.
speed

Use to set the speed for the current and all subsequent console sessions
immediately.

Example
host1(config)#line console 0
host1(config-line)#speed 14400

Use the no version to revert to the default, 9600 bps.

Use to set the speed for the current console session.

Example

terminal speed

host1#terminal speed 14400

There is no no version.

Configuring the Display Terminal

You can specify the number of lines that appear on a terminal screen and
the number of characters that appear on a line.
terminal length

Use to set the number of lines on a screen.

If a command generates more lines than the number configured, the output
pauses after each screen.

Set the number of lines on a screen in the range 0512.

Use 0 for no pausing.

Example
host1#terminal length 25

There is no no version.

Use to set the width of the display terminal.

Set the number of characters on a screen line in the range 30512.

Example

terminal width

host1#terminal width 80

There is no no version.

Customizing the User Interface

ERX Edge Routers

Specifying the Character Set

You can specify the number of data bits per character for the current vty
session and for all subsequent sessions on the specified vty lines. This
feature allows you to display international characters on the terminals
screen.
data-character-bits

Use to set the number of bits per character on the terminals screen for all
future sessions on the specified lines.

Use the default setting, 8, to view the full set of 8-bit international characters.
Be sure that the software on other devices in the network also supports
international characters.

Set the number of bits to 7 to view only characters in the standard ASCII set.

Example
host1(config)#line vty 1 3
host1(config-line)#data-character-bits 7

There is no no version.

terminal data-character-bits

Use to set the number of bits per character on the terminals screen for the
current session.

Use the default setting, 8, to view the full set of 8-bit international characters.
Be sure that software on other devices in the network also supports
international characters.

Set the number of bits to 7 to view only characters in the standard ASCII set.

Example
host1#terminal data-character-bits 7

There is no no version.

Configuring Login Conditions

You can issue the dsr-detect command to configure the system so that a
data set ready (DSR) signal is required to log in to the console. If a session
is in progress and the DSR signal is lost, the user is logged out
automatically.
host1(config)#line console 0
host1(config-line)#dsr-detect

DSR is carried on pin 6 of the SRP modules RS-232 (DB-9) connector.

The DSR input must be connected to the DSR output of a modem or the
DTR output of another DTE device, such as a terminal server, that
supports this signal.

4-15

4-16

CHAPTER 4
Managing the System

dsr-detect

Use to require that a DSR signal be detected on the line for a user to log in to
the console.

By default, DSR is not required and DSR detection is disabled.

Example
host1(config-line)#dsr-detect

Use the no version to remove the DSR requirement for login.

Setting Time Limits for User Login

You can specify a time interval that the CLI waits for a user to provide a
password when logging in to the console or a vty line. To do so:
1

Access the line configuration mode using either the console or vty
keyword.

Specify the time during which the user must enter the password. For
example:
host1(config)#line console 0
host1(config-line)#login
host1(config-line)#boston
host1(config-line)#timeout login response 15

timeout login response

Use to set the time interval that the console or vty lines wait for the user to log
in.

If the interval passes and the user has not responded, the system closes the
session or lines.

Specify an interval in the range 0300 seconds. A value of 0 means that there
is no time limit during which the user must respond.

The default value is 30 seconds.

Example
host1(config-line)#timeout login response 15

Use the no version to restore the default interval, 30 seconds.

Setting Time Limits for User Input

You can specify a time interval that the CLI waits for user input on the
console or vty lines. To do so:
1

Access the line configuration mode using either the console or vty
keyword.

Customizing the User Interface

ERX Edge Routers

Specify the time during which the user must enter information. For
example:
host1(config)#line vty 0
host1(config-line)#exec-timeout 4192 13

exec-timeout

Use to set the time interval that the console or vty lines wait for expected user
input.

If the interval passes and the user has not responded, the system closes the
session or lines.

Specify a time limit in the range 035791 minutes, and optionally specify the
number of seconds.

By default, there is no time limit.

Example
host1(config-line)#exec-timeout 4192 13

Use the no version to remove the time limit.

Configuring CLI Messages

You can configure text banners for the CLI to display to users at different
times in the connection process.
banner

Use to configure message-of-the-day (MOTD), login, or exec banner to be

displayed by the CLI:

motd displays the banner when a console or vty connection is initiated

login displays the banner before any user authentication (line or RADIUS
authentication). The banner is also displayed if user authentication is not
configured.

exec displays the banner after user authentication (if any) and before the
first prompt of a CLI session

If you do not specify an option, the default behavior is to display the banner as
an MOTD.

The first character in the banner string must be repeated at the end of the
string; these characters delimit the banner. The CLI prompts you if you fail to
repeat the opening delimiter. All text following the second occurrence of the
delimiter is ignored without warning. The delimiter is case sensitive.

Banner text can span multiple lines. It is truncated after 1,024 characters.

Insert \n where you want the banner text to split and start a new line.
Alternatively, you can press <Enter> on the CLI when you want the text to
break. In the second case, you will be prompted for the remainder of the text
after you press <Enter>. To display a backslash as part of the message, it must
be immediately preceded by another backslash, like this: \\. Do not use a
backslash as a delimiter or end a line with a backslash.

4-17

4-18

CHAPTER 4
Managing the System

To insert a ? character inside the text of a banner, you must enter <Ctrl+V>
before entering the ? character. Failure to do so may produce undesired
results.

Examples
host1(config)#banner motd x This is an MOTD banner x
host1(config)#banner Y This is also an MOTD banner Y
host1(config)#banner "Quotes make good delimiters"
host1(config)#banner Xno space is required between the
delimiter and the real banner textX
host1(config)#banner b bad choice for a delimiter;
everything after that second b was ignored b
host1(config)#banner "This is one way\nto specify a
multiple line banner"
host1(config)#banner "This is another way to specify a
Enter remainder of text message.
'"'.

End with the character

multiple line banner

Use the no version to remove the banner.

You can configure MOTD or exec banners, but not login banners, for the
CLI to display on a per-line basis.
exec-banner

Use to display an exec banner on a particular line after user authentication (if
any) and before the first prompt of a CLI session.

Banners on the lines are enabled by default; the no version does not reenable
banners on the lines.

See the banner command description for more information on configuring an

exec banner.

Example
host1(config-line)#exec-banner

Use the no version to disable the exec banner on the line. If both the exec and
MOTD banners are enabled on a line, issuing the no exec-banner command
disables both the exec banner and the MOTD banner. The no motd-banner
command behaves differently from the no exec-banner command.

Use to display an MOTD banner on a particular line when a connection is

initiated.

Banners on the lines are enabled by default; the no version does not reenable
banners on the lines.

See the banner command description for more information on configuring an

MOTD banner.

Example

motd-banner

host1(config-line)#motd-banner

Customizing the User Interface

ERX Edge Routers

Use the no version to disable the MOTD banner on the line. If both MOTD and
exec banners are enabled on a line, issuing the no motd-banner command
disables the MOTD banner and leaves the exec banner enabled. The no
motd-banner command behaves differently from the no exec-banner
command.

Monitoring the Console Settings

You can use the following commands to monitor console settings.

show line console 0

Use to view the parameters configured for all future console sessions and the
current console session.

Example
host1#show line console 0
dsr-detect disabled
configured speed 9600, current speed 9600
exec-timeout never

show terminal

Use to view parameters of the current console session.

Field descriptions

Length number of lines on the screen

Width number of characters on each line of the screen
data-character-bits number of bits per character
7 setting for the standard ASCII set
8 setting for the international character set

Speed speed of the console session

dsr-detect status of DSR signal detection
enabled DSR signal must be detected for a user to log in to the console.
disabled DSR signal need not be detected for a user to log in to the
console.

exec-timeout time interval that the terminal waits for expected user input
Never indicates that there is no time limit

exec-banner status for the exec banner: enabled or disabled. This banner
is displayed by the CLI after user authentication (if any) and before the first
prompt of a CLI session.

motd-banner status for the MOTD banner: enabled or disabled. This

banner is displayed by the CLI when a connection is initiated.

login-timeout time interval during which the user must log in.
Never indicates that there is no time limit

4-19

4-20

CHAPTER 4
Managing the System

Example
host1#show terminal
Length: 25 lines, Width: 80 columns
data-character-bits: 8 bits per character
Speed: 9600 bits per second
dsr-detect disabled
exec-timeout never
exec-banner enabled
motd-banner enabled
login-timeout 30 seconds

Sending Messages
You can send a message to one or more terminals with the send
command. You can specify a line number, a console number, or a vty
number. You can also send the message to all terminals.
The following command sends the message hello console to line 0:
host1#send 0 hello console

The following command sends the message hello everyone to all

terminals:
host1#send * hello everyone

If you begin the message on the same line as the send command, the first
character of the message is considered to be a delimiter. You must use the
same character to terminate the message. In both examples above, the
delimiter was a double quotation mark (). If you press <Enter> without
typing the second delimiter, the CLI prompts you for more message text
and reminds you to complete the message with the delimiter, as shown in
the following example:
host1#send vty4 XYou can start a message on the same line
Enter remainder of text message.
'X'.

End with the character

and continue it on subsequent lines; the CLI prompts you for

Enter remainder of text message.
'X'.

End with the character

more message text until you enter the second delimiterX

Proceed with send? [confirm]

Sending Messages
ERX Edge Routers

If you do not begin the message on the same line as the send command,
the CLI prompts you for the message text after you press <Enter>. The
CLI does not recognize delimiters for these messages; you must enter
<Ctrl+Z>, as shown in the following example:
host1#send 0
Enter remainder of text message.

End with ^Z.

Good morning, Major Tom^Z

Proceed with send? [confirm]

The receiving terminals display the message without regard to other

output currently displayed on the terminal. Pagination is not affected.
The sending terminal is not affected by the state of the intended receiving
terminal. For example, if the receiving terminal is flow-controlled off or
at a --More-- prompt, the message is still sent, and the sending terminal is
available for further commands. The receiving terminal in this case
displays the message when subsequently flow-controlled on or when the
user responds to the --More-- prompt.
The receiving terminal displays the message, the line number of the
sender, the username of the sender if the user was authenticated via
RADIUS, and the time the message was sent.
send

Use to send a message to one or more terminals. You can specify a line
number, a console number, or a vty number. You can use the * keyword to send
the message to all terminals.

If you begin the message on the same line as the send command, the first
character of the message is considered to be a delimiter. You must use the
same character to terminate the message.

The CLI prompts you for message text if you do not begin or complete the
message on the same line as the send command. The CLI reminds you to
signal the end of the message either with the delimiter or <Ctrl+Z>.

Example
host1#send 0 hello console

There is no no version.

4-21

4-22

CHAPTER 4
Managing the System

Managing Files
You are responsible for file management. Table 4-1 shows the types of
system files and their corresponding extensions.
Table 4-1 Types of system files and corresponding extensions
Type of File

Extension

Description

Configuration

*.cnf

Snapshot of the systems configuration

Core dump

*.dmp

File you can create for troubleshooting if a

module fails

History

*.hty
(reboot.hty)

Details of when and why modules rebooted

Log

*.log

A series of messages that describe events that

occurred on the system

Macro

*.mac

A macro program

Release

*.rel

Software releases you can install in the system

Script

*.scr

A sequence of CLI commands. When you run a

script file, the system executes the commands
as though they were entered at the terminal

Secure Shell (SSH)

Server public key

*.pub

Host key for the SSH server

Statistics

*.sts

Bulk statistics created when you run the

bulkstats commands

Text

*.txt

Text file

System files may reside in four locations:

The system space
The user space
A network host
The standby SRP module
The system space contains files for system operation. For example, the
current software configuration is stored in the system space.
The user space is reserved for FTP server operations and has the typical
directory structure of a secure FTP server. The root or top level directory
is a read-only directory that contains two subdirectories:
/incoming read-write directory to and from which an FTP client can
send and retrieve files.
/outgoing read-only directory from which an FTP client can retrieve
files.

Managing Files
ERX Edge Routers

Users can transfer files via FTP to the user space from a network host and
vice versa. However, users cannot access the system space via FTP. To
install a file from the user space to the system space, use the copy
command. For detailed information on transferring files between
locations, see Transferring Files later in this chapter.
In order to conserve NVS and minimize the installation time, files are not
stored in both the system space and the user space. When you issue the
copy command to install a file from user space to system space, the ERX
system establishes a link to the file, but does not make a physical copy.
Managing the User Space from a Network Host

If you enable the systems FTP server (see Configuring the FTP Server
later in this chapter), you can manage files on the user space from an FTP
client on a network host. Table 4-2 lists the FTP protocol commands that
the ERX system supports. Whether you can perform these functions on
the user space depends on the features that the FTP client offers.
Table 4-2 FTP protocol commands that the system supports
FTP Protocol
Command

Function

HELP

List supported commands.

USER

Verify user name.

PASS

Verify password for the user.

QUIT

Quit the session.

LIST

List contents of a directory.

NLST

List directory contents using a concise format.

RETR

Retrieve a file.

STOR

Store a file.

CWD

Change working directory.

CDUP

Change working directory to parent.

TYPE

Change the data representation type.

PORT

Change the port number.

PWD, XPWD

Get the name of current working directory.

STRU

Change file structure settings (only stream mode supported).

MODE

Change file transfer mode (only stream mode supported).

PASV

Make the server listen on a port for data connection.

NOOP

Do nothing.

DELE

Delete a file.

MKD, XMKD

Make directory.

4-23

4-24

CHAPTER 4
Managing the System

Table 4-2 FTP protocol commands that the system supports (continued)
FTP Protocol
Command

Function

RMD, XRMD

Remove directory.

RNFR

Rename from (i.e., from half of file or directory rename)

RNTO

Rename to (i.e., to half of file or directory rename)

File Commands and FTP Servers

Commandscopy, configure file, and macrothat invoke a remote

FTP server take place in the context of the current virtual router rather
than the default VR. You must configure the remote FTP server so that
any traffic destined for the virtual router can reach the virtual router;
typically, you configure the FTP server to reach the default address of the
system, which will always be able to reach the virtual router.
Renaming Files

To rename files, use the rename command. Table 4-3 shows the types of
files you can rename in different locations.
rename

Use to rename a local file.

You can change the base name but not the extension of a file.

Example
host1#rename boston1.cnf boston2.cnf

There is no no version.

Table 4-3 File types you can rename

Destination
Source

System Space

User Space
(linked files and
unlinked files)

System

*.cnf

*.cnf

*.dmp

*.dmp

*.hty

*.hty

*.log

*.log

*.mac

*.mac

*.rel

*.scr

*.scr

*.txt

*.txt
Nonsystem files

Network Host Within

a Firewall

Standby SRP Module

*.sts

None

Managing Files
ERX Edge Routers

Table 4-3 File types you can rename (continued)

Destination
System Space

Source

User Space
(linked files and
unlinked files)

User Space

*.cnf

*.cnf

*.hty (excluding
reboot.hty)

*.dmp

*.log (excluding
system.log)

*.log

*.mac

Network Host Within

a Firewall

Standby SRP Module

None

None

*.hty
*.mac
*.pub

*.scr

*.rel

*.txt

*.scr
*.sts
*.txt
Nonsystem files

Network Host Within

a Firewall

None

None

None

None

Standby SRP Module None

None

None

None

Deleting Files

Use the delete command to delete files in NVS. Table 4-4 shows the
types of files you can delete in different locations.
delete

Use to delete files in NVS.

To delete a file in user space, specify the incoming or outgoing directory on the FTP
server.

You can specify the name of a subdirectory in the incoming or outgoing directory.

Examples:
host1#delete test.scr
host1#delete /outgoing/test.scr

There is no no version.

4-25

4-26

CHAPTER 4
Managing the System

Table 4-4 File types you can delete

Location
System Space

User Space
(linked files and
unlinked files)

*.cnf

*.cnf

*.dmp

*.dmp

*.hty

*.hty

*.log

*.log

*.mac

*.mac

*.rel

*.pub

*.scr

*.rel
(deletes *.rel file only
and not associated
files)

*.sts
*.txt

Network Host Within

a Firewall

Standby SRP
Module

None

None

*.scr
*.sts
*.txt
Nonsystem files

Monitoring Files

Use the dir command to view files in NVS.

dir

Use to show a list of files in NVS.

Specify a directory path to view files in the user space.
Note: If you issue the dir command from Boot mode, existing .scr and .mac files are
not displayed.

Field descriptions

file name of file or directory (DIR indicates a directory)

size physical size of file
unshared size size of file in user space
value of zero indicates that this file has been installed onto the system
space and that there is a link to this file
value other than zero indicates that the file has not been installed onto the
system space and equals the physical size of the file

date date that file was created

in use an exclamation point (!) indicates that the system is using this file

Transferring Files
ERX Edge Routers

Examples

host1#dir
unshared
file

in

size

size

date (UTC)

use

-------------

--------

--------

-------------------

---

/incoming <DIR>

38023824

/outgoing <DIR>

3584

reboot.hty

5632

5632

12/20/2000 10:01:40

38797998

38797998

12/20/2000 23:40:46

1204

1204

12/18/2000 03:01:04

3-0-0a3-7.rel
test.scr

12/19/2000 07:13:00
12/19/2000 07:13:00
!

Capacity = 220200960, Bytes Free = 120616448, Reserved = 36700160

host1#dir /incoming
unshared

in

file

size

size

-------------

--------

--------

3-0-0a3-7.rel

256

12/19/2000 07:14:01

srp.exe

date (UTC)
-------------------

30012312

12/19/2000 07:14:12

srpIc.exe

1801208

12/19/2000 07:20:32

srpDiag.exe

6984222

12/19/2000 07:22:08

use
---

Capacity = 220200960, Bytes Free = 120616448, Reserved = 36700160

host1#dir /outgoing
unshared
file

size

size

-------------

in
date (UTC)

--------

--------

-------------------

test.scr

1204

12/18/2000 03:01:04

foo.scr

1278

1278

12/20/2000 04:02:12

use
---

Capacity = 220200960, Bytes Free = 120616448, Reserved = 36700160

There is no no version.

Transferring Files
You may need to transfer files between the following locations:
System space
User space
Network host
Standby SRP module

4-27

4-28

CHAPTER 4
Managing the System

There are two ways of transferring files: using the copy command and
using the systems FTP server. Table 4-5 shows the types of files that you
can transfer between the locations using the copy command, which
activates a hidden FTP client on the ERX system.
The systems FTP server allows the transfer of files between a network
host and the user space. When a firewall separates the ERX system from
the network host, you must use the FTP server to transfer files to the user
space. You can then install the files from the user space to the system
space using the copy command. However, if there is no firewall between
the ERX system and the network host, you can use the copy command or
the FTP server to transfer files.
For example, you can transfer a file from a network host to an ERX
system via FTP, and then transfer the file via the copy command from
the ERX system to other ERX systems. See Figure 4-1.
ERX system
Transfer system
file via copy command
ERX system

ERX system
Transfer system
file via copy command

Transfer system
file via FTP
Firewall

Network
host
Figure 4-1 Transferring system files to the ERX system

Using the copy Command

Table 4-5 shows the types of files that you can transfer between the
locations by using the copy command.

Transferring Files
ERX Edge Routers

Table 4-5 File types you can transfer using the copy command
Destination
Source

System

User Space
(linked files and
unlinked files)

System

Network Host Within

a Firewall

Standby SRP Module

None

*.cnf

*.cnf

*.cnf

*.hty (excluding
reboot.hty)

*.hty

*.dmp

*.log

*.hty

*.log (excluding
system.log)

*.mac

*.log

*.pub

*.mac

*.scr

*.pub

*.txt

*.scr

*.mac
*.scr
*.txt

*.sts
*.txt

User Space

*.cnf

*.cnf

*.mac

*.hty

None

None

*.rel

*.log

*.scr

*.mac

*.txt

*.pub

None

None

None

system.log

system.log

None

reboot.hty

reboot.hty

*.dmp

*.dmp

*.rel
( *.rel file only, not
files associated with
the *.rel file)
*.scr
*.txt
Nonsystem files
Network Host Within
a Firewall

*.cnf
*.mac
*.rel
*.scr
*.txt

Standby SRP Module system.log

reboot.hty

To transfer files via the copy command between the system space and a
network host:
1

Check whether there is a route to the network host, and create one if
necessary. See ERX Routing Protocols Configuration Guide, Vol. 1,
Chapter 2, Configuring IP.

Configure the network host as an FTP server.

4-29

4-30

CHAPTER 4
Managing the System

Note: This command takes place in the context of the current virtual router (VR)
rather than the default VR. You must configure the FTP server so that any traffic
destined for the VR can reach the VR; typically, you configure the FTP server to
reach the default address of the ERX system, which will always be able to reach
the VR.

Add the FTP server to the static host table, so that the ERX system
can access the network host.

(Optional) Specify a source interface to use in FTP packets leaving

the router.

Copy the files.

copy

Use to copy a file from one location to another.

Note: You cannot copy script (.scr) or macro (.mac) files while in Boot mode. You
can copy only .cnf, .hty, and .rel files. If you issue the dir command from Boot mode,
existing .scr and .mac files are not displayed.

See Table 4-1 for the types of files you can copy.

Specify a network path to copy to or from another device on the network.

Specify the incoming or outgoing directory to copy to or from the user space.

Specify a subdirectory name to create a subdirectory within the incoming or

outgoing directory in the user space.

You cannot use wildcards.

You cannot create or copy over files generated by the system; however, you
can copy such files to an unreserved filename.

Examples
host1#copy host1:westford.cnf boston.cnf
host1#copy /incoming/releases/2-8-0a3-7.rel 2-8-0a3-7.rel

There is no no version.

Use to add or modify an entry to the host table.

Specify the number 8 before the user name and before the password to encrypt
these values. By default, the user name and password are not encrypted.

This command allows network files to be accessible from a host.

Example

host

host1(config)#host westford 10.10.8.7 ftp 8 user25 8

kxu83m41

Use the no version to remove a specified host.

Transferring Files
ERX Edge Routers

ip ftp source-address

Use to specify an operational interface by IP address as the source interface

for FTP packets sent via the systems FTP client.

This command overrides a setting you configured previously with the ip ftp
source-interface command.

If you issue this command, the output of the show configuration command
includes an entry of the following format:
ip ftp source-address ipAddress

ipAddress IP address of the interface

This entry also appears in the output if you delete an interface or change its IP
address after issuing the ip ftp source-interface command, in which case the
IP address is the one that was configured on the interface before you issued
the ip ftp source-interface command

Example
host1(config)#ip ftp source-address 10.10.5.21

Use the no version to restore the default, in which the source address in the
FTP packets is that of the interface where the FTP connection is made.

Use to specify an operational interface by interface type and location as the

source interface for FTP packets sent via the systems FTP client.

The interface you specify must have an IP address.

This command overrides a setting you configured previously with the ip ftp
source-address command.

If you issue this command and the interface is valid, the output of the show
configuration command includes an entry of the following format:

ip ftp source-interface

ip ftp source-interface interfaceType interfaceSpecifier

interfaceType type of interface

interfaceSpecifier location of the interface
For information about interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

If you delete the interface or change its IP address, the output of the show
configuration command appears as if you had entered the ip ftp
source-address command:
ip ftp source-address ipAddress

ipAddress IP address of the interface when you issued the ip ftp

source-interface command

Example
host1(config)#ip ftp source-interface loopback1

Use the no version to restore the default, in which the source address in the
FTP packets is that of the interface where the FTP connection is made.

4-31

4-32

CHAPTER 4
Managing the System

Configuring the FTP Server

To transfer files via the systems FTP server, you must configure the FTP
server and ensure that FTP client software is installed on the network
host.
Although you can transfer any type of file via FTP to the ERX system,
the principal aim of this feature is to allow the transfer of system files to
NVS. You can transfer files via FTP to the user space. You can then
install files from the user space onto the system using the copy command.
It is not possible to access the system files directly via FTP operations.
FTP sessions on the ERX system use the vty lines. The ERX system
divides its vty resources between Telnet, SSH, and FTP services. Each
FTP session requires one vty line. The FTP service uses the
authentication method configured for the vty lines.
Features

The system supports the following FTP features:

Compliance with RFC 959 File Transfer Protocol (FTP)
(October 1985)
FTP passive mode
Efficient NVS organization
User authentication via RADIUS or password checking
FTP Passive Mode

Normally, when a client connects to an FTP server, the client establishes

the control channel with the server, and the server responds by opening a
data channel to the client. However, when the FTP client and server are
on opposite sides of a firewall that prohibits inbound FTP connections,
the server cannot open a data channel to the client.
FTP passive mode overcomes this connection limitation. In passive mode,
the client opens a control channel to the server, tells the server it wants to
operate in passive mode, and opens the data channel to the server. This
method of establishing the FTP connection allows both the control
channel and the data channel to pass through the firewall in the allowed
direction.

Transferring Files
ERX Edge Routers

Configuring Authentication

Before you enable the FTP server, configure the authentication

procedure for the vty lines, as follows:
1

Configure host access lists.

Configure user authentication methods.

Configure the vty lines to use the host access lists and user
authentication methods.

You can specify authentication via a RADIUS server or via password

checking. If you choose no authentication service, any client can access
the FTP server. For information about authentication on vty lines, see
Chapter 6, Passwords and Security.
Configuration Tasks

FTP is disabled by default. You must enable the FTP server with the
ftp-server enable command before the system allows FTP clients to
connect.
ftp-server enable

Use to enable the FTP server and to monitor the FTP port for attempts to
connect to the FTP server.

You can enable the FTP server on the default virtual router only.

Example
host1(config)#ftp-server enable

Use the no version to terminate current FTP sessions and to disable the FTP
server.

Configuration Example

Figure 4-2 shows the scenario for this configuration example.

4-33

4-34

CHAPTER 4
Managing the System

ERX system
(FTP server)
RADIUS
server
Authentication via
password if RADIUS
server not available

Authentication via
RADIUS server only

Data center
subnet

POP subnet

Figure 4-2 FTP configuration example

In this example, two FTP lines are required for administrators on the
data center subnet, and two more lines are required for users on the POP
subnet. The system verifies passwords of administrators on the data
center subnet via either a RADIUS server or via simple line
authentication if the RADIUS server is unreachable. However, the
system verifies passwords of users on the POP subnet only via the
RADIUS server.
The following example shows all steps for configuring this scenario, from
specifying a RADIUS server to enabling the FTP line:
1

Configure the RADIUS server.

host1(config)#radius authentication server 10.6.131.51
host1(config-radius)#key abc123
host1(config-radius)#udp-port 1645

Configure two access lists; one named DataCenter, permitting

only the data center subnet, and one named Pops, permitting only
the POP subnet.
host1(config)#access-list DataCenter permit 10.6.128.0
255.255.128.0
host1(config)#access-list DataCenter deny any
host1(config)#access-list Pops permit 199.125.128.0
255.255.128.0
host1(config)#access-list Pops deny any

Configure two authentication method lists, named

RadiusAndLine and RadiusOnly.
host1(config)#aaa new-model
host1(config)#aaa authentication login RadiusAndLine radius
line
host1(config)#aaa authentication login RadiusOnly radius

Transferring Files
ERX Edge Routers

Configure two FTP lines to be used by data center administrators.

host1(config)#line vty 0 1
host1(config-line)#password foobar
host1(config-line)#access-class DataCenter in
host1(config-line)#login authentication RadiusAndLine

Configure the remaining FTP lines to be used by POP

administrators.
host1(config)#line vty 2 4
host1(config-line)#password foobar
host1(config-line)#access-class Pops in
host1(config-line)#login authentication RadiusOnly

Enable the FTP server.

host1(config)#ftp-server enable

Monitoring the FTP Server

Use the dir command to monitor files on the FTP server. Use the show
ftp-server and show users commands to monitor settings of the FTP
server.
show ftp-server

Use to display information about the FTP server.

Field descriptions

FTP Server state status of the FTP server: enabled or disabled

Open connections number of open connections to the FTP server
Statistics since server was last started data about the connection attempts
since you enabled the FTP server

Statistics since last system reload data about the connection attempts
since you last booted the system
attempts number of attempts to connect
failed hosts number of connection attempts that failed because of
disallowed host addresses
failed users number of connection attempts that failed because users
were not authenticated

4-35

4-36

CHAPTER 4
Managing the System

Example
host1#show ftp-server
FTP Server state: enabled, 0 open connections
Statistics since server was last started:
attempts: 32
failed hosts: 5
failed users: 7
Statistics since last system reload:
attempts: 35
failed hosts: 5
failed users: 8

show users

Use to display information about users of the vty lines.

Specify the detail keyword to view detailed information.

Field descriptions

line number number of the line to which the user is connected

line name name of the line and the service the line offers
user name of the user
connected from location or IP address of the user
connected since date and time that the user connected to the line

Example

host1#show users
line
number

connected
line name

------

--------------

0*

console 0

vty 3 (ftp)

vty 4 (telnet)

user
----fred

from

connected since

----------

----------------

console

02/12/2001 19:57

10.10.0.64

02/12/2001 20:04

10.10.0.64

02/12/2001 20:04

Note: '*' indicates current user.

Copying Partial Releases

You can shorten the time it takes to copy a release from a server and
reduce the amount of storage needed for a release. At the default setting,
all subsystems are included when you copy a release from a server. Use
the exclude-subsystem command to specify subsystems that you do not
want to copy from the server. Use the show subsystems command to
verify which files are included and excluded when you copy a release
from a server. Follow this example:
1

Determine which subsystems are included in the release on the

server.
host1#show subsystems file m:/x/images/x-y-z.rel

Transferring Files
ERX Edge Routers

Exclude any subsystems in the release that you do not need for the
configuration.
host1#(config)#exclude-subsystem ct1
host1#(config)#exclude-subsystem coc12
host1#(config)#exclude-subsystem oc12s

(Optional) Remove a subsystem from the exclude list.

host1#(config)#no exclude-subsystem oc12s

(Optional) Verify the subsystems that will be included and excluded

in future release copies.
host1#show subsystems file x8.rel

(Optional) After copying a release, view which subsystems were

excluded.
host1#show configuration
...
exclude-subsystem ct1
exclude-subsystem coc12

(Optional) Determine whether the currently running software is a

result of a copy with excluded subsystems. The word Partial
indicates that subsystems were excluded.
host1#show version
Juniper Networks, Inc. Operating System Software
Copyright (c) 200X Juniper Networks, Inc. All rights
reserved.
System Release: x-y-z.rel Partial

exclude-subsystem

Use to exclude any subsystems that are in a release that you do not need for
the system configuration.

Example
host1(config)#exclude-subsystem ct1

The subsystems that you indicate are added to the exclude list. All
subsequent release copies will exclude the images for these subsystems from
the release copy.

Example
host1(config)#no exclude-subsystem ct1

Use the no version of this command with the subsystem name to remove a
subsystem from the exclude list. Use the no version of this command without a
subsystem name to remove all subsystems from the exclude list.

4-37

4-38

CHAPTER 4
Managing the System

show subsystems

Use to determine which subsystems are included in the current software

release on the system or in a specified software release file.

Specify either a local filename or remote path and filename to view the
subsystems that are included in a software release file other than the current
software release on the system.

Field descriptions

Required number of bytes of data for the required portion of the release
Included Subsystems number of bytes of data for the included subsystems
listed. All included subsystems in the release are listed.

Excluded Subsystems number of bytes of data for the excluded

subsystems listed. All excluded subsystems in the release are listed.

Use the command before you copy a release to verify which subsystems are
present in the release.

Example
host1#show subsystems file m:/x/images/x-y-z.rel
oc3
ct3
ut3f
ut3a
ct1
dpfe
oc12p
oc12a
ge
fe8
coc12
oc12s

Use the command after copying a release to verify which subsystems are
included and excluded.

Example
host1#show subsystems file x8.rel
Required: 1423005

bytes

Included Subsystems:
ct3
ut3f
ut3a
dpfe
oc12p
oc12a
ge
fe8
coc12
oc12s

27882192

bytes

Using the Telnet Client

ERX Edge Routers

Excluded Subsystems:

6840211

bytes

oc3
ct1

Using the Telnet Client

The system has an embedded Telnet client that enables you to connect to
remote systems. You can configure a Telnet daemon to listen in virtual
routers other than the default virtual router. You must be in the context of
the desired virtual router to issue the command.
telnet

Use to open a Telnet connection to a remote system.

Specify the IP address or name of the remote host.

You can specify a VRF context in which the request takes place.

Depending on how the remote system accepts Telnet requests, you can specify
a port number or port name through which the system will connect to the
remote host. In the Transmission Control Protocol (TCP), ports define the ends
of logical connections that carry communications. In most cases, you can
accept the default, port number 23, the Telnet port. For more information on
port numbers and associated processes, see www.iana.org.

You can force Telnet to use the IP address of an interface that you specify as its
source address.

Example
host1#telnet 192.168.35.13 fastEthernet 0

There is no no version.

Use to create a Telnet daemon to listen in a virtual router.

Example

telnet listen

host1(config)#virtual-router 3
host1:3(config)#telnet listen port 3223

Use the no version of the command to delete the daemon.

Configuring DNS
You can configure virtual routers to act as name resolvers for Domain
Name Service (DNS). DNS is a client/server mechanism that maps IP
addresses to hostnames.
The name resolver is the client side of DNS and receives
address-to-hostname requests from its own clients when they want to
contact hosts on other networks. By polling name servers, the name

4-39

4-40

CHAPTER 4
Managing the System

resolver learns name-to-address translations for the hosts its clients want
to contact.
A name server may provide the translation from its cache or may poll
servers lower in the DNS hierarchy to obtain a translation. Typically,
name servers at the top of the hierarchy recognize top level domain
names and know which servers to contact for information about more
detailed domain names. See Figure 4-3.
Clients for name
resolver Boston

Clients for name

resolver Chicago

ERX system with

configured name
resolvers

Name server for

.com domain

Name server for

bigcompany.com
domain
Name server for
sales.bigcompany.com
domain
Figure 4-3 DNS hierarchy example

DNS messages from a name resolver to a name server must include the
domain name for the resolvers clients. Consequently, you must specify a
default domain name for the clients. The default domain name is
appended to unqualified hostnames (those without domain names).
The name resolver must be able to access at least one name server.
Accordingly, you must configure a static route to a gateway that provides
access to the name server and assign the name server to the name
resolver. See Assigning Name Servers, later in this chapter.
Each virtual router can have its own name resolver and domain name.
However, if two virtual routers use the same name servers and belong to
the same local domain, you do not need to configure name resolvers on
both virtual routers. See Using One Name Resolver for Multiple Virtual
Routers, later in this chapter.

Configuring DNS
ERX Edge Routers

References

For more information about the DNS, consult the following resources:
RFC 1035 Domain Names Implementation and Specification
(November 1987)
RFC 2308 Negative Caching of DNS Queries (DNS NCACHE)
(March 1998)
Assigning Name Servers

To assign name servers to the system:

1

Access the virtual router context.

Define static routes to the gateways that provide access to the name
servers.

Enable the virtual router to query name servers.

Specify a default domain name for the hosts.

Specify the name servers.

Example

host1(config)#virtual-router boston
host1:boston(config)#ip route 0.0.0.0 0.0.0.0
gatewayIpAddress
host1:boston(config)#ip domain-lookup
host1:boston(config)#ip domain-name urlofinterest.com
host1:boston(config)#ip name-server 10.2.0.3
host1:boston(config)#ip name-server 10.2.5.5

ip domain-lookup

Use to enable the system to query the configured DNS name servers when it
needs an IP-hostname-to-IP-address translation.

Domain lookup is disabled by default.

Example
host1(config)#ip domain-lookup

Use the no version to disable domain lookup.

4-41

4-42

CHAPTER 4
Managing the System

ip domain-name

Use to define a default domain name for the clients that a name resolver
serves.

You must define a default domain name for each name resolver. Multiple name
resolvers can use the same default domain name.

If you map an unqualified hostname (one without a domain name) to an IP

address with the host ftp command, the domain name is appended to the
hostname before the name is stored in the host table.

Example
host1(config)#ip domain-name bigcompany.com

Use the no version to delete the domain name; that is, the domain name will no
longer be appended to hostnames in the static host table.

Use to specify a DNS name server that the system can query for
hostname-to-IP-address resolution.

Example

ip name-server

host1(config)#ip name-server 192.168.25.100

Use the no version to delete the name server.

Using One Name Resolver for Multiple Virtual Routers

You can use one name resolver for multiple virtual routers if those virtual
routers use the same name servers and belong to the same local domain.
To do so, complete the following steps:

Example

Configure a name resolver for the first virtual router.

Access the context for the second virtual router.

Specify that the second virtual router should use the name resolver
you configured for the first virtual router.

Repeat steps 2 and 3 for other virtual routers that you want to point
to this name resolver.

To configure the virtual router boston to use the same name servers as the
default router, enter the following commands.
host1(config)#virtual router boston
host1:boston(config)#ip domain-lookup transit-virtual-router
default

Troubleshooting
ERX Edge Routers

ip domain-lookup transit-virtual-router

Use to configure a virtual router to use the name servers you configured for
another virtual router.

Example
host1:boston(config)#ip domain-lookup transit-virtual-router
default

Use the no version to stop a virtual router from using the same name servers
you configured for another virtual router.

Monitoring DNS

After you configure DNS, you can use the show ip domain-lookup
command to view information about the name servers.
show ip domain-lookup

Use to display the name servers that you have specified on the system with the
ip name-server command.

Field descriptions

Bind to client name of the virtual router context in parentheses, followed by

the name of the virtual router providing the name resolver

Using following Domain Name Servers name servers you assigned

Using following Local Domain Names default domain names you specified

Example

In this example, the virtual router boston uses the name resolver on the
default virtual router.
host1#show ip domain-lookup
Bind to client: (boston)default
Using following Domain Name Servers:
10.2.0.3
11.1.1.1
10.1.1.1
Using following Local Domain Names :
urlofinterest.com
concord

Use the no version to disassociate this NFS server from the current virtual
router.

Troubleshooting
You can use log commands to discover and isolate problems with the
system. For information on using the log commands, see Chapter 11,
Logging System Events. You can also use dump files to troubleshoot line
module failures.

4-43

4-44

CHAPTER 4
Managing the System

Creating Core Dump Files

You can enable the system to create a core dump file if a module fails.
You can choose to send the core dump file to an FTP server or save the
file in a compressed form to NVS. Juniper Networks Customer Service
can then access the core dump file and analyze it to determine what went
wrong. The core dump is disabled by default. You can enable the core
dump from Boot mode or Global Configuration mode.
Caution: Create a core dump file only under the direction of Juniper Networks
Customer Service. Network function can be disrupted if you create a core dump file
while the system is running in a network.

Boot Mode

To enable the core dump from Boot mode:

1

Access Boot mode by reloading the SRP module; then press the
<mb> key sequence (case insensitive) during the countdown.

Specify where the system should transfer the core dump file.

Set the IP address and mask of the system interface over which you
want to send the core dump file.

Specify the gateway through which the system sends the core dump
file to the FTP server.

(Optional) Set a username and password for FTP access to the server
where you transferred the core dump file.

Reload the operating system.

Example

:boot##exception dump 192.168.56.7 CORE_DUMPS

:boot##exception protocol ftp user_name user_password
:boot##exception gateway 192.168.12.3
:boot##exception source 10.10.33.8 255.255.255.0
:boot##reload

Global Configuration Mode

To enable the core dump from Global Configuration mode:

1

Access Global Configuration mode.

Specify where the system should transfer the core dump file.

Set the IP address and mask of the system interface over which you
want to send the core dump file.

Troubleshooting
ERX Edge Routers

Specify the gateway through which the system sends the core dump
file to the FTP server.

(Optional) Set a username and password for FTP access to the server
where you want to transfer the core dump file.

(Optional) View parameters associated with creating a core dump

file.

Example

host1(config)#exception dump 192.168.56.7 CORE_DUMPS

host1(config)#exception protocol ftp username userpassword
host1(config)#exception gateway 192.168.12.3
host1(config)#exception source 10.10.33.8 255.255.255.0
host1(config)#reload

exception dump

Use to specify where the system should transfer the core dump file.

To send the file to an FTP server, enter the IP address of the FTP server and
the name of the directory on the server to which the system will transfer the
file.

To send the core dump file to NVS memory, use the local keyword.

Example
host1(config)#exception dump 192.168.56.7 CORE_DUMPS

Use the no version to disable the core dump.

Use to specify the gateway through which the system sends the core dump file
to the FTP server.

Example

exception gateway

host1(config)#exception gateway 10.10.1.15

Use the no version to restore the IP address to the null default value.

Use to set a user name and password for FTP access to the server where you
transferred a core dump file. The default settings are the username anonymous
and no password.

Specify the number 8 before the user name and before the password to encrypt
these values. By default, the user name and password are not encrypted.

Example

exception protocol ftp

host1(config)#exception protocol ftp 8 user_core 8

user_password

Use the no version to restore the default settings.

4-45

4-46

CHAPTER 4
Managing the System

exception source

Use to set the IP address and mask of the system interface over which you
want to send the core dump file to the FTP server.

You can optionally include an IP address mask.

Example
host1(config)#exception source 192.168.1.33 255.255.255.0

Use the no version to restore the IP address and mask to the default null
values.

Use to reload the software on the router immediately.

Reloads the system software (.rel) file and the configuration (.cnf) file on the
router.

Example

reload

host1#reload

There is no no version.

Use to display the parameters associated with the core dump operation.

Field descriptions

show exception dump

Dump host IP address address of the host where the system is configured
to transfer the dump file

Dump directory name of directory on the host where the system is

configured to transfer the dump file

Dump protocol protocol used to send the core dump file; currently only
FTP is supported

User name name configured for access to the core dump file on the FTP
server

Password password configured for access to the core dump file on the
FTP server

Interface IP address address of the system interface configured to send

the core dump file

Interface netmask mask of the system interface configured to send the

core dump file

Gateway IP address address of gateway configured between the system

and the FTP server

Example
host1#show exception dump
Dump host IP address: 192.168.56.7
Dump directory:CORE_DUMPS/
Dump protocol: FTP
User name: user_name

Troubleshooting
ERX Edge Routers

Password: user_password
Interface IP address:
Interface netmask:
Gateway IP address:

Accessing the Core Dump File

If a module fails and saves a core dump file to NVS memory (which can
take several minutes), you must transfer the file to a network host to
examine it. You can transfer the core dump file when the module is back
online or has assumed a redundant status. For information about the
status of modules, see ERX Installation and User Guide, Chapter 8,
Troubleshooting. To transfer the core dump file to a network host, use the
copy command.
In a system with two SRP modules, the following behavior applies if you
have configured the SRP modules to save core dump files to an FTP
server:
If the primary SRP module fails, it saves the core dump file to the FTP
server before the standby SRP module assumes control.
If the standby SRP module fails, it must save the core dump file to
NVS because it has no access to any configured network host.
The show version command output indicates the failed SRP module
state as not responding during the save process. Consequently, when
the failed SRP module recovers and assumes the role of redundant
module, the show version command output indicates the SRP module
state as standby. You can now transfer the core dump file to a network
host for examination. For example, to transfer the file
SRP_1_SC_05_24_2000_02_20.dmp from NVS of the failed SRP
module to the host server1, enter the following command:
host1#copy SRP_1_SC_05_24_2000_02_20.dmp
host:/public/server1/SRP-5G_1_SC_05_24_2000_02_20.dmp

copy

Use to copy a core dump file.

You cannot use wildcards.

The file can be either a local or network file.

You cannot create or copy over files generated by the system; however, you
can copy such files to an unreserved filename.

Example
host1#copy fault.dmp host:/public/server1/fault.dmp

There is no no version.

4-47

4-48

CHAPTER 4
Managing the System

Understanding the Core Dump File

The dump file indicates which module has failed by referencing that
modules hardware slot number. The hardware slot number is the slot
number designation on the systemss backplane. This slot number is
different from the chassis slot number that appears on the front of the
chassis and in screen displays (for example, in the display resulting if you
issue the show version command). Table 4-6 shows how the chassis slot
numbers relate to the hardware slot numbers.
Table 4-6 Chassis slot numbers vs. hardware slot numbers
ERX-700 series
Hardware Slot
Number

Slot Number
on Chassis

ERX-1400 series
Hardware Slot
Number

10

11

10

12

11

13

12

14

13

15

Monitoring the System

This section provides basic system commands that allow you to display
information about the systems state. The show configuration
command, for example, allows you to display the systems entire
configuration.

Monitoring the System

ERX Edge Routers

baseline show-delta-counts

Use to configure the system to always display statistics relative to the most
recent appropriate baseline.

The system collects many statistics during its operation. Various show
commands are available to display these statistics. Baselining allows the user
to identify a point in time relative to which such statistics can be reported.

Typically, the optional delta keyword is used with show commands to specify
that baselined statistics are to be shown. This command applies the delta
function implicitly.

Example
host1#baseline show-delta-counts

Use the no version to have access to the total statistics.

Use to display the systems current configuration.

You can create a configuration script from the output by saving it as a file with
the .scr extension.

You can exclude information about a particular type of interface.

This command was formerly documented as show config; that abbreviation is

still supported.

You can use the output filtering feature of the show command to include or
exclude lines of output based on a text string you specify. See Chapter 2,
Command Line Interface, for details.

This command is available only if the system is in Automatic Commit mode.

Example - see the description on page 4-12.

Use to display information on the systems physical environment, such as

voltage or temperature.

Optionally, specify the all keyword to view both the system environment
information and the detailed temperature status table, or specify the table
keyword to view only the temperature status table.

The system displays a message if the voltage or temperature exceeds normal

operating limits.

The system enters thermal protection mode if the temperature exceeds

maximum operating limits. For information about thermal protection mode, see
ERX Installation and User Guide, Chapter 8, Troubleshooting.

Field descriptions

show configuration

show environment

chassis number of slots, midplane identifier, and hardware revision number

midplaneId14Slot 5 Gbps, 14 slot midplane
midplaneId7Slot 5 Gbps, 7 slot midplane

4-49

4-50

CHAPTER 4
Managing the System

midplaneIdRx1400 10 Gbps ASIC compatible, 12 line card slots, 2 SRP

slots for ERX-1400 series
midplaneIdRx700 10 Gbps ASIC compatible, 5 line card slots, 2 SRP
slots for ERX-700 series

fabric capacity and hardware revision of fabric

fans status of fans
nvs capacity of NVS and amount of space used
power states of power feeds
srp redundancy availability of a redundant SRP card
slots: cards missing or offline status of each slot
online
standby
offline
empty

line redundancy number of redundancy groups installed

width number of slots the redundant midplane covers
spare slot that contains spare line module
primary slot that contains the primary line module

temperature status of system temperature

timing source of the timing signal
primary type and status of the primary timing signal
secondary type and status of the secondary timing signal
tertiary type and status of the tertiary timing signal
auto-upgrade status of the auto-upgrade parameter, which enables the
system to revert to a higher-priority timing source after switching to a
lower-priority timing source.

system operational status of system

slot number of the slot in which the module resides
processor temperature temperature of line or SRP module
processor temperature status temperature condition of the line module
normal temperature is in normal range
too hot module is too hot; system will go into thermal protection mode if
temperature of any module exceeds 80 C
too cold module is too cold; system will go into thermal protection mode
if temperature of any module drops below 5 C

IOA temperature temperature of corresponding I/O module

IOA temperature status temperature condition of the corresponding
module
normal temperature is in normal range
too hot module is too hot; system will go into thermal protection mode if
temperature of any module exceeds 80 C
too cold module is too cold; system will go into thermal protection mode
if temperature of any module drops below 5 C

Monitoring the System

ERX Edge Routers

Example
host1#show environment all
chassis: 14 slot (id 0x3, rev. 0x0)
fabric: 5 Gbps (rev. 1)
fans: ok
nvs: ok (81MB flash disk, 54% full)
power: A ok, B not present
srp redundancy: none
*** slots: cards missing or offline
online: 6 9
standby: 8
offline: 2
empty: 0 1 3 4 5 7 10 11 12 13
line redundancy: 1 redundancy group(s)
width 6, spare 8, primary 9
temperature: ok
timing: primary
primary: internal SC oscillator (ok)
secondary: internal SC oscillator (ok)
tertiary: internal SC oscillator (ok)
auto-upgrade enabled
*** system operational: no
processor

processor

IOA

IOA

temperature

temperature

temperature

temperature

slot

(10C - 70C)

status

(10C - 70C)

status

----

-----------

-----------

-----------

-----------

31

normal

30

normal

31

normal

30

normal

31

normal

30

normal

31

normal

30

normal

processor temperature ranges

below -5C is too cold
above 80C is too hot
low temperature warning below 10C
high temperature warning above 70C
IOA temperature ranges
below -5C is too cold
above 80C is too hot
low temperature warning below 10C
high temperature warning above 70C

4-51

4-52

CHAPTER 4
Managing the System

show hosts

Use to display a list of configured network servers.

Field Descriptions

Static Host Table information about the connected static hosts

name name of the host
ip address IP address of the host
type of host type of host, for example ftp means an FTP server

Example
host1#show hosts
Static Host Table
----------------name

ip address

type

----

-----------

----

host1

10.2.0.124

ftp

show processes

Use to show amount of resources used by the system processes.

Use no keywords or use the cpu keyword to display the CPU utilization.

Use the memory keyword to display amount of memory used. Field

descriptions

name name of process

bytes allocated bytes of memory allocated to the process
bytes free bytes of memory freed by the process, regardless of who
originally allocated it

blocks allocated amount of memory currently allocated to the process

blocks free amount of memory freed by the process
max free block number of bytes in the one largest free block
task name name of process
times invoked number of times process has been invoked
invocations per second frequency of process invocation
total running time (msec) time the process has been running
percent running time percentage of total running time attributable to this
process

average time per invocation (usec) average number of microseconds per

invocation of this process

5 second utilization (%) CPU utilization by process for the last 5 seconds
1 minute utilization (%) CPU utilization by process for the last minute
5 minute utilization CPU utilization by process for the last 5 minutes

Monitoring the System

ERX Edge Routers

Examples

host1#show processes memory

Heap Statistics
--------------max
bytes
name

bytes

blocks

blocks

allocated

free

---------------------

---------

--------

---------

------

--------

system

110430808

84680416

5284

256

84530744

207600

303776

621

145

7216

10120

252008

252008

file system
Crldp.osHeap 1
IpTemplateMgr General

allocated

free

free
block

104

2097032

2096992

134872

127256

21

127216

32752

32752

637536

411000

14

364832

radius-rx*

39984

39984

radius-tx*

39984

39984

rip *

32752

32752

router buffer

524272

ssscHeap

2097136

Lsm.osHeap
Rsvp.networkBuffers 1
Rsvp.osHeap 1
.
.
.

host1#show processes cpu

Process Statistics
-----------------total
invocations
times

per

task name

invoked
-------

-----------

aaaServer
agent1
ar1EthHelp

percent

time

--------------------aaaAtm1483Config

running

second

running

(msec)

time

--------

-------

0%

52

260

0%

399

3600

0%

362856

590

0%

.
.
.
templateMgr

48

540

0%

timerd

2346566

32

0%

~GONE~

405202

184700

0%

~IDLE~

360

0%

8840490

121

51050

0%

~INTERRUPT~

524272
2097136

4-53

4-54

CHAPTER 4
Managing the System

average
time

per

second

minute

minute

invocation

utilization

utilization

utilization

task name

(usec)

(%)

---------------------

----------

-----------

aaaAtm1483Config

(%)

(%)

-----------

----------0

aaaServer

5000

agent1

9022

ar1EthHelp
.
.
.
templateMgr

11250

timerd

~GONE~

455

~IDLE~

---

~INTERRUPT~

show reboot-history

Use to display the history of system and module resets.

You can display the current reboot.hty file or a saved reboot history file.

If you have a redundant system, it can be convenient to copy the redundant

modules reboot.hty file to another filename for viewing with this command.

Field descriptions

Entry number of entry in reboot history; numbers range from lowest (most
recent reset) to highest (oldest reset)

time of reset timestamp for reset

run state state of system at reset
image type type of image running when the record is written
boot module is running the boot file
diagnostics module is running the diagnostics file
application module is running the software file

location slot that reset

build date build date of software version
reset type cause of reset

Example

host1#show reboot-history
*** Entry

1 ***

time of reset: TUE APR 10 2001 20:25:59 UTC

run state: unknown
image type: diagnostics
location: slot (7)
build date: 0x3abf4337 MON MAR 26 2001 13:25:11 UTC

Monitoring the System

ERX Edge Routers

reset type: user reboot, task "scheduler", reason "not specified"

*** Entry

2 ***

time of reset: TUE APR 10 2001 20:25:44 UTC

run state: unknown
image type: diagnostics
location: slot (8)
build date: 0x3abf5d5f MON MAR 26 2001 15:16:47 UTC
reset type: user reboot, task "scheduler", reason "not specified"
*** Entry

3 ***

time of reset: TUE APR 10 2001 20:25:03 UTC

run state: unknown
image type: diagnostics
location: slot (4)
build date: 0x3abf3ee0 MON MAR 26 2001 13:06:40 UTC
reset type: user reboot, task "scheduler", reason "not specified"

show version

Use to display the configuration of the system hardware and the software
version.

Field descriptions

Model identification
Copyright copyright details for the system software
System Release filename, version, and date of the system software
currently running on the system

System running for time elapsed since the last boot of the system, date
and time of last boot

slot physical slot that contains the line module

state status of the line module
booting line module is booting
disabled (assessing) system is evaluating the status of this line module
disabled (admin) line module disabled via slot disable command
disabled (cfg error) use of the line module in this slot violates the
permitted configuration for the system. For example, the fabric cannot
supply sufficient bandwidth to the line module in this position.
disabled (image error) software for this line module is missing or
corrupted
disabled (mismatch) line module in this slot is a different type from that
specified in the software. Correct the condition by inserting the original
module, or use the slot accept command to find information about the
new module.
hardware error line module has a hardware fault
inactive either the I/O module is not present, or this primary line module
is fully booted and ready to resume operation. In the latter case, the spare
is currently providing services.

4-55

4-56

CHAPTER 4
Managing the System

initializing transitional state before the line module proceeds to the

online, standby, or inactive state; diagnostics are complete, module is
initializing software
online line module is operating
not present line module configured for this slot is missing
not responding line module has a hardware or ROM problem
standby spare line module or SRP module is fully booted and ready to
operate if the primary line module or active SRP module fails
unknown transitional state while the SRP is initializing

type kind of module; an e at the end of an SRP module type (for example,
SRP-5Ge) indicates that the module includes error checking code (ECC)

admin status of the slot in the software

enabled slot is enabled
disabled slot is disabled

spare line module is a spare for line module redundancy

running release software that is running on the line module
The following symbols and notices may be displayed at the end of the report:
# This release is a result of a subsystem override
* This release is a result of a boot slot override
# The running or armed release on the slot is the same as the armed
release for a subsystem. A subsystem is all the line modules of one type,
such as OC3.
* This release reflects whichever release the system is armed with at
startup.

slot uptime length of time for which the module has been operational; a
value of --- indicates that the module is not available.

Example

host1#show version
Juniper Networks Edge Routing Switch ERX-700
Copyright (c) 1999-200X Juniper Networks, Inc.

All rights reserved.

System Release: rx x-y-z.rel

Version: x.y.z (November 28, 200X 10:22)
System running for: 17 days, 17 hours, 15 minutes, 25 seconds
(since THU NOV 30 200X 03:44:36 UTC)
running
slot state

type

admin

spare

release

slot uptime

---- ------ ------- ------- ----- ---------- ------------0

online SRP-10G enabled

---

mc_341.rel 0d00h:12m:52s

---

---

---

---

---

---

---

---

---

---

---

---

3
4
5
6

online CT3
---

---

online GE
---

---

enabled
--enabled
---

---------

mc_341.rel 0d00h:12m:33s
--mc_341.rel
---

-------

Managing Line
Modules and SRP
Modules

This chapter describes how to manage line modules and SRP modules in
the ERX system.
Topic

Page

Overview

5-1

Disabling and Reenabling Modules

5-2

Removing an SRP Module

5-2

Replacing Line Modules

5-4

Replacing SRP Modules

5-5

Software Compatibility

5-5

Configuring Performance Rate of Line Modules

5-6

Line Module Redundancy

5-14

SRP Module Redundancy

5-19

Managing NVS Cards on SRP Modules

5-24

Managing the Ethernet Port on the SRP Module

5-31

Monitoring Modules

5-33

Overview
When managing line modules and SRP modules, you need to consider
both software and hardware procedures. For example, before you remove
an SRP module, you must enter the halt command to prevent damage to
nonvolatile storage (NVS).
This chapter describes the software issues associated with managing
modules. Each section in the chapter covers a different topic; where

5-2

CHAPTER 5
Managing Line Modules and SRP Modules

appropriate, a section contains an overview of the topic, configuration

tasks, and information about monitoring the associated settings.
The ERX Installation and User Guide contains information about
related procedures. For information about installing modules, see ERX
Installation and User Guide, Chapter 3, Installing ERX Modules. For
information about upgrading software on SRP modules, see ERX
Installation and User Guide, Appendix E, Installing ERX System
Software.

Disabling and Reenabling Modules

Disabling a line module or SRP module has the same effect as removing
that module from a slot. A disabled module cannot operate, although its
configuration remains in NVS. To allow the module to operate, you must
reenable it.
slot disable

Use to disable the line module or SRP module in the specified slot.

You can use this command to disable a module so that you can run diagnostic
tests on the module.

Example
host1(config)#slot disable 3

There is no no version.

Use to enable the line module or SRP module in the specified slot.

Allows you to restart the module that was installed in the slot.

The default is enable.

Example

slot enable

host1(config)#slot enable 3

There is no no version.

Removing an SRP Module

Before you remove an SRP module, you must issue the halt command,
which stops operation on that module. If the system contains both
primary and redundant SRP modules, you can specify which modules the
command should affect.You can also configure the system to prompt you
if the modules are in a state that could lead to loss of configuration data
or NVS corruption.

Removing an SRP Module

ERX Edge Routers

Caution: If you do not use the halt command before removing or powering down
an SRP module, the systems NVS may become corrupted.

For information about physically removing an SRP module, see ERX

Installation and User Guide, Chapter 3, Installing ERX Modules.
halt

Use to stop the systems operation before you remove or power down an SRP
module.

Specify neither the primary nor the secondary keyword to stop operation on
both SRP modules.

Specify the keyword primary to stop operation on the primary SRP module
only. This action causes the redundant SRP module to assume the primary
role.

Specify the keyword secondary to stop operation on the redundant SRP

module only.

If you specify the force keyword, the procedure will fail if the SRP modules are
in certain states, such as during a synchronization. In these cases, the system
will display a message that indicates that the procedure cannot currently be
performed and the reason why. However, if the SRP modules are in other
states that could lead to a loss of configuration data or NVS corruption, the
system displays a message that explains the state of the SRP modules and
asks you to confirm (enter yes or no) whether you want to proceed.

If you do not specify the force keyword, the procedure will fail if the SRP
modules are in any state that could lead to loss of configuration data or NVS
corruption, and the system will display a message that explains why the
command failed.

When you issue this command, the system prompts you for a confirmation
before the procedure starts.

Remove or power down the SRP module within 2 minutes of executing the halt
command. Otherwise, the SRP module will automatically reboot.

Examples
host1#halt
host1#halt primary
host1#halt standby force

There is no no version.

5-3

5-4

CHAPTER 5
Managing Line Modules and SRP Modules

Replacing Line Modules

When you configure a line module, the system stores the configuration in
NVS. If you plan to install modules in slots previously occupied by
different types of modulesfor example, an FE-2 line module and a FE-2
I/O module in slots that previously contained a CT3 line module and a
CT3/T3 I/O moduleyou must do one of the following:
Before installing the different type of module, issue the slot erase
command.
After installing the different type of module, issue the slot accept
command.
slot accept

Use to delete the configuration of the line module in the selected slot after you
install a different type of line module.

This command allows you to create a fresh configuration for the module
installed in the slot.

You can also use this command to accept an empty slot that was previously
occupied.

Depending on the slots previous configuration, this system may take a few
moments to execute this command.

The following is a sample Log message resulting from putting an OC3 line
module in a slot that was previously configured for a CT3 line module:
ERROR 04/05/1999 07:50:32 system (slot 4): boardid mismatch:
read 0x5 (OC3 single port), configured 0x7 (Channelized
T3)

To resolve the problem, issue the slot accept command for slot 4.

Example
host1(config)#slot accept 4

There is no no version.

Use to delete the configuration of the line module in the selected slot before
you install a different type of line module.

This command allows you to create a fresh configuration for the module
installed in the slot.

Example

slot erase

host1(config)#slot erase 3

There is no no version.

Replacing SRP Modules

ERX Edge Routers

Replacing SRP Modules

If you perform one of the following actions, you must reset the
configuration of the system to factory default:
Replace a 5-Gbps SRP module with a 10-Gbps SRP module or vice
versa.
Transfer an SRP module from an ERX-700 system to an ERX-1410
system or vice versa.
You cannot use the slot accept command to force the system to accept
the new SRP module.
When you have installed the SRP module in the new location, reset the
configuration of the system to factory defaults as follows:
1

Reload the operating system, then press <mb> key sequence

(case-insensitive) during the countdown.
host1#reload

Reboot the system with the factory defaults.

:boot##boot config factory-defaults

Reload the operating system.

:boot##reload

Software Compatibility
An ERX software release supports a specific set of line modules and I/O
modules. Before you install a new line module or I/O module, you should
install a software release that supports the new module.
Line Modules

If the system uses a software version that does not support a line module
that you install, you see the message unrecognized board type, and the
system disables the module. When you issue a show version command,
the state of the line module is disabled (admin).
If you subsequently boot the system with software that supports the line
module, the line module becomes available and its state is enabled.

5-5

5-6

CHAPTER 5
Managing Line Modules and SRP Modules

I/O Modules

If the system uses a software version that does not support an I/O module
that you install, the I/O module will be unavailable, and you will not be
able to upgrade the software on the system. To upgrade the software:
1

Remove the I/O module.

Reboot the line module that corresponds to this I/O module. See
ERX System Basics Configuration Guide, Chapter 8, Booting the
System.

When the line module has rebooted, install the I/O module.

Upgrade the software on the system. See ERX Installation and User
Guide, Appendix E, Installing ERX System Software.

Configuring Performance Rate of Line Modules

Note: This section does not apply to the ERX-1440 system.

Line modules in an ERX-1440 system always operate at line rate

performance. However, you can configure the ERX-700 series and the
ERX-1410 system to enable the line modules either to operate at full line
rate performance or to allow line modules to operate at a rate dependent
on the resources available.
Operating at full line rate performance restricts the combination of line
modules in the system. Operating at a rate dependent on the resources
available allows a much more extensive combination of line modules in
the system and is known as bandwidth oversubscription.
To configure performance, complete the following steps:
1

Choose a combination of line modules appropriate for the

performance. See Choosing a Combination of Line Modules, later in
this chapter.

Disable slots that contain unwanted line modules or modify the

combination of line modules in the system. See Disabling and
Reenabling Modules, earlier in this chapter, and ERX Installation
and User Guide, Chapter 3, Installing ERX Modules.

Specify the type of performance. See Specifying the Type of

Performance, later in this chapter.

Configuring Performance Rate of Line Modules

ERX Edge Routers

Choosing a Combination of Line Modules

For line rate performance, the total bandwidth required by the line
modules in the slot group must not exceed the bandwidth available from
the SRP module. In this case, the combination of line modules that can
reside in a slot group depends on the following:
Restrictions on certain combinations of line modules
The number of slots per group
The bandwidth available from the SRP module
The bandwidth required by each line module
In the case of the SRP-5G+ and SRP-10G modules, the switches
(upper and lower) that the line module can use.
Restricted Line Module Combinations

The following restrictions on line modules apply:

The SRP-5G module does not support the cOCx/STMx, CT3 12,
COCX-F3, GE/FE, IPSec Service, OCx/STMx or TSM line modules.
The SRP-5G+ and SRP-10G modules do not support OC3 (dual port)
line modules in the same slot group as cOCx/STMx, CT3 12,
COCX-F3, GE/FE, IPSec Service, OCx/STMx POS or TSM line
modules.
In bandwidth oversubscription mode, the SRP-5G+ and SRP-10G
modules do not support an OC3 (dual port) line module in the same
slot group as an OCx/STMx ATM line module.
However, in nonbandwidth oversubscription mode, the SRP-5G+
and SRP-10G modules support one OC3 (dual port) line module and
one OCx/STMx ATM line module in the same slot group.
Slot Groups

The number of slots in a group depends on the ERX model. For

information about slot groups, see ERX Installation and User Guide,
Chapter 3, Installing ERX Modules.

5-7

5-8

CHAPTER 5
Managing Line Modules and SRP Modules

SRP Modules Bandwidth

Different SRP modules offer different bandwidths:

The SRP-5G module provides 1.25 Gbps bandwidth per slot group.
The SRP-10G module provides 2.5 Gbps bandwidth per slot group.
The SRP-5G+ module (ERX-705 system only) provides:
> 2.5 Gbps bandwidth per slot group
> 5 Gbps bandwidth per system
Line Modules Bandwidth and Switch Usage

The SRP-5G module has one switch that supplies 100% of the bandwidth
for line modules. However, the SRP-5G+ and SRP-10G modules
comprise two switches; each switch provides 50% of the bandwidth. The
line modules in a slot group cannot operate at line rate if:
The sum of their bandwidths exceeds the bandwidth that the SRP
module can supply per slot group.
The sum of the bandwidths they require from one SRP switch exceeds
the bandwidth that the SRP switch can supply per slot group.
For example, the T3 line module requires 0.54 Gbps bandwidth and uses
only the top switch of the SRP-10G module. To operate three T3 line
modules in a slot group at line rate, you would need 1.62 Gbps bandwidth
from the top switch. The top switch of the ERX-1410 system offers 1.25
Gbps bandwidth per slot group. Three T3 line modules cannot operate at
line rate with an SRP-10G module.
Table 5-1 shows the bandwidth that each line module requires for line
rate performance and the switches that the line module can use on the
SRP-5G+ and SRP-10G modules.
Table 5-1 Bandwidth statistics for line modules

Line Module

Total Bandwidth
Required (Gbps)

Switches Used on SRP-5G+ and

SRP-10G Modules

CE1

0.20

Top switch only

cOCx/STMx

2.46

Both switchesa

COCX-F3

2.46

Both switchesa

CT1

0.20

Top switch only

CT3

0.54

Top switch only

CT3/T3 FO

2.46

Both switchesa

E3

0.54

Top switch only

Configuring Performance Rate of Line Modules

ERX Edge Routers

Table 5-1 Bandwidth statistics for line modules (continued)

Line Module

Total Bandwidth
Required (Gbps)

Switches Used on SRP-5G+ and

SRP-10G Modules

FE-2

0.52

Either switch

GE/FE

2.46

Both switchesa

HSSI

0.54

Top switch only

IPSec Service

2.46

Both switchesa

OC3 (dual port)

1.2

Either switch

OCx/STMx ATM

1.22

Both switchesa

OCx/STMx POS

2.46

Both switchesa

T3

0.54

Top switch only

TSM

2.46

Both switchesa

X.21/V.35

0.20

Top switch only

a In bandwidth oversubscription mode, 50% per switch; in nonbandwidth oversubscription mode,

up to 100% per switch

Allowed Combinations for Line Rate Performance

Table 5-2 shows a list of combinations of line modules that allow line rate
performance. However, if performance lower than line rate is acceptable,
you can use any combination of line modules (other than the restricted
combinations) in a slot group.
For example, the SRP-10G module offers a total bandwidth of 2.5 Gbps
for each slot group. The GE line module requires 2.46 Mbps bandwidth
for operation at line rate, and can use both switches in the SRP-10G
module. If you require line rate from a GE line module, install only one
GE line module in the slot group. However, if lower performance is
acceptable, you can install two or three GE line modules in a slot group
and enable bandwidth oversubscription.
When bandwidth oversubscription is enabled, all line modules, except the
OC3 (dual port) and FE-2 line modules, optimize use of the resources
available. For example, if two GE line modules are installed in a slot
group, each line module is allocated 50% of the available bandwidth.
However, if one line module is using less bandwidth than it is allocated,
the other line module can use more bandwidth than it is allocated and
can operate at a greater line rate. The OC3 (dual port) and FE-2 line
modules use a fixed portion of the available bandwidth; they cannot take
advantage of resources unused by other line modules.
To ensure the best performance, when you change line modules in a slot
group that contains FE-2 or OC3 (dual port) line modules, you should
optimize the bandwidth. See Optimizing Bandwidth, later in this chapter.

5-9

5-10

CHAPTER 5
Managing Line Modules and SRP Modules

Table 5-2 Combinations of line modules for line rate performance

SRP Module and
System
SRP-5G in ERX-700
system

Possible Combinations of Line Modules

One CE1, CT1, CT3, E3, FE-2, HSSI, OC3 (dual port), T3, or X.21/V.35 line module,
and one empty slot in slot group 1

Two CE1, CT1, CT3, E3, FE-2, HSSI, T3, or X.21/V.35 line modules in any
combination in slot group 1

One CE1, CT1, CT3, E3, FE-2, HSSI, OC3 (dual port), T3, or X.21/V.35 line module in
slot groups 2, 3, and 4

No cOCx/STMx, COCX-F3, CT3/T3 FO, GE/FE, IPSec Service, or OCx/STMx line

modules or TSMs.

Examples of combinations that allow line rate performance

Two CT1 line modules in slot group 1, one CT3 line module in slot group 2, OC3 (dual
port) line modules in slot groups 3 and 4

One CE1 and one E3 line module in slot group 1, one HSSi module in slot group 2, one
FE-2 module in slot group 3, and one OC3 (dual port) line module in slot group 4

Examples of combinations that do not allow line rate performance

SRP-10G in ERX-700
system

Two OC3 (dual port) line modules in slot group 1

An OCx/STMx line module in any slot group

One of any supported line module and one empty slot in slot group 1

One OCx/STMx ATM line module and one CE1, CT1, CT3, E3, FE-2, HSSI, OC3 (dual
port), T3, or X.21/V.35 line module in slot group 1

Two OCx/STMx ATM line modules in slot group 1

Two CE1, CT1, CT3, E3, FE-2, HSSI, OC3 (dual port), T3, or X.21/V.35 line modules in
any combination in slot group 1

One CE1, cOCx/STMx, COCX-F3, CT1, CT3, CT3/T3 FO, OC3 (dual port), E3, FE-2,
GE/FE, HSSI, IPSec Service, OCx/STMx, T3, or X.21/V.35 line module or one TSM
line module in slot groups 2, 3 or 4

Examples of combinations that allow line rate performance

Two CT1 line modules in slot group 1, one CT3 line module in slot group 2, an
OCx/STMx POS line module in slot group 3, and a HSSI module in slot group 4

One CE1 and one E3 line module in slot group 1, one HSSi module in slot group 2, one
FE-2 module in slot group 3, and one OC3 (dual port) line module in slot group 4

Examples of combinations that do not allow line rate performance

A GE/FE line module and any other line module in slot group 1

Two OCx/STMx line modules in slot group 1

Configuring Performance Rate of Line Modules

ERX Edge Routers

Table 5-2 Combinations of line modules for line rate performance (continued)
SRP Module and
System
SRP-10G in ERX-1410
system

Possible Combinations of Line Modules

One of any supported line module and two empty slots in any slot group

One OC3 (dual port) line module and one or two CE1, CT1, CT3, E3, HSSI, T3, or
X.21/V.35 line modules in any combination in any slot group

One OC3 (dual port) line module and one FE-2 line module in any slot group

One OCx/STMx ATM line module and one or two CE1, CT1, FE-2, or X.21/V.35 line
modules in any combination in any slot group

One OCx/STMx ATM line module and one CT3, E3, HSSI, or T3 line module and one
empty slot in any slot group

Two OCx/STMx ATM line modules and one empty slot in any slot group

Two CE1, CT1, CT3, E3, FE-2, HSSI, OC3 (dual port), T3, or X.21/V.35 line modules in
any combination and one empty slot in any slot group

Two CT3, E3, HSSI, or T3 line modules and one CE1, CT1, FE-2, or X.21/V.35 line
module in any combination in any slot group

One CT3, E3, HSSI, or T3 line module and two CE1, CT1, FE-2, or X.21/V.35 line
modules in any combination in any slot group

Three CE1, CT1, FE-2, or X.21/V.35 line modules in any combination in any slot group

Examples of combinations that allow line rate performance

Two OC3 (dual port) line modules in slot group 1, a GE/FE line module in slot group 2,
three CT1 line modules in slot group 3, and two T3 Frame line modules in slot group 4

Two CE1 and one E3 line modules in slot group 1, two HSSI modules in slot group 2,
an OCx/STMx POS line module in slot group 3, and a GE/FE line module in slot
group 4

Examples of combinations that do not allow line rate performance

Three OC3 (dual port) line modules in any slot group

Two OCx/STMx POS line modules in any slot group

5-11

5-12

CHAPTER 5
Managing Line Modules and SRP Modules

Table 5-2 Combinations of line modules for line rate performance (continued)
SRP Module and
System
SRP-5G+ in ERX-705
system

Possible Combinations of Line Modules

Note: The total bandwidth of all line modules must not exceed 5 Gbps. To make optimal
use of the available bandwidth, put line modules that require maximum bandwidth in slots
2, 3, or 4.

One of any supported line module and one empty slot in slot group 1

One OCx/STMx ATM line module and one CE1, CT1, CT3, E3, FE-2, HSSI, OC3 (dual
port), T3, or X.21/V.35 line module in slot group 1

Two OCx/STMx ATM line modules in slot group 1

Two CE1, CT1, CT3, E3, FE-2, HSSI, OC3 (dual port), T3, or X.21/V.35 line modules in
any combination in slot group 1

One CE1, cOCx/STMx, COCX-F3, CT1, CT3, CT3/T3 FO, OC3 (dual port), E3, FE-2,
GE/FE, HSSI, IPSec Service, OCx/STMx, T3, or X.21/V.35 line module or one TSM in
slot groups 2, 3 or 4

Examples of combinations that allow line rate performance

Two OCx/STMx ATM line modules (total 2.44 Gbps) in slot group 1 and a GE/FE line
module (2.46 Gbps) in slot group 4

Two OCx/STMx ATM line modules (total 2.44 Gbps) in slot group 1, a HSSI module
(0.54 Gbps) in slot group 2, a CT3 3 line module (0.54 Gbps) in slot group 3, and a T3
Frame (0.54 Gbps) line module in slot group 4

Examples of combinations that do not allow line rate performance

Two OCx/STMx ATM line modules (total 2.44 Gbps) in slot group 1, a GE/FE line
module (2.46 Gbps) in slot group 3, and an OCx/STMx POS line module (2.46 Gbps) in
slot 4 (violates chassis limitation)

Two OCx/STMx POS line modules (total 4.92 Gbps) in slot group 1 (violates slot group
limitation)

Specifying the Type of Performance

After you have installed a suitable combination of line modules, you must
specify the type of performance. To specify the type of performance:
1

Issue the show bandwidth oversubscription command.

If the setting is not the one you want, enable or disable bandwidth
oversubscription.

Reboot the system.

Configuring Performance Rate of Line Modules

ERX Edge Routers

bandwidth oversubscription

Use to enable bandwidth oversubscription for an ERX-700, ERX-705, or

ERX-1410 system. Reboot the system after you have issued this command to
change the bandwidth oversubscription status.

By default, bandwidth oversubscription is enabled.

Example
host1#bandwidth oversubscription

Use the no version to disable bandwidth oversubscription. Reboot the system

after you have issued this command to change the bandwidth oversubscription
status.

Monitoring Bandwidth Oversubscription

Use the show bandwidth oversubscription and show utilization (see

Monitoring Modules, later in this chapter) commands to monitor the
status of bandwidth oversubscription.
show bandwidth oversubscription

Use to display the bandwidth oversubscription status for an ERX-700,

ERX-705, or ERX-1410 system.

Example 1: This example shows the display when bandwidth oversubscription

is enabled.
host1#show bandwidth oversubscription
Bandwidth oversubscription is currently in effect.

Example 2: This example shows the display that appears after you issue the no
bandwidth oversubscription command to disable bandwidth
oversubscription.
host1#no bandwidth oversubscription
host1#show bandwidth oversubscription
Bandwidth oversubscription is currently in effect.
Bandwidth oversubscription will not be in effect the next
time the system reboots.

Example 3: This example shows the display when bandwidth oversubscription

is disabled.
host1#show bandwidth oversubscription
Bandwidth oversubscription is currently not in effect.

Example 4: This example shows the display that appears after you issue the
bandwidth oversubscription command to enable bandwidth
oversubscription.
host1#bandwidth oversubscription
host1#show bandwidth oversubscription
Bandwidth oversubscription is currently not in effect.
Bandwidth oversubscription will be in effect the next time
the system reboots.

5-13

5-14

CHAPTER 5
Managing Line Modules and SRP Modules

Troubleshooting

If you enter a forbidden combination of line modules or exceed the slot

group bandwidth when you have not configured bandwidth
oversubscription, you will see an error message.
For example, suppose you originally configure the system for bandwidth
oversubscription and then want to change to full line rate performance.
You forget to remove line modules or disable slots, and enter the no
bandwidth oversubscription command. The following message
appears:
host1(config)#no bandwidth oversubscription
% failed : bandwidth over subscribed at slot 0-2

To resolve the problem, remove the unwanted line modules, or disable

the slots that contain those line modules.
Optimizing Bandwidth

If you change line modules in a quadrant that contains FE-2 or OC3

(dual port) line modules, issue the reload slot command on the slots that
contain the FE-2 or OC3 (dual port) line modules. This action optimizes
the bandwidth in the quadrant. If you do not optimize the bandwidth,
the line modules in the quadrant may not operate at the optimal rate or
may be disabled.
If a line module is disabled because of insufficient bandwidth, when you
issue the show version commands, the description disabled (cfg error)
appears in the display for the affected modules. In addition, depending on
the log configuration, the following message may appear on the console:
Line card in slot xx is disabled because of lack of fabric
bandwidth in the quadrant

Line Module Redundancy

You can install an extra line module in a group of identical line modules
to provide redundancy if one of the modules fails. To use this feature, you
must also install a redundancy midplane and a redundancy I/O module.
For a detailed explanation of how the system provides redundancy for line
modules and procedures for installing the modules, see the ERX
Installation and User Guide.
The process by which the system switches to the spare line module is
called switchover or failover. During switchover, the line, circuit, and IP
interfaces on the I/O module appear to go down temporarily. The
duration of the downtime depends on the number of interfaces and the

Line Module Redundancy

ERX Edge Routers

size of the routing table, because the system must reload the interface
configuration and the routing table from the SRP module.
If the line module software is not compatible with the running SRP
module software release, a warning message appears on the console.
Automatic Switchover

Provided you have not issued the redundancy lockout command for the
primary line module, the system switches over to the spare line module
automatically if it detects any of the following failures on the primary line
module:
Power-on self-test (POST) failure
Software-detected unrecoverable error
Software watchdog timer expiration
Primary line module failure to respond to keepalive polling from the
SRP module
Removal, disabling, or reloading of the primary line module
Missing or disabled primary line modules when the system reboots
Resetting the primary line module via the concealed push button
Limitations of Automatic Switchover

If automatic switchover is enabled on a slot (the default configuration)

and a spare line module is available, issuing some CLI commands for the
primary line module causes a switchover (see Table 5-3).
You can also disable automatic switchover on individual slots. See
Configuring Line Module Redundancy, later in this chapter.
Table 5-3 Commands that can cause automatic switchover
Command

Reason for Automatic Switchover

slot disable <primary-line-module-slot>

The command disables the primary line module but not

the primary I/O module.

reload slot <primary-line-module-slot>

The command is equivalent to pushing the reset button

on the primary line module.

5-15

5-16

CHAPTER 5
Managing Line Modules and SRP Modules

Reversion after Switchover

You can install only one spare line module in the group of slots covered
by the redundancy midplane. If the system is using the spare line module,
no redundancy is available. It is desirable to revert to the primary module
as soon as possible. By default, the system does not automatically revert to
the primary module after switchover; however, you can configure it to do
so. (See Configuring Line Module Redundancy, later in this chapter.)
Before reversion can take place, the primary line module must complete
the POST diagnostics.
Configuring Line Module Redundancy

You can modify the default redundancy operations on the system as

follows:
Disable automatic switchover on a slot.
Enable automatic reversion after switchover.
redundancy lockout

Use to prevent the system from switching automatically to a spare line module
if the primary module in the specified slot fails.

The redundancy force-failover command overrides the redundancy lockout

command.

Example
host1(config)#redundancy lockout 5

Use the no version to restart redundancy protection for the slot.

Use to enable the system to revert from all spare line modules to the
associated primary line modules automatically.

Reversion takes place when the primary line module is once again available
unless you specify a time of day. In that case, reversion takes place only when
the primary module is available and after the specified time.

Example

redundancy revertive

host1(config)#redundancy revertive 23:00:00

Use the no version to disable automatic reversion.

Managing Line Module Redundancy

When the system is running and a redundancy group is installed, you can
manage the redundancy situation as follows:
Force switchover manually.
Force reversion manually.

Line Module Redundancy

ERX Edge Routers

redundancy force-failover

Use to force the system to switch from the primary line module in the specified
slot to the spare line module.

The command causes a single switchover. When you reboot, the system will
revert to the configured setting for this slot.

The redundancy force-failover command overrides the redundancy lockout

command.

Example
host1#redundancy force-failover 5

There is no no version.

Use to force the system to revert to the primary line module in the specified
slot.

The system acts on this command immediately unless you specify a time or a
time and date that the action is to take place.

The command causes a single reversion. When you reboot, the system uses
the configured setting for this slot.

Example

redundancy revert

host1#redundancy revert 4 23:00:00 5 September 200X

There is no no version.

Monitoring Line Module Redundancy

You can use show commands to monitor the status of redundancy groups
and line modules.
show environment

Use to display information about the hardware installed for redundancy.

See ERX System Basics Configuration Guide, Chapter 4, Managing the

System, for details and examples.

Use to display detailed information about the line modules and SRP modules.

See Monitoring Modules, later in this chapter, for details and examples.

show hardware

5-17

5-18

CHAPTER 5
Managing Line Modules and SRP Modules

show redundancy

Use to display the configuration for line module redundancy.

Field descriptions

slot slot in which the line module resides

hardware role function of the line module: primary or spare
redundancy midplane type identifier for the type of midplane
redundancy midplane rev hardware revision number of the redundancy
midplane

lockout config status of redundancy on this line module

protected line module redundancy is enabled
locked out line module redundancy is disabled

backed up by slot slot that contains the line module that is a spare for this
primary line module

sparing for slot slot that contains the primary line module for which this line
module is a spare

Example
In the following example, the user issues a show redundancy command, then
a force failover command. Finally, the user issues another show redundancy
command. The two displays show how the states of the primary and spare line
modules change.

host1#show redundancy
automatic reverting is off
hardware
slot

role

----

--------

redundancy midplane
type

rev

-------------------

lockout

backed up

config

by slot

for slot

sparing

------

---------

--------

---

---

---

---

---

---

---

---

---

---

---

---

spare

---

---

---

primary

protected

---

---

host1#redundancy force-failover 9
host1#show redundancy
automatic reverting is off
hardware
slot

role

----

--------

redundancy midplane
ID

rev

-------------------

lockout

backed up

config

by slot

for slot

sparing

------

---------

--------

---

---

---

---

---

---

---

---

---

---

---

---

spare

---

---

primary

protected

---

SRP Module Redundancy

ERX Edge Routers

show version

Use to display information about each module in the system.

See ERX System Basics Configuration Guide, Chapter 4, Managing the

System, for details and examples.

SRP Module Redundancy

This section covers general issues of SRP module redundancy. For
information about managing NVS in a system that contains two SRP
modules, see Managing NVS Cards on SRP Modules.
The SRP module uses a 1:1 redundancy scheme. When two SRP
modules are installed in the system, one acts as a primary and the second
as a redundant module. Both SRP modules share a single SRP I/O
module located in the rear of the chassis.
After you install two SRP modules, the modules negotiate for the primary
role. A number of factors determine which module becomes the primary;
however, preference is given to the module in the lower slot. The SRP
modules record their latest roles and retain them the next time you switch
on the system.
With the default software settings, if the primary SRP module fails, the
redundant SRP module assumes control without rebooting itself. For
information about preventing the redundant SRP module from assuming
control, see Managing Line Module Redundancy, earlier in this chapter.
When the redundant SRP module assumes control, the following
sequence of events occurs:
1

The original primary SRP module reboots and assumes the

redundant role.

The redundant SRP module restarts and assumes the primary role
without reloading new code. (When upgrading software, you must
reload the software on the redundant SRP module. See ERX
Installation and User Guide, Appendix E, Installing ERX System
Software.)

All line modules reboot.

The following actions activate the redundant SRP module:

Failure of the primary SRP module (hardware or software)
Pushing the recessed reset button on the primary SRP module (see
Figure 5-1)
Issuing the srp switch command

5-19

5-20

CHAPTER 5
Managing Line Modules and SRP Modules

board reset button

Figure 5-1 SRP module

Installing a Redundant SRP Module

You can install a redundant SRP module into a running system, provided
that the redundant SRP module has a valid software release on its NVS
card. Access to a software release in NVS ensures that the redundant SRP
module can boot; the release need not be the same as that on the primary
SRP module. To install a redundant SRP module into a running system,
follow these steps:
Warning: Do not insert any metal object, such as a screwdriver, or place your hand
into an open slot or the backplane when the system is on. Remove jewelry
(including rings, necklaces, and watches) before working on equipment that is
connected to power lines. These actions prevent electric shock and serious burns.
Caution: When handling modules, use an antistatic wrist strap connected to the
systemss ESD grounding jack, and hold modules by their edges. Do not touch the
components, pins, leads, or solder connections. These actions help to protect
modules from damage by electrostatic discharge.

Install the redundant SRP module into the open SRP slot (slot 6 or 7
for the ERX-1400 series; slot 0 or 1 for the ERX-700 series).
For detailed information about installing the SRP module, see the
ERX Installation and User Guide.

SRP Module Redundancy

ERX Edge Routers

Wait for the redundant SRP module to boot, initialize, and reach the
standby state.
When the module is in standby state, the REDUNDANT LED is on
and the ONLINE LED is off. If you issue the show version
command, the state field for the slot that contains the redundant
SRP module should be standby.

Synchronize the NVS file system of the redundant SRP module to

that of the primary SRP module.

Reboot the redundant SRP module.

Use to reboot a selected slot on the router.

Example

reload slot

host1#reload slot 7

There is no no version.

Use to force the file system of the redundant SRP module to synchronize with
the NVS file system of the primary SRP module.

If you synchronize the redundant SRP module with the primary SRP module
and the redundant module is armed with a release different than the one it is
currently running, the redundant SRP module is automatically rebooted to load
the armed release.

Example

synchronize

host1#synchronize

There is no no version.

Managing SRP Module Redundancy

You can prevent the redundant SRP module from taking over when:
The primary SRP module experiences a software failure.
You push the reset button on the primary SRP module.
Note: If you do not configure this option, when troubleshooting an SRP module,
disconnect the other SRP module from the system. This action prevents the
redundant SRP module from taking over if you push the reset button on the
primary SRP module.

5-21

5-22

CHAPTER 5
Managing Line Modules and SRP Modules

To configure this option:

1

Issue the disable-switch-on-error command.

Synchronize the NVS file system of the redundant SRP module to

that of the primary SRP module.

Refer to the commands and guidelines in the previous section and below.
disable-switch-on-error

Use to prevent the redundant SRP module from taking over if the primary SRP
module experiences a software failure or if you push the reset button on the
primary SRP module.

Issue the sync command immediately before you issue this command.

If you issue the disable-switch-on-error command, and later issue the srp
switch command, the redundant SRP module waits about 30 seconds before it
takes over from the primary SRP module.

Example
host1(config)#disable-switch-on-error

Use the no version to revert to the default situation, in which the redundant
SRP module takes over if the primary SRP module experiences a software
failure.

Use to force the NVS file system of the redundant SRP module to synchronize
with the NVS file system of the primary SRP module.

If you synchronize the redundant SRP module with the primary SRP module
and the redundant module is armed with a release different than the one it is
currently running, the redundant SRP module is automatically rebooted to load
the armed release.

Example

synchronize

host1#synchronize

There is no no version.

Switching to the Redundant SRP Module

To switch immediately from the primary SRP module to the redundant

SRP module, issue the srp switch command. You can configure the
system to prompt you if the modules are in a state that could lead to loss
of configuration data or NVS corruption.

SRP Module Redundancy

ERX Edge Routers

srp switch

Use to switch from the primary SRP module to the redundant SRP module.

If you specify the force keyword, the procedure will fail if the SRP modules are
in certain states, such as during a synchronization. In these cases, the system
will display a message that indicates that the procedure cannot currently be
performed and the reason why. However, if the SRP modules are in other
states that could lead to a loss of configuration data or an NVS corruption, the
system displays a message that explains the state of the SRP modules, and
asks you to confirm (enter yes or no) whether you want to proceed.

If you do not specify the force keyword, the procedure will fail if the SRP
modules are in any state that could lead to a loss of configuration data or an
NVS corruption, and the system will display a message that explains why the
command failed.

When you issue this command, the system prompts you for a confirmation
before the command takes effect.

If you issue the disable-switch-on-error command, and later issue the srp
switch command, the redundant SRP module waits about 30 seconds before it
takes over from the primary SRP module.

If the system does not contain a redundant SRP module, this command has no
effect.

Example
host1#srp switch
host1#srp switch force

There is no no version.

Upgrading Software on a Redundant SRP Module

For information about upgrading software on SRP modules, see ERX

Installation and User Guide, Appendix E, Installing ERX System
Software
Monitoring the Status LEDs

You can determine the redundancy state of line modules and SRP
modules by examining their status LEDs. See Table 5-4 for a
description of the LEDs functions. In addition, if you issue the show
version command, the state field for the slot that contains the
redundant SRP module should be standby.
Table 5-4 Function of the online and redundant LEDs
ONLINE
LED

REDUNDANT LED State of the Module

Off

Off

Module is booting or is an inactive primary line

module.

5-23

5-24

CHAPTER 5
Managing Line Modules and SRP Modules

Table 5-4 Function of the online and redundant LEDs (continued)

ONLINE
LED

REDUNDANT LED State of the Module

On

Off

Module is active, but no redundant module is

available.

Off

On

Module is in standby state.

On

On

Module is active, and a redundant module is

available.

Managing NVS Cards on SRP Modules

Each SRP module contains an NVS card that stores system files. In this
documentation, the NVS card on the primary SRP module is referred to
as the primary NVS card; the NVS card on the redundant SRP module is
referred to as the redundant NVS card.
If you have two SRP modules installed in a system, you can use NVS
cards of different capacities on the SRP modules. The effective capacity
of the higher-capacity NVS card will equal that of the lower-capacity
NVS card.
NVS Features

The software contains a number of features that optimize the way the
system restores its configuration if it is shut down improperly:
The system tracks improper shutdowns.
If you shut down the system improperly, it will run an investigation of
the file allocation table (FAT) the next time it reboots.
The system creates backups of critical files.
When you install a new NVS card or restart the system after shutting it
down incorrectly, a utility scans the NVS card to detect corrupt
sectors. If the utility finds files or directories that contain corrupt
sectors, it removes the files and directories, because they can no longer
be used. The utility also fixes problems with unused sectors. If the
utility cannot correct a corrupt sector, it marks the sectors so that they
cannot be reused.
In a system that contains two SRP modules, if the scanning utility
detects corrupt sectors in NVS on the primary SRP module during
rebooting, the primary SRP module will reboot again. Both SRP
modules will now have standby status and will be rebooting. The first
SRP module to complete rebooting will assume the primary role.

Managing NVS Cards on SRP Modules

ERX Edge Routers

Because the former redundant module started to reboot first, it will

probably assume the primary role. When the former primary has
rebooted and the scan utility has fixed corrupt sectors in its NVS, the
SRP modules will synchronize. Any files or directories removed by the
scan utility will be restored during the synchronization.
If you reboot the system before it has completely written configuration
updates to NVS, the system will start with the last saved configuration.
If you reboot the system after it has written the configuration updates
to NVS, but before it has applied those updates to actual configuration
data, the configuration update process resumes immediately following
the reboot and completes before any application accesses its
configuration data.
To prevent corruption of NVS cards, always issue the halt command
before you remove an NVS card or an SRP module (see Removing an
SRP Module). Always reboot the system using the rebooting procedure
(see Chapter 8, Booting the System); do not reboot the system by
switching it off and on.
Installing and Removing NVS Cards

For information about replacing NVS cards, see ERX Installation and
User Guide, Chapter 3, Installing ERX Modules.
Synchronizing NVS Cards

If the system contains two SRP modules, it is important to keep the

contents of the modules NVS cards synchronized. Synchronization
prevents the redundant NVS card from overwriting saved files on the
primary NVS card if the primary SRP module fails and the redundant
SRP module assumes control.
By default, autosynchronization is enabled on the system.
Autosynchronization runs as a background process every 5 minutes,
tracking changes in image, configuration, and script files, and keeping
the two SRP modules synchronized. You can also synchronize the SRP
modules manually by issuing the synchronization command.
Before synchronization, the system does the following:
Checks that critical files on the primary SRP module are present. If
there are missing files, the system does not proceed with the
synchronization.
Checks whether there is enough space on the redundant NVS to copy
all the new or changed files from the primary NVS card.

5-25

5-26

CHAPTER 5
Managing Line Modules and SRP Modules

Depending on the outcome of the second check, the system proceeds as

follows:
If there is enough space, the system copies new or changed files from
the primary NVS card to the redundant NVS card without deleting
any files on the redundant NVS card. If the system is interrupted when
it is synchronizing with this method, the synchronization will resume
when it has recovered from the interruption.
If there is not enough space, the system deletes any files on the
redundant NVS card that do not appear on the primary NVS card,
then copies new or changed files from the primary NVS card to the
redundant NVS card. If the system is interrupted when it is
synchronizing with this method, it will not resume with the
synchronization when it has recovered from the interruption.
If an SRP synchronization is in progress or has failed and the system is
recovering, the system will prevent the redundant SRP module from
assuming the primary role while the primary is rebooting, and for thirty
seconds after the primary has rebooted. These conditions prevent a
redundant SRP module with corrupted or missing files from becoming
the primary and overwriting files or directories on the primary module.
synchronize

Use to force the file system of the redundant SRP module to synchronize with
the NVS file system of the primary SRP module.

If you synchronize the redundant SRP module with the primary SRP module
and the redundant module is armed with a release different than the one it is
currently running, the redundant SRP module is automatically rebooted to load
the armed release.

Example
host1#synchronize

There is no no version.

Synchronizing NVS Cards of Different Capacities

If the capacity of the primary NVS card is equal to or smaller than that of
the redundant NVS card, the system copies all the files from the primary
NVS card to the redundant NVS card. However, if the capacity of the
primary NVS card exceeds that of the redundant NVS card, the system
creates an invisible synchronization reserve file on the primary NVS
card, provided that there is enough space for the file.

Managing NVS Cards on SRP Modules

ERX Edge Routers

The purpose of the synchronization file is to prevent the creation of data

that will not fit on the redundant NVS card. The file contains no useful
data, and is not visible when you view the files in NVS. The size of the file
is equal to the difference in capacities of the two NVS cards. For example,
if the primary NVS card has a capacity of 224 MB, and the redundant
NVS card has a capacity of 220 MB, the size of the synchronization file is
4 MB, and only 220 MB of space is available on the primary NVS card.
If there is not enough space on the primary NVS card to create the
synchronization reserve file, the synchronize command fails, and you
see a warning message on the console. To resolve this issue, either delete
unwanted files from the primary NVS card or replace the redundant
NVS card with a higher-capacity NVS card.
Disabling Autosynchronization

If autosync is enabled while you are copying very long scripts or installing
new software releases, it detects a disparity between the modules during
the middle of the process. This feature causes significant unnecessary
synchronization, resulting in prolonged copy times.
If you have installed a redundant SRP module, perform the following
steps before copying long scripts:
1

Turn off autosynchronization with the disable-autosync command.

Perform the installation or copy the script.

Reenable autosynchronization with the no disable-autosync

command.

Manually synchronize the modules with the synchronize

command.

Refer to the commands and guidelines in the previous section and below.
disable-autosync

Use to turn off automatic synchronization between the primary and redundant
SRP modules.

Example
host1(config)#disable-autosync

Use the no version to revert to the default situation, in which automatic

synchronization runs as a background process every 5 minutes.

5-27

5-28

CHAPTER 5
Managing Line Modules and SRP Modules

Reformatting the Primary NVS Card

You can reformat the primary NVS card. To do so:

1

Access Boot mode.

a

From Privileged Exec mode, enter the reload command.

Information on the reloading process displays.

When the countdown begins, press the <mb> key sequence

(case-insensitive).
This puts the CLI in Boot mode (:boot## prompt).
If you do not press the <mb> key sequence, the reloading process
continues and returns the CLI to the normal User Exec mode.

Issue the flash-disk initialize command.

flash-disk initialize

Use to reformat the NVS card.

You can perform a low-level format of the NVS card.
Note: This command is available only in the Boot mode.

Example
host1#halt primary
host1#reload
WARNING: Execution of this command will cause the system to
reboot.
Proceed with reload? [confirm]
Reload operation commencing, please wait...
[ Press mb]
:boot##flash-disk initialize

There is no no version.

Copying the Image on the Primary SRP Module

You can copy the contents of NVS on the primary SRP module to a spare
NVS card. To do so:
1

Access Boot mode.

a

From Privileged Exec mode, enter the reload command.

Information on the reloading process displays.

When the countdown begins, press the <mb> key sequence

(case-insensitive).
This action puts the CLI in Boot mode (:boot## prompt).
If you do not press the <mb> key sequence, the reloading process
continues and returns the CLI to the normal User Exec mode.

Managing NVS Cards on SRP Modules

ERX Edge Routers

Issue the flash-disk duplicate command.

Follow the instructions on the screen. When prompted, insert the

original or spare NVS card in the primary SRP module.

flash-disk duplicate

Use to copy the contents of the primary NVS card to a spare NVS card.

The primary and spare NVS cards must be from the same manufacturer and
must have the same size.
Note: This command is available only in the Boot mode.

When you issue the flash-disk duplicate command, insert the original and
spare NVS cards when prompted. The system copies the NVS contents
incrementally, so you may need to exchange the NVS cards several times.

Example
host1#halt primary
host1#reload
WARNING: Execution of this command will cause the system to
reboot.
Proceed with reload? [confirm]
Reload operation commencing, please wait...
[ Press mb]
:boot##flash-disk duplicate

There is no no version.

Scanning NVS Cards

You can scan NVS to find files with errors. You can also run a scan that
will remove files with errors and attempt to repair corrupted areas in
NVS. If the repair fails, the system will no longer use the corrupted areas.
flash-disk scan

Use to scan and repair files on the NVS cards.

Note: This command is available only in the Boot mode.

If the system contains primary and redundant modules, NVS on the primary
SRP module will be scanned.

Example
In this example, the user scans NVS and finds one file with an error. The user
then issues the flash-disk scan with the repair keyword to remove the file.
Finally, the user scans NVS again, and finds no files with errors.
:boot##flash-disk scan
Proceed with Flash disk scan? [confirm]
Srp PCMCIA Card Scan...
Boot Block OK
File Allocation Table OK
Root Directory OK

5-29

5-30

CHAPTER 5
Managing Line Modules and SRP Modules

Checking File Space

Please Wait...
Checking Free Space
Please Wait...
PCMCIA Card Scan Detected Errors in:
\\images\ct1Diag\ct1Diag3c440e9e.cmp
PCMCIA Card Scan successful!

:boot##flash-disk scan repair

WARNING: Execution of this command may cause the contents of
the Flash disk to
be modified.
Proceed with Flash disk scan? [confirm]
Srp PCMCIA Card Scan...
Boot Block OK
File Allocation Table OK
Root Directory OK
Checking File Space
Please Wait...
Checking Free Space
Please Wait...
PCMCIA Card Scan Removed:
\\images\ct1Diag\ct1Diag3c440e9e.cmp
PCMCIA Card Scan successful!

:boot##flash-disk scan
Proceed with Flash disk scan? [confirm]
Srp PCMCIA Card Scan...
Boot Block OK
File Allocation Table OK
Root Directory OK
Checking File Space
Please Wait...
Checking Free Space
Please Wait...
PCMCIA Card Scan successful!

There is no no version.

Managing the Ethernet Port on the SRP Module

ERX Edge Routers

Monitoring NVS Cards

Use the show nvs command to monitor information about NVS on the
primary SRP module.
show nvs

Use to monitor NVS status.

Field descriptions

total nvs file sizes sum of sizes of all files in NVS, in bytes
total nvs file errors number of read and write errors in all files in NVS
nvs flash in use NVS used, in bytes
available nvs flash NVS available, in bytes
total nvs file sizes =

228864

total nvs file errors = 0

nvs flash in use =

1265152

available nvs flash =

35435008

Managing the Ethernet Port on the SRP Module

For information about configuring the Fast Ethernet port on the SRP I/O
module, see ERX Installation and User Guide, Chapter 5, .
Use the Fast Ethernet port on the SRP I/O module only as a system
management port. Do not use this port to route Fast Ethernet traffic,
because doing so affects the performance of the system.
Use an FE-2 line module and an FE-2 I/O module or a GE/FE line
module and an FE-8 I/O module to route 10/100BaseT traffic. For
information about configuring Ethernet interfaces, see Chapter 6,
Configuring Ethernet Interfaces.
interface fastEthernet

Use to select an FE interface on a line module or SRP module.

Example
host1-0-1-90(config)#interface fastEthernet 1/0

Use the no version to remove IP from an interface or subinterface.

Monitoring Statistics

You can set a baseline and view statistics on the Fast Ethernet port of the
SRP I/O module in the same way that you would for other Ethernet
interfaces. See Chapter 6, Configuring Ethernet Interfaces.

5-31

5-32

CHAPTER 5
Managing Line Modules and SRP Modules

Monitoring the Ethernet Configuration for the SRP Module

Slots 0 and 1 are reserved for SRP modules on the ERX-700 series; slots 6
and 7 are reserved for SRP modules on the ERX-1400 series. When you
configure the Fast Ethernet interface on an SRP module, the output of
the show config command always indicates that the interface is
configured in the lower of the two slots (slot 0 or slot 6). This is true if you
configure the interface on a redundant SRP module in the higher slot or
even if you have only one SRP module and it is installed in the higher slot,
as shown in the following example:
host1#show version
Juniper Networks Edge Switch Router ERX1400
Copyright (c) 1998-2001 Juniper Networks, Inc.

All rights reserved.

System Release: x-y-z.rel

Version: x-y-z (April 25, 200X 09:44)
System running for: 0 days, 0 hours, 4 minutes, 43 seconds
(since TUE MAY 01 2001 20:27:19 UTC)
running
slot

state

type

admin

spare

release

----

-------

------------

-------

-----

-------------

---

---

---

---

---

---

---

---

---

online

UT3a

enabled

---

x-y-z.rel

online

OC3dP2

enabled

---

x-y-z.rel

---

---

---

---

---

---

---

---

---

---

---

---

---

---

online

SRP-10G

enabled

---

x-y-z.rel

standby

OC3/OC12-ATM

enabled

spare

x-y-z.rel

---

---

---

---

---

---

---

10

online

OC3-4A

enabled

---

x-y-z.rel

11

online

OC3-4A

enabled

---

x-y-z.rel

12

online

OC3-4A

enabled

---

x-y-z.rel

13

---

---

---

---

---

host1#configure terminal
Enter configuration commands, one per line.

End with CNTL/Z.

host1(config)#interface fastethernet 7/0

host1(config-if)#ip address 10.6.130.83 255.255.128.0
host1(config-if)#exit
host1(config)#ip route 0.0.0.0 0.0.0.0 10.6.128.1
host1(config)#exit
host1#show config
! Juniper Networks Edge Switch Router RX1400
! Version: x-y-z (April 25, 2001

09:44)

! Copyright (c) 1998-2001 Juniper Networks, Inc.

All rights reserved.

Monitoring Modules
ERX Edge Routers

!
! Configuration script generated on TUE MAY 01 2001 20:33:20 UTC
boot config running-configuration
boot system x-y-z.rel
no boot backup
no boot subsystem
no boot backup subsystem
no boot force-backup
no boot slot
!
hostname "host1"
exception protocol ftp anonymous null
!
controller t3 2/0
[...]
!
interface fastEthernet 6/0
ip address 10.6.130.83 255.255.128.0
!
ip route 0.0.0.0 0.0.0.0 10.6.128.1
! Trap Source: <not configured>
! Note: SNMP server not running.
!

Monitoring Modules
Use the following commands to view information about line modules and
SRP modules.
show hardware

Use to display information about the SRP modules, line modules, and I/O
modules in the system.

Field descriptions

slot physical slot that contains the module

type kind of module; an e at the end of an SRP module type (for example,
SRP-5Ge) indicates that the module includes error-checking code (ECC).

serial number serial number of the module

assembly number part number of the module
assembly rev. hardware revision of the module
ram (MB) memory capacity of the host processor
number of MAC addresses total number of Ethernet addresses on an I/O
module

base MAC address lowest Ethernet address on an I/O module

5-33

5-34

CHAPTER 5
Managing Line Modules and SRP Modules

Example

host1#show hardware
serial

assembly

assembly

slot

type

number

number

rev.

ram
(MB)

----

------

----------

----------

--------

----

SRP-5G

7199160022

3400002900

A03

128

---

---

---

---

---

---

---

---

---

---

OC3dP2

7199190218

3401002800

---

---

A02

64

---

---

---

CT3P2

7199160121

3401002501

A02

64

CT2

7199160311

3401002011

A03

64
number
of

serial

assembly

assembly

MAC

slot

type

number

number

rev.

addresses

----

----------

----------

----------

--------

---------

SRP-5G I/O

7199170147

3400003301

---

2
3

---

---

---

OC3dP2 I/O

7199030030
---

A01

16

---

---

---

---

---

---

3400003400

---

CT3P2 I/O

7199150162

3400003200

A03

CT1 I/O

7199460217

3400006401

A02

slot

base MAC address

----

-----------------

00-90-1a-00-09-a0

---

---

---

A01
---

---

3
4

---

5
6

show utilization

Use to display information about the resources that modules consume.

Field descriptions

slot slot in which the line module resides

type type of module
heap % percentage of the RAM that is currently in use by software running
on the line module

cpu % percentage of line modules CPU capacity currently used

Monitoring Modules
ERX Edge Routers

bw exceed status of bandwidth oversubscription for this slot (this field

appears only when bandwidth oversubscription is configured)
Y indicates that this slot is in an oversubscribed slot group
--- indicates no line module installed or no bandwidth oversubscription
host1#show utilization
System Resource Utilization
--------------------------heap

cpu

bw

(%)

(%)

exceed

----

---

------

slot

type

----

------------

DPFE

65

35

OC12Atm(P2)

59

44

OC3/OC12-ATM

67

53

3
4

---

---

---

---

---

---

---

---

OC3d

79

---

SRP-10G

27

---

---

---

---

---

---

---

---

---

---

---

---

---

45

25

---

---

---

---

---

---

---

10

CE1

11
12
13

UT3a

77

---

---

---

5-35

5-36

CHAPTER 5
Managing Line Modules and SRP Modules

Passwords and
Security

Passwords and security are of utmost importance for the security of your
system. This chapter provides the information you need to configure your
ERX system to be secure for all levels of users.
Topic

Page

Overview

6-1

Setting Basic Password Parameters

6-2

Setting and Erasing Passwords

6-5

Vty Line Authentication

6-11

Virtual Terminal Access Lists

6-16

Secure System Administration with SSH

6-16

Restricting User Access

6-27

Overview
One of your major management responsibilities is to secure your system.
To do this, assign passwords or secrets to the system. In Global
Configuration mode, you can set passwords or secrets to prevent
unauthorized users from accessing the system in Privileged Exec mode.
Passwords and secrets have the same degree of security on your system,
and they are used interchangeably. You can define either a password or a
secret for your system, but not both.

6-2

CHAPTER 6
Passwords and Security

Setting Basic Password Parameters

This section shows how to set up basic passwords and secrets on your
system. You cannot create your own encrypted passwords and secrets.
You must use encrypted passwords and secrets that the system generates.
Note: See Setting and Erasing Passwords later in this chapter for additional
commands for erasing and monitoring passwords.

Creating Encrypted Passwords

This example encrypts password t1meout1 and creates a password for

privilege level 10.
1

Enable and configure the password. The 0 keyword specifies that

you are entering an unencrypted password.
host1(config)#enable password level 10 0 t1meout1

Display the encrypted password.

host1(config)#exit
host1#show secrets
Current Password Settings
------------------------encryption

encrypted

level

type

password/secret

-----

------------

--------------------

----------

7 (password)

dq]XG`,%N"SS7d}o)_?Y

configured

mode

0
1
2
3
4
5
6
7
8
9
10

You or users with high privilege levels can now use the encrypted
password, dq]XG`,%N"SS7d}o)_?Y, with the password command.

Setting Basic Password Parameters

ERX Edge Routers

Creating Secrets

This example generates a secret for the password rocket, and creates a
secret for privilege level 15.
1

Enable and configure the secret. The 0 keyword specifies that you
are entering an unencrypted secret.
host1(config)#enable secret level 15 0 rocket

Display the secret.

host1(config)#exit
host1#show secret
Current Password Settings
------------------------encryption

encrypted

level

type

password/secret

-----

----------

--------------------

----------

5 (secret)

bcA";+1aeJD8)/[1ZDP6

configured

mode

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

You or users with high privilege levels can now use the encrypted
password, bcA";+1aeJD8)/[1ZDP6, with the password command.
Encrypting Passwords in Configuration File

You can also direct the system software to encrypt passwords saved in the
configuration file by using the service password-encryption
command. This command is useful to keep unauthorized individuals
from viewing your password in your configuration file. It is important to
remember that this command uses a simple cipher and is not intended to
protect against serious analysis. You can tell if a string is encrypted if it is
preceded by an 8.

6-3

6-4

CHAPTER 6
Passwords and Security

Commands and Guidelines

Use the following commands and guidelines to set passwords or secrets for
the privilege levels.
enable password

Use to set a password, which controls access to Privileged Exec mode and
some configuration modes.

Enter the password in plain text (unencrypted) or cipher text (encrypted). In

either case, the system stores the password as encrypted.

The first time you define a password, you must enter it in plain text. To view its
encrypted form, use the show config display. To redefine the password at a
later date, you can enter the password in its encrypted form.

You can use the following keywords:

0 (zero) specifies an unencrypted password

7 specifies an encrypted password

Example 1 (unencrypted password)

host1(config)#enable password 0 mypassword

Example 2 (encrypted password)

host1(config)#enable password 7 x13_2

Use the no version to remove the password.

Use to set a secret, which controls access to the Privileged Exec mode and
some configuration modes.

Enter the secret in plain text (its unencrypted form) or cipher text (its encrypted
form). In either case, the system stores the secret as encrypted.

The first time you define a secret, you must enter it in plain text. To view its
encrypted form, use the show config display. To redefine the secret at a later
date, you can enter the secret in its encrypted form.

You can use the following keywords:

erase secrets

0 (zero) specifies an unencrypted secret

5 specifies an encrypted secret

Example 1 (unencrypted secret)

host1(config)#enable secret 0 yalta45

Example 2 (encrypted secret)

host1(config)#enable secret 5 y13_x

Use the no version to remove the secret.

Setting and Erasing Passwords

ERX Edge Routers

service password-encryption

Use to encrypt passwords that are saved in the systems configuration file. The
command converts plain text to cipher text. The default is no encryption.

Use of this command prevents casual observers from viewing passwords, for
example, in data obtained from show config displays. The command is not
intended to provide protection from serious analysis.

This command does NOT apply to passwords set with enable secret, enable
password, or password (Line Configuration mode).

This command does apply to authentication key passwords and BGP neighbor
passwords.

Example
host1(config)#service password-encryption

Use the no version to remove the encryption assignment.

Setting and Erasing Passwords

You can set the following passwords:
Enable passwords that control access to different groups of commands.
A console password that controls access to the console.
Passwords for individual vty lines or groups of vty lines.
Privilege Levels

Different groups of commands are associated with privilege levels

(Table 6-1). You can set enable passwords to allow users to access
commands at different privilege levels.
Table 6-1 Commands available at different privilege levels
Privilege Level

Commands Available

help, exit, enable, and disable commands

User Exec commands plus commands at level 0

Privileged Exec show commands plus commands at levels 0 and 1

10

All commands except support commands

15

Support commands that Juniper Technical Support may provide

and all other commands

To maximize security and usability, set different passwords for levels 1, 5,

10, and 15. By default, no enable passwords exist.

6-5

6-6

CHAPTER 6
Passwords and Security

Accessing Privilege Levels

If users have access to the console, they automatically have access to

privilege level 0. To access higher levels of privilege, they must enter the
enable privilege-level command. When users specify a privilege level, the
system checks to see if there is a password at that level. If there is not, the
system prompts the user for the password for the lower level closest to the
requested level.
Setting Enable Passwords

To set up enable passwords, use the commands described in Setting Basic

Password Parameters earlier in this chapter.
Erasing Enable Passwords

If you forget an enable password or secret, you can erase all enable
passwords and secrets.
Two commands allow you to erase passwords and secrets: erase secrets
and service unattended-password-recovery. It is important to fully
understand the purpose of these commands and how they work with each
other.
The erase secrets command can be used to delete all existing passwords.
To use this command, you must be physically present at the router to
complete the operation. Once the command is executed, you have a finite
number of seconds to press the software reset button on the SRP module.
You can execute this command from the console or any vty.
The service unattended-password-recovery command provides you
with a way to delete existing passwords and secrets without physically
being present at the router. You must have the proper privilege level to
execute the command, and you can execute it from either the console or
any vty.
When you execute service unattended-password-recovery, you
change the behavior of erase secrets. You can now delete passwords and
secrets from the console by executing erase secrets without a time
restraint or having to be physically present at the router. When you use
the no version of service unattended-password-recovery, you revert
the functionality of erase secrets to the factory default setting.

Setting and Erasing Passwords

ERX Edge Routers

To erase all enable passwords or secrets:

1

Log in to the system.

Erase the existing enable password or secret. Specify the number of

seconds to allow for the erase operation.
host1>erase secrets 60

Within the time limit that you specified for the erase secrets
command, press the recessed software reset button on the primary
SRP module (see Figure 6-1).

board reset button

software reset button

Figure 6-1 Location of the software reset button

Note: If you do not press the software reset button within the time limit, the system
will not erase the password, and you will need to repeat the process.

erase secrets

Use to delete all CLI passwords and secrets.

After you issue this command, press the software reset button (see Figure 6-1)
within the time you specify for this command.

6-7

6-8

CHAPTER 6
Passwords and Security

Allows you to set the number of seconds (160) for this procedure to be
accomplished.

Allows you to set a new password when you have forgotten your password.

Can be used with the service unattended password-recovery command.

Example
host1>erase secrets 60

There is no no version.

service unattended password-recovery

Use to allow you to delete all passwords and secrets from the console without
being physically present at the router.

When executed, this command changes the behavior of the erase secrets
command, which will not take any parameters and will not be available through
a vty session.

Example
host1(config)#service unattended password-recovery

Use the no version to revert erase secrets to factory default settings.

Setting a Console Password

By default, there is no console password. To set a console password:

1

Make sure that you know the enable password for the system.
If you need to reset the enable password, see Privilege Levels earlier
in this chapter.

Access Privileged Exec mode, and enter the enable password if

prompted.

Access Global Configuration mode.

Access Line Configuration mode.

host1(config)#line console 0

Enable password checking at login.

host1(config-line)#login

Specify a password.
host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y

Setting and Erasing Passwords

ERX Edge Routers

line

Use to specify the vty lines or the console.

Example
host1(config)#line vty 1 4

Use the no version to remove a vty line or a range of lines from your
configuration; users will not be able to run Telnet, SSH, or FTP to lines that you
remove. When you remove a vty line, the system removes all lines above that
line. For example, no line vty 6 causes the system to remove lines 6 through
19. You cannot remove lines 0 through 4.

Use to enable password checking at login.

The default setting is to enable a password.

Example

login

host1(config)#line vty 1 4
host1(config-line)#login

Use the no version to disable password checking and allow access without a
password.

Use to specify a password on the console, a line or a range of lines.

If you enable password checking, but do not configure a password, the system
will not allow you to access virtual terminals.

Use the following keywords to specify the type of password you will enter:

password

0 (zero) unencrypted password

5 secret
7 encrypted password
Note: To use an encrypted password or a secret, you must follow the procedure in
Setting Basic Password Parameters earlier in this chapter to obtain the encrypted
password or secret. You cannot create your own encrypted password or secret; you
must use a system-generated password or secret.

Example 1 (unencrypted password)

host1(config-line)#password 0 mypassword

Example 2 (secret)
host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6

Example 3 (encrypted password)

host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y

Use the no version of this command to remove the password. By default, no

password is specified.

6-9

6-10

CHAPTER 6
Passwords and Security

Erasing the Console Password

If you forget the console password, you can erase the existing value and
configure a new one. This action deletes all authentication for the console
line. To erase existing passwords:
1

Reboot the system by pressing the recessed software reset button on

the primary SRP module (see Figure 6-1) and then pressing the
<mb> key sequence during the countdown.

Disable authentication at the console level.

:boot##disable console authentication

If you remember the password at this point, you can override this
action by entering:
:boot##no disable console authentication

Reload the operating system.

:boot##reload

When the operating system reloads, you can access the console without a
password.
Note: You will be able to log in to the console without a password until you set a
new password.

Monitoring Passwords

You can use the show secrets command to view all current passwords
and secrets.
show secrets

Use to display all passwords and secrets.

Passwords and secrets appear in their encrypted form.

In the mode column, inherited indicates whether a secret was inherited from a
lower password level. The show config command displays only secrets
configured by the user; it does not display inherited secrets.

Example
host1#show secrets
Current Password Settings
------------------------encryption

encrypted

level

type

password/secret

-----

------------

0
1
2

--------------------

mode
----------

Vty Line Authentication

ERX Edge Routers

3
4
5

7 (password)

zRFj_6>^]1OkZR@e!|S$

configured

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

10

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

11

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

12

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

13

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

14

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

15

7 (password)

zRFj_6>^]1OkZR@e!|S$

inherited

Vty Line Authentication

The system supports 20 virtual tty (vty) lines for Telnet, Secure Shell
Server (SSH) and FTP services. Each Telnet, SSH, or FTP session
requires one vty line. You can add security to your system by configuring
the software to validate login requests. There are two modes of
authentication for a vty line:
Simple authentication password-only authentication via the local
configuration
AAA authentication username and password authentication via a set
of authentication servers
Configuring Simple Authentication

To configure simple authentication:

1

Specify a vty line or a range of vty lines on which you want to enable
the password.
host1(config)#line vty 8 13
host1(config-line)#

Specify the password for the vty lines.

host1(config-line)#password 0 mypassword

Enable login authentication on the lines.

host1(config-line)#login

Display your vty line configuration.

host1#show line vty 8
no access-class in

6-11

6-12

CHAPTER 6
Passwords and Security

data-character-bits 8
exec-timeout never
exec-banner enabled
motd-banner enabled
login-timeout 30 seconds

line

Use to specify the vty line(s) on which you want to enable the password.

You can set a single line or a range of lines. The range is 019.

Example
host1(config)#line vty 8 13

Use the no version to remove a vty line or a range of lines from your
configuration; users will not be able to run Telnet, SSH, or FTP to lines that you
remove. When you remove a vty line, the system removes all lines above that
line. For example, no line vty 6 causes the system to remove lines 6 through
19. You cannot remove lines 0 through 4.

Use to enable password checking at login.

The default setting is to enable a password.

Example

login

host1(config-line)#login

Use the no version to disable password checking and allow access without a
password.

Use to specify a password on a single line or a range of lines.

If you enable password checking but do not configure a password, the system
will not allow you to access virtual terminals.

Specify a password in plain text (unencrypted) or cipher text (encrypted). In

either case, the system stores the password as encrypted.

Use the following keywords to specify the type of password you will enter:

password

0 (zero) unencrypted password

5 secret
7 encrypted password
Note: To use an encrypted password or a secret, you must follow the procedure in
Setting Basic Password Parameters earlier in this chapter to obtain the encrypted
password or secret. You cannot create your own encrypted password or secret; you
must use a system-generated password or secret.

Example 1 (unencrypted password)

host1(config-line)#password 0 mypassword

Example 2 (secret)
host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6

Vty Line Authentication

ERX Edge Routers

Example 3 (encrypted password)

host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y

Use the no version to remove the password. By default, no password is

specified.

Use to display the configuration of a vty line.

Field descriptions

show line vty

access-class access-class associated with the vty line

data-character-bits number of bits per character
7 setting for the standard ASCII set
8 setting for the international character set

exec-timeout time interval that the terminal waits for expected user input
Never indicates that there is no time limit

exec-banner status for the exec banner: enabled or disabled. This banner
is displayed by the CLI after user authentication (if any) and before the first
prompt of a CLI session.

motd-banner status for the MOTD banner: enabled or disabled. This

banner is displayed by the CLI when a connection is initiated.

login-timeout time interval during which the user must log in.
Never indicates that there is no time limit

Example
host1#show line vty 0
no access-class in
data-character-bits 8
exec-timeout 3w 3d 7h 20m 0s
exec-banner enabled
motd-banner enabled
login-timeout 30 seconds

Configuring AAA Authentication

Before you configure AAA authentication, you need to configure a

RADIUS authentication server.
To configure AAA new model authentication for inbound sessions to vty
lines on your system:
1

Specify AAA new model authentication.

host1(config)#aaa new-model

Create an authentication list that specifies the type(s) of

authentication methods allowed.
host1(config)#aaa authentication login my_auth_list radius
line none

6-13

6-14

CHAPTER 6
Passwords and Security

Specify the range of vty lines.

host1(config)#line vty 6 10
host1(config-line)#

If you specified that a password is required in step 2, specify a

password for the vty lines.
host1(config-line)#password xyz

Apply the authentication list to the vty lines.

host1(config-line)#login authentication my_auth_list

aaa authentication login

Use to create a list that specifies the methods of authentication.

Once you specify AAA new model as the authentication method for vty lines, an
authentication list called default is automatically assigned to the vty lines. To
allow users to access the vty lines, you must create an authentication list and
either:

Name the list default.

Assign a different name to the authentication list and assign the new list to
the vty line using the login authentication command.

You can enter up to three authentication methods in an authentication list.

The system traverses the list of authentication methods to determine if a user is

allowed to start a Telnet session. If a specific method is available but the user
information is not valid (such as an incorrect password), the system does not
continue to traverse the list and denies the user a session.

If a specific method is unavailable, the system continues to traverse the list. For
example, if radius is the first authentication type element on the list and the
RADIUS server is unreachable, the system attempts to authenticate with the
next authentication type on the list.

The system assumes an implicit denial of service if it reaches the end of the
authentication list without finding an available method.

Example
host1(config)#aaa authentication login my_auth_list radius
line none

Use the no version to remove the authentication list from your configuration.

Use to specify AAA new model as the authentication method for the vty lines on
your system.

If you specify AAA new model and you do not create an authentication list,
users will not be able to access the system through a vty line.

Example

aaa new-model

host1(config)#aaa new-model

Use the no version to restore simple authentication.

Vty Line Authentication

ERX Edge Routers

line

Use to specify the virtual terminal lines.

You can set a single line or a range of lines. The range is 019.

Example
host1(config)#line vty 6 10

Use the no version to remove a vty line or a range of lines from your
configuration; users will not be able to run Telnet, SSH, or FTP to lines that you
remove. When you remove a vty line, the system removes all lines above that
line. For example, no line vty 6 causes the system to remove lines 6 through
19. You cannot remove lines 0 through 4.

Use to apply an authentication list to the vty lines you specified on your system.

Example

login authentication

host1(config-line)#login authentication my_auth_list

Use the no version to specify that the system should use the default
authentication list.

Use to specify a password on a line or a range of lines if you specified the line
option with the aaa authentication login command.

If you enable password checking but do not configure a password, the system
will not allow you to access virtual terminals.

Use the following keywords to specify the type of password you will enter:

password

0 (zero) unencrypted password

5 secret
7 encrypted password
Note: To use an encrypted password or a secret, you must follow the procedure in
Setting Basic Password Parameters earlier in this chapter to obtain the encrypted
password or secret. You cannot create your own encrypted password or secret; you
must use a system-generated password or secret.

Example 1 (unencrypted password)

host1(config-line)#password 0 mypassword

Example 2 (secret)
host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6

Example 3 (encrypted password)

host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y

Use the no version to remove the password. By default, no password is

specified.

6-15

6-16

CHAPTER 6
Passwords and Security

Virtual Terminal Access Lists

You can provide additional security for your system by using access lists to
restrict access to vty lines.
When the system attempts to authenticate a user, it always selects the first
vty line that has an access class that permits that users host. The vty lines
configuration must authenticate the user to allow access. Otherwise, the
user can never gain access. Consequently, it is recommended that you use
identical authentication configurations for all vtys that have the same
access class list.
To set up access lists:
Associate the access list with inbound Telnet sessions.
host1(config)#line vty 12 15
host1(config-line)#access-class boston in

Configure an access list.

host1(config)#access-list boston permit any

access-class in

Use to associate the access list with vty lines.

Example this example sets the virtual terminal lines to which you want to
restrict access and specifies an access class to grant access to incoming
requests.
host1(config)#line vty 12 15
host1(config-line)#access-class boston in

Use the no version to remove access restrictions.

Use to configure an access list.

Example

access-list

host1(config)#access-list boston permit any

The no version of this command removes the access list.

Secure System Administration with SSH

The system supports the SSH protocol version 2 as a secure alternative to
Telnet for system administration.
Note: Versions earlier than 2.0.12 of the SSH protocol client are not supported.
The SSH server embedded within the system recognizes SSH clients that report
an SSH protocol version of 1.99, with the expectation that such clients are
compatible with SSH protocol version 2.0. Clients that report an SSH protocol

Secure System Administration with SSH

ERX Edge Routers

version of 1.99 apparently do so to determine the protocol version supported by the

server.

SSH provides the following major features:

Server authentication via a Diffie-Hellman key exchange Protects
against hackers interjecting mimics to obtain your password. You can
be confident that you are connected to your own router.
User authentication Ensures that the system is allowing connection
from a permitted host and remote user.
Note: Digital Signature Standard (DSS) public key user authentication for SSH is
not supported. RADIUS password authentication is the only method of user
authentication currently supported. It is enabled by default. If RADIUS
authentication is disabled, then all SSH clients that pass protocol negotiation are
accepted.

Data encryption and key-protected hashing Provides a secure,

trustable session to the upper-layer user interface. Encryption provides
confidentiality by preventing unauthorized persons from listening in
on management traffic. Encryption and hashing ensure data integrity
to obstruct man-in-the-middle attacks, where unauthorized persons
access messages and modify them without detection.
Transport

The SSH transport layer handles algorithm negotiation between the

server and client over TCP/IP. Negotiation begins when the SSH client
and server send each other textual information that identifies their SSH
version. If they both agree that the versions are compatible, the client and
server exchange lists that specify the algorithms that they support for key
exchange, encryption, data integrity via a message authentication code
(MAC), and compression. Each party sends two lists. One list has the
algorithms supported for transmission; the other has the algorithms
supported for receipt. The algorithms are specified in order of preference
in each list. The client and server use the algorithm for each process that
matches the clients highest preference and is supported by the server. If
no intersection is found, the negotiation attempt fails and the connection
is terminated.
If algorithm negotiation is successful, the server sends its public host key
to the client for authentication so the client can be certain it is connected
to the intended host rather than to an imposter. The client compares the
key to its host key database. The client authenticates the server if the key
is found in the database. If the key is not present, then the client can

6-17

6-18

CHAPTER 6
Passwords and Security

accept or reject this new, unknown key depending on how you have
configured the client. See Host Key Management later in this chapter.
When the client authenticates the servers host key, it begins the transport
key exchange process by sending the key data required by the negotiated
set of algorithms. The server responds by sending its own key data set. If
both sides agree that the keys are consistent and authentic, the keys are
applied so that all subsequent messages between client and server are
encrypted, authenticated, and compressed according to the negotiated
algorithms.
User Authentication

User authentication begins after the transport keys are applied. The client
typically asks the server which authentication methods it supports. The
server responds with a list of supported methods with no preference.
The client specifies a user authentication method. If the chosen method is
supported by the server, the client then challenges the userthat is, the
client prompts the user for a password or public-key pass phrase. The
client sends the challenge response from the user and the username to the
server. The server authenticates the user based on this response.
The system software currently supports only RADIUS password
authentication, which is enabled by default. The RADIUS server
validates the username and password from its database. If user
authentication is disabled, then all SSH clients that pass protocol
negotiation are accepted.
Connection

The SSH connection layer creates the user session when the user is
authenticated. The server waits for a connection request. The system
currently supports only shell requests, which the server interprets as a
request for a hook into a CLI session. The server ignores any other
requests, such as X11 or TCP/IP tunneling.
Key Management

The ERX system implementation of SSH provides for management of

user keys and host keys.
User Key Management

Key administration is still under development for the server environment.

Secure System Administration with SSH

ERX Edge Routers

Host Key Management

You create a host key for the SSH server with the crypto key generate
dss command. If a host key already exists, this command replaces it with
a new key and terminates all ongoing SSH sessions. Any SSH clients that
previously accepted the old host key reject the new key the next time the
client and server connect. The client then typically instructs the end user
to delete the locally cached host key and to try to connect again.
Caution: Use caution issuing the crypto key generate dss command from an
SSH client. Issuing this command will terminate that SSH session; it will be the last
command you send from that session.

The public half of the host key is sent from the server to the client as part
of the transport layer negotiation. The client attempts to find a match for
this key with one stored locally and assigned to the server. If the client
does not find a match, it can accept or reject the key sent from the server.
Refer to your client documentation for detailed information. You
typically configure the client to do one of the following:
Never accept an unknown key.
Always accept an unknown key.
Query the administrator before accepting an unknown key.
If you do not want the client ever to trust the server when it sends an
unknown key, you must manually copyusing the copy commandthe
host key from each server to each intended client. This is the only way to
be certain that each client has a local copy of the necessary keys for
matching during negotiation.
If you configure the client to accept unknown keyseither automatically
or with administrator approvalthis acceptance policy applies only to the
first time the client receives a key from a particular server. When the SSH
client accepts a host key, it stores the key locally and uses it for all future
comparisons with keys received from that host. If the client subsequently
receives a different keya new unknownfrom that server, it is rejected.
You cannot configure an SSH client to accept a new key after it has
accepted a key from an SSH server. You must delete the old key before a
new key can be accepted.
Performance

Generating a host key is computationally intensive and can take up to

several minutes depending on the load of the system. The system cannot
accept any CLI inputs from that session while it is generating the key.

6-19

6-20

CHAPTER 6
Passwords and Security

Encryption, data integrity validation, and compression are all

computationally intensive. These features can affect system performance
in the following ways:
Reduce the effective baud rate compared with Telnet or the local CLI.
Users are unlikely to notice this performance degradation because user
interaction is inherently slow compared with other system operations.
Increase the general load on the system CPU.
Security Concerns

There are two areas where you might be concerned about security with
the current support of SSH:
Only RADIUS user authentication is supported. If you disable user
authentication, all users are accepted if the client and server
successfully complete negotiation.
Because the load on the system CPU increases with use of SSH, you
might be concerned about denial-of-service attacks. However, the
forwarding engine takes care of this issue, because it limits the rate at
which it sends packets to the system controller. A flood of packets from
a packet generator does not cause problems regardless of whether SSH
is enabled.
Before You Configure SSH

You must obtain and install a commercial SSH client on the host from
which you want to administer the system. Versions earlier than 2.0.12 of
the SSH client are not supported.
Determine your Telnet policy before you configure SSH on your system.
Effective use of SSH implies that you should severely limit Telnet access
to the system. To limit Telnet access, create access control lists that
prevent almost all Telnet usage, permitting only trusted administrators to
access the system via Telnet. For example, you might limit access to
administrators who need to Telnet to the system from a remote host that
does not have the SSH client installed.
You must install and configure a RADIUS server on a host machine
before you configure SSH on your system. Refer to your RADIUS server
documentation for information on choosing a host machine and installing
the server software. You must also configure the RADIUS client on your
system. See ERX Broadband Access Configuration Guide, Chapter 1,
Configuring Remote Access to the ERX System for more information.

Secure System Administration with SSH

ERX Edge Routers

SSH Configuration Tasks

You configure SSH on individual virtual routers, rather than the global
system. To configure SSH:
1

Access the context of the virtual router.

Configure encryption.

Configure user authentication, including connection parameters.

Configure message authentication.

Enable SSH.

Display SSH to verify configuration.

Configuring Encryption

The embedded SSH server and external SSH client maintain separate
lists of the encryption algorithms that each supports. Lists are kept for
inbound and outbound algorithms. For the server:
Inbound means the algorithms that the server supports for
information coming in from a client.
Outbound means the algorithms that the server supports for
information it sends out to a client.
You must configure each list separately. Refer to your SSH client
documentation for details on configuring encryption on your client. The
system supports the following SSH algorithms for encryption:
3des-cbc A triple DES block cipher with 8-byte blocks and 24 bytes
of key data. The first 8 bytes of the key data are used for the first
encryption, the next 8 bytes for the decryption, and the following 8
bytes for the final encryption.
blowfish-cbc A block cipher with 8-byte blocks and 128-bit keys that
provides strong encryption and is faster than DES.
twofish-cbc A block cipher with 16-byte blocks and 256-bit keys that
is stronger and faster than Blowfish encryption.
Although it is not recommended, you can also specify none. In this case,
the system does not perform encryption.

6-21

6-22

CHAPTER 6
Passwords and Security

ip ssh crypto

Use to add an encryption algorithm to the specified support list for the SSH
server.
Example 1 this example adds the blowfish-cbc algorithm to the list of
supported inbound algorithms.
host1(config)#ip ssh crypto client-to-server blowfish-cbc

Example 2 this example removes the 3des-cbc algorithm from the list of
supported outbound algorithms.
host1(config)#ip ssh crypto server-to-client no 3des-cbc

The default version restores the specified list to the factory default, which
includes all supported algorithms (3des-cbc, twofish-cbc, and blowfish-cbc).
The default list does not include the none option.
Example
host1(config)#ip ssh crypto server-to-client default
3des-cbc

If you do not specify a direction (client-to-server or server-to-client), the

command applies the algorithm to both inbound and outbound lists.

Use the no version to remove or exclude an algorithm from the specified list.

Configuring User Authentication

The system supports RADIUS for user authentication. RADIUS

authentication is enabled by default. You must have previously
configured a RADIUS server on a host machine and the RADIUS client
on your system.
You can specify timeout and retry limits to control the SSH connection
process. The limits apply only from the time the user first tries to connect
until the user has been successfully authenticated. The timeout limits are
independent of any limits configured for virtual terminals (vtys). The
following limits are supported:
SSH timeout The maximum time allowed for a user to be
authenticated, starting from the receipt of the first SSH protocol
packet.
Authentication retry The number of times a user can try to correct
incorrect informationsuch as a bad passwordin a given connection
attempt.
Sleep Prevents a user that has exceeded the authentication retry
limit from connecting from the same host within the specified period.
See the following commands.

Secure System Administration with SSH

ERX Edge Routers

ip ssh authentication-retries

Use to set the number of times that a user can retry a failed authentication,
such as trying to correct a wrong password. The SSH server terminates the
connection when the limit is exceeded.

Specify an integer from 020.

Example
host1(config)#ip ssh authentication-retries 3

Use the no version to restore the default value of 20 retry attempts.

ip ssh disable-user-authentication

Use to disable RADIUS password authentication. If you disable RADIUS

authentication, all SSH clients that pass protocol negotiation are accepted.

RADIUS authentication is enabled by default.

Example
host1(config)#ip ssh disable-user-authentication

Use the no version to restore RADIUS authentication.

Use to set a sleep period in seconds for users that have exceeded the
authentication retry limit. Connection attempts from the user at the same host
are denied until this period expires.

Specify any nonnegative integer.

Example

ip ssh sleep

host1(config)#ip ssh sleep 300

Use the no version to restore the default value of 600 seconds.

Use to set a timeout period in seconds. The SSH server terminates the
connection if protocol negotiationincluding user authenticationis not
completed within this timeout.

Specify an integer from 10600.

Example

ip ssh timeout

host1(config)#ip ssh timeout 480

Use the no version to restore the default value of 600 seconds.

Configuring Message Authentication

The SSH server and SSH client maintain separate lists of the message
authentication algorithms that each supports. Lists are kept for inbound
and outbound algorithms. For the server, inbound means the algorithms
that the server supports for information coming in from a client. For the
server, outbound means the algorithms that the server supports for

6-23

6-24

CHAPTER 6
Passwords and Security

information it sends out to a client. You must configure each list

separately. The system supports the following SSH algorithms for hash
function-based message authentication:
hmac-sha1 Uses Secure Hash Algorithm 1 (SHA-1) to create a
160-bit message digest from which it generates the MAC.
hmac-sha1-96 Uses the first 96 bits of the SHA-1 message digest to
generate the MAC.
hmac-md5 Uses MD5 hashing to create a 128-bit message digest
from which it generates the MAC.
Although it is not recommended, you can also specify none. In this case,
the system does not verify the integrity of the data.
ip ssh mac

Use to add a message authentication algorithm to the specified support list for
the SSH server.
Example
host1(config)#ip ssh mac server-to-client hmac-md5

This example adds the hmac-md5 algorithm to the list of supported outbound
algorithms.

If you to not specify a direction (client-to-server or server-to-client), the

command applies the algorithm to both inbound and outbound lists.

The default version restores the specified list to the factory default, which
includes all supported algorithms (hmac-md5, hmac-sha1, and hmac-sha1-96).
The default list does not include the none option.
Example
host1(config)#ip ssh mac client-to-server default hmac-sha1

This example restores the hmac-sha1 algorithm to the list of supported inbound
algorithms.

Use the no version to remove or exclude an algorithm from the specified list.
Example
host1(config)#ip ssh mac client-to-server no hmac-sha1

This example removes the hmac-sha1 algorithm from the list of supported
inbound algorithms.

Enabling and Disabling SSH

The SSH server daemon starts only if the server host key exists when the
system boots. The host key resides in NVS and is persistent across system
reboots. Once started, the daemon listens for traffic on TCP port 22. The
server daemon is disabled by default.

Secure System Administration with SSH

ERX Edge Routers

crypto key dss

Use the generate keyword to create the SSH server host key and enable the
daemon.

Example
host1(config)#crypto key generate dss

Use the zeroize keyword to remove the SSH server host key and stop the SSH
daemon if it is running. Issuing this command terminates any active client
sessions. The next time the system boots after this command is issued, the
SSH server daemon is not started.
The command is not displayed by the show config command.
Note: SSH can be enabled or disabled regardless of the state of the Telnet daemon.
If SSH is enabled, use access control lists to limit access via Telnet. See Virtual
Terminal Access Lists in this chapter for information on using access control lists.

Example
host1(config)#crypto key zeroize dss

There is no no version.

Displaying SSH Status

You can monitor the current state of the SSH server with the show ip
ssh command.
show ip ssh

Use to display the current state of the SSH server.

Use the detail keyword to display the encryption and MAC algorithm lists for
the client and server. For each active session, detail shows the version of SSH
running on the client and the algorithms in use for encryption and message
authentication.

Example
host1#show ip ssh

Field descriptions

daemon status indicates whether the SSH server is enabled; if so, how
long it has been up

supported encryption, inbound encryption algorithms supported inbound

from the client

supported encryption, outbound encryption algorithms supported outbound

to the client

supported MAC, inbound message authentication code algorithms

supported inbound from the client

supported MAC outbound message authentication code algorithms

supported outbound to the client

connections since last system reset number of connections made via SSH
since the last time the system was reset

6-25

CHAPTER 6
Passwords and Security

6-26

connections since daemon startup number of connections made since the

SSH server was enabled

active sessions number of SSH sessions currently active

id session ID number
username username for the remote user that initiated the session
host IP address of the remote client
uptime (d:h:m:s) duration of the session
client version version of the SSH software run by the remote client
ciphers inbound/outbound encryption algorithms used by the client and
the system for this session
MAC inbound/outbound message authentication code algorithms used
by the client and the system for this session

Example

host1#show ip ssh detail

SSH Server version: SSH-2.0-2.0.12
daemon status: enabled, up since MON NOV 08 1999 14:38:19 UTC
supported encryption, inbound: 3des-cbc,blowfish-cbc,twofish-cbc
supported encryption, outbound: 3des-cbc,blowfish-cbc,twofish-cbc
supported MAC, inbound: hmac-sha1,hmac-sha1-96,hmac-md5
supported MAC, outbound: hmac-sha1,hmac-sha1-96,hmac-md5
connections since last system reset: 4 out of 4 attempts
connections since daemon startup:

4 out of 4 attempts

active sessions: 1

id
3

username
mcarr

host

uptime
(d:h:m:s)

client version

10.0.0.145

0:00:00:19

SSH-2.0-2.0.12 F-SECURE SSH

ciphers
inbound/outbound
3des-cbc/3des-cbc

MAC
inbound/outbound
hmac-md5/hmac-md5

To view failed connection attempts and other protocol errors logged at

the error severity level, use the show log data command:
host1#show log data category ssh severity error

Terminating an SSH Session

You can use the session identifier to terminate an SSH session.

disconnect ssh

Use to terminate an active SSH session.

Use the show ip ssh command to determine the session identifier for the
session to terminate.

Restricting User Access

ERX Edge Routers

Example
host1(config)#disconnect ssh 12
Note: You can also use the clear line vty terminal command to terminate SSH
sessions. In that case, use the show users command to determine the virtual
terminal number to specify with the clear line vty terminal command.

There is no no version.

Restricting User Access

Users who are authenticated via RADIUS can be restricted to certain sets
of commands and virtual routers (VRs).
Restricting Access to Commands

You can use RADIUS authentication to specify a level of command

access for users. If you do not configure RADIUS authentication for the
console or virtual terminals, all users who successfully log in are
automatically granted Level 1 access.
The vendor-specific attribute (VSA) admin-auth-level supports the levels
of access shown in Table 6-2.
Table 6-2 CLI user access levels
Access Level Commands Available
0

disable, enable, exit, and help commands

Level 0 commands and all other commands available in User Exec

mode

Level 1 commands and all Privileged show commands

10

All commands except support commands

15

Commands that Juniper Networks Technical Support may provide and

all other commands

In addition to VSA access level support, the software provides access to

levels 1 and 10 through the initial-auth-level in the standard RADIUS
service-type attribute. If the RADIUS service-type attribute is included in
the RADIUS access-accept message, the standard attribute overrides any
VSA setting.

6-27

6-28

CHAPTER 6
Passwords and Security

If you are using the RADIUS service-type attribute to assign access levels,
the system sets the initial-auth-level as follows:
If the service-type attribute is set to administrative, then the
initial-auth-level is set to 10.
If the service-type attribute is set to nas prompt or login, the
initial-auth-level is set to 1.
Per-User Enable Authentication

Once a user is authenticated through RADIUS, the RADIUS server

provides the ERX system with the names of the privilege levels (for
example, 10) that the user has enable access to. When the user
attempts to access a privilege level through the enable command, the
system either denies or approves the users request. The decision to deny
or approve the users request is based on the list the system received
through RADIUS. See Table 6-3.
Table 6-3 Juniper Networks-specific CLI access VSA descriptions

VSA

Description

Type

Length

Subtype
Subtype Length

Juniper-Initial-CLIAccess-Level

Specifies the initial level of

access to CLI commands.

26

len

18

sublen

Single attribute;
enter only: 0, 1,
5, 10, or 15

Juniper-Alt-CLIAccess-Level

Specifies level of access to

CLI commands.

26

len

20

sublen

Single attribute;
enter only: 0, 1,
5, 10, or 15

Value

Note: All levels to which a user can have access must explicitly be specified in the
Admin-Auth-Set VSA.

The user is not prompted for a password, since the system knows whether
or not the user should have access to the requested level. If the user is not
authenticated through RADIUS, the system uses the system-wide enable
passwords instead.
Restricting Access to Virtual Routers

You can use RADIUS authentication to specify whether users can access
all virtual routers (VRs), one specific VR, or a set of specific VRs.
Note: This classification is independent of the command access levels
configurable via the Juniper-Initial-CLI-Access-Level VSA.

The VSA Juniper-Allow-All-VR-access controls access; the VSA

Juniper-Virtual-Router controls the VR to which the user logs in, and the

Restricting User Access

ERX Edge Routers

VSA Juniper-Alt-CLI-Virtual-Router-Name specifies which VRs other

than the VR specified by the VSA Juniper-virtual-router are accessible to
restricted users. See Table 6-4.
Table 6-4 Juniper Networks-specific virtual router access VSA descriptions

VSA

Description

Type

Length

Subtype
Subtype Length Value

Juniper-Allow-All-VRAccess

Specifies user access to all

virtual routers.

26

len

19

sublen

Integer:
0 disable,
1 enable

Juniper-Virtual-Router

Specifies the VR to which the

user logs in or the only VR to
which a user has access. The
default setting is the default VR.

26

len

sublen

String:
virtual-routername

Juniper-Alt-CLI-Virtual-Ro Specifies a VR, other than the

uter-Name
VR specified by the
Juniper-Virtual-Router VSA, to
which the user has access. You
can define this VSA multiple
times to define a set of VRs to
which a user has access.

26

len

21

sublen

String:
virtual-routername

VSA Configuration Examples

Consider a system on which five VRs have been configured. The VRs are
called Boston, Chicago, Detroit, Los Angeles, and San Francisco. The
following examples illustrate how to use the VSAs to control a users
access to these VRs.
Example 1

In this example, you want the user to have access to all VRs and to log in
to the default VR. Accept the default setting or set the following VSA:
Juniper-Allow-All-VR-Access 1

Example 2

In this example, you want the user to have access to all VRs and to log in
to the VR Boston. Set the VSAs as follows:
Juniper-Allow-All-VR-Access 1
Juniper-Virtual-Router Boston

Example 3

In this example, you want the user to have access only to the VR Boston.
Set the VSAs as follows:
Juniper-Allow-All-VR-Access 0
Juniper-Virtual-Router Boston

6-29

6-30

CHAPTER 6
Passwords and Security

Example 4

In this example, you want the user to log in to VR Boston, and to have
access to VRs Chicago, Los Angeles, and San Francisco. Set the VSAs as
follows:
Juniper-Allow-All-VR-Access 0
Juniper-Virtual-Router Boston
Juniper-Alt-CLI-Virtual-Router-Name Chicago
Juniper-Alt-CLI-Virtual-Router-Name Los Angeles
Juniper-Alt-CLI-Virtual-Router-Name San Francisco
Commands Available to Users

If you do not configure RADIUS authentication for the console or virtual

terminals, there are no restrictions on VR access for any user who
successfully logs onto the system. For example, nonrestricted users can
Issue the virtual-router command in Privileged Exec mode, to switch
to another previously created virtual router.
Issue the virtual-router command in Global Configuration mode to
create a new virtual router and switch to its context.
Access Global Configuration mode to configure the system and virtual
routers.
View all settings for the system and all virtual routers.
User restricted to one or a set of specific VRs can see and use only a
limited set of commands to monitor the status of those VRs and view
some configuration settings on those VRs. More specifically, such users
Can issue the virtual-router command in Privileged Exec mode to
switch to another previously configured VR to which they have access.
Cannot create new VRs or access VRs other than those to which they
have access.
Cannot access Global Configuration mode and cannot configure VRs
to which they have access.
Cannot see or use any commands associated with the file system, boot
settings, or system configuration.
Table 6-5 lists some, but not all, commands accessed from User Exec or
Privileged Exec mode that are available only to users with no VR
restriction.

Restricting User Access

ERX Edge Routers

Table 6-5 User Exec or Privileged Exec mode commands

clear line

reload

show redundancy

clock set

reload slot

show secrets

copy

rename

show subsystems

copy running-configuration

redundancy force-failover

show timing

delete

redundancy revert

show users

dir

show boot

show utilization

disconnect ssh

show config

srp switch

configure

show exception dump

synchronize

erase secrets

show ip ssh

halt

show line

6-31

6-32

CHAPTER 6
Passwords and Security

Writing CLI Macros

The ERX system has an embedded macro language that enables you to
define and run macros that will generate and execute CLI commands.
Macro filesidentified by the .mac extensioncan be used to store more
than one macro. Depending on your needs, you might want to store all of
your macros in one file, group macros by function, or store only one
macro per file.
Topic

Page

Writing Macros

7-1

Running Macros

7-16

Practical Examples

7-19

Writing Macros
You must write macros on your computer, not on the ERX system. The
macros can contain loops, variables, string and numeric values, and
conditional statements. Macros can invoke other macros (as long as they
are contained within the same macro file), including themselves, but
infinite recursion is not permitted. Macros are case-insensitive.
Macros consist of control expressions and noncontrol expressions.
Control expressions are enclosed by control brackets, which are
angle-bracket and number sign pairs, like this: <# controlExpression #>.
Examples of control expressions include the macro name and macro end
statements, and while loops. A control expression can include multiple
operation statements if you separate the statements with semicolons (;).
For example:
<# i:=0; while i++ < 3 #>

7-2

CHAPTER 7
Writing CLI Macros

All macros must have names consisting only of letters, numbers, and the
underline character (_). The first character of a macro name cannot be a
number. If you include more than one macro within a macro file, each
macro must have a unique name. The first line of a macro defines the
macros name:
<# macroName #>

Noncontrol expressions are not enclosed by control brackets and simply

become part of the generated CLI command text.
You must end all macros with the following control expression:
<# endtmpl #>

You can add comments to your control expressions to clarify the code by
prefacing the comment with forward slashes (//) inside the control
brackets:
<# endtmpl //A comment in the macro end expression #>

Text after the // is ignored when the macro is run and is not displayed by
the CLI.
You can also add comments outside the control expressions by prefacing
the comment with an exclamation point (!). The CLI displays these
comments if you use the test or verbose keywords with the macro
command; the CLI never regards these comments as commands.
!This is a comment outside any control expression

You can improve the readability of a macro by using tabs to indent

expressions. Leading and trailing tabs have no effect on the macro
output, because they are removed when the macro is run.
Example

The following is a simple macro that you can use to configure the IP
interface on the Fast Ethernet port of the SRP module after you have
restored the factory defaults:
<# ipInit #>
<# ipAddress := env.getline (IP Address of System?) #>
ena
conf t
int f0/0
ip addr <# ipAddress; \n #>
ip route 10.0.0.0 255.0.0.0 192.168.1.1
host pk 10.10.0.166 ftp
<# endtmpl #>

Writing Macros
ERX Edge Routers

Environment Commands

Macros use environment commands to write data to the macro output, to

determine a value, or to call other commands. Table 7-1 describes the
environment commands that are currently supported.
Table 7-1 Environment commands
Command

Description

env.delay(int delay)

Causes the macro to delay further execution

for the number of seconds specified by delay

env.getLine

Prompts the user with a question mark (?) and

waits for a response

env.getLine(string prompt-string)

Prompts the user with the value of

prompt-string and waits for a response

env.getLineMasked

Prompts the user with a question mark (?),

waits for a response, and echoes the response
with an asterisk (*) for each character entered
by the user

env.getLineMasked(string
prompt-string)

Prompts the user with the value of

prompt-string, waits for a response, and
echoes the response with an asterisk (*) for
each character entered by the user

env.argc

Returns the number of arguments passed to

the macro

env.argv(n)

Returns the value of the nth argument, such

that 1 <= n <= env.argc
The returned value is a string, not a number; if
you want to use this value for a subsequent
numeric operation, you must first convert it to
a number with the env.atoi(string) command

env.argv(0)

Returns the name of the macro

env.atoi(string)

Converts the specified string to a numeric

value

env.atoi(env.argv(n))

Converts input values to integers

Variables

A local variable enables you to store a value used by the macro while it
executes. The macro can modify the value during execution. Local
variables can be integers, real numbers, or strings. The initial value of
local variables is zero.
Like macros, local variables must have a name consisting only of letters,
numbers, or the underline character (_). The variable name must not
begin with a number. You must not use a reserved keyword as a variable
name.

7-3

7-4

CHAPTER 7
Writing CLI Macros

Literals

A literal is an exact representation of numeric or string values. Every

number is a literal. Place single or double quotation marks around a
string to identify it as a string literal. You can specify special characters
within a literal string by prefacing them with a backslash as follows:
quotation mark

double quotation mark \

Examples

tab

\t

carriage return

\r

new line

\n

string end

\0

backslash

\\

42
98.6
string literal
count
\t this string starts with a tab and ends with a tab \t

Operators

You can use operators to perform specific actions on local variables or

literals, resulting in some string or numeric value. Table 7-2 lists the
available macro operators in order of precedence by operation type.
Operators within a given row are equal in precedence.
Table 7-2 Macro operators
Operation Type

Operators

Extraction

substr()

String

Multiplicative

rand()

round()

truncate()

Arithmetic

++

Relational

<

>

<=

>=

!=

Logical

||

&&

Assignment

:=

Miscellaneous

[]

()

<#

#>

Writing Macros
ERX Edge Routers

Table 7-3 briefly describes the action performed by each operator.

Table 7-3 Operator actions
Operation

Operator

Action

Arithmetic
(binary)

Adds the right and left sides together

Arithmetic
(binary)

Subtracts the element to the right of the operator from

the element to the left of the operator

Assignment

:=

Evaluates the elements to the right of the operator, then

assigns that value to the local variable to the left of the
operator

Combine

Creates a new string by joining the values of the right

and left sides; converts any numeric values to strings
before joining

Less than

<

Evaluates as true (returns a 1) if the element to the left of

the operator is less than the expression to the right of
the operator; otherwise the result is false (0)

Greater than

>

Evaluates as true (returns a 1) if the element to the left of

the operator is greater than the expression to the right of
the operator; otherwise the result is false (0)

Less than or
equal to

<=

Evaluates as true (returns a 1) if the element to the left of

the operator is less than or equal to the expression to
the right of the operator; otherwise the result is false (0)

Greater than or
equal to

>=

Evaluates as true (returns a 1) if the element to the left of

the operator is greater than or equal to the expression to
the right of the operator; otherwise the result is false (0)

Equal to

Evaluates as true (returns a 1) if the element to the left of

the operator is equivalent to the expression to the right
of the operator; otherwise the result is false (0)

Not equal to
(logical NOT)

!=

Evaluates as true (returns a 1) if the element to the left of

the operator is not equal to the expression to the right of
the operator; otherwise the result is false (0)

Logical OR

||

Evaluates as true (returns a 1) if the values of either the

left or right sides is nonzero; evaluation halts at the first
true (1) expression

Logical AND

&&

Evaluates as true (returns a 1) if the values of the left

and right sides are both nonzero; evaluation halts at the
first false (0) expression

Miscellaneous

[]

See Invoking Other Macros in this chapter for usage.

Miscellaneous

See While Constructs in this chapter for usage.

Miscellaneous

()

Groups operands and operators to achieve results

different from simple precedence; effectively has the
highest precedence

7-5

7-6

CHAPTER 7
Writing CLI Macros

Table 7-3 Operator actions (continued)

Operation

Operator

Action

Miscellaneous

Provides access to environment commands; see

Table 7-1. Provides access to macros; see Invoking
Other Macros

Miscellaneous

Separates operation statements within a control

expression

Miscellaneous

<# #>

Encloses control expressions

Multiplication

Multiplies the expression to the left of the operator by the

expression to the right

Division

Divides the expression to the left of the operator by the

expression to the right

Modulo

Divides the expression to the left of the operator by the

expression to the right and returns the integer
remainder. If the expression to the left of the operator is
less than the expression to the right, then the result is
the expression to the left of the operator.

Postincrement

++

Increments the variable after the expression is evaluated

Postdecrement

Decrements the variable after the expression is

evaluated

Preincrement

++

Increments the variable before the expression is

evaluated

Predecrement

Decrements the variable before the expression is

evaluated

Negation

Reverses the logical state of its operand. 0 is returned

for nonzero operands. 1 is returned for operands that
evaluate to zero.

Arithmetic
(unary)

Provides the absolute value of the value

Arithmetic
(unary)

Provides the inverse of the value

Substring

substr()

Extracts a portion of a string

Randomize

rand()

Generates a random integer between the provided

endpoints, inclusive

Round

round()

Rounds the value to the nearest integer

Truncate

truncate()

Truncates a noninteger value to the value left of the

decimal point

Assignment

Use the assignment operator (:=) to set the value of a local variable. The
expression to the right of the operator is evaluated, and then the result is
assigned to the local variable to the left of the operator. The expression to

Writing Macros
ERX Edge Routers

the right of the operator can include the local variable if you want to
modify its current value.
Example

<# i := i + 1 #>
<# count := count - 2 #>

Increment and Decrement

You can use the increment operator (++) to increase the value of a local
variable by one. You specify when the value is incremented by the
placement of the operator. Incrementing occurs after the expression is
evaluated if you place the operator to the right of the operand.
Incrementing occurs before the expression is evaluated if you place the
operator to the left of the operand.
Example 1

<# i := 0; j := 10 #>
<# j := j - i++ #>

In Example 1, the result is that i equals 1 and j equals 10, because the
expression is evaluated (10 0 = 10) before i is incremented.
Example 2

<# i := 0; j := 10 #>
<# j := j - ++i #>

In Example 2, the result is still that i equals 1, but now j equals 9, because
i is incremented to 1 before the expression is evaluated (10 1 = 9).
Similarly, you can use the decrement operator ( ) to decrement local
variables. Placement of the operator has the same effect as for the
increment operator.
When a local variable with a string value is used with the increment or
decrement operators, the value is permanently converted to an integer
equal to the length in characters of the string value.
String Operations

The combine operator ($) concatenates two strings into one longer string.
Numeric expressions are converted to strings before the operation
proceeds. The variable local evaluates to want a big:
<# local := want a $ big #>

Extraction Operations

The extraction operations are substring (substr), randomize (rand), round,

and truncate. These operators are equal in precedence, and all take
precedence over the string operator.

7-7

7-8

CHAPTER 7
Writing CLI Macros

You can use the substring operator (substr) to extract a shorter string from
a longer string. To use the substring operator, you must specify the source
string, an offset value, and a count value. You can specify the string
directly, or you can specify a local variable that contains the string. The
offset value indicates the place of the first character of the substring to be
extracted; 0 indicates the first character in the source string. The count
value indicates the length of the substring. If the source string has fewer
characters than the sum of the offset and count values, then the resulting
substring has fewer characters than indicated by the count value.
Example

<# local := want a $ big $ string #>

<# substr(local, 5, 12) #>The result is a big string
<# substr(local, 0, 10) #>The result is want a big
<# substr(ready, 0, 4) #>The result is read

The random operator produces a random integer value from the

specified inclusive range; in the following example, the result is between 1
and 10:
<# number:= rand(1,10) #>

The round operator rounds off the number to the nearest integer:
<# decimal:= 4.7 #>
<# round(decimal) #>The result is decimal is now 5

The truncate operator truncates noninteger numbers to the value left of

the decimal point:
<# decimal:= 4.7 #>
<# truncate(decimal) #>The result is decimal is now 4

Arithmetic Operations

The arithmetic operations are multiply (*), divide (/), modulo (%), add (+),
and subtract (-). Multiply, divide, and modulo are equal in precedence,
but each has a higher precedence relative to add and subtract. Add and
subtract are equal in precedence.
Example

<# 4 % 3 + 12 - 6 #>The result is 7

When a local variable with a string value is used with arithmetic

operators, the value is temporarily converted to an integer equal to the
length in characters of the string value. You can use the env.atoi
commands to avoid this situation.

Writing Macros
ERX Edge Routers

Relational Operations

The relational operations compare the value of the expression to the left
of the operator with the value of the expression to the right. The result of
the comparison is 1 if the comparison is true and 0 if the comparison is
false.
If the expressions on both sides of the operator are strings, they are
compared alphabetically. If only one expression is a string, the numeric
value is used for comparison. Arithmetic operators have a higher
precedence.
Example

<# i := 9; i++ < 10 #>The result is 1

<# i := 9; ++i < 10 #>The result is 0

Logical Operations

You can use the logical operators AND (&&), OR (||), and NOT (!) to
evaluate expressions. The result of the operation is a 1 if the operation is
true and 0 if the operation is false.
For the logical AND, the result of the operation is true (1) if the values of
the expressions to the left and right of the operator are both nonzero. The
result of the operation is false (0) if either value is zero. The evaluation
halts when an expression is evaluated as zero.
For the logical OR, the result of the operation is true (1) if the values of
the expression on either the left or right of the operator is nonzero. The
result of the operation is false (0) if both values are zero. The evaluation
halts when an expression is evaluated as nonzero.
The NOT operator must precede the operand. The operation inverts the
value of the operand; that is, a nonzero expression becomes 0, and a zero
expression becomes 1. For the logical NOT, the result of the operation is
true (1) if it evaluates to zero, or false if it evaluates to nonzero.
Example

<# i := 6; i >= 3 && i <= 10 #>The result is 1

<# i := 1; i >= 3 && i <= 10 #>The result is 0
<# i := 6; i >= 3 || i <= 10 #>The result is 1
<# i := 1; i >= 3 && i <= 10 #>The result is 0
<# i := 5; !i #>The result is 0
<# i := 5; j := 0; !i && !j #>The result is 0
<# i := 5; j := 0; !i || !j #>The result is 1

Relational operators have a higher precedence than logical AND and

OR. The NOT operator is equal in precedence to the increment and
decrement operators.

7-9

7-10

CHAPTER 7
Writing CLI Macros

Miscellaneous Operations

The positive (+) and negative (-) operations must precede the operand.
The result of a positive operation is the absolute value of the operand.
The result of a negative operation is the negative value of the operand;
that is, a +(-5) becomes 5 and a -(-2) becomes 2. These operators have the
same precedence as the increment and decrement operators. If there is an
operand on both sides of these operators, they are interpreted as the add
and subtract operators.
Example

# local_abs := +local #>

<# local_neg := -local #>

All operations are performed in the order implied by the precedence of

the operators. However, you can modify this order by using parentheses
(( )) to group operands and operators. Operations within parentheses are
performed first. The result is that of the operation(s) within the
parentheses.
Example

<# 4 % (3 + 12) - 6 #>The result is -6

<# 5 && 2 > 1 #>The result is 1
<# (5 && 2) > 1 #>The result is 0

Results of control expressions are written to the output stream when the
expression consists of the following:
A single local variable
A single literal element
An operation whose result is not used by one of the following
operations:

Example

assignment

predecrement

postdecrement

if

preincrement

postincrement

<# localvar #>value of localvar is written

<# " any string" #> any string written
<# 4 % 3 + 12 - 6 #>7 is written
<# 4 % (3 + 12) - 6 #>-6 is written
<# i := i + 1 #>nothing is written
<# count := (count - 2) #>nothing is written

while

Writing Macros
ERX Edge Routers

Conditional Execution

You can use if or while constructs in macros to enable conditional

execution of commands.
If Constructs

If constructs provide a means to execute portions of the macro based on

conditions that you specify. An if construct consists of the following
components:
An opening if expression
A group of any number of additional expressions
(Optional) Any number of elseif expressions and groups of associated
expressions
(Optional) An else expression and any associated group of expressions
An endif expression to indicate the end of the if structure
The if expression and any optional elseif expressions must include either a
lone environment value command, a local variable, a literal, or some
operation using one or more operators.
Only one of the groups of expressions within the if construct is executed,
according to the following scheme:
1

The if expression is evaluated. If the result is true (nonzero), the

associated expression group is executed.

If the result is false (zero), then the first elseif expression, if present, is
evaluated. If the result is true (nonzero), the associated expression
group is executed.

If the result of evaluating the first elseif expression is false (zero), the
next elseif expression is evaluated, if present. If the result is true
(nonzero), the associated expression group is executed.
If all elseif expressions evaluate to false (zero) or if no elseif
expressions are present, then the else expression groupif
presentis executed.

This evaluation process continues until an expression evaluates to

nonzero. If there is no nonzero evaluation, then no expression group
is executed.

You can write an empty expression group so that no action is performed if

this group is selected for execution. You can nest if structures within other
if structures or while structures.

7-11

7-12

CHAPTER 7
Writing CLI Macros

The following sample macro demonstrates various if structures:

<#

if_examples

#>

<# //---------------------------------------- #>

<# if 1 #>
! This is always output because any nonzero value is true.
<# endif #>
<# if 0 #>
! This is never output because a value of zero is false.
<# endif #>
<# // Heres an example with elseif and else. #>
<# color := env.getline("What is your favorite color? ") #>
<# if color = "red" #>
! Red is my favorite color, too.
<# elseif color = "pink" #>
! Pink is a lot like red.
<# elseif color = "black" #>
! Black is just a very, very, very dark shade of red.
<# else #>
! Oh.

Thats nice.

<# endif #>

<# // Heres a nested if example. #>
<# sure := env.getline("Are you sure that " $ color $ " is
your favorite color? ") #>
<# if substr(sure, 0, 1) = y || substr(sure, 0, 1) = Y #>
<# if color != "black" && color != "white";
shade := env.getline("Do you prefer dark " $ color $
" or light " $ color $ "? ") #>
<# if shade = "dark" #>
! I like dark colors, too.
<# elseif shade = "light" #>
! I prefer dark colors myself.
<# else #>
! Hmmm, thats neither dark nor light.
<# endif #>
<# else #>
! Oh.

Thats nice.

<# endif #>

<# else #>
! I didnt think so!
<# endif #>
<# endtmpl #>

Writing Macros
ERX Edge Routers

While Constructs

While constructs provide a means to repeatedly execute one or more

portions of the macro based on a condition that changes during the
execution. A while construct consists of the following components:
An opening while expression
A group of any number of additional expressions
An endwhile expression to indicate the end of the while structure
The while expression must include either a lone environment value
command, a local variable, a literal, or some operation using one or more
operators. Each time that this expression evaluates to nonzero, the
associated expression group is executed.
You can place an iteration expression after the while expression. This
optional expression is evaluated after each execution of the while
expression group.
You can include if structures within a while structure. You can also
include special control expressions indicated by the break or continue
expressions. The break expression breaks out of the while structure by
halting execution of the expression group and executing the first
expression after the endwhile statement. The continue expression skips
over the rest of the expression group, evaluates any iteration expression,
then continues with the execution of the while structure. The while
structure is limited to 100,000 repetitions by default. You can nest up to
ten while structures.
Example

The following sample macro demonstrates various while structures:

7-13

7-14

CHAPTER 7
Writing CLI Macros

<#

while_examples

#>

<# //---------------------------------------- #>

<# // Remember that variables are automatically initialized to 0. #>
! Table of squares of the first 10 integers:
<# while ++i <= 10 #>
!<#i;"

";i*i;"\n"#>

<# endwhile #>

<# // Remember that the value of a string used as an integer is the number. #>
<# // of characters in the string.

#>

<# stars := "*" #>

<# while stars < 10, stars := stars $ "*"#>
!<# stars;"\n" #>
<# endwhile #>
<# while stars > 0, stars := substr(stars, 0, stars-1)#>
!<# stars;"\n" #>
<# endwhile #>
<# // An example of the continue and break statements. #>
<# // Also note that many statements can be grouped. #>
! All the positive even numbers less than 11
<# i:=0; while ++i < 100 #>
<#if i%2; continue; endif; if i > 10; break; endif; "!" $ i $ "\n"; #>
<# endwhile #>
<# // While constructs will NOT iterate forever. #>
<# while 100 > 0 // This is always true, but the macro will eventually stop #>
<# ++iterations; endwhile #>
! The while loop iterated <#iterations#> times.
<# endtmpl #>

Invoking Other Macros

Macros can invoke other macros within the same macro file; a macro can
also invoke a macro from another macro file if the invocation takes place
in literal text, that is, not within a control expression. A macro can invoke
itself directly or indirectly (an invoked macro can invoke the macro that
invoked it); the number of nested invocations is limited to 10 to prevent
infinite recursion.
Within each macro, you can specify parameters that must be passed to
the macro when it is invoked by another. You must specify named
variables enclosed in parentheses after the macro name in the first line of
the macro, as shown in this example:
<# macroName (count, total) #>

Writing Macros
ERX Edge Routers

7-15

Additional parameters can be passed as well. Parameters can be local

variables, environmental variables, literals, or operations. The invoking
macro passes local variables by reference to the invoked macro. Passing
parameters has no effect on the invoking macro unless the parameter is a
local variable that is changed by the invoked macro. When the invoked
macro completes execution, the local variable assumes the new value for
the invoking macro.
The invoked macro can use the param[n] expression to access
parameters passed to it, where n is the number of the parameter passed.
This is useful if optional parameters can be passed to a macro or if the
same iterative algorithm needs to process the parameters.
Use the expression param[0] to return the total number of parameters
passed to the macro. Use the return keyword to halt execution of the
invoked macro and resume execution of the invoking macro. Use the exit
keyword to halt execution of all macros.
Example 1

The following sample macro demonstrates macro invocation:

<#

invoking_examples

#>

<# //---------------------------------------- #>

<# name := env.getline("What is your first name? ") #>
! First, <#name#>, we will invoke the if_examples and
! the while_examples macros...
<# tmpl.if_examples; tmpl.while_examples #>
! Hey <#name#>, have you noticed that your name backwards is:
!<# eman:= ""; tmpl.reversestring(name, eman); eman; "\n"#>
<#

tmpl.argumentlist("a", "b", "c")#>

<# endtmpl #>

<# argumentlist #>
<# if param[0] = 0; return; endif #>
! argumentList() was called with the following arguments:
<# while ++i <= param[0]#>
! <#param[i];"\n"#>
<# endwhile #>
<# endtmpl #>
<# reversestring (string, gnirts) #>
<# i := 0 + string; // i is now equal to the number of
characters in string. #>
<# while --i >= 0; gnirts := gnirts $ substr(string, i, 1);
endwhile #>
<# endtmpl #>

7-16

CHAPTER 7
Writing CLI Macros

Example 2

The following macro in file macro1.mac invokes a macro from within

another file, macro2.mac:
<# callAnotherMacro #>
<# localVar := 5 #>
macro macro2.mac macroName2 <# localVar #> string1
<# endtmpl #>

This macro passes the value of localVar to macroName2. The value of

localVar remains at 5 for callAnotherMacro, regardless of any operations
upon that variable in the second macro. In other words, an invoked
macro in another file cannot return any values to the invoking macro.
The output of callAnotherMacro looks like this:
host1#macro verbose macro1.mac callAnotherMacro
host1#!Macro 'callAnotherMacro' in the file 'macro1.mac'
starting execution
macro macro2.mac macroName2 5 string1
!Macro 'macroName2' in the file 'macro2.mac' starting
execution
!Macro 'macroName2' in the file 'macro2.mac' ending
execution
host1#!Macro 'callAnotherMacro' in the file 'macro1.mac'
ending execution

The invoked macro cannot invoke a third macro from another file. Only
a single level of invocation is supported.

Running Macros
Although you must write macros on a computer, you can copy them to
the system. Issue the macro command from the CLI to execute both
local macros and macros stored remotely.
You can display the commands that are generated by the macro file
without executing the commands by using the test keyword. It is good
practice to confirm that the test display matches your expectations before
you execute the macro to run the commands.
You can terminate a macro while it is running by entering <Ctrl+C>. You
can close Telnet and SSH windows while a macro is running, but the
macro does not terminate until it completes the current command.
macro

Use to execute a macro that generatesand can executeCLI commands.

This command is available in all command modes.

This command invokes a hidden FTP client and takes place in the context of
the current virtual router (VR) rather than the default VR. You must configure

Running Macros
ERX Edge Routers

the FTP server so that any traffic destined for the VR can reach the VR;
typically, you configure the FTP server to reach the default address of the
system, which will always be able to reach the VR.

You can specify both a macro filename and a macro contained within that file.
For example, the following command looks for the file confatm.mac and runs
the macro named atm0verDs3 contained within the file:
host1(config)#macro confatm.mac atm0verDs3

You can specify only a macro filename. The command searches in the
specified file for a macro named start. The command fails if the start macro
does not exist. For example, the following command looks for the file
confatm.mac and runs the macro named start contained within the file:
host1(config)#macro confatm.mac

You can specify only the macro name, using the name keyword, if the macro
file is stored locally in NVS and has the same name as the included macro you
wish to invoke. For example, the following command looks for the file
confatm.mac and runs the macro named confatm contained within the file:
host1(config)#macro name confatm

You must specify a macro filename for remotely stored macro files, as in the
following example:
host1(config)#macro pc:/macros.mac atm0verDs3

Example

You can pass arguments to the macro; if the argument contains a space or
other special character, you must enclose the argument within double quotation
marks.

Use the test keyword to specify that the macro generate, but not execute, the
commands. You can check the output to verify that it is what you want. The test
mode is verbose and displays comments.

Use the verbose keyword to echo commands to the display and display
comments as the macro executes. By default the command executes in
nonverbose mode.

There is no no version.

A typical macro application is to iteratively generate a series of

commands, as shown in the following macro, atm0verDs3:
<# atmOverDs3 #>
<# i:=0; while i++ < 3 #>
controller t3 9/<#i;'\n'#>
no shut
clock source internal module
framing cbitadm
ds3-scramble
!
interface atm 9/<#i;'\n'#>
atm vc-per-vp 256
!
<# endwhile #>

7-17

7-18

CHAPTER 7
Writing CLI Macros

!
interface atm 9/1.1
encap pppoe
!
<# i:=1; while i < 100 #>
interface atm 9/1.1.<#i;'\n'#>
encap ppp
no ppp shut
no ppp keep
atm pvc <# i #> 1 <# i #> aal5mux ip
ip addr 10.1.<#i#>.1 255.255.255.0
!
<# i++ #>
<# endwhile #>
!
<# endtmpl #>

If you stored this macro remotely in the macro file, pc:/macros.mac, you
issue the following commands to execute the macro:
host1>enable
host1#conf t
host1(config)#macro pc:/macros.mac atm0verDs3

Alternatively, if you stored this macro locally in the macro file

atm0verDs3.mac, you issue the following commands to execute the
macro:
host1>enable
host1#conf t
host1(config)#macro verbose atm0verDs3

A portion of the output resulting from executing the atm0verDs3 macro

from a local file is shown below (the starting and ending comments would
vary for a remote macro):
host1(config)#!Macro 'atmOverDs3' in the file
'atmOverDs3.mac' starting execution
host1(config)#controller t3 9/1
host1(config)#no shut
host1(config)#clock source internal module
host1(config)#framing cbitadm
host1(config)#ds3-scramble
host1(config)#interface atm 9/1
host1(config)#atm vc-per-vp 256
host1(config)#controller t3 9/2
host1(config)#no shut
host1(config)#clock source internal module
host1(config)#framing cbitadm

Practical Examples
ERX Edge Routers

host1(config)#ds3-scramble
host1(config)#interface atm 9/2
host1(config)#atm vc-per-vp 256
host1(config)#controller t3 9/3
host1(config)#no shut
host1(config)#clock source internal module
host1(config)#framing cbitadm
host1(config)#ds3-scramble
host1(config)#interface atm 9/3
host1(config)#atm vc-per-vp 256
host1(config)#interface atm 9/1.1
host1(config)#encap pppoe
host1(config)#interface atm 9/1.1.1
host1(config)#encap ppp
host1(config)#no ppp shut
host1(config)#no ppp keep
host1(config)#atm pvc 1 1 1 aal5mux ip
host1(config)#ip addr 10.1.1.1 255.255.255.0

[display omitted]
host1(config)#interface atm 9/1.1.99
host1(config)#encap ppp
host1(config)#no ppp shut
host1(config)#no ppp keep
host1(config)#atm pvc 99 1 99 aal5mux ip
host1(config)#ip addr 10.1.99.1 255.255.255.0
host1(config)#!Macro 'atmOverDs3' in the file
'atmOverDs3.mac' ending execution

Practical Examples
You can use the macros in this section for configuring your system or as
examples of useful macros you can build yourself.
Configuring Frame Relay

You can organize your macros in many different ways to suit your needs.
The first sample macro in this section, ds1mac.mac, shows a typical
method of organization. It consists of a number of related macros for
configuring interfaces on CT1 and CE1 modules, as described in
Table 7-4.
Some of the macros provide a single configuration function, like
configuring the controller. These are invoked by other macros that are

7-19

7-20

CHAPTER 7
Writing CLI Macros

executable from the command line. A high-level macro invokes several of

the executables, acting much like a script to provide greater functionality.
Table 7-4 Contents of ds1mac.mac
Macro Name

Description

Help

Lists the executable macros in ds1mac.mac

controllerDs1

Executable macro that configures Cx1 ports; calls macro

cntrDs1

ds1Encap

Executable macro that configures Frame Relay

encapsulation on Cx1 serial interfaces; calls macro
cx1Encap

ds1FrCir

Executable macro that configures Frame Relay circuits on

Cx1 subinterfaces; calls macro cx1FRCir

configCx1

Executable macro that configures Cx1 serial Frame Relay

interfaces; calls macros cntrDs1, cx1Encap, and cx1FrCir

cntrDs1

Configures the Cx1 controller; called by other macros

cx1Encap

Configures Frame Relay encapsulation on serial interfaces;

called by other macros

cx1FrCir

Configures Frame Relay circuits on the subinterfaces; called

by other macros

Table 7-5 lists the complete set of macros contained in ds1mac.mac. You
can run the Help macro to list the other executable macros contained in
ds1mac.mac. To configure Frame Relay on your system with
ds1mac.mac, you can do one of the following:
Run the controllerDS1, ds1Encap, and ds1FrCir macros in that order
Run the configCx1 macro
In either case, to run the macros you must provide the required values
described in the macros.
Table 7-5 ds1mac.mac
<# Help #>
! This file contains the following executable macros:
!

controllerDs1

ds1Encap

ds1FrCir

configCx1

<# endtmpl #>

Practical Examples
ERX Edge Routers

Table 7-5 ds1mac.mac (continued)

<# controllerDs1 #>
<# if env.argc = 0 #>
! This macro configures your Cx1 controller.
! This macro will configure e1 ports as unframed.
! This macro should be called with 4 arguments.
! The argument list should be as follows:
! type; number of numPorts; slot; port; clock; framing;
lineCoding
<# return #>
<# endif #>
<# type := env.argv(1) #>
<# ifCount := env.argv(2) #>
<# slot := env.argv(3) #>
<# port := env.argv(4)#>
<# clock := env.argv(5) #>
<# framing := env.argv(6) #>
<# coding := env.argv(7) #>
<# if clock = 'internal' #>
<# clock := 'internal mod' #>
<# endif #>
<# tmpl.cntrDs1(type, ifCount, slot, port, clock, framing,
coding) #>
<# endtmpl #>

7-21

7-22

CHAPTER 7
Writing CLI Macros

Table 7-5 ds1mac.mac (continued)

<# ds1Encap #>
<# if env.argc = 0 #>
! This macro configures Frame Relay encapsulation on Cx1
serial
! interfaces.
! This macro must be called with 4 arguments.
! If the protocol is Frame Relay (fr), then specify the
type (DTE
! or DCE) and the lmi type.
! The argument list should be as follows:
! number of numPorts; slot; port; proto; frType; frLmi
<# return #>
<# endif #>
<# ifCount := env.argv(1) #>
<# slot := env.argv(2) #>
<# port := env.argv(3) #>
<# proto := env.argv(4) #>
<# if proto = 'fr' #>
<# proto := 'frame-relay ietf' #>
<# endif #>
<# tmpl.cx1Encap(ifCount, slot, port, proto) #>
<# endtmpl #>
<# ds1FrCir #>
<# if env.argc = 0 #>
! This macro configures Frame Relay circuits on Cx1
! subinterfaces.
! This macro must be called with 4 arguments.
! The argument list should be as follows:
! number of numPorts; slot; port; numCirs; dlci
<# return #>
<# endif #>
<# ifCount := env.argv(1) #>
<# slot := env.argv(2) #>
<# port := env.argv(3) #>
<# numCirs := env.argv(4) #>
<# dlci := env.argv(5) #>
<# tmpl.cx1FrCir(ifCount, slot, port, numCirs, dlci) #>
<# endtmpl #>

Practical Examples
ERX Edge Routers

Table 7-5 ds1mac.mac (continued)

<# configCx1 #>
<# if env.argc = 0 #>
! This macro configures Cx1 serial Frame Relay interfaces.
! This macro must be called with 4 arguments.
! The argument list should be as follows:
! type; number of numPorts; slot; port; clock; framing;
coding; proto; frType; frLmi; numCirs; dlci
<# return #>
<# endif #>
<# type := env.argv(1) #>
<# ifCount := env.argv(2) #>
<# slot := env.argv(3) #>
<# port := env.argv(4) #>
<# clock := env.argv(5) #>
<# framing := env.argv(6) #>
<# coding := env.argv(7) #>
<# proto := env.argv(8) #>
<# tmpl.cntrDs1(type, ifCount, slot, port, clock, framing,
coding) #>
<# if proto = 'fr' #>
<# frType := env.argv(9) #>
<# frLmi := env.argv(10) #>
<# numCirs := env.argv(11) #>
<# dlci := env.argv(12) #>
<# tmpl.cx1Encap(ifCount, slot, port, proto, frType, frLmi)
#>
<# tmpl.cx1FrCir(ifCount, slot, port, numCirs, dlci) #>
<# else #>
<# tmpl.cx1Encap(ifCount, slot, port, proto, type, type) #>
<# endif #>
<# endtmpl #>

7-23

7-24

CHAPTER 7
Writing CLI Macros

Table 7-5 ds1mac.mac (continued)

<# cntrDs1 #>
<# //This macro is called by other macros to configure DS1
ports #>
<# //Parameters in order are interface Type; numPorts;
slot; port; clock; framing; lineCoding #>
!
! Configure Cx1 Controller
!
<# type := param[1] #>
<# ifCount := env.atoi(param[2]) #>
<# slot := param[3] #>
<# port := env.atoi(param[4]) #>
<# clock := param[5] #>
<# framing := param[6] #>
<# coding := param[7] #>
<# while ifCount-- > 0 #>
controller <# type;' '; slot;'/';port;'\n' #>
<# if framing = 'unframed' #>
unframed
<# else #>
framing <# framing;'\n' #>
linecoding <# coding;'\n' #>
<# endif #>
clock source <# clock;'\n' #>
no shutdown
<# port++ #>
<# endwhile #>
<# endtmpl #>

Practical Examples
ERX Edge Routers

Table 7-5 ds1mac.mac (continued)

<# cx1Encap #>
<# //This macro is called by other macros to configure
Frame Relay encapsulation on serial interfaces. #>
<# //Parameters in order are interface Type; numPorts;
slot; port; clock; framing; lineCoding #>
!
! Configure Encapsulation
!
<# ifCount := env.atoi(param[1]) #>
<# slot := param[2] #>
<# port := env.atoi(param[3]) #>
<# proto := param[4] #>
<# if proto = 'fr' #>
<# proto := 'frame-relay ietf' #>
<# endif #>
<# while ifCount-- > 0 #>
interface serial <# slot;'/';port;':1';'\n' #>
encapsulation <# proto;'\n' #>
<# if proto = 'frame-relay ietf' #>
frame-relay intf-type <# param[5];'\n'#>
frame-relay lmi-type <# param[6];'\n'#>
<# endif #>
<# port++ #>
<# endwhile #>
<# endtmpl #>

7-25

7-26

CHAPTER 7
Writing CLI Macros

Table 7-5 ds1mac.mac (continued)

<# cx1FrCir #>
<# //This macro is called by other macros to configure
Frame Relay circuits on subinterfaces. #>
<# //Parameters in order are interface numPorts; slot;
port; numCirs; dlci #>
!
! Configure Frame Relay Circuits
!
<# ifCount := env.atoi(param[1]) #>
<# slot := param[2] #>
<# port := env.atoi(param[3]) #>
<# numCirs := env.atoi(param[4]) #>
<# startDlci := env.atoi(param[5]) #>
<# id := env.atoi('1') #>
<# while ifCount-- > 0 #>
<# cirs := numCirs #>
<# id := env.atoi('1') #>
<# dlci := startDlci #>
<# while cirs-- > 0 #>
interface serial <# slot;'/';port;':1.';id;'\n' #>
frame-relay interface-dlci <# dlci #> ietf
<# id++; dlci++ #>
<# endwhile #>
<# port++ #>
<# endwhile #>
<# endtmpl #>

Practical Examples
ERX Edge Routers

Configuring ATM Interfaces

The sample macro in Table 7-6 configures ATM interfaces based on the
inputs you provide when prompted by the macro.
Table 7-6 Sample macro to configure ATM interfaces
<# atmIf #>
<# slotPort:=env.getline("slot/port?") #>
<# while (vcType != 1 && vcType != 2);
vcTypeStr :=env.getline("VC type (1 = AAL5MUX IP, 2 = AAL5SNAP)?");
vcType := env.atoi(vcTypeStr);
endwhile #>
<# if vcType = 1; vcTypeStr := "aal5mux ip"; else; vcTypeStr := "aal5snap"; endif
#>
<# encapRouted:=1; encapBridged:=2; encapPPP:=3 #>
<# while (encapType < encapRouted || encapType > encapPPP );
encapTypeStr
ppp)?");

:=env.getline("encapsulation (1 = routed, 2 = bridged, 3 =

encapType := env.atoi(encapTypeStr);
endwhile #>
<# if encapType = encapPPP #>
<# authNone:=1; authPap:=2; authChap:=3; authPapChap:=4; authChapPap:=5 #>
<# while (authType < authNone || authType > authChapPap );
authTypeStr :=env.getline("authentication (1 = None, 2 = PAP, 3 = CHAP, 4 =
PAP/CHAP; 5 = CHAP/PAP)?");
authType

:= env.atoi(authTypeStr);

endwhile #>
<# endif #>
<# vpStartStr := env.getline("Starting VP number?");
vpStart:=env.atoi(vpStartStr)#>
<# vpEndStr
:= env.getline("Ending
:=env.atoi(vpEndStr)#>

VP number?"); vpEnd

<# vcStartStr := env.getline("Starting VC number?");

vcStart:=env.atoi(vcStartStr)#>
<# vcEndStr
:= env.getline("Ending
:=env.atoi(vcEndStr)#>

VC number?"); vcEnd

7-27

7-28

CHAPTER 7
Writing CLI Macros

<# loopbackStr := env.getline("Loopback interface number or <cr>?") #>

<# vp := vpStart; while vp <= vpEnd, ++vp #>
<# vc := vcStart; while vc <= vcEnd, ++vc #>
interface atm <#slotPort $ '.' $ ++i;'\n'#>
atm pvc <# i; ' '; vp; ' '; vc; ' '; vcTypeStr;'\n'#>
<# if encapType = encapPpp #>
encap ppp
<# if authType = authPap#>
ppp authentication pap
<# elseif authType = authPapChap#>
ppp authentication pap chap
<# elseif authType = authChapPap#>
ppp authentication chap pap
<# elseif authType = authChap#>
ppp authentication chap
<# endif #>
<# elseif encapType = encapBridged #>
encap bridged1483
<# endif #>
<# if loopbackStr != "" #>
ip unnumbered loopback <# loopbackStr;"\n" #>
<# endif #>
!
<# endwhile #>
!
<# endwhile #>

Practical Examples
ERX Edge Routers

<# if encapType = encapPPP #>

<# authNone:=1; authPap:=2; authChap:=3; authPapChap:=4; authChapPap:=5 #>
<# while (authType < authNone || authType > authChapPap );
authTypeStr :=env.getline(authentication (1 = None, 2 = PAP, 3 = CHAP, 4 =
PAP/CHAP; 5 = CHAP/PAP)?);
authType

:= env.atoi(authTypeStr);

endwhile #>
<# endif #>
<# vpStartStr := env.getline(Starting VP number?);
vpStart:=env.atoi(vpStartStr)#>
<# vpEndStr
:= env.getline(Ending
:=env.atoi(vpEndStr)#>

VP number?); vpEnd

<# vcStartStr := env.getline(Starting VC number?);

vcStart:=env.atoi(vcStartStr)#>
<# vcEndStr
:= env.getline(Ending
:=env.atoi(vcEndStr)#>

VC number?); vcEnd

<# loopbackStr := env.getline(Loopback interface number or <cr>?) #>

<# vp := vpStart; while vp <= vpEnd, ++vp #>
<# vc := vcStart; while vc <= vcEnd, ++vc #>
interface atm <#slotPort $ '.' $ ++i;'\n'#>
atm pvc <# i; ' '; vp; ' '; vc; ' '; vcTypeStr;'\n'#>
<# if encapType = encapPpp #>
encap ppp
<# if authType = authPap#>
ppp authentication pap
<# elseif authType = authPapChap#>
ppp authentication pap chap
<# elseif authType = authChapPap#>
ppp authentication chap pap
<# elseif authType = authChap#>
ppp authentication chap
<# endif #>
<# elseif encapType = encapBridged #>
encap bridged1483
<# endif #>
<# if loopbackStr != #>
ip unnumbered loopback <# loopbackStr;\n #>
<# endif #>
!
<# endwhile #>
!
<# endwhile #>
<# endtmpl #>

7-29

7-30

CHAPTER 7
Writing CLI Macros

Booting the System

This chapter provides information about booting your ERX system.

Note: The type of file you must always use for booting your system is a software
release file with the extension .rel.

Topic

Page

Configuring Your System for Booting

8-1

Rebooting Your System

8-5

Operations in Boot Mode

8-8

Displaying Boot Information

8-9

Configuring Your System for Booting

Juniper Networks delivers your system already set up with a factory
default configuration and a software release (.rel) file. You can, however,
create a new configuration file (.cnf) and select a different software release
file to use in future reboots of your system. When you reboot your system,
you can use:
An existing configuration file to be used each time the system reboots
An existing configuration file limited to a single reboot
An existing script file to be used on only the next reboot
An existing script file to be used on the next and every subsequent
reboot using backup mode
The configuration that is already running on the system
The factory default configuration

8-2

CHAPTER 8
Booting the System

In addition, you can configure the system to load a different software

release file on its next reboot. Use the boot system command to do this.
If you do not configure your system with a backup release, it reverts to the
release and configuration it had before the crash.
You can use the boot backup command to specify a software release and
configuration for the system to use in case the system resets too many
times in a given period.
The boot subsystem and boot slot commands enable you to override
the system release setting for a given subsystemfor example, OC3or
for a given slotfor example, slot 5.
boot backup

Use to set the release version and the configuration to be used when the boot
logic chooses backup mode.

This command does not reboot the system; it configures the system for
rebooting.

You can require the system to reboot from an existing configuration file, from an
existing local script file, or with the factory default configuration.

Example
host1(config)#boot backup rel_1_1_0.rel newfile.cnf

Use the no version of this command to remove the backup setting.

Use to specify the configuration with which the system is rebooted.

boot config
Caution: All versions of this command except those using the
running-configuration or startup-configuration keywords erase the current
system running configuration. Before issuing one of those versions, you might want
to save the running configuration to a .cnf file by issuing the copy
running-configuration command.

You can require the system to reboot from a configuration file.

To specify an existing system configuration (.cnf) file that the system uses for
the next reboot and all subsequent reboots:
host1(config)#boot config newconffile.cnf

To specify an existing system configuration (.cnf) file that the system uses only
on the next rebooton subsequent reboots, the system will use the running
configuration current at the time of that reboot:
host1(config)#boot config newconffile.cnf once

You can require the system to reboot from an existing local script (.scr) file that
the system uses only on the next rebooton subsequent reboots, the system
will use the running configuration current at the time of that reboot:
host1(config)#boot config scriptfile.scr

Configuring Your System for Booting

ERX Edge Routers

Configuring this option causes the system to ignoreonly at the next

rebootan autocfg.scr file that you may also have configured.

If you specify a .cnf file, upon the next reboot the system resets to the factory
defaults; it then opens the .cnf file and begins applying it immediately. If you
specify a .scr file, upon the next reboot the system resets to the factory
defaults; it then waits for a 600-second countdown timer to expire before
applying the script. This period gives the line modules an opportunity to fully
initialize before configuration begins. Upon timer expiration or system
initialization (whichever occurs first), the script executes regardless of the state
of the line modules. You can escape from the countdown by pressing <Ctrl+C>;
the system prompts you to execute the script immediately or return to the
system console.

You can require the system to reboot from the configuration running on the
system at the time of the reboot.
If the system is in Automatic Commit mode:
host1(config)#boot config running-configuration

If the system is in Manual Commit mode:

host1(config)#boot config startup-configuration

See Saving the Current Configuration in Chapter 4, Managing the System, for
information on Automatic and Manual Commit modes.

You can require the system to reboot from the factory default configuration. On
subsequent reboots, the system will use the running configuration current at the
time of that reboot:
host1(config)#boot config factory-defaults

This command does not reboot the system.

Use the no version to clear a previous request to reboot in a specified manner.

Use to force the system to use the backup release/configuration on the next
boot.

This command does not reboot the system.

Example

boot force-backup

host1(config)#boot force-backup mysafe.rel mysafe.cnf

Note: Even if you request the normal release/configuration, the boot logic still
checks the reboot history file. It may force the backup mode regardless of your
request. To guarantee that the boot logic does not override your request to use the
normal release/configuration, do either of the following:

Delete the reboot history file after issuing the no boot force-backup command.
Do not configure a backup release or configuration file.

Use the no version to set the system to return to its normal

release/configuration on the next boot.

8-3

8-4

CHAPTER 8
Booting the System

boot revert-tolerance

Use to set the reversion tolerances that the boot logic uses to determine
whether to use normal or backup settings.

The default settings tolerate up to three resets in 30 minutes.

This command does not reboot the system.

Example
host1(config)#boot revert-tolerance 2 60

Use the no version to restore the default values, 3 and 1800.

boot revert-tolerance never

Use to set the boot logic to never revert to the backup image/configuration.

This command does not reboot the system.

Example
host1(config)#boot revert-tolerance never

Note: This command is functionally equivalent to specifying no backup

image/configuration, but it allows you to leave the backup settings alone and to
toggle autoreversion on and off. This command is undone by using the no boot
revert-tolerance command, which restores the default settings, or the boot
revert-tolerance command. The default settings are count = 3 (crashes) and time =
1800 (seconds); that is, 3 crashes in 30 minutes.

There is no no version.

Use to configure the software release the module in the selected slot will use
the next time it reboots.

This command does not reboot the module.

Example 1

boot slot

host1(config)#boot slot 6 rel_1_0_1.rel

The boot backup slot version of this command enables you to configure a
backup slot for booting.

Example 2
host1(config)#boot backup slot 7 rel_1_0_1.rel

Use the no version to clear the override for the specified slot or all slots.

Use to configure the software release the selected subsystem will use the next
time it reboots.

This command does not reboot the subsystem.

Example 1

boot subsystem

host1(config)#boot subsystem ct3 rel_1_0_1.rel

The boot backup subsystem version of this command enables you to

configure a backup subsystem for booting.

Rebooting Your System

ERX Edge Routers

Example 2
host1(config)#boot backup subsystem ct3 rel_1_0_1.rel

Use the no version of this command to remove the configuration setting.

boot system
Warning: This command attempts to reprogram the SRP boot PROMs, if
necessary. The SRP has a primary and, typically, a backup boot PROM. If the boot
system command is executed on an SRP with no backup boot PROM, the following
message is displayed: Write to Backup Boot ROM failed. In this instance, this
message is correct, and you can ignore it.

Use to specify the software release (.rel) file that your system will use when
rebooting.

This command does not reboot the system.

Example
host1(config)#boot system release1.rel

There is no no version.

Rebooting Your System

You can reboot your system as a whole or select a single slot in the system
to be rebooted. You can reboot your system immediately or in a
designated interval of time, and can configure the system to prompt you if
the modules are in a state that could lead to a loss of configuration data
or an NVS corruption.
If you reboot the system before it has completely written configuration
updates to NVS, the system will start with the last saved configuration. If
you reboot the system after it has written the configuration updates to
NVS, but before it has applied those updates to actual configuration data,
the configuration update process resumes immediately following the
reboot and completes before any application accesses its configuration
data.
reload

Use to reload the software on the system immediately.

Reloads the system software (.rel) file and the configuration (.cnf) file on the
system.

When you issue this command, the system prompts you for a confirmation
before the procedure starts.

If you specify the force keyword, the procedure will fail if the system is updating
the boot prom. In this case, the system will display a message that indicates
that the procedure cannot currently be performed and the cause. However, if
the system is in a state that could lead to a loss of configuration data or an NVS

8-5

8-6

CHAPTER 8
Booting the System

corruption, such as during the synchronization of SRP modules, the system

displays a message that describes the state, and asks you to confirm (enter y
for yes, n for no) whether you want to proceed.

If you do not specify the force keyword, the procedure will fail if the system is in
a state that could lead to a loss of configuration data or an NVS corruption, and
the system will display a message that explains why the procedure failed.

When you issue this command, the system prompts you for a confirmation
before the procedure starts.

Example
host1#reload
host1#reload force

There is no no version.

Use to reload the software on the system at an absolute time.

This command halts the system.

Reloads the system software (.rel) file and the configuration (.cnf) file on the
system.If the system is in a state that could lead to a loss of configuration data
or an NVS corruption, it will delay the procedure for one minute. Each time the
system delays the procedure, it adds a message to the os log that explains why
the procedure was delayed. If the system cannot reload on its sixth attempt, the
reboot procedure will fail, and the system will add an explanation to the os log.

Example

reload at

host1#reload at 10:10 May 5

This command reloads the software 10 minutes after 10 on May 5th.

There is no no version.

Use to reload the software on the system in a relative period of time.

This command halts the system.

Reloads the system software (.rel) file and the configuration (.cnf) file on the
system.

If the system is in a state that could lead to a loss of configuration data or an

NVS corruption, it will delay the procedure for one minute. Each time the
system delays the procedure, it adds a message to the os log that explains why
the procedure was delayed. If the system cannot reload on its sixth attempt, the
reboot procedure will fail, and the system will add an explanation to the os log.

Example

reload in

host1#reload in 00:10

This command reloads the software in 10 minutes.

There is no no version.

Rebooting Your System

ERX Edge Routers

reload slot

Use to reboot a selected slot on the system.

Reloads the system software (.rel) file and the configuration (.cnf) file on the
module in the selected slot.

When you issue this command, the system prompts you for a confirmation
before the procedure starts.

If you specify the force keyword and the slot number of the primary SRP
module, the procedure will fail if the system is updating the boot prom. In this
case, the system will display a message that indicates that the procedure
cannot currently be performed and the cause. However, if the system is in a
state that could lead to a loss of configuration data or an NVS corruption, such
as using the synchronization of SRP modules, it displays a message that
describes the state, and asks you to confirm (enter yes or no) whether you want
to proceed.

If you do not specify the force keyword, the procedure will fail if the system is in
a state that could lead to a loss of configuration data or an NVS corruption, and
the system will display a message that explains why the procedure failed.

Example
host1#reload slot 3

There is no no version.

Rebooting When a Command Takes a Prolonged Time to Execute

Although some commands might take a relatively long time to execute,

most do not. If the CLI displays no output other than Please wait... for
a prolonged period, you can press <Ctrl+X> to reset the system. Use
<Ctrl+X> only as a last resort; if at all possible, wait until the command is
completed, or attempt to connect to the system via a Telnet or SSH client
through which you can use the reload command.
service ctrl-x-reboot

Enables the <Ctrl+X> key combination to reset the system from any location.

Issuing the <Ctrl+X> command has no effect if you are accessing the system
via Telnet.

This feature is disabled by default.

Loading the factory default configuration does not override this feature.

Example
host1(config)#service ctrl-x-reboot

Use the no version to disable this feature.

8-7

8-8

CHAPTER 8
Booting the System

Configuration Caching

Configuration caching prevents the system from being partially

configured with changes in the event of a reset. When a script or macro
begins execution, the resulting configuration changes are automatically
cached in system RAM rather than being committed to nonvolatile
storage (NVS). When the script or macro completes execution, the cache
is flushed as a background operation, saving the configuration changes to
NVS.
If the SRP module resets during the script or macro execution, the system
boots as though the script were never started because no NVS files have
changed. If the SRP module resets during the flush operation, the system
boots with factory defaults.
If you start another script or macro in the middle of an ongoing flush
operation, the current flush is halted; now if the SRP module resets
during the script, the system boots with factory defaults.
If you issue the reload command to manually reset the system, the
system checks for an ongoing cache flush and warns you if a flush
operation is discovered.

Operations in Boot Mode

To access Boot mode:
1

Reload the system from Privileged Exec mode:

host1#reload
WARNING: Execution of this command will cause the system to
reboot.
Proceed with reload? [confirm]
Reload operation commencing, please wait...
7

Press the <M+B> key sequence (case-insensitive) during the

countdown that is displayed immediately after the BPOST tests are
bypassed. This puts the CLI in Boot mode.
:boot##

If you do not press the <M+B> key sequence before the countdown
timer expires, the reloading process continues and returns the CLI to
the normal User Exec mode.

Displaying Boot Information

ERX Edge Routers

Displaying Boot Information

You can display information about the systems booting configuration,
installed hardware versions, and installed software versions.
show boot

Use to show the current boot settings.

Example
host1#show boot
System Release:

release.rel

System Configuration:

running-configuration

Note: This system is not configured with backup settings.

show hardware

Use to display detailed information about the system hardware.

Field descriptions

slot physical slot that contains the module

type type of module
serial number serial number of the module
assembly number part number of the module
assembly rev. hardware revision of the module
ram (MB) memory capacity of the host processor
number of MAC addresses total number of Ethernet addresses on an I/O
module

base MAC address lowest Ethernet address on an I/O module

Example

host1#show hardware
serial

assembly

assembly

slot

type

number

number

rev.

(MB)

ram

----

------

----------

----------

--------

----

SRP-5G

7199160022

3400002900

A03

128

---

---

---

---

---

---

---

---

---

---

OC3dP2

7199190218
---

3401002800
---

A02

64

---

---

---

CT3P2

7199160121

3401002501

A02

64

CT2

7199160311

3401002011

A03

64

8-9

8-10

CHAPTER 8
Booting the System

number
of
serial

assembly

assembly

slot

type

number

number

rev.

----

-----

------

--------

--------

SRP-5G I/O

7199170147

3400003301

0
1

---

2
3

---

---

---

OC3dP2 I/O

7199030030
---

----3400003400
---

MAC
addresses
------

A01

16

---

---

---

---

A01

---

CT3P2 I/O

7199150162

3400003200

A03

---

CT1 I/O

7199460217

3400006401

A02

slot

base MAC address

----

-----------------

00-90-1a-00-09-a0

---

---

---

3
4

---

5
6

show last-reset

Displays the reason for the systems last user-directed reload or error-caused
reset.

Example
host1#show last-reset
last reset: power cycle

show reload

Displays the systems reload status.

Example
host1#show reload
reload scheduled for TUE OCT 2 2001 10:10:00 UTC

Displaying Boot Information

ERX Edge Routers

show version

Use to display the configuration of the system hardware and the software
version.

Example

host1#show version
Juniper Networks Edge Routing Switch ERX-700
Copyright (c) 1999-2002 Juniper Networks, Inc.

All rights reserved.

System Release: erx_4-1-0b0-13.rel

Version: 4.1.0 beta-0.13 [BuildId 25]

(July 9, 2002

13:17)

System running for: 18 days, 6 hours, 13 minutes, 21 seconds

(since WED JUL 10 2002 20:35:31 UTC)
slot state

type

admin

spare

running release

slot uptime

---- ------ ------ ------- ----- ------------------ -------------0

online SRP-5G enabled

---

erx_4-1-0b0-13.rel 18d06h:12m:13s

---

---

---

---

---

---

---

---

---

---

---

---

online OC3sP2 enabled

---

erx_4-1-0b0-13.rel 18d06h:11m:44s

online DPFE

enabled

---

erx_4-1-0b0-13.rel 18d06h:11m:45s

online CT3

enabled

---

erx_4-1-0b0-13.rel 18d06h:11m:44s

online CT1

enabled

---

erx_4-1-0b0-13.rel 18d06h:11m:44s

Output Filtering

The output filtering feature of the show command is not available in

Boot mode.

8-11

8-12

CHAPTER 8
Booting the System

Configuring the System

Clock

Use the procedures described in this chapter to configure the ERX

system clock.
Topic

Page

Overview

9-1

References

9-5

Setting the System Clock Manually

9-5

Before You Configure NTP

9-7

NTP Configuration Tasks

9-8

Monitoring NTP

9-12

Overview
You can use the clock commands to set the time and date on your system
manually. These commands allow you to specify settings such as the
source of the time, the time zone, and dates for seasonal time changes.
You can configure your system to update its clock automatically by
configuring it as a Network Time Protocol (NTP) client. NTP provides a
method of synchronizing the system clocks of hosts on the Internet to
Universal Coordinated Time (UTC). Using NTP allows the system to
record accurate times of events. You can view the log file of events to
monitor the status of the network.
Since there is only one system clock, you can configure an NTP client on
one virtual router only. Other virtual routers obtain clock parameters
from the system clock. However, multiple virtual routers can act as NTP
servers.

9-2

CHAPTER 9
Configuring the System Clock

NTP

NTP uses a hierarchical structure of hosts, such as computers and routers,

that form client-server and peer associations. An NTP client synchronizes
with an NTP server, which in turn synchronizes with another time
source. If two hosts provide synchronization for each other, they are
peers.
Primary or stratum 1 servers synchronize directly with an accurate time
source, such as a radio clock or an atomic clock. Secondary or stratum n
servers synchronize with other servers, and are n hops from an accurate
time source.
To obtain high precision and reliability with NTP, clients typically
synchronize with several NTP servers at different physical locations. Peer
associations, especially for stratum 1 and 2 servers, provide redundancy
for the network.
Hosts synchronize by exchanging NTP messages via UDP. NTP uses the
IP and UDP checksums to confirm data integrity.
By default, the system is an NTP client. You must configure NTP client
parameters to start NTP client operation. You can also configure the
system as an NTP server, whether or not you configure NTP client
parameters.
Figure 9-1 shows an example of an NTP hierarchy.
ERX system as
NTP client and
NTP server
local
clients

stratum 2
server

ERX system as
NTP client

stratum 1
server

stratum 2
server

atomic
clock

stratum 1
server

stratum 3
server
local
clients
local
servers

stratum 2
server
stratum 1
server

stratum 2
server
stratum 1
server
atomic
clock

Figure 9-1 Example of an NTP hierarchy

atomic
clock

atomic
clock

Overview
ERX Edge Routers

System Operation as an NTP Client

To synchronize to the clock of a server, the system must receive time

information from NTP servers recurrently. The way the system receives
such information depends on how you configure it:
If you configure the system to poll NTP servers, it sends time requests
to the servers periodically. NTP servers receive the requests, add time
information to the messages, and send replies to the system.
If you configure the system as a broadcast client, it receives NTP
broadcasts from servers periodically. The broadcasts include time
information from the servers.
By default, NTP servers respond to the interface from which an NTP
request originated. You can direct responses from all NTP servers to one
interface on the system, or from a specific NTP server to a specific
interface.
Synchronization

There are three stages to synchronization:

Preliminary synchronization
Frequency calibration
Progressive synchronization
Preliminary Synchronization Preliminary synchronization is a
stage during which the system evaluates the initial time situation and
decides how to proceed with longer-term synchronization. This stage
involves the following steps:
1

The system obtains several readings of time data from NTP servers.

The system analyzes time data in the messages and compares the
readings from different servers. Using this information, the system
identifies the initial best time source (the best server).

The system calculates the difference between its own clock and the
best servers clock (the offset) and proceeds as follows:
If the offset is greater than 15 minutes, the system disables NTP
and displays a message advising you to check the time zone and
clock settings.
If the offset is less than 15 minutes, the system sets its clock to that
of the best server.

9-3

9-4

CHAPTER 9
Configuring the System Clock

Provided the system has not disabled NTP, it proceeds to the next
stage:
If a frequency calibration is available, the system starts
progressive synchronization.
If the system has never performed a frequency calibration or the
calibration has been deleted, the system starts a frequency
calibration.

Frequency Calibration Frequency calibration takes place the first

time you use NTP or when you reboot the system. During this stage, the
system evaluates the frequency error of its clock by measuring change in
the offset error. A frequency calibration takes 15 minutes.
Progressive Synchronization After the system has established
initial NTP parameters, it continues to synchronize to a server as follows:
1

The system acquires time information from servers periodically.

The system evaluates which server is currently the best time source
(the master) by analyzing time data in the messages and comparing
the data from different servers.

The system gradually synchronizes its clock to that of the master.

System Operation as an NTP Server

When the system is configured as an NTP server, it synchronizes clients

to its own clock by responding to NTP requests from clients as follows:
1

Swaps the destination and source addresses in the request packet.

Sets all timestamps and NTP attributes in the packet.

Returns the packet to the client.

When the system is not configured as either an NTP client or an
NTP server, it responds to NTP requests with an invalid stratum
number.
If the system is configured both as an NTP client and an NTP server,
the system effectively synchronizes its clients to its masters clock. If
the system is configured as an NTP server but not an NTP client, the
system synchronizes its clients to its own clock, which can be set via
the clock commands.

References
ERX Edge Routers

References
This implementation of NTP meets the following specification:
RFC 1305 Network Time Protocol (version 3) Specification,
Implementation and Analysis (March 1992)

Setting the System Clock Manually

Before you set the system clock, obtain the following information about
your time zone:
The name of the time zone
The difference (offset) between the time zone and UTC
The dates and times of transitions to and from summer time (daylight
savings time)
The difference between the standard time and summer time (daylight
savings time)
The international Web site www.timeanddate.com contains information
about time zones.
Caution: Be sure to set the time zone and summer time dates before you set the
clock.

You can set the system clock at any time. This process involves the
following steps:
1

Set the time zone.

Set the summer time dates.

Set the time.

Check the clock settings.

9-5

9-6

CHAPTER 9
Configuring the System Clock

clock set

Use to set the time and date on your system manually.

Use the following syntax for setting the time: HH:MM:SS. This is the current
time in 24-hour format hours:minutes:seconds.

There are two acceptable date forms for this command. Both produce the same
display when you run the show clock command.

Day:month:year
Month:day:year

Examples
host1#clock set 08:12:42 12 March 2000
host1#clock set 11:12:55 March 10 2000

There is no no version.

Use to set the clock to switch automatically to summer time (daylight savings
time).

Example

clock summer-time date

host1(config)#clock summer-time PDT date 1 April 200X 2:00

31 October 200X 2:00 60

Use the no version to prevent automatic switching to summer time.

clock summer-time recurring

Use to set the clock to summer time at the same time each year.

Example
host1(config)#clock summer-time PDT recurring first Sunday
April 2:00 last Sunday October 2:00

Use the no version to prevent automatic switching to summer time.

Use to set the time zone for display.

Example

clock timezone

host1(config)#clock timezone EST -5

This sets the time zone to 5 hours behind UTC.

Use the no version to set the time zone to UTC, the default setting.

Before You Configure NTP

ERX Edge Routers

show clock

Use to display the system time and the date.

Example
host1#show clock detail
FRI DEC 17 1999 15:39:42 EST
time source: manually entered by user
timezone: EST (-300 minutes from UTC)
DST start: 04/02/2000 02:00 EST
DST stop:

10/31/1999 02:00 EDT

DST offset: 60 minutes

Before You Configure NTP

Before you configure NTP, complete the following procedures:
1

Configure at least one IP address on the router.

Check that the system clock reads the correct time to within 15
minutes, and that the time zone and summer time settings are
correct.

Reset the system clock manually if the time, time zone, or summer
time settings are incorrect.

If you want to configure the NTP system as an NTP client, choose

the NTP servers.

Choosing NTP Servers

For the system, synchronizing to several stratum 2 or higher servers on

the Internet provides sufficient accuracy for the timing of event messages.
You can find a list of stratum 2 servers at
www.eecis.udel.edu/~mills/ntp/clock2.html
If you have access to an NTP server that you know to be reliable and
accurate, you can synchronize the system to that server alone. You may
prefer this method if you have used Simple Network Time Protocol
(SNTP) with other equipment.
If you know that an NTP server broadcasts on a network to which the
system has an interface, you do not need to configure NTP servers.
Simply enable the system to accept NTP broadcasts on that interface.

9-7

9-8

CHAPTER 9
Configuring the System Clock

NTP Configuration Tasks

By default, the system is an NTP client. You must configure NTP client
parameters to start NTP client operation. You can also configure the
system as an NTP server, whether or not you configure NTP client
parameters.
Enabling NTP Services

Before you can configure NTP client parameters or enable a virtual

router to act as an NTP server, you must enable NTP services. When you
enable NTP services, the NTP client associates itself with the current
virtual router. Because there is only one system clock to update, only the
virtual router on which you configure NTP can act as the NTP client.
However, any virtual router can act as an NTP server. To enable NTP
services:
1

(Optional) Access the virtual router with which you want to associate
NTP services.

Issue the ntp enable command.

ntp enable

Use to enable NTP services on the system.

This command associates NTP services and the NTP client with the current
virtual router.

Example
host1:boston(config)#ntp enable

Use the no version to disable NTP polling and clock correction and to remove
the association between NTP services and the virtual router.

NTP Client Configuration

To configure the system as an NTP client:

1

Ping the selected NTP servers to ensure that the system can reach
them.

Configure the system to acquire NTP data by completing one or

both of the following actions:
Assign the NTP servers.
Enable the system to receive broadcasts on an interface.

NTP Configuration Tasks

ERX Edge Routers

If you enable the system to receive broadcasts on an interface, set the

estimated round-trip delay between the system and an NTP
broadcast server.

Disable NTP on interfaces that should not receive NTP

communications for security or other reasons.

ntp broadcast-client

Use to enable the system to receive NTP broadcasts on an interface.

Example
host1(config-if)#ntp broadcast-client

Use the no version to prevent the system from receiving NTP broadcasts.

Use to set the estimated round-trip delay in the range 0 to 999,999

microseconds between the system and an NTP broadcast server.

Example

ntp broadcast-delay

host1(config)#ntp broadcast-delay 2000

Use the no version to set the estimated round-trip delay to the default, 3000
microseconds.

Use to disable NTP on an interface.

Example

ntp disable

host1(config-if)#ntp disable

Use the no version to re-enable NTP on an interface.

Use to assign an NTP server to the system and to customize the way the
server communicates with the system.

Specify the source option to direct responses from the NTP server to a specific
interface on the system and override the ntp source command.

Example

ntp server

host1(config)#ntp server 154.23.45.1 version 3 prefer source

atm 3/0.1

Use the no version to terminate communications between the system and an

NTP server.

9-9

9-10

CHAPTER 9
Configuring the System Clock

ping

Use to check that the system can reach an NTP server.

Example
host1(config)#ping 192.35.42.1

There is no no version.

Directing Responses from NTP Servers

By default, an NTP server sends a response to the interface from which

an NTP request originated. You can now direct responses from all NTP
servers to one interface on the system or direct responses from a specific
NTP server to a specific interface.
ntp source

Use to direct responses from all NTP servers to a specific interface. Using the
source option with the ntp server command overrides the ntp source
command.

Example
host1(config)#ntp source atm 3/1

Use the no version to direct all servers to reply to the interface from which the
NTP request was sent (the default setting).

Refusing Broadcasts from NTP Servers

You can prevent the system from receiving certain types of broadcasts
and specify the servers from which the system will accept NTP
broadcasts. To do so:
1

Issue the ntp access-group command.

Configure an access list.

Use to configure an access list.

Example

access-list

host1(config)#access-list europe permit any

The no version of this command removes the access list.

NTP Configuration Tasks

ERX Edge Routers

ntp access-group
Note: The system can accept, but does not use, NTP control queries.

Use to specify the types of broadcasts that the system will accept and respond
to, and to specify an access list of servers from which the system will accept
broadcasts.You can enable the system to:

Receive time requests, receive NTP control queries, and synchronize itself
to the servers specified on the access-list

Only receive time requests and NTP control queries from specified servers
Only receive time requests from specified servers
Only receive NTP control queries from specified servers

Example
host1(config-line)#ntp access-group peer europe

Use the no version to enable the system to receive all NTP broadcasts on
interfaces configured to receive broadcasts.

NTP Server Configuration

To enable a virtual router to act as an NTP server:

1

Access the virtual router context.

Specify that the virtual router will act as an NTP server.

Caution: Be sure that you do not override a valid time source if you specify the
stratum of the NTP server. Issuing the ntp master command on multiple systems
in the network may lead to unreliable timestamps if those systems do not agree on
the time.

(Optional) Specify the stratum of this NTP server.

ntp master

Use to specify the stratum number of a virtual router you configured as an NTP
server.

By default, the stratum number is set to the stratum number of the master plus
one.
Note: Although you can specify a stratum number of 1, the system does not support
stratum 1 service. The system can synchronize only with an NTP server, and not
directly with an atomic clock or radio clock.

Specify a stratum number for the system in the range 1 to 15. A stratum n
server is n hops from an accurate time source.

Example
host1:boston(config)#ntp master

Use the no version to restore the default stratum number.

9-11

9-12

CHAPTER 9
Configuring the System Clock

ntp server enable

Use to enable a virtual router to act as an NTP server.

Example:
host1:boston(config)#ntp server enable

Use the no version to prevent a virtual router from acting as an NTP server.

Configuration Examples

The following examples show how to configure the system as an NTP

client and an NTP server.
Example 1

NTP communications are established on the virtual router boston. The

system is a client of the NTP server with IP address 172.16.5.1.
host1#virtual-router boston
host1:boston#ping 172.16.5.1
Sending 5 ICMP echos to 172.16.5.1, timeout = 2 sec.
.....
Success rate = 0% (0/5), round-trip min/avg/max = 0/0/0 ms
host1:boston#configure terminal
host1:boston(config)#ntp server 172.16.5.1
host1:boston(config)#ntp enable

Example 2

NTP communications are established on the virtual router boston. The

system is specified as an NTP server.
host1#virtual-router boston
host1:boston#configure terminal
host1:boston(config)#ntp server

Monitoring NTP
After you configure the system as an NTP client, you can use show
commands to view information about the NTP servers you assigned and
the status of NTP on the interface.
Note: For about 30 minutes after you configure the system as an NTP client, the
data varies rapidly, and then starts to stabilize. Wait at least 1 hour before using the
data to make decisions about NTP servers.

Many of the fields in the display of these show commands take their
values from the NTP messages. The NTP client uses this data to compare
the performance of its NTP servers and to choose a master.

Monitoring NTP
ERX Edge Routers

show ntp associations

Use to view the information about the NTP servers you assigned.

Field descriptions

* (Master) system is synchronizing to this server

# (Master - unsynchronized) system has chosen this server as master, but
the master has not yet synchronized to UTC

+ (Selected) system will consider this server when it chooses the master

Peer Address IP address of server

- (Candidate) system may consider this server when it chooses the master
x (Unusable) server does not meet the initial criteria for master
p (Preferred) server that you specified as the preferred server
~ (Configured) server is a configured server; no tilde indicates a broadcast
server
Stratum number of hops between the server and the accurate time source
Poll time between NTP requests from system to server
Reachable 8-bit number that shows whether or not the NTP server
responded to the last eight requests from the system; one indicates a
response, zero indicates no response. For example, 11111111 indicates that
the NTP server responded to the last eight requests. If the system reaches
one server less often than it does other servers, that server is not a good
choice for the master.

Precision length of the clock tick (interrupt interval) of servers clock

Delay round-trip delay, with the lowest dispersion value in the sample
buffer, between the system and the server

Offset difference, with the lowest dispersion in the sample buffer, between
the systems clock and the servers clock

Disp. lowest measure, in the sample buffer, of the error associated with the
peer offset, based on the peer delay

Example

host1#show ntp associations

Peer Address

Stratum

Poll

Reachable

Precision

Delay

Offset

Disp.

- 10.6.129.58

512s

01111111

0.000000s

0.000s

0.052s

0.010s

+~152.2.21.1

256s

11111111

0.000015s

0.070s

0.039s

0.020s

+~128.182.58.100

256s

11011111

0.000004s

0.030s

0.019s

0.074s

*p128.118.25.3

256s

10111111

0.000015s

0.020s

0.038s

0.073s

(* Master, + Selected, - Candidate, x Unusable) (p Preferred, ~ Configured)

9-13

9-14

CHAPTER 9
Configuring the System Clock

show ntp associations detail

Use to view the information about the NTP servers you assigned.

Field descriptions

Peer IP address of server, status of the server: configured, master,

selected, candidate, correct, unusable
configured confirmation that you assigned this NTP server to the
system
master system has chosen this server as the master
selected system will consider this server when it chooses the master
candidate system may consider this server when it chooses the master
correct system considers the servers clock to be reasonably correct
unusable server does not meet the initial criteria for the master
stratum number of hops between the server and its stratum 1 server
Peer is a Broadcast/Configured Server type of NTP server: one that
broadcasts NTP messages or one you have configured for NTP services
version version of NTP on the server
polled every time between NTP requests from the system to the server
polls every time between NTP requests from the server to its NTP
servers
Root Delay round-trip time between the server and its stratum 1 root
server
Root Dispersion measure of all the errors associated with the network
hops and servers between the server and its stratum 1 server
Sync Dist. measure of the total time error since the update in the path to
the stratum 1 server
Peer Delay round-trip delay, with the lowest dispersion value in the
sample buffer, between the system and the server
Peer Dispersion lowest measure, in the sample buffer, of the error
associated with the peer offset, based on the peer delay and precision
Offset difference, with the lowest dispersion in the sample buffer,
between the systems clock and the servers clock
Reachability 8-bit number that shows whether or not the NTP server
responded to the last eight requests from the system; one indicates a
response; zero indicates no response. For example, 11111111 indicates
that the NTP server responded to the last eight requests. If the system
reaches one server less often than it does other servers, that server is not
a good choice for the master.
Precision length of the clock tick (interrupt interval) of the servers clock
Source IP address of the interface to which NTP servers should send
NTP responses

Timestamps of latest time samples from this peer; actual timestamps

displayed depends on how the server is configured
Root reference at last time at which the stratum 1 server sent an NTP
reply to the server

Monitoring NTP
ERX Edge Routers

Last request sent last time at which the system sent an NTP request to
the server
Response/Broadcast was sent last time at which the server sent an
NTP reply or broadcast to the system
Response/Broadcast received last time at which the system received an
NTP reply or broadcast from this server

Sample buffer for this peer contains the following samples:

Delay round-trip delay from client to server
Offset difference between clients and servers clocks
Dispersion measure of the errors of the offset values, based on the
round-trip delay and the precisions of the system and the server

Example

host1#show ntp associations detail

Peer 10.6.129.58 is selected, stratum 3
Peer is a Broadcast Server, version 3, broadcasts every 64 sec
Root Delay 0.059052 sec, Dispersion 0.189056 sec, Sync Dist. 0.229679 sec
Peer Delay -0.000016 sec, Dispersion 0.009665 sec, Offset 0.050714 sec
Reachability 11111110, Precision 0.000000 sec
'Source' Interface : default (transmit interface)
Timestamps of latest time sample from this peer:
Root reference

at:

Thu, Apr 13 2000 17:27:17.145 from 128.118.25.3

Broadcast was sent:

Thu, Apr 13 2000 17:42:02.118

Broadcast received:

Thu, Apr 13 2000 17:42:02.067

Sample buffer for this peer contains the following samples:

Delay

(sec):

0.000

0.000

0.000

0.000

0.000

0.000

0.000

Offset

(sec):

0.049

0.050

0.050

0.050

0.050

0.050

0.051

0.000
0.051

Dispersion (sec):

0.015

0.015

0.014

0.013

0.012

0.011

0.010

0.009

show ntp status

Use to view the configuration and status of the system.

Field descriptions

Status state of NTP on the system and the stratum number of the server
Offset Error time difference between the system and the master
Frequency Error error in the frequency of the systems clock
Last Update last time received from the master
Root Dispersion measure of all the errors associated with the network
hops and servers between the system and its stratum 1 server

Admin. State status of NTP on the router (enabled or disabled)

Virtual Router Name name of the virtual router to which you attached NTP
Broadcast Delay time for a broadcast message to travel between the
server and the client

Client Mode NTP client status

True system is an NTP client

9-15

9-16

CHAPTER 9
Configuring the System Clock

Master Mode NTP server status

True system is configured as an NTP server
False system is not configured as an NTP server

Stratum No. stratum number of system if configured as NTP server

Summer Time status of seasonal time
Summer Timezone Name name of summer time zone
Timezone Name name of time zone
Timezone Offset time difference between the time zone and UTC
Access List identities of access lists of servers from which the system will
not accept broadcasts

Source Interface IP address of the interface to which NTP servers should

send NTP responses

Address IP address of interface

NTP Enable status of NTP on the interface
BroadcastClient indication of whether or not this interface accepts
broadcasts from NTP servers

Name type of interface and its location

Example

host1#show ntp status

Network Time Protocol (NTP v.4)
Clock Status:
Status

: Initializing: calibrating frequency (15 min.)

Offset Error

: 0 sec, amortizing asymptotically

Frequency Error

: 0 sec/sec, compensating every second

Last Update

Root Dispersion

: 0.001605 sec

Configuration:
Admin. State

: NTP Enabled

Virtual Router Name

: default

Broadcast Delay

: 3000 microseconds

Client Mode

: True

Master Mode

: True

Stratum No.

: 5

Summer Time

: False

Summer Timezone Name

Timezone Name

: UTC

Timezone Offset

: 00:0

Access List

'Source' Interface

: default (transmit interface)

hours:minutes

Interface Configuration:
Address

NTP Enable

BroadcastClient

Name

Configuring Virtual
Routers

10

The ERX system allows you to create multiple logical or virtual routers in
a single system. Each virtual router has its own separate set of IP
interfaces, forwarding table, and instances of routing protocols.
Topic

Page

Overview

10-1

References

10-3

Configuring Virtual Routers

10-4

Monitoring Virtual Routers

10-8

Overview
Multiple distinct routers are supported within a single system, which
allows service providers to configure multiple, separate, secure routers
within a single chassis. These routers are identified as virtual routers
(VRs). Applications for this function include the creation of individual
routers dedicated to wholesale customers, corporate virtual private
network (VPN) users, or a specific traffic type.
Default Virtual Router

When you first boot your system, it creates a default virtual router. The
only difference between the default VR and any other router is that you
cannot create or delete the default VR. Just like any other router, the
default VR gets its IP addresses when you add interfaces to it.

10-2

CHAPTER 10
Configuring Virtual Routers

Virtual Router Instances

Your system can support up to 1,000 forwarding tables; that is, up to a

total of 1,000VRs and VPN routing and forwarding (VRF) instances.
Each VRF has a forwarding table. A network device attaching to a system
sees a router interface. The attaching device has no notion of the virtual
router behind the interface.
For example, a physical ATM link may have circuits that are connected to
different VRs. The physical and data link layers are not aware that there
are multiple router instances. See Figure 10-1.
ERX System
Virtual Router 1

ATM Subinterface
/ PVC

Virtual Router 2

ATM Subinterface
/ PVC

Virtual Router 3

ATM Subinterface
/ PVC

ATM Subinterface
/ PVC

ATM Major Interface

Figure 10-1 Virtual routers

VRs and VRFs are tools for implementing VPNs.

Routing Protocols

Your system implements the VRs by maintaining a separate instance of

each data structure for each VR and allowing each protocol (for example,
TCP/UDP, RIP, OSPF, and IS-IS) to be enabled on a case-by-case basis.
A table of router interfaces associates user connections (for example, PPP
or ATM) with one or more IP interfaces within a VR.
VPNs and VRFs

Your system supports VPNs and VRFs. For information on VPNs and
VRFs, see Configuring BGP VPN Services and Monitoring BGP/MPLS
VPNs in ERX Routing Protocols Configuration Guide, Vol. 2,
Chapter 3, Configuring BGP/MPLS VPNs.

References
ERX Edge Routers

VPNs

A VPN is a set of sites attached to a common network, but whose data is

handled separately from that common network.
VPNs enable private IP traffic to travel over a public TCP/IP network by
tunneling that traffic between VPN member sites. Different levels of
security are available depending on the security of the tunnel used
between sites.
Your system supports VPNs consisting of VRs or VRFs. See RFC 2547
BGP/MPLS VPNs. Additionally, your system supports tunnels built from
GRE, IPSec, L2TP, MPLS, and tunnels built from layer 2 circuits, such
as Frame Relay and ATM.
VRFs

A VRF is a virtual routing and forwarding instance that exists within the
context of a VR. The VRF provides forwarding information to your
system. The system looks up a packets destination in the VRF associated
with the interface on which the packet is received. In general, any
application that can be enabled in a VR can be enabled in a VRF. VRFs
are generally associated with the VPN behavior described in RFC 2547.
When a VRF receives an update message, it needs to know whether it
should add the route to its routing table. Similarly, when a VRF sends
update messages, it needs to identify the VPNs that it wants to receive the
updates. See ERX Routing Protocols Configuration Guide, Vol. 2,
Chapter 3, Configuring BGP/MPLS VPNs.

References
For more information about virtual routers, VPNs, or VRFs, consult the
following resources:
ERX Release Notes, Appendix A, System Maximums refer to the
Release Notes corresponding to your software release for information
on maximum values.
ERX Routing Protocols Configuration Guide, Vol. 2, Chapter 3,
Configuring BGP/MPLS VPNs
RFC 2547 BGP/MPLS VPNs (March 1999)
RFC 2917 A Core MPLS IP Architecture (September 2000)

10-3

10-4

CHAPTER 10
Configuring Virtual Routers

Configuring Virtual Routers

This section provides examples of some of the more common virtual
router tasks.
There are different uses of the virtual-router command. You can create
or access VRs and VRFs in Global Configuration mode or map a VR to a
domain map in Domain Map Configuration mode. Once you create a
VR, you can continue to work in different command modes and
configure the same user interface parameters as before the virtual router
was created.
Note: For information on the many VR tasks you can configure, see the related
chapter; for example, Configuring IP or Configuring BGP.

Create and name a VR in Configuration mode.

host1(config)#virtual-router western
host1:western(config)#

Create a VRF to provide forwarding information to your system. In

this example, the VRF created is in context with the VR created
above.
host1:western(config)#ip vrf eastern
Proceed with new VRF creation? [confirm]
host1:western(config-vrf)#virtual-router:eastern
host1:western:eastern(config)#

Access a VRF from the context of a different VR.

host1(config)#virtual-router western:eastern
host1:western:eastern(config)#

View your configuration choices from a VR or VRF context.

host1:western:eastern(config)#?
aaa

Configure authentication, authorization,

and accounting characteristics

access-list

Configure an access list entry

arp

Configure a static ARP entry

bandwidth

Configure slot-group bandwidth control

banner

Define a banner line

baseline

Configure baseline operations

boot

Configure boot time behavior

bulkstats

Configure bulkstats parameters

cbf

Configure connection-based forwarding

classifier-list

Configure a classifier list entry

clns

Configure CLNS characteristics

Configuring Virtual Routers

ERX Edge Routers

clock

Set the system's clock

controller

Configure controller parameters

crypto

Configure cryptographic parameters

disable-autosync

Disable automatic synchronization of

redundant system controller file system

disable-switch-on-error

Disable automatic switch to redundant system

enable

Configure security related options

controller upon software/hardware error

end

Exit Global Configuration mode

exception

Configure core dump

exclude-subsystem

Exclude copying a subsystem from the release

exit

Exit from the current command mode

ftp-server

Configure FTP Server characteristics

help

Describe the interactive help system

host

Add/modify an entry to the host table

hostname

Set the host (system) name

interface

Enter Interface Configuration mode

ip

Configure IP characteristics

l2f

Configure L2F parameters

l2tp

Configure L2TP parameters

license

Configure licenses

line

Enter Line Configuration mode

log

Configure logging settings

macro

Run a CLI macro

map-list

Create an NBMA static map

memory

Configure and administer memory operations

mpls

Configure MPLS global parameters

no

Negate a command or set its default(s)

ntp

Configure the Network Time Protocol

policy-list

Enter Policy Configuration mode

pppoe

Configure PPPoE

profile

Specify a profile

radius

Configure RADIUS server

rate-limit-profile

Enter rate limit profile configuration mode

redundancy

Perform a redundancy configuration

route-map

Configure a route map

router

Configure a routing protocol

rtr

Configure rtr parameters

service

Configure system-level services

set

Configure

sleep

Make the Command Interface pause for a

specified duration

slot

Configure and administer slot operation

snmp-server

Configure SNMP parameters

sscc

The SSC Client

telnet

telnet daemon configuration

timing

Configure network timing

10-5

10-6

CHAPTER 10
Configuring Virtual Routers

traffic-shape-profile

Enter traffic shape profile configuration mode

virtual-router

Specify a virtual router

host1:western:eastern(config)#

View the VRF configuration choices from VRF Configuration mode.

host1:western(config-vrf)#?
exit

Exit from the current command mode

export

Specify VRF export characteristics

help

Describe the interactive help system

import

Specify VRF import characteristics

log

Configure logging settings

macro

Run a CLI macro

no

Negate a command or set its default(s)

rd

Specify route distinguisher

route-target

Specify VPN extended community Target

sleep

Make the Command Interface pause for a

specified duration

host1:western(config-vrf)#

Access a VR to configure it with an interior gateway protocol (IGP) or

exterior gateway protocol (EGP) to learn routes from a customer edge
device (CE). See the related routing protocol chapters for detailed
information.
Example 1
VR with an
IGP

host1(config)#virtual-router miami

Example 2
VR with an
EGP

host1(config)#virtual-router western

host1:miami(config)#router ospf 5
host1:miami(config-router)#

host1:western(config)#router bgp 359

host1:western(config-router)#

Configure a Telnet daemon to listen in VRs other than the default VR.
host1(config)#virtual-router boston
host1(config)#telnet listen port 23

List all VRs and VRFs on the system.

host1#show virtual-router
Virtual Router : default
Virtual Router : thursday
Virtual Router : western
VRF : eastern
Virtual Router : boston

Configuring Virtual Routers

ERX Edge Routers

Virtual Router : miami

Virtual Router : northern
VRF : southern
host1#

Map a VR to a user domain name in Domain Map Configuration

mode. The VR must already exist.
host1(config)#aaa domain-map jacksonville
host1(config-domain-map)#virtual-router western
host1(config-domain-map)#

aaa domain-map

Use to map a user domain name to a virtual router.

Examples
host1-0-1-90(config)#aaa domain-map juniper.net vrouter_1
host1-0-1-90(config)#aaa domain-map none vrouter__all_purpose
host1-0-1-90(config)#aaa domain-map DEFAULT vrouter_all_purpose

Use the no version of the command to delete the domain map.

Use to create a VRF or access VRF Configuration mode to configure a VRF.

You must specify a route distinguisher after you create a VRF. Otherwise, the
VRF will not operate.

Example

Use the no version to remove a VRF.

Use to create a Telnet daemon to listen in a virtual router.

Example

ip vrf

host1-00-02-80:boston(config)#ip vrf vpn-A

telnet listen

host1(config)#virtual-router 3
host1(config)#telnet listen port 3223

Use the no version of the command to delete the daemon.

From Global Configuration mode, use this command to create a virtual router or
access the context of a previously created virtual router or a VRF.

From Domain Map Configuration mode, use this command to map the VR to a
user domain name. Use the no version in this mode to delete the VR parameter
and assign the default VR.

A VR name consists of up to 15 alphanumeric characters.

Once you are in the context of a particular VR or VRF (indicated by the change
in the prompt), all subsequent commands you enter apply to that context until
you exit the context.

virtual-router

10-7

10-8

CHAPTER 10
Configuring Virtual Routers

Use the no version of the command only to delete the VR and return the
system to the default VR. Issuing the command no virtual-router
vrName.vrfName has no effect.

Issuing a no version of this command (no virtual-router :vrfName or

no virtual-router vrName:vrfName) that specifies an existing VRF only
displays the error message: Cannot delete a VRF with this command." You
must use the no ip vrf command to remove a VRF.
Note: See ERX Command Reference Guide for additional information.

Monitoring Virtual Routers

Use the show virtual-router and show aaa domain-map commands
to display virtual router and user-domain-to-virtual-router mapping
information. Use the show ip forwarding table command to display
information on memory usage by virtual routers.
show aaa domain-map

Use to display the mapping between user domains and virtual routers.

The following keywords have significance when used as user domains:

none all client requests with no user domain name are associated with the
virtual router mapped to the none entry

default all client requests with a domain present that has no map are
associated with the virtual router mapped to the default entry

Example
host1#show aaa domain-map
Domain: boston; virtual-router: default
Tunnel Tunnel Tunnel Tunnel Tunnel
Tag

Peer

Source

Type

Tunnel

Medium Password

Tunnel
Id

Tunnel
Hostname

------ ------ ------ ------ ------ --------

------ --------

31

<null> <null>

<null> <null> l2tp

Tunnel

Tunnel

Server

Tunnel

Name

Preference

------

------

----------

31

<null>

2000

Tag

ipv4

<null>

Monitoring Virtual Routers

ERX Edge Routers

show configuration virtual-router

Use to display configuration information for the virtual routers configured on

your system.

You can create a configuration script from the output by saving it as a file with
the .scr extension.

You can exclude information about a particular type of interface.

You can use the output filtering feature of the show command to include or
exclude lines of output based on a text string you specify. See Chapter 2,
Command Line Interface, for details.

Example
host1#show configuration virtual-router default
virtual-router default
ip domain-lookup
ip name-server 10.2.0.3
ip domain-name "junipercom.com"
!
host f 10.10.0.129 ftp anonymous null
interface null 0
!
interface fastEthernet 0/0
ip address 192.168.1.155 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip multicast-routing
!
mpls rsvp profile default
mpls ldp profile default
cr-ldp
!
rtr 1
type echo protocol ipIcmpEcho 10.5.0.200 source
fastEthernet0/0
frequency 1
samples-of-history-kept 5
timeout 10000
!

show ip forwarding-table slot

Use to display the memory used by each VR configured on a line module and
free memory available on the line module.

Field descriptions

Free Memory amount of memory free on the line module, in kilobytes

Virtual Router name of the virtual routers configured on the line module
Memory (KB) amount of memory consumed by the VR, in kilobytes
Load Errors counts errors made while loading the routing table on the line
module

10-9

10-10

CHAPTER 10
Configuring Virtual Routers

Status indicates whether the routing table for the VR is valid

Example
host1#show ip forwarding-table slot 9
Free Memory = 14,328KB
Virtual Router

Memory

Load Errors

Status

(KB)
----------------

---------

-------------

--------

vr1

4128

Valid

vr2

3136

Valid

vr3

2256

Valid

vr4

1512

Valid

default

1024

Valid

-----------------------------------------------------------

show virtual-router

Use to display virtual routers configured on your system.

The display shows the name of the virtual router and the status of the
supported protocols.

You can use the output filtering feature of the show command to include or
exclude lines of output based on a text string you specify. See Chapter 2,
Command Line Interface, for details.

Example
host1-0-6-60#show virtual-router
Virtual Router : default
Ip:

Present

Bgp:

Present

Isis:

Present

Ospf:

Not Present

Rip:

Present

Virtual Router : two

Ip:

Present

Bgp:

Not Present

Isis:

Not Present

Ospf:

Not Present

Rip:

Present

Virtual Router : three

Ip:

Present

Bgp:

Not Present

Isis:

Not Present

Ospf:

Not Present

Rip:

Present

Logging System Events

11

The ERX system allows you to log system events to discover and isolate
problems with your system. This chapter shows how to use the CLI to
monitor your systems log configuration and stay abreast of all system
events that you want to track.
Topic

Page

Overview

11-1

Configuring Event Logging

11-3

Monitoring Logging System Events

11-12

List of Event Categories

11-16

Overview
System events are classified into event categories. Using the CLI, you can
determine which event categories to log. To take the most advantage of
the logging facility, it is important to understand the terms log severity
and log verbosity.
Log Severity

Log severity is a level that is assigned to an event or log message. Log

severity levels apply to event categories, such as bulkStats, bgpRoutes, or
atm1483.
The minimum severity of a log message for an individual category is
described either by a severity number in the range 07 or a descriptive
priority term, such as emergency or debug. The lower the severity
number is, the higher the priority. See Table 11-1.

11-2

CHAPTER 11
Logging System Events

Note: Not every event category supports every severity level. For a list of event
categories and the severity levels that each category supports, see List of Event
Categories later in this chapter.
Table 11-1 Log severity descriptions
Severity Number Severity Name

System Response

Emergency

System unusable; shelf reset

Alert

Immediate action needed; card reset

Critical

Critical conditions exist; interface is down

Error

Error conditions; nonrecoverable software

error

Warning

Warning conditions; recoverable software

error

Notice

Normal but significant conditions; nonerror,

low-verbosity information

Info

Informational messages; nonerror,

medium-verbosity information

Debug

Debug messages; nonerror, high-verbosity

information

Log Verbosity

The verbosity level determines the amount of information that appears in

each message. You can assign the verbosity level for the log category.
Verbosity levels can be any of the following:
Low terse
Medium moderate
High verbose
Note: Many event categories provide only low-verbosity detail regardless of the
verbosity setting.

Persistent Logs

Log messages can survive a system reboot. After a reboot, the system
rebuilds the list of log messages. However, if the system detects any
problems or has gone through a power cycle, the buffer is reset, and the
log messages from the previous session are lost.
Log messages are not synchronized between primary and redundant SRP
modules. During a switchover from a primary to a redundant SRP
module, existing log messages are not transferred to the redundant SRP
module.

Configuring Event Logging

ERX Edge Routers

Configuring Event Logging

By default, event logging is enabled and has default settings. This section
shows how to change the following settings to customize event logging to
fit your needs.
Set a baseline for when the system begins logging messages.
host1#baseline log 11:12:55 April 30 2002

Set the log severity.

host1(config)#log severity warning

Remove the limit on the number of buffers available for an event

category.
host1(config)#log unlimit qos

Set the log verbosity.

host1(config)#log verbosity log

Log messages to a specified destination.

host1(config)#log destination syslog 10.10.9.5 include
ospfGeneral mplsGeneral os

Select fields to be added to logs.

host1(config)#log fields timestamp instance no-calling-task

Enable logs destined for a console to be displayed at the current

console device.
host1#log here

The next sections show how to configure individual and systemwide logs,
how to format timestamps for log messages, and how to configure log
filters.
baseline log

Use to set a baseline for logging events. Only log messages timestamped after
the baseline will appear when you enter the show log data delta command.

To use the current system time, do not enter any options.

To set a specific time, use the following syntax:

Hour:Minute[:Second] current time in 24-hour format. Seconds are optional.

utc enter this keyword to indicate that the time entered is in universal
coordinated time (UTC), rather than local time.

To set a specific date, use the following syntax:

Month Day Year you must spell out the name of the month.

11-3

11-4

CHAPTER 11
Logging System Events

last-reset causes the system to display log messages generated since the
last time the system was reset

Examples
host1#baseline log 11:12:55 April 30 2002
host1#baseline log last-reset

There is no no version.

Use to log messages to the specified destination, including system log,

console, and nv-file (nonvolatile storage).

log destination

Note: You can display traffic logssuch as ipTraffic, icmpTraffic, tcpTraffic, and
udpTrafficonly via the show log data command or from the SRP module console.
You cannot redirect traffic logs elsewhere, such as to a system log or nonvolatile
storage file, or to a Telnet session.

Use the severity keyword to limit the messages logged based on priority level.

The following information applies to logging messages to system log servers.

You can have multiple system log servers, but must configure logging to
each one separately.

A particular message within a specified event category is logged to a

particular system log server only if the priority of the message is greater than
or equal to both the priority of the event category and the priority of that
system log server.

If you log messages to a system log server, you can also specify:
facility specifies a facility ID on the system log destination host. The
range is 07, representing the logging facilities local0local7.
include logs only the listed categories to system log; no other
categories are logged unless specifically included by issuing this
command again.
exclude logs all categories to system log except the listed categories;
all other categories are logged unless specifically excluded by issuing this
command again.

Issuing an include command after an exclude command (or vice versa)

overrides the earlier command. Therefore, you cannot enter a command
including certain categories and then follow it with a command excluding
others. Similarly, you cannot enter a command excluding certain categories
and then follow it with a command including others.

You can issue successive include commands or successive exclude

commands; in this case, the successive commands expand the list of
included or excluded categories.

In this example, the first command causes only the osfpGeneral, mplsGeneral,
and os event categories to be logged to system log at 10.10.9.5. The second
command reverses this inclusion and restores the logging of all event
categories.
host1(config)#log destination syslog 10.10.9.5 include
ospfGeneral mplsGeneral os
host1(config)#no log destination syslog 10.10.9.5

Configuring Event Logging

ERX Edge Routers

In this example, the first command again causes only the osfpGeneral,
mplsGeneral, and os event categories to be logged to system log at 10.10.9.5.
The second command reverses the inclusion of ospfGeneral and os. The
mplsGeneral category is still included and is thus the only category logged.
host1(config)#log destination syslog 10.10.9.5 include
ospfGeneral mplsGeneral os
host1(config)#no log destination syslog 10.10.9.5 include
ospfGeneral os

In this example, the first command causes the isisGeneral, ipRoutePolicy, and
ipTraffic event categories to be excluded from logging to system log at 10.1.2.3.
The second command reverses this exclusion and restores the logging of all
event categories.
host1(config)#log destination syslog 10.1.2.3 exclude
isisGeneral ipRoutePolicy ipTraffic
host1(config)#no log destination syslog 10.1.2.3 exclude

In this example, the first command again causes the isisGeneral,

ipRoutePolicy, and ipTraffic event categories to be excluded from logging to
system log at 10.1.2.3. The second command reverses the exclusion of
ipRoutePolicy and ipTraffic. The isisGeneral category is still excluded; all other
events are logged.
host1(config)#log destination syslog 10.1.2.3 exclude
isisGeneral ipRoutePolicy ipTraffic
host1(config)#no log destination syslog 10.1.2.3 exclude
isisGeneral

In this example, the first command causes the isisGeneral event category to be
excluded from logging to system log at 10.1.2.3. The second command causes
ospfGeneral to also be excluded from logging.
host1(config)#log destination syslog 10.1.2.3 exclude
isisGeneral
host1(config)#log destination syslog 10.1.2.3 exclude
ospfGeneral

In this example, the first command causes the isisGeneral event category to be
excluded from logging to system log at 10.1.2.3; all other events are logged.
The second command overrides the first and causes the exclusion of all events
except ospfGeneral.
host1(config)#log destination syslog 10.1.2.3 exclude
isisGeneral
host1(config)#log destination syslog 10.1.2.3 include
ospfGeneral

Use the no version to reverse the effects of previous commands or restore the
default, which is to log all event categories.

11-5

11-6

CHAPTER 11
Logging System Events

log destination syslog source

Use to specify a source interface type and location for events logged to system
log at the specified IP address.

Overrides the actual source interface type and location. The IP address
associated with the specified source interface will be used as the source
address for subsequent system log messages.

Example
host1(config)#log destination syslog 10.1.2.3 source atm 0/1

Use the no version to restore the actual source interface type and location.

Use to enable engineering logs.

This command can provide you with troubleshooting information that will assist
you when contacting Juniper Networks Customer Service.

Example

log engineering

host1(config)#log engineering

Use the no form of this command to disable engineering logs.

Use to select fields to be added to all logs. These fields include a timestamp for
the message, an instance identifier, and the name of the internal software
application that created the message.

Example

log fields

host1(config)#log fields timestamp instance no-calling-task

Use the no version to restore the default log field settings.

Use to enable logs destined for a console to be displayed at the current

console.

By default, the local console automatically receives all log messages if console
is a destination. The exception is the cliCommand log. These log events do not
appear on the console.

By default, Telnet consoles do not receive log messages.

Example

log here

host1#log here

Use the no version to disable logs destined for a console from being displayed
on this console.

Configuring Event Logging

ERX Edge Routers

log severity

Use to set the severity level for a selected category or for systemwide logs. For
a list of severity values, see Table 11-1.

If you do not specify a category, then the severity value is set for all categories,
except individual logs for which you previously set a specific value. See the
next section, Configuring Log Severity for Individual and Systemwide Logs.

Each event category has its own default severity value. For most categories,
the default is error.

To disable log messages use the off keyword.

Example
host1(config)#log severity warning

Use the no version to return to the default severity value (error) for the selected
category. To return all logs to their default severity setting, include an *
(asterisk) with the no version. For example:
host1(config)#no log severity *

log unlimit

Use to remove the limit on the number of outstanding buffers for an event
category. You would remove the limit in cases where the system is dropping
logs of a particular category.

Example
host1(config)#log unlimit qos

Use the no version to return to the default value.

Use to set the verbosity level for a selected category or for all categories.

If you do not specify a category, then the verbosity level is set for all categories.

The default verbosity setting for all logs is low.

Example

log verbosity

host1(config)#log verbosity log

Use the no version to return to the default verbosity (low) for the selected
category.

Configuring Log Severity for Individual and Systemwide Logs

Each event category has its own default severity setting that is based on
the type of log messages for that category. You can change the severity
setting for individual logs and the systemwide value:
To change the log severity of an individual log, set the individual log
category to an explicit value. The new value overrides any systemwide
value, and subsequent commands that set the systemwide severity
value do not override the value you set for the individual log. To return
an individual log severity to its default value, which also allows the

11-7

11-8

CHAPTER 11
Logging System Events

individual log severity to be overridden by the systemwide value, use

the no version of the log severity command, and specify the
individual log category.
To change the log severity of every log, set the systemwide severity.
The systemwide severity setting does not override individual log
severities that you explicitly set.
To return all logs, systemwide and individual, to their default severity
level, use the no log severity * command.
Examples

The following example sets all logs to log at severity info, except for the
bgpEvents and bgpRoutes categories.
host1(config)#log severity warning bgpEvents
host1(config)#log severity notice bgpRoutes
host1(config)#log severity info

The following command removes the severity values for bgpEvents;

bgpEvents now logs at the info severity level.
host1(config)#no log severity bgpEvents

The following command returns all logs to their default severity level.
host1(config)#no log severity *

To see whether individual or systemwide severity and verbosity settings

are in effect, use the show log configuration command.
Configuring Log Verbosity for Individual Logs or All Logs

The default verbosity setting for all logs is low. To change the logging
verbosity of an individual log, specify a category when you enter the log
verbosity command. To change the log verbosity of every log, do not
specify an event category when you enter the log verbosity command.
However, once you enter the log verbosity command without specifying
a particular event category, all logs are set to the new verbosity. No log
verbosity overrides are saved.
Example

The following example sets all log categories to verbosity medium, and
then it sets the verbosity level for ds3 events to high.
host1(config)#log verbosity medium
host1(config)#log verbosity high ds3

Configuring Event Logging

ERX Edge Routers

Setting the Timestamp for Log Messages

You can use the service timestamps command to format timestamps for
log messages. By default, log messages display universal coordinated time
(UTC) without the time zone.
The following examples illustrate how you can change the timestamp on
log messages.
Set the time zone to EDT, 5 hours behind UTC, and display the local
time on the log messages.
host1(config)#clock timezone EDT -5
host1(config)#service timestamps log datetime show-timezone
localtime
host1#exit
host1#show log data category cliCommand severity info
***********************************************************
NOTICE 05/14/2001 13:22:48 EDT cliCommand: "clock timezone
EDT -5", console
NOTICE 05/14/2001 13:23:03 EDT cliCommand: "service
timestamps log datetime show-timezone localtime ", console
***********************************************************

Display UTC, but no time zone, on the log messages.

host1(config)#service timestamps log datetime
host1#exit
host1#show log data category cliCommand severity info
***********************************************************
NOTICE 05/14/2001 18:24:49 cliCommand: "configure terminal",
console
NOTICE 05/14/2001 18:24:45 cliCommand: "service timestamps
log datetime", console
***********************************************************

Display UTC and the time zone on the log messages.

host1#configure terminal
host1(config)#service timestamps log datetime show-timezone
host1(config)#exit
host1#show log data category cliCommand severity info
***********************************************************
NOTICE 05/14/2001 18:28:45 UTC EDT cliCommand: "configure
terminal", console

11-9

11-10

CHAPTER 11
Logging System Events

NOTICE 05/14/2001 18:28:42 UTC EDT cliCommand: "service

timestamps log datetime show-timezone", console
***********************************************************

Display no timestamp on the log messages.

host1#configure terminal
host1(config)#no service timestamps
host1#exit
host1#show log data category cliCommand severity info
***********************************************************
NOTICE 134 cliCommand: "configure terminal", console
NOTICE 133 cliCommand: "no service timestamps", console
***********************************************************

service timestamps

Use to format timestamps for log messages.

For information about setting local times and time zones, see Chapter 9,
Configuring the System Clock

The show log data command displays the log data with the current timestamp
format.

The show log data nv-file command displays the log data with the timestamp
format in effect at the time the log record was written.

Use the no version to remove timestamps from log messages.

Configuring Log Filters

Many event categories contain filters that let you further refine the type
of information that the system logs. For example, when logging BGP
connections, you can limit the information logged to a specific access
class, peer, route map, or virtual router.
You define filters when you set the log severity for an event category. The
online Help shows the options you can set for each filter. The following
example creates a filter that logs BGP connection information at the
debug severity level on traffic that matches access list ListOne, and is
incoming traffic to virtual router default.
host1(config)#log severity debug bgpevents ?
access-class

Select an access list for the filter

in

Select import/in direction for the filter

out

Select export/out direction for the filter

peer

Select a peer IP address for the filter

route-map

Select a route map for the filter

router

Identify an instance of a virtual router

Configuring Event Logging

ERX Edge Routers

<cr>
host1(config)#log severity debug bgpevents access-class ?
WORD

The access list

host1(config)#log severity debug bgpevents access-class

ListOne ?
filtering-router Identify virtual router where
access-class/route-map are defined
in

Select import/in direction for the filter

out

Select export/out direction for the filter

route-map

Select a route map for the filter

<cr>
host1(config)#log severity debug bgpevents access-class
ListOne route-map ?
WORD

The route map

host1(config)#log severity debug bgpevents access-class

ListOne route-map default ?
filtering-router Identify virtual router where
access-class/route-map are defined
in

Select import/in direction for the filter

out

Select export/out direction for the filter

<cr>
host1(config)#log severity debug bgpevents access-class
ListOne route-map default in

The next example limits the logging of PPP debug events to traffic to or
from the POS interface in slot 2/0.
host1(config)#log severity debug ppp ?
atm

Specify an ATM PPP interface

fastEthernet

Specify a fastEthernet interface

gigabitEthernet

Specify a gigabitEthernet interface

mlppp

Specify an MLPPP network interface

pos

Specify a POS PPP interface

serial

Specify a serial PPP interface

<cr>
host1(config)#log severity debug ppp pos 2/0

List of Event Categories, later in this chapter, includes the filters available
in each event category.
Turning Off Filters

There are three ways to turn off filters. The first turns off all filters, the
second lets you turn off all filters for an event category, and the third lets
you turn off a specific filter.

11-11

11-12

CHAPTER 11
Logging System Events

To turn off all filters:

host1(config)#no log filters

To turn off all filters for an event category, use the no version of the log
severity command along with the category name. For example:
host1(config)#no log severity bgpEvents filters

To turn off a specific filter, use the no version of the log severity
command that you used to add the filter. For example:
host1(config)#no log severity bgpEvents peer 10.0.0.2
10.0.0.1

no log filters

Use to turn off log filters.

To turn off all filters for an event category, specify the category name.

To turn off a specific filter, use the no version of the log severity command that
you used to add the filter.

Example
host1(config)#no log filters

Monitoring Logging System Events

Use the show log configuration command to display your log
configuration. Use the show log data command to display system events
on your screen.
You can use the output filtering feature of the show command to include
or exclude lines of output based on a text string you specify. See show
Commands in Chapter 2, Command Line Interface, for details.
show log configuration

Use to show the logging configuration on your system.

Example 1 factory defaults are set

host1#show log configuration
log destination console severity WARNING
log destination nv-file severity CRITICAL
no log engineering
log fields timestamp instance no-calling-task
no log severity
category

severity

verbosity

filters

-------------------------

--------

---------

-------

NameResolverLog

ERROR

low

aaaAtm1483Cfg

ERROR

low

Monitoring Logging System Events

ERX Edge Routers

aaaEngineGeneral

ERROR

low

aaaServerGeneral

ERROR

low

addressServerGeneral

ERROR

low

atm

ERROR

low

atm1483

ERROR

low

atmAal5

ERROR

low

bgpConnections

ERROR

low

cliCommand

NOTICE

low

controlNetworkSlave

ERROR

low

cops

ERROR

low

ERROR

low

...

...
udpTraffic

Example 2 individual log udpTraffic is set to warning

host1#(config)#log severity warning udpTraffic
host1##show log configuration
log destination console severity WARNING
log destination nv-file severity CRITICAL
no log engineering
log fields timestamp instance no-calling-task
no log severity
category

severity

verbosity

filters

-------------------------

--------

---------

-------

NameResolverLog

ERROR

low

aaaAtm1483Cfg

ERROR

low

aaaEngineGeneral

ERROR

low

aaaServerGeneral

ERROR

low

addressServerGeneral

ERROR

low

atm

ERROR

low

atm1483

ERROR

low

atmAal5

ERROR

low

bgpConnections

ERROR

low

cliCommand

NOTICE

low

controlNetworkSlave

ERROR

low

cops

ERROR

low

WARNING*

low

...

...
udpTraffic

* Default severity setting is overridden by the individual

log severity setting.

11-13

11-14

CHAPTER 11
Logging System Events

Example 3 log severity is set to alert

host1#(config)#log severity alert
host1#show log configuration
log destination console severity WARNING
log destination nv-file severity CRITICAL
no log engineering
log fields timestamp instance no-calling-task
log severity ALERT
category

severity

verbosity

filters

-------------------------

--------

---------

-------

NameResolverLog

ALERT#

low

aaaAtm1483Cfg

ALERT#

low

aaaEngineGeneral

ALERT#

low

aaaServerGeneral

ALERT#

low

addressServerGeneral

ALERT#

low

atm

ALERT#

low

atm1483

ALERT#

low

atmAal5

ALERT#

low

bgpConnections

ALERT#

low

...
cliCommand

ALERT#

low

controlNetworkSlave

ALERT#

low

cops

ALERT#

low

ALERT#

low

...
udpTraffic

# Default severity setting is overridden by the system-wide

severity setting.

Example 4 individual log atm is set to severity warning

host1#(config)#log severity warning atm
host1#show log configuration
log destination console severity WARNING
log destination nv-file severity CRITICAL
no log engineering
log fields timestamp instance no-calling-task
log severity ALERT
category

severity

verbosity

filters

-------------------------

--------

---------

NameResolverLog

ALERT#

low

aaaAtm1483Cfg

ALERT#

low

aaaEngineGeneral

ALERT#

low

aaaServerGeneral

ALERT#

low

addressServerGeneral

ALERT#

low

atm

WARNING*

low

-------

Monitoring Logging System Events

ERX Edge Routers

atm1483

ALERT#

atmAal5

ALERT#

low
low

bgpConnections

ALERT#

low

cliCommand

ALERT#

low

controlNetworkSlave

ALERT#

low

cops

ALERT#

low

ALERT#

low

...

...
udpTraffic

# Default severity setting is overridden by the system-wide

severity setting.
* Default severity setting is overridden by the individual
log severity setting.

show log data

Use to display system events. The following keywords allow you to be selective
about which events are displayed.

category limits the display to a single log event category. Refer to the CLI
online Help for available categories.

Example
host1#show log data category os

delta limits the display to events that occurred after the time set with the log
baseline command.

nv-file displays the information that is currently logged to nonvolatile storage.

Example
host1#show log data nv-file
logFile.temp: The system cannot find the file specified.
ALERT 09/12/2000 21:29:17 os: ASSERTION FAILED: file mplsNvs2.cc, line 789
ALERT 09/20/2000 02:18:06 os: ASSERTION FAILED: file osPool.cc, line 819
ALERT 09/20/2000 02:26:35 os: ASSERTION FAILED: file osPool.cc, line 819
ALERT 09/20/2000 02:44:33 os: ASSERTION FAILED: file osPool.cc, line 819
ALERT 09/20/2000 04:56:35 os: ASSERTION FAILED: file osPool.cc, line 819
ALERT 09/27/2000 03:10:25 os: ASSERTION FAILED: file
/sw0/sc/nvs/include/../nvMapBackend.h, line 235
ALERT 10/02/2000 04:05:42 os: ASSERTION FAILED: file osHeap.cc, line 439
ALERT 10/02/2000 04:08:04 os: ASSERTION FAILED: file osMessageQueue.cc,
line
42, rip1
ALERT 10/12/2000 03:43:38 os: PANIC: file osSemaphore.cc, line 54
ALERT 11/01/2000 02:03:49 os: ASSERTION FAILED: file cliCommand.cc, line
195

11-15

11-16

CHAPTER 11
Logging System Events

severity displays events that have a specific severity level.

Example
host1#show log data severity notice
NOTICE 01/10/2001 00:59:50 os: config -- using running
NOTICE 01/10/2001 00:59:52 os: srp application, build date: 0x3a437424 (FRI
DEC 22 2000 15:32:52 UTC)
NOTICE 01/10/2001 00:59:52 os: last reset: user reboot, reason: not
specified
NOTICE 01/10/2001 00:59:52 os: OsIsrRegistrar: 0xb
NOTICE 01/10/2001 00:59:52 os: OsIsrRegistrar: 0xa
NOTICE 01/10/2001 00:59:52 os: OsIsrRegistrar: 0x2

By combining keywords, you can further limit the information displayed. See
the CLI online Help for information on the keywords available at each level.
host1#show log data nv-file severity alert

List of Event Categories

This section lists each event category in the system software. To help you
determine the severity level to set when troubleshooting, the log strategy
for each event category is included. The log strategy shows the type of
information logged for each severity level. In addition, this section
includes the filters available in each event category.

aaaAtm1483Cfg
Description:

AAA ATM 1483 subinterface configuration

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Illegal service category traffic parameter received from AAA; unable to

modify circuit traffic parameters using those received from AAA

Notice:

None

Info:

None

Debug:

Notification from AAA indicating that an ATM 1483 subinterface

configuration is available; ATM 1483 processing configuration received
from AAA; unable to get ATM 1483 subinterface information; number of
ATM 1483 configuration entries is out of range

Filter:

None

List of Event Categories

ERX Edge Routers

aaaEngineGeneral
Description:

AAA engine general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

Control flow and key events, less verbose than debug

Info:

None

Debug:

Control flow and key events

Filter:

None

aaaServerGeneral
Description:

AAA server general

Emergency:

None

Alert:

None

Critical:

None

Error:

Subscriber count exceeds license plus grace; internal attachment errors

Warning:

Subscriber count exceeds license; cannot grow internal memory pools;

accounting message failures

Notice:

Authentication failures resulting from memory allocation failures

Info:

None

Debug:

Authentication failures resulting from reasons other than memory

allocation failures; status of authentication; accounting and address
assignment requests sent to local (internal) servers; duplicate accounting
message failures

Filter:

None

11-17

11-18

CHAPTER 11
Logging System Events

aaaUserAccess
Description:

AAA user access

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

User is granted or denied access

Debug:

None

Filter:

None

addressServerGeneral
Description:

Address server general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Address server request failure (for example, configured address server is

not available)

Notice:

None

Info:

None

Debug:

None

Filter:

None

ar1AaaServerGeneral
Description:

Platform-dependent AAA server

Emergency:

None

Alert:

None

Critical:

None

Error:

Internal (NVS) errors for limit configuration per interface

Warning:

None

Notice:

None

Info:

None

Debug:

Interface information insufficient to identify the users interface location

Filter:

None

List of Event Categories

ERX Edge Routers

atm
Description:

ATM interface

Emergency:

None

Alert:

None

Critical:

None

Error:

Unable to reenable ILMI administrative state after UNI version change

Warning:

Error getting location of underlying physical interface; error binding or

unbinding to physical interface; error allocating memory for new interface;
error setting system identifier; error adding or configuring an interface;
error getting capabilities of interface; error getting maximum VPI/VCI for
interface; error getting maximum virtual circuit descriptor for interface;
unable to store or allocate memory for F4 OAM circuit data; unable to
configure F4 OAM circuit for interface

Notice:

Interface pool expanded by an incremental number of entries; report retry

delay in seconds when waiting for the underlying physical interface to be
created; unable to allocate a message to send an interface up or down
notification; unable to add or configure interface

Info:

Dropping interface up, down, or not present notification due to removal of

interface; discarding F4 OAM circuits when interface does not support F4
OAM

Debug:

None

Filter:

None

atm1483
Description:

ATM 1483 data service

Emergency:

None

Alert:

None

Critical:

None

Error:

Error applying static map entry for a newly created circuit of an NBMA
interface; unable to configure interfaces on ATM interface; unable to
determine interface location for ATM AAL5 interface; unable to determine
maximum interface configuration count for interface; unable to configure
interface on ATM interface

Warning:

Error getting location of underlying AAL5 or ATM interface; error binding

to AAL5 interface; error opening a circuit for an NBMA interface;
attempting to associate a static map to an underlying ATM interface that
does not exist; error restoring circuits from NVS; error removing static
map entry; NVS entry not found for static map entry; error storing static
map entry in NVS; error expanding interface pool, interface binding pool,
or subscriber pool

Notice:

Interface pool, interface binding pool, or subscriber pool expanded by an

incremental number of entries; unable to allocate a message to send a
subinterface up or down notification

11-19

11-20

CHAPTER 11
Logging System Events

Info:

Dropping subinterface up or down notification due to removal of

subinterface; configure interfaces on ATM interface; elapsed time for
downloading interfaces; elapsed time for ATM AAL5 present notification;
maximum interface count per call; SVC up or down state change

Debug:

None

Filter:

None

atmAal5
Description:

ATM adaptation layer 5

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Error getting location of underlying ATM interface; error binding to ATM

interface; unable to expand interface pool; error creating interface; unable
to set administrative status of interface

Notice:

Interface pool expanded by an incremental number of entries; report retry

delay in seconds when waiting for the underlying ATM interface to be
created; unable to allocate a message to send an interface up or down
notification

Info:

Dropping interface up or down notification due to removal of interface

Debug:

None

Filter:

None

AuditIpsec
Description:

IKE SA negotiations

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

Information on IKE SA negotiation payloads

Info:

None

Debug:

None

Filter:

None

List of Event Categories

ERX Edge Routers

bgpConnections
Description:

BGP TCP/IP connection activity

Emergency:

None

Alert:

None

Critical:

None

Error:

Error setting password for specified peer; error binding to update-source

address for specified peer

Warning:

TCP error occurred while receiving data

Notice:

Outbound TCP connection initiated, completed, or failed; inbound TCP

connection accepted, refused, or failed; TCP connection closed by peer

Info:

None

Debug:

TCP connection is ready to send; data received on TCP connection;

notification message sent; could not send notification message due to
flow controlwill retry later; error while sending notification message;
keepalive message sent; could not send keepalive message due to flow
controlwill retry later; error while sending keepalive message; message
other than notification or keepalive sent; could not send other message
than notification or keepalive due to flow controlwill retry later; error
while sending other message than notification or keepalive

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer see description of the bgpRoutes peer filter for information on this
filter

Filter 3:

route-map this filter is not currently supported

Filter 4:

router see description of the bgpRoutes router filter for information on

this filter

Filter 5:

in this filter is not currently supported

Filter 6:

out this filter is not currently supported

bgpDampening
Description:

BGP dampening

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

Route is suppressed by route-flap dampening; route is no longer

suppressed by route-flap dampening

Info:

None

Debug:

None

11-21

11-22

CHAPTER 11
Logging System Events

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer see description of the bgpRoutes peer filter for information on this
filter

Filter 3:

route-map this filter is not currently supported

Filter 4:

router see description of the bgpRoutes router filter for information on

this filter

Filter 5:

in this filter is not currently supported

Filter 6:

out this filter is not currently supported

bgpEvents
Description:

BGP finite state machine (FSM) events and transitions

Emergency:

None

Alert:

None

Critical:

None

Error:

Event occurred that was not expected for current state

Warning:

None

Notice:

One of the following events occurred: start, stop,

inbound-connection-arrived, outbound-connection-complete,
connection-error, connection-closed, start-timer-expired,
connect-timer-expired, hold-timer-expired, keep-alive-timer-expired,
open-received, update-received, keep-alive-received,
notification-received, route-refresh, route-refresh-cisco

Info:

None

Debug:

None

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer see description of the bgpRoutes peer filter for information on this
filter

Filter 3:

route-map this filter is not currently supported

Filter 4:

router see description of the bgpRoutes router filter for information on

this filter

Filter 5:

in this filter is not currently supported

Filter 6:

out this filter is not currently supported

List of Event Categories

ERX Edge Routers

bgpGeneral
Description:

BGP general information

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

None

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer see description of the bgpRoutes peer filter for information on this
filter

Filter 3:

route-map this filter is not currently supported

Filter 4:

router see description of the bgpRoutes router filter for information on

this filter

Filter 5:

in this filter is not currently supported

Filter 6:

out this filter is not currently supported

bgpKeepAlives
Description:

BGP keepalive messages

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Keepalive message received with unexpected additional data after header

Notice:

Keepalive message received; keepalive message sent

Info:

None

Debug:

None

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer see description of the bgpRoutes peer filter for information on this
filter

Filter 3:

route-map this filter is not currently supported

Filter 4:

router see description of the bgpRoutes router filter for information on

this filter

11-23

11-24

CHAPTER 11
Logging System Events

Filter 5:

in matches on traffic coming into the router

Filter 6:

out matches on traffic going out of the router

Note: Send messages are logged to the bgpKeepAlives log when a message
is added to the send queue. A debug message is logged in to the
bgpConnections log when the message is actually passed to TCP.

bgpMessages
Description:

BGP protocol messages

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Unknown message type received; invalid field in received message;

notification message received or senta; invalid capability length in
received ORF capability; invalid capability value in received ORF
capability; invalid ORF in received ORF capability; ORF entries exceeded
maximum limit in received prefix list

Notice:

Open message received or senta; update message received or sent;

route-refresh message received or senta; route-refresh-cisco message
received or senta; received ORF capability; received route refresh
message with ORF entries

Info:

None

Debug:

Keepalive message received or senta

Note: Send messages are logged to the bgpMessages log when a message
is added to the send queue. A debug message is logged to the
bgpConnections log when the message is actually passed to TCP.

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer see description of the bgpRoutes peer filter for information on this
filter

Filter 3:

route-map this filter is not currently supported

Filter 4:

router see description of the bgpRoutes router filter for information on

this filter

Filter 5:

in matches on traffic coming into the router

Filter 6:

out matches on traffic going out of the router

a. Full decode of message logged if verbosity is high.

List of Event Categories

ERX Edge Routers

bgpNeighborChanges
Description:

BGP neighbor change

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

A peer has entered into or left the established state; reason for a session
going idle

Info:

None

Debug:

None

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer see description of the bgpRoutes peer filter for information on this
filter

Filter 3:

route-map this filter is not currently supported

Filter 4:

router see description of the bgpRoutes router filter for information on

this filter

Filter 5:

in this filter is not currently supported

Filter 6:

out this filter is not currently supported

bgpRoutes
Description:

BGP routing table updates

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Failure to add, remove, or modify BGP route in IP forwarding table

Notice:

BGP route added to, removed from, or modified in the IP forwarding table;
aggregate route added to, removed from, or modified in Loc-RIB; network
route added to, removed from, or modified in Loc-RIB; best route for
internal peers for a given prefix became available; best route for internal
peers for a given prefix is no longer available, has changed, or has
become available; best route for external peers for a given prefix is no
longer available, has changed, or has become available; MPLS base
tunnel used to reach an indirect next-hop came up or went down; MPLS
stacked tunnel for label came up; indirect next-hop became reachable or
unreachable; direct next-hop for an indirect next-hop changed

Info:

None

11-25

11-26

CHAPTER 11
Logging System Events

Debug:

Redistributed route added to, removed from, or modified in Loc-RIB;

advertisement for a given prefix received; withdraw for a given prefix
received

Filter 1:

access-class accessClassName [ route-map routeMapName

routeMapOptions | filtering-router filteringRouterName
filteringRouterOptions | in | out ]

Filter 2:

access-class log events for traffic that matches a specific access

class
accessClassName name of the access class for which you want to
log events
route-map log events for traffic that matches a specific route map
routeMapName name of route map for which you want to log events
routeMapOptions in the following format filtering-router
filteringRouterName filteringRouterOptions | in | out
filtering-router log events only if the access class or route map are
defined on a specific virtual router
filteringRouterName virtual router where the access class and/or
route map are defined
filteringRouterOptions in | out
in matches on traffic coming into the access class, route map, or
virtual router
out matches on traffic sent out of the access class, route map, or
virtual router

peer peerIpAddress [ access-class accessClassName

accessClassOptions | route-map routeMapName routeMapOptions |
filtering-router filteringRouterName filteringRouterOptions | in | out ]

peer log events for traffic that matches a specific peer

peerIpAddress address of the peer for which you want to log events
access-class log events for traffic that matches a specific access
class
accessClassName name of the access class for which you want to
log events
accessClassOptions in the following format filtering-router
filteringRouterName filteringRouterOptions | in | out
route-map log events for traffic that matches a specific route map
routeMapName name of route map for which you want to log events
routeMapOptions in the following format filtering-router
filteringRouterName filteringRouterOptions | in | out
filtering-router log events only if the peer, access class or route map
are defined on a specific virtual router
filteringRouterName virtual router where the peer, access class
and/or route map are defined
filteringRouterOptions in | out
in matches on traffic coming into the peer, access class, route map,
or virtual router
out matches on traffic sent out of the peer, access class, route map,
or virtual router

List of Event Categories

ERX Edge Routers

Filter 3:

route-map routeMapName [ filtering-router filteringRouterName

filteringRouterOptions | in | out ]

Filter 4:

route-map log events for traffic that matches a specific route map
routeMapName name of route map for which you want to log events
filtering-router log events only if the route map is defined on a
specific virtual router
filteringRouterName virtual router where the route map is defined
filteringRouterOptions in | out
in matches on traffic coming into the route map or virtual router
out matches on traffic sent out of the route map or virtual router

router virtualRouterName [ access-class accessClassName

accessClassOptions | route-map routeMapName routeMapOptions |
filtering-router filteringRouterName filteringRouterOptions | peer
peerIpAddress peerOptions | in | out ]

router log events for traffic on a specific virtual router

virtual-router-name name of virtual router
access-class log events for traffic that matches a specific access
class on the specified router
accessClassName name of the access class for which you want to
log events
accessClassOptions in the following format route-map
routeMapName routeMapOptions | virtual-router virtualRouterName
virtualRouterOptions | in | out
route-map log events for traffic that matches a specific route map
routeMapName name of route map for which you want to log events
routeMapOptions in the following format virtual-router
virtualRouterName virtualRouterOptions | in | out
filtering-router log events only if the access class or route map is
defined on a specific virtual router
filteringRouterName virtual router where the access class or route
map is defined
filteringRouterOptions in the following format in | out
peer log events for traffic that matches a specific peer
peerIpAddress address of the peer for which you want to log events
peerOptions in the following format access-class
accessClassName accessClassOptions | filtering-router
filteringRouterName filteringRouterOptions | route-map
routeMapName routeMapOptions | in | out
in matches on traffic coming into the virtual router, access class, or
route map
out matches on traffic sent out of the virtual router, access class, or
route map

Filter 5:

in matches on traffic coming into the router

Filter 6:

out matches on traffic going out of the router

11-27

11-28

CHAPTER 11
Logging System Events

bgpVpn
Description:

BGP VPN

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

None

Filter 1:

access-class this filter is not currently supported

Filter 2:

peer this filter is not currently supported

Filter 3:

route-map this filter is not currently supported

Filter 4:

router this filter is not currently supported

Filter 5:

in this filter is not currently supported

Filter 6:

out this filter is not currently supported

bridgedEthernet
Description:

Bridged Ethernet protocol layer

Emergency:

None

Alert:

None

Critical:

Out of resources

Error:

Mismatch in configuration or NVRAM

Warning:

None

Notice:

Removing interface from NVRAM

Info:

Hardware state change

Debug:

None

Filter:

None

bulkStats
Description:

Bulk statistics collector

Emergency:

None

Alert:

None

Critical:

None

Error:

None

List of Event Categories

ERX Edge Routers

Warning:

Operational failures, such as failed transferreverting to secondary

receiver, file full, file creation failure, file deletion failure

Notice:

File full or file nearly full conditions, preparing to send an SNMP trap

Info:

Status of user configuration commands

Debug:

Tracks performance progress of bulkstats application

Filter:

None

cacGeneral
Description:

CAC general purpose

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Unusual conditions in IGP/CAC interaction

Notice:

None

Info:

None

Debug:

General debugging info

Filter:

None

cacIntf
Description:

CAC interface events

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Unusual or failure situations in interface processing

Notice:

None

Info:

None

Debug:

Interface level debugging info

Filter:

interface interfaceType interfaceSpecifier

interfaceType type of interface on which you want to log events

interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

11-29

11-30

CHAPTER 11
Logging System Events

cbf
Description:

General connection-based forwarding

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Error creating, modifying, or removing an interface or connection; error

saving or storing a configuration

Notice:

Interface or connection created, modified, or removed

Info:

Change in interface status, location, or location availability

Debug:

Configuration saved or restored

Filter:

None

cliCommand
Description:

CLI commands

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

All successful CLI configuration commands

Info:

All unsuccessful CLI configuration commands; all nonconfiguration

commands

Debug:

None

Filter:

None

Description:

Common Open Policy Service (COPS) protocol

Emergency:

None

Alert:

None

Critical:

None

Error:

COPS message with bad header, version, length, or client

Warning:

Unexpected socket event

Notice:

COPS layer enabled or disabled; socket remotely closed

cops

List of Event Categories

ERX Edge Routers

Info:

None

Debug:

COPS session instantiation or removal; COPS connection or socket

creation or deletion; keepalive value

Filter:

None

crldpGeneral
Description:

Constraint-based Routed Label Distribution Protocol (CRLDP) general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Sessions not being connected; memory allocation failures; internal

protocol failures; protocol message processing failures

Notice:

Configuration problems; resource shortfalls; memory allocation failures

when processing configuration directives; invalid protocol messages
received; LSP loops detected; session or adjacency errors

Info:

Minor protocol message processing errors; minor configuration problems

Debug:

None

Filter:

router virtualRouterName {trace traceOptions}

router log events for traffic on a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
trace you can optionally trace specific types of activity
traceOptions type(s) of activity to trace. You can trace any of the
following types of activity, and you can trace multiple types of activity
by including multiple trace options in the command. For example, the
following command causes configuration changes, function calls, and
performance to be traced.
host1(config)#log severity info crldpgeneral router westford
trace config func perf

config configuration changes

crutil CRLDP subsystem
demux demultiplexer activity
flow data flows
func function calls
hello hello traffic
init initialization activity
input input activity
lmm lmm activity
smif label space manager interfaces
nmadap network management adaptation layer
notf notification activity

11-31

11-32

CHAPTER 11
Logging System Events

output output activity

perf performance
reif routing entity interface activity
sciif switch controller interface activity
sessions session activity
teif traffic engineering interface activity
util utility subsystems

ctreeLog
Description:

For internal maintenance of IP routes

Emergency:

None

Alert:

None

Critical:

None

Error:

Failure in insertion, deletion, and update of IP routes in internal data

structure used to maintain the routes

Warning:

None

Notice:

None

Info:

None

Debug:

Creation or deletion of an internal data structure

Filter:

None

Description:

Dynamic Configuration Manager

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Schedule engine event; status of dynamic interface creation; receipt of

teardown signal for a dynamic interface; no interface adapter to propagate
teardown; creation of dynamic PPP interface failed; creation of dynamic
PPPoE interface failed

Filter:

None

dcm

List of Event Categories

ERX Edge Routers

dcmEngineGeneral
Description:

DCM engine general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Giving notify credits to line module; receipt of request buffer from line
module; starting line module communication session; Ack/Nack dynamic
interface creation request

Filter:

None

dhcpGeneral
Description:

DHCP general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

DHCP message received

Filter:

None

dhcpLocalServerGeneral
Description:

General DHCP local server

Emergency:

None

Alert:

None

Critical:

None

Error:

Memory allocation failure

Warning:

Invalid configuration; DHCP packet drops due to invalid local server state
or resource exhaustion; address limit violations; SDX communication
problems; invalid DHCP packets

Notice:

Authentication denial

11-33

11-34

CHAPTER 11
Logging System Events

Info:

None

Debug:

Receive packet; transmit packet; authentication status; DHCP local pool

resolution; address allocation; DHCP local server state transition; NVS
actions; configuration changes

dhcpNvGeneral
Description:

DHCP host route preservation

Emergency:

None

Alert:

None

Critical:

None

Error:

Null interface for DHCP clients

Warning:

None

Notice:

None

Info:

Output from VxWorks shell dhcp-NvShow command

Debug:

NVS cache creation; entries added to or removed from the cache; cache
synchronized to NVS

Filter:

None

dhcpRelayGeneral
Description:

DHCP Relay general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Control flow and key events

Filter:

None

dhcpProxyGeneral
Description:

DHCP Proxy general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

List of Event Categories

ERX Edge Routers

Warning:

None

Notice:

None

Info:

None

Debug:

Control flow and key events

Filter:

None

diagMboxCtrl
Description:

Power-on-self-test (POST) is run via CLI on console

Emergency:

None

Alert:

None

Critical:

None

Error:

PPC7XX to PPC860 mailbox not functioning

Warning:

PPC860 processor does not boot

Notice:

None

Info:

None

Debug:

PPC860 test execution time

Filter:

None

dnsGeneralLog
Description:

DNS general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Failure to post a message to DNS about the query response from DNS
server

Notice:

None

Info:

None

Debug:

Dump DNS response packet; trace DNS query submission; trace DNS
response parsing and processing; trace dropped queries if router is
shutting down or DNS disabled in virtual router; trace DNS cache cleanup

Filter:

None

11-35

11-36

CHAPTER 11
Logging System Events

ds1
Description:

DS1 layer

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Interface creation or binding failure

Notice:

Failure to bring line module application online; dropped interface state

change notification due to lack of resources; discarded stale line module
notification

Info:

Dropped interface state change notification for unknown or removed

interface

Debug:

None

Filter:

None

Description:

DS3 layer

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Failure to create or bind interface

Notice:

Failure to bring line module application online; dropped interface state

change notification due to lack of resources; discarded stale line module
notification

Info:

Dropped interface state change notification for unknown or removed

interface

Debug:

None

Filter:

None

ds3

dvmrpGeneral
Description:

DVMRP general

Emergency:

None

Alert:

None

Critical:

None

Error:

Memory allocation errors; bad parameters (internal errors); designated

forwarder (DF) errors (two for same interface, DoNotForward by no DF);

List of Event Categories

ERX Edge Routers

processing prune errors; graft errors; internal errors; catastrophic RT table

errors; management interaction errors; NVS errors
Warning:

Unable to add local route; routeHogCheck; routeLimit

Notice:

Route expiration; pruneProcessing (send or receive); graftAck processing;

source group (SG) state information; deletion of an output interface (OIF);
nbrQuickDelete; nbrReset; nbrTimeOut; error adding neighbor on Route
Report Reception

Info:

DF election information; sending graft; timer expired for MulticastEntry;

attempting to log duplicate accept filter; external route deleted or added

Debug:

Local address creation or deletion; information about accept filters;

dvmrpInterface creation or deletion; sgTimeout information; noMoreOifs
info; sg creation information; multicastForwarding enabled or disabled;
DvmrpInit; dvmrpEnable/Disable; rpfCallback

Filter 1:

interface interfaceType interfaceSpecifier

interface log events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Filter 2:

router virtualRouterName [ interface interfaceType interfaceSpecifier ]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface log events on a specific interface on the virtual router
interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

dvmrpMcastTable
Description:

DVMRP multicast table messages

Emergency:

None

Alert:

None

Critical:

None

Error:

Error removing MulticastEntry; adding duplicate MulticastEntry; adding

nonexistent MulticastEntry; attempting to send prune to nonexistent
neighbor; error deleting MulticastEntry; error adding OIF

Warning:

Deleting MulticastEntry with no SG state found; attempting to create

MulticastEntry, but unable to do so

Notice:

Creating MulticastEntry

Info:

rePruning; delOif; add OIF; not adding OIF for some reason; creating
sgoiflist; pruneDelayCallback; prune; deleting MulticastEntry

11-37

11-38

CHAPTER 11
Logging System Events

Debug:

None

Filter 1:

interface see description of the dvmrpGeneral interface filter for

information on this filter

Filter 2:

router see description of the dvmrpGeneral router filter for information

on this filter

dvmrpProbeRcv
Description:

DVMRP probe received

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

procProbe new neighbor

Info:

None

Debug:

Processing probe (verified has our address in packet); display probe

Filter 1:

interface see description of the dvmrpGeneral interface filter for

information on this filter

Filter 2:

router see description of the dvmrpGeneral router filter for information

on this filter

dvmrpProbeSent
Description:

DVMRP probe sent

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Send probe

Filter 1:

interface see description of the dvmrpGeneral interface filter for

information on this filter

Filter 2:

router see description of the dvmrpGeneral router filter for information

on this filter

List of Event Categories

ERX Edge Routers

dvmrpRtTable
Description:

DVMRP Routing Table

Emergency:

None

Alert:

None

Critical:

None

Error:

Route error; router report error; error replacing route after applying accept
filter; internal errors

Warning:

Unable to create new route; deleting routing table

Notice:

Error in report packet; adding or replacing local route; ignoring poison on

upstream user interface (USIF); deleting all dependent neighbors

Info:

Processing report; added route from report; declaring ourselves as DF;

route update

Debug:

Delete route; insert route

Filter 1:

interface see description of the dvmrpGeneral interface filter for

information on this filter

Filter 2:

router see description of the dvmrpGeneral router filter for information

on this filter

ethernet
Description:

Ethernet layer

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Cannot configure Ethernet interface successfully; memory pool depleted

Notice:

No pool space; can bring interface up

Info:

Hardware present or not present notification

Debug:

Interface created or deleted

Filter:

None

fileSystem
Description:

File system

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Missing of invalid armed files

11-39

11-40

CHAPTER 11
Logging System Events

Notice:

None

Info:

None

Debug:

Timestamp of last synchronization

Filter:

None

frameRelay
Description:

Frame Relay layer

Emergency:

None

Alert:

None

Critical:

Failure to bring up the application due to lack of memory resources

Error:

Summary information on automatic removal of interface or circuit from

nonvolatile storage on startup; internal resource pool is too small

Warning:

None

Notice:

Lack of pool space for SNMP traps (it is permissible for SNMP traps to be
unreliable); failure to obtain line module configuration on line module
insertion

Info:

Line module insertion and removal information

Debug:

Creation of interfaces or circuits from nonvolatile storage on startup;

detailed information on automatic removal of interfaces or circuit from
nonvolatile storage on startup; reporting on SNMP traps for interfaces or
circuits; engine debug messages

Filter:

None

fsAgent
Description:

File System Agent

Emergency:

None

Alert:

None

Critical:

Previous file system sync failedbooting protected images

Error:

File system unavailable

Warning:

File transfer initialization failure; unexpected software error

Notice:

None

Info:

File transfer notification; platform or release mismatch; file transfer error;

release file is corrupt; image path not found; insufficient resources to copy
release

Debug:

Status of copy running-config; file transfer status; backup boot-setting

configuration notification; subsystem release configuration notification

Filter:

None

List of Event Categories

ERX Edge Routers

ft1
Description:

FT1 layer

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Interface creation or binding failure

Notice:

Failure to bring line module application online; dropped interface state

change notification due to lack of resources; discarded stale line module
notification

Info:

Dropped interface state change notification for unknown or removed

interface

Debug:

None

Filter:

None

ftpClient
Description:

FTP client

Emergency:

None

Alert:

None

Critical:

None

Error:

Unexpected results during a transfer

Warning:

None

Notice:

Completion status of a network connection command (example:

Succeeded creating data socket)

Info:

Completion status of a user command (example: "lS command

succeeded")

Debug:

None

Filter:

None

ftpServer
Description:

FTP server

Emergency:

None

Alert:

None

Critical:

None

Error:

Error listening for new client connection; error creating daemon task

Warning:

Error creating new server task; socket write error; error adjusting socket
window size

11-41

11-42

CHAPTER 11
Logging System Events

Notice:

Daemon task created; waiting for new client connection; accept client
from host a.b.c.d; maximum client sessions exceeded; FTP daemon
shutdown complete

Info:

Starting FTP daemon shutdown

Debug:

Read FTP command

gplaan
Description:

General purpose locally allocated address notifier

Emergency:

None

Alert:

None

Critical:

None

Error:

Out of resources

Warning:

None

Notice:

Task creation or deletion

Info:

None

Debug:

Adding or deleting IP addresses; adding or deleting user sessions

Filter:

None

httpServer
Description:

Embedded HTTP server

Emergency:

None

Alert:

None

Critical:

None

Error:

Failure to enable HTTP daemons (httpd); failure to remove httpd; failure to

grow pool of httpds; failure to listen on httpd socket; unable to create or
remove session with DHCP Local Server (dhcp-ls); failure to grow pool of
HTTP connections (httpcs); failure to set TCP socket options; failure to
remove TCP socket; failure to queue HTTP event (socket accept, socket
approve, socket send, socket receive); failure to queue HTTP event for
maximum connection aging; failure to queue HTTP event for dhcp-ls
(newaddress, gplaanAdd, gplaanRemove); failure to find session to
dhcp-ls; received invalid token address from dhcp-ls; out of resources for
adding new address at dhcp-ls session; invalid http event

Warning:

Refused HTTP connection due to too many simultaneous connections

from same host; refused HTTP connection due to access list deny; failure
to perform TCP socket approval; failure to send data on TCP socket;
unexpected token address from DHCP-LS session; authentication failure
from dhcp-ls for a given client

Notice:

None

List of Event Categories

ERX Edge Routers

Info:

Start or stop HTTP process; create or remove httpd; growing a pool of

httpds; enable or disable httpd; growing a pool of HTTP connections
(httpcs); failure to perform TCP socket accept; growing a pool of HTTP
events; updated HTTP scalars; handed out (global/token) address to
dhcp-ls client; authentication passed from dhcp-ls for a given client;
renewing token address for dhcp-ls client; removed session with dhcp-ls;
removed global address via gplaanDelete; dhcp-ls user
login/logout/shortcut login

Debug:

Server self-bind (for example, started HTTP without instantiating any

httpd); attempt to remove nonexisting httpd; attempt to reread from NVS;
updated httpd; create or remove session with dhcp-ls; bind or unbind with
policy table; invalid or valid TCP socket approve or accept; received data
from stale socket; create or remove HTTP connection; receive data from
httpc; queued HTTP event; aging group of httpcs; added new address at
dhcp-ls session; phase 1 of 2 for authentication passed from dhcp-ls for a
given client; revoking token address for a given dhcp-ls client

Filter:

None

icmpTraffic
Description:

ICMP frame transmit or receive

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

All ICMP transmit or receive events

Filter 1:

remote-ip-address ipAddress [ ipAddressMask ]

Filter 2:

remote-ip-address log events for a remote address

ipAddress address of remote system for which you want to log
messages
ipAddressMask optionally supply a mask for the remote address

router virtualRouterName [ remote-ip-address ipAddress [

ipAddressMask ] ]

router log events on a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
remote-ip-address log events for a remote address
ipAddress address of remote system for which you want to log
messages
ipAddressMask optionally supply a mask for the remote address

11-43

11-44

CHAPTER 11
Logging System Events

igmpGeneral
Description:

IGMP general

Emergency:

None

Alert:

None

Critical:

None

Error:

Nonrecoverable errors

Warning:

NVS errors

Notice:

Errors while configuring or learning groups

Info:

None

Debug:

IGMP interface or group state change; errors in packet transmit or receive

Filter 1:

interface interfaceType interfaceSpecifier

interface log events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Filter 2:

router virtualRouterName [ interface interfaceType interfaceSpecifier ]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface log events on a specific interface on the virtual router
interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

ikepki
Description:

IKE SA negotiation

Emergency:

None

Alert:

None

Critical:

None

Error:

Event occurred that is unexpected for the current state

Warning:

Memory pool growth problems; recoverable state problems; receiving IKE

packets for unconfigured peer

Notice:

IKE configuration problemsno preshared keys for peer; recoverable

status conditions

Info:

Number of successful SAs negotiation, both phase 1 and phase 2;

unsuccessful phase 1 negotiation information; unsuccessful phase 2
negotiation information

List of Event Categories

ERX Edge Routers

Debug:

Detailed SA negotiation debug information

Filter:

Filter

ipAccessList
Description:

IP access list matching

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Access list rule has been matched

Debug:

None

Filter 1:

accessList

Filter 2:

accessList logs a match on any access-list entry for all access lists

access List router virtualRouterName access-list accessListName

access-element-id idNumber

accessList logs a match on any access-list entry

router log events for a specific virtual router
virtualRouterName name of virtual router for which you want to log
events
access-list logs events for a specific access list
accessListName name of access list for which you want to log
events
access-element-id logs events for a specific element ID
idNumber element ID number for which you want to log events; the
element ID is automatically assigned for access-list rules that you
explicitly create and is shown by issuing the show access-list detail
command

ipEngine
Description:

IP chassis manager

Emergency:

None

Alert:

None

Critical:

None

Error:

Failure in operations such as adding, removing, or deleting interfaces or

distributing routing tables to line modules

Warning:

Errors such as attempting to configure something that is not supported on

a module, or routing table memory is approaching 80% full

11-45

11-46

CHAPTER 11
Logging System Events

Notice:

Something unexpected happened; for example, an interface was deleted

twice or, internal to the software, connections between IC and SRP were
deleted twice

Info:

Completion status of a user command (for example: "IS command

succeeded")

Debug:

An engine or agent that corresponds to a virtual router is added or

deleted; an interface is added or deleted

ipGeneral
Description:

IP general

Emergency:

None

Alert:

None

Critical:

(IP) Interface stacking management errors

Error:

(ARP) Allocation of Ethernet next hop failed

(IP) Not able to create interface or create address on null 0 interface;
undefined IP status code; interface stacking management errors; send
and forward failures because of not finding corresponding egress or
ingress nodes; conflict in adding hidden routes

Warning:

(IP) NVS load errors; failure to add address on an interface because of

low memory

Notice:

None

Info:

None

Debug:

(ARP) NextHopPool is out of memory and trying to expire old entries; ARP
data events
(IP) Interface stacking management errors

Filter 1:

interface interfaceType interfaceSpecifier

interface log events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Filter 2:

router virtualRouterName [ interface interfaceType interfaceSpecifier ]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface log events on a specific interface on the virtual router
interfaceType type of interface for which you want to log events. For
example, atm or fastEthernet.
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

List of Event Categories

ERX Edge Routers

ipInterface
Description:

IP interface

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Error status is returned by lower layer configuration; best route is pointing

to an unnumbered interface with an invalid source IP address;
unnumbered interface is pointing to invalid loopback interface problems;
packets received with invalid source IP address on interfaces

Notice:

None

Info:

None

Debug:

Interface state transitions and deletions; interface state machine events

Filter 1:

interface see description of the ipGeneral interface filter for information

on this filter

Filter 2:

router see description of the ipGeneral router filter for information on this
filter

ipNhopTrackerGeneral
Description:

Next-hop tracker for IP shared interfaces

Emergency:

None

Alert:

None

Critical:

None

Error:

Errors in tracking of routes that resolve indirect next hops

Warning:

None

Notice:

None

Info:

None

Debug:

None

Filter:

None

ipProfileMgr
Description:

IP Profile Manager

Emergency:

None

Alert:

None

Critical:

None

Error:

Failure to create or delete dynamic IP interfaces

Warning:

None

11-47

11-48

CHAPTER 11
Logging System Events

Notice:

None

Info:

None

Debug:

Events related to dynamic IP interface creation or deletion; assignment or

unassignment of profiles to interfaces

Filter:

None

ipRoutePolicy
Description:

IP route policy

Emergency:

None

Alert:

None

Critical:

None

Error:

Failure to clean up NVS while a routing policy was being deleted; failure to
store the routing policy to NVS while a new routing policy was being
created; failure to find an expected routing policy created previously

Warning:

Failure to create a new routing policy due to memory limitation; misuse of

a routing policy

Notice:

None

Info:

Result of routing policy check; specifies which routing policy is used

Debug:

Successful addition or deletion of routing policies

Filter:

router virtualRouterName

router logs IP route policy events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

ipRouteTable
Description:

IP routing table

Emergency:

None

Alert:

None

Critical:

None

Error:

Next-hop resolution-related problems

Warning:

Failure to add route

Notice:

None

Info:

In process of finding best route information

Debug:

Normal routing table updates; next-hop resolution for static routes

Filter 1:

interface see description of the ipGeneral interface filter for information

on this filter

Filter 2:

router see description of the ipGeneral router filter on information on this

filter

List of Event Categories

ERX Edge Routers

ipTraffic
Description:

IP frame transmit and receive

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Data errors detected in frames

Notice:

Dropped framesno error

Info:

None

Debug:

Normal data events

Filter 1:

interface see description of the ipGeneral interface filter for information

on this filter

Filter 2:

router see description of the ipGeneral router filter for information on this
filter

ipTunnel
Description:

IP tunnel

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Unexpected but recoverable events

Notice:

No more pool space for interface up notification

Info:

None

Debug:

Function trace

Filter:

None

isisAdjChange
Description:

IS-IS adjacency up or down

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

Adjacency state change

Info:

None

11-49

11-50

CHAPTER 11
Logging System Events

Debug:

None

Filter 1:

interface interfaceType interfaceSpecifier

interface log events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Filter 2:

router virtualRouterName [ interface interfaceType interfaceSpecifier ]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface log events on a specific interface on the virtual router
interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

isisAdjPackets
Description:

IS-IS adjacency hello packets

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Error in sent IIH or received IIH

Notice:

Sent or received IIH, DR election

Info:

Authentication failed

Debug:

Detailed information about IIH

Filter 1:

interface see description of the isisAdjChange interface filter for

information on this filter

Filter 2:

router see description of the isisAdjChange router filter for information

on this filter

isisChecksumErr
Description:

IS-IS checksum errors

Emergency:

None

Alert:

None

Critical:

None

Error:

None

List of Event Categories

ERX Edge Routers

Warning:

LSP checksum error

Notice:

None

Info:

None

Debug:

None

Filter 1:

interface see description of the isisAdjChange interface filter for

information on this filter

Filter 2:

router see description of the isisAdjChange router filter for information

on this filter

isisGeneral
Description:

IS-IS system notifications

Emergency:

None

Alert:

None

Critical:

None

Error:

Error in restoring NVS

Warning:

Exceeding maximum IP addresses on interface or maximum sequence

number

Notice:

Error in redistributing routes; LAN circuit coming up

Info:

None

Debug:

Redistributed routes

Filter 1:

interface see description of the isisAdjChange interface filter for

information on this filter

Filter 2:

router see description of the isisAdjChange router filter for information

on this filter

isisLocalUpdate
Description:

IS-IS local LSP packets

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

Sent local LSP

Info:

None

Debug:

None

11-51

11-52

CHAPTER 11
Logging System Events

Filter 1:

interface see description of the isisAdjChange interface filter for

information on this filter

Filter 2:

router see description of the isisAdjChange router filter for information

on this filter

isisMplsTeAdvertisements
Description:

IS-IS MPLS traffic engineering advertisements

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Resource information changes

Filter:

None

isisMplsTeEvents
Description:

IS-IS MPLS traffic engineering

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Start or stop MPLS function; tunnel in use by IS-IS; explicit route

computation

Debug:

Detailed debugging information for MPLS function

Filter:

None

isisProtocolErr
Description:

IS-IS protocol errors

Emergency:

None

Alert:

None

Critical:

None

Error:

None

List of Event Categories

ERX Edge Routers

Warning:

LSP protocol error

Notice:

None

Info:

None

Debug:

None

Filter:

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

isisSnpPackets
Description:

IS-IS complete sequence numbers PDU (CSNP) and partial sequence

numbers PDU (PSNP) packets

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Error in received CSNP or PSNP

Notice:

Sent PSNP; received CSNP or PSNP packets; PSNP authentication failed

Info:

Sent CSNP packets; CSNP authentication failed

Debug:

LSP entries

Filter 1:

interface see description of the isisAdjChange interface filter for

information on this filter

Filter 2:

router see description of the isisAdjChange router filter for information

on this filter

isisSpfEvents
Description:

IS-IS Shortest Path First (SPF)

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

Start or suspend SPF; updating routing table

Info:

Add tent or path; process LSP

11-53

11-54

CHAPTER 11
Logging System Events

Debug:

Add route

Filter:

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

isisSpfStatistics
Description:

IS-IS SPF timing and statistic data

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

SPF compute time

Info:

None

Debug:

None

Filter:

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

isisSpfTriggers
Description:

IS-IS SPF triggering

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

SPF trigger event

Info:

None

Debug:

None

Filter:

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

List of Event Categories

ERX Edge Routers

isisUpdatePackets
Description:

IS-IS LSP packets sent or received

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Error in received LSP

Notice:

Sent or received LSP

Info:

Authentication failed; processed received LSP

Debug:

Set or cleared SRM flags; building LSP

Filter 1:

interface see description of the isisAdjChange interface filter for

information on this filter

Filter 2:

router see description of the isisAdjChange router filter for information

on this filter

Description:

Layer 2 Forwarding Protocol

Emergency:

None

Alert:

None

Critical:

Nonrecoverable error

Error:

Configuration error

Warning:

Protocol error; insufficient resources

Notice:

Status change; protocol warnings

Info:

Protocol operational information

Debug:

Detailed debugging information

Filter:

None

l2f

l2fIpLowerBinding
Description:

Layer 2 Fowarding over IP

Emergency:

None

Alert:

None

Critical:

None

Error:

Recoverable error

Warning:

Protocol error; insufficient resources

Notice:

None

Info:

None

11-55

11-56

CHAPTER 11
Logging System Events

Debug:

Function trace

Filter:

None

l2fStateMachine
Description:

Layer 2 Forwarding state machine trace

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Unexpected state machine transitions

Notice:

None

Info:

State machine trace

Debug:

State machine timer operations

Filter:

None

Description:

Layer 2 Tunneling Protocol

Emergency:

None

Alert:

None

Critical:

Nonrecoverable error

Error:

Configuration error

Warning:

Protocol error; insufficient resources

Notice:

Status change; protocol warnings

Info:

Protocol operational information

Debug:

Detailed debugging information

Filter:

None

l2tp

l2tpIpLowerBinding
Description:

Layer 2 Tunneling Protocol over IP

Emergency:

None

Alert:

None

Critical:

None

Error:

Recoverable error

Warning:

Protocol error; insufficient resources

Notice:

None

List of Event Categories

ERX Edge Routers

Info:

None

Debug:

None

Filter:

None

l2tpStateMachine
Description:

Layer 2 Tunnel Protocol state machine trace

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

State machine trace

Filter:

None

localAddressServerGeneral
Description:

LAS general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Attempts to set a local pool group name; attempts to restore an

overlapping address range from a previous version of the software

Notice:

None

Info:

None

Debug:

Control flow and key events

Filter:

None

localLinePassword
Description:

Local line password authentication server

Emergency:

None

Alert:

None

Critical:

None

Error:

Unknown algorithm for local password

11-57

11-58

CHAPTER 11
Logging System Events

Warning:

Connection granted or denied due to possible misconfiguration

Notice:

None

Info:

None

Debug:

Connection granted or denied due to incorrect password

Filter:

None

mgtmGeneral
Description:

Mgtm general information

Emergency:

None

Alert:

None

Critical:

None

Error:

Major errors in MGTM API calls resulting in failure

Warning:

IP Multicast fastpath forwarding not supported on interface

Notice:

Errors in MGTM API calls

Info:

State change events; invalid parameters in API calls

Debug:

<Source, Group> entries not found

Filter 1:

interface interfaceType interfaceSpecifier

interface log events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Filter 2:

router virtualRouterName [ interface interfaceType interfaceSpecifier ]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface log events on a specific interface on the virtual router
interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

mmcd
Description:

MMC switch fabric driver

Emergency:

None

Alert:

None

Critical:

None

List of Event Categories

ERX Edge Routers

Error:

Errors in hardware configuration; resource limitation in fabric reached;

errors in hardware

Warning:

None

Notice:

None

Info:

None

Debug:

Initialization details; configuration details; connection status details

Filter:

None

mplsAppService
Description:

MPLS application service

Emergency:

None

Alert:

None

Critical:

LSM platform label space creation failure; tunnel information access

failure

Error:

Upper interface stacking or unstacking interaction failures; global tunnel

information; storage failures; MPLS engine failures

Warning:

None

Notice:

None

Info:

Upper stacking information

Debug:

Upper interface stacking or unstacking transactions; global MPLS engine

transactions; global tunnel information storage transactions; LSM platform
label space transactions

Filter:

None

mplsGeneral
Description:

MPLS general purpose

Emergency:

None

Alert:

None

Critical:

Resource allocation failures; initialization failures; fatal internal errors

Error:

Signaling protocol errors; nonfatal internal errors; configuration errors

Warning:

Signaling protocol configuration problems; major interface deletion; minor

internal errors; CRLDP session status

Notice:

None

Info:

NVS operations

Debug:

NVS operations; timer operations; minor interface label stacking; function

flows

11-59

11-60

CHAPTER 11
Logging System Events

Filter:

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

mplsMajorInterface
Description:

MPLS major interface

Emergency:

None

Alert:

None

Critical:

None

Error:

Signaling protocol interaction failures; major interface engine interaction

failures; major interface finite state machine bad state transitions; major
interface configuration errors; LSM interface label space interaction
failures

Warning:

None

Notice:

None

Info:

None

Debug:

Major interface finite state machine transitions; signaling protocol

interaction; major interface to engine transactions; major interface
configuration transactions; LSM interface label space transactions

Filter:

router virtualRouterName [ interface interfaceType interfaceSpecifier ]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface log events on a specific interface on the virtual router
interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

mplsMinorInterface
Description:

MPLS minor interface

Emergency:

None

Alert:

None

Critical:

None

Error:

Tunnel/LSP setup or teardown signaling protocol interaction failures;

minor interface engine interaction failures; minor interface finite state
machine bad state transitions; minor interface configuration errors; minor
interface to IP interaction failures

Warning:

None

List of Event Categories

ERX Edge Routers

Notice:

None

Info:

None

Debug:

Minor interface to engine transactions; minor interface to IP transactions;

minor interface configuration transactions; signaling protocol LSP setup or
teardown transactions; minor interface finite state machine transitions

Filter 1:

interface interfaceType interfaceSpecifier

interface log events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Filter 2:

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

mtraceLog
Description:

General mtrace server information

Emergency:

None

Alert:

None

Critical:

None

Error:

Error creating or deleting Mtrace server; error communicating with other

modules; allocation failures

Warning:

None

Notice:

Error in received/sent mtrace packets

Info:

None

Debug:

Creation or deletion of Mtrace server; communication with other modules

Filter:

None

mtracercvdLog
Description:

mtrace packets received

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Short description of the received mtrace packets

11-61

11-62

CHAPTER 11
Logging System Events

Debug:

Complete print of the received mtrace packets

Filter:

None

mtraceSentLog
Description:

mtrace packets sent

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Short description of the mtrace packets sent

Debug:

Complete print of the mtrace packets sent

Filter:

None

multicastTraffic
Description:

IP multicast frame transmit or receive

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

IP multicast packet transmit or receive information

Filter 1:

remote-ip-address ipAddress [ ipAddressMask ]

Filter 2:

remote-ip-address log events for a remote address

ipAddress address of remote system for which you want to log
messages
ipAddressMask mask for the remote address

router virtualRouterName [ remote-ip-address ipAddress [

ipAddressMask ] ]

router log events on a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

List of Event Categories

ERX Edge Routers

remote-ip-address log events for a remote address

ipAddress address of remote system for which you want to log
messages
ipAddressMask mask for the remote address

nameResolverLog
Description:

Name resolver table

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Name lookup failures

Debug:

Name lookup processing events

Filter:

None

noneAaaAddrServer
Description:

AAA address client

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Notification of automatic success response to address request

Filter:

None

noneAaaServer
Description:

Authentication and accounting client

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

11-63

11-64

CHAPTER 11
Logging System Events

Info:

None

Debug:

Notification of automatic success response to authentication or

accounting request

Filter:

None

ntpGeneral
Description:

Network Time Protocol (NTP) system notifications

Emergency:

None

Alert:

None

Critical:

None

Error:

NVS configuration errors; insufficient memory resources; protocol errors;

time adjustment failures

Warning:

No usable servers, NTP synchronization lost

Notice:

System time adjustment

Info:

Attach to or detach from virtual router; shutting down NTP IP session;

shutting down NTP UDP session; enable or disable NTP; connection
established with NTP server; announce system clock precision

Debug:

None

Filter:

router ID

onlineDiag
Description:

Online diagnostics for tests run in the background

Emergency:

None

Alert:

None

Critical:

None

Error:

Any errors detected during tests

Warning:

The PPC860 processor does not boot

Notice:

Names of tests being run during onlineDiags; memory sizes detected

Info:

Fabric connections; memory sizes

Debug:

Very verbose messages for debugging errors and register accesses

Filter:

None

List of Event Categories

ERX Edge Routers

os
Description:

Operating system (including image loader)

Emergency:

None

Alert:

Fatal software error notification (assertions, panics, exceptions); panic

timer expiration; ECC memory errors

Critical:

System halt; NVS reverting to factory defaults

Error:

File system errors; image checksum failure; POST test failure;

unexpected software error; scheduled reload cancelled due to ongoing
NVS flush; image not found or invalid; core dump host connect failure;
SRP synchronization failure notification; I/O module mismatch or missing;
NVS configuration errors

Warning:

OsTask client failed to initialize; file system capacity low (15%); heap
utilization high (85%); crash dump save failure; unknown reset type;
image loader failures (will retry); boot ROM programming failure;
hardware upgrade necessary notification; NVS config file read or write
errors; release file invalid

Notice:

OsAppRegistrar client names; OsAppRegistrar state change; version

display; last reset type; file system condition abatement; POST start or
done; NVS config file initialized or converted; scheduled reload
notification; heap utilization abatement (75%); file system release file copy
notification; erasing boot ROM notification; core dump notification and
status; NVS config boot status (factory defaults, running, file)

Info:

Image loader request; image loader success; SC-srpIc mailbox client up;
POST test passed; NVS config cache enable, disable, flush, or
termination; release path notification

Debug:

High-frequency debug messages (enabled with various build defines);

cached file hit, miss, or close; image loader frame retry; NVS config cache
flush status

Filter:

None

ospfElectDr
Description:

OSPF designated router (DR) election

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

DR election events

Info:

None

Debug:

None

11-65

11-66

CHAPTER 11
Logging System Events

Filter 1:

interface-ip-address [ ip-address ipAddress | unnumbered interfaceType

interfaceSpecifier ]

interface-ip-address log events for a specific interface

ip-address specifies that you will identify the interface by entering an
IP address
ipAddress IP address of interface for which you want to log events
unnumbered specifies that the interface is unnumbered
interfaceType to identify unnumbered interface, enter type of
interface for which you want to log events
interfaceSpecifier location of the unnumbered interface in the
appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Filter 2:

router virtualRouterName [ interface-ip-address [ ip-address ipAddress |

unnumbered interfaceType interfaceSpecifier ] ]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface-ip-address log events for a specific interface on the virtual
router
ip-address specifies that you will identify the interface by entering an
IP address
ipAddress IP address of interface for which you want to log events
unnumbered specifies that the interface is unnumbered
interfaceType to identify the unnumbered interface, enter the type of
interface for which you want to log events
interfaceSpecifier location of the unnumbered interface in the
appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

ospfGeneral
Description:

OSPF general

Emergency:

None

Alert:

None

Critical:

None

Error:

Error enabling or disabling OSPF; allocation errors

Warning:

State change errors (for example, OSPF could not be enabled); errors
creating or destroying an area, an OSPF range, or a virtual link

Notice:

OSPF enabled or disabled

Info:

None

Debug:

None

List of Event Categories

ERX Edge Routers

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

ospfInterface
Description:

OSPF interface

Emergency:

None

Alert:

None

Critical:

None

Error:

Error saving or restoring OSPF interface configuration

Warning:

Errors for packets sent or received over the OSPF interface

Notice:

Creation or deletion of OSPF interfaces

Info:

None

Debug:

None

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

ospfLsa
Description:

OSPF link state advertisement (LSA) events

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

LSA discard errors

Notice:

LSA add, update, or delete events; LSA purge, refresh, and max-age
events; LSA send and receive events (Ack, delayed Ack, retransmit)

Info:

None

Debug:

None

Filter 1:

neighbor neighborIpAddress

neighbor log events associated with a specific neighbor

neighborIpAddress IP address of neighbor for which you want to log
events

11-67

11-68

CHAPTER 11
Logging System Events

Filter 2:

router virtualRouterName [ neighbor neighborIpAddress ]

router log events on a specific virtual router

virtualRouterName virtual router on which you want to log events
neighbor log events associated with a specific neighbor
neighborIpAddress IP address of neighbor for which you want to log
events

ospfNeighbor
Description:

OSPF neighbor change

Emergency:

None

Alert:

None

Critical:

None

Error:

Neighbor MTU negotiation rejects

Warning:

Flooding event errors; neighbor transition from Full state to Down state;
invalid neighbor LSA requests; neighbor MTU negotiation mismatches

Notice:

Database description neighbor exchange; neighbor state changes;

neighbor retransmissions

Info:

None

Debug:

None

Filter 1:

neighbor see description of the ospfLsa neighbor filter for information on

this filter

Filter 2:

router see description of the ospfLsa router filter for information on this
filter

ospfPktsRcvd
Description:

OSPF packet received

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Packets discarded; validation errors

Notice:

Number of LSAs packed in different packet types (LSA Ack, LSA update);
packets received over Down interface

Info:

None

Debug:

Packets received description

List of Event Categories

ERX Edge Routers

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

ospfPktsSent
Description:

OSPF packet sent

Emergency:

None

Alert:

None

Critical:

None

Error:

Packet sent errors (for example, dropped OSPF packets)

Warning:

None

Notice:

Number of LSAs packed in different packet types (LSA Ack, LSA update)

Info:

None

Debug:

Packets sent description

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

ospfRoute
Description:

OSPF route

Emergency:

None

Alert:

None

Critical:

None

Error:

OSPF route addition, deletion, or replacement errors in the routing table

Warning:

Errors for routes imported into OSPF

Notice:

Forwarding address decision algorithm events

Info:

OSPF route added to, replaced, or deleted from the routing table; route
imported into OSPF

Debug:

None

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

11-69

11-70

CHAPTER 11
Logging System Events

ospfSpfExt
Description:

OSPF SPF external calculation

Emergency:

None

Alert:

None

Critical:

None

Error:

Errors in adding, modifying, or removing entries in tentative path entry

table (TENT) and path entry table (PATH)

Warning:

None

Notice:

SPF (Dijkstra Shortest Path First algorithm) chunking events (for example,
number of LSAs processed in an SPF chunk)

Info:

SPF results

Debug:

Events in building TENT and PATH

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

ospfSpfInter
Description:

OSPF SPF interarea calculation

Emergency:

None

Alert:

None

Critical:

None

Error:

Errors in adding, modifying, or removing entries in tentative path entry

table (TENT) and path entry table (PATH)

Warning:

None

Notice:

SPF chunking events (for example, number of LSAs processed in an SPF

chunk)

Info:

SPF results

Debug:

Events in building TENT and PATH

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

List of Event Categories

ERX Edge Routers

ospfSpfIntra
Description:

OSPF SPF intra-area calculation

Emergency:

None

Alert:

None

Critical:

None

Error:

Errors in adding, modifying, or removing entries in tentative path entry

table (TENT) and path entry table (PATH)

Warning:

None

Notice:

SPF chunking events (for example, number of LSAs processed in an SPF

chunk)

Info:

SPF results

Debug:

Events in building TENT and PATH

Filter 1:

interface-ip-address see description of the ospfElectDr interface filter for

information on this filter

Filter 2:

router see description of the ospfElectDr router filter for information on

this filter

ospfTeDatabase
Description:

OSPF traffic engineering database

Emergency:

None

Alert:

None

Critical:

None

Error:

Error in adding, deleting, or updating a record in the TE database

Warning:

None

Notice:

None

Info:

General information about a record being added, deleted, or updated in

the TE database

Debug:

None

Filter:

router name virtualRouterName

router name log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

11-71

11-72

CHAPTER 11
Logging System Events

ospfTeSPF
Description:

OSPF traffic engineering SPF

Emergency:

None

Alert:

None

Critical:

None

Error:

Any error in constrained SPF calculation

Warning:

None

Notice:

Information on explicit path found as a result of TE SPF; information on

type of failure in finding a constrained path

Debug:

None

Filter:

router name virtualRouterName

router name log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

pimAutoRPRcvdLog
Description:

Protocol Independent Multicast (PIM) AutoRP messages received

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Short description of received PIM AutoRP packets

Debug:

Complete print of received PIM AutoRP packets

Filter 1:

interface-ip-address [ ip-address ipAddress | unnumbered interfaceType

interfaceSpecifier ]

interface-ip-address log events for a specific interface

ip-address specifies that you will identify the interface by entering an
IP address
ipAddress IP address of interface for which you want to log events
unnumbered specifies that the interface is unnumbered
interfaceType to identify unnumbered interface, enter type of
interface for which you want to log events
interfaceSpecifier location of unnumbered interface in the
appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

List of Event Categories

ERX Edge Routers

Filter 2:

router virtualRouterName [ interface-ip-address [ ip-address ipAddress |

unnumbered interfaceType interfaceSpecifier ]]

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
interface-ip-address log events for a specific interface on the virtual
router
ip-address specifies that you will identify the interface by entering an
IP address
ipAddress IP address of interface for which you want to log events
unnumbered specifies that the interface is unnumbered
interfaceType to identify unnumbered interface, enter type of
interface for which you want to log events
interfaceSpecifier location of unnumbered interface in the
appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

pimAutoRPSentLog
Description:

Protocol Independent Multicast (PIM) AutoRP messages sent

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Short description of the sent PIM AutoRP packets

Debug:

Complete print of the sent PIM AutoRP packets

Filter 1:

interface-ip-address see description of the pimAutoRPRcvdLog

interface-ip-address filter for information on this filter

Filter 2:

router see description of the pimAutoRPRcvdLog router filter for

information on this filter

pimHelloRcvdLog
Description:

Protocol Independent Multicast (PIM) Hello messages received

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

11-73

11-74

CHAPTER 11
Logging System Events

Notice:

None

Info:

Short description of the received PIM hello messages

Debug:

Complete printout of the received PIM hello messages

Filter 1:

interface-ip-address see description of the pimAutoRPRcvdLog

interface-ip-address filter for information on this filter

Filter 2:

router see description of the pimAutoRPRcvdLog router filter for

information on this filter

pimHelloSentLog
Description:

Protocol Independent Multicast (PIM) hello messages sent

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Short description of the PIM hello messages sent

Debug:

Complete description of the PIM hello messages sent

Filter 1:

interface-ip-address see description of the pimAutoRPRcvdLog

interface-ip-address filter for information on this filter

Filter 2:

router see description of the pimAutoRPRcvdLog router filter for

information on this filter

pimPktsRcvdLog
Description:

Protocol Independent Multicast (PIM) nonhello

(Register/RegisterStop/JoinPrune/Assert/Graft/GraftAck) messages
received

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Short description of the PIM messages received

Debug:

Complete description of the PIM messages received

List of Event Categories

ERX Edge Routers

Filter 1:

interface-ip-address see description of the pimAutoRPRcvdLog

interface-ip-address filter for information on this filter

Filter 2:

router see description of the pimAutoRPRcvdLog router filter for

information on this filter

pimPktsSentLog
Description:

Protocol Independent Multicast (PIM) nonhello

(Register/RegisterStop/JoinPrune/Assert/Graft/GraftAck) messages sent

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Short description of the PIM messages sent

Debug:

Complete description of the PIM messages sent

Filter 1:

interface-ip-address see description of the pimAutoRPRcvdLog

interface-ip-address filter for information on this filter

Filter 2:

router see description of the pimAutoRPRcvdLog router filter for

information on this filter

policyMgrAttachment
Description:

Policy Manager policy attachment activity

Emergency:

None

Alert:

None

Critical:

None

Error:

Error attaching policies to static and dynamic interfaces

Warning:

None

Notice:

None

Info:

Successful attachment of policies to dynamic interfaces

Debug:

None

Filter:

None

11-75

11-76

CHAPTER 11
Logging System Events

policyMgrGeneral
Description:

Policy Manager general information

Emergency:

None

Alert:

None

Critical:

None

Error:

Error storing or restoring policy manager data to and from NVS; resource
exhaustion errors

Warning:

None

Notice:

None

Info:

None

Debug:

None

Filter:

None

policyMgrPacketLog
Description:

Policy Manager packets

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Packet trace

Debug:

None

Filter:

None

Description:

Point-to-Point Protocol layer

Emergency:

None

Alert:

None

Critical:

Nonrecoverable error

Error:

Recoverable error

Warning:

Resource or configuration problem

Notice:

Authentication actions

Info:

None

Debug:

Detailed debugging information

ppp

List of Event Categories

ERX Edge Routers

Filter:

interface interfaceType interfaceIdentifier

interface logs PPP events for a specific interface

interfaceType type of interface for which you want to log PPP events
interfaceIdentifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

pppoe
Description:

Point-to-Point over Ethernet layer

Emergency:

None

Alert:

None

Critical:

None

Error:

Error enabling control packet log

Warning:

PPPoE interface or subInterface removed from NVS

Notice:

PPPoE enabled; status change for subInterface

Info:

Line module status change

Debug:

None

Filter:

interface interfaceType interfaceSpecifier

interface logs PPP events for a specific interface

interfaceType type of interface for which you want to log PPP events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

pppoeControlPacket
Description:

PPPoE control packet trace

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Control packets logged; control packet log enabled

11-77

11-78

CHAPTER 11
Logging System Events

Filter:

interface interfaceType interfaceSpecifier

interface logs PPP events for a specific interface

interfaceType type of interface for which you want to log PPP events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

pppPacket
Description:

PPP packet capture

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Packet trace

Filter:

interface interfaceType interfaceSpecifier

interface logs PPP events for a specific interface

interfaceType type of interface for which you want to log PPP events
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

pppStateMachine
Description:

PPP state machine trace

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

State machine trace

List of Event Categories

ERX Edge Routers

Filter:

interface interfaceType interfaceSpecifier

interface logs PPP events for a specific interface

interfaceType type of interface for which you want to log PPP
events. For example, atm or fastEthernet
interfaceSpecifier location of interface in the appropriate format

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

profileMgr
Description:

Profile manager

Emergency:

None

Alert:

None

Critical:

None

Error:

Profile manager process creation failed

Warning:

Profile being removed was not found

Notice:

None

Info:

None

Debug:

Initialize profiles from NVS at startup; dump list of profiles after startup
initialization; read or save profile numbering seed to and from NVS; profile
manager process creation succeeded; NVS updated; profile lookup
succeeded; validating or executing removal of profile

Filter:

None

Description:

QoS events

Emergency:

None

Alert:

None

Critical:

None

Error:

QoS object creation and modification failures due to resource limitations

or configuration limitations; QoS profile to interface attachment failures;
QoS failover messages reported by line module

Warning:

None

Notice:

None

Info:

Modification, creation, and destruction of QoS objects; attachment of

modification of QoS objects; attachment of QoS profiles to interfaces;
detachment of QoS profiles from interfaces; modification of QoS profiles;
QoS interface location availability operations

Debug:

Dynamic attachment of QoS profile to interfaces

Filter:

None

qos

11-79

11-80

CHAPTER 11
Logging System Events

radiusAttributes
Description:

RADIUS User Attributes

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

Debug:

Supported RADIUS attributes found in the Access-Accept or

Access-Reject packet

Filter:

None

radiusClient
Description:

RADIUS Authentication and Accounting Client

Emergency:

None

Alert:

None

Critical:

None

Error:

Internal allocation error of base RADIUS server table; invalid virtual router
for users context

Warning:

Failure to send accounting on or accounting off; tunnel password format

error; tunnel accounting request

Notice:

Dropping tunnel attribute

Info:

None

Debug:

Authentication or accounting failure due to internal memory allocation

failure

Filter:

None

remOps
Description:

Remote operations

Emergency:

None

Alert:

None

Critical:

None

Error:

Internal error

Warning:

Maximum table size reached; ICMP failure; same target probed by more
than one entry

List of Event Categories

ERX Edge Routers

Notice:

Remote operations application begin/start; ping, traceroute, or nslookup

entry; create, modify, or remove; unexpected packet receive; invalid target
or source address; late packet receive

Debug:

Ping, traceroute, or nslookup session begin or end; packet receive;

duplicate receive

Filter:

None

ripGeneral
Description:

RIP system notifications

Emergency:

None

Alert:

None

Critical:

None

Error:

Failed to redistribute an external route to the RIP; failed to establish peer

with neighbor due to the memory limitation; general RIP configuration
error, such as an access list name or route map name specified in the RIP
config mode exceed maximum allowable length

Warning:

Failed to process a RIP packet due to the current memory limitation

Notice:

Enable or disable RIP application

Info:

None

Debug:

RIP query; RIP peer address

Filter 1:

interface interfaceType interfaceSpecifier

Filter 2:

interface logs PPP events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

ripRoute
Description:

RIP route

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

11-81

11-82

CHAPTER 11
Logging System Events

Debug:

Routes sent or received by RIP; if a route is rejected or not sent, gives the
reason

Filter 1:

interface interfaceType interfaceSpecifier

Filter 2:

interface logs PPP events for a specific interface

interfaceType type of interface for which you want to log events
interfaceSpecifier location of interface in the appropriate format

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

ripRtTable
Description:

RIP routing table

Emergency:

None

Alert:

None

Critical:

None

Error:

Failed to remove a RIP route from the IP routing table

Warning:

Failed to added a RIP route to the IP routing table

Notice:

None

Info:

None

Debug:

Add or remove a route to the RIP routing table

Filter:

None

routerLog
Description:

Virtual router log

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

Creation and deletion of virtual routers

Info:

None

Debug:

None

Filter:

router virtualRouterName

router log events for a specific virtual router

List of Event Categories

ERX Edge Routers

security
Description:

CLI security messages

Emergency:

None

Alert:

None

Critical:

Suspected denial of service attack

Error:

None

Warning:

Unrecognized username, invalid password, denied host

Notice:

User connect, user disconnect

Info:

None

Debug:

None

Filter:

None

Description:

Point-to-Point protocol layer

Emergency:

None

Alert:

None

Critical:

Startup interface out of resources failure

Error:

Remove or unbind interface failure; unknown or missing lower binding

failure

Warning:

Attempt to set characteristics with invalid value

Notice:

None

Info:

Hardware state change notification

Debug:

None

Filter:

serial interfaceSpecifier

slep

serial logs SLEP events for a specific serial Cisco-HDLC interface

interfaceSpecifier specify the identifier for a serial Cisco-HDLC
interface

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

snmp
Description:

Embedded SNMP agent

Emergency:

None

Alert:

None

Critical:

None

Error:

None

11-83

11-84

CHAPTER 11
Logging System Events

Warning:

Access violation due to underprivileged community string or a bad proxy

selector; access denial due to configured access list; configuration of
SNMP failed; trap is dropped because of the severity level filter or
because the trap category is not enabled

Notice:

None

Info:

SNMP agent has been enabled or disabled

Debug:

Trap request dropped; trap processing summary statistics

Filter:

None

snmpPduAudit
Description:

SNMP PDUs

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Identifies the following fields in all SNMP PDUs sent to the ERX system
and all trap PDUs that leave the system: source and destination IP
address, PDU type, snmpVersion, requested, errorStatus, errorIndex,
variable count, variable object identifier and data

Debug:

None

Filter:

None

snmpSetPduAudit
Description:

SNMP set PDUs

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

Identifies the following fields in SNMP set PDUs: source and destination
IP address, PDU type, snmpVersion, requested, errorStatus, errorIndex,
variable count, variable object identifier and data

Debug:

None

Filter:

None

List of Event Categories

ERX Edge Routers

sonet
Description:

SONET

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

NV interface removal after failed init from NV; errors during interface
add/update or during hwPresent notification; path capability notification;
failed pool expansion

Notice:

Pool expansion

Info:

NV interface creation; interface modification from path capability;

unknown interface during hwNotPresent notification; interface notification
for unknown interface

Debug:

None

Filter:

None

sonetPath
Description:

SONET Path

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Errors during interface removal (for removable paths); path update

failures from path configuration notification; failed mapping from SONET
status; errors during path creation; engine addInterface errors during
hwPresent notification; errors during path creation for nonchannelized
interfaces; failed pool expansion

Notice:

Pool expansion

Info:

Init from NV failures; NV upgrade; path update progress; path

configuration notification

Debug:

Path update

Filter:

None

sonetVT
Description:

SONET virtual tributary

Emergency:

None

Alert:

None

Critical:

None

11-85

11-86

CHAPTER 11
Logging System Events

Error:

None

Warning:

Init from NV failures; errors during remove interface; failed pool expansion

Notice:

Engine add interface retry; pool expansion

Info:

Errors during add interface

Debug:

None

Filter:

None

ssccDetailPm
Description:

SDX client (formerly SSCC) detail for policy manager (PM) interaction

Emergency:

None

Alert:

None

Critical:

None

Error:

Failure of policy manager calls (detail)

Warning:

None

Notice:

None

Info:

None

Debug:

Policy manager function call made; Policy manager attempts to get

statistics

Filter:

None

ssccDetailSsc
Description:

SDX client (formerly SSCC) detail for SDX interaction

Emergency:

None

Alert:

None

Critical:

None

Error:

More detail for SDX management errors

Warning:

None

Notice:

None

Info:

None

Debug:

More detail for SDX events

Filter:

None

List of Event Categories

ERX Edge Routers

ssccGeneral
Description:

SDX client (formerly SSCC) general

Emergency:

None

Alert:

None

Critical:

None

Error:

Failure to get heap space; packet decode errors; SDX inconsistency

errors; packet creation errors; failure of calls to policy manager (changing,
attaching policy); attempt to manage unknown interface

Warning:

None

Notice:

None

Info:

Creation or deletion of SDX client

Debug:

Events (create interface, reports, removals); policy deletions; policy

reattachments; CLI events; connection retries

Filter:

None

stTunnel
Description:

Secure tunnel interface

Emergency:

None

Alert:

None

Critical:

None

Error:

ST interface configuration error; ST interface engine interaction failures;

IPSec service line module resource error

Warning:

ST interface pool exhausted; manual session key length input problems;

problem relocating ST interface

Notice:

ST interface memory pool extension

Info:

Transport virtual router table downloading; ST interface status retrieval;

transport virtual router table down; information on clear sa command

Debug:

Detailed debug information related to the ST

Filter:

None

system
Description:

System management and monitoring

Emergency:

None

Alert:

None

Critical:

Line module ping failure threshold exceeded

Error:

Critical subsystem failure condition (NVS, power, fan, network timing,

temperature); unrecognized module type; module ID mismatch; line

11-87

11-88

CHAPTER 11
Logging System Events

module memory reduction; line module bandwidth misconfiguration;

unrecoverable file system synchronization errors
Warning:

Noncritical subsystem failure condition (heap/CPU utilization, NVS,

network timing); unexpected software error; recoverable file system
synchronization errors; file system out of synchronization notification;
NVS subsystem redundancy size mismatch; line module ID block
misconfigured

Notice:

Subsystem failure condition abatement (heap/CPU utilization, NVS,

power, fan, network timing, temperature); new module announcement;
module revision mismatch; module upgraded or downgraded
(ECC/non-ECC); module online or offline

Info:

Synchronization start, complete; line module set timing failed (not

necessarily an error); NVS volume flush

Debug:

Module state change; module memory announcement; redundancy role

changes; server role changes; module enable, disable, or clear
notification; file system synchronization (normal operation); line module
timing source set failure (not necessarily an error); image protection
notification

Filter:

slot slotNumber

slot log events for a specific slot

slotNumber number of slot for which you want to log events

tcpGeneral
Description:

TCP system

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

TCP state change event info (brief)

Info:

None

Debug:

TCP state changes (detail); TCP packet transmission; minor TCP errors

Filter:

router virtualRouterName

router log events for a specific virtual router

virtualRouterName name of virtual router for which you want to log
events

List of Event Categories

ERX Edge Routers

tcpTraffic
Description:

TCP frame transmit and receive

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

TCP packet discards due to MD5 authorization failure and checksum

failure

Info:

None

Debug:

Report all TCP receive and transmit events

Filter 1:

remote-ip-address ipAddress [ ipAddressMask ]

Filter 2:

remote-ip-address log events for a remote address

ipAddress address of remote system for which you want to log
messages
ipAddressMask optionally supply a mask for the remote address

router virtualRouterName [ remote-ip-address ipAddress [

ipAddressMask ] ]

router log events on a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
remote-ip-address log events for a remote address
ipAddress address of remote system for which you want to log
messages
ipAddressMask optionally supply a mask for the remote address

telnet
Description:

Telnet daemon

Emergency:

None

Alert:

None

Critical:

None

Error:

Error condition binding to or listening on telnet sockets; unexpected

software error; NVS mismatch; insufficient memory resources

Warning:

None

Notice:

None

Info:

None

Debug:

Stopped listening on a specified router

Filter:

None

11-89

11-90

CHAPTER 11
Logging System Events

testExec
Description:

Test executive when POST is run via CLI on console

Emergency:

None

Alert:

None

Critical:

None

Error:

Errors detected during POST

Warning:

The PPC860 processor does not boot

Notice:

Names of tests being executed during POST, memory sizes detected

Info:

FPGA image CRCs; fabric connections; redundancy information

Debug:

Very verbose messages for debugging errors; FPGA image info; register
accesses

Filter:

None

Description:

Tunnel server manager

Emergency:

None

Alert:

None

Critical:

Number of interfaces in use is critically close to maximum

Error:

Memory exhaustion errors

Warning:

Nonvolatile storage integrity problems; memory exhaustion-based denial

of service; number of interfaces in use reaching high levels

Notice:

Nonvolatile storage allocation problems; memory pool expansion

Info:

Resource-restriction based denial of service; line module up or down

transitions

Debug:

Program debugging information including function call tracing

Filter:

None

tsm

udpTraffic
Description:

UDP frame transmit or receive

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

None

Notice:

None

Info:

None

List of Event Categories

ERX Edge Routers

Debug:

Report all UDP receive or transmit events

Filter 1:

remote-ip-address ipAddress [ ipAddressMask ]

Filter 2:

remote-ip-address log events for a remote address

ipAddress address of remote system for which you want to log
messages
ipAddressMask optionally supply a mask for the remote address

router virtualRouterName [ remote-ip-address ipAddress [

ipAddressMask ] ]

router log events on a specific virtual router

virtualRouterName name of virtual router for which you want to log
events
remote-ip-address log events for a remote address
ipAddress address of remote system for which you want to log
messages
ipAddressMask optionally supply a mask for the remote address

vrfVpnMgrGeneralLog
Description:

VPN routing and forwarding (VRF) VPN manager general

Emergency:

None

Alert:

None

Critical:

None

Error:

None

Warning:

Dynamic VPN shared interface creation and deletion failures; duplicate

notifications from different sessions to IP

Notice:

None

Info:

None

Debug:

Notifications VrfVpnMgr receives from interface session and other

sessions to IP; deletion and creation of dynamic VPN-shared interfaces

Filter:

None

Description:

Virtual Router Redundancy Protocol

Emergency:

None

Alert:

None

Critical:

NVS error; out of resources; unexpected error

Error:

Virtual router ID (VRID) creation or modification failure; association

addresses creation or modification failure

Warning:

IP interface used by VRRP was removed; unexpected advertisement

received from neighbor; invalid authentication detected; unable to get IP
interfaces primary address

vrrp

11-91

11-92

CHAPTER 11
Logging System Events

Notice:

VRRP neighbor found

Info:

State machine change

Debug:

Management get, set, create, and remove

Filter:

interfaceType interfaceSpecifier [ vrrpIdentifier ]

interfaceType type of interface for which you want to log events

interfaceSpecifier location of interface in the appropriate format
vrrpidentifier ID of the VRRP router for which you want to log events

Note: For information on interface types and specifiers, see ERX Command
Reference Guide, About This Guide.

Abbreviations and
Acronyms

Abbreviation
or Acronym

Term

A
AAA

authentication, authorization, and accounting

AAAA

authentication, authorization, accounting, and address assignment

AAL

ATM adaptation layer

ABR

area border router

AC

alternating current; access concentrator

ACCM

Async Control Character Map

ACFC

Address and Control Field Compression

ADSL

asymmetric digital subscriber line

AESA

ATM end system address

AF

assured forwarding

AFI

authority and format identifier

AH

Authentication Header

AIS

alarm indication signal

AIS-L

alarm indication signal line

AIS-P

alarm indication signal path

ANSI

American National Standards Institute

API

Application Programming Interface

APS

Automatic Protection Switching

ARP

Address Resolution Protocol

AS

autonomous system; Australia (re standards compliance)

ASBR

autonomous system boundary router

A-2

APPENDIX A
Abbreviations and Acronyms

Abbreviation
or Acronym

Term

ASCII

American Standard Code for Information Interchange

ASIC

application specific integrated circuit

ASN

autonomous system number

ASP

access service provider

ATM

Asynchronous Transfer Mode

AVP

attribute value pair

B
BDR

backup designated router

BECN

backward explicit congestion notification

BER

basic encoding rules

BERT

bit error rate test

BGP

Border Gateway Protocol

BIP

bit interleaved parity

BITS

building integrated timing supply

BMA

broadcast multiaccess

BOOTP

BOOTstrap Protocol

B-RAS

Broadband Remote Access Server

BS

base station

BSS

business support system

BW

bandwidth

C
CA

certificate authority

CAC

call admission control (MPLS);

connection admission control (ATM)

CAR

committed access rate

CARS

committed access rate service

CBC

cipher block chaining

CBF

connection-based forwarding

CBQ

class-based queuing

CBR

constant bit rate

CC

continuity check

CCITT

International Telegraph and Telephone Consultative Committee

CDVT

cell delay variation time

CE

customer edge device; Council of Europe

CHAP

Challenge Handshake Authentication Protocol

A-3
ERX Edge Routers

Abbreviation
or Acronym

Term

CIDR

classless interdomain routing

CISPR

International Special Committee on Radio Interference

CLACL

classifier control list

CLEC

competitive local exchange carrier

CLI

command line interface

CLNP

Connectionless Network Protocol

CLNS

Connectionless Network Service

CLP

cell loss priority

CM

cable modem

CMTS

cable modem termination system

CNM

customer network management

CO

central office

cOC

channelized optical carrier

COPS

Common Open Policy Service (protocol)

CORBA

common object request broker architecture

CoS

class of service

CPE

customer premises equipment

CPU

central processing unit

CRC

cyclic redundancy check

CR-LDP

Constraint-based Routed Label Distribution Protocol

CR-LSP

constraint-based routed label-switched path

CSNP

complete sequence numbers PDU (protocol data unit)

CSU

channel service unit

CT1, CT3

channelized T1, T3

CTI

computer telephony integration

CTS

clear to send

CTT

connection traffic table

CUL

agreement between Underwriter Laboratories and Canadian

Standards Association for joint product safety approval

CV

coding violation

D
DA/SA

destination address/source address

DC

direct current

DCC

Data Country Code

DCD

data carrier detect

A-4

APPENDIX A
Abbreviations and Acronyms

Abbreviation
or Acronym

Term

DCE

data communications equipment

DE

discard eligibility

DES; 3DES

Data Encryption Standard; triple DES

DF

designated forwarder; dont fragment (bit)

DHCP

Dynamic Host Configuration Protocol

DIS

designated intermediate system

DLCI

data-link connection identifier

DLCMI

data-link connection management interface

DNS

Domain Name System

DOCSIS

data-over-cable service interface specifications

DR

designated router

DS

digital signal; DiffServ

DSL

digital subscriber line

DSLAM

digital subscriber line access multiplexer

DSP

domain-specific part

DSR

data set ready

DSS

Digital Signature Standard

DST

Daylight Saving Time

DSU

data service unit

DTE

data terminal equipment

DTR

data terminal ready

DU

downstream unsolicited

DVMRP

Distance Vector Multicast Routing Protocol

DXI

data exchange interface (abbreviation pronounced dixie)

E
EBGP

exterior Border Gateway Protocol

ECC

error checking and correction; error-checking code

ECMP

equal-cost multipath

EEPROM

electrically erasable programmable read-only memory

EF

expedited forwarding

EGP

exterior gateway protocol

EMS

element management system

EN

European Norm

EPD

early packet discard

ES

end system

A-5
ERX Edge Routers

Abbreviation
or Acronym

Term

ESD

electrostatic discharge

ESF

extended superframe

ESI

end system identifier

ESP

Encapsulating Security Payload

ESSM

Extended Service and Subscriber Management

EXP

experimental (refers to bits in MPLS shim header)

F
FAT

file allocation table

FCC

Federal Communications Commission

FCS

frame check sequence

FDL

facility data link

FE

Fast Ethernet

FE-2

dual-port Fast Ethernet

FEC

forwarding equivalence class (abbreviation pronounced feck)

FECN

forward explicit congestion notification

FERF

far end receive failure

FIB

forwarding information base

FIFO

first in first out

FPGA

Field Programmable Gate Array

FQDN

fully qualified domain name

FR

Frame Relay

FRU

field replaceable unit

FSM

finite state machine

FT1

fractional T1

FTE

forwarding table entry

FTP

File Transfer Protocol

FTTC

fiber to the curb

FTTH

fiber to the home

FTTS

fiber to the subscriber

G
Gbps

gigabits per second

GE

Gigabit Ethernet

GRE

Generic Routing Encapsulation

GRxx

(refers to Bellcore standards)

GUI

graphical user interface

A-6

APPENDIX A
Abbreviations and Acronyms

Abbreviation
or Acronym

Term

H
HDLC

High-Level Data Link Control; High-Speed Data Link Control

HDSL

high-data-rate subscriber line

HMAC

Hashed Message Authentication Code

HO-DSP

high-order domain-specific part

HRR

hierarchical round robin

HSSI

high-speed serial interface (abbreviation pronounced hissy)

I
I/O

input/output

IANA

Internet Assigned Numbers Authority

IBGP

interior Border Gateway Protocol

IC CS

Industry Canada Communications Section

ICD

International Code Designator

ICMP

Internet Control Message Protocol

ICRQ

incoming-call request

ID

identification (identifying; identifier)

I-DAS

integrated DHCP access server

IDI

initial domain identifier

IDP

initial domain part

IDSL

ISDN digital subscriber line

IEC

International Electrotechnical Commission

IEEE

Institute of Electrical and Electronics Engineers

IETF

Internet Engineering Task Force

IGMP

Internet Group Management Protocol

IGP

interior gateway protocol

IIF

incoming interface

IKE

Internet Key Exchange

ILEC

incumbent local exchange carrier

ILMI

integrated local management interface

InARP

Inverse Address Resolution Protocol

IP

Internet Protocol

IPCP

Internet Protocol Control Protocol

IPoA

Internet Protocol over Asynchronous Transfer Mode

IPSec

Internet Protocol Security

IRDP

ICMP Router Discovery Protocol

A-7
ERX Edge Routers

Abbreviation
or Acronym

Term

ISAKMP

Internet Security Association and Key Management Protocol

ISDN

Integrated Services Digital Network

IS-IS

Intermediate SystemtoIntermediate System

ISM

IPSec Service module

ISO

International Organization for Standardization

ISP

Internet service provider

IS Voice

Intelligent Service Voice application

ITU-T

International Telecommunication Union - Telecommunication

J
JATE

Japan Approvals Institute for Telecommunications Terminal

Equipment

JCBC

Java Database Connectivity

K
KB

kilobyte(s)

Kbps

kilobits per second

L
L2F

Layer 2 Forwarding

L2TP

Layer 2 Tunneling Protocol

LAC

L2TP access concentrator

LAN

local area network

LCP

Link Control Protocol

LDAP

Lightweight Directory Access Protocol

LDP

Label Distribution Protocol

LED

light-emitting diode

LER

label edge router

LIB

label information base

LIP

Link Integrity Protocol

LIS

logical IP subnetwork

LLC

logical link control

LM

line module

LMDS

local multipoint distribution system

LMI

local management interface; link management interface

LNS

L2TP network server

LOF

loss of frame

LOP

loss of pointer

A-8

APPENDIX A
Abbreviations and Acronyms

Abbreviation
or Acronym

Term

LOS

loss of signal

LS

link state

LSA

link state advertisement

LSDB

link state database

LSP

label-switched path; link state packet; link state protocol

LSR

label-switching router

M
MAC

Media Access Control; message authentication code

MAN

metropolitan area network

MAU

medium attachment unit

MB

megabyte(s)

MBGP

multicast Border Gateway Protocol

MBONE

multicast backbone

Mbps

megabits per second

MBS

maximum burst size

MD5

Message Digest 5

MDL

maintenance data link

MDU

message decoder unit

MDx

Message Digest x (hash algorithm)

MED

multiexit discriminator

MFA

management functional area

MFR

Multilink Frame Relay

MIB

Management Information Base

MLP; MLPPP

Multilink Point-to-Point Protocol

MMDS

multichannel multipoint distribution system

motd

message of the day

MOTM

message of the minute

MP

Multilink Point-to-Point Protocol

MP-BGP

Border Gateway Protocol multiprotocol extensions (sometimes

referred to as multiprotocol Border Gateway Protocol)

MPLS

Multiprotocol Label Switching

MPPE

Microsoft Point-to-Point Protocol Encryption

MRRU

multilink maximum received reconstructed unit

MRU

maximum receive unit

MSO

multiservice operator

A-9
ERX Edge Routers

Abbreviation
or Acronym

Term

MSP

Multiplex Section Protection

MTU

maximum transmission unit; multitenant unit

MUX

multiplexer

N
NAK

negative acknowledgment

NAS

network access server

NBMA

nonbroadcast multiaccess

NCP

Network Control Protocol

NEBS

network equipment building systems

NET

network entity title

NLRI

network layer reachability information

NLSP

NetWare Link Services Protocol

NMC

Network Management Center

NMS

network management system

NNI

Network-to-Network Interface

NRZ

nonreturn to zero

NRZI

nonreturn to zero inverted

NSAP

network service access point

NSSA

not-so-stubby area (refers to OSPF routing)

NTP

Network Time Protocol

NVRAM

nonvolatile random-access memory

NVS

nonvolatile storage

O
OAM

operations, administration, and management

OC

optical carrier

ODBC

Open Database Connectivity

OID

object identifier

OIF

outgoing interface

ORF

outbound route filter; outbound route filtering

OSI

Open Systems Interconnection

OSINLCP

OSI Internet Link Control Protocol; OSI Network Layer Control

Protocol

OSPF

Open Shortest Path First

OSS

operations support system

A-10

APPENDIX A
Abbreviations and Acronyms

Abbreviation
or Acronym

Term

P
P

provider core router

PADI

PPPoE Active Discovery Initiation

PADM

PPPoE Active Discovery Message

PADO

PPPoE Active Discovery Offer

PADR

PPPoE Active Discovery Response

PADS

PPPoE Active Discovery Session

PADT

PPPoE Active Discovery Termination

PAP

Password Authentication Protocol

PBX

private branch exchange

PCMCIA

Personal Computer Memory Card International Association

PCR

peak cell rate

PDM

packet division multiplexed

PDU

protocol data unit

PE

provider edge router

PFC

Protocol Field Compression

PFS

perfect forward security

PHB

per-hops behavior

PIM

Protocol Independent Multicast; power input module

PIM DM

Protocol Independent Multicast Dense Mode

PIM S-DM

Protocol Independent Multicast Sparse-Dense Mode

PIM SM

Protocol Independent Multicast Sparse Mode

PKI

public key infrastructure

PKIX

public key infrastructure for the Internet using X.509v3 certificates

PLCP

physical layer convergence procedure

PM

policy manager

PNNI

private network-to-network interface

POP

point of presence

POS

packet over SONET

POST

power-on self-test

PPP

Point-to-Point Protocol

PPPoE

Point-to-Point Protocol over Ethernet

pps

packets per second

PROM

programmable read-only memory

PSNP

partial sequence numbers PDU (protocol data unit)

A-11
ERX Edge Routers

Abbreviation
or Acronym

Term

PVC

permanent virtual circuit (or connection)

Q
QoS

quality of service

QSAAL

Q.2931 protocol over signalling ATM adaptation layer

R
RADIUS

Remote Authentication Dial-In User Service

RADSL

rate-adaptive digital subscriber line

RAS

remote access server

RD

route distinguisher

RDBS

relational database system

RDI

remote defect indication

RED

random early detect

REI

remote error indication

RESV

reservation

RFC

request for comments

RIB

routing information base

RIP

Routing Information Protocol

RISC

reduced instruction set computing

RMI

Remote Method Invocation (Java)

RP

rendezvous point (router)

RPF

reverse path forwarding

RSA

Rivest-Shamir-Adleman (encryption algorithm)

RSVP

Resource Reservation Protocol

RSVP-TE

Resource Reservation Protocol with traffic-engineering extensions

RT

routing table

RTR

Response Time Reporter

RX

receive

S
SA

security association

SAR

segmentation and reassembly

SC

system controller

S-CBQ

subscriber classbased queuing

SCCRQ

Start-Control-Connection-Request

SCR

sustained cell rate

A-12

APPENDIX A
Abbreviations and Acronyms

Abbreviation
or Acronym

Term

SCSI

small computer system interface (abbreviation pronounced

scuzzy)

SDH

Synchronous Digital Hierarchy

SDRAM

synchronous dynamic random access memory

SDSL

symmetric digital subscriber line

SDU

service data unit

SDX

Service Deployment System (formerly SSC)

SEF

severely errored framing

SES

severely errored second

SETS

synchronous equipment timing source

SFP

small form-factor pluggable transceiver

SG

source group

SHA

Secure Hash Algorithm

SIP

SMDS Interface Protocol

SLA

service level agreement

SLARP

Serial Link Address Resolution Protocol

SMC

Service Management Center

SMDS

Switched Multimegabit Data Service

SMF

single-mode fiber

SMI

structure of management information

SMM

switch management module

SNAP

Subnetwork Access Protocol; subnetwork attachment point

SNI

SMDS network interface

SNMP

Simple Network Management Protocol

SNPA

subnet point of attachment

SNTP

Simple Network Time Protocol

SONET

synchronous optical network

SPF

shortest path first

SPI

security parameter index

SPQ

strict-priority queues

SPVC

soft permanent virtual circuit

SQL

Structured Query Language

SRP

switch route processor

SRT

source-rooted tree

SSC

Service Selection Center (no longer used; see SDX)

A-13
ERX Edge Routers

Abbreviation
or Acronym

Term

SSH

Secure Shell Server

SSN

short sequence number

STM

Synchronous Transport module

SVC

switched virtual circuit

S-VLAN

stacked virtual local area network

T
TAC

Technical Assistance Center (Unisphere)

TACACS

Terminal Access Controller Access Control System

TC

transmission convergence

TCP

Transmission Control Protocol

TE

traffic engineering

TIP

terminal interface processor

TLV

type-length-value

ToS

type of service

TPID

Tag Protocol Identifier

TSM

Tunnel Service line module

TTL

time-to-live

TU

tributary unit

TUG

tributary unit group

TX

transmit

U
U

unit of measurement for rack-mounted equipment

(a U is 1.75 in., or 4.44 cm)

UBR

unspecified bit rate

UDP

User Datagram Protocol

UI

user interface

UL

Underwriter Laboratories

UMC

Unisphere Management Center

UNI

User-Network Interface (ATM usage); User-to-Network Interface

UPC

user parameter control

URL

Uniform Resource Locator

USM

user-based security model

UTC

Coordinated Universal Time

V
VAC

volts alternating current

A-14

APPENDIX A
Abbreviations and Acronyms

Abbreviation
or Acronym

Term

VBR

variable bit rate

VBR-NRT

variable bit rate, nonreal time

VBR-RT

variable bit rate, real time

VC

virtual circuit (or connection)

VCC

virtual channel connection

VCCI

Voluntary Control Council for Interference

VCD

virtual circuit descriptor

VCI

virtual channel identifier

VDC

volts direct current

VDSL

very-high-bit-rate digital subscriber line

VLAN

virtual local area network

VoIP

voice over Internet Protocol

VP

virtual path

VPC

virtual path connection

VPI

virtual path identifier

VPN

virtual private network

VR

virtual router

VRF

VPN routing and forwarding instance

VRID

virtual router identifier

VRRP

Virtual Router Redundancy Protocol

VSA

vendor-specific attribute (RADIUS)

VT

virtual tributary

VTS

VPN Tunnel Server

vty

virtual terminal

W
WAN

wide area network

WFQ

weighted fair queuing

WINS

Windows Internet Name Service (Microsoft)

WLAN

wireless local area network

WLL

wireless local loop

WRED

weighted random early detect

WRR

weighted round robin

X
xDSL

combined term used to refer to ADSL, HDSL, SDSL, and VDSL

References

This document lists RFCs, draft RFCs, other software standards,

hardware standards, and other references that provide information on the
protocols and features supported by the system.

RFCs
Table B-1 ERX RFCs

Reference

Protocol or
Feature

RFC 3210 Applicability Statement for Extensions to RSVP for LSP-Tunnels (December 2001)

BGP/MPLS
VPNs

RFC 3209 RSVP-TE: Extensions to RSVP for LSP Tunnels (December 2001)

BGP/MPLS
VPNs

RFC 3198 Terminology for Policy-Based Management (November 2001)

Policy
management

RFC 3107 Carrying Label Information in BGP-4 (May 2001)

BGP/MPLS
VPNs

RFC 3065 Autonomous System Confederations for BGP (February 2001)

MPLS

RFC 3046 DHCP Relay Agent Information Option (January 2001)

Dynamic
interfaces,
RADIUS

RFC 3037 LDP Applicability (January 2001)

MPLS

RFC 3036 LDP Specification (January 2001)

MPLS

RFC 3035 MPLS using LDP and ATM VC Switching (January 2001)

MPLS

RFC 3032 MPLS Label Stack Encoding (January 2001)

MPLS

RFC 3031 Multiprotocol Label Switching Architecture (January 2001)

MPLS

RFC 3014 Notification Log MIB (November 2000)

SNMP

B-2

APPENDIX B
References

Table B-1 ERX RFCs (continued)

Reference

Protocol or
Feature

RFC 2998 A Framework for Integrated Services Operation over Diffserv Networks (November
2000)

QoS

RFC 2990 Next Steps for the IP QoS Architecture (November 2000)

QoS

RFC 2973 IS-IS Mesh Groups (October 2000)

IS-IS

RFC 2966 Domain-wide Prefix Distribution with Two-Level IS-IS (October 2000)

IS-IS

RFC 2934 Protocol Independent Multicast MIB for IPv4 (October 2000)

SNMP

RFC 2932 IPv4 Multicast Routing MIB (October 2000)

SNMP

RFC 2925 Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup
Operations (September 2000)

SNMP

RFC 2918 Route Refresh Capability for BGP-4 (September 2000)

BGP

RFC 2917 A Core MPLS IP Architecture (September 2000)

MPLS

RFC 2869 RADIUS Extensions (June 2000)

RADIUS

RFC 2868 RADIUS Attributes for Tunnel Protocol Support (June 2000)

RADIUS

RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support (June 2000)

RADIUS

RFC 2866 RADIUS Accounting (June 2000)

Dynamic
interfaces;
RADIUS

RFC 2865 Remote Authentication Dial In User Service (RADIUS) (June 2000)

Dynamic
interfaces;
RADIUS

RFC 2863 The Interfaces Group MIB (June 2000)

Ethernet; SNMP

RFC 2858 Multiprotocol Extensions for BGP-4 (June 2000)

BGP

RFC 2842 Capabilities Advertisement with BGP-4 (May 2000)

BGP

RFC 2796 BGP Route Reflection An Alternative to Full Mesh IBGP (April 2000)

BGP

RFC 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol (March
2000)

VRRP

RFC 2784 Generic Routing Encapsulation (GRE) (March 2000)

IP tunnels

RFC 2763 Dynamic Hostname Exchange Mechanism for IS-IS (February 2000)

IS-IS

RFC 2747 RSVP Cryptographic Authentication (January 2000)

MPLS

RFC 2737 Entity MIB (Version 2) (December 1999)

SNMP

RFC 2702 Requirements for Traffic Engineering over MPLS (September 1999)

MPLS

RFC 2698 A Two Rate Three Color Marker (September 1999)

Policy
management;
QoS

RFC 2697 A Single Rate Three Color Marker (September 1999)

Policy
management

RFC 2685 Virtual Private Networks Identifier (September 1999)

MPLS

RFCs
ERX Edge Routers

Table B-1 ERX RFCs (continued)

Reference

Protocol or
Feature

RFC 2684 Multiprotocol Encapsulation over ATM Adaptation Layer 5 (September 1999)

ATM

RFC 2668 Definitions of Managed Objects for IEEE 802.3 Medium Attachment Units (MAUs)
(August 1999)

Ethernet; SNMP

RFC 2667 IP Tunnel MIB (August 1999)

SNMP;
IP tunnels

RFC 2665 Definitions of Managed Objects for the Ethernet-like Interface Types (August 1998)

Ethernet; SNMP

RFC 2661 Layer Two Tunneling Protocol L2TP (August 1999)

L2TP

RFC 2616 Hypertext Transfer Protocol HTTP/1.1 (June 1989)

HTTP

RFC 2615 PPP over SONET/SDH (June 1999)

PoS

RFC 2598 An Expedited Forwarding PHB (June 1999)

QoS

RFC 2597 Assured Forwarding PHB Group (June 1999)

Policy
management;
QoS

RFC 2580 Conformance Statements for SMIv2 (April 1999)

SNMP

RFC 2579 Textual Conventions for SMIv2 (April 1999)

SNMP

RFC 2578 Structure of Management Information Version 2 (SMIv2) (April 1999)

SNMP

RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard
Network Management Framework (March 2000)

SNMP

RFC 2575 View-based Access Control Model (VACM) for the Simple Network Management
Protocol (SNMP) (April 1999)

SNMP

RFC 2574 User-based Security Model (USM) for version 3 of the Simple Network Management SNMP
Protocol (SNMPv3) (April 1999)
RFC 2573 SNMPv3 Applications (April 1999)

SNMP

RFC 2572 Message Processing and Dispatching for the Simple Network Management Protocol
(SNMP) (April 1999)

SNMP

RFC 2571 An Architecture for Describing SNMP Management Frameworks (April 1999)

SNMP

RFC 2570 Introduction to Version 3 of the Internet-standard Network Management Framework

(April 1999)

SNMP

RFC 2558 Definitions of Managed Objects for the SONET/SDH Interface Type (March 1999)

SNMP;
cOCx/STMx and
OCx/STMx
interfaces

RFC 2547 BGP/MPLS VPNs (March 1999)

BGP/MPLS
VPNs

RFC 2519 A Framework for Inter-Domain Route Aggregation (February 1999)

BGP

RFC 2516 Method for Transmitting PPP over Ethernet (PPPoE) (February 1998)

PPPoE

RFC 2515 Definitions of Managed Objects for ATM Management (February 1999)

ATM; SNMP

B-3

B-4

APPENDIX B
References

Table B-1 ERX RFCs (continued)

Reference

Protocol or
Feature

RFC 2514 Definitions of Textual Conventions and OBJECT-IDENTITIES for ATM Management
(February 1999)

SNMP

RFC 2513 Managed Objects for Controlling the Collection and Storage of Accounting
Information for Connection-Oriented Networks (February 1999)

SNMP

RFC 2475 An Architecture for Differentiated Services (December 1998)

Policy,
Management;
QoS

RFC 2474 Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
Headers (December 1998)

Policy
management;
QoS

RFC 2453 RIP Version 2 (November, 1998)

RIP

RFC 2439 BGP Route Flap Damping (November 1998)

BGP

RFC 2427 Multiprotocol Interconnect over Frame Relay (September 1998)

Frame Relay

RFC 2410 The NULL Encryption Algorithm and Its Use With IPSec (November 1998)

IPSec

RFC 2409 The Internet Key Exchange (IKE) (November 1998 )

IPSec

RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
(November 1998)

IPSec

RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP (November 1998)

IPSec

RFC 2406 IP Encapsulating Security Payload (ESP) (November 1998)

IPSec

RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV (November 1998)

IPSec

RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH (November 1998)

IPSec

RFC 2403 The Use of HMAC-MD5-96 within ESP and AH (November 1998)

IPSec

RFC 2402 IP Authentication Header (November 1998)

IPSec

RFC 2401 Security Architecture for the Internet Protocol (November 1998)

IPSec

RFC 2390 Inverse Address Resolution Protocol (September 1998)

ATM

RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option (August 1998)

BGP

RFC 2370 The OSPF Opaque LSA Option (July 1998)

OSPF

RFC 2364 PPP over AAL5 (July 1998)

E3 and T3
interfaces

RFC 2362 Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification

(June 1998)

IP multicasting;
SNMP

RFC 2341 Cisco Layer Two Forwarding (Protocol) L2F (May 1998)

L2F

RFC 2338 Virtual Router Redundancy Protocol (April 1998)

VRRP

RFC 2328 OSPF Version 2 (April 1998)

OSPF

RFC 2308 Negative Caching of DNS Queries (DNS NCACHE) (March 1998)

System
management

RFC 2270 Using a Dedicated AS for Sites Homed to a Single Provider (January 1998)

BGP

RFCs
ERX Edge Routers

Table B-1 ERX RFCs (continued)

Reference

Protocol or
Feature

RFC 2236 Internet Group Management Protocol, Version 2 (November 1997)

IP multicasting

RFC 2211 Specification of the Controlled-Load Network Element Service (September 1997)

MPLS

RFC 2210 The Use of RSVP with IETF Integrated Services (September 1997)

MPLS

RFC 2209 Resource ReSerVation Protocol (RSVP) -- Version 1, Message Processing Rules
(September 1997)

MPLS

RFC 2205 Resource ReSerVation Protocol (RSVP) -- Version 1, Functional Specification

(September 1997)

MPLS

RFC 2153 PPP Vendor Extensions (May 1997)

PPP

RFC 2131 Dynamic Host Configuration Protocol (March 1997)

DHCP

RFC 2115 Management Information Base for Frame Relay DTEs Using SMIv2 (September
1997)

Frame Relay;
SNMP

RFC 2096 IP Forwarding Table MIB (January 1997)

SNMP

RFC 2013 SNMPv2 Management Information Base for the User Datagram Protocol using
SMIv2 (November 1996)

SNMP

RFC 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SNMP
SMIv2 (November 1996)
RFC 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2
(November 1996)

SNMP

RFC 2003 IP Encapsulation within IP (October 1996)

IP tunnels

RFC 1998 An Application of the BGP Community Attribute in Multi-home Routing (August
1996)

BGP

RFC 1997 BGP Communities Attribute (August 1996)

BGP

RFC 1994 PPP Challenge Handshake Authentication Protocol (CHAP) (August 1996)

MLPPP; PPP

RFC 1990 The PPP Multilink Protocol (MP) (August 1996)

MLPPP

RFC 1966 BGP Route Reflection An alternative to full mesh IBGP (June 1996)

BGP

RFC 1965 Autonomous System Confederations for BGP (June 1996)

BGP

RFC 1930 Guidelines for creation, selection, and registration of an Autonomous System (AS)
(March 1996)

BGP

RFC 1907 Management Information Base for Version 2 of the Simple Network Management
Protocol (SNMPv2) (January 1996)

SNMP

RFC 1906 Transport Mappings for Version 2 of the Simple Network Management Protocol
(SNMPv2) (January 1996)

SNMP

RFC 1905 Protocol Operations for Version 2 of the Simple Network Management Protocol
(SNMPv2) (January 1996)

SNMP

RFC 1901 Introduction to Community-based SNMPv2 (January 1996)

SNMP

RFC 1877 PPP Internet Protocol Control Protocol Extensions for Name Server Addresses
(December 1995)

PPP

RFC 1863 A BGP/IDRP Route Server alternative to a full mesh routing (October 1995)

BGP

B-5

B-6

APPENDIX B
References

Table B-1 ERX RFCs (continued)

Reference

Protocol or
Feature

RFC 1850 OSPF Version 2 Management Information Base (November 1995)

OSPF

RFC 1812 Requirements for IP Version 4 Routers (June 1995)

IP

RFC 1774 BGP-4 Protocol Analysis (March 1995)

BGP

RFC 1773 Experience with the BGP-4 protocol (March 1995)

BGP

RFC 1772 Application of the Border Gateway Protocol in the Internet (March 1995)

BGP

RFC 1771 A Border Gateway Protocol 4 (BGP-4) (March 1995)

BGP

RFC 1745 BGP4/IDRP for IPOSPF Interaction (December 1994)

BGP

RFC 1724 RIP Version 2 MIB Extension (November 1994)

RIP

RFC 1702 Generic Routing Encapsulation over IPv4 Networks (October 1994)

IP tunnels

RFC 1701 Generic Routing Encapsulation (October 1994)

IP tunnels

RFC 1700 Assigned Numbers (October 1994)

IP tunnels

RFC 1662 PPP in HDLC-like Framing (July 1994)

PoS

RFC 1661 The Point-to-Point Protocol (PPP) (July 1994)

PPP; MLPPP;
cOCx/STMx,
CE1, CT1, CT3,
E3, and T3
interfaces

RFC 1657 Definitions of Managed Objects for the Fourth Version of the Border Gateway
Protocol (BGP-4) using SMIv2 (July 1997)

BGP; SNMP

RFC 1587 The OSPF NSSA Option (March 1994)

SNMP

RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 (July 1993)

ATM; E3 and T3
interfaces

RFC 1473 The Definitions of Managed Objects for the IP Network Control Protocol of the
Point-to-Point Protocol (June 1993)

SNMP

RFC 1472 The Definitions of Managed Objects for the Security Protocols of the Point-to-Point
Protocol (June 1993)

SNMP

RFC 1471 The Definitions of Managed Objects for the Link Control Protocol of the
Point-to-Point Protocol (June 1993)

SNMP

RFC 1407 Definitions of Managed Objects for the DS3/E3 Interface Types (January 1993)

SNMP;
cOCx/STMx,
CT3, E3, and T3
interfaces

RFC 1406 Definitions of Managed Objects for the DS1 and E1 Interface Types (January 1993)

SNMP; CE1,
CT1, and CT3
interfaces

RFC 1332 The PPP Internet Protocol Control Protocol (IPCP) (May 1992)

PPP

RFC 1305 Network Time Protocol (version 3) Specification, Implementation and Analysis
(March 1992)

NTP

RFC 1215 A Convention for Defining Traps for use with the SNMP (March 1991)

SNMP

RFCs
ERX Edge Routers

Table B-1 ERX RFCs (continued)

Reference

Protocol or
Feature

RFC 1213 Management Information Base for Network Management of TCP/IP-based Internets: SNMP
MIB-II (March 1991)
RFC 1212 Concise MIB Definitions (March 1991)

SNMP

RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments (December, 1990)

IS-IS

RFC 1157 A Simple Network Management Protocol (SNMP) (May 1990)

SNMP

RFC 1155 Structure and Identification of Management Information for TCP/IP-based Internets
(May 1990)

SNMP

RFC 1122 Requirements for Internet HostsCommunication Layers (October 1989)

IP

RFC 1112 Host Extensions for IP Multicasting (August 1989)

Ethernet; IP

RFC 1058 Routing Information Protocol (June, 1998)

RIP

RFC 1042 A Standard for the Transmission of IP Datagrams over IEEE 802 Networks
(February 1988)

Ethernet

RFC 1035 Domain Names Implementation and Specification (November 1987)

System
management

RFC 959 File Transfer Protocol (FTP) (October 1985)

FTP; System
management

RFC 950 Internet Standard Subnetting Procedure (August 1985)

IP

RFC 922 Broadcasting Internet Datagrams in the Presence of Subnets (October 1984)

IP

RFC 919 Broadcasting Internet Datagrams (October 1984)

IP

RFC 894 A Standard for the Transmission of IP Datagrams over Ethernet Networks (April 1984) Ethernet
RFC 854 Telnet Protocol Specification (May 1983)

IP

RFC 826 An Ethernet Address Resolution Protocol (November 1982)

Ethernet

RFC 793 Transmission Control Protocol (September 1981)

IP

RFC 792 Internet Control Message Protocol (September 1981)

IP

RFC 791 Internet Protocol DARPA Internet Program Protocol Specification (September 1981)

IP

RFC 768 User Datagram Protocol (August 1980)

IP

B-7

B-8

APPENDIX B
References

Draft RFCs
Note: IETF drafts are valid for only 6 months from the date of issuance. They must
be considered as works in progress. Please refer to the IETF Web site at
http://www.ietf.org for the latest drafts.
Table B-2 ERX draft RFCs

Reference

Protocol or
Feature

A Framework for Multiprotocol Label Switching draft-ietf-mpls-framework-06.txt (June 2001

expiration)

MPLS

A traceroute Facility for IP Multicast draft-ietf-idmr-traceroute-ipm-07.txt (January 2001

expiration)

IP multicasting

BGP Extended Communities Attribute draft-ietf-idr-bgp-ext-communities-05.txt (November 2002

expiration)

BGP

BGP/MPLS VPNs draft-ietf-ppvpn-rfc2547bis-01.txt (July 2002 expiration)

BGP

Definitions of Managed Objects for SONET Linear APS Architectures

draft-ietf-atommib-sonetaps-mib-08.txt (November 2002 expiration)

SONET APS
redundancy

Distance Vector Multicast Routing Protocol draft-ietf-idmr-dvmrp-v3-10 (February 2001

expiration)

IP multicasting

Extended Ethernet Frame Size Support draft-ietf-isis-ext-eth-01.txt (November 2001 expiration)

IS-IS

IGMP-based Multicast Forwarding ("IGMP Proxying'') draft-ietf-magma-igmp-proxy-00.txt (May

2002 expiration)

IP multicasting

IS-IS Extensions for Traffic Engineering draft-ietf-isis-traffic-04.txt (August 2001 publication)

IS-IS

Management Information Base for IS-IS draft-ietf-isis-wg-mib-08.txt (November 2002 expiration)

IS-IS; SNMP

Protocol Independent Multicast MIB for IPv4 draft-ietf-idmr-pim-mib-10.txt (July 2000 expiration)

IP multicasting

Routing IPv6 with IS-IS draft-ietf-isis-ipv6-02.txt (September 2001 expiration)

IS-IS

Traffic Engineering Extensions to OSPF draft-katz-yeung-ospf-traffic-06.txt (April 2002 expiration) OSPF

Other Software Standards

ERX Edge Routers

Other Software Standards

Table B-3 ERX non-RFC software standards

Reference

Protocol or
Feature

ANSI T1.107a-1990 Standard for Telecommunications Digital HierarchySupplement to Formats

Specification (August 16, 1990)

MDL (T3
interfaces)

ANSI T1.403-1989 Standard for Telecommunications - Network and Customer Installation Interfaces
DS1 Metallic Interface Robbed-bit Signaling State Definitions (1989)

FDL (T1
interfaces)

ANSI T1.617 Annex D

Frame Relay

ATM Forum ATM User-Network Interface Specification, Version 3.0 (September 1993)

ATM

ATM Forum ATM User-Network Interface Specification, Version 3.1 (September 1994)

ATM

ATM Forum Integrated Local Management Interface (ILMI) Specifications, Versions 3.0, 3.1, and
4.0 (September 1996)

ATM

ATM Forum Traffic Management Specification, Version 4.0 (April 1996)

ATM

ATM Forum User-Network Interface (UNI) versions 3.0, 3.1, 4.0

ATM

CCITT Draft Recommendation I.363 (AAL5 support) (January 1993)

ATM

CCITT ITU-T Recommendation I.160 B-ISDN Operation and Maintenance Principles and Functions
(February 1999)

ATM

CCITT ITU-T Q.933 Annex A

Frame Relay

Draft Standard P802.1Q/D9 IEEE Standards for Local and Metropolitan Area Networks: Virtual
Bridged Local Area Networks

Ethernet;
VLANs

ERX system Cisco HDLC is compatible with Cisco Systems HDLC protocol

Cisco HDLC

Frame Relay Fragmentation Implementation Agreement, FRF.12 (December 1997)

Frame Relay

IEEE 802.1q (FE and GE)

Ethernet;
VLANs

IEEE 802.3 (FE and GE)

Ethernet

IEEE 802.3u (FE only)

Ethernet

IEEE 802.3z (GE only)

Ethernet

ISO International Standard 8473-1:1993 Information technology Protocol for providing the
connectionless-mode network service

IS-IS

ISO International Standard 9542:1988 (E) Information processing systems Telecommunications

and information exchange between systems End System-to-Intermediate System Routing
Exchange Protocol for use in conjunction with the protocol for providing the connectionless-mode
network service (ISO 8473)

IS-IS

ISO/IEC 10589:1992 Information technology Telecommunications and information exchange

between systems Intermediate System-to-Intermediate System Intra-Domain Routing Exchange
Protocol for use in conjunction with the protocol for providing the connectionless-mode network
service (ISO 8473)

IS-IS

ITU-T G.783 Characteristics Of Synchronous Digital Hierarchy (SDH) Multiplexing Equipment

Functional Blocks: Annex A Multiplex Section Protection (MSP) Protocol, Commands And
Operation (1990)

SDH MSP
redundancy

B-9

B-10

APPENDIX B
References

Table B-3 ERX non-RFC software standards (continued)

Reference

Protocol or
Feature

Multilink Frame Relay UNI/NNI Implementation Agreement, FRF.16 (April 2000)

Multilink
Frame Relay

ITU-T V.35: Data transmission at 48 kbit/s using 60-108 kHz group band circuits (October 1984 - now
obsolete)

V.35

ITU-T X.21: Interface between Data Terminal Equipment and Data Circuit-terminating Equipment for
synchronous operation on public data networks (September 1992)

X.21

Telcordia document GR-253 Synchronous Optical Network (SONET) Transport Systems: Common
Generic Criteria, Revision 3 (September 2000).

SONET APS
redundancy

Hardware Standards
Table B-4 ERX hardware standards

Reference

Protocol or
Feature

ACA TS 016-1997

Telecom

ANSI T1.102-1993: Digital Hierarchy Electrical Interfaces (1999)

Cables

ANSI T1.646-1995: Telecommunications Broadband ISDN - Physical Layer Specification for

User-Network Interfaces Including DS1/ATM (1995)

Cables and
connectors

ANSI T1.646a-1997: Telecommunications Broadband ISDN - Physical Layer Specification for

User-Network Interfaces Including DS1/ATM (1997)

Cables and
connectors

AS/NZS 3260:1993: Safety of Information Technology Equipment Including Electrical Business

Equipment

Safety

AS/NZS 3548:1995 (CISPR 22 Class A)

EMC

AT&T (Lucent) Technical Note Power Margin Analysis (November 1995)

Cables and
connectors

CAN/CSA C22.2, No. 60950-00, 3rd Edition, Safety of Information Technology Equipment

Safety

CTR13 Commission Decision of 9 July 1997 on a common technical regulation for attachment
requirements for terminal equipment interface for connection to 2048 kbit/s digital structured ONP
leased lines: 97/521/EC OJ No. L215 Vol. 40, August 1997

Telecom

CTR24 Commission Decision of 9 September 1997 on a common technical regulation for

attachment requirements for terminal equipment interface for connection to 34 Mbit/s digital
unstructured and structured leased lines: 97/639/EC OJ No. L271 Vol. 40, 3 October 1997

Telecom

EMC Directive (89/336/EEC)

EMC

EN300 386-2:1997 EMC requirements for Telecom Network Equipment-Telco Centers

Telecom

EN55022 Class A (CISPR-22 Class A)

EMC

EN55024, Annex C for WAN Equipment Performance Criteria A, B, and C

EMC

EN60825-1, Safety of Laser Products - Part 1: Equipment Class, Requirements, and Users Guide
(2001)

Safety

Hardware Standards
ERX Edge Routers

Table B-4 ERX hardware standards (continued)

Reference

Protocol or
Feature

EN60950:2000, 3rd Edition, Safety of Information Technology Equipment

Safety

ETSI 300-386, Telecommunication Network Equipment; ElectroMagnetic Compatibility (EMC)

requirements

EMC

FCC Part 15 Class A

EMC

FCC PART 68

EMC

GR-1089 (LSSGR, FD-15): Electromagnetic Compatibility and Electrical Safety - Generic Criteria
for Network Telecommunications Equipment, Issue 2, Revision 1, February 1999

NEBS

GR-63 (LSSGR, FD-15): Network Equipment Building System (NEBS) Requirements: Physical
Protection, Issue 1, October 1995

NEBS

IECS-003 Issue 3 Class A

EMC

IEC 825-1, Safety of Laser Products - Part 1

Safety

IEC 60950-1(2001-10) Ed. 1.0 Information technology equipment - Safety - Part 1: General
requirements

Safety

ITUT G.703: Physical/electrical characteristics of hierarchical digital interfaces (November 2001)

Cables

Low Voltage Directive (73/23/EEC)

Safety

PD7024 Essential requirements for terminal equipment intended for connection to unstructured
digital leased circuits of the public telecommunications network using a CCITT recommendation
G,703 interface at a rate of 2048 kbit/s with a 75 ohm unbalanced presentation, 1994

Telecom

RTTE Directive (1999/5/EEC)

Telecom

SR-3580 (FD-15): Network Equipment Building System (NEBS) Criteria Levels, Issue 1, November
1995

Safety

UL 1950, Safety of Information Technology Equipment, Including Electrical Business Equipment

Safety

UL 60950, 3rd Edition, Safety of Information Technology Equipment

Safety

VCCI (Voluntary Control Council for Interference by Information Technology Equipment)

EMC

B-11

B-12

APPENDIX B
References

Index
Symbols
.cnf files 4-10, 4-22
.dmp files 4-22, 4-44
.hty files 4-22
.log files 4-22
.mac files 4-22
.pub files 4-22
.rel files 4-22
.scr files 4-22
.sts files 4-22
.txt files 4-22
? command 2-6, 2-23, 2-25

Numbers
3des-cbc encryption algorithm for SSH 6-21

A
AAA authentication, configuring 6-13
aaa commands
aaa authentication login 6-14
aaa domain-map 10-7
aaa domain-map command 2-38
aaa new-model 6-14
AAL5 layer (ATM) 1-24
abbreviating
keywords 2-4, 2-5, 2-26
access and uplink methods 1-3
access-class in command 6-16
access levels (CLI) 2-20
access-list command 6-16, 9-10
access lists for Telnet sessions 6-16
access lists 1-30
Address Family Configuration mode 2-29, 2-37
address-family ipv4 command 2-37
address-family vpnv4 command 2-37
agent, SNMP 3-2, 3-4
enabling 3-13
algorithm negotiation, SSH 6-17
arrow keys 2-7, 2-27, 2-28
assembly numbers (hardware), displaying 5-17
assembly numbers, displaying for hardware 8-9
assembly revisions (hardware), displaying 5-17
assembly revisions, displaying for hardware 8-9
assigning NTP servers 9-7

ATM interfaces 1-23 to 1-25

attributes, SNMP 3-9
audience for documentation xx
authentication
FTP server 4-33
hmac-md5 for SSH 6-24
hmac-sha1-96 for SSH 6-24
hmac-sha1 for SSH 6-24
new model AAA 6-13
SSH user 6-18
authentication trap, SNMP 3-21
Automatic Commit mode 4-10
automatic switchover 5-15
automatic synchronization 5-25
disabling 5-27
autoupgrade 4-3

B
Backspace key 2-6, 2-27
backup router 1-29
bandwidth
associated error messages 5-14
line modules 5-8
optimizing 5-14
SRP modules 5-8
bandwidth oversubscription
configuring 5-13
monitoring 5-13
overview 5-6
bandwidth oversubscription command 5-13
banner command 4-17
baseline commands
baseline log 11-3
baseline show-delta-counts 4-49
baseline snmp 3-43
best NTP server 9-4, 9-13
BGP protocol 1-29
blowfish-cbc encryption algorithm for SSH 6-21
boot commands
boot backup 8-2
boot config 8-2
boot config factory-defaults 8-2
boot config once 8-2
boot config running-configuration 8-2

2
Index

boot config startup-configuration 8-2

boot force-backup 8-3
boot revert-tolerance 8-4
boot revert-tolerance never 8-4
boot slot 8-4
boot subsystem 8-4
boot system 8-5
booting modules 5-21
booting the system 8-1 to 8-11
rebooting 8-5
while running scripts or macros 8-8
BOOT mode 5-28
enabling a core dump in 4-44
Border Gateway Protocol. See BGP
bottom-up approach to network configuration 1-4
B-RAS applications 1-3 to 1-4
overview 1-31
broadcasts, NTP 9-3, 9-10
bulk statistics, SNMP
collecting 3-24 to 3-42
configuring
collectors and receivers 3-25 to 3-28
schemas 3-37 to 3-39
formatter 3-41
if-stats objects 3-37
monitoring
collection statistics 3-29 to 3-37
schema statistics 3-40 to 3-41
bulkstats commands 3-27 to 3-28
bulkstats collector 3-26
bulkstats collector collect-mode 3-26
bulkstats collector description 3-26
bulkstats collector interval 3-26
bulkstats collector max-size 3-26
bulkstats collector primary-receiver 3-27
bulkstats collector secondary-receiver 3-27
bulkstats collector single-interval 3-27
bulkstats file-format endOfLine-Lf 3-42
bulkstats interface-type 3-27
bulkstats policy-name 3-39
bulkstats receiver remote-name 3-28
bulkstats schema 3-39
bulkstats schema policy-type 3-39
bulkstats traps 3-28
See also show bulkstats commands

C
caching, configuration 8-8
capitalization. See case sensitivity
case sensitivity 2-26

CD, documentation CD xxii

using the xxiii
CE1 interfaces
configuring 1-15, 1-16
line rates 1-10
characters on terminal screen, setting bits for 4-15
chassis slot numbers 4-48
choosing NTP servers 9-7
clear line command 4-9
CLI (command line interface) 4-5 to 4-7
abbreviating keywords 2-4, 2-5, 2-26
accessing the CLI 2-21
command modes. See command modes
context-sensitive help 2-22 to 2-26, 4-7
editing keys 2-27
editing on 2-26 to 2-28
logging in 2-21
pausing 4-7
system prompts 2-19
CLI access levels
VSA descriptions 6-28, 6-29
CLI command execution by macro file 7-1
client, SNMP 3-2, 3-3
configuring access 3-13
clock 9-5 to 9-7
clock commands 9-5 to 9-7
clock set 9-6
clock summer-time date 9-6
clock summer-time recurring 9-6
clock timezone 9-6
.cnf files 4-10, 4-11, 4-22, 8-1
cOCx/STMx interfaces
configuring 1-15
line rates 1-10
coldStart, SNMP trap 3-21
combinations of line modules 5-7 to 5-12
command history keys 2-28
command line interface. See CLI
command line prompts 2-3, 2-29 to 2-33
command modes 2-1 to 2-3, 2-29 to 2-33
accessing 2-29
Boot mode 4-44
exiting 2-22, 4-6
Global Configuration mode 4-5
Privileged Exec mode 4-6
Prvileged Exec 6-31
User Exec 6-31
User Exec mode 4-5

3
ERX Edge Routers

commands
abbreviating 2-26
editing on command line 2-26 to 2-28
issuing from other command modes 2-8, 4-7
listing available 2-23
pausing before executing 4-7
using 2-5
community, SNMP 3-2, 3-13, 3-14
community table, SNMP
community name 3-13
configuring 3-13
IP access list 3-14
privilege levels 3-14
configuration caching 8-8
configuration file 8-1
configuration tasks, general 1-8 to 1-9
configure command 2-34, 2-36, 4-5
configuring
bandwidth oversubscription 5-13
banners 4-17
CLI messages 4-17
data link layer interfaces 1-20
display terminal 4-14
DNS 4-39
line module redundancy 5-16
login conditions 4-15
NTP 9-8
performance rate of line modules 5-6
physical layer interfaces 1-10
policy management 1-31
routing policy 1-30
routing protocols 1-28
timing 4-3
virtual routers 1-9, 10-4 to 10-10
confirmations explicit command 2-19
console
monitoring settings 4-19
password 6-10
restricting login 4-15
setting speed 4-14
contact person for SNMP server 3-14
context-sensitive help 2-22 to 2-26, 4-7
controller command 2-37
controller commands 2-37
See also show controllers commands
Controller Configuration mode 2-29, 2-37
conventions defined
icons xx
syntax xx
text xx

copy commands
copy 4-30, 4-47
copy running-configuration 4-10
copy running-configuration
startup-configuration 4-11
copy startup-configuration 4-11
copying
files 4-30, 4-47
image on primary SRP module 5-28
long scripts 5-27
partial releases 4-36
core dump files for troubleshooting 4-22, 4-44
corrupted files
repairing 5-29
scanning 5-29
crypto key dss command 6-19, 6-25
CT1 interfaces
configuring 1-15, 1-16
line rates 1-10
CT3 interfaces
configuring 1-13
line rates 1-10
Ctrl-key combinations (CLI)
command history 2-28
command-line editing 2-27
customizing. See configuring

D
data-character-bits command 4-15
data set ready signal. See DSR
DCE 1-19
default command 2-7
default virtual router 10-1
delete command 4-25
Delete key 2-6, 2-27
deleting
files 4-25
line module configurations 5-4
passwords and secrets 6-6 to 6-7
destination, logging messages by 11-4
DHCP Pool Configuration mode 2-29, 2-37
Diffie-Hellman key exchange 6-17
digital subscriber line access multiplexers. See
DSLAMs
dir command 4-26
directing NTP replies 9-10
disable-autosync command 5-27
disable command 4-5
disable-switch-on-error command 5-22

4
Index

disabling
automatic synchronization 5-27
line modules 5-2
disconnect ssh command 6-26
displaying. See listing; show commands
distribution lists 1-30
.dmp files 4-22, 4-44
DNS (Domain Name Service) 4-39 to ??
documentation set, Juniper Networks xxi
CD xxii
CD, using the xxiii
comments on xxiii
Domain Map Configuration mode 2-29, 2-38
Domain Map Tunnel Configuration mode 2-29,
2-39
Domain Name Service. See DNS
Down Arrow key 2-7, 2-28
draft RFCs B-8
DS1 channels 1-13
DS3 channels 1-13
DSLAM aggregation 1-3 to 1-4
DSLAMs (digital subscriber line access
multiplexers) 1-3, 1-21, 1-23, 1-31
DSR (data set ready), restricting login with 4-15
dsr-detect command 4-16
DTE 1-19
dump files, core 4-44

E
E3 interfaces
configuring 1-14
line rates 1-10
edge aggregation applications 1-2
private line aggregation 1-2
xDSL session termination 1-3 to 1-4
editing on command line 2-26 to 2-28
enable commands
enable 2-35, 4-6, 6-28
enable password 6-4
enable privilege-level 6-6
enable secret 6-4
enable passwords
erasing 6-6
enabling
engineering logs 11-6
line modules 5-2
passwords 6-4
SNMP agent 3-13
SNMP traps 3-22

encryption
3des-cbc for SSH 6-21
blowfish-cbc for SSH 6-21
configuring SSH 6-21
twofish-cbc for SSH 6-21
encrypt passwords 6-5
end command 4-6
engineering logs 11-6
Enter key 2-6, 2-26, 2-28
Enterprise SNMP MIB 3-4
entity, SNMP 3-2
environment, system 4-49
erase secrets command 6-7
erasing
line module configurations 5-4
erasing. See deleting
ERX-1400 series xix
ERX-700 series xix
ERX models xix
ERX system, remote access. See B-RAS
applications
ERX system. See system
Esc-key combinations (CLI) 2-27
Ethernet, Telnet on 4-39
Ethernet port on SRP module 5-31
events, SNMP 3-2
exception commands
exception dump 4-45
exception gateway 4-45
exception protocol ftp 4-45
exception source 4-46
exclude-subsystem command 4-37
exec-banner command 4-18
exec-timeout command 4-17
executing macros 7-16
exit command 2-22, 4-6
exiting
current command mode 4-6
Global Configuration mode 4-6
Privileged Exec mode 4-5
exiting system 2-22
Explicit Path Configuration mode 2-29, 2-39

F
failover. See switchover
Fast Ethernet (FE) modules
specifying an interface 5-31
fields, adding to logs 11-6

5
ERX Edge Routers

files
deleting 4-25
macro 7-1
managing 4-22 to 4-24
monitoring 4-26
renaming 4-24
transferring 4-27 to 4-39
types of 4-22
file system configuration, saving current 4-10
filtering show command output 2-9
flash-disk commands
flash-disk duplicate 5-29
flash-disk initialize 5-28
flash-disk scan 5-29
Frame Relay
interfaces 1-21 to 1-22
FTP client 4-28
FTP server 4-28
authentication 4-33
configuring 4-32
monitoring 4-35
ftp-server enable command 4-33

G
GetBulk operation, SNMP 3-10
GetBulk PDU type, SNMP 3-10
GetNext operation, SNMP 3-10
GetNextRequest PDU type, SNMP 3-10
Get operation, SNMP 3-10
GetRequest PDU type, SNMP 3-10
GetResponse PDU type, SNMP 3-10
Global Configuration mode 2-1, 2-29, 2-36, 4-5
exiting 4-6
group, SNMP 3-2

H
halt command 5-3, 5-25
hardware
slot numbers 4-48
standards B-10
versions, displaying 5-33, 8-11
HDLC parameters 1-12
help 4-7
CLI system 2-22 to 2-26
help command 2-22, 2-26, 4-7
history command 2-28
hmac-md5 authentication for SSH 6-24
hmac-sha1-96 authentication for SSH 6-24
hmac-sha1 authentication for SSH 6-24

host ftp command 4-30

hostname command 4-2
host table, modifying 4-30
HSSIs, configuring 1-18
.hty files 4-22

I
I/O modules
software compatibility 5-6
icons defined, notice xx
if constructs, macro 7-11
initializing line modules 2-20
initializing primary NVS card 5-28
installing NVS cards 5-25
installing software 5-27
installing the system software xix
interactive help system. See help
interface commands 1-7
interface 2-40, 2-53
interface fastEthernet 5-31
See also show interfaces commands
Interface Configuration mode 2-30, 2-40
interfaces 1-6 to 1-28
configuring 2-40
Fast Ethernet 5-31
physical. See physical interfaces
IP access list, SNMP 3-14
ip commands
ip atm-vc 2-44
ip dhcp-local pool 2-37
ip domain-lookup 4-41
ip domain-lookup transit-virtual-router 4-43
ip domain-name 4-42
ip ftp source-address 4-31
ip ftp source-interface 4-31
ip name-server 4-42
ip vrf 2-54, 10-7
IP multicast 1-28
IPSec
AH 1-10
ESP 1-10
ipsec commands
ipsec isakmp-policy-rule 2-41
ipsec key manual 2-41
IPSec Manual Key Configuration mode 2-30,
2-41
ip ssh commands
ip ssh authentication-retries 6-23
ip ssh crypto 6-22
ip ssh disable-user-authentication 6-23

6
Index

ip ssh mac 6-24

ip ssh sleep 6-23
ip ssh timeout 6-23
IP support 1-23 to 1-28
IP/ATM 1-23 to 1-25
IP/Ethernet 1-27
IP/FR 1-21 to 1-22
IP/HDLC 1-27
IP/PPP 1-25 to 1-26
ip vrf command 10-7
ISAKMP Policy Configuration mode 2-30, 2-41
IS-IS protocol 1-28
issuing commands from other CLI modes 2-8, 4-7

J
Juniper Networks documentation set xxi
CD xxii
CD, using the xxiii
comments on xxiii
Juniper Networks ERX Enterprise SNMP
MIB 3-4

K
keywords 2-3, 2-4
partial-keyword <Tab> 2-26

L
L2F protocol 1-32
l2tp destination profile command 2-42
L2TP Destination Profile Configuration
mode 2-30, 2-42
L2TP Destination Profile Host Configuration
mode 2-30, 2-42
L2TP protocol 1-32
Layer 2 Forwarding Protocol. See L2TF
Layer 2 Tunneling Protocol. See L2TP
layered approach to network configuration 1-4
LDP Configuration mode 2-30, 2-43
Left Arrow key 2-7, 2-27
levels of CLI access 6-27
line command 6-9, 6-12, 6-15
Line Configuration mode 2-30, 2-43
line module redundancy 5-14
configuring 5-16
managing 5-16
monitoring 5-17
line modules
bandwidth 5-8
combinations 5-6 to 5-12

disabling 5-2
enabling 5-2
erasing configurations 5-4
initialization sequence 2-20
line rates 1-10
performance rate 5-6
replacing 5-4
restricted combinations 5-7, 5-14
slot groups 5-6 to 5-12
software compatibility 5-5
switch usage 5-8
troubleshooting 4-44
line rates 1-10
lines on terminal screen, setting 4-14
line vty command 2-43, 4-8
link-up, link-down traps, SNMP 3-23
listing
commands available 2-23
files on system 4-26
See also show commands
LLC layer (ATM) 1-24
LMI (local management interface) 1-22
local management interface. See LMI and ILMI
location of SNMP server 3-14
log commands 4-43
baseline log 11-3
log destination 11-4
log engineering 11-6
log field 11-6
log here 11-6
log severity 11-7
log unlimit 11-7
log verbosity 11-7
no log filters 11-12
See also show log commands
log event categories 11-16
aaaAtm1483Cfg 11-16
aaaEngineGeneral 11-17
aaaServerGeneral 11-17
aaaUserAccess 11-18
addressServerGeneral 11-18
ar1AaaServerGeneral 11-18
atm 11-19
atm1483 11-19
atmAal5 11-20
AuditIpsec 11-20
bgpConnections 11-21
bgpDampening 11-21
bgpEvents 11-22
bgpGeneral 11-23

7
ERX Edge Routers

bgpKeepAlives 11-23
bgpMessages 11-24
bgpNeighborChanges 11-25
bgpRoutes 11-25
bgpVpn 11-28
bridgedEthernet 11-28
bulkStats 11-28
cacGeneral 11-29
cacIntf 11-29
cbf 11-30
cliCommand 11-30
cops 11-30
crldpGeneral 11-31
ctreeLog 11-32
dcm 11-32
dcmEngineGeneral 11-33
dhcpGeneral 11-33
dhcpLocalServerGeneral 11-33, 11-34
dhcpProxyGeneral 11-34
dhcpRelayGeneral 11-34
diagMboxCtrl 11-35
dnsGeneralLog 11-35
ds1 11-36
ds3 11-36
dvmrpGeneral 11-36
dvmrpMcastTable 11-37
dvmrpProbeRcv 11-38
dvmrpProbeSent 11-38
dvmrpRtTable 11-39
ethernet 11-39
fileSystem 11-39
frameRelay 11-40
fsAgent 11-40
ft1 11-41
ftpClient 11-41
ftpServer 11-41
gplaan 11-42
httpServer 11-42
icmpTraffic 11-43
igmpGeneral 11-44
ikepki 11-44
ipAccessList 11-45
ipEngine 11-45
ipGeneral 11-46
ipInterface 11-47
ipNhopTrackerGeneral 11-47
ipProfileMgr 11-47
ipRoutePolicy 11-48
ipRouteTable 11-48
ipTraffic 11-49

ipTunnel 11-49
isisAdjChange 11-49
isisAdjPackets 11-50
isisChecksumErr 11-50
isisGeneral 11-51
isisLocalUpdate 11-51
isisMplsTeAdvertisements 11-52
isisMplsTeEvents 11-52
isisProtocolErr 11-52
isisSnpPackets 11-53
isisSpfEvents 11-53
isisSpfStatistics 11-54
isisSpfTriggers 11-54
isisUpdatePackets 11-55
l2f 11-55
l2flpLowerBinding 11-55
l2fStateMachine 11-56
l2tp 11-56
l2tplpLowerBinding 11-56
l2tpStateMachine 11-57
localAddressServerGeneral 11-57
localLinePassword 11-57
mgmtGeneral 11-58
mmcd 11-58
mplsAppService 11-59
mplsGeneral 11-59
mplsMajorInterface 11-60
mplsMinorInterface 11-60
mtraceLog 11-61
mtracercvdLog 11-61
mtraceSentLog 11-62
multicastTraffic 11-62
nameResolverLog 11-63
noneAaaAddrServer 11-63
noneAaaServer 11-63
ntpGeneral 11-64
onlineDiag 11-64
os 11-65
ospfElectDr 11-65
ospfGeneral 11-66
ospfInterface 11-67
ospfLsa 11-67
ospfNeighbor 11-68
ospfPktsRcvd 11-68
ospfPktsSent 11-69
ospfRoute 11-69
ospfSpfExt 11-70
ospfspfInter 11-70
ospfSpfIntra 11-71
ospfTeDatabase 11-71

8
Index

ospfTeSPF 11-72
pimAutoRPRcvdLog 11-72
pimAutoRPSentLog 11-73
pimHelloRcvdLog 11-73
pimHelloSentLog 11-74
pimPktsRcvdLog 11-74
pimPktsSentLog 11-75
policyMgrAttachment 11-75
policyMgrGeneral 11-76
policyMgrPacketLog 11-76
ppp 11-76
pppoe 11-77
pppoeControlPacket 11-77
pppPacket 11-78
pppStateMachine 11-78
profileMgr 11-79
qos 11-79
radiusAttributes 11-80
radiusClient 11-80
remOps 11-80
ripGeneral 11-81
ripRoute 11-81
ripRtTable 11-82
routerLog 11-82
security 11-83
slep 11-83
snmp 11-83
snmpPduAudit 11-84
snmpSetPduAudit 11-84
sonet 11-85
sonetPath 11-85
sonetVt 11-85
ssccDetailPm 11-86
ssccDetailSsc 11-86
ssccGeneral 11-87
stTunnel 11-87
system 11-87
tcpGeneral 11-88
tcpTraffic 11-89
telnet 11-89
testExec 11-90
tsm 11-90
udpTraffic 11-90
vrfVpnMgrGeneralLog 11-91
vrrp 11-91
.log files 4-22
logging in to system 2-21
logging system events
individual logs 11-7, 11-8
severity 11-1

strategies 11-16 to 11-92

system-wide logs 11-7, 11-8
verbosity 11-2
viewing logs 11-15
login authentication command 6-15
login banner 4-17
login command 4-14, 6-9, 6-12
long scripts, copying 5-27

M
MAC, configuring for SSH 6-23
.mac files 4-22
macro (.mac) files 4-22, 7-1
macro command 7-16
macros
comments 7-2
conditional execution 7-11 to 7-13
control expressions 7-1
environment commands 7-3
if constructs 7-11
invoking 7-14 to 7-15
invoking from another macro file 7-14, 7-16
literals 7-4
naming 7-2
noncontrol expressions 7-1
operators 7-4
arithmetic 7-8
assignment 7-6
extraction 7-7
increment and decrement 7-7
logical 7-9
miscellaneous 7-10
relational 7-9
string 7-7
resetting system while running 8-8
running 7-16
variables 7-3
while constructs 7-13
writing 7-1 to 7-15
managed object, SNMP 3-2
Management Information Bases. See MIBs
managing
line module redundancy 5-16
NVS cards 5-24
SRP redundancy 5-22
managing files 4-22 to 4-24
managing system 4-1 to 4-2
passwords 6-1 to 6-30
security 6-1 to 6-30
Manual Commit mode 4-10

9
ERX Edge Routers

manuals, Juniper Networks xxi

comments on xxiii
on CD xxii
Map Class Configuration mode 2-30, 2-44
map-class frame-relay command 2-44
map-list command 2-44
Map List Configuration mode 2-31, 2-44
master, NTP 9-4, 9-13
master router 1-29
MD5 authentication, SSH 6-24
memory (hardware), displaying 5-17
memory, displaying for hardware 8-9
memory warning command 3-15
message authentication code. See MAC
message-of-the-day (MOTD) banner 4-17, 4-18
MIBs (Management Information Bases)
definition of 3-2
Juniper Networks ERX enterprise 3-4
standard SNMP 3-4
models, ERX xix
monitor. See terminal
monitoring
bandwidth oversubscription 5-13
Ethernet port on SRP module 5-32
hardware information 5-17, 5-33
modules 5-34
NTP 9-12
NVS cards 5-31
redundancy status 5-17
resources used 5-34
SNMP status 3-43, 3-44
status LEDs 5-23
virtual routers 10-8 to 10-10
monitoring files 4-26
--More-- prompts 2-6, 2-14, 2-15 to 2-19, 2-28
motd-banner command 4-18
mpls commands
mpls explicit-path name 2-39
mpls ldp profile 2-43
mpls rsvp profile 2-51
mpls tunnels profile 2-54
MPLS protocol 1-29
Multiprotocol Label Switching. See MPLS
protocol

N
names
renaming local files 4-24
system name 4-2

network configuration 1-1 to 1-32

layered (bottom-up) approach 1-4
routing protocols 1-28
network elements, SNMP 3-3
network servers, displaying list of 4-52
Network Time Protocol. See NTP
new model AAA authentication 6-13
no command 2-7
non-PPP equal access 1-32
notice icons defined xx
NTP
best server 9-4, 9-13
broadcasts 9-3, 9-10
client-server associations 9-2
master 9-4, 9-13
overview 9-1
peers 9-2
replies 9-3, 9-10
requests 9-3
servers 9-2, 9-3, 9-7, 9-11
synchronization 9-3 to 9-4
virtual routers 9-1, 9-8
NTP client
configuring the system as 9-8
system operation as 9-3
ntp commands
ntp access-group 9-11
ntp broadcast-client 9-9
ntp broadcast-delay 9-9
ntp disable 9-9
ntp enable 9-8
ntp master 9-11
ntp server 9-9
ntp server enable 9-12
ntp source 9-10
NTP control queries 9-11
NTP servers
configuring virtual routers as 9-11
enabling on a virtual router 9-12
system operation as 9-4
NVS cards 5-24
copying 5-28
different capacities 5-24
synchronization of 5-26
formatting 5-28
managing 5-24
monitoring 5-31
replacing 5-25
scanning 5-29
synchronizing 5-25

10
Index

O
Open Shortest Path First. See OSPF
optimizing bandwidth 5-14
OSPF (Open Shortest Path First) 1-28
output filtering
from the --More-- prompt 2-15
show command 2-9
oversubscription, bandwidth
configuring 5-13
monitoring 5-13
overview 5-6
overview, NTP 9-1

P
packet size, SNMP 3-15
pagination keys 2-28
parameters 2-3, 2-4
password command 4-8, 6-9, 6-12, 6-15
passwords 2-26, 2-35, 6-1
encryption 6-2
erasing console passwords 6-10
erasing enable passwords 6-6
See also Privileged Exec mode
pausing before command execution 4-7
PDU (protocol data unit) 3-10
performance, line rates 1-10
performance rate, line modules 5-6
physical interfaces, configuring 2-37
physical slots
rebooting 5-21
rebooting selected 8-7
ping command 2-33, 9-10
planning your network 1-1
access lists 1-30
BGP 1-29
configurable HDLC parameters 1-12
configuration overview 1-2
CT3 module 1-13
data link layer interfaces 1-20
distribution lists 1-30
E3 modules 1-14
Ethernet modules 1-17
general configuration tasks 1-8
interfaces and subinterfaces 1-6
IP/ATM 1-23
IP/Frame Relay 1-21
IP/HDLC 1-27
IP/PPP 1-25
IP multicast 1-28

L2F 1-32
L2TP 1-32
layered approach 1-4
line module features 1-12
MPLS 1-29
non-PPP equal access 1-32
OSPF 1-28
physical layer interfaces 1-10
policy management 1-31
private line aggregation 1-2
RIP 1-29
route maps 1-30
routing policy 1-30
routing protocols 1-28
SONET 1-15
T3 modules 1-14
virtual routers 1-9
VRRP 1-29
xDSL session termination 1-3
Policy Configuration mode 2-31, 2-45
policy-list command 2-45
policy management 1-31
QoS classification and marking 1-31
rate limiting 1-31
types of services 1-31
polling NTP servers 9-3
POS interfaces 1-25 to 1-26
PPP protocol support 1-25 to 1-26
primary NTP servers 9-2
private line aggregation 1-2
Privileged Exec mode 2-31, 2-34
accessing 2-21, 2-35, 4-6
exiting 4-5
See also passwords
privileged-level access (CLI) 2-20, 2-21
See also Privileged Exec mode
privilege levels
password encryption 6-2
SNMP 3-14
profile command 2-45
Profile Configuration mode 2-31, 2-45
prompts, CLI system 2-19
protocol data unit. See PDU
protocols, xDSL, supported 1-4
proxy, SNMP 3-7, 3-42
.pub files 4-22

11
ERX Edge Routers

Q
QoS 1-30
qos-profile command 2-46
QoS Profile Configuration mode 2-31, 2-46
Queue Configuration mode 2-31, 2-47
queue-profile command 2-47
quitting. See exiting

R
RADIUS
authentication, restricting access 6-29
password authentication 6-18
per-user enable authentication 6-28
restricting access to commands 6-27, 6-30
user authentication 6-20
radius commands
radius accounting server 2-47
radius authentication server 2-47
RADIUS Configuration mode 2-31, 2-47
rate-limit-profile command 2-48
Rate Limit Profile Configuration mode 2-31, 2-48
reboot history (reboot.hty) file 4-22
reboot history, displaying 4-54
rebooting the system 8-1 to 8-11
redirect operators 2-14
redistribute routes 1-30
redundancy
line module. See line module redundancy
SRP module. See SRP module redundancy
redundancy commands
redundancy force-failover 5-17
redundancy lockout 5-16
redundancy revert 5-17
redundancy revertive 5-16
references
draft RFCs B-8
hardware standards B-10
non-RFC software standards B-9
RFCs B-1
reformatting primary NVS card 5-28
refusing NTP broadcasts 9-10
regular expressions 2-10
release. See versions
.rel files 4-22
specifying for reboot 8-5

reload commands
reload 4-46, 8-5
reload at 8-6
reload in 8-6
reload slot 5-21, 8-7
Remote Authentication Dial-In User Service. See
RADIUS
remote host command 2-42
remote-neighbor command 2-49
Remote Neighbor Configuration mode 2-32, 2-49
removing
NVS cards 5-25
See also deleting
SRP modules 5-2
rename command 4-24
renaming files 4-24
repairing corrupted files 5-29
replacing
line modules 5-4
NVS cards 5-25
SRP modules 5-5
replies, NTP 9-3, 9-10
requests, NTP 9-3
reset button, software 6-10
resetting while running scripts or macros 8-8
reversion, after switchover 5-16
revisions, displaying assembly 5-17, 8-9
RFCs B-1
draft B-8
Right Arrow key 2-7, 2-27
RIP protocol 1-29
route-map command 2-50
Route Map Configuration mode 2-32, 2-50
route maps 1-30
router bgp command 2-37
router command 2-49, 2-50
Router Configuration mode 2-32, 2-50
routers. See system
routing, IP
configuring other protocols 1-28
monitoring 10-9
Routing Information Protocol. See RIP
routing protocols 1-28
RSVP Configuration mode 2-32, 2-51
rtr command 2-51
RTR Configuration mode 2-32, 2-51
run command 2-8, 2-8 to 2-9, 4-7
running configuration file 4-10
running macros 7-16

12
Index

S
saving current configuration 4-10, 4-11, 4-13
saving startup configuration 4-11
scanning NVS cards 5-29
schedule-profile command 2-52
Scheduler Profile Configuration mode 2-32, 2-52
screen. See terminal
.scr files 4-22
script files 4-22
scripts, resetting system while running 8-8
secondary NTP servers 9-2
secrets, erasing 6-6
secure IP tunnels 1-20
Secure Shell Server protocol. See SSH
security
administration via SSH instead of Telnet 6-16
SSH issues 6-20
security features of SNMP 3-5
selecting NTP servers 9-7
send command 4-21
sending messages to terminals 4-20
serial numbers (hardware), displaying 5-17
serial numbers, displaying for hardware 8-9
series
ERX-1400 xix
ERX-700 xix
servers, NTP 9-3
service ctrl-x-reboot command 2-27, 8-7
service manual-commit command 4-11
service password-encryption command 6-3, 6-5
service timestamps command 11-10
service unattended password-recovery
command 6-8
Set operation, SNMP 3-10
SetRequest PDU type, SNMP 3-10
setting the system clock 9-5 to 9-7
shortcuts 2-20
show aaa commands
show aaa domain-map 10-8
show bandwidth oversubscription 5-13
show boot command 8-9
show bulkstats commands
show bulkstats 3-29
show bulkstats collector interface-type 3-33
show bulkstats collector interval 3-32
show bulkstats collector max-size 3-33
show bulkstats collector transfer-mode 3-33
show bulkstats receiver 3-34
show bulkstats statistics 3-35
show bulkstats traps 3-36

show clock command 9-7

show command 2-7, 2-9 to 2-15
output filtering feature 10-9, 10-10
redirecting output 2-14
redirect operators 2-14
show config command 6-25
show configuration command 4-12, 4-49
show configuration virtual-router command 10-9
show environment command 4-49, 5-17
show exception dump command 4-46
show ftp-server command 4-35
show hardware command 5-17, 5-33, 8-9
show hosts command 4-52
show ip commands
show ip domain-lookup command 4-43
show ip forwarding-table slot 10-9
show ip ssh 6-25
show last-reset command 8-10
show line console 0 command 4-19
show line vty command 4-9, 6-13
show log commands
show log configuration 11-12
show log data 11-15
show ntp commands
show ntp associations 9-13
show ntp associations detail 9-14
show ntp status 9-15
show nvs command 5-31
show processes command 4-52
show reboot-history command 4-54
show redundancy command 5-18
show reload command 8-10
show running-configuration command 4-13
show secrets command 6-10
show snmp commands
show snmp 3-44
show snmp community 3-14
show snmp trap 3-47
show subsystems command 4-38
show terminal command 4-19
show timing command 4-4
show users command 4-36
show utilization command 5-34
show version command 2-20, 4-48, 4-55, 5-19,
8-11
show virtual-router command 10-10
Simple Network Management Protocol. See
SNMP
sleep command 4-7

13
ERX Edge Routers

slot commands
slot accept 5-4
slot disable 5-2
slot enable 5-2
slot erase 5-4
slot groups and module arrangements 5-6 to 5-12
slot numbers
chassis 4-48
hardware 4-48
slots. See physical slots
SNMP (Simple Network Management
Protocol) 3-1 to 3-49
agent software 3-2, 3-4
enabling 3-13
attributes 3-9
bulk statistics collection 3-24 to 3-42
client software 3-2, 3-3
configuring access 3-13
communities 3-2, 3-13, 3-14
compressing interfaces 3-16
configuration tasks 3-12
encoding method 3-16
engine 3-8
entity 3-2
group 3-2
interface numbering 3-18
management features 3-6
managing interface sublayers 3-16
memory warning 3-15
monitoring interface tables 3-19
monitoring status 3-43, 3-44
multiple virtual routers 3-7, 3-42
operations 3-10
packet size, setting 3-15
PDU 3-10
proxy, creating 3-7
RFC 1213 compatibility 3-18
schema
configuring 3-37
monitoring 3-40
security features 3-5
server 3-3
server parameters, setting 3-14
traps 3-3, 3-19, 3-21, 3-23, 3-47
users, configuring 3-14
versions 3-5
view 3-3, 3-6
viewing status 3-44
virtual routers 3-7

snmp commands
bulkstats interfaces description-format
common 3-27
show snmp interfaces 3-19
snmp interfaces description-format
common 3-16
snmp-server 3-13
snmp-server community 3-14
snmp-server contact 3-15
snmp-server enable traps 3-22
snmp-server host 3-22
snmp-server interfaces compress 3-17
snmp-server interfaces
compress-restriction 3-18
snmp-server interfaces rfc1213 3-18
snmp-server location 3-15
snmp-server packetsize 3-15
snmp-server trap-proxy 3-24
snmp-server trap-source 3-23
snmp-server user 3-14
snmp trap ip link-status 3-23
snmp trap link-status 3-23
See also bulkstats, show bulkstats, and show
snmp commands
software
installing xix, 5-27
line rates 1-10
upgrading 5-23
software compatibility 5-5
software release file 4-22
specifying for reboot 8-5
software reset button 6-7, 6-10
software standards
draft RFCs B-8
non-RFC standards B-9
RFCs B-1
software versions, displaying 4-55, 8-11
SONET (synchronous optical network)
configuring 1-15
Space key 2-22, 2-28
speed command 4-14
SRP module
core dump file 4-47
reset button 6-10
SRP module redundancy 5-19
installing 5-20
managing 5-22
monitoring 5-17

14
Index

SRP modules
bandwidth 5-8
copying image 5-28
installing a redundant module 5-20
removing 5-2
replacing 5-5
synchronizing 5-25
srp switch command 5-23
SSH (Secure Shell Server protocol) 6-16 to 6-26
accessing the system 2-21
algorithm negotiation 6-17
client configuration 6-19
configuration prerequisites 6-20
configuring 6-21 to 6-24
connections 6-18
disabling 6-24
enabling 6-24
encryption, configuring 6-21
encryption algorithms
3des-cbc 6-21
blowfish-cbc 6-21
twofish-cbc 6-21
generating host keys 6-19
host key management 6-19
key exchange 6-17
message authentication
configuring 6-23
hmac-md5 6-24
hmac-sha1 6-24
hmac-sha1-96 6-24
monitoring 6-25 to 6-26
performance issues 6-19
security concerns 6-20
server public key files 4-22
terminating 6-26
user authentication 6-18
configuring 6-22
user key management 6-18
standards
draft RFCs B-8
hardware standards B-10
non-RFC software standards B-9
RFCs B-1
static host maps, adding 4-30
statistics, SNMP 3-24 to 3-42
statistics (.sts) files 4-22
status LEDs, monitoring 5-23
stratum 1 servers. See primary NTP servers
.sts files 4-22
Subinterface Configuration mode 2-32, 2-52

subinterfaces 1-6, 2-52

configuring 2-52
subtree 3-39
summer time, specifying 9-6
switchover 5-14 to 5-17
switch usage
line modules 5-8
synchronization, NTP 9-3, 9-4
synchronization process 5-25, 5-26
synchronization reserve file 5-26
synchronize command 5-21, 5-22, 5-26
synchronizing, NVS cards 5-25
syntax conventions defined xx
system
autoupgrade feature 4-3
basic parameters 6-1 to 6-11
booting 8-1 to 8-11
rebooting 8-5
command line interface. See CLI
configuring automatically 4-10
environment information 4-49
exiting 2-22
FTP client 4-28
FTP server 4-28
initializing line modules 2-20
levels of access 6-27, 6-28
logging/troubleshooting, commands
for 4-43 to 4-56
logging in 2-21
managing 4-1 to 4-2
monitoring 4-48 to 4-56
passwords 6-1 to 6-30
physical slots, rebooting 8-7
RADIUS password authentication 6-18
security 6-1 to 6-30
software reset button 6-7, 6-10
system configuration files 4-22
system name 4-2
timing 4-3
virtual router limitations 10-2
VPN and VRF limitations 10-2
system.log file 4-22
system clock 9-5 to 9-7
system configuration
saving current 4-11, 4-13
saving startup 4-11
system passwords. See passwords

15
ERX Edge Routers

T
T1 lines, controllers for 1-13
T3 interfaces
configuring 1-14
line rates 1-10
T3 lines, controllers for 1-13
Tab key 2-6, 2-22, 2-26
Telnet
access lists 6-16
client, using 4-39
configuring to listen in nondefault virtual
router 4-39
logins 2-21
telnet commands
telnet 4-39
telnet listen 4-39
telnet listen command 10-7
terminal
displaying configuration 4-19
displaying international characters 4-15
sending messages to 4-20
setting length (in lines) 4-14
setting width (in characters) 4-14
terminal commands
terminal data-character-bits 4-15
terminal length 4-14
terminal speed 4-14
terminal width 4-14
See also show terminal command
text conventions defined xx
text files 4-22
thermal protection mode 4-49
time limits, setting
for user input 4-16
for user login 4-16
timeout login response command 4-16
time zone, specifying 9-6
timing, system. See also system clock
timing, system
configuring 4-3
monitoring 4-4
timing commands
timing disable-auto-upgrade 4-3
timing select 4-3
timing source 4-4
trace command 2-33
traffic-class command 2-53
Traffic Class Configuration mode 2-32, 2-53
traffic-class-group command 2-53

Traffic Class Group Configuration mode 2-33,

2-53
transport protocols
xDSL, supported 1-4
traps, SNMP 3-3
configuring 3-19 to 3-24
operation 3-10
PDU type 3-10
status information 3-47
troubleshooting
commands for 4-43 to 4-56
core dump files 4-44
troubleshooting bandwidth errors 5-14
tunnel command 2-39
Tunnel Profile Configuration mode 2-33, 2-54
twofish-cbc encryption algorithm for SSH 6-21
.txt files 4-22

U
Universal Coordinated Time. See UTC
Up Arrow key 2-7, 2-28
updating the system software xix
upgrading software 5-23
uplink methods 1-3
user access, restricting 6-27 to 6-30
user authentication, configuring 6-22
See also authentication
User Exec mode 2-1, 2-33, 4-5
See also exiting Privileged Exec mode
user interface, customizing 4-13
user interface commands 4-5 to 4-14
user level access (CLI) 2-20, 2-33
UTC (Universal Coordinated Time) 9-6

V
vendor-specific attribute. See VSA
versions
displaying for hardware/software 8-11
displaying for software 4-55
SNMP 3-5
versions (hardware), displaying 5-33
view, SNMP 3-3, 3-6
viewing. See listing, show commands
virtual interfaces (subinterfaces) 1-6
virtual private network. See VPN
virtual-router command 3-7, 6-30
virtual router commands
ip vrf 10-7
virtual-router 10-7

16
Index

Virtual Router Redundancy Protocol (VRRP). See

VRRP
virtual routers 1-9, 10-1 to 10-10
configuring 10-4 to 10-10
default virtual router 10-1
map VR to domain map 10-4, 10-7
monitoring 10-8 to 10-10
name resolvers for multiple 4-42
NTP 9-1, 9-8, 9-12
restricting access 6-28
SNMP 3-7
managing 3-42
VPNs 10-1 to 10-3
VRFs 10-2 to 10-7
VSAs 6-29
with routing protocols 10-2, 10-6
VPN 10-1 to 10-3
VPN routing and forwarding instance. See VRF
VRF 10-2 to 10-7
VRF Configuration mode 2-33, 2-54
VRRP
backup router 1-29
master router 1-29
planning your network 1-29
VSA (vendor-specific attribute)
levels of CLI access 6-27
restricting access to virtual routers 6-28
vty lines
clearing 4-8
configuring 4-7
managing 4-7
monitoring 4-9
users of 4-36

W
waiting before command execution 4-7
warmStart, SNMP trap 3-21
while constructs, macro 7-13
width of terminal screen, setting 4-14
write memory command 4-13
writing macros 7-1 to 7-15

X
xDSL
protocols 1-4
session termination 1-3 to 1-4