System Configure Mode Commands
This chapter provides a reference for the system configure mode commands.
delay-profile interfaces
Use this command to go into the delay-profile mode to edit the parameters of the "interfaces" profile. In this mode, the user is able to edit the delay measurement profile parameters.
Command Syntax
delay-profile interfaces
Parameters
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.1.
Examples
#configure terminal
(config)#delay-profile interfaces
(config-dp-intf)#
delay-profile interfaces subcommands
The following commands are to edit the delay-profile parameters.
Note: According to IGP-TE RFC8570 and RFC7471, the advertised delay should be unidirectional. So when the mode is set to two-way, the advertised delay is “Average_RTT_delay / 2” and when the mode is set to one-way, the advertised delay is “Average_FWD_delay”. The default value is “two-way”.
Command Syntax
mode <two-way>|<one-way>
burst-interval <1000-15000>
burst-count <1-5>
interval < 30-3600>
sender-port <VALUE>
advertisement periodic
advertisement periodic threshold <1-100>
advertisement periodic minimum-change <0-10000>
no advertisement periodic
advertisement accelerated
advertisement accelerated threshold <1-100>
advertisement accelerated minimum-change <0-10000>
no advertisement accelerated
Parameters
one-way | The one-way value sets the mode to one-way measurement. |
two-way | The two-way value sets the mode to two-way measurement. |
<1000-15000> | Set the burst interval in milliseconds. The default value is 3000 milliseconds and the range is 1000-15000 milliseconds |
<1-5> | Set the number of packets to be sent at each burst interval. The default value is 1 and the range is 1-5 |
<30-3600> | Set the computation interval in seconds. The default computation interval is 30 seconds. The range is 30-3600 seconds. This will be used also as the periodic advertisement interval. |
<1-100> | Set the advertisement threshold percentage in the range of 1-100 (for periodic, default=10% and for accelerated, default=20% |
<1025-65535> | Set the TWAMP sender port value in the range 1025-65535. If not specified, the default value is 862) |
<0-10000> | Set the advertisement minimum change in microseconds in the range 0-10000 (for periodic, default=1000 and for accelerated, default=2000) |
Command Mode
delay-profile interfaces mode
Default
The default mode value is “two-way”.
Applicability
This command was introduced in OcNOS version 5.1.
Examples
#configure terminal
(config)#delay-profile interfaces
(config-dp-intf)#mode two-way
(config-dp-intf)#burst-count 5
(config-dp-intf)#burst-interval 3000
(config-dp-intf)#interval 30
(config-dp-int)#sender-port 862
(config-dp-intf)#advertisement periodic threshold 10
(config-dp-intf)#advertisement periodic minimum-change 1000
(config-dp-intf)#advertisement accelerated
(config-dp-intf)#advertisement accelerated threshold 20
(config-dp-intf)#advertisement accelerated minimum-change 2000
(config-dp-intf)#no advertisement periodic
(config-dp-intf)#commit
(config-dp-intf)#exit
(config)#
evpn mpls irb
Use this command to enable EVPN MPLS IRB (Integrated Routing & Bridging) feature.
Command Syntax
evpn mpls irb
Parameters
None
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 6.0.0
Examples
(config)#evpn mpls irb
The following table list the qualifiers for TCAM group.
Table 9-33: TCAM Group
Group | Qualifiers |
evpn-irb | L4 Ports Destination Port Source IP Destination IP Source/Destination MAC1/MAC2 Ethertype |
forwarding profile
Use this command to configure different forwarding profiles in hardware.
Use the no form of this command to set the forwarding profile to default.
Note: It is required to save the configuration and reboot the board for the new forwarding profile to come into effect in the hardware.
Use
show forwarding profile limit to verify the configured profile.
Command Syntax
forwarding profile (kaps (profile-one | profile-two)) | (elk-tcam (profile-one | profile-two | profile-three | custom-profile))
no forwarding profile (kaps) | (elk-tcam (custom-profile))
Parameters
For details about these profiles, see
show forwarding profile limit.
kaps
Internal KBP routing table
profile-one
KAPS profile one
profile-two
KAPS profile two
elk-tcam
External TCAM routing table
profile-one
external TCAM profile one
profile-two
external TCAM profile two
profile-three
external TCAM profile three
custom-profile
external TCAM custom profile
< 10-90>
percent of ipv4 routes
< 10-90>
percent of ipv6 routes
Default
The default forwarding profile are as below
Table 9-34:
Is ELK-TCAM present | KAPS | ELK-TCAM |
|---|
Yes | profile-two | profile-one |
No | profile-one | N/A |
Note:
1. elk-tcam profiles are supported only on hardware models which have external TCAM for routing.
2. forwarding profile-three is applicable on hardware model Agema AGC7648A.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version SP 1.0. The no version of the command was introduced in OcNOS version 5.0.
Examples
#configure terminal
(config)# forwarding profile elk-tcam profile-one
(config)# no forwarding profile elk-tcam
hardware-profile filter (Qumran1)
Use this command to enable or disable ingress IPv4 or IPv6, egress IPv6 filter groups, EVPN-MPLS,VxLAN filter and TWAMP IPv4 or IPv6 groups. Disabling filter groups increases the configurable filter entries.
Disabling a TCAM filter group is not allowed if the group has any entries configured in hardware. Group dependent entries must be explicitly removed before disabling the TCAM group.
Note:
• This feature is supported for IPv4 unicast and IPv4 BGP/MPLS VPN service based on RFC 8955.
• The qos, qos-ext, and qos-policer filter groups can only be used for Layer 2 and IPv4 traffic. For IPv6 traffic QoS classification and actions, users must enable the ingress-ipv6-qos group and create an IPv6 ACL which can be matched in a class-map for applying QoS actions. For more details, refer to the Quality of Service Guide.
• Usually the number of extended ingress filter groups that can be created at the same time is 3. If the PIM bidirectional feature is enabled, only 2 ingress extended filter groups can be created.
• The ipv4-ext and qos-policer grp parameters are not supported together.
• For better utilization of TCAM resources, it is recommended to enable the large groups first and then smaller groups. For example, Using admin credentials, configure evpn-mpls-mh as last filter as it is the smallest group.
Example 1
(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#hardware-profile filter ingress-ipv6 enable
(config)#hardware-profile filter qos-ext enable
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter evpn-mpls-mh enable
Example 2
(config)#hardware-profile filter ingress-ipv4-qos enable
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter vxlan enable
(config)#hardware-profile filter vxlan-mh enable
Example 3
(config)#hardware-profile filter qos-ext enable
(config)#hardware-profile filter egress-ipv4 enable
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#hardware-profile filter ingress-ipv4 enable
(config)#hardware-profile filter ingress-ipv4 enable
The twamp-ipv4 hardware profile sets up a PMF group to manage TWAMP IPv4 traffic, enabling precise hardware time stamping of TWAMP packets. These packets are identified by their source IP, destination IP, source UDP port, and destination UDP port. When a packet is recognized as a TWAMP packet, the bcmFieldActionOam action is applied, directing the packet to the OAMP module for time stamping. Additionally, the bcmFieldActionForward action is used to ensure the packet is encapsulated with the correct FEC. If the packet includes MPLS labels, the predefined qualifiers will not match. In this scenario, user-defined qualifiers are added to the same PMF group to identify the TWAMP packet.
The twamp-ipv6 hardware profile establishes two PMF groups to manage TWAMP IPv6 traffic, differentiating between MPLS and non-MPLS traffic due to the inability to fit user-defined qualifiers in a single PMF group. These groups ensure accurate hardware time stamping of TWAMP packets, identified by their source IPv6, destination IPv6, source UDP port, and destination UDP port. When a packet is recognized as a TWAMP packet, the bcmFieldActionOam action is applied, sending the packet to the OAMP module for time stamping. Additionally, the bcmFieldActionForward action ensures the packet is encapsulated with the correct FEC. If the packet includes MPLS labels, the predefined qualifiers will not match. In this case, user-defined qualifiers are added to identify the TWAMP packet, and since the IPv6 qualifiers cannot be included in the same group, they are created in a separate group.
Command Syntax
hardware-profile filter (ingress-l2|ingress-l2-ext|ingress-ipv4|ingress-ipv4-ext|ingress-ipv4-qos|ingress-ipv6|ingress-ipv6-ext|ingress-ipv6-ext-vlan|ingress-ipv6-qos|qos-ipv6|ingress-arp|qos|qos-ext|qos-policer|egress-l2|egress-ipv4|evpn-mpls-cw|evpn-mpls-mh|vxlan|vxlabn-mh|cfm-domain-name-str|twamp-ipv4|twamp-ipv6|twamp-ipv6-mpls|ipv4-bgp-flowspec|) (enable|disable)
Parameter
ingress-l2 | Ingress L2 ACL filter group. |
|---|
ingress-l2-ext | Ingress L2 ACL, QoS, mirror filter group. |
ingress-ipv4 | Ingress IP ACL filter group. |
ingress-ipv4-ext | Ingress IP ACL, mirror, PBR filter group. |
ingress-ipv4-qos | Ingress IPv4 group for ACL match QoS. |
ingress-ipv6 | Ingress IPv6 ACL, mirror, PBR filter group |
ingress-ipv6-ext | Ingress IPv6 group to support 128-bit address qualification support on physical interface. |
ingress-ipv6-ext-vlan | Ingress IPv6 group to support 128-bit address qualification support on vlan interface and subinterface. |
ingress-ipv6-qos | Ingress IPv6 group for ACL match QoS. |
qos-ipv6 | Ingress QOS IPv6 group for IPv6 QoS support with statistics. |
ingress-arp | Ingress ARP group. |
qos | Ingress QoS filter group |
qos-ext | Ingress QoS extended filter group. |
qos-policer | Ingress extended QoS group for hierarchical policer support. |
egress-l2 | Egress L2 ACL filter group |
egress-ipv4 | Egress IP ACL filter group. |
evpn-mpls-mh | Ingress EVPN MPLS Multi-Homing Forwarding Group |
vxlan | Ingress VxLAN Forwarding group |
vxlan-mh | Ingress VxLAN Multi-Homing Forwarding Group. |
cfm-domain-name-str | Egress CFM domain group. |
twamp-ipv4 | TWAMP IPv4 filter group. |
twamp-ipv6 | TWAMP IPv6 filter group. |
twamp-ipv6-mpls | TWAMP IPv6 MPLS filter group. |
ipv4-bgp-flowspec | BGP FlowSpec filter group. |
enable | Enable filter group. |
disable | Disable filter group |
Default
By default, all filter groups are disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3 and changed in OcNOS version 3.0.
Examples
OcNOS#configure terminal
OcNOS(config)#hardware-profile filter ingress-ipv4 enable
OcNOS(config)#hardware-profile filter ingress-ipv4 disable
OcNOS(config)#hardware-profile filter egress-ipv4 enable
OcNOS(config)#hardware-profile filter egress-ipv4 disable
Table 9-35: Supported groups and the feature dependency on the groups
Group | Key Size | Security | QoS | PBR | Mirror | Statistics |
|---|
| | | | | | QMX | QAX | QUX |
|---|
ingress-l2 | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
ingress-l2-ext | 320 | Yes | No | N/A | Yes | Yes | Yes | Yes |
ingress-ipv4 | 160 | Yes | No | No | No | Yes | Yes | Yes |
ingress-ipv4-ext | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
ingress-ipv4-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
ingress-ipv6 | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
Ingress-ipv6-ext | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
Ingress-ipv6-ext-vlan | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
ingress-ipv6-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
qos-ipv6 | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
qos | 160 | N/A | Yes | N/A | N/A | No | No | No |
qos-ext | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
qos-policer | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
egress-l2 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
egress-ipv4 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
cfm-domain-name-str | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
twamp-ipv4 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
twamp-ipv6 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
twamp-ipv6-mpls | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
Ipv4-bgp-flowspec | 320 | N/A | N/A | N/A | N/A | No | No | No |
Table 9-36: Comparison between basic and extended group qualifiers
Basic Group | Supported Qualifiers | Supported Action | Extended Group | Supported Qualifiers | Supported Action |
|---|
ingress-l2 | Source MAC Destination MAC Ether Type (ip, ipv6, mpls, arp, cfm, fcoe) VLAN ID Inner VLAN ID | Permit, Deny | ingress-l2-ext | Source MAC Destination MAC Ether Type VLAN ID Inner VLAN ID COS | Permit, Deny, Policer, Mirror, Assign Queue, COS Remark |
ingress-ipv4 | Source IP Destination IP IP Protocols L4 Ports | Permit, Deny | ingress-ipv4-ext | Source IP Destination IP IP Protocols L4 Ports DSCP VLAN ID Inner VLAN ID TCP flags | Permit, Deny, Mirror |
ingress-ipv6 | Source IPv6 (n/w part) Destination IPv6 (n/w part) IPv6 Protocols L4 Ports VLAN ID DSCP | Permit, Deny, Mirror, Assign Queue, | ingress-ipv6-ext | Source IPv6 address full 128 bits Destination IPv6 address full 128 bits L4 Ports IPv6 Protocols Physical interface | Permit, Deny, Assign Queue, DSCP Remark, Policer, Mirror |
qos | VLAN ID COS Inner VLAN ID Inner COS Ether Type DSCP Topmost EXP | Assign Queue, COS Remark, DSCP Remark, Policer | qos-ext | VLAN ID COS Inner VLAN ID Inner COS Ether Type DSCP Topmost EXP IP RTP L4 Ports Destination MAC Traffic type | Assign Queue, COS Remark, DSCP Remark, Policer |
Table 9-37: Qualifiers for other groups
Group | Qualifiers | Actions |
|---|
ingress-ipv6-ext-vlan | Source IPv6 address full 128 bits Destination IPv6 address full 128 bits L4 Ports IPv6 Protocols vlan interface subinterface | Permit, Deny, Assign Queue, DSCP Remark, Policer, Mirror |
egress-l2 | Source MAC Destination MAC VLAN ID Inner VLAN ID COS | Permit, Deny |
egress-ipv4 | Source IP Destination IP IP Protocols L4 Ports DSCP VLAN ID Inner VLAN ID | Permit, Deny |
qos-policer | VLAN ID COS Inner VLAN ID Inner COS Ether Type DSCP Topmost EXP IP RTP L4 Ports | Assign Queue, COS Remark, DSCP Remark, Policer, Hierarchical Policer and Storm Control |
ingress-ipv4-qos | Source IP Destination IP IP Protocols L4 Ports DSCP VLAN ID Inner VLAN ID TCP flags | Policer, Assign Queue, DSCP Remark |
ingress-ipv6-qos | Source IPv6 (n/w part) Destination IPv6 (n/w part) IPv6 Protocols L4 Ports VLAN ID DSCP | Assign Queue, DSCP Remark, Policer |
qos-ipv6 | IPv6 Protocols L4 Ports VLAN ID COS Inner VLAN ID Inner COS Ether Type DSCP | Assign Queue, COS Remark, DSCP Remark, Policer |
ingress-arp | ARP Request/Response ARP IP address ARP MAC address VLAN ID Inner VLAN ID | Permit, Deny |
cfm-domain-name-str | MA ID | |
twamp-ipv4 | - predefined qualifer IPV4_SIP - predefined qualifer IPV4_DIP - predefined qualifer L4_SRC_PORT - predefined qualifer L4_DST_PORT - user-defined qualifer MplsSrcIpv4_qual - user-defined qualifer MplsDstIpv4_qual - user-defined qualifer MplsUdpPorts_qual | |
twamp-ipv6 | For non-MPLS group: - predefined qualifer IPV6_SIP - predefined qualifer IPV6_DIP - predefined qualifer L4_SRC_PORT - predefined qualifer L4_DST_PORT For MPLS group: - user-defined qualifer MplsSrcIpv6_qual - user-defined qualifer MplsDstIpv6_qual - user-defined qualifer MplsUdpPorts_qual | |
|
Ipv4-bgp-flowspec | VRF ID Source IP Destination IP IP Protocols L4 Ports ICMP Type/Code TCP Flags PacketSize DSCP IP Fragmentation Note: The following traffic filter types of the components range value can be specified only with non-range value. • Type 3: IP Protocol • Type 7: ICMP type • Type 8: ICMP code • Type 10: Packet length • Type 11: DSCP (Diffserv Code Point) | |
hardware-profile filter (Qumran2)
Use this command to enable or disable ingress IPv4 or IPv6, egress IPv6 filter groups, EVPN-MPLS,VxLAN filter and TWAMP IPv4 or IPv6 groups. Disabling filter groups increases the configurable filter entries.
Disabling a TCAM filter group is not allowed if the group has any entries configured in hardware. Group dependent entries must be explicitly removed before disabling the TCAM group.
Note:
• This feature is supported for IPv4 unicast and IPv4 BGP/MPLS VPN service based on RFC 8955.
• Updating the access list may take a long time in a scaled configuration because the hardware must reshuffle the filter entries when configuring a high-priority filter.
• Use the ingress-IPv4-subif and ingress-IPv6-subif-ext groups when ACL is required on the sub-interfaces only. Use ingress-IPv4-ext and ingress-IPv6 groups when ACL is required on physical, sub-interface, LAG, and IRB interfaces.
For better utilization of TCAM resources it is recommended to enable large groups first and then smaller groups.
Example
hardware-profile filter qos-policer enable # QoS policer/storm control
hardware-profile filter ingress-ipv6 enable # IPV6 ACL
hardware-profile filter ingress-l2-subif enable # MAC ACL
hardware-profile filter ingress-ipv4-subif enable # IPv4 ACL
Command Syntax
hardware-profile filter (dhcp-snoop|dhcp-snoop-ipv6|egress-dst-ipv6|egress-ipv4|egress-ipv4-ext|egress-ipv6|egress-l2|egress-l2-ext|egress-l2-mlag|egress-qos-policer|egress-qos-policer-ext|egress-src-ipv6|ingress-arp|ingress-ipv4|ingress-ipv4-ext|ingress-ipv4-qos|ingress-ipv4-subif|ingress-ipv6|ingress-ipv6-ext|ingress-ipv6-ext-vlan|ingress-ipv6-qos|ingress-l2|ingress-l2-ext|ingress-l2-subif|ipsg|ipsg-ipv6|qos|qos-ext|qos-ipv6|qos-policer|evpn-mpls-cw|evpn-mpls-mh|vxlan|vxlan-mh|twamp-ipv4|twamp-ipv6|twamp-ipv6-mpls|vxlan|ipv4-bgp-flowspec|) (enable|disable)
Parameter
dhcp-snoop | Ingress DHCP Snooping group |
dhcp-snoop-ipv6 | Ingress IPv6 DHCP Snooping group |
ingress-arp | Ingress ARP group for ARP ACL support |
ingress-l2 | Ingress L2 ACL filter group. |
ingress-l2-ext | Ingress L2 ACL, QoS, mirror filter group. |
ingress-l2-subif | Ingress L2 group for ACL on L2/L3 Subinterfaces. |
ipsg | Ingress IP Source Guard group |
ipsg-ipv6 | Ingress IPv6 Source Guard group |
ingress-ipv4 | Ingress IP ACL filter group. |
ingress-ipv4-ext | Ingress IP ACL, mirror, PBR filter group. |
ingress-ipv4-qos | Ingress IPv4 group for ACL match QoS. |
ingress-ipv4-subif | Ingress IPv4 group for ACL on L2/L3 Subinterfaces. |
ingress-ipv6 | Ingress IPv6 ACL, mirror, PBR filter group |
ingress-ipv6-ext | Ingress IPv6 extended group with 128-bit address support for ACL , ACL match QOS on physical interfaces. |
ingress-ipv6-ext-vlan | Ingress IPv6 extended group with 128-bit address support for ACL, ACL match QOS on SVI interfaces. |
ingress-ipv6-qos | Ingress IPv6 group for ACL match QoS. |
qos-ipv6 | Ingress QOS IPv6 group for IPv6 QoS support with statistics. |
qos | Ingress QoS filter group |
qos-ext | Ingress QoS extended filter group. |
qos-ipv6 | Ingress QOS IPv6 group for IPv6 QoS support with statistics |
qos-policer | Ingress extended QoS group for hierarchical policer support with statistics. |
egress-l2 | Egress L2 ACL filter group |
egress-l2-mlag | Egress L2 group for ACL only on MLAG interface. |
egress-l2-ext | Egress L2 extended (mac) group for ACL on subinterface. |
egress-dst-ipv6 | Egress Destination IPv6 group for ACL |
egress-ipv4 | Egress IP ACL filter group. |
egress-ipv4-ext | Egress IPv4 extended group for ACL on subinterface |
egress-ipv6 | Egress IPv6 group for ACL |
egress-qos-policer | Egress QoS policer group only for physical and LAG interface |
egress-qos-policer-ext | Egress extended QOS policer group |
egress-src-ipv6 | Egress Source IPv6 group for ACL |
twamp-ipv4 | Ingress TWAMP IPv4 Forwarding group. |
twamp-ipv6 | Ingress TWAMP IPv6 Forwarding group. |
twamp-ipv6-mpls | Ingress TWAMP IPv6 MPLS Forwarding group. |
ipv4-bgp-flowspec | BGP FlowSpec filter group. |
evpn-mpls-mh | Ingress EVPN MPLS Multi-Homing Forwarding Group |
vxlan | Ingress VxLAN Forwarding group |
vxlan-mh | Ingress VxLAN Multi-Homing Forwarding Group. |
vxlan | Ingress Vxlan Forwarding group |
enable | Enable filter group. |
disable | Disable filter group |
Default
By default, all filter groups are disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3 and changed in OcNOS version 3.0.
Examples
OcNOS#configure terminal
OcNOS(config)#hardware-profile filter ingress-ipv4 enable
OcNOS(config)#hardware-profile filter ingress-ipv4 disable
OcNOS(config)#hardware-profile filter egress-ipv4 enable
OcNOS(config)#hardware-profile filter egress-ipv4 disable
Table 9-38: Supported groups and the feature dependency on the groups
Group | Key Size | Security | QoS | PBR | Mirror | Statistics |
|---|
| | | | | | Q2U | Q2A | Q2C, J2C+ |
|---|
dhcp-snoop | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
Dhcp-snoop-ipv6 | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
Ingress-arp | 320 | Yes | No | N/A | No | Yes | Yes | Yes |
ingress-l2 | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
ingress-l2-ext | 320 | Yes | No | N/A | Yes | Yes | Yes | Yes |
ingress-l2-subif | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
ingress-ipv4 | 160 | Yes | No | No | No | Yes | Yes | Yes |
ingress-ipv4-ext | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
ingress-ipv4-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
ingress-ipv4-subif | 160 | Yes | No | Yes | No | Yes | Yes | Yes |
ingress-ipv6 | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
Ingress-ipv6-ext | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
Ingress-ipv6-ext-vlan | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
ingress-ipv6-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
Ipsg | 160 | Yes | No | N/A | N/A | Yes | Yes | Yes |
Ipsg-ipv6 | 160 | Yes | No | N/A | N/A | Yes | Yes | Yes |
qos-ipv6 | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
qos | 160 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
qos-ext | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
qos-policer | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
egress-l2 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
egress-l2-ext | 160 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
egress-l2-mlag | 80 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
egress-dst-ipv6 | 160 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
egress-ipv4 | 160 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
egress-ipv4-ext | 160 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
Egress-ipv6 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
Egress-qos-policer | 160 | No | Yes | N/A | N/A | Yes | Yes | Yes |
Egress-qos-policer-ext | 160 | No | Yes | N/A | N/A | Yes | Yes | Yes |
Egress-src-ipv6 | 160 | Yes | No | N/A | N/A | Yes | Yes | Yes |
evpn-mpls-mh | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
vxlan | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
vxlan-mh | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
twamp-ipv4 (Having MPLS enabled SKUs) | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
Twamp-ipv4 (MPLS disabled SKUs) | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
twamp-ipv6 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
twamp-ipv6-mpls | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
Vxlan | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
Ipv4-bgp-flowspec | 320 | N/A | N/A | N/A | N/A | No | No | No |
Table 9-39: Comparison between basic and extended group qualifiers
Basic Group | Extended Qualifiers | Supported Actions | Extended Group | Supported Qualifiers | Supported Actions |
dhcp-snoop | SourcePort L4 DestinationPort IPv4 Protocol Destination Mac InterfaceClass Ethertype Vlan | | | | |
dhcp-snoop-ipv6 | L4 Destination port IP6NextHeader DstIp6High Ethertype | | | | |
ingress-l2 | Source MAC Destination MAC Ether Type VLAN ID Inner VLAN ID | Permit, Deny | ingress-l2-ext | Source MAC Destination MAC Ether Type VLAN ID Inner VLAN ID COS Inner CoS IPv4 Protocols | Permit, Deny, Policer, Mirror, Assign Queue, COS Remark |
ingress-l2-subif | Source Mac Destination Mac Ethertype | Permit, Deny | | | |
ingress-ipv4 | Source IP Destination IP IP Protocols L4 Dest Ports L4 Src Ports | Permit, Deny | ingress-ipv4-ext | Source IP Destination IP IP Protocols DSCP/ToS L4 Dest Ports L4 Src Ports VLAN ID Inner VLAN ID TCP flags Packet Length range check L4 Source/Destination Port Range Check | Permit, Deny, Mirror |
Ingress-ipv4-subif | Source IP Destination IP IPv4 Protocol Type L4 Destination Port L4 Source Port Packet Length Range Check L4 Source/Destination Port Range Check | Permit, Deny | | | |
ingress-ipv4-qos | Source IP Destination IP IPv4 Protocols L4 Destination Port L4 Source Port L4 Source/Destination Port Range Check DSCP VLAN ID Inner VLAN ID TCP flags | Policer, Assign Queue, DSCP Remark | | | |
ingress-ipv6 | Source IPv6 (n/w part) Destination IPv6 (n/w part) IPv6 NextHeader L4 Destination Port L4 Source Port VLAN ID IPv6 Traffic Class IPv6 Hop Limit L4 Source/Destination Port Range Packet Length Range Check | Permit, Deny, Assign Queue, Mirror | ingress-ipv6-ext | Source ipv6 address full 128 bits Destination ipv6 address full 128 bits L4 Destination Port L4 Source Port IPv6 NextHeader | Permit, Deny, Assign Queue, DSCP Remark, |
ingress-ipv6-ext-vlan | Source ipv6 address full 128 bits Destination ipv6 address full 128 bits L4 Destination Port L4 Source Port IPv6 NextHeader | Permit, Deny, Assign Queue, DSCP Remark, s | | | |
ingress-ipv6-qos | Source IPv6 (n/w part) Destination IPv6 (n/w part) IPv6 NextHeader L4 Destination Port L4 Source Port L4 Source/Destination Port Range VLAN ID IPv6 Traffic Class | Assign Queue, DSCP Remark, Policer | | | |
ipsg | Source MAC Source IP VLAN ID | | | | |
Ipsg-ipv6 | Source MAC Source IP6 High VLAN ID | | | | |
Table 9-40: Qualifiers for other groups
Group | Supported Qualifiers | Supported Actions | Extended Group | Supported Qualifiers | Supported Actions |
egress-l2 | Source MAC Destination MAC VLAN ID Inner VLAN ID CoS Inner CoS | Permit, Deny | egress-l2-ext | Source Mac Destination Mac VLAN ID Inner VLAN ID CoS Inner CoS | Permit, Deny |
egress-l2-mlag | Source Port Destination Port Layer Record Type | Deny | | | |
egress-ipv4 | Source IP Destination IP IPv4 Protocol L4 Destination Port L4 Source Port DSCP VLAN ID Inner VLAN ID | Permit, Deny | egress-ipv4-ext | Source IP Destination IP IPv4 Protocol L4 Destination Port L4 Source Port DSCP VLAN ID Inner VLAN ID | Permit, Deny |
egress-dst-ipv6 | Destination IPv6 High (N/W part) IPv6 Next Header IPv6 Traffic Class L4 Destination Port L4 Source Port | Permit, Deny | | | |
egress-ipv6 | Destination IPv6 High (N/W part) Source IPv6 High (N/W part) IPv6 Next Header IPv6 Traffic Class L4 Destination Port L4 Source Port VLAN ID | Permit, Deny | | | |
egress-qos-policer | Destination Mac VLAN ID CoS DSCP L4 Destination Port L4 Source Port IPv4 Protocols | Policer | egress-qos-policer-ext | Destination Mac VLAN ID CoS DSCP L4 Destination Port L4 Source Port IPv4 Protocols SVI interface Subinterface | Policer |
egress-src-ipv6 | Source IPv6 High (N/W part) IPv6 Next Header IPv6 Traffic Class L4 Destination Port L4 Source Port | Permit, Deny | | | |
qos | Ether Type VLAN ID CoS Inner VLAN ID Inner CoS DSCP Topmost EXP IP Flags | Assign Queue, COS Remark, DSCP Remark, Policers | qos-ext | Ether Type VLAN ID COS Inner VLAN ID Inner COS DSCP Topmost EXP IP Flags IP Protocols L4 Destination Port L4 Source Port L4 Source/Destination Port Range | Assign Queue, COS Remark, DSCP Remark, Policer |
evpn-mpls-mh | USER_DEFINED_IP MPLS LABEL | | | | |
vxlan | | | | | |
vxlan-mh | Source IP
Destination IP | | | | |
qos-policer | Destination MAC Ether Type VLAN ID COS Inner VLAN ID Inner CoS DSCP IP Protocols IP Flags Topmost EXP L4 Destination Port L4 Source Port L4 Source/Destination Port Range Traffic type | Assign Queue, COS Remark, DSCP Remark, Policer, Hierarchical Policer and Storm Control | | | |
qos-ipv6 | Ether Type VLAN ID COS Inner VLAN ID Inner CoS IPv6 Next Header IPv6 Traffic Class L4 Destination Port L4 Source Port L4 Source/Destination Port Range | Assign Queue, COS Remark, DSCP Remark, Policer | | | |
ingress-arp | ARP Request/Response ARP IP address ARP MAC address VLAN ID Inner VLAN ID | Permit, Deny | | | |
twamp-ipv4 | IPv4 Source IP IPv4 Destination IP UDP Source port UDP Destination port IPv4 Type of Service | | | | |
twamp-ipv6 | UDP Source port UDP Destination port IPv6 Source IP IPv6 Destination IP | | | | |
twamp-ipv6-mpls | UDP Source port UDP Destination port IPv6 Source IP IPv6 Destination IP | | | | |
vxlan | Forwarding Types Ethernet Type IPv4 Y1731 | | | | |
Ipv4-bgp-flowspec | VRF ID Source IP Destination IP IP Protocols L4 Ports ICMP Type/Code TCP Flags PacketSize DSCP IP Fragmentation The following traffic filter types of the components range value can be specified only with non-range value. Type 3: IP Protocol Type 7: ICMP type Type 8: ICMP code Type 10: Packet length Type 11: DSCP (Diffserv Code Point) | | | | |
Table 9-41: Total available entries for each group
Group Name | Q2U | Q2A | Q2C | Q2C+ |
dhcp-snoop | 10240 | 10240 | 19456 | 19456 |
dhcp-snoop-ipv6 | 10240 | 10240 | 19456 | 19456 |
Ingress-arp | 4608 | 4608 | 8704 | 8704 |
Ingress-l2 | 10240 | 10240 | 19456 | 19456 |
Ingress-l2-ext | 4608 | 4608 | 8704 | 8704 |
Ingress-l2-subif | 10240 | 10240 | 19456 | 19456 |
Ipsg | 10240 | 10240 | 19456 | 19456 |
Ipsg-ipv6 | | | | |
Ingress-ipv4 | 10240 | 10240 | 19456 | 19456 |
Ingress-ipv4-ext | 4608 | 4608 | 8704 | 8704 |
Ingress-ipv4-qos | 4608 | 4608 | 8704 | 8704 |
Ingress-ipv4-subif | 10240 | 10240 | 19456 | 19456 |
Ingress-ipv6 | 4608 | 4608 | 8704 | 8704 |
Ingress-ipv6-ext | 4608 | 4608 | 8704 | 8704 |
ingress-ipv6-ext-vlan | 4608 | 4608 | 8704 | 8704 |
Ingress-ipv6-qos | 4608 | 4608 | 8704 | 8704 |
Qos-ipv6 | 4608 | 4608 | 8704 | 8704 |
Qos | 4605/4608 | 4608 | 8704 | 8704 |
Qos-ext | 4605/4608 | 4608 | 8704 | 8704 |
Qos-policer | 4605/4608 | 4608 | 8704 | 8704 |
Egress-l2 | 4608 | 4608 | 8704 | 8704 |
Egress-l2-ext | 10240 | 10240 | 19456 | 19456 |
Egress-l2-mlag | 20480 | 20480 | 38912 | 38912 |
Egress-dst-ipv6 | 10240 | 10240 | 19456 | 19456 |
Egress-ipv4 | 10240 | 10240 | 19456 | 19456 |
Egress-ipv4-ext | 10240 | 10240 | 19456 | 19456 |
Egress-ipv6 | 4608 | 4608 | 8704 | 8704 |
Egress-qos-policer | 10240 | 10240 | 19456 | 19456 |
Egress-qos-policer-ext | 10240 | 10240 | 19456 | 19456 |
Egress-src-ipv6 | 10240 | 10240 | 19456 | 19456 |
Twamp-ipv4 | 4608 | 4608 | 8704 | 8704 |
Twamp-ipv6 | 4608 | 4608 | 8704 | 8704 |
Twamp-ipv6-mpls | 4608 | 4608 | 8704 | 8704 |
Vxlan | 10240 | 10240 | 19456 | Not supported |
hardware-profile flowcontrol
Use this command to globally enable or disable hardware-based flow control.
Syntax
hardware-profile flowcontrol (disable|enable)
Parameters
disable
Disable flow control globally
enable
Enable flow control globally
Default
By default flow control is disabled.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 3.0.
Examples
#configure terminal
(config)#hardware-profile flowcontrol enable
hardware-profile service-queue
Use this command to set the number of service-queue counts to create in hardware.
Use the no form of this command to set the service queue profile to default
Note: Reboot the switch after giving this command for the changes to take effect.
Command Syntax
hardware-profile service-queue (profile1| profile2)
no hardware-profile service-queue
Parameter
profile1
Supports new 4 queue-bundle per service (default)
profile2
Supports new 8 queue-bundle per service
Default
By default, profile1 is enabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
This command is only available on Qumran platforms.
Examples
#configure terminal
(config)#hardware-profile service-queue profile2
(config)#no hardware-profile service-queue
hardware-profile statistics
Use this command to enable or disable filter statistics in hardware.
Note: In Q1, you must reboot the switch after giving this command for the changes to take effect. For Q2, Statistic profiles are updated dynamically.
Note: If both ACL and QOS statistics are required on the same interface, then both ingress-acl and ingress-qos profiles must be enabled and this will limit other profiles from being enabled. More details on restrictions explained below.
Note: When any two or all of MAC ACL or IP ACL or QoS service-policy are configured on the same interface or in its dependent interface, their entries will use statistics entries from ingress-acl statistics profile, and as a result the statistics is updated on only one entry based on the hardware-profile filter created later.
Note: Cfm-slm statistics is supported only on Q2 devices.
Command Syntax
hardware-profile statistics (ac-lif|cfm-ccm|cfm-lm |cfm-slm|ingress-acl|ingress-qos|egress-acl|mpls-pwe|tunnel-lif|voq-full-color|voq-fwd-drop) (enable|disable)
Parameter
ac-lif
VXLAN access ports statistics
cfm-ccm
Cfm ccm counter statistics
cfm-lm
Cfm Loss Measurements statistics
cfm-slm
Cfm Synthetic Loss Measurements statistics
tunnel-lif
VXLAN tunnels statistics
ingress-acl
Ingress ACL, QoS, and PBR statistics
ingress-qos
Ingress QoS statistics (explicit)
egress-acl
Egress ACL statistics
mpls-pwe
Pseudowire logical interfaces statistics
voq-full-color
Statistics for all VOQ counters
voq-fwd-drop
Statistics for forward drop VOQ counters
enable
Enable statistics
disable
Disable statistics
Default
In Q1, By default, only ingress-acl statistics profile is enabled. Other statistics profiles are disabled.
In Q2, By default, voq-full-color, cfm-ccm statistics profile is enabled. Other statistics profiles are disabled. The voq-full-color cannot be disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3 and this command is applicable for Qumran. The voq- full-color and voq-fwd-drop,cfm-slm,cfm-lm and cfm-ccm options are applicable for Qumran2.
Examples
#configure terminal
(config)#hardware-profile statistics tunnel-lif enable
Table 9-42 provides details of scalable numbers of each statistics profiles and the applications that use the statistics profiles. For example, the
ingress-acl profile is used by ACL, QoS, and PBR applications and all of them share the statistics entries from this profile. So, consuming 8k statistics entries for ACL application means that QOS and PBR applications do not get any statistics.
There are limitations on the number of statistics profiles that can be enabled at a time. This limitation is based on the stages that each profile uses.
Table 9-42 shows the four stages: ingress, ingress queuing, egress1, and egress2; and only two statistics profiles per stage can be configured.
For example, if both the ingress-acl and mpls-acl profiles are configured, then no more profiles that use the “ingress stage” can be enabled because only two profiles are allowed per stage. To use another “ingress-based” profile, you must first disable at least one of the profiles that are currently using the ingress stage.
Table 9-42: Qumran 1 Statistics profile capacity (maximum numbers in best case scenario)
Statistics profile | Stage | QMX | QAX | QUX | Application |
|---|
ingress-acl | Ingress | ~8k | ~6k | ~1.5K | Ingress ACL, QoS, PBR |
egress-acl | Egress1 | ~8k | ~2k | ~2k | Egress ACL |
ingress-qos | Ingress | ~8k | ~6k | ~1.5K | QoS |
voq-full-color | Ingress queuing | ~13k | ~6k | ~6K | QoS (queue statictics) |
voq-fwd-drop | Ingress queuing | ~32k | ~16k | ~16K | QoS (queue statictics) |
tunnel-lif | Ingress
Egress2 | ~16k | N/A | N/A | VXLAN and MPLS (LSP/tunnels) |
mpls-pwe | Ingress
Egress2 | ~16k | ~8k | ~1K | MPLS (pseudowire) |
cfm-ccm | Ingress | ~3k | ~800 | ~800 | CFM (ccm) |
cfm-lm | Ingress
Egress2 | ~6k | ~1.5k | NA | CFM (loss measurement) |
ac-lif | Ingress
Egress2 | ~32k | N/A | N/A | VXLAN and MPLS (access-port) |
Table 9-43: Qumran2 Statistics profile capacity (maximum numbers in best case scenario)
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
hardware-profile bgp-flowspec-mode
Use this command to set BGP flowspec mode that specifies the installation rules to the hardware.
Note: No support for Install-partial option in Q2.
Setting hardware profile to bgp-flowspec-mode requires, disabling and enabling the ipv4-bgp-flowspec to take effect.
Chose a appropriate option based on usage. Use install-all option for normal case.
Syntax
hardware-profile bgp-flowspec-mode (install-all|install-partial|no-prioritizing)
Parameters
install-all
FLOWSPEC rules are prioritized. The already installed all rules are reinstalled when a new rule is added. (default)
install-partial
FLOWSPEC rules are prioritized. Do not reinstall all previously installed rules when a new rule is added to avoid unnecessary reinstallation.
no-prioritizing
FLOWSPEC rules are not prioritized. Install only rules requested to add but not reinstall any other rules when a new rule is added.
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.3.5.
Example
(config)#hardware-profile filter ipv4-bgp-flowspec disable
(config)#commit
(config)#hardware-profile bgp-flowspec-mode no-prioritizing
(config)#commit
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#commit
ip redirects
Use this global command to trap ICMP redirect packets to the CPU and on interface to enable ICMP redirects in kernel.
Use the no form of this command to disable the ICMP redirect message on an interface.
Note: This command is applicable for both ipv4 and ipv6 interfaces.
Syntax
ip redirects
no ip redirects
Parameters
None
Default
None
Command Mode
Configure and Interface mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#configure terminal
(config)#ip redirects
(config)#no ip redirects
#configure terminal
(config)#interface xe1/1
(config-if)#ip redirects
#configure terminal
(config)#interface xe1/1
(config-if)#no ip redirects
load-balance enable
Use this command to enable load-balancing configurations in hardware.
Use the no option to reset the load balancing to default settings.
Note: When the command load-balance enable is issued, the default load-balance settings are unset. User then has to configure the new load-balancing parameters.
Command Syntax
This form unsets load balancing globally:
load-balance enable
This form resets load balancing globally to default settings:
no load-balance enable
By default, load balancing is enabled for ECMP and LAG.
This form sets hashing based on IPv4 fields:
load-balance (ipv4 {src-ipv4 | dest-ipv4 | srcl4-port | destl4-port | protocol-id})
no load-balance (ipv4 {src-ipv4 | dest-ipv4 | srcl4-port | destl4-port | protocol-id})
This form sets hashing based on IPv6 fields:
load-balance (ipv6 {src-ipv6 | dest-ipv6 | srcl4-port | destl4-port | protocol-id | next-hdr})
no load-balance (ipv6 {src-ipv6 | dest-ipv6 | srcl4-port | destl4-port | protocol-id | next-hdr})
This form sets hashing based on L2 fields:
load-balance (l2 {dest-mac|src-mac|ether-type|vlan})
no load-balance (l2 {dest-mac|src-mac|ether-type|vlan})
This form sets hashing on an MPLS fields:
load-balance (mpls {labels})
no load-balance (mpls {labels})
Following additional parameters are supported on Dune DNX boards:
load-balance inner-ipv4 ({non-symmetric| protocol-id| src-dest-ipv4})
no load-balance inner-ipv4 ({non-symmetric| protocol-id| src-dest-ipv4})
load-balance inner-l2 ({ether-type| non-symmetric| src-dest-mac| vlan})
no load-balance inner-l2 ({ether-type| non-symmetric| src-dest-mac| vlan})
load-balance src-dest-l4port (non-symmetric)
no load-balance src-dest-l4port
Note: The configured load balancing parameters are global and will be applicable to all LAG & ECMP created in the hardware.
Parameters
ipv4
Load balance IPv4 packets
src-ipv4
Source IPv4 based load balancing
dest-ipv4
Destination IPv4 based load balancing
srcl4-port
Source L4 port based load balancing
destl4-port
Destination L4 port based load balancing
protocol-id
Protocol ID based load balancing
ipv6
Load balance IPv6 packets
src-ipv6
Source IPV6 based load balancing
dest-ipv6
Destination IPv6 based load balancing
srcl4-port
Source L4 port based load balancing
destl4-port
Destination L4 port based load balancing
l2
Load balance L2 packets
src-dest-mac
Source Destination based load balancing
non-symmetric
Non symmetrical based load balancing
ether-type
Ether-type based load balancing
Vlan
VLAN-based load balancing
mpls
Load balance MPLS packets
labels
label stack based load balancing
inner-ipv4
Load balancing on IPv4 packet
inner-l2
Load balancing on L2 packet
src-dest-l4port
Source Destination l4port based load balancing
non-symmetric
Non symmetric based load balancing
protocol-id
Protocol Id based load balancing
src-dest-ipv4
Source Destination IPV4 based load balancing
ether-type
Ether-type based load balancing
src-dest-mac
Source Destination based load balancing
next-hdr
Next Header Field for IPV6
src-dest-ipv6
Source Destination IPV6 based load balancing
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 3.0.
Examples
(config)#load-balance enable
(config)#load-balance ipv4 src-ipv4
show forwarding profile limit
Use this command to display the forwarding profile table sizes.
Note: 1k is 1024 entries.
Command Syntax
show forwarding profile limit
Parameters
None
Default
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version SP 1.0.
Examples
#show forwarding profile limit
------------------------------------------------------------------------------
L3 (Ipv4/Ipv6) KAPS Forwarding Profile
------------------------------------------------------------------------------
Active (*) Configured (*) Profile-type IPv4-db-size IPv6-db-size
profile-one NA NA
* * profile-two - 200k
------------------------------------------------------------------------------
L3 (Ipv4/Ipv6) ELK TCAM Forwarding Profile
------------------------------------------------------------------------------
Active (*) Configured (*) Profile-type IPv4-db-size IPv6-db-size
* * profile-one ~1024k -
profile-two - ~1024k
profile-three ~2048k -
NOTE: for external-tcam profile-three, URPF should be disabled &
number of vrf's limited to 255
------------------------------------------------------------------------------
L2 forwarding table
------------------------------------------------------------------------------
Max Entries: 768k
NOTE: 1k is 1024 entries
#
show hardware-profile filters
Use this command to show details of TCAM filter groups which are enabled. By default, all filter groups are disabled.
Command Syntax
show hardware-profile filters
Parameter
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 3.0.
Examples
#show hardware-profile filters
Note: Shared count is the calculated number from available resources.
Dedicated count provides allocated resource to the group.
If group shares the dedicated resource with other groups, then dedicated
count of group will reduce with every resource usage by other groups.
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 10495 0 1 10486 2048 8448
Table 9-44 explains the output fields.
Table 9-44: show hardware-profile filters
Field | Description |
|---|
Ingress | Ingress filtering is a method used to prevent suspicious traffic from entering a network. |
TCAMS | Number of ternary content addressable memory (TCAM) entries a particular firewall filter. |
Free Entries | Number of TCAM filter entries available for use by the filter group. |
Used Entries | Number of TCAM filter entries used by the filter group. |
Total Entries | Number of TCAM total filter entries to the filter group. |
Dedicated Entries | Number of TCAM filter entries dedicated to the filter group. |
Shared Entries | Number of TCAM filter entries shared to the filter groups. |
Operational details of TCAM profiles
TCAM group statistics comprises of three parts:
• Total Entries – Total configurable entries on the TCAM group. Total has two parts. One is dedicated and other is shared. Dedicated count is the guaranteed entry count for the group. Shared count a logical count calculated for the group from shared pool available at the time of show command execution
• Used Entries – Count of entries that have been configured on the TCAM group. Used entries are shown are shown in percentage format as well as an indication of how much TCAM space is used up. However, percentage calculation includes shared pool and subject to change drastically when shared pool is taken up by different group.
• Free Entries – Count of possible remaining entries on the TCAM group. Free entries count is not the guaranteed count as the count includes the shared pool count into account.
When a TCAM group is enabled in the device, no hardware resource (bank) is associated with the group. Thus, dedicated count will be initially zero. Total count will be same as shared count which is calculated based on the group width. Group width is determined by width consumed by the qualifiers or width consumed by the actions.
Example of show output when qos-ext group is enabled on QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 10496 0 0 10496 0 10496
When an entry is created on the group for the first time, either a single bank or a bank pair is allocated to the group. A group consuming single bank or a bank pair is decided by group width. Groups like qos, ingress-l2, and ingress-ipv4 consume single bank and groups like qos-ext, qos-policer, ingress-l2-ext, ingress-ipv4-ext, ingress-ipv4-qos, ingress-ipv6, ingress-ipv6-qos, egress-l2, and egress-ipv4 consume a bank pair.
An example of output when a single entry is created in hardware for qos-ext group on QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 10495 0 1 10496 2048 8448
In the above example, dedicated entry count has increased to 2048 as a bank pair is allocated for the group. Unallocated banks capacity is calculated for qos-ext group and counted under shared entries as 8448.
An example of output when 2048 entries are created in hardware for qos-ext group and ingress-l2 and ingress-ipv4-ext groups is enabled with no entries created on those groups for QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 8448 20 2048 10496 2048 8448
INGRESS L2 16896 0 0 16896 0 16896
INGRESS IPV4-EXT 8448 0 0 8448 0 8448
In the above example, note that the number of entries between ingress-l2 and ingress-ipv4-ext groups vary as ingress-l2 group is a 160-bit wide group consuming only one bank at a time. On the other hand, ingress-ipv4-ext group is 320 bit wide group consuming a group pair at a time. With a bank pair already being consumed by qos-ext group, ingress-ipv4-ext group gets possible total entries of 8448 in comparison to 10496 by qos-ext group.
When all the created entry count goes beyond the entries of dedicated bank pair (or a bank), group will be allocated with another bank pair (or a bank) and subsequently shared pool count will reduce across all other groups.
An example of output when 2049 entries are created in hardware for qos-ext group with ingress-l2 and ingress-ipv4-ext groups enabled with no entries created on those groups for QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 8447 20 2049 10496 4096 6400
INGRESS L2 12800 0 0 12800 0 12800
INGRESS IPV4-EXT 6400 0 0 6400 0 6400
When a bank is consumed by ingress-l2 group, effect on qos-ext group will still be the count of a bank pair with one bank not usable for qos-ext group even if it is available. The bank can be used by groups which consume single bank.
An example of output when an entry is created in hardware for ingress-l2 group with qos-ext and ingress-ipv4-ext groups in the state as mentioned in above example is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 6399 24 2049 8448 4096 4352
INGRESS L2 12799 0 1 12800 2048 10752
INGRESS IPV4-EXT 4352 0 0 4352 0 4352
In the above example scenario, it can be noted that the used entry percentage for qos-ext group jumped from 20 to 24 as a result of drastic reduction in total entry count due to bank movement from shared pool to dedicated bank.
Hardware doesn’t optimize the utilization of banks when entries are removed from one of the banks resulting in entries used shown up less than capacity of one bank but still multiple banks would be dedicated to a group.
An extended example of above scenario with 10 entries removed from qos-ext group is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 6409 24 2039 8448 4096 4352
INGRESS L2 12799 0 1 12800 2048 10752
INGRESS IPV4-EXT 4352 0 0 4352 0 4352
It can be noted that the used entry count has come down to 2039 which is less than the capacity of bank pair i.e. 2048. However, since entries are used up across two set of bank pairs, both bank pairs will still be dedicated. If there is a need to recover bank pair from dedicated pool, all the entries should be deleted and re-created in hardware.
TCAM groups are further divided into sub-categories which can share the dedicated banks between the groups. TCAM groups such as ingress-l2, ingress-l2-ext, ingress-ipv4, ingress-ipv4-ext, ingress-ipv4-qos, qos, qos-ext, qos-policer are considered under default sub-category and don't serve IPv6 traffic. TCAM groups such as ingress-ipv6, ingress-ipv6-qos, and qos-ipv6 are meant for IPv6 traffic and are considered under IPv6 sub-category.
Only four 320-bit wide groups that belong to same sub-category can be created. For default sub-category, number is limited to three as system group will be created by default.
When three default sub-category groups are created along with one group from IPv6 sub-category, one of the default sub-category group will share the bank pair with IPv6 group. This will result in dedicated count to be shown lesser by the number that the other shared group is consuming. With every single resource consumed by one group will reduce the same number from other shared group.
An example of above scenario is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
QOS-EXT 6399 0 1 6400 2048 4352
INGRESS IPV4-ACL-EXT 6398 0 2 6400 2048 4352
INGRESS IPV4-QOS 6382 0 1 6383 2031 4352
INGRESS IPV6-ACL 6382 0 17 6399 2047 4352
Note that ingress-ipv4-qos group has shared the resource with ingress-ipv6 group. TCAM group ingress-ipv4-qos has consumed 1 entry and ingress-ipv6 group has consumed 17 entries. Hence, dedicated count for ingress-ipv4-qos group is shown as 2031 (2048 - 17) and dedicated count for ingress-ipv6 group is shown as 2047 (2048 - 1).
Capacity of TCAM profiles
Entries created on other TCAM groups affect the capacity of a particular TCAM group. This dependency is explained in the section
Operational details of TCAM profiles.
In this section maximum configurable entries per group when no entries created on other groups are listed below.
Table 9-45: Maximum configurable entries
TCAM Groups | QMX | QAX | QUX |
|---|
ingress-l2 | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
ingress-l2-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 +256 x 1) | 1792 |
ingress-ipv4 | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
ingress-ipv4-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
ingress-ipv4-qos | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
ingress-ipv6 | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
ingress-ipv6-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
ingress-ipv6-ext-vlan | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
ingress-ipv6-qos | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
qos-ipv6 | 12288 (2048 x 6) | 5120 (1024 x 5) | 1792 |
qos | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
qos-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
qos-policer | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
egress-l2 | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
egress-ipv4 | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
cfm-domain-name-str | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
Combination of TCAM profiles
Device supports configuration of only one egress group in the system. Hence out of the egress groups cfm-domain-name-str, egress-l2 and egress-ipv4, only one egress group can be enabled.
In other words, solution with CFM features enabled, cannot have egress security filters.
Configuration of ingress groups are subject to the sub-category to which a group belongs. Sub-category of each group is shown below:
Table 9-46: Sub-category of groups
Category | Groups in the category |
|---|
default (ingress) | ingress-l2 ingress-l2-ext ingress-ipv4 ingress-ipv4-ext ingress-ipv4-qos qos qos-ext qos-policer |
Ipv6 (ingress) | ingress-ipv6, ingress-ipv6-qos, qos-ipv6, ingress-ipv6-ext, ingress-ipv6-ext-vlan |
default (egress) | egress-l2, egress-ipv4 |
cfm (egress) | cfm-domain-name-str |
Note: Per sub-category, not more than three groups can be created if the group key size is 320 bits wide.
show nsm forwarding-timer
Use this command to display the information of Graceful Restart capable MPLS clients to NSM that are currently shutdown. Use the option LDP or RSVP to see the particular module information.
Command Syntax
show nsm (ldp| rsvp) forwarding-timer
Parameters
ldp
Use this parameter to display the protocol LDP information.
rsvp
Use this parameter to display the protocol RSVP information.
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 5.0.
Example
#sh nsm rsvp forwarding-timer
Protocol-Name GR-State Time Remaining (sec) Disconnected-time
RSVP ACTIVE 100 2021/08/18 04:49:23
#sh nsm ldp forwarding-timer
Protocol-Name GR-State Time Remaining (sec) Disconnected-time
LDP ACTIVE 111 2021/08/18 04:50:37
#sh nsm forwarding-timer
Protocol-Name GR-State Time Remaining (sec) Disconnected-time
LDP ACTIVE 110 2021/08/18 04:50:37
RSVP ACTIVE 96 2021/08/18 04:49:23
show queue remapping
Use this command to display the traffic class-to-hardware-queue mapping in hardware.
Command Syntax
show queue remapping
Parameters
N/A
Default
N/A
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
This command is only available on Qumran platforms.
Examples
When service-queue profile1 is set:
#show queue remapping
Port queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| 5 | 5 |
| 6 | 6 |
| 7 | 7 |
+------------+-----------------------+
Service queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 1 |
| 3 | 1 |
| 4 | 2 |
| 5 | 2 |
| 6 | 3 |
| 7 | 3 |
+------------+-----------------------+
When service-queue profile2 is set:
#show queue remapping
Port queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| 5 | 5 |
| 6 | 6 |
| 7 | 7 |
+------------+-----------------------+
Service queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| 5 | 5 |
| 6 | 6 |
| 7 | 7 |
+------------+-----------------------+