System Configure Mode Commands
This chapter provides a reference for the system configure mode commands.
delay-profile interfaces
Use this command to go into the delay-profile mode to edit the parameters of the "interfaces" profile. In this mode, the user is able to edit the delay measurement profile parameters.
Command Syntax
delay-profile interfaces
Parameters
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.1.
Examples
#configure terminal
(config)#delay-profile interfaces
(config-dp-intf)#
 
delay-profile interfaces subcommands
Use the following commands to edit the delay-profile parameters.
Note: According to IGP-TE RFC8570 and RFC7471, the advertised delay should be unidirectional. So when the mode is set to two-way, the advertised delay is “Average_RTT_delay / 2” and when the mode is set to one-way, the advertised delay is “Average_FWD_delay”. The default value is “two-way”.
Command Syntax
mode <two-way>|<one-way>
burst-interval <1000-15000>
burst-count <1-5>
interval <30-3600>
sender-port <1025-65535>
advertisement periodic
advertisement periodic threshold <1-100>
advertisement periodic minimum-change <0-10000>
no advertisement periodic
advertisement accelerated
advertisement accelerated threshold <1-100>
advertisement accelerated minimum-change <0-10000>
no advertisement accelerated
Parameters
one-way
The one-way value sets the mode to one-way measurement.
two-way
The two-way value sets the mode to two-way measurement.
<1000-15000>
Set the burst interval in milliseconds. The default value is 3000 milliseconds and the range is 1000-15000 milliseconds.
<1-5>
Set the number of packets to be sent at each burst interval. The default value is 1 and the range is 1-5.
<30-3600>
Set the computation interval in seconds. The default computation interval is 30 seconds and the range is 30-3600 seconds. This value is also used as the periodic advertisement interval.
<1-100>
Set the advertisement threshold percentage in the range 1-100 (for periodic, default=10%; for accelerated, default=20%).
<1025-65535>
Set the TWAMP sender port value in the range 1025-65535. If not specified, the default value is 862.
<0-10000>
Set the advertisement minimum change in microseconds in the range 0-10000 (for periodic, default=1000; for accelerated, default=2000).
Command Mode
delay-profile interfaces mode
Default
The default mode value is “two-way”.
Applicability
This command was introduced in OcNOS version 5.1.
Examples
#configure terminal
(config)#delay-profile interfaces
(config-dp-intf)#mode two-way
(config-dp-intf)#burst-count 5
(config-dp-intf)#burst-interval 3000
(config-dp-intf)#interval 30
(config-dp-intf)#sender-port 862
(config-dp-intf)#advertisement periodic threshold 10
(config-dp-intf)#advertisement periodic minimum-change 1000
(config-dp-intf)#advertisement accelerated
(config-dp-intf)#advertisement accelerated threshold 20
(config-dp-intf)#advertisement accelerated minimum-change 2000
(config-dp-intf)#no advertisement periodic
(config-dp-intf)#commit
(config-dp-intf)#exit
(config)#
 
 
 
evpn mpls irb
Use this command to enable the EVPN MPLS IRB (Integrated Routing & Bridging) feature.
Command Syntax
evpn mpls irb
Parameters
None
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 6.0.0
Examples
(config)#evpn mpls irb
 
The following table lists the qualifiers for the TCAM group.
Table 9-41: TCAM Group

| Group | Qualifiers |
|---|---|
| evpn-irb | L4 Ports; Destination Port; Source IP; Destination IP; Source/Destination MAC1/MAC2; Ethertype |
 
forwarding profile
Use this command to configure different forwarding profiles in hardware.
Note: To apply profile configuration changes in the hardware, you must save the configuration and reboot, except when modifying the default profile.
Use show-running configuration or show forwarding profile limit to verify the selected profile.
Use the no form of this command to set the forwarding table size to the default.
Command Syntax
forwarding profile (kaps (profile-one | profile-two)) | (elk-tcam (profile-one | profile-two | profile-three | custom-profile))
no forwarding profile (kaps) | (elk-tcam (custom-profile))
Parameters
For details about these profiles, see show forwarding profile limit.
kaps
Internal KBP routing table
profile-one
KAPS profile one
profile-two
KAPS profile two
elk-tcam
External TCAM routing table
profile-one
External TCAM profile one
profile-two
External TCAM profile two
profile-three
External TCAM profile three
custom-profile
External TCAM custom profile
<10-90>
Percent of IPv4 routes
<10-90>
Percent of IPv6 routes
Default
The default forwarding profiles are as follows:
Table 9-42:

| Is ELK-TCAM present | KAPS | ELK-TCAM |
|---|---|---|
| Yes | profile-two | profile-one |
| No | profile-one | N/A |
Note:
1. elk-tcam profiles are supported only on hardware models which have external TCAM for routing.
2. forwarding profile-three is applicable on hardware model Agema AGC7648A.
 
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version SP 1.0. The no version of the command was introduced in OcNOS version 5.0.
Examples
#configure terminal
(config)# forwarding profile elk-tcam profile-one
(config)# no forwarding profile elk-tcam
 
hardware-profile filter (Qumran1)
Use this command to enable or disable ingress IPv4 or IPv6, egress IPv6 filter groups, EVPN-MPLS, VxLAN filter, and TWAMP IPv4 or IPv6 groups. Disabling filter groups increases the configurable filter entries.
Disabling a TCAM filter group is not allowed if the group has any entries configured in hardware. Group dependent entries must be explicitly removed before disabling the TCAM group.
Note:  
This feature is supported for IPv4 unicast and IPv4 BGP/MPLS VPN service based on RFC 8955.
The qos, qos-ext, and qos-policer filter groups can only be used for Layer 2 and IPv4 traffic. For IPv6 traffic QoS classification and actions, users must enable the ingress-ipv6-qos group and create an IPv6 ACL which can be matched in a class-map for applying QoS actions. For more details, refer to the Quality of Service Guide.
Usually the number of extended ingress filter groups that can be created at the same time is 3. If the PIM bidirectional feature is enabled, only 2 ingress extended filter groups can be created.
The ipv4-ext and qos-policer grp parameters are not supported together.
For better utilization of TCAM resources, it is recommended to enable the large groups first and then the smaller groups. For example, using admin credentials, configure evpn-mpls-mh as the last filter, as it is the smallest group.
Example 1
(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#hardware-profile filter ingress-ipv6 enable
(config)#hardware-profile filter qos-ext enable
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter evpn-mpls-mh enable
Example 2
(config)#hardware-profile filter ingress-ipv4-qos enable
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter vxlan enable
(config)#hardware-profile filter vxlan-mh enable
Example 3
(config)#hardware-profile filter qos-ext enable
(config)#hardware-profile filter egress-ipv4 enable
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#hardware-profile filter ingress-ipv4 enable
(config)#hardware-profile filter ingress-ipv4 enable
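The notes above can be checked mechanically before a change is committed. The following is an added example, not code from the OcNOS documentation or product: a small linter that reads `hardware-profile filter` lines and reports groups enabled twice, the unsupported ipv4-ext and qos-policer pairing, and large groups enabled after smaller ones. The key sizes come from Table 9-43; the function name, the finding labels and the reading of "ipv4-ext" as `ingress-ipv4-ext` are assumptions.

```python
import re

# Key sizes in bits, transcribed from Table 9-43 (Qumran1). Groups the table
# does not list (for example evpn-mpls-mh, vxlan) are reported as unchecked.
KEY_SIZE_BITS = {
    "ingress-l2": 160, "ingress-l2-ext": 320, "ingress-ipv4": 160,
    "ingress-ipv4-ext": 320, "ingress-ipv4-qos": 320, "ingress-ipv6": 320,
    "ingress-ipv6-ext": 320, "ingress-ipv6-ext-vlan": 320,
    "ingress-ipv6-qos": 320, "qos-ipv6": 320, "qos": 160, "qos-ext": 320,
    "qos-policer": 320, "egress-l2": 320, "egress-ipv4": 320,
    "cfm-domain-name-str": 160, "twamp-ipv4": 320, "twamp-ipv6": 320,
    "twamp-ipv6-mpls": 320, "ipv4-bgp-flowspec": 320,
}

# Assumption: "ipv4-ext" in the page's note means the ingress-ipv4-ext group.
UNSUPPORTED_TOGETHER = [("ingress-ipv4-ext", "qos-policer")]

# Accepts a bare command or one copied with a CLI prompt such as "(config)#".
FILTER_LINE = re.compile(
    r"^\s*(?:\S*#)?\s*hardware-profile\s+filter\s+(\S+)\s+(enable|disable)\s*$")


def lint_filter_groups(config_text):
    """Return the enable order, the findings, and the groups with unknown size."""
    order, findings, unchecked = [], [], []
    for line in config_text.splitlines():
        match = FILTER_LINE.match(line)
        if not match:
            continue
        group, action = match.groups()
        if action == "enable":
            if group in order:
                findings.append(("duplicate-enable", group))
            else:
                order.append(group)
        elif group in order:
            order.remove(group)

    for first, second in UNSUPPORTED_TOGETHER:
        if first in order and second in order:
            findings.append(("unsupported-together", f"{first} + {second}"))

    # Recommendation on the page: enable large groups first, then smaller ones.
    smallest = None  # (group, bits) of the smallest group seen so far
    for group in order:
        bits = KEY_SIZE_BITS.get(group)
        if bits is None:
            unchecked.append(group)
            continue
        if smallest is not None and bits > smallest[1]:
            findings.append(
                ("large-after-small",
                 f"{group} ({bits}) after {smallest[0]} ({smallest[1]})"))
        if smallest is None or bits < smallest[1]:
            smallest = (group, bits)
    return {"order": order, "findings": findings, "unchecked": unchecked}


# Example 1 from the page, followed by a constructed configuration that
# breaks each rule once.
PAGE_EXAMPLE_1 = """\
(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#hardware-profile filter ingress-ipv6 enable
(config)#hardware-profile filter qos-ext enable
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter evpn-mpls-mh enable
"""
CONSTRUCTED_BAD = """\
(config)#hardware-profile filter ingress-l2 enable
(config)#hardware-profile filter ingress-ipv4-ext enable
(config)#hardware-profile filter qos-policer enable
(config)#hardware-profile filter ingress-l2 enable
"""

if __name__ == "__main__":
    for name, text in (("example 1", PAGE_EXAMPLE_1), ("bad", CONSTRUCTED_BAD)):
        print(name, lint_filter_groups(text))
```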
The twamp-ipv4 hardware profile sets up a PMF group to manage TWAMP IPv4 traffic, enabling precise hardware time stamping of TWAMP packets. These packets are identified by their source IP, destination IP, source UDP port, and destination UDP port. When a packet is recognized as a TWAMP packet, the bcmFieldActionOam action is applied, directing the packet to the OAMP module for time stamping. Additionally, the bcmFieldActionForward action is used to ensure the packet is encapsulated with the correct FEC. If the packet includes MPLS labels, the predefined qualifiers will not match. In this scenario, user-defined qualifiers are added to the same PMF group to identify the TWAMP packet.
The twamp-ipv6 hardware profile establishes two PMF groups to manage TWAMP IPv6 traffic, differentiating between MPLS and non-MPLS traffic due to the inability to fit user-defined qualifiers in a single PMF group. These groups ensure accurate hardware time stamping of TWAMP packets, identified by their source IPv6, destination IPv6, source UDP port, and destination UDP port. When a packet is recognized as a TWAMP packet, the bcmFieldActionOam action is applied, sending the packet to the OAMP module for time stamping. Additionally, the bcmFieldActionForward action ensures the packet is encapsulated with the correct FEC. If the packet includes MPLS labels, the predefined qualifiers will not match. In this case, user-defined qualifiers are added to identify the TWAMP packet, and since the IPv6 qualifiers cannot be included in the same group, they are created in a separate group.
Note: Enabling TWAMP hardware profiles requires a system reboot.
Command Syntax
hardware-profile filter (ingress-l2|ingress-l2-ext|ingress-ipv4|ingress-ipv4-ext|ingress-ipv4-qos|ingress-ipv6|ingress-ipv6-ext|ingress-ipv6-ext-vlan|ingress-ipv6-qos|qos-ipv6|ingress-arp|qos|qos-ext|qos-policer|egress-l2|egress-ipv4|evpn-mpls-cw|evpn-mpls-mh|vxlan|vxlan-mh|cfm-domain-name-str|twamp-ipv4|twamp-ipv6|twamp-ipv6-mpls|ipv4-bgp-flowspec) (enable|disable)
Parameter
 
 
Default
By default, all filter groups are disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3 and changed in OcNOS version 3.0.
Examples
OcNOS#configure terminal
OcNOS(config)#hardware-profile filter ingress-ipv4 enable
OcNOS(config)#hardware-profile filter ingress-ipv4 disable
OcNOS(config)#hardware-profile filter egress-ipv4 enable
OcNOS(config)#hardware-profile filter egress-ipv4 disable
 
Table 9-43: Supported groups and the feature dependency on the groups

| Group | Key Size | Security | QoS | PBR | Mirror | Statistics (QMX) | Statistics (QAX) | Statistics (QUX) |
|---|---|---|---|---|---|---|---|---|
| ingress-l2 | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
| ingress-l2-ext | 320 | Yes | No | N/A | Yes | Yes | Yes | Yes |
| ingress-ipv4 | 160 | Yes | No | No | No | Yes | Yes | Yes |
| ingress-ipv4-ext | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
| ingress-ipv4-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| ingress-ipv6 | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
| ingress-ipv6-ext | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
| ingress-ipv6-ext-vlan | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
| ingress-ipv6-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos-ipv6 | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos | 160 | N/A | Yes | N/A | N/A | No | No | No |
| qos-ext | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos-policer | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| egress-l2 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-ipv4 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| cfm-domain-name-str | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv4 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv6 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv6-mpls | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| ipv4-bgp-flowspec | 320 | N/A | N/A | N/A | N/A | No | No | No |
 
Table 9-44: Comparison between basic and extended group qualifiers

| Basic Group | Supported Qualifiers | Supported Action | Extended Group | Supported Qualifiers | Supported Action |
|---|---|---|---|---|---|
| ingress-l2 | Source MAC; Destination MAC; Ether Type (ip, ipv6, mpls, arp, cfm, fcoe); VLAN ID; Inner VLAN ID | Permit, Deny | ingress-l2-ext | Source MAC; Destination MAC; Ether Type; VLAN ID; Inner VLAN ID; COS | Permit, Deny, Policer, Mirror, Assign Queue, COS Remark |
| ingress-ipv4 | Source IP; Destination IP; IP Protocols; L4 Ports | Permit, Deny | ingress-ipv4-ext | Source IP; Destination IP; IP Protocols; L4 Ports; DSCP; VLAN ID; Inner VLAN ID; TCP flags | Permit, Deny, Mirror |
| ingress-ipv6 | Source IPv6 (n/w part); Destination IPv6 (n/w part); IPv6 Protocols; L4 Ports; VLAN ID; DSCP | Permit, Deny, Mirror, Assign Queue, | ingress-ipv6-ext | Source IPv6 address full 128 bits; Destination IPv6 address full 128 bits; L4 Ports; IPv6 Protocols; Physical interface | Permit, Deny, Assign Queue, DSCP Remark, Policer, Mirror |
| qos | VLAN ID; COS; Inner VLAN ID; Inner COS; Ether Type; DSCP; Topmost EXP | Assign Queue, COS Remark, DSCP Remark, Policer | qos-ext | VLAN ID; COS; Inner VLAN ID; Inner COS; Ether Type; DSCP; Topmost EXP; IP RTP; L4 Ports; Destination MAC; Traffic type | Assign Queue, COS Remark, DSCP Remark, Policer |
 
 
Table 9-45: Qualifiers for other groups

| Group | Qualifiers | Actions |
|---|---|---|
| ingress-ipv6-ext-vlan | Source IPv6 address full 128 bits; Destination IPv6 address full 128 bits; L4 Ports; IPv6 Protocols; vlan interface; subinterface | Permit, Deny, Assign Queue, DSCP Remark, Policer, Mirror |
| egress-l2 | Source MAC; Destination MAC; VLAN ID; Inner VLAN ID; COS | Permit, Deny |
| egress-ipv4 | Source IP; Destination IP; IP Protocols; L4 Ports; DSCP; VLAN ID; Inner VLAN ID | Permit, Deny |
| qos-policer | VLAN ID; COS; Inner VLAN ID; Inner COS; Ether Type; DSCP; Topmost EXP; IP RTP; L4 Ports | Assign Queue, COS Remark, DSCP Remark, Policer, Hierarchical Policer and Storm Control |
| ingress-ipv4-qos | Source IP; Destination IP; IP Protocols; L4 Ports; DSCP; VLAN ID; Inner VLAN ID; TCP flags | Policer, Assign Queue, DSCP Remark |
| ingress-ipv6-qos | Source IPv6 (n/w part); Destination IPv6 (n/w part); IPv6 Protocols; L4 Ports; VLAN ID; DSCP | Assign Queue, DSCP Remark, Policer |
| qos-ipv6 | IPv6 Protocols; L4 Ports; VLAN ID; COS; Inner VLAN ID; Inner COS; Ether Type; DSCP | Assign Queue, COS Remark, DSCP Remark, Policer |
| ingress-arp | ARP Request/Response; ARP IP address; ARP MAC address; VLAN ID; Inner VLAN ID | Permit, Deny |
| cfm-domain-name-str | MA ID | |
| twamp-ipv4 | Predefined qualifiers: IPV4_SIP; IPV4_DIP; L4_SRC_PORT; L4_DST_PORT. User-defined qualifiers: MplsSrcIpv4_qual; MplsDstIpv4_qual; MplsUdpPorts_qual | |
| twamp-ipv6 | For non-MPLS group, predefined qualifiers: IPV6_SIP; IPV6_DIP; L4_SRC_PORT; L4_DST_PORT. For MPLS group, user-defined qualifiers: MplsSrcIpv6_qual; MplsDstIpv6_qual; MplsUdpPorts_qual | |
| ipv4-bgp-flowspec | VRF ID; Source IP; Destination IP; IP Protocols; L4 Ports; ICMP Type/Code; TCP Flags; PacketSize; DSCP; IP Fragmentation | |

Note: For the following traffic filter component types, only a non-range value can be specified.
Type 3: IP Protocol
Type 7: ICMP type
Type 8: ICMP code
Type 10: Packet length
Type 11: DSCP (Diffserv Code Point)
 
hardware-profile filter (Qumran2)
Use this command to enable or disable ingress IPv4 or IPv6, egress IPv6 filter groups, EVPN-MPLS, VxLAN filter, and TWAMP IPv4 or IPv6 groups. Disabling filter groups increases the configurable filter entries.
Disabling a TCAM filter group is not allowed if the group has any entries configured in hardware. Group dependent entries must be explicitly removed before disabling the TCAM group.
Note:  
This feature is supported for IPv4 unicast and IPv4 BGP/MPLS VPN service based on RFC 8955.
Updating the access list may take a long time in a scaled configuration because the hardware must reshuffle the filter entries when configuring a high-priority filter.
Use the ingress-IPv4-subif and ingress-IPv6-subif-ext groups when ACL is required on the sub-interfaces only. Use ingress-IPv4-ext and ingress-IPv6 groups when ACL is required on physical, sub-interface, LAG, and IRB interfaces.
Enabling TWAMP hardware profiles requires a system reboot.
In the ingress direction, Qumran-2C (Q2C) series platforms support stats for 16k filter entries, and Qumran-2A (Q2A) series platforms support 8k filter entries. For the egress direction, Qumran-2C (Q2C) series platforms support 8k, and Qumran-2A (Q2A) series platforms support 4k.
In Qumran2 series platforms, either two 160-bit groups or one 320-bit group can be created in the egress direction.
For better utilization of TCAM resources it is recommended to enable large groups first and then smaller groups.
Example
hardware-profile filter qos-policer enable # QoS policer/storm control
hardware-profile filter ingress-ipv6 enable # IPV6 ACL
hardware-profile filter ingress-l2-subif enable # MAC ACL
hardware-profile filter ingress-ipv4-subif enable # IPv4 ACL
hardware-profile filter ingress-ipv6-ext-subif enable # IPv6 ACL
Command Syntax
hardware-profile filter (dhcp-snoop|dhcp-snoop-ipv6|egress-dst-ipv6|egress-ipv4|egress-ipv4-ext|egress-ipv6|egress-l2|egress-l2-ext|egress-l2-mlag|egress-qos-policer|egress-qos-policer-ext|egress-src-ipv6|ingress-arp|ingress-ipv4|ingress-ipv4-ext|ingress-ipv4-qos|ingress-ipv4-subif|ingress-ipv6-ext-subif|ingress-ipv6|ingress-ipv6-ext|ingress-ipv6-ext-vlan|ingress-ipv6-qos|ingress-l2|ingress-l2-ext|ingress-l2-subif|ipsg|ipsg-ipv6|qos|qos-ext|qos-ipv6|qos-policer|evpn-mpls-cw|evpn-mpls-mh|vxlan|vxlan-mh|twamp-ipv4|twamp-ipv6|twamp-ipv6-mpls|ipv4-bgp-flowspec) (enable|disable)
Parameter
 
Default
By default, all filter groups are disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3 and changed in OcNOS version 3.0.
Examples
OcNOS#configure terminal
OcNOS(config)#hardware-profile filter ingress-ipv4 enable
OcNOS(config)#hardware-profile filter ingress-ipv4 disable
 
OcNOS(config)#hardware-profile filter egress-ipv4 enable
OcNOS(config)#hardware-profile filter egress-ipv4 disable
 
Table 9-46: Supported groups and the feature dependency on the groups

| Group | Key Size | Security | QoS | PBR | Mirror | Statistics (Q2U) | Statistics (Q2A) | Statistics (Q2C, J2C+) |
|---|---|---|---|---|---|---|---|---|
| dhcp-snoop | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
| dhcp-snoop-ipv6 | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
| ingress-arp | 320 | Yes | No | N/A | No | Yes | Yes | Yes |
| ingress-l2 | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
| ingress-l2-ext | 320 | Yes | No | N/A | Yes | Yes | Yes | Yes |
| ingress-l2-subif | 160 | Yes | No | N/A | No | Yes | Yes | Yes |
| ingress-ipv4 | 160 | Yes | No | No | No | Yes | Yes | Yes |
| ingress-ipv4-ext | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
| ingress-ipv4-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| ingress-ipv4-subif | 160 | Yes | No | Yes | No | Yes | Yes | Yes |
| ingress-ipv6 | 320 | Yes | No | Yes | Yes | Yes | Yes | Yes |
| ingress-ipv6-ext | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
| ingress-ipv6-ext-vlan | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
| ingress-ipv6-ext-subif | 320 | N/A | Yes | No | Yes | Yes | Yes | Yes |
| ingress-ipv6-qos | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| ipsg | 160 | Yes | No | N/A | N/A | Yes | Yes | Yes |
| ipsg-ipv6 | 160 | Yes | No | N/A | N/A | Yes | Yes | Yes |
| qos-ipv6 | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos | 160 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos-ext | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| qos-policer | 320 | N/A | Yes | N/A | N/A | Yes | Yes | Yes |
| egress-l2 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-l2-ext | 160 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-l2-mlag | 80 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-dst-ipv6 | 160 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-ipv4 | 160 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-ipv4-ext | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-ipv6 | 320 | Yes | N/A | N/A | N/A | Yes | Yes | Yes |
| egress-qos-policer | 160 | No | Yes | N/A | N/A | Yes | Yes | Yes |
| egress-qos-policer-ext | 160 | No | Yes | N/A | N/A | Yes | Yes | Yes |
| egress-src-ipv6 | 160 | Yes | No | N/A | N/A | Yes | Yes | Yes |
| evpn-mpls-mh | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| vxlan | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| vxlan-mh | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv4 (Having MPLS enabled SKUs) | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv4 (MPLS disabled SKUs) | 160 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv6 | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| twamp-ipv6-mpls | 320 | N/A | N/A | N/A | N/A | Yes | Yes | Yes |
| ipv4-bgp-flowspec | 320 | N/A | N/A | N/A | N/A | No | No | No |
 
Table 9-47: Comparison between basic and extended group qualifiers

| Basic Group | Supported Qualifiers | Supported Actions | Extended Group | Supported Qualifiers | Supported Actions |
|---|---|---|---|---|---|
| dhcp-snoop | SourcePort; L4 DestinationPort; IPv4 Protocol; Destination Mac; InterfaceClass; Ethertype; Vlan | | | | |
| dhcp-snoop-ipv6 | L4 Destination port; IP6NextHeader; DstIp6High; Ethertype | | | | |
| ingress-l2 | Source MAC; Destination MAC; Ether Type; VLAN ID; Inner VLAN ID | Permit, Deny | ingress-l2-ext | Source MAC; Destination MAC; Ether Type; VLAN ID; Inner VLAN ID; COS; Inner CoS; IPv4 Protocols | Permit, Deny, Policer, Mirror, Assign Queue, COS Remark |
| ingress-l2-subif | Source Mac; Destination Mac; Ethertype | Permit, Deny | | | |
| ingress-ipv4 | Source IP; Destination IP; IP Protocols; L4 Dest Ports; L4 Src Ports | Permit, Deny | ingress-ipv4-ext | Source IP; Destination IP; IP Protocols; DSCP/ToS; L4 Dest Ports; L4 Src Ports; VLAN ID; Inner VLAN ID; TCP flags; Packet Length range check; L4 Source/Destination Port Range Check | Permit, Deny, Mirror |
| ingress-ipv4-subif | Source IP; Destination IP; IPv4 Protocol Type; L4 Destination Port; L4 Source Port; Packet Length Range Check; L4 Source/Destination Port Range Check | Permit, Deny | | | |
| ingress-ipv4-qos | Source IP; Destination IP; IPv4 Protocols; L4 Destination Port; L4 Source Port; L4 Source/Destination Port Range Check; DSCP; VLAN ID; Inner VLAN ID; TCP flags | Policer, Assign Queue, DSCP Remark | | | |
| ingress-ipv6 | Source IPv6 (n/w part); Destination IPv6 (n/w part); IPv6 NextHeader; L4 Destination Port; L4 Source Port; VLAN ID; IPv6 Traffic Class; IPv6 Hop Limit; L4 Source/Destination Port Range; Packet Length Range Check | Permit, Deny, Assign Queue, Mirror | ingress-ipv6-ext | Source ipv6 address full 128 bits; Destination ipv6 address full 128 bits; L4 Destination Port; L4 Source Port; IPv6 NextHeader | Permit, Deny, Assign Queue, DSCP Remark, |
| ingress-ipv6-ext-vlan | Source ipv6 address full 128 bits; Destination ipv6 address full 128 bits; L4 Destination Port; L4 Source Port; IPv6 NextHeader | Permit, Deny, Assign Queue, DSCP Remark, s | | | |
| ingress-ipv6-ext-subif | Source ipv6 address full 128 bits; Destination ipv6 address full 128 bits; L4 Destination Port; L4 Source Port; IPv6 NextHeader | Permit, Deny, Assign Queue, DSCP Remark | | | |
| ingress-ipv6-qos | Source IPv6 (n/w part); Destination IPv6 (n/w part); IPv6 NextHeader; L4 Destination Port; L4 Source Port; L4 Source/Destination Port Range; VLAN ID; IPv6 Traffic Class | Assign Queue, DSCP Remark, Policer | | | |
| ipsg | Source MAC; Source IP; VLAN ID | | | | |
| ipsg-ipv6 | Source MAC; Source IP6 High; VLAN ID | | | | |
 
Table 9-48: Qualifiers for other groups

| Group | Supported Qualifiers | Supported Actions | Extended Group | Supported Qualifiers | Supported Actions |
|---|---|---|---|---|---|
| egress-l2 | Source MAC; Destination MAC; VLAN ID; Inner VLAN ID; CoS; Inner CoS | Permit, Deny | egress-l2-ext | Source Mac; Destination Mac; VLAN ID; Inner VLAN ID; CoS; Inner CoS | Permit, Deny |
| egress-l2-mlag | Source Port; Destination Port; Layer Record Type | Deny | | | |
| egress-ipv4 | Source IP; Destination IP; IPv4 Protocol; L4 Destination Port; L4 Source Port; DSCP; VLAN ID; Inner VLAN ID | Permit, Deny | egress-ipv4-ext | Source IP; Destination IP; IPv4 Protocol; L4 Destination Port; L4 Source Port; DSCP; VLAN ID; Inner VLAN ID | Permit, Deny |
| egress-dst-ipv6 | Destination IPv6 High (N/W part); IPv6 Next Header; IPv6 Traffic Class; L4 Destination Port; L4 Source Port | Permit, Deny | | | |
| egress-ipv6 | Destination IPv6 High (N/W part); Source IPv6 High (N/W part); IPv6 Next Header; IPv6 Traffic Class; L4 Destination Port; L4 Source Port; VLAN ID | Permit, Deny | | | |
| egress-qos-policer | Destination Mac; VLAN ID; CoS; DSCP; L4 Destination Port; L4 Source Port; IPv4 Protocols | Policer | egress-qos-policer-ext | Destination Mac; VLAN ID; CoS; DSCP; L4 Destination Port; L4 Source Port; IPv4 Protocols; SVI interface; Subinterface | Policer |
| egress-src-ipv6 | Source IPv6 High (N/W part); IPv6 Next Header; IPv6 Traffic Class; L4 Destination Port; L4 Source Port | Permit, Deny | | | |
| qos | Ether Type; VLAN ID; CoS; Inner VLAN ID; Inner CoS; DSCP; Topmost EXP; IP Flags | Assign Queue, COS Remark, DSCP Remark, Policers | qos-ext | Ether Type; VLAN ID; COS; Inner VLAN ID; Inner COS; DSCP; Topmost EXP; IP Flags; IP Protocols; L4 Destination Port; L4 Source Port; L4 Source/Destination Port Range | Assign Queue, COS Remark, DSCP Remark, Policer |
| evpn-mpls-mh | USER_DEFINED_IP; MPLS LABEL | | | | |
| vxlan | | | | | |
| vxlan-mh | Source IP; Destination IP | | | | |
| qos-policer | Destination MAC; Ether Type; VLAN ID; COS; Inner VLAN ID; Inner CoS; DSCP; IP Protocols; IP Flags; Topmost EXP; L4 Destination Port; L4 Source Port; L4 Source/Destination Port Range; Traffic type | Assign Queue, COS Remark, DSCP Remark, Policer, Hierarchical Policer and Storm Control | | | |
| qos-ipv6 | Ether Type; VLAN ID; COS; Inner VLAN ID; Inner CoS; IPv6 Next Header; IPv6 Traffic Class; L4 Destination Port; L4 Source Port; L4 Source/Destination Port Range | Assign Queue, COS Remark, DSCP Remark, Policer | | | |
| ingress-arp | ARP Request/Response; ARP IP address; ARP MAC address; VLAN ID; Inner VLAN ID | Permit, Deny | | | |
| twamp-ipv4 | IPv4 Source IP; IPv4 Destination IP; UDP Source port; UDP Destination port; IPv4 Type of Service | | | | |
| twamp-ipv6 | UDP Source port; UDP Destination port; IPv6 Source IP; IPv6 Destination IP | | | | |
| twamp-ipv6-mpls | UDP Source port; UDP Destination port; IPv6 Source IP; IPv6 Destination IP | | | | |
| vxlan | Forwarding Types; Ethernet Type; IPv4; Y1731 | | | | |
| ipv4-bgp-flowspec | VRF ID; Source IP; Destination IP; IP Protocols; L4 Ports; ICMP Type/Code; TCP Flags; PacketSize; DSCP; IP Fragmentation | | | | |

For the following traffic filter component types, only a non-range value can be specified.
Type 3: IP Protocol
Type 7: ICMP type
Type 8: ICMP code
Type 10: Packet length
Type 11: DSCP (Diffserv Code Point)

 
Table 9-49: Total available entries for each group

| Group Name | Q2U | Q2A | Q2C | Q2C+ |
|---|---|---|---|---|
| dhcp-snoop | 10240 | 10240 | 19456 | 19456 |
| dhcp-snoop-ipv6 | 10240 | 10240 | 19456 | 19456 |
| ingress-arp | 4608 | 4608 | 8704 | 8704 |
| ingress-l2 | 10240 | 10240 | 19456 | 19456 |
| ingress-l2-ext | 4608 | 4608 | 8704 | 8704 |
| ingress-l2-subif | 10240 | 10240 | 19456 | 19456 |
| ipsg | 10240 | 10240 | 19456 | 19456 |
| ipsg-ipv6 | | | | |
| ingress-ipv4 | 10240 | 10240 | 19456 | 19456 |
| ingress-ipv4-ext | 4608 | 4608 | 8704 | 8704 |
| ingress-ipv4-qos | 4608 | 4608 | 8704 | 8704 |
| ingress-ipv4-subif | 10240 | 10240 | 19456 | 19456 |
| ingress-ipv6 | 4608 | 4608 | 8704 | 8704 |
| ingress-ipv6-ext | 4608 | 4608 | 8704 | 8704 |
| ingress-ipv6-ext-vlan | 4608 | 4608 | 8704 | 8704 |
| ingress-ipv6-ext-subif | 4608 | 4608 | 8704 | 8704 |
| ingress-ipv6-qos | 4608 | 4608 | 8704 | 8704 |
| qos-ipv6 | 4608 | 4608 | 8704 | 8704 |
| qos | 4605/4608 | 4608 | 8704 | 8704 |
| qos-ext | 4605/4608 | 4608 | 8704 | 8704 |
| qos-policer | 4605/4608 | 4608 | 8704 | 8704 |
| egress-l2 | 4608 | 4608 | 8704 | 8704 |
| egress-l2-ext | 10240 | 10240 | 19456 | 19456 |
| egress-l2-mlag | 20480 | 20480 | 38912 | 38912 |
| egress-dst-ipv6 | 10240 | 10240 | 19456 | 19456 |
| egress-ipv4 | 10240 | 10240 | 19456 | 19456 |
| egress-ipv4-ext | 10240 | 10240 | 19456 | 19456 |
| egress-ipv6 | 4608 | 4608 | 8704 | 8704 |
| egress-qos-policer | 10240 | 10240 | 19456 | 19456 |
| egress-qos-policer-ext | 10240 | 10240 | 19456 | 19456 |
| egress-src-ipv6 | 10240 | 10240 | 19456 | 19456 |
| twamp-ipv4 | 4608 | 4608 | 8704 | 8704 |
| twamp-ipv6 | 4608 | 4608 | 8704 | 8704 |
| twamp-ipv6-mpls | 4608 | 4608 | 8704 | 8704 |
| vxlan | 10240 | 10240 | 19456 | Not supported |
 
hardware-profile flowcontrol
Use this command to globally enable or disable hardware-based flow control.
Syntax
hardware-profile flowcontrol (disable|enable)
Parameters
disable
Disable flow control globally
enable
Enable flow control globally
Default
By default flow control is disabled.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 3.0.
Examples
#configure terminal
(config)#hardware-profile flowcontrol enable
 
 
 
hardware-profile service-queue
Use this command to set the number of service-queue counts to create in hardware.
Use the no form of this command to set the service queue profile to the default.
Note: Reboot the switch after giving this command for the changes to take effect.
Command Syntax
hardware-profile service-queue (profile1| profile2)
no hardware-profile service-queue
Parameter
profile1
Supports new 4 queue-bundle per service (default)
profile2
Supports new 8 queue-bundle per service
Default
By default, profile1 is enabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
This command is only available on Qumran platforms.
Examples
#configure terminal
(config)#hardware-profile service-queue profile2
(config)#no hardware-profile service-queue
hardware-profile statistics
Use this command to enable or disable filter statistics in hardware.
Note: In Q1, you must reboot the switch after giving this command for the changes to take effect. For Q2, statistics profiles are updated dynamically.
Note: If both ACL and QoS statistics are required on the same interface, then both the ingress-acl and ingress-qos profiles must be enabled, and this limits other profiles from being enabled. The restrictions are explained in more detail below.
Note: When any two or all of MAC ACL, IP ACL, or QoS service-policy are configured on the same interface or on its dependent interface, their entries use statistics entries from the ingress-acl statistics profile, and as a result the statistics are updated on only one entry, based on the hardware-profile filter created later.
Note: cfm-slm statistics are supported only on Q2 devices.
Command Syntax
hardware-profile statistics (ac-lif|cfm-ccm|cfm-lm |cfm-slm|ingress-acl|ingress-qos|egress-acl|mpls-pwe|tunnel-lif|voq-full-color|voq-fwd-drop) (enable|disable)
Parameter
ac-lif
VXLAN access ports statistics
cfm-ccm
Cfm ccm counter statistics
cfm-lm
Cfm Loss Measurements statistics
cfm-slm
Cfm Synthetic Loss Measurements statistics
tunnel-lif
VXLAN tunnels statistics
ingress-acl
Ingress ACL, QoS, and PBR statistics
ingress-qos
Ingress QoS statistics (explicit)
egress-acl
Egress ACL statistics
mpls-pwe
Pseudowire logical interfaces statistics
voq-full-color
Statistics for all VOQ counters
voq-fwd-drop
Statistics for forward drop VOQ counters
enable
Enable statistics
disable
Disable statistics
Default
In Q1, by default, only the ingress-acl statistics profile is enabled. Other statistics profiles are disabled.
In Q2, by default, the voq-full-color and cfm-ccm statistics profiles are enabled. Other statistics profiles are disabled. The voq-full-color profile cannot be disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3 and is applicable for Qumran. The voq-full-color, voq-fwd-drop, cfm-slm, cfm-lm, and cfm-ccm options are applicable for Qumran2.
Examples
#configure terminal
(config)#hardware-profile statistics tunnel-lif enable
 
Table 9-50 provides details of the scale numbers of each statistics profile and the applications that use the statistics profiles. For example, the ingress-acl profile is used by ACL, QoS, and PBR applications, and all of them share the statistics entries from this profile. So, consuming 8k statistics entries for the ACL application means that the QoS and PBR applications do not get any statistics.
There are limitations on the number of statistics profiles that can be enabled at a time. This limitation is based on the stages that each profile uses. Table 9-50 shows the four stages: ingress, ingress queuing, egress1, and egress2; and only two statistics profiles per stage can be configured.
For example, if both the ingress-acl and mpls-acl profiles are configured, then no more profiles that use the “ingress stage” can be enabled because only two profiles are allowed per stage. To use another “ingress-based” profile, you must first disable at least one of the profiles that are currently using the ingress stage.
 
Table 9-50: Qumran 1 Statistics profile capacity (maximum numbers in best case scenario)

| Statistics profile | Stage | QMX | QAX | QUX | Application |
|---|---|---|---|---|---|
| ingress-acl | Ingress | ~8k | ~6k | ~1.5K | Ingress ACL, QoS, PBR |
| egress-acl | Egress1 | ~8k | ~2k | ~2k | Egress ACL |
| ingress-qos | Ingress | ~8k | ~6k | ~1.5K | QoS |
| voq-full-color | Ingress queuing | ~13k | ~6k | ~6K | QoS (queue statistics) |
| voq-fwd-drop | Ingress queuing | ~32k | ~16k | ~16K | QoS (queue statistics) |
| tunnel-lif | Ingress, Egress2 | ~16k | N/A | N/A | VXLAN and MPLS (LSP/tunnels) |
| mpls-pwe | Ingress, Egress2 | ~16k | ~8k | ~1K | MPLS (pseudowire) |
| cfm-ccm | Ingress | ~3k | ~800 | ~800 | CFM (ccm) |
| cfm-lm | Ingress, Egress2 | ~6k | ~1.5k | NA | CFM (loss measurement) |
| ac-lif | Ingress, Egress2 | ~32k | N/A | N/A | VXLAN and MPLS (access-port) |
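
The two-profiles-per-stage limit can be checked against a planned configuration before it is committed. The following is an added example, not code from the OcNOS documentation or product: it applies `hardware-profile statistics` lines on top of the Q1 default (only ingress-acl enabled) and reports any stage from Table 9-50 that ends up with more than two profiles. The function name, the result keys and the sample configuration are assumptions made for illustration.

```python
import re

# Stage(s) used by each statistics profile, transcribed from Table 9-50 (Qumran 1).
PROFILE_STAGES = {
    "ingress-acl": ("ingress",),
    "egress-acl": ("egress1",),
    "ingress-qos": ("ingress",),
    "voq-full-color": ("ingress-queuing",),
    "voq-fwd-drop": ("ingress-queuing",),
    "tunnel-lif": ("ingress", "egress2"),
    "mpls-pwe": ("ingress", "egress2"),
    "cfm-ccm": ("ingress",),
    "cfm-lm": ("ingress", "egress2"),
    "ac-lif": ("ingress", "egress2"),
}
MAX_PROFILES_PER_STAGE = 2             # limit stated on the page
Q1_DEFAULT_ENABLED = ("ingress-acl",)  # page: only ingress-acl is on by default in Q1

# Accepts a bare command or one copied with a CLI prompt such as "(config)#".
STAT_LINE = re.compile(
    r"^\s*(?:\S*#)?\s*hardware-profile\s+statistics\s+(\S+)\s+(enable|disable)\s*$")


def audit_statistics_profiles(config_text, defaults=Q1_DEFAULT_ENABLED):
    """Apply enable/disable lines in order and report stages over the limit."""
    enabled = list(defaults)
    unknown = []  # profiles that Table 9-50 does not list (e.g. Q2-only ones)
    for line in config_text.splitlines():
        match = STAT_LINE.match(line)
        if not match:
            continue
        profile, action = match.groups()
        if profile not in PROFILE_STAGES:
            if profile not in unknown:
                unknown.append(profile)
            continue
        if action == "enable" and profile not in enabled:
            enabled.append(profile)
        elif action == "disable" and profile in enabled:
            enabled.remove(profile)

    per_stage = {}
    for profile in enabled:
        for stage in PROFILE_STAGES[profile]:
            per_stage.setdefault(stage, []).append(profile)
    over_limit = {stage: profiles for stage, profiles in per_stage.items()
                  if len(profiles) > MAX_PROFILES_PER_STAGE}
    return {"enabled": enabled, "per_stage": per_stage,
            "over_limit": over_limit, "unknown": unknown}


# Constructed sample: three ingress-stage profiles once the default is counted,
# plus cfm-slm, which the page says is supported only on Q2 devices.
CONSTRUCTED_CONFIG = """\
(config)#hardware-profile statistics mpls-pwe enable
(config)#hardware-profile statistics cfm-ccm enable
(config)#hardware-profile statistics egress-acl enable
(config)#hardware-profile statistics cfm-slm enable
"""

if __name__ == "__main__":
    report = audit_statistics_profiles(CONSTRUCTED_CONFIG)
    for stage, profiles in report["over_limit"].items():
        print(f"stage {stage}: {len(profiles)} profiles enabled: {profiles}")
    print("not in Table 9-50:", report["unknown"])
```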
 
Table 9-51: Qumran2 Statistics profile capacity (maximum numbers in best case scenario)

| Statistics profile | Stage | Q2A/Q2U | Q2C/J2C | Application |
|---|---|---|---|---|
| ingress-acl | Ingress | ~8k | ~16k | Ingress ACL, QoS, PBR |
| egress-acl | Egress1 | ~4k | ~8k | Egress ACL |
| ingress-qos | Ingress | ~4k | ~8k | Ingress QoS policer |
| egress-qos | Egress | ~4k | ~8k | Egress qos policer |
| voq-full-color | Ingress queuing | ~6552 | ~19k | QoS (queue statistics) |
| voq-fwd-drop | Ingress queuing | ~16k | ~48k | QoS (queue statistics) |
| slm | Ingress | ~2k | ~2k | OAM SLM |
| cfm-ccm | Ingress | ~2k | ~2k | CFM_CCM_RX_TX & CCM-BANK-0 RX/TX |
| cfm-lm | Ingress, Egress | ~2k, ~2k | ~2k, ~2k | CFM (loss measurement) |
| ac-lif | Ingress, Egress | ~8k, ~8k | ~32k, ~32k | VXLAN and MPLS (access-port) |

hardware-profile bgp-flowspec-mode
Use this command to set the BGP flowspec mode, which specifies how flowspec rules are installed in the hardware.
Note: The install-partial option is not supported on Q2.

A change to the bgp-flowspec-mode hardware profile takes effect only after the ipv4-bgp-flowspec filter is disabled and enabled again.

Choose an appropriate option based on usage. Use the install-all option for the normal case.
Syntax
hardware-profile bgp-flowspec-mode (install-all|install-partial|no-prioritizing)
Parameters
install-all
FLOWSPEC rules are prioritized. All previously installed rules are reinstalled when a new rule is added. (default)
install-partial
FLOWSPEC rules are prioritized. Not all previously installed rules are reinstalled when a new rule is added, which avoids unnecessary reinstallation.
no-prioritizing
FLOWSPEC rules are not prioritized. Only the rules requested to be added are installed; no other rules are reinstalled when a new rule is added.
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.3.5.
Example
(config)#hardware-profile filter ipv4-bgp-flowspec disable
(config)#commit
(config)#hardware-profile bgp-flowspec-mode no-prioritizing
(config)#commit
(config)#hardware-profile filter ipv4-bgp-flowspec enable
(config)#commit
 
 
 
ip redirects
Use this command in configure mode (globally) to trap ICMP redirect packets to the CPU, and in interface mode to enable ICMP redirects in the kernel.
Use the no form of this command to disable the ICMP redirect message on an interface.
Note: This command is applicable to both IPv4 and IPv6 interfaces.
Syntax
ip redirects
no ip redirects
Parameters
None
Default
None
Command Mode
Configure and Interface mode
Applicability
This command was introduced in OcNOS version 3.0.
Example
#configure terminal
(config)#ip redirects
 
 
(config)#no ip redirects
 
 
#configure terminal
(config)#interface xe1/1
(config-if)#ip redirects
 
 
#configure terminal
(config)#interface xe1/1
(config-if)#no ip redirects
load-balance enable
Use this command to enable load-balancing configurations in hardware.
Use the no option to reset the load balancing to default settings.
Note: When the command load-balance enable is issued, the default load-balance settings are unset. The user must then configure the new load-balancing parameters.
Command Syntax
This form unsets load balancing globally:
load-balance enable
This form resets load balancing globally to default settings:
no load-balance enable
 
By default, load balancing is enabled for ECMP and LAG.
This form sets hashing based on IPv4 fields:
load-balance (ipv4 {src-ipv4 | dest-ipv4 | srcl4-port | destl4-port | protocol-id})
no load-balance (ipv4 {src-ipv4 | dest-ipv4 | srcl4-port | destl4-port | protocol-id})
 
This form sets hashing based on IPv6 fields:
load-balance (ipv6 {src-ipv6 | dest-ipv6 | srcl4-port | destl4-port | protocol-id | next-hdr})
no load-balance (ipv6 {src-ipv6 | dest-ipv6 | srcl4-port | destl4-port | protocol-id | next-hdr})
 
This form sets hashing based on L2 fields:
load-balance (l2 {dest-mac|src-mac|ether-type|vlan})
no load-balance (l2 {dest-mac|src-mac|ether-type|vlan})
 
This form sets hashing based on MPLS fields:
load-balance (mpls {labels})
no load-balance (mpls {labels})
 
The following additional parameters are supported on Dune DNX boards:
load-balance inner-ipv4 ({non-symmetric| protocol-id| src-dest-ipv4})
no load-balance inner-ipv4 ({non-symmetric| protocol-id| src-dest-ipv4})
 
load-balance inner-l2 ({ether-type| non-symmetric| src-dest-mac| vlan})
no load-balance inner-l2 ({ether-type| non-symmetric| src-dest-mac| vlan})
 
load-balance src-dest-l4port (non-symmetric)
no load-balance src-dest-l4port
 
Note: The configured load balancing parameters are global and will be applicable to all LAG & ECMP created in the hardware.
Parameters
ipv4
Load balance IPv4 packets
src-ipv4
Source IPv4 based load balancing
dest-ipv4
Destination IPv4 based load balancing
srcl4-port
Source L4 port based load balancing
destl4-port
Destination L4 port based load balancing
protocol-id
Protocol ID based load balancing
 
ipv6
Load balance IPv6 packets
src-ipv6
Source IPv6 based load balancing
dest-ipv6
Destination IPv6 based load balancing
srcl4-port
Source L4 port based load balancing
destl4-port
Destination L4 port based load balancing
 
l2
Load balance L2 packets
src-dest-mac
Source Destination based load balancing
non-symmetric
Non symmetrical based load balancing
ether-type
Ether-type based load balancing
vlan
VLAN-based load balancing
mpls
Load balance MPLS packets
labels
label stack based load balancing
 
inner-ipv4
Load balancing on IPv4 packet
inner-l2
Load balancing on L2 packet
src-dest-l4port
Source Destination l4port based load balancing
non-symmetric
Non symmetric based load balancing
protocol-id
Protocol Id based load balancing
src-dest-ipv4
Source Destination IPV4 based load balancing
ether-type
Ether-type based load balancing
src-dest-mac
Source Destination based load balancing
next-hdr
Next Header Field for IPV6
src-dest-ipv6
Source Destination IPV6 based load balancing
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 3.0.
Examples
(config)#load-balance enable
(config)#load-balance ipv4 src-ipv4
 
show forwarding profile limit
Use this command to display the forwarding profile table sizes.
Note: 1k is 1024 entries.
Command Syntax
show forwarding profile limit
Parameters
None
Default
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version SP 1.0.
Examples
#show forwarding profile limit
 
------------------------------------------------------------------------------
L3 (Ipv4/Ipv6) KAPS Forwarding Profile
------------------------------------------------------------------------------
Active (*) Configured (*) Profile-type IPv4-db-size IPv6-db-size
profile-one NA NA
* * profile-two - 200k
 
------------------------------------------------------------------------------
L3 (Ipv4/Ipv6) ELK TCAM Forwarding Profile
------------------------------------------------------------------------------
Active (*) Configured (*) Profile-type IPv4-db-size IPv6-db-size
* * profile-one ~1024k -
profile-two - ~1024k
profile-three ~2048k -
 
NOTE: for external-tcam profile-three, URPF should be disabled &
number of vrf's limited to 255
------------------------------------------------------------------------------
L2 forwarding table
------------------------------------------------------------------------------
Max Entries: 768k
 
NOTE: 1k is 1024 entries
 
#
 
show hardware-profile filters
Use this command to show details of TCAM filter groups which are enabled. By default, all filter groups are disabled.
Command Syntax
show hardware-profile filters
Parameter
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 3.0.
Examples
#show hardware-profile filters
 
Note: Shared count is the calculated number from available resources.
Dedicated count provides allocated resource to the group.
If group shares the dedicated resource with other groups, then dedicated
count of group will reduce with every resource usage by other groups.
 
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 10495 0 1 10486 2048 8448
 
Table 9-52 explains the output fields.
 
Table 9-52: show hardware-profile filters
| Field | Description |
|---|---|
| Ingress | Ingress filtering is a method used to prevent suspicious traffic from entering a network. |
| TCAMS | Number of ternary content addressable memory (TCAM) entries for a particular firewall filter. |
| Free Entries | Number of TCAM filter entries available for use by the filter group. |
| Used Entries | Number of TCAM filter entries used by the filter group. |
| Total Entries | Total number of TCAM filter entries for the filter group. |
| Dedicated Entries | Number of TCAM filter entries dedicated to the filter group. |
| Shared Entries | Number of TCAM filter entries shared among the filter groups. |
Operational details of TCAM profiles
TCAM group statistics comprise three parts:
Total Entries – Total configurable entries on the TCAM group. The total has two parts: dedicated and shared. The dedicated count is the guaranteed entry count for the group. The shared count is a logical count calculated for the group from the shared pool available at the time the show command is executed.
Used Entries – Count of entries that have been configured on the TCAM group. Used entries are also shown as a percentage, indicating how much of the TCAM space is used up. However, the percentage calculation includes the shared pool and can change drastically when the shared pool is taken up by a different group.
Free Entries – Count of possible remaining entries on the TCAM group. The free entries count is not guaranteed, because it includes the shared pool count.
When a TCAM group is enabled on the device, no hardware resource (bank) is associated with the group. Thus, the dedicated count is initially zero, and the total count is the same as the shared count, which is calculated based on the group width. Group width is determined by the width consumed by the qualifiers or the width consumed by the actions.
Example of show output when qos-ext group is enabled on QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 10496 0 0 10496 0 10496
When an entry is created on the group for the first time, either a single bank or a bank pair is allocated to the group. Whether a group consumes a single bank or a bank pair is decided by the group width. Groups like qos, ingress-l2, and ingress-ipv4 consume a single bank, and groups like qos-ext, qos-policer, ingress-l2-ext, ingress-ipv4-ext, ingress-ipv4-qos, ingress-ipv6, ingress-ipv6-qos, egress-l2, and egress-ipv4 consume a bank pair.
An example of output when a single entry is created in hardware for qos-ext group on QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 10495 0 1 10496 2048 8448
In the above example, the dedicated entry count has increased to 2048 because a bank pair is allocated to the group. The capacity of the unallocated banks is calculated for the qos-ext group and counted under shared entries as 8448.
An example of the output when 2048 entries are created in hardware for the qos-ext group, and the ingress-l2 and ingress-ipv4-ext groups are enabled with no entries created on them, on a QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 8448 20 2048 10496 2048 8448
INGRESS L2 16896 0 0 16896 0 16896
INGRESS IPV4-EXT 8448 0 0 8448 0 8448
In the above example, note that the number of entries differs between the ingress-l2 and ingress-ipv4-ext groups, because the ingress-l2 group is a 160-bit wide group consuming only one bank at a time. The ingress-ipv4-ext group, on the other hand, is a 320-bit wide group consuming a bank pair at a time. With a bank pair already consumed by the qos-ext group, the ingress-ipv4-ext group gets a possible total of 8448 entries, in comparison to 10496 for the qos-ext group.
When the created entry count goes beyond the entries of the dedicated bank pair (or bank), the group is allocated another bank pair (or bank), and the shared pool count subsequently reduces across all other groups.
An example of output when 2049 entries are created in hardware for qos-ext group with ingress-l2 and ingress-ipv4-ext groups enabled with no entries created on those groups for QMX device is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 8447 20 2049 10496 4096 6400
INGRESS L2 12800 0 0 12800 0 12800
INGRESS IPV4-EXT 6400 0 0 6400 0 6400
When a bank is consumed by the ingress-l2 group, the effect on the qos-ext group is still the count of a full bank pair: the remaining bank of the pair is not usable by the qos-ext group even though it is available. That bank can be used by groups that consume a single bank.
An example of output when an entry is created in hardware for ingress-l2 group with qos-ext and ingress-ipv4-ext groups in the state as mentioned in above example is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 6399 24 2049 8448 4096 4352
INGRESS L2 12799 0 1 12800 2048 10752
INGRESS IPV4-EXT 4352 0 0 4352 0 4352
In the above example, note that the used entry percentage for the qos-ext group jumped from 20 to 24. This is the result of the drastic reduction in the total entry count caused by a bank moving from the shared pool to a dedicated bank.
The hardware does not optimize bank utilization when entries are removed from one of the banks. As a result, the used entry count can be less than the capacity of one bank while multiple banks remain dedicated to the group.
An extended example of above scenario with 10 entries removed from qos-ext group is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 6409 24 2039 8448 4096 4352
INGRESS L2 12799 0 1 12800 2048 10752
INGRESS IPV4-EXT 4352 0 0 4352 0 4352
Note that the used entry count has come down to 2039, which is less than the capacity of a bank pair, i.e. 2048. However, since the entries are spread across two bank pairs, both bank pairs remain dedicated. To recover a bank pair from the dedicated pool, all the entries must be deleted and re-created in hardware.
TCAM groups are further divided into sub-categories which can share the dedicated banks between the groups. TCAM groups such as ingress-l2, ingress-l2-ext, ingress-ipv4, ingress-ipv4-ext, ingress-ipv4-qos, qos, qos-ext, qos-policer are considered under default sub-category and don't serve IPv6 traffic. TCAM groups such as ingress-ipv6, ingress-ipv6-qos, and qos-ipv6 are meant for IPv6 traffic and are considered under IPv6 sub-category.
Only four 320-bit wide groups that belong to the same sub-category can be created. For the default sub-category, the number is limited to three because the system group is created by default.
When three default sub-category groups are created along with one group from the IPv6 sub-category, one of the default sub-category groups shares a bank pair with the IPv6 group. As a result, the dedicated count of each sharing group is shown reduced by the number of entries that the other sharing group is consuming. Every entry consumed by one group reduces the dedicated count of the other sharing group by the same number.
An example of above scenario is shown below:
#show hardware-profile filters
...
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
QOS-EXT 6399 0 1 6400 2048 4352
INGRESS IPV4-ACL-EXT 6398 0 2 6400 2048 4352
INGRESS IPV4-QOS 6382 0 1 6383 2031 4352
INGRESS IPV6-ACL 6382 0 17 6399 2047 4352
Note that ingress-ipv4-qos group has shared the resource with ingress-ipv6 group. TCAM group ingress-ipv4-qos has consumed 1 entry and ingress-ipv6 group has consumed 17 entries. Hence, dedicated count for ingress-ipv4-qos group is shown as 2031 (2048 - 17) and dedicated count for ingress-ipv6 group is shown as 2047 (2048 - 1).
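The accounting described in this section can be checked mechanically, which is useful when monitoring whether filter groups still have guaranteed room for new ACL entries. The following Python script is an added example, not part of OcNOS or of the original guide: it parses data rows of show hardware-profile filters output (here the page's QMX rows after 10 qos-ext entries were removed) and reports how many free entries are guaranteed and whether a bank is stranded. The names parse, audit, and unit are assumptions of this example; 2048 is the allocation step seen in the QMX outputs above.

```python
import re
from dataclasses import dataclass

# Rows copied from the page's QMX example taken after 10 entries were
# removed from the qos-ext group (header and border lines shortened).
SAMPLE = """\
#show hardware-profile filters
+--------------------+---------+-----+---------+-------+-----------+--------+
INGRESS-QOS-EXT 6409 24 2039 8448 4096 4352
INGRESS L2 12799 0 1 12800 2048 10752
INGRESS IPV4-EXT 4352 0 0 4352 0 4352
"""

# A data row is a group name (which may contain spaces) followed by six
# integers: free, used %, used, total, dedicated, shared.
ROW = re.compile(r"^\s*(\S.*?)((?:\s+\d+){6})\s*$")


@dataclass
class Group:
    name: str
    free: int
    pct: int
    used: int
    total: int
    dedicated: int
    shared: int

    @property
    def guaranteed_free(self) -> int:
        """Entries still available inside banks already dedicated to the group."""
        return max(self.dedicated - self.used, 0)


def parse(text: str) -> list[Group]:
    """Extract data rows; prompts, borders and header lines are skipped."""
    groups = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            groups.append(Group(m.group(1), *map(int, m.group(2).split())))
    return groups


def audit(text: str, unit: int = 2048) -> dict[str, list[str]]:
    """Return findings per group. `unit` is the entry count of one allocation
    step (2048 in the page's QMX examples; an assumption on other devices)."""
    findings = {}
    for g in parse(text):
        notes = []
        # Total = dedicated + shared, and free = total - used.
        if g.total != g.dedicated + g.shared or g.free != g.total - g.used:
            notes.append("inconsistent counters")
        if g.dedicated == 0:
            notes.append("no dedicated bank: all capacity is shared")
        # Free includes the shared pool, so only part of it is guaranteed.
        if g.free > g.guaranteed_free:
            notes.append(f"only {g.guaranteed_free} of {g.free} free entries guaranteed")
        # Banks are not compacted after deletions: a whole allocation step
        # can sit unused inside the dedicated count.
        if g.used and g.dedicated - g.used >= unit:
            notes.append("stranded bank: delete and re-create entries to reclaim")
        findings[g.name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE).items():
        print(name, "->", "; ".join(notes) or "ok")
```

On the sample rows, qos-ext is reported with 2057 guaranteed entries out of 6409 free and a stranded bank pair, while ingress-ipv4-ext has no guaranteed capacity at all because no bank is dedicated to it yet.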
Capacity of TCAM profiles
Entries created on other TCAM groups affect the capacity of a particular TCAM group. This dependency is explained in the section Operational details of TCAM profiles.
This section lists the maximum configurable entries per group when no entries are created on other groups.
 
Table 9-53: Maximum configurable entries
| TCAM Groups | QMX | QAX | QUX |
|---|---|---|---|
| ingress-l2 | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
| ingress-l2-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| ingress-ipv4 | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
| ingress-ipv4-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| ingress-ipv4-qos | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| ingress-ipv6 | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| ingress-ipv6-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| ingress-ipv6-ext-vlan | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| ingress-ipv6-qos | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| qos-ipv6 | 12288 (2048 x 6) | 5120 (1024 x 5) | 1792 |
| qos | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
| qos-ext | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| qos-policer | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| egress-l2 | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| egress-ipv4 | 10496 (2048 x 5 + 256 x 1) | 4352 (1024 x 4 + 256 x 1) | 1792 |
| cfm-domain-name-str | 20992 (2048 x 10 + 256 x 2) | 9728 (1024 x 9 + 256 x 2) | 3584 |
Combination of TCAM profiles
The device supports configuration of only one egress group in the system. Hence, out of the egress groups cfm-domain-name-str, egress-l2, and egress-ipv4, only one can be enabled.
In other words, a solution with CFM features enabled cannot have egress security filters.
Configuration of ingress groups is subject to the sub-category to which a group belongs. The sub-category of each group is shown below:
 
Table 9-54: Sub-category of groups
| Category | Groups in the category |
|---|---|
| default (ingress) | ingress-l2, ingress-l2-ext, ingress-ipv4, ingress-ipv4-ext, ingress-ipv4-qos, qos, qos-ext, qos-policer |
| IPv6 (ingress) | ingress-ipv6, ingress-ipv6-qos, qos-ipv6, ingress-ipv6-ext, ingress-ipv6-ext-vlan |
| default (egress) | egress-l2, egress-ipv4 |
| cfm (egress) | cfm-domain-name-str |
Note: Per sub-category, not more than three groups can be created if the group key size is 320 bits wide.
show nsm forwarding-timer
Use this command to display the information of Graceful Restart capable MPLS clients to NSM that are currently shutdown. Use the option LDP or RSVP to see the particular module information.
Command Syntax
show nsm (ldp| rsvp) forwarding-timer
Parameters
ldp
Use this parameter to display the protocol LDP information.
rsvp
Use this parameter to display the protocol RSVP information.
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 5.0.
Example
#sh nsm rsvp forwarding-timer
Protocol-Name GR-State Time Remaining (sec) Disconnected-time
RSVP ACTIVE 100 2021/08/18 04:49:23
#sh nsm ldp forwarding-timer
Protocol-Name GR-State Time Remaining (sec) Disconnected-time
LDP ACTIVE 111 2021/08/18 04:50:37
#sh nsm forwarding-timer
Protocol-Name GR-State Time Remaining (sec) Disconnected-time
LDP ACTIVE 110 2021/08/18 04:50:37
RSVP ACTIVE 96 2021/08/18 04:49:23
 
 
show queue remapping
Use this command to display the traffic class-to-hardware-queue mapping in hardware.
Command Syntax
show queue remapping
Parameters
N/A
Default
N/A
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
This command is only available on Qumran platforms.
Examples
When service-queue profile1 is set:
#show queue remapping
 
Port queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| 5 | 5 |
| 6 | 6 |
| 7 | 7 |
+------------+-----------------------+
 
Service queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 1 |
| 3 | 1 |
| 4 | 2 |
| 5 | 2 |
| 6 | 3 |
| 7 | 3 |
+------------+-----------------------+
When service-queue profile2 is set:
#show queue remapping
 
Port queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| 5 | 5 |
| 6 | 6 |
| 7 | 7 |
+------------+-----------------------+
 
Service queue remapping:
+------------+-----------------------+
| Queue/tc | hardware-queue |
+------------+-----------------------+
| 0 | 0 |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| 5 | 5 |
| 6 | 6 |
| 7 | 7 |
+------------+-----------------------+