Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.2.x
DDoS Mitigation Support on CGSE Commands

This module describes the commands used to configure and implement DDoS mitigation support on CGSE.

For detailed information about DDoS mitigation support concepts, configuration tasks, and examples, see the Implementing DDoS Mitigation Support on CGSE on Cisco IOS XR Software configuration module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.

application tms-mgmt

To specify and map the DDoS TMS management application with the management serviceApp interface, use the application tms-mgmt command in ddos-tms configuration mode. To remove the DDoS TMS management application, use the no form of this command.

application tms-mgmt [ interface ServiceApp <ID> ]

no application tms-mgmt [ interface ServiceApp <ID> ]

Syntax Description

interface ServiceApp ID

(Optional) Configures ServiceApp interface.

Command Default

None

Command Modes

ddos-tms configuration mode

Command History

Release Modification
Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation

basic-services

read, write

Examples

The following example shows how to specify the DDoS TMS management application:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0
RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1 
RP/0/RP0/CPU0:router(config-ddos-tms)# application tms-mgmt
RP/0/RP0/CPU0:router(config-tms-mgmt)#

Related Commands

Command

Description

service-type ddos-tms

Sets the service type as DDoS TMS.  

application tms-scrb

To specify and map the DDoS TMS Scrubber application with the ingress and the egress serviceApp interfaces, use the application tms-scrb command in ddos-tms configuration mode. To remove the DDoS TMS Scrubber application, use the no form of this command.

application tms-scrb [ map ingress-interface ServiceApp <ID> egress-interface ServiceApp <ID> ]

no application tms-scrb [ map ingress-interface ServiceApp <ID> egress-interface ServiceApp <ID> ]

Syntax Description

map ingress-interface ServiceApp <ID> egress-interface ServiceApp <ID>

(Optional) Maps the incoming interface and outgoing interface with the DDoS TMS Scrubber application.

Command Default

None

Command Modes

ddos-tms configuration mode

Command History

Release Modification
Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation

basic-services

read, write

Examples

The following example shows how to specify the DDoS TMS scrubber application:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0
RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1 
RP/0/RP0/CPU0:router(config-ddos-tms)# application tms-scrb
RP/0/RP0/CPU0:router(config-tms-scrb)#

Related Commands

Command

Description

service-type ddos-tms

Sets the service type as DDoS TMS.  

copy

To copy a file from a source (such as a network server) to a destination (such as a flash disk), use the copy command in EXEC or administration EXEC mode.

copy source { location node-id destination location { node-id | all } | running-config [atomic] }

Syntax Description

source

Filename including the directory path or network location of the file. The possible sources are:

directory-path —Directory path of the file from which the file is copied.

access-list { ipv4 | ipv6 }—Copies an access list (EXEC mode only).

bootflash: —Copies from the bootflash: file system.

compactflash: —Copies from the compactflash: file system.

compactflasha: —Copies from the compactflasha: file system partition.

disk0: —Copies from disk0: file system.

disk0a: —Copies from disk0a: file system partition.

disk1: —Copies from disk1: file system.

disk1a: —Copies from disk1a: file system partition.

flash: —Copies from the flash: file system. The flash: keyword is an alias for bootflash:.

ftp: —Copies from an FTP network server. The syntax is ftp:[[[//username [:password]@] location]/directory]/filename.

harddisk: —Copies from the hard disk drive file system (if present).

harddiska: —Copies from the hard disk partition a.

harddiskb: —Copies from the hard disk partition b.

nvram: —Copies from the NVRAM file system.

prefix-list {ipv4 | ipv6}—Copies from a prefix list (EXEC mode only).

rcp: —Copies from a remote copy protocol (rcp) network server. The syntax is rcp:[[[//username@]location]/directory]/filename.

running-config —Copies from the current system configuration.

tftp: —Copies from a TFTP network server. The syntax is tftp:[[//location]/directory]/filename.

xml-schema —Copies the XML schema files as a tar ball file (.tar.gz) [EXEC mode only].

destination

Filename including the directory path or network location of the file.

location node-id

Specifies a node. The node-id argument is expressed in the rack/slot/module notation.

location all

Copies to all nodes.

running-config

Applies the source configuration file to the running configuration of the system.

atomic

(Optional) Applies the changes to the running configuration only if there are no errors.

Command Default

No default behavior or values

Command Modes

EXEC

Administration EXEC

Command History

Releases

Modifications

Release 2.0

This command was introduced.

Release 3.2

The command was made available in administration EXEC mode.

Support was added to copy to a designated node or to all nodes. Hardware partition support was added.

Release 3.5.0

Support was added to copy XML schema files.

Release 3.6.0

The following file systems were added: disk0a: and disk1a:.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Source and destination can each be a configuration file, a text file, or a file system. Enter source and destination URL information, usernames, and passwords and issue the copy command. The networking device prompts for any missing information.

The exact format of the source and destination arguments varies according to the file or directory location. Enter the device or network location for the file system type.

Filenames can include the following characters:

! # $ % & ' + 0 1 2 3 4 5 6 7 8 9 ; @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ ] ^ _ a b c d e f g h i j k l m n o p q r s t u v w x y z { } ~

The following characters can be used with the stated limitations:

  • ` needs backslash before this character
  • – cannot be the first character
  • . cannot be the last character
  • = cannot be the filename without other characters

The following characters cannot be used in filenames:

" ( ) * , / : < > ? \ |

The maximum length allowed for a filename is 254 characters including the path. If a filename longer than 254 characters is specified, the filename is truncated to 254 characters.
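The filename rules above, written out as a checker. This is an added example, not Cisco code. It assumes that characters appearing in none of the three lists (a space, for instance) are rejected and that the "–" bullet refers to the ASCII hyphen; the names check_filename and find_truncation_collisions are made up for this example.

```python
import string

# Characters the page lists as usable without restriction.
ALLOWED = set(string.ascii_letters + string.digits + "!#$%&'+;@[]^_{}~")
# Characters the page lists as not usable in filenames.
FORBIDDEN = set('"()*,/:<>?\\|')
# Characters usable with positional limits (assumption: '-' is the ASCII hyphen).
LIMITED = set("-.=")
MAX_LEN = 254  # limit stated on the page, path included


def check_filename(name, directory=""):
    """Check one filename component against the rules quoted above.

    Returns (stored_path, problems). stored_path is directory + name cut to
    254 characters, which is what the page says happens to a longer name.
    problems lists every rule the name breaks (empty when it breaks none).
    """
    problems = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and name[i + 1:i + 2] == "`":
            i += 2  # escaped backtick: the one permitted use of a backslash
            continue
        if ch == "`":
            problems.append(f"backtick at index {i} needs a backslash before it")
        elif ch in FORBIDDEN:
            problems.append(f"forbidden character {ch!r} at index {i}")
        elif ch not in ALLOWED and ch not in LIMITED:
            problems.append(f"character {ch!r} at index {i} is not in the allowed list")
        i += 1
    if not name:
        problems.append("empty filename")
    if name.startswith("-"):
        problems.append("'-' cannot be the first character")
    if name.endswith("."):
        problems.append("'.' cannot be the last character")
    if name == "=":
        problems.append("'=' cannot be the whole filename")
    full = directory + name
    if len(full) > MAX_LEN:
        problems.append(f"{len(full)} characters with path: truncated to {MAX_LEN}")
    return full[:MAX_LEN], problems


def find_truncation_collisions(names, directory=""):
    """Group names that end up as the same stored path once truncated."""
    stored = {}
    for name in names:
        path, _ = check_filename(name, directory)
        stored.setdefault(path, []).append(name)
    return {path: group for path, group in stored.items() if len(group) > 1}


if __name__ == "__main__":
    # Constructed sample names, not taken from a real device.
    long_a = "a" * 250 + ".cfg"
    long_b = "a" * 250 + ".bak"
    for sample in ["comp-hfr-full.pie", "-backup.cfg", "router.", "a:b", "a`b", long_a]:
        print(repr(sample[:30]), check_filename(sample, "disk0:/")[1])
    print(find_truncation_collisions([long_a, long_b, "ok.cfg"], "disk0:/"))
```

The last call shows why the truncation rule matters for scripted backups: two distinct names that differ only after character 254 are stored under one path, so the second copy replaces the first.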

To copy a file from a source on the router to a destination on the router, specify a source location node-id and a destination location node-id. To copy the file to all nodes, use the location all keywords.

In the alias syntax for the ftp:, rcp:, and tftp: keywords, the location is either an IP address or a hostname. The filename is specified relative to the directory used for file transfers.

When no alias is specified, the networking device looks for a file in the current directory. To view the current directory, enter the pwd command.


Note


During processing of the copy command, you might see the “C” character. For all files being copied, “C” indicates that the copy process is taking place. The entire copying process might take several minutes and differs from protocol to protocol and from network to network.


Table 1 describes the network protocols supported by Cisco IOS XR software.

Table 1  Network Protocols Supported by Cisco IOS XR Software

Prefix

Name

Description

tftp:

Trivial File Transfer Protocol

TFTP is a simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

ftp:

File Transfer Protocol

FTP is an application protocol, part of the TCP/IP protocol stack, and is used for transferring files between network nodes. FTP requires a username and password.

rcp:

Remote Copy Protocol

The rcp protocol allows users to copy files to and from a file system residing on a remote host or server on the network. The rcp protocol uses TCP to ensure the reliable delivery of data. The rcp protocol downloads require a username.

Additional usage guidelines are in the following sections.

Invalid Combinations of Source and Destination

Some combinations of source and destination are invalid. Specifically, you cannot copy the following:

  • From a running configuration to a running configuration
  • From a network device to a network device (for example, copy ftp: rcp:)

Using TFTP

TFTP is a simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

The syntax is as follows:

copy tftp://hostname or ipaddress/directory-path/pie-name target-device [location {node-id | all}]

Example:
RP/0/RP0/CPU0:router# copy tftp://1.1.1.1/images/software.pie disk1:

Note


Some Cisco IOS XR images may be larger than 32 MB, and the TFTP services provided by some vendors may not support a file this large. If you do not have access to a TFTP server that supports files larger than 32 MB, download the software image using FTP or rcp as described in the following sections.


Using FTP

FTP servers require a username and password for each client request. Cisco IOS XR software sends the first valid username in the following list:

  1. The username and password specified in the copy command, if a username is specified. The syntax is as follows: copy ftp://username:password@hostname or ipaddress/directory-path/pie-name target-device [location {node-id | all}]
    Example:
    RP/0/RP0/CPU0:router# copy ftp://john:secret@10.1.1.1/images/software.pie disk1:
    
  2. An “anonymous” username and password. The anonymous password is “root@ip address,” where “ip address” is the IP address of the local networking device.
  3. A password “username@iosname.domain” formed by the networking device. The variable “username” is the username associated with the current session, “iosname” is the configured hostname, and “domain” is the domain of the networking device.

The username and password must be associated with an account on the FTP server. If you are writing to the network server, the FTP server must be properly configured to accept the FTP write request from the user on the networking device.

If the network server has a directory structure, the configuration file or image is written to or copied from the directory associated with the username on the network server. For example, if the system image resides in the home directory of a user on the network server, specify the name of that user as the remote username.

Refer to the documentation for your FTP server for more details.

Using rcp

The rcp protocol requires a username upon each request. When you copy a configuration file or image between the networking device and an rcp server, the Cisco IOS XR software sends the first valid username in the following list:

  1. The remote username specified in the copy command, if one is specified.
  2. The username set by the rcp client username command, if the command is configured.
  3. The networking device hostname.

For the rcp copy request to process successfully, an account must be defined on the network server for the remote username. If the network administrator of the destination server did not establish an account for the remote username, this command does not run successfully. If the network server has a directory structure, the configuration file or image is written to or copied from the directory associated with the remote username on the network server. For example, if the system image resides in the home directory of a user on the network server, specify the name of that user as the remote username.

If you are writing to the network server, the rcp server must be properly configured to accept the rcp write request from the user on the networking device. For UNIX systems, add an entry to the .rhosts file for the remote user on the rcp server. Suppose the networking device contains the following configuration lines:

hostname Rtr1
ip rcp remote-username User0
    

If the IP address of the networking device translates to company.com, then the .rhosts file for User0 on the rcp server should contain the following line:

company.com Rtr1
    

See the documentation for your rcp server for more details.

If you are using a personal computer as a file server, the computer must support remote shell (rsh) protocol.

Using xml-schema

Use the xml-schema keyword to obtain the most up-to-date XML schemas (.xsd files) from the router. Using this keyword is useful to prevent the use of outdated schemas in the event that router software updates include schema updates. The tar ball file includes all active schema files. It does not include schemas that are activated by specific package installation envelopes (PIEs) if those PIEs are not installed and activated on the router.

Copying to the Running Configuration

When you use the copy command to copy a configuration file to the running-config destination, the configuration in the file is applied to the running configuration of the system. This is a configuration operation. By default, the copy is carried out in a best-effort manner. This means that if some configuration lines from the file cannot be applied, the remaining configuration is still integrated into the system. In this case, a partial configuration is committed. When the atomic keyword is used, partial configurations are not committed. This means that even if one error occurs in the parsing or committing phase, no changes are made to the system. To view any errors when applying the configuration, use the show configuration failed command.

Task ID

Task ID

Operations

filesystem

execute

Examples

The following example shows how to copy a file from an FTP server to disk1:

RP/0/RP0/CPU0:router# copy ftp://john:secret@10.1.1.1/images/comp-hfr-full.pie disk1:



           

The following example shows how to copy a file from an rcp server to disk1:

RP/0/RP0/CPU0:router# copy rcp://john@10.1.1.1/images/comp-hfr-full.pie disk1:



  

The following example shows how to copy a file from a TFTP server to disk1:

RP/0/RP0/CPU0:router# copy tftp://10.1.1.1/images/comp-hfr-full.pie disk1:
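The copy forms above put the FTP password on the command line, use TFTP without client authentication, and apply a file to running-config best-effort unless atomic is given. The following added example (not Cisco code) parses the ftp:, rcp: and tftp: URL syntax from the Syntax Description and audits a saved command history for those cases, redacting any password it finds. The finding labels and function names are made up for this example, and the sample history is constructed from the commands shown on this page.

```python
import re

# URL forms from the copy syntax description on this page:
#   ftp:[[[//username[:password]@]location]/directory]/filename
#   rcp:[[[//username@]location]/directory]/filename
#   tftp:[[//location]/directory]/filename
URL_RE = re.compile(
    r"^(?P<scheme>ftp|rcp|tftp):"
    r"(?://(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?(?P<location>[^/]*))?"
    r"(?P<path>.*)$"
)
# A copy command, either bare or after a router prompt ending in '#'.
COPY_RE = re.compile(r"(?:^|#)\s*copy\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<rest>.*)$")


def parse_copy_url(arg):
    """Split a network source or destination into parts; None for local ones."""
    m = URL_RE.match(arg)
    return m.groupdict() if m else None


def audit_copy_line(line):
    """Return (redacted_line, findings) for one line of CLI history."""
    m = COPY_RE.search(line.strip())
    if not m:
        return line, []
    findings, redacted = [], line
    urls = [parse_copy_url(m.group("src")), parse_copy_url(m.group("dst"))]
    for url in urls:
        if url is None:
            continue
        if url["password"] is not None:
            # Password typed into the command: hide it before the line is stored.
            findings.append("password-in-command")
            redacted = redacted.replace(":" + url["password"] + "@", ":<redacted>@", 1)
        if url["scheme"] == "tftp":
            # Table 1: TFTP usually runs without client authentication.
            findings.append("unauthenticated-tftp")
        if url["scheme"] == "rcp":
            # rcp identifies the client by username (and .rhosts) only.
            findings.append("rcp-username-only")
    if all(urls):
        # Listed on the page as an invalid source/destination combination.
        findings.append("network-to-network")
    options = m.group("rest").split()
    if m.group("dst") == "running-config" and "atomic" not in options:
        # Best-effort apply: a partial configuration may be committed.
        findings.append("non-atomic-config-apply")
    return redacted, findings


def audit_history(lines):
    """Return [(line_number, redacted_line, findings)] for lines with findings."""
    report = []
    for number, line in enumerate(lines, start=1):
        redacted, findings = audit_copy_line(line)
        if findings:
            report.append((number, redacted, findings))
    return report


# Constructed history built from the command forms on this page.
SAMPLE_HISTORY = [
    "RP/0/RP0/CPU0:router# copy ftp://john:secret@10.1.1.1/images/comp-hfr-full.pie disk1:",
    "RP/0/RP0/CPU0:router# copy rcp://john@10.1.1.1/images/comp-hfr-full.pie disk1:",
    "RP/0/RP0/CPU0:router# copy tftp://10.1.1.1/images/comp-hfr-full.pie disk1:",
    "RP/0/RP0/CPU0:router# copy tftp://10.1.1.1/configs/edge.cfg running-config",
    "RP/0/RP0/CPU0:router# copy disk1:/edge.cfg running-config atomic",
    "RP/0/RP0/CPU0:router# copy ftp: rcp:",
]

if __name__ == "__main__":
    for number, redacted, findings in audit_history(SAMPLE_HISTORY):
        print(number, ", ".join(findings))
        print("   ", redacted)
```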



  

description (ddos-tms)

To create a description for the ddos-tms service, use the description command in DDoS TMS configuration mode. To delete the ddos-tms service description, use the no form of this command.

description string

no description

Syntax Description

string

Character string describing the ddos-tms service.

Command Default

None

Command Modes

DDoS TMS configuration mode

Command History

Release Modification
Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation

basic-services

read, write

Examples

The following example shows the creation of ddos-tms service description:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0
RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1 
RP/0/RP0/CPU0:router(config-ddos-tms)# description ddos TMS instance 1
RP/0/RP0/CPU0:router(config-ddos-tms)#

Related Commands

description (interface ServiceApp)

To create a description for the Service Application Interface, use the description command in Interface ServiceApp configuration mode. To delete the Service Application Interface description, use the no form of this command.

description string

no description

Syntax Description

string

Character string describing the Service Application Interface.

Command Default

None

Command Modes

Interface ServiceApp configuration mode

Command History

Release Modification
Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation

interface

read, write

Examples

The following example shows the creation of Service Application Interface description:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface ServiceApp 11
RP/0/RP0/CPU0:router(config-if)# description tms1 mgmt interface
RP/0/RP0/CPU0:router(config-if)# 

Related Commands

hw-module location

To configure various hardware attributes for a specific node, or for all nodes installed in the router, use the hw-module location command in EXEC or administration EXEC mode.

EXEC Mode hw-module location node-id { maintenance-mode | reload { path | warm } }

Administration EXEC Mode hw-module location node-id reload { path | warm }

Syntax Description

node-id

Node whose hardware attributes you want to configure. The node-id is expressed in the rack/slot/module notation.

Note   

Enter the show platform command to see the location of all nodes installed in the router.

maintenance-mode

Brings the node down and puts the node into maintenance mode.

reload

Resets power-cycle, reloads hardware, or both on a specific node.

path

Specific image you want to download onto the specific node or nodes. Replace path with the TFTP or disk path to the image you want to download.

warm

Specifies a warm reload of the node.

Command Default

No default behavior or values

Command Modes

EXEC

Administration EXEC

Command History

Release

Modification

Release 3.3.0

This command was introduced.

Release 3.4.0

The maintenance-mode keyword was added in EXEC mode.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

To reset a specific node, or to put a node into maintenance mode, use the hw-module location command in EXEC mode.

To reset a specific node or all nodes, use the hw-module location command in administration EXEC mode.


Note


Before reloading nodes, we recommend using the cfs check command to check the sanity of the configuration file system and attempt to recover from internal inconsistencies. You need to enter the cfs check command on each secure domain router (SDR) that has nodes impacted by the reload.


Task ID

Task ID

Operations

root-lr

execute (in EXEC mode)

sysmgr

execute (in EXEC mode and administration EXEC mode)

Examples

The following example shows how to reset the hardware on a specific node from EXEC mode:

RP/0/RP0/CPU0:router# hw-module location 0/1/CPU0 reload
  

The following example shows how to reset the hardware on a specific node from administration EXEC mode:

RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# hw-module location 0/3/CPU0 reload
       

hw-module service sesh location

To configure the service role as Service Engine Service Hosting (SESH) for the specified Carrier Grade Service Engine (CGSE) location, use the hw-module service sesh location command in global configuration mode. To remove SESH as the service role on the CGSE, use the no form of the command.

hw-module service sesh location node-id

no hw-module service sesh location node-id

Syntax Description

node-id

Location of the CGSE where you want to configure the service role as SESH. The node-id argument is entered in the rack/slot/interface notation.

Command Default

None

Command Modes

Global configuration

Command History

Release Modification

Release 4.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use this command to allow the CGSE to start the Network Positioning System (NPS) service on the Cisco CRS router.

Task ID

Task ID Operation

root-lr

read, write

Examples

This example shows how to set the service role as SESH on the CGSE.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# hw-module service sesh location 0/3/CPU0
RP/0/RP0/CPU0:router(config)# 

Related Commands

Command

Description

show running-config

Displays the current running (active) configuration.  

interface ServiceApp

To enable the application SVI interface, use the interface ServiceApp command in global configuration mode. To disable a particular service application interface, use the no form of this command.

interface ServiceApp value

no interface ServiceApp value

Syntax Description

value

Total number of service application interfaces to be configured. Range is from 1 to 2000.

Command Default

None

Command Modes

Global configuration

Command History

Release

Modification

Release 3.9.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The total number of service application interfaces per multi-service PLIM card cannot exceed 889.


Note


The name of each serviceapp interface is serviceapp n, where n can be a number from 1 to 2000.


Task ID

Task ID

Operations

interface

read, write

Examples

This example shows how to configure a DDoS TMS service application interface:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface ServiceApp 1
RP/0/RP0/CPU0:router(config-if)# service sesh sesh1

interface ServiceInfra

To enable the infrastructure SVI interface, use the interface ServiceInfra command in global configuration mode. To disable a particular service infrastructure interface, use the no form of this command.

interface ServiceInfra value

no interface ServiceInfra value

Syntax Description

value

Total number of service infrastructure interfaces to be configured. Range is from 1 to 2000.

Command Default

None

Command Modes

Global configuration

Command History

Release

Modification

Release 3.9.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Only one service infrastructure interface can be configured per ISM.


Note


The Infra SVI interface and its IPv4 address configuration are required to boot the CGSE. The IPv4 address is used as the source address of the netflow v9 logging packet.


Task ID

Task ID

Operations

interface

read, write

Examples

This example shows how to configure one service infrastructure interface:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface ServiceInfra 1
RP/0/RP0/CPU0:router(config-if)# ipv4 address 3.1.1.1 255.255.255.248
RP/0/RP0/CPU0:router(config-if)# service-location 0/1/CPU0

map (tms-scrb)

To map the DDoS TMS Scrubber application with the offramp and onramp serviceApp interfaces, use the map command in tms-scrb configuration mode. To remove the map, use the no form of the command.

map ingress-interface ServiceApp <ID> egress-interface ServiceApp <ID>

no map ingress-interface ServiceApp <ID> egress-interface ServiceApp <ID>

Syntax Description

ID

Specifies the ServiceApp interface by number. Range is from 1 to 2000.

Command Default

None

Command Modes

tms-scrb configuration mode

Command History

Release Modification
Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation
basic-services

read, write

Examples

The following example shows how to map the DDoS TMS Scrubber application with the offramp and onramp serviceApp interfaces:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0
RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1 
RP/0/RP0/CPU0:router(config-ddos-tms)# application tms-scrb
RP/0/RP0/CPU0:router(config-tms-scrb)# map ingress-interface ServiceApp 21 egress-interface ServiceApp 22
RP/0/RP0/CPU0:router(config-tms-scrb)#

Related Commands

package

To add the TMS–CGSE RPM image to a specific Service Engine Service Hosting (SESH) instance, use the package command in DDoS TMS configuration mode.

package package name

Syntax Description

package name

Specifies the name of the TMS–CGSE RPM image that you want to run on a SESH instance.

Note   

The TMS–CGSE RPM image must be in the tftp_root directory.

Command Default

None

Command Modes

DDoS TMS

Command History

Release Modification

Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

It takes approximately 10 minutes for the application to start executing after committing the configuration.

Task ID

Task ID Operation

basic-services

read, write

Examples

This example shows how to add the TMS–CGSE RPM image to the specified SESH instance.

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1
RP/0/RP0/CPU0:router(config-ddos-tms)# package tms-cgse.rpm
RP/0/RP0/CPU0:router

Related Commands

Command

Description

service sesh

Configures the service hosting instance.  

remote (tms-mgmt)

To configure remote endpoint parameters, use the remote command in the TMS-MGMT application ServiceApp interface configuration mode. To remove the remote endpoint parameters, use the no form of the command.

remote { ipv4 { address } A.B.C.D/prefix | ipv6 { address } X:X::X/length }

no remote { ipv4 { address } A.B.C.D/prefix | ipv6 { address } X:X::X/length }

Syntax Description

ipv4 address

Specifies IPv4 address of the remote endpoint.

ipv6 address

Specifies IPv6 address of the remote endpoint.

A.B.C.D/prefix

IPv4 address and prefix in A.B.C.D/prefix notation.

X:X::X/length

IPv6 address and prefix in X:X::X/length notation.

Command Default

None

Command Modes

TMS-MGMT application ServiceApp interface configuration mode

Command History

Release Modification
Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation
basic-services

read, write

Examples

The following example shows how to configure remote endpoint parameters:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0
RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1 
RP/0/RP0/CPU0:router(config-ddos-tms)# application tms-mgmt
RP/0/RP0/CPU0:router(config-tms-mgmt)# interface ServiceApp11
RP/0/RP0/CPU0:router(config-intf)# remote ipv4 address 10.10.76.17/29
RP/0/RP0/CPU0:router(config-intf)#

Related Commands

service-location (Serviceinfra)

To specify the SESH service location of CGSE, use the service-location command in Interface ServiceInfra configuration mode. To remove the SESH service location specification, use the no form of the command.

service-location node-id

no service-location node-id

Syntax Description

node-id
The CGSE node location in which the service role is configured as SESH. The node-id is expressed in the rack/slot/module notation.
Note   

Use the show platform command to view the location of all nodes installed in the router.

Command Default

None

Command Modes

Interface ServiceInfra configuration mode

Command History

Release Modification
Release 3.9.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Only one service infrastructure interface can be configured per CGSE.

Task ID

Task ID Operation
basic-services

read, write

Examples

The following example shows how to specify the SESH service location of CGSE:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface ServiceInfra 1
RP/0/RP0/CPU0:router(config-if)# service-location 0/1/CPU0
RP/0/RP0/CPU0:router(config-if)#

service-location preferred-active (SESH)

To specify the CGSE card location for the SESH instance, use the service-location preferred-active command in SESH configuration mode. To remove the SESH instance location specification, use the no form of the command.

service-location preferred-active node-id

no service-location preferred-active node-id

Syntax Description

preferred-active node-id
Specifies the location in which the active TMS application starts. The node-id argument is entered in the rack/slot/module notation.
Note   

Only one active card is supported with no failover.

Command Default

None

Command Modes

SESH configuration mode

Command History

Release Modification
Release 3.9.1

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation
basic-services

read, write

Examples

The following example shows how to specify the CGSE card location for the SESH instance:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0

Related Commands

Command

Description

service-type ddos-tms

Sets the service type as DDoS TMS.  

service sesh

To configure the Service Engine Service Hosting (SESH) instance, use the service sesh command in global configuration mode.

service sesh instance-name

Syntax Description

instance-name

Specifies the name of the service hosting instance on the Carrier Grade Service Engine (CGSE).

Command Default

None

Command Modes

Global configuration

Command History

Release Modification

Release 4.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation

basic-services

read, write

Examples

This example shows how to configure a SESH instance:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh instance1
RP/0/RP0/CPU0:router(config)#

Related Commands

Command

Description

show running-config

Displays the current running (active) configuration.  

service-type ddos-tms

To set the service type as DDoS TMS, use the service-type ddos-tms command in SESH configuration mode. To remove the DDoS TMS service type, use the no form of the command.

service-type ddos-tms TMS-name

no service-type ddos-tms TMS-name

Syntax Description

TMS-name

Assigns a name to the DDoS TMS service type.

Command Default

None

Command Modes

SESH configuration mode

Command History

Release Modification
Release 4.2.3

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation
basic-services

read, write

Examples

The following example shows how to set the service type as DDoS TMS:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# service sesh sesh1
RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0
RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1
RP/0/RP0/CPU0:router(config-ddos-tms)# 

Related Commands

Command

Description

service-location preferred-active (SESH)

Specifies the CGSE card location for the SESH instance.  

show controllers services boot-params location

To display the parameters for the Carrier Grade Service Engine (CGSE) card, use the show controllers services boot-params location command in the EXEC mode.

show controllers services boot-params location node-id

Syntax Description

node-id

Location of the CGSE for which you want to display parameters. The node-id argument is entered in the rack/slot/interface notation.

Command Default

None

Command Modes

EXEC

Command History

Release Modification

Release 4.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation

sonet-sdh

read

dwdm

read

interface

read

drivers

read

Examples

This example shows sample output of the parameters for the CGSE card:

RP/0/RP0/CPU0:router# show controllers services boot-params location 0/3/CPU0
Tue Mar  6 13:58:28.676 PST
=============================================
               Boot Params 
=============================================

Phase of implementation  : 1 
Application              : SESH

MSC ipv4 address       : 192.0.2.1
Octeon0 SVC IPv4 addr    : 192.0.2.3 
Octeon1 SVC IPv4 addr    : 192.0.2.4 
Octeon2 SVC IPv4 addr    : 192.0.2.5 
Octeon3 SVC IPv4 addr    : 192.0.2.6 
ipv4 netmask             : 255.255.255.0

MSC ipv6 address         : ::
Octeon ipv6 address      : ::
ipv6 netmask             : ::

Tx uidb index            : 1 
Rx uidb index            : 1 
 
SVI VRF Name     : DUMMY_VRF_NAME    index 1610612736 

Domain Name       :   

MAC 0 : 00:15:63:58:bd:10   
MAC 1 : 00:15:63:58:bd:11   
MAC 2 : 00:15:63:58:bd:12   
MAC 3 : 00:15:63:58:bd:13   

Rack# : 0 
Slot# : 3 
Tile# : 0 

show running-config

To display the contents of the currently running configuration or a subset of that configuration, use the show running-config command in the appropriate mode.

show running-config [ [exclude] command ] [sanitized]

Syntax Description

exclude

(Optional) Excludes a specific configuration from the display.

command

(Optional) Command for which to display the configuration.

sanitized

(Optional) Displays a sanitized configuration for safe distribution and analysis.

Command Default

The show running-config command without any arguments or keywords displays the entire contents of the running configuration file.

Command Modes

EXEC

Administration EXEC

Any configuration

Command History

Release

Modification

Release 2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

You can display either the entire running configuration, or a subset of the running configuration. The subset may be all the commands within a specified command mode.


Note


In Cisco IOS XR software, the running configuration is automatically used at system startup, reset, or power cycle. The running configuration is the committed configuration.


Sanitized Output

Use the show running-config command with the sanitized keyword to display the contents of the active running configuration without installation-specific parameters. Some configuration details, such as IP addresses, are replaced with different addresses. The sanitized configuration can be used to share a configuration without exposing the configuration details.

Command Modes

When the show running-config command is entered in administration configuration mode, the configuration for the administration plane is displayed, including the configured logical routers for the system. When the show running-config command is entered in any global configuration mode, or in EXEC mode, the configuration for the specific secure domain router (SDR) is displayed.

The inheritance and no-annotations keywords are not supported in administration EXEC or configuration modes.

Excluding Parts of the Display

Use the exclude keyword followed by a command argument to exclude a specific configuration from the display.

Task ID

Task ID

Operations

config-services

read

Examples

This example shows how to enter the show running-config command with the question mark (?) online help function to list the subsets of the running configuration that can be displayed:

RP/0/RP0/CPU0:router# show running-config ?
  
aaa               Authentication, Authorization and Accounting
alias             Create an alias for entity
aps               Configure SONET Automatic Protection Switching (APS)
arp               Global ARP configuration subcommands
as-path           BGP autonomous system path filter
as-path-set       Define an AS-path set
banner            Define a login banner
cdp               Enable CDP, or configure global CDP subcommands
cef               CEF configuration commands
cinetd            Global Cisco inetd configuration commands
class-map         Configure QoS Class-map command
clock             Configure time-of-day clock
community-list    Add a community list entry
community-set     Define a community set
controller        Controller configuration subcommands
dhcp              Dynamic Host Configuration Protocol
domain            Domain service related commands
exception         Coredump configuration commands
exclude           Exclude a feature or configuration item from display
explicit-path     Explicit-path config commands
extcommunity-set  Define an extended communitiy set
fault             Fault related commands
forward-protocol  Controls forwarding of physical and directed IP broadcasts
ftp               Global FTP configuration commands
--More--
  

In this example, the show running-config command is used to display the running configuration for Packet-over-SONET/SDH (POS) interface 0/2/0/1:

RP/0/RP0/CPU0:router# show running-config interface pos 0/2/0/1
  
interface POS0/2/0/1
ipv4 address 10.0.0.0 255.0.0.0  
  

This example shows sample output from the show running-config command with the sanitized keyword, which displays a sanitized version of the running configuration. The sanitized configuration can be used to share a configuration without exposing specific configuration details.

RP/0/RP0/CPU0:router# show running-config sanitized                                              

Building configuration...                         
  
!! Last configuration change at 05:26:50 UTC Thu Jan 19 2009 by <removed>
!
snmp-server traps fabric plane
snmp-server traps fabric bundle state
hostname <removed>
line console
exec-timeout 0 0
!
exception choice 1 compress off filepath <removed>
logging console debugging
telnet vrf <removed> ipv4 server max-servers no-limit
snmp-server ifindex persist
snmp-server host 10.0.0.1 traps version <removed> priv <removed> udp-port 2555
snmp-server view <removed> <removed> included
snmp-server community <removed> RO LROwner
snmp-server community <removed> RO LROwner
snmp-server group <removed> v3 priv read <removed> write <removed>
snmp-server traps snmp
snmp-server traps syslog
interface Loopback10
!
interface Loopback1000
!
 --More--  
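
The following Python check is an added example, not part of the Cisco documentation: before a configuration is shared, it confirms that the fields shown as <removed> in the sanitized sample above are masked and lists the IPv4 literals that remain for review. The field list is an assumption drawn from that sample only, and the name lint_sanitized and the unmasked community value are constructed for illustration.

```python
import re

# Fields that appear as "<removed>" in the sanitized sample on this page.
# Assumption: this list is derived from that sample only; it is not Cisco's
# specification of what the sanitized keyword masks.
MASKED_FIELDS = [
    ("hostname", re.compile(r"^hostname\s+(\S+)")),
    ("snmp community", re.compile(r"^snmp-server community\s+(\S+)")),
    ("snmp group", re.compile(r"^snmp-server group\s+(\S+)")),
    ("snmp view", re.compile(r"^snmp-server view\s+(\S+)")),
    ("telnet vrf", re.compile(r"^telnet vrf\s+(\S+)")),
    ("exception filepath", re.compile(r"\bfilepath\s+(\S+)")),
    ("last change user", re.compile(r"^!! Last configuration change .* by\s+(\S+)")),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def lint_sanitized(config_text):
    """Return (unmasked, addresses): unmasked holds (line_no, field, value) for
    fields that still carry a literal value; addresses holds (line_no, ip) for
    every IPv4 literal, since sanitized output substitutes addresses."""
    unmasked, addresses = [], []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for field, pattern in MASKED_FIELDS:
            m = pattern.search(line)
            if m and m.group(1) != "<removed>":
                unmasked.append((no, field, m.group(1)))
        addresses.extend((no, a) for a in IPV4.findall(line))
    return unmasked, addresses

# Constructed input: lines in the style of the sample output above, with the
# last community line deliberately left unmasked (value invented for the test).
SAMPLE = """\
!! Last configuration change at 05:26:50 UTC Thu Jan 19 2009 by <removed>
hostname <removed>
snmp-server host 10.0.0.1 traps version <removed> priv <removed> udp-port 2555
snmp-server community <removed> RO LROwner
snmp-server community EXAMPLE-STRING RO LROwner
"""

if __name__ == "__main__":
    bad, addrs = lint_sanitized(SAMPLE)
    for no, field, _value in bad:      # the value itself is never echoed
        print(f"line {no}: {field} not masked")
    for no, addr in addrs:
        print(f"line {no}: review address {addr}")
```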
  

This example shows sample output for the SESH on the Carrier Grade Service Engine (CGSE).

RP/0/RP0/CPU0:router# show running-config service sesh
Thu Mar  1 13:06:45.023 PST
service sesh instance1
 service-location preferred-active 0/3/CPU0
 service-type nps nps-1
  forced-placement npu 0
  tunnel type gre
   name gre10
   tunnel-destination ipv4 address 209.165.200.225
   ipv4 address 192.0.2.6/24
   remote ipv4 address 192.0.2.5/24
   tunnel-source ipv4 address 209.165.200.226
  !
  package nps-mips64-r2.rpm
  interface ServiceApp1
   remote ipv4 address 209.165.200.227/24
  !
 !
!

show service sesh instance

To display the state of the service application, use the show service sesh instance command in the EXEC mode.

show service sesh instance name of instance

Syntax Description

name of instance

Specifies the name of the Service Engine Service Hosting (SESH) instance.

Command Default

None

Command Modes

EXEC

Command History

Release Modification

Release 4.2.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID Operation

ic-services

read

Examples

This example shows the state of an SESH instance.

RP/0/RP0/CPU0:router# show service sesh instance instance1
service sesh instance instance1 

Service Infra instance sesh1 

Application tms1 hosted on Location 0/3/CPU0 

Octeon 0 

State - UP - Application Spawned and Service App Interfaces Ready 

Error Messages - None 

Table 2 show service sesh instance Command Field Descriptions
Field Description

State

Displays the state of the application. Values are:
  • INIT—Application configuration download is initiated.
  • WAITING—Application download is complete, but the service application interface is not ready.
  • UP—Application download is complete, and the service application interface is ready.

Error Messages

Displays error messages if the service application is missing or not configured.
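
The following Python parser is an added example, not part of the Cisco documentation: it reads show service sesh instance output in the layout of the sample above and reports any Octeon that is not in the UP state or that carries an error message, using the State values from the field-description table. The function names, the abridged sample text, and the handling of several Octeons per card are assumptions for illustration.

```python
import re

# State values listed in the field-description table for this command.
KNOWN_STATES = {"INIT", "WAITING", "UP"}

def parse_sesh_instance(output):
    """Parse 'show service sesh instance' text laid out like the sample above.
    Assumption: a card reporting several Octeons repeats the
    'Octeon N' / 'State' / 'Error Messages' group once per Octeon."""
    result = {"application": None, "location": None, "octeons": []}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"Application (\S+) hosted on Location (\S+)", line):
            result["application"], result["location"] = m.groups()
        elif m := re.match(r"Octeon (\d+)$", line):
            current = {"octeon": int(m.group(1)), "state": None, "errors": None}
            result["octeons"].append(current)
        elif current and (m := re.match(r"State - (\S+)", line)):
            current["state"] = m.group(1)
        elif current and (m := re.match(r"Error Messages - (.*)$", line)):
            current["errors"] = None if m.group(1) == "None" else m.group(1)
    return result

def sesh_problems(parsed):
    """Return reasons the instance is not ready; an empty list means every
    Octeon is UP and reports no error messages."""
    problems = []
    if not parsed["octeons"]:
        problems.append("no Octeon state found in output")
    for o in parsed["octeons"]:
        if o["state"] not in KNOWN_STATES:
            problems.append(f"Octeon {o['octeon']}: unrecognized state {o['state']!r}")
        elif o["state"] != "UP":
            problems.append(f"Octeon {o['octeon']}: state {o['state']}")
        if o["errors"]:
            problems.append(f"Octeon {o['octeon']}: {o['errors']}")
    return problems

# Abridged sample output from this page, then a constructed not-ready variant.
UP_OUTPUT = """\
Application tms1 hosted on Location 0/3/CPU0
Octeon 0
State - UP - Application Spawned and Service App Interfaces Ready
Error Messages - None
"""
WAITING_OUTPUT = UP_OUTPUT.replace(
    "UP - Application Spawned and Service App Interfaces Ready", "WAITING")

if __name__ == "__main__":
    for text in (UP_OUTPUT, WAITING_OUTPUT):
        print(sesh_problems(parse_sesh_instance(text)) or "ready")
```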

Related Commands

Command

Description

service sesh

Configures the service hosting instance.  

show services role

To display the current service role on service cards, use the show services role command in EXEC mode.

show services role [detail] [ location node-id ]

Syntax Description

detail

Displays the reason a role has not been enacted, if applicable.

location node-id

Location for which to display the specified information. The node-id argument is entered in the rack/slot/module notation.

Command Default

No default behavior or values

Command Modes

EXEC

Command History

Release

Modification

Release 3.5.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Operations

interface

read

Examples

This example displays sample output from the show services role command:

RP/0/RP0/CPU0:router# show services role
Thu Mar  1 14:53:55.530 PST
Node       Configured Role     Enacted Role        Enabled Services
-----------------------------------------------------------------------------
0/3/CPU0   SESH                SESH                 ServiceInfra 
  

vrf

To configure a VPN routing and forwarding (VRF) instance for a routing protocol, use the vrf command in router configuration mode. To place a service interface in VRF, use the command in Service Application Interface mode. To disable the VRF instance, use the no form of this command.

vrf vrf-name

no vrf vrf-name

Syntax Description

vrf-name

Name of the VRF instance. The following names cannot be used: all, default, and global.

Command Default


Note


The number of supported VRFs is platform specific.


All routing protocols insert their routes into a VRF's routing table.

Command Modes

Router configuration

Service Application Interface configuration

Command History

Release

Modification

Release 3.3.0

This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID

Operations

ip services (Router Configuration mode)

read, write

interface (Service Application Interface configuration mode)

read, write

Examples

The following example shows how to configure VRF using the vrf command:

RP/0/RP0/CPU0:router# config
RP/0/RP0/CPU0:router(config)# vrf client