rule(:undocumented) do s( any ) end rule(:key_attribute_long_type) do arg.as(:arg) end rule(:key_attribute_string_type) do arg.as(:arg) end rule(:key_attribute_ulong_type) do arg.as(:arg) end rule(:filename) do arg.as(:arg) end rule(:client_filename) do arg.as(:arg) end rule(:hostname) do arg.as(:arg) end rule(:ipaddr) do arg.as(:arg) end rule(:sysid) do arg.as(:arg) end rule(:interface_device) do arg.as(:arg) end rule(:bits) do arg.as(:arg) end rule(:isoaddr) do arg.as(:arg) end rule(:ipprefix) do arg.as(:arg) end rule(:ipprefix_mandatory) do arg.as(:arg) end rule(:interface_unit) do arg.as(:arg) end rule(:ipaddr_or_interface) do arg.as(:arg) end rule(:areaid) do arg.as(:arg) end rule(:interface_name) do arg.as(:arg) end rule(:community) do arg.as(:arg) end rule(:interface_wildcard) do arg.as(:arg) end rule(:unreadable) do arg.as(:arg) end rule(:ipprefix_optional) do arg.as(:arg) end rule(:policy_algebra) do arg.as(:arg) end rule(:regular_expression) do arg.as(:arg) end rule(:group_glob) do arg.as(:arg) end rule(:atm_vci) do arg.as(:arg) end rule(:ipprefix_only) do arg.as(:arg) end rule(:ipv4addr) do arg.as(:arg) end rule(:ipv4prefix) do arg.as(:arg) end rule(:ipv4prefix_mandatory) do arg.as(:arg) end rule(:ipv4addr_or_interface) do arg.as(:arg) end rule(:ipv4prefix_optional) do arg.as(:arg) end rule(:ipv4prefix_only) do arg.as(:arg) end rule(:ipv6addr) do arg.as(:arg) end rule(:ipv6prefix) do arg.as(:arg) end rule(:ipv6prefix_mandatory) do arg.as(:arg) end rule(:ipv6addr_or_interface) do arg.as(:arg) end rule(:ipv6prefix_optional) do arg.as(:arg) end rule(:ipv6prefix_only) do arg.as(:arg) end rule(:interface_device_wildcard) do arg.as(:arg) end rule(:interface_unit_wildcard) do arg.as(:arg) end rule(:time) do arg.as(:arg) end rule(:mac_addr) do arg.as(:arg) end rule(:mac_addr_prefix) do arg.as(:arg) end rule(:mac_unicast) do arg.as(:arg) end rule(:mac_unicast_prefix) do arg.as(:arg) end rule(:mac_multicast) do arg.as(:arg) end rule(:mac_multicast_prefix) do arg.as(:arg) end rule(:mpls_label) do arg.as(:arg) end rule(:float) do arg.as(:arg) end rule(:unsigned_float) do arg.as(:arg) end rule(:isoprefix) do arg.as(:arg) end rule(:isosysid) do arg.as(:arg) end rule(:interface_range_wild) do arg.as(:arg) end rule(:fc_addr) do arg.as(:arg) end rule(:wwn) do arg.as(:arg) end rule(:logfilename) do arg.as(:arg) end rule(:esi) do arg.as(:arg) end rule(:typedef) do arg.as(:arg) end rule(:time_of_day) do arg.as(:arg) end rule(:date) do arg.as(:arg) end rule(:configuration) do c( "rcsid" arg /* Revision control system identifier */, "version" arg /* Software version information */, "groups" ( /* Configuration groups */ s( any ) ), "system" ( /* System parameters */ juniper_system /* System parameters */ ), "dynamic-profiles" ( /* Dynamic profiles configuration */ juniper_dynamic_profile_object /* Dynamic profiles configuration */ ), "logical-systems" ( /* Logical systems */ juniper_logical_system /* Logical systems */ ), "chassis" ( /* Chassis configuration */ chassis_type /* Chassis configuration */ ), "services" ( /* Set services parameters */ c( "analytics" /* Traffic analytics configuration options */, "jinsightd" /* Health Monitoring services */, "captive-portal-content-delivery" /* Configuration for captive portal and content delivery service */, "dynamic-flow-capture" /* Configure Dynamic Flow Capture parameters */, "flow-tap" /* Configure flow-tap parameters */, "radius-flow-tap" /* Configure radius triggered flow-tap parameters */, "mobile-flow-tap" /* Configure mobile triggered flow-tap parameters */, "flow-monitoring" ( /* Configure flow monitoring */ c( "version9" ( /* Version 9 configuration */ c( "template" ( /* One or more version 9 templates */ version9_template /* One or more version 9 templates */ ) ) ), "version-ipfix" ( /* Version IP-Fix configuration */ c( "template" ( /* One or more version ip-fix templates */ version_ipfix_template /* One or more version ip-fix templates */ ) ) ) ) ), "jdaf" ( /* Juniper distributed application framework (JDAF) */ c( "routing-instances" arg /* List of routing-instance name for JDAF clients */ ) ), "rpm" ( /* Real-time performance monitoring */ c( "traceoptions" ( /* RMOPD trace options */ rmopd_traceoptions /* RMOPD trace options */ ), "bgp" ( /* BGP options for real-time performance monitoring */ c( "probe-type" ( /* RPM-BGP probe request type */ ("icmp-ping" | "icmp-ping-timestamp" | "icmp6-ping" | "tcp-ping" | "udp-ping" | "udp-ping-timestamp") ), "probe-count" arg /* Total number of probes per test */, "probe-interval" arg /* Delay between probes */, "test-interval" arg /* Delay between tests */, "destination-port" arg /* TCP/UDP port number */, "history-size" arg /* Number of stored history entries */, "moving-average-size" arg /* Number of samples used for moving average */, "data-size" arg /* Size of the data portion of the probes */, "data-fill" arg /* Define contents of the data portion of the probes */, "ttl" arg /* Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet */, "logical-system" ( /* Logical systems */ bgp_logical_system /* Logical systems */ ), "routing-instances" ( /* Routing instances */ bgp_routing_instances /* Routing instances */ ) ) ), "probe" arg ( /* TCP/UDP/ICMP ping */ c( "delegate-probes" /* Offload real-time performance monitoring probes to MS-MIC/MS-MPC card */, "test" arg ( /* TCP/UDP/ICMP/ICMP6 ping test */ c( "rpm-scale" ( /* Configuring real-time performance monitoring scale tests */ c( "tests-count" arg /* Number of probe-tests generated using scale config */, c( "target" ( /* Target address generation for scale test config */ c( "address-base" ( /* Base address of target host in a.b.c.d format */ ipv4addr /* Base address of target host in a.b.c.d format */ ), "step" ( /* Steps to increment target address in a.b.c.d format */ ipv4addr /* Steps to increment target address in a.b.c.d format */ ), "count" arg /* Target address count */ ) ), "target-inet6" ( /* IPv6 target address generation for scale test config */ c( "address-base" ( /* Base address of target host in a:b:c:d:e:f:g:h format */ ipv6addr /* Base address of target host in a:b:c:d:e:f:g:h format */ ), "step" ( /* Steps to increment target address in a:b:c:d:e:f:g:h format */ ipv6addr /* Steps to increment target address in a:b:c:d:e:f:g:h format */ ), "count" arg /* Target address count */ ) ) ), c( "source" ( /* Source address generation in scale tests */ c( "address-base" ( /* Base address of host in a.b.c.d format */ ipv4addr /* Base address of host in a.b.c.d format */ ), "step" ( /* Steps to increment src address in a.b.c.d format */ ipv4addr /* Steps to increment src address in a.b.c.d format */ ), "count" arg /* Source-address count */ ) ), "source-inet6" ( /* IPv6 source address generation in scale tests */ c( "address-base" ( /* Base address of host in a:b:c:d:e:f:g:h format */ ipv6addr /* Base address of host in a:b:c:d:e:f:g:h format */ ), "step" ( /* Steps to increment src address in a:b:c:d:e:f:g:h format */ ipv6addr /* Steps to increment src address in a:b:c:d:e:f:g:h format */ ), "count" arg /* Source-address count */ ) ) ), "destination" ( /* Name of output interface for probes */ c( "interface" ( /* Base destination interface for scale test */ interface_name /* Base destination interface for scale test */ ), "subunit-cnt" arg /* Subunit count for destination interface for scale test */ ) ) ) ), "probe-type" ( /* Probe request type */ ("http-get" | "http-metadata-get" | "icmp-ping" | "icmp-ping-timestamp" | "icmp6-ping" | "tcp-ping" | "udp-ping" | "udp-ping-timestamp") ), "target" ( /* Target destination for probe */ sc( c( "address" ( /* Address of target host */ ipv4addr /* Address of target host */ ), "inet6-address" ( /* Inet6 Address of target host */ ipv6addr /* Inet6 Address of target host */ ), "url" arg /* Fully formed target URL */, "inet6-url" arg /* Fully formed target IPV6 URL */ ) ) ).as(:oneline), "inet6-options" ( /* IPV6 related options */ c( "source-address" ( /* Inet6 Source Address of the probe */ ipv6addr /* Inet6 Source Address of the probe */ ) ) ), "probe-count" arg /* Total number of probes per test */, "probe-interval" arg /* Delay between probes */, "test-interval" arg /* Delay between tests */, "destination-port" arg /* TCP/UDP port number */, "source-address" ( /* Source address for probe */ ipv4addr /* Source address for probe */ ), "routing-instance" arg /* Routing instance used by probes */, "history-size" arg /* Number of stored history entries */, "moving-average-size" arg /* Number of samples used for moving average */, "dscp-code-points" arg /* Differentiated Services code point bits or alias */, "data-size" arg /* Size of the data portion of the probes */, "data-fill" arg /* Define contents of the data portion of the probes */, "ttl" arg /* Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet */, "thresholds" ( /* Probe and test threshold values. Set 0 to disable respective threshold */ c( "successive-loss" arg /* Successive probe loss count indicating probe failure */, "total-loss" arg /* Total probe loss count indicating test failure */, "rtt" arg /* Maximum round trip time per probe */, "jitter-rtt" arg /* Maximum jitter per test */, "std-dev-rtt" arg /* Maximum standard deviation per test */, "egress-time" arg /* Maximum source to destination time per probe */, "ingress-time" arg /* Maximum destination to source time per probe */, "jitter-ingress" arg /* Maximum destination to source jitter per test */, "jitter-egress" arg /* Maximum source to destination jitter per test */, "std-dev-ingress" arg /* Maximum destination to source standard deviation per test */, "std-dev-egress" arg /* Maximum source to destination standard deviation per test */ ) ), "traps" ( /* Trap to send if threshold is met or exceeded */ ("probe-failure" | "test-failure" | "test-completion" | "rtt-exceeded" | "std-dev-exceeded" | "jitter-exceeded" | "ingress-time-exceeded" | "ingress-std-dev-exceeded" | "ingress-jitter-exceeded" | "egress-time-exceeded" | "egress-std-dev-exceeded" | "egress-jitter-exceeded") ), "destination-interface" ( /* Name of output interface for probes */ interface_name /* Name of output interface for probes */ ), "hardware-timestamp" /* Packet Forwarding Engine updates timestamps */, "one-way-hardware-timestamp" /* Enable hardware timestamps for one-way measurements */, "next-hop" ( /* Next-hop to which probe should be sent */ ipv4addr /* Next-hop to which probe should be sent */ ) ) ) ) ), "probe-server" ( /* ICMP/TCP/UDP probe server */ c( "icmp" ( /* ICMP probe server */ c( "destination-interface" ( /* Name of output interface for probes */ interface_name /* Name of output interface for probes */ ) ) ), "tcp" ( /* TCP probe server */ c( "port" arg /* Port number 7 through 65535 */, "destination-interface" ( /* Name of output interface for probes */ interface_name /* Name of output interface for probes */ ) ) ), "udp" ( /* UDP probe server */ c( "port" arg /* Port number 7 through 65535 */, "destination-interface" ( /* Name of output interface for probes */ interface_name /* Name of output interface for probes */ ) ) ) ) ), "probe-limit" arg /* Maximum number of concurrent probes allowed */, "rfc2544-benchmarking" /* Rfc2544 benchmarking tests */, "twamp" ( /* Two-way Active Measurement Protocol configuration */ c( "post-cli-implicit-firewall" /* Enable post cli implicit firewall */, "client" ( /* TWAMP client configuration */ c( "control-connection" arg ( /* TWAMP control session configuration */ c( "authentication-mode" ( /* Authentication modes */ c( "none" /* No authentication or encryption */ ) ), "destination-interface" ( /* Name of output interface for all test sessions */ interface_name /* Name of output interface for all test sessions */ ), "destination-port" arg /* TCP TWAMP client listening port for the test sessions. Default 862 */, "history-size" arg /* Number of stored history entries */, "moving-average-size" arg /* Number of samples used for moving average */, "routing-instance" arg /* Routing instance used by the test sessions */, "target-address" ( /* Destination address of TWAMP responder */ ipv4addr /* Destination address of TWAMP responder */ ), "test-count" arg /* Total number of test session iterations */, "test-interval" arg /* Delay between test session iterations */, "traps" ( /* Trap to send if threshold is met or exceeded */ c( "test-iteration-done" /* All test sessions configured under the control connection have completed an iteration */, "control-connection-closed" /* Control connection closed */ ) ), "test-session" arg ( /* Test session details */ c( "target-address" ( /* Destination address of TWAMP responder */ ipv4addr /* Destination address of TWAMP responder */ ), "data-fill-with-zeros" /* Fill contents of test packet with zeros */, "data-size" arg /* Size of the data portion of the probes */, "dscp-code-points" arg /* Differentiated Services code point bits or alias used for TCP control and UDP TWAMP test packets */, "ttl" arg /* Time to Live (hop-limit) value for an RPM IPv4(IPv6) packet */, "probe-count" arg /* Total number of probes per test */, "probe-interval" arg /* Delay between two consecutive probes */, "thresholds" ( /* TWAMP test threshold values. Set 0 to disable respective threshold */ c( "successive-loss" arg /* Successive probe loss count indicating probe failure */, "total-loss" arg /* Total probe loss count indicating test failure */, "rtt" arg /* Maximum round trip time per probe */, "max-rtt" arg /* Maximum round trip time per test */, "jitter-rtt" arg /* Maximum jitter per test */, "std-dev-rtt" arg /* Maximum standard deviation per test */, "egress-time" arg /* Maximum source to destination time per probe */, "ingress-time" arg /* Maximum destination to source time per probe */, "jitter-ingress" arg /* Maximum destination to source jitter per test */, "jitter-egress" arg /* Maximum source to destination jitter per test */, "std-dev-ingress" arg /* Maximum destination to source standard deviation per test */, "std-dev-egress" arg /* Maximum source to destination standard deviation per test */ ) ), "traps" ( /* Trap to send if threshold is met or exceeded */ c( "probe-failure" /* Successive probe loss threshold reached */, "test-failure" /* Total probe loss threshold reached */, "test-completion" /* Test completed */, "rtt-exceeded" /* Exceeded maximum round trip time threshold */, "max-rtt-exceeded" /* Exceeded maximum round trip time threshold at the end of per test */, "std-dev-exceeded" /* Exceeded round trip time standard deviation threshold */, "jitter-exceeded" /* Exceeded jitter in round trip time threshold */, "ingress-time-exceeded" /* Exceeded maximum ingress time threshold */, "ingress-std-dev-exceeded" /* Exceeded ingress time standard deviation threshold */, "ingress-jitter-exceeded" /* Exceeded jitter in ingress time threshold */, "egress-time-exceeded" /* Exceeded maximum egress time threshold */, "egress-std-dev-exceeded" /* Exceeded egress time standard deviation threshold */, "egress-jitter-exceeded" /* Exceeded jitter in egress time threshold */ ) ) ) ) ) ) ) ), "server" ( /* TWAMP server configuration */ c( "routing-instance-list" arg ( /* List of allowed routing instances,not more than 100, along with ports */ c( "port" arg /* Port to be used by the routing instance */ ) ), "authentication-mode" ( /* Authentication modes */ c( "none" /* No authentication or encryption */, "authenticated" /* Authenticated mode */.as(:oneline), "encrypted" /* Encrypted mode */.as(:oneline), "control-only-encrypted" /* Encrypted control and unauthenticated data mode */ ) ), "authentication-key-chain" ( /* Authentication key chain configuration */ twamp_authentication_key_chain /* Authentication key chain configuration */ ), "server-inactivity-timeout" arg /* Control packet idle timeout value in minutes, 0 to disable */, "max-connection-duration" arg /* Maximum Connection duration in hours, 0 to disable */, "maximum-sessions" arg /* Maximum number of test sessions for the server */, "maximum-sessions-per-connection" arg /* Maximum number of test sessions per client connection */, "maximum-connections" arg /* Maximum number of connections for the server */, "maximum-connections-per-client" arg /* Maximum number of server connections per client */, "port" arg /* TWAMP server listening port */, "client-list" arg ( /* List of allowed clients */ c( "address" arg /* IP prefix of client */ ) ) ) ) ) ) ) ), "video-monitoring" /* Video monitoring service */, "app-engine" ( /* App-engine */ c( "security" /* Enable app-engine security */, "monitor-cpu" ( /* Monitor node CPU usage */ monitor_threshold /* Monitor node CPU usage */ ), "monitor-memory" ( /* Monitor node memory usage */ monitor_threshold /* Monitor node memory usage */ ), "monitor-storage" ( /* Monitor storage usage */ monitor_threshold /* Monitor storage usage */ ), "default-compute-node-package" arg /* Default JunosV App Engine package for appliance */, "compute-cluster" arg ( /* Configure compute cluster */ c( "local-management" ( /* Management address connected to compute cluster */ c( "routing-instance" ( /* Packets are restriction to specified routing instance */ s( arg, c( "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "address" ( /* Interface address */ ipv4addr /* Interface address */ ) ) ) ) ) ) ) ), "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "address" ( /* Interface address */ ipv4addr /* Interface address */ ) ) ) ) ) ) ), "monitor-cpu" ( /* Monitor node CPU usage */ monitor_threshold /* Monitor node CPU usage */ ), "monitor-memory" ( /* Monitor node memory usage */ monitor_threshold /* Monitor node memory usage */ ), "monitor-storage" ( /* Monitor storage usage */ monitor_threshold /* Monitor storage usage */ ), "compute-node" arg ( /* Compute node name */ c( "monitor-cpu" ( /* Monitor node CPU usage */ monitor_threshold /* Monitor node CPU usage */ ), "monitor-memory" ( /* Monitor node memory usage */ monitor_threshold /* Monitor node memory usage */ ), "monitor-storage" ( /* Monitor storage usage */ monitor_threshold /* Monitor storage usage */ ), c( "mac-address" ( /* MAC address of the network boot interface */ mac_addr /* MAC address of the network boot interface */ ), "fpc" arg /* FPC slot number */, "hypervisor" /* Compute node is hypervisor */ ), "package" arg /* JunosV App Engine package */, "routing-options" ( /* Route configuration for compute node */ c( "static" ( /* Static routes */ c( "route" arg ( /* Static route */ c( "next-hop" ( /* Next hop to destination */ ipv4addr /* Next hop to destination */ ) ) ) ) ), "rib" arg ( /* Routing table options */ c( "static" ( /* Static routes */ c( "route" arg ( /* Static route */ c( "next-hop" ( /* Next hop to destination */ ipv4addr /* Next hop to destination */ ) ) ) ) ) ) ) ) ), "interfaces" ( /* Network interfaces configuration */ c( "ethernet" arg ( /* Interface configuration */ c( "management" /* Use this as management interface */, "family" ( /* Protocol family */ family /* Protocol family */ ), "enable-passthrough" /* Enable passthrough on this interface */, "mtu" arg /* Maximum transmit packet size */, "ether-options" ( c( c( "ieee-802-3ad" arg /* Aggregated interface name */ ) ) ) ) ), "bridge" arg ( /* Bridge configuration */ c( "management" /* Use this as management bridge */, "family" ( /* Protocol family */ family /* Protocol family */ ), "interface" arg /* Bridge interface list */, "mtu" arg /* Maximum transmit packet size */ ) ), "aggregate" arg ( /* Aggregate interface configuration */ c( "management" /* Use this as management aggregate */, "family" ( /* Protocol family */ family /* Protocol family */ ), "mtu" arg /* Maximum transmit packet size */, "aggregated-ether-options" ( /* Link aggregation parameters */ c( "hash-policy" ( ("layer-2" | "layer-3-and-4" | "layer-2-and-3") ), "miimon" arg /* Link monitoring interval in milli-second */ ) ) ) ) ) ), "syslog" enum(("any" | "authorization" | "privileged" | "cron" | "daemon" | "kernel" | "syslog" | "user" | "uucp" | "local0" | "local1" | "local2" | "local3" | "local4" | "local5" | "local6" | "local7")) ( /* System logging facility */ sc( c( "any" /* All levels */, "emergency" /* Panic conditions */, "alert" /* Conditions that should be corrected immediately */, "critical" /* Critical conditions */, "error" /* Error conditions */, "warning" /* Warning messages */, "notice" /* Conditions that should be handled specially */, "info" /* Informational messages */, "debug" /* Debug messages */ ) ) ).as(:oneline) ) ) ) ), "virtual-machines" ( /* Virtual-machine management */ c( "instance" arg ( /* Virtual-machine instance */ c( "cpu" arg /* Units of CPUs (default 1 cpu) */, "memory" arg /* Memory for the virtual-machine (default 1 gigabytes) */, "management-interface" arg /* Virtual-machine management interface name */, "package" arg /* Virtual-machine package */, "local-management" ( /* Management address connected to virtual machine */ c( "routing-instance" ( /* Packets are restriction to specified routing instance */ s( arg, c( "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "address" ( /* Interface address */ ipv4addr /* Interface address */ ) ) ) ) ) ) ) ), "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "address" ( /* Interface address */ ipv4addr /* Interface address */ ) ) ) ) ) ) ), "compute-cluster" arg ( /* Compute cluster on which the virtual-machine runs */ c( "compute-node" arg /* Compute node on which the virtual-machine runs */ ) ), "interface" arg ( /* Virtual-machine interface configuration */ c( "hw-model" ( /* Interface hardware model */ ("e1000g" | "virtio") ), "host-interface" arg /* Passthrough host interface for virtual-machine */, "bridge" arg /* Bridge that the interface connected to */, "mtu" arg /* Maximum transmit packet size */, "family" ( /* Interface address family */ c( "inet" ( /* IPv4 parameters */ c( "address" arg ( /* Interface address/destination prefix */ c( "primary" /* Primary address on the interface */ ) ) ) ) ) ) ) ), "routing-options" ( /* Route configuration for virutal machine */ c( "static" ( /* Static routes */ c( "route" arg ( /* Static route */ c( "next-hop" ( /* Next hop to destination */ ipv4addr /* Next hop to destination */ ) ) ) ) ), "rib" arg ( /* Routing table options */ c( "static" ( /* Static routes */ c( "route" arg ( /* Static route */ c( "next-hop" ( /* Next hop to destination */ ipv4addr /* Next hop to destination */ ) ) ) ) ) ) ) ) ), "secondary-disk" ("hdb" | "hdc" | "hdd") ( /* Virtual-machine disk */ sc( "size" arg /* Virtual-machine secondary disk size */ ) ).as(:oneline) ) ) ) ) ) ), "unified-access-control" ( /* Configure Unified Access Control */ c( "infranet-controller" arg ( /* Configure infranet controller */ c( "address" ( /* Infranet controller IP address */ ipv4addr /* Infranet controller IP address */ ), "port" arg /* Infranet controller port */, "interface" ( /* Outgoing interface */ interface_name /* Outgoing interface */ ), "password" arg /* Infranet controller server password */, "ca-profile" arg /* Define a list of certificate authority */, "server-certificate-subject" arg /* Subject name of infranet controller certificate to match */ ) ), "certificate-verification" ( /* Specify certificate verification requirement */ ("warning" | "required" | "optional") ), "timeout" arg /* Timeout for idle infranet controller link in seconds */, "interval" arg /* Heartbeat interval from infranet controller in seconds */, "timeout-action" ( /* Specify action when infranet controller timeout occurs */ ("close" | "no-change" | "open") ), "test-only-mode" /* Allow all traffic and only log enforcement result */, "traceoptions" ( /* UAC trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "ipc" | "config" | "connect")) /* Tracing parameters */.as(:oneline) ) ), "captive-portal" arg ( /* Unauthenticated HTTP redirect */ c( "redirect-traffic" ( /* Traffic to redirect */ ("unauthenticated" | "all") ), "redirect-url" arg /* Redirect URL for unauthenticated users */ ) ) ) ), "flow-collector" /* Configure options to control flow collector */, "captive-portal" ( /* Captive Portal options */ juniper_services_captive_portal /* Captive Portal options */ ), "logging" ( /* Bulk logging configuration */ juniper_pic_services_logging_options /* Bulk logging configuration */ ), "application-identification" ( /* Application identification configuration */ c( "enable-heuristics" /* Enable heuristic application identification */, "enable-performance-mode" ( /* Enable performance mode knobs for best DPI performance */ c( "max-packet-threshold" arg /* Max packet inspection threshold including both c2s ans s2c direction packets. Default value is 2 if not configured */ ) ), "imap-cache-timeout" arg /* IMAP cache entry timeout in seconds */, "imap-cache-size" arg /* IMAP cache size, it will be effective only after next appid sigpack install */, "download" ( c( "url" arg /* URL for application package download */, "ignore-server-validation" /* Disable server authentication for Applicaton Signature download */, "automatic" ( /* Scheduled download and update */ c( "start-time" arg /* Start time(MM-DD.hh:mm) */, "interval" arg /* Attempt to download new application package */ ) ), "proxy-profile" arg /* Configure web proxy for Application signature download */ ) ), "statistics" ( /* Configure application statistics information */ c( "interval" arg /* Application statistics collection interval */ ) ), "nested-application-settings" ( /* Nested application settings */ c( "no-nested-application" /* Disable nested application identification */, "no-application-system-cache" /* Not to save nested AI match in application system cache */ ) ), "no-application-identification" /* Disable all application identification methods */, "no-signature-based" /* Disable signature based method */, "no-protocol-based" /* Disable protocol based method */, "signature-method-all-ports" /* Use signature-method on all(including well-known) ports */, "no-clear-application-system-cache" /* Disable clearing application system cache */, "no-application-system-cache" /* Disable storing AI result in application system cache */, "max-sessions" arg /* Max sessions that can run AI at the same time */, "application-system-cache-timeout" arg /* Application system cache entry lifetime */, "application-system-cache" ( /* Enable or Disable application system cache */ c( "security-services" /* Enable ASC for security services (appfw, appqos, idp, skyatp..) */, "no-miscellaneous-services" /* Disable ASC for miscellaneous services APBR,... */ ) ), "max-transactions" arg /* Number of transaction finals to terminate application classification */, "max-checked-bytes" arg /* Inspect the maximal number of bytes */, "application" arg ( /* Configure application definition */ c( "type" arg /* Well-known application such as HTTP and FTP */, "index" arg /* Custom index (32768..65534). Application index */, "tags" /* Application tags eg. risk factors, technology, traffic type */, "session-timeout" arg /* Lifetime of a session */, "idle-timeout" arg /* Remove the session if no packets */, "type-of-service" /* Type of service */, "disable" /* Disable this application definition in AI */, "cacheable" /* Cacheable */, "description" arg /* Text description of application */, "priority" ( /* Application matching priority */ ("high" | "low") ), "order" arg /* The order value, lower the value higher the priority */, "maximum-transactions" arg /* Maximum number of transactions matched by AI */, "alt-name" arg /* Alt name for the application */, "compatibility" arg /* Juniper compatibility version */, "port-mapping", "icmp-mapping" ( /* Match ICMP message */ c( "type" arg /* Numeric type value */, "code" arg /* Numeric code value */, "order" arg /* The Order value */, "order-priority" arg /* Application matching priority */ ) ), "ip-protocol-mapping" ( /* Match IP protocol */ c( "protocol" arg /* Numeric protocol value */, "order" arg /* The Order value */, "order-priority" arg /* Application matching priority */ ) ), "address-mapping" arg ( /* Match IP address */ c( "filter" ( /* Match IP/port */ c( "ip" ( /* IP address and prefix-length */ ipprefix /* IP address and prefix-length */ ), "port-range" ( /* Port ranges */ c( "tcp" arg /* TCP port range */, "udp" arg /* UDP port range */ ) ) ) ), "source" /* Match IP source address */, "destination" /* Match IP destination address */, "order" arg /* Application matching priority */, "order-priority" arg /* Application matching priority */ ) ), "over" arg ( /* Set of L4/L7 application that carries given application */ c( "protocol" arg /* Application protocol */, "chain-order" /* The order of members is used to match the pattern */, "order-priority" arg /* Application matching priority */, "order" arg /* The order value */, "port-range" /* Apply signature to packets sent to this port range */, "member" /* Pattern matched on client-to-server packets */, "signature" arg ( /* Application signature for pattern matching */ c( "port-range" arg /* Port range */, "member" arg ( /* Application signature member */ c( "context" arg /* Context to be matched on */, "pattern" arg /* DFA pattern matched on context */, "direction" ( /* Connection direction of the packets to apply pattern matching */ ("client-to-server" | "server-to-client" | "any") ) ) ) ) ) ) ) ) ), "nested-application" arg ( /* Configure nested application definition */ c( "type" arg /* Well-known application such as FACEBOOK and KAZZA */, "index" arg /* Custom index (32768..65534). Application index */, "protocol" arg /* Name of layer 7 application that carries nested application */, "signature" arg ( /* Nested application signature for pattern matching */ c( "member" arg ( /* Pattern matched on client-to-server packets */ c( "context" ( /* Context to be matched on */ ("http-url-parsed" | "http-url-parsed-param-parsed" | "http-header-host" | "http-header-location" | "http-header-content-type" | "http-get-url-parsed-param-parsed" | "http-post-url-parsed-param-parsed" | "http-header-cookie" | "http-header-user-agent" | "http-post-variable-parsed" | "ssl-server-name" | "stream") ), "pattern" arg /* Pattern matched on context */, "direction" ( /* Connection direction of the packets to apply pattern matching */ ("client-to-server" | "server-to-client" | "any") ), "check-bytes" arg /* Maximum number of bytes to check for stream context */ ) ), "chain-order" /* The order of members is used to match the pattern */, "maximum-transactions" arg /* Maximum number of transactions matched by AI */, "order" arg /* Application matching priority */, "insert-before" ( /* Insert before another signature */ c( arg /* An application name */ ) ) ) ) ) ), "application-group" arg ( /* Define application group */ c( "application-groups" arg /* Configure child application group(s) */, "applications" arg /* Configure applications that belong to this application group */, "disable" /* Disable this application group definition in AI */ ) ), "rule" /* One or more application rules for address-based method AI */, "rule-set" /* One or more application rules */, "profile" /* One or more application rule-sets */, "traceoptions" ( /* Trace options for application identification */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all")) /* Events and other information to include in trace output */.as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ) ) ) ) ), "service-set" /* Define a service set */, "ssl" ( /* Configuration for Secure Socket Layer support service */ c( "traceoptions" ( /* Trace options for Secure Socket Layer support service */ ssl_traceoptions /* Trace options for Secure Socket Layer support service */ ), "termination" ( /* Configuration for Secure Socket Layer termination support service */ ssl_termination_config /* Configuration for Secure Socket Layer termination support service */ ), "initiation" ( /* Configuration for Secure Socket Layer initiation support service */ ssl_initiation_config /* Configuration for Secure Socket Layer initiation support service */ ), "proxy" ( /* Configuration for Secure Socket Layer proxy support service */ ssl_proxy_config /* Configuration for Secure Socket Layer proxy support service */ ) ) ), "softwires" ( /* Configure softwire feature */ softwires_object /* Configure softwire feature */ ), "screen" ( /* Configure screen feature */ c( "trap" ( /* Configure trap interval */ sc( "interval" arg /* Trap interval */ ) ).as(:oneline), "ids-option" ( /* Configure ids-option */ ids_option_type /* Configure ids-option */ ), "traceoptions" ( /* Trace options for Network Security Screen */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "security-intelligence" ( c( "category" ( /* Category to be disabled */ c( "all" ( /* All categories */ c( "disable" /* To disable all categories */ ) ), "category-name" ( secintel_category_disable ) ) ), "url" arg /* Configure the url of feed server [https://:/] */, "url-parameter" ( /* Configure the parameter of url */ unreadable /* Configure the parameter of url */ ), "proxy-profile" arg /* The proxy profile name */, "authentication" ( /* Authenticate to use feed update services */ c( "auth-token" arg /* Token string for authentication */, "tls-profile" arg /* TLS profile */ ) ), "traceoptions" ( /* Security intelligence trace options */ secintel_traceoptions /* Security intelligence trace options */ ), "profile" ( /* Configure security intelligence profile */ secintel_profile_setting /* Configure security intelligence profile */ ), "default-policy" ( /* Configure security intelligence default policy */ c( c( arg /* Name of profile */ ) ) ), "policy" ( /* Configure security intelligence policy */ secintel_policy_setting /* Configure security intelligence policy */ ) ) ), "icap-redirect" ( /* Configure ICAP redirection service */ c( "profile" ( /* Congifure ICAP service profile */ icap_profile_object /* Congifure ICAP service profile */ ), "traceoptions" ( /* ICAP redirect trace options */ icap_redirect_traceoptions /* ICAP redirect trace options */ ) ) ), "advanced-anti-malware" ( c( "connection" ( c( "url" arg /* The url of the cloud server [https://:] */, "authentication" ( /* The authentication profile for using cloud services */ c( "tls-profile" arg /* TLS profile */ ) ), "proxy-profile" arg /* Proxy profile */, "source-address" ( /* The source ip for connecting to the cloud server. */ ipaddr /* The source ip for connecting to the cloud server. */ ), "source-interface" ( /* The source interface for connecting to the cloud server */ interface_name /* The source interface for connecting to the cloud server */ ) ) ), "default-policy" ( /* Advanced Anti-malware default policy */ c( "http" ( /* Configure HTTP options */ c( "inspection-profile" arg /* Advanced Anti-malware inspection-profile name (default:default_profile) */, "action" ( /* Action taken for contents with verdict meet threshold */ ("permit" | "block") ), "notification" ( /* Notification action taken for contents with verdict meet threshold */ c( "log" /* Logging option for Advanced Anti-malware actions */ ) ) ) ), "smtp" ( /* Configure SMTP options */ c( "inspection-profile" arg /* Advanced Anti-malware inspection-profile name (default:default_profile) */, "notification" ( /* Notification action taken for contents with verdict meet threshold */ c( "log" /* Logging option for Advanced Anti-malware actions */ ) ) ) ), "imap" ( /* Configure IMAP options */ c( "inspection-profile" arg /* Advanced Anti-malware inspection-profile name (default:default_profile) */, "notification" ( /* Notification action taken for contents with verdict meet threshold */ c( "log" /* Logging option for Advanced Anti-malware actions */ ) ) ) ), "verdict-threshold" ( /* Verdict threshold */ ("1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "10" | "recommended") ), "inspection-profile" arg /* Advanced Anti-malware inspection-profile name */, "fallback-options" ( /* Fallback options for abnormal conditions */ c( "action" ( /* Action taken for fallback conditions */ ("permit" | "block") ), "notification" ( /* Notification action taken for fallback action */ c( "log" /* Logging option for Advanced Anti-malware fallback action */ ) ) ) ), "default-notification" ( /* Notification action taken for action */ c( "log" /* Logging option for Advanced Anti-malware action */ ) ), "whitelist-notification" ( /* Whitelist notification logging option */ c( "log" /* Logging option for Advanced Anti-malware whitelist hit */ ) ), "blacklist-notification" ( /* Blacklist notification logging option */ c( "log" /* Logging option for Advanced Anti-malware blacklist hit */ ) ) ) ), "policy" arg ( /* Advanced Anti-malware policy */ c( "match" ( /* Policy match conditions */ c( "application" ( /* Application */ ("HTTP") ), "verdict-threshold" ( /* Verdict threshold */ ("1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "10" | "recommended") ) ) ), "then" ( c( "action" ( /* Action taken for contents with verdict meet threshold */ ("permit" | "block") ), "notification" ( /* Notification action taken for contents with verdict meet threshold */ c( "log" /* Logging option for Advanced Anti-malware actions */ ) ) ) ), "http" ( /* Configure HTTP options */ c( "inspection-profile" arg /* Advanced Anti-malware inspection-profile name (default:default_profile) */, "action" ( /* Action taken for contents with verdict meet threshold */ ("permit" | "block") ), "notification" ( /* Notification action taken for contents with verdict meet threshold */ c( "log" /* Logging option for Advanced Anti-malware actions */ ) ) ) ), "smtp" ( /* Configure SMTP options */ c( "inspection-profile" arg /* Advanced Anti-malware inspection-profile name (default:default_profile) */, "notification" ( /* Notification action taken for contents with verdict meet threshold */ c( "log" /* Logging option for Advanced Anti-malware actions */ ) ) ) ), "imap" ( /* Configure IMAP options */ c( "inspection-profile" arg /* Advanced Anti-malware inspection-profile name (default:default_profile) */, "notification" ( /* Notification action taken for contents with verdict meet threshold */ c( "log" /* Logging option for Advanced Anti-malware actions */ ) ) ) ), "verdict-threshold" ( /* Verdict threshold */ ("1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "10" | "recommended") ), "inspection-profile" arg /* Advanced Anti-malware inspection-profile name */, "fallback-options" ( /* Fallback options for abnormal conditions */ c( "action" ( /* Action taken for fallback conditions */ ("permit" | "block") ), "notification" ( /* Notification action taken for fallback action */ c( "log" /* Logging option for Advanced Anti-malware fallback action */ ) ) ) ), "default-notification" ( /* Notification action taken for action */ c( "log" /* Logging option for Advanced Anti-malware action */ ) ), "whitelist-notification" ( /* Whitelist notification logging option */ c( "log" /* Logging option for Advanced Anti-malware whitelist hit */ ) ), "blacklist-notification" ( /* Blacklist notification logging option */ c( "log" /* Logging option for Advanced Anti-malware blacklist hit */ ) ) ) ), "traceoptions" ( /* Advanced Anti-malware trace options */ aamwd_traceoptions /* Advanced Anti-malware trace options */ ) ) ), "user-identification" ( /* Configure user-identification */ c( "active-directory-access" ( /* Configure active directory access */ c( "traceoptions" ( /* Active-directory-access Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("active-directory-authentication" | "configuration" | "db" | "ip-user-mapping" | "ip-user-probe" | "ipc" | "user-group-mapping" | "wmic" | "all")) /* Tracing parameters */.as(:oneline) ) ), "domain" arg ( /* Configure active-directory-access domain */ c( "user" ( /* User name */ c( arg, "password" arg /* Password string */ ) ), "domain-controller" arg ( /* Domain controller */ c( "address" ( /* Address of domain controller */ ipaddr /* Address of domain controller */ ) ) ), "ip-user-mapping" ( /* Ip-user-mapping */ c( "discovery-method" ( /* Discovery method */ c( "wmi" ( /* WMI */ c( "event-log-scanning-interval" arg /* Interval of event log scanning */, "initial-event-log-timespan" arg /* Event log scanning timespan */ ) ) ) ) ) ), "user-group-mapping" ( /* User-group-mapping */ user_group_mapping_type /* User-group-mapping */ ) ) ), "no-on-demand-probe" /* Disable on-demand probe */, "authentication-entry-timeout" arg /* Authentication entry timeout number (0, 10-1440) */, "invalid-authentication-entry-timeout" arg /* Invalid authentication entry timeout number (0, 10-1440) */, "firewall-authentication-forced-timeout" arg /* Firewallauth fallback authentication entry forced timeout number (10-1440) */, "wmi-timeout" arg /* Wmi timeout number */, "thread" arg /* Thread to do PC probe */, "event-log-identifier" arg /* Event log identifier */, "logon-type" arg /* Logon type */, "filter" ( /* Configure filter address or prefix */ c( "include" arg /* Include address */.as(:oneline), "exclude" arg /* Exclude address */.as(:oneline) ) ) ) ), "authentication-source" ("aruba-clearpass") ( /* Configure authentication-source */ c( "authentication-entry-timeout" arg /* Aruba ClearPass authentication entry timeout number (0, 10-1440) */, "invalid-authentication-entry-timeout" arg /* Invalid authentication entry timeout number (0, 10-1440) */, "traceoptions" ( /* Aruba ClearPass authentication table Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("all" | "clearpass-authentication" | "configuration" | "dispatcher" | "ipc" | "user-query")) /* Tracing parameters */.as(:oneline) ) ), "user-query" ( /* ClearPass individual user query */ c( "web-server" ( /* Web server for user query */ c( arg, "connect-method" ( /* Method of connecting to web server */ ("https" | "http") ), "address" arg /* IP address or hostname of web server */, "port" arg /* Web server port */ ) ), "ca-certificate" arg /* Ca-certificate file name */, "client-id" arg /* Client ID for OAuth2 grant */, "client-secret" arg /* Client secret for OAuth2 grant */, "token-api" arg /* API of acquiring token for OAuth2 authentication */, "query-api" arg /* User query API */, "delay-query-time" arg /* Delay time to send user query (0~60sec) */ ) ), "no-user-query" /* Disable user query from ClearPass */.as(:oneline) ) ), "device-information" ( /* Device information configuration */ c( "authentication-source" ( /* Configure authentication-source */ c( c( "active-directory" /* From windows active directory */, "network-access-controller" /* From network access controller such as Aruba ClearPass or JIMS */, "no-configured" /* No configuring authentication source for device entry */ ) ) ), "end-user-profile" ( /* End-user-profile configuration */ c( "profile-name" arg ( /* End-user-profile profile-name configuration */ c( "domain-name" arg /* Domain name */, "attribute" ("device-identity" | "device-category" | "device-vendor" | "device-type" | "device-os" | "device-os-version" | arg) ( /* Attribute */ c( c( "string" arg /* Value type is strings */, "digital" ( /* Value type is digital */ c( "value" arg /* Digital value */, "from" arg ( /* Range of digital value */ c( "to" arg /* Digit range's end value */ ) ) ) ) ) ) ) ) ) ) ), "traceoptions" ( /* Device info related Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("all" | "auth-source" | "configuration" | "device-table" | "ipid-all" | "ipid-db" | "ipid-entry" | "ipid-ipc" | "ipid-message" | "ipid-others" | "ipid-server" | "ipid-statistics" | "ipid-task" | "profile-lookup")) /* Tracing parameters */.as(:oneline) ) ) ) ), "identity-management" ( /* Identity management configuration */ c( "authentication-entry-timeout" arg /* Authentication entry timeout number (0, 10-1440) */, "invalid-authentication-entry-timeout" arg /* Invalid authentication entry timeout number (0, 10-1440) */, "connection" ( /* Connection to identity management */ c( "connect-method" ( /* Method of connection */ ("https" | "http") ), "port" arg /* Server port */, "primary" ( /* Primary server */ server_connection_type /* Primary server */ ), "secondary" ( /* Secondary server */ server_connection_type /* Secondary server */ ), "token-api" arg /* API of acquiring token for OAuth2 authentication */, "query-api" arg /* Query API */ ) ), "batch-query" ( /* Batch query parameters */ c( "items-per-batch" arg /* Items number per batch query */, "query-interval" arg /* Query interval */ ) ), "ip-query" ( /* IP query parameters */ c( "query-delay-time" arg /* Delay time to send IP query (0~60sec) */, "no-ip-query" /* Disable IP query */.as(:oneline) ) ), "filter" ( /* Filter for query */ c( "domain" arg /* Domain filter */.as(:oneline), "include-ip" ( /* Include IP filter */ address_filter_type /* Include IP filter */ ), "exclude-ip" ( /* Exclude IP filter */ address_filter_type /* Exclude IP filter */ ) ) ), "traceoptions" ( /* Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("all" | "authentication-management" | "configuration" | "dispatcher" | "query")) /* Tracing parameters */.as(:oneline) ) ) ) ) ) ), "ip-monitoring" ( /* IP monitoring for route action */ c( "policy" arg ( /* Policy for route action */ c( "no-preempt" /* No automatic failback preemption once policy failover */, "match" ( /* Matching probing condition */ c( "rpm-probe" arg /* RPM probe name */ ) ), "then" ( /* Action to be taken */ action_object_type /* Action to be taken */ ) ) ), "traceoptions" ( /* IP-Monitoring trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("debug" | "configuration" | "errors" | "memory" | "event" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "wireless-wan" /* Wireless WAN configuration */, "proxy" ( /* Proxy setting for services */ c( "profile" ( /* Proxy profile */ proxy_profile_setting /* Proxy profile */ ) ) ), "lrf" /* Logging and reporting service configuration */, "stateful-firewall" /* Configure stateful firewall services */, "ip-reassembly" /* Configure ip-reassembly services */, "softwire" /* Configure softwire services */, "aacl" /* Application Aware Access List services configuration */, "hcm" /* Http Content Management services configuration */, "cos" /* Class of Service services configuration */, "pgcp" /* Packet Gateway Control Protocol services configuration */, "border-signaling-gateway" /* Border signaling service configuration */, "ids" /* Configure the intrusion detection system */, "nat" ( /* Configure Network Address Translation */ nat_object /* Configure Network Address Translation */ ), "pcp" /* Configure Port Control Protocol */, "l2tp" /* Configure Layer 2 Tunneling Protocol service */, "adaptive-services-pics" /* Adaptive Services PIC daemon configuration */, "license-management" /* Configure license management server */, "soft-gre" /* Soft GRE tunnel definitions */, "service-interface-pools" ( /* Configure service interface pools */ c( "pool" ( /* Define service interface pool */ service_interface_pool_object /* Define service interface pool */ ) ) ), "hosted-services" ( /* Configuration for services performed in the remote server */ c( "client-profile" arg ( /* Configure client profile */ c( "transport-type" ( /* Transport type */ ("GRE" | "UDP" | "TCP") ), "client-address" ( /* Client address */ ipv4addr /* Client address */ ), "hosted-service-identifier" arg /* Identifier for the service performed on the remote server */ ) ), "server-profile" arg ( /* Configure server profile */ c( "transport-type" ( /* Transport type */ ("GRE" | "UDP" | "TCP") ), "server-address" ( /* Server address */ ipv4addr /* Server address */ ), "client-address" ( /* Client address */ ipv4addr /* Client address */ ), "hosted-service-identifier" arg /* Identifier for the service performed in the remote server */ ) ) ) ), "jflow-log" ( /* Configure jflow-logging parameters for services */ c( "collector" arg ( /* Collector attributes */ c( "destination-address" arg /* IPv4 Address or hostname of the collector */, "destination-port" arg /* Destination port of the collector */, "source-ip" ( /* Source IPv4 Address from which logging is to be done */ ipv4addr /* Source IPv4 Address from which logging is to be done */ ) ) ), "collector-group" arg ( c( "collector" arg /* List of Collector profiles */ ) ), "template-profile" arg ( c( "collector" arg /* Specify a collector name */, "collector-group" arg /* Specify a collector-group name */, "template-type" ( /* Allow jflow-log for applications */ ("nat") ), "version" ( /* Version of jflow-logging */ ("v9" | "ipfix") ), "refresh-rate" ( c( "packets" arg /* Specify number of packets after which templates are sent to collector */, "seconds" arg /* Specify number of seconds after which templates are sent to collector */ ) ) ) ) ) ), "service-device-pools" ( /* Configure service device pools */ c( "pool" ( /* Define service device pool */ service_device_pool_object /* Define service device pool */ ) ) ), "traffic-load-balance" ( /* Traffic load balance configuration */ tdir_service_load_balance_object /* Traffic load balance configuration */ ), "network-monitoring" ( /* Network monitoring probe configuration */ tdir_netmon_object /* Network monitoring probe configuration */ ), "web-filter" ( /* Web Filtering service configuration */ c( "profile" ( /* Web Filter profile */ urlf_profile_object /* Web Filter profile */ ), "traceoptions" ( /* Trace options for Web Filter */ urlf_traceoptions_object /* Trace options for Web Filter */ ) ) ) ) ), "access-profile" ( /* Access profile for this instance */ sc( arg /* Profile name */ ) ).as(:oneline), "security" ( /* Security configuration */ c( "alarms" ( /* Configure security alarms */ c( "audible" ( /* Beep when new security alarms arrive */ c( "continuous" /* Keep beeping until all security alarms have been cleared */ ) ), "potential-violation" ( /* Configure potential security violations */ c( "authentication" arg /* Raise alarm for specified number of authentication failures */, "cryptographic-self-test" /* Raise alarm for cryptographic self test failures */, "decryption-failures" ( /* No. of decryption failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 1000] */ ) ), "encryption-failures" ( /* No. of encryption failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 1000] */ ) ), "ike-phase1-failures" ( /* No. of IKE Phase-1 failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 20] */ ) ), "ike-phase2-failures" ( /* No. of IKE Phase-2 failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 20] */ ) ), "key-generation-self-test" /* Raise alarm for key generation self test failures */, "non-cryptographic-self-test" /* Raise alarm for non-cryptographic self test failures */, "policy" ( /* Raise alarm for flow policy violations */ c( "source-ip" ( /* Configure source address type of policy violation */ c( "threshold" arg /* Number of source IP address matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total source IP address number that can be done policy violation check concurrently */ ) ), "destination-ip" ( /* Configure destination address type of policy violation */ c( "threshold" arg /* Number of destination IP address matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total destination IP address number that can be done policy violation check concurrently */ ) ), "application" ( /* Configure application type of policy violation */ c( "threshold" arg /* Number of application matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total application number that can be done policy violation check concurrently */ ) ), "policy-match" ( /* Configure policy type of policy violation */ c( "threshold" arg /* Number of policy matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total concurrent number of policy check violations */ ) ) ) ), "replay-attacks" ( /* No. of Replay attacks before which an alarm needs to be raised */ c( "threshold" arg /* Replay threshold value */ ) ), "security-log-percent-full" arg /* Raise alarm when security log exceeds this percent capacity */, "idp" /* Raise alarm for idp attack */ ) ) ) ), "log" ( /* Configure security log */ c( "exclude" arg ( /* List of security log criteria to exclude from the audit log */ c( "destination-address" ( /* Destination address */ ipaddr /* Destination address */ ), "destination-port" arg /* Destination port */, "event-id" arg /* Event ID filter */, "failure" /* Event was a failure */, "interface-name" arg /* Name of interface */, "policy-name" arg /* Policy name filter */, "process" arg /* Process that generated the event */, "protocol" arg /* Protocol filter */, "source-address" ( /* Source address */ ipaddr /* Source address */ ), "source-port" arg /* Source port */, "success" /* Event was successful */, "username" arg /* Username filter */ ) ), "limit" arg /* Limit number of security log entries to keep in memory */, "cache" ( /* Cache security log events in the audit log buffer */ c( "exclude" arg ( /* List of security log criteria to exclude from the audit log */ c( "destination-address" ( /* Destination address */ ipaddr /* Destination address */ ), "destination-port" arg /* Destination port */, "event-id" arg /* Event ID filter */, "failure" /* Event was a failure */, "interface-name" arg /* Name of interface */, "policy-name" arg /* Policy name filter */, "process" arg /* Process that generated the event */, "protocol" arg /* Protocol filter */, "source-address" ( /* Source address */ ipaddr /* Source address */ ), "source-port" arg /* Source port */, "success" /* Event was successful */, "username" arg /* Username filter */ ) ), "limit" arg /* Limit number of security log entries to keep in memory */ ) ), "disable" /* Disable security logging for the device */, "utc-timestamp" /* Use UTC time for security log timestamps */, "mode" ( /* Controls how security logs are processed and exported */ ("stream" | "event") ), "event-rate" arg /* Control plane event rate */, "format" ( /* Set security log format for the device */ ("syslog" | "sd-syslog" | "binary") ), "rate-cap" arg /* Data plane event rate */, "max-database-record" arg /* Maximum records in database */, "report" /* Set security log report settings */, c( "source-address" ( /* Source ip address used when exporting security logs */ ipaddr /* Source ip address used when exporting security logs */ ), "source-interface" ( /* Source interface used when exporting security logs */ interface_name /* Source interface used when exporting security logs */ ) ), "transport" ( /* Set security log transport settings */ c( "tcp-connections" arg /* Set tcp connection number per-stream */, "protocol" ( /* Set security log transport protocol for the device */ ("udp" | "tcp" | "tls") ), "tls-profile" arg /* TLS profile */ ) ), "facility-override" ( /* Alternate facility for logging to remote host */ ("authorization" | "daemon" | "ftp" | "kernel" | "user" | "local0" | "local1" | "local2" | "local3" | "local4" | "local5" | "local6" | "local7") ), "stream" arg ( /* Set security log stream settings */ c( "severity" ( /* Severity threshold for security logs */ ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug") ), "format" ( /* Specify the log stream format */ ("syslog" | "sd-syslog" | "welf" | "binary") ), "category" enum(("all" | "content-security" | "fw-auth" | "screen" | "alg" | "nat" | "flow" | "sctp" | "gtp" | "ipsec" | "idp" | "rtlog" | "pst-ds-lite" | "appqos" | "secintel" | "aamw")) /* Selects the type of events that may be logged */, "filter" enum(("threat-attack")) /* Selects the filter to filter the logs to be logged */, "host" ( /* Destination to send security logs to */ host_object /* Destination to send security logs to */ ), "rate-limit" ( /* Rate-limit for security logs */ c( arg ) ), "file" ( /* Security log file options for logs in local file */ c( "localfilename" arg /* Name of local log file */, "size" arg /* Maximum size of local log file in megabytes */, "rotation" arg /* Maximum number of rotate files */, "allow-duplicates" /* To disable log consolidation */ ) ) ) ), "file" ( /* Security log file options for logs in binary format */ c( "filename" arg /* Name of binary log file */, "size" arg /* Maximum size of binary log file in megabytes */, "path" arg /* Path to binary log files */, "files" arg /* Maximum number of binary log files */ ) ), "traceoptions" ( /* Security log daemon trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("source" | "configuration" | "all" | "report" | "hpl")) /* List of things to include in trace */.as(:oneline) ) ) ) ), "certificates" ( /* X.509 certificate configuration */ c( "local" ( /* Local X.509 certificate configuration */ certificate_object /* Local X.509 certificate configuration */ ), "path-length" arg /* Maximum certificate path length */, "maximum-certificates" arg /* Maximum number of certificates to cache */, "cache-size" arg /* Maximum size of certificate cache */, "cache-timeout-negative" arg /* Time in seconds to cache negative responses */, "enrollment-retry" arg /* Number of retry attempts for an enrollment request */, "certification-authority" arg ( /* CA X.509 certificate configuration */ c( "ca-name" arg /* CA name */, "file" arg /* File to read certificate from */, "crl" arg /* File to read crl from */, "enrollment-url" arg /* URL */, "ldap-url" arg /* URL */, "encoding" ( /* Encoding to use for certificate or CRL on disk */ ("binary" | "pem") ) ) ) ) ), "authentication-key-chains" ( /* Authentication key chain configuration */ security_authentication_key_chains /* Authentication key chain configuration */ ), "ssh-known-hosts" ( /* SSH known host list */ c( "host" arg ( /* SSH known host entry */ c( "rsa1-key" arg /* Base64 encoded RSA key (protocol version 1) */, "rsa-key" arg /* Base64 encoded RSA key */, "dsa-key" arg /* Base64 encoded DSA key */, "ecdsa-key" arg /* Base64 encoded ECDSA key */, "ecdsa-sha2-nistp256-key" arg /* Base64 encoded ECDSA-SHA2-NIST256 key */, "ecdsa-sha2-nistp384-key" arg /* Base64 encoded ECDSA-SHA2-NIST384 key */, "ecdsa-sha2-nistp521-key" arg /* Base64 encoded ECDSA-SHA2-NIST521 key */, "ed25519-key" arg /* Base64 encoded ED25519 key */ ) ) ) ), "key-protection" /* Common-Criteria key-protection configuration */, "pki" ( /* PKI service configuration */ security_pki /* PKI service configuration */ ), "ike" ( /* IKE configuration */ security_ike /* IKE configuration */ ), "ipsec" ( /* IPSec configuration */ security_ipsec_vpn /* IPSec configuration */ ), "group-vpn" ( /* Group VPN configuration */ security_group_vpn /* Group VPN configuration */ ), "ipsec-policy" ( /* IPSec policy configuration */ security_ipsec_policies /* IPSec policy configuration */ ), "idp" ( /* Configure IDP */ c( "idp-policy" ( /* Configure IDP policy */ idp_policy_type /* Configure IDP policy */ ), "active-policy" arg /* Set active policy */, "default-policy" arg /* Set active policy */, "custom-attack" ( /* Configure custom attacks */ custom_attack_type /* Configure custom attacks */ ), "custom-attack-group" ( /* Configure custom attack groups */ custom_attack_group_type /* Configure custom attack groups */ ), "dynamic-attack-group" ( /* Configure dynamic attack groups */ dynamic_attack_group_type /* Configure dynamic attack groups */ ), "traceoptions" ( /* Trace options for idp services */ idpd_traceoptions_type /* Trace options for idp services */ ), "security-package" ( /* Security package options */ c( "url" arg /* URL of Security package download */, "source-address" ( /* Source address to be used for sending download request */ ipv4addr /* Source address to be used for sending download request */ ), "proxy-profile" arg /* Proxy profile of security package download */, "install" ( /* Configure install command */ c( "ignore-version-check" /* Skip version check when attack database gets installed */ ) ), "automatic" ( /* Scheduled download and update */ c( "start-time" ( /* Start time (YYYY-MM-DD.HH:MM:SS) */ time /* Start time (YYYY-MM-DD.HH:MM:SS) */ ), "interval" arg /* Interval */, "download-timeout" arg /* Maximum time for download to complete */, ("enable") ) ) ) ), "sensor-configuration" ( /* IDP Sensor Configuration */ c( "log" ( /* IDP Log Configuration */ c( "cache-size" arg /* Log cache size */, "suppression" ( /* Log suppression */ c( ("disable"), "include-destination-address" /* Include destination address while performing a log suppression */, "no-include-destination-address" /* Don't include destination address while performing a log suppression */, "start-log" arg /* Suppression start log */, "max-logs-operate" arg /* Maximum logs can be operate on */, "max-time-report" arg /* Time after suppressed logs will be reported */ ) ) ) ), "packet-log" ( /* IDP Packetlog Configuration */ c( "total-memory" arg /* Total memory unit(%) */, "max-sessions" arg /* Max num of sessions in unit(%) */, "threshold-logging-interval" arg /* Interval of logs for max limit session/memory reached in minutes */, "source-address" ( /* Source IP address used to transport packetlog to a host */ ipv4addr /* Source IP address used to transport packetlog to a host */ ), "host" ( /* Destination host to send packetlog to */ c( ipv4addr /* IP address */, "port" arg /* UDP port number */ ) ) ) ), "application-identification" ( /* Application identification */ c( ("disable"), "application-system-cache" /* Application system cache */, "no-application-system-cache" /* Don't application system cache */, "max-tcp-session-packet-memory" arg /* Max TCP session memory */, "max-udp-session-packet-memory" arg /* Max UDP session memory */, "max-sessions" arg /* Max sessions that can run AI at the same time */, "max-packet-memory" arg /* Max packet memory */, "max-packet-memory-ratio" arg /* Max packet memory ratio */, "max-reass-packet-memory-ratio" arg /* Max reass packet memory ratio */, "application-system-cache-timeout" arg /* Application system cache timeout */ ) ), "flow" ( /* Flow configuration */ c( "log-errors" /* Flow log errors */, "no-log-errors" /* Don't flow log errors */, "reset-on-policy" /* Flow reset-on-policy */, "no-reset-on-policy" /* Don't flow reset-on-policy */, "allow-icmp-without-flow" /* Allow icmp without flow */, "no-allow-icmp-without-flow" /* Don't allow icmp without flow */, "hash-table-size" arg /* Flow hash table size */, "reject-timeout" arg /* Flow reject timeout */, "max-timers-poll-ticks" arg /* Maximum timers poll ticks */, "fifo-max-size" arg /* Maximum fifo size */, "udp-anticipated-timeout" arg /* Maximum udp anticipated timeout */, "allow-nonsyn-connection" /* Allow TCP non-syn connection */, "drop-on-limit" /* Drop connections on exceeding resource limits */, "drop-on-failover" /* Drop traffic on HA failover sessions */, "drop-if-no-policy-loaded" /* Drop all traffic till IDP policy gets loaded */, "max-sessions-offset" arg /* Maximum session offset limit percentage */, "min-objcache-limit-lt" arg /* Memory lower threshold limit percentage */, "min-objcache-limit-ut" arg /* Memory upper threshold limit percentage */, "session-steering" /* Session steering for session anticipation */, "idp-bypass-cpu-usg-overload" /* Enable IDP bypass of sessions/packets on CPU usage overload */, "idp-bypass-cpu-threshold" arg /* Threshold of CPU usage in percentage for IDP bypass */, "idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */ ) ), "re-assembler" ( /* Re-assembler configuration */ c( "drop-on-syn-in-window" /* Drop session when SYN is seen in the window */, "no-drop-on-syn-in-window" /* Don't drop session when SYN is seen in the window */, "ignore-memory-overflow" /* Ignore memory overflow */, "no-ignore-memory-overflow" /* Don't ignore memory overflow */, "ignore-reassembly-memory-overflow" /* Ignore packet reassembly memory overflow */, "no-ignore-reassembly-memory-overflow" /* Don't ignore packet reassembly memory overflow */, "ignore-reassembly-overflow" /* Ignore global reassembly overflow */, "max-packet-mem" arg /* Maximum packet memory */, "max-flow-mem" arg /* Maximum flow memory */, "max-packet-mem-ratio" arg /* Maximum packet memory ratio */, "action-on-reassembly-failure" ( /* Select the action on reassembly failures */ ("ignore" | "drop" | "drop-session") ), "tcp-error-logging" /* Enable logging on tcp errors */, "no-tcp-error-logging" /* Don't enable logging on tcp errors */, "max-synacks-queued" arg /* Maximum syn-acks queued with different SEQ numbers */, "force-tcp-window-checks" /* Force TCP window checks if uni-directional policy is configured */, "no-force-tcp-window-checks" /* Don't force TCP window checks if uni-directional policy is configured */ ) ), "ips" ( /* Ips configuration */ c( "process-override" /* Process override */, "no-process-override" /* Don't process override */, "detect-shellcode" /* Detect shellcode */, "no-detect-shellcode" /* Don't detect shellcode */, "process-ignore-s2c" /* Process ignore s2c */, "no-process-ignore-s2c" /* Don't process ignore s2c */, "ignore-regular-expression" /* Ignore regular expression */, "no-ignore-regular-expression" /* Don't ignore regular expression */, "process-port" arg /* Process port */, "fifo-max-size" arg /* Maximum fifo size */, "log-supercede-min" arg /* Minimum log supercede */, "content-decompression-max-memory-kb" arg /* Maximum memory usage in kilo bytes */, "content-decompression-max-ratio" arg /* Maximum decompression ratio supported */, "session-pkt-depth" arg /* Session pkt scanning depth */ ) ), "global" ( /* Global configuration */ c( "enable-packet-pool" /* Enable packet pool */, "no-enable-packet-pool" /* Don't enable packet pool */, "enable-all-qmodules" /* Enable all qmodules */, "no-enable-all-qmodules" /* Don't enable all qmodules */, "policy-lookup-cache" /* Policy lookup cache */, "no-policy-lookup-cache" /* Don't policy lookup cache */, "memory-limit-percent" arg /* Memory limit percentage */ ) ), "detector" ( /* Detector Configuration */ c( "protocol-name" ( /* Apropriate help string */ proto_object /* Apropriate help string */ ) ) ), "ssl-inspection" ( /* SSL inspection */ c( "sessions" arg /* Number of SSL sessions to inspect */, "session-id-cache-timeout" arg /* Timeout value for SSL session ID cache */, "maximum-cache-size" arg /* Maximum SSL session ID cache size */, "cache-prune-chunk-size" arg /* Number of cache entries to delete when pruning SSL session ID cache */, "key-protection" /* Enable SSL key protection */ ) ), "disable-low-memory-handling" /* Do not abort IDP operations under low memory condition */, "high-availability" ( /* High availability configuration */ c( "no-policy-cold-synchronization" /* Disable policy cold synchronization */ ) ), "security-configuration" ( /* IDP security configuration */ c( "protection-mode" ( /* Enable security protection mode */ ("datacenter" | "datacenter-full" | "perimeter" | "perimeter-full") ) ) ) ) ), "max-sessions" arg /* Max number of IDP sessions */, "logical-system" ( /* Configure max IDP sessions for the logial system */ logical_system_type /* Configure max IDP sessions for the logial system */ ), "processes" /* Configure IDP Processes */ ) ), "address-book" ( /* Security address book */ named_address_book_type /* Security address book */ ), "alg" ( /* Configure ALG security options */ alg_object /* Configure ALG security options */ ), "application-firewall" ( /* Configure application-firewall rule-sets */ c( "traceoptions" ( /* Rule-sets Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "profile" arg ( /* Configure application-firewall profile */ c( "block-message" ( /* Block message settings */ c( "type" ( /* Type of block message desired */ c( c( "custom-text" ( /* Custom defined block message */ c( "content" arg /* Content of custom-text */ ) ), "custom-redirect-url" ( /* Custom redirect URL server */ c( "content" arg /* URL of block message */ ) ) ) ) ) ) ) ) ), "rule-sets" arg ( /* Configure application-firewall rule-sets */ c( "rule" ( /* Rule */ appfw_rule_type /* Rule */ ), "default-rule" ( /* Specify default rule for a rule-set */ c( c( "permit" /* Permit packets */, "deny" ( /* Deny packets */ c( "block-message" /* Block message */ ) ), "reject" ( /* Reject packets */ c( "block-message" /* Block message */ ) ) ) ) ), "profile" arg /* Profile for block message */ ) ), "nested-application" ( /* Configure nested application dynamic lookup */ c( "dynamic-lookup" ( /* Configure dynamic lookup */ c( "enable" /* Enable dynamic lookup */ ) ) ) ) ) ), "application-tracking" ( /* Application tracking configuration */ c( "disable" /* Disable Application tracking */, c( "first-update-interval" arg /* Interval when the first update message is sent */, "first-update" /* Generate Application tracking initial message when a session is created */ ), "session-update-interval" arg /* Frequency in which Application tracking update messages are generated */ ) ), "utm" ( /* Content security service configuration */ c( "traceoptions" ( /* Trace options for utm */ utm_traceoptions /* Trace options for utm */ ), "application-proxy" ( /* Application proxy settings */ c( "traceoptions" ( /* Trace options for application proxy */ utm_apppxy_traceoptions /* Trace options for application proxy */ ) ) ), "ipc" ( /* IPC settings */ c( "traceoptions" ( /* Trace options for IPC */ utm_ipc_traceoptions /* Trace options for IPC */ ) ) ), "custom-objects" ( /* Custom-objects settings */ c( "category-package" ( /* Category package download and install options */ c( "url" arg /* HTTPS URL of category package download */, "proxy-profile" arg /* Proxy profile */, "routing-instance" arg /* Routing instance name */, "automatic" ( /* Scheduled download and install */ c( "start-time" ( /* Start time (YYYY-MM-DD.HH:MM:SS) */ time /* Start time (YYYY-MM-DD.HH:MM:SS) */ ), "interval" arg /* Interval in hours */, "enable" /* Enable automatic download and install */ ) ) ) ), "mime-pattern" ( /* Configure mime-list object */ mime_list_type /* Configure mime-list object */ ), "filename-extension" ( /* Configure extension-list object */ extension_list_type /* Configure extension-list object */ ), "url-pattern" ( /* Configure url-list object */ url_list_type /* Configure url-list object */ ), "custom-url-category" ( /* Configure category-list object */ category_list_type /* Configure category-list object */ ), "protocol-command" ( /* Configure command-list object */ command_list_type /* Configure command-list object */ ), "custom-message" ( /* Configure custom-message object */ custom_message_type /* Configure custom-message object */ ) ) ), "default-configuration" ( /* Global default UTM configurations */ c( "anti-virus" ( /* Configure anti-virus feature */ default_anti_virus_feature /* Configure anti-virus feature */ ), "web-filtering" ( /* Configure web-filtering feature */ default_webfilter_feature /* Configure web-filtering feature */ ), "anti-spam" ( /* Configure anti-spam feature */ default_anti_spam_feature /* Configure anti-spam feature */ ), "content-filtering" ( /* Configure content filtering feature */ default_content_filtering_feature /* Configure content filtering feature */ ) ) ), "feature-profile" ( /* Feature-profile settings */ c( "anti-virus" ( /* Configure anti-virus feature */ anti_virus_feature /* Configure anti-virus feature */ ), "web-filtering" ( /* Configure web-filtering feature */ webfilter_feature /* Configure web-filtering feature */ ), "anti-spam" ( /* Configure anti-spam feature */ anti_spam_feature /* Configure anti-spam feature */ ), "content-filtering" ( /* Configure content filtering feature */ content_filtering_feature /* Configure content filtering feature */ ) ) ), "utm-policy" ( /* Configure profile */ profile_setting /* Configure profile */ ) ) ), "dynamic-address" ( /* Configure security dynamic address */ c( "traceoptions" ( /* Security dynamic address tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "control" | "ipc" | "ip-entry" | "file-retrieval" | "lookup" | "all")) /* Tracing parameters */.as(:oneline) ) ), "feed-server" arg ( /* Security dynamic address feed-server */ c( "description" arg /* Text description of feed-server */, "hostname" arg /* Hostname or IP address of feed-server */, "update-interval" arg /* Interval to retrieve update */, "hold-interval" arg /* Time to keep IP entry when update failed */, "feed-name" arg ( /* Feed name in feed-server */ c( "description" arg /* Text description of feed in feed-server */, "path" arg /* Path of feed, appended to feed-server to form a complete URL */, "update-interval" arg /* Interval to retrieve update */, "hold-interval" arg /* Time to keep IP entry when update failed */ ) ) ) ), "address-name" arg ( /* Security dynamic address name */ c( "description" arg /* Text description of dynamic address */, "profile" ( /* Information to categorize feed data into this dynamic address */ c( "feed-name" arg /* Name of feed in feed-server for this dynamic address */, "category" arg ( /* Name of category */ c( "feed" arg /* Name of feed under category */, "property" arg ( /* Property to match */ c( c( "string" arg /* Value type is strings */ ) ) ) ) ) ) ) ) ) ) ), "dynamic-vpn" /* Configure dynamic VPN */, "dynamic-application" ( /* Configure dynamic-application */ c( "traceoptions" ( /* Dynamic application tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "profile" arg ( /* Configure application-firewall profile */ c( "redirect-message" ( /* Redirect message settings */ c( "type" ( /* Type of redirect message desired */ c( c( "custom-text" ( /* Custom defined text block message */ c( "content" arg /* Content of custom-text */ ) ), "redirect-url" ( /* Custom redirect URL server */ c( "content" arg /* URL of block message */ ) ) ) ) ) ) ) ) ) ) ), "softwires" ( /* Configure softwire feature */ softwires_object /* Configure softwire feature */ ), "forwarding-options" ( /* Security-forwarding-options configuration */ c( "family" ( /* Security forwarding-options for family */ c( "inet6" ( /* Family IPv6 */ c( "mode" ( /* Forwarding mode */ ("packet-based" | "flow-based" | "drop") ) ) ), "mpls" ( /* Family MPLS */ c( "mode" ( /* Forwarding mode */ ("packet-based") ) ) ), "iso" ( /* Family ISO */ c( "mode" ( /* Forwarding mode */ ("packet-based") ) ) ) ) ), "mirror-filter" ( /* Security mirror filters */ mirror_filter_type /* Security mirror filters */ ), "secure-wire" ( /* Secure-wire cross connections */ secure_wire_type /* Secure-wire cross connections */ ) ) ), "advanced-services" /* Advanced services configuration */, "flow" ( /* FLOW configuration */ c( "enhanced-routing-mode" /* Enable enhanced route scaling */, "traceoptions" ( /* Trace options for flow services */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "basic-datapath" | "high-availability" | "host-traffic" | "fragmentation" | "multicast" | "route" | "session" | "session-scan" | "tcp-basic" | "tunnel")) /* Events and other information to include in trace output */.as(:oneline), "rate-limit" arg /* Limit the incoming rate of trace messages */, "packet-filter" ( /* Flow packet debug filters */ flow_filter_type /* Flow packet debug filters */ ), "trace-level" ( /* FLow trace level */ c( c( "error" /* Error messages */, "brief" /* Brief messages */, "detail" /* Detail messages */ ) ) ) ) ), "pending-sess-queue-length" ( /* Maximum queued length per pending session */ ("normal" | "moderate" | "high") ), "enable-reroute-uniform-link-check" ( /* Enable reroute check with uniform link */ c( "nat" /* Enable NAT check */ ) ), "allow-dns-reply" /* Allow unmatched incoming DNS reply packet */, "route-change-timeout" arg /* Timeout value for route change to nonexistent route */, "syn-flood-protection-mode" ( /* TCP SYN flood protection mode */ ("syn-cookie" | "syn-proxy") ), "allow-embedded-icmp" /* Allow embedded ICMP packets not matching a session to pass through */, "mcast-buffer-enhance" /* Allow to hold more packets during multicast session creation */, "allow-reverse-ecmp" /* Allow reverse ECMP route lookup */, "sync-icmp-session" /* Allow icmp sessions to sync to peer node */, "ipsec-performance-acceleration" /* Accelerate the IPSec traffic performance */, "aging" ( /* Aging configuration */ c( "early-ageout" arg /* Delay before device declares session invalid */, "low-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out ends */, "high-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out starts */ ) ), "ethernet-switching" ( /* Ethernet-switching configuration for flow */ c( "block-non-ip-all" /* Block all non-IP and non-ARP traffic including broadcast/multicast */, "bypass-non-ip-unicast" /* Allow all non-IP (including unicast) traffic */, "no-packet-flooding" ( /* Stop IP flooding, send ARP/ICMP to trigger MAC learning */ c( "no-trace-route" /* Don't send ICMP to trigger MAC learning */ ) ), "bpdu-vlan-flooding" /* Set 802.1D BPDU flooding based on VLAN */ ) ), "tcp-mss" ( /* TCP maximum segment size configuration */ c( "all-tcp" ( /* Enable MSS override for all packets */ c( "mss" arg /* MSS value */ ) ), "ipsec-vpn" ( /* Enable MSS override for all packets entering IPSec tunnel */ c( "mss" arg /* MSS value */ ) ), "gre-in" ( /* Enable MSS override for all GRE packets coming out of an IPSec tunnel */ c( "mss" arg /* MSS value */ ) ), "gre-out" ( /* Enable MSS override for all GRE packets entering an IPsec tunnel */ c( "mss" arg /* MSS value */ ) ) ) ), "tcp-session" ( /* Transmission Control Protocol session configuration */ c( "rst-invalidate-session" /* Immediately end session on receipt of reset (RST) segment */, "fin-invalidate-session" /* Immediately end session on receipt of fin (FIN) segment */, "rst-sequence-check" /* Check sequence number in reset (RST) segment */, "no-syn-check" /* Disable creation-time SYN-flag check */, "strict-syn-check" /* Enable strict syn check */, "no-syn-check-in-tunnel" /* Disable creation-time SYN-flag check for tunnel packets */, "no-sequence-check" /* Disable sequence-number checking */, "tcp-initial-timeout" arg /* Timeout for TCP session when initialization fails */, "maximum-window" ( /* Maximum TCP proxy scaled receive window, default 256K bytes */ ("64K" | "128K" | "256K" | "512K" | "1M") ), "time-wait-state" ( /* Session timeout value in time-wait state, default 150 seconds */ c( c( "session-ageout" /* Allow session to ageout using service based timeout values */, "session-timeout" arg /* Configure session timeout value for time-wait state */ ), "apply-to-half-close-state" /* Apply time-wait-state timeout to half-close state */ ) ) ) ), "force-ip-reassembly" /* Force to reassemble ip fragments */, "preserve-incoming-fragment-size" /* Preserve incoming fragment size for egress MTU */, "advanced-options" ( /* Flow config advanced options */ c( "drop-matching-reserved-ip-address" /* Drop matching reserved source IP address */, "drop-matching-link-local-address" /* Drop matching link local address */, "reverse-route-packet-mode-vr" /* Allow reverse route lookup with packet mode vr */ ) ), "load-distribution" ( /* Flow config SPU load distribution */ c( "session-affinity" /* SPU load distribution based on the service anchor SPU */ ) ), "packet-log" ( /* Configure flow packet log */ c( "enable" /* Enable log for dropped packet */, "throttle-interval" arg /* Interval should be configured as a power of two */, "packet-filter" ( /* Configure packet log filter */ flow_filter_type /* Configure packet log filter */ ) ) ), "power-mode-ipsec" /* Enable power mode ipsec processing */ ) ), "firewall-authentication" ( /* Firewall authentication parameters */ c( "traceoptions" ( /* Data-plane firewall authentication tracing options */ c( "flag" enum(("authentication" | "proxy" | "all")) ( /* Events to include in trace output */ sc( c( "terse" /* Include terse amount of output in trace */, "detail" /* Include detailed amount of output in trace */, "extensive" /* Include extensive amount of output in trace */ ) ) ).as(:oneline) ) ) ) ), "screen" ( /* Configure screen feature */ c( "trap" ( /* Configure trap interval */ sc( "interval" arg /* Trap interval */ ) ).as(:oneline), "ids-option" ( /* Configure ids-option */ ids_option_type /* Configure ids-option */ ), "traceoptions" ( /* Trace options for Network Security Screen */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "all")) /* Tracing parameters */.as(:oneline) ) ), "white-list" ( /* Set of IP addresses for white list */ ids_wlist_type /* Set of IP addresses for white list */ ) ) ), "nat" ( /* Configure Network Address Translation */ nat_object /* Configure Network Address Translation */ ), "forwarding-process" ( /* Configure security forwarding-process options */ c( "enhanced-services-mode" /* Enable enhanced application services mode */, "application-services" ( /* Configure application service options */ c( "maximize-alg-sessions" /* Maximize ALG session capacity */, "maximize-persistent-nat-capacity" /* Increase persistent NAT capacity by reducing maximum flow sessions */, "maximize-cp-sessions" /* Maximize CP session capacity */, "session-distribution-mode" arg /* Session distribution mode */, "enable-gtpu-distribution" /* Enable GTP-U distribution */, "packet-ordering-mode" arg /* Packet ordering mode */, "maximize-idp-sessions" /* Run security services in dedicated processes to maximize IDP session capacity */ ) ) ) ), "policies" ( /* Configure Network Security Policies */ policy_object_type /* Configure Network Security Policies */ ), "tcp-encap" ( /* Configure TCP Encapsulation. */ c( "traceoptions" ( /* Trace options for TCP encapsulation service */ ragw_traceoptions /* Trace options for TCP encapsulation service */ ), "profile" arg ( /* Configure profile. */ c( "ssl-profile" arg /* SSL Termination profile */, "log" /* Enable logging for remote-access */ ) ), "global-options" ( /* Global settings for TCP encapsulation */ c( "enable-tunnel-tracking" /* Track ESP tunnels */ ) ) ) ), "resource-manager" ( /* Configure resource manager security options */ c( "traceoptions" ( /* Traceoptions for resource manager */ c( "flag" enum(("client" | "group" | "resource" | "gate" | "session" | "chassis cluster" | "messaging" | "service pinhole" | "error" | "all")) ( /* Resource manager objects and events to include in trace */ sc( c( "terse" /* Set trace verbosity level to terse */, "detail" /* Set trace verbosity level to detail */, "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "analysis" ( /* Configure security analysis */ c( "no-report" /* Stops security analysis reporting */ ) ), "traceoptions" ( /* Network security daemon tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "compilation" | "all")) /* Tracing parameters */.as(:oneline), "rate-limit" arg /* Limit the incoming rate of trace messages */ ) ), "datapath-debug" ( /* Datapath debug options */ c( "traceoptions" ( /* End to end debug trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline) ) ), "capture-file" ( /* Packet capture options */ sc( arg /* Capture file name */, "format" ( /* Capture file format */ ("pcap") ), "size" arg /* Maximum file size */, "files" arg /* Maximum number of files */, "world-readable" /* Allow any user to read packet-capture files */, "no-world-readable" /* Don't allow any user to read packet-capture files */ ) ).as(:oneline), "maximum-capture-size" arg /* Max packet capture length */, "action-profile" ( /* Action profile definitions */ e2e_action_profile /* Action profile definitions */ ), "packet-filter" ( /* Packet filter configuration */ end_to_end_debug_filter /* Packet filter configuration */ ) ) ), "user-identification" ( /* Configure user-identification */ c( "traceoptions" ( /* User-identification Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all")) /* Tracing parameters */.as(:oneline) ) ), "authentication-source" ( /* Configure user-identification authentication-source */ authentication_source_type /* Configure user-identification authentication-source */ ) ) ), "zones" ( /* Zone configuration */ c( "functional-zone" ( /* Functional zone */ c( "management" ( /* Host for out of band management interfaces */ c( "interfaces" ( /* Interfaces that are part of this zone */ zone_interface_list_type /* Interfaces that are part of this zone */ ), "screen" arg /* Name of ids option object applied to the zone */, "host-inbound-traffic" ( /* Allowed system services & protocols */ zone_host_inbound_traffic_t /* Allowed system services & protocols */ ), "description" arg /* Text description of zone */ ) ) ) ), "security-zone" ( /* Security zones */ security_zone_type /* Security zones */ ) ) ), "advance-policy-based-routing" ( /* Configure Network Security APBR Policies */ c( "traceoptions" ( /* Advance policy based routing tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "tunables" ( /* Configure advance policy based routing tunables */ c( "max-route-change" arg /* Maximum route change */, "drop-on-zone-mismatch" /* Drop session if zone mismatches */, "enable-logging" /* Enable AppTrack logging */ ) ), "profile" arg ( /* Configure advance-policy-based-routing profile */ c( "rule" ( /* Specify an advance policy based routing rule */ apbr_rule_type /* Specify an advance policy based routing rule */ ) ) ), "active-probe-params" arg ( /* Active probe's settings */ c( "settings" ( /* Settings */ appqoe_probe_params /* Settings */ ) ) ), "metrics-profile" arg ( /* Configure metric profiles */ c( "sla-threshold" ( /* Configure SLA metric threshold */ appqoe_sla_metric_profile /* Configure SLA metric threshold */ ) ) ), "overlay-path" arg ( /* List of overlay paths */ c( "tunnel-path" ( /* Tunnel start & end ip addresses */ appqoe_probe_path /* Tunnel start & end ip addresses */ ), "probe-path" ( /* Probe start & end ip addresses */ appqoe_probe_path /* Probe start & end ip addresses */ ) ) ), "destination-path-group" arg ( /* Group of tunnels to a particular destination */ c( "probe-routing-instance" ( /* Set routing instance for the probe-path */ c( arg /* Name of routing instance */ ) ), "overlay-path" arg /* List of paths */ ) ), "sla-options" ( /* Global SLA options */ c( "local-route-switch" ( /* Enable/disable Automatic local route switching */ c( c( "enabled" /* Enable */, "disabled" /* Disable */ ) ) ), "log-type" ( /* Choose the logging mechanism */ c( c( "syslog" /* Choose syslog */ ) ) ), "max-passive-probe-limit" ( /* Set max passive probe limits */ c( "number-of-probes" ( /* Number of passive probes to be sent */ c( arg ) ), "interval" ( /* Interval within which to send */ c( arg ) ) ) ) ) ), "sla-rule" arg ( /* Create SLA rule */ c( "switch-idle-time" ( /* Idle timeout period where no SLA violation will be detected once path switch has happened */ c( arg ) ), "metrics-profile" ( /* Set metrics profile for the SLA */ c( arg /* Metrics Profile name */ ) ), "active-probe-params" ( /* Set Probe params for the overlay-path */ c( arg /* Probe parameter's name */ ) ), "passive-probe-params" ( /* Passive probe settings */ c( "sampling-percentage" ( /* Mininmum percentage of Sessions to be evaluated for the application */ c( arg ) ), "violation-count" ( /* Number of SLA violations within sampling period to be considered as a violation. */ c( arg ) ), "sampling-period" ( /* Time period in which the sampling is done */ c( arg ) ), "sla-export-factor" ( /* Enabled sampling window based SLA exporting */ c( arg ) ), "type" ( /* Choose type of SLA measurement */ c( c( "book-ended" /* Choose custom method of probing within WAN link */ ) ) ), "sampling-frequency" ( /* Sampling frequency settings */ c( "interval" ( /* Time based sampling interval */ c( arg ) ), "ratio" ( /* 1:N based sampling ratio */ c( arg ) ) ) ) ) ) ) ), "policy" arg ( /* Define a policy context from this zone */ c( "policy" ( /* Define security policy in specified zone-to-zone direction */ sla_policy_type /* Define security policy in specified zone-to-zone direction */ ) ) ) ) ), "gprs" ( /* GPRS configuration */ c( "gtp" ( /* GPRS tunneling protocol configuration */ c( "profile" arg ( /* Configure GTP Profile */ c( "min-message-length" arg /* Minimum message length, from 0 to 65535 */, "max-message-length" arg /* Maximum message length, from 1 to 65535 */, "timeout" arg /* Tunnel idle timeout */, "rate-limit" arg /* Limit messages per second */, "log" ( /* GPRS tunneling protocol logs */ c( "forwarded" ( /* Log passed good packets */ ("basic" | "detail") ), "state-invalid" ( /* Dropped by state-inspection or sanity failure */ ("basic" | "detail") ), "prohibited" ( /* Dropped for type/length/version filtering */ ("basic" | "detail") ), "gtp-u" enum(("all" | "dropped")) /* Logs for gtp-u */, "rate-limited" ( /* Dropped for rate-limit */ c( c( "basic" /* Basic logs */, "detail" /* Detailed logs */ ), "frequency-number" arg /* Logging frequency over threshold, set by rate-limit */ ) ) ) ), "remove-ie" ( /* Remove information elements */ c( "version" enum(("v1")) ( /* GTP version */ c( "release" enum(("R6" | "R7" | "R8" | "R9")) /* Remove information elements by release */, "number" ( /* Remove information elements by number */ c( arg ) ) ) ) ) ), "path-rate-limit" ( /* Limit control messages based on IP pairs */ c( "message-type" enum(("create-req" | "delete-req" | "echo-req" | "other")) ( /* Specific group of control messages */ c( "drop-threshold" ( /* Set drop threshold for path rate limiting */ c( "forward" arg /* Limit messages of forward direction */, "reverse" arg /* Limit messages of reverse direction */ ) ), "alarm-threshold" ( /* Set alarm threshold for path rate limiting */ c( "forward" arg /* Limit messages of forward direction */, "reverse" arg /* Limit messages of reverse direction */ ) ) ) ) ) ), "drop" ( /* Drop certain type of messages */ c( "aa-create-pdp" ( /* Create AA pdp request/response message */ c( c( "0" /* Version 0 */ ) ) ), "aa-delete-pdp" ( /* Delete AA pdp request/response message */ c( c( "0" /* Version 0 */ ) ) ), "bearer-resource" ( /* Bearer resource command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "change-notification" ( /* Change notification request/response message */ c( c( "2" /* Version 2 */ ) ) ), "config-transfer" ( /* Configuration transfer message */ c( c( "2" /* Version 2 */ ) ) ), "context" ( /* Context request/response/ack message */ c( c( "2" /* Version 2 */ ) ) ), "create-bearer" ( /* Create bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-data-forwarding" ( /* Create indirect data forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-pdp" ( /* Create pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "create-session" ( /* Create session request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-tnl-forwarding" ( /* Create forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "cs-paging" ( /* CS paging indication message */ c( c( "2" /* Version 2 */ ) ) ), "data-record" ( /* Data record request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "delete-bearer" ( /* Delete bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-command" ( /* Delete bearer command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "delete-data-forwarding" ( /* Delete indirect data forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-pdn" ( /* Delete PDN connection set request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-pdp" ( /* Delete pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "delete-session" ( /* Delete session request/response message */ c( c( "2" /* Version 2 */ ) ) ), "detach" ( /* Detach notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "downlink-notification" ( /* Downlink data notification/ack/failure message */ c( c( "2" /* Version 2 */ ) ) ), "echo" ( /* Echo request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "error-indication" ( /* Error indication message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "failure-report" ( /* Failure report request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "fwd-access" ( /* Forward access context notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "fwd-relocation" ( /* Forward relocation request/response/comp/comp-ack message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "fwd-srns-context" ( /* Forward SRNS context/context-ack message */ c( c( "1" /* Version 1 */ ) ) ), "g-pdu" ( /* G-PDU (user PDU) message/T-PDU */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "identification" ( /* Identification request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-start" ( /* MBMS session start request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-stop" ( /* MBMS session stop request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-update" ( /* MBMS session update request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "modify-bearer" ( /* Modify bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "modify-command" ( /* Modify bearer command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "node-alive" ( /* Node alive request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "note-ms-present" ( /* Note MS GPRS present request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "pdu-notification" ( /* PDU notification requst/response/reject/reject-response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "ran-info" ( /* RAN info relay message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "redirection" ( /* Redirection request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "release-access" ( /* Release access-bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "relocation-cancel" ( /* Relocation cancel request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "resume" ( /* Resume notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "send-route" ( /* Send route info request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "sgsn-context" ( /* SGSN context request/response/ack message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "stop-paging" ( /* Stop paging indication message */ c( c( "2" /* Version 2 */ ) ) ), "supported-extension" ( /* Supported extension headers notification message */ c( c( "1" /* Version 1 */ ) ) ), "suspend" ( /* Suspend notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "trace-session" ( /* Trace session activation/deactivation message */ c( c( "2" /* Version 2 */ ) ) ), "update-bearer" ( /* Update bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "update-pdn" ( /* Update PDN connection set request/response message */ c( c( "2" /* Version 2 */ ) ) ), "update-pdp" ( /* Update pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "ver-not-supported" ( /* Version not supported message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ) ) ), "apn" arg ( /* GTP Access Point Name (APN) filter */ c( "imsi-prefix" arg ( /* Specific filter prefix digits for International Mobile Subscriber Identification(IMSI) */ c( "action" ( /* Configure GTP profile APN action */ c( c( "pass" /* Pass all selection modes for this APN */, "drop" /* Drop all selection modes for this APN */, "selection" ( /* Allowed selection modes for this APN */ c( "ms" /* Mobile Station selection mode */, "net" /* Network selection mode */, "vrf" /* Subscriber verified mode */ ) ) ) ) ) ) ) ) ), "restart-path" ( /* Restart GTP paths */ ("echo" | "create" | "all") ), "seq-number-validated" /* Validate G-PDU sequence number */, "gtp-in-gtp-denied" /* Deny nested GTP */, "u-tunnel-validated" /* Validate GTP-u tunnel */, "end-user-address-validated" /* Validate end user address */, "req-timeout" arg /* Request message timeout, default timeout value 5 seconds */, "handover-on-roaming-intf" /* Enable tunnel setup by Handover messages on roaming interface */, "handover-group" ( /* SGSN handover group configuration */ c( arg ) ) ) ), "traceoptions" ( /* Trace options for GPRS tunneling protocol */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "parser" | "chassis-cluster" | "gsn" | "jmpi" | "tnl" | "req" | "path" | "all")) /* Tracing parameters */.as(:oneline), "trace-level" ( /* GTP trace level */ c( c( "error" /* Match error conditions */, "warning" /* Match warning messages */, "notice" /* Match conditions that should be handled specially */, "info" /* Match informational messages */, "verbose" /* Match verbose messages */ ) ) ) ) ), "handover-group" arg ( /* Set handover group */ c( "address-book" arg ( /* Set addreess book */ c( "address-set" ( /* Set address set */ c( arg ) ) ) ) ) ), "handover-default" ( /* Set handover default deny */ c( "deny" /* Handover default deny */ ) ) ) ), "sctp" ( /* GPRS stream control transmission protocol configuration */ c( "profile" arg ( /* Configure stream transmission protocol */ c( "nat-only" /* Only do payload IPs translation for SCTP packet */, "association-timeout" arg /* SCTP association timeout length, in minutes */, "handshake-timeout" arg /* SCTP handshake timeout, in seconds */, "drop" ( /* Disallowed SCTP payload message */ c( "m3ua-service" enum(("sccp" | "tup" | "isup")) /* MTP level 3 (MTP3) user adaptation layer service */.as(:oneline), "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) ) ), "permit" ( /* Permit SCTP payload message */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) ) ), "limit" ( /* Packet limits */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ sc( "rate" arg /* Rate limit */ ) ).as(:oneline), "address" arg ( /* Rate limit for a list of IP addresses */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ sc( "rate" arg /* Rate limit */ ) ).as(:oneline) ) ), "rate" ( /* Rate limit */ c( "sccp" arg /* Global SCCP messages rate limit */, "ssp" arg /* Global SSP messages rate limit */, "sst" arg /* Global SST messages rate limit */, "address" arg ( /* Rate limit for a list of IP addresses */ c( "sccp" arg /* SCCP messages rate limit */, "ssp" arg /* SSP messages rate limit */, "sst" arg /* SST messages rate limit */ ) ) ) ) ) ) ) ), "multichunk-inspection" ( /* Configure for SCTP multi chunks inspection */ c( c( "disable" /* Set multichunk inspection flag to disable */ ) ) ), "nullpdu" ( /* Configure for SCTP NULLPDU protocol value */ c( "protocol" ( /* SCTP NULLPDU payload protocol identifier */ c( c( "ID-0x0000" /* Set 0x0000 to be NULLPDU ID value */, "ID-0xFFFF" /* Set 0xFFFF to be NULLPDU ID value */ ) ) ) ) ), "log" enum(("configuration" | "rate-limit" | "association" | "data-message-drop" | "control-message-drop" | "control-message-all")) /* GPRS stream control transmission protocol logs */.as(:oneline), "traceoptions" ( /* Trace options for GPRS stream control transmission protocol */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "detail" | "flow" | "parser" | "chassis-cluster" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ) ) ), "ngfw" ( /* Next generation unified L4/L7 firewall */ c( "default-profile" ( /* Unified L4/L7 firewall default profile configuration */ c( "ssl-proxy" ( /* SSL proxy services */ c( "profile-name" arg /* Specify SSL proxy service profile name */ ) ), "application-traffic-control" ( /* Application traffic control services */ jsf_application_traffic_control_rule_set_type /* Application traffic control services */ ) ) ) ) ), "macsec" ( /* MAC Security configuration */ security_macsec /* MAC Security configuration */ ) ) ), "interfaces" ( /* Interface configuration */ c( "pic-set" /* NP bundling configuration */, "interface-set" ("$junos-interface-set-name" | arg | "$junos-svlan-interface-set-name" | "$junos-tagged-vlan-interface-set-name" | "$junos-phy-ifd-interface-set-name" | "$junos-pon-id-interface-set-name") ( /* Logical interface set configuration */ c( "targeted-distribution" /* Interface participates in targeted-distribution */, "targeted-options" /* Targeting specific options */, "interface" arg ( /* One or more interfaces that belong to interface set */ c( "unit" arg /* One or more logical interface unit numbers */, "vlan-tags-outer" arg /* One or more outer VLAN tags */ ) ), "pppoe-underlying-options" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ) ) ), "stacked-interface-set" ( /* Stacked interface set configuration */ c( "interface-set" ("$junos-aggregation-interface-set-name" | arg) ( /* Stacked parent interface set configuration */ c( "interface-set" ("$junos-interface-set-name" | arg | "$junos-svlan-interface-set-name" | "$junos-tagged-vlan-interface-set-name" | "$junos-phy-ifd-interface-set-name" | "$junos-pon-id-interface-set-name") /* Stacked child interface set configuration */ ) ) ) ), "traceoptions" ( /* Interface trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "kernel" | "change-events" | "kernel-detail" | "config-states" | "resource-usage" | "gres-events" | "select-events" | "bfd-events" | "lib-events" | "reserved" | "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "informational" | "debugging" | "verbose" | "japi")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "interface-range" arg ( /* Interface ranges configuration */ c( "member" arg /* Interfaces belonging to the interface range */, "member-range" arg ( /* Interfaces range in to format */ sc( "end-range" ( interface_device ) ) ).as(:oneline), "description" arg /* Text description of interface */, "metadata" arg /* Text metadata attached to interface */, ("disable"), "promiscuous-mode" /* Enable promiscuous mode for L3 interface */, "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "multicast-statistics" /* Enable multicast statistics */, "oam-on-svlan" /* Propagate SVLAN OAM state to CVLANs */, "fabric-options" ( /* Fabric interface specific options */ c( "member-interfaces" arg /* Member interface for the fabric interface */ ) ), "traceoptions" ( /* Interface trace options */ c( "flag" enum(("ipc" | "event" | "media" | "all" | "q921" | "q931")) /* Tracing parameters */.as(:oneline), "file" ( /* Trace file information for ISDN decoded frames */ c( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ) ) ), "passive-monitor-mode" /* Use interface to tap packets from another router */, c( "keepalives" ( /* Send or demand keepalive messages */ keepalives_type /* Send or demand keepalive messages */ ).as(:oneline), "no-keepalives" /* Do not send keepalive messages */ ), "traps" /* Enable SNMP notifications on state changes */, "no-traps" /* Don't enable SNMP notifications on state changes */, "interface-mib" /* Enable interface-related MIBs */, "no-interface-mib" /* Don't enable interface-related MIBs */, "accounting-profile" arg /* Accounting profile name */, "anchor-point" /* Anchor point */, "bypass-queueing-chip" /* Enable to bypass queueing chip */, "no-bypass-queueing-chip" /* Don't enable to bypass queueing chip */, c( "per-unit-scheduler" /* Enable subunit queuing on Frame Relay or VLAN IQ interface */, "no-per-unit-scheduler" /* Don't enable subunit queuing on Frame Relay or VLAN IQ interface */, "shared-scheduler" /* Enabled shared queuing on an IQ2 interface */, "hierarchical-scheduler" ( /* Enable hierarchical scheduling */ sc( "maximum-hierarchy-levels" arg /* Maximum hierarchy levels */, "maximum-l2-nodes" arg /* Maximum l2 nodes, allowed numbers are power of 2 between 1 and 16k (needs FPC reboot) */, "maximum-l3-nodes" arg /* Maximum l3 nodes, allowed numbers are power of 2 between 2 and 32k (needs FPC reboot) */, "implicit-hierarchy" /* Implicit hierarchy (follows interface hierarchy) */ ) ).as(:oneline) ), "l2tp-maximum-session" arg /* Maximum L2TP session */, "schedulers" arg /* Number of schedulers to allocate for interface */, "interface-transmit-statistics" /* Interface statistics based on the transmitted packets */, "cascade-port" /* Cascade port */, "dce" /* Respond to Frame Relay status enquiry messages */, c( "vlan-tagging" /* 802.1q VLAN tagging support */, "stacked-vlan-tagging" /* Stacked 802.1q VLAN tagging support */, "flexible-vlan-tagging" /* Support for no tagging, or single and double 802.1q VLAN tagging */, "vlan-vci-tagging" /* CCC for VLAN Q-in-Q and ATM VPI/VCI interworking */ ), "native-vlan-id" arg /* Virtual LAN identifier for untagged frames */, "no-native-vlan-insert" /* Disable native-vlan-id insertion to untagged frames */, "no-pseudowire-down-on-core-isolation" /* Do not bring the pseudowire down in the event of EVPN Core isolation */, "speed" ( /* Link speed */ ("auto" | "auto-10m-100m" | "10m" | "100m" | "1g" | "2.5g" | "5g" | "10g" | "40g" | "oc3" | "oc12" | "oc48") ), "forwarding-class-accounting" /* Configure Forwarding-class-accounting parameters */, "auto-configure" ( /* Auto configuration */ auto_configure_vlan_type /* Auto configuration */ ), "mtu" arg /* Maximum transmit packet size */, "hold-time" ( /* Hold time for link up and link down */ sc( "up" arg /* Link up hold time */, "down" arg /* Link down hold time */ ) ).as(:oneline), "damping" /* Interface damping parameters */, "link-degrade-monitor" ( /* Enable link degrade monitoring */ c( "actions" ( /* Action upon link degrade event */ c( c( "media-based" /* Media based */ ) ) ), "recovery" ( /* Link degrade recovery mechanism */ c( "timer" arg /* Auto recovery timer in seconds */, c( "auto" /* Automatic recovery */, "manual" /* Manual recovery */ ) ) ), "thresholds" ( /* Link degrade threshold parameters */ c( "set" arg /* BER at which link considered degraded(1..16) */, "clear" arg /* BER at which link considered improved(1..16) */, "warning-set" arg /* BER at which link degrade warning raised(1..16) */, "warning-clear" arg /* BER at which link degrade warning cleared(1..16) */, "interval" arg /* Consecutive link degrade events */ ) ) ) ), "satop-options" ( /* Structure-Agnostic TDM over Packet protocol options */ c( "idle-pattern" arg /* An 8-bit hexadecimal pattern to replace TDM data in a lost packet */, "payload-size" arg /* Number of payload bytes per packet */, "excessive-packet-loss-rate" ( /* Packet loss options */ c( "threshold" arg /* Percentile designating the threshold of excessive packet loss rate */, "sample-period" arg /* Number of milliseconds over which excessive packet loss rate is calculated */ ) ), c( "jitter-buffer-packets" arg /* Number of packets in jitter buffer before packet data is played out in the line */, "jitter-buffer-latency" arg /* Number of milliseconds delay in jitter buffer before packet data is played out in the line */, "jitter-buffer-auto-adjust" /* Automatically adjust jitter buffer */ ), "bit-rate" arg /* In multiples of DS0 */ ) ), "cesopsn-options" ( /* Structure-Aware TDM over Packet protocol options */ c( "idle-pattern" arg /* An 8-bit hexadecimal pattern to replace TDM data in a lost packet */, "packetization-latency" arg /* Number of microseconds to create packets */, "payload-size" arg /* Number of payload bytes per packet */, "excessive-packet-loss-rate" ( /* Packet loss options */ c( "threshold" arg /* Percentile designating the threshold of excessive packet loss rate */, "sample-period" arg /* Number of milliseconds over which excessive packet loss rate is calculated */ ) ), c( "jitter-buffer-packets" arg /* Number of packets in jitter buffer before packet data is played out in the line */, "jitter-buffer-latency" arg /* Number of milliseconds delay in jitter buffer before packet data is played out in the line */, "jitter-buffer-auto-adjust" /* Automatically adjust jitter buffer */ ), "bit-rate" arg /* In multiples of DS0 */ ) ), "ima-group-options" /* IMA group options */, "ima-link-options" /* IMA link options */, "multi-chassis-protection" ( /* Inter-Chassis protection configuration */ multi_chassis_protection_group /* Inter-Chassis protection configuration */ ), "clocking" ( /* Interface clock source */ sc( c( "internal" /* Clocking provided by local system */, "external" ( /* Clocking provided by DCE (loop timing) */ c( "interface" ( /* Interface that acts as clock source */ interface_device /* Interface that acts as clock source */ ) ) ) ) ) ).as(:oneline), "link-mode" ( /* Link operational mode */ ("automatic" | "half-duplex" | "full-duplex") ), "media-type" arg /* Interface media type (copper or fiber) */, "encapsulation" ( /* Physical link-layer encapsulation */ ("ethernet" | "fddi" | "token-ring" | "ppp" | "ppp-ccc" | "ppp-tcc" | "ether-vpls-ppp" | "frame-relay" | "frame-relay-ccc" | "frame-relay-tcc" | "extended-frame-relay-ccc" | "extended-frame-relay-tcc" | "flexible-frame-relay" | "frame-relay-port-ccc" | "frame-relay-ether-type" | "frame-relay-ether-type-tcc" | "extended-frame-relay-ether-type-tcc" | "cisco-hdlc" | "cisco-hdlc-ccc" | "cisco-hdlc-tcc" | "vlan-ccc" | "extended-vlan-ccc" | "ethernet-ccc" | "flexible-ethernet-services" | "smds-dxi" | "atm-pvc" | "atm-ccc-cell-relay" | "ethernet-over-atm" | "ethernet-tcc" | "extended-vlan-tcc" | "multilink-frame-relay-uni-nni" | "satop" | "cesopsn" | "ima" | "ethernet-vpls" | "ethernet-bridge" | "vlan-vpls" | "vlan-vci-ccc" | "extended-vlan-vpls" | "extended-vlan-bridge" | "multilink-ppp" | "generic-services") ), "esi" /* ESI configuration of multi-homed interface */, "framing" ( /* Frame type */ c( c( "lan-phy" /* 802.3ae 10-Gbps LAN-mode interface */, "wan-phy" /* 802.3ae 10-Gbps WAN-mode interface */, "sonet" /* SONET framing */, "sdh" /* SDH framing */ ) ) ), "unidirectional" /* Unidirectional Mode */, "lmi" ( /* Local Management Interface settings */ c( "n391dte" arg /* DTE full status polling interval */, "n392dce" arg /* DCE error threshold */, "n392dte" arg /* DTE error threshold */, "n393dce" arg /* DCE monitored event count */, "n393dte" arg /* DTE monitored event count */, "t391dte" arg /* DTE polling timer */, "t392dce" arg /* DCE polling verification timer */, "lmi-type" ( /* Specify the Frame Relay LMI type */ ("ansi" | "itu" | "c-lmi") ) ) ), "mlfr-uni-nni-bundle-options" ( /* Multilink Frame Relay UNI NNI (FRF.16) management settings */ c( "cisco-interoperability" ( /* FRF.16 Cisco interoperability settings */ c( "send-lip-remove-link-for-link-reject" /* Send Link Integrity Protocol remove link on receiving add-link rejection */ ) ), "mrru" arg /* Maximum received reconstructed unit */, "yellow-differential-delay" arg /* Yellow differential delay among bundle links to give warning */, "red-differential-delay" arg /* Red differential delay among bundle links to take action */, "action-red-differential-delay" ( /* Type of actions when differential delay exceeds red limit */ ("remove-link" | "disable-tx") ), "fragment-threshold" arg /* Fragmentation threshold */, "drop-timeout" arg /* Drop timeout */, "link-layer-overhead" ( /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ unsigned_float /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ ), "lmi-type" ( /* Specify the multilink Frame Relay UNI NNI LMI type */ ("ansi" | "itu" | "c-lmi") ), "minimum-links" arg /* Minimum number of links to sustain the bundle */, "hello-timer" arg /* LIP hello timer */, "acknowledge-timer" arg /* LIP ack timer */, "acknowledge-retries" arg /* LIP ack retry times */, "n391" arg /* Multilink Frame Relay UNI NNI full status polling counter */, "n392" arg /* Multilink Frame Relay UNI NNI LMI error threshold */, "n393" arg /* Multilink Frame Relay UNI NNI LMI monitored event count */, "t391" arg /* Multilink Frame Relay UNI NNI link integrity verify polling timer */, "t392" arg /* Multilink Frame Relay UNI NNI polling verification timer */ ) ), "mac" ( /* Hardware MAC address */ mac_unicast /* Hardware MAC address */ ), "receive-bucket" ( /* Set receive bucket parameters */ dcd_rx_bucket_config /* Set receive bucket parameters */ ), "transmit-bucket" ( /* Set transmit bucket parameters */ dcd_tx_bucket_config /* Set transmit bucket parameters */ ), "shared-interface" /* Enable shared interface on the interface */, "sonet-options" ( /* SONET interface-specific options */ sonet_options_type /* SONET interface-specific options */ ), "logical-tunnel-options" ( /* Logical Tunnel interface-specific options */ c( "link-protection" ( /* Enable link protection mode */ c( "revertive" /* Revert back (Default mode) from active backup link to primary, if primary is UP */, "non-revertive" /* Do not revert back from active backup link to primary, if primary is UP */ ) ), "per-unit-mac-disable" /* Disable the creation of per unit mac address on LT IFLs for VPLS/CCC encaps */ ) ), "aggregated-sonet-options" ( /* Aggregated SONET interface-specific options */ c( "minimum-links" arg /* Minimum number of aggregated links */, "link-speed" ( /* Aggregated links speed */ ("oc3" | "oc12" | "oc48" | "oc192" | "oc768" | "mixed") ), "minimum-bandwidth" arg /* Minimum bandwidth necessary to sustain bundle */ ) ), "atm-options" ( /* ATM interface-specific options */ c( "pic-type" ( /* Type of ATM PIC (ATM I, ATM II or ATM CE) */ ("atm-ce" | "atm2" | "atm1") ), "cell-bundle-size" arg /* L2 circuit cell bundle size */, "cell-bundle-timeout" arg /* L2 circuit cell bundle timeout */, "plp-to-clp" /* Enable ATM2 PLP to CLP copy */, "use-null-cw" /* Always insert/strip null control words with cell-relay */, "promiscuous-mode" ( /* Set ATM interface to promiscuous mode */ c( "vpi" arg /* Open this VPI in promiscuous mode */.as(:oneline) ) ), "vpi" arg ( /* Define a virtual path */ c( "maximum-vcs" arg /* Maximum number of virtual circuits on this VP */, "shaping" ( /* Virtual path traffic-shaping options */ dcd_shaping_config /* Virtual path traffic-shaping options */ ), "oam-period" ( /* F4 OAM cell period */ sc( c( arg, "disable" /* Disable F4 OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* F4 OAM virtual path liveness parameters */ c( "up-count" arg /* Number of F4 OAM cells to consider VP up */, "down-count" arg /* Number of F4 OAM cells to consider VP down */ ) ) ) ), "ilmi" /* Enable Interim Local Management Interface */, "linear-red-profiles" arg ( /* ATM2 CoS virtual circuit drop profiles */ sc( "queue-depth" arg /* Maximum queue depth */, "high-plp-threshold" arg /* Fill level percentage when linear RED is applied for high PLP */, "low-plp-threshold" arg /* Fill level percentage when linear RED is applied for low PLP */, "high-plp-max-threshold" arg /* Fill level percentage with 100 percent packet drop for high PLP */, "low-plp-max-threshold" arg /* Fill level percentage with 100 percent packet drop for low PLP */ ) ).as(:oneline), "scheduler-maps" arg ( /* ATM2 CoS parameters assigned to forwarding classes */ c( "vc-cos-mode" ( /* ATM2 virtual circuit CoS mode */ ("strict" | "alternate") ), "forwarding-class" arg ( /* Scheduling parameters associated with forwarding class */ c( "priority" ( /* Queuing priority assigned to forwarding class */ ("low" | "high") ), "transmit-weight" ( /* Transmit weight */ sc( c( "percent" arg /* Transmit weight as percentage */, "cells" arg /* Transmit weight by cells count */ ) ) ).as(:oneline), c( "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline), "linear-red-profile" arg /* Linear RED profile profile name */ ) ) ) ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */ ) ), "multiservice-options" ( /* Multiservice interface-specific options */ c( "syslog" /* Enable system logging on this interface */, "no-syslog" /* Don't enable system logging on this interface */, "core-dump" /* Enable core dumping on this interface */, "no-core-dump" /* Don't enable core dumping on this interface */, "dump-on-flow-control" /* Enable dumping for this interface on prolonged flow-control */, "no-dump-on-flow-control" /* Don't enable dumping for this interface on prolonged flow-control */, "reset-on-flow-control" /* Enable resetting this interface on prolonged flow-control */, "no-reset-on-flow-control" /* Don't enable resetting this interface on prolonged flow-control */, "flow-control-options" ( /* Flow control configuration */ c( "dump-on-flow-control" /* Cause core dump during prolonged flow-control */, "reset-on-flow-control" /* Reset interface during prolonged flow-control */, "down-on-flow-control" /* Bring interface down during prolonged flow-control */, "up-on-flow-control" /* Keep interface up during prolonged flow-control */ ) ) ) ), "ggsn-options" ( /* GGSN interface-specific options */ c( "syslog" /* Enable system logging on this interface */, "no-syslog" /* Don't enable system logging on this interface */, "core-dump" /* Enable core dumping on this interface */, "no-core-dump" /* Don't enable core dumping on this interface */ ) ), "ppp-options" ( /* Point-to-Point Protocol (PPP) interface-specific options */ ppp_options_type /* Point-to-Point Protocol (PPP) interface-specific options */ ), "redundancy-options" /* Redundancy options */, "load-balancing-options" /* Load-balancing on services pics */, "aggregated-inline-services-options" /* Aggregated Inline Service interface specific options */, "anchoring-options" /* Groups anchoring PFEs or FPCs together. */, "lsq-failure-options" /* Link services queuing failure options */, "redundancy-group" /* Redundancy group configuration */, "services-options" ( /* Services interface-specific options */ c( "syslog" ( /* Define system log parameters */ service_set_syslog_object /* Define system log parameters */ ), "jflow-log" ( /* Define Jflow-log parameters. */ c( "message-rate-limit" arg /* Maximum jflow-log NAT error events allowed per second from this interface */ ) ), "deterministic-nat-configuration-log-interval" ( /* Define Deterministic NAT parameters */ c( "interval" arg /* Interval in which deterministic NAT logs are generated */ ) ), "open-timeout" arg /* Timeout period for TCP session establishment */, "close-timeout" arg /* Timeout period for TCP session tear-down */, "inactivity-timeout" arg /* Inactivity timeout period for established sessions (4..86400) */, "inactivity-tcp-timeout" arg /* Inactivity timeout period for TCP established sessions */, "inactivity-asymm-tcp-timeout" arg /* Inactivity timeout period for asymmetric TCP established sessions */, "inactivity-non-tcp-timeout" arg /* Inactivity timeout period for non-TCP established sessions */, "session-timeout" arg /* Session timeout period for established sessions */, "disable-global-timeout-override" /* Disallow overriding global inactivity or session timeout */, "tcp-tickles" arg /* Number of TCP keep-alive packets to be sent for bi-directional TCP flows */, "trio-flow-offload" /* Allow PIC to offload flows to Trio-based PFE */, "fragment-limit" arg /* Maximum number of fragments allowed for a packet */, "reassembly-timeout" arg /* Re-assembly timeout (seconds) for fragments of a packet */, "cgn-pic" /* PIC will be used for Carrier Grade NAT configuration only */, "pba-interim-logging-interval" arg /* Interim logging interval in seconds */, "session-limit" ( /* Session limit */ c( "maximum" arg /* Maximum number of sessions allowed simultaneously */, "rate" arg /* Maximum number of new sessions allowed per second */, "cpu-load-threshold" arg /* CPU limit in percentage for auto-tuning of session rate */ ) ), "ignore-errors" ( /* Ignore anomalies or errors */ sc( "tcp" /* TCP protocol errors */, "alg" /* ALG anomalies or errors */ ) ).as(:oneline), "capture" ( /* Packet capture for SFW and NAT on the Services PIC */ c( "capture-size" arg /* The number of packets to store */, "pkt-size" arg /* Number of bytes to be saved from each packet */, "logs-per-packet" arg /* The number of trace messages stored for each packet */, "max-log-line-size" arg /* The maximum length of a stored trace message */, "filter" ( /* Filtering options for the packet capture */ c( "source-ip" ( /* Filter based on source-ip (and wildcard) */ sc( "wildcard" ( /* Source IP wildcard */ ipaddr /* Source IP wildcard */ ), ipaddr /* Source IP */ ) ).as(:oneline), "dest-ip" ( /* Filter based on dest-ip (and wildcard) */ sc( "wildcard" ( /* Dest IP wildcard */ ipaddr /* Dest IP wildcard */ ), ipaddr /* Dest IP */ ) ).as(:oneline), "sw-sip" ( /* Filter based on source softwire ip (and wildcard) */ sc( "wildcard" ( /* Source IP wildcard */ ipv6addr /* Source IP wildcard */ ), ipv6addr /* Source softwire IP */ ) ).as(:oneline), "sw-dip" ( /* Filter based on destination softwire ip (and wildcard) */ sc( "wildcard" ( /* Destination IP wildcard */ ipaddr /* Destination IP wildcard */ ), ipaddr /* Destination softwire IP */ ) ).as(:oneline), "sport-range" ( /* Filter based on source port */ sc( "low" arg /* Source port range start */, "high" arg /* Source port range end */ ) ).as(:oneline), "dport-range" ( /* Filter based on destination port */ sc( "low" arg /* Destination port range start */, "high" arg /* Destination port range end */ ) ).as(:oneline), "proto" ( /* Filter based on L4 protocol */ ("icmp" | "tcp" | "udp") ) ) ) ) ) ) ), "t3-options" ( /* T3 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("local" | "remote" | "payload") ), "long-buildout" /* Set hardware to drive line longer than 255 feet */, "no-long-buildout" /* Don't set hardware to drive line longer than 255 feet */, "loop-timing" /* Set loop timing for T3 */, "no-loop-timing" /* Don't set loop timing for T3 */, "unframed" /* Enable unframed mode */, "no-unframed" /* Don't enable unframed mode */, "compatibility-mode" ( /* Set CSU compatibility mode */ sc( c( "larscom" ( /* Compatible with Larscom CSU */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "verilink" ( /* Compatible with Verilink CSU (not on 2/4-port T3 PIC) */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "adtran" ( /* Compatible with Adtran CSU (not on 2/4-port T3 PIC) */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "kentrox" ( /* Compatible with Kentrox CSU */ sc( "subrate" arg /* Set subrate value (not on 2/4-port T3 PIC) */ ) ).as(:oneline), "digital-link" ( /* Compatible with Digital Link CSU */ sc( "subrate" ( /* Set subrate value */ ("301Kb" | "601Kb" | "902Kb" | "1.2Mb" | "1.5Mb" | "1.8Mb" | "2.1Mb" | "2.4Mb" | "2.7Mb" | "3.0Mb" | "3.3Mb" | "3.6Mb" | "3.9Mb" | "4.2Mb" | "4.5Mb" | "4.8Mb" | "5.1Mb" | "5.4Mb" | "5.7Mb" | "6.0Mb" | "6.3Mb" | "6.6Mb" | "6.9Mb" | "7.2Mb" | "7.5Mb" | "7.8Mb" | "8.1Mb" | "8.4Mb" | "8.7Mb" | "9.0Mb" | "9.3Mb" | "9.6Mb" | "9.9Mb" | "10.2Mb" | "10.5Mb" | "10.8Mb" | "11.1Mb" | "11.4Mb" | "11.7Mb" | "12.0Mb" | "12.3Mb" | "12.6Mb" | "12.9Mb" | "13.2Mb" | "13.5Mb" | "13.8Mb" | "14.1Mb" | "14.4Mb" | "14.7Mb" | "15.0Mb" | "15.3Mb" | "15.6Mb" | "15.9Mb" | "16.2Mb" | "16.5Mb" | "16.8Mb" | "17.1Mb" | "17.4Mb" | "17.7Mb" | "18.0Mb" | "18.3Mb" | "18.6Mb" | "18.9Mb" | "19.2Mb" | "19.5Mb" | "19.8Mb" | "20.1Mb" | "20.5Mb" | "20.8Mb" | "21.1Mb" | "21.4Mb" | "21.7Mb" | "22.0Mb" | "22.3Mb" | "22.6Mb" | "22.9Mb" | "23.2Mb" | "23.5Mb" | "23.8Mb" | "24.1Mb" | "24.4Mb" | "24.7Mb" | "25.0Mb" | "25.3Mb" | "25.6Mb" | "25.9Mb" | "26.2Mb" | "26.5Mb" | "26.8Mb" | "27.1Mb" | "27.4Mb" | "27.7Mb" | "28.0Mb" | "28.3Mb" | "28.6Mb" | "28.9Mb" | "29.2Mb" | "29.5Mb" | "29.8Mb" | "30.1Mb" | "30.4Mb" | "30.7Mb" | "31.0Mb" | "31.3Mb" | "31.6Mb" | "31.9Mb" | "32.2Mb" | "32.5Mb" | "32.8Mb" | "33.1Mb" | "33.4Mb" | "33.7Mb" | "34.0Mb" | "34.3Mb" | "34.6Mb" | "34.9Mb" | "35.2Mb" | "35.5Mb" | "35.8Mb" | "36.1Mb" | "36.4Mb" | "36.7Mb" | "37.0Mb" | "37.3Mb" | "37.6Mb" | "37.9Mb" | "38.2Mb" | "38.5Mb" | "38.8Mb" | "39.1Mb" | "39.4Mb" | "39.7Mb" | "40.0Mb" | "40.3Mb" | "40.6Mb" | "40.9Mb" | "41.2Mb" | "41.5Mb" | "41.8Mb" | "42.1Mb" | "42.4Mb" | "42.7Mb" | "43.0Mb" | "43.3Mb" | "43.6Mb" | "43.9Mb" | "44.2Mb") ) ) ).as(:oneline) ) ) ).as(:oneline), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */, "cbit-parity" /* Enable C-bit parity mode */, "no-cbit-parity" /* Don't enable C-bit parity mode */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "feac-loop-respond" /* Respond to FEAC loop requests */, "no-feac-loop-respond" /* Don't respond to FEAC loop requests */, "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "buildout" arg /* Line buildout */, "atm-encapsulation" ( /* DS-3 interface encapsulation */ ("plcp" | "direct") ) ) ), "e3-options" ( /* E3 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("local" | "remote") ), "unframed" /* Enable unframed mode */, "no-unframed" /* Don't enable unframed mode */, "compatibility-mode" ( /* Set CSU compatibility mode */ sc( c( "larscom" /* Compatible with Larscom CSU (only non IQ E3 interfaces) */, "digital-link" ( /* Compatible with Digital Link CSU */ sc( "subrate" ( /* Set subrate value */ ("358Kb" | "716Kb" | "1.1Mb" | "1.4Mb" | "1.8Mb" | "2.1Mb" | "2.5Mb" | "2.9Mb" | "3.2Mb" | "3.6Mb" | "3.9Mb" | "4.3Mb" | "4.7Mb" | "5.0Mb" | "5.4Mb" | "5.7Mb" | "6.1Mb" | "6.4Mb" | "6.8Mb" | "7.2Mb" | "7.5Mb" | "7.9Mb" | "8.2Mb" | "8.6Mb" | "9.0Mb" | "9.3Mb" | "9.7Mb" | "10.0Mb" | "10.4Mb" | "10.7Mb" | "11.1Mb" | "11.5Mb" | "11.8Mb" | "12.2Mb" | "12.5Mb" | "12.9Mb" | "13.2Mb" | "13.6Mb" | "14.0Mb" | "14.3Mb" | "14.7Mb" | "15.0Mb" | "15.4Mb" | "15.8Mb" | "16.1Mb" | "16.5Mb" | "16.8Mb" | "17.2Mb" | "17.5Mb" | "17.9Mb" | "18.3Mb" | "18.6Mb" | "19.0Mb" | "19.3Mb" | "19.7Mb" | "20.0Mb" | "20.4Mb" | "20.8Mb" | "21.1Mb" | "21.5Mb" | "21.8Mb" | "22.2Mb" | "22.6Mb" | "22.9Mb" | "23.3Mb" | "23.6Mb" | "24.0Mb" | "24.3Mb" | "24.7Mb" | "25.1Mb" | "25.4Mb" | "25.8Mb" | "26.1Mb" | "26.5Mb" | "26.9Mb" | "27.2Mb" | "27.6Mb" | "27.9Mb" | "28.3Mb" | "28.6Mb" | "29.0Mb" | "29.4Mb" | "29.7Mb" | "30.1Mb" | "30.4Mb" | "30.8Mb" | "31.1Mb" | "31.5Mb" | "31.9Mb" | "32.2Mb" | "32.6Mb" | "32.9Mb" | "33.3Mb" | "33.7Mb" | "34.0Mb") ) ) ).as(:oneline), "kentrox" ( /* Compatible with Kentrox CSU */ sc( "subrate" arg /* Set subrate value (only for E3 IQ interfaces) */ ) ).as(:oneline) ) ) ).as(:oneline), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "invert-data" /* Invert data */, "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "buildout" arg /* Line buildout */, "atm-encapsulation" ( /* E3 interface encapsulation */ ("plcp" | "direct") ), "framing" ( /* E3 line format */ ("g.751" | "g.832") ) ) ), "e1-options" ( /* E1 interface-specific options */ c( "timeslots" arg /* Timeslots (1..32); for example, 1-4,6,9-11,32 (no space) */, "loopback" ( /* Loopback mode */ ("local" | "remote") ), "framing" ( /* Framing mode */ ("g704" | "unframed" | "g704-no-crc4") ), "fcs" ( /* Frame checksum */ ("32" | "16") ), "invert-data" /* Invert data */, "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */ ) ), "t1-options" ( /* T1 interface-specific options */ c( "timeslots" arg /* Timeslots (1..24; for example, 1-3,4,9,22-24 (no space) */, "voice-timeslots" arg /* Voice timeslots (1..24),for example, 1-3,4,9,22-24 (no space) */, "disable-remote-alarm-detection" arg /* Disable detection of a remote alarm */, "loopback" ( /* Loopback mode */ ("local" | "remote" | "payload") ), "buildout" ( /* Line buildout */ ("0-132" | "133-265" | "266-398" | "399-531" | "532-655" | "long-0db" | "long-7.5db" | "long-15db" | "long-22.5db") ), "byte-encoding" ( /* Byte encoding */ ("nx64" | "nx56") ), "line-encoding" ( /* Line encoding */ ("ami" | "b8zs") ), "invert-data" /* Invert data */, "framing" ( /* Framing mode */ ("sf" | "esf") ), "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "remote-loopback-respond" /* Respond to loop requests from remote end */, "crc-major-alarm-threshold" ( /* CRC Major alarm threshold value */ ("1e-3" | "5e-4" | "1e-4" | "5e-5" | "1e-5") ), "crc-minor-alarm-threshold" ( /* CRC Minor alarm threshold value */ ("1e-3" | "5e-4" | "1e-4" | "5e-5" | "1e-5" | "5e-6" | "1e-6") ), "alarm-compliance" arg /* Enforce standard for alarm reporting */ ) ), "ds0-options" ( /* DS-0 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("payload") ), "byte-encoding" ( /* Byte encoding */ ("nx64" | "nx56") ), "invert-data" /* Invert data */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4" | "repeating-1-in-16") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */ ) ), "serial-options" ( /* Serial interface-specific options */ c( "line-protocol" ( /* Line protocol to be used */ ("eia530" | "v.35" | "x.21") ), c( "dte-options" ( /* DTE options/control leads */ c( "ignore-all" /* Ignore all control leads */, "dtr" ( /* Data Transmit Ready signal handling */ sc( c( "assert" /* Assert DTR signal */, "de-assert" /* Deassert DTR signal */, "normal" /* Normal DTR signal */, "auto-synchronize" ( /* Normal DTR signal, with autoresynchronization */ c( "duration" arg /* Duration of autoresynchronization */, "interval" arg /* Interval for autoresynchronization */ ) ) ) ) ).as(:oneline), "control-signal" ( /* X.21 control signal handling */ ("assert" | "de-assert" | "normal") ), "rts" ( /* Request To Send signal handling */ ("assert" | "de-assert" | "normal") ), "dcd" ( /* Data Carrier Detect signal handling */ ("require" | "ignore" | "normal") ), "dsr" ( /* Data Set Ready signal handling */ ("require" | "ignore" | "normal") ), "cts" ( /* Clear To Send signal handling */ ("require" | "ignore" | "normal") ), "indication" ( /* X.21 Indication signal handling */ ("require" | "ignore" | "normal") ), "tm" ( /* Test Mode signal handling */ ("require" | "ignore" | "normal") ) ) ), "dce-options" ( /* DCE options */ c( "ignore-all" /* Ignore all control leads */, "dtr" ( /* Data Transmit Ready signal handling */ ("require" | "ignore" | "normal") ), "rts" ( /* Request To Send signal handling */ ("require" | "ignore" | "normal") ), "dcd" ( /* Data Carrier Detect signal handling */ ("assert" | "de-assert" | "normal") ), "dsr" ( /* Data Set Ready signal handling */ ("assert" | "de-assert" | "normal") ), "cts" ( /* Clear To Send signal handling */ ("assert" | "de-assert" | "normal") ), "tm" ( /* Test Mode signal handling */ ("require" | "ignore" | "normal") ), "dce-loopback-override" /* DCE loopback override */ ) ) ), "dtr-circuit" ( /* Data Transmit Ready circuit mode */ ("balanced" | "unbalanced") ), "dtr-polarity" ( /* Data Transmit Ready signal polarity */ ("positive" | "negative") ), "rts-polarity" ( /* Request To Send signal polarity */ ("positive" | "negative") ), "control-polarity" ( /* X.21 Control signal polarity */ ("positive" | "negative") ), "dcd-polarity" ( /* Data Carrier Detect signal polarity */ ("positive" | "negative") ), "dsr-polarity" ( /* Data Set Ready signal polarity */ ("positive" | "negative") ), "cts-polarity" ( /* Clear To Send signal polarity */ ("positive" | "negative") ), "indication-polarity" ( /* X.21 Indication signal polarity */ ("positive" | "negative") ), "tm-polarity" ( /* Test Mode signal polarity */ ("positive" | "negative") ), "clocking-mode" ( /* Clock mode */ ("dce" | "internal" | "loop") ), "transmit-clock" ( /* Transmit clock phase */ ("invert") ), "clock-rate" ( /* Interface clock rate */ ("2.048mhz" | "2.341mhz" | "2.731mhz" | "3.277mhz" | "4.096mhz" | "5.461mhz" | "8.192mhz" | "16.384mhz" | "1.2khz" | "2.4khz" | "9.6khz" | "19.2khz" | "38.4khz" | "56.0khz" | "64.0khz" | "72.0khz" | "125.0khz" | "148.0khz" | "250.0khz" | "500.0khz" | "800.0khz" | "1.0mhz" | "1.3mhz" | "2.0mhz" | "4.0mhz" | "8.0mhz") ), "loopback" ( /* Loopback mode */ ("local" | "remote" | "dce-local" | "dce-remote") ), "encoding" ( /* Line encoding */ ("nrz" | "nrzi") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ) ) ), "gratuitous-arp-reply" /* Enable gratuitous ARP reply */, "no-gratuitous-arp-reply" /* Don't enable gratuitous ARP reply */, "no-gratuitous-arp-request" /* Ignore gratuitous ARP request */, "no-no-gratuitous-arp-request" /* Don't ignore gratuitous ARP request */, "arp-l2-validate" /* Validate ARP against L2 */, "ether-options" ( /* Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "ethernet-policer-profile" ( /* Ethernet level CoS-based policer configuration */ c( "input-priority-map" ( /* Input policer priority map */ cos_policer_input_priority_map /* Input policer priority map */ ), "output-priority-map" ( /* Output policer priority map */ cos_policer_output_priority_map /* Output policer priority map */ ), "policer" ( /* Policer template definition */ cos_policer /* Policer template definition */ ) ) ), "storm-control" ( /* Storm control profile name to bind */ c( arg /* Profile name */ ) ), "recovery-timeout" ( /* Recovery timeout for this interface */ sc( arg ) ).as(:oneline), "mac-learn-enable" /* Learn MAC addresses dynamically */, "no-mac-learn-enable" /* Don't learn MAC addresses dynamically */ ) ), "asynchronous-notification" /* Enable sending asynchronous notification to peer on CCC-down */, "source-address-filter" arg /* Source address filters */.as(:oneline), "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "configured-flow-control" /* Enable flow control */, "link-mode" arg /* Link duplex */, "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */, "no-auto-mdix" /* Disable auto MDI/MDIX */, "speed" /* Specify speed */, "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "force-up" /* Keep the port up in absence of received LACPDU */, "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ), "link-protection-sub-group" /* Link Protection subgroup configuration */, "port-priority" arg /* Link protection Priority of the port (0 ... 65535) */ ) ), "ieee-802-3az-eee" /* IEEE 802.3az Energy Efficient Ethernet(EEE) */, "mdi-mode" arg /* Cable cross-over mode */, "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant ethernet interface */ ) ), "autostate-exclude" /* Interface will not contribute to IRB state */ ) ), "fibrechannel-options" ( /* Fibre Channel interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "bb-sc-n" arg /* B2B state change number */, "speed" ( /* Specify speed */ ("auto-negotiation" | "1g" | "2g" | "4g" | "8g") ) ) ), "gigether-options" ( /* Gigabit Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "loopback-remote" /* Enable remote loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, c( "no-auto-negotiation" /* Disable auto-negotiation */, "auto-negotiation" ( /* Enable auto-negotiation */ sc( "remote-fault" ( ("local-interface-offline" | "local-interface-online") ) ) ).as(:oneline) ), "mac-mode" arg /* Physical layer protocol of MAC's SERDES interface */, "asynchronous-notification" /* Enable sending asynchronous notification to peer on CCC-down */, "source-address-filter" arg /* Source address filters */.as(:oneline), "pad-to-minimum-frame-size" /* Pad Tx vlan tagged frame to minimum of 68 bytes */, "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant-ethernet interface */ ) ), "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, "link-index" arg /* Desired child link index within the Aggregated Interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ), "distribution-list" arg /* Distribution list to which interface belongs */ ) ), "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "ethernet-policer-profile" ( /* Ethernet level CoS-based policer configuration */ c( "ieee802.1-priority-map" ( /* Premium priority values for IEEE 802.1p bits */ c( "premium" arg /* Premium policer priority map */ ) ), "input-priority-map" ( /* Input policer priority map */ cos_policer_input_priority_map /* Input policer priority map */ ), "output-priority-map" ( /* Output policer priority map */ cos_policer_output_priority_map /* Output policer priority map */ ), "policer" ( /* Policer template definition */ cos_policer /* Policer template definition */ ) ) ), "accept-from" ( /* Accept traffic from or to specified remote MAC */ c( "mac-address" ( /* Remote MAC */ mac_list /* Remote MAC */ ) ) ), "reject-the-rest" /* Accept traffic from only the specified MAC addresses */, "no-reject-the-rest" /* Don't accept traffic from only the specified MAC addresses */, "mac-learn-enable" /* Learn MAC addresses dynamically */ ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */, "no-auto-mdix" /* Disable auto MDI/MDIX */, "ieee-802-3az-eee" /* IEEE 802.3az Energy Efficient Ethernet(EEE) */, "mru" arg /* Maximum receive packet size */, "fec" ( /* Forward Error Correction mode */ ("none" | "fec91" | "fec74") ), "speed" ( /* Speed mode */ ("1g" | "10g") ) ) ), "optics-options" ( /* Optics options */ c( "wavelength" ( /* Wavelength of the optics (nanometers) for 50Ghz/100Ghz spacing */ ("1568.77" | "1568.36" | "1568.31" | "1568.26" | "1568.21" | "1568.16" | "1568.11" | "1568.05" | "1568.00" | "1567.95" | "1567.90" | "1567.85" | "1567.80" | "1567.75" | "1567.70" | "1567.64" | "1567.59" | "1567.54" | "1567.49" | "1567.44" | "1567.39" | "1567.34" | "1567.29" | "1567.23" | "1567.18" | "1567.13" | "1567.08" | "1567.03" | "1566.98" | "1566.93" | "1566.88" | "1566.83" | "1566.77" | "1566.72" | "1566.67" | "1566.62" | "1566.57" | "1566.52" | "1566.47" | "1566.42" | "1566.36" | "1566.31" | "1566.26" | "1566.21" | "1566.16" | "1566.11" | "1566.06" | "1566.01" | "1565.96" | "1565.90" | "1565.85" | "1565.80" | "1565.75" | "1565.70" | "1565.65" | "1565.60" | "1565.55" | "1565.50" | "1565.44" | "1565.39" | "1565.34" | "1565.29" | "1565.24" | "1565.19" | "1565.14" | "1565.09" | "1565.04" | "1564.99" | "1564.93" | "1564.88" | "1564.83" | "1564.78" | "1564.73" | "1564.68" | "1564.63" | "1564.58" | "1564.53" | "1564.47" | "1564.42" | "1564.37" | "1564.32" | "1564.27" | "1564.22" | "1564.17" | "1564.12" | "1564.07" | "1564.02" | "1563.96" | "1563.91" | "1563.86" | "1563.81" | "1563.76" | "1563.71" | "1563.66" | "1563.61" | "1563.56" | "1563.51" | "1563.45" | "1563.40" | "1563.35" | "1563.30" | "1563.25" | "1563.20" | "1563.15" | "1563.10" | "1563.05" | "1563.00" | "1562.95" | "1562.89" | "1562.84" | "1562.79" | "1562.74" | "1562.69" | "1562.64" | "1562.59" | "1562.54" | "1562.49" | "1562.44" | "1562.39" | "1562.33" | "1562.28" | "1562.23" | "1562.18" | "1562.13" | "1562.08" | "1562.03" | "1561.98" | "1561.93" | "1561.88" | "1561.83" | "1561.77" | "1561.72" | "1561.67" | "1561.62" | "1561.57" | "1561.52" | "1561.47" | "1561.42" | "1561.37" | "1561.32" | "1561.27" | "1561.22" | "1561.16" | "1561.11" | "1561.06" | "1561.01" | "1560.96" | "1560.91" | "1560.86" | "1560.81" | "1560.76" | "1560.71" | "1560.66" | "1560.61" | "1560.56" | "1560.50" | "1560.45" | "1560.40" | "1560.35" | "1560.30" | "1560.25" | "1560.20" | "1560.15" | "1560.10" | "1560.05" | "1560.00" | "1559.95" | "1559.90" | "1559.84" | "1559.79" | "1559.74" | "1559.69" | "1559.64" | "1559.59" | "1559.54" | "1559.49" | "1559.44" | "1559.39" | "1559.34" | "1559.29" | "1559.24" | "1559.19" | "1559.14" | "1559.08" | "1559.03" | "1558.98" | "1558.93" | "1558.88" | "1558.83" | "1558.78" | "1558.73" | "1558.68" | "1558.63" | "1558.58" | "1558.53" | "1558.48" | "1558.43" | "1558.38" | "1558.32" | "1558.27" | "1558.22" | "1558.17" | "1558.12" | "1558.07" | "1558.02" | "1557.97" | "1557.92" | "1557.87" | "1557.82" | "1557.77" | "1557.72" | "1557.67" | "1557.62" | "1557.57" | "1557.52" | "1557.46" | "1557.41" | "1557.36" | "1557.31" | "1557.26" | "1557.21" | "1557.16" | "1557.11" | "1557.06" | "1557.01" | "1556.96" | "1556.91" | "1556.86" | "1556.81" | "1556.76" | "1556.71" | "1556.66" | "1556.61" | "1556.55" | "1556.50" | "1556.45" | "1556.40" | "1556.35" | "1556.30" | "1556.25" | "1556.20" | "1556.15" | "1556.10" | "1556.05" | "1556.00" | "1555.95" | "1555.90" | "1555.85" | "1555.80" | "1555.75" | "1555.70" | "1555.65" | "1555.60" | "1555.55" | "1555.49" | "1555.44" | "1555.39" | "1555.34" | "1555.29" | "1555.24" | "1555.19" | "1555.14" | "1555.09" | "1555.04" | "1554.99" | "1554.94" | "1554.89" | "1554.84" | "1554.79" | "1554.74" | "1554.69" | "1554.64" | "1554.59" | "1554.54" | "1554.49" | "1554.44" | "1554.39" | "1554.34" | "1554.29" | "1554.23" | "1554.18" | "1554.13" | "1554.08" | "1554.03" | "1553.98" | "1553.93" | "1553.88" | "1553.83" | "1553.78" | "1553.73" | "1553.68" | "1553.63" | "1553.58" | "1553.53" | "1553.48" | "1553.43" | "1553.38" | "1553.33" | "1553.28" | "1553.23" | "1553.18" | "1553.13" | "1553.08" | "1553.03" | "1552.98" | "1552.93" | "1552.88" | "1552.83" | "1552.78" | "1552.73" | "1552.68" | "1552.62" | "1552.57" | "1552.52" | "1552.47" | "1552.42" | "1552.37" | "1552.32" | "1552.27" | "1552.22" | "1552.17" | "1552.12" | "1552.07" | "1552.02" | "1551.97" | "1551.92" | "1551.87" | "1551.82" | "1551.77" | "1551.72" | "1551.67" | "1551.62" | "1551.57" | "1551.52" | "1551.47" | "1551.42" | "1551.37" | "1551.32" | "1551.27" | "1551.22" | "1551.17" | "1551.12" | "1551.07" | "1551.02" | "1550.97" | "1550.92" | "1550.87" | "1550.82" | "1550.77" | "1550.72" | "1550.67" | "1550.62" | "1550.57" | "1550.52" | "1550.47" | "1550.42" | "1550.37" | "1550.32" | "1550.27" | "1550.22" | "1550.17" | "1550.12" | "1550.07" | "1550.02" | "1549.97" | "1549.92" | "1549.87" | "1549.82" | "1549.77" | "1549.72" | "1549.67" | "1549.62" | "1549.57" | "1549.52" | "1549.47" | "1549.42" | "1549.37" | "1549.32" | "1549.26" | "1549.21" | "1549.16" | "1549.11" | "1549.06" | "1549.01" | "1548.96" | "1548.91" | "1548.86" | "1548.81" | "1548.76" | "1548.71" | "1548.66" | "1548.61" | "1548.56" | "1548.51" | "1548.46" | "1548.41" | "1548.36" | "1548.31" | "1548.26" | "1548.21" | "1548.16" | "1548.11" | "1548.06" | "1548.02" | "1547.97" | "1547.92" | "1547.87" | "1547.82" | "1547.77" | "1547.72" | "1547.67" | "1547.62" | "1547.57" | "1547.52" | "1547.47" | "1547.42" | "1547.37" | "1547.32" | "1547.27" | "1547.22" | "1547.17" | "1547.12" | "1547.07" | "1547.02" | "1546.97" | "1546.92" | "1546.87" | "1546.82" | "1546.77" | "1546.72" | "1546.67" | "1546.62" | "1546.57" | "1546.52" | "1546.47" | "1546.42" | "1546.37" | "1546.32" | "1546.27" | "1546.22" | "1546.17" | "1546.12" | "1546.07" | "1546.02" | "1545.97" | "1545.92" | "1545.87" | "1545.82" | "1545.77" | "1545.72" | "1545.67" | "1545.62" | "1545.57" | "1545.52" | "1545.47" | "1545.42" | "1545.37" | "1545.32" | "1545.27" | "1545.22" | "1545.17" | "1545.12" | "1545.07" | "1545.02" | "1544.97" | "1544.92" | "1544.87" | "1544.82" | "1544.77" | "1544.72" | "1544.68" | "1544.63" | "1544.58" | "1544.53" | "1544.48" | "1544.43" | "1544.38" | "1544.33" | "1544.28" | "1544.23" | "1544.18" | "1544.13" | "1544.08" | "1544.03" | "1543.98" | "1543.93" | "1543.88" | "1543.83" | "1543.78" | "1543.73" | "1543.68" | "1543.63" | "1543.58" | "1543.53" | "1543.48" | "1543.43" | "1543.38" | "1543.33" | "1543.28" | "1543.23" | "1543.18" | "1543.13" | "1543.08" | "1543.04" | "1542.99" | "1542.94" | "1542.89" | "1542.84" | "1542.79" | "1542.74" | "1542.69" | "1542.64" | "1542.59" | "1542.54" | "1542.49" | "1542.44" | "1542.39" | "1542.34" | "1542.29" | "1542.24" | "1542.19" | "1542.14" | "1542.09" | "1542.04" | "1541.99" | "1541.94" | "1541.89" | "1541.84" | "1541.80" | "1541.75" | "1541.70" | "1541.65" | "1541.60" | "1541.55" | "1541.50" | "1541.45" | "1541.40" | "1541.35" | "1541.30" | "1541.25" | "1541.20" | "1541.15" | "1541.10" | "1541.05" | "1541.00" | "1540.95" | "1540.90" | "1540.85" | "1540.80" | "1540.76" | "1540.71" | "1540.66" | "1540.61" | "1540.56" | "1540.51" | "1540.46" | "1540.41" | "1540.36" | "1540.31" | "1540.26" | "1540.21" | "1540.16" | "1540.11" | "1540.06" | "1540.01" | "1539.96" | "1539.91" | "1539.86" | "1539.82" | "1539.77" | "1539.72" | "1539.67" | "1539.62" | "1539.57" | "1539.52" | "1539.47" | "1539.42" | "1539.37" | "1539.32" | "1539.27" | "1539.22" | "1539.17" | "1539.12" | "1539.07" | "1539.03" | "1538.98" | "1538.93" | "1538.88" | "1538.83" | "1538.78" | "1538.73" | "1538.68" | "1538.63" | "1538.58" | "1538.53" | "1538.48" | "1538.43" | "1538.38" | "1538.33" | "1538.28" | "1538.24" | "1538.19" | "1538.14" | "1538.09" | "1538.04" | "1537.99" | "1537.94" | "1537.89" | "1537.84" | "1537.79" | "1537.74" | "1537.69" | "1537.64" | "1537.59" | "1537.55" | "1537.50" | "1537.45" | "1537.40" | "1537.35" | "1537.30" | "1537.25" | "1537.20" | "1537.15" | "1537.10" | "1537.05" | "1537.00" | "1536.95" | "1536.90" | "1536.86" | "1536.81" | "1536.76" | "1536.71" | "1536.66" | "1536.61" | "1536.56" | "1536.51" | "1536.46" | "1536.41" | "1536.36" | "1536.31" | "1536.26" | "1536.22" | "1536.17" | "1536.12" | "1536.07" | "1536.02" | "1535.97" | "1535.92" | "1535.87" | "1535.82" | "1535.77" | "1535.72" | "1535.67" | "1535.63" | "1535.58" | "1535.53" | "1535.48" | "1535.43" | "1535.38" | "1535.33" | "1535.28" | "1535.23" | "1535.18" | "1535.13" | "1535.08" | "1535.04" | "1534.99" | "1534.94" | "1534.89" | "1534.84" | "1534.79" | "1534.74" | "1534.69" | "1534.64" | "1534.59" | "1534.54" | "1534.50" | "1534.45" | "1534.40" | "1534.35" | "1534.30" | "1534.25" | "1534.20" | "1534.15" | "1534.10" | "1534.05" | "1534.00" | "1533.96" | "1533.91" | "1533.86" | "1533.81" | "1533.76" | "1533.71" | "1533.66" | "1533.61" | "1533.56" | "1533.51" | "1533.47" | "1533.42" | "1533.37" | "1533.32" | "1533.27" | "1533.22" | "1533.17" | "1533.12" | "1533.07" | "1533.02" | "1532.98" | "1532.93" | "1532.88" | "1532.83" | "1532.78" | "1532.73" | "1532.68" | "1532.63" | "1532.58" | "1532.53" | "1532.49" | "1532.44" | "1532.39" | "1532.34" | "1532.29" | "1532.24" | "1532.19" | "1532.14" | "1532.09" | "1532.04" | "1532.00" | "1531.95" | "1531.90" | "1531.85" | "1531.80" | "1531.75" | "1531.70" | "1531.65" | "1531.60" | "1531.56" | "1531.51" | "1531.46" | "1531.41" | "1531.36" | "1531.31" | "1531.26" | "1531.21" | "1531.16" | "1531.12" | "1531.07" | "1531.02" | "1530.97" | "1530.92" | "1530.87" | "1530.82" | "1530.77" | "1530.72" | "1530.68" | "1530.63" | "1530.58" | "1530.53" | "1530.48" | "1530.43" | "1530.38" | "1530.33" | "1530.29" | "1530.24" | "1530.19" | "1530.14" | "1530.09" | "1530.04" | "1529.99" | "1529.94" | "1529.89" | "1529.85" | "1529.80" | "1529.75" | "1529.70" | "1529.65" | "1529.60" | "1529.55" | "1529.50" | "1529.46" | "1529.41" | "1529.36" | "1529.31" | "1529.26" | "1529.21" | "1529.16" | "1529.11" | "1529.07" | "1529.02" | "1528.97" | "1528.92" | "1528.87" | "1528.82" | "1528.77" | "1528.38") ), "tx-power" arg /* Transmit laser output power */, "loopback" /* Put the optics in loopback mode */, "los-warning-threshold" arg /* LOS warning threshold */, "los-alarm-threshold" arg /* LOS alarm threshold */, "modulation-format" ( /* Type of Modulation Format */ ("16qam" | "8qam" | "qpsk") ), "laser-enable" /* Enable Laser */, "no-laser-enable" /* Don't enable Laser */, "is-ma" /* Link is enabled with alarms masked */, "no-is-ma" /* Don't link is enabled with alarms masked */, "encoding" ( /* Line encoding */ ("differential" | "non-differential") ), "fec" ( /* Forward Error Correction mode */ ("sdfec" | "sdfec25" | "hgfec" | "sdfec15") ), "high-polarization" /* High polarization tracking mode */, "signal-degrade" ( /* Signal degrade thresholds */ c( "interval" arg /* Time interval */, "ber-threshold-clear" arg /* Ber threshold for signal degrade clear (format: xe-n, example: 4.5e-3) */, "ber-threshold-signal-degrade" arg /* Ber threshold for signal-degrade (format: xe-n, example: 4.5e-3) */, "q-threshold-signal-degrade-clear" arg /* Q threshold for signal-degrade clear (e.g. 14.26) */, "q-threshold-signal-degrade" arg /* Q threshold for signal-degrade (e.g. 9.26) */ ) ), "alarm" enum(("low-light-alarm")) ( /* Set optic alarms */ c( c( "syslog", "link-down" ) ) ), "tca" ( /* Set tca for optic alarms */ c( "tx-power-high-tca" ( /* Tx power high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute tx power high TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour tx power high TCA in dBm */ ) ), "tx-power-low-tca" ( /* Tx power low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute tx power low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour tx power low TCA in dBm */ ) ), "rx-power-high-tca" ( /* Rx power high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute rx power high TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour rx power high TCA in dBm */ ) ), "rx-power-low-tca" ( /* Rx power low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute rx power low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour rx power low TCA in dBm */ ) ), "temperature-high-tca" ( /* Temperature high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute high temperature TCA in celsius */, "threshold-24hrs" arg /* Threshold for 24 hour high temperature TCA in celsius */ ) ), "temperature-low-tca" ( /* Temperature low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute low temperature TCA in celsius */, "threshold-24hrs" arg /* Threshold for 24 hour low temperature TCA in celsius */ ) ), "carrier-frequency-offset-high-tca" ( /* Carrier frequency offset high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency offset high TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency offset high TCA in MHz */ ) ), "carrier-frequency-offset-low-tca" ( /* Carrier frequency offset low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency offset low TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency offset low TCA in MHz */ ) ), "fec-ber" ( /* Optics Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the Optics errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the Optics errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ).as(:oneline), "tec-current-high-tca" ( /* TEC Current high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute TEC Current high TCA in mA */, "threshold-24hrs" arg /* Threshold for 24 hour TEC Current high TCA in mA */ ) ), "tec-current-low-tca" ( /* TEC Current low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute TEC Current low TCA in mA */, "threshold-24hrs" arg /* Threshold for 24 hour TEC Current low TCA in mA */ ) ), "residual-isi-high-tca" ( /* Residual ISI high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute Residual ISI high TCA in ps/nm */, "threshold-24hrs" arg /* Threshold for 24 hour Residual ISI high TCA in ps/nm */ ) ), "residual-isi-low-tca" ( /* Residual ISI low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute Residual ISI low TCA in ps/nm */, "threshold-24hrs" arg /* Threshold for 24 hour Residual ISI low TCA in ps/nm */ ) ), "pam-histogram-high-tca" ( /* PAM Histogram high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute PAM Histogram high TCA */, "threshold-24hrs" arg /* Threshold for 24 hour PAM Histogram high TCA */ ) ), "snr-low-tca" ( /* SNR low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute SNR low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour SNR low TCA in dBm */ ) ), "fec-corrected-errors-high-tca" ( /* FEC Corrected Error High Threshold crossing defect trigger */ c( "enable-tca" /* Enable the FEC Corrected Errors threshold crossing alert */, "no-enable-tca" /* Don't enable the FEC Corrected Errors threshold crossing alert */, "threshold" arg /* FEC Corrected-Errs value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* FEC Corrected-Errs value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ), "fec-ucorrected-words-high-tca" ( /* FEC UCorrected Words High Threshold crossing defect trigger */ c( "enable-tca" /* Enable the FEC UCorrected Words threshold crossing alert */, "no-enable-tca" /* Don't enable the FEC UCorrected Words threshold crossing alert */, "threshold" arg /* FEC UCorrected-Words value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* FEC UCorrected-Words value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ), "laser-frequency-error-high-tca" ( /* Laser frequency error high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency error high TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency error high TCA in MHz */ ) ), "laser-frequency-error-low-tca" ( /* Laser frequency error low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency error low TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency error low TCA in MHz */ ) ) ) ), "warning" enum(("low-light-warning")) ( /* Set optic warnings */ c( c( "syslog" /* Set action as syslog */, "link-down" /* Set action as link-down */ ) ) ) ) ), "otn-options" ( /* Optical Transmission Network interface-specific options */ otn_options_type /* Optical Transmission Network interface-specific options */ ), "fastether-options" ( /* Fast Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "ingress-rate-limit" arg /* Ingress rate at port */, "source-address-filter" arg /* Source address filters */.as(:oneline), "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant ethernet interface */ ) ), "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ) ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */ ) ), "redundant-ether-options" ( /* Ethernet redundancy options */ c( "redundancy-group" arg /* Redundancy group of this interface */, "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "source-address-filter" arg /* Source address filters */.as(:oneline), "link-speed" ( /* Link speed of individual interface that joins the RETH */ ("10m" | "100m" | "1g" | "10g") ), "minimum-links" arg /* Minimum number of active links */, "lacp" ( /* Link Aggregation Control Protocol configuration */ c( c( "active" /* Initiate transmission of LACP packets */, "passive" /* Respond to LACP packets */ ), "periodic" ( /* Timer interval for periodic transmission of LACP packets */ ("fast" | "slow") ) ) ) ) ), "aggregated-ether-options" ( /* Aggregated Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "autostate-exclude" /* Interface will not contribute to IRB state */, "link-protection" ( /* Enable link protection mode */ c( "revertive" /* Revert back from active backup link to primary, if primary is UP */, "non-revertive" /* Do not revert back (default mode) from active backup link to primary, if primary is UP */, "backup-state" ( /* Link protection backup link state */ ("accept-data" | "discard-data" | "down") ), "rtg-config" ( /* RTG enable on AE */ c( "preempt-cutover-timer" arg /* RTG preempt-cutover-timer in seconds */ ) ) ) ), "fcoe-lag" /* Enable FIP/FCoE LAG */, "no-fcoe-lag" /* Don't enable FIP/FCoE LAG */, "source-address-filter" /* Source address filters */.as(:oneline), "configured-flow-control" /* Enable flow control */, "load-balance" ( aggregate_load_balance ), "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address */ ipaddr /* BFD local address */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */ ) ), "minimum-links" arg /* Minimum number of aggregated links */, "minimum-bandwidth" ( /* Minimum bandwidth configured for aggregated bundle */ c( "bw-value" arg /* Bandwidth value */, "bw-unit" ( /* Bandwidth unit */ ("bps" | "kbps" | "mbps" | "gbps") ) ) ), "targeted-options" /* Targeting specific options */, c( "logical-interface-fpc-redundancy" /* Enable FPC redundancy for logical interfaces */, "logical-interface-chassis-redundancy" /* Enable CHASSIS redundancy for logical interfaces */ ), "rebalance-periodic" ( c( "start-time" ( /* Start time of the rebalance operation ( Wall clock time ) */ date /* Start time of the rebalance operation ( Wall clock time ) */ ), "interval" arg /* Interval of the rebalance operation in hrs */ ) ), "pad-to-minimum-frame-size" /* Pad Tx vlan tagged frame to minimum of 68 bytes */, "link-speed" ( /* Link speed of individual interface that joins the AE */ ("10m" | "100m" | "1g" | "2.5g" | "5g" | "8g" | "10g" | "25g" | "40g" | "50g" | "80g" | "100g" | "oc192" | "mixed") ), "local-bias" /* Turn on local bias functionality */, "local-minimum-links-threshold" arg /* Specify threshold for minimum links per VC/VCF member */, "resilient-hash" /* Turn on resilient-hash */, "lacp" ( /* Link Aggregation Control Protocol configuration */ c( c( "active" /* Initiate transmission of LACP packets */, "passive" /* Respond to LACP packets */ ), "periodic" ( /* Timer interval for periodic transmission of LACP packets */ ("fast" | "slow") ), "fast-failover" /* To turn off LACP fast-failover */, "link-protection" ( c( "disable" /* To turn off LACP link-protection */, c( "revertive" /* Switch links when better priority link comes up */, "non-revertive" /* Do not switch links when better priority link comes up */ ), "rtg-config" ( /* RTG Feature enable on AE */ c( "preempt-cutover-timer" arg /* RTG preempt-cutover-timer in seconds */ ) ) ) ), "accept-data" /* Keep receiving traffic even when LACP goes down */, "sync-reset" ( /* On minimum-link failure notify out of sync to peer */ ("disable" | "enable") ), "system-priority" arg /* Priority of the system (0 ... 65535) */, "system-id" ( /* Node's System ID, encoded as a MAC address */ mac_addr /* Node's System ID, encoded as a MAC address */ ), "admin-key" arg /* Node's administrative key */, "hold-time" /* Hold time for link up and link down for AE link members */.as(:oneline), "aggregate-wait-time" arg /* Aggregate wait time for the AE */, "force-up" /* Forceup AE interface with LACP */ ) ), "link-protection-sub-group" /* Link Protection subgroup configuration */, "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "storm-control" /* Storm control profile name to bind */, "mac-learn-enable" /* Learn MAC addresses dynamically */ ) ), "mc-ae" /* Multi-chassis aggregation (MC-AE) network device configuration */, "share-standby" /* Share the resources with standby ports, needs FPC reboot to take effect */ ) ), "es-options" ( /* ES PIC interface-specific options */ c( "backup-interface" ( /* Name of backup interface */ interface_device /* Name of backup interface */ ) ) ), "dsl-options" ( /* DSL interface-specific options */ c( "operating-mode" ( /* DSL operating mode */ ("auto" | "ansi-dmt" | "itu-dmt" | "etsi" | "itu-annexb-ur2" | "itu-annexb-non-ur2" | "itu-dmt-bis" | "adsl2plus" | "annexm-itu-dmt-bis" | "annexm-adsl2plus") ) ) ), "vdsl-options" ( /* VDSL interface-specific options */ c( "vdsl-profile" ( /* VDSL profile */ ("auto" | "8a" | "8b" | "8c" | "8d" | "12a" | "12b" | "17a") ), "sra" ( /* DSL SRA */ ("enable" | "disable") ), "v43" ( /* DSL V43 tones */ ("enable" | "disable") ) ) ), "shdsl-options" ( /* SHDSL interface-specific options */ c( "annex" ( /* Type of SHDSL annex */ ("annex-a" | "annex-b" | "annex-f" | "annex-g" | "annex-auto") ), "line-rate" ( /* SHDSL line rate */ ("auto" | arg) ), "loopback" ( /* Loopback mode */ ("local" | "remote") ), "snr-margin" ( /* Signal to noise ratio margin */ c( "current" ( /* Current signal to noise ratio margin */ ("disable" | arg) ), "snext" ( /* SNEXT signal to noise ratio margin */ ("disable" | arg) ) ) ) ) ), "data-input" ( /* Configuration for drop-insert data input */ c( c( "system" /* Data sourced from system */, "interface" ( /* Interface that acts as data source */ interface_device /* Interface that acts as data source */ ) ) ) ), "switch-options" ( /* Front end ports configuration */ c( "switch-port" arg ( c( "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "link-mode" ( /* Link operational mode */ ("half-duplex" | "full-duplex") ), "speed" ( /* Link speed */ ("10m" | "100m" | "1g") ), "vlan-id" arg /* VLAN ID for this port */, "cascade-port" /* Port externally connected to another cascade port */ ) ) ) ), "container-options" ( /* Container interface specific options */ c( "container-type" ( /* Protocol type of the container interface */ c( c( "aps" ( /* APS options on the container */ aps_type /* APS options on the container */ ) ) ) ), "member-interface-type" ( /* Link type of members of container */ c( c( "sonet" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("oc3" | "oc12" | "oc48" | "oc192" | "oc768" | "mixed") ) ) ), "atm" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("oc3" | "oc12" | "oc48") ) ) ), "channelized-sonet" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("coc3" | "coc12" | "coc48" | "coc192" | "coc768") ) ) ), "channelized-sdh" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("cstm1" | "cstm4" | "cstm16" | "coc64" | "cstm256") ) ) ) ) ) ), "redundancy" ( /* Container interface redundancy options */ c( "hold-time" ( /* Hold time for link up and link down */ sc( "up" arg /* Link up hold time */, "down" arg /* Link down hold time */ ) ).as(:oneline) ) ), "container-list" ( /* List of container interfaces this member link is associated to */ interface_device /* List of container interfaces this member link is associated to */ ), c( "primary" /* This member link is primary interface of the container */, "standby" /* This member link is standby interface of the container */ ), "fast-aps" /* Fast APS switch */, "allow-configuration-override" /* Allow physical configuration of member link to override container configuration */ ) ), "layer2-policer" /* Layer2 policing for interface */, "unit" enum(("$junos-underlying-interface-unit" | "$junos-interface-unit" | arg)) ( /* Logical interface */ c( "policer-overhead" ( /* Policer overhead adjustment for this unit */ c( arg, "ingress" arg /* Ingress value in bytes */, "egress" arg /* Egress value in bytes */ ) ), "alias" arg /* Interface alias */, "enhanced-convergence" /* Optimize convergence time for L3 */, "proxy-macip-advertisement" /* Proxy advertisement of type 2 MAC+IP route for EVPN */, "virtual-gateway-accept-data" /* Accept packets destined for virtual gateway address */, "peer-psd" ( /* Peer psd */ sc( arg /* Peer psd name */ ) ).as(:oneline), "peer-interface" ( /* Peer interface */ c( interface_unit /* Peer interface name */ ) ), "interface-shared-with" ( /* Specify which PSD owns this logical interface */ c( arg /* Name of protected system domain (psd[1-31], ex. psd2) */ ) ), ("disable"), "passive-monitor-mode" /* Use interface to tap packets from another router */, "per-session-scheduler" /* Enable per-session queuing on an IQ2 interface */, "account-layer2-overhead" /* Account layer2 overhead in IFL byte statistics */, "forwarding-class-accounting" /* Configure Forwarding-class-accounting parameters for IFL */, "clear-dont-fragment-bit" /* Clear DF bit in packet (AS PIC and J-series only as well as MIF) */, "packet-inject-enable" /* Enable packet inject functionality on this IFL */, "reassemble-packets" /* Do reassembly of fragmented tunnel packets */, "services-options" /* Services interface-specific options */, "rpm" /* Enable RPM service on this interface */, "description" arg /* Text description of interface */, "metadata" arg /* Text metadata attached to interface */, "dial-options" /* Dial options */, "actual-transit-statistics" /* Actual transit statistics */, "demux-source" ( enum(("inet" | "inet6")) ), "demux-destination" ( enum(("inet" | "inet6")) ), "demux" /* Demux based on source or destination address */, "encapsulation" ( /* Logical link-layer encapsulation */ ("atm-nlpid" | "atm-cisco-nlpid" | "atm-snap" | "atm-vc-mux" | "atm-ccc-vc-mux" | "atm-tcc-vc-mux" | "atm-tcc-snap" | "atm-ccc-cell-relay" | "vlan-vci-ccc" | "ether-over-atm-llc" | "ether-vpls-over-atm-llc" | "ppp-over-ether-over-atm-llc" | "ppp-over-ether" | "atm-ppp-vc-mux" | "atm-ppp-llc" | "atm-mlppp-llc" | "frame-relay-ppp" | "frame-relay-ccc" | "frame-relay" | "frame-relay-tcc" | "frame-relay-ether-type" | "frame-relay-ether-type-tcc" | "ether-vpls-fr" | "vlan-ccc" | "ethernet-ccc" | "vlan-vpls" | "vlan-bridge" | "dix" | "ethernet" | "ethernet-vpls" | "ethernet-bridge" | "vlan" | "vlan-tcc" | "multilink-ppp" | "multilink-frame-relay-end-to-end" | "ppp-ccc") ), "gre" /* Allow GRE packets */, "mtu" arg /* Maximum transmission unit packet size */, c( "point-to-point" /* Point-to-point connection */, "multipoint" /* Multipoint connection */ ), "bandwidth" arg /* Logical unit bandwidth (informational only) */, "global-layer2-domainid" arg /* Global Layer-2 Identifier for this interface */, "radio-router" ( /* Parameters for dynamic link cost management */ dynamic_ifbw_parms_type /* Parameters for dynamic link cost management */ ), "traps" /* Enable SNMP notifications on state changes */, "no-traps" /* Don't enable SNMP notifications on state changes */, "routing-services" /* Enable routing services */, "no-routing-services" /* Don't enable routing services */, "arp-resp" ( /* Knob to control ARP response on the interface, default is restricted */ sc( c( "unrestricted" /* Enable unrestricted ARP respone on the interface */, "restricted" /* Enable restricted proxy ARP response on the interface */ ) ) ).as(:oneline), "proxy-arp" ( /* Enable proxy ARP on the interface, default is unrestricted */ sc( c( "unrestricted" /* Enable unrestricted proxy ARP on the interface */, "restricted" /* Enable restricted proxy ARP on the interface */ ) ) ).as(:oneline), c( "vlan-id" ( /* Virtual LAN identifier value for 802.1q VLAN tags */ ("none" | arg) ), "vlan-id-range" arg /* Virtual LAN identifier range of form vid1-vid2 */, "inner-vlan-id-swap-ranges" arg /* Inner vlan-id swap range(s) of form vid1-vid2 for dynamic L2 VLANs */, "vlan-id-list" arg /* List of VLAN identifiers */, "vlan-tag" arg /* IEEE 802.1q tag list for VLAN tagged frames */, "vlan-tags" ( /* IEEE 802.1q tags */ sc( "outer" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-stacked-vlan-id" | "$junos-vlan-id" | arg) ), c( "inner" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-vlan-id" | arg) ), "inner-range" arg /* [tpid.]vid1-vid2, tpid format is 0xNNNN and is optional */, "inner-list" arg /* List of VLAN identifiers */ ) ) ).as(:oneline) ), "deep-vlan-qualified-learning" arg /* Enable qualified MAC-address learning on the specified vlan tag */, "native-inner-vlan-id" arg /* Native virtual LAN identifier for singly tagged frames */, "inner-vlan-id-range" /* Inner vlan-id range start end */.as(:oneline), "accept-source-mac" ( /* Remote media access control address to/from which to accept traffic */ c( "mac-address" ( /* Remote MAC address */ mac_list /* Remote MAC address */ ) ) ), "input-vlan-map" ( /* VLAN map operation on input */ vlan_map /* VLAN map operation on input */ ), "output-vlan-map" ( /* VLAN map operation on output */ vlan_map /* VLAN map operation on output */ ), "swap-by-poppush" /* Pop original vlan tag and then push a new vlan tag */, "receive-lsp" arg /* Name of incoming label-switched path */, "transmit-lsp" arg /* Name of outgoing label-switched path */, "dlci" arg /* Frame Relay data-link control identifier */, "multicast-dlci" arg /* Frame Relay data-link control identifier for multicast packets */, c( "vci" ( /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ ), "allow-any-vci" /* Allow all VCIs to open in atm-ccc-cell-relay mode */, "vpi" arg /* ATM point-to-point virtual path identifier (vpi) */, "trunk-id" arg /* ATM trunk identifier */ ), "no-vpivci-swapping" /* Do not swap VPI/VCI for Cell Relay */, c( "psn-vci" ( /* PSN VCI */ atm_vci /* PSN VCI */ ), "psn-vpi" arg /* PSN VPI */ ), "atm-l2circuit-mode" ( /* Select ATM Layer 2 circuit transport mode */ sc( c( "cell" /* ATM Layer 2 circuit cell mode */, "aal5" /* ATM Layer 2 circuit AAL5 mode */ ) ) ).as(:oneline), "vci-range" ( /* ATM VCI range start end */ sc( "start" arg /* ATM VCI range's start value */, "end" arg /* ATM VCI range's end value */ ) ).as(:oneline), "trunk-bandwidth" arg /* ATM trunk bandwidth */, "multicast-vci" ( /* ATM virtual circuit identifier for multicast packets */ atm_vci /* ATM virtual circuit identifier for multicast packets */ ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable F5 OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "ppp-options" ( /* Point-to-Point Protocol interface-specific options */ ppp_options_type /* Point-to-Point Protocol interface-specific options */ ), "pppoe-options" ( /* PPP over Ethernet interface-specific options */ pppoe_options_type /* PPP over Ethernet interface-specific options */ ), "pppoe-underlying-options" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "advisory-options" ( /* Interface-specific recommendations */ advisory_options_type /* Interface-specific recommendations */ ), "auto-configure" ( /* Auto configuration */ auto_configure_vlan_type /* Auto configuration */ ), "demux-options" ( /* IP demux interface-specific options */ demux_options_type /* IP demux interface-specific options */ ), "targeted-distribution" /* Interface participates in targeted-distribution */, "targeted-options" /* Targeting specific options */, c( "keepalives" ( /* Send or demand keepalive messages */ keepalives_type /* Send or demand keepalive messages */ ).as(:oneline), "no-keepalives" /* Do not send or demand keepalive messages */ ), "inverse-arp" /* Enable inverse ARP */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline), "cell-bundle-size" arg /* L2 circuit cell bundle size */, "cell-bundle-timeout" arg /* L2 circuit cell bundle timeout */, "plp-to-clp" /* Enable ATM2 PLP to CLP copy */, "atm-scheduler-map" arg /* Assign ATM2 CoS scheduling map */, "mrru" arg /* Maximum received reconstructed unit */, "short-sequence" /* Short sequence number header format (MLPPP only) */, "fragment-threshold" arg /* Fragmentation threshold */, "drop-timeout" arg /* Drop timeout */, "disable-mlppp-inner-ppp-pfc" /* Disable compression for inner PPP header in MLPPP payload */, "minimum-links" arg /* Minimum number of links to sustain the bundle */, "multilink-max-classes" arg /* Number of multilink classes */, "compression" ( /* Various packet header compressions */ c( "rtp" ( /* Compress and decompress RTP */ c( "f-max-period" arg /* Maximum number of compressed packets between transmission of full headers */, "queues" ( /* Queue holding RTP packets. Default is queue 1 */ ("q0" | "q1" | "q2" | "q3") ), "port" ( /* UDP destination ports reserved for RTP packets */ sc( "minimum" arg, "maximum" arg ) ).as(:oneline), "maximum-contexts" ( /* Maximum number of simultaneous RTP contexts */ sc( arg ) ).as(:oneline) ) ) ) ), "interleave-fragments" /* Interleave long packets with high priority ones */, "link-layer-overhead" ( /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ unsigned_float /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ ), "accounting-profile" arg /* Accounting profile name */, "peer-unit" arg /* Peer unit number */, "tunnel" ( /* Tunnel parameters */ c( "encapsulation" ( /* Encapsulation over tunnel */ c( "vxlan-gpe" ( c( "source" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ), "interface" ( /* Name of the interface */ interface_name /* Name of the interface */ ) ) ), "destination" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ) ) ), "tunnel-endpoint" ( /* Tunnel end point type */ ("vxlan") ), "destination-udp-port" arg /* Value to write to the destination-udp-port field */, "vni" arg /* Value to write to the vni field */ ) ) ) ), "source" ( /* Tunnel source */ ipaddr /* Tunnel source */ ), "destination" ( /* Tunnel destination */ ipaddr /* Tunnel destination */ ), "key" arg /* Tunnel key */, "backup-destination" ( /* Backup tunnel destination */ ipaddr /* Backup tunnel destination */ ), c( "allow-fragmentation" /* Do not set DF bit on packets */, "do-not-fragment" /* Set DF bit on packets */ ), "ttl" arg /* Time to live */, "traffic-class" arg /* TOS/Traffic class field of IP-header */, "flow-label" arg /* Flow label field of IP6-header */, "path-mtu-discovery" /* Enable path MTU discovery for tunnels */, "no-path-mtu-discovery" /* Don't enable path MTU discovery for tunnels */, "routing-instance" ( /* Routing instance to which tunnel ends belong */ c( "destination" arg /* Routing instance of tunnel destination */ ) ) ) ), "compression-device" ( /* Logical interface used for compression */ interface_unit /* Logical interface used for compression */ ), "atm-policer" /* ATM policing for logical interface */, "layer2-policer" /* Layer2 policing for logical interface */, "filter" /* Filters to apply to all families configured under this logical interface */, "multi-chassis-protection" ( /* Inter-Chassis protection configuration */ multi_chassis_protection_group_ifl /* Inter-Chassis protection configuration */ ), "statistics" /* Enable statistics collection in PFE */, "esi" /* ESI configuration of logical interface */, "virtual-gateway-esi" /* ESI configuration of virtual gateway */, "service" ( /* Service operations */ c( "pcef" arg ( /* PCEF configuration */ c( "activate-all" /* Activate all rules and rulebases in the pcef profile */, "activate" arg /* Name of pcef profile rule or rulebase to activate */ ) ) ) ), "generate-eui64" /* To generate Link Local EUI-64 addresses */, "no-generate-eui64" /* Don't to generate Link Local EUI-64 addresses */, "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "dhcp" ( /* Dynamic Host Configuration Protocol client configuration */ dhcp_client_type /* Dynamic Host Configuration Protocol client configuration */ ), "targeted-broadcast" ( /* Directed broadcast */ c( c( "forward-and-send-to-re" /* Allow packets to be forwarded and sent to re */, "forward-only" /* Allow packets only to be forwarded */ ) ) ), "destination-class-usage" /* Enable destination class usage on this interface */, "transit-options-packets" /* Transit IP options packets (don't send to Routing Engine) */, "transit-ttl-exceeded" /* Transit IP TTL-exceeded packets (don't send to Routing Engine) */, "receive-options-packets" /* Receive IP options packets (don't send to Routing Engine) */, "receive-ttl-exceeded" /* Receive IP TTL-exceeded packets (don't send to Routing Engine) */, "accounting" ( /* Configure interface-based accounting options */ c( "source-class-usage" ( /* Enable source class usage on this interface */ c( "input" /* Specify this interface for source-class-usage input */, "output" /* Specify this interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mac-validate" arg /* Validate source MAC address */, "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "mtu" arg /* Protocol family maximum transmission unit */, "arp-max-cache" arg /* Max interface ARP nexthop cache size */, "arp-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "no-redirects" /* Do not redirect traffic */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "unconditional-src-learn" /* Glean from arp packets even when source cannot be validated */, "multicast-only" /* Allow only multicast traffic (tunnels only) */, "primary" /* Candidate for primary interface in system */, "ipsec-sa" arg /* Name of security association */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "simple-filter" ( /* Filter for doing multifield classification */ c( "input" arg /* Name of simple filter applied to received packets */ ) ), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "arp" arg /* Name of policer applied to received ARP packets */, "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "next-hop-tunnel" arg ( /* One or more next-hop tunnel tables */ c( "ipsec-vpn" arg /* Name of IPSec VPN */ ) ), "address" arg ( /* Interface address/destination prefix */ c( "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */, "broadcast" ( /* Broadcast address */ ipv4addr /* Broadcast address */ ), "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "multipoint-destination" arg ( /* Multipoint NBMA destination */ c( c( "dlci" arg /* Frame Relay data-link control identifier */, "vci" ( /* ATM virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM virtual circuit identifier ([vpi.]vci) */ ) ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "inverse-arp" /* Enable inverse ARP reply messages */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline) ) ), "arp" arg ( /* Static Address Resolution Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for ARP entry */ interface_name /* Layer 2 interface name for ARP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to ARP requests for this entry */ ) ).as(:oneline), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "vrrp-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv4addr /* Virtual Gateway IP address */ ) ) ), "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-address" | arg) ), "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */ ) ).as(:oneline), "location-pool-address" /* Location-based IP address pool */, "negotiate-address" /* Negotiate address with remote */ ) ), "iso" ( /* OSI ISO protocol parameters */ c( "address" arg /* Interface address */, "mtu" arg /* Protocol family maximum transmission unit */ ) ), "inet6" ( /* IPv6 protocol parameters */ c( "dhcpv6-client" ( /* Dynamic Host Configuration Protocol DHCPv6 client configuration */ c( "client-type" ( /* DHCPv6 client type */ ("stateful" | "autoconfig") ), "client-ia-type" enum(("ia-na" | "ia-pd")) /* DHCPv6 client identity association type */, "rapid-commit" /* Option is used to signal the use of the two message exchange for address assignment */, "prefix-delegating" ( /* Prefix delegating parameters */ c( "preferred-prefix-length" arg /* Client preferred prefix length */, "sub-prefix-length" arg /* The sub prefix length for LAN interfaces */ ) ), "client-identifier" ( /* DHCP Server identifies a client by client-identifier value */ sc( "duid-type" ( /* DUID identifying a client */ ("duid-llt" | "vendor" | "duid-ll") ) ) ).as(:oneline), "req-option" enum(("dns-server" | "domain" | "ntp-server" | "time-zone" | "sip-server" | "sip-domain" | "nis-server" | "nis-domain" | "fqdn" | "vendor-spec")) /* DHCPV6 client requested option configuration */, "retransmission-attempt" arg /* Number of attempts to retransmit the DHCPV6 client protocol packet */, "no-dns-install" /* Not propagate DNS to kernel */, "update-router-advertisement" ( /* Dhcpv6 client update rpd for prefix delegation */ c( "interface" arg ( /* Interfaces on which to delegate prefix */ c( "managed-configuration" /* Set managed address configuration */, "no-managed-configuration" /* Don't set managed address configuration */, "other-stateful-configuration" /* Set other stateful configuration */, "no-other-stateful-configuration" /* Don't set other stateful configuration */, "max-advertisement-interval" arg /* Maximum advertisement interval */, "min-advertisement-interval" arg /* Minimum advertisement interval */, "enable-recursive-dns-server-option" /* Enables the recursive DNS server option */, "no-enable-recursive-dns-server-option" /* Don't enables the recursive DNS server option */ ) ) ) ), "update-server" /* Propagate TCP/IP settings to DHCP server */ ) ), "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "accounting" ( /* Interface-based accounting options */ c( "source-class-usage" ( c( "input" /* Interface for source-class-usage input */, "output" /* Interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mtu" arg /* Protocol family maximum transmission unit */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "nd6-stale-time" arg /* Stale time to reconfirm reachability with inet6 neighbour */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "slaac-enable" /* Enable slaac on management interface */, "ndp-proxy" ( /* Enable ndp proxy on interface */ c( "interface-restricted" /* Enable ndp interface proxy restricted to interface */ ) ), "dad-proxy" ( /* DAD proxy on interface */ c( "interface-restricted" /* Enable DAD interface proxy restricted to interface */ ) ), "nd6-max-cache" arg /* Max interface ND nexthop cache size */, "nd6-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "no-redirects" /* Do not redirect traffic */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "address" arg ( /* Interface address or destination prefix */ c( "destination" ( /* Destination address */ ipv6addr /* Destination address */ ), "eui-64" /* Generate EUI-64 interface ID */, "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "ndp" arg ( /* Static Neighbor Discovery Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for NDP entry */ interface_name /* Layer 2 interface name for NDP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to NDP requests for this entry */ ) ).as(:oneline), "vrrp-inet6-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv6addr /* Virtual Gateway IP address */ ), "subnet-router-anycast" /* Create a subnet roter anycast address for this address. */ ) ), "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-ipv6-address" | arg) ) ) ).as(:oneline), "dad-disable" /* Disable duplicate-address-detection */, "no-dad-disable" /* Don't disable duplicate-address-detection */, "negotiate-address" /* Negotiate address with remote */ ) ), "mpls" ( /* MPLS protocol parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "maximum-labels" arg /* Protocol family maximum number of labels */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ) ) ), "mlppp" ( /* Multilink PPP protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ ("$junos-bundle-interface-name" | arg) ), c( "service-interface" ( /* Services interface to use */ interface_device /* Services interface to use */ ), "service-device-pool" arg /* Service interface pool name to use */ ), "dynamic-profile" arg /* dynamic profile for interface to use */ ) ), "mlfr-end-to-end" ( /* Multilink Frame Relay end-to-end protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "mlfr-uni-nni" ( /* Multilink Frame Relay UNI NNI protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "ccc" ( /* Circuit cross-connect parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "translate-fecn-and-becn" /* Translate FECN and BECN bits */, c( "translate-discard-eligible" /* Translate DE bit */, "translate-plp-control-word-de" /* Translate PLP to/from Martini Control DE bit */ ), "keep-address-and-control" /* Don't strip PPP address and control bytes */ ) ), "tcc" ( /* Translational cross-connect parameters */ c( "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "proxy" ( c( "inet-address" ( /* Remote host address on non-Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on non-Ethernet side of Ethernet TCC */ ) ) ), "remote" ( c( "inet-address" ( /* Remote host address on Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on Ethernet side of Ethernet TCC */ ), "mac-address" ( /* Remote host MAC address on Ethernet side of Ethernet TCC */ mac_addr /* Remote host MAC address on Ethernet side of Ethernet TCC */ ) ) ), "protocols" /* Protocols supported on TCC interface */ ) ), "vpls" ( /* Virtual private LAN service parameters */ c( "core-facing" /* Interface is core facing */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" /* Interface sampling */ ) ), "bridge" /* Layer-2 bridging parameters */, "ethernet-switching" ( /* Ethernet switching parameters */ ethernet_switching_type /* Ethernet switching parameters */ ), "fibre-channel" ( /* Fibre channel switching parameters */ fibre_channel_type /* Fibre channel switching parameters */ ), "pppoe" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "any" ( /* Parameters for 'any' family */ c( "filter" ( /* Layer 2 packet filtering */ c( "input" arg /* Name of filter applied to received packets */, "group" arg /* Group to which interface belongs */ ) ) ) ), "llc2" /* Enable Logical Link Control Type 2 */ ) ), "service-domain" ( /* Service domain to which interface belongs */ ("inside" | "outside") ), "copy-tos-to-outer-ip-header" /* Copy IP payload header's ToS field to GRE delivery header */, "copy-tos-to-outer-ip-header-transit" /* Copy IP ToS field to GRE header for transit packets */, "load-balancing-options" ( /* AMS subunit load balancing options */ c( "preferred-active" ( /* Preferred active Interface name */ interface_device /* Preferred active Interface name */ ), "disable-hash" /* Hash based distribution is not needed for this subunit */, "hash-keys" ( c( "ingress-key" ( /* Hash Key for the ingress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "iif")) ), "egress-key" ( /* Hash Key for the egress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "oif")) ), "ipv6-source-prefix-length" ( /* IPv6 source prefix length for hash computation */ ("56" | "64" | "96" | "128") ) ) ) ) ), "mac" ( /* Configure logical interface MAC address */ mac_unicast /* Configure logical interface MAC address */ ), "virtual-gateway-v4-mac" ( /* Configure virtual gateway IPV4 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV4 virtual MAC address */ ), "virtual-gateway-v6-mac" ( /* Configure virtual gateway IPV6 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV6 virtual MAC address */ ), "forwarding-options" /* Aggregated Ethernet interface forwarding-options */, "etree-ac-role" ( /* ETREE attachment circuit role */ ("root" | "leaf") ), "dialer-options" ( /* Dialer options */ c( "pool" arg /* Dialer pool */, "dial-string" arg /* String to dial out */, "incoming-map" ( /* Map incoming call to dialer */ c( c( "caller" arg /* Caller Id to be screened */.as(:oneline), "accept-all" /* Accept all incoming calls */ ) ) ), "callback" /* Call back on any incoming call to the dialer */, "callback-wait-period" arg /* Time to wait before calling back */, "redial-delay" arg /* Time to wait before redialing */, "idle-timeout" arg /* Delay before taking down the interface */, "watch-list" arg /* Dialer watch list */, "load-threshold" arg /* Load threshold for adding interfaces */, "load-interval" arg /* Interval used to calculate average load */, "activation-delay" arg /* Activation delay */, "deactivation-delay" arg /* Deactivation delay */, "initial-route-check" arg /* Delay to check primary after the router is up */, "always-on" /* Always keep on-line */ ) ), "backup-options" ( /* Backup interface configuration options */ c( "interface" ( /* Backup interface */ interface_name /* Backup interface */ ) ) ), "dynamic-call-admission-control" /* Dynamic call admission control configuration */ ) ), "no-partition" ( /* Use channelizable interface as clear channel */ sc( "interface-type" ( /* Interface type */ ("e1" | "t1" | "at" | "t3" | "e3" | "ct3" | "so" | "cau4") ) ) ).as(:oneline), "partition" arg ( /* Channelized interface partition */ sc( "oc-slice" arg /* Range of SONET/SDH slices (for example, 1, 7-9) */, "timeslots" arg /* Timeslots [(1..24) for T1, (1..31) for E1]; for example, 1-3,4,9,22-24 (no spaces) */, "interface-type" ( /* Sublevel interface type */ ("ds" | "e1" | "t1" | "at" | "ct1" | "ce1" | "t3" | "ct3" | "e3" | "so" | "coc1" | "cau4" | "dc" | "bc") ) ) ).as(:oneline), "radius-options" ( /* Interface RADIUS Options */ radius_options_vlan_type /* Interface RADIUS Options */ ), "modem-options" ( /* MODEM interface-specific options */ c( "init-command-string" arg /* AT command string to initialize modem */, "dialin" ( ("console" | "routable") ) ) ), "isdn-options" ( /* ISDN interface-specific options */ c( "switch-type" ( /* ISDN switch type */ ("ni1" | "etsi" | "att5e" | "ntdms100" | "ntt" | "ni2") ), "media-type" arg /* IDSN media type - voice, data or both */, "spid1" arg /* Service profile identifier */, "spid2" arg /* Additional service profile identifier */, "calling-number" arg /* Calling number included in outgoing calls */, "incoming-called-number" arg ( /* Incoming called number to be screened */ sc( "reject" /* Reject the called number */ ) ).as(:oneline), "tei-option" ( /* ISDN terminal endpoint identifier negotiation options */ ("first-call" | "power-up") ), "static-tei-val" arg /* Static TEI value */, "t310" arg /* Timer T310 value */, "bchannel-allocation" ( /* Allocate PRI dialout b-channel in ascending/descending order */ ("ascending" | "descending") ) ) ), "dialer-options" ( /* Dialer options */ c( "pool" arg ( /* Dialer pool */ sc( "priority" arg /* Dialer pool priority */ ) ).as(:oneline) ) ), "redundant-pseudo-interface-options" ( /* Pseudo interface redundancy options */ c( "redundancy-group" arg /* Redundancy group of this interface */ ) ), "act-sim" arg /* Default SIM slot to connect LTE network */, "cellular-options" ( /* Cellular interface specific options */ c( "sim" arg ( /* SIM slot to connect LTE network */ c( "select-profile" ( /* Profile to be applied */ sc( "profile-id" arg /* Profile to be used for data calls */ ) ).as(:oneline), "radio-access" ( /* Select radio access technology */ sc( c( "automatic" /* Automatically selects radio access type */, "umts-3g-only" /* 3G only */, "umts-3g-preferred" /* UMTS 3G Preferred */, "lte-only" /* Only LTE */, "lte-preferred" /* LTE Preferred */ ) ) ).as(:oneline), "encrypted-sim-unlock-code" ( /* Encrypted PIN */ unreadable /* Encrypted PIN */ ), "gateway" ( /* Set customer gateway for LTE network */ ipprefix /* Set customer gateway for LTE network */ ) ) ) ) ) ) ), interfaces_type ) ), "multi-chassis" /* Multi-chassis configuration */, "jsrc-partition" /* JSRC partition configuration */.as(:oneline), "snmp" ( /* Simple Network Management Protocol configuration */ c( "system-name" arg /* System name override */, "description" arg /* System description */, "location" arg /* Physical location of system */, "contact" arg /* Contact information for administrator */, "interface" ( /* Restrict SNMP requests to interfaces */ interface_name /* Restrict SNMP requests to interfaces */ ), "alarm-management" /* Alarm management */, "filter-interfaces" ( /* List of interfaces that needs to be filtered */ c( "interfaces" arg /* Filter specified interfaces */, "all-internal-interfaces" /* Filter all internal interfaces */ ) ), "if-count-with-filter-interfaces" /* Filter interfaces config for ifNumber and ipv6Interfaces */, "filter-duplicates" /* Filter requests with duplicate source address/port and request ID */, "nonvolatile" ( /* Configure the handling of nonvolatile SNMP Set requests */ c( "commit-delay" arg /* Delay between affirmative SNMP Set reply and start of commit */ ) ), "v3" ( /* SNMPv3 configuration information */ c( "usm" ( /* User-based security model (USM) information */ c( "local-engine" ( /* Local engine user configuration */ c( "user" ( /* SNMPv3 USM user information */ v3_user_config /* SNMPv3 USM user information */ ) ) ), "remote-engine" arg ( /* Remote engine user configuration */ c( "user" ( /* SNMPv3 USM user information */ v3_user_config /* SNMPv3 USM user information */ ) ) ) ) ), "vacm" ( /* View-based access control model (VACM) information */ c( "security-to-group" ( /* Assigns security names to group */ c( "security-model" enum(("usm" | "v1" | "v2c")) ( /* Security model context for group assignment */ c( "security-name" arg ( /* Security name to assign to group */ c( "group" arg /* Group to which to assign security name */ ) ) ) ) ) ), "access" ( /* Specify SNMP access limits */ c( "group" arg ( /* Group access configuration */ c( "default-context-prefix" ( /* Default context-prefix access configuration */ c( "security-model" ( /* Security model access configuration */ security_model_access /* Security model access configuration */ ) ) ), "context-prefix" arg ( /* Context-prefix access configuration */ c( "security-model" ( /* Security model access configuration */ security_model_access /* Security model access configuration */ ) ) ) ) ) ) ) ) ), "target-address" arg ( /* Identifies notification targets as well as allowed management stations */ c( "address" ( /* SNMP target address */ ipaddr /* SNMP target address */ ), "port" arg /* SNMP target port number */, "timeout" arg /* Acknowledgment timeout for confirmed SNMP notifications */, "retry-count" arg /* Maximum retry count for confirmed SNMP notifications */, "tag-list" arg /* SNMP tag list used to select target addresses */, "address-mask" ( /* Mask range of addresses for community string access control. */ ipaddr /* Mask range of addresses for community string access control. */ ), "routing-instance" arg /* Routing instance for trap destination */, "logical-system" arg /* Logical-system name for trap destination */, "target-parameters" arg /* SNMPv3 target parameter name in the target parameters table */ ) ), "target-parameters" arg ( /* Parameters and filter name used when sending notifications */ c( "parameters" ( /* Parameters used when sending notifications */ c( "message-processing-model" ( /* The message processing model to be used when generating SNMP notifications */ ("v1" | "v2c" | "v3") ), "security-model" ( /* Security-model used when generating SNMP notifications */ ("usm" | "v1" | "v2c") ), "security-level" ( /* Security-level used when generating SNMP notifications */ ("none" | "authentication" | "privacy") ), "security-name" arg /* Security name used when generating SNMP notifications */ ) ), "notify-filter" ( /* Notify filter to apply to notifications */ sc( arg ) ).as(:oneline) ) ), "notify" arg ( /* Used to select management targets for notifications as well as the type of notifications */ c( "type" ( /* Notification type */ ("trap" | "inform") ), "tag" arg /* Notifications will be sent to all targets configured with this tag */ ) ), "notify-filter" arg ( /* Filters to apply to SNMP notifications */ c( "oid" arg ( /* OID include/exclude list */ sc( c( "include" /* Include this OID in the notify filter */, "exclude" /* Exclude this OID from the notify filter */ ) ) ).as(:oneline) ) ), "snmp-community" arg ( /* SNMP community and view-based access control model configuration */ c( "community-name" ( /* SNMPv1/v2c community name (default is same as community-index) */ unreadable /* SNMPv1/v2c community name (default is same as community-index) */ ), "security-name" arg /* Security name used when performing access control */, "context" arg /* Context used when performing access control */, "tag" arg /* Tag identifier for set of targets allowed to use this community string */ ) ) ) ), "proxy" arg ( /* SNMP proxy configuration */ c( "device-name" arg /* Satellite/Proxied Device name or IP address */, c( "version-v1" ( /* For v1 proxy configuration define snmp-community */ comm_object /* For v1 proxy configuration define snmp-community */ ), "version-v2c" ( /* For v2c proxy configuration define snmp-community */ comm_object /* For v2c proxy configuration define snmp-community */ ), "version-v3" ( /* For v3 proxy configuration define security-name */ sec_object /* For v3 proxy configuration define security-name */ ) ), "routing-instance" arg /* Associate routing-instance name for proxy forwarding */, "logical-system" arg ( /* Associate logical-system name for proxy forwarding */ c( "routing-instance" arg /* Associate routing-instance name for proxy forwarding */ ) ) ) ), "subagent" ( /* SNMP subagent configuration */ c( "tcp" ( /* Allow SNMP subagent tcp connection */ c( "routing-instance" ( /* Specify routing-instance name for tcp connection */ c( "default" /* Allow connections over default routing-instance */ ) ) ) ) ) ), "engine-id" ( /* SNMPv3 engine ID */ c( c( "use-mac-address" /* Uses management interface MAC Address for the engine ID */, "use-default-ip-address" /* Use default IP address for the engine ID */, "local" arg /* Local engine ID */ ) ) ), "access" ( /* SNMPv3 access information */ c( "user" arg ( /* SNMPv3 USM user information */ c( "authentication-type" ( /* SNMPv3 USM authentication type */ ("none" | "md5" | "sha") ), "authentication-password" ( /* SNMPv3 USM authentication password */ unreadable /* SNMPv3 USM authentication password */ ), "privacy-type" ( /* SNMPv3 USM privacy type */ ("none" | "des") ), "privacy-password" ( /* SNMPv3 USM privacy password */ unreadable /* SNMPv3 USM privacy password */ ), "clients" arg ( /* List of source address prefix ranges to accept */ sc( "restrict" /* Deny access */ ) ).as(:oneline) ) ), "group" arg ( /* SNMPv3 USM group information */ c( "user" arg /* SNMPv3 USM username */, "model" ( /* SNMPv3 security model */ ("usm") ) ) ), "context" arg ( /* SNMPv3 context information */ c( "description" arg /* SNMPv3 context description */, "group" arg ( /* Access group */ c( "model" ( /* SNMPv3 security model */ ("usm") ), "security-level" ( /* SNMPv3 security level */ ("none" | "authentication" | "privacy") ), "read-view" arg /* Read view name */, "write-view" arg /* Write view name */ ) ) ) ) ) ), "view" arg ( /* Define MIB views */ c( "oid" arg ( /* OID include/exclude list */ sc( c( "include" /* Include this OID in the view */, "exclude" /* Exclude this OID from the view */ ) ) ).as(:oneline) ) ), "client-list" arg ( /* Client list */ c( client_address_object /* Client address list */ ) ), "community" arg ( /* Configure a community string */ c( "view" arg /* View name */, "authorization" ( /* Authorization type */ ("read-only" | "read-write") ), c( "client-list-name" arg /* The name of client list or prefix list */, "clients" arg ( /* List of source address prefix ranges to accept */ sc( "restrict" /* Deny access */ ) ).as(:oneline) ), "routing-instances" arg ( /* Use logical-system/routing-instance for v1/v2c clients */ c( c( "client-list-name" arg /* The name of client list or prefix list */, "clients" arg ( /* List of source address prefix ranges to accept */ sc( "restrict" /* Deny access */ ) ).as(:oneline) ) ) ), "routing-instance" arg ( /* Use routing-instance name for v1/v2c clients */ c( c( "client-list-name" arg /* The name of client list or prefix list */, "clients" arg ( /* List of source address prefix ranges to accept */ sc( "restrict" /* Deny access */ ) ).as(:oneline) ) ) ), "logical-system" arg ( /* Use logical-system name for v1/v2c clients */ c( "routing-instance" arg ( /* Use routing-instance name for v1/v2c clients */ c( c( "client-list-name" arg /* The name of client list or prefix list */, "clients" arg ( /* List of source address prefix ranges to accept */ sc( "restrict" /* Deny access */ ) ).as(:oneline) ) ) ) ) ) ) ), "trap-options" ( /* SNMP trap options */ c( "source-address" ( /* IPv4/IPv6 source address for trap PDUs */ c( c( "lo0" /* Use lowest address on loopback interface */, ipaddr /* Use specified address */ ) ) ), "enterprise-oid" /* Add snmpTrapEnterprise oid in varbind of all traps */, "context-oid" /* Add context oid in varbind of all traps at the end */, "routing-instances" arg ( /* Use routing-instance name for source-address */ c( "source-address" ( /* IPv4/IPv6 source address for trap PDUs */ c( c( "lo0" /* Use lowest address on loopback interface */, ipaddr /* Use specified address */ ) ) ) ) ), "routing-instance" arg ( /* Use routing-instance name for source-address */ c( "source-address" ( /* IPv4/IPv6 source address for trap PDUs */ c( c( "lo0" /* Use lowest address on loopback interface */, ipaddr /* Use specified address */ ) ) ) ) ), "logical-system" arg ( /* Use logical-system name for source-address */ c( "routing-instance" arg ( /* Use routing-instance name for source-address */ c( "source-address" ( /* IPv4/IPv6 source address for trap PDUs */ c( c( "lo0" /* Use lowest address on loopback interface */, ipaddr /* Use specified address */ ) ) ) ) ) ) ), "agent-address" ( /* Agent address for v1 trap PDUs */ ("outgoing-interface") ) ) ), "trap-group" arg ( /* Configure traps and notifications */ c( "version" ( /* SNMP version */ ("all" | "v1" | "v2") ), "destination-port" arg /* SNMP trap receiver port number */, "categories" ( /* Trap categories */ c( "authentication" /* Authentication failures */, "chassis" /* Chassis or environment notifications */, "link" /* Link up-down transitions */, "remote-operations" /* Remote operations */, "routing" /* Routing protocol notifications */, "startup" /* System warm and cold starts */, "ggsn" /* GGSN notifications */, "rmon-alarm" /* RMON rising and falling alarms */, "vrrp-events" /* VRRP notifications */, "configuration" /* Configuration notifications */, "services" /* Services notifications */, "chassis-cluster" /* Clustering notifications */, "timing-events" /* Timing defects/events notifications */, "dot3oam-events" /* 802.3ah notifications */, "sonet-alarms" ( /* SONET alarm trap subcategories */ c( "loss-of-light" /* Loss of light alarm notification */, "pll-lock" /* PLL lock alarm notification */, "loss-of-frame" /* Loss of frame alarm notification */, "loss-of-signal" /* Loss of signal alarm notification */, "severely-errored-frame" /* Severely errored frame alarm notification */, "line-ais" /* Line AIS alarm notification */, "path-ais" /* Path AIS alarm notification */, "loss-of-pointer" /* Loss of pointer alarm notification */, "ber-defect" /* Sonet bit error rate alarm defect notification */, "ber-fault" /* Sonet bit error rate alarm fault notification */, "line-remote-defect-indication" /* Line Remote Defect Indication alarm notification */, "path-remote-defect-indication" /* Path Remote Defect Indication alarm notification */, "remote-error-indication" /* Remote Error Indication alarm notification */, "unequipped" /* Unequipped alarm notification */, "path-mismatch" /* Path mismatch alarm notification */, "loss-of-cell" /* Loss of Cell delineation alarm notification */, "vt-ais" /* VT AIS alarm notification */, "vt-loss-of-pointer" /* VT Loss Of Pointer alarm notification */, "vt-remote-defect-indication" /* VT Remote Defect Indication alarm notification */, "vt-unequipped" /* VT Unequipped alarm notification */, "vt-label-mismatch" /* VT label mismatch error notification */, "vt-loss-of-cell" /* VT Loss of Cell delineation notification */ ) ), "otn-alarms" ( /* OTN alarm trap subcategories */ c( "oc-los" /* Loss of signal alarm notification */, "oc-lof" /* Loss of frame alarm notification */, "oc-lom" /* Loss of multiframe alarm notification */, "wavelength-lock" /* Wavelength lock alarm notification */, "otu-ais" /* OTU Alarm indication signal alarm notification */, "otu-bdi" /* OTU Backward defect indication alarm notification */, "otu-ttim" /* OTU Trace identification mismatch alarm notification */, "otu-iae" /* OTU Incoming alignment error alarm notification */, "otu-sd" /* OTU Signal degrade alarm notification */, "otu-sf" /* OTU Signal fail alarm notification */, "otu-fec-exe" /* OTU Fec excessive errors alarm notification */, "otu-fec-deg" /* OTU Fec degraded errors alarm notification */, "otu-bbe-threshold" /* OTU Background block error threshold alarm notification */, "otu-es-threshold" /* OTU Errored Second threshold alarm notification */, "otu-ses-threshold" /* OTU Severely Errored Second threshold alarm notification */, "otu-uas-threshold" /* OTU Unavailable Second threshold alarm notification */, "odu-ais" /* ODU Alarm indication signal alarm notification */, "odu-oci" /* ODU Open connection indicator alarm notification */, "odu-lck" /* ODU Locked alarm notification */, "odu-bdi" /* ODU Backward defect indication alarm notification */, "odu-ttim" /* ODU Trace identification mismatch alarm notification */, "odu-sd" /* ODU Signal degrade alarm notification */, "odu-sf" /* ODU Signal fail alarm notification */, "odu-rx-aps-change" /* ODU Receive APS change notification */, "odu-bbe-threshold" /* ODU Background block error threshold alarm notification */, "odu-es-threshold" /* ODU Errored Second threshold alarm notification */, "odu-ses-threshold" /* ODU Severely Errored Second threshold alarm notification */, "odu-uas-threshold" /* ODU Unavailable Second threshold alarm notification */, "opu-ptm" /* ODU Payload Type Mismatch alarm notification */ ) ) ) ), "targets" arg /* Targets for trap messages */.as(:oneline), "routing-instance" arg /* Routing instance for trap destination */, "logical-system" arg /* Logical-system name for trap destination */ ) ), "routing-instance-access" ( /* SNMP routing-instance options */ c( "access-list" arg ( /* Allow/Deny SNMP access to routing-instances */ sc( "restrict" /* Deny access */ ) ).as(:oneline) ) ), "logical-system-trap-filter" /* Allow only logical-system specific traps */, "traceoptions" ( /* Trace options for SNMP */ c( "memory-trace" ( /* Memory tracing information */ c( "size" arg /* Memory size reserved for tracing */ ) ), "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("timer" | "protocol-timeouts" | "pdu" | "varbind-error" | "routing-socket" | "interface-stats" | "subagent" | "general" | "nonvolatile-sets" | "all")) /* Tracing parameters */.as(:oneline) ) ), "rmon" ( /* Remote Monitoring configuration */ c( "history" /* RMON history entries */, "alarm" arg ( /* RMON alarm entries */ c( "description" arg /* General description of alarm (stored in alarmOwner) */, "interval" arg /* Interval between samples */, "falling-threshold-interval" arg /* Interval between samples during falling-threshold test */, "variable" arg /* OID of MIB variable to be monitored */, "sample-type" ( /* Method of sampling the selected variable */ ("absolute-value" | "delta-value") ), "request-type" ( /* Type of SNMP request to issue for alarm */ ("get-request" | "get-next-request" | "walk-request") ), "startup-alarm" ( /* The alarm that may be sent upon entry startup */ ("rising-alarm" | "falling-alarm" | "rising-or-falling-alarm") ), "rising-threshold" arg /* The rising threshold */, "falling-threshold" arg /* The falling threshold */, "rising-event-index" arg /* Event triggered after rising threshold is crossed */, "falling-event-index" arg /* Event triggered after falling threshold is crossed */, "syslog-subtag" arg /* Tag to be added to syslog messages */ ) ), "event" arg ( /* RMON event entries */ c( "description" arg /* General description of event */, "type" ( /* The type of notification for this event */ ("none" | "log" | "snmptrap" | "log-and-trap") ), "community" arg /* The community (trap group) for outgoing traps */ ) ) ) ), "health-monitor" ( /* Health monitoring configuration */ c( "routing-engine" /* Routing engine health monitoring configuration */, "interval" arg /* Interval between samples */, "rising-threshold" arg /* Rising threshold applied to all monitored objects */, "falling-threshold" arg /* Falling threshold applied to all monitored objects */, "idp" ( /* IDP health monitor configuration */ c( "interval" arg /* Interval between samples */, "rising-threshold" arg /* Rising threshold applied to all monitored objects */, "falling-threshold" arg /* Falling threshold applied to all monitored objects */ ) ) ) ), "arp" ( /* JVision ARP settings */ c( "host-name-resolution" /* Enable host name resolution */ ) ) ) ), "forwarding-options" ( /* Configure options to control packet forwarding */ juniper_forwarding_options /* Configure options to control packet forwarding */ ), "event-options" ( /* Event processing configuration */ c( "max-policies" arg /* Number of policies that can be executed simultaneously */, "generate-event" arg ( /* Generate an internal event */ sc( c( "time-of-day" ( /* Time of day at which to generate event (hh:mm:ss) */ date /* Time of day at which to generate event (hh:mm:ss) */ ), "time-interval" arg /* Frequency for generating the event */ ), "no-drift" /* Avoid event generation delay propagating to next event */ ) ).as(:oneline), "policy" arg ( /* Event policy for event policy manager */ c( "events" arg /* List of events that trigger this policy */, "within" arg ( /* List of events correlated with trigering events */ c( "trigger" ( /* Correlate events based on the number of occurrences */ sc( c( "until" /* Trigger when occurrences of triggering event < 'count' */, "on" /* Trigger when occurrences of triggering event = 'count' */, "after" /* Trigger when occurrences of triggering event > 'count' */ ), arg /* Number of occurrences of triggering event */ ) ).as(:oneline), "events" arg /* List of events that must occur within time interval */, "not" ( /* Events must not occur within time interval */ sc( "events" arg /* List of events that must not occur within time interval */ ) ).as(:oneline) ) ), "attributes-match" ( /* List of attributes to compare for two events */ s( arg, enum(("equals" | "starts-with" | "matches")), arg ) ).as(:oneline), "then" ( /* List of actions to perform when policy matches */ c( "ignore" /* Do not log event or perform any other action */, "priority-override" ( /* Change syslog priority value */ c( "facility" ( /* Facility type */ ("authorization" | "daemon" | "ftp" | "ntp" | "security" | "kernel" | "user" | "dfc" | "external" | "firewall" | "pfe" | "conflict-log" | "change-log" | "interactive-commands") ), "severity" ( /* Severity type */ ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info") ) ) ), "upload" ( /* Upload file to specified destination */ s( "filename" arg /* Name of file to upload */, "destination" arg /* Location to which to output file */, c( "user-name" arg /* User under whose privileges upload action will execute */, "transfer-delay" arg /* Delay before uploading file to the destination */, "retry-count" ( /* Upload output-filename retry attempt count */ sc( arg, "retry-interval" arg /* Time interval between each retry */ ) ).as(:oneline) ) ) ), "change-configuration" ( /* Change configuration */ c( "retry" ( /* Change configuration retry attempt count */ sc( "count" arg /* Number of retry attempts */, "interval" arg /* Time interval between each retry */ ) ).as(:oneline), "commands" arg /* List of configuration commands */, "user-name" arg /* User under whose privileges configuration should be changed */, "commit-options" ( /* List of commit options */ c( "check" ( /* Check correctness of syntax; do not apply changes */ c( "synchronize" /* Synchronize commit on both Routing Engines */ ) ), "synchronize" /* Synchronize commit on both Routing Engines */, "force" /* Force commit on other Routing Engine (ignore warnings) */, "log" arg /* Message to write to commit log */ ) ) ) ), "execute-commands" ( /* Issue one or more CLI commands */ c( "commands" arg /* List of CLI commands to issue */, "user-name" arg /* User under whose privileges command will execute */, "output-filename" arg /* Name of file in which to write command output */, "destination" arg ( /* Location to which to upload command output */ c( "transfer-delay" arg /* Delay before uploading file to the destination */, "retry-count" ( /* Upload output-filename retry attempt count */ sc( arg, "retry-interval" arg /* Time interval between each retry */ ) ).as(:oneline) ) ), "output-format" ( /* Format of output from CLI commands */ ("text" | "xml") ) ) ), "event-script" arg ( /* Invoke event scripts */ c( "arguments" arg ( /* Command line argument to the script */ sc( arg /* Value of the argument */ ) ).as(:oneline), "user-name" arg /* User under whose privileges event script will execute */, "output-filename" arg /* Name of file in which to write event script output */, "destination" arg ( /* Location to which to upload event script output */ c( "transfer-delay" arg /* Delay before uploading files */, "retry-count" ( /* Upload output-filename retry attempt count */ sc( arg, "retry-interval" arg /* Time interval between each retry */ ) ).as(:oneline) ) ), "output-format" ( /* Format of output from event-script */ ("text" | "xml") ) ) ), "raise-trap" /* Raise SNMP trap */ ) ) ) ), "event-script" ( /* Configure event-scripts */ c( "optional" /* Allow commit to succeed if the script is missing */, "max-datasize" arg /* Maximum data segment size for scripts execution */, "dampen" ( /* Run event scripts in dampen mode */ c( "dampen-options" ( /* Dampen options for event scripts */ c( "cpu-factor" arg /* CPU factor at which to pause */, "line-interval" arg /* Line interval at which to pause */, "time-interval" arg /* Time to pause */ ) ) ) ), "traceoptions" ( /* Trace options for event scripts */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ).as(:oneline), "flag" enum(("events" | "input" | "offline" | "output" | "rpc" | "xslt" | "all")) /* Tracing parameters */.as(:oneline) ) ), "file" arg ( /* File name for event script */ c( "source" arg /* URL of source for this script */, "python-script-user" arg /* Run the python event script with privileges of user */, "dampen" ( /* Run script in dampen mode */ c( "dampen-options" ( /* Dampen options for the script */ c( "cpu-factor" arg /* CPU factor at which to pause */, "line-interval" arg /* Line interval at which to pause */, "time-interval" arg /* Time to pause */ ) ) ) ), "routing-instance" arg /* Routing instance */, "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */, "checksum" ( /* Checksum of this script */ c( "sha-256" arg /* SHA-256 checksum of this script */ ) ), "remote-execution" arg ( /* Remote login username and password details for script */ c( "username" arg /* SSH username for login into the remote host */, "passphrase" ( /* SSH passphrase for login into the remote host */ unreadable /* SSH passphrase for login into the remote host */ ) ) ) ) ), "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */ ) ), "destinations" arg ( /* List of destinations referred to in 'then' clause */ c( "transfer-delay" arg /* Delay before transferring files */, "archive-sites" arg ( /* List of archive destinations */ sc( "password" ( /* Password for login into the archive site */ unreadable /* Password for login into the archive site */ ) ) ).as(:oneline) ) ), "traceoptions" ( /* Trace options for the event processing daemon */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("server" | "configuration" | "events" | "timer-events" | "database" | "policy" | "registration" | "syslogd" | "all")) /* List of event types to include in trace */.as(:oneline) ) ) ) ), "accounting-options" ( /* Accounting data configuration */ juniper_accounting_options /* Accounting data configuration */ ), "routing-options" ( /* Protocol-independent routing option configuration */ juniper_routing_options /* Protocol-independent routing option configuration */ ), "multicast-snooping-options" ( /* Multicast snooping option configuration */ juniper_multicast_snooping_options /* Multicast snooping option configuration */ ), "protocols" ( /* Routing protocol configuration */ juniper_protocols /* Routing protocol configuration */ ), "policy-options" ( /* Policy option configuration */ juniper_policy_options /* Policy option configuration */ ), "class-of-service" ( /* Class-of-service configuration */ juniper_class_of_service_options /* Class-of-service configuration */ ), "firewall" ( /* Define a firewall configuration */ c( "family" ( /* Protocol family */ c( "inet" ( /* Protocol family IPv4 for firewall filter */ c( "dialer-filter" ( /* Define an IPv4 dialer filter */ inet_dialer_filter /* Define an IPv4 dialer filter */ ), "prefix-action" ( /* Define a prefix action */ prefix_action /* Define a prefix action */ ), "filter" ( /* Define an IPv4 firewall filter */ inet_filter /* Define an IPv4 firewall filter */ ), "template" ( /* Define an Inet firewall template */ inet_template /* Define an Inet firewall template */ ), "simple-filter" ( /* Define an IPv4 firewall simple filter */ inet_simple_filter /* Define an IPv4 firewall simple filter */ ), "service-filter" ( /* One or more IPv4 service filters */ inet_service_filter /* One or more IPv4 service filters */ ), "fast-update-filter" ( /* One or more fast update filters */ inet_fuf /* One or more fast update filters */ ) ) ), "inet6" ( /* Protocol family IPv6 for firewall filter */ c( "dialer-filter" ( /* Define an IPv6 dialer filter */ inet6_dialer_filter /* Define an IPv6 dialer filter */ ), "filter" ( /* Define an IPv6 firewall filter */ inet6_filter /* Define an IPv6 firewall filter */ ), "service-filter" ( /* One or more IPv6 service filters */ inet6_service_filter /* One or more IPv6 service filters */ ), "fast-update-filter" ( /* One or more fast update filters */ inet6_fuf /* One or more fast update filters */ ), "template" ( /* Define an Inet6 firewall template */ inet6_template /* Define an Inet6 firewall template */ ) ) ), "mpls" ( /* Protocol family MPLS for firewall filter */ c( "dialer-filter" ( /* Define an mpls dialer filter */ mpls_dialer_filter /* Define an mpls dialer filter */ ), "filter" ( mpls_filter ), "template" ( /* Define an MPLS firewall template */ mpls_template /* Define an MPLS firewall template */ ) ) ), "vpls" ( /* Protocol family VPLS for firewall filter */ c( "filter" ( vpls_filter ) ) ), "evpn" ( /* Protocol family EVPN for firewall filter */ c( "filter" ( vpls_filter ) ) ), "bridge" /* Protocol family BRIDGE for firewall filter */, "ccc" ( /* Protocol family CCC for firewall filter */ c( "filter" ( ccc_filter ) ) ), "any" ( /* Protocol-independent filter */ c( "filter" ( /* Define a protocol independent filter */ any_filter /* Define a protocol independent filter */ ), "template" ( /* Define Protocol independent filter template */ any_template /* Define Protocol independent filter template */ ) ) ), "ethernet-switching" ( /* Protocol family Ethernet Switching for firewall filter */ c( "filter" ( /* Define an Ethernet Switching firewall filter */ es_filter /* Define an Ethernet Switching firewall filter */ ), "template" ( /* Define an ethernet switching firewall template */ es_template /* Define an ethernet switching firewall template */ ) ) ) ) ), "policer" ( /* Policer template definition */ firewall_policer /* Policer template definition */ ), "flexible-match" ( /* Flexible packet match template definition */ firewall_flexible_match /* Flexible packet match template definition */ ), "tunnel-end-point" ( /* Tunnel end-point template definition */ tunnel_end_point /* Tunnel end-point template definition */ ), "hierarchical-policer" ( /* Hierarchical policer template definition */ firewall_hierpolicer /* Hierarchical policer template definition */ ), "interface-set" ( /* Interface set definition */ interface_set_type /* Interface set definition */ ), "load-balance-group" ( /* Load-balance group definition */ firewall_load_balance_group /* Load-balance group definition */ ), "atm-policer" ( /* Atm policer */ atm_policer_type /* Atm policer */ ), "three-color-policer" ( /* Three-color policer */ three_color_policer_type /* Three-color policer */ ), "filter" ( /* Define an IPv4 firewall filter */ inet_filter /* Define an IPv4 firewall filter */ ) ) ), "access" ( /* Network access configuration */ juniper_access_options /* Network access configuration */ ), "routing-instances" ( /* Routing instance configuration */ c( juniper_routing_instance ) ), "tenants" ( /* Tenants defined in this system */ juniper_tenant /* Tenants defined in this system */ ), "bridge-domains" /* Bridge domain configuration */, "fabric" /* Fabric configuration */, "switch-options" ( /* Options for default routing-instance of type virtual-switch */ juniper_def_rtb_switch_options /* Options for default routing-instance of type virtual-switch */ ), "unified-edge" ( c( "cos-cac" ( /* Unified Edge COS configuration */ juniper_unified_edge_cos_options /* Unified Edge COS configuration */ ), "local-policies" arg ( /* Local policy profiles */ c( "description" arg /* Text description of local policy */, "resource-threshold-profile" arg /* Resource threshold profile associated with the local policy */, "classifier-profile" arg /* QoS class profile associated with the local policy */, "cos-policy-profile" arg /* QoS policy profile associated with the local policy */, "roamer-classifier-profile" arg /* QoS classifier profile for roamers */, "roamer-cos-policy-profile" arg /* QoS policy profile for roamers */, "visitor-classifier-profile" arg /* QoS classifier profile for visitor */, "visitor-cos-policy-profile" arg /* QoS policy profile for visitor */, "traffic-class-qci-mapping-profile" arg /* Traffic class to qci mapping profile */, "ul-bandwidth-pool" arg /* Bandwidth pool associated with the local policy */, "dl-bandwidth-pool" arg /* Bandwidth pool associated with the local policy */ ) ) ) ), "jsrc" ( /* JSRC partition configuration */ jsrc_options /* JSRC partition configuration */ ), "vmhost" ( /* VM Host configurations */ c( "no-auto-recovery" /* Disable Guest auto recovery by the host */, "management-if" ( /* Configuration for the host's side management interface */ c( "link-mode" ( /* Link operational mode */ ("automatic" | "half-duplex" | "full-duplex") ), "speed" ( /* Link speed */ ("automatic" | "10m" | "100m" | "1g") ), "disable" /* Administratively disable the management port */ ) ), "interfaces" ("management-if0" | "management-if1") ( /* Interface configuration */ c( "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "address" ( /* Interface address/destination prefix */ ipv4prefix /* Interface address/destination prefix */ ), "gateway" ( /* Gateway IP address */ ipv4addr /* Gateway IP address */ ) ) ), "inet6" ( /* IPv6 parameters */ c( "address" ( /* Interface address/destination prefix */ ipv6prefix /* Interface address/destination prefix */ ), "gateway" ( /* Gateway IP address */ ipv6addr /* Gateway IP address */ ) ) ) ) ) ) ), "syslog" ( /* VMhost logging facility */ c( "host" arg ( /* Host to be notified */ c( sc( c( "any" /* All levels */, "emergency" /* Panic conditions */, "alert" /* Conditions that should be corrected immediately */, "critical" /* Critical conditions */, "error" /* Error conditions */, "warning" /* Warning messages */, "notice" /* Conditions that should be handled specially */, "info" /* Informational messages */, "none" /* No messages */ ) ).as(:oneline), "transport" ( /* Transport type */ ("tcp" | "udp") ) ) ) ) ), "services" ( /* System services */ c( "ssh" ( /* Allow ssh access */ c( "root-login" ( /* Configure vmhost root access via ssh */ ("allow" | "deny") ) ) ) ) ) ) ), "applications" ( /* Define applications by protocol characteristics */ c( "application" ( /* Define an application */ application_object /* Define an application */ ), "application-set" ( /* Define an application set */ application_set_object /* Define an application set */ ) ) ), "diameter" /* Diameter protocol layer */, "dialer" ( /* Dialer services configuration */ c( "traceoptions" ( /* Trace options for dialer services */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("config" | "kernel" | "route" | "interface" | "error" | "memory" | "all")) /* One or more message or event types to include in trace */.as(:oneline) ) ) ) ), "isdn" ( /* ISDN process configuration */ c( "traceoptions" ( /* Trace options for ISDN signaling process */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("daemon" | "stack" | "all")) /* One or more event types to include in trace */.as(:oneline) ) ) ) ), "schedulers" ( /* Security scheduler */ c( "scheduler" ( /* Scheduler configuration */ scheduler_object_type /* Scheduler configuration */ ) ) ), "smtp" ( /* Simple Mail Transfer Protocol service configuration */ c( "primary-server" ( /* SMTP primary server configuration */ c( "address" ( /* SMTP server's IPv4 address */ ipv4addr /* SMTP server's IPv4 address */ ), c( "login" ( /* Configure a mail sender account to the server */ login_object /* Configure a mail sender account to the server */ ) ) ) ), "secondary-server" ( /* SMTP secondary server configuration */ c( "address" ( /* SMTP server's IPv4 address */ ipv4addr /* SMTP server's IPv4 address */ ), c( "login" ( /* Configure a mail sender account to the server */ login_object /* Configure a mail sender account to the server */ ) ) ) ), "traceoptions" ( /* Trace options for SMTP client service */ c( "flag" enum(("IPC" | "protocol-exchange" | "configuration" | "send-request" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "poe" /* Power over Ethernet options */, "wlan" /* Wireless access point configuration */, "session-limit-group" arg ( /* Session-limit-group configuration */ sc( "maximum-sessions" arg /* Maximum number of sessions per tunnel-group */ ) ).as(:oneline), "virtual-chassis" /* Virtual chassis configuration */, "vlans" ( /* VLAN configuration */ c( vlan_types /* Virtual LAN */ ) ) ) end rule(:aamwd_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("all" | "connection" | "content" | "daemon" | "http" | "identification" | "imap" | "parser" | "plugin" | "policy" | "smtp")) /* Trace flags */.as(:oneline) ) end rule(:action_object_type) do c( "preferred-route" ( /* Preferred route action */ c( "routing-instances" arg ( /* Routing-instance */ c( "route" arg ( /* Route */ c( c( "next-hop" ( /* Next hop to destination of route-action */ ipaddr_or_interface /* Next hop to destination of route-action */ ), "discard" /* Drop packets to destination; send no ICMP unreachables */ ), "metric" arg /* Metric value assigned to route action */ ) ) ) ), "route" arg ( /* Route */ c( c( "next-hop" ( /* Next hop to destination of route-action */ ipaddr_or_interface /* Next hop to destination of route-action */ ), "discard" /* Drop packets to destination; send no ICMP unreachables */ ), "preferred-metric" arg /* Preferred metric value assigned to route action */ ) ) ) ), "interface" arg ( /* Interface enabling/disabling action */ c( c( "enable" /* Enable interface */, "disable" /* Disable interface */ ) ) ) ) end rule(:address_filter_type) do c( "address-book" ( /* Referenced address book */ (arg) ), "address-set" arg /* Referenced address set */ ) end rule(:advisory_options_type) do c( "upstream-rate" arg /* Recommended upstream shaping rate */, "downstream-rate" arg /* Recommended downstream shaping rate */ ) end rule(:aggregate_load_balance) do c( c( "per-packet" /* Per packet */, "no-adaptive" /* Disable adaptive */, "adaptive" /* Enable adaptive load balancing by re-programming selector table */ ) ) end rule(:alg_object) do c( "traceoptions" ( /* ALG trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Set level of tracing output */ ("brief" | "detail" | "extensive" | "verbose") ) ) ), "alg-manager" ( /* Configure ALG-MANAGER */ sc( "traceoptions" ( /* ALG-MANAGER trace options */ c( "flag" enum(("all")) ( /* ALG-MANAGER trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "alg-support-lib" ( /* Configure ALG-SUPPORT-LIB */ sc( "traceoptions" ( /* ALG-SUPPORT-LIB trace options */ c( "flag" enum(("all")) ( /* ALG-SUPPORT-LIB trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "dns" ( /* Configure DNS ALG */ c( "disable" /* Disable DNS ALG */, "maximum-message-length" arg /* Set maximum message length */, "oversize-message-drop" /* Drop oversized DNS packets */, "doctoring" ( /* Configure DNS ALG doctoring */ c( c( "none" /* Disable all DNS ALG Doctoring */, "sanity-check" /* Perform only DNS ALG sanity checks */ ) ) ), "traceoptions" ( /* DNS ALG trace options */ c( "flag" enum(("all")) ( /* DNS ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "ftp" ( /* Configure FTP ALG */ sc( "disable" /* Disable FTP ALG */, "ftps-extension" /* Enable secure FTP and FTP-ssl protocols */, "line-break-extension" /* Enable CR+LF line termination */, "allow-mismatch-ip-address" /* Pass FTP packets with mismatched ip address headers and payload */, "traceoptions" ( /* FTP ALG trace options */ c( "flag" enum(("all")) ( /* FTP ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "h323" ( /* Configure H.323 ALG */ c( "disable" /* Disable H.323 ALG */, "endpoint-registration-timeout" arg /* Timeout for endpoints */, "media-source-port-any" /* Permit media from any source port on the endpoint */, "application-screen" ( /* Configure application screens */ c( "unknown-message" ( /* Configure ALG action on receiving an unknown message */ c( "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, "permit-routed" /* Permit unknown messages on routed packets */ ) ), "message-flood" ( /* Configure Message flood ALG options */ c( "gatekeeper" ( /* Set options for gatekeeper messages */ sc( "threshold" arg /* Message flood gatekeeper threshold */ ) ).as(:oneline) ) ) ) ), "dscp-rewrite" ( /* DSCP code rewrite */ c( "code-point" arg /* Set dscp codepoint 6-bit string */ ) ), "traceoptions" ( /* H.323 ALG trace options */ c( "flag" enum(("q931" | "h245" | "ras" | "h225-asn1" | "h245-asn1" | "ras-asn1" | "chassis-cluster" | "all")) ( /* H.323 ALG trace flags */ sc( c( "terse" /* Set trace verbosity level to terse */, "detail" /* Set trace verbosity level to detail */, "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "mgcp" ( /* Configure MGCP ALG */ c( "disable" /* Disable MGCP ALG */, "inactive-media-timeout" arg /* Set inactive media timeout */, "transaction-timeout" arg /* Set transaction timeout */, "maximum-call-duration" arg /* Set maximum call duration */, "application-screen" ( /* Configure application screens */ c( "unknown-message" ( /* Configure ALG action on receiving an unknown message */ c( "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, "permit-routed" /* Permit unknown messages on routed packets */ ) ), "message-flood" ( /* Set message flood ALG options */ sc( "threshold" arg /* Message flood threshold */ ) ).as(:oneline), "connection-flood" ( /* Set connection flood options */ sc( "threshold" arg /* Connection flood threshold */ ) ).as(:oneline) ) ), "dscp-rewrite" ( /* DSCP code rewrite */ c( "code-point" arg /* Set dscp codepoint 6-bit string */ ) ), "traceoptions" ( /* MGCP ALG trace options */ c( "flag" enum(("call" | "decode" | "error" | "chassis-cluster" | "nat" | "packet" | "rm" | "all")) ( /* MGCP ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "msrpc" ( /* Configure MSRPC ALG */ sc( "disable" /* Disable MSRPC ALG */, "group-max-usage" arg /* Set maximum group usage percentage, default 80 */, "map-entry-timeout" arg /* Set entry timeout, default 8hour */, "traceoptions" ( /* MSRPC ALG trace options */ c( "flag" enum(("all")) ( /* MSRPC ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "sunrpc" ( /* Configure SUNRPC ALG */ sc( "disable" /* Disable SUNRPC ALG */, "group-max-usage" arg /* Set maximum group usage percentage, default 80 */, "map-entry-timeout" arg /* Set entry timeout, default 8hour */, "traceoptions" ( /* SUNRPC ALG trace options */ c( "flag" enum(("all")) ( /* SUNRPC ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "rsh" ( /* Configure RSH ALG */ c( "disable" /* Disable RSH ALG */, "traceoptions" ( /* RSH ALG trace options */ c( "flag" enum(("all")) ( /* RSH ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "rtsp" ( /* Configure RTSP ALG */ sc( "disable" /* Disable RTSP ALG */, "traceoptions" ( /* RTSP ALG trace options */ c( "flag" enum(("all")) ( /* RTSP ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "sccp" ( /* Configure SCCP ALG */ c( "disable" /* Disable SCCP ALG */, "inactive-media-timeout" arg /* Set inactive media timeout */, "application-screen" ( /* Configure application screens */ c( "unknown-message" ( /* Configure ALG action on receiving an unknown message */ c( "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, "permit-routed" /* Permit unknown messages on routed packets */ ) ), "call-flood" ( /* Configure call flood thresholds */ sc( "threshold" arg /* Calls per second per client */ ) ).as(:oneline) ) ), "dscp-rewrite" ( /* DSCP code rewrite */ c( "code-point" arg /* Set dscp codepoint 6-bit string */ ) ), "traceoptions" ( /* SCCP ALG trace options */ c( "flag" enum(("call" | "cli" | "decode" | "error" | "chassis-cluster" | "init" | "nat" | "rm" | "all")) ( /* SCCP ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "sip" ( /* Configure SIP ALG */ c( "disable" /* Disable SIP ALG */, "inactive-media-timeout" arg /* Set inactive media timeout */, "maximum-call-duration" arg /* Set maximum call duration */, "t1-interval" arg /* Set T1 interval */, "t4-interval" arg /* Set T4 interval */, "c-timeout" arg /* Set C timeout */, "disable-call-id-hiding" /* Disable translation of host IP in Call-ID header */, "retain-hold-resource" /* Retain SDP resources during call hold */, "hide-via-headers" ( /* Hide via headers options */ c( "disable" /* Disable hide via headers function */ ) ), "distribution-ip" /* Configure SIP distribute server IPV6 or IPV4 ip */, "application-screen" ( /* Configure application screens */ c( "unknown-message" ( /* Configure ALG action on receiving an unknown message */ c( "permit-nat-applied" /* Permit unknown messages on packets that are NATed */, "permit-routed" /* Permit unknown messages on routed packets */ ) ), "protect" ( /* Configure Protect options */ c( "deny" ( /* Protect deny options */ c( c( "destination-ip" arg /* List of protected destination server IP */, "all" /* Enable attack protection for all servers */ ), "timeout" arg /* Timeout value for SIP INVITE attack table entry */ ) ) ) ) ) ), "dscp-rewrite" ( /* DSCP code rewrite */ c( "code-point" arg /* Set dscp codepoint 6-bit string */ ) ), "traceoptions" ( /* SIP ALG trace options */ c( "flag" enum(("call" | "chassis-cluster" | "nat" | "parser" | "rm" | "all")) ( /* SIP ALG trace flags */ sc( c( "terse" /* Set trace verbosity level to terse */, "detail" /* Set trace verbosity level to detail */, "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "sql" ( /* Configure SQL ALG */ sc( "disable" /* Disable SQL ALG */, "traceoptions" ( /* SQL ALG trace options */ c( "flag" enum(("all")) ( /* SQL ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "talk" ( /* Configure Talk ALG */ sc( "disable" /* Disable Talk ALG */, "traceoptions" ( /* TALK ALG trace options */ c( "flag" enum(("all")) ( /* TALK ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "tftp" ( /* Configure TFTP ALG */ sc( "disable" /* Disable TFTP ALG */, "traceoptions" ( /* TFTP ALG trace options */ c( "flag" enum(("all")) ( /* TFTP ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "pptp" ( /* Configure PPTP ALG */ sc( "disable" /* Disable PPTP ALG */, "traceoptions" ( /* PPTP ALG trace options */ c( "flag" enum(("all")) ( /* PPTP ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "ike-esp-nat" ( /* Configure IKE-ESP ALG with NAT */ c( "enable" /* Enable IKE-ESP ALG */, "esp-gate-timeout" arg /* Set ESP gate timeout */, "esp-session-timeout" arg /* Set ESP session timeout */, "state-timeout" arg /* Set ALG state timeout */, "traceoptions" ( /* IKE-ESP ALG trace options */ c( "flag" enum(("all")) ( /* IKE-ESP ALG trace flags */ sc( c( "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "twamp" ( /* Configure TWAMP ALG */ c( "traceoptions" ( /* TWAMP ALG trace options */ c( "flag" enum(("all")) ( /* TWAMP ALG trace flags */ sc( c( "extensive" /* Trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ) ) end rule(:anti_spam_feature) do c( "sbl" ( /* SBL settings */ sbl_type /* SBL settings */ ) ) end rule(:anti_virus_feature) do c( "sophos-engine" ( /* Anti-virus sophos-engine */ c( "profile" arg ( /* Anti-virus sophos-engine profile */ c( "fallback-options" ( /* Anti-virus sophos-engine fallback options */ sophos_fallback_settings /* Anti-virus sophos-engine fallback options */ ), "scan-options" ( /* Anti-virus sophos-engine scan options */ sophos_scan_options /* Anti-virus sophos-engine scan options */ ), "trickling" ( /* Anti-virus trickling */ anti_virus_trickling /* Anti-virus trickling */ ), "notification-options" ( /* Anti-virus notification options */ anti_virus_notification_options /* Anti-virus notification options */ ), "mime-whitelist" ( /* Anti-virus MIME whitelist */ c( "list" arg /* MIME list */, "exception" arg /* Exception settings for MIME white list */ ) ), "url-whitelist" arg /* Anti-virus URL white list */ ) ) ) ) ) end rule(:anti_virus_notification_options) do c( "virus-detection" ( /* Virus detection notification */ c( "type" ( /* Virus detection notification type */ ("protocol-only" | "message") ), "notify-mail-sender" /* Notify mail sender */, "no-notify-mail-sender" /* Don't notify mail sender */, "custom-message" arg /* Custom message for notification */, "custom-message-subject" arg /* Custom message subject for notification */ ) ), "fallback-block" ( /* Fallback block notification */ c( "type" ( /* Fallback block notification type */ ("protocol-only" | "message") ), "notify-mail-sender" /* Notify mail sender */, "no-notify-mail-sender" /* Don't notify mail sender */, "custom-message" arg /* Custom message for notification */, "custom-message-subject" arg /* Custom message subject for notification */ ) ), "fallback-non-block" ( /* Fallback non block notification */ c( "notify-mail-recipient" /* Notify mail recipient */, "no-notify-mail-recipient" /* Don't notify mail recipient */, "custom-message" arg /* Custom message for notification */, "custom-message-subject" arg /* Custom message subject for notification */ ) ) ) end rule(:anti_virus_trickling) do c( "timeout" arg /* Trickling timeout */ ).as(:oneline) end rule(:any_filter) do arg.as(:arg) ( c( "interface-specific" /* Defined counters are interface specific */, "interface-shared" /* Filter is interface-shared */, "term" arg ( /* Define a firewall term */ c( "from" ( /* Define match criteria */ c( "interface" ( /* Match interface name */ match_interface_object_oam /* Match interface name */ ), "interface-set" ( /* Match interface in set */ match_interface_set_object /* Match interface in set */ ), c( "packet-length" arg, "packet-length-except" arg ), c( "forwarding-class" arg, "forwarding-class-except" arg ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), c( "policy-map" arg, "policy-map-except" arg ), "service-filter-hit" /* Match if service-filter-hit is set */ ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "single-packet-rate" arg /* Name of single-packet-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */, "two-packet-rate" arg /* Name of two-packet-rate three-color policer to use to rate-limit traffic */ ) ) ), "hierarchical-policer" arg /* Name of hierarchical policer to use to rate-limit traffic */ ), c( "clear-policy-map" /* Clear the policy marking */, "policy-map" arg /* Policy map action */ ), "count" arg /* Count the packet in the named counter */, "service-accounting" /* Count the packets for service accounting */, "service-accounting-deferred" /* Count the packets for deferred service accounting */, "service-filter-hit" /* Signal subsequent filters in the chain that packet was processed */, "force-premium" /* Process packets as premium traffic by subsequent hierarchical policers */, "loss-priority" ( /* Classify packet to loss-priority */ ("low" | "high" | "medium-low" | "medium-high") ), "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "port-mirror" /* Port-mirror the packet */, "forwarding-class" arg /* Classify packet to forwarding class */, c( "encapsulate" /* Send to a tunnel */.as(:oneline), "accept" /* Accept the packet */, "discard" /* Discard the packet */, "next" ( /* Continue to next term in a filter */ ("term") ) ) ) ), "template" /* Refer a template */ ) ) ) ) end rule(:any_template) do arg.as(:arg) ( c( "attributes" ( /* Template attributes */ c( "forwarding-class" /* Match forwarding class */, "forwarding-class-except" /* Do not match forwarding class */, "interface" /* Match interface name */, "interface-set" /* Match interface in set */, "loss-priority" /* Match Loss Priority */, "loss-priority-except" /* Do not match Loss Priority */, "packet-length" /* Match packet length */, "packet-length-except" /* Do not match packet length */ ) ) ) ) end rule(:apbr_rule_type) do arg.as(:arg) ( c( "match" ( /* Specify security rule match-criteria */ c( "dynamic-application" ( (arg | "junos:UNKNOWN") ), "dynamic-application-group" ( (arg | "junos:unassigned") ), "category" ( (arg | arg) ) ) ), "then" ( /* Specify rule action to take when packet match criteria */ c( "routing-instance" ( /* Packets are directed to specified routing instance */ sc( arg /* Name of routing instance */ ) ).as(:oneline), "sla-rule" ( /* SLA Rule */ c( arg /* SLA rule name */ ) ) ) ) ) ) end rule(:appfw_rule_type) do arg.as(:arg) ( c( "match" ( /* Specify security rule match-criteria */ c( "dynamic-application" ( (arg | "junos:UNKNOWN") ), "dynamic-application-group" ( (arg | "junos:unassigned") ), "ssl-encryption" ( /* Select SSL encryption rules */ ("any" | "yes" | "no") ) ) ), "then" ( /* Specify rule action to take when packet match criteria */ c( c( "permit" /* Permit packets */, "deny" ( /* Deny packets */ c( "block-message" /* Redirect sessions */ ) ), "reject" ( /* Reject packets */ c( "block-message" /* Redirect sessions */ ) ) ) ) ) ) ) end rule(:application_object) do arg.as(:arg) ( c( "description" arg /* Text description of application */, "term" ( /* Define individual application protocols */ term_object /* Define individual application protocols */ ), "application-protocol" ( /* Application protocol type */ ("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp") ), "protocol" ( /* Match IP protocol type */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "source-port" ( /* Match TCP/UDP source port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port" ( /* Match TCP/UDP destination port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "ether-type" arg /* Match ether type */, "snmp-command" arg /* Match SNMP command */, "icmp-type" ( /* Match ICMP message type */ ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp6-type" ( /* Match ICMP6 message type */ ("echo-request" | "echo-reply" | "destination-unreachable" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "packet-too-big" | "membership-query" | "membership-report" | "membership-termination" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | arg) ), "icmp-code" ( /* Match ICMP message code */ ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp6-code" ( /* Match ICMP6 message code */ ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ), "ttl-threshold" arg /* Traceroute TTL threshold */, "rpc-program-number" arg /* Match range of RPC program numbers */, "uuid" arg /* Match universal unique identifier for DCE RPC objects */, "inactivity-timeout" ( /* Application-specific inactivity timeout */ ("never" | arg) ), "gate-timeout" arg /* Application-specific gate timeout */, "child-inactivity-timeout" arg /* Application-specific child session inactivity timeout */, "learn-sip-register" /* Learn potential incoming SIP calls by inspecting the SIP register method */, "sip-call-hold-timeout" arg /* SIP flow timeout when call is put on hold */, c( "do-not-translate-AAAA-query-to-A-query" /* Knob to control the translation of AAAA query to A query */, "do-not-translate-A-query-to-AAAA-query" /* Knob to control the translation of A query to AAAA query */ ) ) ) end rule(:application_set_object) do arg.as(:arg) ( c( "description" arg /* Text description of application set */, "application" arg /* Application to be included in the set */, "application-set" arg /* Define an application-set */ ) ) end rule(:appqoe_probe_params) do c( "data-fill" ( /* Probe Data Payload content */ c( arg ) ), "data-size" ( /* Probe data size */ c( arg ) ), "probe-interval" ( /* Time interval between 2 consecutive probes */ c( arg ) ), "probe-count" ( /* Minimum number of samples to be collected to evaluate SLA measurement */ c( arg ) ), "burst-size" ( /* Number of probes out of probe count to be sent as a burst */ c( arg ) ), "sla-export-interval" ( /* Enabled time based SLA exporting */ c( arg ) ), "dscp-code-points" ( /* Mapping of code point aliases to bit strings */ c( arg /* DSCP */ ) ) ) end rule(:appqoe_probe_path) do c( "local" ( /* Local node's info */ appqoe_node /* Local node's info */ ), "remote" ( /* Remote node's info */ appqoe_node /* Remote node's info */ ) ) end rule(:appqoe_node) do c( "ip-address" ( /* Set IP address */ c( ipv4addr /* IP address */ ) ) ) end rule(:appqoe_sla_metric_profile) do c( "delay-round-trip" ( /* Maximum acceptable delay */ c( arg ) ), "jitter" ( /* Maximum acceptable jitter */ c( arg ) ), "jitter-type" ( /* Type of Jitter */ c( c( "two-way-jitter" /* Two-way-jitter-type */, "egress-jitter" /* Egress-jitter-type */, "ingress-jitter" /* Ingress-jitter-type */ ) ) ), "packet-loss" ( /* Maximum acceptable packet-loss */ c( arg ) ), "match" ( /* Type of SLA match */ c( c( "any-one" /* Match any one strings */, "all" /* Match all metrics */ ) ) ) ) end rule(:aps_type) do c( c( "working-circuit" arg /* Working circuit group name */, "protect-circuit" arg /* Protect circuit group name */ ), "annex-b" /* Annex-b mode */, "wait-to-restore-time" arg /* Circuit wait-to-restore time for annex-b */, "preserve-interface" /* Preserve interface state for fast failover */, "neighbor" ( /* Neighbor address */ ipv4addr /* Neighbor address */ ), "paired-group" arg /* Name of paired APS group */, "authentication-key" ( /* Authentication parameters */ sc( unreadable /* Authentication key */ ) ).as(:oneline), "switching-mode" ( /* APS switching mode */ ("bidirectional" | "unidirectional") ), "advertise-interval" arg /* Advertise interval */, "hold-time" arg /* Hold time */, "revert-time" arg /* Circuit revert time */, "break-before-make" /* Ensure only one interface is active at a time */, "no-break-before-make" /* Don't ensure only one interface is active at a time */, c( "request" ( /* Request circuit state */ ("protect" | "working") ), "force" ( /* Force circuit state */ ("protect" | "working") ), "lockout" /* Lockout protection */ ), "fast-aps-switch" /* Fast aps switch */ ) end rule(:atm_policer_type) do arg.as(:arg) ( c( "logical-interface-policer" /* Policer is logical interface policer */, "atm-service" ( /* ATM service category */ ("cbr" | "rtvbr" | "nrtvbr" | "ubr") ), "peak-rate" arg /* ATM Peak Cell Rate (PCR) */, "sustained-rate" arg /* ATM Sustained Cell Rate (SCR) */, "max-burst-size" arg /* ATM Maximum Burst Size (MBS) */, "cdvt" arg /* Cell Delay Variation Tolerance */, "policing-action" ( /* Policing action */ ("count" | "discard" | "discard-tag") ) ) ) end rule(:authentication_source_type) do ("local-authentication-table" | "unified-access-control" | "firewall-authentication" | "active-directory-authentication-table" | "aruba-clearpass").as(:arg) ( c( c( "priority" arg /* Larger number means lower priority, 0 for disable */ ) ) ) end rule(:auto_configure_vlan_type) do c( "stacked-vlan-ranges" ( /* Stacked Vlan Range configuration */ c( "dynamic-profile" arg ( /* Attach dynamic-profile to ranges */ c( "accept" ( enum(("inet" | "inet6" | "pppoe" | "dhcp-v4" | "dhcp-v6" | "any")) ), "ranges" arg /* Configure interface based on stacked-vlan range */, "access-profile" ( /* Auto-configure VLAN access profile for these ranges */ sc( arg ) ).as(:oneline) ) ), "override" ( /* SVLAN profile override specification */ c( "outer-tag" arg ( /* Specify pair of SVLAN tags for profile override */ c( "inner-tag" arg /* Stacked-vlan inner tag to be overridden */, "dynamic-profile" arg /* Dynamic profile to override with */ ) ) ) ), "authentication" ( /* Auto-configure stacked VLAN authentication */ auto_configure_authentication_type /* Auto-configure stacked VLAN authentication */ ), "access-profile" ( /* Auto-configure stacked VLAN access profile */ sc( arg ) ).as(:oneline) ) ), "vlan-ranges" ( /* Vlan Range configuration */ c( "dynamic-profile" arg ( /* Attach dynamic-profile to ranges */ c( c( "accept" ( enum(("inet" | "inet6" | "pppoe" | "dhcp-v4" | "dhcp-v6" | "any")) ), "accept-out-of-band" ( enum(("ancp")) ) ), "ranges" arg /* Configure interface based on vlan range */, "access-profile" ( /* Auto-configure VLAN access profile for these ranges */ sc( arg ) ).as(:oneline) ) ), "override" ( /* VLAN profile override specification */ c( "tag" arg ( /* Specify VLAN tag for profile override */ c( "dynamic-profile" arg /* Dynamic profile to override with */ ) ) ) ), "authentication" ( /* Auto-configure VLAN authentication */ auto_configure_authentication_type /* Auto-configure VLAN authentication */ ), "access-profile" ( /* Auto-configure VLAN access profile */ sc( arg ) ).as(:oneline) ) ), "agent-circuit-identifier" /* ACI configuration */, "line-identity" /* Line-identity configuration */, "remove-when-no-subscribers" /* Requests auto-deletion of interface when not in use by subscribers */ ) end rule(:auto_configure_authentication_type) do c( "packet-types" ( enum(("inet" | "inet6" | "pppoe" | "dhcp-v4" | "dhcp-v6" | "any")) ), "password" arg /* Username password */, "username-include" ( /* Username options */ c( "delimiter" arg /* Delimiter/separator character */, "domain-name" arg /* Domain name */, "user-prefix" arg /* User defined prefix */, "mac-address" /* Include MAC address */, "option-82" ( /* Include option 82 */ sc( "circuit-id" /* Include option 82 circuit-id (sub option 1) */, "remote-id" /* Include option 82 remote-id (sub option 2) */ ) ).as(:oneline), "option-18" /* Include option 18 for dhcp-v6 */, "option-37" /* Include option 37 for dhcp-v6 */, "circuit-type" /* Include circuit type */, "radius-realm" arg /* Include Radius realm name */, "interface-name" /* Include interface name */, "vlan-tags" /* Include vlan tag(s) */ ) ) ) end rule(:bgp_logical_system) do arg.as(:arg) ( c( "routing-instances" ( /* Routing instances */ bgp_routing_instances /* Routing instances */ ) ) ) end rule(:bgp_routing_instances) do arg.as(:arg) end rule(:category_list_type) do arg.as(:arg) ( c( "value" arg /* Configure value of category-list object */ ) ) end rule(:ccc_filter) do arg.as(:arg) ( c( "accounting-profile" arg /* Accounting profile name */, "interface-specific" /* Any counters defined will be interface specific */, "physical-interface-filter" /* Filter is physical interface filter */, "term" arg ( /* Define a firewall term */ c( "filter" arg /* Filter to include */, "from" ( /* Define match criteria */ c( c( "interface-group" arg, "interface-group-except" arg ), c( "forwarding-class" arg, "forwarding-class-except" arg ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), c( "learn-vlan-1p-priority" arg, "learn-vlan-1p-priority-except" arg ), c( "user-vlan-1p-priority" arg, "user-vlan-1p-priority-except" arg ), "destination-mac-address" ( /* Destination MAC address */ firewall_mac_addr_object /* Destination MAC address */ ), "is-host-packet" /* Match if packet is host generated */, "source-mac-address" ( /* Source MAC address */ firewall_mac_addr_object /* Source MAC address */ ), "ip-source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "ip-destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), c( "dscp" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "dscp-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "ip-precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "ip-precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ), c( "ip-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ip-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "icmp-type" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp-type-except" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ) ), c( "icmp-code" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp-code-except" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "policy-map" arg, "policy-map-except" arg ), c( "flexible-match-mask" ( /* Match flexible mask */ match_l2_flexible_mask /* Match flexible mask */ ) ), c( "flexible-match-range" ( /* Match flexible range */ match_l2_flexible_range /* Match flexible range */ ) ), c( "user-vlan-id" arg, "user-vlan-id-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "single-packet-rate" arg /* Name of single-packet-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */, "two-packet-rate" arg /* Name of two-packet-rate three-color policer to use to rate-limit traffic */ ) ) ), "hierarchical-policer" arg /* Name of hierarchical policer to use to rate-limit traffic */ ), c( "clear-policy-map" /* Clear the policy marking */, "policy-map" arg /* Policy map action */ ), "count" arg /* Count the packet in the named counter */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "port-mirror-instance" arg /* Port-mirror the packet to the specified instance */, "next-hop-group" arg /* Use specified next-hop group */, "port-mirror" /* Port-mirror the packet */, "packet-mode" /* Bypass flow mode for the packet */, "force-premium" /* Convert traffic-class to premium */, "log" /* Log the packet */, "syslog" /* System log (syslog) information about the packet */, c( "encapsulate" /* Send to a tunnel */.as(:oneline), "accept" /* Accept the packet */, "discard" /* Discard the packet */, "next" ( /* Continue to next term in a filter */ ("term") ) ) ) ) ) ) ) ) end rule(:certificate_object) do arg.as(:arg) ( c( arg /* Certificate and private key string */ ) ) end rule(:chassis_type) do c( "copy-tos-to-outer" /* Copy TOS from inner to outer header */, "nssu" /* Nonstop Software Upgrade settings */, "psu" /* Power Supply Unit redundancy configuration */, "fpc-resync" /* Send and receive Nchip cells for newly onlined FPC */, "craft-lockout" /* Disable craft interface input */, "config-button" ( /* Config button behavior settings */ sc( "no-rescue" /* Don't reset to rescue configuration */, "no-clear" /* Don't reset to factory-default configuration */ ) ).as(:oneline), "routing-engine-power-off-button-disable" /* Disable RE power off button */, "source-route" /* Enable IP source-route processing */, "no-source-route" /* Don't enable IP source-route processing */, "packet-scheduling" /* Enable DX2.0 packet scheduling */, "no-packet-scheduling" /* Don't enable DX2.0 packet scheduling */, "route-memory-enhanced" /* Enhance memory allocation for routes */, "policer-drop-probability-low" /* Set policer probabilistic drop probability to Minimum */, "policer-limit" /* Limit the policer tick unit to 32 bytes */, "enhanced-policer" /* Enhanced Policer Counters */, "effective-shaping-rate" /* Report effective shaping rate */, "memory-enhanced" /* Enhance memory allocation */, "vrf-mtu-check" /* Enable Internet Processor II-based MTU check */, "icmp" /* ICMP protocol */, "routing-performance" /* Alter routing performance */, "icmp6" /* ICMP version 6 protocol */, "maximum-ecmp" arg /* Maximum ECMP limit for nexthops */, "ecmp-alb" /* Enable adaptive load balancing for ECMP nexthops */, "redundancy" ( /* Redundancy settings */ chassis_redundancy_type /* Redundancy settings */ ), "routing-engine" ( /* Routing Engine settings */ chassis_routing_engine_type /* Routing Engine settings */ ), "aggregated-devices" ( /* Aggregated devices configuration */ chassis_agg_dev_type /* Aggregated devices configuration */ ), "disk-partition" enum(("/var" | "/config")) ( /* Chassis disk monitor configuration */ c( "level" enum(("high" | "full")) ( /* Threshold level */ c( "free-space" ( /* Enter threshold value & choose the metric */ sc( arg, c( "percent" /* Free space threshold in % */, "mb" /* Free space threshold in MB */ ) ) ).as(:oneline) ) ) ) ), "container-devices" ( /* Container devices configuration */ chassisd_agg_container_type /* Container devices configuration */ ), "pseudowire-service" ( /* Pseudowire L3 termination device configuration */ chassis_pw_type /* Pseudowire L3 termination device configuration */ ), "provider-instance-devices" ( /* Provider instance devices configuration */ chassisd_provider_instance_type /* Provider instance devices configuration */ ), "redundancy-group" ( /* Redundancy group configuration */ chassisd_redundancy_group_type /* Redundancy group configuration */ ), "fabric" ( /* Switch fabric settings */ chassis_fabric_type /* Switch fabric settings */ ), "fpc" ( /* Flexible PIC Concentrator parameters */ chassis_fpc_type /* Flexible PIC Concentrator parameters */ ), "disable-fm" /* Disable Fabric Manager */, "disable-power-management" /* Disable Power Management in this chassis */, "dedicated-ukern-cpu" /* Run Microkernel on a dedicated CPU core */, "realtime-ukern-thread" /* Run Microkernel on a realtime CPU thread */, "fpc-feb-connectivity" /* Connectivity between Flexible PIC Concentrators and Forwarding Engine Boards */, "ioc-npc-connectivity" /* Connectivity between IOC and NPC */, "pem" ( /* Power supply (PEM) parameters */ chassis_pem_type /* Power supply (PEM) parameters */ ), "sib" ( /* Switch Interface Board parameters */ chassis_sib_type /* Switch Interface Board parameters */ ), "sfm" ( /* Switching and Forwarding Module parameters */ chassis_sfm_type /* Switching and Forwarding Module parameters */ ), "feb" ( /* Forwarding Engine Board parameters */ chassis_feb_type /* Forwarding Engine Board parameters */ ), "afeb" ( /* Forwarding Engine Board parameters */ chassis_feb_type /* Forwarding Engine Board parameters */ ), "tfeb" ( /* Taz Forwarding Engine Board parameters */ chassis_feb_type /* Taz Forwarding Engine Board parameters */ ), "alarm" ( /* Global alarm settings */ chassis_alarm_type /* Global alarm settings */ ), "slow-pfe-alarm" /* Enable slow (potential) PFE alarm */, "fpc-ifl-ae-statistics" /* Enable fpc ifl ae child statistics */, "ppp-subscriber-services" arg /* Select PPP subscriber services */, "ambient-temperature" arg /* Chassis ambient-temperature value in degree celsius */, "network-services" arg /* Chassis network services configuration */, "limited-ifl-scaling" /* Configured to limit IFL scaling to 64k */, "usb" /* USB control flags */, "lcc" arg ( /* Line-card chassis configuration */ c( "fpc" ( /* Flexible PIC Concentrator parameters */ chassis_fpc_type /* Flexible PIC Concentrator parameters */ ), "pem" ( /* Power supply (PEM) parameters */ chassis_pem_type /* Power supply (PEM) parameters */ ), "spmb" /* Switch Processor Mezzanine Board parameters */, c( "online-expected" /* LCC is expected to be online */, "offline" /* LCC is expected to be offline */ ) ) ), "lcc-mode" /* Line card chassis mode T4000/T1600/EMPTY configuration */, "member" /* Member chassis configuration */, "host-outbound" /* Host-out bound options */, "synchronization" /* Clock synchronization options */, "lcd" /* Chassis LCD */, "forwarding-options" /* Configure options to control packet forwarding */, "lcd-menu" /* Chassis LCD menu */, "fru-poweron-sequence" arg /* FRUs power on sequence like 0 1 2 3 ... within double quotes */, "auto-image-upgrade" /* Auto image upgrade using DHCP */, "route-localization" /* Route-Localization settings */, "state" /* Set SFB upgrade state. */, "multicast-loadbalance" ( /* Multicast load balancing settings */ chassis_ae_lb_type /* Multicast load balancing settings */ ), "extended-statistics" /* Enable extended system statistics */, "error" ( /* Error level configuration for all FPC */ chassis_fpc_error_type /* Error level configuration for all FPC */ ), "pfe-error" ( /* PFE-scope error level configuration for all FPC */ chassis_fpc_error_type /* PFE-scope error level configuration for all FPC */ ), "oss-map" ( /* Translate Operation Supported System's requirements */ c( "model-name" ( /* Override chassis model name for specific show/snmp output */ ("t640" | "t1600") ) ) ), "satellite" arg /* List of available satellite configurations */, "preserve-fpc-poweron-sequence" /* Preserve MPC poweron sequence for consistency across reboot */, "auto-satellite-conversion" /* Enable remote conversion to satellite device-mode */, "satellite-management" ( /* Satellite management configuration */ c( "firewall" ( /* Define a firewall configuration */ c( "family" ( /* Protocol family */ c( "bridge" ( /* Protocol family BRIDGE for firewall filter */ c( "filter" ( satellite_bridge_filter ) ) ), "ethernet-switching" /* Protocol family Ethernet Switching for firewall filter */ ) ) ) ) ) ), "periodic" /* Chassisd periodic options */, "turbotx-disable" /* Disable turbotx processing */, "system-domains" /* Root and protected system domain configuration */, "network-slices" /* Network slices configuration */, "cluster" ( /* Chassis cluster configuration */ c( "traceoptions" ( /* Set chassis cluster traceoptions */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("cli" | "configuration" | "eventlib" | "fsm" | "heartbeat" | "interface" | "routing-socket" | "uspipc" | "init" | "socket" | "snmp" | "ip-monitoring" | "hw-monitoring" | "fabric-monitoring" | "schedule-monitoring" | "heartbeat-tlv" | "all")) /* Tracing parameters */.as(:oneline), "level" ( /* Set level of tracing */ ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug" | "all") ) ) ), "control-link-recovery" /* Enable automatic control link recovery */, "reth-count" arg /* Number of redundant ethernet interfaces */, "control-ports" /* Enable specific chassis cluster control ports */.as(:oneline), "heartbeat-interval" arg /* Interval between successive heartbeats */, "heartbeat-threshold" arg /* Number of consecutive missed heartbeats to indicate device failure */, "network-management" /* Define parameters for network management */, "node" enum(("0" | "1")) /* Set the list of nodes in the cluster */, "redundancy-group" arg ( /* Set redundancy-group parameters */ c( "node" enum(("0" | "1")) ( /* Set node specific parameters */ sc( "priority" arg /* Priority of the node in the redundancy-group */ ) ).as(:oneline), "preempt" ( /* Allow preemption of primaryship based on priority */ c( "delay" arg /* Time to wait before taking over mastership */, "limit" arg /* Max number of preemptive failovers allowed */, "period" arg /* Time period during which the limit is applied */ ) ), "gratuitous-arp-count" arg /* Number of gratuitous ARPs to send on an active interface after failover */, "hold-down-interval" arg /* RG failover interval. RG0(300-1800) RG1+(0-1800) */, "interface-monitor" arg ( /* Define interfaces to monitor */ sc( "weight" arg /* Weight assigned to this interface that influences failover */ ) ).as(:oneline), "ip-monitoring" ( /* Define parameters for IP monitoring feature */ c( "global-weight" arg /* Define global weight for IP monitoring */, "global-threshold" arg /* Define global threshold for IP monitoring */, "retry-interval" arg /* Define the time interval in seconds between retries. */, "retry-count" arg /* Number of retries needed to declare reachablity failure */, "family" ( /* Define protocol family */ c( "inet" ( /* Define IPv4 related parameters */ c( ip_monitoring_address_type /* Define IP address related parameters */ ) ) ) ) ) ) ) ), "configuration-synchronize" ( /* Cluster configration action */ c( "no-secondary-bootup-auto" /* Disable auto configuration synchronize on secondary bootup */ ) ) ) ), "node" arg ( /* Set node specific parameters */ c( "fpc" ( /* Flexible PIC Concentrator parameters */ chassis_fpc_type /* Flexible PIC Concentrator parameters */ ) ) ) ) end rule(:chassis_pw_type) do c( "device-count" arg /* Number of pseudo-wire ps devices */ ) end rule(:chassis_ae_lb_type) do c( "disable" /* Disable Multicast load balancing */, "hash-mode" ( /* PFE hash mode */ ("crc-sgip" | "crc-gip" | "crc-sip" | "simple-sgip" | "simple-gip" | "simple-sip" | "balanced") ) ) end rule(:chassis_agg_dev_type) do c( "ae-20" /* Run AE over Container nexthops Infrastructure */, "ethernet" ( /* Aggregated device options for Ethernet */ chassisd_agg_enet_type /* Aggregated device options for Ethernet */ ), "sonet" ( /* Aggregated device options for SONET */ chassisd_agg_pos_type /* Aggregated device options for SONET */ ), "maximum-links" arg /* Maximum links limit for aggregated devices (16, 32, or 64) */ ) end rule(:chassis_alarm_type) do c( "management-ethernet" ( /* Management Ethernet alarms */ chassis_alarm_ethernet_type /* Management Ethernet alarms */ ), "otn-odu" ( /* OTN ODU alarms */ chassis_alarm_otn_odu_type /* OTN ODU alarms */ ), "otn-otu" ( /* OTN OTU alarms */ chassis_alarm_otn_otu_type /* OTN OTU alarms */ ), "sonet" ( /* SONET alarms */ chassis_alarm_sonet_type /* SONET alarms */ ), "t3" ( /* DS3 alarms */ chassis_alarm_ds3_type /* DS3 alarms */ ), "ds1" ( /* DS1 alarms */ chassis_alarm_ds1_type /* DS1 alarms */ ), "ethernet" ( /* Ethernet alarms */ chassis_alarm_ethernet_type /* Ethernet alarms */ ), "integrated-services" ( /* Integrated services alarms */ chassis_alarm_integrated_services_type /* Integrated services alarms */ ), "services" ( /* Services PIC alarms */ chassis_alarm_services_type /* Services PIC alarms */ ), "serial" ( /* Serial alarms */ chassis_alarm_serial_type /* Serial alarms */ ), "fibre-channel" ( /* Fibre Channel alarms */ chassis_alarm_fibre_channel_type /* Fibre Channel alarms */ ), "relay" ( /* Alarm relays */ chassis_alarm_relay_type /* Alarm relays */ ) ) end rule(:chassis_alarm_ds1_type) do c( "ais" ( /* Alarm indicator signal */ ("red" | "yellow" | "ignore") ), "ylw" ( /* Yellow alarm */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_ds3_type) do c( "ais" ( /* Alarm indicator signal */ ("red" | "yellow" | "ignore") ), "exz" ( /* Excessive zeros */ ("red" | "yellow" | "ignore") ), "ferf" ( /* Far-end failure */ ("red" | "yellow" | "ignore") ), "idle" ( /* Idle alarm */ ("red" | "yellow" | "ignore") ), "lcv" ( /* Line code violation */ ("red" | "yellow" | "ignore") ), "lof" ( /* Loss of frame */ ("red" | "yellow" | "ignore") ), "los" ( /* Loss of signal */ ("red" | "yellow" | "ignore") ), "pll" ( /* Phase-locked loop out of lock */ ("red" | "yellow" | "ignore") ), "ylw" ( /* Yellow alarm */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_ethernet_type) do c( "link-down" ( /* Link has gone down */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_fibre_channel_type) do c( "link-down" ( /* Link has gone down */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_integrated_services_type) do c( "failure" ( /* Integrated Services failure */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_otn_odu_type) do c( "odu-bdi" ( /* ODU backward-defect-indicator, ODU-BDI failure */ ("red" | "yellow" | "ignore") ), "odu-ttim" ( /* ODU trail-trace-identifier-mismatch, ODU-TTIM failure */ ("red" | "yellow" | "ignore") ), "odu-ptim" ( /* ODU payload-type-mismatch, ODU-PTIM failure */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_otn_otu_type) do c( "oc-los" ( /* Loss of signal, LOS failure */ ("red" | "yellow" | "ignore") ), "oc-lof" ( /* Loss of framing, LOF failure */ ("red" | "yellow" | "ignore") ), "oc-lom" ( /* Loss of multiframe, LOM failure */ ("red" | "yellow" | "ignore") ), "wavelength-lock" ( /* Wavelength lock alarm */ ("red" | "yellow" | "ignore") ), "otu-bdi" ( /* OTU backward-defect-indicator, OTU-BDI failure */ ("red" | "yellow" | "ignore") ), "otu-iae" ( /* OTU incoming-alignment-error, OTU-IAE failure */ ("red" | "yellow" | "ignore") ), "otu-ttim" ( /* OTU trail-trace-identifier-mismatch, OTU-TTIM failure */ ("red" | "yellow" | "ignore") ), "otu-fec-excessive-errs" ( /* OTU fec-excessive-errors, OTU-FEC_EXE failure */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_relay_type) do c( "input" /* Input relays */, "output" /* Output relays */ ) end rule(:chassis_alarm_serial_type) do c( "loss-of-rx-clock" ( /* RX clock absent */ ("red" | "yellow" | "ignore") ), "loss-of-tx-clock" ( /* TX clock absent */ ("red" | "yellow" | "ignore") ), "dcd-absent" ( /* DCD signal absent */ ("red" | "yellow" | "ignore") ), "cts-absent" ( /* CTS signal absent */ ("red" | "yellow" | "ignore") ), "dsr-absent" ( /* DSR signal absent */ ("red" | "yellow" | "ignore") ), "tm-absent" ( /* TM signal absent */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_services_type) do c( "pic-reset" ( /* Services PIC reset */ ("red" | "yellow" | "ignore") ), "pic-hold-reset" ( /* Services PIC held in reset */ ("red" | "yellow" | "ignore") ), "linkdown" ( /* Services PIC linkdown */ ("red" | "yellow" | "ignore") ), "rx-errors" ( /* Services PIC excessive rx errors */ ("red" | "yellow" | "ignore") ), "tx-errors" ( /* Services PIC excessive tx errors */ ("red" | "yellow" | "ignore") ), "sw-down" ( /* Services PIC software problem */ ("red" | "yellow" | "ignore") ), "hw-down" ( /* Services PIC hardware problem */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_alarm_sonet_type) do c( "lol" ( /* Loss of light */ ("red" | "yellow" | "ignore") ), "pll" ( /* Phase locked loop out of lock */ ("red" | "yellow" | "ignore") ), "lof" ( /* Loss of framing, LOF failure */ ("red" | "yellow" | "ignore") ), "los" ( /* Loss of signal, LOS failure */ ("red" | "yellow" | "ignore") ), "ais-l" ( /* Line alarm indication signal, AIS-L failure */ ("red" | "yellow" | "ignore") ), "ais-p" ( /* Path alarm indication signal, AIS-P failure */ ("red" | "yellow" | "ignore") ), "lop-p" ( /* Loss of pointer, LOP-P failure */ ("red" | "yellow" | "ignore") ), "ber-sd" ( /* Signal Degrade (SD), bit error rate > 1E-6 */ ("red" | "yellow" | "ignore") ), "ber-sf" ( /* Signal Fail (SF), bit error rate > 1E-3 */ ("red" | "yellow" | "ignore") ), "rfi-l" ( /* Line remote failure indication, RFI-L, line FERF */ ("red" | "yellow" | "ignore") ), "rfi-p" ( /* Path remote failure indication, RFI-P, STS path yellow */ ("red" | "yellow" | "ignore") ), "uneq-p" ( /* STS Path (C2) unequipped, UNEQ-P failure */ ("red" | "yellow" | "ignore") ), "locd" ( /* Loss of cell delineation (ATM only) */ ("red" | "yellow" | "ignore") ), "plm-p" ( /* STS payload label (C2) mismatch, PLM-P failure */ ("red" | "yellow" | "ignore") ) ) end rule(:chassis_fabric_type) do c( "upgrade-mode" arg /* Enable online switch fabric upgrade */, "degraded" /* Degraded fabric configuration */, "redundancy-mode" /* Fabric redundancy mode */, "disable-grant-bypass" /* Disable fabric grant-bypass mode */ ) end rule(:chassis_feb_type) do c( "sanity-poll" /* FPC register sanity poll */, "slot" ) end rule(:chassis_fpc_error_type) do c( "fatal" ( /* FPC Fatal errors (default threshold = 1) */ chassis_fpc_error_level_major_fatal /* FPC Fatal errors (default threshold = 1) */ ), "major" ( /* FPC Major Level errors (default threshold = 1) */ chassis_fpc_error_level_major_fatal /* FPC Major Level errors (default threshold = 1) */ ), "minor" ( /* FPC Minor Level errors (default threshold = 10) */ chassis_fpc_error_level_minor /* FPC Minor Level errors (default threshold = 10) */ ), chassis_fru_cmerror_override_type /* Error configuration override */, "scope" ( /* Error scope */ chassis_fpc_scope_type /* Error scope */ ) ) end rule(:chassis_fpc_error_level_major_fatal) do c( "threshold" arg /* Error count at which to take the action */, "action" enum(("reset" | "offline" | "alarm" | "get-state" | "log" | "disable-pfe" | "offline-pic" | "fault")) /* Configure the action for this level */ ) end rule(:chassis_fpc_error_level_minor) do c( "threshold" arg /* Error count at which to take the action */, "action" enum(("reset" | "offline" | "alarm" | "get-state" | "log" | "disable-pfe" | "offline-pic" | "fault")) /* Configure the action for this level */ ) end rule(:chassis_fpc_scope_type) do c( "board" ( /* Board level scope */ chassis_fpc_scope_category /* Board level scope */ ), "pfe" ( /* Forwarding engine scope */ chassis_fpc_scope_category /* Forwarding engine scope */ ) ) end rule(:chassis_fpc_scope_category) do c( "category" ( /* FPC error category */ chassis_fpc_scope_category_type /* FPC error category */ ) ) end rule(:chassis_fpc_scope_category_type) do c( "functional" ( /* FPC functional category */ chassis_fpc_scope_category_error_type /* FPC functional category */ ), "memory" ( /* FPC memory category */ chassis_fpc_scope_category_error_type /* FPC memory category */ ), "io" ( /* FPC input-output category */ chassis_fpc_scope_category_error_type /* FPC input-output category */ ), "storage" ( /* FPC storage category */ chassis_fpc_scope_category_error_type /* FPC storage category */ ), "switch" ( /* FPC switch category */ chassis_fpc_scope_category_error_type /* FPC switch category */ ), "processing" ( /* FPC processing category */ chassis_fpc_scope_category_error_type /* FPC processing category */ ) ) end rule(:chassis_fpc_scope_category_error_type) do c( "fatal" ( /* FPC Fatal errors (default threshold = 1) */ chassis_fpc_error_level_type /* FPC Fatal errors (default threshold = 1) */ ), "major" ( /* FPC Major Level errors (default threshold = 1) */ chassis_fpc_error_level_type /* FPC Major Level errors (default threshold = 1) */ ), "minor" ( /* FPC Minor Level errors (default threshold = 10) */ chassis_fpc_error_level_type /* FPC Minor Level errors (default threshold = 10) */ ) ) end rule(:chassis_fpc_error_level_type) do c( "threshold" arg /* Error count at which to take the action (0 - valid for minor only) */, "action" enum(("reset" | "offline" | "alarm" | "get-state" | "log" | "disable-pfe" | "offline-pic")) /* Configure the action for this level */ ) end rule(:chassis_fpc_type) do arg.as(:arg) ( c( "auto-speed-detection" /* Disables auto-speed detection */, "ukern-trace" /* Set ukern trace */, "sanity-poll" /* FPC register sanity poll */, "forwarding-options" /* Configure options to control packet forwarding */, "pic" ( /* Physical Interface Card number */ chassis_pic_type /* Physical Interface Card number */ ), "optical-options" /* Integrated Photonic Line Card settings */, "power" arg /* Power FPCs on or off */, "traffic-manager" /* Configure traffic-manager attributes */, "route-localization" arg /* Route-Localization fib-remote or fib-local */, "vpn-localization" arg /* VPN-localization core-facing-only or core-facing-default */, "power-budget-priority" arg /* FPC priority number */, c( "disable-power" /* Do not provide power to the card */, "allow-sram-parity-errors" /* Do not power cycle FPC when SRAM parity errors occur */ ), c( "performance-mode" /* Enable performance mode, FPC will restart if mode changes from lite mode to performance mode */, "lite-mode" /* Enable lite mode, FPC will restart if mode changes from performance mode to lite mode */ ), "services-offload" /* Enable services offload on fpc */, "np-cache" /* Enable NP cache and services offload on fpc */, "offline" /* Keep FPC offline */, "offline-on-fabric-bandwidth-reduction" /* Bring FPC offline when running with reduced fabric bandwidth */, "ir-mode" arg /* Configure IR or R mode for MPC4 and above cards */, "license-mode" arg /* Configure license mode for PTX FPC3 and later cards */, "fabric", "port-mirror-instance", "sampling-instance", "inline-services", "inline-video-monitoring", "application-services" /* Application services configuration */, "slamon-services" /* SLA monitoring services */, "flexible-queuing-mode" /* Enable flexible queuing mode */, "loopback-device-count" arg /* Number of loopbacks */, "interasic-linkerror-recovery-enable" /* Enable inter-asic link error recovery */, "number-of-ports" arg /* Number of physical ports to enable on FPC */, "pfe" ( /* Packet forwarding engine parameters */ chassis_pfe_type /* Packet forwarding engine parameters */ ), "service-package" arg /* Service package to be loaded on FPC */, "max-queues" arg /* Maximum number of queues configurable on FPC */, "bandwidth" arg /* Configure bandwidth of FPC */, "pfe-bandwidth" arg /* Configure per PFE bandwidth */, "error" ( /* Error level configuration for FPC */ chassis_fpc_error_type /* Error level configuration for FPC */ ), "pfe-error" ( /* PFE-scope error level configuration for FPC */ chassis_fpc_error_type /* PFE-scope error level configuration for FPC */ ) ) ) end rule(:chassis_fru_cmerror_override_type) do arg.as(:arg) ( c( "state" ( /* State */ ("disable") ), "severity" ( /* Severity */ ("minor" | "major" | "fatal") ) ) ) end rule(:chassis_pem_type) do c( "minimum" arg /* Minimum number of power supplies required for normal operation */, "feeds" arg /* Number of input feeds required */, "input-current" ( /* Input current (Amps) in each feed */ ("40" | "60") ) ) end rule(:chassis_pfe_type) do arg.as(:arg) ( c( "forwarding-packages" /* Associated forwarding package configuration */, "power" arg /* Power PFEs on or off */, "tunnel-services" /* Tunnel services configuration */ ) ) end rule(:chassis_pic_type) do arg.as(:arg) ( c( "pic-mode" ( /* PIC mode configuration */ ("10G" | "40G" | "100G") ), "tunnel-port" ( /* Tunnel port number */ chassis_port_type /* Tunnel port number */ ), "tunnel-services" /* Tunnel services configuration */, "interface-type" arg /* Interface prefix */, "inline-services" /* Inline services configuration */, c( "adaptive-services" /* Adaptive services configuration */, "monitoring-services" /* Monitoring services configuration */ ), "no-mcast-replication" /* No mcast replication */, "ggsn-services" /* GGSN services configuration */, "framing" ( /* Framing mode */ ("sonet" | "sdh" | "t3" | "e3" | "t1" | "e1" | "lan") ), "synchronization" /* PIC synchronization source */, "recovered-clock" /* Select recovered clock for this port */, "vtmapping" ( /* Virtual tunnel mapping mode */ ("klm" | "itu-t") ), "no-concatenate" /* Do not concatenate channels */, "no-multi-rate" /* Disable multi-rate mode */, "channelization" /* Enable Channelization */, "linerate-mode" /* Disable oversubscription. PIC operates in line rate mode */, "speed" arg /* Port speed */, "mixed-rate-mode" /* PIC operates in mixed-rate-mode. Speed and AE configurable for PIC Ports */, "no-pre-classifier" /* No pre-classification of packets */, "aggregate-ports" /* Aggregate multiple ports on a PIC as a single port */, "number-of-ports" arg /* Number of physical ports to enable on PIC */, "power" arg /* Power off PIC */, "pic-type" arg /* OID of PIC type to be configured */, "aggregated-devices" /* Aggregated devices configuration */, "sparse-dlcis" /* Run in sparse data-link connection identifier mode */, "multi-link-layer-2-inline" /* Enable inline layer-2 services */, "q-pic-large-buffer" ( /* Run in large delay buffer mode */ c( c( "small-scale" /* Supports less number of interfaces */, "large-scale" /* Supports large number of interfaces */ ) ) ), "red-buffer-occupancy" ( /* Computation type for RED buffer occupancy */ c( "weighted-averaged" ( /* Weighted-average computation */ c( "instant-usage-weight-exponent" arg /* Weight for instant buffer usage (negative exponent of 2) */ ) ) ) ), "traffic-manager" ( /* Configure traffic manager attributes */ c( "ingress-shaping-overhead" arg /* Number of CoS shaping overhead bytes in ingress */, "egress-shaping-overhead" arg /* Number of CoS shaping overhead bytes in egress */, "queue-buffer-size" ( /* Set the buffer size of output queue */ ("small") ), "mode" ( /* Configure traffic manager mode */ ("egress-only" | "session-shaping" | "ingress-and-egress") ) ) ), "idle-cell-format" ( /* ATM idle cell configuration */ c( "itu-t" /* ITU-T idle cell header format */, "payload-pattern" arg /* Payload pattern byte (0x00-0xff) */ ) ), "atm-l2circuit-mode" ( /* Enable ATM Layer 2 circuit transport mode */ c( c( "aal5" /* ATM Layer 2 circuit AAL5 mode */, "cell" /* ATM Layer 2 circuit cell mode */, "trunk" ( /* Set ATM Layer 2 circuit trunk mode */ c( c( "uni" /* ATM Layer 2 circuit user-to-network interface trunk mode */, "nni" /* ATM Layer 2 circuit network-to-network interface trunk mode */ ) ) ) ) ) ), "atm-cell-relay-accumulation" /* Enable ATM cell-relay accumulation mode */, "services-offload" /* Enable services offload */, "mlfr-uni-nni-bundles" arg /* Number of multilink Frame Relay UNI NNI (FRF.16) bundles to allocate on PIC */, "mlfr-uni-nni-bundles-inline" arg /* Number of inline multilink frame relay UNI NNI bundles */, "ct3" ( /* CT3 NxDS0 PIC configuration */ c( "port" ( /* CT3 port */ ct3_port_type /* CT3 port */ ) ) ), "ce1" ( /* CE1 NxDS0 PIC configuration */ c( "e1" ( /* E1 link */ ce1_channel_type /* E1 link */ ) ) ), "max-queues-per-interface" ( /* Maximum number of queues per interface on QOS-capable PIC */ ("4" | "8") ), "shdsl" ( /* SHDSL chassis configuration */ c( "pic-mode" ( /* PIC mode */ ("1-port-atm" | "2-port-atm" | "4-port-atm" | "efm") ) ) ), "ethernet" /* J-series Ethernet PIM mode configuration */, "tunnel-queuing" /* Enable queueing for GRE/IPIP tunnels */, "port-mirror-instance" arg, "port" ( /* Port number */ chassis_pic_port_framing /* Port number */ ), "port-range" /* Physical ports to channelize */, "fibre-channel" ( /* Fibre channel configuration option */ chassis_fibre_channel_type /* Fibre channel configuration option */ ), "xe" /* Ports configurable in 10G mode */, "xle" /* Ports configurable in 40G mode */, "fte" /* Ports configurable in 40G HIGIG mode */, "qsfp-port" /* Qsfp port to configure */, "sfpplus" /* Sfpplus configuration option */, "hash-key" /* Select data used in the hash key */, "ingress-policer-overhead" arg /* Number of policer overhead bytes in ingress */, "egress-policer-overhead" arg /* Number of policer overhead bytes in egress */, "account-layer2-overhead" /* Account Layer2 overhead in egress and ingress IFD/IFL stats */, "forwarding-mode" /* Set 100GE PIC packet distribution mode */ ) ) end rule(:ce1_channel_type) do arg.as(:arg) ( c( "channel-group" arg ( /* Define channel group */ sc( "timeslots" arg /* DS0 timeslots (1..31); for example, 1-3,4,9,22-24 (no spaces) */ ) ).as(:oneline) ) ) end rule(:chassis_fibre_channel_type) do c( "port" /* Fibre channel port */, "port-range" ( /* Fibre channel port range */ s( arg, arg ) ) ) end rule(:chassis_pic_port_framing) do arg.as(:arg) ( c( "short-reach-mode" arg /* Short reach mode (For ports 0...47) */, "framing" ( /* Framing mode */ ("sonet" | "sdh" | "t3" | "e3" | "t1" | "e1") ), "number-of-sub-ports" arg /* Number of subports per physical port */, "speed" ( /* Port speed */ ("oc3-stm1" | "oc12-stm4" | "oc48-stm16" | "1G" | "10g" | "25g" | "40g" | "100g") ), "channel-speed" arg /* Port channel speed */, "forwarding-mode" /* PIC packet distribution mode - Brooklyn interop mode */, "no-mcast-replication" /* No multicast replication */, "traffic-manager" /* Configure per port traffic manager mode */ ) ) end rule(:chassis_port_type) do arg.as(:arg) ( c( "tunnel-services" /* Tunnel services configuration */ ) ) end rule(:chassis_redundancy_type) do c( "routing-engine" ( /* Redundancy options for Routing Engines */ chassis_rdd_re_type /* Redundancy options for Routing Engines */ ), "ssb" ( /* Redundancy options for System Switch Boards */ chassis_rdd_id_type /* Redundancy options for System Switch Boards */ ), "cfeb" ( /* Redundancy options for Compact Forwarding Engine Boards */ chassis_rdd_cfeb_id_type /* Redundancy options for Compact Forwarding Engine Boards */ ), "sfm" ( /* Redundancy options for Switching and Forwarding Modules */ chassis_rdd_sfm_id_type /* Redundancy options for Switching and Forwarding Modules */ ), "failover" ( /* Failover to other Routing Engine */ chassis_rdd_failover_type /* Failover to other Routing Engine */ ), "keepalive-time" arg /* Time before Routing Engine failover */, "graceful-switchover" ( /* Enable graceful switchover on supported hardware */ chassis_non_stop_forwarding_type /* Enable graceful switchover on supported hardware */ ), "feb" /* Forwarding Engine Board redundancy configuration */ ) end rule(:chassis_non_stop_forwarding_type) do c( "traceoptions" ( /* Graceful switchover trace options */ c( "flag" enum(("update" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) end rule(:chassis_rdd_cfeb_id_type) do arg.as(:arg) ( c( c( "always" /* Sole device */, "preferred" /* Preferred device */ ) ) ).as(:oneline) end rule(:chassis_rdd_failover_type) do c( "on-loss-of-keepalives" /* Failover on loss of keepalives */, "on-re-to-fpc-stale" /* Failover on loss of communication between the re and fpc */, "on-disk-failure" /* Failover on disk failure */, "not-on-disk-underperform" /* Prevent gstatd from initiating failovers in response to slow disks */, "disk-read-threshold" arg /* Read threshold (ms) on disk underperform monitoring */, "disk-write-threshold" arg /* Write threshold (ms) on disk underperform monitoring */, "on-loss-of-vm-host-connection" /* Failover on loss of vm host connection */ ) end rule(:chassis_rdd_id_type) do arg.as(:arg) ( c( c( "always" /* Sole device */, "preferred" /* Preferred device */ ) ) ).as(:oneline) end rule(:chassis_rdd_re_type) do arg.as(:arg) ( c( c( "master" /* Master Routing Engine */, "backup" /* Backup Routing Engine */, "disabled" /* Routing Engine disabled */ ) ) ).as(:oneline) end rule(:chassis_rdd_sfm_id_type) do arg.as(:arg) ( c( c( "always" /* Sole device */, "preferred" /* Preferred device */ ) ) ).as(:oneline) end rule(:chassis_routing_engine_type) do c( "on-disk-failure" ( /* Action to take when Routing Engine disk fails */ chassis_re_on_disk_failure /* Action to take when Routing Engine disk fails */ ), "control-interface" /* Configure recovery method and pause frame for control interface */, "bios" /* Routing Engine BIOS */, "usb-wwan" ( /* Enable WWAN (3G) access on the USB port */ c( "port" ( /* Select the port */ ("0" | "1") ) ) ) ) end rule(:chassis_re_on_disk_failure) do c( c( "reboot" /* Reboot on disk failure */, "disk-failure-action" ( ("reboot" | "halt") ) ) ).as(:oneline) end rule(:chassis_sfm_type) do arg.as(:arg) ( c( "power" ( /* Power SFMs on or off */ ("off" | "on") ), c( "disable-power" /* Do not enable power to the card */ ) ) ) end rule(:chassis_sib_type) do c( "minimum" arg /* Minimum number of Switch Interface Boards required for normal operation */, "power-off" /* Power off the SIB slot */ ) end rule(:chassisd_redundancy_group_type) do c( "interface-type" ( c( "redundant-logical-tunnel" ( /* Redundant logical tunnel interface group */ c( "device-count" arg /* Number of devices */ ) ), "redundant-virtual-tunnel" ( /* Redundant virtual tunnel interface group */ c( "device-count" arg /* Number of devices */ ) ) ) ) ) end rule(:chassisd_agg_container_type) do c( "device-count" arg /* Number of container devices */ ) end rule(:chassisd_agg_enet_type) do c( "device-count" arg /* Number of aggregated Ethernet devices */, "lacp" ( /* Global Link Aggregation Control Protocol configuration */ c( "system-priority" arg /* Priority of the system (0 ... 65535) */, "link-protection" ( c( "non-revertive" /* Don't revert links when better priority link comes up */ ) ) ) ) ) end rule(:chassisd_agg_pos_type) do c( "device-count" arg /* Number of aggregated SONET devices */ ) end rule(:chassisd_provider_instance_type) do c( "device-count" arg /* Number of provider instance port devices */ ) end rule(:client_address_object) do arg.as(:arg) ( c( "restrict" /* Deny access */ ) ) end rule(:comm_object) do c( "snmp-community" arg /* Specify community name */, "no-default-comm-to-v3-config" /* No default snmp-community and v3 configuration */ ) end rule(:command_list_type) do arg.as(:arg) ( c( "value" arg /* Configure value of command-list object */ ) ) end rule(:content_filtering_feature) do c( "profile" arg ( /* Content filtering profile */ c( "permit-command" arg /* Permit command list */, "block-command" arg /* Block command list */, "block-extension" arg /* Block extension list */, "block-mime" ( /* Content-filtering feature block MIME */ c( "list" arg /* Block MIME list */, "exception" arg /* Exception of block MIME list */ ) ), "block-content-type" ( /* Content-filtering feature block content type */ c( "activex" /* Block activex */, "java-applet" /* Block Java-applet */, "exe" /* Block Windows/dos exe file */, "zip" /* Block zip file */, "http-cookie" /* Block HTTP cookie */ ) ), "notification-options" ( /* Notification options */ c( "type" ( /* Notification options type */ ("protocol-only" | "message") ), "notify-mail-sender" /* Notifiy mail sender */, "no-notify-mail-sender" /* Don't notifiy mail sender */, "custom-message" arg /* Custom notification message */ ) ) ) ) ) end rule(:cos_policer) do arg.as(:arg) ( c( "premium" ( /* Policer to apply to premium traffic */ ethernet_policer /* Policer to apply to premium traffic */ ), "aggregate" ( /* Policer to apply to aggregate traffic */ ethernet_policer /* Policer to apply to aggregate traffic */ ) ) ) end rule(:cos_policer_input_priority_map) do c( "ieee-802.1p" ( /* Use IEEE 802.1p to determine policer priority map */ c( "premium" arg /* Input traffic's IEEE 802.1p value to which premium policer is applied */ ) ) ) end rule(:cos_policer_output_priority_map) do c( "classifier" ( /* Use classifier as policer priority map */ c( "premium" ( /* Output traffic classifier to which premium policer is applied */ c( "forwarding-class" arg ( /* Select a classification for this priority map */ c( "loss-priority" enum(("low" | "high")) /* Select a loss priority */.as(:oneline) ) ) ) ) ) ) ) end rule(:ct3_port_type) do arg.as(:arg) ( c( "t1" ( /* T1 link */ ct3_channel_type /* T1 link */ ) ) ) end rule(:ct3_channel_type) do arg.as(:arg) ( c( "channel-group" arg ( /* Define channel group */ sc( "timeslots" arg /* DS0 timeslots (1..24); for example, 1-3,4,9,22-24 (no spaces) */ ) ).as(:oneline) ) ) end rule(:custom_attack_group_type) do arg.as(:arg) ( c( "attack-group-description" arg /* Attack group description in xml format */, "group-members" arg /* List of attacks/attack groups belonging to this group */ ) ) end rule(:custom_attack_type) do arg.as(:arg) ( c( "attack-description" arg /* Attack description in xml format */, "recommended-action" ( /* Recommended Action */ ("none" | "ignore" | "drop-packet" | "drop" | "close-client" | "close-server" | "close") ), "severity" ( /* Select the severity that matches the lethality of this attack on your network */ ("info" | "warning" | "minor" | "major" | "critical") ), "time-binding" ( /* Time binding params */ c( "count" arg /* Number of times this attack is to be triggered */, "scope" ( /* Scope within which the count occurs */ ("peer" | "source" | "destination") ) ) ), "attack-type" ( /* Type of attack */ c( "signature" ( /* Signature based attack */ c( "protocol-binding" ( /* Protocol binding over which attack will be detected */ c( c( "tcp" ( /* Attack is for TCP packets only */ c( "minimum-port" ( /* Multiple sets of (single port/port ranges) can be specified */ port_range /* Multiple sets of (single port/port ranges) can be specified */ ) ) ), "udp" ( /* Attack is for UDP packets only */ c( "minimum-port" ( /* Either single port or port ranges can be specified */ port_range /* Either single port or port ranges can be specified */ ) ) ), "rpc" ( /* Attack is for RPC packets only */ c( "program-number" arg /* RPC Program Number */ ) ), "icmp" /* Attack is for ICMP packets only */, "icmpv6" /* Attack is for ICMPv6 packets only */, "ip" ( /* Attack is for all IP based packets */ c( "protocol-number" arg /* Transport layer protocol number */ ) ), "ipv6" ( /* Attack is for all IPv6 based packets */ c( "protocol-number" arg /* Transport layer protocol number */ ) ), "application" arg /* Application name */, "nested-application" arg /* Nested application name */ ) ) ), "context" arg /* Context */, "pattern" arg /* Pattern is the signature of the attack you want to detect */, "pattern-pcre" arg /* Attack signature pattern in PCRE format */, "regexp" arg /* Regular expression used for matching repetition of patterns */, "negate" /* Trigger the attack if condition is not met */, "direction" ( /* Connection direction of the attack */ ("client-to-server" | "server-to-client" | "any") ), "shellcode" ( /* Specify shellcode flag for this attack */ ("intel" | "sparc" | "all" | "no-shellcode") ), "protocol" ( /* Protocol header matches */ c( "ipv4" ( /* IPv4 protocol parameters */ c( "tos" ( /* Type of Service */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "ihl" ( /* Header length in words */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "total-length" ( /* Total Length of IP datagram */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "identification" ( /* Fragment Identification */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "ip-flags" ( /* IP Flag bits */ sc( "rb" /* Reserved bit */, "no-rb" /* Don't reserved bit */, "mf" /* More Fragment bit */, "no-mf" /* Don't more Fragment bit */, "df" /* Don't Fragment bit */, "no-df" /* Don't don't Fragment bit */ ) ).as(:oneline), "ttl" ( /* Time to live */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "protocol" ( /* Transport layer protocol */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "source" ( /* Source IP-address/Hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv4addr /* Match value */ ) ) ), "destination" ( /* Destination IP-address/Hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv4addr /* Match value */ ) ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "ipv6" ( /* IPv6 protocol parameters */ c( "traffic-class" ( /* Traffic class. Similar to TOS in IPv4 */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "payload-length" ( /* Length of the payload in the IPv6 datagram */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "flow-label" ( /* Flow label identification */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "hop-limit" ( /* Hop limit */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "next-header" ( /* The header following the basic IPv6 header */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "source" ( /* Source IP-address or hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv6addr /* Match value */ ) ) ), "destination" ( /* Destination IP-address or hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv6addr /* Match value */ ) ) ), "extension-header" ( /* IPv6 Extension headers */ c( "routing-header" ( /* IPv6 Routing extension header */ c( "header-type" ( /* Routing header type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "destination-option" ( /* IPv6 Destination option extension header */ c( "option-type" ( /* Destination option header type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "home-address" ( /* IPv6 Home address of the mobile node */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv6addr /* Match value */ ) ) ) ) ) ) ) ) ), "tcp" ( /* TCP protocol parameters */ c( "source-port" ( /* Source port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "destination-port" ( /* Destination port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "sequence-number" ( /* Sequence Number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "ack-number" ( /* Acknowledgement Number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "header-length" ( /* Header Length in words */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "reserved" ( /* Three reserved bits */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "window-size" ( /* Window Size */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "urgent-pointer" ( /* Urgent Pointer */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "tcp-flags" ( /* TCP header flags */ sc( "r1" /* Set Reserverd bit 1 */, "no-r1" /* Don't set Reserverd bit 1 */, "r2" /* Set Reserved bit 2 */, "no-r2" /* Don't set Reserved bit 2 */, "urg" /* Set Urgent bit */, "no-urg" /* Don't set Urgent bit */, "ack" /* Set Acknowledge bit */, "no-ack" /* Don't set Acknowledge bit */, "psh" /* Set Push bit */, "no-psh" /* Don't set Push bit */, "rst" /* Set Reset bit */, "no-rst" /* Don't set Reset bit */, "syn" /* Set SYN bit */, "no-syn" /* Don't set SYN bit */, "fin" /* Set FINish bit */, "no-fin" /* Don't set FINish bit */ ) ).as(:oneline), "option" ( /* Kind */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IP datagram subtracted by TCP header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "window-scale" ( /* Window scale */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "mss" ( /* Maximum Segment Size */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "udp" ( /* UDP protocol parameters */ c( "source-port" ( /* Source port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "destination-port" ( /* Destination port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IP datagram subtracted by UDP header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "icmp" ( /* ICMP protocol parameters */ c( "type" ( /* Type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "code" ( /* Code */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "identification" ( /* Identifier in echo request/reply */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "sequence-number" ( /* Sequence Number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IP datagram subtracted by ICMP header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "icmpv6" ( /* ICMPv6 protocol parameters */ c( "type" ( /* Type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "code" ( /* Code */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "identification" ( /* Identifier in echo request/reply */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "sequence-number" ( /* Sequence number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IPv6 datagram subtracted by ICMPv6 header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ) ) ) ) ), "anomaly" ( /* Protocol anomaly */ c( "service" arg /* Service name */, "test" arg /* Protocol anomaly condition to be checked */, "direction" ( /* Direction */ ("client-to-server" | "server-to-client" | "any") ), "shellcode" ( /* Specify shellcode flag for this attack */ ("intel" | "sparc" | "all" | "no-shellcode") ) ) ), "chain" ( /* Chain attack */ c( "protocol-binding" ( /* Protocol binding over which attack will be detected */ c( c( "tcp" ( /* Attack is for TCP packets only */ c( "minimum-port" ( /* Multiple sets of (single port/port ranges) can be specified */ port_range /* Multiple sets of (single port/port ranges) can be specified */ ) ) ), "udp" ( /* Attack is for UDP packets only */ c( "minimum-port" ( /* Either single port or port ranges can be specified */ port_range /* Either single port or port ranges can be specified */ ) ) ), "rpc" ( /* Attack is for RPC packets only */ c( "program-number" arg /* RPC Program Number */ ) ), "icmp" /* Attack is for ICMP packets only */, "icmpv6" /* Attack is for ICMPv6 packets only */, "ip" ( /* Attack is for all IP based packets */ c( "protocol-number" arg /* Transport layer protocol number */ ) ), "ipv6" ( /* Attack is for all IPv6 based packets */ c( "protocol-number" arg /* Transport layer protocol number */ ) ), "application" arg /* Application name */, "nested-application" arg /* Nested application name */ ) ) ), "scope" ( /* Scope of the attack */ ("session" | "transaction") ), "order" /* Attacks should match in the order in which they are defined */, "reset" /* Repeat match should generate a new alert */, "expression" arg /* Boolean Expression */, "member" ( /* List of member attacks. */ chain_member_type /* List of member attacks. */ ) ) ) ) ) ) ) end rule(:chain_member_type) do arg.as(:arg) ( c( "attack-type" ( /* Type of attack */ c( "signature" ( /* Signature based attack */ c( "context" arg /* Context */, "pattern" arg /* Pattern is the signature of the attack you want to detect */, "pattern-pcre" arg /* Attack signature pattern in PCRE format */, "regexp" arg /* Regular expression used for matching repetition of patterns */, "negate" /* Trigger the attack if condition is not met */, "direction" ( /* Connection direction of the attack */ ("client-to-server" | "server-to-client" | "any") ), "shellcode" ( /* Specify shellcode flag for this attack */ ("intel" | "sparc" | "all" | "no-shellcode") ), "protocol" ( /* Protocol header matches */ c( "ipv4" ( /* IPv4 protocol parameters */ c( "tos" ( /* Type of Service */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "ihl" ( /* Header length in words */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "total-length" ( /* Total Length of IP datagram */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "identification" ( /* Fragment Identification */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "ip-flags" ( /* IP Flag bits */ sc( "rb" /* Reserved bit */, "no-rb" /* Don't reserved bit */, "mf" /* More Fragment bit */, "no-mf" /* Don't more Fragment bit */, "df" /* Don't Fragment bit */, "no-df" /* Don't don't Fragment bit */ ) ).as(:oneline), "ttl" ( /* Time to live */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "protocol" ( /* Transport layer protocol */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "source" ( /* Source IP-address/Hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv4addr /* Match value */ ) ) ), "destination" ( /* Destination IP-address/Hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv4addr /* Match value */ ) ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "ipv6" ( /* IPv6 protocol parameters */ c( "traffic-class" ( /* Traffic class. Similar to TOS in IPv4 */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "payload-length" ( /* Length of the payload in the IPv6 datagram */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "flow-label" ( /* Flow label identification */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "hop-limit" ( /* Hop limit */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "next-header" ( /* The header following the basic IPv6 header */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "source" ( /* Source IP-address or hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv6addr /* Match value */ ) ) ), "destination" ( /* Destination IP-address or hostname */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv6addr /* Match value */ ) ) ), "extension-header" ( /* IPv6 Extension headers */ c( "routing-header" ( /* IPv6 Routing extension header */ c( "header-type" ( /* Routing header type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "destination-option" ( /* IPv6 Destination option extension header */ c( "option-type" ( /* Destination option header type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "home-address" ( /* IPv6 Home address of the mobile node */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" ( /* Match value */ ipv6addr /* Match value */ ) ) ) ) ) ) ) ) ), "tcp" ( /* TCP protocol parameters */ c( "source-port" ( /* Source port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "destination-port" ( /* Destination port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "sequence-number" ( /* Sequence Number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "ack-number" ( /* Acknowledgement Number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "header-length" ( /* Header Length in words */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "reserved" ( /* Three reserved bits */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "window-size" ( /* Window Size */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "urgent-pointer" ( /* Urgent Pointer */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "tcp-flags" ( /* TCP header flags */ sc( "r1" /* Set Reserverd bit 1 */, "no-r1" /* Don't set Reserverd bit 1 */, "r2" /* Set Reserved bit 2 */, "no-r2" /* Don't set Reserved bit 2 */, "urg" /* Set Urgent bit */, "no-urg" /* Don't set Urgent bit */, "ack" /* Set Acknowledge bit */, "no-ack" /* Don't set Acknowledge bit */, "psh" /* Set Push bit */, "no-psh" /* Don't set Push bit */, "rst" /* Set Reset bit */, "no-rst" /* Don't set Reset bit */, "syn" /* Set SYN bit */, "no-syn" /* Don't set SYN bit */, "fin" /* Set FINish bit */, "no-fin" /* Don't set FINish bit */ ) ).as(:oneline), "option" ( /* Kind */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IP datagram subtracted by TCP header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "window-scale" ( /* Window scale */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "mss" ( /* Maximum Segment Size */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "udp" ( /* UDP protocol parameters */ c( "source-port" ( /* Source port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "destination-port" ( /* Destination port */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IP datagram subtracted by UDP header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "icmp" ( /* ICMP protocol parameters */ c( "type" ( /* Type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "code" ( /* Code */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "identification" ( /* Identifier in echo request/reply */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "sequence-number" ( /* Sequence Number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IP datagram subtracted by ICMP header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ), "icmpv6" ( /* ICMPv6 protocol parameters */ c( "type" ( /* Type */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "code" ( /* Code */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "identification" ( /* Identifier in echo request/reply */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "sequence-number" ( /* Sequence number */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "data-length" ( /* Size of IPv6 datagram subtracted by ICMPv6 header length */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ), "checksum-validate" ( /* Validate checksum field against calculated checksum */ c( "match" ( /* Match condition */ ("equal" | "greater-than" | "less-than" | "not-equal") ), "value" arg /* Match value */ ) ) ) ) ) ) ) ), "anomaly" ( /* Protocol anomaly */ c( "test" arg /* Protocol anomaly condition to be checked */, "direction" ( /* Direction */ ("client-to-server" | "server-to-client" | "any") ), "shellcode" ( /* Specify shellcode flag for this attack */ ("intel" | "sparc" | "all" | "no-shellcode") ) ) ) ) ) ) ) end rule(:custom_message_type) do arg.as(:arg) ( c( "type" ( /* Type of custom message */ ("redirect-url" | "user-message") ), "content" arg /* Content of custom message */ ) ) end rule(:dcd_rx_bucket_config) do c( "overflow" ( /* Overflow behavior */ ("tag" | "discard") ), "rate" arg /* Bucket rate */, "threshold" arg /* Bucket threshold */ ) end rule(:dcd_shaping_config) do c( c( "cbr" ( /* Constant bandwidth utilization */ sc( arg /* Constant bandwidth utilization */, "cdvt" arg /* Cell Delay Variation Tolerance */ ) ).as(:oneline), "vbr" ( /* Variable bandwidth utilization */ sc( "peak" arg /* Peak rate */, "sustained" arg /* Sustained rate */, "burst" arg /* Burst size */, "cdvt" arg /* Cell Delay Variation Tolerance */ ) ).as(:oneline), "rtvbr" ( /* ATM2 real-time variable bandwidth utilization */ sc( "peak" arg /* Peak rate */, "sustained" arg /* Sustained rate */, "burst" arg /* Burst size */, "cdvt" arg /* Cell Delay Variation Tolerance */ ) ).as(:oneline) ), "queue-length" arg /* Queue length */ ) end rule(:dcd_tx_bucket_config) do c( "overflow" ( /* Overflow behavior */ ("discard") ), "rate" arg /* Bucket rate */, "threshold" arg /* Bucket threshold */ ) end rule(:default_anti_spam_feature) do c( "type" ( /* Anti-spam type */ ("sbl" | "anti-spam-none") ), "address-whitelist" arg /* Anti-spam whitelist */, "address-blacklist" arg /* Anti-spam blacklist */, "traceoptions" ( /* Trace options for anti-spam feature */ anti_spam_traceoptions /* Trace options for anti-spam feature */ ), "sbl" ( /* SBL settings */ default_sbl_type /* SBL settings */ ) ) end rule(:anti_spam_traceoptions) do c( "flag" enum(("manager" | "sbl" | "all")) /* Trace options for anti-spam feature flag */.as(:oneline) ) end rule(:default_anti_virus_feature) do c( "mime-whitelist" ( /* Anti-virus MIME whitelist */ c( "list" arg /* MIME list */, "exception" arg /* Exception settings for MIME white list */ ) ), "url-whitelist" arg /* Anti-virus URL white list */, "type" ( /* Anti-virus engine type */ ("sophos-engine" | "anti-virus-none") ), "traceoptions" ( /* Trace options for anti-virus feature */ anti_virus_traceoptions /* Trace options for anti-virus feature */ ), "sophos-engine" ( /* Anti-virus sophos-engine */ c( "server" ( /* SAV and Anti-Spam first hop DNS server */ c( "routing-instance" arg /* Routing instance name */, ipaddr /* SAV and Anti-Spam first hop DNS server ip */ ) ), "sxl-timeout" arg /* Sxl sophos anti-virus engine timeout */, "sxl-retry" arg /* Sxl sophos anti-virus engine query retry (number of times) */, "pattern-update" ( /* Anti-virus sophos-engine pattern update */ anti_virus_pattern_update /* Anti-virus sophos-engine pattern update */ ), "fallback-options" ( /* Anti-virus sophos-engine fallback options */ sophos_fallback_settings /* Anti-virus sophos-engine fallback options */ ), "scan-options" ( /* Anti-virus sophos-engine scan options */ default_sophos_scan_options /* Anti-virus sophos-engine scan options */ ), "trickling" ( /* Anti-virus trickling */ anti_virus_trickling /* Anti-virus trickling */ ), "notification-options" ( /* Anti-virus notification options */ anti_virus_notification_options /* Anti-virus notification options */ ) ) ) ) end rule(:anti_virus_pattern_update) do c( "email-notify" ( /* Virus pattern file updated notification */ c( "admin-email" arg /* Admin emails to be notified about pattern file update */, "custom-message" arg /* Custom message for notification */, "custom-message-subject" arg /* Custom message subject for notification */ ) ), "url" arg /* Server URL */, "proxy-profile" arg /* Proxy profile */, "routing-instance" arg /* Routing instance name */, "interval" arg /* Interval to check the update */, "no-autoupdate" /* Don't automatically update anti-virus pattern */ ) end rule(:anti_virus_traceoptions) do c( "flag" enum(("basic" | "detail" | "engine" | "pattern" | "updater" | "manager" | "worker" | "sendmail" | "ipc" | "event" | "statistics" | "all")) /* Trace options for anti-virus feature flag */.as(:oneline) ) end rule(:default_content_filtering_feature) do c( "type" ( /* Content-filtering type */ ("local" | "content-filtering-none") ), "traceoptions" ( /* Trace options for content-filtering feature */ content_filtering_traceoptions /* Trace options for content-filtering feature */ ), "permit-command" arg /* Permit command list */, "block-command" arg /* Block command list */, "block-extension" arg /* Block extension list */, "block-mime" ( /* Content-filtering feature block MIME */ c( "list" arg /* Block MIME list */, "exception" arg /* Exception of block MIME list */ ) ), "block-content-type" ( /* Content-filtering feature block content type */ c( "activex" /* Block activex */, "java-applet" /* Block Java-applet */, "exe" /* Block Windows/dos exe file */, "zip" /* Block zip file */, "http-cookie" /* Block HTTP cookie */ ) ), "notification-options" ( /* Notification options */ c( "type" ( /* Notification options type */ ("protocol-only" | "message") ), "notify-mail-sender" /* Notifiy mail sender */, "no-notify-mail-sender" /* Don't notifiy mail sender */, "custom-message" arg /* Custom notification message */ ) ) ) end rule(:content_filtering_traceoptions) do c( "flag" enum(("basic" | "detail" | "all")) /* Trace options for content-filtering feature flag */.as(:oneline) ) end rule(:default_sbl_type) do c( "sbl-default-server" /* Default SBL server */, "no-sbl-default-server" /* Don't default SBL server */, "spam-action" ( /* Anti-spam actions */ ("block" | "tag-header" | "tag-subject") ), "custom-tag-string" arg /* Custom tag string */ ) end rule(:default_sophos_scan_options) do c( "uri-check" /* Anti-virus uri-check */, "no-uri-check" /* Don't anti-virus uri-check */, "content-size-limit" arg /* Content size limit */, "timeout" arg /* Scan engine timeout */ ) end rule(:default_webfilter_feature) do c( "url-whitelist" arg /* Configure custom URL for whitelist category */, "url-blacklist" arg /* Configure custom URL for blacklist category */, "http-reassemble" /* Reassemble HTTP request segments */, "http-persist" /* Check all HTTP request in a connection */, "type" ( /* Configure web-filtering engine type */ ("websense-redirect" | "juniper-local" | "juniper-enhanced" | "web-filtering-none") ), "traceoptions" ( /* Trace options for web-filtering feature */ web_filtering_traceoptions /* Trace options for web-filtering feature */ ), "websense-redirect" ( /* Configure web-filtering websense redirect engine */ default_websense_type /* Configure web-filtering websense redirect engine */ ), "juniper-local" ( /* Configure web-filtering juniper local engine */ default_juniper_local_type /* Configure web-filtering juniper local engine */ ), "juniper-enhanced" ( /* Configure web-filtering juniper enhanced engine */ default_juniper_enhanced_type /* Configure web-filtering juniper enhanced engine */ ) ) end rule(:default_juniper_enhanced_type) do c( "cache" ( c( "timeout" arg /* Juniper enhanced cache timeout */, "size" arg /* Juniper enhanced cache size */ ) ), "server" ( /* Juniper enhanced server */ juniper_enhanced_server /* Juniper enhanced server */ ), "reputation" ( /* Customize reputation level */ c( "reputation-very-safe" arg /* Base-reputation-value */, "reputation-moderately-safe" arg /* Base-reputation-value */, "reputation-fairly-safe" arg /* Base-reputation-value */, "reputation-suspicious" arg /* Base-reputation-value */ ) ), "base-filter" arg /* Juniper base filter */, "category" ( /* Juniper enhanced category */ juniper_enhanced_category_type /* Juniper enhanced category */ ), "site-reputation-action" ( /* Juniper enhanced site reputation action */ juniper_enhanced_site_reputation_setting /* Juniper enhanced site reputation action */ ), "default" ( /* Juniper enhanced profile default */ ("permit" | "block" | "log-and-permit" | "quarantine") ), "custom-block-message" arg /* Juniper enhanced custom block message sent to HTTP client */, "quarantine-custom-message" arg /* Juniper enhanced quarantine custom message */, "fallback-settings" ( /* Juniper enhanced fallback settings */ web_filtering_fallback_setting /* Juniper enhanced fallback settings */ ), "timeout" arg /* Juniper enhanced timeout */, "no-safe-search" /* Do not perform safe-search for Juniper enhanced protocol */, "block-message" ( /* Juniper enhanced block message settings */ web_filtering_block_message /* Juniper enhanced block message settings */ ), "quarantine-message" ( /* Juniper enhanced quarantine message settings */ web_filtering_quarantine_message /* Juniper enhanced quarantine message settings */ ) ) end rule(:default_juniper_local_type) do c( "default" ( /* Juniper local profile default */ ("permit" | "block" | "log-and-permit") ), "category" ( /* Custom category */ custom_category_type /* Custom category */ ), "custom-block-message" arg /* Juniper local custom block message */, "quarantine-custom-message" arg /* Juniper local quarantine custom message */, "block-message" ( /* Juniper local block message settings */ web_filtering_block_message /* Juniper local block message settings */ ), "quarantine-message" ( /* Juniper local quarantine message settings */ web_filtering_quarantine_message /* Juniper local quarantine message settings */ ), "fallback-settings" ( /* Juniper local fallback settings */ web_filtering_fallback_setting /* Juniper local fallback settings */ ), "timeout" arg /* Juniper local timeout */ ) end rule(:custom_category_type) do arg.as(:arg) ( c( "action" ( /* Action to perform when web traffic matches category */ ("permit" | "log-and-permit" | "block" | "quarantine") ), "custom-message" arg /* Custom message */ ) ) end rule(:default_websense_type) do c( "server" ( /* Websense redirect server */ server /* Websense redirect server */ ), "category" ( /* Custom category */ custom_category_type /* Custom category */ ), "custom-block-message" arg /* Websense redirect custom block message */, "quarantine-custom-message" arg /* Websense redirect quarantine custom message */, "block-message" ( /* Websense redirect block message settings */ web_filtering_block_message /* Websense redirect block message settings */ ), "quarantine-message" ( /* Websense redirect quarantine message settings */ web_filtering_quarantine_message /* Websense redirect quarantine message settings */ ), "fallback-settings" ( /* Websense redirect fallback settings */ web_filtering_fallback_setting /* Websense redirect fallback settings */ ), "timeout" arg /* Websense redirect timeout */, "sockets" arg /* Websense redirect sockets number */, "account" arg /* Websense redirect account */ ) end rule(:demux_options_type) do c( "underlying-interface" ( /* Underlying interface name */ ("$junos-underlying-interface" | "$junos-interface-ifd-name" | arg) ) ) end rule(:dhcp_client_type) do c( "client-identifier" ( /* DHCP server identifies a client by client-identifier value */ c( c( "ascii" arg /* Client identifier as an ASCII string */, "hexadecimal" arg /* Client identifier as a hexadecimal string */ ), "user-id" ( /* Add user id to client-id option */ sc( c( "ascii" arg /* Client identifier as an ASCII string */, "hexadecimal" arg /* Client identifier as a hexadecimal string */ ) ) ).as(:oneline), "prefix" ( /* Add prefix to client-id option */ c( "host-name" /* Add router host name to client-id option */, "logical-system-name" /* Add logical system name to client-id option */, "routing-instance-name" /* Add routing instance name to client-id option */ ) ), "use-interface-description" ( /* Use the interface description */ ("logical" | "device") ) ) ), "no-dns-install" /* Do not install DNS information learned from DHCP server */, "lease-time" ( /* Lease time in seconds requested in DHCP client protocol packet */ ("infinite" | arg) ), "retransmission-attempt" arg /* Number of attempts to retransmit the DHCP client protocol packet */, "retransmission-interval" arg /* Number of seconds between successive retransmission */, "metric" arg /* Client initiated default-route metric */, "server-address" ( /* DHCP Server-address */ ipv4addr /* DHCP Server-address */ ), "update-server" /* Propagate TCP/IP settings to DHCP server */, "vendor-id" arg /* Vendor class id for the DHCP Client */, "force-discover" /* Send DHCPDISCOVER after DHCPREQUEST retransmission failure */, "options" ( /* DHCP options */ c( "no-hostname" /* Do not carry hostname (RFC option code is 12) in packet */ ) ) ) end rule(:dynamic_attack_group_type) do arg.as(:arg) ( c( "attack-group-description" arg /* Filter name/value in xml format */, "filters" ( /* Configure filters */ c( "direction" ( /* Direction of attack */ c( "expression" ( /* Boolean AND/OR to be used for values */ ("and" | "or") ), "values" ( /* Values for direction field */ ("client-to-server" | "server-to-client" | "any" | "exclude-client-to-server" | "exclude-server-to-client" | "exclude-any") ) ) ), "severity" ( /* Severity of attack */ c( "values" ( /* Values for severity field */ ("info" | "warning" | "minor" | "major" | "critical") ) ) ), "type" ( /* Type of attack */ c( "values" ( /* Values for type field */ ("signature" | "anomaly") ) ) ), "recommended" /* Recommended flag */, "no-recommended" /* Don't recommended flag */, "performance" ( /* Performance of attack */ c( "values" ( /* Values for performance field */ ("unknown" | "fast" | "normal" | "slow") ) ) ), "category" ( /* Category of attack */ c( "values" arg /* Values for category field */ ) ), "service" ( /* Service/Application of attack */ c( "values" arg /* Values for service field */ ) ), "false-positives" ( /* False positive field in attack */ c( "values" ( /* Values for false-positives field */ ("unknown" | "rarely" | "occasionally" | "frequently") ) ) ), "vendor" ( /* Vendor/Product the attack belongs to */ vendor_object /* Vendor/Product the attack belongs to */ ), "file-type" ( /* File type the attack is valid for */ c( "values" arg /* Values for file-type field */ ) ), "vulnerability-type" ( /* Vulnariability type of attack */ c( "values" arg /* Values for vulnariability-type field */ ) ), "cvss-score" ("greater-than" | "less-than") ( /* CVSS score of Attack */ c( "value" arg /* Match value */ ) ), "age-of-attack" ("greater-than" | "less-than") ( /* Age of an Attack */ c( "value" arg /* Match value */ ) ) ) ) ) ) end rule(:dynamic_ifbw_parms_type) do c( "capacity" arg /* Weight of current (vs. maximum) data rate */, "margin" arg /* Maximum reduction in bandwidth due to low link quality */, "delay" arg /* Bandwidth reduction when delay is announced as 1 second */, "bandwidth" arg /* Weight of current (vs. maximum) data rate */, "resource" arg /* Resource weight */, "latency" arg /* Latency weight */, "quality" arg /* Relative Link Quality weight */, "data-rate" arg /* Data rate weight */, "threshold" arg /* Percentage bandwidth change required for routing updates */, "credit" ( /* Credit-based scheduling parameters */ c( "interval" arg /* Grant rate interval in 100mS steps */ ) ) ) end rule(:e2e_action_profile) do arg.as(:arg) ( c( "preserve-trace-order" /* Preserve trace order (has performance overhead) */, "record-pic-history" /* Record the PIC(s) in which the packet has been processed */, "event" ( e2e_event ), "module" ( e2e_module ) ) ) end rule(:e2e_event) do ("np-ingress" | "np-egress" | "mac-ingress" | "mac-egress" | "lbt" | "pot" | "jexec" | "lt-enter" | "lt-leave").as(:arg) ( c( "trace" /* Trace action */, "count" /* Count action */, "packet-summary" /* Packet summary action */, "packet-dump" /* Packet dump action */ ) ) end rule(:e2e_module) do ("flow").as(:arg) ( c( "flag" enum(("all")) /* Events and other information to include in trace output */.as(:oneline) ) ) end rule(:end_to_end_debug_filter) do arg.as(:arg) ( c( "action-profile" ( /* Actions to take with this filter */ ("default" | arg) ), "protocol" ( /* Match IP protocol type */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "source-prefix" ( /* Source IPv4/IPv6 address prefix */ ipprefix /* Source IPv4/IPv6 address prefix */ ), "destination-prefix" ( /* Destination IPv4/IPv6 address prefix */ ipprefix /* Destination IPv4/IPv6 address prefix */ ), "source-port" ( /* Match TCP/UDP source port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port" ( /* Match TCP/UDP destination port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "interface" ( /* Logical interface */ interface_name /* Logical interface */ ) ) ) end rule(:epd_threshold_config) do c( arg /* Early packet discard threshold value */, "plp1" arg /* Early packet drop threshold value for PLP 1 */ ).as(:oneline) end rule(:es_filter) do arg.as(:arg) ( c( "interface-specific" /* Defined counters are interface specific */, "physical-interface-filter" /* Filter is physical interface filter */, "term" arg ( /* Define a firewall term */ c( "from" ( /* Define match criteria */ c( "interface" ( /* Match interface name */ match_interface_object /* Match interface name */ ), "source-mac-address" ( /* Match MAC source address */ firewall_mac_addr_object /* Match MAC source address */ ), "destination-mac-address" ( /* Match MAC destination address */ firewall_mac_addr_object /* Match MAC destination address */ ), c( "ether-type" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ), "ether-type-except" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ) ), c( "l2-encap-type" ( ("llc-non-snap" | arg) ), "l2-encap-type-except" ( ("llc-non-snap" | arg) ) ), c( "vlan" arg, "vlan-except" arg ), c( "dot1q-tag" arg, "dot1q-tag-except" arg ), c( "dot1q-user-priority" ( ("best-effort" | "background" | "standard" | "excellent-load" | "controlled-load" | "video" | "voice" | "network-control" | arg) ), "dot1q-user-priority-except" ( ("best-effort" | "background" | "standard" | "excellent-load" | "controlled-load" | "video" | "voice" | "network-control" | arg) ) ), "address" ( /* Match IP source or destination address */ firewall_addr_object /* Match IP source or destination address */ ), "source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), c( "dscp" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "dscp-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ), c( "ip-options" ( ("any") ), "ip-options-except" ( ("any") ) ), "fragment-flags" arg /* Match fragment flags (in symbolic or hex formats) - (Ingress only) */, "is-fragment" /* Match if packet is a fragment */, c( "protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) */, "tcp-initial" /* Match initial packet of a TCP connection */, "tcp-established" /* Match packet of an established TCP connection */, c( "icmp-type" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp-type-except" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ) ), c( "icmp-code" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp-code-except" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ) ), "source-prefix-list" ( /* Match IP source prefixes in named list */ firewall_prefix_list /* Match IP source prefixes in named list */ ), "destination-prefix-list" ( /* Match IP destination prefixes in named list */ firewall_prefix_list /* Match IP destination prefixes in named list */ ), "ip-source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "ip-destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), c( "ip-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ip-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ip-precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "ip-precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ), "ipv6-destination-address" ( /* Match IPv6 destination address */ firewall_addr6_object /* Match IPv6 destination address */ ), "ipv6-source-address" ( /* Match IPv6 source address */ firewall_addr6_object /* Match IPv6 source address */ ), "ipv6-address" ( /* Match IPv6 address */ firewall_addr6_object /* Match IPv6 address */ ), c( "ipv6-next-header" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ipv6-next-header-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ipv6-payload-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ipv6-payload-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ipv6-traffic-class" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "ipv6-traffic-class-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), "ipv6-source-prefix-list" ( /* Match IPV6 source prefixes in named list */ firewall_prefix_list /* Match IPV6 source prefixes in named list */ ), "ipv6-destination-prefix-list" ( /* Match IPV6 destination prefixes in named list */ firewall_prefix_list /* Match IPV6 destination prefixes in named list */ ), "ipv6-prefix-list" ( /* Match IP source or destination prefixes in named list */ firewall_prefix_list /* Match IP source or destination prefixes in named list */ ), c( "interface-group" arg, "interface-group-except" arg ), c( "vlan-ether-type" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ), "vlan-ether-type-except" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ) ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), c( "learn-vlan-id" arg, "learn-vlan-id-except" arg ), c( "learn-vlan-1p-priority" arg, "learn-vlan-1p-priority-except" arg ), c( "learn-vlan-dei" arg, "learn-vlan-dei-except" arg ), c( "user-vlan-id" arg, "user-vlan-id-except" arg ), c( "user-vlan-1p-priority" arg, "user-vlan-1p-priority-except" arg ), c( "traffic-type" ( ("broadcast" | "multicast" | "unknown-unicast" | "known-unicast") ), "traffic-type-except" ( ("broadcast" | "multicast" | "unknown-unicast" | "known-unicast") ) ), "ip-address" ( /* Match IP source or destination address */ firewall_addr_object /* Match IP source or destination address */ ), "interface-set" ( /* Match interface in set */ match_interface_set_object /* Match interface in set */ ), "prefix-list" ( /* Match IP source or destination prefixes in named list */ firewall_prefix_list /* Match IP source or destination prefixes in named list */ ), c( "isid" arg, "isid-except" arg ), c( "isid-priority-code-point" arg, "isid-priority-code-point-except" arg ), c( "isid-dei" arg, "isid-dei-except" arg ), c( "forwarding-class" arg, "forwarding-class-except" arg ), "to-fabric" ( /* Match packets going to fabric */ to_fabric_object /* Match packets going to fabric */ ), "from-fabric" /* Match packets coming from fabric */, c( "arp-type" ( ("arp-request" | "arp-reply" | arg) ) ), c( "flexible-match-mask" ( /* Match flexible mask */ match_l2_flexible_mask /* Match flexible mask */ ) ), c( "flexible-match-range" ( /* Match flexible range */ match_l2_flexible_range /* Match flexible range */ ) ), "ip-version" ( /* Define IP version */ c( "ipv4" ( /* Define L3/L4 match items to match IPv4 packets */ c( "address" ( /* Match IP source or destination address */ firewall_addr_object /* Match IP source or destination address */ ), "source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), c( "dscp" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "dscp-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ), c( "ip-options" ( ("any") ), "ip-options-except" ( ("any") ) ), "fragment-flags" arg /* Match fragment flags (in symbolic or hex formats) - (Ingress only) */, "is-fragment" /* Match if packet is a fragment */, c( "protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) - (Ingress only) */, "tcp-initial" /* Match initial packet of a TCP connection - (Ingress only) */, "tcp-established" /* Match packet of an established TCP connection */, c( "icmp-type" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp-type-except" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ) ), c( "icmp-code" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp-code-except" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ) ), "source-prefix-list" ( /* Match IP source prefixes in named list */ firewall_prefix_list /* Match IP source prefixes in named list */ ), "destination-prefix-list" ( /* Match IP destination prefixes in named list */ firewall_prefix_list /* Match IP destination prefixes in named list */ ), "ip-source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "ip-destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), c( "ip-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ip-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ip-precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "ip-precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ) ) ), "ipv6" ( /* Define L3/L4 match items to match IPv6 packets */ c( "source-address" ( /* Match source address */ firewall_addr6_object /* Match source address */ ), "destination-address" ( /* Match destination address */ firewall_addr6_object /* Match destination address */ ), c( "traffic-class" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "traffic-class-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "next-header" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "next-header-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "payload-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "payload-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "extension-header" ( ("any" | "hop-by-hop" | "routing" | "mobility" | "esp" | "fragment" | "dstopts" | "ah" | arg) ), "extension-header-except" ( ("any" | "hop-by-hop" | "routing" | "mobility" | "esp" | "fragment" | "dstopts" | "ah" | arg) ) ), "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) */, "tcp-initial" /* Match initial packet of a TCP connection */, "tcp-established" /* Match packet of an established TCP connection */, c( "icmp-type" ( ("destination-unreachable" | "packet-too-big" | "time-exceeded" | "parameter-problem" | "echo-request" | "echo-reply" | "membership-query" | "membership-report" | "membership-termination" | "router-solicit" | "router-advertisement" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | "inverse-neighbor-discovery-solicitation" | "inverse-neighbor-discovery-advertisement" | "home-agent-address-discovery-request" | "home-agent-address-discovery-reply" | "mobile-prefix-solicitation" | "mobile-prefix-advertisement-reply" | "certificate-path-solicitation" | "certificate-path-advertisement" | "private-experimentation-100" | "private-experimentation-101" | "private-experimentation-200" | "private-experimentation-201" | arg) ), "icmp-type-except" ( ("destination-unreachable" | "packet-too-big" | "time-exceeded" | "parameter-problem" | "echo-request" | "echo-reply" | "membership-query" | "membership-report" | "membership-termination" | "router-solicit" | "router-advertisement" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | "inverse-neighbor-discovery-solicitation" | "inverse-neighbor-discovery-advertisement" | "home-agent-address-discovery-request" | "home-agent-address-discovery-reply" | "mobile-prefix-solicitation" | "mobile-prefix-advertisement-reply" | "certificate-path-solicitation" | "certificate-path-advertisement" | "private-experimentation-100" | "private-experimentation-101" | "private-experimentation-200" | "private-experimentation-201" | arg) ) ), c( "icmp-code" ( ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ), "icmp-code-except" ( ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ) ), "source-prefix-list" ( /* Match IP source prefixes in named list */ firewall_prefix_list /* Match IP source prefixes in named list */ ), "destination-prefix-list" ( /* Match IP destination prefixes in named list */ firewall_prefix_list /* Match IP destination prefixes in named list */ ), "ip6-source-address" ( /* Match source address */ firewall_addr6_object /* Match source address */ ), "ip6-destination-address" ( /* Match destination address */ firewall_addr6_object /* Match destination address */ ) ) ) ) ), "vxlan" /* Define vxlan match items */ ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "accept" /* Accept the packet */, "discard" /* Discard the packet */, "next" ( /* Continue to next term in a filter */ ("term") ) ), "log" /* Log the packet */, "pkt-trace" /* Trace the packet */, "syslog" /* System log (syslog) information about the packet */, "forwarding-class" arg /* Classify packet to forwarding class */, "analyzer" arg /* Name of analyzer - (Ingress only) */, "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "port-mirror" /* Port-mirror the packet */, "next-hop-group" arg /* Use specified next-hop group */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "count" arg /* Count the packet in the named counter */, c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "single-packet-rate" arg /* Name of single-packet-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */, "two-packet-rate" arg /* Name of two-packet-rate three-color policer to use to rate-limit traffic */ ) ) ), "hierarchical-policer" arg /* Name of hierarchical policer to use to rate-limit traffic */ ), "vlan" arg /* Name of VLAN - (Ingress only) */, "interface" ( /* Switch traffic to the specified interface by-passing switching lookup - (Ingress only) */ interface_unit /* Switch traffic to the specified interface by-passing switching lookup - (Ingress only) */ ), "vxlan" /* Vxlan related data */ ) ), "template" /* Refer a template */ ) ) ) ) end rule(:es_template) do arg.as(:arg) ( c( "attributes" ( /* Template attributes */ c( "ip-version" ( /* Define IP version */ c( "ipv4" ( /* Define L3/L4 match items to match IPv4 packets */ c( "destination-port" /* Match TCP/UDP destination port */, "destination-prefix-list" /* Match IP destination prefixes in named list */, "dscp" /* Match Differentiated Services (DiffServ) code point */, "fragment-flags" /* Match fragment flags */, "icmp-code" /* Match ICMP message code */, "icmp-type" /* Match ICMP message type */, "ip-destination-address" /* Match IP destination address */, "ip-precedence" /* Match IP precedence value */, "ip-protocol" /* Match IP protocol type */, "ip-source-address" /* Match IP source address */, "is-fragment" /* Match if packet is a fragment */, "source-port" /* Match TCP/UDP source port */, "source-prefix-list" /* Match IP source prefixes in named list */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" /* Match TCP flags */, "tcp-initial" /* Match initial packet of a TCP connection */ ) ), "ipv6" ( /* Define L3/L4 match items to match IPv6 packets */ c( "destination-port" /* Match TCP/UDP destination port */, "destination-prefix-list" /* Match IP destination prefixes in named list */, "icmp-code" /* Match ICMP message code */, "icmp-type" /* Match ICMP message type */, "ip6-destination-address" /* Match destination address */, "ip6-source-address" /* Match source address */, "next-header" /* Match next header protocol type */, "source-port" /* Match TCP/UDP source port */, "source-prefix-list" /* Match IP source prefixes in named list */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" /* Match TCP flags */, "tcp-initial" /* Match initial packet of a TCP connection */, "traffic-class" /* Match Differentiated Services (DiffServ) code point */ ) ) ) ), "arp-type" /* Match ARP type */, "destination-mac-address" /* Match MAC destination address */, "destination-port" /* Match TCP/UDP destination port */, "destination-prefix-list" /* Match IP destination prefixes in named list */, "dscp" /* Match Differentiated Services (DiffServ) code point */, "ether-type" /* Match Ethernet Type */, "fragment-flags" /* Match fragment flags */, "icmp-code" /* Match ICMP message code */, "icmp-type" /* Match ICMP message type */, "interface" /* Match interface name */, "ip-destination-address" /* Match IP destination address */, "ip-precedence" /* Match IP precedence value */, "ip-protocol" /* Match IP protocol type */, "ip-source-address" /* Match IP source address */, "is-fragment" /* Match if packet is a fragment */, "l2-encap-type" /* Match Ethernet Encapsulation Type */, "learn-vlan-id" /* Match Learnt VLAN ID */, "source-mac-address" /* Match MAC source address */, "source-port" /* Match TCP/UDP source port */, "source-prefix-list" /* Match IP source prefixes in named list */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" /* Match TCP flags */, "tcp-initial" /* Match initial packet of a TCP connection */, "user-vlan-1p-priority" /* Match User 802.1p VLAN priority */, "user-vlan-id" /* Match User VLAN ID */ ) ) ) ) end rule(:ethernet_switching_type) do c( "port-mode" arg /* Type of port mode */, "interface-mode" ( /* Type of interface mode */ ("access" | "trunk") ), "inter-switch-link" /* PVLAN inter switch link */, "reflective-relay" /* Reflective-relay mode for this interface */, c( "vlan" ( /* Virtual LAN parameters */ c( "members" ( /* Membership for this interface (name or id) */ ("all" | arg) ) ) ), "inner-vlan" ( /* Trunk mode vlan membership for this interface */ c( "members" ( /* Membership for this interface (name or id) */ ("all" | arg) ) ) ), "inner-vlan-id-list" arg /* Trunk mode VLAN membership for this interface based on inner VLAN tag */ ), "vlan-auto-sense" /* Enable VLAN auto sense on this interface */, "bridge-domain-type" ( /* Bridge domain type */ ("svlan" | "bvlan") ), "vlan-rewrite" ( /* Specify VLAN translation */ c( "translate" arg ( /* Translate incoming VLAN tag */ sc( arg ) ).as(:oneline) ) ), "native-vlan-id" arg /* Untagged packets on a trunk/tagged-access interface belong to this vlan */, c( "isid-list" arg /* Specify the ISID list */ ), "core-facing" /* Interface is core facing */, "filter" ( /* Packet filtering */ c( "input" arg /* Name of filter applied to received packets */, "input-precedence" arg /* Precedence of the filter */, "input-list" arg /* List of filter modules applied to received packets */, "output" arg /* Name of filter applied to transmitted packets */, "output-precedence" arg /* Precedence of the filter */, "output-list" arg /* List of filter modules applied to transmitted packets */, "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */ ) ), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "storm-control" ( /* Storm control profile name to bind */ c( arg /* Profile name */ ) ), "recovery-timeout" ( /* Recovery timeout for this interface */ sc( arg ) ).as(:oneline) ) end rule(:ethernet_policer) do c( c( "bandwidth-limit" arg /* Bandwidth limit */ ), "burst-size-limit" arg /* Burst size limit */ ) end rule(:extension_list_type) do arg.as(:arg) ( c( "value" arg /* Configure value of extension-list object */ ) ) end rule(:family) do c( "inet" ( /* IPv4 parameters */ c( c( "dhcp" /* Enable DHCP on ethernet interface */, "address" ( /* Interface address/destination prefix */ ipv4prefix /* Interface address/destination prefix */ ) ) ) ) ) end rule(:fibre_channel_type) do c( "port-mode" ( /* Port mode */ ("f-port" | "e-port" | "np-port" | "auto") ), "no-npiv" /* Disable NPIV */, "fc-fabric" ( /* Virtual fabric parameters */ c( "members" ( /* Virtual Fabric Membership for this interface (name or id) */ ("all" | arg) ) ) ), "native-fabric" arg /* FC frames with no virtual fabric header on a interface belong to this fabric */ ) end rule(:firewall_addr6_object) do arg.as(:arg) ( c( "except" /* Match address not in this prefix */ ) ).as(:oneline) end rule(:firewall_addr_object) do arg.as(:arg) ( c( "except" /* Match address not in this prefix */ ) ).as(:oneline) end rule(:firewall_flexible_match) do arg.as(:arg) ( c( "match-start" ( /* Start point to match in packet */ ("layer-2" | "layer-3" | "layer-4" | "payload") ), "byte-offset" arg /* Byte offset after the match start point */, "bit-offset" arg /* Bit offset after the (match-start + byte) offset */, "bit-length" arg /* Length of the data to be matched in bits, not needed for string input */ ) ) end rule(:firewall_hierpolicer) do arg.as(:arg) ( c( c( "logical-interface-policer" /* Hierarchical policer is a logical interface policer */, "physical-interface-policer" /* Hierarchical policer is a physical interface policer */ ), "shared-bandwidth-policer" /* Share policer bandwidth among bundle links */, "filter-specific" /* Hierarchical policer is filter-specific */, "aggregate" ( /* Aggregate definition */ hierarchical_policer_aggregate_bucket /* Aggregate definition */ ), "premium" ( /* Premium definition */ hierarchical_policer_premium_bucket /* Premium definition */ ) ) ) end rule(:firewall_load_balance_group) do arg.as(:arg) ( c( "next-hop-group" arg /* Use specified next-hop group */ ) ) end rule(:firewall_mac_addr_object) do arg.as(:arg) ( c( "except" /* Match MAC address not in this range */ ) ).as(:oneline) end rule(:firewall_policer) do arg.as(:arg) ( c( "filter-specific" /* Policer is filter-specific */, "logical-interface-policer" /* Policer is logical interface policer */, "physical-interface-policer" /* Policer is physical interface policer */, "logical-bandwidth-policer" /* Policer uses logical interface bandwidth */, "shared-bandwidth-policer" /* Share policer bandwidth among bundle links */, c( "if-exceeding" ( /* Define rate limits */ c( c( "bandwidth-limit" arg /* Bandwidth limit */, "bandwidth-percent" arg /* Bandwidth limit in percentage */ ), "burst-size-limit" arg /* Burst size limit */, "aggregate-policing" /* Configure Aggregate Policer */ ) ), "if-exceeding-pps" /* Define pps limits */ ), "counter" /* Define policer counter configuration */, "then" ( /* Action to take if the rate limits are exceeded */ c( "discard" /* Discard the packet */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "out-of-profile" /* Discard packets only if both congested and over threshold */ ) ), "aggregate" /* Aggregate policer used in Extended Hierarchical Policers */ ) ) end rule(:firewall_prefix_list) do arg.as(:arg) ( c( "except" /* Match addresses not in this prefix list */ ) ).as(:oneline) end rule(:flow_filter_type) do arg.as(:arg) ( c( "protocol" ( /* Match IP protocol type */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "source-prefix" ( /* Source IP address prefix */ ipprefix /* Source IP address prefix */ ), "destination-prefix" ( /* Destination IP address prefix */ ipprefix /* Destination IP address prefix */ ), "conn-tag" arg /* Session connection tag */, "logical-system" arg /* Logical system */, "source-port" ( /* Match TCP/UDP source port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port" ( /* Match TCP/UDP destination port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "interface" ( /* Source logical interface */ interface_name /* Source logical interface */ ) ) ) end rule(:hierarchical_policer_aggregate_bucket) do c( c( "if-exceeding" ( /* Define rate limits */ c( c( "bandwidth-limit" arg /* Bandwidth limit */ ), "burst-size-limit" arg /* Burst size limit */ ) ), "if-exceeding-pps" /* Define pps limits */ ), "then" ( /* Action to take if the rate limits are exceeded */ c( c( "discard" /* Discard the packet */, "loss-priority" arg /* Packet's loss priority */, "forwarding-class" arg /* Classify packet to forwarding class */ ) ) ) ) end rule(:hierarchical_policer_premium_bucket) do c( c( "if-exceeding" ( /* Define rate limits */ c( c( "bandwidth-limit" arg /* Bandwidth limit */ ), "burst-size-limit" arg /* Burst size limit */ ) ), "if-exceeding-pps" /* Define pps limits */ ), "then" ( /* Action to take if the rate limits are exceeded */ c( c( "discard" /* Discard the packet */ ) ) ) ) end rule(:host_object) do c( "port" arg /* Host port number */, "routing-instance" arg /* Routing-instance name */, ipaddr /* IP address */ ) end rule(:icap_profile_object) do arg.as(:arg) ( c( "server" ( /* Configure service redirection server */ icap_redir_server /* Configure service redirection server */ ), "http" ( /* ICAP methods switch */ http_redirect_object /* ICAP methods switch */ ), "fallback-option" ( /* Failure event actions */ icap_redirect_fallback /* Failure event actions */ ), "timeout" arg /* Server response timeout in milliseconds */ ) ) end rule(:http_redirect_object) do c( "redirect-request" /* Enable redirect service on HTTP request */, "redirect-response" /* Enable redirect service on HTTP response */ ) end rule(:icap_redir_server) do arg.as(:arg) ( c( "authorization" ( /* User authentication */ c( "authorization-type" arg /* Authentication type. 'Basic' by default */, "credentials" ( /* Credentials text */ sc( c( "ascii" arg /* ASCII string */, "base64" arg /* Base64 string */ ) ) ).as(:oneline) ) ), "host" arg /* Host name/IP address */, "port" arg /* Server listening port */, "reqmod-uri" arg /* REQMOD option resource identifier */, "respmod-uri" arg /* RESPMOD option resource identifier */, "routing-instance" ( /* Routing instance */ sc( arg ) ).as(:oneline), "sockets" arg /* Number of connections to create */, "tls-profile" arg /* TLS profile */ ) ) end rule(:icap_redirect_fallback) do c( "timeout" ( /* Request timeout action */ ("permit" | "log-permit" | "block") ), "connectivity" ( /* Connection-related failure action */ ("permit" | "log-permit" | "block") ), "default-action" ( /* Default failure action */ ("permit" | "log-permit" | "block") ) ) end rule(:icap_redirect_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "icap-redirect-re" | "icap-redirect-control" | "icap-redirect-connection" | "icap-redirect-protocol")) /* Trace flags */.as(:oneline) ) end rule(:idp_policy_type) do arg.as(:arg) ( c( "rulebase-ips" ( /* IPS rulebase */ c( "rule" arg ( /* Configure IPS rule */ c( "description" arg /* Rule description */, "match" ( /* Rule match criteria */ c( "from-zone" ( /* Match from zone */ ("any" | arg) ), c( "source-address" ( /* Match source address */ ("any" | "any-ipv4" | "any-ipv6" | arg) ), "source-except" ( /* Don't match source address */ (arg) ), "source-prefix" /* Match source address */, "source-prefix-except" /* Don't match source address */ ), "to-zone" ( /* Match to zone */ ("any" | arg) ), c( "destination-address" ( /* Match destination address */ ("any" | "any-ipv4" | "any-ipv6" | arg) ), "destination-except" ( /* Don't match destination address */ (arg) ), "destination-prefix" /* Match destination address */, "destination-prefix-except" /* Don't match destination address */ ), "application" ( /* Specify application or application-set name to match */ ("any" | "default" | arg) ), "attacks" ( /* Match attack objects */ c( "custom-attacks" arg /* Custom attacks */, "custom-attack-groups" arg /* Custom attack groups */, "dynamic-attack-groups" arg /* Dynamic attack groups */, "predefined-attacks" arg /* Predefined attacks */, "predefined-attack-groups" arg /* Predefined attack groups */ ) ) ) ), "then" ( c( "action" ( c( c( "no-action" /* No action */, "ignore-connection" /* Ignore */, "mark-diffserv" ( /* Mark differentiated services codepoint (DSCP) */ c( arg ) ), "class-of-service" ( /* Classification of traffic based on class-of-service */ c( "forwarding-class" arg /* Forwarding class for outgoing packets */, "dscp-code-point" arg /* Differentiated services code point value */ ) ), "drop-packet" /* Drop packet */, "drop-connection" /* Drop connection */, "close-client" /* Close client */, "close-server" /* Close server */, "close-client-and-server" /* Close client and server */, "recommended" /* Recommended */ ) ) ), "ip-action" ( c( c( "ip-notify" /* Notify about future traffic */, "ip-close" /* Close future connections */, "ip-block" /* Block future connections */ ), "target" ( ("service" | "source-zone-address" | "source-address" | "destination-address" | "zone-service" | "source-zone") ), "log" /* Log IP action taken */, "log-create" /* Log IP action creation */, "timeout" arg /* Number of seconds IP action should remain effective */, "refresh-timeout" /* Refresh timeout when future connections match installed ip-action filter */ ) ), "notification" ( /* Configure notification/logging options */ c( "log-attacks" ( /* Enable attack logging */ c( "alert" /* Set alert flag in attack log */ ) ), "packet-log" ( c( "pre-attack" arg /* No of packets to capture before attack */, "post-attack" arg /* No of packets to capture after attack */, "post-attack-timeout" arg /* Timeout (seconds) after attack before stopping packet capture */ ) ) ) ), "severity" ( /* Set rule severity level */ ("info" | "warning" | "minor" | "major" | "critical") ) ) ), "terminal" /* Set/Unset terminal flag */ ) ) ) ), "rulebase-exempt" ( /* Exempt rulebase */ c( "rule" arg ( /* Configure exempt rule */ c( "description" arg /* Rule description */, "match" ( /* Rule match criteria */ c( "from-zone" ( /* Match from zone */ ("any" | arg) ), c( "source-address" ( /* Match source address */ ("any" | "any-ipv4" | "any-ipv6" | arg) ), "source-except" ( /* Don't match source address */ (arg) ), "source-prefix" /* Match source address */, "source-prefix-except" /* Don't match source address */ ), "to-zone" ( /* Match to zone */ ("any" | arg) ), c( "destination-address" ( /* Match destination address */ ("any" | "any-ipv4" | "any-ipv6" | arg) ), "destination-except" ( /* Don't match destination address */ (arg) ), "destination-prefix" /* Match destination address */, "destination-prefix-except" /* Don't match destination address */ ), "attacks" ( /* Match attack objects */ c( "custom-attacks" arg /* Custom attacks */, "custom-attack-groups" arg /* Custom attack groups */, "dynamic-attack-groups" arg /* Dynamic attack groups */, "predefined-attacks" arg /* Predefined attacks */, "predefined-attack-groups" arg /* Predefined attack groups */ ) ) ) ) ) ) ) ) ) ) end rule(:idpd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all")) /* Events and other information to include in trace output */.as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ) ) end rule(:ids_option_type) do arg.as(:arg) ( c( "description" arg /* Text description of screen */, "alarm-without-drop" /* Do not drop packet, only generate alarm */, "match-direction" ( /* Match direction */ ("input" | "output" | "input-output") ), "icmp" ( /* Configure ICMP ids options */ c( "ip-sweep" ( /* Configure ip sweep ids option */ sc( "threshold" arg /* Threshold */ ) ).as(:oneline), "fragment" /* Enable ICMP fragment ids option */, "large" /* Enable large ICMP packet (size > 1024) ids option */, "flood" ( /* Configure icmp flood ids option */ sc( "threshold" arg /* Threshold */ ) ).as(:oneline), "ping-death" /* Enable ping of death ids option */, "icmpv6-malformed" /* Enable icmpv6 malformed ids option */ ) ), "ip" ( /* Configure IP layer ids options */ c( "bad-option" /* Enable ip with bad option ids option */, "record-route-option" /* Enable ip with record route option ids option */, "timestamp-option" /* Enable ip with timestamp option ids option */, "security-option" /* Enable ip with security option ids option */, "stream-option" /* Enable ip with stream option ids option */, "spoofing" /* Enable IP address spoofing ids option */, "source-route-option" /* Enable ip source route ids option */, "loose-source-route-option" /* Enable ip with loose source route ids option */, "strict-source-route-option" /* Enable ip with strict source route ids option */, "unknown-protocol" /* Enable ip unknown protocol ids option */, "block-frag" /* Enable ip fragment blocking ids option */, "tear-drop" /* Enable tear drop ids option */, "ipv6-extension-header" ( /* Configure ipv6 extension header ids option */ c( "hop-by-hop-header" ( /* Enable ipv6 hop by hop option header ids option */ c( "jumbo-payload-option" /* Enable jumbo payload option ids option */, "router-alert-option" /* Enable router alert option ids option */, "quick-start-option" /* Enable quick start option ids option */, "CALIPSO-option" /* Enable Common Architecture Label ipv6 Security Option ids option */, "SMF-DPD-option" /* Enable Simplified Multicast Forwarding ipv6 Duplicate Packet Detection option ids option */, "RPL-option" /* Enable Routing Protocol for Low-power and Lossy networks option ids option */, "user-defined-option-type" arg ( /* User-defined option type range */ sc( "to" ( /* Upper limit of option type range */ c( arg ) ) ) ).as(:oneline) ) ), "routing-header" /* Enable ipv6 routing header ids option */, "fragment-header" /* Enable ipv6 fragment header ids option */, "ESP-header" /* Enable ipv6 Encapsulating Security Payload header ids option */, "AH-header" /* Enable ipv6 Authentication Header ids option */, "no-next-header" /* Enable ipv6 no next header ids option */, "destination-header" ( /* Enable ipv6 destination option header ids option */ c( "tunnel-encapsulation-limit-option" /* Enable tunnel encapsulation limit option ids option */, "home-address-option" /* Enable home address option ids option */, "ILNP-nonce-option" /* Enable Identifier-Locator Network Protocol Nonce option ids option */, "line-identification-option" /* Enable line identification option ids option */, "user-defined-option-type" arg ( /* User-defined option type range */ sc( "to" ( /* Upper limit of option type range */ c( arg ) ) ) ).as(:oneline) ) ), "shim6-header" /* Enable ipv6 shim header ids option */, "mobility-header" /* Enable ipv6 mobility header ids option */, "HIP-header" /* Enable ipv6 Host Identify Protocol header ids option */, "user-defined-header-type" arg ( /* User-defined header type range */ sc( "to" ( /* Upper limit of header type range */ c( arg ) ) ) ).as(:oneline) ) ), "ipv6-extension-header-limit" arg /* Enable ipv6 extension header limit ids option */, "ipv6-malformed-header" /* Enable ipv6 malformed header ids option */, "tunnel" ( /* Configure IP tunnel ids options */ c( "bad-inner-header" /* Enable IP tunnel bad inner header ids option */, "gre" ( /* Configure IP tunnel GRE ids option */ c( "gre-6in4" /* Enable IP tunnel GRE 6in4 ids option */, "gre-4in6" /* Enable IP tunnel GRE 4in6 ids option */, "gre-6in6" /* Enable IP tunnel GRE 6in6 ids option */, "gre-4in4" /* Enable IP tunnel GRE 4in4 ids option */ ) ), "ip-in-udp" ( /* Configure IP tunnel IPinUDP ids option */ c( "teredo" /* Enable IP tunnel IPinUDP Teredo ids option */ ) ), "ipip" ( /* Configure IP tunnel IPIP ids option */ c( "ipip-6to4relay" /* Enable IP tunnel IPIP 6to4 Relay ids option */, "ipip-6in4" /* Enable IP tunnel IPIP 6in4 ids option */, "ipip-4in6" /* Enable IP tunnel IPIP 4in6 ids option */, "ipip-4in4" /* Enable IP tunnel IPIP 4in4 ids option */, "ipip-6in6" /* Enable IP tunnel IPIP 6in6 ids option */, "ipip-6over4" /* Enable IP tunnel IPIP 6over4 ids option */, "isatap" /* Enable IP tunnel IPIP ISATAP ids option */, "dslite" /* Enable IP tunnel IPIP DS-Lite ids option */ ) ) ) ) ) ), "tcp" ( /* Configure TCP Layer ids options */ c( "syn-fin" /* Enable SYN and FIN bits set attack ids option */, "fin-no-ack" /* Enable Fin bit with no ACK bit ids option */, "tcp-no-flag" /* Enable TCP packet without flag ids option */, "syn-frag" /* Enable SYN fragment ids option */, "port-scan" ( /* Configure TCP port scan ids option */ sc( "threshold" arg /* Threshold */ ) ).as(:oneline), "syn-ack-ack-proxy" ( /* Configure syn-ack-ack proxy ids option */ sc( "threshold" arg /* Threshold */ ) ).as(:oneline), "syn-flood" ( /* Configure SYN flood ids option */ c( "alarm-threshold" arg /* Alarm threshold */, "attack-threshold" arg /* Attack threshold */, "source-threshold" arg /* Source threshold */, "destination-threshold" arg /* Destination threshold */, "queue-size" arg /* Queue size */, "timeout" arg /* SYN flood ager timeout */, "white-list" arg ( /* Set of IP addresses that will not trigger a screen */ c( "source-address" ( /* Source address */ ipprefix /* Source address */ ), "destination-address" ( /* Destination address */ ipprefix /* Destination address */ ) ) ) ) ), "land" /* Enable land attack ids option */, "winnuke" /* Enable winnuke attack ids option */, "tcp-sweep" ( /* Configure TCP sweep ids option */ sc( "threshold" arg /* Threshold */ ) ).as(:oneline) ) ), "udp" ( /* Configure UDP layer ids options */ c( "flood" ( /* Configure UDP flood ids option */ c( "threshold" arg /* Threshold */, "white-list" arg /* Configure UDP flood white list group name */ ) ), "udp-sweep" ( /* Configure UDP sweep ids option */ sc( "threshold" arg /* Threshold */ ) ).as(:oneline), "port-scan" ( /* Configure UDP port scan ids option */ sc( "threshold" arg /* Threshold */ ) ).as(:oneline) ) ), "limit-session" ( /* Limit sessions */ c( "source-ip-based" arg /* Limit sessions from the same source IP */, "destination-ip-based" arg /* Limit sessions to the same destination IP */, "by-source" ( /* Limit sessions from the same source IP or subnet */ c( "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, "packet-rate" arg /* Limit sessions on the basis of packet rate */, "session-rate" arg /* Limit sessions on the basis of session rate */, "by-protocol" ( /* Limit sessions on the basis of protocol */ by_protocol_object_type /* Limit sessions on the basis of protocol */ ) ) ), "by-destination" ( /* Limit sessions to the same destination IP or subnet */ c( "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, "packet-rate" arg /* Limit sessions on the basis of packet rate */, "session-rate" arg /* Limit sessions on the basis of session rate */, "by-protocol" ( /* Limit sessions on the basis of protocol */ by_protocol_object_type /* Limit sessions on the basis of protocol */ ) ) ) ) ) ) ) end rule(:by_protocol_object_type) do c( "tcp" ( /* Configure limit-session on the basis of TCP */ c( "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, "packet-rate" arg /* Limit sessions on the basis of packet rate */, "session-rate" arg /* Limit sessions on the basis of session rate */ ) ), "udp" ( /* Configure limit-session on the basis of UDP */ c( "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, "packet-rate" arg /* Limit sessions on the basis of packet rate */, "session-rate" arg /* Limit sessions on the basis of session rate */ ) ), "icmp" ( /* Configure limit-session on the basis of ICMP */ c( "maximum-sessions" arg /* Limit sessions on the basis of maximum concurrent sessions */, "packet-rate" arg /* Limit sessions on the basis of packet rate */, "session-rate" arg /* Limit sessions on the basis of session rate */ ) ) ) end rule(:ids_wlist_type) do arg.as(:arg) ( c( "address" ( /* Address */ ipprefix /* Address */ ) ) ) end rule(:inet6_dialer_filter) do arg.as(:arg) ( c( "accounting-profile" arg /* Accounting profile name */, "term" arg ( /* Define a firewall term */ c( "from" ( /* Define match criteria */ c( "source-address" ( /* Match source address */ firewall_addr6_object /* Match source address */ ), "destination-address" ( /* Match destination address */ firewall_addr6_object /* Match destination address */ ), "address" ( /* Match source or destination address */ firewall_addr6_object /* Match source or destination address */ ), "source-prefix-list" ( /* Match source prefixes in named list */ firewall_prefix_list /* Match source prefixes in named list */ ), "destination-prefix-list" ( /* Match destination prefixes in named list */ firewall_prefix_list /* Match destination prefixes in named list */ ), "prefix-list" ( /* Match source or destination prefixes in named list */ firewall_prefix_list /* Match source or destination prefixes in named list */ ), c( "packet-length" arg, "packet-length-except" arg ), c( "next-header" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "next-header-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "icmp-type" ( ("destination-unreachable" | "packet-too-big" | "time-exceeded" | "parameter-problem" | "echo-request" | "echo-reply" | "membership-query" | "membership-report" | "membership-termination" | "router-solicit" | "router-advertisement" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | "inverse-neighbor-discovery-solicitation" | "inverse-neighbor-discovery-advertisement" | "home-agent-address-discovery-request" | "home-agent-address-discovery-reply" | "mobile-prefix-solicitation" | "mobile-prefix-advertisement-reply" | "certificate-path-solicitation" | "certificate-path-advertisement" | "private-experimentation-100" | "private-experimentation-101" | "private-experimentation-200" | "private-experimentation-201" | arg) ), "icmp-type-except" ( ("destination-unreachable" | "packet-too-big" | "time-exceeded" | "parameter-problem" | "echo-request" | "echo-reply" | "membership-query" | "membership-report" | "membership-termination" | "router-solicit" | "router-advertisement" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | "inverse-neighbor-discovery-solicitation" | "inverse-neighbor-discovery-advertisement" | "home-agent-address-discovery-request" | "home-agent-address-discovery-reply" | "mobile-prefix-solicitation" | "mobile-prefix-advertisement-reply" | "certificate-path-solicitation" | "certificate-path-advertisement" | "private-experimentation-100" | "private-experimentation-101" | "private-experimentation-200" | "private-experimentation-201" | arg) ) ), c( "icmp-code" ( ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ), "icmp-code-except" ( ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( "log" /* Log the packet */, "syslog" /* System log (syslog) information about the packet */, "sample" /* Sample the packet */, c( "note" /* Interested ISDN packet */, "ignore" /* Non-interested ISDN packet */ ) ) ) ) ) ) ) end rule(:inet6_filter) do arg.as(:arg) ( c( "promote" arg /* Promote a firewall match to PFM */, "accounting-profile" arg /* Accounting profile name */, "interface-specific" /* Defined counters are interface specific */, "scale-optimized" /* Improve filter prefix scale */, "enhanced-mode" /* Define filter for chassis network-services enhanced mode */, "interface-shared" /* Filter is interface-shared */, "enhanced-mode-override" /* Override the default chassis network-services enhanced mode for dynamic filter */, "physical-interface-filter" /* Filter is physical interface filter */, "fast-lookup-filter" /* Configure filter in the fast lookup hardware block */, "instance-shared" /* Filter is routing-instance shared */, "term" arg ( /* Define a firewall term */ c( "filter" arg /* Filter to include */, "from" ( /* Define match criteria */ c( c( "destination-class" arg, "destination-class-except" arg ), c( "source-class" arg, "source-class-except" arg ), c( "interface-group" arg, "interface-group-except" arg ), "source-address" ( /* Match source address */ firewall_addr6_object /* Match source address */ ), "destination-address" ( /* Match destination address */ firewall_addr6_object /* Match destination address */ ), "address" ( /* Match source or destination address */ firewall_addr6_object /* Match source or destination address */ ), "source-prefix-list" ( /* Match source prefixes in named list */ firewall_prefix_list /* Match source prefixes in named list */ ), "destination-prefix-list" ( /* Match destination prefixes in named list */ firewall_prefix_list /* Match destination prefixes in named list */ ), "prefix-list" ( /* Match source or destination prefixes in named list */ firewall_prefix_list /* Match source or destination prefixes in named list */ ), c( "next-header" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "next-header-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "payload-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "payload-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "extension-header" ( ("any" | "hop-by-hop" | "routing" | "mobility" | "esp" | "fragment" | "dstopts" | "ah" | arg) ), "extension-header-except" ( ("any" | "hop-by-hop" | "routing" | "mobility" | "esp" | "fragment" | "dstopts" | "ah" | arg) ) ), c( "packet-length" arg, "packet-length-except" arg ), c( "traffic-class" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "traffic-class-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "icmp-type" ( ("destination-unreachable" | "packet-too-big" | "time-exceeded" | "parameter-problem" | "echo-request" | "echo-reply" | "membership-query" | "membership-report" | "membership-termination" | "router-solicit" | "router-advertisement" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | "inverse-neighbor-discovery-solicitation" | "inverse-neighbor-discovery-advertisement" | "home-agent-address-discovery-request" | "home-agent-address-discovery-reply" | "mobile-prefix-solicitation" | "mobile-prefix-advertisement-reply" | "certificate-path-solicitation" | "certificate-path-advertisement" | "private-experimentation-100" | "private-experimentation-101" | "private-experimentation-200" | "private-experimentation-201" | arg) ), "icmp-type-except" ( ("destination-unreachable" | "packet-too-big" | "time-exceeded" | "parameter-problem" | "echo-request" | "echo-reply" | "membership-query" | "membership-report" | "membership-termination" | "router-solicit" | "router-advertisement" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | "inverse-neighbor-discovery-solicitation" | "inverse-neighbor-discovery-advertisement" | "home-agent-address-discovery-request" | "home-agent-address-discovery-reply" | "mobile-prefix-solicitation" | "mobile-prefix-advertisement-reply" | "certificate-path-solicitation" | "certificate-path-advertisement" | "private-experimentation-100" | "private-experimentation-101" | "private-experimentation-200" | "private-experimentation-201" | arg) ) ), c( "icmp-code" ( ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ), "icmp-code-except" ( ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ) ), "tcp-initial" /* Match initial packet of a TCP connection */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) */, "interface" ( /* Match interface name */ match_interface_object /* Match interface name */ ), "interface-set" ( /* Match interface in set */ match_interface_set_object /* Match interface in set */ ), c( "forwarding-class" arg, "forwarding-class-except" arg ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), "service-filter-hit" /* Match if service-filter-hit is set */, c( "hop-limit" arg, "hop-limit-except" arg ), "is-fragment" /* Match if packet is a fragment */, "first-fragment" /* Match if packet is first fragment */, "last-fragment" /* Match if packet is last fragment */, c( "flexible-match-mask" ( /* Match flexible mask */ match_l3_flexible_mask /* Match flexible mask */ ) ), c( "flexible-match-range" ( /* Match flexible range */ match_l3_flexible_range /* Match flexible range */ ) ), c( "gre-key" arg, "gre-key-except" arg ), c( "policy-map" arg, "policy-map-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "single-packet-rate" arg /* Name of single-packet-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */, "two-packet-rate" arg /* Name of two-packet-rate three-color policer to use to rate-limit traffic */ ) ) ), "hierarchical-policer" arg /* Name of hierarchical policer to use to rate-limit traffic */ ), c( "clear-policy-map" /* Clear the policy marking */, "policy-map" arg /* Policy map action */ ), c( "traffic-class-count" arg /* Count the packet in the named traffic-class counter */, "count" arg /* Count the packet in the named counter */ ), "service-accounting" /* Count the packets for service accounting */, "service-accounting-deferred" /* Count the packets for deferred service accounting */, "log" /* Log the packet */, "pkt-trace" /* Trace packet forwarding */, "syslog" /* System log (syslog) information about the packet */, "sample" /* Sample the packet */, "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "port-mirror" /* Port-mirror the packet */, "analyzer" arg /* Name of analyzer */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "traffic-class" arg /* Set traffic-class code point */, "skip-services" /* Skip the services */, "service-filter-hit" /* Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters */, "force-premium" /* When this bit is marked, traffic is considered as premium by the following hierarchical policer */, "exclude-accounting" /* When this is marked, traffic is excluded from accurate accounting */, c( "decapsulate" /* Terminate a tunnel */.as(:oneline), "encapsulate" /* Send to a tunnel */.as(:oneline), "accept" /* Accept the packet */, "discard" /* Discard the packet */, "next" ( /* Continue to next term in a filter */ ("term") ), "next-hop-group" arg /* Use specified next-hop group */, "logical-system" ( /* Packets are directed to specified logical system */ s( arg, c( "routing-instance" ( /* Packets are directed to specified routing instance */ sc( arg /* Name of routing instance */, "topology" arg /* Packets are directed to specified topology */ ) ).as(:oneline), "topology" arg /* Packets are directed to specified topology */ ) ) ).as(:oneline), "routing-instance" ( /* Packets are directed to specified routing instance */ sc( arg /* Name of routing instance */, "topology" arg /* Packets are directed to specified topology */ ) ).as(:oneline), "topology" arg /* Packets are directed to specified topology */, "next-ip6" /* Packets are directed to specified the specified ipv6 address */.as(:oneline), "next-interface" /* Packets are to be routed through the specified interface */, "reject" ( /* Reject the packet */ sc( c( "no-route" /* Send ICMPv6 No Route message */, "administratively-prohibited" /* Send ICMPv6 Administratively Prohibited message */, "beyond-scope" /* Send ICMPv6 Beyond Scope of Source Address message */, "address-unreachable" /* Send ICMPv6 Address Unreachable message */, "port-unreachable" /* Send ICMPv6 Port Unreachable message */, "tcp-reset" /* Send TCP Reset message */, "network-unreachable" /* Send ICMPv4 Network Unreachable message */, "host-unreachable" /* Send ICMPv4 Host Unreachable message */, "protocol-unreachable" /* Send ICMPv4 Protocol Unreachable message */, "source-route-failed" /* Send ICMPv4 Source Route Failed message */, "network-unknown" /* Send ICMPv4 Network Unknown message */, "host-unknown" /* Send ICMPv4 Host Unknown message */, "source-host-isolated" /* Send ICMPv4 Source Host Isolated message */, "network-prohibited" /* Send ICMPv4 Network Prohibited message */, "host-prohibited" /* Send ICMPv4 Host Prohibited message */, "bad-network-tos" /* Send ICMPv4 Bad Network ToS message */, "bad-host-tos" /* Send ICMPv4 Bad Host ToS message */, "precedence-violation" /* Send ICMPv4 Precedence Violation message */, "precedence-cutoff" /* Send ICMPv4 Precedence Cutoff message */ ) ) ).as(:oneline) ) ) ), "template" /* Refer a template */ ) ) ) ) end rule(:inet6_fuf) do arg.as(:arg) ( c( "interface-specific" /* Defined counters are interface specific */, "match-order" ( ("next-header" | "payload-protocol" | "source-address" | "destination-address" | "source-port" | "destination-port" | "traffic-class") ), "term" arg ( /* One or more firewall terms */ c( "only-at-create" /* Add term only when filter is first created. */, "from" ( /* Match criteria */ c( "source-address" ( /* Match source IP address */ firewall_addr6_simple_object /* Match source IP address */ ), "destination-address" ( /* Match destination IP address */ firewall_addr6_simple_object /* Match destination IP address */ ), c( "source-port" ( /* Match TCP/UDP source port */ match_simple_port_value /* Match TCP/UDP source port */ ) ), c( "destination-port" ( /* Match TCP/UDP destination port */ match_simple_port_value /* Match TCP/UDP destination port */ ) ), c( "next-header" ( /* Match next header protocol type */ match_simple_protocol_value /* Match next header protocol type */ ) ), c( "payload-protocol" ( /* Match payload protocol type */ match_simple_payload_protocol_value /* Match payload protocol type */ ) ), c( "traffic-class" ( /* Match Differentiated Services (DiffServ) code point */ match_simple_dscp_value /* Match Differentiated Services (DiffServ) code point */ ) ), "match-terms" arg /* Dynamically supplied list of match criteria */ ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */ ), "count" arg /* Count the packet in the named counter */, "service-accounting" /* Count the packets for service accounting */, "log" /* Log the packet */, "port-mirror" /* Port-mirror the packet */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "action-terms" arg /* Dynamically supplied list of actions */, c( "accept" /* Accept the packet */, "discard" /* Discard the packet */, "routing-instance" ( /* Packets are directed to specified routing instance */ sc( arg /* Name of routing instance */, "topology" arg /* Packets are directed to specified topology */ ) ).as(:oneline) ) ) ) ) ) ) ) end rule(:firewall_addr6_simple_object) do c( ipv6prefix /* Prefix to match */ ) end rule(:inet6_service_filter) do arg.as(:arg) ( c( "term" arg ( /* Service filter term */ c( "from" ( /* Match criteria */ c( c( "interface-group" arg, "interface-group-except" arg ), "source-address" ( /* Match source address */ firewall_addr6_object /* Match source address */ ), "destination-address" ( /* Match destination address */ firewall_addr6_object /* Match destination address */ ), "address" ( /* Match source or destination address */ firewall_addr6_object /* Match source or destination address */ ), "source-prefix-list" ( /* Match source prefixes in named list */ firewall_prefix_list /* Match source prefixes in named list */ ), "destination-prefix-list" ( /* Match destination prefixes in named list */ firewall_prefix_list /* Match destination prefixes in named list */ ), "prefix-list" ( /* Match source or destination prefixes in named list */ firewall_prefix_list /* Match source or destination prefixes in named list */ ), c( "next-header" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "next-header-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "payload-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "payload-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "extension-header" ( ("any" | "hop-by-hop" | "routing" | "mobility" | "esp" | "fragment" | "dstopts" | "ah" | arg) ), "extension-header-except" ( ("any" | "hop-by-hop" | "routing" | "mobility" | "esp" | "fragment" | "dstopts" | "ah" | arg) ) ), c( "esp-spi" arg, "esp-spi-except" arg ), c( "ah-spi" arg, "ah-spi-except" arg ), "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) */, c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), c( "forwarding-class" arg, "forwarding-class-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( "count" arg /* Count the packet in the named counter */, "log" /* Log the packet */, "pkt-trace" /* Pkt-Trace the packet */, "sample" /* Sample the packet */, "port-mirror" /* Port-mirror the packet */, c( "service" /* Forward packets to service processing */, "skip" /* Skip service processing */, "accept" /* Accept the packet */ ) ) ) ) ) ) ) end rule(:inet6_template) do arg.as(:arg) ( c( "attributes" ( /* Template attributes */ c( "destination-address" /* Match destination address */, "destination-port" /* Match TCP/UDP destination port */, "destination-prefix-list" /* Match destination prefixes in named list */, "flexible-match-mask" /* Match flexible mask */, "flexible-match-range" /* Match ICMP message code */, "hop-limit" /* Match Hop Limit */, "icmp-code" /* Match ICMP message code */, "icmp-type" /* Match ICMP message code */, "interface" /* Match interface name */, "next-header" /* Match next header protocol type */, "source-address" /* Match source address */, "source-port" /* Match TCP/UDP source port */, "source-prefix-list" /* Match source prefixes in named list */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" /* Match TCP flags */, "tcp-initial" /* Match initial packet of a TCP connection */, "traffic-class" /* Match Differentiated Services (DiffServ) code point */ ) ) ) ) end rule(:inet_dialer_filter) do arg.as(:arg) ( c( "accounting-profile" arg /* Accounting profile name */, "term" arg ( /* Define a firewall term */ c( "from" ( /* Define match criteria */ c( "source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), "address" ( /* Match IP source or destination address */ firewall_addr_object /* Match IP source or destination address */ ), "source-prefix-list" ( /* Match IP source prefixes in named list */ firewall_prefix_list /* Match IP source prefixes in named list */ ), "destination-prefix-list" ( /* Match IP destination prefixes in named list */ firewall_prefix_list /* Match IP destination prefixes in named list */ ), "prefix-list" ( /* Match IP source or destination prefixes in named list */ firewall_prefix_list /* Match IP source or destination prefixes in named list */ ), c( "packet-length" arg, "packet-length-except" arg ), c( "precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ), c( "dscp" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "dscp-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "ip-options" ( ("any" | "strict-source-route" | "loose-source-route" | "route-record" | "timestamp" | "router-alert" | "security" | "stream-id" | arg) ), "ip-options-except" ( ("any" | "strict-source-route" | "loose-source-route" | "route-record" | "timestamp" | "router-alert" | "security" | "stream-id" | arg) ) ), "is-fragment" /* Match if packet is a fragment */, "first-fragment" /* Match if packet is the first fragment */, c( "fragment-offset" arg, "fragment-offset-except" arg ), "fragment-flags" arg /* Match fragment flags */, c( "protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ttl" arg, "ttl-except" arg ), c( "icmp-type" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp-type-except" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ) ), c( "icmp-code" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp-code-except" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), "tcp-initial" /* Match initial packet of a TCP connection */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) */, c( "esp-spi" arg, "esp-spi-except" arg ), c( "ah-spi" arg, "ah-spi-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( "log" /* Log the packet */, "syslog" /* System log (syslog) information about the packet */, "sample" /* Sample the packet */, c( "note" /* Interested ISDN packet */, "ignore" /* Non-interested ISDN packet */ ) ) ) ) ) ) ) end rule(:inet_filter) do arg.as(:arg) ( c( "promote" arg /* Promote a firewall match to PFM */, "accounting-profile" arg /* Accounting profile name */, "interface-specific" /* Defined counters are interface specific */, "scale-optimized" /* Improve filter prefix scale */, "physical-interface-filter" /* Filter is physical interface filter */, "enhanced-mode" /* Define filter for chassis network-services enhanced mode */, "interface-shared" /* Filter is interface-shared */, "enhanced-mode-override" /* Override the default chassis network-services enhanced mode for dynamic filter */, "instance-shared" /* Filter is routing-instance shared */, "fast-lookup-filter" /* Configure filter in the fast lookup hardware block */, "term" arg ( /* Define a firewall term */ c( "filter" arg /* Filter to include */, "from" ( /* Define match criteria */ c( c( "destination-class" arg, "destination-class-except" arg ), c( "source-class" arg, "source-class-except" arg ), c( "interface-group" arg, "interface-group-except" arg ), "source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), "address" ( /* Match IP source or destination address */ firewall_addr_object /* Match IP source or destination address */ ), "source-prefix-list" ( /* Match IP source prefixes in named list */ firewall_prefix_list /* Match IP source prefixes in named list */ ), "destination-prefix-list" ( /* Match IP destination prefixes in named list */ firewall_prefix_list /* Match IP destination prefixes in named list */ ), "prefix-list" ( /* Match IP source or destination prefixes in named list */ firewall_prefix_list /* Match IP source or destination prefixes in named list */ ), c( "packet-length" arg, "packet-length-except" arg ), c( "dscp" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "dscp-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ), c( "ip-options" ( ("any" | "strict-source-route" | "loose-source-route" | "route-record" | "timestamp" | "router-alert" | "security" | "stream-id" | arg) ), "ip-options-except" ( ("any" | "strict-source-route" | "loose-source-route" | "route-record" | "timestamp" | "router-alert" | "security" | "stream-id" | arg) ) ), "is-fragment" /* Match if packet is a fragment */, "egress-to-ingress" /* Match egress fields in ingress */, "first-fragment" /* Match if packet is the first fragment */, "service-filter-hit" /* Match if service-filter-hit is set */, c( "fragment-offset" arg, "fragment-offset-except" arg ), "fragment-flags" arg /* Match fragment flags (in symbolic or hex formats) - (Ingress only) */, c( "protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ttl" arg, "ttl-except" arg ), c( "icmp-type" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp-type-except" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ) ), c( "icmp-code" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp-code-except" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), "tcp-initial" /* Match initial packet of a TCP connection */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) */, c( "esp-spi" arg, "esp-spi-except" arg ), c( "ah-spi" arg, "ah-spi-except" arg ), "interface" ( /* Match interface name */ match_interface_object /* Match interface name */ ), "interface-set" ( /* Match interface in set */ match_interface_set_object /* Match interface in set */ ), c( "forwarding-class" arg, "forwarding-class-except" arg ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), "source-port-range-optimize" /* Optimize the source port range */, "destination-port-range-optimize" /* Optimize the destination port range */, c( "rat-type" ( ("geran" | "utran" | "eutran" | arg) ), "rat-type-except" ( ("geran" | "utran" | "eutran" | arg) ) ), c( "redirect-reason" ( ("aoc" | "aolb" | "dpi") ), "redirect-reason-except" ( ("aoc" | "aolb" | "dpi") ) ), c( "gre-key" arg, "gre-key-except" arg ), c( "flexible-match-mask" ( /* Match flexible mask */ match_l3_flexible_mask /* Match flexible mask */ ) ), c( "flexible-match-range" ( /* Match flexible range */ match_l3_flexible_range /* Match flexible range */ ) ), c( "policy-map" arg, "policy-map-except" arg ), "vxlan" /* Define vxlan match items */ ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "single-packet-rate" arg /* Name of single-packet-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */, "two-packet-rate" arg /* Name of two-packet-rate three-color policer to use to rate-limit traffic */ ) ) ), "hierarchical-policer" arg /* Name of hierarchical policer to use to rate-limit traffic */ ), c( "clear-policy-map" /* Clear the policy marking */, "policy-map" arg /* Policy map action */ ), c( "traffic-class-count" arg /* Count the packet in the named traffic-class counter */, "count" arg /* Count the packet in the named counter */ ), "service-accounting" /* Count the packets for service accounting */, "skip-services" /* Skip the services */, "service-accounting-deferred" /* Count the packets for deferred service accounting */, "log" /* Log the packet */, "pkt-trace" /* Trace the packet */, "packet-mode" /* Bypass flow mode for the packet */, "syslog" /* System log (syslog) information about the packet */, "sample" /* Sample the packet */, "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "port-mirror" /* Port-mirror the packet */, "analyzer" arg /* Name of analyzer - (Ingress only) */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "service-filter-hit" /* Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters */, "force-premium" /* When this bit is marked, traffic is considered as premium by the following hierarchical policer */, "exclude-accounting" /* When this is marked, traffic is excluded from accurate accounting */, "virtual-channel" arg /* Set the output interface virtual channel */, c( "accept" /* Accept the packet */, "discard" ( /* Discard the packet */ c( "accounting" arg /* Named discard collector for packet */ ) ), "next" ( /* Continue to next term in a filter */ ("term") ), "logical-system" ( /* Packets are directed to specified logical system */ s( arg, c( "routing-instance" ( /* Packets are directed to specified routing instance */ sc( arg /* Name of routing instance */, "topology" arg /* Packets are directed to specified topology */ ) ).as(:oneline), "topology" arg /* Packets are directed to specified topology */ ) ) ).as(:oneline), "routing-instance" ( /* Packets are directed to specified routing instance */ sc( arg /* Name of routing instance */, "topology" arg /* Packets are directed to specified topology */ ) ).as(:oneline), "topology" arg /* Packets are directed to specified topology */, "next-ip" /* Packets are directed to specified the specified ipv4 address */.as(:oneline), "next-interface" /* Packets are to be routed through the specified interface */, "ipsec-sa" arg /* Use specified IPSec security association */, "next-hop-group" arg /* Use specified next-hop group */, "decapsulate" /* Terminate a tunnel */.as(:oneline), "encapsulate" /* Send to a tunnel */.as(:oneline), "reject" ( /* Reject the packet */ sc( c( "network-unreachable" /* Send ICMP Network Unreachable message */, "host-unreachable" /* Send ICMP Host Unreachable message */, "protocol-unreachable" /* Send ICMP Protocol Unreachable message */, "port-unreachable" /* Send ICMP Port Unreachable message */, "fragmentation-needed" /* Send ICMP Fragmentation Needed message */, "source-route-failed" /* Send ICMP Source Route Failed message */, "network-unknown" /* Send ICMP Network Unknown message */, "host-unknown" /* Send ICMP Host Unknown message */, "source-host-isolated" /* Send ICMP Source Host Isolated message */, "network-prohibited" /* Send ICMP Network Prohibited message */, "host-prohibited" /* Send ICMP Host Prohibited message */, "bad-network-tos" /* Send ICMP Bad Network ToS message */, "bad-host-tos" /* Send ICMP Bad Host ToS message */, "administratively-prohibited" /* Send ICMP Administratively Prohibited message */, "precedence-violation" /* Send ICMP Precedence Violation message */, "precedence-cutoff" /* Send ICMP Precedence Cutoff message */, "tcp-reset" /* Send TCP Reset message */ ) ) ).as(:oneline), "load-balance" arg /* Use specified load balancing group */ ), "dscp" arg /* Set Differentiated Services (DiffServ) code point */, "dont-fragment" arg /* Set or clear the DF bit flag of the IP header (ingress only) */, "prefix-action" arg /* Police or count packets using named prefix action */ ) ), "template" /* Refer a template */ ) ) ) ) end rule(:inet_fuf) do arg.as(:arg) ( c( "interface-specific" /* Defined counters are interface specific */, "match-order" ( ("protocol" | "source-address" | "destination-address" | "source-port" | "destination-port" | "dscp") ), "term" arg ( /* One or more firewall terms */ c( "only-at-create" /* Add term only when filter is first created. */, "from" ( /* Match criteria */ c( "source-address" ( /* Match source IP address */ firewall_addr_simple_object /* Match source IP address */ ), "destination-address" ( /* Match destination IP address */ firewall_addr_simple_object /* Match destination IP address */ ), c( "source-port" ( /* Match TCP/UDP source port */ match_simple_port_value /* Match TCP/UDP source port */ ) ), c( "destination-port" ( /* Match TCP/UDP destination port */ match_simple_port_value /* Match TCP/UDP destination port */ ) ), c( "protocol" ( /* Match IP protocol type */ match_simple_protocol_value /* Match IP protocol type */ ) ), c( "dscp" ( /* Match Differentiated Services (DiffServ) code point */ match_simple_dscp_value /* Match Differentiated Services (DiffServ) code point */ ) ), "match-terms" arg /* Dynamically supplied list of match criteria */ ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */ ), "count" arg /* Count the packet in the named counter */, "service-accounting" /* Count the packets for service accounting */, "log" /* Log the packet */, "port-mirror" /* Port-mirror the packet */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "action-terms" arg /* Dynamically supplied list of actions */, c( "accept" /* Accept the packet */, "discard" /* Discard the packet */, "routing-instance" ( /* Packets are directed to specified routing instance */ sc( arg /* Name of routing instance */, "topology" arg /* Packets are directed to specified topology */ ) ).as(:oneline) ) ) ) ) ) ) ) end rule(:firewall_addr_simple_object) do c( ipv4prefix /* Prefix to match */ ) end rule(:inet_service_filter) do arg.as(:arg) ( c( "term" arg ( /* Service filter term */ c( "from" ( /* Match criteria */ c( c( "interface-group" arg, "interface-group-except" arg ), "source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), "address" ( /* Match IP source or destination address */ firewall_addr_object /* Match IP source or destination address */ ), "source-prefix-list" ( /* Match IP source prefixes in named list */ firewall_prefix_list /* Match IP source prefixes in named list */ ), "destination-prefix-list" ( /* Match IP destination prefixes in named list */ firewall_prefix_list /* Match IP destination prefixes in named list */ ), "prefix-list" ( /* Match IP source or destination prefixes in named list */ firewall_prefix_list /* Match IP source or destination prefixes in named list */ ), c( "protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ip-options" ( ("any") ), "ip-options-except" ( ("any") ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "esp-spi" arg, "esp-spi-except" arg ), "is-fragment" /* Match if packet is a fragment */, "first-fragment" /* Match if packet is the first fragment */, c( "fragment-offset" arg, "fragment-offset-except" arg ), "fragment-flags" arg /* Match fragment flags */, "tcp-flags" arg /* Match TCP flags (in symbolic or hex formats) */, c( "ah-spi" arg, "ah-spi-except" arg ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), c( "forwarding-class" arg, "forwarding-class-except" arg ), c( "redirect-reason" ( ("aoc" | "aolb" | "dpi") ), "redirect-reason-except" ( ("aoc" | "aolb" | "dpi") ) ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( "count" arg /* Count the packet in the named counter */, "log" /* Log the packet */, "pkt-trace" /* Pkt-Trace the packet */, "sample" /* Sample the packet */, "port-mirror" /* Port-mirror the packet */, c( "service" /* Forward packets to service processing */, "skip" /* Skip service processing */, "accept" /* Accept the packet */ ) ) ) ) ) ) ) end rule(:inet_simple_filter) do arg.as(:arg) ( c( "interface-specific" /* Defined counters are interface specific */, "term" arg ( /* One or more firewall terms */ c( "from" ( /* Match criteria */ c( "source-address" ( /* Source IP address */ firewall_addr_simple_object /* Source IP address */ ), "destination-address" ( /* Destination IP address */ firewall_addr_simple_object /* Destination IP address */ ), c( "protocol" ( /* Match IP protocol type */ match_simple_protocol_value /* Match IP protocol type */ ) ), c( "source-port" ( /* Match TCP/UDP source port */ match_simple_port_value /* Match TCP/UDP source port */ ) ), c( "destination-port" ( /* Match TCP/UDP destination port */ match_simple_port_value /* Match TCP/UDP destination port */ ) ), c( "forwarding-class" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */ ) ) ) ), "loss-priority" ( /* Packet's loss priority */ ("low" | "medium-high" | "medium-low" | "high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "discard" /* Discard the packet */, "accept" /* Accept the packet */ ) ) ) ) ) ) end rule(:inet_template) do arg.as(:arg) ( c( "attributes" ( /* Template attributes */ c( "destination-address" /* Match IP destination address */, "destination-port" /* Match TCP/UDP destination port */, "destination-port-range-optimize" /* Optimize the destination port range */, "destination-prefix-list" /* Match IP destination prefixes in named list */, "dscp" /* Match Differentiated Services (DiffServ) code point */, "flexible-match-mask" /* Match flexible mask */, "flexible-match-range" /* Match flexible range */, "fragment-flags" /* Match fragment flags */, "icmp-code" /* Match ICMP message code */, "icmp-type" /* Match ICMP message type */, "interface" /* Match interface name */, "ip-options" /* Match IP options */, "is-fragment" /* Match if packet is a fragment */, "packet-length" /* Match packet length */, "precedence" /* Match IP precedence value */, "protocol" /* Match IP protocol type */, "rat-type" /* Match RAT Type */, "redirect-reason" /* Match Redirect Reason */, "source-address" /* Match IP source address */, "source-port" /* Match TCP/UDP source port */, "source-port-range-optimize" /* Optimize the source port range */, "source-prefix-list" /* Match IP source prefixes in named list */, "tcp-established" /* Match packet of an established TCP connection */, "tcp-flags" /* Match TCP flags */, "tcp-initial" /* Match initial packet of a TCP connection */, "ttl" /* Match IP ttl type */, "egress-to-ingress" /* Match egress fields in ingress */ ) ) ) ) end rule(:interface_set_type) do arg.as(:arg) ( c( arg /* Interface list */ ) ) end rule(:interfaces_type) do ("$junos-interface-ifd-name" | arg).as(:arg) ( c( "description" arg /* Text description of interface */, "metadata" arg /* Text metadata attached to interface */, ("disable"), "promiscuous-mode" /* Enable promiscuous mode for L3 interface */, "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "multicast-statistics" /* Enable multicast statistics */, "oam-on-svlan" /* Propagate SVLAN OAM state to CVLANs */, "fabric-options" ( /* Fabric interface specific options */ c( "member-interfaces" arg /* Member interface for the fabric interface */ ) ), "traceoptions" ( /* Interface trace options */ c( "flag" enum(("ipc" | "event" | "media" | "all" | "q921" | "q931")) /* Tracing parameters */.as(:oneline), "file" ( /* Trace file information for ISDN decoded frames */ c( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ) ) ), "passive-monitor-mode" /* Use interface to tap packets from another router */, c( "keepalives" ( /* Send or demand keepalive messages */ keepalives_type /* Send or demand keepalive messages */ ).as(:oneline), "no-keepalives" /* Do not send keepalive messages */ ), "traps" /* Enable SNMP notifications on state changes */, "no-traps" /* Don't enable SNMP notifications on state changes */, "interface-mib" /* Enable interface-related MIBs */, "no-interface-mib" /* Don't enable interface-related MIBs */, "accounting-profile" arg /* Accounting profile name */, "anchor-point" /* Anchor point */, "bypass-queueing-chip" /* Enable to bypass queueing chip */, "no-bypass-queueing-chip" /* Don't enable to bypass queueing chip */, c( "per-unit-scheduler" /* Enable subunit queuing on Frame Relay or VLAN IQ interface */, "no-per-unit-scheduler" /* Don't enable subunit queuing on Frame Relay or VLAN IQ interface */, "shared-scheduler" /* Enabled shared queuing on an IQ2 interface */, "hierarchical-scheduler" ( /* Enable hierarchical scheduling */ sc( "maximum-hierarchy-levels" arg /* Maximum hierarchy levels */, "maximum-l2-nodes" arg /* Maximum l2 nodes, allowed numbers are power of 2 between 1 and 16k (needs FPC reboot) */, "maximum-l3-nodes" arg /* Maximum l3 nodes, allowed numbers are power of 2 between 2 and 32k (needs FPC reboot) */, "implicit-hierarchy" /* Implicit hierarchy (follows interface hierarchy) */ ) ).as(:oneline) ), "l2tp-maximum-session" arg /* Maximum L2TP session */, "schedulers" arg /* Number of schedulers to allocate for interface */, "interface-transmit-statistics" /* Interface statistics based on the transmitted packets */, "cascade-port" /* Cascade port */, "dce" /* Respond to Frame Relay status enquiry messages */, c( "vlan-tagging" /* 802.1q VLAN tagging support */, "stacked-vlan-tagging" /* Stacked 802.1q VLAN tagging support */, "flexible-vlan-tagging" /* Support for no tagging, or single and double 802.1q VLAN tagging */, "vlan-vci-tagging" /* CCC for VLAN Q-in-Q and ATM VPI/VCI interworking */ ), "native-vlan-id" arg /* Virtual LAN identifier for untagged frames */, "no-native-vlan-insert" /* Disable native-vlan-id insertion to untagged frames */, "no-pseudowire-down-on-core-isolation" /* Do not bring the pseudowire down in the event of EVPN Core isolation */, "speed" ( /* Link speed */ ("auto" | "auto-10m-100m" | "10m" | "100m" | "1g" | "2.5g" | "5g" | "10g" | "40g" | "oc3" | "oc12" | "oc48") ), "forwarding-class-accounting" /* Configure Forwarding-class-accounting parameters */, "auto-configure" ( /* Auto configuration */ auto_configure_vlan_type /* Auto configuration */ ), "mtu" arg /* Maximum transmit packet size */, "hold-time" ( /* Hold time for link up and link down */ sc( "up" arg /* Link up hold time */, "down" arg /* Link down hold time */ ) ).as(:oneline), "damping" /* Interface damping parameters */, "link-degrade-monitor" ( /* Enable link degrade monitoring */ c( "actions" ( /* Action upon link degrade event */ c( c( "media-based" /* Media based */ ) ) ), "recovery" ( /* Link degrade recovery mechanism */ c( "timer" arg /* Auto recovery timer in seconds */, c( "auto" /* Automatic recovery */, "manual" /* Manual recovery */ ) ) ), "thresholds" ( /* Link degrade threshold parameters */ c( "set" arg /* BER at which link considered degraded(1..16) */, "clear" arg /* BER at which link considered improved(1..16) */, "warning-set" arg /* BER at which link degrade warning raised(1..16) */, "warning-clear" arg /* BER at which link degrade warning cleared(1..16) */, "interval" arg /* Consecutive link degrade events */ ) ) ) ), "satop-options" ( /* Structure-Agnostic TDM over Packet protocol options */ c( "idle-pattern" arg /* An 8-bit hexadecimal pattern to replace TDM data in a lost packet */, "payload-size" arg /* Number of payload bytes per packet */, "excessive-packet-loss-rate" ( /* Packet loss options */ c( "threshold" arg /* Percentile designating the threshold of excessive packet loss rate */, "sample-period" arg /* Number of milliseconds over which excessive packet loss rate is calculated */ ) ), c( "jitter-buffer-packets" arg /* Number of packets in jitter buffer before packet data is played out in the line */, "jitter-buffer-latency" arg /* Number of milliseconds delay in jitter buffer before packet data is played out in the line */, "jitter-buffer-auto-adjust" /* Automatically adjust jitter buffer */ ), "bit-rate" arg /* In multiples of DS0 */ ) ), "cesopsn-options" ( /* Structure-Aware TDM over Packet protocol options */ c( "idle-pattern" arg /* An 8-bit hexadecimal pattern to replace TDM data in a lost packet */, "packetization-latency" arg /* Number of microseconds to create packets */, "payload-size" arg /* Number of payload bytes per packet */, "excessive-packet-loss-rate" ( /* Packet loss options */ c( "threshold" arg /* Percentile designating the threshold of excessive packet loss rate */, "sample-period" arg /* Number of milliseconds over which excessive packet loss rate is calculated */ ) ), c( "jitter-buffer-packets" arg /* Number of packets in jitter buffer before packet data is played out in the line */, "jitter-buffer-latency" arg /* Number of milliseconds delay in jitter buffer before packet data is played out in the line */, "jitter-buffer-auto-adjust" /* Automatically adjust jitter buffer */ ), "bit-rate" arg /* In multiples of DS0 */ ) ), "ima-group-options" /* IMA group options */, "ima-link-options" /* IMA link options */, "multi-chassis-protection" ( /* Inter-Chassis protection configuration */ multi_chassis_protection_group /* Inter-Chassis protection configuration */ ), "clocking" ( /* Interface clock source */ sc( c( "internal" /* Clocking provided by local system */, "external" ( /* Clocking provided by DCE (loop timing) */ c( "interface" ( /* Interface that acts as clock source */ interface_device /* Interface that acts as clock source */ ) ) ) ) ) ).as(:oneline), "link-mode" ( /* Link operational mode */ ("automatic" | "half-duplex" | "full-duplex") ), "media-type" arg /* Interface media type (copper or fiber) */, "encapsulation" ( /* Physical link-layer encapsulation */ ("ethernet" | "fddi" | "token-ring" | "ppp" | "ppp-ccc" | "ppp-tcc" | "ether-vpls-ppp" | "frame-relay" | "frame-relay-ccc" | "frame-relay-tcc" | "extended-frame-relay-ccc" | "extended-frame-relay-tcc" | "flexible-frame-relay" | "frame-relay-port-ccc" | "frame-relay-ether-type" | "frame-relay-ether-type-tcc" | "extended-frame-relay-ether-type-tcc" | "cisco-hdlc" | "cisco-hdlc-ccc" | "cisco-hdlc-tcc" | "vlan-ccc" | "extended-vlan-ccc" | "ethernet-ccc" | "flexible-ethernet-services" | "smds-dxi" | "atm-pvc" | "atm-ccc-cell-relay" | "ethernet-over-atm" | "ethernet-tcc" | "extended-vlan-tcc" | "multilink-frame-relay-uni-nni" | "satop" | "cesopsn" | "ima" | "ethernet-vpls" | "ethernet-bridge" | "vlan-vpls" | "vlan-vci-ccc" | "extended-vlan-vpls" | "extended-vlan-bridge" | "multilink-ppp" | "generic-services") ), "esi" /* ESI configuration of multi-homed interface */, "framing" ( /* Frame type */ c( c( "lan-phy" /* 802.3ae 10-Gbps LAN-mode interface */, "wan-phy" /* 802.3ae 10-Gbps WAN-mode interface */, "sonet" /* SONET framing */, "sdh" /* SDH framing */ ) ) ), "unidirectional" /* Unidirectional Mode */, "lmi" ( /* Local Management Interface settings */ c( "n391dte" arg /* DTE full status polling interval */, "n392dce" arg /* DCE error threshold */, "n392dte" arg /* DTE error threshold */, "n393dce" arg /* DCE monitored event count */, "n393dte" arg /* DTE monitored event count */, "t391dte" arg /* DTE polling timer */, "t392dce" arg /* DCE polling verification timer */, "lmi-type" ( /* Specify the Frame Relay LMI type */ ("ansi" | "itu" | "c-lmi") ) ) ), "mlfr-uni-nni-bundle-options" ( /* Multilink Frame Relay UNI NNI (FRF.16) management settings */ c( "cisco-interoperability" ( /* FRF.16 Cisco interoperability settings */ c( "send-lip-remove-link-for-link-reject" /* Send Link Integrity Protocol remove link on receiving add-link rejection */ ) ), "mrru" arg /* Maximum received reconstructed unit */, "yellow-differential-delay" arg /* Yellow differential delay among bundle links to give warning */, "red-differential-delay" arg /* Red differential delay among bundle links to take action */, "action-red-differential-delay" ( /* Type of actions when differential delay exceeds red limit */ ("remove-link" | "disable-tx") ), "fragment-threshold" arg /* Fragmentation threshold */, "drop-timeout" arg /* Drop timeout */, "link-layer-overhead" ( /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ unsigned_float /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ ), "lmi-type" ( /* Specify the multilink Frame Relay UNI NNI LMI type */ ("ansi" | "itu" | "c-lmi") ), "minimum-links" arg /* Minimum number of links to sustain the bundle */, "hello-timer" arg /* LIP hello timer */, "acknowledge-timer" arg /* LIP ack timer */, "acknowledge-retries" arg /* LIP ack retry times */, "n391" arg /* Multilink Frame Relay UNI NNI full status polling counter */, "n392" arg /* Multilink Frame Relay UNI NNI LMI error threshold */, "n393" arg /* Multilink Frame Relay UNI NNI LMI monitored event count */, "t391" arg /* Multilink Frame Relay UNI NNI link integrity verify polling timer */, "t392" arg /* Multilink Frame Relay UNI NNI polling verification timer */ ) ), "mac" ( /* Hardware MAC address */ mac_unicast /* Hardware MAC address */ ), "receive-bucket" ( /* Set receive bucket parameters */ dcd_rx_bucket_config /* Set receive bucket parameters */ ), "transmit-bucket" ( /* Set transmit bucket parameters */ dcd_tx_bucket_config /* Set transmit bucket parameters */ ), "shared-interface" /* Enable shared interface on the interface */, "sonet-options" ( /* SONET interface-specific options */ sonet_options_type /* SONET interface-specific options */ ), "logical-tunnel-options" ( /* Logical Tunnel interface-specific options */ c( "link-protection" ( /* Enable link protection mode */ c( "revertive" /* Revert back (Default mode) from active backup link to primary, if primary is UP */, "non-revertive" /* Do not revert back from active backup link to primary, if primary is UP */ ) ), "per-unit-mac-disable" /* Disable the creation of per unit mac address on LT IFLs for VPLS/CCC encaps */ ) ), "aggregated-sonet-options" ( /* Aggregated SONET interface-specific options */ c( "minimum-links" arg /* Minimum number of aggregated links */, "link-speed" ( /* Aggregated links speed */ ("oc3" | "oc12" | "oc48" | "oc192" | "oc768" | "mixed") ), "minimum-bandwidth" arg /* Minimum bandwidth necessary to sustain bundle */ ) ), "atm-options" ( /* ATM interface-specific options */ c( "pic-type" ( /* Type of ATM PIC (ATM I, ATM II or ATM CE) */ ("atm-ce" | "atm2" | "atm1") ), "cell-bundle-size" arg /* L2 circuit cell bundle size */, "cell-bundle-timeout" arg /* L2 circuit cell bundle timeout */, "plp-to-clp" /* Enable ATM2 PLP to CLP copy */, "use-null-cw" /* Always insert/strip null control words with cell-relay */, "promiscuous-mode" ( /* Set ATM interface to promiscuous mode */ c( "vpi" arg /* Open this VPI in promiscuous mode */.as(:oneline) ) ), "vpi" arg ( /* Define a virtual path */ c( "maximum-vcs" arg /* Maximum number of virtual circuits on this VP */, "shaping" ( /* Virtual path traffic-shaping options */ dcd_shaping_config /* Virtual path traffic-shaping options */ ), "oam-period" ( /* F4 OAM cell period */ sc( c( arg, "disable" /* Disable F4 OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* F4 OAM virtual path liveness parameters */ c( "up-count" arg /* Number of F4 OAM cells to consider VP up */, "down-count" arg /* Number of F4 OAM cells to consider VP down */ ) ) ) ), "ilmi" /* Enable Interim Local Management Interface */, "linear-red-profiles" arg ( /* ATM2 CoS virtual circuit drop profiles */ sc( "queue-depth" arg /* Maximum queue depth */, "high-plp-threshold" arg /* Fill level percentage when linear RED is applied for high PLP */, "low-plp-threshold" arg /* Fill level percentage when linear RED is applied for low PLP */, "high-plp-max-threshold" arg /* Fill level percentage with 100 percent packet drop for high PLP */, "low-plp-max-threshold" arg /* Fill level percentage with 100 percent packet drop for low PLP */ ) ).as(:oneline), "scheduler-maps" arg ( /* ATM2 CoS parameters assigned to forwarding classes */ c( "vc-cos-mode" ( /* ATM2 virtual circuit CoS mode */ ("strict" | "alternate") ), "forwarding-class" arg ( /* Scheduling parameters associated with forwarding class */ c( "priority" ( /* Queuing priority assigned to forwarding class */ ("low" | "high") ), "transmit-weight" ( /* Transmit weight */ sc( c( "percent" arg /* Transmit weight as percentage */, "cells" arg /* Transmit weight by cells count */ ) ) ).as(:oneline), c( "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline), "linear-red-profile" arg /* Linear RED profile profile name */ ) ) ) ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */ ) ), "multiservice-options" ( /* Multiservice interface-specific options */ c( "syslog" /* Enable system logging on this interface */, "no-syslog" /* Don't enable system logging on this interface */, "core-dump" /* Enable core dumping on this interface */, "no-core-dump" /* Don't enable core dumping on this interface */, "dump-on-flow-control" /* Enable dumping for this interface on prolonged flow-control */, "no-dump-on-flow-control" /* Don't enable dumping for this interface on prolonged flow-control */, "reset-on-flow-control" /* Enable resetting this interface on prolonged flow-control */, "no-reset-on-flow-control" /* Don't enable resetting this interface on prolonged flow-control */, "flow-control-options" ( /* Flow control configuration */ c( "dump-on-flow-control" /* Cause core dump during prolonged flow-control */, "reset-on-flow-control" /* Reset interface during prolonged flow-control */, "down-on-flow-control" /* Bring interface down during prolonged flow-control */, "up-on-flow-control" /* Keep interface up during prolonged flow-control */ ) ) ) ), "ggsn-options" ( /* GGSN interface-specific options */ c( "syslog" /* Enable system logging on this interface */, "no-syslog" /* Don't enable system logging on this interface */, "core-dump" /* Enable core dumping on this interface */, "no-core-dump" /* Don't enable core dumping on this interface */ ) ), "ppp-options" ( /* Point-to-Point Protocol (PPP) interface-specific options */ ppp_options_type /* Point-to-Point Protocol (PPP) interface-specific options */ ), "redundancy-options" /* Redundancy options */, "load-balancing-options" /* Load-balancing on services pics */, "aggregated-inline-services-options" /* Aggregated Inline Service interface specific options */, "anchoring-options" /* Groups anchoring PFEs or FPCs together. */, "lsq-failure-options" /* Link services queuing failure options */, "redundancy-group" /* Redundancy group configuration */, "services-options" ( /* Services interface-specific options */ c( "syslog" ( /* Define system log parameters */ service_set_syslog_object /* Define system log parameters */ ), "jflow-log" ( /* Define Jflow-log parameters. */ c( "message-rate-limit" arg /* Maximum jflow-log NAT error events allowed per second from this interface */ ) ), "deterministic-nat-configuration-log-interval" ( /* Define Deterministic NAT parameters */ c( "interval" arg /* Interval in which deterministic NAT logs are generated */ ) ), "open-timeout" arg /* Timeout period for TCP session establishment */, "close-timeout" arg /* Timeout period for TCP session tear-down */, "inactivity-timeout" arg /* Inactivity timeout period for established sessions (4..86400) */, "inactivity-tcp-timeout" arg /* Inactivity timeout period for TCP established sessions */, "inactivity-asymm-tcp-timeout" arg /* Inactivity timeout period for asymmetric TCP established sessions */, "inactivity-non-tcp-timeout" arg /* Inactivity timeout period for non-TCP established sessions */, "session-timeout" arg /* Session timeout period for established sessions */, "disable-global-timeout-override" /* Disallow overriding global inactivity or session timeout */, "tcp-tickles" arg /* Number of TCP keep-alive packets to be sent for bi-directional TCP flows */, "trio-flow-offload" /* Allow PIC to offload flows to Trio-based PFE */, "fragment-limit" arg /* Maximum number of fragments allowed for a packet */, "reassembly-timeout" arg /* Re-assembly timeout (seconds) for fragments of a packet */, "cgn-pic" /* PIC will be used for Carrier Grade NAT configuration only */, "pba-interim-logging-interval" arg /* Interim logging interval in seconds */, "session-limit" ( /* Session limit */ c( "maximum" arg /* Maximum number of sessions allowed simultaneously */, "rate" arg /* Maximum number of new sessions allowed per second */, "cpu-load-threshold" arg /* CPU limit in percentage for auto-tuning of session rate */ ) ), "ignore-errors" ( /* Ignore anomalies or errors */ sc( "tcp" /* TCP protocol errors */, "alg" /* ALG anomalies or errors */ ) ).as(:oneline), "capture" ( /* Packet capture for SFW and NAT on the Services PIC */ c( "capture-size" arg /* The number of packets to store */, "pkt-size" arg /* Number of bytes to be saved from each packet */, "logs-per-packet" arg /* The number of trace messages stored for each packet */, "max-log-line-size" arg /* The maximum length of a stored trace message */, "filter" ( /* Filtering options for the packet capture */ c( "source-ip" ( /* Filter based on source-ip (and wildcard) */ sc( "wildcard" ( /* Source IP wildcard */ ipaddr /* Source IP wildcard */ ), ipaddr /* Source IP */ ) ).as(:oneline), "dest-ip" ( /* Filter based on dest-ip (and wildcard) */ sc( "wildcard" ( /* Dest IP wildcard */ ipaddr /* Dest IP wildcard */ ), ipaddr /* Dest IP */ ) ).as(:oneline), "sw-sip" ( /* Filter based on source softwire ip (and wildcard) */ sc( "wildcard" ( /* Source IP wildcard */ ipv6addr /* Source IP wildcard */ ), ipv6addr /* Source softwire IP */ ) ).as(:oneline), "sw-dip" ( /* Filter based on destination softwire ip (and wildcard) */ sc( "wildcard" ( /* Destination IP wildcard */ ipaddr /* Destination IP wildcard */ ), ipaddr /* Destination softwire IP */ ) ).as(:oneline), "sport-range" ( /* Filter based on source port */ sc( "low" arg /* Source port range start */, "high" arg /* Source port range end */ ) ).as(:oneline), "dport-range" ( /* Filter based on destination port */ sc( "low" arg /* Destination port range start */, "high" arg /* Destination port range end */ ) ).as(:oneline), "proto" ( /* Filter based on L4 protocol */ ("icmp" | "tcp" | "udp") ) ) ) ) ) ) ), "t3-options" ( /* T3 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("local" | "remote" | "payload") ), "long-buildout" /* Set hardware to drive line longer than 255 feet */, "no-long-buildout" /* Don't set hardware to drive line longer than 255 feet */, "loop-timing" /* Set loop timing for T3 */, "no-loop-timing" /* Don't set loop timing for T3 */, "unframed" /* Enable unframed mode */, "no-unframed" /* Don't enable unframed mode */, "compatibility-mode" ( /* Set CSU compatibility mode */ sc( c( "larscom" ( /* Compatible with Larscom CSU */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "verilink" ( /* Compatible with Verilink CSU (not on 2/4-port T3 PIC) */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "adtran" ( /* Compatible with Adtran CSU (not on 2/4-port T3 PIC) */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "kentrox" ( /* Compatible with Kentrox CSU */ sc( "subrate" arg /* Set subrate value (not on 2/4-port T3 PIC) */ ) ).as(:oneline), "digital-link" ( /* Compatible with Digital Link CSU */ sc( "subrate" ( /* Set subrate value */ ("301Kb" | "601Kb" | "902Kb" | "1.2Mb" | "1.5Mb" | "1.8Mb" | "2.1Mb" | "2.4Mb" | "2.7Mb" | "3.0Mb" | "3.3Mb" | "3.6Mb" | "3.9Mb" | "4.2Mb" | "4.5Mb" | "4.8Mb" | "5.1Mb" | "5.4Mb" | "5.7Mb" | "6.0Mb" | "6.3Mb" | "6.6Mb" | "6.9Mb" | "7.2Mb" | "7.5Mb" | "7.8Mb" | "8.1Mb" | "8.4Mb" | "8.7Mb" | "9.0Mb" | "9.3Mb" | "9.6Mb" | "9.9Mb" | "10.2Mb" | "10.5Mb" | "10.8Mb" | "11.1Mb" | "11.4Mb" | "11.7Mb" | "12.0Mb" | "12.3Mb" | "12.6Mb" | "12.9Mb" | "13.2Mb" | "13.5Mb" | "13.8Mb" | "14.1Mb" | "14.4Mb" | "14.7Mb" | "15.0Mb" | "15.3Mb" | "15.6Mb" | "15.9Mb" | "16.2Mb" | "16.5Mb" | "16.8Mb" | "17.1Mb" | "17.4Mb" | "17.7Mb" | "18.0Mb" | "18.3Mb" | "18.6Mb" | "18.9Mb" | "19.2Mb" | "19.5Mb" | "19.8Mb" | "20.1Mb" | "20.5Mb" | "20.8Mb" | "21.1Mb" | "21.4Mb" | "21.7Mb" | "22.0Mb" | "22.3Mb" | "22.6Mb" | "22.9Mb" | "23.2Mb" | "23.5Mb" | "23.8Mb" | "24.1Mb" | "24.4Mb" | "24.7Mb" | "25.0Mb" | "25.3Mb" | "25.6Mb" | "25.9Mb" | "26.2Mb" | "26.5Mb" | "26.8Mb" | "27.1Mb" | "27.4Mb" | "27.7Mb" | "28.0Mb" | "28.3Mb" | "28.6Mb" | "28.9Mb" | "29.2Mb" | "29.5Mb" | "29.8Mb" | "30.1Mb" | "30.4Mb" | "30.7Mb" | "31.0Mb" | "31.3Mb" | "31.6Mb" | "31.9Mb" | "32.2Mb" | "32.5Mb" | "32.8Mb" | "33.1Mb" | "33.4Mb" | "33.7Mb" | "34.0Mb" | "34.3Mb" | "34.6Mb" | "34.9Mb" | "35.2Mb" | "35.5Mb" | "35.8Mb" | "36.1Mb" | "36.4Mb" | "36.7Mb" | "37.0Mb" | "37.3Mb" | "37.6Mb" | "37.9Mb" | "38.2Mb" | "38.5Mb" | "38.8Mb" | "39.1Mb" | "39.4Mb" | "39.7Mb" | "40.0Mb" | "40.3Mb" | "40.6Mb" | "40.9Mb" | "41.2Mb" | "41.5Mb" | "41.8Mb" | "42.1Mb" | "42.4Mb" | "42.7Mb" | "43.0Mb" | "43.3Mb" | "43.6Mb" | "43.9Mb" | "44.2Mb") ) ) ).as(:oneline) ) ) ).as(:oneline), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */, "cbit-parity" /* Enable C-bit parity mode */, "no-cbit-parity" /* Don't enable C-bit parity mode */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "feac-loop-respond" /* Respond to FEAC loop requests */, "no-feac-loop-respond" /* Don't respond to FEAC loop requests */, "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "buildout" arg /* Line buildout */, "atm-encapsulation" ( /* DS-3 interface encapsulation */ ("plcp" | "direct") ) ) ), "e3-options" ( /* E3 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("local" | "remote") ), "unframed" /* Enable unframed mode */, "no-unframed" /* Don't enable unframed mode */, "compatibility-mode" ( /* Set CSU compatibility mode */ sc( c( "larscom" /* Compatible with Larscom CSU (only non IQ E3 interfaces) */, "digital-link" ( /* Compatible with Digital Link CSU */ sc( "subrate" ( /* Set subrate value */ ("358Kb" | "716Kb" | "1.1Mb" | "1.4Mb" | "1.8Mb" | "2.1Mb" | "2.5Mb" | "2.9Mb" | "3.2Mb" | "3.6Mb" | "3.9Mb" | "4.3Mb" | "4.7Mb" | "5.0Mb" | "5.4Mb" | "5.7Mb" | "6.1Mb" | "6.4Mb" | "6.8Mb" | "7.2Mb" | "7.5Mb" | "7.9Mb" | "8.2Mb" | "8.6Mb" | "9.0Mb" | "9.3Mb" | "9.7Mb" | "10.0Mb" | "10.4Mb" | "10.7Mb" | "11.1Mb" | "11.5Mb" | "11.8Mb" | "12.2Mb" | "12.5Mb" | "12.9Mb" | "13.2Mb" | "13.6Mb" | "14.0Mb" | "14.3Mb" | "14.7Mb" | "15.0Mb" | "15.4Mb" | "15.8Mb" | "16.1Mb" | "16.5Mb" | "16.8Mb" | "17.2Mb" | "17.5Mb" | "17.9Mb" | "18.3Mb" | "18.6Mb" | "19.0Mb" | "19.3Mb" | "19.7Mb" | "20.0Mb" | "20.4Mb" | "20.8Mb" | "21.1Mb" | "21.5Mb" | "21.8Mb" | "22.2Mb" | "22.6Mb" | "22.9Mb" | "23.3Mb" | "23.6Mb" | "24.0Mb" | "24.3Mb" | "24.7Mb" | "25.1Mb" | "25.4Mb" | "25.8Mb" | "26.1Mb" | "26.5Mb" | "26.9Mb" | "27.2Mb" | "27.6Mb" | "27.9Mb" | "28.3Mb" | "28.6Mb" | "29.0Mb" | "29.4Mb" | "29.7Mb" | "30.1Mb" | "30.4Mb" | "30.8Mb" | "31.1Mb" | "31.5Mb" | "31.9Mb" | "32.2Mb" | "32.6Mb" | "32.9Mb" | "33.3Mb" | "33.7Mb" | "34.0Mb") ) ) ).as(:oneline), "kentrox" ( /* Compatible with Kentrox CSU */ sc( "subrate" arg /* Set subrate value (only for E3 IQ interfaces) */ ) ).as(:oneline) ) ) ).as(:oneline), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "invert-data" /* Invert data */, "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "buildout" arg /* Line buildout */, "atm-encapsulation" ( /* E3 interface encapsulation */ ("plcp" | "direct") ), "framing" ( /* E3 line format */ ("g.751" | "g.832") ) ) ), "e1-options" ( /* E1 interface-specific options */ c( "timeslots" arg /* Timeslots (1..32); for example, 1-4,6,9-11,32 (no space) */, "loopback" ( /* Loopback mode */ ("local" | "remote") ), "framing" ( /* Framing mode */ ("g704" | "unframed" | "g704-no-crc4") ), "fcs" ( /* Frame checksum */ ("32" | "16") ), "invert-data" /* Invert data */, "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */ ) ), "t1-options" ( /* T1 interface-specific options */ c( "timeslots" arg /* Timeslots (1..24; for example, 1-3,4,9,22-24 (no space) */, "voice-timeslots" arg /* Voice timeslots (1..24),for example, 1-3,4,9,22-24 (no space) */, "disable-remote-alarm-detection" arg /* Disable detection of a remote alarm */, "loopback" ( /* Loopback mode */ ("local" | "remote" | "payload") ), "buildout" ( /* Line buildout */ ("0-132" | "133-265" | "266-398" | "399-531" | "532-655" | "long-0db" | "long-7.5db" | "long-15db" | "long-22.5db") ), "byte-encoding" ( /* Byte encoding */ ("nx64" | "nx56") ), "line-encoding" ( /* Line encoding */ ("ami" | "b8zs") ), "invert-data" /* Invert data */, "framing" ( /* Framing mode */ ("sf" | "esf") ), "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "remote-loopback-respond" /* Respond to loop requests from remote end */, "crc-major-alarm-threshold" ( /* CRC Major alarm threshold value */ ("1e-3" | "5e-4" | "1e-4" | "5e-5" | "1e-5") ), "crc-minor-alarm-threshold" ( /* CRC Minor alarm threshold value */ ("1e-3" | "5e-4" | "1e-4" | "5e-5" | "1e-5" | "5e-6" | "1e-6") ), "alarm-compliance" arg /* Enforce standard for alarm reporting */ ) ), "ds0-options" ( /* DS-0 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("payload") ), "byte-encoding" ( /* Byte encoding */ ("nx64" | "nx56") ), "invert-data" /* Invert data */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4" | "repeating-1-in-16") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */ ) ), "serial-options" ( /* Serial interface-specific options */ c( "line-protocol" ( /* Line protocol to be used */ ("eia530" | "v.35" | "x.21") ), c( "dte-options" ( /* DTE options/control leads */ c( "ignore-all" /* Ignore all control leads */, "dtr" ( /* Data Transmit Ready signal handling */ sc( c( "assert" /* Assert DTR signal */, "de-assert" /* Deassert DTR signal */, "normal" /* Normal DTR signal */, "auto-synchronize" ( /* Normal DTR signal, with autoresynchronization */ c( "duration" arg /* Duration of autoresynchronization */, "interval" arg /* Interval for autoresynchronization */ ) ) ) ) ).as(:oneline), "control-signal" ( /* X.21 control signal handling */ ("assert" | "de-assert" | "normal") ), "rts" ( /* Request To Send signal handling */ ("assert" | "de-assert" | "normal") ), "dcd" ( /* Data Carrier Detect signal handling */ ("require" | "ignore" | "normal") ), "dsr" ( /* Data Set Ready signal handling */ ("require" | "ignore" | "normal") ), "cts" ( /* Clear To Send signal handling */ ("require" | "ignore" | "normal") ), "indication" ( /* X.21 Indication signal handling */ ("require" | "ignore" | "normal") ), "tm" ( /* Test Mode signal handling */ ("require" | "ignore" | "normal") ) ) ), "dce-options" ( /* DCE options */ c( "ignore-all" /* Ignore all control leads */, "dtr" ( /* Data Transmit Ready signal handling */ ("require" | "ignore" | "normal") ), "rts" ( /* Request To Send signal handling */ ("require" | "ignore" | "normal") ), "dcd" ( /* Data Carrier Detect signal handling */ ("assert" | "de-assert" | "normal") ), "dsr" ( /* Data Set Ready signal handling */ ("assert" | "de-assert" | "normal") ), "cts" ( /* Clear To Send signal handling */ ("assert" | "de-assert" | "normal") ), "tm" ( /* Test Mode signal handling */ ("require" | "ignore" | "normal") ), "dce-loopback-override" /* DCE loopback override */ ) ) ), "dtr-circuit" ( /* Data Transmit Ready circuit mode */ ("balanced" | "unbalanced") ), "dtr-polarity" ( /* Data Transmit Ready signal polarity */ ("positive" | "negative") ), "rts-polarity" ( /* Request To Send signal polarity */ ("positive" | "negative") ), "control-polarity" ( /* X.21 Control signal polarity */ ("positive" | "negative") ), "dcd-polarity" ( /* Data Carrier Detect signal polarity */ ("positive" | "negative") ), "dsr-polarity" ( /* Data Set Ready signal polarity */ ("positive" | "negative") ), "cts-polarity" ( /* Clear To Send signal polarity */ ("positive" | "negative") ), "indication-polarity" ( /* X.21 Indication signal polarity */ ("positive" | "negative") ), "tm-polarity" ( /* Test Mode signal polarity */ ("positive" | "negative") ), "clocking-mode" ( /* Clock mode */ ("dce" | "internal" | "loop") ), "transmit-clock" ( /* Transmit clock phase */ ("invert") ), "clock-rate" ( /* Interface clock rate */ ("2.048mhz" | "2.341mhz" | "2.731mhz" | "3.277mhz" | "4.096mhz" | "5.461mhz" | "8.192mhz" | "16.384mhz" | "1.2khz" | "2.4khz" | "9.6khz" | "19.2khz" | "38.4khz" | "56.0khz" | "64.0khz" | "72.0khz" | "125.0khz" | "148.0khz" | "250.0khz" | "500.0khz" | "800.0khz" | "1.0mhz" | "1.3mhz" | "2.0mhz" | "4.0mhz" | "8.0mhz") ), "loopback" ( /* Loopback mode */ ("local" | "remote" | "dce-local" | "dce-remote") ), "encoding" ( /* Line encoding */ ("nrz" | "nrzi") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ) ) ), "gratuitous-arp-reply" /* Enable gratuitous ARP reply */, "no-gratuitous-arp-reply" /* Don't enable gratuitous ARP reply */, "no-gratuitous-arp-request" /* Ignore gratuitous ARP request */, "no-no-gratuitous-arp-request" /* Don't ignore gratuitous ARP request */, "arp-l2-validate" /* Validate ARP against L2 */, "ether-options" ( /* Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "ethernet-policer-profile" ( /* Ethernet level CoS-based policer configuration */ c( "input-priority-map" ( /* Input policer priority map */ cos_policer_input_priority_map /* Input policer priority map */ ), "output-priority-map" ( /* Output policer priority map */ cos_policer_output_priority_map /* Output policer priority map */ ), "policer" ( /* Policer template definition */ cos_policer /* Policer template definition */ ) ) ), "storm-control" ( /* Storm control profile name to bind */ c( arg /* Profile name */ ) ), "recovery-timeout" ( /* Recovery timeout for this interface */ sc( arg ) ).as(:oneline), "mac-learn-enable" /* Learn MAC addresses dynamically */, "no-mac-learn-enable" /* Don't learn MAC addresses dynamically */ ) ), "asynchronous-notification" /* Enable sending asynchronous notification to peer on CCC-down */, "source-address-filter" arg /* Source address filters */.as(:oneline), "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "configured-flow-control" /* Enable flow control */, "link-mode" arg /* Link duplex */, "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */, "no-auto-mdix" /* Disable auto MDI/MDIX */, "speed" /* Specify speed */, "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "force-up" /* Keep the port up in absence of received LACPDU */, "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ), "link-protection-sub-group" /* Link Protection subgroup configuration */, "port-priority" arg /* Link protection Priority of the port (0 ... 65535) */ ) ), "ieee-802-3az-eee" /* IEEE 802.3az Energy Efficient Ethernet(EEE) */, "mdi-mode" arg /* Cable cross-over mode */, "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant ethernet interface */ ) ), "autostate-exclude" /* Interface will not contribute to IRB state */ ) ), "fibrechannel-options" ( /* Fibre Channel interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "bb-sc-n" arg /* B2B state change number */, "speed" ( /* Specify speed */ ("auto-negotiation" | "1g" | "2g" | "4g" | "8g") ) ) ), "gigether-options" ( /* Gigabit Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "loopback-remote" /* Enable remote loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, c( "no-auto-negotiation" /* Disable auto-negotiation */, "auto-negotiation" ( /* Enable auto-negotiation */ sc( "remote-fault" ( ("local-interface-offline" | "local-interface-online") ) ) ).as(:oneline) ), "mac-mode" arg /* Physical layer protocol of MAC's SERDES interface */, "asynchronous-notification" /* Enable sending asynchronous notification to peer on CCC-down */, "source-address-filter" arg /* Source address filters */.as(:oneline), "pad-to-minimum-frame-size" /* Pad Tx vlan tagged frame to minimum of 68 bytes */, "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant-ethernet interface */ ) ), "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, "link-index" arg /* Desired child link index within the Aggregated Interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ), "distribution-list" arg /* Distribution list to which interface belongs */ ) ), "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "ethernet-policer-profile" ( /* Ethernet level CoS-based policer configuration */ c( "ieee802.1-priority-map" ( /* Premium priority values for IEEE 802.1p bits */ c( "premium" arg /* Premium policer priority map */ ) ), "input-priority-map" ( /* Input policer priority map */ cos_policer_input_priority_map /* Input policer priority map */ ), "output-priority-map" ( /* Output policer priority map */ cos_policer_output_priority_map /* Output policer priority map */ ), "policer" ( /* Policer template definition */ cos_policer /* Policer template definition */ ) ) ), "accept-from" ( /* Accept traffic from or to specified remote MAC */ c( "mac-address" ( /* Remote MAC */ mac_list /* Remote MAC */ ) ) ), "reject-the-rest" /* Accept traffic from only the specified MAC addresses */, "no-reject-the-rest" /* Don't accept traffic from only the specified MAC addresses */, "mac-learn-enable" /* Learn MAC addresses dynamically */ ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */, "no-auto-mdix" /* Disable auto MDI/MDIX */, "ieee-802-3az-eee" /* IEEE 802.3az Energy Efficient Ethernet(EEE) */, "mru" arg /* Maximum receive packet size */, "fec" ( /* Forward Error Correction mode */ ("none" | "fec91" | "fec74") ), "speed" ( /* Speed mode */ ("1g" | "10g") ) ) ), "optics-options" ( /* Optics options */ c( "wavelength" ( /* Wavelength of the optics (nanometers) for 50Ghz/100Ghz spacing */ ("1568.77" | "1568.36" | "1568.31" | "1568.26" | "1568.21" | "1568.16" | "1568.11" | "1568.05" | "1568.00" | "1567.95" | "1567.90" | "1567.85" | "1567.80" | "1567.75" | "1567.70" | "1567.64" | "1567.59" | "1567.54" | "1567.49" | "1567.44" | "1567.39" | "1567.34" | "1567.29" | "1567.23" | "1567.18" | "1567.13" | "1567.08" | "1567.03" | "1566.98" | "1566.93" | "1566.88" | "1566.83" | "1566.77" | "1566.72" | "1566.67" | "1566.62" | "1566.57" | "1566.52" | "1566.47" | "1566.42" | "1566.36" | "1566.31" | "1566.26" | "1566.21" | "1566.16" | "1566.11" | "1566.06" | "1566.01" | "1565.96" | "1565.90" | "1565.85" | "1565.80" | "1565.75" | "1565.70" | "1565.65" | "1565.60" | "1565.55" | "1565.50" | "1565.44" | "1565.39" | "1565.34" | "1565.29" | "1565.24" | "1565.19" | "1565.14" | "1565.09" | "1565.04" | "1564.99" | "1564.93" | "1564.88" | "1564.83" | "1564.78" | "1564.73" | "1564.68" | "1564.63" | "1564.58" | "1564.53" | "1564.47" | "1564.42" | "1564.37" | "1564.32" | "1564.27" | "1564.22" | "1564.17" | "1564.12" | "1564.07" | "1564.02" | "1563.96" | "1563.91" | "1563.86" | "1563.81" | "1563.76" | "1563.71" | "1563.66" | "1563.61" | "1563.56" | "1563.51" | "1563.45" | "1563.40" | "1563.35" | "1563.30" | "1563.25" | "1563.20" | "1563.15" | "1563.10" | "1563.05" | "1563.00" | "1562.95" | "1562.89" | "1562.84" | "1562.79" | "1562.74" | "1562.69" | "1562.64" | "1562.59" | "1562.54" | "1562.49" | "1562.44" | "1562.39" | "1562.33" | "1562.28" | "1562.23" | "1562.18" | "1562.13" | "1562.08" | "1562.03" | "1561.98" | "1561.93" | "1561.88" | "1561.83" | "1561.77" | "1561.72" | "1561.67" | "1561.62" | "1561.57" | "1561.52" | "1561.47" | "1561.42" | "1561.37" | "1561.32" | "1561.27" | "1561.22" | "1561.16" | "1561.11" | "1561.06" | "1561.01" | "1560.96" | "1560.91" | "1560.86" | "1560.81" | "1560.76" | "1560.71" | "1560.66" | "1560.61" | "1560.56" | "1560.50" | "1560.45" | "1560.40" | "1560.35" | "1560.30" | "1560.25" | "1560.20" | "1560.15" | "1560.10" | "1560.05" | "1560.00" | "1559.95" | "1559.90" | "1559.84" | "1559.79" | "1559.74" | "1559.69" | "1559.64" | "1559.59" | "1559.54" | "1559.49" | "1559.44" | "1559.39" | "1559.34" | "1559.29" | "1559.24" | "1559.19" | "1559.14" | "1559.08" | "1559.03" | "1558.98" | "1558.93" | "1558.88" | "1558.83" | "1558.78" | "1558.73" | "1558.68" | "1558.63" | "1558.58" | "1558.53" | "1558.48" | "1558.43" | "1558.38" | "1558.32" | "1558.27" | "1558.22" | "1558.17" | "1558.12" | "1558.07" | "1558.02" | "1557.97" | "1557.92" | "1557.87" | "1557.82" | "1557.77" | "1557.72" | "1557.67" | "1557.62" | "1557.57" | "1557.52" | "1557.46" | "1557.41" | "1557.36" | "1557.31" | "1557.26" | "1557.21" | "1557.16" | "1557.11" | "1557.06" | "1557.01" | "1556.96" | "1556.91" | "1556.86" | "1556.81" | "1556.76" | "1556.71" | "1556.66" | "1556.61" | "1556.55" | "1556.50" | "1556.45" | "1556.40" | "1556.35" | "1556.30" | "1556.25" | "1556.20" | "1556.15" | "1556.10" | "1556.05" | "1556.00" | "1555.95" | "1555.90" | "1555.85" | "1555.80" | "1555.75" | "1555.70" | "1555.65" | "1555.60" | "1555.55" | "1555.49" | "1555.44" | "1555.39" | "1555.34" | "1555.29" | "1555.24" | "1555.19" | "1555.14" | "1555.09" | "1555.04" | "1554.99" | "1554.94" | "1554.89" | "1554.84" | "1554.79" | "1554.74" | "1554.69" | "1554.64" | "1554.59" | "1554.54" | "1554.49" | "1554.44" | "1554.39" | "1554.34" | "1554.29" | "1554.23" | "1554.18" | "1554.13" | "1554.08" | "1554.03" | "1553.98" | "1553.93" | "1553.88" | "1553.83" | "1553.78" | "1553.73" | "1553.68" | "1553.63" | "1553.58" | "1553.53" | "1553.48" | "1553.43" | "1553.38" | "1553.33" | "1553.28" | "1553.23" | "1553.18" | "1553.13" | "1553.08" | "1553.03" | "1552.98" | "1552.93" | "1552.88" | "1552.83" | "1552.78" | "1552.73" | "1552.68" | "1552.62" | "1552.57" | "1552.52" | "1552.47" | "1552.42" | "1552.37" | "1552.32" | "1552.27" | "1552.22" | "1552.17" | "1552.12" | "1552.07" | "1552.02" | "1551.97" | "1551.92" | "1551.87" | "1551.82" | "1551.77" | "1551.72" | "1551.67" | "1551.62" | "1551.57" | "1551.52" | "1551.47" | "1551.42" | "1551.37" | "1551.32" | "1551.27" | "1551.22" | "1551.17" | "1551.12" | "1551.07" | "1551.02" | "1550.97" | "1550.92" | "1550.87" | "1550.82" | "1550.77" | "1550.72" | "1550.67" | "1550.62" | "1550.57" | "1550.52" | "1550.47" | "1550.42" | "1550.37" | "1550.32" | "1550.27" | "1550.22" | "1550.17" | "1550.12" | "1550.07" | "1550.02" | "1549.97" | "1549.92" | "1549.87" | "1549.82" | "1549.77" | "1549.72" | "1549.67" | "1549.62" | "1549.57" | "1549.52" | "1549.47" | "1549.42" | "1549.37" | "1549.32" | "1549.26" | "1549.21" | "1549.16" | "1549.11" | "1549.06" | "1549.01" | "1548.96" | "1548.91" | "1548.86" | "1548.81" | "1548.76" | "1548.71" | "1548.66" | "1548.61" | "1548.56" | "1548.51" | "1548.46" | "1548.41" | "1548.36" | "1548.31" | "1548.26" | "1548.21" | "1548.16" | "1548.11" | "1548.06" | "1548.02" | "1547.97" | "1547.92" | "1547.87" | "1547.82" | "1547.77" | "1547.72" | "1547.67" | "1547.62" | "1547.57" | "1547.52" | "1547.47" | "1547.42" | "1547.37" | "1547.32" | "1547.27" | "1547.22" | "1547.17" | "1547.12" | "1547.07" | "1547.02" | "1546.97" | "1546.92" | "1546.87" | "1546.82" | "1546.77" | "1546.72" | "1546.67" | "1546.62" | "1546.57" | "1546.52" | "1546.47" | "1546.42" | "1546.37" | "1546.32" | "1546.27" | "1546.22" | "1546.17" | "1546.12" | "1546.07" | "1546.02" | "1545.97" | "1545.92" | "1545.87" | "1545.82" | "1545.77" | "1545.72" | "1545.67" | "1545.62" | "1545.57" | "1545.52" | "1545.47" | "1545.42" | "1545.37" | "1545.32" | "1545.27" | "1545.22" | "1545.17" | "1545.12" | "1545.07" | "1545.02" | "1544.97" | "1544.92" | "1544.87" | "1544.82" | "1544.77" | "1544.72" | "1544.68" | "1544.63" | "1544.58" | "1544.53" | "1544.48" | "1544.43" | "1544.38" | "1544.33" | "1544.28" | "1544.23" | "1544.18" | "1544.13" | "1544.08" | "1544.03" | "1543.98" | "1543.93" | "1543.88" | "1543.83" | "1543.78" | "1543.73" | "1543.68" | "1543.63" | "1543.58" | "1543.53" | "1543.48" | "1543.43" | "1543.38" | "1543.33" | "1543.28" | "1543.23" | "1543.18" | "1543.13" | "1543.08" | "1543.04" | "1542.99" | "1542.94" | "1542.89" | "1542.84" | "1542.79" | "1542.74" | "1542.69" | "1542.64" | "1542.59" | "1542.54" | "1542.49" | "1542.44" | "1542.39" | "1542.34" | "1542.29" | "1542.24" | "1542.19" | "1542.14" | "1542.09" | "1542.04" | "1541.99" | "1541.94" | "1541.89" | "1541.84" | "1541.80" | "1541.75" | "1541.70" | "1541.65" | "1541.60" | "1541.55" | "1541.50" | "1541.45" | "1541.40" | "1541.35" | "1541.30" | "1541.25" | "1541.20" | "1541.15" | "1541.10" | "1541.05" | "1541.00" | "1540.95" | "1540.90" | "1540.85" | "1540.80" | "1540.76" | "1540.71" | "1540.66" | "1540.61" | "1540.56" | "1540.51" | "1540.46" | "1540.41" | "1540.36" | "1540.31" | "1540.26" | "1540.21" | "1540.16" | "1540.11" | "1540.06" | "1540.01" | "1539.96" | "1539.91" | "1539.86" | "1539.82" | "1539.77" | "1539.72" | "1539.67" | "1539.62" | "1539.57" | "1539.52" | "1539.47" | "1539.42" | "1539.37" | "1539.32" | "1539.27" | "1539.22" | "1539.17" | "1539.12" | "1539.07" | "1539.03" | "1538.98" | "1538.93" | "1538.88" | "1538.83" | "1538.78" | "1538.73" | "1538.68" | "1538.63" | "1538.58" | "1538.53" | "1538.48" | "1538.43" | "1538.38" | "1538.33" | "1538.28" | "1538.24" | "1538.19" | "1538.14" | "1538.09" | "1538.04" | "1537.99" | "1537.94" | "1537.89" | "1537.84" | "1537.79" | "1537.74" | "1537.69" | "1537.64" | "1537.59" | "1537.55" | "1537.50" | "1537.45" | "1537.40" | "1537.35" | "1537.30" | "1537.25" | "1537.20" | "1537.15" | "1537.10" | "1537.05" | "1537.00" | "1536.95" | "1536.90" | "1536.86" | "1536.81" | "1536.76" | "1536.71" | "1536.66" | "1536.61" | "1536.56" | "1536.51" | "1536.46" | "1536.41" | "1536.36" | "1536.31" | "1536.26" | "1536.22" | "1536.17" | "1536.12" | "1536.07" | "1536.02" | "1535.97" | "1535.92" | "1535.87" | "1535.82" | "1535.77" | "1535.72" | "1535.67" | "1535.63" | "1535.58" | "1535.53" | "1535.48" | "1535.43" | "1535.38" | "1535.33" | "1535.28" | "1535.23" | "1535.18" | "1535.13" | "1535.08" | "1535.04" | "1534.99" | "1534.94" | "1534.89" | "1534.84" | "1534.79" | "1534.74" | "1534.69" | "1534.64" | "1534.59" | "1534.54" | "1534.50" | "1534.45" | "1534.40" | "1534.35" | "1534.30" | "1534.25" | "1534.20" | "1534.15" | "1534.10" | "1534.05" | "1534.00" | "1533.96" | "1533.91" | "1533.86" | "1533.81" | "1533.76" | "1533.71" | "1533.66" | "1533.61" | "1533.56" | "1533.51" | "1533.47" | "1533.42" | "1533.37" | "1533.32" | "1533.27" | "1533.22" | "1533.17" | "1533.12" | "1533.07" | "1533.02" | "1532.98" | "1532.93" | "1532.88" | "1532.83" | "1532.78" | "1532.73" | "1532.68" | "1532.63" | "1532.58" | "1532.53" | "1532.49" | "1532.44" | "1532.39" | "1532.34" | "1532.29" | "1532.24" | "1532.19" | "1532.14" | "1532.09" | "1532.04" | "1532.00" | "1531.95" | "1531.90" | "1531.85" | "1531.80" | "1531.75" | "1531.70" | "1531.65" | "1531.60" | "1531.56" | "1531.51" | "1531.46" | "1531.41" | "1531.36" | "1531.31" | "1531.26" | "1531.21" | "1531.16" | "1531.12" | "1531.07" | "1531.02" | "1530.97" | "1530.92" | "1530.87" | "1530.82" | "1530.77" | "1530.72" | "1530.68" | "1530.63" | "1530.58" | "1530.53" | "1530.48" | "1530.43" | "1530.38" | "1530.33" | "1530.29" | "1530.24" | "1530.19" | "1530.14" | "1530.09" | "1530.04" | "1529.99" | "1529.94" | "1529.89" | "1529.85" | "1529.80" | "1529.75" | "1529.70" | "1529.65" | "1529.60" | "1529.55" | "1529.50" | "1529.46" | "1529.41" | "1529.36" | "1529.31" | "1529.26" | "1529.21" | "1529.16" | "1529.11" | "1529.07" | "1529.02" | "1528.97" | "1528.92" | "1528.87" | "1528.82" | "1528.77" | "1528.38") ), "tx-power" arg /* Transmit laser output power */, "loopback" /* Put the optics in loopback mode */, "los-warning-threshold" arg /* LOS warning threshold */, "los-alarm-threshold" arg /* LOS alarm threshold */, "modulation-format" ( /* Type of Modulation Format */ ("16qam" | "8qam" | "qpsk") ), "laser-enable" /* Enable Laser */, "no-laser-enable" /* Don't enable Laser */, "is-ma" /* Link is enabled with alarms masked */, "no-is-ma" /* Don't link is enabled with alarms masked */, "encoding" ( /* Line encoding */ ("differential" | "non-differential") ), "fec" ( /* Forward Error Correction mode */ ("sdfec" | "sdfec25" | "hgfec" | "sdfec15") ), "high-polarization" /* High polarization tracking mode */, "signal-degrade" ( /* Signal degrade thresholds */ c( "interval" arg /* Time interval */, "ber-threshold-clear" arg /* Ber threshold for signal degrade clear (format: xe-n, example: 4.5e-3) */, "ber-threshold-signal-degrade" arg /* Ber threshold for signal-degrade (format: xe-n, example: 4.5e-3) */, "q-threshold-signal-degrade-clear" arg /* Q threshold for signal-degrade clear (e.g. 14.26) */, "q-threshold-signal-degrade" arg /* Q threshold for signal-degrade (e.g. 9.26) */ ) ), "alarm" enum(("low-light-alarm")) ( /* Set optic alarms */ c( c( "syslog", "link-down" ) ) ), "tca" ( /* Set tca for optic alarms */ c( "tx-power-high-tca" ( /* Tx power high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute tx power high TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour tx power high TCA in dBm */ ) ), "tx-power-low-tca" ( /* Tx power low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute tx power low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour tx power low TCA in dBm */ ) ), "rx-power-high-tca" ( /* Rx power high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute rx power high TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour rx power high TCA in dBm */ ) ), "rx-power-low-tca" ( /* Rx power low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute rx power low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour rx power low TCA in dBm */ ) ), "temperature-high-tca" ( /* Temperature high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute high temperature TCA in celsius */, "threshold-24hrs" arg /* Threshold for 24 hour high temperature TCA in celsius */ ) ), "temperature-low-tca" ( /* Temperature low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute low temperature TCA in celsius */, "threshold-24hrs" arg /* Threshold for 24 hour low temperature TCA in celsius */ ) ), "carrier-frequency-offset-high-tca" ( /* Carrier frequency offset high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency offset high TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency offset high TCA in MHz */ ) ), "carrier-frequency-offset-low-tca" ( /* Carrier frequency offset low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency offset low TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency offset low TCA in MHz */ ) ), "fec-ber" ( /* Optics Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the Optics errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the Optics errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ).as(:oneline), "tec-current-high-tca" ( /* TEC Current high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute TEC Current high TCA in mA */, "threshold-24hrs" arg /* Threshold for 24 hour TEC Current high TCA in mA */ ) ), "tec-current-low-tca" ( /* TEC Current low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute TEC Current low TCA in mA */, "threshold-24hrs" arg /* Threshold for 24 hour TEC Current low TCA in mA */ ) ), "residual-isi-high-tca" ( /* Residual ISI high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute Residual ISI high TCA in ps/nm */, "threshold-24hrs" arg /* Threshold for 24 hour Residual ISI high TCA in ps/nm */ ) ), "residual-isi-low-tca" ( /* Residual ISI low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute Residual ISI low TCA in ps/nm */, "threshold-24hrs" arg /* Threshold for 24 hour Residual ISI low TCA in ps/nm */ ) ), "pam-histogram-high-tca" ( /* PAM Histogram high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute PAM Histogram high TCA */, "threshold-24hrs" arg /* Threshold for 24 hour PAM Histogram high TCA */ ) ), "snr-low-tca" ( /* SNR low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute SNR low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour SNR low TCA in dBm */ ) ), "fec-corrected-errors-high-tca" ( /* FEC Corrected Error High Threshold crossing defect trigger */ c( "enable-tca" /* Enable the FEC Corrected Errors threshold crossing alert */, "no-enable-tca" /* Don't enable the FEC Corrected Errors threshold crossing alert */, "threshold" arg /* FEC Corrected-Errs value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* FEC Corrected-Errs value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ), "fec-ucorrected-words-high-tca" ( /* FEC UCorrected Words High Threshold crossing defect trigger */ c( "enable-tca" /* Enable the FEC UCorrected Words threshold crossing alert */, "no-enable-tca" /* Don't enable the FEC UCorrected Words threshold crossing alert */, "threshold" arg /* FEC UCorrected-Words value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* FEC UCorrected-Words value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ), "laser-frequency-error-high-tca" ( /* Laser frequency error high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency error high TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency error high TCA in MHz */ ) ), "laser-frequency-error-low-tca" ( /* Laser frequency error low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency error low TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency error low TCA in MHz */ ) ) ) ), "warning" enum(("low-light-warning")) ( /* Set optic warnings */ c( c( "syslog" /* Set action as syslog */, "link-down" /* Set action as link-down */ ) ) ) ) ), "otn-options" ( /* Optical Transmission Network interface-specific options */ otn_options_type /* Optical Transmission Network interface-specific options */ ), "fastether-options" ( /* Fast Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "ingress-rate-limit" arg /* Ingress rate at port */, "source-address-filter" arg /* Source address filters */.as(:oneline), "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant ethernet interface */ ) ), "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ) ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */ ) ), "redundant-ether-options" ( /* Ethernet redundancy options */ c( "redundancy-group" arg /* Redundancy group of this interface */, "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "source-address-filter" arg /* Source address filters */.as(:oneline), "link-speed" ( /* Link speed of individual interface that joins the RETH */ ("10m" | "100m" | "1g" | "10g") ), "minimum-links" arg /* Minimum number of active links */, "lacp" ( /* Link Aggregation Control Protocol configuration */ c( c( "active" /* Initiate transmission of LACP packets */, "passive" /* Respond to LACP packets */ ), "periodic" ( /* Timer interval for periodic transmission of LACP packets */ ("fast" | "slow") ) ) ) ) ), "aggregated-ether-options" ( /* Aggregated Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "autostate-exclude" /* Interface will not contribute to IRB state */, "link-protection" ( /* Enable link protection mode */ c( "revertive" /* Revert back from active backup link to primary, if primary is UP */, "non-revertive" /* Do not revert back (default mode) from active backup link to primary, if primary is UP */, "backup-state" ( /* Link protection backup link state */ ("accept-data" | "discard-data" | "down") ), "rtg-config" ( /* RTG enable on AE */ c( "preempt-cutover-timer" arg /* RTG preempt-cutover-timer in seconds */ ) ) ) ), "fcoe-lag" /* Enable FIP/FCoE LAG */, "no-fcoe-lag" /* Don't enable FIP/FCoE LAG */, "source-address-filter" /* Source address filters */.as(:oneline), "configured-flow-control" /* Enable flow control */, "load-balance" ( aggregate_load_balance ), "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address */ ipaddr /* BFD local address */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */ ) ), "minimum-links" arg /* Minimum number of aggregated links */, "minimum-bandwidth" ( /* Minimum bandwidth configured for aggregated bundle */ c( "bw-value" arg /* Bandwidth value */, "bw-unit" ( /* Bandwidth unit */ ("bps" | "kbps" | "mbps" | "gbps") ) ) ), "targeted-options" /* Targeting specific options */, c( "logical-interface-fpc-redundancy" /* Enable FPC redundancy for logical interfaces */, "logical-interface-chassis-redundancy" /* Enable CHASSIS redundancy for logical interfaces */ ), "rebalance-periodic" ( c( "start-time" ( /* Start time of the rebalance operation ( Wall clock time ) */ date /* Start time of the rebalance operation ( Wall clock time ) */ ), "interval" arg /* Interval of the rebalance operation in hrs */ ) ), "pad-to-minimum-frame-size" /* Pad Tx vlan tagged frame to minimum of 68 bytes */, "link-speed" ( /* Link speed of individual interface that joins the AE */ ("10m" | "100m" | "1g" | "2.5g" | "5g" | "8g" | "10g" | "25g" | "40g" | "50g" | "80g" | "100g" | "oc192" | "mixed") ), "local-bias" /* Turn on local bias functionality */, "local-minimum-links-threshold" arg /* Specify threshold for minimum links per VC/VCF member */, "resilient-hash" /* Turn on resilient-hash */, "lacp" ( /* Link Aggregation Control Protocol configuration */ c( c( "active" /* Initiate transmission of LACP packets */, "passive" /* Respond to LACP packets */ ), "periodic" ( /* Timer interval for periodic transmission of LACP packets */ ("fast" | "slow") ), "fast-failover" /* To turn off LACP fast-failover */, "link-protection" ( c( "disable" /* To turn off LACP link-protection */, c( "revertive" /* Switch links when better priority link comes up */, "non-revertive" /* Do not switch links when better priority link comes up */ ), "rtg-config" ( /* RTG Feature enable on AE */ c( "preempt-cutover-timer" arg /* RTG preempt-cutover-timer in seconds */ ) ) ) ), "accept-data" /* Keep receiving traffic even when LACP goes down */, "sync-reset" ( /* On minimum-link failure notify out of sync to peer */ ("disable" | "enable") ), "system-priority" arg /* Priority of the system (0 ... 65535) */, "system-id" ( /* Node's System ID, encoded as a MAC address */ mac_addr /* Node's System ID, encoded as a MAC address */ ), "admin-key" arg /* Node's administrative key */, "hold-time" /* Hold time for link up and link down for AE link members */.as(:oneline), "aggregate-wait-time" arg /* Aggregate wait time for the AE */, "force-up" /* Forceup AE interface with LACP */ ) ), "link-protection-sub-group" /* Link Protection subgroup configuration */, "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "storm-control" /* Storm control profile name to bind */, "mac-learn-enable" /* Learn MAC addresses dynamically */ ) ), "mc-ae" /* Multi-chassis aggregation (MC-AE) network device configuration */, "share-standby" /* Share the resources with standby ports, needs FPC reboot to take effect */ ) ), "es-options" ( /* ES PIC interface-specific options */ c( "backup-interface" ( /* Name of backup interface */ interface_device /* Name of backup interface */ ) ) ), "dsl-options" ( /* DSL interface-specific options */ c( "operating-mode" ( /* DSL operating mode */ ("auto" | "ansi-dmt" | "itu-dmt" | "etsi" | "itu-annexb-ur2" | "itu-annexb-non-ur2" | "itu-dmt-bis" | "adsl2plus" | "annexm-itu-dmt-bis" | "annexm-adsl2plus") ) ) ), "vdsl-options" ( /* VDSL interface-specific options */ c( "vdsl-profile" ( /* VDSL profile */ ("auto" | "8a" | "8b" | "8c" | "8d" | "12a" | "12b" | "17a") ), "sra" ( /* DSL SRA */ ("enable" | "disable") ), "v43" ( /* DSL V43 tones */ ("enable" | "disable") ) ) ), "shdsl-options" ( /* SHDSL interface-specific options */ c( "annex" ( /* Type of SHDSL annex */ ("annex-a" | "annex-b" | "annex-f" | "annex-g" | "annex-auto") ), "line-rate" ( /* SHDSL line rate */ ("auto" | arg) ), "loopback" ( /* Loopback mode */ ("local" | "remote") ), "snr-margin" ( /* Signal to noise ratio margin */ c( "current" ( /* Current signal to noise ratio margin */ ("disable" | arg) ), "snext" ( /* SNEXT signal to noise ratio margin */ ("disable" | arg) ) ) ) ) ), "data-input" ( /* Configuration for drop-insert data input */ c( c( "system" /* Data sourced from system */, "interface" ( /* Interface that acts as data source */ interface_device /* Interface that acts as data source */ ) ) ) ), "switch-options" ( /* Front end ports configuration */ c( "switch-port" arg ( c( "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "link-mode" ( /* Link operational mode */ ("half-duplex" | "full-duplex") ), "speed" ( /* Link speed */ ("10m" | "100m" | "1g") ), "vlan-id" arg /* VLAN ID for this port */, "cascade-port" /* Port externally connected to another cascade port */ ) ) ) ), "container-options" ( /* Container interface specific options */ c( "container-type" ( /* Protocol type of the container interface */ c( c( "aps" ( /* APS options on the container */ aps_type /* APS options on the container */ ) ) ) ), "member-interface-type" ( /* Link type of members of container */ c( c( "sonet" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("oc3" | "oc12" | "oc48" | "oc192" | "oc768" | "mixed") ) ) ), "atm" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("oc3" | "oc12" | "oc48") ) ) ), "channelized-sonet" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("coc3" | "coc12" | "coc48" | "coc192" | "coc768") ) ) ), "channelized-sdh" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("cstm1" | "cstm4" | "cstm16" | "coc64" | "cstm256") ) ) ) ) ) ), "redundancy" ( /* Container interface redundancy options */ c( "hold-time" ( /* Hold time for link up and link down */ sc( "up" arg /* Link up hold time */, "down" arg /* Link down hold time */ ) ).as(:oneline) ) ), "container-list" ( /* List of container interfaces this member link is associated to */ interface_device /* List of container interfaces this member link is associated to */ ), c( "primary" /* This member link is primary interface of the container */, "standby" /* This member link is standby interface of the container */ ), "fast-aps" /* Fast APS switch */, "allow-configuration-override" /* Allow physical configuration of member link to override container configuration */ ) ), "layer2-policer" /* Layer2 policing for interface */, "unit" enum(("$junos-underlying-interface-unit" | "$junos-interface-unit" | arg)) ( /* Logical interface */ c( "policer-overhead" ( /* Policer overhead adjustment for this unit */ c( arg, "ingress" arg /* Ingress value in bytes */, "egress" arg /* Egress value in bytes */ ) ), "alias" arg /* Interface alias */, "enhanced-convergence" /* Optimize convergence time for L3 */, "proxy-macip-advertisement" /* Proxy advertisement of type 2 MAC+IP route for EVPN */, "virtual-gateway-accept-data" /* Accept packets destined for virtual gateway address */, "peer-psd" ( /* Peer psd */ sc( arg /* Peer psd name */ ) ).as(:oneline), "peer-interface" ( /* Peer interface */ c( interface_unit /* Peer interface name */ ) ), "interface-shared-with" ( /* Specify which PSD owns this logical interface */ c( arg /* Name of protected system domain (psd[1-31], ex. psd2) */ ) ), ("disable"), "passive-monitor-mode" /* Use interface to tap packets from another router */, "per-session-scheduler" /* Enable per-session queuing on an IQ2 interface */, "account-layer2-overhead" /* Account layer2 overhead in IFL byte statistics */, "forwarding-class-accounting" /* Configure Forwarding-class-accounting parameters for IFL */, "clear-dont-fragment-bit" /* Clear DF bit in packet (AS PIC and J-series only as well as MIF) */, "packet-inject-enable" /* Enable packet inject functionality on this IFL */, "reassemble-packets" /* Do reassembly of fragmented tunnel packets */, "services-options" /* Services interface-specific options */, "rpm" /* Enable RPM service on this interface */, "description" arg /* Text description of interface */, "metadata" arg /* Text metadata attached to interface */, "dial-options" /* Dial options */, "actual-transit-statistics" /* Actual transit statistics */, "demux-source" ( enum(("inet" | "inet6")) ), "demux-destination" ( enum(("inet" | "inet6")) ), "demux" /* Demux based on source or destination address */, "encapsulation" ( /* Logical link-layer encapsulation */ ("atm-nlpid" | "atm-cisco-nlpid" | "atm-snap" | "atm-vc-mux" | "atm-ccc-vc-mux" | "atm-tcc-vc-mux" | "atm-tcc-snap" | "atm-ccc-cell-relay" | "vlan-vci-ccc" | "ether-over-atm-llc" | "ether-vpls-over-atm-llc" | "ppp-over-ether-over-atm-llc" | "ppp-over-ether" | "atm-ppp-vc-mux" | "atm-ppp-llc" | "atm-mlppp-llc" | "frame-relay-ppp" | "frame-relay-ccc" | "frame-relay" | "frame-relay-tcc" | "frame-relay-ether-type" | "frame-relay-ether-type-tcc" | "ether-vpls-fr" | "vlan-ccc" | "ethernet-ccc" | "vlan-vpls" | "vlan-bridge" | "dix" | "ethernet" | "ethernet-vpls" | "ethernet-bridge" | "vlan" | "vlan-tcc" | "multilink-ppp" | "multilink-frame-relay-end-to-end" | "ppp-ccc") ), "gre" /* Allow GRE packets */, "mtu" arg /* Maximum transmission unit packet size */, c( "point-to-point" /* Point-to-point connection */, "multipoint" /* Multipoint connection */ ), "bandwidth" arg /* Logical unit bandwidth (informational only) */, "global-layer2-domainid" arg /* Global Layer-2 Identifier for this interface */, "radio-router" ( /* Parameters for dynamic link cost management */ dynamic_ifbw_parms_type /* Parameters for dynamic link cost management */ ), "traps" /* Enable SNMP notifications on state changes */, "no-traps" /* Don't enable SNMP notifications on state changes */, "routing-services" /* Enable routing services */, "no-routing-services" /* Don't enable routing services */, "arp-resp" ( /* Knob to control ARP response on the interface, default is restricted */ sc( c( "unrestricted" /* Enable unrestricted ARP respone on the interface */, "restricted" /* Enable restricted proxy ARP response on the interface */ ) ) ).as(:oneline), "proxy-arp" ( /* Enable proxy ARP on the interface, default is unrestricted */ sc( c( "unrestricted" /* Enable unrestricted proxy ARP on the interface */, "restricted" /* Enable restricted proxy ARP on the interface */ ) ) ).as(:oneline), c( "vlan-id" ( /* Virtual LAN identifier value for 802.1q VLAN tags */ ("none" | arg) ), "vlan-id-range" arg /* Virtual LAN identifier range of form vid1-vid2 */, "inner-vlan-id-swap-ranges" arg /* Inner vlan-id swap range(s) of form vid1-vid2 for dynamic L2 VLANs */, "vlan-id-list" arg /* List of VLAN identifiers */, "vlan-tag" arg /* IEEE 802.1q tag list for VLAN tagged frames */, "vlan-tags" ( /* IEEE 802.1q tags */ sc( "outer" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-stacked-vlan-id" | "$junos-vlan-id" | arg) ), c( "inner" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-vlan-id" | arg) ), "inner-range" arg /* [tpid.]vid1-vid2, tpid format is 0xNNNN and is optional */, "inner-list" arg /* List of VLAN identifiers */ ) ) ).as(:oneline) ), "deep-vlan-qualified-learning" arg /* Enable qualified MAC-address learning on the specified vlan tag */, "native-inner-vlan-id" arg /* Native virtual LAN identifier for singly tagged frames */, "inner-vlan-id-range" /* Inner vlan-id range start end */.as(:oneline), "accept-source-mac" ( /* Remote media access control address to/from which to accept traffic */ c( "mac-address" ( /* Remote MAC address */ mac_list /* Remote MAC address */ ) ) ), "input-vlan-map" ( /* VLAN map operation on input */ vlan_map /* VLAN map operation on input */ ), "output-vlan-map" ( /* VLAN map operation on output */ vlan_map /* VLAN map operation on output */ ), "swap-by-poppush" /* Pop original vlan tag and then push a new vlan tag */, "receive-lsp" arg /* Name of incoming label-switched path */, "transmit-lsp" arg /* Name of outgoing label-switched path */, "dlci" arg /* Frame Relay data-link control identifier */, "multicast-dlci" arg /* Frame Relay data-link control identifier for multicast packets */, c( "vci" ( /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ ), "allow-any-vci" /* Allow all VCIs to open in atm-ccc-cell-relay mode */, "vpi" arg /* ATM point-to-point virtual path identifier (vpi) */, "trunk-id" arg /* ATM trunk identifier */ ), "no-vpivci-swapping" /* Do not swap VPI/VCI for Cell Relay */, c( "psn-vci" ( /* PSN VCI */ atm_vci /* PSN VCI */ ), "psn-vpi" arg /* PSN VPI */ ), "atm-l2circuit-mode" ( /* Select ATM Layer 2 circuit transport mode */ sc( c( "cell" /* ATM Layer 2 circuit cell mode */, "aal5" /* ATM Layer 2 circuit AAL5 mode */ ) ) ).as(:oneline), "vci-range" ( /* ATM VCI range start end */ sc( "start" arg /* ATM VCI range's start value */, "end" arg /* ATM VCI range's end value */ ) ).as(:oneline), "trunk-bandwidth" arg /* ATM trunk bandwidth */, "multicast-vci" ( /* ATM virtual circuit identifier for multicast packets */ atm_vci /* ATM virtual circuit identifier for multicast packets */ ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable F5 OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "ppp-options" ( /* Point-to-Point Protocol interface-specific options */ ppp_options_type /* Point-to-Point Protocol interface-specific options */ ), "pppoe-options" ( /* PPP over Ethernet interface-specific options */ pppoe_options_type /* PPP over Ethernet interface-specific options */ ), "pppoe-underlying-options" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "advisory-options" ( /* Interface-specific recommendations */ advisory_options_type /* Interface-specific recommendations */ ), "auto-configure" ( /* Auto configuration */ auto_configure_vlan_type /* Auto configuration */ ), "demux-options" ( /* IP demux interface-specific options */ demux_options_type /* IP demux interface-specific options */ ), "targeted-distribution" /* Interface participates in targeted-distribution */, "targeted-options" /* Targeting specific options */, c( "keepalives" ( /* Send or demand keepalive messages */ keepalives_type /* Send or demand keepalive messages */ ).as(:oneline), "no-keepalives" /* Do not send or demand keepalive messages */ ), "inverse-arp" /* Enable inverse ARP */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline), "cell-bundle-size" arg /* L2 circuit cell bundle size */, "cell-bundle-timeout" arg /* L2 circuit cell bundle timeout */, "plp-to-clp" /* Enable ATM2 PLP to CLP copy */, "atm-scheduler-map" arg /* Assign ATM2 CoS scheduling map */, "mrru" arg /* Maximum received reconstructed unit */, "short-sequence" /* Short sequence number header format (MLPPP only) */, "fragment-threshold" arg /* Fragmentation threshold */, "drop-timeout" arg /* Drop timeout */, "disable-mlppp-inner-ppp-pfc" /* Disable compression for inner PPP header in MLPPP payload */, "minimum-links" arg /* Minimum number of links to sustain the bundle */, "multilink-max-classes" arg /* Number of multilink classes */, "compression" ( /* Various packet header compressions */ c( "rtp" ( /* Compress and decompress RTP */ c( "f-max-period" arg /* Maximum number of compressed packets between transmission of full headers */, "queues" ( /* Queue holding RTP packets. Default is queue 1 */ ("q0" | "q1" | "q2" | "q3") ), "port" ( /* UDP destination ports reserved for RTP packets */ sc( "minimum" arg, "maximum" arg ) ).as(:oneline), "maximum-contexts" ( /* Maximum number of simultaneous RTP contexts */ sc( arg ) ).as(:oneline) ) ) ) ), "interleave-fragments" /* Interleave long packets with high priority ones */, "link-layer-overhead" ( /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ unsigned_float /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ ), "accounting-profile" arg /* Accounting profile name */, "peer-unit" arg /* Peer unit number */, "tunnel" ( /* Tunnel parameters */ c( "encapsulation" ( /* Encapsulation over tunnel */ c( "vxlan-gpe" ( c( "source" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ), "interface" ( /* Name of the interface */ interface_name /* Name of the interface */ ) ) ), "destination" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ) ) ), "tunnel-endpoint" ( /* Tunnel end point type */ ("vxlan") ), "destination-udp-port" arg /* Value to write to the destination-udp-port field */, "vni" arg /* Value to write to the vni field */ ) ) ) ), "source" ( /* Tunnel source */ ipaddr /* Tunnel source */ ), "destination" ( /* Tunnel destination */ ipaddr /* Tunnel destination */ ), "key" arg /* Tunnel key */, "backup-destination" ( /* Backup tunnel destination */ ipaddr /* Backup tunnel destination */ ), c( "allow-fragmentation" /* Do not set DF bit on packets */, "do-not-fragment" /* Set DF bit on packets */ ), "ttl" arg /* Time to live */, "traffic-class" arg /* TOS/Traffic class field of IP-header */, "flow-label" arg /* Flow label field of IP6-header */, "path-mtu-discovery" /* Enable path MTU discovery for tunnels */, "no-path-mtu-discovery" /* Don't enable path MTU discovery for tunnels */, "routing-instance" ( /* Routing instance to which tunnel ends belong */ c( "destination" arg /* Routing instance of tunnel destination */ ) ) ) ), "compression-device" ( /* Logical interface used for compression */ interface_unit /* Logical interface used for compression */ ), "atm-policer" /* ATM policing for logical interface */, "layer2-policer" /* Layer2 policing for logical interface */, "filter" /* Filters to apply to all families configured under this logical interface */, "multi-chassis-protection" ( /* Inter-Chassis protection configuration */ multi_chassis_protection_group_ifl /* Inter-Chassis protection configuration */ ), "statistics" /* Enable statistics collection in PFE */, "esi" /* ESI configuration of logical interface */, "virtual-gateway-esi" /* ESI configuration of virtual gateway */, "service" ( /* Service operations */ c( "pcef" arg ( /* PCEF configuration */ c( "activate-all" /* Activate all rules and rulebases in the pcef profile */, "activate" arg /* Name of pcef profile rule or rulebase to activate */ ) ) ) ), "generate-eui64" /* To generate Link Local EUI-64 addresses */, "no-generate-eui64" /* Don't to generate Link Local EUI-64 addresses */, "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "dhcp" ( /* Dynamic Host Configuration Protocol client configuration */ dhcp_client_type /* Dynamic Host Configuration Protocol client configuration */ ), "targeted-broadcast" ( /* Directed broadcast */ c( c( "forward-and-send-to-re" /* Allow packets to be forwarded and sent to re */, "forward-only" /* Allow packets only to be forwarded */ ) ) ), "destination-class-usage" /* Enable destination class usage on this interface */, "transit-options-packets" /* Transit IP options packets (don't send to Routing Engine) */, "transit-ttl-exceeded" /* Transit IP TTL-exceeded packets (don't send to Routing Engine) */, "receive-options-packets" /* Receive IP options packets (don't send to Routing Engine) */, "receive-ttl-exceeded" /* Receive IP TTL-exceeded packets (don't send to Routing Engine) */, "accounting" ( /* Configure interface-based accounting options */ c( "source-class-usage" ( /* Enable source class usage on this interface */ c( "input" /* Specify this interface for source-class-usage input */, "output" /* Specify this interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mac-validate" arg /* Validate source MAC address */, "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "mtu" arg /* Protocol family maximum transmission unit */, "arp-max-cache" arg /* Max interface ARP nexthop cache size */, "arp-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "no-redirects" /* Do not redirect traffic */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "unconditional-src-learn" /* Glean from arp packets even when source cannot be validated */, "multicast-only" /* Allow only multicast traffic (tunnels only) */, "primary" /* Candidate for primary interface in system */, "ipsec-sa" arg /* Name of security association */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "simple-filter" ( /* Filter for doing multifield classification */ c( "input" arg /* Name of simple filter applied to received packets */ ) ), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "arp" arg /* Name of policer applied to received ARP packets */, "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "next-hop-tunnel" arg ( /* One or more next-hop tunnel tables */ c( "ipsec-vpn" arg /* Name of IPSec VPN */ ) ), "address" arg ( /* Interface address/destination prefix */ c( "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */, "broadcast" ( /* Broadcast address */ ipv4addr /* Broadcast address */ ), "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "multipoint-destination" arg ( /* Multipoint NBMA destination */ c( c( "dlci" arg /* Frame Relay data-link control identifier */, "vci" ( /* ATM virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM virtual circuit identifier ([vpi.]vci) */ ) ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "inverse-arp" /* Enable inverse ARP reply messages */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline) ) ), "arp" arg ( /* Static Address Resolution Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for ARP entry */ interface_name /* Layer 2 interface name for ARP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to ARP requests for this entry */ ) ).as(:oneline), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "vrrp-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv4addr /* Virtual Gateway IP address */ ) ) ), "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-address" | arg) ), "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */ ) ).as(:oneline), "location-pool-address" /* Location-based IP address pool */, "negotiate-address" /* Negotiate address with remote */ ) ), "iso" ( /* OSI ISO protocol parameters */ c( "address" arg /* Interface address */, "mtu" arg /* Protocol family maximum transmission unit */ ) ), "inet6" ( /* IPv6 protocol parameters */ c( "dhcpv6-client" ( /* Dynamic Host Configuration Protocol DHCPv6 client configuration */ c( "client-type" ( /* DHCPv6 client type */ ("stateful" | "autoconfig") ), "client-ia-type" enum(("ia-na" | "ia-pd")) /* DHCPv6 client identity association type */, "rapid-commit" /* Option is used to signal the use of the two message exchange for address assignment */, "prefix-delegating" ( /* Prefix delegating parameters */ c( "preferred-prefix-length" arg /* Client preferred prefix length */, "sub-prefix-length" arg /* The sub prefix length for LAN interfaces */ ) ), "client-identifier" ( /* DHCP Server identifies a client by client-identifier value */ sc( "duid-type" ( /* DUID identifying a client */ ("duid-llt" | "vendor" | "duid-ll") ) ) ).as(:oneline), "req-option" enum(("dns-server" | "domain" | "ntp-server" | "time-zone" | "sip-server" | "sip-domain" | "nis-server" | "nis-domain" | "fqdn" | "vendor-spec")) /* DHCPV6 client requested option configuration */, "retransmission-attempt" arg /* Number of attempts to retransmit the DHCPV6 client protocol packet */, "no-dns-install" /* Not propagate DNS to kernel */, "update-router-advertisement" ( /* Dhcpv6 client update rpd for prefix delegation */ c( "interface" arg ( /* Interfaces on which to delegate prefix */ c( "managed-configuration" /* Set managed address configuration */, "no-managed-configuration" /* Don't set managed address configuration */, "other-stateful-configuration" /* Set other stateful configuration */, "no-other-stateful-configuration" /* Don't set other stateful configuration */, "max-advertisement-interval" arg /* Maximum advertisement interval */, "min-advertisement-interval" arg /* Minimum advertisement interval */, "enable-recursive-dns-server-option" /* Enables the recursive DNS server option */, "no-enable-recursive-dns-server-option" /* Don't enables the recursive DNS server option */ ) ) ) ), "update-server" /* Propagate TCP/IP settings to DHCP server */ ) ), "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "accounting" ( /* Interface-based accounting options */ c( "source-class-usage" ( c( "input" /* Interface for source-class-usage input */, "output" /* Interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mtu" arg /* Protocol family maximum transmission unit */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "nd6-stale-time" arg /* Stale time to reconfirm reachability with inet6 neighbour */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "slaac-enable" /* Enable slaac on management interface */, "ndp-proxy" ( /* Enable ndp proxy on interface */ c( "interface-restricted" /* Enable ndp interface proxy restricted to interface */ ) ), "dad-proxy" ( /* DAD proxy on interface */ c( "interface-restricted" /* Enable DAD interface proxy restricted to interface */ ) ), "nd6-max-cache" arg /* Max interface ND nexthop cache size */, "nd6-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "no-redirects" /* Do not redirect traffic */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "address" arg ( /* Interface address or destination prefix */ c( "destination" ( /* Destination address */ ipv6addr /* Destination address */ ), "eui-64" /* Generate EUI-64 interface ID */, "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "ndp" arg ( /* Static Neighbor Discovery Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for NDP entry */ interface_name /* Layer 2 interface name for NDP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to NDP requests for this entry */ ) ).as(:oneline), "vrrp-inet6-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv6addr /* Virtual Gateway IP address */ ), "subnet-router-anycast" /* Create a subnet roter anycast address for this address. */ ) ), "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-ipv6-address" | arg) ) ) ).as(:oneline), "dad-disable" /* Disable duplicate-address-detection */, "no-dad-disable" /* Don't disable duplicate-address-detection */, "negotiate-address" /* Negotiate address with remote */ ) ), "mpls" ( /* MPLS protocol parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "maximum-labels" arg /* Protocol family maximum number of labels */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ) ) ), "mlppp" ( /* Multilink PPP protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ ("$junos-bundle-interface-name" | arg) ), c( "service-interface" ( /* Services interface to use */ interface_device /* Services interface to use */ ), "service-device-pool" arg /* Service interface pool name to use */ ), "dynamic-profile" arg /* dynamic profile for interface to use */ ) ), "mlfr-end-to-end" ( /* Multilink Frame Relay end-to-end protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "mlfr-uni-nni" ( /* Multilink Frame Relay UNI NNI protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "ccc" ( /* Circuit cross-connect parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "translate-fecn-and-becn" /* Translate FECN and BECN bits */, c( "translate-discard-eligible" /* Translate DE bit */, "translate-plp-control-word-de" /* Translate PLP to/from Martini Control DE bit */ ), "keep-address-and-control" /* Don't strip PPP address and control bytes */ ) ), "tcc" ( /* Translational cross-connect parameters */ c( "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "proxy" ( c( "inet-address" ( /* Remote host address on non-Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on non-Ethernet side of Ethernet TCC */ ) ) ), "remote" ( c( "inet-address" ( /* Remote host address on Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on Ethernet side of Ethernet TCC */ ), "mac-address" ( /* Remote host MAC address on Ethernet side of Ethernet TCC */ mac_addr /* Remote host MAC address on Ethernet side of Ethernet TCC */ ) ) ), "protocols" /* Protocols supported on TCC interface */ ) ), "vpls" ( /* Virtual private LAN service parameters */ c( "core-facing" /* Interface is core facing */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" /* Interface sampling */ ) ), "bridge" /* Layer-2 bridging parameters */, "ethernet-switching" ( /* Ethernet switching parameters */ ethernet_switching_type /* Ethernet switching parameters */ ), "fibre-channel" ( /* Fibre channel switching parameters */ fibre_channel_type /* Fibre channel switching parameters */ ), "pppoe" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "any" ( /* Parameters for 'any' family */ c( "filter" ( /* Layer 2 packet filtering */ c( "input" arg /* Name of filter applied to received packets */, "group" arg /* Group to which interface belongs */ ) ) ) ), "llc2" /* Enable Logical Link Control Type 2 */ ) ), "service-domain" ( /* Service domain to which interface belongs */ ("inside" | "outside") ), "copy-tos-to-outer-ip-header" /* Copy IP payload header's ToS field to GRE delivery header */, "copy-tos-to-outer-ip-header-transit" /* Copy IP ToS field to GRE header for transit packets */, "load-balancing-options" ( /* AMS subunit load balancing options */ c( "preferred-active" ( /* Preferred active Interface name */ interface_device /* Preferred active Interface name */ ), "disable-hash" /* Hash based distribution is not needed for this subunit */, "hash-keys" ( c( "ingress-key" ( /* Hash Key for the ingress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "iif")) ), "egress-key" ( /* Hash Key for the egress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "oif")) ), "ipv6-source-prefix-length" ( /* IPv6 source prefix length for hash computation */ ("56" | "64" | "96" | "128") ) ) ) ) ), "mac" ( /* Configure logical interface MAC address */ mac_unicast /* Configure logical interface MAC address */ ), "virtual-gateway-v4-mac" ( /* Configure virtual gateway IPV4 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV4 virtual MAC address */ ), "virtual-gateway-v6-mac" ( /* Configure virtual gateway IPV6 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV6 virtual MAC address */ ), "forwarding-options" /* Aggregated Ethernet interface forwarding-options */, "etree-ac-role" ( /* ETREE attachment circuit role */ ("root" | "leaf") ), "dialer-options" ( /* Dialer options */ c( "pool" arg /* Dialer pool */, "dial-string" arg /* String to dial out */, "incoming-map" ( /* Map incoming call to dialer */ c( c( "caller" arg /* Caller Id to be screened */.as(:oneline), "accept-all" /* Accept all incoming calls */ ) ) ), "callback" /* Call back on any incoming call to the dialer */, "callback-wait-period" arg /* Time to wait before calling back */, "redial-delay" arg /* Time to wait before redialing */, "idle-timeout" arg /* Delay before taking down the interface */, "watch-list" arg /* Dialer watch list */, "load-threshold" arg /* Load threshold for adding interfaces */, "load-interval" arg /* Interval used to calculate average load */, "activation-delay" arg /* Activation delay */, "deactivation-delay" arg /* Deactivation delay */, "initial-route-check" arg /* Delay to check primary after the router is up */, "always-on" /* Always keep on-line */ ) ), "backup-options" ( /* Backup interface configuration options */ c( "interface" ( /* Backup interface */ interface_name /* Backup interface */ ) ) ), "dynamic-call-admission-control" /* Dynamic call admission control configuration */ ) ), "no-partition" ( /* Use channelizable interface as clear channel */ sc( "interface-type" ( /* Interface type */ ("e1" | "t1" | "at" | "t3" | "e3" | "ct3" | "so" | "cau4") ) ) ).as(:oneline), "partition" arg ( /* Channelized interface partition */ sc( "oc-slice" arg /* Range of SONET/SDH slices (for example, 1, 7-9) */, "timeslots" arg /* Timeslots [(1..24) for T1, (1..31) for E1]; for example, 1-3,4,9,22-24 (no spaces) */, "interface-type" ( /* Sublevel interface type */ ("ds" | "e1" | "t1" | "at" | "ct1" | "ce1" | "t3" | "ct3" | "e3" | "so" | "coc1" | "cau4" | "dc" | "bc") ) ) ).as(:oneline), "radius-options" ( /* Interface RADIUS Options */ radius_options_vlan_type /* Interface RADIUS Options */ ), "modem-options" ( /* MODEM interface-specific options */ c( "init-command-string" arg /* AT command string to initialize modem */, "dialin" ( ("console" | "routable") ) ) ), "isdn-options" ( /* ISDN interface-specific options */ c( "switch-type" ( /* ISDN switch type */ ("ni1" | "etsi" | "att5e" | "ntdms100" | "ntt" | "ni2") ), "media-type" arg /* IDSN media type - voice, data or both */, "spid1" arg /* Service profile identifier */, "spid2" arg /* Additional service profile identifier */, "calling-number" arg /* Calling number included in outgoing calls */, "incoming-called-number" arg ( /* Incoming called number to be screened */ sc( "reject" /* Reject the called number */ ) ).as(:oneline), "tei-option" ( /* ISDN terminal endpoint identifier negotiation options */ ("first-call" | "power-up") ), "static-tei-val" arg /* Static TEI value */, "t310" arg /* Timer T310 value */, "bchannel-allocation" ( /* Allocate PRI dialout b-channel in ascending/descending order */ ("ascending" | "descending") ) ) ), "dialer-options" ( /* Dialer options */ c( "pool" arg ( /* Dialer pool */ sc( "priority" arg /* Dialer pool priority */ ) ).as(:oneline) ) ), "redundant-pseudo-interface-options" ( /* Pseudo interface redundancy options */ c( "redundancy-group" arg /* Redundancy group of this interface */ ) ), "act-sim" arg /* Default SIM slot to connect LTE network */, "cellular-options" ( /* Cellular interface specific options */ c( "sim" arg ( /* SIM slot to connect LTE network */ c( "select-profile" ( /* Profile to be applied */ sc( "profile-id" arg /* Profile to be used for data calls */ ) ).as(:oneline), "radio-access" ( /* Select radio access technology */ sc( c( "automatic" /* Automatically selects radio access type */, "umts-3g-only" /* 3G only */, "umts-3g-preferred" /* UMTS 3G Preferred */, "lte-only" /* Only LTE */, "lte-preferred" /* LTE Preferred */ ) ) ).as(:oneline), "encrypted-sim-unlock-code" ( /* Encrypted PIN */ unreadable /* Encrypted PIN */ ), "gateway" ( /* Set customer gateway for LTE network */ ipprefix /* Set customer gateway for LTE network */ ) ) ) ) ) ) ) end rule(:ip_monitoring_address_type) do arg.as(:arg) ( c( "weight" arg /* Define weight for this IP address */, "interface" ( /* Logical interface through which to monitor this IP address */ s( arg, "secondary-ip-address" arg /* Define source address for monitoring packets on secondary link */ ) ) ) ) end rule(:jsf_application_traffic_control_rule_set_type) do c( "rule-set" arg /* Service rule-set name */ ) end rule(:jsrc_options) do c( "partition" /* JSRC partition definition */ ) end rule(:juniper_access_options) do c( "radius-server" ( /* RADIUS server configuration */ access_radius_server_object /* RADIUS server configuration */ ), "radius-disconnect-port" arg /* Server port on which to access disconnect requests from RADIUS client */, "radius-disconnect" ( /* RADIUS-initiated disconnect configuration for dynamic termination of user sessions by external entity */ radius_disconnect_object /* RADIUS-initiated disconnect configuration for dynamic termination of user sessions by external entity */ ), "domain-name-server" arg /* Default DNS server's IPv4 address */, "domain-name-server-inet" arg /* DNS server's IPv4 address */, "domain-name-server-inet6" arg /* DNS server's IPv6 address */, "wins-server" arg /* Default WINS server's IPv4 address */, "address-pool" ( /* Address pool */ address_pool_object /* Address pool */ ), "group-profile" ( /* Group profile to use for this client */ group_profile_object /* Group profile to use for this client */ ), "profile" arg ( /* Set of attributes that define access */ c( "accounting-order" ( /* Order in which accounting mechanisms are used */ ("radius") ), "authentication-order" ( /* Order in which authentication mechanisms are used */ ("radius" | "password" | "none" | "nasreq" | "ldap" | "securid") ), "authorization-order" /* Order in which authorization mechanisms are used */, "provisioning-order" arg /* Order in which provisioning mechanisms are used */, "preauthentication-order" ( /* Order in which preauthentication mechanisms are used */ ("radius") ), "charging-service-list" ( /* List of used 3gpp charging servicess */ ("ocs") ), "domain-name-server" arg /* Default DNS server's IPv4 address */, "domain-name-server-inet" arg /* DNS server's IPv4 address */, "domain-name-server-inet6" arg /* DNS server's IPv6 address */, "wins-server" arg /* Default WINS server's IPv4 address */, "client" ( /* Entity requesting access */ access_client_object /* Entity requesting access */ ), "address-assignment" ( /* Address assignment pool */ c( "pool" arg /* Name of address-assignment pool */ ) ), "local" ( /* Set configuration for local reporting */ c( "flat-file-profile" arg /* Specifies that the service accounting will be reported as per flat-file profile */ ) ), "radius" ( /* Set of RADIUS configurations */ c( "authentication-server" ( /* The authentication server list to use in the specified order to send authentication messages */ ipaddr /* The authentication server list to use in the specified order to send authentication messages */ ), "accounting-server" ( /* The accounting server list to use in the specified order to send accounting messages */ ipaddr /* The accounting server list to use in the specified order to send accounting messages */ ), "preauthentication-server" ( /* The preauthentication server list to use in the specified order to send preauthentication messages */ ipv4addr /* The preauthentication server list to use in the specified order to send preauthentication messages */ ), "options" /* Specifies the RADIUS options */, "attributes" ( /* Specifies how RADIUS attributes should be handled */ c( "ignore" ( /* Ignores the specified attribute in RADIUS Access-Accept messages */ c( "output-filter" /* Juniper (IANA 4874) Output-filter / Egress-Policy-Name (VSA 26-11) */, "input-filter" /* Juniper (IANA 4874) Input-filter / Ingress-Policy-Name (VSA 26-10) */, "framed-ip-netmask" /* Framed-IP-Netmask (attribute 9) */, "logical-system-routing-instance" /* Juniper (IANA 4874) Logical-system-routing-instance / Virtual-Router (VSA 26-1) */, "dynamic-iflset-name" /* Juniper (IANA 4874) Dynamic interface set / Qos-Set-Name (VSA 26-130) */, "idle-timeout" /* Idle-Timeout (attribute 28) */, "session-timeout" /* Session-Timeout (attribute 27) */, "standard-attribute" arg /* RADIUS standard attribute number */, "vendor-id" arg ( /* Specify the vendor-identifier for a vendor-specific attribute (VSA) */ c( "vendor-attribute" arg /* Vendor specific attribute number */ ) ) ) ), "exclude" ( /* Configures the exclusion of RADIUS attributes in RADIUS messages */ c( "standard-attribute" arg ( /* Specify RADIUS standard attribute number */ c( "packet-type" ( /* Specify packet types to be excluded */ ("access-request" | "accounting-on" | "accounting-off" | "accounting-start" | "accounting-stop") ) ) ), "vendor-id" arg ( /* Specify the vendor-identifier for a vendor-specific attribute (VSA) */ c( "vendor-attribute" arg ( /* Specify vendor specific attribute number */ c( "packet-type" ( /* Specify packet types to be excluded */ ("access-request" | "accounting-on" | "accounting-off" | "accounting-start" | "accounting-stop") ) ) ) ) ), "accounting-authentic" ( /* Excludes RADIUS attribute 45, Acct-Authentic */ ("accounting-on" | "accounting-off" | "accounting-start" | "accounting-stop") ), "accounting-delay-time" ( /* Excludes RADIUS attribute 41, Acct-Delay-Time */ ("accounting-on" | "accounting-off" | "accounting-start" | "accounting-stop") ), "accounting-session-id" ( /* Excludes RADIUS attribute 44, Acct-Session-ID */ ("access-request") ), "accounting-terminate-cause" ( /* Excludes RADIUS attribute 49, Acct-Terminate-Cause */ ("accounting-off") ), "called-station-id" ( /* Excludes RADIUS attribute 30, Called-Station-ID */ ("access-request" | "accounting-start" | "accounting-stop") ), "calling-station-id" ( /* Excludes RADIUS attribute 31, Calling-Station-ID */ ("access-request" | "accounting-start" | "accounting-stop") ), "class" ( /* Excludes RADIUS attribute 25, Class */ ("accounting-start" | "accounting-stop") ), "delegated-ipv6-prefix" ( /* Excludes RADIUS attribute 123, Delegated-IPv6-Prefix */ ("accounting-start" | "accounting-stop") ), "dhcp-options" ( /* Excludes RADIUS attribute 26-55, DHCP-Options */ ("access-request" | "accounting-start" | "accounting-stop") ), "dhcp-gi-address" ( /* Excludes RADIUS attribute 26-57, DHCP-GI-Address */ ("access-request" | "accounting-start" | "accounting-stop") ), "dhcp-mac-address" ( /* Excludes RADIUS attribute 26-56, DHCP-MAC-Address */ ("access-request" | "accounting-start" | "accounting-stop") ), "output-filter" ( /* Excludes RADIUS attribute 26-11, Egress-Policy-Name */ ("accounting-start" | "accounting-stop") ), "event-time-stamp" ( /* Excludes RADIUS attribute 55, Event-Timestamp */ ("accounting-on" | "accounting-off" | "accounting-start" | "accounting-stop") ), "filter-id" ( /* Excludes RADIUS attribute 11, Filter-Id */ ("accounting-start" | "accounting-stop") ), "framed-ip-address" ( /* Excludes RADIUS attribute 8, Framed-IP-Address */ ("access-request" | "accounting-start" | "accounting-stop") ), "framed-ip-netmask" ( /* Excludes RADIUS attribute 9, Framed-IP-Netmask */ ("access-request" | "accounting-start" | "accounting-stop") ), "framed-ip-route" ( /* Excludes RADIUS attribute 22, Framed-Route */ ("accounting-start" | "accounting-stop") ), "framed-ipv6-address" ( /* Excludes RADIUS attribute 168, Framed-IPV6-Address */ ("access-request" | "accounting-start" | "accounting-stop") ), "framed-ipv6-pool" ( /* Excludes RADIUS attribute 100, Framed-IPv6-Pool */ ("accounting-start" | "accounting-stop") ), "framed-ipv6-prefix" ( /* Excludes RADIUS attribute 97, Framed-IPv6-Prefix */ ("accounting-start" | "accounting-stop") ), "framed-ipv6-route" ( /* Excludes RADIUS attribute 99, Framed-IPv6-Route */ ("accounting-start" | "accounting-stop") ), "framed-pool" ( /* Excludes RADIUS attribute 88, Framed-Pool */ ("accounting-start" | "accounting-stop") ), "input-filter" ( /* Excludes RADIUS attribute 26-10, Ingress-Policy-Name */ ("accounting-start" | "accounting-stop") ), "input-gigapackets" ( /* Excludes Juniper (IANA 4874) VSA 26-42, Acct-Input-Gigapackets */ ("accounting-stop") ), "input-gigawords" ( /* Excludes RADIUS attribute 52, Acct-Input-Gigawords */ ("accounting-stop") ), "input-ipv6-packets" ( /* Excludes Juniper (IANA 4874) VSA 26-153, Acct-Input-IPv6-Packets */ ("accounting-stop") ), "input-ipv6-gigawords" ( /* Excludes Juniper (IANA 4874) VSA 26-155, Acct-Input-IPv6-Gigawords */ ("accounting-stop") ), "input-ipv6-octets" ( /* Excludes Juniper (IANA 4874) VSA 26-151, Acct-Input-IPv6-Octets */ ("accounting-stop") ), "interface-description" ( /* Excludes RADIUS attribute 26-63, Interface-Desc */ ("access-request" | "accounting-start" | "accounting-stop") ), "nas-identifier" ( /* Excludes RADIUS attribute 32, NAS-identifier */ ("access-request" | "accounting-on" | "accounting-off" | "accounting-start" | "accounting-stop") ), "nas-port" ( /* Excludes RADIUS attribute 5, NAS-Port */ ("access-request" | "accounting-start" | "accounting-stop") ), "nas-port-id" ( /* Excludes RADIUS attribute 87, NAS-Port-ID */ ("access-request" | "accounting-start" | "accounting-stop") ), "nas-port-type" ( /* Excludes RADIUS attribute 61, NAS-Port-Type */ ("access-request" | "accounting-start" | "accounting-stop") ), "output-gigapackets" ( /* Excludes Juniper (IANA 4874) VSA 26-43, Acct-Output-Gigapackets */ ("accounting-stop") ), "output-gigawords" ( /* Excludes RADIUS attribute 53, Acct-Output-Gigawords */ ("accounting-stop") ), "output-ipv6-packets" ( /* Excludes Juniper (IANA 4874) VSA 26-154, Acct-Output-IPv6-Packets */ ("accounting-stop") ), "output-ipv6-gigawords" ( /* Excludes Juniper (IANA 4874) VSA 26-156, Acct-Output-IPv6-Gigawords */ ("accounting-stop") ), "output-ipv6-octets" ( /* Excludes Juniper (IANA 4874) VSA 26-152, Acct-Output-IPv6-Octets */ ("accounting-stop") ), "dynamic-iflset-name" ( /* Excludes RADIUS attribute 26-130, Dynamic-Iflset-Name */ ("accounting-start" | "accounting-stop") ), "dsl-forum-attributes" ( /* Excludes DSL Forum RADIUS attributes (RFC 4679) */ ("access-request" | "accounting-start" | "accounting-stop") ), "l2c-upstream-data" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-92, L2C-Upstream-Data */ ("access-request" | "accounting-start" | "accounting-stop") ), "l2c-downstream-data" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-93, L2C-Downstream-Data */ ("access-request" | "accounting-start" | "accounting-stop") ), "acc-loop-cir-id" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-110, Acc-Loop-Cir-Id */ ("access-request" | "accounting-start" | "accounting-stop") ), "acc-aggr-cir-id-bin" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-111, Acc-Aggr-Cir-Id-Bin */ ("access-request" | "accounting-start" | "accounting-stop") ), "acc-aggr-cir-id-asc" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-112, Acc-Aggr-Cir-Id-Asc */ ("access-request" | "accounting-start" | "accounting-stop") ), "act-data-rate-up" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-113, Act-Data-Rate-Up */ ("access-request" | "accounting-start" | "accounting-stop") ), "act-data-rate-dn" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-114, Act-Data-Rate-Dn */ ("access-request" | "accounting-start" | "accounting-stop") ), "min-data-rate-up" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-115, Min-Data-Rate-Up */ ("access-request" | "accounting-start" | "accounting-stop") ), "min-data-rate-dn" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-116, Min-Data-Rate-Dn */ ("access-request" | "accounting-start" | "accounting-stop") ), "att-data-rate-up" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-117, Att-Data-Rate-Up */ ("access-request" | "accounting-start" | "accounting-stop") ), "att-data-rate-dn" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-118, Att-Data-Rate-Dn */ ("access-request" | "accounting-start" | "accounting-stop") ), "max-data-rate-up" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-119, Max-Data-Rate-Up */ ("access-request" | "accounting-start" | "accounting-stop") ), "max-data-rate-dn" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-120, Max-Data-Rate-Dn */ ("access-request" | "accounting-start" | "accounting-stop") ), "min-lp-data-rate-up" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-121, Min-Lp-Data-Rate-Up */ ("access-request" | "accounting-start" | "accounting-stop") ), "min-lp-data-rate-dn" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-122, Min-Lp-Data-Rate-Dn */ ("access-request" | "accounting-start" | "accounting-stop") ), "max-interlv-delay-up" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-123, Max-Interlv-Delay-Up */ ("access-request" | "accounting-start" | "accounting-stop") ), "act-interlv-delay-up" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-124, Act-Interlv-Delay-Up */ ("access-request" | "accounting-start" | "accounting-stop") ), "max-interlv-delay-dn" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-125, Max-Interlv-Delay-Dn */ ("access-request" | "accounting-start" | "accounting-stop") ), "act-interlv-delay-dn" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-126, Act-Interlv-Delay-Dn */ ("access-request" | "accounting-start" | "accounting-stop") ), "dsl-line-state" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-127, DSL-Line-State */ ("access-request" | "accounting-start" | "accounting-stop") ), "dsl-type" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-128, DSL-Type */ ("access-request" | "accounting-start" | "accounting-stop") ), "downstream-calculated-qos-rate" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-141, Downstream-Calculated-QoS-Rate */ ("access-request" | "accounting-start" | "accounting-stop") ), "upstream-calculated-qos-rate" ( /* Excludes Juniper (IANA 4874) DSL VSA 26-142, Upstream-Calculated-QoS-Rate */ ("access-request" | "accounting-start" | "accounting-stop") ), "cos-shaping-rate" ( /* Excludes Juniper (IANA 4874) VSA 26-177, Cos-Shaping-Rate */ ("accounting-start" | "accounting-stop") ), "framed-interface-id" ( /* Excludes RADIUS attribute 96, Framed-Interface-Id */ ("access-request" | "accounting-start" | "accounting-stop") ), "chargeable-user-identity" ( /* Excludes RADIUS attribute 89, Chargeable-User-Identity */ ("access-request") ), "l2tp-tx-connect-speed" ( /* Excludes Juniper (IANA 4874) VSA 26-162, , L2TP-Tx-Connect-Speed */ ("access-request" | "accounting-start" | "accounting-stop") ), "l2tp-rx-connect-speed" ( /* Excludes Juniper (IANA 4874) VSA 26-163, , L2TP-Rx-Connect-Speed */ ("access-request" | "accounting-start" | "accounting-stop") ), "tunnel-type" ( /* Excludes RADIUS attribute 64, Tunnel-Type */ ("access-request" | "accounting-start" | "accounting-stop") ), "tunnel-medium-type" ( /* Excludes RADIUS attribute 65, Tunnel-Medium-Type */ ("access-request" | "accounting-start" | "accounting-stop") ), "tunnel-client-endpoint" ( /* Excludes RADIUS attribute 66, Tunnel-Client-Endpoint */ ("access-request" | "accounting-start" | "accounting-stop") ), "tunnel-server-endpoint" ( /* Excludes RADIUS attribute 67, Tunnel-Server-Endpoint */ ("access-request" | "accounting-start" | "accounting-stop") ), "tunnel-assignment-id" ( /* Excludes RADIUS attribute 82, Tunnel-Assignment-Id */ ("access-request" | "accounting-start" | "accounting-stop") ), "tunnel-client-auth-id" ( /* Excludes RADIUS attribute 90, Tunnel-Client-Auth-Id */ ("access-request" | "accounting-start" | "accounting-stop") ), "tunnel-server-auth-id" ( /* Excludes RADIUS attribute 91, Tunnel-Server-Auth-Id */ ("access-request" | "accounting-start" | "accounting-stop") ), "acct-tunnel-connection" ( /* Excludes RADIUS attribute 68, Acct-Tunnel-Connection */ ("access-request" | "accounting-start" | "accounting-stop") ), "acc-loop-remote-id" ( /* Excludes Juniper (IANA 4874) VSA 26-XXX, ERX-Acc-Loop-Remote-Id */ ("access-request" | "accounting-start" | "accounting-stop") ), "acc-loop-encap" ( /* Excludes Juniper (IANA 4874) VSA 26-182, ERX-Acc-Loop-Encap */ ("access-request" | "accounting-start" | "accounting-stop") ), "pppoe-description" ( /* Excludes RADIUS attribute 26-24, PPPOE-Description */ ("access-request" | "accounting-start" | "accounting-stop") ), "virtual-router" ( /* Excludes Juniper (IANA 4874) VSA 26-1, Virtual-Router */ ("access-request" | "accounting-start" | "accounting-stop") ), "first-relay-ipv4-address" ( /* Excludes RADIUS attribute 26-189, DHCP-First-Relay-IPv4-Address */ ("access-request" | "accounting-start" | "accounting-stop") ), "first-relay-ipv6-address" ( /* Excludes RADIUS attribute 26-190, DHCP-First-Relay-IPv6-Address */ ("access-request" | "accounting-start" | "accounting-stop") ), "dhcpv6-options" ( /* Excludes RADIUS attribute 26-207, DHCPv6-Options */ ("access-request" | "accounting-start" | "accounting-stop") ), "dhcp-header" ( /* Excludes RADIUS attribute 26-208, DHCP-Header */ ("access-request") ), "dhcpv6-header" ( /* Excludes RADIUS attribute 26-209, DHCPv6-Header */ ("access-request") ), "acct-request-reason" ( /* Excludes RADIUS attribute 26-210, Acct-Request-Reason */ ("accounting-start" | "accounting-stop") ) ) ) ) ) ) ), "session-options" ( /* Options for an authenticated client's session */ c( "client-group" arg /* One or more groups to which client belongs */, "client-idle-timeout" arg /* Time in minutes of idleness after which access is denied */, "client-idle-timeout-ingress-only" /* Idle timeout applies to ingress traffic only */, "client-session-timeout" arg /* Time in minutes since initial access after which access is denied */, "strip-user-name" ( /* Options for stripping user name string */ c( "delimiter" ( /* Allowable delimiter characters for strip user name separation */ sc( arg ) ).as(:oneline), "parse-direction" ( /* Strip user name parsing direction */ sc( c( "right-to-left" /* Parse the username from right to left */, "left-to-right" /* Parse the username field from left to right */ ) ) ).as(:oneline) ) ), "pcc-context" ( /* Pcc context configurations */ c( "pcef-profile" arg /* Pcef profile name */, "input-service-set" arg /* Input service-set name */, "output-service-set" arg /* Output service-set name */, "input-ipv6-service-set" arg /* Input ipv6 service set name */, "output-ipv6-service-set" arg /* Output ipv6 service set name */, "input-service-filter" arg /* Input service filter name */, "output-service-filter" arg /* Output service filter name */, "input-ipv6-service-filter" arg /* Input ipv6 service filter name */, "output-ipv6-service-filter" arg /* Output ipv6 service filter name */ ) ) ) ), "client-name-filter" ( /* Restrictions on client names */ access_client_name_filter_object /* Restrictions on client names */ ), "ldap-options" ( /* Lightweight Directory Access Protocol options */ access_ldap_options /* Lightweight Directory Access Protocol options */ ), "ldap-server" ( /* Lightweight Directory Access Protocol server */ ldap_server_object /* Lightweight Directory Access Protocol server */ ), "radius-server" ( /* RADIUS server configuration */ profile_radius_server_object /* RADIUS server configuration */ ), "radius-options" ( /* RADIUS options */ access_radius_options /* RADIUS options */ ), "accounting" ( /* Specifies the accounting options */ c( "order" ( /* Order in which accounting mechanisms are used */ ("radius") ), "accounting-stop-on-failure" /* Send an Acct-Stop message if a user fails authentication, but AAA-server grants access */, "accounting-stop-on-access-deny" /* Send an Acct-Stop message if AAA-server denies access */, "immediate-update" /* Send an Acct-Update message on receipt of a Acct-response for the Acct-Start message */, "coa-immediate-update" /* Send an Acct-Update message on completion of processing a change of authorization */, "address-change-immediate-update" /* Send an Acct-Update message to notify address change */, "update-interval" arg /* The interval in min btw accounting updates(Interim-stats off,if unspecified) */, "statistics" ( /* Reports set of statistics attributes based on reporting type */ ("volume-time" | "time") ), "wait-for-acct-on-ack" /* Wait for ACCT-ON-ACK */, "send-acct-status-on-config-change" /* Send ACCT-ON/OFF on config change */, "duplication" /* Send duplicated accounting reports if applied */, "duplication-filter" ( /* Configure duplication filters */ ("interim-original" | "interim-duplicated" | "exclude-attributes") ), "duplication-vrf" ( /* Duplication vrf configurations */ c( "vrf-name" arg /* VRF name */, "access-profile-name" arg /* Access profile name */ ) ), "duplication-attribute-format" ( /* Use attribute format defined under duplication accouting access-profile */ ("username") ), "ancp-speed-change-immediate-update" /* Send an Acct-Update message when ANCP speed change is detected */, "family-state-change-immediate-update" /* Send an Acct-Update message to notify address family activation state change */ ) ), "service" /* Subscriber service configurations */, "jsrc" ( /* Set of JSRC configurations */ c( "attributes" ( /* Specifies how JSRC attributes should be handled */ c( "exclude" ( /* Configures the exclusion of JSRC attributes in DIAMETER messages */ c( "user-name" ( /* Excludes Diameter attribute 1, User-Name */ ("authorization-request" | "provisioning-request") ) ) ) ) ) ) ), "subscriber" ( /* Locally authenticated subscriber configuration */ localauth_subscriber_object /* Locally authenticated subscriber configuration */ ) ) ), "address-assignment" ( /* Address assignment configuration */ address_assignment_type /* Address assignment configuration */ ), "address-protection" /* Initiate Duplicate Address Protection */, "address-preservation" ( /* Enable address preservation */ c( "address-types" ( ("delegated-prefix") ), "aging-time" arg /* Time to hold address reservation */ ) ), "linked-pool-aggregation" /* Enable linked pools aggregation */, "tunnel-profile" /* Set of attributes that define tunnel access */, "tunnel-switch-profile" /* Tunnel switch profile name */, "domain" ( /* Domain map configuration */ domain_map_type /* Domain map configuration */ ), "ppp-options" ( /* Point-to-Point Protocol (PPP) specific options */ c( "compliance" ( /* Standards compliance definition */ c( "rfc" ( /* Enforce compliance with RFC standards */ ("2486") ) ) ) ) ), "gx-plus" ( /* GX-PLUS configuration */ gx_plus_definition /* GX-PLUS configuration */ ), "pcrf" ( /* PCRF configuration */ pcrf_definition /* PCRF configuration */ ), "ocs" ( /* OCS configuration */ ocs_definition /* OCS configuration */ ), "report-interface-descriptions" /* Support reporting of interface descriptions */, "nasreq" ( /* Nasreq configuration */ nasreq_definition /* Nasreq configuration */ ), "protocol-attributes" ( /* Protocol specific attribute configuration */ protocol_attribute_type /* Protocol specific attribute configuration */ ), "aaa-options" /* AAA option configurations */, "radius-options" ( /* RADIUS options */ access_radius_options /* RADIUS options */ ), "ldap-options" ( /* Lightweight Directory Access Protocol options */ access_ldap_options /* Lightweight Directory Access Protocol options */ ), "ldap-server" ( /* Lightweight Directory Access Protocol server options */ ldap_server_object /* Lightweight Directory Access Protocol server options */ ), "securid-server" ( /* SecurID server configuration */ securid_server_object /* SecurID server configuration */ ), "accounting-backup-options" ( /* Pending accounting backup-options */ c( "max-pending-accounting-stops" arg /* Max pending accouting stops */, "max-withhold-time" arg /* Maximum time in mins to hold the pending accounting stops */ ) ), "terminate-code" ( /* Terminate code mapping configuration */ c( "aaa" ( /* AAA terminate-code mapping configuration */ c( "deny" ( /* Terminate-code specification */ c( "authentication-denied" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "no-resources" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "server-request-timeout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ), "service-shutdown" ( /* Terminate-code specification */ c( "network-logout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "remote-reset" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "subscriber-logout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "time-limit" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "volume-limit" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ), "shutdown" ( /* Terminate-code specification */ c( "administrative-reset" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "idle-timeout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "reassign-on-match" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "remote-reset" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "session-timeout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ) ) ), "dhcp" ( /* DHCP terminate-code mapping configuration */ c( "client-request" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "lost-carrier" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "nak" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "nas-logout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "no-offers" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ), "hybrid-access" ( /* HYBRID-ACCESS terminate-code mapping configuration */ c( "admin-down" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "client-request" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "lost-carrier" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "nak" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "nas-logout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "no-resource" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ), "l2tp" /* L2TP terminate-code mapping configuration */, "ppp" /* PPP terminate-code mapping configuration */, "vlan" ( /* VLAN terminate-code mapping configuration */ c( "admin-logout" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "admin-reconnect" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "other" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "out-of-band" ( /* Terminate-code specification */ c( "access-interface-down" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "admin-access-interface-down" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "admin-core-interface-down" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "ancp" ( /* Terminate-code specification */ c( "port-down" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "port-vlan-id-change" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ), "core-interface-down" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "l2-wholesale" ( /* Terminate-code specification */ c( "no-free-vlans" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ) ) ), "profile-request-error" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "sdb-error" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ), "subscriber-activate-error" ( /* Terminate-code specification */ c( "radius" ( /* Radius Acct-Terminate-Cause configuration */ sc( arg ) ).as(:oneline) ) ) ) ) ) ), "firewall-authentication" ( /* Type of firewall authentication */ c( "pass-through" ( /* Pass-through firewall authentication settings */ c( "default-profile" arg /* Name of profile to use if not specified in policy */, "ftp" ( /* FTP banners */ banner_object /* FTP banners */ ), "telnet" ( /* Telnet banners */ banner_object /* Telnet banners */ ), "http" ( /* HTTP banners */ banner_object /* HTTP banners */ ) ) ), "web-authentication" ( /* Web-authentication settings */ c( "default-profile" arg /* Name of profile to use for web-authentication */, "banner" ( c( "success" arg /* The message that will be displayed on successful login */ ) ), "timeout" arg /* Web-authentication timeout value in seconds */ ) ), "traceoptions" ( /* Firewall authentication tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "setup" | "authentication" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ) ) end rule(:access_client_name_filter_object) do c( "domain-name" arg /* Domain name to match (must be part of username) */, "separator" arg /* Separator character in domain name */, "count" arg /* Number of separator instances */ ) end rule(:access_client_object) do arg.as(:arg) ( c( "no-rfc2486" /* RFC2486 compliance is not enforced */, "chap-secret" ( /* CHAP secret */ unreadable /* CHAP secret */ ), "pap-password" ( /* PAP password */ unreadable /* PAP password */ ), c( "ppp" /* Configuration for Point-to-Point Protocol */, "l2tp" /* Configuration for Layer 2 Tunneling Protocol */ ), "group-profile" arg /* Group profile name */, "user-group-profile" arg /* User group profile name */, "xauth" ( /* Configure xauth attributes */ c( "ip-address" ( /* Specify the ip-address for client */ ipv4prefix /* Specify the ip-address for client */ ) ) ), "client-group" arg /* One or more groups to which the client belongs */, "firewall-user" ( /* Client is configured as a firewall user */ c( "password" arg /* Password for user */ ) ) ) ) end rule(:access_ldap_options) do c( "revert-interval" arg /* Time after which to revert to primary server */, "base-distinguished-name" arg /* Suffix when assembling user distinguished name (DN) or base DN under which to search for user DN */, c( "assemble" ( /* Derive user distinguished name from 'common-name' and 'base-distinguished-name' */ c( "common-name" arg /* Prefix in user distinguished name (for example, 'cn' or 'uid') */ ) ), "search" ( /* Search for user's distinguished name */ c( "search-filter" arg /* Filter to use in search (examples: 'cn=' or 'givenName=') */, "admin-search" ( /* Perform an administrator search to find user's distinguished name */ c( "distinguished-name" arg /* Administrator's distinguished name */, "password" ( /* Administrator password */ unreadable /* Administrator password */ ) ) ) ) ) ) ) end rule(:access_radius_options) do c( "revert-interval" arg /* Time after which to revert to primary server */, "timeout-grace" arg /* The period after a RADIUS server times out before marking the server as dead */, "request-rate" arg /* Maximum number of RADIUS requests sent per second */, "interim-rate" arg /* Maximum number of RADIUS requests sent per second */, "interim-update-tolerance" arg /* Maximum tolerance for Interim Updates to RADIUS */, "unique-nas-port" ( /* Use unique value for NAS-Port radius attribute */ c( "chassis-id" arg /* Configure chassis identifier field of NAS-Port */, "chassis-id-width" arg /* Number of bits for the chassis identifier field of NAS-Port */ ) ) ) end rule(:access_radius_server_object) do arg.as(:arg) ( c( "port" arg /* RADIUS server authentication port number */, "preauthentication-port" arg /* RADIUS server preauthentication port number */, "accounting-port" arg /* Port number to send RADIUS accounting messages */, "dynamic-request-port" arg /* RADIUS client dynamic request port number */, "secret" ( /* Shared secret with the RADIUS server */ unreadable /* Shared secret with the RADIUS server */ ), "preauthentication-secret" ( /* Shared secret with the RADIUS server */ unreadable /* Shared secret with the RADIUS server */ ), "timeout" arg /* Request timeout period */, "retry" arg /* Retry attempts */, "accounting-timeout" arg /* Accounting request timeout period */, "accounting-retry" arg /* Accounting retry attempts */, "max-outstanding-requests" arg /* Maximum requests in flight to server */, "source-address" ( /* Use specified address as source address */ ipaddr /* Use specified address as source address */ ), "routing-instance" arg /* Use specified routing instance */ ) ) end rule(:address_assignment_type) do c( "neighbor-discovery-router-advertisement" ( /* Designated NDRA pool for this instance */ sc( arg ) ).as(:oneline), "high-utilization" arg /* Generate an SNMP trap when address pool use surpasses this percentage */, "abated-utilization" arg /* Generate an SNMP clear trap when address pool use falls below this percentage */, "high-utilization-v6" arg /* Generate an SNMP trap when address pool use surpasses this percentage */, "abated-utilization-v6" arg /* Generate an SNMP clear trap when address pool use falls below this percentage */, "dynamic-pool" arg ( /* Dynamic address pool */ c( "family" ( /* Address family */ c( "inet6" ( /* IPv6 */ c( "delegated-prefix-length" arg /* Delegated IPv6 network prefix length */, "from-interface" ( /* Get prefix from interface name */ interface_name /* Get prefix from interface name */ ), "range" arg ( /* IPv6 address range */ c( "masked-low" ( /* Lower limit of ipv6 address range */ ipv6prefix_mandatory /* Lower limit of ipv6 address range */ ), "masked-high" ( /* Upper limit of ipv6 address range */ ipv6prefix_mandatory /* Upper limit of ipv6 address range */ ), "prefix-length" arg /* IPv6 delegated prefix length */ ) ), "dhcp-attributes" ( /* DHCP options and match criteria */ dynamic_dhcp_attribute_type /* DHCP options and match criteria */ ) ) ) ) ) ) ), "pool" arg ( /* Address pool */ c( "active-drain" /* Notify client of pool active drain mode */, "hold-down" /* Place pool in passive drain mode */, "link" arg /* Address pool link name */, "family" ( /* Address family */ c( c( "inet" ( /* IPv4 */ c( "network" ( /* Network address */ ipv4prefix /* Network address */ ), "range" arg ( /* Address range */ c( "low" ( /* Lower limit of address range */ ipv4addr /* Lower limit of address range */ ), "high" ( /* Upper limit of address range */ ipv4addr /* Upper limit of address range */ ) ) ), "dhcp-attributes" ( /* DHCP options and match criteria */ dhcp_attribute_type /* DHCP options and match criteria */ ), "xauth-attributes" ( /* Configure xauth attributes */ c( "primary-dns" ( /* Specify the primary-dns IP address */ ipv4prefix /* Specify the primary-dns IP address */ ), "secondary-dns" ( /* Specify the secondary-dns IP address */ ipv4prefix /* Specify the secondary-dns IP address */ ), "primary-wins" ( /* Specify the primary-wins IP address */ ipv4prefix /* Specify the primary-wins IP address */ ), "secondary-wins" ( /* Specify the secondary-wins IP address */ ipv4prefix /* Specify the secondary-wins IP address */ ) ) ), "host" arg ( /* Hostname for static reservations */ c( "hardware-address" ( /* Hardware address */ mac_addr /* Hardware address */ ), "ip-address" ( /* Reserved address */ ipv4addr /* Reserved address */ ) ) ), "excluded-address" arg /* Excluded Addresses */, "excluded-range" arg ( /* Excluded address range */ c( "low" ( /* Lower limit of excluded address range */ ipv4addr /* Lower limit of excluded address range */ ), "high" ( /* Upper limit of excluded address range */ ipv4addr /* Upper limit of excluded address range */ ) ) ) ) ), "inet6" ( /* IPv6 */ c( "prefix" ( /* IPv6 network prefix */ ipv6prefix_mandatory /* IPv6 network prefix */ ), "range" arg ( /* IPv6 address range */ c( "low" ( /* Lower limit of ipv6 address range */ ipv6prefix_mandatory /* Lower limit of ipv6 address range */ ), "high" ( /* Upper limit of ipv6 address range */ ipv6prefix_mandatory /* Upper limit of ipv6 address range */ ), "prefix-length" arg /* IPv6 delegated prefix length */ ) ), "dhcp-attributes" ( /* DHCP options and match criteria */ dhcp_attribute_type /* DHCP options and match criteria */ ), "excluded-address" arg /* Excluded Addresses */, "excluded-range" arg ( /* Excluded address range */ c( "low" ( /* Lower limit of excluded address range */ ipv6addr /* Lower limit of excluded address range */ ), "high" ( /* Upper limit of excluded address range */ ipv6addr /* Upper limit of excluded address range */ ) ) ) ) ) ) ) ) ) ), "location-pool" /* Location-based IP address pool */ ) end rule(:address_pool_object) do arg.as(:arg) ( c( c( "address" ( /* Address or address prefix */ ipv4prefix /* Address or address prefix */ ), "address-range" ( /* Range of addresses for pool */ sc( "low" ( /* Lower limit of address range */ ipv4addr /* Lower limit of address range */ ), "high" ( /* Upper limit of address range */ ipv4addr /* Upper limit of address range */ ), "mask" ( /* Netmask for address pool */ ipv4addr /* Netmask for address pool */ ) ) ).as(:oneline) ), "primary-dns" ( /* Name of primary DNS server */ hostname /* Name of primary DNS server */ ), "secondary-dns" ( /* Name of secondary DNS server */ hostname /* Name of secondary DNS server */ ), "primary-wins" ( /* Name of primary WINS server */ hostname /* Name of primary WINS server */ ), "secondary-wins" ( /* Name of secondary WINS server */ hostname /* Name of secondary WINS server */ ) ) ) end rule(:banner_object) do c( "banner" ( /* Banners that are prompted during authentication */ c( "login" arg /* The message that will be displayed before login */, "success" arg /* The message that will be displayed on successful login */, "fail" arg /* The message that will be displayed after failed user login */ ) ) ) end rule(:dhcp_attribute_type) do c( "option-match" ( /* Match */ c( "option-82" ( c( "circuit-id" arg ( /* Circuit ID portion of the option 82 */ sc( "range" arg /* Range name */ ) ).as(:oneline), "remote-id" arg ( /* Remote ID portion of the option 82 */ sc( "range" arg /* Range name */ ) ).as(:oneline) ) ) ) ), "maximum-lease-time" ( /* Maximum lease time advertised to clients */ ("infinite" | arg) ), "next-server" ( /* Next server that clients need to contact */ ipv4addr /* Next server that clients need to contact */ ), "server-identifier" ( /* Server Identifier - IP address value */ ipv4addr /* Server Identifier - IP address value */ ), "grace-period" arg /* Grace period for leases */, "domain-name" arg /* Domain name advertised to clients */, "name-server" arg /* Domain name servers available to the client */, "wins-server" arg /* WINS name servers */, "router" arg /* Routers advertised to clients */, "boot-file" arg /* Boot filename advertised to clients */, "boot-server" arg /* Boot server advertised to clients */, "tftp-server" ( /* TFTP server IP address advertised to clients */ ipv4addr /* TFTP server IP address advertised to clients */ ), "sip-server" ( /* SIP servers to clients */ c( "name" arg /* SIP server domain name available to clients */, "ip-address" arg /* SIP servers list of IPv4 addresses available to the client */ ) ), "netbios-node-type" ( /* Type of NETBIOS node advertised to clients */ ("b-node" | "p-node" | "m-node" | "h-node") ), "sip-server-domain-name" arg /* SIP server domain name available to clients */, "sip-server-address" arg /* SIP Servers list of IPv6 addresses available to the client */, "dns-server" arg /* Domain name servers available to the client */, "propagate-settings" arg /* Interface name for propagating TCP/IP Settings to pool */, "propagate-ppp-settings" ( /* PPP interface name for propagating DNS/WINS settings */ interface_name /* PPP interface name for propagating DNS/WINS settings */ ), "option" arg ( /* DHCP option */ sc( c( "flag" ( /* Boolean flag value */ ("true" | "false" | "on" | "off") ), "byte" arg /* Unsigned 8-bit value */, "short" arg /* Signed 16-bit numeric value */, "unsigned-short" arg /* Unsigned 16-bit numeric value */, "integer" arg /* Signed 32-bit numeric value */, "unsigned-integer" arg /* Unsigned 32-bit numeric value */, "hex-string" arg /* Hexadecimal string */, "string" arg /* Character string value */, "ip-address" ( /* IP address value */ ipv4addr /* IP address value */ ), "ipv6-address" ( /* IPV6 address value */ ipv6addr /* IPV6 address value */ ), "array" ( /* Array of values */ c( c( "flag" ( /* Array of boolean flag values */ ("true" | "false" | "on" | "off") ), "byte" arg /* Array of unsigned 8-bit values */, "short" arg /* Array of signed 16-bit numeric values */, "unsigned-short" arg /* Array of 16-bit numeric values */, "integer" arg /* Array of signed 32-bit numeric values */, "unsigned-integer" arg /* Array of unsigned 32-bit numeric values */, "hex-string" arg /* Hexadecimal string */, "string" arg /* Array of character string values */, "ip-address" ( /* Array of IP address values */ ipv4addr /* Array of IP address values */ ), "ipv6-address" ( /* Array of IPv6 address values */ ipv6addr /* Array of IPv6 address values */ ) ) ) ) ) ) ).as(:oneline), "valid-lifetime" ( /* Valid lifetime advertised to clients */ ("infinite" | arg) ), "preferred-lifetime" ( /* Preferred lifetime advertised to clients */ ("infinite" | arg) ), "t1-percentage" arg /* T1 time as percentage of preferred lifetime or max lease */, "t2-percentage" arg /* T2 time as percentage of preferred lifetime or max lease */, "exclude-prefix-len" arg /* Length of IPv6 prefix to be excluded from delegated prefix */, "t1-renewal-time" arg /* T1 renewal time */, "t2-rebinding-time" arg /* T2 rebinding time */ ) end rule(:domain_map_type) do c( "map" arg ( /* Domain map definitions */ c( c( "aaa-routing-instance" ( /* Routing instance to be used for applying AAA services */ ("default" | arg) ), "aaa-logical-system" arg ( /* Logical system to be used for applying AAA services */ c( "aaa-routing-instance" ( /* Routing instance to be used for applying AAA services */ ("default" | arg) ) ) ) ), "access-profile" arg /* Access profile to be used for applying AAA services */, "address-pool" arg /* Address pool to use for providing address-allocation services */, "dynamic-profile" arg /* Dynamic profile to be used for this client's session */, "override-password" arg /* Use this password for authentication */, "padn" arg ( /* PPPoE Active Discovery Network parameters to apply for this client's session */ c( "mask" ( /* Destination mask */ ipv4addr /* Destination mask */ ), "metric" arg /* Metric value */ ) ), c( "target-routing-instance" ( /* Routing instance the client's session will be mapped to */ ("default" | arg) ), "target-logical-system" arg ( /* Logical system the client's session will be mapped to */ c( "target-routing-instance" ( /* Routing instance the client's session will be mapped to */ ("default" | arg) ) ) ) ), "strip-domain" /* Enable domain name stripping from the username */, "strip-username" ( /* Enable user name stripping from the username */ sc( c( "right-to-left" /* Strip to first domain delimiter on the right */, "left-to-right" /* Strip to first domain delimiter on the left */ ) ) ).as(:oneline), "tunnel-profile" arg /* Tunnel profile to be used for this client's session */, "tunnel-switch-profile" arg /* Tunnel switch profile */ ) ), "parse-order" ( /* Order in which search parsing is conducted (i.e. look for domain-namd or realm-name first) */ sc( c( "domain-first" /* Search for domain name in username field before searching for realm name */, "realm-first" /* Search for realm name in username field before searching for domain name */ ) ) ).as(:oneline), "delimiter" ( /* Allowable delimiter characters for domain name separation */ sc( arg ) ).as(:oneline), "parse-direction" ( /* Domain name parsing direction */ sc( c( "right-to-left" /* Parse the username from right to left */, "left-to-right" /* Parse the username field from left to right to find domain name */ ) ) ).as(:oneline), "realm-delimiter" ( /* Allowable delimiter characters for realm name separation */ sc( arg ) ).as(:oneline), "realm-parse-direction" ( /* Realm name parsing direction */ sc( c( "left-to-right" /* Parse the username field from left to right to find realm name */, "right-to-left" /* Parse the username field from right to left to find realm name */ ) ) ).as(:oneline) ) end rule(:dynamic_dhcp_attribute_type) do c( "maximum-lease-time" ( /* Maximum lease time advertised to clients */ ("infinite" | arg) ), "valid-lifetime" ( /* Preferred lifetime */ ("infinite" | arg) ), "preferred-lifetime" ( /* Preferred lifetime */ ("infinite" | arg) ), "dns-server" arg /* Domain name servers available to the client */, "t1-percentage" arg /* T1 time as percentage of preferred lifetime advertised to clients */, "t2-percentage" arg /* T2 time as percentage of preferred lifetime advertised to clients */ ) end rule(:group_profile_object) do arg.as(:arg) ( c( "ppp" ( /* Configuration for Point-to-Point Protocol */ c( "framed-pool" arg /* Address pool used to assign an address for the user */, "idle-timeout" arg /* Idle timeout before termination of session */, "ppp-options" ( /* Point-to-Point Protocol interface-specific options */ c( "pap" /* Password Authentication Protocol */, "chap" /* Challenge Handshake Authentication Protocol */, "mru" arg /* The Maximum Receive Unit size in bytes */, "mtu" arg /* The Maximum Transfer Unit size in bytes */, "initiate-ncp" ( /* Enable server initiated NCP */ c( "ip" /* Enable server initiated IPNCP */, "ipv6" /* Enable server initiated IPv6NCP */, "dual-stack-passive" /* Disable server initiated IPNCP/IPv6NCP for dual-stack client */ ) ), "peer-ip-address-optional" /* Set Peer IP Address Optional in IP NCP Negotiations */, "ipcp-suggest-dns-option" /* Suggest peer to negotiate with DNS Addresses options */, "ignore-magic-number-mismatch" /* Ignore magic-number validation failure in LCP keepalive */, "aaa-options" arg /* Attach AAA options name to group-profile */ ) ), "keepalive" arg /* PPP keepalive interval */, "primary-dns" arg /* Primary DNS server name */, "secondary-dns" arg /* Secondary DNS server name */, "primary-wins" arg /* Primary wins server name */, "secondary-wins" arg /* Secondary wins server name */, "encapsulation-overhead" arg /* Encapsulation overhead for Class of Service calculation */, "cell-overhead" /* ATM cell overhead for Class of Service calculation */, "interface-id" arg /* Interface identifier to look up session information */ ) ), "l2tp" /* Configuration for Layer 2 Tunneling Protocol */ ) ) end rule(:gx_plus_definition) do c( "partition" arg ( /* GX-PLUS partition configuration */ c( "diameter-instance" arg /* GX-PLUS diameter instance */, "destination-realm" arg /* GX-PLUS destination realm */, "destination-host" arg /* GX-PLUS destination host */ ) ), "global" ( /* GX-PLUS global parameters */ c( "include-ipv6" /* Send provisioning request for IPv6-only subscribers */, "max-outstanding-requests" arg /* Maximum number of outstanding requests */ ) ) ) end rule(:juniper_class_of_service_options) do c( "forwarding-policy" ( /* Class-of-service forwarding policy */ c( "next-hop-map" arg ( /* Class-of-service next-hop map */ c( "forwarding-class" arg ( /* Forwarding class from which to map */ c( "next-hop" ( /* Next-hop identifier to which to map */ ipaddr_or_interface /* Next-hop identifier to which to map */ ), "lsp-next-hop" arg /* Regular expression for LSP next hop */, "non-lsp-next-hop" /* Any non-RSVP LSP next hop */, "discard" /* Discard next hop */ ) ), "forwarding-class-default" ( /* Next Hop For traffic which does not meet any FC in the next-hop-map */ c( "next-hop" ( /* Next-hop identifier to which to map */ ipaddr_or_interface /* Next-hop identifier to which to map */ ), "lsp-next-hop" arg /* Regular expression for LSP next hop */, "non-lsp-next-hop" /* Any non-RSVP LSP next hop */, "discard" /* Discard next hop */ ) ) ) ), "class" arg ( /* Class-of-service description */ c( "classification-override" ( /* Define classification overrides */ c( "forwarding-class" arg /* Forwarding class name */ ) ) ) ) ) ), "classifiers" ( /* Classify incoming packets based on code point value */ c( "dscp" arg ( /* Differentiated Services code point classifier */ c( "import" ( /* Include this classifier in this definition */ ("default") ), "forwarding-class" arg ( /* Define a classification of code point aliases */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Classify code points to a loss priority */ sc( "code-points" arg /* List of code point aliases and/or bit strings */ ) ).as(:oneline) ) ) ) ), "dscp-ipv6" arg ( /* Differentiated Services code point classifier IPv6 */ c( "import" ( /* Include this classifier in this definition */ ("default") ), "forwarding-class" arg ( /* Define a classification of code point aliases */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Classify code points to a loss priority */ sc( "code-points" arg /* List of code point aliases and/or bit strings */ ) ).as(:oneline) ) ) ) ), "exp" arg ( /* MPLS EXP classifier */ c( "import" ( /* Include this classifier in this definition */ ("default") ), "forwarding-class" arg ( /* Define a classification of code point aliases */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Classify code points to a loss priority */ sc( "code-points" arg /* List of code point aliases and/or bit strings */ ) ).as(:oneline) ) ) ) ), "ieee-802.1" arg ( /* IEEE-802.1 classifier */ c( "import" ( /* Include this classifier in this definition */ ("default") ), "forwarding-class" arg ( /* Define a classification of code point aliases */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Classify code points to a loss priority */ sc( "code-points" arg /* List of code point aliases and/or bit strings */ ) ).as(:oneline) ) ) ) ), "inet-precedence" arg ( /* IPv4 precedence classifier */ c( "import" ( /* Include this classifier in this definition */ ("default") ), "forwarding-class" arg ( /* Define a classification of code point aliases */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Classify code points to a loss priority */ sc( "code-points" arg /* List of code point aliases and/or bit strings */ ) ).as(:oneline) ) ) ) ), "ieee-802.1ad" arg ( /* IEEE-802.1ad (DEI) classifier */ c( "import" ( /* Include this classifier in this definition */ ("default") ), "forwarding-class" arg ( /* Define a classification of code point aliases */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Classify code points to a loss priority */ sc( "code-points" arg /* List of code point aliases and/or bit strings */ ) ).as(:oneline) ) ) ) ) ) ), "traffic-class-map" /* Packet input priority map based on incoming packets code point */, "policy-map" /* Policy-map describing the packet marking rule */, "forwarding-class-map" /* Map forwarding class to queue number for interfaces */, "loss-priority-maps" ( /* Map loss priority of incoming packets based on code point value */ c( "frame-relay-de" arg ( /* Frame relay discard eligible bit loss priority map */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Map code points to a loss priority */ sc( "code-points" arg /* List of bit strings */ ) ).as(:oneline) ) ) ) ), "loss-priority-rewrites" /* Rewrite code point of outgoing packet based on loss priority */, "code-point-aliases" ( /* Mapping of code point aliases to bit strings */ c( "dscp" arg ( /* Differentiated Services code point aliases */ sc( arg /* DSCP 6-bit pattern */ ) ).as(:oneline), "dscp-ipv6" arg ( /* Differentiated Services code point aliases IPv6 */ sc( arg /* DSCP 6-bit pattern */ ) ).as(:oneline), "exp" arg ( /* MPLS EXP code point aliases */ sc( arg /* EXP 3-bit pattern */ ) ).as(:oneline), "ieee-802.1" arg ( /* IEEE-802.1 code point aliases */ sc( arg /* IEEE-802.1 3-bit pattern */ ) ).as(:oneline), "inet-precedence" arg ( /* IPv4 precedence code point aliases */ sc( arg /* IPv4 precedence 3-bit pattern */ ) ).as(:oneline), "ieee-802.1ad" arg ( /* IEEE-802.1ad (DEI) code point aliases */ sc( arg /* IEEE-802.1ad (DEI) 4-bit pattern */ ) ).as(:oneline), "inet6-precedence" /* IPv6 precedence code point aliases */.as(:oneline) ) ), "translation-table" ( /* Translation table */ c( "to-802.1p-from-dscp" arg ( /* DSCP to 802.1 translation table */ c( "to-code-point" arg ( /* IEEE 802.1 code point */ sc( "from-code-points" arg /* DSCP code point */ ) ).as(:oneline) ) ), "to-inet-precedence-from-inet-precedence" /* INET PRECEDENCE to INET PRECEDENCE translation table */, "to-dscp-from-dscp" /* DSCP to DSCP translation table */, "to-dscp-ipv6-from-dscp-ipv6" /* DSCP-IPV6 to DSCP-IPV6 translation table */, "to-exp-from-exp" /* EXP to EXP translation table */ ) ), "host-outbound-traffic" ( /* Classify and mark host traffic to forwarding engine */ c( "forwarding-class" arg /* Classification of host traffic to forwarding engine */, "dscp-code-point" arg /* Static DSCP code point of egress host traffic */, "override-firewall" /* Override firewall filter actions for RE generated traffic */, "translation-table" ( /* Translation table for host outbound packets */ sc( "to-802.1p-from-dscp" arg /* DSCP to 802.1 translation table */ ) ).as(:oneline), "tcp" ( /* Settings for host outbound TCP packets */ c( "raise-internet-control-priority" /* Place packets with IP Precedence set to Internet control into Q3 (network-control) */ ) ), "ieee-802.1" ( /* Mark IEEE 802.1p for host output traffic */ c( "rewrite-rules" /* Mark IEEE 802.1p for host outbound traffic using rewrite-rules */, "default" arg /* Mark IEEE 802.1p for host outbound traffic default value */ ) ), "protocol" ( /* Settings for specific host outbound protocol packets */ c( "isis-over-gre" ( /* Settings for ISIS over GRE packets */ c( "dscp-code-point" arg /* Static DSCP code point of egress host traffic */ ) ) ) ) ) ), "drop-profiles" arg ( /* Random Early Drop (RED) data point map */ c( "fill-level" arg ( /* Fill-level value of data point */ sc( "drop-probability" arg /* Probability packet will be dropped */ ) ).as(:oneline), "interpolate" ( /* Data points interpolated */ c( "fill-level" arg /* Data points for queue full percentage */, "drop-probability" arg /* Data points for packet drop probability */ ) ) ) ), "adaptive-shapers" arg ( /* Define the list of trigger types and associated rates */ c( "trigger" enum(("becn")) ( /* List of trigger types */ sc( "shaping-rate" ( /* Shaping rate for the trigger */ sc( c( arg /* Shaping rate as an absolute rate */, "percent" arg /* Shaping rate as a percentage */ ) ) ).as(:oneline) ) ).as(:oneline) ) ), "virtual-channels" arg /* Define the list of virtual channels */, "virtual-channel-groups" arg ( /* Define list of virtual channel groups */ c( c( "scheduler-map" arg /* Scheduler map applied to this virtual channel */, "shaping-rate" ( /* Shaping rate for the trigger */ sc( c( arg /* Adaptive shaping rate as an absolute rate */, "percent" arg /* Adaptive shaping rate as a percentage */ ) ) ).as(:oneline), "default" /* Default virtual channel */ ) ) ), "copy-plp-all" /* Turn on loss-precedence copying including IP multicast */, "tri-color" /* Enable tricolor marking */, "non-strict-priority-scheduling" /* Enable non-strict-priority scheduling */, "shared-buffer" /* Shared buffer configuration */, "forwarding-classes" ( /* One or more mappings of forwarding class to queue number */ c( "class" /* Forwarding class to map to queue number */.as(:oneline), "queue" arg ( /* Queue number to map to forwarding class */ sc( arg, "priority" ( /* Fabric priority */ ("low" | "high") ), "policing-priority" arg /* Policing priority for hierarchical policers */ ) ).as(:oneline) ) ), "restricted-queues" /* Map forwarding classes to restricted queues */, "traffic-control-profiles" arg ( /* Traffic shaping and scheduling profiles */ c( "scheduler-map" arg /* Mapping of forwarding classes to packet schedulers */, "strict-priority-scheduler" /* Enable strict priority scheduler. */, "atm-service" arg /* ATM service category */, "peak-rate" arg /* ATM Peak Cell Rate (PCR) */, "sustained-rate" arg /* ATM Sustained Cell Rate (SCR) */, "max-burst-size" arg /* ATM Maximum Burst Size (MBS) */, "shaping-rate" ( /* Shaping rate */ sc( c( arg /* Shaping rate as an absolute rate */, "percent" arg /* Shaping rate as a percentage */ ), "burst-size" arg /* Shaping rate burst size */ ) ).as(:oneline), "overhead-accounting" ( /* Overhead accounting */ sc( arg, "bytes" arg /* Byte adjust value */, "frame-mode-bytes" arg /* Overhead bytes when in frame-mode */, "cell-mode-bytes" arg /* Overhead bytes when in cell-mode */ ) ).as(:oneline), "shaping-rate-priority-strict-high" /* Shaping rate for strict high priority traffic */.as(:oneline), "shaping-rate-priority-high" /* Shaping rate for high priority traffic */.as(:oneline), "shaping-rate-priority-medium" /* Shaping rate for medium priority traffic */.as(:oneline), "shaping-rate-priority-medium-low" /* Shaping rate for medium low priority traffic */.as(:oneline), "shaping-rate-priority-low" /* Shaping rate for low priority traffic */.as(:oneline), "shaping-rate-excess-high" /* Shaping rate for excess high traffic */.as(:oneline), "shaping-rate-excess-low" /* Shaping rate for excess low traffic */.as(:oneline), "shaping-rate-excess-medium-high" /* Shaping rate for excess medium-high traffic */.as(:oneline), "shaping-rate-excess-medium-low" /* Shaping rate for excess medium-low traffic */.as(:oneline), "guaranteed-rate" ( /* Guaranteed rate */ sc( c( arg /* Guaranteed rate as an absolute rate */, "percent" arg /* Guaranteed rate as a percentage */ ), "burst-size" arg /* Guaranteed rate burst size */ ) ).as(:oneline), "excess-rate" /* Excess bandwidth sharing proportion */.as(:oneline), "excess-rate-high" /* Excess bandwidth sharing for excess-high priority */.as(:oneline), "excess-rate-medium-high" /* Excess bandwidth sharing for excess-medium-high priority */.as(:oneline), "excess-rate-low" /* Excess bandwidth sharing for excess-low priority */.as(:oneline), "excess-rate-medium-low" /* Excess bandwidth sharing for excess-medium-low priority */.as(:oneline), c( "delay-buffer-rate" ( /* Delay buffer rate */ sc( c( arg /* Delay buffer rate as an absolute rate */, "percent" arg /* Delay buffer rate as a percentage */, "cps" arg /* Delay buffer rate as an absolute cells per second rate */ ) ) ).as(:oneline) ), "adjust-minimum" /* Minimum shaping-rate when adjusted */.as(:oneline) ) ), "forwarding-class-sets" /* Forwarding class sets */, "congestion-notification-profile" /* Congestion notification profile */, "scheduler-map-forwarding-class-sets" /* Mapping of forwarding class sets to packet schedulers */, "system-defaults" /* System defaults */, "dynamic-class-of-service-options" /* Dynamic class-of-service options */, "interfaces" ( /* Apply class-of-service options to interfaces */ c( "interface-set" /* Interface set traffic-control-profile attachment */, cos_interfaces_type ) ), "routing-instances" arg ( /* Apply CoS options to routing instances with VRF table label */ c( "classifiers" ( /* Classifiers applied to incoming packets */ c( "no-default" /* Do not apply default classifiers to this interface */, "exp" ( /* EXP classifier */ sc( ("default") ) ).as(:oneline), "ieee-802.1" /* IEEE-802.1 classifier */.as(:oneline), "dscp" ( /* Differentiated Services code point classifier */ sc( ("default") ) ).as(:oneline), "dscp-ipv6" ( /* Differentiated Services code point classifier IPv6 */ sc( ("default") ) ).as(:oneline) ) ), "rewrite-rules" /* Rewrite rules applied to outgoing packets */, "policy-map" /* Policy-map describing the packet marking rule */.as(:oneline) ) ), "rewrite-rules" ( /* Write code point value of outgoing packets */ c( "dscp" arg ( /* Differentiated Services code point rewrite rule */ c( "import" ( /* Include this rewrite rule in this definition */ ("default") ), "forwarding-class" arg ( /* Markings for named forwarding class */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Code point marking based on loss priority */ sc( "code-point" arg /* Code point aliases or bit string */ ) ).as(:oneline) ) ) ) ), "dscp-ipv6" arg ( /* Differentiated Services code point rewrite rule IPv6 */ c( "import" ( /* Include this rewrite rule in this definition */ ("default") ), "forwarding-class" arg ( /* Markings for named forwarding class */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Code point marking based on loss priority */ sc( "code-point" arg /* Code point aliases or bit string */ ) ).as(:oneline) ) ) ) ), "exp" arg ( /* MPLS EXP rewrite rule */ c( "import" ( /* Include this rewrite rule in this definition */ ("default") ), "forwarding-class" arg ( /* Markings for named forwarding class */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Code point marking based on loss priority */ sc( "code-point" arg /* Code point aliases or bit string */ ) ).as(:oneline) ) ) ) ), "ieee-802.1" arg ( /* IEEE-802.1 rewrite rule */ c( "import" ( /* Include this rewrite rule in this definition */ ("default") ), "forwarding-class" arg ( /* Markings for named forwarding class */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Code point marking based on loss priority */ sc( "code-point" arg /* Code point aliases or bit string */ ) ).as(:oneline) ) ) ) ), "inet-precedence" arg ( /* IPv4 precedence rewrite rule */ c( "import" ( /* Include this rewrite rule in this definition */ ("default") ), "forwarding-class" arg ( /* Markings for named forwarding class */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Code point marking based on loss priority */ sc( "code-point" arg /* Code point aliases or bit string */ ) ).as(:oneline) ) ) ) ), "frame-relay-de" arg ( /* Frame relay discard eligible bit rewrite rule */ c( "import" ( /* Include this rewrite rule in this definition */ ("default") ), "forwarding-class" arg ( /* Markings for named forwarding class */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Code point marking based on loss priority */ sc( "code-point" arg /* Code point aliases or bit string */ ) ).as(:oneline) ) ) ) ), "ieee-802.1ad" arg ( /* IEEE-802.1ad (DEI) rewrite rule */ c( "import" ( /* Include this rewrite rule in this definition */ ("default") ), "forwarding-class" arg ( /* Markings for named forwarding class */ c( "loss-priority" ("low" | "high" | "medium-low" | "medium-high") ( /* Code point marking based on loss priority */ sc( "code-point" arg /* Code point aliases or bit string */ ) ).as(:oneline) ) ) ) ), "inet6-precedence" /* IPv6 precedence rewrite rule */ ) ), "fabric" /* Define CoS parameters of switch fabric */, "scheduler-maps" arg ( /* Mapping of forwarding classes to packet schedulers */ c( "forwarding-class" arg ( /* Forwarding class name to map to scheduler */ sc( "scheduler" arg /* Scheduler name */ ) ).as(:oneline) ) ), "fragmentation-maps" arg ( /* Mapping of forwarding class to fragmentation options */ c( "forwarding-class" arg ( /* Forwarding class name to map to fragmentation options */ c( c( "fragment-threshold" arg /* Fragmentation threshold */, "no-fragmentation" /* Don't allow fragmentation */ ), "multilink-class" arg /* Multilink-Class assigned to the forwarding class */, "drop-timeout" arg /* Drop timeout */ ) ) ) ), "schedulers" arg ( /* Packet schedulers */ c( "transmit-rate" ( /* Transmit rate */ c( c( arg /* Transmit rate as rate */, "percent" arg /* Transmit rate as percentage */, "remainder" ( /* Remainder available */ c( arg ) ) ), c( "exact" /* Enforce exact transmit rate */, "rate-limit" /* Enforce rate limit that uses policer */ ) ) ), "excess-rate" /* Excess bandwidth sharing proportion */.as(:oneline), "shaping-rate" ( /* Shaping rate */ sc( c( arg /* Shaping rate as an absolute rate */, "percent" arg /* Shaping rate as a percentage */ ), "burst-size" arg /* Shaping rate burst size */ ) ).as(:oneline), "buffer-size" ( /* Queue transmission buffer size */ c( c( "percent" arg /* Buffer size as a percentage */, "remainder" ( /* Remainder of buffer size available */ c( arg ) ), "shared" /* Shared buffer allocation */, "temporal" arg /* Buffer size as temporal value */ ), c( "exact" /* Enforce exact buffer size */ ), "buffer-partition" ( /* Partition buffer size among multicast and unicast */ c( "multicast" ( /* Specify multicast fraction of reserved buffer */ c( "percent" arg ) ) ) ) ) ), "shared-buffer" ( /* Queue transmission shared-buffer */ c( "maximum" ( /* Control the amount of shared buffer a given queue can consume */ c( arg, "multicast" ( /* Control the amount of shared buffer mcast pkts consume */ c( arg ) ) ) ) ) ), "priority" arg /* Scheduling priority */, "excess-priority" arg /* Priority in the excess region */, "drop-profile-map" ( /* Assign drop profile to a loss priority and protocol */ s( "loss-priority" ( /* Loss priority value */ ("low" | "high" | "medium-low" | "medium-high" | "any") ), "protocol" ( /* Protocol type */ ("tcp" | "non-tcp" | "any") ), c( "drop-profile" arg /* Name of drop profile to apply */ ) ) ).as(:oneline), "explicit-congestion-notification" /* Enable or Disable Explicit Congestion Notification */, "drop-profile-map-set" /* System drop profile */, "adjust-percent" arg /* Percent of a bandwidth adjustment applied to a queue */, "adjust-minimum" arg /* Minimum shaping-rate when adjusted */ ) ), "adjustment-control-profiles" /* Adjustment control profiles */, "traceoptions" ( /* Trace options for class-of-service process */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("init" | "show" | "route-socket" | "parse" | "process" | "util" | "restart" | "snmp" | "hardware-database" | "asynch" | "dynamic" | "cos-adjustment" | "performance-monitor" | "chassis-scheduler" | "cn-util" | "snmp-timeouts" | "all" | "feature-capability" | "application")) /* Tracing parameters */.as(:oneline) ) ), "multi-destination" /* Multicast class of service */, "application-traffic-control" ( /* Application classifier configuration */ c( "traceoptions" ( /* Trace options for application classifier */ appqos_traceoptions_type /* Trace options for application classifier */ ), "rate-limiters" arg ( /* Configure application-traffic-control rate limiters */ c( "bandwidth-limit" arg /* Bandwidth limit */, "burst-size-limit" arg /* Burst size limit (default with bandwidth-limit and no larger than 6400 * bandwidth) */ ) ), "rule-sets" arg ( /* Configure application-traffic-control rule-sets */ c( "rule" ( /* Rule */ appqos_rule_type /* Rule */ ) ) ) ) ) ) end rule(:appqos_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all")) /* Events and other information to include in trace output */.as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ) ) end rule(:appqos_rule_type) do arg.as(:arg) ( c( "match" ( /* Specify application traffic control rule match-criteria */ c( "application-any" /* Any applications */, "application-unknown" /* Uknown applcations */, "application-known" /* Identifiable applications */, "application" arg, "application-group" arg ) ), "then" ( /* Specify rule action to take when packet match criteria */ c( "forwarding-class" arg /* Forwarding class for outgoing packets */, "dscp-code-point" arg /* DSCP code point bitmap or alias */, "loss-priority" ( /* Packet loss priority */ ("low" | "medium-low" | "medium-high" | "high") ), "rate-limit" ( /* Apply rate limiters */ c( "client-to-server" arg /* Client-to-server rate limiter */, "server-to-client" arg /* Server-to-client rate limiter */, "loss-priority-high" /* Set Rate limiter's action Loss-Priority to high */ ) ), "log" /* Log the action */ ) ) ) ) end rule(:cos_interfaces_type) do arg.as(:arg) ( c( "forwarding-class-set" /* Map forwarding class sets to output traffic control profile */, "congestion-notification-profile" arg /* Congestion notification profile for the interface */, "rewrite-value" /* FC interface rewrite value */, "scheduler-map-forwarding-class-set" arg /* Output scheduler map forwarding-class-set */, "scheduler-map" arg /* Output scheduler map */, "input-scheduler-map" arg /* Input scheduler map */, "scheduler-map-chassis" ( /* Scheduler map applied to chassis queues (not PIC queues) */ ("derived") ), "output-forwarding-class-map" arg /* Output forwarding class map name */, "shaping-rate" ( /* Output shaping rate */ sc( arg /* Shaping rate as an absolute rate */, "overhead" arg /* Shaping overhead bytes to be accounted in egress */ ) ).as(:oneline), "input-excess-bandwidth-share" /* Input Excess bandwidth sharing policy */.as(:oneline), "excess-bandwidth-share" /* Output Excess bandwidth sharing policy */.as(:oneline), "input-shaping-rate" ( /* Input shaping rate */ sc( arg /* Input shaping rate as an absolute rate */ ) ).as(:oneline), "input-traffic-control-profile" ( /* Input traffic control profile */ sc( arg ) ).as(:oneline), "input-traffic-control-profile-remaining" ( /* Input traffic control profile for remaining traffic on the ifd */ sc( arg ) ).as(:oneline), "output-traffic-control-profile" /* Output traffic control profile */.as(:oneline), "output-traffic-control-profile-remaining" /* Output traffic control profile for remaining traffic on the ifd */.as(:oneline), "member-link-scheduler" ( /* Scheduler parameter model for member link */ sc( c( "scale" /* Scale scheduler parameters on aggregate interface */, "replicate" /* Copy scheduler parameters from aggregate interface */ ) ) ).as(:oneline), "traffic-class-map" /* Packet code point to input priority mapping */, "exclude-queue-overhead-bytes" ( /* Exclude the overhead bytes from the queue statistics */ c( "include-hierarchy" /* Perform overhead adjustment on IFD and all children */ ) ), "logical-interface-aggregate-statistics" /* Logical interface aggregate queue statistics */, "unit" enum(("*")) ( /* Logical interface unit (or wildcard) */ c( "output-forwarding-class-map" arg /* Output forwarding class map name */, "forwarding-class" arg /* Forwarding class assigned to incoming packets */, "virtual-channel-group" arg /* Virtual channel group applied to this logical interface */, "vc-shared-scheduler" /* Virtual channel group shared scheduler indicator */, "scheduler-map" arg /* Output scheduler map */, "input-scheduler-map" arg /* Input scheduler map */, "fragmentation-map" arg /* Fragmentation map applied to this logical interface */, "adaptive-shaper" arg /* Adaptive shaper applied to this logical interface */, "shaping-rate" ( /* Output shaping rate */ sc( c( arg /* Shaping rate as an absolute rate */, "percent" arg /* Shaping rate as a percentage */ ) ) ).as(:oneline), "input-shaping-rate" ( /* Input shaping rate */ sc( c( arg /* Shaping rate as an absolute rate */, "percent" arg /* Shaping rate as a percentage */ ) ) ).as(:oneline), "input-traffic-control-profile" ( /* Input traffic control profile */ sc( arg, "shared-instance" arg /* Name of the shared instance */ ) ).as(:oneline), "output-traffic-control-profile" ( /* Output traffic control profile */ sc( arg, "shared-instance" arg /* Name of the shared instance */ ) ).as(:oneline), "output-traffic-control-profile-remaining" /* Output traffic control profile for remaining traffic on the ifl */.as(:oneline), "report-ingress-shaping-rate" ( /* Report ingress shaping rate */ sc( c( arg /* Ingress shaping rate as an absolute value */ ) ) ).as(:oneline), "classifiers" ( /* Classifiers applied to incoming packets */ c( "no-default" /* Do not apply default classifiers to this interface */, "dscp" ("default") ( /* Differentiated Services code point classifier */ c( "family" arg /* Family for DSCP classifier */ ) ), "dscp-ipv6" ("default") ( /* Differentiated Services code point classifier IPv6 */ c( "family" arg /* Family for DSCP Ipv6 classifier */ ) ), "exp" ( /* EXP classifier */ sc( ("default") ) ).as(:oneline), "ieee-802.1" ( /* IEEE-802.1 classifier */ sc( ("default"), "vlan-tag" arg /* VLAN tag used for classification */ ) ).as(:oneline), "inet-precedence" ( /* IPv4 precedence classifier */ sc( ("default") ) ).as(:oneline), "ieee-802.1ad" ( /* IEEE-802.1ad (DEI) classifier */ sc( ("default"), "vlan-tag" arg /* VLAN tag used for classification */ ) ).as(:oneline) ) ), "ingress-rewrite-rules" /* Rewrite rules applied to outgoing packets of the ingress interface */, "loss-priority-maps" ( /* Loss priority maps applied to incoming packets */ c( "frame-relay-de" ( /* Frame Relay discard eligible bit loss priority map */ sc( ("default") ) ).as(:oneline) ) ), "rewrite-rules" ( /* Rewrite rules applied to outgoing packets */ c( "dscp" ("default") ( /* Differentiated Services code point rewrite rule */ sc( "protocol" ( /* Specify protocol matching criteria */ ("mpls" | "gtp-inet-outer" | "gtp-inet-both" | "inet-outer" | "inet-both") ) ) ).as(:oneline), "dscp-ipv6" ("default") ( /* Differentiated Services code point rewrite rule IPv6 */ sc( "protocol" ( /* Specify protocol matching criteria */ ("mpls" | "gtp-inet-outer" | "gtp-inet-both") ) ) ).as(:oneline), "exp" ("default") ( /* EXP rewrite rule */ sc( "protocol" ( /* Specify protocol matching criteria */ ("mpls-any" | "mpls-inet-both" | "mpls-inet-both-non-vpn") ) ) ).as(:oneline), "ieee-802.1" ( /* IEEE-802.1 rewrite rule */ sc( ("default"), "vlan-tag" ( /* One or more VLAN tags to which rewrite rule applies */ ("outer" | "outer-and-inner") ) ) ).as(:oneline), "inet-precedence" ("default") ( /* IPv4 precedence rewrite rule */ sc( "protocol" ( /* Specify protocol matching criteria */ ("mpls" | "gtp-inet-outer" | "gtp-inet-both" | "inet-outer" | "inet-both") ) ) ).as(:oneline), "exp-swap-push-push" /* Copy incoming EXP into all swap-push-push labels */.as(:oneline), "exp-push-push-push" /* Top-label EXP rewrite rule for push-push-push operation */.as(:oneline), "frame-relay-de" ( /* Frame relay discard eligible bit rewrite rule */ sc( ("default") ) ).as(:oneline), "ieee-802.1ad" ( /* IEEE-802.1ad (DEI) rewrite rule */ c( ("default"), "vlan-tag" ( /* One or more VLAN tags to which rewrite rule applies */ ("outer" | "outer-and-inner") ) ) ), "inet6-precedence" /* IPv6 precedence rewrite rule */.as(:oneline) ) ), "loss-priority-rewrites" /* Loss priority rewrites applied to outgoing packets */, "translation-table" /* Translation tables applied to incoming packets */, "policy-map" /* Policy-map describing the packet marking rule */.as(:oneline) ) ), "classifiers" /* Classifiers applied to incoming packets */, "forwarding-class" arg /* Forwarding class assigned to incoming packets */, "rewrite-rules" /* Rewrite rules applied to outgoing packets */, "multi-destination" /* Multi-destination class of service */ ) ) end rule(:juniper_def_rtb_switch_options) do c( "mac-table-size" ( /* Size of MAC address forwarding table */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop") ) ) ), "mac-ip-table-size" ( /* Size of MAC+IP bindings table */ c( arg ) ), "interface-mac-limit" ( /* Maximum MAC address learned per interface */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "interface-mac-ip-limit" ( /* Maximum MAC+IP bindings learned per interface */ c( arg ) ), "mac-notification" ( /* MAC notification options */ c( "notification-interval" arg /* Interval for sending MAC notifications */ ) ), "mac-table-aging-time" arg /* Delay for discarding MAC address if no updates are received */, "no-mac-learning" /* Disable dynamic MAC address learning */, "no-normalization" /* Disable vlan id normalization for interfaces */, "mac-statistics" /* Enable MAC address statistics */, "mib" ( /* Snmp mib options */ c( "dot1q-mib" ( /* Dot1q MIB configuration options */ c( "port-list" ( /* Port list for staticegressports and staticuntaggedports MIB */ ("bit-map" | "string") ) ) ) ) ), "static-rvtep-mac" ( /* Configure Static MAC and remote VxLAN tunnel endpoint entries */ c( "mac" ( /* Unicast MAC address */ s( arg, "remote-vtep" arg /* Configure static remote VXLAN tunnel endpoints */ ) ).as(:oneline) ) ), "service-id" arg /* Service ID required if multi-chassis AE is part of a bridge-domain */, "ovsdb-managed" /* All vxlan bridge domains in routing instance are remote managed */, "vtep-source-interface" ( /* Source layer-3 IFL for VXLAN */ sc( interface_name, c( "inet" /* IPv4 source */, "inet6" /* IPv6 source */ ) ) ).as(:oneline), "voip" ( /* Voice-over-IP configuration */ c( "interface" (arg | "access-ports") ( /* Enable voice over IP on this port */ c( "vlan" arg /* VLAN for voice over IP */, "forwarding-class" arg /* Forwarding class */ ) ) ) ), "unknown-unicast-forwarding" ( /* Set interface for forwarding of unknown unicast packets */ c( "vlan" arg ( /* VLAN for the unknown unicast packets */ c( "interface" ( /* Interface to send unknown unicast packets for the VLAN */ interface_name /* Interface to send unknown unicast packets for the VLAN */ ) ) ) ) ), "authentication-whitelist" /* MAC authentication-whitelist configuration needed to bypass Authentication */, "route-distinguisher" ( /* Route distinguisher for this instance */ sc( arg /* Number in (16 bit:32 bit) or (32 bit 'L':16 bit) or (IP address:16 bit) format */ ) ).as(:oneline), "vrf-import" ( /* Import policy for VRF instance RIBs */ policy_algebra /* Import policy for VRF instance RIBs */ ), "vrf-export" ( /* Export policy for VRF instance RIBs */ policy_algebra /* Export policy for VRF instance RIBs */ ), "vrf-target" ( /* VRF target community configuration */ c( arg /* Target community to use in import and export */, "import" arg /* Target community to use when filtering on import */, "export" arg /* Target community to use when marking routes on export */, "auto" ( /* Auto derive import and export target community from BGP AS & L2 */ juniper_def_rtb_auto_import_as /* Auto derive import and export target community from BGP AS & L2 */ ) ) ), "vtep-remote-interface" ( /* Remote VTEP interface */ c( "remote-ip" arg ( /* Remote VTEP IP address */ c( "dynamic-profile" arg /* Define associate dynamic profile */ ) ), "default" ( /* To all remote vtep interface */ c( "dynamic-profile" arg /* Define associate dynamic profile */ ) ) ) ), "interface" arg ( /* Interface for configuring bridge-options */ c( "interface-mac-limit" ( /* Maximum number of MAC addresses learned on the interface */ c( arg, "disable" /* Disable interface for interface-mac-limit */, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "interface-mac-ip-limit" ( /* Maximum number of MAC+IP bindings learned on the interface */ c( arg ) ), "no-mac-learning" /* Disable dynamic MAC address learning */, "mac-pinning" /* Enable MAC pinning */, "persistent-learning" /* Enable persistent MAC learning on this interface */, "no-mac-notification" /* Disable mac notification on this interface */ ) ), "remote-vtep-list" ( /* Configure static remote VXLAN tunnel endpoints */ ipaddr /* Configure static remote VXLAN tunnel endpoints */ ), "interface-shutdown-action" ( /* Interface shutdown mode for Storm-Control/Mac-Limit/Mac-Move-limit scenario */ ("soft-shutdown" | "hard-shutdown") ), "remote-vtep-v6-list" ( /* Configurate static IPv6 remote VXLAN tunnel endpoints */ ipv6addr /* Configurate static IPv6 remote VXLAN tunnel endpoints */ ), "redundant-trunk-group" /* Redundant trunk group */ ) end rule(:juniper_def_rtb_auto_import_as) do c( "import-as" arg ( /* AS to auto import for a list of VNI ids */ c( "vni-list" arg /* List of VNI identifiers or all */ ) ) ) end rule(:juniper_dynamic_profile_object) do arg.as(:arg) ( c( "variables" ( /* Dynamic variable configuration */ juniper_dynamic_variable_object /* Dynamic variable configuration */ ), "predefined-variable-defaults" ( /* Assign default values to predefined variables */ c( "cos-excess-rate" ( /* Default for junos-cos-excess-rate */ c( "proportion" arg /* Excess rate as proportion */, "percent" arg /* Excess rate as percentage */ ) ), "cos-excess-rate-high" ( /* Default for junos-cos-excess-rate-high */ c( "proportion" arg /* Excess rate as proportion */, "percent" arg /* Excess rate as percentage */ ) ), "cos-excess-rate-low" ( /* Default for junos-cos-excess-rate-low */ c( "proportion" arg /* Excess rate as proportion */, "percent" arg /* Excess rate as percentage */ ) ), "cos-scheduler-tx" ( /* Default for junos-cos-scheduler-tx */ c( "rate" arg /* Transmit rate as rate */, "percent" arg /* Transmit rate as percentage */ ) ), "cos-scheduler-bs" ( /* Default for junos-cos-scheduler-bs */ c( "percent" arg /* Buffer size as percentage */, "temporal" arg /* Buffer size as temporal */ ) ), "cos-scheduler-shaping-rate" ( /* Default for junos-cos-scheduler-shaping-rate */ c( "rate" arg /* Shaping rate as rate */, "percent" arg /* Shaping rate as percentage */ ) ), base_default_variable_object ) ), "routing-instances" ( /* Routing instance configuration */ c( c( "interface" ("$junos-interface-name" | arg) ( /* Interface name for this routing instance */ c( c( "any" /* Interface used for both unicast and multicast traffic */, "unicast" /* Interface used for unicast traffic only */, "multicast" /* Interface used for multicast traffic only */ ), "primary" /* Preferred multicast vt interface for the routing-instance */, "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ) ) ), "routing-options" ( /* Protocol-independent routing option configuration */ c( "rib" arg ( /* Routing table options */ c( "static" ( /* Static routes */ c( "rib-group" arg /* Routing table group */, "defaults" ( /* Global route options */ c( "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route" arg ( /* Static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "static-route" ( /* Static route Status */ sc( "bfd-admin-down" ( /* Static route State on BFD ADMIN DOWN */ ("active" | "passive") ) ) ).as(:oneline), "iso-route" arg ( /* ISO family static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route-target-filter" arg ( /* Route-target-filter route */ c( "neighbor" ( /* BGP peers for filter */ ipaddr /* BGP peers for filter */ ), "group" arg /* BGP groups for filter */, "local" /* Locally originated filter */ ) ) ) ), "martians" ( /* Invalid routes */ martian_type /* Invalid routes */ ), "aggregate" ( /* Coalesced routes */ rib_aggregate_type /* Coalesced routes */ ), "generate" ( /* Route of last resort */ rib_aggregate_type /* Route of last resort */ ), c( "maximum-routes" ( /* Maximum number of routes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "maximum-paths" ( /* Maximum number of paths */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline) ), "maximum-prefixes" ( /* Maximum number of prefixes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "multipath" ( /* Protocol-independent load balancing */ c( "vpn-unequal-cost" ( /* Include VPN routes with unequal IGP metrics */ sc( "equal-external-internal" /* Include external and internal VPN routes */ ) ).as(:oneline), "as-path-compare" /* Compare AS path sequences in addition to AS path length */ ) ), "protect" ( /* Protocol-independent protection */ sc( "core" /* Protect against unreachability to service-edge router */ ) ).as(:oneline), "label" ( /* Label processing */ c( "allocation" ( /* Label allocation policy */ policy_algebra /* Label allocation policy */ ), "substitution" ( /* Label substitution policy */ policy_algebra /* Label substitution policy */ ) ) ), "access" ( /* Access routes */ c( "route" arg ( /* Access route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "metric" arg /* Metric value */, "preference" arg /* Preference value */, "tag" arg /* Tag string */, "tag2" arg /* Tag2 string */ ) ) ) ), "access-internal" ( /* Access-internal routes */ c( "route" arg ( /* Access-internal route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ) ) ) ) ), "bgp-static" ( /* Routes for BGP static advertisements */ c( "route" arg ( /* BGP-static route */ c( "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ) ) ), "flow" ( /* Locally defined flow routing information */ c( "validation" ( /* Flow route validation options */ flow_validation /* Flow route validation options */ ), "route" ( /* Flow route */ flow_route_inet6 /* Flow route */ ), "interface-group" ( /* Interface-group for applying flow-spec filter */ flow_interface_group /* Interface-group for applying flow-spec filter */ ) ) ) ) ), "access" ( /* Access routes */ c( "route" arg ( /* Access route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "metric" arg /* Metric value */, "preference" arg /* Preference value */, "tag" arg /* Tag string */, "tag2" arg /* Tag2 string */ ) ) ) ), "access-internal" ( /* Access-internal routes */ c( "route" arg ( /* Access-internal route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ) ) ) ) ), "multicast" ( /* Global multicast options */ c( "traceoptions" ( /* Global multicast trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("parse" | "config-internal" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "rpf" arg, "scope" arg ( /* Multicast address scope */ c( "prefix" ( /* Administratively scoped address */ ipprefix /* Administratively scoped address */ ), "interface" ( /* Interface on which to configure scoping */ interface_name /* Interface on which to configure scoping */ ) ) ), "scope-policy" ( /* Scoping policy */ policy_algebra /* Scoping policy */ ), "flow-map" arg ( /* Multicast flow map configuration */ c( "policy" ( /* Policy for matched flows */ policy_algebra /* Policy for matched flows */ ), "bandwidth" ( /* Bandwidth properties for matched flows */ sc( arg /* Static or default bandwidth for the matched flows */, "adaptive" /* Auto-sense bandwidth for matched flows */ ) ).as(:oneline), "redundant-sources" ( /* Redundant source addresses */ ipaddr /* Redundant source addresses */ ), "forwarding-cache" ( /* Forwarding cache properties for matched flows */ c( "timeout" ( /* Timeout properties for matched flows */ sc( c( arg, "never" ( /* Forwarding cache entries never time out */ c( "non-discard-entry-only" /* Apply only to non-discard entries */ ) ) ) ) ).as(:oneline) ) ) ) ), "resolve-filter" ( /* Multicast resolve policy filter */ policy_algebra /* Multicast resolve policy filter */ ), "ssm-groups" ( /* Source-specific multicast group ranges */ ipprefix /* Source-specific multicast group ranges */ ), "asm-override-ssm" /* Allow ASM state for SSM group ranges */, "rpf-check-policy" ( /* Disable RPF check for a source group pair */ policy_algebra /* Disable RPF check for a source group pair */ ), "pim-to-igmp-proxy" ( /* PIM-to-IGMP proxy */ c( "upstream-interface" ( /* Upstream interface list */ interface_name /* Upstream interface list */ ) ) ), "pim-to-mld-proxy" ( /* PIM-to-MLD proxy */ c( "upstream-interface" ( /* Upstream interface list */ interface_name /* Upstream interface list */ ) ) ), "forwarding-cache" ( /* Multicast forwarding cache */ c( "allow-maximum" /* Allow maximum of global and family level threshold values for suppress and reuse */, "family" enum(("inet" | "inet6")) ( /* Protocol family */ c( "threshold" ( /* Multicast forwarding cache suppress threshold */ c( "suppress" arg /* Suppress threshold */, "reuse" arg /* Reuse threshold */, "mvpn-rpt-suppress" arg /* MVPN RP tree entry suppress threshold */, "mvpn-rpt-reuse" arg /* MVPN RP tree entry reuse threshold */, "log-warning" arg /* Percentage at which to start generating warnings */ ) ) ) ), "threshold" ( /* Threshold */ c( "suppress" arg /* Suppress threshold */, "reuse" arg /* Reuse threshold */, "mvpn-rpt-suppress" arg /* MVPN RP tree entry suppress threshold */, "mvpn-rpt-reuse" arg /* MVPN RP tree entry reuse threshold */, "log-warning" arg /* Percentage at which to start generating warnings */ ) ), "timeout" arg /* Forwarding cache entry timeout in minutes */ ) ), "interface" ( /* Multicast interface options */ multicast_interface_options_type /* Multicast interface options */ ), "ssm-map" arg ( /* SSM map definitions */ c( "policy" ( /* Policy for matching group */ policy_algebra /* Policy for matching group */ ), "source" ( /* One or more source addresses */ ipaddr /* One or more source addresses */ ) ) ), "stream-protection" /* Multicast only Fast Re-Route */, "backup-pe-group" arg ( /* Backup PE group definitions */ c( "backups" ( /* One or more IP addresses */ ipaddr /* One or more IP addresses */ ), "local-address" ( /* Address to be used as local-address for this group */ ipaddr /* Address to be used as local-address for this group */ ) ) ), "omit-wildcard-address" /* Omit wildcard source/group fields in SPMSI AD NLRI */, "local-address" ( /* Local address for PIM and MVPN sessions */ ipv4addr /* Local address for PIM and MVPN sessions */ ) ) ) ) ) ) ) ), "interfaces" ( /* Interface configuration */ c( "pic-set" /* NP bundling configuration */, "interface-set" ("$junos-interface-set-name" | arg | "$junos-svlan-interface-set-name" | "$junos-tagged-vlan-interface-set-name" | "$junos-phy-ifd-interface-set-name" | "$junos-pon-id-interface-set-name") ( /* Logical interface set configuration */ c( "targeted-distribution" /* Interface participates in targeted-distribution */, "targeted-options" /* Targeting specific options */, "interface" arg ( /* One or more interfaces that belong to interface set */ c( "unit" arg /* One or more logical interface unit numbers */, "vlan-tags-outer" arg /* One or more outer VLAN tags */ ) ), "pppoe-underlying-options" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ) ) ), "stacked-interface-set" ( /* Stacked interface set configuration */ c( "interface-set" ("$junos-aggregation-interface-set-name" | arg) ( /* Stacked parent interface set configuration */ c( "interface-set" ("$junos-interface-set-name" | arg | "$junos-svlan-interface-set-name" | "$junos-tagged-vlan-interface-set-name" | "$junos-phy-ifd-interface-set-name" | "$junos-pon-id-interface-set-name") /* Stacked child interface set configuration */ ) ) ) ), "traceoptions" ( /* Interface trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "kernel" | "change-events" | "kernel-detail" | "config-states" | "resource-usage" | "gres-events" | "select-events" | "bfd-events" | "lib-events" | "reserved" | "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "informational" | "debugging" | "verbose" | "japi")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "interface-range" arg ( /* Interface ranges configuration */ c( "member" arg /* Interfaces belonging to the interface range */, "member-range" arg ( /* Interfaces range in to format */ sc( "end-range" ( interface_device ) ) ).as(:oneline), "description" arg /* Text description of interface */, "metadata" arg /* Text metadata attached to interface */, ("disable"), "promiscuous-mode" /* Enable promiscuous mode for L3 interface */, "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "multicast-statistics" /* Enable multicast statistics */, "oam-on-svlan" /* Propagate SVLAN OAM state to CVLANs */, "fabric-options" ( /* Fabric interface specific options */ c( "member-interfaces" arg /* Member interface for the fabric interface */ ) ), "traceoptions" ( /* Interface trace options */ c( "flag" enum(("ipc" | "event" | "media" | "all" | "q921" | "q931")) /* Tracing parameters */.as(:oneline), "file" ( /* Trace file information for ISDN decoded frames */ c( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ) ) ), "passive-monitor-mode" /* Use interface to tap packets from another router */, c( "keepalives" ( /* Send or demand keepalive messages */ keepalives_type /* Send or demand keepalive messages */ ).as(:oneline), "no-keepalives" /* Do not send keepalive messages */ ), "traps" /* Enable SNMP notifications on state changes */, "no-traps" /* Don't enable SNMP notifications on state changes */, "interface-mib" /* Enable interface-related MIBs */, "no-interface-mib" /* Don't enable interface-related MIBs */, "accounting-profile" arg /* Accounting profile name */, "anchor-point" /* Anchor point */, "bypass-queueing-chip" /* Enable to bypass queueing chip */, "no-bypass-queueing-chip" /* Don't enable to bypass queueing chip */, c( "per-unit-scheduler" /* Enable subunit queuing on Frame Relay or VLAN IQ interface */, "no-per-unit-scheduler" /* Don't enable subunit queuing on Frame Relay or VLAN IQ interface */, "shared-scheduler" /* Enabled shared queuing on an IQ2 interface */, "hierarchical-scheduler" ( /* Enable hierarchical scheduling */ sc( "maximum-hierarchy-levels" arg /* Maximum hierarchy levels */, "maximum-l2-nodes" arg /* Maximum l2 nodes, allowed numbers are power of 2 between 1 and 16k (needs FPC reboot) */, "maximum-l3-nodes" arg /* Maximum l3 nodes, allowed numbers are power of 2 between 2 and 32k (needs FPC reboot) */, "implicit-hierarchy" /* Implicit hierarchy (follows interface hierarchy) */ ) ).as(:oneline) ), "l2tp-maximum-session" arg /* Maximum L2TP session */, "schedulers" arg /* Number of schedulers to allocate for interface */, "interface-transmit-statistics" /* Interface statistics based on the transmitted packets */, "cascade-port" /* Cascade port */, "dce" /* Respond to Frame Relay status enquiry messages */, c( "vlan-tagging" /* 802.1q VLAN tagging support */, "stacked-vlan-tagging" /* Stacked 802.1q VLAN tagging support */, "flexible-vlan-tagging" /* Support for no tagging, or single and double 802.1q VLAN tagging */, "vlan-vci-tagging" /* CCC for VLAN Q-in-Q and ATM VPI/VCI interworking */ ), "native-vlan-id" arg /* Virtual LAN identifier for untagged frames */, "no-native-vlan-insert" /* Disable native-vlan-id insertion to untagged frames */, "no-pseudowire-down-on-core-isolation" /* Do not bring the pseudowire down in the event of EVPN Core isolation */, "speed" ( /* Link speed */ ("auto" | "auto-10m-100m" | "10m" | "100m" | "1g" | "2.5g" | "5g" | "10g" | "40g" | "oc3" | "oc12" | "oc48") ), "forwarding-class-accounting" /* Configure Forwarding-class-accounting parameters */, "auto-configure" ( /* Auto configuration */ auto_configure_vlan_type /* Auto configuration */ ), "mtu" arg /* Maximum transmit packet size */, "hold-time" ( /* Hold time for link up and link down */ sc( "up" arg /* Link up hold time */, "down" arg /* Link down hold time */ ) ).as(:oneline), "damping" /* Interface damping parameters */, "link-degrade-monitor" ( /* Enable link degrade monitoring */ c( "actions" ( /* Action upon link degrade event */ c( c( "media-based" /* Media based */ ) ) ), "recovery" ( /* Link degrade recovery mechanism */ c( "timer" arg /* Auto recovery timer in seconds */, c( "auto" /* Automatic recovery */, "manual" /* Manual recovery */ ) ) ), "thresholds" ( /* Link degrade threshold parameters */ c( "set" arg /* BER at which link considered degraded(1..16) */, "clear" arg /* BER at which link considered improved(1..16) */, "warning-set" arg /* BER at which link degrade warning raised(1..16) */, "warning-clear" arg /* BER at which link degrade warning cleared(1..16) */, "interval" arg /* Consecutive link degrade events */ ) ) ) ), "satop-options" ( /* Structure-Agnostic TDM over Packet protocol options */ c( "idle-pattern" arg /* An 8-bit hexadecimal pattern to replace TDM data in a lost packet */, "payload-size" arg /* Number of payload bytes per packet */, "excessive-packet-loss-rate" ( /* Packet loss options */ c( "threshold" arg /* Percentile designating the threshold of excessive packet loss rate */, "sample-period" arg /* Number of milliseconds over which excessive packet loss rate is calculated */ ) ), c( "jitter-buffer-packets" arg /* Number of packets in jitter buffer before packet data is played out in the line */, "jitter-buffer-latency" arg /* Number of milliseconds delay in jitter buffer before packet data is played out in the line */, "jitter-buffer-auto-adjust" /* Automatically adjust jitter buffer */ ), "bit-rate" arg /* In multiples of DS0 */ ) ), "cesopsn-options" ( /* Structure-Aware TDM over Packet protocol options */ c( "idle-pattern" arg /* An 8-bit hexadecimal pattern to replace TDM data in a lost packet */, "packetization-latency" arg /* Number of microseconds to create packets */, "payload-size" arg /* Number of payload bytes per packet */, "excessive-packet-loss-rate" ( /* Packet loss options */ c( "threshold" arg /* Percentile designating the threshold of excessive packet loss rate */, "sample-period" arg /* Number of milliseconds over which excessive packet loss rate is calculated */ ) ), c( "jitter-buffer-packets" arg /* Number of packets in jitter buffer before packet data is played out in the line */, "jitter-buffer-latency" arg /* Number of milliseconds delay in jitter buffer before packet data is played out in the line */, "jitter-buffer-auto-adjust" /* Automatically adjust jitter buffer */ ), "bit-rate" arg /* In multiples of DS0 */ ) ), "ima-group-options" /* IMA group options */, "ima-link-options" /* IMA link options */, "multi-chassis-protection" ( /* Inter-Chassis protection configuration */ multi_chassis_protection_group /* Inter-Chassis protection configuration */ ), "clocking" ( /* Interface clock source */ sc( c( "internal" /* Clocking provided by local system */, "external" ( /* Clocking provided by DCE (loop timing) */ c( "interface" ( /* Interface that acts as clock source */ interface_device /* Interface that acts as clock source */ ) ) ) ) ) ).as(:oneline), "link-mode" ( /* Link operational mode */ ("automatic" | "half-duplex" | "full-duplex") ), "media-type" arg /* Interface media type (copper or fiber) */, "encapsulation" ( /* Physical link-layer encapsulation */ ("ethernet" | "fddi" | "token-ring" | "ppp" | "ppp-ccc" | "ppp-tcc" | "ether-vpls-ppp" | "frame-relay" | "frame-relay-ccc" | "frame-relay-tcc" | "extended-frame-relay-ccc" | "extended-frame-relay-tcc" | "flexible-frame-relay" | "frame-relay-port-ccc" | "frame-relay-ether-type" | "frame-relay-ether-type-tcc" | "extended-frame-relay-ether-type-tcc" | "cisco-hdlc" | "cisco-hdlc-ccc" | "cisco-hdlc-tcc" | "vlan-ccc" | "extended-vlan-ccc" | "ethernet-ccc" | "flexible-ethernet-services" | "smds-dxi" | "atm-pvc" | "atm-ccc-cell-relay" | "ethernet-over-atm" | "ethernet-tcc" | "extended-vlan-tcc" | "multilink-frame-relay-uni-nni" | "satop" | "cesopsn" | "ima" | "ethernet-vpls" | "ethernet-bridge" | "vlan-vpls" | "vlan-vci-ccc" | "extended-vlan-vpls" | "extended-vlan-bridge" | "multilink-ppp" | "generic-services") ), "esi" /* ESI configuration of multi-homed interface */, "framing" ( /* Frame type */ c( c( "lan-phy" /* 802.3ae 10-Gbps LAN-mode interface */, "wan-phy" /* 802.3ae 10-Gbps WAN-mode interface */, "sonet" /* SONET framing */, "sdh" /* SDH framing */ ) ) ), "unidirectional" /* Unidirectional Mode */, "lmi" ( /* Local Management Interface settings */ c( "n391dte" arg /* DTE full status polling interval */, "n392dce" arg /* DCE error threshold */, "n392dte" arg /* DTE error threshold */, "n393dce" arg /* DCE monitored event count */, "n393dte" arg /* DTE monitored event count */, "t391dte" arg /* DTE polling timer */, "t392dce" arg /* DCE polling verification timer */, "lmi-type" ( /* Specify the Frame Relay LMI type */ ("ansi" | "itu" | "c-lmi") ) ) ), "mlfr-uni-nni-bundle-options" ( /* Multilink Frame Relay UNI NNI (FRF.16) management settings */ c( "cisco-interoperability" ( /* FRF.16 Cisco interoperability settings */ c( "send-lip-remove-link-for-link-reject" /* Send Link Integrity Protocol remove link on receiving add-link rejection */ ) ), "mrru" arg /* Maximum received reconstructed unit */, "yellow-differential-delay" arg /* Yellow differential delay among bundle links to give warning */, "red-differential-delay" arg /* Red differential delay among bundle links to take action */, "action-red-differential-delay" ( /* Type of actions when differential delay exceeds red limit */ ("remove-link" | "disable-tx") ), "fragment-threshold" arg /* Fragmentation threshold */, "drop-timeout" arg /* Drop timeout */, "link-layer-overhead" ( /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ unsigned_float /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ ), "lmi-type" ( /* Specify the multilink Frame Relay UNI NNI LMI type */ ("ansi" | "itu" | "c-lmi") ), "minimum-links" arg /* Minimum number of links to sustain the bundle */, "hello-timer" arg /* LIP hello timer */, "acknowledge-timer" arg /* LIP ack timer */, "acknowledge-retries" arg /* LIP ack retry times */, "n391" arg /* Multilink Frame Relay UNI NNI full status polling counter */, "n392" arg /* Multilink Frame Relay UNI NNI LMI error threshold */, "n393" arg /* Multilink Frame Relay UNI NNI LMI monitored event count */, "t391" arg /* Multilink Frame Relay UNI NNI link integrity verify polling timer */, "t392" arg /* Multilink Frame Relay UNI NNI polling verification timer */ ) ), "mac" ( /* Hardware MAC address */ mac_unicast /* Hardware MAC address */ ), "receive-bucket" ( /* Set receive bucket parameters */ dcd_rx_bucket_config /* Set receive bucket parameters */ ), "transmit-bucket" ( /* Set transmit bucket parameters */ dcd_tx_bucket_config /* Set transmit bucket parameters */ ), "shared-interface" /* Enable shared interface on the interface */, "sonet-options" ( /* SONET interface-specific options */ sonet_options_type /* SONET interface-specific options */ ), "logical-tunnel-options" ( /* Logical Tunnel interface-specific options */ c( "link-protection" ( /* Enable link protection mode */ c( "revertive" /* Revert back (Default mode) from active backup link to primary, if primary is UP */, "non-revertive" /* Do not revert back from active backup link to primary, if primary is UP */ ) ), "per-unit-mac-disable" /* Disable the creation of per unit mac address on LT IFLs for VPLS/CCC encaps */ ) ), "aggregated-sonet-options" ( /* Aggregated SONET interface-specific options */ c( "minimum-links" arg /* Minimum number of aggregated links */, "link-speed" ( /* Aggregated links speed */ ("oc3" | "oc12" | "oc48" | "oc192" | "oc768" | "mixed") ), "minimum-bandwidth" arg /* Minimum bandwidth necessary to sustain bundle */ ) ), "atm-options" ( /* ATM interface-specific options */ c( "pic-type" ( /* Type of ATM PIC (ATM I, ATM II or ATM CE) */ ("atm-ce" | "atm2" | "atm1") ), "cell-bundle-size" arg /* L2 circuit cell bundle size */, "cell-bundle-timeout" arg /* L2 circuit cell bundle timeout */, "plp-to-clp" /* Enable ATM2 PLP to CLP copy */, "use-null-cw" /* Always insert/strip null control words with cell-relay */, "promiscuous-mode" ( /* Set ATM interface to promiscuous mode */ c( "vpi" arg /* Open this VPI in promiscuous mode */.as(:oneline) ) ), "vpi" arg ( /* Define a virtual path */ c( "maximum-vcs" arg /* Maximum number of virtual circuits on this VP */, "shaping" ( /* Virtual path traffic-shaping options */ dcd_shaping_config /* Virtual path traffic-shaping options */ ), "oam-period" ( /* F4 OAM cell period */ sc( c( arg, "disable" /* Disable F4 OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* F4 OAM virtual path liveness parameters */ c( "up-count" arg /* Number of F4 OAM cells to consider VP up */, "down-count" arg /* Number of F4 OAM cells to consider VP down */ ) ) ) ), "ilmi" /* Enable Interim Local Management Interface */, "linear-red-profiles" arg ( /* ATM2 CoS virtual circuit drop profiles */ sc( "queue-depth" arg /* Maximum queue depth */, "high-plp-threshold" arg /* Fill level percentage when linear RED is applied for high PLP */, "low-plp-threshold" arg /* Fill level percentage when linear RED is applied for low PLP */, "high-plp-max-threshold" arg /* Fill level percentage with 100 percent packet drop for high PLP */, "low-plp-max-threshold" arg /* Fill level percentage with 100 percent packet drop for low PLP */ ) ).as(:oneline), "scheduler-maps" arg ( /* ATM2 CoS parameters assigned to forwarding classes */ c( "vc-cos-mode" ( /* ATM2 virtual circuit CoS mode */ ("strict" | "alternate") ), "forwarding-class" arg ( /* Scheduling parameters associated with forwarding class */ c( "priority" ( /* Queuing priority assigned to forwarding class */ ("low" | "high") ), "transmit-weight" ( /* Transmit weight */ sc( c( "percent" arg /* Transmit weight as percentage */, "cells" arg /* Transmit weight by cells count */ ) ) ).as(:oneline), c( "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline), "linear-red-profile" arg /* Linear RED profile profile name */ ) ) ) ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */ ) ), "multiservice-options" ( /* Multiservice interface-specific options */ c( "syslog" /* Enable system logging on this interface */, "no-syslog" /* Don't enable system logging on this interface */, "core-dump" /* Enable core dumping on this interface */, "no-core-dump" /* Don't enable core dumping on this interface */, "dump-on-flow-control" /* Enable dumping for this interface on prolonged flow-control */, "no-dump-on-flow-control" /* Don't enable dumping for this interface on prolonged flow-control */, "reset-on-flow-control" /* Enable resetting this interface on prolonged flow-control */, "no-reset-on-flow-control" /* Don't enable resetting this interface on prolonged flow-control */, "flow-control-options" ( /* Flow control configuration */ c( "dump-on-flow-control" /* Cause core dump during prolonged flow-control */, "reset-on-flow-control" /* Reset interface during prolonged flow-control */, "down-on-flow-control" /* Bring interface down during prolonged flow-control */, "up-on-flow-control" /* Keep interface up during prolonged flow-control */ ) ) ) ), "ggsn-options" ( /* GGSN interface-specific options */ c( "syslog" /* Enable system logging on this interface */, "no-syslog" /* Don't enable system logging on this interface */, "core-dump" /* Enable core dumping on this interface */, "no-core-dump" /* Don't enable core dumping on this interface */ ) ), "ppp-options" ( /* Point-to-Point Protocol (PPP) interface-specific options */ ppp_options_type /* Point-to-Point Protocol (PPP) interface-specific options */ ), "redundancy-options" /* Redundancy options */, "load-balancing-options" /* Load-balancing on services pics */, "aggregated-inline-services-options" /* Aggregated Inline Service interface specific options */, "anchoring-options" /* Groups anchoring PFEs or FPCs together. */, "lsq-failure-options" /* Link services queuing failure options */, "redundancy-group" /* Redundancy group configuration */, "services-options" ( /* Services interface-specific options */ c( "syslog" ( /* Define system log parameters */ service_set_syslog_object /* Define system log parameters */ ), "jflow-log" ( /* Define Jflow-log parameters. */ c( "message-rate-limit" arg /* Maximum jflow-log NAT error events allowed per second from this interface */ ) ), "deterministic-nat-configuration-log-interval" ( /* Define Deterministic NAT parameters */ c( "interval" arg /* Interval in which deterministic NAT logs are generated */ ) ), "open-timeout" arg /* Timeout period for TCP session establishment */, "close-timeout" arg /* Timeout period for TCP session tear-down */, "inactivity-timeout" arg /* Inactivity timeout period for established sessions (4..86400) */, "inactivity-tcp-timeout" arg /* Inactivity timeout period for TCP established sessions */, "inactivity-asymm-tcp-timeout" arg /* Inactivity timeout period for asymmetric TCP established sessions */, "inactivity-non-tcp-timeout" arg /* Inactivity timeout period for non-TCP established sessions */, "session-timeout" arg /* Session timeout period for established sessions */, "disable-global-timeout-override" /* Disallow overriding global inactivity or session timeout */, "tcp-tickles" arg /* Number of TCP keep-alive packets to be sent for bi-directional TCP flows */, "trio-flow-offload" /* Allow PIC to offload flows to Trio-based PFE */, "fragment-limit" arg /* Maximum number of fragments allowed for a packet */, "reassembly-timeout" arg /* Re-assembly timeout (seconds) for fragments of a packet */, "cgn-pic" /* PIC will be used for Carrier Grade NAT configuration only */, "pba-interim-logging-interval" arg /* Interim logging interval in seconds */, "session-limit" ( /* Session limit */ c( "maximum" arg /* Maximum number of sessions allowed simultaneously */, "rate" arg /* Maximum number of new sessions allowed per second */, "cpu-load-threshold" arg /* CPU limit in percentage for auto-tuning of session rate */ ) ), "ignore-errors" ( /* Ignore anomalies or errors */ sc( "tcp" /* TCP protocol errors */, "alg" /* ALG anomalies or errors */ ) ).as(:oneline), "capture" ( /* Packet capture for SFW and NAT on the Services PIC */ c( "capture-size" arg /* The number of packets to store */, "pkt-size" arg /* Number of bytes to be saved from each packet */, "logs-per-packet" arg /* The number of trace messages stored for each packet */, "max-log-line-size" arg /* The maximum length of a stored trace message */, "filter" ( /* Filtering options for the packet capture */ c( "source-ip" ( /* Filter based on source-ip (and wildcard) */ sc( "wildcard" ( /* Source IP wildcard */ ipaddr /* Source IP wildcard */ ), ipaddr /* Source IP */ ) ).as(:oneline), "dest-ip" ( /* Filter based on dest-ip (and wildcard) */ sc( "wildcard" ( /* Dest IP wildcard */ ipaddr /* Dest IP wildcard */ ), ipaddr /* Dest IP */ ) ).as(:oneline), "sw-sip" ( /* Filter based on source softwire ip (and wildcard) */ sc( "wildcard" ( /* Source IP wildcard */ ipv6addr /* Source IP wildcard */ ), ipv6addr /* Source softwire IP */ ) ).as(:oneline), "sw-dip" ( /* Filter based on destination softwire ip (and wildcard) */ sc( "wildcard" ( /* Destination IP wildcard */ ipaddr /* Destination IP wildcard */ ), ipaddr /* Destination softwire IP */ ) ).as(:oneline), "sport-range" ( /* Filter based on source port */ sc( "low" arg /* Source port range start */, "high" arg /* Source port range end */ ) ).as(:oneline), "dport-range" ( /* Filter based on destination port */ sc( "low" arg /* Destination port range start */, "high" arg /* Destination port range end */ ) ).as(:oneline), "proto" ( /* Filter based on L4 protocol */ ("icmp" | "tcp" | "udp") ) ) ) ) ) ) ), "t3-options" ( /* T3 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("local" | "remote" | "payload") ), "long-buildout" /* Set hardware to drive line longer than 255 feet */, "no-long-buildout" /* Don't set hardware to drive line longer than 255 feet */, "loop-timing" /* Set loop timing for T3 */, "no-loop-timing" /* Don't set loop timing for T3 */, "unframed" /* Enable unframed mode */, "no-unframed" /* Don't enable unframed mode */, "compatibility-mode" ( /* Set CSU compatibility mode */ sc( c( "larscom" ( /* Compatible with Larscom CSU */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "verilink" ( /* Compatible with Verilink CSU (not on 2/4-port T3 PIC) */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "adtran" ( /* Compatible with Adtran CSU (not on 2/4-port T3 PIC) */ sc( "subrate" arg /* Set subrate value */ ) ).as(:oneline), "kentrox" ( /* Compatible with Kentrox CSU */ sc( "subrate" arg /* Set subrate value (not on 2/4-port T3 PIC) */ ) ).as(:oneline), "digital-link" ( /* Compatible with Digital Link CSU */ sc( "subrate" ( /* Set subrate value */ ("301Kb" | "601Kb" | "902Kb" | "1.2Mb" | "1.5Mb" | "1.8Mb" | "2.1Mb" | "2.4Mb" | "2.7Mb" | "3.0Mb" | "3.3Mb" | "3.6Mb" | "3.9Mb" | "4.2Mb" | "4.5Mb" | "4.8Mb" | "5.1Mb" | "5.4Mb" | "5.7Mb" | "6.0Mb" | "6.3Mb" | "6.6Mb" | "6.9Mb" | "7.2Mb" | "7.5Mb" | "7.8Mb" | "8.1Mb" | "8.4Mb" | "8.7Mb" | "9.0Mb" | "9.3Mb" | "9.6Mb" | "9.9Mb" | "10.2Mb" | "10.5Mb" | "10.8Mb" | "11.1Mb" | "11.4Mb" | "11.7Mb" | "12.0Mb" | "12.3Mb" | "12.6Mb" | "12.9Mb" | "13.2Mb" | "13.5Mb" | "13.8Mb" | "14.1Mb" | "14.4Mb" | "14.7Mb" | "15.0Mb" | "15.3Mb" | "15.6Mb" | "15.9Mb" | "16.2Mb" | "16.5Mb" | "16.8Mb" | "17.1Mb" | "17.4Mb" | "17.7Mb" | "18.0Mb" | "18.3Mb" | "18.6Mb" | "18.9Mb" | "19.2Mb" | "19.5Mb" | "19.8Mb" | "20.1Mb" | "20.5Mb" | "20.8Mb" | "21.1Mb" | "21.4Mb" | "21.7Mb" | "22.0Mb" | "22.3Mb" | "22.6Mb" | "22.9Mb" | "23.2Mb" | "23.5Mb" | "23.8Mb" | "24.1Mb" | "24.4Mb" | "24.7Mb" | "25.0Mb" | "25.3Mb" | "25.6Mb" | "25.9Mb" | "26.2Mb" | "26.5Mb" | "26.8Mb" | "27.1Mb" | "27.4Mb" | "27.7Mb" | "28.0Mb" | "28.3Mb" | "28.6Mb" | "28.9Mb" | "29.2Mb" | "29.5Mb" | "29.8Mb" | "30.1Mb" | "30.4Mb" | "30.7Mb" | "31.0Mb" | "31.3Mb" | "31.6Mb" | "31.9Mb" | "32.2Mb" | "32.5Mb" | "32.8Mb" | "33.1Mb" | "33.4Mb" | "33.7Mb" | "34.0Mb" | "34.3Mb" | "34.6Mb" | "34.9Mb" | "35.2Mb" | "35.5Mb" | "35.8Mb" | "36.1Mb" | "36.4Mb" | "36.7Mb" | "37.0Mb" | "37.3Mb" | "37.6Mb" | "37.9Mb" | "38.2Mb" | "38.5Mb" | "38.8Mb" | "39.1Mb" | "39.4Mb" | "39.7Mb" | "40.0Mb" | "40.3Mb" | "40.6Mb" | "40.9Mb" | "41.2Mb" | "41.5Mb" | "41.8Mb" | "42.1Mb" | "42.4Mb" | "42.7Mb" | "43.0Mb" | "43.3Mb" | "43.6Mb" | "43.9Mb" | "44.2Mb") ) ) ).as(:oneline) ) ) ).as(:oneline), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */, "cbit-parity" /* Enable C-bit parity mode */, "no-cbit-parity" /* Don't enable C-bit parity mode */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "feac-loop-respond" /* Respond to FEAC loop requests */, "no-feac-loop-respond" /* Don't respond to FEAC loop requests */, "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "buildout" arg /* Line buildout */, "atm-encapsulation" ( /* DS-3 interface encapsulation */ ("plcp" | "direct") ) ) ), "e3-options" ( /* E3 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("local" | "remote") ), "unframed" /* Enable unframed mode */, "no-unframed" /* Don't enable unframed mode */, "compatibility-mode" ( /* Set CSU compatibility mode */ sc( c( "larscom" /* Compatible with Larscom CSU (only non IQ E3 interfaces) */, "digital-link" ( /* Compatible with Digital Link CSU */ sc( "subrate" ( /* Set subrate value */ ("358Kb" | "716Kb" | "1.1Mb" | "1.4Mb" | "1.8Mb" | "2.1Mb" | "2.5Mb" | "2.9Mb" | "3.2Mb" | "3.6Mb" | "3.9Mb" | "4.3Mb" | "4.7Mb" | "5.0Mb" | "5.4Mb" | "5.7Mb" | "6.1Mb" | "6.4Mb" | "6.8Mb" | "7.2Mb" | "7.5Mb" | "7.9Mb" | "8.2Mb" | "8.6Mb" | "9.0Mb" | "9.3Mb" | "9.7Mb" | "10.0Mb" | "10.4Mb" | "10.7Mb" | "11.1Mb" | "11.5Mb" | "11.8Mb" | "12.2Mb" | "12.5Mb" | "12.9Mb" | "13.2Mb" | "13.6Mb" | "14.0Mb" | "14.3Mb" | "14.7Mb" | "15.0Mb" | "15.4Mb" | "15.8Mb" | "16.1Mb" | "16.5Mb" | "16.8Mb" | "17.2Mb" | "17.5Mb" | "17.9Mb" | "18.3Mb" | "18.6Mb" | "19.0Mb" | "19.3Mb" | "19.7Mb" | "20.0Mb" | "20.4Mb" | "20.8Mb" | "21.1Mb" | "21.5Mb" | "21.8Mb" | "22.2Mb" | "22.6Mb" | "22.9Mb" | "23.3Mb" | "23.6Mb" | "24.0Mb" | "24.3Mb" | "24.7Mb" | "25.1Mb" | "25.4Mb" | "25.8Mb" | "26.1Mb" | "26.5Mb" | "26.9Mb" | "27.2Mb" | "27.6Mb" | "27.9Mb" | "28.3Mb" | "28.6Mb" | "29.0Mb" | "29.4Mb" | "29.7Mb" | "30.1Mb" | "30.4Mb" | "30.8Mb" | "31.1Mb" | "31.5Mb" | "31.9Mb" | "32.2Mb" | "32.6Mb" | "32.9Mb" | "33.3Mb" | "33.7Mb" | "34.0Mb") ) ) ).as(:oneline), "kentrox" ( /* Compatible with Kentrox CSU */ sc( "subrate" arg /* Set subrate value (only for E3 IQ interfaces) */ ) ).as(:oneline) ) ) ).as(:oneline), "payload-scrambler" /* Enable payload scrambling */, "no-payload-scrambler" /* Don't enable payload scrambling */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "invert-data" /* Invert data */, "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "buildout" arg /* Line buildout */, "atm-encapsulation" ( /* E3 interface encapsulation */ ("plcp" | "direct") ), "framing" ( /* E3 line format */ ("g.751" | "g.832") ) ) ), "e1-options" ( /* E1 interface-specific options */ c( "timeslots" arg /* Timeslots (1..32); for example, 1-4,6,9-11,32 (no space) */, "loopback" ( /* Loopback mode */ ("local" | "remote") ), "framing" ( /* Framing mode */ ("g704" | "unframed" | "g704-no-crc4") ), "fcs" ( /* Frame checksum */ ("32" | "16") ), "invert-data" /* Invert data */, "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */ ) ), "t1-options" ( /* T1 interface-specific options */ c( "timeslots" arg /* Timeslots (1..24; for example, 1-3,4,9,22-24 (no space) */, "voice-timeslots" arg /* Voice timeslots (1..24),for example, 1-3,4,9,22-24 (no space) */, "disable-remote-alarm-detection" arg /* Disable detection of a remote alarm */, "loopback" ( /* Loopback mode */ ("local" | "remote" | "payload") ), "buildout" ( /* Line buildout */ ("0-132" | "133-265" | "266-398" | "399-531" | "532-655" | "long-0db" | "long-7.5db" | "long-15db" | "long-22.5db") ), "byte-encoding" ( /* Byte encoding */ ("nx64" | "nx56") ), "line-encoding" ( /* Line encoding */ ("ami" | "b8zs") ), "invert-data" /* Invert data */, "framing" ( /* Framing mode */ ("sf" | "esf") ), "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e3" | "pseudo-2e4" | "pseudo-2e5" | "pseudo-2e6" | "pseudo-2e7" | "pseudo-2e9-o153" | "pseudo-2e10" | "pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e17" | "pseudo-2e18" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "pseudo-2e21" | "pseudo-2e22" | "pseudo-2e23-o151" | "pseudo-2e25" | "pseudo-2e28" | "pseudo-2e29" | "pseudo-2e31" | "pseudo-2e32" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */, "remote-loopback-respond" /* Respond to loop requests from remote end */, "crc-major-alarm-threshold" ( /* CRC Major alarm threshold value */ ("1e-3" | "5e-4" | "1e-4" | "5e-5" | "1e-5") ), "crc-minor-alarm-threshold" ( /* CRC Minor alarm threshold value */ ("1e-3" | "5e-4" | "1e-4" | "5e-5" | "1e-5" | "5e-6" | "1e-6") ), "alarm-compliance" arg /* Enforce standard for alarm reporting */ ) ), "ds0-options" ( /* DS-0 interface-specific options */ c( "loopback" ( /* Loopback mode */ ("payload") ), "byte-encoding" ( /* Byte encoding */ ("nx64" | "nx56") ), "invert-data" /* Invert data */, "fcs" ( /* Frame checksum */ ("32" | "16") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ), "start-end-flag" ( /* Set start/end flags on transmission */ ("shared" | "filler") ), "bert-algorithm" ( /* Set BERT algorithm */ ("pseudo-2e11-o152" | "pseudo-2e15-o151" | "pseudo-2e20-o153" | "pseudo-2e20-o151" | "all-ones-repeating" | "all-zeros-repeating" | "alternating-ones-zeros" | "alternating-double-ones-zeros" | "repeating-3-in-24" | "repeating-1-in-8" | "repeating-1-in-4" | "repeating-1-in-16") ), "bert-error-rate" arg /* Bit error rate (10^-n for n > 0, and zero for n = 0) */, "bert-period" arg /* Length of BERT test */ ) ), "serial-options" ( /* Serial interface-specific options */ c( "line-protocol" ( /* Line protocol to be used */ ("eia530" | "v.35" | "x.21") ), c( "dte-options" ( /* DTE options/control leads */ c( "ignore-all" /* Ignore all control leads */, "dtr" ( /* Data Transmit Ready signal handling */ sc( c( "assert" /* Assert DTR signal */, "de-assert" /* Deassert DTR signal */, "normal" /* Normal DTR signal */, "auto-synchronize" ( /* Normal DTR signal, with autoresynchronization */ c( "duration" arg /* Duration of autoresynchronization */, "interval" arg /* Interval for autoresynchronization */ ) ) ) ) ).as(:oneline), "control-signal" ( /* X.21 control signal handling */ ("assert" | "de-assert" | "normal") ), "rts" ( /* Request To Send signal handling */ ("assert" | "de-assert" | "normal") ), "dcd" ( /* Data Carrier Detect signal handling */ ("require" | "ignore" | "normal") ), "dsr" ( /* Data Set Ready signal handling */ ("require" | "ignore" | "normal") ), "cts" ( /* Clear To Send signal handling */ ("require" | "ignore" | "normal") ), "indication" ( /* X.21 Indication signal handling */ ("require" | "ignore" | "normal") ), "tm" ( /* Test Mode signal handling */ ("require" | "ignore" | "normal") ) ) ), "dce-options" ( /* DCE options */ c( "ignore-all" /* Ignore all control leads */, "dtr" ( /* Data Transmit Ready signal handling */ ("require" | "ignore" | "normal") ), "rts" ( /* Request To Send signal handling */ ("require" | "ignore" | "normal") ), "dcd" ( /* Data Carrier Detect signal handling */ ("assert" | "de-assert" | "normal") ), "dsr" ( /* Data Set Ready signal handling */ ("assert" | "de-assert" | "normal") ), "cts" ( /* Clear To Send signal handling */ ("assert" | "de-assert" | "normal") ), "tm" ( /* Test Mode signal handling */ ("require" | "ignore" | "normal") ), "dce-loopback-override" /* DCE loopback override */ ) ) ), "dtr-circuit" ( /* Data Transmit Ready circuit mode */ ("balanced" | "unbalanced") ), "dtr-polarity" ( /* Data Transmit Ready signal polarity */ ("positive" | "negative") ), "rts-polarity" ( /* Request To Send signal polarity */ ("positive" | "negative") ), "control-polarity" ( /* X.21 Control signal polarity */ ("positive" | "negative") ), "dcd-polarity" ( /* Data Carrier Detect signal polarity */ ("positive" | "negative") ), "dsr-polarity" ( /* Data Set Ready signal polarity */ ("positive" | "negative") ), "cts-polarity" ( /* Clear To Send signal polarity */ ("positive" | "negative") ), "indication-polarity" ( /* X.21 Indication signal polarity */ ("positive" | "negative") ), "tm-polarity" ( /* Test Mode signal polarity */ ("positive" | "negative") ), "clocking-mode" ( /* Clock mode */ ("dce" | "internal" | "loop") ), "transmit-clock" ( /* Transmit clock phase */ ("invert") ), "clock-rate" ( /* Interface clock rate */ ("2.048mhz" | "2.341mhz" | "2.731mhz" | "3.277mhz" | "4.096mhz" | "5.461mhz" | "8.192mhz" | "16.384mhz" | "1.2khz" | "2.4khz" | "9.6khz" | "19.2khz" | "38.4khz" | "56.0khz" | "64.0khz" | "72.0khz" | "125.0khz" | "148.0khz" | "250.0khz" | "500.0khz" | "800.0khz" | "1.0mhz" | "1.3mhz" | "2.0mhz" | "4.0mhz" | "8.0mhz") ), "loopback" ( /* Loopback mode */ ("local" | "remote" | "dce-local" | "dce-remote") ), "encoding" ( /* Line encoding */ ("nrz" | "nrzi") ), "idle-cycle-flag" ( /* Value to transmit in idle cycles */ ("flags" | "ones") ) ) ), "gratuitous-arp-reply" /* Enable gratuitous ARP reply */, "no-gratuitous-arp-reply" /* Don't enable gratuitous ARP reply */, "no-gratuitous-arp-request" /* Ignore gratuitous ARP request */, "no-no-gratuitous-arp-request" /* Don't ignore gratuitous ARP request */, "arp-l2-validate" /* Validate ARP against L2 */, "ether-options" ( /* Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "ethernet-policer-profile" ( /* Ethernet level CoS-based policer configuration */ c( "input-priority-map" ( /* Input policer priority map */ cos_policer_input_priority_map /* Input policer priority map */ ), "output-priority-map" ( /* Output policer priority map */ cos_policer_output_priority_map /* Output policer priority map */ ), "policer" ( /* Policer template definition */ cos_policer /* Policer template definition */ ) ) ), "storm-control" ( /* Storm control profile name to bind */ c( arg /* Profile name */ ) ), "recovery-timeout" ( /* Recovery timeout for this interface */ sc( arg ) ).as(:oneline), "mac-learn-enable" /* Learn MAC addresses dynamically */, "no-mac-learn-enable" /* Don't learn MAC addresses dynamically */ ) ), "asynchronous-notification" /* Enable sending asynchronous notification to peer on CCC-down */, "source-address-filter" arg /* Source address filters */.as(:oneline), "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "configured-flow-control" /* Enable flow control */, "link-mode" arg /* Link duplex */, "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */, "no-auto-mdix" /* Disable auto MDI/MDIX */, "speed" /* Specify speed */, "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "force-up" /* Keep the port up in absence of received LACPDU */, "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ), "link-protection-sub-group" /* Link Protection subgroup configuration */, "port-priority" arg /* Link protection Priority of the port (0 ... 65535) */ ) ), "ieee-802-3az-eee" /* IEEE 802.3az Energy Efficient Ethernet(EEE) */, "mdi-mode" arg /* Cable cross-over mode */, "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant ethernet interface */ ) ), "autostate-exclude" /* Interface will not contribute to IRB state */ ) ), "fibrechannel-options" ( /* Fibre Channel interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "bb-sc-n" arg /* B2B state change number */, "speed" ( /* Specify speed */ ("auto-negotiation" | "1g" | "2g" | "4g" | "8g") ) ) ), "gigether-options" ( /* Gigabit Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "loopback-remote" /* Enable remote loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, c( "no-auto-negotiation" /* Disable auto-negotiation */, "auto-negotiation" ( /* Enable auto-negotiation */ sc( "remote-fault" ( ("local-interface-offline" | "local-interface-online") ) ) ).as(:oneline) ), "mac-mode" arg /* Physical layer protocol of MAC's SERDES interface */, "asynchronous-notification" /* Enable sending asynchronous notification to peer on CCC-down */, "source-address-filter" arg /* Source address filters */.as(:oneline), "pad-to-minimum-frame-size" /* Pad Tx vlan tagged frame to minimum of 68 bytes */, "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant-ethernet interface */ ) ), "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, "link-index" arg /* Desired child link index within the Aggregated Interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ), "distribution-list" arg /* Distribution list to which interface belongs */ ) ), "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "ethernet-policer-profile" ( /* Ethernet level CoS-based policer configuration */ c( "ieee802.1-priority-map" ( /* Premium priority values for IEEE 802.1p bits */ c( "premium" arg /* Premium policer priority map */ ) ), "input-priority-map" ( /* Input policer priority map */ cos_policer_input_priority_map /* Input policer priority map */ ), "output-priority-map" ( /* Output policer priority map */ cos_policer_output_priority_map /* Output policer priority map */ ), "policer" ( /* Policer template definition */ cos_policer /* Policer template definition */ ) ) ), "accept-from" ( /* Accept traffic from or to specified remote MAC */ c( "mac-address" ( /* Remote MAC */ mac_list /* Remote MAC */ ) ) ), "reject-the-rest" /* Accept traffic from only the specified MAC addresses */, "no-reject-the-rest" /* Don't accept traffic from only the specified MAC addresses */, "mac-learn-enable" /* Learn MAC addresses dynamically */ ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */, "no-auto-mdix" /* Disable auto MDI/MDIX */, "ieee-802-3az-eee" /* IEEE 802.3az Energy Efficient Ethernet(EEE) */, "mru" arg /* Maximum receive packet size */, "fec" ( /* Forward Error Correction mode */ ("none" | "fec91" | "fec74") ), "speed" ( /* Speed mode */ ("1g" | "10g") ) ) ), "optics-options" ( /* Optics options */ c( "wavelength" ( /* Wavelength of the optics (nanometers) for 50Ghz/100Ghz spacing */ ("1568.77" | "1568.36" | "1568.31" | "1568.26" | "1568.21" | "1568.16" | "1568.11" | "1568.05" | "1568.00" | "1567.95" | "1567.90" | "1567.85" | "1567.80" | "1567.75" | "1567.70" | "1567.64" | "1567.59" | "1567.54" | "1567.49" | "1567.44" | "1567.39" | "1567.34" | "1567.29" | "1567.23" | "1567.18" | "1567.13" | "1567.08" | "1567.03" | "1566.98" | "1566.93" | "1566.88" | "1566.83" | "1566.77" | "1566.72" | "1566.67" | "1566.62" | "1566.57" | "1566.52" | "1566.47" | "1566.42" | "1566.36" | "1566.31" | "1566.26" | "1566.21" | "1566.16" | "1566.11" | "1566.06" | "1566.01" | "1565.96" | "1565.90" | "1565.85" | "1565.80" | "1565.75" | "1565.70" | "1565.65" | "1565.60" | "1565.55" | "1565.50" | "1565.44" | "1565.39" | "1565.34" | "1565.29" | "1565.24" | "1565.19" | "1565.14" | "1565.09" | "1565.04" | "1564.99" | "1564.93" | "1564.88" | "1564.83" | "1564.78" | "1564.73" | "1564.68" | "1564.63" | "1564.58" | "1564.53" | "1564.47" | "1564.42" | "1564.37" | "1564.32" | "1564.27" | "1564.22" | "1564.17" | "1564.12" | "1564.07" | "1564.02" | "1563.96" | "1563.91" | "1563.86" | "1563.81" | "1563.76" | "1563.71" | "1563.66" | "1563.61" | "1563.56" | "1563.51" | "1563.45" | "1563.40" | "1563.35" | "1563.30" | "1563.25" | "1563.20" | "1563.15" | "1563.10" | "1563.05" | "1563.00" | "1562.95" | "1562.89" | "1562.84" | "1562.79" | "1562.74" | "1562.69" | "1562.64" | "1562.59" | "1562.54" | "1562.49" | "1562.44" | "1562.39" | "1562.33" | "1562.28" | "1562.23" | "1562.18" | "1562.13" | "1562.08" | "1562.03" | "1561.98" | "1561.93" | "1561.88" | "1561.83" | "1561.77" | "1561.72" | "1561.67" | "1561.62" | "1561.57" | "1561.52" | "1561.47" | "1561.42" | "1561.37" | "1561.32" | "1561.27" | "1561.22" | "1561.16" | "1561.11" | "1561.06" | "1561.01" | "1560.96" | "1560.91" | "1560.86" | "1560.81" | "1560.76" | "1560.71" | "1560.66" | "1560.61" | "1560.56" | "1560.50" | "1560.45" | "1560.40" | "1560.35" | "1560.30" | "1560.25" | "1560.20" | "1560.15" | "1560.10" | "1560.05" | "1560.00" | "1559.95" | "1559.90" | "1559.84" | "1559.79" | "1559.74" | "1559.69" | "1559.64" | "1559.59" | "1559.54" | "1559.49" | "1559.44" | "1559.39" | "1559.34" | "1559.29" | "1559.24" | "1559.19" | "1559.14" | "1559.08" | "1559.03" | "1558.98" | "1558.93" | "1558.88" | "1558.83" | "1558.78" | "1558.73" | "1558.68" | "1558.63" | "1558.58" | "1558.53" | "1558.48" | "1558.43" | "1558.38" | "1558.32" | "1558.27" | "1558.22" | "1558.17" | "1558.12" | "1558.07" | "1558.02" | "1557.97" | "1557.92" | "1557.87" | "1557.82" | "1557.77" | "1557.72" | "1557.67" | "1557.62" | "1557.57" | "1557.52" | "1557.46" | "1557.41" | "1557.36" | "1557.31" | "1557.26" | "1557.21" | "1557.16" | "1557.11" | "1557.06" | "1557.01" | "1556.96" | "1556.91" | "1556.86" | "1556.81" | "1556.76" | "1556.71" | "1556.66" | "1556.61" | "1556.55" | "1556.50" | "1556.45" | "1556.40" | "1556.35" | "1556.30" | "1556.25" | "1556.20" | "1556.15" | "1556.10" | "1556.05" | "1556.00" | "1555.95" | "1555.90" | "1555.85" | "1555.80" | "1555.75" | "1555.70" | "1555.65" | "1555.60" | "1555.55" | "1555.49" | "1555.44" | "1555.39" | "1555.34" | "1555.29" | "1555.24" | "1555.19" | "1555.14" | "1555.09" | "1555.04" | "1554.99" | "1554.94" | "1554.89" | "1554.84" | "1554.79" | "1554.74" | "1554.69" | "1554.64" | "1554.59" | "1554.54" | "1554.49" | "1554.44" | "1554.39" | "1554.34" | "1554.29" | "1554.23" | "1554.18" | "1554.13" | "1554.08" | "1554.03" | "1553.98" | "1553.93" | "1553.88" | "1553.83" | "1553.78" | "1553.73" | "1553.68" | "1553.63" | "1553.58" | "1553.53" | "1553.48" | "1553.43" | "1553.38" | "1553.33" | "1553.28" | "1553.23" | "1553.18" | "1553.13" | "1553.08" | "1553.03" | "1552.98" | "1552.93" | "1552.88" | "1552.83" | "1552.78" | "1552.73" | "1552.68" | "1552.62" | "1552.57" | "1552.52" | "1552.47" | "1552.42" | "1552.37" | "1552.32" | "1552.27" | "1552.22" | "1552.17" | "1552.12" | "1552.07" | "1552.02" | "1551.97" | "1551.92" | "1551.87" | "1551.82" | "1551.77" | "1551.72" | "1551.67" | "1551.62" | "1551.57" | "1551.52" | "1551.47" | "1551.42" | "1551.37" | "1551.32" | "1551.27" | "1551.22" | "1551.17" | "1551.12" | "1551.07" | "1551.02" | "1550.97" | "1550.92" | "1550.87" | "1550.82" | "1550.77" | "1550.72" | "1550.67" | "1550.62" | "1550.57" | "1550.52" | "1550.47" | "1550.42" | "1550.37" | "1550.32" | "1550.27" | "1550.22" | "1550.17" | "1550.12" | "1550.07" | "1550.02" | "1549.97" | "1549.92" | "1549.87" | "1549.82" | "1549.77" | "1549.72" | "1549.67" | "1549.62" | "1549.57" | "1549.52" | "1549.47" | "1549.42" | "1549.37" | "1549.32" | "1549.26" | "1549.21" | "1549.16" | "1549.11" | "1549.06" | "1549.01" | "1548.96" | "1548.91" | "1548.86" | "1548.81" | "1548.76" | "1548.71" | "1548.66" | "1548.61" | "1548.56" | "1548.51" | "1548.46" | "1548.41" | "1548.36" | "1548.31" | "1548.26" | "1548.21" | "1548.16" | "1548.11" | "1548.06" | "1548.02" | "1547.97" | "1547.92" | "1547.87" | "1547.82" | "1547.77" | "1547.72" | "1547.67" | "1547.62" | "1547.57" | "1547.52" | "1547.47" | "1547.42" | "1547.37" | "1547.32" | "1547.27" | "1547.22" | "1547.17" | "1547.12" | "1547.07" | "1547.02" | "1546.97" | "1546.92" | "1546.87" | "1546.82" | "1546.77" | "1546.72" | "1546.67" | "1546.62" | "1546.57" | "1546.52" | "1546.47" | "1546.42" | "1546.37" | "1546.32" | "1546.27" | "1546.22" | "1546.17" | "1546.12" | "1546.07" | "1546.02" | "1545.97" | "1545.92" | "1545.87" | "1545.82" | "1545.77" | "1545.72" | "1545.67" | "1545.62" | "1545.57" | "1545.52" | "1545.47" | "1545.42" | "1545.37" | "1545.32" | "1545.27" | "1545.22" | "1545.17" | "1545.12" | "1545.07" | "1545.02" | "1544.97" | "1544.92" | "1544.87" | "1544.82" | "1544.77" | "1544.72" | "1544.68" | "1544.63" | "1544.58" | "1544.53" | "1544.48" | "1544.43" | "1544.38" | "1544.33" | "1544.28" | "1544.23" | "1544.18" | "1544.13" | "1544.08" | "1544.03" | "1543.98" | "1543.93" | "1543.88" | "1543.83" | "1543.78" | "1543.73" | "1543.68" | "1543.63" | "1543.58" | "1543.53" | "1543.48" | "1543.43" | "1543.38" | "1543.33" | "1543.28" | "1543.23" | "1543.18" | "1543.13" | "1543.08" | "1543.04" | "1542.99" | "1542.94" | "1542.89" | "1542.84" | "1542.79" | "1542.74" | "1542.69" | "1542.64" | "1542.59" | "1542.54" | "1542.49" | "1542.44" | "1542.39" | "1542.34" | "1542.29" | "1542.24" | "1542.19" | "1542.14" | "1542.09" | "1542.04" | "1541.99" | "1541.94" | "1541.89" | "1541.84" | "1541.80" | "1541.75" | "1541.70" | "1541.65" | "1541.60" | "1541.55" | "1541.50" | "1541.45" | "1541.40" | "1541.35" | "1541.30" | "1541.25" | "1541.20" | "1541.15" | "1541.10" | "1541.05" | "1541.00" | "1540.95" | "1540.90" | "1540.85" | "1540.80" | "1540.76" | "1540.71" | "1540.66" | "1540.61" | "1540.56" | "1540.51" | "1540.46" | "1540.41" | "1540.36" | "1540.31" | "1540.26" | "1540.21" | "1540.16" | "1540.11" | "1540.06" | "1540.01" | "1539.96" | "1539.91" | "1539.86" | "1539.82" | "1539.77" | "1539.72" | "1539.67" | "1539.62" | "1539.57" | "1539.52" | "1539.47" | "1539.42" | "1539.37" | "1539.32" | "1539.27" | "1539.22" | "1539.17" | "1539.12" | "1539.07" | "1539.03" | "1538.98" | "1538.93" | "1538.88" | "1538.83" | "1538.78" | "1538.73" | "1538.68" | "1538.63" | "1538.58" | "1538.53" | "1538.48" | "1538.43" | "1538.38" | "1538.33" | "1538.28" | "1538.24" | "1538.19" | "1538.14" | "1538.09" | "1538.04" | "1537.99" | "1537.94" | "1537.89" | "1537.84" | "1537.79" | "1537.74" | "1537.69" | "1537.64" | "1537.59" | "1537.55" | "1537.50" | "1537.45" | "1537.40" | "1537.35" | "1537.30" | "1537.25" | "1537.20" | "1537.15" | "1537.10" | "1537.05" | "1537.00" | "1536.95" | "1536.90" | "1536.86" | "1536.81" | "1536.76" | "1536.71" | "1536.66" | "1536.61" | "1536.56" | "1536.51" | "1536.46" | "1536.41" | "1536.36" | "1536.31" | "1536.26" | "1536.22" | "1536.17" | "1536.12" | "1536.07" | "1536.02" | "1535.97" | "1535.92" | "1535.87" | "1535.82" | "1535.77" | "1535.72" | "1535.67" | "1535.63" | "1535.58" | "1535.53" | "1535.48" | "1535.43" | "1535.38" | "1535.33" | "1535.28" | "1535.23" | "1535.18" | "1535.13" | "1535.08" | "1535.04" | "1534.99" | "1534.94" | "1534.89" | "1534.84" | "1534.79" | "1534.74" | "1534.69" | "1534.64" | "1534.59" | "1534.54" | "1534.50" | "1534.45" | "1534.40" | "1534.35" | "1534.30" | "1534.25" | "1534.20" | "1534.15" | "1534.10" | "1534.05" | "1534.00" | "1533.96" | "1533.91" | "1533.86" | "1533.81" | "1533.76" | "1533.71" | "1533.66" | "1533.61" | "1533.56" | "1533.51" | "1533.47" | "1533.42" | "1533.37" | "1533.32" | "1533.27" | "1533.22" | "1533.17" | "1533.12" | "1533.07" | "1533.02" | "1532.98" | "1532.93" | "1532.88" | "1532.83" | "1532.78" | "1532.73" | "1532.68" | "1532.63" | "1532.58" | "1532.53" | "1532.49" | "1532.44" | "1532.39" | "1532.34" | "1532.29" | "1532.24" | "1532.19" | "1532.14" | "1532.09" | "1532.04" | "1532.00" | "1531.95" | "1531.90" | "1531.85" | "1531.80" | "1531.75" | "1531.70" | "1531.65" | "1531.60" | "1531.56" | "1531.51" | "1531.46" | "1531.41" | "1531.36" | "1531.31" | "1531.26" | "1531.21" | "1531.16" | "1531.12" | "1531.07" | "1531.02" | "1530.97" | "1530.92" | "1530.87" | "1530.82" | "1530.77" | "1530.72" | "1530.68" | "1530.63" | "1530.58" | "1530.53" | "1530.48" | "1530.43" | "1530.38" | "1530.33" | "1530.29" | "1530.24" | "1530.19" | "1530.14" | "1530.09" | "1530.04" | "1529.99" | "1529.94" | "1529.89" | "1529.85" | "1529.80" | "1529.75" | "1529.70" | "1529.65" | "1529.60" | "1529.55" | "1529.50" | "1529.46" | "1529.41" | "1529.36" | "1529.31" | "1529.26" | "1529.21" | "1529.16" | "1529.11" | "1529.07" | "1529.02" | "1528.97" | "1528.92" | "1528.87" | "1528.82" | "1528.77" | "1528.38") ), "tx-power" arg /* Transmit laser output power */, "loopback" /* Put the optics in loopback mode */, "los-warning-threshold" arg /* LOS warning threshold */, "los-alarm-threshold" arg /* LOS alarm threshold */, "modulation-format" ( /* Type of Modulation Format */ ("16qam" | "8qam" | "qpsk") ), "laser-enable" /* Enable Laser */, "no-laser-enable" /* Don't enable Laser */, "is-ma" /* Link is enabled with alarms masked */, "no-is-ma" /* Don't link is enabled with alarms masked */, "encoding" ( /* Line encoding */ ("differential" | "non-differential") ), "fec" ( /* Forward Error Correction mode */ ("sdfec" | "sdfec25" | "hgfec" | "sdfec15") ), "high-polarization" /* High polarization tracking mode */, "signal-degrade" ( /* Signal degrade thresholds */ c( "interval" arg /* Time interval */, "ber-threshold-clear" arg /* Ber threshold for signal degrade clear (format: xe-n, example: 4.5e-3) */, "ber-threshold-signal-degrade" arg /* Ber threshold for signal-degrade (format: xe-n, example: 4.5e-3) */, "q-threshold-signal-degrade-clear" arg /* Q threshold for signal-degrade clear (e.g. 14.26) */, "q-threshold-signal-degrade" arg /* Q threshold for signal-degrade (e.g. 9.26) */ ) ), "alarm" enum(("low-light-alarm")) ( /* Set optic alarms */ c( c( "syslog", "link-down" ) ) ), "tca" ( /* Set tca for optic alarms */ c( "tx-power-high-tca" ( /* Tx power high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute tx power high TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour tx power high TCA in dBm */ ) ), "tx-power-low-tca" ( /* Tx power low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute tx power low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour tx power low TCA in dBm */ ) ), "rx-power-high-tca" ( /* Rx power high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute rx power high TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour rx power high TCA in dBm */ ) ), "rx-power-low-tca" ( /* Rx power low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute rx power low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour rx power low TCA in dBm */ ) ), "temperature-high-tca" ( /* Temperature high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute high temperature TCA in celsius */, "threshold-24hrs" arg /* Threshold for 24 hour high temperature TCA in celsius */ ) ), "temperature-low-tca" ( /* Temperature low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute low temperature TCA in celsius */, "threshold-24hrs" arg /* Threshold for 24 hour low temperature TCA in celsius */ ) ), "carrier-frequency-offset-high-tca" ( /* Carrier frequency offset high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency offset high TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency offset high TCA in MHz */ ) ), "carrier-frequency-offset-low-tca" ( /* Carrier frequency offset low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency offset low TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency offset low TCA in MHz */ ) ), "fec-ber" ( /* Optics Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the Optics errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the Optics errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ).as(:oneline), "tec-current-high-tca" ( /* TEC Current high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute TEC Current high TCA in mA */, "threshold-24hrs" arg /* Threshold for 24 hour TEC Current high TCA in mA */ ) ), "tec-current-low-tca" ( /* TEC Current low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute TEC Current low TCA in mA */, "threshold-24hrs" arg /* Threshold for 24 hour TEC Current low TCA in mA */ ) ), "residual-isi-high-tca" ( /* Residual ISI high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute Residual ISI high TCA in ps/nm */, "threshold-24hrs" arg /* Threshold for 24 hour Residual ISI high TCA in ps/nm */ ) ), "residual-isi-low-tca" ( /* Residual ISI low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute Residual ISI low TCA in ps/nm */, "threshold-24hrs" arg /* Threshold for 24 hour Residual ISI low TCA in ps/nm */ ) ), "pam-histogram-high-tca" ( /* PAM Histogram high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute PAM Histogram high TCA */, "threshold-24hrs" arg /* Threshold for 24 hour PAM Histogram high TCA */ ) ), "snr-low-tca" ( /* SNR low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute SNR low TCA in dBm */, "threshold-24hrs" arg /* Threshold for 24 hour SNR low TCA in dBm */ ) ), "fec-corrected-errors-high-tca" ( /* FEC Corrected Error High Threshold crossing defect trigger */ c( "enable-tca" /* Enable the FEC Corrected Errors threshold crossing alert */, "no-enable-tca" /* Don't enable the FEC Corrected Errors threshold crossing alert */, "threshold" arg /* FEC Corrected-Errs value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* FEC Corrected-Errs value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ), "fec-ucorrected-words-high-tca" ( /* FEC UCorrected Words High Threshold crossing defect trigger */ c( "enable-tca" /* Enable the FEC UCorrected Words threshold crossing alert */, "no-enable-tca" /* Don't enable the FEC UCorrected Words threshold crossing alert */, "threshold" arg /* FEC UCorrected-Words value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* FEC UCorrected-Words value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ), "laser-frequency-error-high-tca" ( /* Laser frequency error high TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency error high TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency error high TCA in MHz */ ) ), "laser-frequency-error-low-tca" ( /* Laser frequency error low TCA */ c( "enable-tca" /* Enable tca */, "no-enable-tca" /* Don't enable tca */, "threshold" arg /* Threshold for 15 minute frequency error low TCA in MHz */, "threshold-24hrs" arg /* Threshold for 24 hour frequency error low TCA in MHz */ ) ) ) ), "warning" enum(("low-light-warning")) ( /* Set optic warnings */ c( c( "syslog" /* Set action as syslog */, "link-down" /* Set action as link-down */ ) ) ) ) ), "otn-options" ( /* Optical Transmission Network interface-specific options */ otn_options_type /* Optical Transmission Network interface-specific options */ ), "fastether-options" ( /* Fast Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "ingress-rate-limit" arg /* Ingress rate at port */, "source-address-filter" arg /* Source address filters */.as(:oneline), "redundant-parent" ( /* Parent of this interface */ c( interface_device /* Join a redundant ethernet interface */ ) ), "ieee-802.3ad" ( /* IEEE 802.3ad */ c( "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "port-priority" arg /* Priority of the port (0 ... 65535) */ ) ), interface_device /* Join an aggregated Ethernet interface */, c( "primary" /* Primary interface for link-protection mode */, "backup" /* Backup interface for link-protection mode */ ) ) ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ), "ignore-l3-incompletes" /* Ignore L3 incomplete errors */ ) ), "redundant-ether-options" ( /* Ethernet redundancy options */ c( "redundancy-group" arg /* Redundancy group of this interface */, "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "source-address-filter" arg /* Source address filters */.as(:oneline), "link-speed" ( /* Link speed of individual interface that joins the RETH */ ("10m" | "100m" | "1g" | "10g") ), "minimum-links" arg /* Minimum number of active links */, "lacp" ( /* Link Aggregation Control Protocol configuration */ c( c( "active" /* Initiate transmission of LACP packets */, "passive" /* Respond to LACP packets */ ), "periodic" ( /* Timer interval for periodic transmission of LACP packets */ ("fast" | "slow") ) ) ) ) ), "aggregated-ether-options" ( /* Aggregated Ethernet interface-specific options */ c( "loopback" /* Enable loopback */, "no-loopback" /* Don't enable loopback */, "flow-control" /* Enable flow control */, "no-flow-control" /* Don't enable flow control */, "source-filtering" /* Enable source address filtering */, "no-source-filtering" /* Don't enable source address filtering */, "autostate-exclude" /* Interface will not contribute to IRB state */, "link-protection" ( /* Enable link protection mode */ c( "revertive" /* Revert back from active backup link to primary, if primary is UP */, "non-revertive" /* Do not revert back (default mode) from active backup link to primary, if primary is UP */, "backup-state" ( /* Link protection backup link state */ ("accept-data" | "discard-data" | "down") ), "rtg-config" ( /* RTG enable on AE */ c( "preempt-cutover-timer" arg /* RTG preempt-cutover-timer in seconds */ ) ) ) ), "fcoe-lag" /* Enable FIP/FCoE LAG */, "no-fcoe-lag" /* Don't enable FIP/FCoE LAG */, "source-address-filter" /* Source address filters */.as(:oneline), "configured-flow-control" /* Enable flow control */, "load-balance" ( aggregate_load_balance ), "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address */ ipaddr /* BFD local address */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */ ) ), "minimum-links" arg /* Minimum number of aggregated links */, "minimum-bandwidth" ( /* Minimum bandwidth configured for aggregated bundle */ c( "bw-value" arg /* Bandwidth value */, "bw-unit" ( /* Bandwidth unit */ ("bps" | "kbps" | "mbps" | "gbps") ) ) ), "targeted-options" /* Targeting specific options */, c( "logical-interface-fpc-redundancy" /* Enable FPC redundancy for logical interfaces */, "logical-interface-chassis-redundancy" /* Enable CHASSIS redundancy for logical interfaces */ ), "rebalance-periodic" ( c( "start-time" ( /* Start time of the rebalance operation ( Wall clock time ) */ date /* Start time of the rebalance operation ( Wall clock time ) */ ), "interval" arg /* Interval of the rebalance operation in hrs */ ) ), "pad-to-minimum-frame-size" /* Pad Tx vlan tagged frame to minimum of 68 bytes */, "link-speed" ( /* Link speed of individual interface that joins the AE */ ("10m" | "100m" | "1g" | "2.5g" | "5g" | "8g" | "10g" | "25g" | "40g" | "50g" | "80g" | "100g" | "oc192" | "mixed") ), "local-bias" /* Turn on local bias functionality */, "local-minimum-links-threshold" arg /* Specify threshold for minimum links per VC/VCF member */, "resilient-hash" /* Turn on resilient-hash */, "lacp" ( /* Link Aggregation Control Protocol configuration */ c( c( "active" /* Initiate transmission of LACP packets */, "passive" /* Respond to LACP packets */ ), "periodic" ( /* Timer interval for periodic transmission of LACP packets */ ("fast" | "slow") ), "fast-failover" /* To turn off LACP fast-failover */, "link-protection" ( c( "disable" /* To turn off LACP link-protection */, c( "revertive" /* Switch links when better priority link comes up */, "non-revertive" /* Do not switch links when better priority link comes up */ ), "rtg-config" ( /* RTG Feature enable on AE */ c( "preempt-cutover-timer" arg /* RTG preempt-cutover-timer in seconds */ ) ) ) ), "accept-data" /* Keep receiving traffic even when LACP goes down */, "sync-reset" ( /* On minimum-link failure notify out of sync to peer */ ("disable" | "enable") ), "system-priority" arg /* Priority of the system (0 ... 65535) */, "system-id" ( /* Node's System ID, encoded as a MAC address */ mac_addr /* Node's System ID, encoded as a MAC address */ ), "admin-key" arg /* Node's administrative key */, "hold-time" /* Hold time for link up and link down for AE link members */.as(:oneline), "aggregate-wait-time" arg /* Aggregate wait time for the AE */, "force-up" /* Forceup AE interface with LACP */ ) ), "link-protection-sub-group" /* Link Protection subgroup configuration */, "ethernet-switch-profile" ( /* Ethernet virtual LAN/media access control-level options */ c( "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier values for VLAN-tagged frames */, "storm-control" /* Storm control profile name to bind */, "mac-learn-enable" /* Learn MAC addresses dynamically */ ) ), "mc-ae" /* Multi-chassis aggregation (MC-AE) network device configuration */, "share-standby" /* Share the resources with standby ports, needs FPC reboot to take effect */ ) ), "es-options" ( /* ES PIC interface-specific options */ c( "backup-interface" ( /* Name of backup interface */ interface_device /* Name of backup interface */ ) ) ), "dsl-options" ( /* DSL interface-specific options */ c( "operating-mode" ( /* DSL operating mode */ ("auto" | "ansi-dmt" | "itu-dmt" | "etsi" | "itu-annexb-ur2" | "itu-annexb-non-ur2" | "itu-dmt-bis" | "adsl2plus" | "annexm-itu-dmt-bis" | "annexm-adsl2plus") ) ) ), "vdsl-options" ( /* VDSL interface-specific options */ c( "vdsl-profile" ( /* VDSL profile */ ("auto" | "8a" | "8b" | "8c" | "8d" | "12a" | "12b" | "17a") ), "sra" ( /* DSL SRA */ ("enable" | "disable") ), "v43" ( /* DSL V43 tones */ ("enable" | "disable") ) ) ), "shdsl-options" ( /* SHDSL interface-specific options */ c( "annex" ( /* Type of SHDSL annex */ ("annex-a" | "annex-b" | "annex-f" | "annex-g" | "annex-auto") ), "line-rate" ( /* SHDSL line rate */ ("auto" | arg) ), "loopback" ( /* Loopback mode */ ("local" | "remote") ), "snr-margin" ( /* Signal to noise ratio margin */ c( "current" ( /* Current signal to noise ratio margin */ ("disable" | arg) ), "snext" ( /* SNEXT signal to noise ratio margin */ ("disable" | arg) ) ) ) ) ), "data-input" ( /* Configuration for drop-insert data input */ c( c( "system" /* Data sourced from system */, "interface" ( /* Interface that acts as data source */ interface_device /* Interface that acts as data source */ ) ) ) ), "switch-options" ( /* Front end ports configuration */ c( "switch-port" arg ( c( "auto-negotiation" /* Enable auto-negotiation */, "no-auto-negotiation" /* Don't enable auto-negotiation */, "link-mode" ( /* Link operational mode */ ("half-duplex" | "full-duplex") ), "speed" ( /* Link speed */ ("10m" | "100m" | "1g") ), "vlan-id" arg /* VLAN ID for this port */, "cascade-port" /* Port externally connected to another cascade port */ ) ) ) ), "container-options" ( /* Container interface specific options */ c( "container-type" ( /* Protocol type of the container interface */ c( c( "aps" ( /* APS options on the container */ aps_type /* APS options on the container */ ) ) ) ), "member-interface-type" ( /* Link type of members of container */ c( c( "sonet" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("oc3" | "oc12" | "oc48" | "oc192" | "oc768" | "mixed") ) ) ), "atm" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("oc3" | "oc12" | "oc48") ) ) ), "channelized-sonet" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("coc3" | "coc12" | "coc48" | "coc192" | "coc768") ) ) ), "channelized-sdh" ( c( "member-interface-speed" ( /* Link speed of members of container */ ("cstm1" | "cstm4" | "cstm16" | "coc64" | "cstm256") ) ) ) ) ) ), "redundancy" ( /* Container interface redundancy options */ c( "hold-time" ( /* Hold time for link up and link down */ sc( "up" arg /* Link up hold time */, "down" arg /* Link down hold time */ ) ).as(:oneline) ) ), "container-list" ( /* List of container interfaces this member link is associated to */ interface_device /* List of container interfaces this member link is associated to */ ), c( "primary" /* This member link is primary interface of the container */, "standby" /* This member link is standby interface of the container */ ), "fast-aps" /* Fast APS switch */, "allow-configuration-override" /* Allow physical configuration of member link to override container configuration */ ) ), "layer2-policer" /* Layer2 policing for interface */, "unit" enum(("$junos-underlying-interface-unit" | "$junos-interface-unit" | arg)) ( /* Logical interface */ c( "policer-overhead" ( /* Policer overhead adjustment for this unit */ c( arg, "ingress" arg /* Ingress value in bytes */, "egress" arg /* Egress value in bytes */ ) ), "alias" arg /* Interface alias */, "enhanced-convergence" /* Optimize convergence time for L3 */, "proxy-macip-advertisement" /* Proxy advertisement of type 2 MAC+IP route for EVPN */, "virtual-gateway-accept-data" /* Accept packets destined for virtual gateway address */, "peer-psd" ( /* Peer psd */ sc( arg /* Peer psd name */ ) ).as(:oneline), "peer-interface" ( /* Peer interface */ c( interface_unit /* Peer interface name */ ) ), "interface-shared-with" ( /* Specify which PSD owns this logical interface */ c( arg /* Name of protected system domain (psd[1-31], ex. psd2) */ ) ), ("disable"), "passive-monitor-mode" /* Use interface to tap packets from another router */, "per-session-scheduler" /* Enable per-session queuing on an IQ2 interface */, "account-layer2-overhead" /* Account layer2 overhead in IFL byte statistics */, "forwarding-class-accounting" /* Configure Forwarding-class-accounting parameters for IFL */, "clear-dont-fragment-bit" /* Clear DF bit in packet (AS PIC and J-series only as well as MIF) */, "packet-inject-enable" /* Enable packet inject functionality on this IFL */, "reassemble-packets" /* Do reassembly of fragmented tunnel packets */, "services-options" /* Services interface-specific options */, "rpm" /* Enable RPM service on this interface */, "description" arg /* Text description of interface */, "metadata" arg /* Text metadata attached to interface */, "dial-options" /* Dial options */, "actual-transit-statistics" /* Actual transit statistics */, "demux-source" ( enum(("inet" | "inet6")) ), "demux-destination" ( enum(("inet" | "inet6")) ), "demux" /* Demux based on source or destination address */, "encapsulation" ( /* Logical link-layer encapsulation */ ("atm-nlpid" | "atm-cisco-nlpid" | "atm-snap" | "atm-vc-mux" | "atm-ccc-vc-mux" | "atm-tcc-vc-mux" | "atm-tcc-snap" | "atm-ccc-cell-relay" | "vlan-vci-ccc" | "ether-over-atm-llc" | "ether-vpls-over-atm-llc" | "ppp-over-ether-over-atm-llc" | "ppp-over-ether" | "atm-ppp-vc-mux" | "atm-ppp-llc" | "atm-mlppp-llc" | "frame-relay-ppp" | "frame-relay-ccc" | "frame-relay" | "frame-relay-tcc" | "frame-relay-ether-type" | "frame-relay-ether-type-tcc" | "ether-vpls-fr" | "vlan-ccc" | "ethernet-ccc" | "vlan-vpls" | "vlan-bridge" | "dix" | "ethernet" | "ethernet-vpls" | "ethernet-bridge" | "vlan" | "vlan-tcc" | "multilink-ppp" | "multilink-frame-relay-end-to-end" | "ppp-ccc") ), "gre" /* Allow GRE packets */, "mtu" arg /* Maximum transmission unit packet size */, c( "point-to-point" /* Point-to-point connection */, "multipoint" /* Multipoint connection */ ), "bandwidth" arg /* Logical unit bandwidth (informational only) */, "global-layer2-domainid" arg /* Global Layer-2 Identifier for this interface */, "radio-router" ( /* Parameters for dynamic link cost management */ dynamic_ifbw_parms_type /* Parameters for dynamic link cost management */ ), "traps" /* Enable SNMP notifications on state changes */, "no-traps" /* Don't enable SNMP notifications on state changes */, "routing-services" /* Enable routing services */, "no-routing-services" /* Don't enable routing services */, "arp-resp" ( /* Knob to control ARP response on the interface, default is restricted */ sc( c( "unrestricted" /* Enable unrestricted ARP respone on the interface */, "restricted" /* Enable restricted proxy ARP response on the interface */ ) ) ).as(:oneline), "proxy-arp" ( /* Enable proxy ARP on the interface, default is unrestricted */ sc( c( "unrestricted" /* Enable unrestricted proxy ARP on the interface */, "restricted" /* Enable restricted proxy ARP on the interface */ ) ) ).as(:oneline), c( "vlan-id" ( /* Virtual LAN identifier value for 802.1q VLAN tags */ ("none" | arg) ), "vlan-id-range" arg /* Virtual LAN identifier range of form vid1-vid2 */, "inner-vlan-id-swap-ranges" arg /* Inner vlan-id swap range(s) of form vid1-vid2 for dynamic L2 VLANs */, "vlan-id-list" arg /* List of VLAN identifiers */, "vlan-tag" arg /* IEEE 802.1q tag list for VLAN tagged frames */, "vlan-tags" ( /* IEEE 802.1q tags */ sc( "outer" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-stacked-vlan-id" | "$junos-vlan-id" | arg) ), c( "inner" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-vlan-id" | arg) ), "inner-range" arg /* [tpid.]vid1-vid2, tpid format is 0xNNNN and is optional */, "inner-list" arg /* List of VLAN identifiers */ ) ) ).as(:oneline) ), "deep-vlan-qualified-learning" arg /* Enable qualified MAC-address learning on the specified vlan tag */, "native-inner-vlan-id" arg /* Native virtual LAN identifier for singly tagged frames */, "inner-vlan-id-range" /* Inner vlan-id range start end */.as(:oneline), "accept-source-mac" ( /* Remote media access control address to/from which to accept traffic */ c( "mac-address" ( /* Remote MAC address */ mac_list /* Remote MAC address */ ) ) ), "input-vlan-map" ( /* VLAN map operation on input */ vlan_map /* VLAN map operation on input */ ), "output-vlan-map" ( /* VLAN map operation on output */ vlan_map /* VLAN map operation on output */ ), "swap-by-poppush" /* Pop original vlan tag and then push a new vlan tag */, "receive-lsp" arg /* Name of incoming label-switched path */, "transmit-lsp" arg /* Name of outgoing label-switched path */, "dlci" arg /* Frame Relay data-link control identifier */, "multicast-dlci" arg /* Frame Relay data-link control identifier for multicast packets */, c( "vci" ( /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ ), "allow-any-vci" /* Allow all VCIs to open in atm-ccc-cell-relay mode */, "vpi" arg /* ATM point-to-point virtual path identifier (vpi) */, "trunk-id" arg /* ATM trunk identifier */ ), "no-vpivci-swapping" /* Do not swap VPI/VCI for Cell Relay */, c( "psn-vci" ( /* PSN VCI */ atm_vci /* PSN VCI */ ), "psn-vpi" arg /* PSN VPI */ ), "atm-l2circuit-mode" ( /* Select ATM Layer 2 circuit transport mode */ sc( c( "cell" /* ATM Layer 2 circuit cell mode */, "aal5" /* ATM Layer 2 circuit AAL5 mode */ ) ) ).as(:oneline), "vci-range" ( /* ATM VCI range start end */ sc( "start" arg /* ATM VCI range's start value */, "end" arg /* ATM VCI range's end value */ ) ).as(:oneline), "trunk-bandwidth" arg /* ATM trunk bandwidth */, "multicast-vci" ( /* ATM virtual circuit identifier for multicast packets */ atm_vci /* ATM virtual circuit identifier for multicast packets */ ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable F5 OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "ppp-options" ( /* Point-to-Point Protocol interface-specific options */ ppp_options_type /* Point-to-Point Protocol interface-specific options */ ), "pppoe-options" ( /* PPP over Ethernet interface-specific options */ pppoe_options_type /* PPP over Ethernet interface-specific options */ ), "pppoe-underlying-options" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "advisory-options" ( /* Interface-specific recommendations */ advisory_options_type /* Interface-specific recommendations */ ), "auto-configure" ( /* Auto configuration */ auto_configure_vlan_type /* Auto configuration */ ), "demux-options" ( /* IP demux interface-specific options */ demux_options_type /* IP demux interface-specific options */ ), "targeted-distribution" /* Interface participates in targeted-distribution */, "targeted-options" /* Targeting specific options */, c( "keepalives" ( /* Send or demand keepalive messages */ keepalives_type /* Send or demand keepalive messages */ ).as(:oneline), "no-keepalives" /* Do not send or demand keepalive messages */ ), "inverse-arp" /* Enable inverse ARP */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline), "cell-bundle-size" arg /* L2 circuit cell bundle size */, "cell-bundle-timeout" arg /* L2 circuit cell bundle timeout */, "plp-to-clp" /* Enable ATM2 PLP to CLP copy */, "atm-scheduler-map" arg /* Assign ATM2 CoS scheduling map */, "mrru" arg /* Maximum received reconstructed unit */, "short-sequence" /* Short sequence number header format (MLPPP only) */, "fragment-threshold" arg /* Fragmentation threshold */, "drop-timeout" arg /* Drop timeout */, "disable-mlppp-inner-ppp-pfc" /* Disable compression for inner PPP header in MLPPP payload */, "minimum-links" arg /* Minimum number of links to sustain the bundle */, "multilink-max-classes" arg /* Number of multilink classes */, "compression" ( /* Various packet header compressions */ c( "rtp" ( /* Compress and decompress RTP */ c( "f-max-period" arg /* Maximum number of compressed packets between transmission of full headers */, "queues" ( /* Queue holding RTP packets. Default is queue 1 */ ("q0" | "q1" | "q2" | "q3") ), "port" ( /* UDP destination ports reserved for RTP packets */ sc( "minimum" arg, "maximum" arg ) ).as(:oneline), "maximum-contexts" ( /* Maximum number of simultaneous RTP contexts */ sc( arg ) ).as(:oneline) ) ) ) ), "interleave-fragments" /* Interleave long packets with high priority ones */, "link-layer-overhead" ( /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ unsigned_float /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ ), "accounting-profile" arg /* Accounting profile name */, "peer-unit" arg /* Peer unit number */, "tunnel" ( /* Tunnel parameters */ c( "encapsulation" ( /* Encapsulation over tunnel */ c( "vxlan-gpe" ( c( "source" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ), "interface" ( /* Name of the interface */ interface_name /* Name of the interface */ ) ) ), "destination" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ) ) ), "tunnel-endpoint" ( /* Tunnel end point type */ ("vxlan") ), "destination-udp-port" arg /* Value to write to the destination-udp-port field */, "vni" arg /* Value to write to the vni field */ ) ) ) ), "source" ( /* Tunnel source */ ipaddr /* Tunnel source */ ), "destination" ( /* Tunnel destination */ ipaddr /* Tunnel destination */ ), "key" arg /* Tunnel key */, "backup-destination" ( /* Backup tunnel destination */ ipaddr /* Backup tunnel destination */ ), c( "allow-fragmentation" /* Do not set DF bit on packets */, "do-not-fragment" /* Set DF bit on packets */ ), "ttl" arg /* Time to live */, "traffic-class" arg /* TOS/Traffic class field of IP-header */, "flow-label" arg /* Flow label field of IP6-header */, "path-mtu-discovery" /* Enable path MTU discovery for tunnels */, "no-path-mtu-discovery" /* Don't enable path MTU discovery for tunnels */, "routing-instance" ( /* Routing instance to which tunnel ends belong */ c( "destination" arg /* Routing instance of tunnel destination */ ) ) ) ), "compression-device" ( /* Logical interface used for compression */ interface_unit /* Logical interface used for compression */ ), "atm-policer" /* ATM policing for logical interface */, "layer2-policer" /* Layer2 policing for logical interface */, "filter" /* Filters to apply to all families configured under this logical interface */, "multi-chassis-protection" ( /* Inter-Chassis protection configuration */ multi_chassis_protection_group_ifl /* Inter-Chassis protection configuration */ ), "statistics" /* Enable statistics collection in PFE */, "esi" /* ESI configuration of logical interface */, "virtual-gateway-esi" /* ESI configuration of virtual gateway */, "service" ( /* Service operations */ c( "pcef" arg ( /* PCEF configuration */ c( "activate-all" /* Activate all rules and rulebases in the pcef profile */, "activate" arg /* Name of pcef profile rule or rulebase to activate */ ) ) ) ), "generate-eui64" /* To generate Link Local EUI-64 addresses */, "no-generate-eui64" /* Don't to generate Link Local EUI-64 addresses */, "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "dhcp" ( /* Dynamic Host Configuration Protocol client configuration */ dhcp_client_type /* Dynamic Host Configuration Protocol client configuration */ ), "targeted-broadcast" ( /* Directed broadcast */ c( c( "forward-and-send-to-re" /* Allow packets to be forwarded and sent to re */, "forward-only" /* Allow packets only to be forwarded */ ) ) ), "destination-class-usage" /* Enable destination class usage on this interface */, "transit-options-packets" /* Transit IP options packets (don't send to Routing Engine) */, "transit-ttl-exceeded" /* Transit IP TTL-exceeded packets (don't send to Routing Engine) */, "receive-options-packets" /* Receive IP options packets (don't send to Routing Engine) */, "receive-ttl-exceeded" /* Receive IP TTL-exceeded packets (don't send to Routing Engine) */, "accounting" ( /* Configure interface-based accounting options */ c( "source-class-usage" ( /* Enable source class usage on this interface */ c( "input" /* Specify this interface for source-class-usage input */, "output" /* Specify this interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mac-validate" arg /* Validate source MAC address */, "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "mtu" arg /* Protocol family maximum transmission unit */, "arp-max-cache" arg /* Max interface ARP nexthop cache size */, "arp-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "no-redirects" /* Do not redirect traffic */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "unconditional-src-learn" /* Glean from arp packets even when source cannot be validated */, "multicast-only" /* Allow only multicast traffic (tunnels only) */, "primary" /* Candidate for primary interface in system */, "ipsec-sa" arg /* Name of security association */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "simple-filter" ( /* Filter for doing multifield classification */ c( "input" arg /* Name of simple filter applied to received packets */ ) ), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "arp" arg /* Name of policer applied to received ARP packets */, "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "next-hop-tunnel" arg ( /* One or more next-hop tunnel tables */ c( "ipsec-vpn" arg /* Name of IPSec VPN */ ) ), "address" arg ( /* Interface address/destination prefix */ c( "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */, "broadcast" ( /* Broadcast address */ ipv4addr /* Broadcast address */ ), "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "multipoint-destination" arg ( /* Multipoint NBMA destination */ c( c( "dlci" arg /* Frame Relay data-link control identifier */, "vci" ( /* ATM virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM virtual circuit identifier ([vpi.]vci) */ ) ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "inverse-arp" /* Enable inverse ARP reply messages */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline) ) ), "arp" arg ( /* Static Address Resolution Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for ARP entry */ interface_name /* Layer 2 interface name for ARP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to ARP requests for this entry */ ) ).as(:oneline), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "vrrp-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv4addr /* Virtual Gateway IP address */ ) ) ), "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-address" | arg) ), "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */ ) ).as(:oneline), "location-pool-address" /* Location-based IP address pool */, "negotiate-address" /* Negotiate address with remote */ ) ), "iso" ( /* OSI ISO protocol parameters */ c( "address" arg /* Interface address */, "mtu" arg /* Protocol family maximum transmission unit */ ) ), "inet6" ( /* IPv6 protocol parameters */ c( "dhcpv6-client" ( /* Dynamic Host Configuration Protocol DHCPv6 client configuration */ c( "client-type" ( /* DHCPv6 client type */ ("stateful" | "autoconfig") ), "client-ia-type" enum(("ia-na" | "ia-pd")) /* DHCPv6 client identity association type */, "rapid-commit" /* Option is used to signal the use of the two message exchange for address assignment */, "prefix-delegating" ( /* Prefix delegating parameters */ c( "preferred-prefix-length" arg /* Client preferred prefix length */, "sub-prefix-length" arg /* The sub prefix length for LAN interfaces */ ) ), "client-identifier" ( /* DHCP Server identifies a client by client-identifier value */ sc( "duid-type" ( /* DUID identifying a client */ ("duid-llt" | "vendor" | "duid-ll") ) ) ).as(:oneline), "req-option" enum(("dns-server" | "domain" | "ntp-server" | "time-zone" | "sip-server" | "sip-domain" | "nis-server" | "nis-domain" | "fqdn" | "vendor-spec")) /* DHCPV6 client requested option configuration */, "retransmission-attempt" arg /* Number of attempts to retransmit the DHCPV6 client protocol packet */, "no-dns-install" /* Not propagate DNS to kernel */, "update-router-advertisement" ( /* Dhcpv6 client update rpd for prefix delegation */ c( "interface" arg ( /* Interfaces on which to delegate prefix */ c( "managed-configuration" /* Set managed address configuration */, "no-managed-configuration" /* Don't set managed address configuration */, "other-stateful-configuration" /* Set other stateful configuration */, "no-other-stateful-configuration" /* Don't set other stateful configuration */, "max-advertisement-interval" arg /* Maximum advertisement interval */, "min-advertisement-interval" arg /* Minimum advertisement interval */, "enable-recursive-dns-server-option" /* Enables the recursive DNS server option */, "no-enable-recursive-dns-server-option" /* Don't enables the recursive DNS server option */ ) ) ) ), "update-server" /* Propagate TCP/IP settings to DHCP server */ ) ), "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "accounting" ( /* Interface-based accounting options */ c( "source-class-usage" ( c( "input" /* Interface for source-class-usage input */, "output" /* Interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mtu" arg /* Protocol family maximum transmission unit */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "nd6-stale-time" arg /* Stale time to reconfirm reachability with inet6 neighbour */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "slaac-enable" /* Enable slaac on management interface */, "ndp-proxy" ( /* Enable ndp proxy on interface */ c( "interface-restricted" /* Enable ndp interface proxy restricted to interface */ ) ), "dad-proxy" ( /* DAD proxy on interface */ c( "interface-restricted" /* Enable DAD interface proxy restricted to interface */ ) ), "nd6-max-cache" arg /* Max interface ND nexthop cache size */, "nd6-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "no-redirects" /* Do not redirect traffic */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "address" arg ( /* Interface address or destination prefix */ c( "destination" ( /* Destination address */ ipv6addr /* Destination address */ ), "eui-64" /* Generate EUI-64 interface ID */, "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "ndp" arg ( /* Static Neighbor Discovery Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for NDP entry */ interface_name /* Layer 2 interface name for NDP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to NDP requests for this entry */ ) ).as(:oneline), "vrrp-inet6-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv6addr /* Virtual Gateway IP address */ ), "subnet-router-anycast" /* Create a subnet roter anycast address for this address. */ ) ), "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-ipv6-address" | arg) ) ) ).as(:oneline), "dad-disable" /* Disable duplicate-address-detection */, "no-dad-disable" /* Don't disable duplicate-address-detection */, "negotiate-address" /* Negotiate address with remote */ ) ), "mpls" ( /* MPLS protocol parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "maximum-labels" arg /* Protocol family maximum number of labels */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ) ) ), "mlppp" ( /* Multilink PPP protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ ("$junos-bundle-interface-name" | arg) ), c( "service-interface" ( /* Services interface to use */ interface_device /* Services interface to use */ ), "service-device-pool" arg /* Service interface pool name to use */ ), "dynamic-profile" arg /* dynamic profile for interface to use */ ) ), "mlfr-end-to-end" ( /* Multilink Frame Relay end-to-end protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "mlfr-uni-nni" ( /* Multilink Frame Relay UNI NNI protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "ccc" ( /* Circuit cross-connect parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "translate-fecn-and-becn" /* Translate FECN and BECN bits */, c( "translate-discard-eligible" /* Translate DE bit */, "translate-plp-control-word-de" /* Translate PLP to/from Martini Control DE bit */ ), "keep-address-and-control" /* Don't strip PPP address and control bytes */ ) ), "tcc" ( /* Translational cross-connect parameters */ c( "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "proxy" ( c( "inet-address" ( /* Remote host address on non-Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on non-Ethernet side of Ethernet TCC */ ) ) ), "remote" ( c( "inet-address" ( /* Remote host address on Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on Ethernet side of Ethernet TCC */ ), "mac-address" ( /* Remote host MAC address on Ethernet side of Ethernet TCC */ mac_addr /* Remote host MAC address on Ethernet side of Ethernet TCC */ ) ) ), "protocols" /* Protocols supported on TCC interface */ ) ), "vpls" ( /* Virtual private LAN service parameters */ c( "core-facing" /* Interface is core facing */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" /* Interface sampling */ ) ), "bridge" /* Layer-2 bridging parameters */, "ethernet-switching" ( /* Ethernet switching parameters */ ethernet_switching_type /* Ethernet switching parameters */ ), "fibre-channel" ( /* Fibre channel switching parameters */ fibre_channel_type /* Fibre channel switching parameters */ ), "pppoe" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "any" ( /* Parameters for 'any' family */ c( "filter" ( /* Layer 2 packet filtering */ c( "input" arg /* Name of filter applied to received packets */, "group" arg /* Group to which interface belongs */ ) ) ) ), "llc2" /* Enable Logical Link Control Type 2 */ ) ), "service-domain" ( /* Service domain to which interface belongs */ ("inside" | "outside") ), "copy-tos-to-outer-ip-header" /* Copy IP payload header's ToS field to GRE delivery header */, "copy-tos-to-outer-ip-header-transit" /* Copy IP ToS field to GRE header for transit packets */, "load-balancing-options" ( /* AMS subunit load balancing options */ c( "preferred-active" ( /* Preferred active Interface name */ interface_device /* Preferred active Interface name */ ), "disable-hash" /* Hash based distribution is not needed for this subunit */, "hash-keys" ( c( "ingress-key" ( /* Hash Key for the ingress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "iif")) ), "egress-key" ( /* Hash Key for the egress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "oif")) ), "ipv6-source-prefix-length" ( /* IPv6 source prefix length for hash computation */ ("56" | "64" | "96" | "128") ) ) ) ) ), "mac" ( /* Configure logical interface MAC address */ mac_unicast /* Configure logical interface MAC address */ ), "virtual-gateway-v4-mac" ( /* Configure virtual gateway IPV4 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV4 virtual MAC address */ ), "virtual-gateway-v6-mac" ( /* Configure virtual gateway IPV6 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV6 virtual MAC address */ ), "forwarding-options" /* Aggregated Ethernet interface forwarding-options */, "etree-ac-role" ( /* ETREE attachment circuit role */ ("root" | "leaf") ), "dialer-options" ( /* Dialer options */ c( "pool" arg /* Dialer pool */, "dial-string" arg /* String to dial out */, "incoming-map" ( /* Map incoming call to dialer */ c( c( "caller" arg /* Caller Id to be screened */.as(:oneline), "accept-all" /* Accept all incoming calls */ ) ) ), "callback" /* Call back on any incoming call to the dialer */, "callback-wait-period" arg /* Time to wait before calling back */, "redial-delay" arg /* Time to wait before redialing */, "idle-timeout" arg /* Delay before taking down the interface */, "watch-list" arg /* Dialer watch list */, "load-threshold" arg /* Load threshold for adding interfaces */, "load-interval" arg /* Interval used to calculate average load */, "activation-delay" arg /* Activation delay */, "deactivation-delay" arg /* Deactivation delay */, "initial-route-check" arg /* Delay to check primary after the router is up */, "always-on" /* Always keep on-line */ ) ), "backup-options" ( /* Backup interface configuration options */ c( "interface" ( /* Backup interface */ interface_name /* Backup interface */ ) ) ), "dynamic-call-admission-control" /* Dynamic call admission control configuration */ ) ), "no-partition" ( /* Use channelizable interface as clear channel */ sc( "interface-type" ( /* Interface type */ ("e1" | "t1" | "at" | "t3" | "e3" | "ct3" | "so" | "cau4") ) ) ).as(:oneline), "partition" arg ( /* Channelized interface partition */ sc( "oc-slice" arg /* Range of SONET/SDH slices (for example, 1, 7-9) */, "timeslots" arg /* Timeslots [(1..24) for T1, (1..31) for E1]; for example, 1-3,4,9,22-24 (no spaces) */, "interface-type" ( /* Sublevel interface type */ ("ds" | "e1" | "t1" | "at" | "ct1" | "ce1" | "t3" | "ct3" | "e3" | "so" | "coc1" | "cau4" | "dc" | "bc") ) ) ).as(:oneline), "radius-options" ( /* Interface RADIUS Options */ radius_options_vlan_type /* Interface RADIUS Options */ ), "modem-options" ( /* MODEM interface-specific options */ c( "init-command-string" arg /* AT command string to initialize modem */, "dialin" ( ("console" | "routable") ) ) ), "isdn-options" ( /* ISDN interface-specific options */ c( "switch-type" ( /* ISDN switch type */ ("ni1" | "etsi" | "att5e" | "ntdms100" | "ntt" | "ni2") ), "media-type" arg /* IDSN media type - voice, data or both */, "spid1" arg /* Service profile identifier */, "spid2" arg /* Additional service profile identifier */, "calling-number" arg /* Calling number included in outgoing calls */, "incoming-called-number" arg ( /* Incoming called number to be screened */ sc( "reject" /* Reject the called number */ ) ).as(:oneline), "tei-option" ( /* ISDN terminal endpoint identifier negotiation options */ ("first-call" | "power-up") ), "static-tei-val" arg /* Static TEI value */, "t310" arg /* Timer T310 value */, "bchannel-allocation" ( /* Allocate PRI dialout b-channel in ascending/descending order */ ("ascending" | "descending") ) ) ), "dialer-options" ( /* Dialer options */ c( "pool" arg ( /* Dialer pool */ sc( "priority" arg /* Dialer pool priority */ ) ).as(:oneline) ) ), "redundant-pseudo-interface-options" ( /* Pseudo interface redundancy options */ c( "redundancy-group" arg /* Redundancy group of this interface */ ) ), "act-sim" arg /* Default SIM slot to connect LTE network */, "cellular-options" ( /* Cellular interface specific options */ c( "sim" arg ( /* SIM slot to connect LTE network */ c( "select-profile" ( /* Profile to be applied */ sc( "profile-id" arg /* Profile to be used for data calls */ ) ).as(:oneline), "radio-access" ( /* Select radio access technology */ sc( c( "automatic" /* Automatically selects radio access type */, "umts-3g-only" /* 3G only */, "umts-3g-preferred" /* UMTS 3G Preferred */, "lte-only" /* Only LTE */, "lte-preferred" /* LTE Preferred */ ) ) ).as(:oneline), "encrypted-sim-unlock-code" ( /* Encrypted PIN */ unreadable /* Encrypted PIN */ ), "gateway" ( /* Set customer gateway for LTE network */ ipprefix /* Set customer gateway for LTE network */ ) ) ) ) ) ) ), interfaces_type ) ), "logical-systems" /* Logical systems */, "protocols" ( /* Routing protocol configuration */ c( "igmp" ( /* IGMP options */ c( "traceoptions" ( /* Trace options for IGMP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "mtrace" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "maximum-transmit-rate" arg /* Maximum transmission rate (packets per second) */, "accounting" /* Enable join and leave event notification */, "interface" ("$junos-interface-name" | arg) ( /* Interface options for IGMP */ c( ("disable"), "version" arg /* Set IGMP version number on this interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "group-increment" ( /* Mask for the incrementing group IP address */ ipv4addr /* Mask for the incrementing group IP address */ ), "group-count" arg /* Number of groups */, "exclude" /* Exclude sources */, "source" arg ( /* IP multicast source address */ c( "source-increment" ( /* Mask for the incrementing source IP address */ ipv4addr /* Mask for the incrementing source IP address */ ), "source-count" arg /* Number of sources */ ) ) ) ) ) ), "ssm-map" arg /* Map for SSM translation of IGMPv1 or IGMPv2 messages */, "ssm-map-policy" ( /* SSM map policy name */ policy_algebra /* SSM map policy name */ ), "immediate-leave" /* Group removed immediately, last membership query not sent */, "promiscuous-mode" /* Accept igmp messages coming from different subnet */, "accounting" /* Enable join and leave event notification */, "no-accounting" /* Don't enable join and leave event notification */, "group-policy" ( /* Group filter applied to incoming IGMP report messages */ policy_algebra /* Group filter applied to incoming IGMP report messages */ ), "group-limit" arg /* Maximum number of (source,group) per interface */, "group-threshold" arg /* Percentage of limit at which to generate warnings */, "log-interval" arg /* Time between consecutive log messages */, "passive" ( /* Suppress sending and receiving IGMP messages */ sc( "allow-receive" /* Allow receiving IGMP messages */, "send-general-query" /* Send IGMP general query messages */, "send-group-query" /* Send IGMP group query messages */ ) ).as(:oneline), "oif-map" ( /* Output interface map */ policy_algebra /* Output interface map */ ), "distributed" /* Distributed IGMP interface */ ) ), "amt" ( /* Automatic Multicast Tunnel options for IGMP */ c( "relay" ( /* AMT relay options for IGMP */ c( "defaults" ( /* Default AMT relay options for IGMP */ c( "version" arg /* Set IGMP version number on AMT interfaces */, "ssm-map" arg /* Map for SSM translation of IGMPv1 or IGMPv2 messages */, "ssm-map-policy" ( /* SSM map policy name */ policy_algebra /* SSM map policy name */ ), "accounting" /* Enable join and leave event notification */, "no-accounting" /* Don't enable join and leave event notification */, "group-policy" ( /* Group filter applied to incoming IGMP report messages */ policy_algebra /* Group filter applied to incoming IGMP report messages */ ), "group-limit" arg /* Maximum number of (source,group) per interface */, "group-threshold" arg /* Percentage of limit at which to generate warnings */, "log-interval" arg /* Time between consecutive log messages */, "robust-count" arg /* Expected packet loss on a subnet */, "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */ ) ) ) ) ) ) ) ), "oam" ( /* Operation, Administration, and Management configuration */ c( "ethernet" ( /* OAM configuration for Ethernet */ c( "link-fault-management" ( /* 802.3ah Ethernet OAM configuration */ c( "traceoptions" ( /* Trace options for link-fault management */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "protocol" | "action-profile" | "all")) /* Tracing parameters */.as(:oneline) ) ), "action-profile" arg ( /* Define an action profile */ c( "event" ( /* Events this action profile will check */ c( "link-adjacency-loss" /* Loss of adjacency with OAM peer */, "protocol-down" /* Upper layer indication on protocol down */, "link-event-rate" ( c( "symbol-period" arg /* Rate of receiving symbol period events */, "frame-error" arg /* Rate of receiving frame error events */, "frame-period" arg /* Rate of receiving frame period events */, "frame-period-summary" arg /* Rate of receiving frame period summary events */ ) ) ) ), "action" ( /* Action to take on specified events */ c( "syslog" /* Generate syslog message */, "link-down" /* Mark the interface down for transit traffic */, "send-critical-event" /* Start sending OAM PDUs with critical event bit set */ ) ) ) ), "interface" arg ( /* Interface on which to set Ethernet OAM parameters */ c( "apply-action-profile" arg /* Apply the specified action profile on the interface */, "pdu-interval" arg /* Periodic OAM protocol data unit interval */, "loopback-tracking" /* Enable link down on loopback detection */, "detect-loc" /* Detects initial lack of adjacency formation */, "link-discovery" ( /* Mode of discovery */ ("active" | "passive") ), "pdu-threshold" arg /* Number of PDUs missed before declaring peer lost */, "remote-loopback" /* Put remote DTE into remote-loopback mode */, "negotiation-options" ( /* 802.3ah features supported on the interface */ c( "no-allow-link-events" /* Do not emit periodic PDUs detailing framing and symbol errors */, "allow-remote-loopback" /* Allow local port to be put into loopback mode */ ) ), "event-thresholds" ( /* Thresholds for sending 802.3ah events */ c( "symbol-period" arg /* Threshold for sending symbol period events */, "frame-error" arg /* Threshold for sending frame error events */, "frame-period" arg /* Threshold for sending frame period error events */, "frame-period-summary" arg /* Threshold for sending frame period summary error events */ ) ) ) ) ) ), "connectivity-fault-management" ( /* Configurations related to 802.1ag ethernet oam */ c( "performance-monitoring" /* Configurations related to ethernet performance monitoring */, "connection-protection" /* Configurations related to Carrier Ethernet Transport Mode */, "no-aggregate-delegate-processing" /* Do not distribute aggregate session to pfe */, "enhanced-cfm-mode" /* Enables Enhanced CFM Mode */, "traceoptions" ( /* Trace options for connectivity fault management */ cfm_traceoptions /* Trace options for connectivity fault management */ ), "action-profile" arg ( /* Action profiles to use when one or more remote maintenance association endpoints are down */ c( "event" ( /* Events that need to be monitored */ c( "interface-status-tlv" ( /* Values that need to be monitored in interface status TLV */ ("down" | "lower-layer-down") ), "port-status-tlv" ( /* Values that need to be monitored in port status TLV */ ("blocked") ), "adjacency-loss" /* Connectivity is lost */, "rdi" /* RDI received from some MEP */, "connection-protection-tlv" ( /* Values that need to be monitored in connection protection TLV */ ("using-working-path" | "using-protection-path") ), "server-mep-defects" arg /* Defects which are monitored by Server MEP */, "ais-trigger-condition" /* Defect condition that generates alarm indication signal */ ) ), "action" ( c( "interface-down" /* Mark the interface as down */, "revertive-interface-down" /* Wait for CC loss-threshold to bring back the interface up */, "non-revertive-interface-down" /* Interface will not be brought up when CC is received */, "propagate-remote-mac-flush" /* Remote mac-flush */, "interface-group-down" /* Mark the interface group as down */, "log-and-generate-ais" ( c( "level" arg /* Server maintenance domain levels range */, "interval" ( /* Interval between AIS messages */ ("1s" | "1m") ), "priority" arg /* 802.1p priority of AIS packet */ ) ) ) ), "clear-action" ( c( "interface-down" ( /* Mark the interface as down */ sc( "peer-interface" /* Mark the interface as down */ ) ).as(:oneline), "propagate-remote-mac-flush" /* Remote mac flush */ ) ), "default-actions" ( /* Action that needs to be taken */ c( "interface-down" /* Bring the interface down */ ) ) ) ), "server-mep" /* Server MEP to use when generation of AIS is required to monitor different services */, "policer" ( /* Rate limit Ethernet OAM packets for all sessions */ c( "continuity-check" arg /* Policer to rate limit Continuity Check Ethernet OAM messages */, "other" arg /* Policer to rate limit non Continuity Check Ethernet OAM messages */, "all" arg /* Policer to rate limit all Ethernet OAM messages */ ) ), "linktrace" ( /* Linktrace protocol global options */ c( "path-database-size" arg /* Number of linktrace reply entries to be stored per linktrace request */, "age" ( /* Time after which a stale request-response entry is deleted */ ("10s" | "30s" | "1m" | "10m" | "30m") ) ) ), "maintenance-domain" ("default-0" | "default-1" | "default-2" | "default-3" | "default-4" | "default-5" | "default-6" | "default-7" | arg) ( /* Maintenance domain configuration */ c( "bridge-domain" /* Bridge-domain information for the default maintenance domain */.as(:oneline), "vlan" arg /* VLAN information for the default maintenance domain */.as(:oneline), "virtual-switch" arg ( /* Virtual switch Bridge-domain information for the default maintenance domain */ c( "bridge-domain" arg ( sc( "vlan-id" arg /* VLAN id */ ) ).as(:oneline) ) ), "instance" arg /* VPLS instance name for the default maintenance domain */.as(:oneline), "interface" arg /* Name of interface for the default maintenance domain */.as(:oneline), "level" arg /* Level value for maintenance domain */, "name-format" ( /* Format of maintenance domain name */ ("none" | "dns" | "mac+2oct" | "character-string") ), "mip-half-function" ( /* Half function to be implemented by MIP */ ("none" | "default" | "explicit") ), "maintenance-association" arg ( /* Maintenance association configuration */ c( "debug-session" /* Debug the CFM session */, "short-name-format" ( /* Format of Maintenance Association Name */ ("2octet" | "rfc-2685-vpn-id" | "vlan" | "character-string" | "icc") ), "protect-maintenance-association" /* Maintenance association used for connection protection */.as(:oneline), "primary-vid" ( /* VLAN id */ ("none" | arg) ), "continuity-check" ( /* Continuity check configuration */ c( "interval" ( /* Interval between continuity-check messages */ ("10ms" | "100ms" | "1s" | "10s" | "1m" | "10m" | "3.3ms") ), "loss-threshold" arg /* Number of continuity-check messages lost before marking endpoint as down */, "hold-interval" arg /* Time before flushing MEP database if no updates occur */, "port-status-tlv" /* Include port status TLV in CCM */, "interface-status-tlv" /* Include interface status TLV in CCM */, "connection-protection-tlv" /* Include connection protection OUI TLV in CCM */, "convey-loss-threshold" /* Include Loss Threshold OUI TLV in CCM */, "interface-status-send-rdi" /* Send RDI on interface operation status down in CCM */, "sendid-tlv" ( /* Include sendid-tlv in CCM/LBM/LTM */ c( "send-chassis-tlv" /* Attach Chassis ID & Mgmt Addr to CCM/LBM/LTM */ ) ) ) ), "mip-half-function" ( /* Half function to be implemented by MIP */ ("none" | "default" | "explicit" | "defer") ), "mep" arg ( /* Maintenance association endpoint configuration */ c( "interface" ( /* Name of interface */ sc( interface_unit, "vlan" arg /* Trunk port interface VLAN identifier */, c( "working" /* Monitory the primary path */, "protect" /* Monitory the protect path */ ) ) ).as(:oneline), "direction" ( /* Direction of maintenance endpoint */ ("up" | "down") ), "priority" arg /* 802.1p priority of continuity-check and link-trace packet */, "auto-discovery" /* Accept continuity-check messages from all remote MEPs */, "action-profile" arg /* Name of the action profile */, "remote-mep" arg ( /* Remote maintenance association endpoint configuration */ c( "action-profile" arg /* Name of the action profile */, "interface-group" ( /* Mark this interface group down Profile configured with action interface-group-down */ c( interface_device /* Interface device name */, "unit-list" arg /* One or more logical interface unit numbers */ ) ), "sla-iterator-profile" arg ( /* Name of the iterator profile */ c( "iteration-count" arg /* Iterations to partake for acquiring SLA measurements */, "priority" arg /* The vlan pcp value to be sent in the Y.1731 frame */, "data-tlv-size" arg /* Size of the data-tlv portion of Y.1731 frame */ ) ), "detect-loc" /* Detects initial loss of connectivity with remote mep */ ) ), "lowest-priority-defect" ( /* Lowest priority defect that is allowed to generate a fault alarm */ ("all-defects" | "mac-rem-err-xcon" | "rem-err-xcon" | "err-xcon" | "xcon" | "no-defect") ) ) ), "policer" ( /* Rate limit Ethernet OAM packets for this session */ c( "continuity-check" arg /* Policer to rate limit Continuity Check Ethernet OAM messages */, "other" arg /* Policer to rate limit non Continuity Check Ethernet OAM messages */, "all" arg /* Policer to rate limit all Ethernet OAM messages */ ) ) ) ) ) ), "sendid-tlv" ( /* Include sendid-tlv in CCM/LBM/LTM */ c( "send-chassis-tlv" /* Attach Chassis ID & Mgmt Addr to CCM/LBM/LTM */ ) ) ) ), "evcs" arg ( /* Ethernet virtual circuits configuration */ c( "evc-protocol" ( /* Signaling protocol to monitor EVC status */ sc( c( "cfm" ( /* Connectivity fault management */ sc( "maintenance-domain" arg /* Maintenance domain name */, "maintenance-association" arg /* Maintenance association name */, "mep" arg /* Identifier for maintenance association endpoint */, "faults" /* CFM faults to trigger ELMI */ ) ).as(:oneline), "vpls" ( /* Virtual private LAN service (BGP/LDP) */ sc( "routing-instance" arg /* Routing instance name */ ) ).as(:oneline), "l2circuit" /* L2circuit */, "l2vpn" /* L2vpn */ ) ) ).as(:oneline), "remote-uni-count" arg /* Number of remote UNIs in the EVC */, "async-status-msg-transmit-interval" arg /* Time interval between E-LMI async status messages per EVC */, "multipoint-to-multipoint" /* Multipoint to Multipoint EVC */ ) ), "lmi" ( /* Ethernet local management interface configuration */ c( "traceoptions" ( /* Trace options for ethernet local management interface */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "protocol" | "init" | "error" | "packet" | "all")) /* Tracing parameters */.as(:oneline) ) ), "status-counter" arg /* E-LMI status counter (N393) */, "polling-verification-timer" arg /* Polling verification timer (T392) */, "interface" arg ( /* Interface options */ c( "uni-id" arg /* UNI identifier */, "status-counter" arg /* E-LMI status counter (N393) */, "polling-verification-timer" arg /* Polling verification timer (T392) */, "evc-map-type" ( /* CE-VLAN ID/EVC map type */ ("all-to-one-bundling" | "service-multiplexing" | "bundling") ), "evc" arg ( /* EVC configuration */ c( "default-evc" /* Default EVC */, "vlan-list" arg /* Vlans mapped to this EVC */ ) ) ) ) ) ), "fnp" ( /* Failure notification protocol configuration */ c( "traceoptions" ( /* Tracing options for FNP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("events" | "pdu" | "timers" | "error" | "all")) /* Tracing parameters */.as(:oneline) ) ), "interval" ( /* Interval between FNP messages */ ("100ms" | "1s" | "10s" | "1m" | "10m") ), "loss-threshold" arg /* Number of FNP messages lost before clearing FNP state */, "interface" arg ( /* Interface configuration */ c( "domain-id" arg /* Ethernet domain identifier */ ) ) ) ) ) ), "gre-tunnel" ( c( "traceoptions" ( /* Trace options for GRE keepalives */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "protocol" | "snmp" | "all")) /* Tracing parameters */.as(:oneline) ) ), "interface" arg ( c( "keepalive-time" arg /* Keepalive time */, "hold-time" arg /* Hold time */ ) ) ) ) ) ), "mld" ( /* MLD options */ c( "traceoptions" ( /* Trace options for MLD */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "mtrace" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "maximum-transmit-rate" arg /* Maximum transmission rate (packets per second) */, "accounting" /* Enable join and leave event notification */, "interface" ("$junos-interface-name" | arg) ( /* Interface options for MLD */ c( ("disable"), "version" arg /* Set mld version number on this interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "group-increment" ( /* Mask for the incrementing group IP address */ ipv6addr /* Mask for the incrementing group IP address */ ), "group-count" arg /* Number of groups */, "exclude" /* Exclude sources */, "source" arg ( /* IP multicast source address */ c( "source-increment" ( /* Mask for the incrementing source IP address */ ipv6addr /* Mask for the incrementing source IP address */ ), "source-count" arg /* Number of sources */ ) ) ) ) ) ), "ssm-map" arg /* Map for ssm translation of mld v1 messages */, "ssm-map-policy" ( /* SSM map policy name */ policy_algebra /* SSM map policy name */ ), "immediate-leave" /* Group removed immediately, last membership query not sent */, "group-policy" ( /* Group filter applied to incoming mld report messages */ policy_algebra /* Group filter applied to incoming mld report messages */ ), "group-limit" arg /* Maximum number of (source,group) per interface */, "group-threshold" arg /* Percentage of group-limit at which to start generating warnings */, "log-interval" arg /* Time between consecutive log messages */, "accounting" /* Enable join and leave event notification */, "no-accounting" /* Don't enable join and leave event notification */, "passive" ( /* Suppress sending and receiving mld messages */ sc( "allow-receive" /* Allow receiving mld messages */, "send-general-query" /* Send mld general query messages */, "send-group-query" /* Send mld group query messages */ ) ).as(:oneline), "oif-map" ( /* Output interface map */ policy_algebra /* Output interface map */ ), "distributed" /* Distributed MLD interface */ ) ) ) ), "pim" ( /* PIM configuration */ juniper_protocols_pim /* PIM configuration */ ), "router-advertisement" ( /* IPv6 router advertisement options */ c( "traceoptions" ( /* Trace options for router advertisement */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) /* Tracing parameters */.as(:oneline) ) ), "interface" ("$junos-interface-name" | arg) ( /* Interfaces on which to configure router advertisement */ c( "preference" ( /* Set the Preference for Router Selection */ ("medium" | "high" | "low") ), "max-advertisement-interval" arg /* Maximum advertisement interval */, "min-advertisement-interval" arg /* Minimum advertisement interval */, "managed-configuration" /* Set managed address configuration */, "no-managed-configuration" /* Don't set managed address configuration */, "other-stateful-configuration" /* Set other stateful configuration */, "no-other-stateful-configuration" /* Don't set other stateful configuration */, "link-mtu" /* Link MTU */, "no-link-mtu" /* Don't link MTU */, "solicit-router-advertisement-unicast" /* Enbale solicited router advertisement as unicast */, "reachable-time" arg /* Reachable time */, "retransmit-timer" arg /* Retransmit timer */, "virtual-router-only" /* Send advertisemnets only for vrrp-inet6-group */, "current-hop-limit" arg /* Current hop limit */, "default-lifetime" arg /* Router lifetime */, "dns-server-address" ("$junos-ipv6-dns-server-address" | arg) ( /* Recursive DNS address configuration */ c( "lifetime" arg /* DNS address lifetime */ ) ), "prefix" arg ( /* Prefix configuration */ c( "valid-lifetime" arg /* Valid lifetime (fixed) */, "on-link" /* Set on-link flag */, "no-on-link" /* Don't set on-link flag */, "preferred-lifetime" arg /* Preferred lifetime (fixed) */, "autonomous" /* Set autonomous flag */, "no-autonomous" /* Don't set autonomous flag */ ) ) ) ), "ra-secure" ( /* Protect box against rogue incoming RA messages */ c( "accept-current-hop-limit-min" arg /* Current hop limit acceptable min for incoming RA */, "accept-current-hop-limit-max" arg /* Current hop acceptable min for incoming RA */, "accept-reachable-time-min" arg /* Reachable Time acceptable min for incoming RA */, "accept-reachable-time-max" arg /* Reachable Time acceptable max for incoming RA */, "accept-retransmit-time-min" arg /* Retransmit Time acceptable min for incoming RA */, "accept-retransmit-time-max" arg /* Retransmit Time acceptable min for incoming RA */ ) ) ) ) ) ), "class-of-service" ( /* Class-of-service configuration */ juniper_class_of_service_options /* Class-of-service configuration */ ), "routing-options" ( /* Protocol-independent routing option configuration */ c( "rib" arg ( /* Routing table options */ c( "static" ( /* Static routes */ c( "rib-group" arg /* Routing table group */, "defaults" ( /* Global route options */ c( "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route" arg ( /* Static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "static-route" ( /* Static route Status */ sc( "bfd-admin-down" ( /* Static route State on BFD ADMIN DOWN */ ("active" | "passive") ) ) ).as(:oneline), "iso-route" arg ( /* ISO family static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route-target-filter" arg ( /* Route-target-filter route */ c( "neighbor" ( /* BGP peers for filter */ ipaddr /* BGP peers for filter */ ), "group" arg /* BGP groups for filter */, "local" /* Locally originated filter */ ) ) ) ), "martians" ( /* Invalid routes */ martian_type /* Invalid routes */ ), "aggregate" ( /* Coalesced routes */ rib_aggregate_type /* Coalesced routes */ ), "generate" ( /* Route of last resort */ rib_aggregate_type /* Route of last resort */ ), c( "maximum-routes" ( /* Maximum number of routes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "maximum-paths" ( /* Maximum number of paths */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline) ), "maximum-prefixes" ( /* Maximum number of prefixes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "multipath" ( /* Protocol-independent load balancing */ c( "vpn-unequal-cost" ( /* Include VPN routes with unequal IGP metrics */ sc( "equal-external-internal" /* Include external and internal VPN routes */ ) ).as(:oneline), "as-path-compare" /* Compare AS path sequences in addition to AS path length */ ) ), "protect" ( /* Protocol-independent protection */ sc( "core" /* Protect against unreachability to service-edge router */ ) ).as(:oneline), "label" ( /* Label processing */ c( "allocation" ( /* Label allocation policy */ policy_algebra /* Label allocation policy */ ), "substitution" ( /* Label substitution policy */ policy_algebra /* Label substitution policy */ ) ) ), "access" ( /* Access routes */ c( "route" arg ( /* Access route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "metric" arg /* Metric value */, "preference" arg /* Preference value */, "tag" arg /* Tag string */, "tag2" arg /* Tag2 string */ ) ) ) ), "access-internal" ( /* Access-internal routes */ c( "route" arg ( /* Access-internal route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ) ) ) ) ), "bgp-static" ( /* Routes for BGP static advertisements */ c( "route" arg ( /* BGP-static route */ c( "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ) ) ), "flow" ( /* Locally defined flow routing information */ c( "validation" ( /* Flow route validation options */ flow_validation /* Flow route validation options */ ), "route" ( /* Flow route */ flow_route_inet6 /* Flow route */ ), "interface-group" ( /* Interface-group for applying flow-spec filter */ flow_interface_group /* Interface-group for applying flow-spec filter */ ) ) ) ) ), "access" ( /* Access routes */ c( "route" arg ( /* Access route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "metric" arg /* Metric value */, "preference" arg /* Preference value */, "tag" arg /* Tag string */, "tag2" arg /* Tag2 string */ ) ) ) ), "access-internal" ( /* Access-internal routes */ c( "route" arg ( /* Access-internal route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ) ) ) ) ), "multicast" ( /* Global multicast options */ c( "traceoptions" ( /* Global multicast trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("parse" | "config-internal" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "rpf" arg, "scope" arg ( /* Multicast address scope */ c( "prefix" ( /* Administratively scoped address */ ipprefix /* Administratively scoped address */ ), "interface" ( /* Interface on which to configure scoping */ interface_name /* Interface on which to configure scoping */ ) ) ), "scope-policy" ( /* Scoping policy */ policy_algebra /* Scoping policy */ ), "flow-map" arg ( /* Multicast flow map configuration */ c( "policy" ( /* Policy for matched flows */ policy_algebra /* Policy for matched flows */ ), "bandwidth" ( /* Bandwidth properties for matched flows */ sc( arg /* Static or default bandwidth for the matched flows */, "adaptive" /* Auto-sense bandwidth for matched flows */ ) ).as(:oneline), "redundant-sources" ( /* Redundant source addresses */ ipaddr /* Redundant source addresses */ ), "forwarding-cache" ( /* Forwarding cache properties for matched flows */ c( "timeout" ( /* Timeout properties for matched flows */ sc( c( arg, "never" ( /* Forwarding cache entries never time out */ c( "non-discard-entry-only" /* Apply only to non-discard entries */ ) ) ) ) ).as(:oneline) ) ) ) ), "resolve-filter" ( /* Multicast resolve policy filter */ policy_algebra /* Multicast resolve policy filter */ ), "ssm-groups" ( /* Source-specific multicast group ranges */ ipprefix /* Source-specific multicast group ranges */ ), "asm-override-ssm" /* Allow ASM state for SSM group ranges */, "rpf-check-policy" ( /* Disable RPF check for a source group pair */ policy_algebra /* Disable RPF check for a source group pair */ ), "pim-to-igmp-proxy" ( /* PIM-to-IGMP proxy */ c( "upstream-interface" ( /* Upstream interface list */ interface_name /* Upstream interface list */ ) ) ), "pim-to-mld-proxy" ( /* PIM-to-MLD proxy */ c( "upstream-interface" ( /* Upstream interface list */ interface_name /* Upstream interface list */ ) ) ), "forwarding-cache" ( /* Multicast forwarding cache */ c( "allow-maximum" /* Allow maximum of global and family level threshold values for suppress and reuse */, "family" enum(("inet" | "inet6")) ( /* Protocol family */ c( "threshold" ( /* Multicast forwarding cache suppress threshold */ c( "suppress" arg /* Suppress threshold */, "reuse" arg /* Reuse threshold */, "mvpn-rpt-suppress" arg /* MVPN RP tree entry suppress threshold */, "mvpn-rpt-reuse" arg /* MVPN RP tree entry reuse threshold */, "log-warning" arg /* Percentage at which to start generating warnings */ ) ) ) ), "threshold" ( /* Threshold */ c( "suppress" arg /* Suppress threshold */, "reuse" arg /* Reuse threshold */, "mvpn-rpt-suppress" arg /* MVPN RP tree entry suppress threshold */, "mvpn-rpt-reuse" arg /* MVPN RP tree entry reuse threshold */, "log-warning" arg /* Percentage at which to start generating warnings */ ) ), "timeout" arg /* Forwarding cache entry timeout in minutes */ ) ), "interface" ( /* Multicast interface options */ multicast_interface_options_type /* Multicast interface options */ ), "ssm-map" arg ( /* SSM map definitions */ c( "policy" ( /* Policy for matching group */ policy_algebra /* Policy for matching group */ ), "source" ( /* One or more source addresses */ ipaddr /* One or more source addresses */ ) ) ), "stream-protection" /* Multicast only Fast Re-Route */, "backup-pe-group" arg ( /* Backup PE group definitions */ c( "backups" ( /* One or more IP addresses */ ipaddr /* One or more IP addresses */ ), "local-address" ( /* Address to be used as local-address for this group */ ipaddr /* Address to be used as local-address for this group */ ) ) ), "omit-wildcard-address" /* Omit wildcard source/group fields in SPMSI AD NLRI */, "local-address" ( /* Local address for PIM and MVPN sessions */ ipv4addr /* Local address for PIM and MVPN sessions */ ) ) ) ) ), "firewall" ( /* Define a firewall configuration */ c( "family" ( /* Protocol family */ c( "inet" ( /* Protocol family IPv4 for firewall filter */ c( "dialer-filter" ( /* Define an IPv4 dialer filter */ inet_dialer_filter /* Define an IPv4 dialer filter */ ), "prefix-action" ( /* Define a prefix action */ prefix_action /* Define a prefix action */ ), "filter" ( /* Define an IPv4 firewall filter */ inet_filter /* Define an IPv4 firewall filter */ ), "template" ( /* Define an Inet firewall template */ inet_template /* Define an Inet firewall template */ ), "simple-filter" ( /* Define an IPv4 firewall simple filter */ inet_simple_filter /* Define an IPv4 firewall simple filter */ ), "service-filter" ( /* One or more IPv4 service filters */ inet_service_filter /* One or more IPv4 service filters */ ), "fast-update-filter" ( /* One or more fast update filters */ inet_fuf /* One or more fast update filters */ ) ) ), "inet6" ( /* Protocol family IPv6 for firewall filter */ c( "dialer-filter" ( /* Define an IPv6 dialer filter */ inet6_dialer_filter /* Define an IPv6 dialer filter */ ), "filter" ( /* Define an IPv6 firewall filter */ inet6_filter /* Define an IPv6 firewall filter */ ), "service-filter" ( /* One or more IPv6 service filters */ inet6_service_filter /* One or more IPv6 service filters */ ), "fast-update-filter" ( /* One or more fast update filters */ inet6_fuf /* One or more fast update filters */ ), "template" ( /* Define an Inet6 firewall template */ inet6_template /* Define an Inet6 firewall template */ ) ) ), "mpls" ( /* Protocol family MPLS for firewall filter */ c( "dialer-filter" ( /* Define an mpls dialer filter */ mpls_dialer_filter /* Define an mpls dialer filter */ ), "filter" ( mpls_filter ), "template" ( /* Define an MPLS firewall template */ mpls_template /* Define an MPLS firewall template */ ) ) ), "vpls" ( /* Protocol family VPLS for firewall filter */ c( "filter" ( vpls_filter ) ) ), "evpn" ( /* Protocol family EVPN for firewall filter */ c( "filter" ( vpls_filter ) ) ), "bridge" /* Protocol family BRIDGE for firewall filter */, "ccc" ( /* Protocol family CCC for firewall filter */ c( "filter" ( ccc_filter ) ) ), "any" ( /* Protocol-independent filter */ c( "filter" ( /* Define a protocol independent filter */ any_filter /* Define a protocol independent filter */ ), "template" ( /* Define Protocol independent filter template */ any_template /* Define Protocol independent filter template */ ) ) ), "ethernet-switching" ( /* Protocol family Ethernet Switching for firewall filter */ c( "filter" ( /* Define an Ethernet Switching firewall filter */ es_filter /* Define an Ethernet Switching firewall filter */ ), "template" ( /* Define an ethernet switching firewall template */ es_template /* Define an ethernet switching firewall template */ ) ) ) ) ), "policer" ( /* Policer template definition */ firewall_policer /* Policer template definition */ ), "flexible-match" ( /* Flexible packet match template definition */ firewall_flexible_match /* Flexible packet match template definition */ ), "tunnel-end-point" ( /* Tunnel end-point template definition */ tunnel_end_point /* Tunnel end-point template definition */ ), "hierarchical-policer" ( /* Hierarchical policer template definition */ firewall_hierpolicer /* Hierarchical policer template definition */ ), "interface-set" ( /* Interface set definition */ interface_set_type /* Interface set definition */ ), "load-balance-group" ( /* Load-balance group definition */ firewall_load_balance_group /* Load-balance group definition */ ), "atm-policer" ( /* Atm policer */ atm_policer_type /* Atm policer */ ), "three-color-policer" ( /* Three-color policer */ three_color_policer_type /* Three-color policer */ ), "filter" ( /* Define an IPv4 firewall filter */ inet_filter /* Define an IPv4 firewall filter */ ) ) ), "services" ( /* Service PIC applications settings */ c( "aacl" /* Application Aware Access List services configuration */, "captive-portal-content-delivery" /* Configuration for captive portal and content delivery service */ ) ), "profile-variable-set" ( /* Dynamic profiles variable configuration */ juniper_dynamic_profile_varset_object /* Dynamic profiles variable configuration */ ), "policy-options" ( /* Routing policy option configuration */ c( "prefix-list" arg ( /* Define a named set of address prefixes */ c( prefix_list_items, "apply-path" arg /* Apply IP prefixes from a configuration statement */ ) ) ) ), "extensible-subscriber-services" ( /* Extensible subscriber services */ c( "vsas" arg /* Service VSAs */ ) ), "access-cac" ( /* Access ucac configuration */ c( "interface" ( /* Access ucac interface options */ access_cac_interface_options /* Access ucac interface options */ ) ) ), "profile-type" ( /* Profile type */ c( "remote-device-service" /* Service profile to be programmed on a remote device */ ) ) ) ) end rule(:access_cac_interface_options) do arg.as(:arg) ( c( "multicast-video-bandwidth" ( /* Maximum multicast bandwidth for the interface */ sc( arg /* Bandwidth used in access cac configuration */ ) ).as(:oneline), "video-bandwidth" ( /* Maximum video bandwidth for the interface */ sc( arg /* Bandwidth used in access cac configuration */ ) ).as(:oneline), c( "no-qos-adjust" /* No qos adjustment */, "qos-adjust-hierarchical" ( /* Ucac interface set configuration */ c( "interface-set" /* Enable hierarchical adjust on iflset */ ) ) ), "multicast-video-policy" arg ( /* Mcast video policy */ c( "family" ( /* Access cac multicast policy family */ c( c( "inet" ( /* Family inet */ c( "source" ( /* One or more multicast source addresses */ ipv4addr /* One or more multicast source addresses */ ), "group" ( /* One or more multicast group addresses */ ipv4addr /* One or more multicast group addresses */ ) ) ), "inet6" ( /* Family inet6 */ c( "source" ( /* One or more multicast source addresses */ ipv6addr /* One or more multicast source addresses */ ), "group" ( /* One or more multicast group addresses */ ipv6addr /* One or more multicast group addresses */ ) ) ) ) ) ), "bandwidth" ( /* Maximum video bandwidth for the interface */ c( arg /* Bandwidth used in access cac configuration */ ) ), "adaptive" /* Use multicast real traffic rate */ ) ) ) ) end rule(:base_default_variable_object) do ("igmp-enable" | "igmp-access-group-name" | "igmp-access-source-group-name" | "igmp-version" | "igmp-immediate-leave" | "mld-access-group-name" | "mld-access-source-group-name" | "mld-immediate-leave" | "input-filter" | "output-filter" | "input-ipv6-filter" | "output-ipv6-filter" | "adf-rule-v4" | "adf-rule-v6" | "cos-scheduler-map" | "cos-shaping-rate" | "cos-guaranteed-rate" | "cos-delay-buffer-rate" | "cos-traffic-control-profile" | "cos-shaping-mode" | "cos-byte-adjust" | "cos-scheduler" | "cos-scheduler-pri" | "cos-scheduler-dropfile-low" | "cos-scheduler-dropfile-medium-low" | "cos-scheduler-dropfile-medium-high" | "cos-scheduler-dropfile-high" | "cos-scheduler-dropfile-any" | "cos-scheduler-excess-rate" | "cos-scheduler-explicit-congestion-notification" | "cos-scheduler-excess-priority" | "interface-set-name" | "aggregation-interface-set-name" | "cos-adjust-minimum" | "cos-excess-rate-high" | "cos-excess-rate-low" | "cos-shaping-rate-burst" | "cos-byte-adjust-frame" | "cos-byte-adjust-cell" | "cos-shaping-rate-priority-high" | "cos-shaping-rate-priority-high-burst" | "cos-shaping-rate-priority-medium" | "cos-shaping-rate-priority-medium-burst" | "cos-shaping-rate-priority-low" | "cos-shaping-rate-priority-low-burst" | "cos-shaping-rate-excess-high" | "cos-shaping-rate-excess-high-burst" | "cos-shaping-rate-excess-low" | "cos-shaping-rate-excess-low-burst" | "cos-guaranteed-rate-burst" | "cos-traffic-control-profile-remaining" | "routing-instances" | "pim-enable" | "interface-mtu" | "inner-vlan-tag-protocol-id").as(:arg) ( c( arg /* Default value for predefined variable */ ) ) end rule(:cfm_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "protocol" | "init" | "error" | "issu" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:flow_interface_group) do c( arg, "exclude" /* Don't apply flow-spec filter to traffic on this group */ ).as(:oneline) end rule(:flow_route_inet6) do arg.as(:arg) ( c( "no-install" /* Don't install firewall filter in forwarding */, "match" ( /* Flow definition */ flow_route_qualifier_inet6 /* Flow definition */ ), "then" ( /* Actions to take for this flow */ flow_route_op /* Actions to take for this flow */ ) ) ) end rule(:flow_route_op) do c( "community" arg /* Name of BGP community */, c( "accept" /* Allow traffic through */, "discard" /* Discard all traffic for this flow */, "rate-limit" arg /* Rate in bits/sec to limit the flow traffic */ ), "routing-instance" arg /* Redirect to instance identified via Route Target community */, "sample" /* Sample traffic that matches this flow */, "mark" arg /* Set DSCP value for traffic that matches this flow */, "next-term" /* Continue the filter evaluation after matching this flow */ ) end rule(:flow_route_qualifier_inet6) do c( "protocol" ( /* IP protocol value */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "tcp-flags" ( /* TCP flags */ ("fin" | "syn" | "rst" | "push" | "ack" | "urgent" | arg) ), "packet-length" ( /* Packet length (0-65535) */ policy_algebra /* Packet length (0-65535) */ ), "dscp" ( /* Differentiated Services (DiffServ) code point (DSCP) (0-63) */ policy_algebra /* Differentiated Services (DiffServ) code point (DSCP) (0-63) */ ), "fragment" ( ("dont-fragment" | "not-a-fragment" | "is-fragment" | "first-fragment" | "last-fragment") ), "destination" ( /* Destination prefix for this traffic flow */ flow_prefix_with_offset /* Destination prefix for this traffic flow */ ), "source" ( /* Source prefix for this traffic flow */ flow_prefix_with_offset /* Source prefix for this traffic flow */ ), "icmp6-type" ( /* ICMP message type */ ("echo-request" | "echo-reply" | "destination-unreachable" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "packet-too-big" | "membership-query" | "membership-report" | "membership-termination" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | arg) ), "icmp6-code" ( /* ICMP message code */ ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ), "flow-label" ( /* Flow-label (0-1048575) */ policy_algebra /* Flow-label (0-1048575) */ ) ) end rule(:flow_prefix_with_offset) do c( ipv6prefix, "prefix-offset" arg /* Offset from where prefix match will start */ ).as(:oneline) end rule(:flow_validation) do c( "traceoptions" ( /* Trace options */ flow_dep_traceoptions /* Trace options */ ) ) end rule(:flow_dep_traceoptions) do c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("resolution" | "flash" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */, "filter" ( /* Filter to apply to tracing */ sc( "match-on" ( /* Argument on which to match */ ("prefix" | "route-attribute") ), "policy" ( /* Filter policy */ policy_algebra /* Filter policy */ ) ) ).as(:oneline) ) ).as(:oneline) ) end rule(:juniper_dynamic_profile_varset_object) do arg.as(:arg) ( c( "junos-mep-id" arg /* Dynamic variable to substitute 'mep' value in the profile */, "junos-md-level" arg /* Dynamic variable to substitute 'level' value in the profile */, "junos-remote-mep-id" arg /* Dynamic variable to substitute 'remote-mep' value in the profile */, "junos-md-name" arg /* Dynamic variable to substitute 'maintenance-domain' in profile */, "junos-ma-name" arg /* Dynamic variable to substitute 'maintenance-association' in profile */, "junos-loss-threshold" arg /* Dynamic variable to substitute 'loss-threshold' in profile */, "junos-md-name-format" ( /* Dynamic variable to substitute 'name-format' in profile */ ("none" | "dns" | "mac+2oct" | "character-string") ), "junos-ma-name-format" ( /* Dynamic variable to substitute 'short-name-format' in profile */ ("2octet" | "rfc-2685-vpn-id" | "vlan" | "character-string" | "icc") ), "junos-ccm-interval" ( /* Dynamic variable to substitute 'interval' in profile */ ("10ms" | "100ms" | "1s" | "10s" | "1m" | "10m") ), "junos-action-profile" arg /* Dynamic variable to substitute 'action-profile' in profile */, "junos-layer2-output-policer" arg /* Dynamic variable to substitute 'layer2 output-policer' */ ) ) end rule(:juniper_dynamic_variable_object) do arg.as(:arg) ( c( "equals" arg /* Computable expression of dynamic profile variables */, "default-value" arg /* Default value for variable */, "mandatory" /* Variable must be supplied by external server */, "uid-reference" /* Variable that refers to the uid variable */, "uid" /* Compute unique Id value for the variable */ ) ) end rule(:juniper_enhanced_category_type) do arg.as(:arg) ( c( "action" ( /* Action to perform when web traffic matches category */ ("permit" | "log-and-permit" | "block" | "quarantine") ), "custom-message" arg /* Custom message */ ) ) end rule(:juniper_enhanced_server) do c( "host" arg /* Server host IP address or string host name */, "port" arg /* Server port */, "proxy-profile" arg /* Proxy profile */, "routing-instance" arg /* Routing instance name */ ) end rule(:juniper_enhanced_site_reputation_setting) do c( "very-safe" ( /* Action when site reputation is very safe */ ("permit" | "log-and-permit" | "block" | "quarantine") ), "moderately-safe" ( /* Action when site reputation is moderately safe */ ("permit" | "log-and-permit" | "block" | "quarantine") ), "fairly-safe" ( /* Action when site reputation is fairly safe */ ("permit" | "log-and-permit" | "block" | "quarantine") ), "suspicious" ( /* Action when site reputation is suspicious */ ("permit" | "log-and-permit" | "block" | "quarantine") ), "harmful" ( /* Action when site reputation is harmful */ ("permit" | "log-and-permit" | "block" | "quarantine") ) ) end rule(:juniper_forwarding_options) do c( "storm-control-profiles" arg ( /* Storm control profile for this instance */ c( "all" ( /* For all BUM traffic */ c( c( "bandwidth-percentage" arg /* Percentage of link bandwidth */, "bandwidth-level" arg /* Link bandwidth */ ), "no-broadcast" /* Disable broadcast storm control */, "no-unknown-unicast" /* Disable unknown unicast storm control */, c( "no-multicast" /* Disable multicast storm control */, "no-registered-multicast" /* Disable registered multicast storm control */, "no-unregistered-multicast" /* Disable unregistered multicast storm control */ ) ) ), "action-shutdown" /* Disable port for excessive storm control errors */ ) ), c( "sampling" ( /* Statistical traffic sampling options */ juniper_sampling_options /* Statistical traffic sampling options */ ), "packet-capture" ( /* Packet capture options */ juniper_packet_capture_options /* Packet capture options */ ) ), "monitoring" ( /* Configure lawful interception of traffic */ juniper_monitoring_options /* Configure lawful interception of traffic */ ), "accounting" ( /* Configure accounting of traffic */ juniper_packet_accounting_options /* Configure accounting of traffic */ ), "analyzer" ( /* Analyzer options */ smpl_analyzer_type /* Analyzer options */ ), "port-mirroring" ( /* Configure port mirroring of traffic */ juniper_port_mirror_options /* Configure port mirroring of traffic */ ), "multicast-replication" ( /* Set mode of multicast replication */ c( "ingress" /* Complete ingress replication */, "local-latency-fairness" /* Complete parallel replication */, "evpn" ( /* EVPN IRB multicast related options */ c( "irb" ( ("local-only" | "local-remote") ) ) ) ) ), "load-balance" ( /* Configure load-balancing attributes on the forwarding path */ c( "indexed-load-balance" /* Use indexed permuted next hop lists for unilist and aggregate next hops */, "per-flow" ( c( "hash-seed" /* Enable per flow seed value on packet forwarding engine */ ) ), "per-prefix" ( c( "hash-seed" arg /* Specifies per-router input value for per-prefix load-balancing hash function */ ) ) ) ), "hash-key" ( /* Select data used in the hash key */ junos_hash_key /* Select data used in the hash key */ ), "local-bias" /* Turn on local bias functionality */, "enhanced-hash-key" /* Select data used in the hash key for Enhanced IP Forwarding Engines */, "next-hop" ( /* Next hop throttle */ c( "arp-throttle" arg /* Change the arp throttling time(seconds) */, "arp-detect" arg /* Change the arp throttling detect time(milliseconds) */ ) ), "multicast" ( /* Multicast resolve and mismatch rate */ c( "resolve-rate" arg /* Multicast resolve rate */, "mismatch-rate" arg /* Multicast interface mismatch rate */, "policer" ) ), "rpf-loose-mode-discard" /* Configure rpf loose mode behavior */, "l2circuit-control-passthrough" /* Configure passthrough for control protocol packets on L2 Circuit */, "explicit-null-cos" ( /* Configure to use MPLS explicit null exp for COS classification */ c( "inet" /* Include family inet */, "inet6" /* Include family inet6 */ ) ), "helpers" ( /* Port forwarding configuration */ c( "traceoptions" ( /* Trace options for helper */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("trace" | "address" | "main" | "config" | "ifdb" | "io" | "rtsock" | "ui" | "util" | "gencfg" | "domain" | "tftp" | "bootp" | "port" | "if-rtsdb" | "all")) /* Area of UDP forwarding helper process on which to enable debugging output */.as(:oneline) ) ), "rtsdb-client-traceoptions" ( /* SHM rtsock database client library trace options */ c( "if-rtsdb" ( /* Trace interface hierarchy rtsdb */ c( "flag" enum(("init" | "routing-socket" | "map" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) ), "domain" ( /* Incoming DNS request forwarding configuration */ c( "description" arg /* Text description of server */, "server" ( /* Server information */ sc( ipv4addr /* Name or address of server to which to forward */, c( "logical-system" ( /* Logical system of server to which to forward */ sc( arg /* Name of logical system */, "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ) ).as(:oneline), "interface" arg ( /* Incoming DNS request forwarding interface configuration */ c( "no-listen" /* Do not listen on this interface */, "broadcast" /* If the layer 2 interface is unknown then broadcast */, "description" arg /* Text description of server */, "server" ( /* Server information */ sc( ipv4addr /* Name or address of server to which to forward */, c( "logical-system" ( /* Logical system of server to which to forward */ sc( arg /* Name of logical system */, "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ) ).as(:oneline) ) ) ) ), "tftp" ( /* Incoming TFTP request forwarding configuration */ c( "description" arg /* Text description of server */, "server" ( /* Server information */ sc( ipv4addr /* Name or address of server to which to forward */, c( "logical-system" ( /* Logical system of server to which to forward */ sc( arg /* Name of logical system */, "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ) ).as(:oneline), "interface" arg ( /* Incoming TFTP request forwarding interface configuration */ c( "no-listen" /* Do not listen on this interface */, "broadcast" /* If the layer 2 interface is unknown then broadcast */, "description" arg /* Text description of server */, "server" ( /* Server information */ sc( ipv4addr /* Name or address of server to which to forward */, c( "logical-system" ( /* Logical system of server to which to forward */ sc( arg /* Name of logical system */, "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ) ).as(:oneline) ) ) ) ), "bootp" ( /* Incoming BOOTP/DHCP request forwarding configuration */ c( "relay-agent-option" /* Use DHCP Relay Agent option in relayed BOOTP/DHCP messages */, "dhcp-option82" ( /* Configure DHCP option 82 */ dhcp_option82_type /* Configure DHCP option 82 */ ), "description" arg /* Text description of servers */, "server" arg ( /* Server information */ c( "logical-system" arg ( /* Logical system of server to which to forward */ sc( "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ), "maximum-hop-count" arg /* Maximum number of hops per packet */, "minimum-wait-time" arg /* Minimum number of seconds before requests are forwarded */, "client-response-ttl" arg /* IP time-to-live value to set in responses to client */, "source-address-giaddr" /* Use GIADDR as the source IP address for relayed packets */, "vpn" /* Enable vpn encryption */, "apply-secondary-as-giaddr" /* Enable DHCP relay to use secondary gateway ip on all interfaces */, "interface" arg ( /* Incoming BOOTP/DHCP request forwarding interface configuration */ c( "no-listen" /* Do not listen on this interface */, "broadcast" /* If the layer 2 interface is unknown then broadcast */, "description" arg /* Text description of servers */, "server" arg ( /* Server information */ c( "logical-system" arg ( /* Logical system of server to which to forward */ sc( "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ), "maximum-hop-count" arg /* Maximum number of hops per packet */, "minimum-wait-time" arg /* Minimum number of seconds before requests are forwarded */, "client-response-ttl" arg /* IP time-to-live value to set in responses to client */, "source-address-giaddr" /* Use GIADDR as the source IP address for relayed packets */, "vpn" /* Enable vpn encryption */, "dhcp-option82" ( /* Configure DHCP option 82 */ dhcp_option82_type /* Configure DHCP option 82 */ ), "apply-secondary-as-giaddr" /* Enable DHCP relay to use secondary gateway ip on this interface */ ) ) ) ), "port" arg ( /* Incoming arbitrary protocol request forwarding configuration */ c( "description" arg /* Text description of server */, "server" arg ( /* Server information */ c( c( "logical-system" ( /* Logical system of server to which to forward */ sc( arg /* Name of logical system */, "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ) ), "interface" arg ( /* Incoming request forwarding interface configuration */ c( "no-listen" /* Do not listen on this interface */, "broadcast" /* If the layer 2 interface is unknown then broadcast */, "description" arg /* Text description of server */, "server" arg ( /* Server information */ c( c( "logical-system" ( /* Logical system of server to which to forward */ sc( arg /* Name of logical system */, "routing-instance" arg /* Routing instance of server to which to forward */ ) ).as(:oneline), "routing-instance" arg /* Routing instance of server to which to forward */ ) ) ) ) ) ) ) ) ), "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "filter" ( /* Filtering for forwarding table */ c( "input" arg /* Name of input filter to apply for forwarded packets */, "output" arg /* Name of output filter to apply for forwarded packets */ ) ) ) ), "inet6" ( /* IPv6 parameters */ c( "filter" ( /* Filtering for forwarding table */ c( "input" arg /* Name of input filter to apply for forwarded packets */, "output" arg /* Name of output filter to apply for forwarded packets */ ) ), "route-accounting" /* Enable IPv6 route accounting */, "source-checking" /* Discard IPv6 packet when source address type is unspecified, loopback, multicast or link-local */ ) ), "mpls" ( /* MPLS parameters */ c( "filter" ( /* Filtering for forwarding table */ c( "input" arg /* Name of input filter to apply for forwarded packets */, "output" arg /* Name of output filter to apply for forwarded packets */ ) ) ) ), "vpls" ( /* VPLS parameters */ c( "filter" ( /* Filtering for VPLS DMAC forwarding table */ c( "input" arg /* Name of input filter to apply for forwarded packets */ ) ), "flood" ( /* Filtering for VPLS flood table */ c( "input" arg /* Name of input filter to apply for VPLS flood packets */ ) ) ) ), "evpn" ( /* EVPN parameters */ c( "filter" ( /* Filtering for EVPN DMAC forwarding table */ c( "input" arg /* Name of input filter to apply for forwarded packets */ ) ), "flood" ( /* Filtering for EVPN flood table */ c( "input" arg /* Name of input filter to apply for EVPN flood packets */ ) ) ) ) ) ), "next-hop-group" ( /* Next hop group forwarding option */ juniper_next_hop_group_options /* Next hop group forwarding option */ ), "dhcp-relay" ( /* Dynamic Host Configuration Protocol relay configuration */ jdhcp_relay_type /* Dynamic Host Configuration Protocol relay configuration */ ), "load-balance-label-capability" /* Load balance label capability */, "no-load-balance-label-capability" /* Don't load balance label capability */, "fast-reroute-priority" arg /* Fast-reroute repair priority */, "ip-options-protocol-queue" arg ( /* IP Options protocol logical queue parameters */ c( "protocol-id" arg /* Protocol Identifier */, "queue-depth" arg /* Size of the protocol logical options queue */ ) ), "link-layer-broadcast-inet-check" /* Enable destination mac and destination ip address check */, "cut-through" /* Enable cut-through forwarding */, "vrf-fallback" /* Enable vrf-fallback forwarding. This will restart PFE */, "no-hierarchical-ecmp" /* Disable hierarchical ecmp. This will restart PFE */, "ipmc-miss-do-l2mc" /* Do L2MC forwarding when IPMC miss */, "hyper-mode" /* Enable hyper mode */, "no-hyper-mode" /* Don't enable hyper mode */, "ecmp-do-local-lookup" /* Do ECMP local lookup only */, "access-security" ( /* Access security configuration */ jdhcp_access_security_type /* Access security configuration */ ), "forwarding-sandbox" ( /* Create forwarding sandbox */ juniper_forwarding_sandbox_options /* Create forwarding sandbox */ ), "vxlan-routing" /* VXLAN Routing forwarding options */, "satellite" /* Satellite forwarding options */ ) end rule(:dhcp_option82_type) do c( "disable" /* Disable DHCP option 82 on this VLAN */, "circuit-id" ( /* Configure DHCP option 82 circuit id */ c( "prefix" ( /* Configure DHCP option 82 circuit id prefix */ ("hostname") ), "use-interface-description" /* Use interface description instead of name */, "use-vlan-id" /* Use VLAN id instead of name */ ) ), "remote-id" ( /* Configure DHCP option 82 remote id */ c( "prefix" ( /* Configure DHCP option 82 remote id prefix */ ("none" | "hostname" | "mac") ), "use-interface-description" /* Use interface description instead of name */, "use-string" arg /* Use raw string instead of the default remote id */ ) ), "vendor-id" ( /* Configure DHCP option 82 vendor id */ c( arg /* Use raw string instead of the default vendor id */ ) ) ) end rule(:jdhcp_access_security_type) do c( "router-advertisement-guard" ( /* Router Advertisement Guard Configuration */ c( "policy" arg ( /* Router Advertisement Guard policy */ c( "discard" ( /* Discard parameters */ c( "source-ip-address-list" arg /* IPv6 Source address list name */, "source-mac-address-list" arg /* Source mac address list name */, "prefix-list-name" arg /* Prefix-list Name */ ) ), "accept" ( /* Accept parameters */ c( "match-list" ( /* List of parameters to check */ c( "source-ip-address-list" arg /* IPv6 Source address list name */, "source-mac-address-list" arg /* Source mac address list name */, "prefix-list-name" arg /* Prefix-list Name */, "match-criteria" ( /* Match Criteria */ ("match-all" | "match-any") ) ) ), "match-options" ( /* List of Options to check */ c( "hop-limit" ( /* Hop limit */ c( "maximum" arg /* Maximum hop limit */, "minimum" arg /* Minimum hop limit */ ) ), "route-preference" ( /* Accept route preference */ c( "maximum" ( /* Maximum route preference */ ("low" | "medium" | "high") ) ) ), "managed-config-flag" /* Check Managed config flag */, "other-config-flag" /* Check Other config flag */ ) ) ) ) ) ), "interface" ( /* RA Guard config on Interface */ c( interface_policy /* Interface Configuration */ ) ), "vlans" ( /* RA Guard config on Vlan */ c( vlan_policy /* Virtual LAN Configuration */ ) ) ) ) ) end rule(:interface_policy) do arg.as(:arg) ( c( "policy" ( /* Attach policy */ c( arg /* Router Advertisement Guard policy name */, c( "stateful" /* Stateful router advertisement guard */, "stateless" /* Stateless router advertisement guard */ ) ) ), "mark-interface" ( /* Mark interface */ c( c( "trusted" /* Mark interface trusted */, "block" /* Block router-advertisement */ ) ) ) ) ) end rule(:jdhcp_relay_type) do c( "traceoptions" ( /* DHCP relay trace options */ jdhcp_traceoptions_type /* DHCP relay trace options */ ), "persistent-storage" ( /* Trigger to enable flat file storage */ sc( "automatic" /* Trigger automatically */ ) ).as(:oneline), "duplicate-clients-on-interface" /* Allow duplicate clients on different interfaces in a subnet */, "duplicate-clients-in-subnet" ( /* Allow duplicate clients in a subnet */ jdhcp_duplicate_clients_in_subnet_type /* Allow duplicate clients in a subnet */ ).as(:oneline), "interface-traceoptions" ( /* DHCP relay interface trace options */ jdhcp_interface_traceoptions_type /* DHCP relay interface trace options */ ), "dhcpv6" ( /* DHCPv6 configuration */ dhcpv6_relay_type /* DHCPv6 configuration */ ), "arp-inspection" /* Enable Dynamic ARP Inspection */, "forward-snooped-clients" ( /* Forward snooped (unicast) packets */ sc( c( "configured-interfaces" /* Forward snooped (unicast) packets on configured interfaces */, "non-configured-interfaces" /* Forward snooped (unicast) packets on non-configured interfaces */, "all-interfaces" /* Forward snooped (unicast) packets on configured and non-configured interfaces */ ) ) ).as(:oneline), "authentication" ( /* DHCP authentication */ authentication_type /* DHCP authentication */ ), "liveness-detection" ( /* DHCP client liveness detection processing */ dhcp_liveness_detection_type /* DHCP client liveness detection processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "overrides" ( /* DHCP override processing */ override_type /* DHCP override processing */ ), "relay-option" ( /* DHCP option processing */ dhcp_generic_v4_option /* DHCP option processing */ ), "server-match" ( /* Server match processing */ c( "default-action" ( /* Server match default action */ server_match_action_choice /* Server match default action */ ), "address" arg ( /* Server address */ c( c( "forward-only" /* Forward without subscriber services when a match is made */, "create-relay-entry" /* Create relay entry and allow subscriber services */ ) ) ) ) ), "relay-option-60" ( /* DHCP option-60 processing */ relay_option_60_type_top /* DHCP option-60 processing */ ), "relay-option-82" ( /* DHCP option-82 processing */ relay_option_82_type /* DHCP option-82 processing */ ), "forward-only" ( /* Forward DHCP packets without creating binding */ forward_only_to_rc_type /* Forward DHCP packets without creating binding */ ), "description" arg /* Text description of servers */, "maximum-hop-count" arg /* Maximum number of hops per packet */, "minimum-wait-time" arg /* Minimum number of seconds before requests are forwarded */, "client-response-ttl" arg /* IP time-to-live value to set in responses to client */, "source-ip-change" /* Use address of egress interface as source ip */, "forward-only-replies" /* Forward-only replies from server to appropriate logical-system:routing-instance based on options */, "server-group" ( /* Define a DHCP server group */ server_group_type /* Define a DHCP server group */ ), "active-server-group" ( /* Name of DHCP server group */ dhcpv4_gbl_active_sg_type /* Name of DHCP server group */ ), "route-suppression" ( /* Suppress access-internal and/or destination route addition */ dhcp_route_suppression_type /* Suppress access-internal and/or destination route addition */ ), "group" ( /* Define a DHCP group */ dhcp_group /* Define a DHCP group */ ), "dual-stack-group" ( /* Define a DHCP dual stack group */ dhcp_dual_stack_group /* Define a DHCP dual stack group */ ), "no-snoop" /* Do not snoop DHCP packets */, "server-response-time" arg /* Number of seconds in a period of activity between the last server response and an unaswered request */, "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation in seconds */, "violation-action" ( /* Lease time validation violation action */ sc( "drop" /* Drop dhcpv4 offer and ack packets */ ) ).as(:oneline) ) ), "leasequery" ( /* DHCP leasequery configuration */ relay_leasequery_type /* DHCP leasequery configuration */ ), "bulk-leasequery" ( /* DHCP bulk leasequery configuration */ relay_bulk_leasequery_v4_type /* DHCP bulk leasequery configuration */ ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ) ) end rule(:authentication_type) do c( "password" arg /* Username password to use */, "username-include" ( /* Add username options */ c( "delimiter" arg /* Change delimiter/separator character */, "domain-name" arg /* Add domain name */, "user-prefix" arg /* Add user defined prefix */, "mac-address" /* Include MAC address */, "option-82" ( /* Include option 82 */ sc( "circuit-id" /* Include option 82 circuit-id (sub option 1) */, "remote-id" /* Include option 82 remote-id (sub option 2) */ ) ).as(:oneline), "logical-system-name" /* Include logical system name */, "routing-instance-name" /* Include routing instance name */, "option-60" /* Include option 60 */, "circuit-type" /* Include circuit type */, "interface-name" /* Include interface name */, "interface-description" ( /* Include interface description */ ("device" | "logical") ), "vlan-tags" /* Include the vlan tag(s) */ ) ) ) end rule(:dhcp_dual_stack_group) do arg.as(:arg) ( c( "authentication" ( /* DHCP authentication */ dual_stack_authentication_type /* DHCP authentication */ ), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to be used for jdhcpd */, "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "liveness-detection" ( /* DHCP client liveness detection processing */ dhcp_liveness_detection_dualstack_type /* DHCP client liveness detection processing */ ), "relay-agent-interface-id" ( /* Interface-id option processing */ v6_relay_option_interface_id_type /* Interface-id option processing */ ), "relay-agent-remote-id" ( /* Remote-id option processing */ v6_relay_option_remote_id_type /* Remote-id option processing */ ), "classification-key" ( /* Classification key for identifying dual stack household */ classification_types /* Classification key for identifying dual stack household */ ), "dual-stack-interface-client-limit" arg /* Limit the number of client allowed on an interface */, "protocol-master" ( /* Select family as protocol master */ jdhcp_dual_stack_protocol_mstr_type /* Select family as protocol master */ ).as(:oneline), "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline) ) ) end rule(:classification_types) do c( "mac-address" /* MAC address of client */, "circuit-id" /* Circuit-id as key */, "remote-id" /* Remote-id as key */ ) end rule(:dhcp_generic_v4_option) do c( "option-number" ( /* Option number */ ("60" | "77") ), "equals" ( /* Generic option equals */ relay_v4_option_ascii_hex /* Generic option equals */ ), "default-action" ( /* Generic option default action */ dhcp_v4_option_default_action /* Generic option default action */ ), "starts-with" ( /* Generic option starts with */ relay_v4_option_ascii_hex /* Generic option starts with */ ), "option-60" ( /* Add option 60 processing */ dhcp_generic_v4_option_type /* Add option 60 processing */ ), "option-77" ( /* Add option 77 processing */ dhcp_generic_v4_option_type /* Add option 77 processing */ ), "option-order" enum(("60" | "77")) /* Options precedence order */ ) end rule(:dhcp_generic_v4_option_type) do c( "equals" ( /* Generic option equals */ relay_v4_option_ascii_hex /* Generic option equals */ ), "default-action" ( /* Generic option default action */ dhcp_v4_option_default_action /* Generic option default action */ ), "starts-with" ( /* Generic option starts with */ relay_v4_option_ascii_hex /* Generic option starts with */ ) ) end rule(:dhcp_group) do arg.as(:arg) ( c( "active-server-group" ( /* Name of DHCP server group */ dhcpv4_gp_active_sg_type /* Name of DHCP server group */ ), "authentication" ( /* DHCP authentication */ authentication_type /* DHCP authentication */ ), "liveness-detection" ( /* DHCP client liveness detection processing */ dhcp_liveness_detection_type /* DHCP client liveness detection processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "overrides" ( /* DHCP override processing */ override_type /* DHCP override processing */ ), "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "server-match" ( /* Server match processing */ c( "default-action" ( /* Server match default action */ server_match_action_choice /* Server match default action */ ), "address" arg ( /* Server address */ c( c( "forward-only" /* Forward without subscriber services when a match is made */, "create-relay-entry" /* Create relay entry and allow subscriber services */ ) ) ) ) ), "relay-option" ( /* DHCP option processing */ dhcp_generic_v4_option /* DHCP option processing */ ), "relay-option-60" ( /* DHCP option-60 processing */ relay_option_60_type_group /* DHCP option-60 processing */ ), "relay-option-82" ( /* DHCP option-82 processing */ relay_option_82_type /* DHCP option-82 processing */ ), "forward-only" ( /* Forward DHCP packets without creating binding */ forward_only_to_rc_type /* Forward DHCP packets without creating binding */ ), "route-suppression" ( /* Suppress access-internal and/or destination route addition */ dhcp_route_suppression_type /* Suppress access-internal and/or destination route addition */ ), "description" arg /* Text description of servers */, "maximum-hop-count" arg /* Maximum number of hops per packet */, "minimum-wait-time" arg /* Minimum number of seconds before requests are forwarded */, "client-response-ttl" arg /* IP time-to-live value to set in responses to client */, "source-ip-change" /* Use address of egress interface as source ip */, "interface" arg ( /* One or more interfaces */ c( "upto" ( /* Interface up to */ interface_name /* Interface up to */ ), "exclude" /* Exclude this interface range */, "trace" /* Enable tracing for this interface */, "overrides" ( /* DHCP override processing */ override_type /* DHCP override processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline) ) ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ), "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation in seconds */, "violation-action" ( /* Lease time validation violation action */ sc( "drop" /* Drop dhcpv4 offer and ack packets */ ) ).as(:oneline) ) ) ) ) end rule(:dhcp_liveness_detection_dualstack_type) do c( "failure-action" ( /* Liveness detection failure action options */ dhcp_liveness_detection_failure_action_type /* Liveness detection failure action options */ ).as(:oneline), "method" ( /* Liveness detection method options */ c( c( "layer2-liveness-detection" ( /* Address resolution options */ dhcp_arp_nud_liveness_detection_type /* Address resolution options */ ) ) ) ) ) end rule(:dhcp_arp_nud_liveness_detection_type) do c( "transmit-interval" arg /* Transmit interval for address resolution */, "max-consecutive-retries" arg /* Retry attempts */ ) end rule(:dhcp_liveness_detection_failure_action_type) do c( c( "clear-binding" /* Clear the client binding */, "clear-binding-if-interface-up" /* Clear the client binding only if the incoming interface is up */, "log-only" /* Maintain the client binding and log the failure event */ ) ).as(:oneline) end rule(:dhcp_liveness_detection_type) do c( "failure-action" ( /* Liveness detection failure action options */ dhcp_liveness_detection_failure_action_type /* Liveness detection failure action options */ ).as(:oneline), "method" ( /* Liveness detection method options */ c( c( "bfd" ( /* Bidirectional Forwarding Detection (BFD) options */ dhcp_bfd_liveness_detection_type /* Bidirectional Forwarding Detection (BFD) options */ ), "layer2-liveness-detection" ( /* Address resolution options */ dhcp_arp_nud_liveness_detection_type /* Address resolution options */ ) ) ) ) ) end rule(:dhcp_bfd_liveness_detection_type) do c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "session-mode" ( /* BFD single-hop or multihop session-mode */ ("automatic" | "single-hop" | "multihop") ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */ ) end rule(:dhcp_remote_id_mismatch_type) do c( "disconnect" /* Disconnect session on remote-id mismatch */ ) end rule(:dhcp_route_suppression_type) do c( c( "access-internal" /* Suppress access-internal and destination route addition */, "destination" /* Suppress destination route addition */ ) ) end rule(:dhcp_v4_option_default_action) do c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "local-server-group" arg /* Name of DHCP local server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) end rule(:dhcpv4_gbl_active_sg_type) do c( arg, "allow-server-change" /* Accept DHCP-ACK from any server in this group */ ).as(:oneline) end rule(:dhcpv4_gp_active_sg_type) do c( arg, "allow-server-change" /* Accept DHCP-ACK from any server in this group */ ).as(:oneline) end rule(:dhcpv6_relay_type) do c( "authentication" ( /* DHCPv6 authentication */ dhcpv6_authentication_type /* DHCPv6 authentication */ ), "persistent-storage" ( /* Trigger to enable flat file storage */ sc( "automatic" /* Trigger automatically */ ) ).as(:oneline), "liveness-detection" ( /* DHCPv6 client liveness detection processing */ dhcpv6_liveness_detection_type /* DHCPv6 client liveness detection processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "overrides" ( /* DHCPv6 override processing */ dhcpv6_override_relay_type /* DHCPv6 override processing */ ), "relay-option" ( /* DHCPv6 option processing */ dhcp_generic_v6_option /* DHCPv6 option processing */ ), "server-match" ( /* Server match processing */ c( "default-action" ( /* Server match default action */ server_match_action_choice /* Server match default action */ ), "duid" ( /* Match duid processing */ c( "equals" ( /* Duid equals */ server_match_v6_ascii_hex /* Duid equals */ ), "starts-with" ( /* Duid starts with */ server_match_v6_ascii_hex /* Duid starts with */ ) ) ), "address" arg ( /* Server ipv6 address */ c( c( "forward-only" /* Forward without subscriber services when a match is made */, "create-relay-entry" /* Create relay entry and allow subscriber services */ ) ) ) ) ), "relay-agent-option-79" /* Add the client MAC address to the Relay Forward header. */, "vendor-specific-information" ( /* DHCPv6 option 17 vendor-specific processing */ jdhcp_vendor_specific_type /* DHCPv6 option 17 vendor-specific processing */ ), "forward-only" ( /* Forward DHCPv6 packets without creating binding */ forward_only_to_rc_type /* Forward DHCPv6 packets without creating binding */ ), "forward-only-replies" /* Forward-only replies from server to appropriate logical-system:routing-instance based on options */, "forward-snooped-clients" ( /* Forward snooped (unicast) packets */ sc( c( "configured-interfaces" /* Forward snooped (unicast) packets on configured interfaces */, "non-configured-interfaces" /* Forward snooped (unicast) packets on non-configured interfaces */, "all-interfaces" /* Forward snooped (unicast) packets on configured and non-configured interfaces */ ) ) ).as(:oneline), "route-suppression" ( /* Suppress access-internal and/or access route addition */ dhcpv6_route_suppression_type /* Suppress access-internal and/or access route addition */ ), "group" ( /* Define a DHCPv6 relay group */ dhcpv6_relay_group /* Define a DHCPv6 relay group */ ), "relay-agent-interface-id" ( /* DHCPv6 interface-id option processing */ v6_relay_option_interface_id_type /* DHCPv6 interface-id option processing */ ), "relay-agent-remote-id" ( /* DHCPv6 remote-id option processing */ v6_relay_option_remote_id_type /* DHCPv6 remote-id option processing */ ), "server-group" ( /* Define a DHCPv6 server group */ v6_server_group_type /* Define a DHCPv6 server group */ ), "active-server-group" ( /* Name of DHCPv6 server group */ dhcpv6_gbl_active_sg_type /* Name of DHCPv6 server group */ ), "server-response-time" arg /* Number of seconds in a period of activity between the last server response and an unaswered request */, "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation in seconds */, "violation-action" ( /* Lease time validation violation action */ sc( "drop" /* Drop dhcpv6 advertise and reply packets */ ) ).as(:oneline) ) ), "no-snoop" /* Do not snoop DHCPV6 packets */, "leasequery" ( /* DHCPv6 leasequery configuration */ relay_leasequery_type /* DHCPv6 leasequery configuration */ ), "bulk-leasequery" ( /* DHCPv6 bulk leasequery configuration */ relay_bulk_leasequery_v6_type /* DHCPv6 bulk leasequery configuration */ ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ), "duplicate-clients" ( /* Allow duplicate clients */ dhcpv6_duplicate_clients_type /* Allow duplicate clients */ ).as(:oneline) ) end rule(:dhcp_generic_v6_option) do c( "option-number" ( /* Option number */ ("15" | "16") ), "equals" ( /* Generic option equals */ relay_v6_option_ascii_hex /* Generic option equals */ ), "default-action" ( /* Generic option default action */ dhcp_v6_option_default_action /* Generic option default action */ ), "starts-with" ( /* Generic option starts with */ relay_v6_option_ascii_hex /* Generic option starts with */ ), "option-15" ( /* Add option 15 processing */ dhcp_generic_v6_option_type /* Add option 15 processing */ ), "option-16" ( /* Add option 16 processing */ dhcp_generic_v6_option_type /* Add option 16 processing */ ), "option-order" enum(("15" | "16")) /* Options precedence order */ ) end rule(:dhcp_generic_v6_option_type) do c( "equals" ( /* Generic option equals */ relay_v6_option_ascii_hex /* Generic option equals */ ), "default-action" ( /* Generic option default action */ dhcp_v6_option_default_action /* Generic option default action */ ), "starts-with" ( /* Generic option starts with */ relay_v6_option_ascii_hex /* Generic option starts with */ ) ) end rule(:dhcp_v6_option_default_action) do c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) end rule(:dhcpv6_authentication_type) do c( "password" arg /* Username password to use */, "username-include" ( /* Add username options */ c( "delimiter" arg /* Change delimiter/separator character */, "domain-name" arg /* Add domain name */, "user-prefix" arg /* Add user defined prefix */, "mac-address" /* Include MAC address */, "client-id" /* Include client ID */, "relay-agent-remote-id" ( /* Include the relay agent remote ID */ c( c( "enterprise-id" /* Only use enterprise-id portion of option-37 */, "remote-id" /* Only use remote-id portion of option-37 */ ) ) ), "logical-system-name" /* Include logical system name */, "routing-instance-name" /* Include routing instance name */, "relay-agent-subscriber-id" /* Include the relay agent subscriber ID */, "relay-agent-interface-id" /* Include the relay agent interface ID */, "circuit-type" /* Include circuit type */, "interface-name" /* Include interface name */, "interface-description" ( /* Include interface description */ ("device" | "logical") ), "vlan-tags" /* Include the vlan tag(s) */ ) ) ) end rule(:dhcpv6_duplicate_clients_type) do c( c( "incoming-interface" /* Allow duplicate clients on different underlying interfaces */ ) ).as(:oneline) end rule(:dhcpv6_gbl_active_sg_type) do c( arg ) end rule(:dhcpv6_liveness_detection_type) do c( "failure-action" ( /* Liveness detection failure action options */ dhcp_liveness_detection_failure_action_type /* Liveness detection failure action options */ ).as(:oneline), "method" ( /* Liveness detection method options */ c( c( "bfd" ( /* Bidirectional Forwarding Detection (BFD) options */ dhcp_bfd_liveness_detection_type /* Bidirectional Forwarding Detection (BFD) options */ ), "layer2-liveness-detection" ( /* Neighbor discovery options */ dhcp_arp_nud_liveness_detection_type /* Neighbor discovery options */ ) ) ) ) ) end rule(:dhcpv6_override_relay_type) do c( "allow-snooped-clients" /* Allow client creation from snooped PDUs */, "no-allow-snooped-clients" /* Don't allow client creation from snooped PDUs */, "delay-authentication" /* Delay subscriber authentication in DHCP protocol processing until request packet */, "interface-client-limit" arg /* Limit the number of clients allowed on an interface */, "dual-stack" arg /* Dual stack group to use. */, "no-bind-on-request" /* Do not bind if stray DHCPv6 RENEW, REBIND is received */, "client-negotiation-match" ( /* Use secondary match criteria for SOLICIT PDU */ sc( c( "incoming-interface" /* Use incoming interface */ ) ) ).as(:oneline), "send-release-on-delete" /* Always send RELEASE to the server when a binding is deleted */, "always-process-option-request-option" /* Always process option even after address allocation failure */, "relay-source" ( /* Interface for relay source */ interface_name /* Interface for relay source */ ), "delete-binding-on-renegotiation" /* Delete binding on renegotiation */, "asymmetric-lease-time" arg /* Use a reduced lease time for the client. In seconds */, "asymmetric-prefix-lease-time" arg /* Use a reduced prefix lease time for the client. In seconds */ ) end rule(:dhcpv6_relay_group) do arg.as(:arg) ( c( "active-server-group" ( /* Name of DHCPv6 server group */ dhcpv6_gp_active_sg_type /* Name of DHCPv6 server group */ ), "dual-stack-group" ( /* Define a DHCP dual stack group */ dhcp_dual_stack_group /* Define a DHCP dual stack group */ ), "authentication" ( /* DHCPv6 authentication */ dhcpv6_authentication_type /* DHCPv6 authentication */ ), "liveness-detection" ( /* DHCPv6 client liveness detection processing */ dhcpv6_liveness_detection_type /* DHCPv6 client liveness detection processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "overrides" ( /* DHCPv6 override processing */ dhcpv6_override_relay_type /* DHCPv6 override processing */ ), "relay-option" ( /* DHCPv6 option processing */ dhcp_generic_v6_option /* DHCPv6 option processing */ ), "vendor-specific-information" ( /* DHCPv6 option 17 vendor-specific processing */ jdhcp_vendor_specific_type /* DHCPv6 option 17 vendor-specific processing */ ), "forward-only" ( /* Forward DHCPv6 packets without creating binding */ forward_only_to_rc_type /* Forward DHCPv6 packets without creating binding */ ), "relay-agent-interface-id" ( /* DHCPv6 interface-id option processing */ v6_relay_option_interface_id_type /* DHCPv6 interface-id option processing */ ), "relay-agent-remote-id" ( /* DHCPv6 remote-id option processing */ v6_relay_option_remote_id_type /* DHCPv6 remote-id option processing */ ), "route-suppression" ( /* Suppress access-internal and/or access route addition */ dhcpv6_route_suppression_type /* Suppress access-internal and/or access route addition */ ), "relay-agent-option-79" /* Add the client MAC address to the Relay Forward header. */, "interface" arg ( /* One or more interfaces */ c( "upto" ( /* Interface up to */ interface_name /* Interface up to */ ), "exclude" /* Exclude this interface range */, "trace" /* Enable tracing for this interface */, "overrides" ( /* DHCPv6 override processing */ dhcpv6_override_relay_type /* DHCPv6 override processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline) ) ), "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation in seconds */, "violation-action" ( /* Lease time validation violation action */ sc( "drop" /* Drop dhcpv6 advertise and reply packets */ ) ).as(:oneline) ) ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ), "server-match" ( /* Server match processing */ c( "default-action" ( /* Server match default action */ server_match_action_choice /* Server match default action */ ), "duid" ( /* Match duid processing */ c( "equals" ( /* Duid equals */ server_match_v6_ascii_hex /* Duid equals */ ), "starts-with" ( /* Duid starts with */ server_match_v6_ascii_hex /* Duid starts with */ ) ) ), "address" arg ( /* Server ipv6 address */ c( c( "forward-only" /* Forward without subscriber services when a match is made */, "create-relay-entry" /* Create relay entry and allow subscriber services */ ) ) ) ) ) ) ) end rule(:dhcpv6_gp_active_sg_type) do c( arg ) end rule(:dhcpv6_route_suppression_type) do c( "access" /* Suppress access route addition */, "access-internal" /* Suppress access-internal route addition */ ).as(:oneline) end rule(:dual_stack_authentication_type) do c( "password" arg /* Username password to use */, "username-include" ( /* Add username options */ c( "delimiter" arg /* Change delimiter/separator character */, "domain-name" arg /* Add domain name */, "user-prefix" arg /* Add user defined prefix */, "mac-address" /* Include MAC address */, "relay-agent-remote-id" /* Include the relay agent remote ID */, "logical-system-name" /* Include logical system name */, "routing-instance-name" /* Include routing instance name */, "relay-agent-interface-id" /* Include the relay agent interface ID */, "interface-name" /* Include interface name */, "interface-description" ( /* Include interface description */ ("device" | "logical") ), "circuit-type" /* Include circuit type */, "vlan-tags" /* Include the vlan tag(s) */ ) ) ) end rule(:dynamic_profile_type) do c( arg, c( "use-primary" arg /* Dynamic profile to use on the primary interface */, "aggregate-clients" ( /* Aggregate client profiles */ c( c( "merge" /* Merge the client dynamic profiles */, "replace" /* Replace client dynamic profiles */ ) ) ) ) ).as(:oneline) end rule(:forward_only_to_rc_type) do c( "logical-system" ( ("default" | "current" | arg) ), "routing-instance" ( ("default" | "current" | arg) ) ) end rule(:jdhcp_dual_stack_protocol_mstr_type) do c( c( "inet" /* INET family has protocol master behavior */, "inet6" /* INET6 family has protocol master behavior */ ) ).as(:oneline) end rule(:jdhcp_duplicate_clients_in_subnet_type) do c( c( "incoming-interface" /* Allow duplicate clients on different interfaces in a subnet */, "option-82" /* Allow duplicate clients using different option-82 options in a subnet */ ) ).as(:oneline) end rule(:jdhcp_interface_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("state" | "packet" | "flow" | "packet-option" | "dhcpv6-state" | "dhcpv6-packet" | "dhcpv6-packet-option" | "all")) /* Interface trace categories */.as(:oneline) ) end rule(:jdhcp_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("state" | "packet" | "flow" | "packet-option" | "dhcpv6-state" | "dhcpv6-packet" | "dhcpv6-packet-option" | "all" | "database" | "persistent" | "lockout-db" | "interface" | "rtsock" | "flow-notify" | "io" | "ha" | "ui" | "general" | "fwd" | "rpd" | "auth" | "profile" | "session-db" | "performance" | "statistics" | "dhcpv6-io" | "dhcpv6-rpd" | "dhcpv6-session-db" | "dhcpv6-general" | "liveness-detection" | "security-persistence" | "mclag" | "ra-guard")) /* DHCP operations to include in debugging trace */.as(:oneline) ) end rule(:jdhcp_vendor_specific_type) do c( "host-name" /* Add router host name */, "location" /* Add location information expressed as interface name format */ ).as(:oneline) end rule(:juniper_forwarding_sandbox_options) do arg.as(:arg) ( c( "size" ( /* Size of the sandbox */ ("small" | "medium" | "large") ), "port" ( /* Sandbox port */ juniper_forwarding_sandbox_port_options /* Sandbox port */ ) ) ) end rule(:juniper_forwarding_sandbox_port_options) do arg.as(:arg) ( c( "interface" arg /* Interface to which the port is mapped */ ) ) end rule(:juniper_logical_system) do arg.as(:arg) ( c( "interfaces" ( /* Interface configuration */ c( lr_interfaces_type ) ), "protocols" ( /* Routing protocol configuration */ juniper_protocols /* Routing protocol configuration */ ), "policy-options" ( /* Policy option configuration */ juniper_policy_options /* Policy option configuration */ ), "routing-instances" ( /* Routing instance configuration */ c( juniper_routing_instance ) ), "routing-options" ( /* Protocol-independent routing option configuration */ juniper_routing_options /* Protocol-independent routing option configuration */ ), "forwarding-options" ( /* Configure options to control packet forwarding */ c( "dhcp-relay" ( /* Dynamic Host Configuration Protocol relay configuration */ jdhcp_relay_type /* Dynamic Host Configuration Protocol relay configuration */ ), "storm-control-profiles" arg ( /* Storm control profile for this instance */ c( "all" ( /* For all BUM traffic */ c( c( "bandwidth-percentage" arg /* Percentage of link bandwidth */, "bandwidth-level" arg /* Link bandwidth */ ), "no-broadcast" /* Disable broadcast storm control */, "no-unknown-unicast" /* Disable unknown unicast storm control */, c( "no-multicast" /* Disable multicast storm control */, "no-registered-multicast" /* Disable registered multicast storm control */, "no-unregistered-multicast" /* Disable unregistered multicast storm control */ ) ) ), "action-shutdown" /* Disable port for excessive storm control errors */ ) ), "sampling" ( c( "family" ( /* Address family of packets to sample */ c( "inet" ( /* Sample IPv4 packets */ c( "output" ( /* Configure output options for packet sampling */ c( "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_sampling_inet_lr_type /* Configure sending traffic aggregates in cflowd format */ ) ) ) ) ), "mpls" ( /* Sample MPLS packets */ c( "output" ( /* Configure output options for packet sampling */ c( "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_sampling_mpls_lr_type /* Configure sending traffic aggregates in cflowd format */ ) ) ) ) ) ) ), "instance" /* Instance of sampling parameters */ ) ) ) ), "system" ( /* System parameters */ c( "arp" ( /* ARP settings */ c( "aging-timer" arg /* Change the ARP aging time value */, "interfaces" ( /* Logical interface on which to specify ARP aging timer */ c( arp_interface_type ) ), "passive-learning" /* ARP passive learning */, "purging" /* ARP purging when link goes down */, "gratuitous-arp-on-ifup" /* Gratuitous ARP announcement on interface up */, "gratuitous-arp-delay" arg /* Delay gratuitous ARP request */, "non-subscriber-no-reply" /* Do not reply to ARP requests from non-subscribers */ ) ), "services" ( /* System services */ c( "dhcp-local-server" ( /* Dynamic Host Configuration Protocol server configuration */ jdhcp_local_server_type /* Dynamic Host Configuration Protocol server configuration */ ), "dhcp-proxy-client" ( /* Dynamic Host Configuration Protocol Proxy client configuration */ jdhcp_proxy_client_type /* Dynamic Host Configuration Protocol Proxy client configuration */ ), "static-subscribers" ( /* Static Subscriber Client configuration */ jsscd_static_subscribers_type /* Static Subscriber Client configuration */ ) ) ), "processes" ( /* Process control */ c( "routing" ( /* Routing process */ c( c( "force-32-bit" /* Always use 32-bit mode */, "force-64-bit" /* Always use 64-bit mode */, "auto-64-bit" /* Ignored; same as force-32-bit */ ) ) ) ) ) ) ), "access" ( /* Network access configuration */ c( "address-assignment" ( /* Address assignment configuration */ address_assignment_type /* Address assignment configuration */ ), "address-protection" /* Initiate Duplicate Address Protection */, "firewall-authentication" ( /* Type of firewall authentication */ c( "pass-through" ( /* Pass-through firewall authentication settings */ c( "default-profile" arg /* Name of profile to use if not specified in policy */, "ftp" ( /* FTP banners */ banner_object /* FTP banners */ ), "telnet" ( /* Telnet banners */ banner_object /* Telnet banners */ ), "http" ( /* HTTP banners */ banner_object /* HTTP banners */ ) ) ), "web-authentication" ( /* Web-authentication settings */ c( "default-profile" arg /* Name of profile to use for web-authentication */, "banner" ( c( "success" arg /* The message that will be displayed on successful login */ ) ), "timeout" arg /* Web-authentication timeout value in seconds */ ) ), "traceoptions" ( /* Firewall authentication tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "setup" | "authentication" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ) ) ), "access-profile" ( /* Access profile for this instance */ sc( arg /* Profile name */ ) ).as(:oneline), "firewall" ( /* Define a firewall configuration */ c( "family" ( /* Protocol family */ c( "inet" ( /* Protocol family IPv4 for firewall filter */ c( "dialer-filter" ( /* Define an IPv4 dialer filter */ inet_dialer_filter /* Define an IPv4 dialer filter */ ), "prefix-action" ( /* Define a prefix action */ prefix_action /* Define a prefix action */ ), "filter" ( /* Define an IPv4 firewall filter */ inet_filter /* Define an IPv4 firewall filter */ ), "template" ( /* Define an Inet firewall template */ inet_template /* Define an Inet firewall template */ ), "simple-filter" ( /* Define an IPv4 firewall simple filter */ inet_simple_filter /* Define an IPv4 firewall simple filter */ ), "service-filter" ( /* One or more IPv4 service filters */ inet_service_filter /* One or more IPv4 service filters */ ), "fast-update-filter" ( /* One or more fast update filters */ inet_fuf /* One or more fast update filters */ ) ) ), "inet6" ( /* Protocol family IPv6 for firewall filter */ c( "dialer-filter" ( /* Define an IPv6 dialer filter */ inet6_dialer_filter /* Define an IPv6 dialer filter */ ), "filter" ( /* Define an IPv6 firewall filter */ inet6_filter /* Define an IPv6 firewall filter */ ), "service-filter" ( /* One or more IPv6 service filters */ inet6_service_filter /* One or more IPv6 service filters */ ), "fast-update-filter" ( /* One or more fast update filters */ inet6_fuf /* One or more fast update filters */ ), "template" ( /* Define an Inet6 firewall template */ inet6_template /* Define an Inet6 firewall template */ ) ) ), "mpls" ( /* Protocol family MPLS for firewall filter */ c( "dialer-filter" ( /* Define an mpls dialer filter */ mpls_dialer_filter /* Define an mpls dialer filter */ ), "filter" ( mpls_filter ), "template" ( /* Define an MPLS firewall template */ mpls_template /* Define an MPLS firewall template */ ) ) ), "vpls" ( /* Protocol family VPLS for firewall filter */ c( "filter" ( vpls_filter ) ) ), "evpn" ( /* Protocol family EVPN for firewall filter */ c( "filter" ( vpls_filter ) ) ), "bridge" /* Protocol family BRIDGE for firewall filter */, "ccc" ( /* Protocol family CCC for firewall filter */ c( "filter" ( ccc_filter ) ) ), "any" ( /* Protocol-independent filter */ c( "filter" ( /* Define a protocol independent filter */ any_filter /* Define a protocol independent filter */ ), "template" ( /* Define Protocol independent filter template */ any_template /* Define Protocol independent filter template */ ) ) ), "ethernet-switching" ( /* Protocol family Ethernet Switching for firewall filter */ c( "filter" ( /* Define an Ethernet Switching firewall filter */ es_filter /* Define an Ethernet Switching firewall filter */ ), "template" ( /* Define an ethernet switching firewall template */ es_template /* Define an ethernet switching firewall template */ ) ) ) ) ), "policer" ( /* Policer template definition */ firewall_policer /* Policer template definition */ ), "flexible-match" ( /* Flexible packet match template definition */ firewall_flexible_match /* Flexible packet match template definition */ ), "tunnel-end-point" ( /* Tunnel end-point template definition */ tunnel_end_point /* Tunnel end-point template definition */ ), "hierarchical-policer" ( /* Hierarchical policer template definition */ firewall_hierpolicer /* Hierarchical policer template definition */ ), "interface-set" ( /* Interface set definition */ interface_set_type /* Interface set definition */ ), "load-balance-group" ( /* Load-balance group definition */ firewall_load_balance_group /* Load-balance group definition */ ), "atm-policer" ( /* Atm policer */ atm_policer_type /* Atm policer */ ), "three-color-policer" ( /* Three-color policer */ three_color_policer_type /* Three-color policer */ ), "filter" ( /* Define an IPv4 firewall filter */ inet_filter /* Define an IPv4 firewall filter */ ) ) ), "multicast-snooping-options" ( /* Multicast snooping option configuration */ juniper_multicast_snooping_options /* Multicast snooping option configuration */ ), "services" ( /* Service PIC daemon configuration */ c( "flow-monitoring" ( /* Configure flow monitoring under logical-systems */ c( "version9" ( /* Version 9 configuration */ c( "template" ( /* One or more version 9 templates */ version9_template /* One or more version 9 templates */ ) ) ) ) ), "icap-redirect" ( /* Configure ICAP redirection service */ c( "profile" ( /* Congifure ICAP service profile */ icap_profile_object /* Congifure ICAP service profile */ ), "traceoptions" ( /* ICAP redirect trace options */ icap_redirect_traceoptions /* ICAP redirect trace options */ ) ) ) ) ), "bridge-domains" ( /* Bridge domain configuration */ c( juniper_bridge_domains ) ), "switch-options" ( /* Options for default routing-instance of type virtual-switch */ juniper_def_rtb_switch_options /* Options for default routing-instance of type virtual-switch */ ), "security" ( /* Security configuration */ c( "alarms" ( /* Configure security alarms */ c( "audible" ( /* Beep when new security alarms arrive */ c( "continuous" /* Keep beeping until all security alarms have been cleared */ ) ), "potential-violation" ( /* Configure potential security violations */ c( "authentication" arg /* Raise alarm for specified number of authentication failures */, "cryptographic-self-test" /* Raise alarm for cryptographic self test failures */, "decryption-failures" ( /* No. of decryption failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 1000] */ ) ), "encryption-failures" ( /* No. of encryption failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 1000] */ ) ), "ike-phase1-failures" ( /* No. of IKE Phase-1 failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 20] */ ) ), "ike-phase2-failures" ( /* No. of IKE Phase-2 failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 20] */ ) ), "key-generation-self-test" /* Raise alarm for key generation self test failures */, "non-cryptographic-self-test" /* Raise alarm for non-cryptographic self test failures */, "policy" ( /* Raise alarm for flow policy violations */ c( "source-ip" ( /* Configure source address type of policy violation */ c( "threshold" arg /* Number of source IP address matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total source IP address number that can be done policy violation check concurrently */ ) ), "destination-ip" ( /* Configure destination address type of policy violation */ c( "threshold" arg /* Number of destination IP address matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total destination IP address number that can be done policy violation check concurrently */ ) ), "application" ( /* Configure application type of policy violation */ c( "threshold" arg /* Number of application matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total application number that can be done policy violation check concurrently */ ) ), "policy-match" ( /* Configure policy type of policy violation */ c( "threshold" arg /* Number of policy matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total concurrent number of policy check violations */ ) ) ) ), "replay-attacks" ( /* No. of Replay attacks before which an alarm needs to be raised */ c( "threshold" arg /* Replay threshold value */ ) ), "security-log-percent-full" arg /* Raise alarm when security log exceeds this percent capacity */, "idp" /* Raise alarm for idp attack */ ) ) ) ), "log" ( /* Configure security log */ c( "exclude" arg ( /* List of security log criteria to exclude from the audit log */ c( "destination-address" ( /* Destination address */ ipaddr /* Destination address */ ), "destination-port" arg /* Destination port */, "event-id" arg /* Event ID filter */, "failure" /* Event was a failure */, "interface-name" arg /* Name of interface */, "policy-name" arg /* Policy name filter */, "process" arg /* Process that generated the event */, "protocol" arg /* Protocol filter */, "source-address" ( /* Source address */ ipaddr /* Source address */ ), "source-port" arg /* Source port */, "success" /* Event was successful */, "username" arg /* Username filter */ ) ), "limit" arg /* Limit number of security log entries to keep in memory */, "cache" ( /* Cache security log events in the audit log buffer */ c( "exclude" arg ( /* List of security log criteria to exclude from the audit log */ c( "destination-address" ( /* Destination address */ ipaddr /* Destination address */ ), "destination-port" arg /* Destination port */, "event-id" arg /* Event ID filter */, "failure" /* Event was a failure */, "interface-name" arg /* Name of interface */, "policy-name" arg /* Policy name filter */, "process" arg /* Process that generated the event */, "protocol" arg /* Protocol filter */, "source-address" ( /* Source address */ ipaddr /* Source address */ ), "source-port" arg /* Source port */, "success" /* Event was successful */, "username" arg /* Username filter */ ) ), "limit" arg /* Limit number of security log entries to keep in memory */ ) ), "disable" /* Disable security logging for the device */, "utc-timestamp" /* Use UTC time for security log timestamps */, "mode" ( /* Controls how security logs are processed and exported */ ("stream" | "event") ), "event-rate" arg /* Control plane event rate */, "format" ( /* Set security log format for the device */ ("syslog" | "sd-syslog" | "binary") ), "rate-cap" arg /* Data plane event rate */, "max-database-record" arg /* Maximum records in database */, "report" /* Set security log report settings */, c( "source-address" ( /* Source ip address used when exporting security logs */ ipaddr /* Source ip address used when exporting security logs */ ), "source-interface" ( /* Source interface used when exporting security logs */ interface_name /* Source interface used when exporting security logs */ ) ), "transport" ( /* Set security log transport settings */ c( "tcp-connections" arg /* Set tcp connection number per-stream */, "protocol" ( /* Set security log transport protocol for the device */ ("udp" | "tcp" | "tls") ), "tls-profile" arg /* TLS profile */ ) ), "facility-override" ( /* Alternate facility for logging to remote host */ ("authorization" | "daemon" | "ftp" | "kernel" | "user" | "local0" | "local1" | "local2" | "local3" | "local4" | "local5" | "local6" | "local7") ), "stream" arg ( /* Set security log stream settings */ c( "severity" ( /* Severity threshold for security logs */ ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug") ), "format" ( /* Specify the log stream format */ ("syslog" | "sd-syslog" | "welf" | "binary") ), "category" enum(("all" | "content-security" | "fw-auth" | "screen" | "alg" | "nat" | "flow" | "sctp" | "gtp" | "ipsec" | "idp" | "rtlog" | "pst-ds-lite" | "appqos" | "secintel" | "aamw")) /* Selects the type of events that may be logged */, "filter" enum(("threat-attack")) /* Selects the filter to filter the logs to be logged */, "host" ( /* Destination to send security logs to */ host_object /* Destination to send security logs to */ ), "rate-limit" ( /* Rate-limit for security logs */ c( arg ) ), "file" ( /* Security log file options for logs in local file */ c( "localfilename" arg /* Name of local log file */, "size" arg /* Maximum size of local log file in megabytes */, "rotation" arg /* Maximum number of rotate files */, "allow-duplicates" /* To disable log consolidation */ ) ) ) ), "file" ( /* Security log file options for logs in binary format */ c( "filename" arg /* Name of binary log file */, "size" arg /* Maximum size of binary log file in megabytes */, "path" arg /* Path to binary log files */, "files" arg /* Maximum number of binary log files */ ) ), "traceoptions" ( /* Security log daemon trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("source" | "configuration" | "all" | "report" | "hpl")) /* List of things to include in trace */.as(:oneline) ) ) ) ), "certificates" ( /* X.509 certificate configuration */ c( "local" ( /* Local X.509 certificate configuration */ certificate_object /* Local X.509 certificate configuration */ ), "path-length" arg /* Maximum certificate path length */, "maximum-certificates" arg /* Maximum number of certificates to cache */, "cache-size" arg /* Maximum size of certificate cache */, "cache-timeout-negative" arg /* Time in seconds to cache negative responses */, "enrollment-retry" arg /* Number of retry attempts for an enrollment request */, "certification-authority" arg ( /* CA X.509 certificate configuration */ c( "ca-name" arg /* CA name */, "file" arg /* File to read certificate from */, "crl" arg /* File to read crl from */, "enrollment-url" arg /* URL */, "ldap-url" arg /* URL */, "encoding" ( /* Encoding to use for certificate or CRL on disk */ ("binary" | "pem") ) ) ) ) ), "authentication-key-chains" ( /* Authentication key chain configuration */ security_authentication_key_chains /* Authentication key chain configuration */ ), "ssh-known-hosts" ( /* SSH known host list */ c( "host" arg ( /* SSH known host entry */ c( "rsa1-key" arg /* Base64 encoded RSA key (protocol version 1) */, "rsa-key" arg /* Base64 encoded RSA key */, "dsa-key" arg /* Base64 encoded DSA key */, "ecdsa-key" arg /* Base64 encoded ECDSA key */, "ecdsa-sha2-nistp256-key" arg /* Base64 encoded ECDSA-SHA2-NIST256 key */, "ecdsa-sha2-nistp384-key" arg /* Base64 encoded ECDSA-SHA2-NIST384 key */, "ecdsa-sha2-nistp521-key" arg /* Base64 encoded ECDSA-SHA2-NIST521 key */, "ed25519-key" arg /* Base64 encoded ED25519 key */ ) ) ) ), "key-protection" /* Common-Criteria key-protection configuration */, "pki" ( /* PKI service configuration */ security_pki /* PKI service configuration */ ), "ike" ( /* IKE configuration */ security_ike /* IKE configuration */ ), "ipsec" ( /* IPSec configuration */ security_ipsec_vpn /* IPSec configuration */ ), "group-vpn" ( /* Group VPN configuration */ security_group_vpn /* Group VPN configuration */ ), "ipsec-policy" ( /* IPSec policy configuration */ security_ipsec_policies /* IPSec policy configuration */ ), "idp" ( /* Configure IDP */ c( "idp-policy" ( /* Configure IDP policy */ idp_policy_type /* Configure IDP policy */ ), "active-policy" arg /* Set active policy */, "default-policy" arg /* Set active policy */, "custom-attack" ( /* Configure custom attacks */ custom_attack_type /* Configure custom attacks */ ), "custom-attack-group" ( /* Configure custom attack groups */ custom_attack_group_type /* Configure custom attack groups */ ), "dynamic-attack-group" ( /* Configure dynamic attack groups */ dynamic_attack_group_type /* Configure dynamic attack groups */ ), "traceoptions" ( /* Trace options for idp services */ idpd_traceoptions_type /* Trace options for idp services */ ), "security-package" ( /* Security package options */ c( "url" arg /* URL of Security package download */, "source-address" ( /* Source address to be used for sending download request */ ipv4addr /* Source address to be used for sending download request */ ), "proxy-profile" arg /* Proxy profile of security package download */, "install" ( /* Configure install command */ c( "ignore-version-check" /* Skip version check when attack database gets installed */ ) ), "automatic" ( /* Scheduled download and update */ c( "start-time" ( /* Start time (YYYY-MM-DD.HH:MM:SS) */ time /* Start time (YYYY-MM-DD.HH:MM:SS) */ ), "interval" arg /* Interval */, "download-timeout" arg /* Maximum time for download to complete */, ("enable") ) ) ) ), "sensor-configuration" ( /* IDP Sensor Configuration */ c( "log" ( /* IDP Log Configuration */ c( "cache-size" arg /* Log cache size */, "suppression" ( /* Log suppression */ c( ("disable"), "include-destination-address" /* Include destination address while performing a log suppression */, "no-include-destination-address" /* Don't include destination address while performing a log suppression */, "start-log" arg /* Suppression start log */, "max-logs-operate" arg /* Maximum logs can be operate on */, "max-time-report" arg /* Time after suppressed logs will be reported */ ) ) ) ), "packet-log" ( /* IDP Packetlog Configuration */ c( "total-memory" arg /* Total memory unit(%) */, "max-sessions" arg /* Max num of sessions in unit(%) */, "threshold-logging-interval" arg /* Interval of logs for max limit session/memory reached in minutes */, "source-address" ( /* Source IP address used to transport packetlog to a host */ ipv4addr /* Source IP address used to transport packetlog to a host */ ), "host" ( /* Destination host to send packetlog to */ c( ipv4addr /* IP address */, "port" arg /* UDP port number */ ) ) ) ), "application-identification" ( /* Application identification */ c( ("disable"), "application-system-cache" /* Application system cache */, "no-application-system-cache" /* Don't application system cache */, "max-tcp-session-packet-memory" arg /* Max TCP session memory */, "max-udp-session-packet-memory" arg /* Max UDP session memory */, "max-sessions" arg /* Max sessions that can run AI at the same time */, "max-packet-memory" arg /* Max packet memory */, "max-packet-memory-ratio" arg /* Max packet memory ratio */, "max-reass-packet-memory-ratio" arg /* Max reass packet memory ratio */, "application-system-cache-timeout" arg /* Application system cache timeout */ ) ), "flow" ( /* Flow configuration */ c( "log-errors" /* Flow log errors */, "no-log-errors" /* Don't flow log errors */, "reset-on-policy" /* Flow reset-on-policy */, "no-reset-on-policy" /* Don't flow reset-on-policy */, "allow-icmp-without-flow" /* Allow icmp without flow */, "no-allow-icmp-without-flow" /* Don't allow icmp without flow */, "hash-table-size" arg /* Flow hash table size */, "reject-timeout" arg /* Flow reject timeout */, "max-timers-poll-ticks" arg /* Maximum timers poll ticks */, "fifo-max-size" arg /* Maximum fifo size */, "udp-anticipated-timeout" arg /* Maximum udp anticipated timeout */, "allow-nonsyn-connection" /* Allow TCP non-syn connection */, "drop-on-limit" /* Drop connections on exceeding resource limits */, "drop-on-failover" /* Drop traffic on HA failover sessions */, "drop-if-no-policy-loaded" /* Drop all traffic till IDP policy gets loaded */, "max-sessions-offset" arg /* Maximum session offset limit percentage */, "min-objcache-limit-lt" arg /* Memory lower threshold limit percentage */, "min-objcache-limit-ut" arg /* Memory upper threshold limit percentage */, "session-steering" /* Session steering for session anticipation */, "idp-bypass-cpu-usg-overload" /* Enable IDP bypass of sessions/packets on CPU usage overload */, "idp-bypass-cpu-threshold" arg /* Threshold of CPU usage in percentage for IDP bypass */, "idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */ ) ), "re-assembler" ( /* Re-assembler configuration */ c( "drop-on-syn-in-window" /* Drop session when SYN is seen in the window */, "no-drop-on-syn-in-window" /* Don't drop session when SYN is seen in the window */, "ignore-memory-overflow" /* Ignore memory overflow */, "no-ignore-memory-overflow" /* Don't ignore memory overflow */, "ignore-reassembly-memory-overflow" /* Ignore packet reassembly memory overflow */, "no-ignore-reassembly-memory-overflow" /* Don't ignore packet reassembly memory overflow */, "ignore-reassembly-overflow" /* Ignore global reassembly overflow */, "max-packet-mem" arg /* Maximum packet memory */, "max-flow-mem" arg /* Maximum flow memory */, "max-packet-mem-ratio" arg /* Maximum packet memory ratio */, "action-on-reassembly-failure" ( /* Select the action on reassembly failures */ ("ignore" | "drop" | "drop-session") ), "tcp-error-logging" /* Enable logging on tcp errors */, "no-tcp-error-logging" /* Don't enable logging on tcp errors */, "max-synacks-queued" arg /* Maximum syn-acks queued with different SEQ numbers */, "force-tcp-window-checks" /* Force TCP window checks if uni-directional policy is configured */, "no-force-tcp-window-checks" /* Don't force TCP window checks if uni-directional policy is configured */ ) ), "ips" ( /* Ips configuration */ c( "process-override" /* Process override */, "no-process-override" /* Don't process override */, "detect-shellcode" /* Detect shellcode */, "no-detect-shellcode" /* Don't detect shellcode */, "process-ignore-s2c" /* Process ignore s2c */, "no-process-ignore-s2c" /* Don't process ignore s2c */, "ignore-regular-expression" /* Ignore regular expression */, "no-ignore-regular-expression" /* Don't ignore regular expression */, "process-port" arg /* Process port */, "fifo-max-size" arg /* Maximum fifo size */, "log-supercede-min" arg /* Minimum log supercede */, "content-decompression-max-memory-kb" arg /* Maximum memory usage in kilo bytes */, "content-decompression-max-ratio" arg /* Maximum decompression ratio supported */, "session-pkt-depth" arg /* Session pkt scanning depth */ ) ), "global" ( /* Global configuration */ c( "enable-packet-pool" /* Enable packet pool */, "no-enable-packet-pool" /* Don't enable packet pool */, "enable-all-qmodules" /* Enable all qmodules */, "no-enable-all-qmodules" /* Don't enable all qmodules */, "policy-lookup-cache" /* Policy lookup cache */, "no-policy-lookup-cache" /* Don't policy lookup cache */, "memory-limit-percent" arg /* Memory limit percentage */ ) ), "detector" ( /* Detector Configuration */ c( "protocol-name" ( /* Apropriate help string */ proto_object /* Apropriate help string */ ) ) ), "ssl-inspection" ( /* SSL inspection */ c( "sessions" arg /* Number of SSL sessions to inspect */, "session-id-cache-timeout" arg /* Timeout value for SSL session ID cache */, "maximum-cache-size" arg /* Maximum SSL session ID cache size */, "cache-prune-chunk-size" arg /* Number of cache entries to delete when pruning SSL session ID cache */, "key-protection" /* Enable SSL key protection */ ) ), "disable-low-memory-handling" /* Do not abort IDP operations under low memory condition */, "high-availability" ( /* High availability configuration */ c( "no-policy-cold-synchronization" /* Disable policy cold synchronization */ ) ), "security-configuration" ( /* IDP security configuration */ c( "protection-mode" ( /* Enable security protection mode */ ("datacenter" | "datacenter-full" | "perimeter" | "perimeter-full") ) ) ) ) ), "max-sessions" arg /* Max number of IDP sessions */, "logical-system" ( /* Configure max IDP sessions for the logial system */ logical_system_type /* Configure max IDP sessions for the logial system */ ), "processes" /* Configure IDP Processes */ ) ), "address-book" ( /* Security address book */ named_address_book_type /* Security address book */ ), "alg" ( /* Configure ALG security options */ alg_object /* Configure ALG security options */ ), "application-firewall" ( /* Configure application-firewall rule-sets */ c( "traceoptions" ( /* Rule-sets Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "profile" arg ( /* Configure application-firewall profile */ c( "block-message" ( /* Block message settings */ c( "type" ( /* Type of block message desired */ c( c( "custom-text" ( /* Custom defined block message */ c( "content" arg /* Content of custom-text */ ) ), "custom-redirect-url" ( /* Custom redirect URL server */ c( "content" arg /* URL of block message */ ) ) ) ) ) ) ) ) ), "rule-sets" arg ( /* Configure application-firewall rule-sets */ c( "rule" ( /* Rule */ appfw_rule_type /* Rule */ ), "default-rule" ( /* Specify default rule for a rule-set */ c( c( "permit" /* Permit packets */, "deny" ( /* Deny packets */ c( "block-message" /* Block message */ ) ), "reject" ( /* Reject packets */ c( "block-message" /* Block message */ ) ) ) ) ), "profile" arg /* Profile for block message */ ) ), "nested-application" ( /* Configure nested application dynamic lookup */ c( "dynamic-lookup" ( /* Configure dynamic lookup */ c( "enable" /* Enable dynamic lookup */ ) ) ) ) ) ), "application-tracking" ( /* Application tracking configuration */ c( "disable" /* Disable Application tracking */, c( "first-update-interval" arg /* Interval when the first update message is sent */, "first-update" /* Generate Application tracking initial message when a session is created */ ), "session-update-interval" arg /* Frequency in which Application tracking update messages are generated */ ) ), "utm" ( /* Content security service configuration */ c( "traceoptions" ( /* Trace options for utm */ utm_traceoptions /* Trace options for utm */ ), "application-proxy" ( /* Application proxy settings */ c( "traceoptions" ( /* Trace options for application proxy */ utm_apppxy_traceoptions /* Trace options for application proxy */ ) ) ), "ipc" ( /* IPC settings */ c( "traceoptions" ( /* Trace options for IPC */ utm_ipc_traceoptions /* Trace options for IPC */ ) ) ), "custom-objects" ( /* Custom-objects settings */ c( "category-package" ( /* Category package download and install options */ c( "url" arg /* HTTPS URL of category package download */, "proxy-profile" arg /* Proxy profile */, "routing-instance" arg /* Routing instance name */, "automatic" ( /* Scheduled download and install */ c( "start-time" ( /* Start time (YYYY-MM-DD.HH:MM:SS) */ time /* Start time (YYYY-MM-DD.HH:MM:SS) */ ), "interval" arg /* Interval in hours */, "enable" /* Enable automatic download and install */ ) ) ) ), "mime-pattern" ( /* Configure mime-list object */ mime_list_type /* Configure mime-list object */ ), "filename-extension" ( /* Configure extension-list object */ extension_list_type /* Configure extension-list object */ ), "url-pattern" ( /* Configure url-list object */ url_list_type /* Configure url-list object */ ), "custom-url-category" ( /* Configure category-list object */ category_list_type /* Configure category-list object */ ), "protocol-command" ( /* Configure command-list object */ command_list_type /* Configure command-list object */ ), "custom-message" ( /* Configure custom-message object */ custom_message_type /* Configure custom-message object */ ) ) ), "default-configuration" ( /* Global default UTM configurations */ c( "anti-virus" ( /* Configure anti-virus feature */ default_anti_virus_feature /* Configure anti-virus feature */ ), "web-filtering" ( /* Configure web-filtering feature */ default_webfilter_feature /* Configure web-filtering feature */ ), "anti-spam" ( /* Configure anti-spam feature */ default_anti_spam_feature /* Configure anti-spam feature */ ), "content-filtering" ( /* Configure content filtering feature */ default_content_filtering_feature /* Configure content filtering feature */ ) ) ), "feature-profile" ( /* Feature-profile settings */ c( "anti-virus" ( /* Configure anti-virus feature */ anti_virus_feature /* Configure anti-virus feature */ ), "web-filtering" ( /* Configure web-filtering feature */ webfilter_feature /* Configure web-filtering feature */ ), "anti-spam" ( /* Configure anti-spam feature */ anti_spam_feature /* Configure anti-spam feature */ ), "content-filtering" ( /* Configure content filtering feature */ content_filtering_feature /* Configure content filtering feature */ ) ) ), "utm-policy" ( /* Configure profile */ profile_setting /* Configure profile */ ) ) ), "dynamic-address" ( /* Configure security dynamic address */ c( "traceoptions" ( /* Security dynamic address tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "control" | "ipc" | "ip-entry" | "file-retrieval" | "lookup" | "all")) /* Tracing parameters */.as(:oneline) ) ), "feed-server" arg ( /* Security dynamic address feed-server */ c( "description" arg /* Text description of feed-server */, "hostname" arg /* Hostname or IP address of feed-server */, "update-interval" arg /* Interval to retrieve update */, "hold-interval" arg /* Time to keep IP entry when update failed */, "feed-name" arg ( /* Feed name in feed-server */ c( "description" arg /* Text description of feed in feed-server */, "path" arg /* Path of feed, appended to feed-server to form a complete URL */, "update-interval" arg /* Interval to retrieve update */, "hold-interval" arg /* Time to keep IP entry when update failed */ ) ) ) ), "address-name" arg ( /* Security dynamic address name */ c( "description" arg /* Text description of dynamic address */, "profile" ( /* Information to categorize feed data into this dynamic address */ c( "feed-name" arg /* Name of feed in feed-server for this dynamic address */, "category" arg ( /* Name of category */ c( "feed" arg /* Name of feed under category */, "property" arg ( /* Property to match */ c( c( "string" arg /* Value type is strings */ ) ) ) ) ) ) ) ) ) ) ), "dynamic-vpn" /* Configure dynamic VPN */, "dynamic-application" ( /* Configure dynamic-application */ c( "traceoptions" ( /* Dynamic application tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "profile" arg ( /* Configure application-firewall profile */ c( "redirect-message" ( /* Redirect message settings */ c( "type" ( /* Type of redirect message desired */ c( c( "custom-text" ( /* Custom defined text block message */ c( "content" arg /* Content of custom-text */ ) ), "redirect-url" ( /* Custom redirect URL server */ c( "content" arg /* URL of block message */ ) ) ) ) ) ) ) ) ) ) ), "softwires" ( /* Configure softwire feature */ softwires_object /* Configure softwire feature */ ), "forwarding-options" ( /* Security-forwarding-options configuration */ c( "family" ( /* Security forwarding-options for family */ c( "inet6" ( /* Family IPv6 */ c( "mode" ( /* Forwarding mode */ ("packet-based" | "flow-based" | "drop") ) ) ), "mpls" ( /* Family MPLS */ c( "mode" ( /* Forwarding mode */ ("packet-based") ) ) ), "iso" ( /* Family ISO */ c( "mode" ( /* Forwarding mode */ ("packet-based") ) ) ) ) ), "mirror-filter" ( /* Security mirror filters */ mirror_filter_type /* Security mirror filters */ ), "secure-wire" ( /* Secure-wire cross connections */ secure_wire_type /* Secure-wire cross connections */ ) ) ), "advanced-services" /* Advanced services configuration */, "flow" ( /* FLOW configuration */ c( "enhanced-routing-mode" /* Enable enhanced route scaling */, "traceoptions" ( /* Trace options for flow services */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "basic-datapath" | "high-availability" | "host-traffic" | "fragmentation" | "multicast" | "route" | "session" | "session-scan" | "tcp-basic" | "tunnel")) /* Events and other information to include in trace output */.as(:oneline), "rate-limit" arg /* Limit the incoming rate of trace messages */, "packet-filter" ( /* Flow packet debug filters */ flow_filter_type /* Flow packet debug filters */ ), "trace-level" ( /* FLow trace level */ c( c( "error" /* Error messages */, "brief" /* Brief messages */, "detail" /* Detail messages */ ) ) ) ) ), "pending-sess-queue-length" ( /* Maximum queued length per pending session */ ("normal" | "moderate" | "high") ), "enable-reroute-uniform-link-check" ( /* Enable reroute check with uniform link */ c( "nat" /* Enable NAT check */ ) ), "allow-dns-reply" /* Allow unmatched incoming DNS reply packet */, "route-change-timeout" arg /* Timeout value for route change to nonexistent route */, "syn-flood-protection-mode" ( /* TCP SYN flood protection mode */ ("syn-cookie" | "syn-proxy") ), "allow-embedded-icmp" /* Allow embedded ICMP packets not matching a session to pass through */, "mcast-buffer-enhance" /* Allow to hold more packets during multicast session creation */, "allow-reverse-ecmp" /* Allow reverse ECMP route lookup */, "sync-icmp-session" /* Allow icmp sessions to sync to peer node */, "ipsec-performance-acceleration" /* Accelerate the IPSec traffic performance */, "aging" ( /* Aging configuration */ c( "early-ageout" arg /* Delay before device declares session invalid */, "low-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out ends */, "high-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out starts */ ) ), "ethernet-switching" ( /* Ethernet-switching configuration for flow */ c( "block-non-ip-all" /* Block all non-IP and non-ARP traffic including broadcast/multicast */, "bypass-non-ip-unicast" /* Allow all non-IP (including unicast) traffic */, "no-packet-flooding" ( /* Stop IP flooding, send ARP/ICMP to trigger MAC learning */ c( "no-trace-route" /* Don't send ICMP to trigger MAC learning */ ) ), "bpdu-vlan-flooding" /* Set 802.1D BPDU flooding based on VLAN */ ) ), "tcp-mss" ( /* TCP maximum segment size configuration */ c( "all-tcp" ( /* Enable MSS override for all packets */ c( "mss" arg /* MSS value */ ) ), "ipsec-vpn" ( /* Enable MSS override for all packets entering IPSec tunnel */ c( "mss" arg /* MSS value */ ) ), "gre-in" ( /* Enable MSS override for all GRE packets coming out of an IPSec tunnel */ c( "mss" arg /* MSS value */ ) ), "gre-out" ( /* Enable MSS override for all GRE packets entering an IPsec tunnel */ c( "mss" arg /* MSS value */ ) ) ) ), "tcp-session" ( /* Transmission Control Protocol session configuration */ c( "rst-invalidate-session" /* Immediately end session on receipt of reset (RST) segment */, "fin-invalidate-session" /* Immediately end session on receipt of fin (FIN) segment */, "rst-sequence-check" /* Check sequence number in reset (RST) segment */, "no-syn-check" /* Disable creation-time SYN-flag check */, "strict-syn-check" /* Enable strict syn check */, "no-syn-check-in-tunnel" /* Disable creation-time SYN-flag check for tunnel packets */, "no-sequence-check" /* Disable sequence-number checking */, "tcp-initial-timeout" arg /* Timeout for TCP session when initialization fails */, "maximum-window" ( /* Maximum TCP proxy scaled receive window, default 256K bytes */ ("64K" | "128K" | "256K" | "512K" | "1M") ), "time-wait-state" ( /* Session timeout value in time-wait state, default 150 seconds */ c( c( "session-ageout" /* Allow session to ageout using service based timeout values */, "session-timeout" arg /* Configure session timeout value for time-wait state */ ), "apply-to-half-close-state" /* Apply time-wait-state timeout to half-close state */ ) ) ) ), "force-ip-reassembly" /* Force to reassemble ip fragments */, "preserve-incoming-fragment-size" /* Preserve incoming fragment size for egress MTU */, "advanced-options" ( /* Flow config advanced options */ c( "drop-matching-reserved-ip-address" /* Drop matching reserved source IP address */, "drop-matching-link-local-address" /* Drop matching link local address */, "reverse-route-packet-mode-vr" /* Allow reverse route lookup with packet mode vr */ ) ), "load-distribution" ( /* Flow config SPU load distribution */ c( "session-affinity" /* SPU load distribution based on the service anchor SPU */ ) ), "packet-log" ( /* Configure flow packet log */ c( "enable" /* Enable log for dropped packet */, "throttle-interval" arg /* Interval should be configured as a power of two */, "packet-filter" ( /* Configure packet log filter */ flow_filter_type /* Configure packet log filter */ ) ) ), "power-mode-ipsec" /* Enable power mode ipsec processing */ ) ), "firewall-authentication" ( /* Firewall authentication parameters */ c( "traceoptions" ( /* Data-plane firewall authentication tracing options */ c( "flag" enum(("authentication" | "proxy" | "all")) ( /* Events to include in trace output */ sc( c( "terse" /* Include terse amount of output in trace */, "detail" /* Include detailed amount of output in trace */, "extensive" /* Include extensive amount of output in trace */ ) ) ).as(:oneline) ) ) ) ), "screen" ( /* Configure screen feature */ c( "trap" ( /* Configure trap interval */ sc( "interval" arg /* Trap interval */ ) ).as(:oneline), "ids-option" ( /* Configure ids-option */ ids_option_type /* Configure ids-option */ ), "traceoptions" ( /* Trace options for Network Security Screen */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "all")) /* Tracing parameters */.as(:oneline) ) ), "white-list" ( /* Set of IP addresses for white list */ ids_wlist_type /* Set of IP addresses for white list */ ) ) ), "nat" ( /* Configure Network Address Translation */ nat_object /* Configure Network Address Translation */ ), "forwarding-process" ( /* Configure security forwarding-process options */ c( "enhanced-services-mode" /* Enable enhanced application services mode */, "application-services" ( /* Configure application service options */ c( "maximize-alg-sessions" /* Maximize ALG session capacity */, "maximize-persistent-nat-capacity" /* Increase persistent NAT capacity by reducing maximum flow sessions */, "maximize-cp-sessions" /* Maximize CP session capacity */, "session-distribution-mode" arg /* Session distribution mode */, "enable-gtpu-distribution" /* Enable GTP-U distribution */, "packet-ordering-mode" arg /* Packet ordering mode */, "maximize-idp-sessions" /* Run security services in dedicated processes to maximize IDP session capacity */ ) ) ) ), "policies" ( /* Configure Network Security Policies */ policy_object_type /* Configure Network Security Policies */ ), "tcp-encap" ( /* Configure TCP Encapsulation. */ c( "traceoptions" ( /* Trace options for TCP encapsulation service */ ragw_traceoptions /* Trace options for TCP encapsulation service */ ), "profile" arg ( /* Configure profile. */ c( "ssl-profile" arg /* SSL Termination profile */, "log" /* Enable logging for remote-access */ ) ), "global-options" ( /* Global settings for TCP encapsulation */ c( "enable-tunnel-tracking" /* Track ESP tunnels */ ) ) ) ), "resource-manager" ( /* Configure resource manager security options */ c( "traceoptions" ( /* Traceoptions for resource manager */ c( "flag" enum(("client" | "group" | "resource" | "gate" | "session" | "chassis cluster" | "messaging" | "service pinhole" | "error" | "all")) ( /* Resource manager objects and events to include in trace */ sc( c( "terse" /* Set trace verbosity level to terse */, "detail" /* Set trace verbosity level to detail */, "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "analysis" ( /* Configure security analysis */ c( "no-report" /* Stops security analysis reporting */ ) ), "traceoptions" ( /* Network security daemon tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "compilation" | "all")) /* Tracing parameters */.as(:oneline), "rate-limit" arg /* Limit the incoming rate of trace messages */ ) ), "datapath-debug" ( /* Datapath debug options */ c( "traceoptions" ( /* End to end debug trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline) ) ), "capture-file" ( /* Packet capture options */ sc( arg /* Capture file name */, "format" ( /* Capture file format */ ("pcap") ), "size" arg /* Maximum file size */, "files" arg /* Maximum number of files */, "world-readable" /* Allow any user to read packet-capture files */, "no-world-readable" /* Don't allow any user to read packet-capture files */ ) ).as(:oneline), "maximum-capture-size" arg /* Max packet capture length */, "action-profile" ( /* Action profile definitions */ e2e_action_profile /* Action profile definitions */ ), "packet-filter" ( /* Packet filter configuration */ end_to_end_debug_filter /* Packet filter configuration */ ) ) ), "user-identification" ( /* Configure user-identification */ c( "traceoptions" ( /* User-identification Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all")) /* Tracing parameters */.as(:oneline) ) ), "authentication-source" ( /* Configure user-identification authentication-source */ authentication_source_type /* Configure user-identification authentication-source */ ) ) ), "zones" ( /* Zone configuration */ c( "functional-zone" ( /* Functional zone */ c( "management" ( /* Host for out of band management interfaces */ c( "interfaces" ( /* Interfaces that are part of this zone */ zone_interface_list_type /* Interfaces that are part of this zone */ ), "screen" arg /* Name of ids option object applied to the zone */, "host-inbound-traffic" ( /* Allowed system services & protocols */ zone_host_inbound_traffic_t /* Allowed system services & protocols */ ), "description" arg /* Text description of zone */ ) ) ) ), "security-zone" ( /* Security zones */ security_zone_type /* Security zones */ ) ) ), "advance-policy-based-routing" ( /* Configure Network Security APBR Policies */ c( "traceoptions" ( /* Advance policy based routing tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "tunables" ( /* Configure advance policy based routing tunables */ c( "max-route-change" arg /* Maximum route change */, "drop-on-zone-mismatch" /* Drop session if zone mismatches */, "enable-logging" /* Enable AppTrack logging */ ) ), "profile" arg ( /* Configure advance-policy-based-routing profile */ c( "rule" ( /* Specify an advance policy based routing rule */ apbr_rule_type /* Specify an advance policy based routing rule */ ) ) ), "active-probe-params" arg ( /* Active probe's settings */ c( "settings" ( /* Settings */ appqoe_probe_params /* Settings */ ) ) ), "metrics-profile" arg ( /* Configure metric profiles */ c( "sla-threshold" ( /* Configure SLA metric threshold */ appqoe_sla_metric_profile /* Configure SLA metric threshold */ ) ) ), "overlay-path" arg ( /* List of overlay paths */ c( "tunnel-path" ( /* Tunnel start & end ip addresses */ appqoe_probe_path /* Tunnel start & end ip addresses */ ), "probe-path" ( /* Probe start & end ip addresses */ appqoe_probe_path /* Probe start & end ip addresses */ ) ) ), "destination-path-group" arg ( /* Group of tunnels to a particular destination */ c( "probe-routing-instance" ( /* Set routing instance for the probe-path */ c( arg /* Name of routing instance */ ) ), "overlay-path" arg /* List of paths */ ) ), "sla-options" ( /* Global SLA options */ c( "local-route-switch" ( /* Enable/disable Automatic local route switching */ c( c( "enabled" /* Enable */, "disabled" /* Disable */ ) ) ), "log-type" ( /* Choose the logging mechanism */ c( c( "syslog" /* Choose syslog */ ) ) ), "max-passive-probe-limit" ( /* Set max passive probe limits */ c( "number-of-probes" ( /* Number of passive probes to be sent */ c( arg ) ), "interval" ( /* Interval within which to send */ c( arg ) ) ) ) ) ), "sla-rule" arg ( /* Create SLA rule */ c( "switch-idle-time" ( /* Idle timeout period where no SLA violation will be detected once path switch has happened */ c( arg ) ), "metrics-profile" ( /* Set metrics profile for the SLA */ c( arg /* Metrics Profile name */ ) ), "active-probe-params" ( /* Set Probe params for the overlay-path */ c( arg /* Probe parameter's name */ ) ), "passive-probe-params" ( /* Passive probe settings */ c( "sampling-percentage" ( /* Mininmum percentage of Sessions to be evaluated for the application */ c( arg ) ), "violation-count" ( /* Number of SLA violations within sampling period to be considered as a violation. */ c( arg ) ), "sampling-period" ( /* Time period in which the sampling is done */ c( arg ) ), "sla-export-factor" ( /* Enabled sampling window based SLA exporting */ c( arg ) ), "type" ( /* Choose type of SLA measurement */ c( c( "book-ended" /* Choose custom method of probing within WAN link */ ) ) ), "sampling-frequency" ( /* Sampling frequency settings */ c( "interval" ( /* Time based sampling interval */ c( arg ) ), "ratio" ( /* 1:N based sampling ratio */ c( arg ) ) ) ) ) ) ) ), "policy" arg ( /* Define a policy context from this zone */ c( "policy" ( /* Define security policy in specified zone-to-zone direction */ sla_policy_type /* Define security policy in specified zone-to-zone direction */ ) ) ) ) ), "gprs" ( /* GPRS configuration */ c( "gtp" ( /* GPRS tunneling protocol configuration */ c( "profile" arg ( /* Configure GTP Profile */ c( "min-message-length" arg /* Minimum message length, from 0 to 65535 */, "max-message-length" arg /* Maximum message length, from 1 to 65535 */, "timeout" arg /* Tunnel idle timeout */, "rate-limit" arg /* Limit messages per second */, "log" ( /* GPRS tunneling protocol logs */ c( "forwarded" ( /* Log passed good packets */ ("basic" | "detail") ), "state-invalid" ( /* Dropped by state-inspection or sanity failure */ ("basic" | "detail") ), "prohibited" ( /* Dropped for type/length/version filtering */ ("basic" | "detail") ), "gtp-u" enum(("all" | "dropped")) /* Logs for gtp-u */, "rate-limited" ( /* Dropped for rate-limit */ c( c( "basic" /* Basic logs */, "detail" /* Detailed logs */ ), "frequency-number" arg /* Logging frequency over threshold, set by rate-limit */ ) ) ) ), "remove-ie" ( /* Remove information elements */ c( "version" enum(("v1")) ( /* GTP version */ c( "release" enum(("R6" | "R7" | "R8" | "R9")) /* Remove information elements by release */, "number" ( /* Remove information elements by number */ c( arg ) ) ) ) ) ), "path-rate-limit" ( /* Limit control messages based on IP pairs */ c( "message-type" enum(("create-req" | "delete-req" | "echo-req" | "other")) ( /* Specific group of control messages */ c( "drop-threshold" ( /* Set drop threshold for path rate limiting */ c( "forward" arg /* Limit messages of forward direction */, "reverse" arg /* Limit messages of reverse direction */ ) ), "alarm-threshold" ( /* Set alarm threshold for path rate limiting */ c( "forward" arg /* Limit messages of forward direction */, "reverse" arg /* Limit messages of reverse direction */ ) ) ) ) ) ), "drop" ( /* Drop certain type of messages */ c( "aa-create-pdp" ( /* Create AA pdp request/response message */ c( c( "0" /* Version 0 */ ) ) ), "aa-delete-pdp" ( /* Delete AA pdp request/response message */ c( c( "0" /* Version 0 */ ) ) ), "bearer-resource" ( /* Bearer resource command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "change-notification" ( /* Change notification request/response message */ c( c( "2" /* Version 2 */ ) ) ), "config-transfer" ( /* Configuration transfer message */ c( c( "2" /* Version 2 */ ) ) ), "context" ( /* Context request/response/ack message */ c( c( "2" /* Version 2 */ ) ) ), "create-bearer" ( /* Create bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-data-forwarding" ( /* Create indirect data forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-pdp" ( /* Create pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "create-session" ( /* Create session request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-tnl-forwarding" ( /* Create forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "cs-paging" ( /* CS paging indication message */ c( c( "2" /* Version 2 */ ) ) ), "data-record" ( /* Data record request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "delete-bearer" ( /* Delete bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-command" ( /* Delete bearer command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "delete-data-forwarding" ( /* Delete indirect data forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-pdn" ( /* Delete PDN connection set request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-pdp" ( /* Delete pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "delete-session" ( /* Delete session request/response message */ c( c( "2" /* Version 2 */ ) ) ), "detach" ( /* Detach notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "downlink-notification" ( /* Downlink data notification/ack/failure message */ c( c( "2" /* Version 2 */ ) ) ), "echo" ( /* Echo request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "error-indication" ( /* Error indication message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "failure-report" ( /* Failure report request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "fwd-access" ( /* Forward access context notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "fwd-relocation" ( /* Forward relocation request/response/comp/comp-ack message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "fwd-srns-context" ( /* Forward SRNS context/context-ack message */ c( c( "1" /* Version 1 */ ) ) ), "g-pdu" ( /* G-PDU (user PDU) message/T-PDU */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "identification" ( /* Identification request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-start" ( /* MBMS session start request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-stop" ( /* MBMS session stop request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-update" ( /* MBMS session update request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "modify-bearer" ( /* Modify bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "modify-command" ( /* Modify bearer command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "node-alive" ( /* Node alive request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "note-ms-present" ( /* Note MS GPRS present request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "pdu-notification" ( /* PDU notification requst/response/reject/reject-response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "ran-info" ( /* RAN info relay message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "redirection" ( /* Redirection request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "release-access" ( /* Release access-bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "relocation-cancel" ( /* Relocation cancel request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "resume" ( /* Resume notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "send-route" ( /* Send route info request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "sgsn-context" ( /* SGSN context request/response/ack message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "stop-paging" ( /* Stop paging indication message */ c( c( "2" /* Version 2 */ ) ) ), "supported-extension" ( /* Supported extension headers notification message */ c( c( "1" /* Version 1 */ ) ) ), "suspend" ( /* Suspend notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "trace-session" ( /* Trace session activation/deactivation message */ c( c( "2" /* Version 2 */ ) ) ), "update-bearer" ( /* Update bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "update-pdn" ( /* Update PDN connection set request/response message */ c( c( "2" /* Version 2 */ ) ) ), "update-pdp" ( /* Update pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "ver-not-supported" ( /* Version not supported message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ) ) ), "apn" arg ( /* GTP Access Point Name (APN) filter */ c( "imsi-prefix" arg ( /* Specific filter prefix digits for International Mobile Subscriber Identification(IMSI) */ c( "action" ( /* Configure GTP profile APN action */ c( c( "pass" /* Pass all selection modes for this APN */, "drop" /* Drop all selection modes for this APN */, "selection" ( /* Allowed selection modes for this APN */ c( "ms" /* Mobile Station selection mode */, "net" /* Network selection mode */, "vrf" /* Subscriber verified mode */ ) ) ) ) ) ) ) ) ), "restart-path" ( /* Restart GTP paths */ ("echo" | "create" | "all") ), "seq-number-validated" /* Validate G-PDU sequence number */, "gtp-in-gtp-denied" /* Deny nested GTP */, "u-tunnel-validated" /* Validate GTP-u tunnel */, "end-user-address-validated" /* Validate end user address */, "req-timeout" arg /* Request message timeout, default timeout value 5 seconds */, "handover-on-roaming-intf" /* Enable tunnel setup by Handover messages on roaming interface */, "handover-group" ( /* SGSN handover group configuration */ c( arg ) ) ) ), "traceoptions" ( /* Trace options for GPRS tunneling protocol */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "parser" | "chassis-cluster" | "gsn" | "jmpi" | "tnl" | "req" | "path" | "all")) /* Tracing parameters */.as(:oneline), "trace-level" ( /* GTP trace level */ c( c( "error" /* Match error conditions */, "warning" /* Match warning messages */, "notice" /* Match conditions that should be handled specially */, "info" /* Match informational messages */, "verbose" /* Match verbose messages */ ) ) ) ) ), "handover-group" arg ( /* Set handover group */ c( "address-book" arg ( /* Set addreess book */ c( "address-set" ( /* Set address set */ c( arg ) ) ) ) ) ), "handover-default" ( /* Set handover default deny */ c( "deny" /* Handover default deny */ ) ) ) ), "sctp" ( /* GPRS stream control transmission protocol configuration */ c( "profile" arg ( /* Configure stream transmission protocol */ c( "nat-only" /* Only do payload IPs translation for SCTP packet */, "association-timeout" arg /* SCTP association timeout length, in minutes */, "handshake-timeout" arg /* SCTP handshake timeout, in seconds */, "drop" ( /* Disallowed SCTP payload message */ c( "m3ua-service" enum(("sccp" | "tup" | "isup")) /* MTP level 3 (MTP3) user adaptation layer service */.as(:oneline), "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) ) ), "permit" ( /* Permit SCTP payload message */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) ) ), "limit" ( /* Packet limits */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ sc( "rate" arg /* Rate limit */ ) ).as(:oneline), "address" arg ( /* Rate limit for a list of IP addresses */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ sc( "rate" arg /* Rate limit */ ) ).as(:oneline) ) ), "rate" ( /* Rate limit */ c( "sccp" arg /* Global SCCP messages rate limit */, "ssp" arg /* Global SSP messages rate limit */, "sst" arg /* Global SST messages rate limit */, "address" arg ( /* Rate limit for a list of IP addresses */ c( "sccp" arg /* SCCP messages rate limit */, "ssp" arg /* SSP messages rate limit */, "sst" arg /* SST messages rate limit */ ) ) ) ) ) ) ) ), "multichunk-inspection" ( /* Configure for SCTP multi chunks inspection */ c( c( "disable" /* Set multichunk inspection flag to disable */ ) ) ), "nullpdu" ( /* Configure for SCTP NULLPDU protocol value */ c( "protocol" ( /* SCTP NULLPDU payload protocol identifier */ c( c( "ID-0x0000" /* Set 0x0000 to be NULLPDU ID value */, "ID-0xFFFF" /* Set 0xFFFF to be NULLPDU ID value */ ) ) ) ) ), "log" enum(("configuration" | "rate-limit" | "association" | "data-message-drop" | "control-message-drop" | "control-message-all")) /* GPRS stream control transmission protocol logs */.as(:oneline), "traceoptions" ( /* Trace options for GPRS stream control transmission protocol */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "detail" | "flow" | "parser" | "chassis-cluster" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ) ) ), "ngfw" ( /* Next generation unified L4/L7 firewall */ c( "default-profile" ( /* Unified L4/L7 firewall default profile configuration */ c( "ssl-proxy" ( /* SSL proxy services */ c( "profile-name" arg /* Specify SSL proxy service profile name */ ) ), "application-traffic-control" ( /* Application traffic control services */ jsf_application_traffic_control_rule_set_type /* Application traffic control services */ ) ) ) ) ), "macsec" ( /* MAC Security configuration */ security_macsec /* MAC Security configuration */ ) ) ), "applications" ( /* Define applications by protocol characteristics */ c( "application" ( /* Define an application */ application_object /* Define an application */ ), "application-set" ( /* Define an application set */ application_set_object /* Define an application set */ ) ) ), "schedulers" ( /* Security scheduler */ c( "scheduler" ( /* Scheduler configuration */ scheduler_object_type /* Scheduler configuration */ ) ) ), "vlans" ( /* VLAN configuration */ c( vlan_types /* Virtual LAN */ ) ) ) ) end rule(:arp_interface_type) do arg.as(:arg) ( c( "aging-timer" arg /* Change the ARP aging time value */ ) ) end rule(:cflowd_sampling_inet_lr_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" ( /* Export data in version 9 format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ) ) ) end rule(:aggregation_type) do c( "autonomous-system" /* Aggregate by autonomous system number */, "protocol-port" /* Aggregate by protocol and port number */, "source-prefix" /* Aggregate by source prefix */, "destination-prefix" /* Aggregate by destination prefix */, "source-destination-prefix" ( /* Aggregate by source and destination prefix */ c( "caida-compliant" /* Compatible with Caida record format for prefix aggregation (v8) */ ) ) ) end rule(:cflowd_sampling_mpls_lr_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" /* Export data in version 9 format */, "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ) ) ) end rule(:jdhcp_local_server_type) do c( "traceoptions" ( /* DHCP local server trace options */ jdhcp_traceoptions_type /* DHCP local server trace options */ ), "interface-traceoptions" ( /* DHCP local server interface trace options */ jdhcp_interface_traceoptions_type /* DHCP local server interface trace options */ ), "dhcpv6" ( /* DHCPv6 configuration */ dhcpv6_local_server_type /* DHCPv6 configuration */ ), "pool-match-order" enum(("external-authority" | "ip-address-first" | "option-82" | "option-82-strict")) /* Define order of attribute matching for pool selection */, "duplicate-clients-on-interface" /* Allow duplicate clients on different interfaces in a subnet */, "duplicate-clients-in-subnet" ( /* Allow duplicate clients in a subnet */ jdhcp_duplicate_clients_in_subnet_type /* Allow duplicate clients in a subnet */ ).as(:oneline), "forward-snooped-clients" ( /* Forward snooped (unicast) packets */ sc( c( "configured-interfaces" /* Forward snooped (unicast) packets on configured interfaces */, "non-configured-interfaces" /* Forward snooped (unicast) packets on non-configured interfaces */, "all-interfaces" /* Forward snooped (unicast) packets on configured and non-configured interfaces */ ) ) ).as(:oneline), "authentication" ( /* DHCP authentication */ authentication_type /* DHCP authentication */ ), "persistent-storage" ( /* Trigger to enable flat file storage */ sc( "automatic" /* Trigger automatically */ ) ).as(:oneline), "liveness-detection" ( /* DHCP client liveness detection processing */ dhcp_liveness_detection_type /* DHCP client liveness detection processing */ ), "reconfigure" ( /* DHCP reconfigure processing */ reconfigure_type /* DHCP reconfigure processing */ ), "overrides" ( /* DHCP override processing */ override_local_server_type /* DHCP override processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "route-suppression" ( /* Suppress access-internal and/or destination route addition */ dhcp_route_suppression_type /* Suppress access-internal and/or destination route addition */ ), "group" ( /* Define a DHCP local server group */ dhcp_local_server_group /* Define a DHCP local server group */ ), "dual-stack-group" ( /* Define a DHCP dual stack group */ dhcp_local_server_dual_stack_group /* Define a DHCP dual stack group */ ), "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation seconds */, "violation-action" ( /* Lease time validation violation action */ sc( c( "strict" /* Reject discover and renew */, "override-lease" /* Override assigned lease time with threshold */ ) ) ).as(:oneline) ) ), c( "requested-ip-network-match" arg /* Subnet to match server's address for active and giaddr for passive clients */, "requested-ip-interface-match" /* Use incoming-interface's subnet to check */ ), "no-snoop" /* Do not snoop DHCP packets */, "allow-leasequery" ( /* Allow DHCP leasequery */ server_leasequery_type /* Allow DHCP leasequery */ ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ), "reauthenticate" ( /* DHCP client reauthenticate processing */ sc( "lease-renewal" /* Reauthenticate on each renew, rebind, DISCOVER or SOLICIT */, "remote-id-mismatch" /* Reauthenticate on remote-id mismatch for renew, rebind and re-negotiation */ ) ).as(:oneline), "allow-bulk-leasequery" ( /* Allow DHCP bulk leasequery */ server_bulk_leasequery_type /* Allow DHCP bulk leasequery */ ) ) end rule(:dhcp_local_server_dual_stack_group) do arg.as(:arg) ( c( "authentication" ( /* DHCP authentication */ dual_stack_authentication_type /* DHCP authentication */ ), "access-profile" arg /* Access profile to be used for jdhcpd */, "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "on-demand-address-allocation" /* Allocate addresses on demand */, "classification-key" ( /* Classification key for identifying dual stack household */ classification_types /* Classification key for identifying dual stack household */ ), "dual-stack-interface-client-limit" arg /* Limit the number of client allowed on an interface */, "protocol-master" ( /* Select family as protocol master */ jdhcp_dual_stack_protocol_mstr_type /* Select family as protocol master */ ).as(:oneline), "liveness-detection" ( /* DHCP client liveness detection processing */ dhcp_liveness_detection_dualstack_type /* DHCP client liveness detection processing */ ), "reauthenticate" ( /* DHCP client reauthenticate processing */ sc( "lease-renewal" /* Reauthenticate on each renew, rebind, DISCOVER or SOLICIT */, "remote-id-mismatch" /* Reauthenticate on remote-id mismatch for renew, rebind and re-negotiation */ ) ).as(:oneline), "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline) ) ) end rule(:dhcp_local_server_group) do arg.as(:arg) ( c( "authentication" ( /* DHCP authentication */ authentication_type /* DHCP authentication */ ), "liveness-detection" ( /* DHCP client liveness detection processing */ dhcp_liveness_detection_type /* DHCP client liveness detection processing */ ), "reconfigure" ( /* DHCP reconfigure processing */ reconfigure_type /* DHCP reconfigure processing */ ), "overrides" ( /* DHCP override processing */ override_local_server_type /* DHCP override processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "route-suppression" ( /* Suppress access-internal and/or destination route addition */ dhcp_route_suppression_type /* Suppress access-internal and/or destination route addition */ ), "interface" arg ( /* One or more interfaces */ c( "upto" ( /* Interface up to */ interface_name /* Interface up to */ ), "exclude" /* Exclude this interface range */, "trace" /* Enable tracing for this interface */, "overrides" ( /* DHCP override processing */ override_local_server_type /* DHCP override processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline) ) ), "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation seconds */, "violation-action" ( /* Lease time validation violation action */ sc( c( "strict" /* Reject discover and renew */, "override-lease" /* Override assigned lease time with threshold */ ) ) ).as(:oneline) ) ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ), "reauthenticate" ( /* DHCP client reauthenticate processing */ sc( "lease-renewal" /* Reauthenticate on each renew, rebind, DISCOVER or SOLICIT */, "remote-id-mismatch" /* Reauthenticate on remote-id mismatch for renew, rebind and re-negotiation */ ) ).as(:oneline) ) ) end rule(:dhcpv6_local_server_type) do c( "authentication" ( /* DHCPv6 authentication */ dhcpv6_authentication_type /* DHCPv6 authentication */ ), "liveness-detection" ( /* DHCPv6 client liveness detection processing */ dhcpv6_liveness_detection_type /* DHCPv6 client liveness detection processing */ ), "reconfigure" ( /* DHCPv6 reconfigure processing */ dhcpv6_reconfigure_type /* DHCPv6 reconfigure processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "forward-snooped-clients" ( /* Forward snooped (unicast) packets */ sc( c( "configured-interfaces" /* Forward snooped (unicast) packets on configured interfaces */, "non-configured-interfaces" /* Forward snooped (unicast) packets on non-configured interfaces */, "all-interfaces" /* Forward snooped (unicast) packets on configured and non-configured interfaces */ ) ) ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "overrides" ( /* DHCPv6 override processing */ dhcpv6_override_local_server_type /* DHCPv6 override processing */ ), "route-suppression" ( /* Suppress access-internal and/or access route addition */ dhcpv6_route_suppression_type /* Suppress access-internal and/or access route addition */ ), "group" ( /* Define a DHCPv6 local server group */ dhcpv6_local_server_group /* Define a DHCPv6 local server group */ ), "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation seconds */, "violation-action" ( /* Lease time validation violation action */ sc( c( "strict" /* Reject solicit and renew */, "override-lease" /* Override assigned lease time with threshold */ ) ) ).as(:oneline) ) ), c( "requested-ip-network-match" arg /* Subnet to match server's address for active and link-address for passive clients */, "requested-ip-interface-match" /* Use incoming-interface's subnet to check */ ), "no-snoop" /* Do not snoop DHCPV6 packets */, "persistent-storage" ( /* Trigger to enable flat file storage */ sc( "automatic" /* Trigger automatically */ ) ).as(:oneline), "server-duid-type" ( /* Define the DUID type to be used as the Server ID. Type supported is DUID-LL */ duid_type /* Define the DUID type to be used as the Server ID. Type supported is DUID-LL */ ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ), "reauthenticate" ( /* DHCP client reauthenticate processing */ sc( "lease-renewal" /* Reauthenticate on each renew, rebind, DISCOVER or SOLICIT */, "remote-id-mismatch" /* Reauthenticate on remote-id mismatch for renew, rebind and re-negotiation */ ) ).as(:oneline), "allow-leasequery" ( /* Allow DHCPv6 leasequery */ server_leasequery_type /* Allow DHCPv6 leasequery */ ), "allow-bulk-leasequery" ( /* Allow DHCPv6 bulk leasequery */ server_bulk_leasequery_type /* Allow DHCPv6 bulk leasequery */ ), "duplicate-clients" ( /* Allow duplicate clients */ dhcpv6_duplicate_clients_type /* Allow duplicate clients */ ).as(:oneline), "dynamic-server" ( /* DHCPv6 dynamic server configuration */ dhcpv6_dynamic_server_type /* DHCPv6 dynamic server configuration */ ) ) end rule(:dhcpv6_dynamic_server_type) do c( "overrides" ( /* DHCPv6 override processing */ dhcpv6_override_dynamic_server_type /* DHCPv6 override processing */ ), "group" ( /* Define a DHCPv6 dynamic server group */ dhcpv6_dynamic_server_group /* Define a DHCPv6 dynamic server group */ ) ) end rule(:dhcpv6_dynamic_server_group) do arg.as(:arg) ( c( "neighbor-discovery-router-advertisement" arg /* Designated NDRA pool for this group */, "overrides" ( /* DHCP override processing */ dhcpv6_override_dynamic_server_type /* DHCP override processing */ ), "interface" arg ( /* One or more interfaces */ c( "overrides" ( /* DHCP override processing */ dhcpv6_override_dynamic_server_type /* DHCP override processing */ ) ) ) ) ) end rule(:dhcpv6_local_server_group) do arg.as(:arg) ( c( "authentication" ( /* DHCP authentication */ dhcpv6_authentication_type /* DHCP authentication */ ), "liveness-detection" ( /* DHCPv6 client liveness detection processing */ dhcpv6_liveness_detection_type /* DHCPv6 client liveness detection processing */ ), "reconfigure" ( /* DHCPv6 reconfigure processing */ dhcpv6_reconfigure_type /* DHCPv6 reconfigure processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline), "overrides" ( /* DHCP override processing */ dhcpv6_override_local_server_type /* DHCP override processing */ ), "route-suppression" ( /* Suppress access-internal and/or access route addition */ dhcpv6_route_suppression_type /* Suppress access-internal and/or access route addition */ ), "interface" arg ( /* One or more interfaces */ c( "upto" ( /* Interface up to */ interface_name /* Interface up to */ ), "exclude" /* Exclude this interface range */, "trace" /* Enable tracing for this interface */, "overrides" ( /* DHCP override processing */ dhcpv6_override_local_server_type /* DHCP override processing */ ), "dynamic-profile" ( /* Dynamic profile to use */ dynamic_profile_type /* Dynamic profile to use */ ).as(:oneline), "service-profile" arg /* Dynamic profile to use for default service activation */, "access-profile" arg /* Access profile to use for AAA services */, "short-cycle-protection" ( /* Short cycle lockout configuration */ sc( "lockout-min-time" arg /* Short cycle lockout time in seconds */, "lockout-max-time" arg /* Short cycle lockout time in seconds */ ) ).as(:oneline) ) ), "lease-time-validation" ( /* Configure lease time violation validation */ c( "lease-time-threshold" arg /* Threshold for lease time violation seconds */, "violation-action" ( /* Lease time validation violation action */ sc( c( "strict" /* Reject solicit and renew */, "override-lease" /* Override assigned lease time with threshold */ ) ) ).as(:oneline) ) ), "remote-id-mismatch" ( /* DHCP client remote-id mismatch */ dhcp_remote_id_mismatch_type /* DHCP client remote-id mismatch */ ), "reauthenticate" ( /* DHCP client reauthenticate processing */ sc( "lease-renewal" /* Reauthenticate on each renew, rebind, DISCOVER or SOLICIT */, "remote-id-mismatch" /* Reauthenticate on remote-id mismatch for renew, rebind and re-negotiation */ ) ).as(:oneline) ) ) end rule(:dhcpv6_override_dynamic_server_type) do c( "interface-client-limit" arg /* Limit the number of clients allowed on an interface */, "rapid-commit" /* Enable rapid commit processing */, "process-inform" ( /* Process INFORMATION request PDUs */ c( "pool" arg /* Pool name for family inet6 */ ) ), "delegated-pool" arg /* Delegated pool name for inet6 */, "ia-na-pool" arg /* IA_NA pool name for inet6 */ ) end rule(:dhcpv6_override_local_server_type) do c( "interface-client-limit" arg /* Limit the number of clients allowed on an interface */, "rapid-commit" /* Enable rapid commit processing */, "client-negotiation-match" ( /* Use secondary match criteria for SOLICIT PDU */ sc( c( "incoming-interface" /* Use incoming interface */ ) ) ).as(:oneline), "process-inform" ( /* Process INFORMATION request PDUs */ c( "pool" arg /* Pool name for family inet6 */ ) ), "delay-advertise" ( /* Filter options for dhcp-server */ dhcpv6_filter_option /* Filter options for dhcp-server */ ), "delegated-pool" arg /* Delegated pool name for inet6 */, "multi-address-embedded-option-response" /* If the client requests multiple addresses place the options in each address */, "always-process-option-request-option" /* Always process option even after address allocation failure */, "delete-binding-on-renegotiation" /* Delete binding on renegotiation */, "top-level-status-code" /* A top level status code option rather than encapsulated in IA for NoAddrsAvail in Advertise PDUs */, "always-add-option-dns-server" /* Add option-23, DNS recursive name server in Advertise and Reply */, "asymmetric-lease-time" arg /* Use a reduced lease time for the client. In seconds */, "asymmetric-prefix-lease-time" arg /* Use a reduced prefix lease time for the client. In seconds */, "protocol-attributes" arg /* DHCPv6 attributes to use as defined under access protocol-attributes */, "dual-stack" arg /* Dual stack group to use */ ) end rule(:dhcpv6_filter_option) do c( "delay-time" arg /* Time delay between solicit and advertise */, "based-on" ( /* Option number */ c( "option-18" ( /* Option 18 */ c( "equals" ( /* Generic option equals */ server_v6_option_ascii_hex /* Generic option equals */ ), "not-equals" ( /* Generic option not equals */ server_v6_option_ascii_hex /* Generic option not equals */ ), "starts-with" ( /* Generic option starts-with */ server_v6_option_ascii_hex /* Generic option starts-with */ ) ) ), "option-37" ( /* Option 37 */ c( "equals" ( /* Generic option equals */ server_v6_option_ascii_hex /* Generic option equals */ ), "not-equals" ( /* Generic option not equals */ server_v6_option_ascii_hex /* Generic option not equals */ ), "starts-with" ( /* Generic option starts-with */ server_v6_option_ascii_hex /* Generic option starts-with */ ) ) ), "option-15" ( /* Option 15 */ c( "equals" ( /* Generic option equals */ server_v6_option_ascii_hex /* Generic option equals */ ), "not-equals" ( /* Generic option not equals */ server_v6_option_ascii_hex /* Generic option not equals */ ), "starts-with" ( /* Generic option starts-with */ server_v6_option_ascii_hex /* Generic option starts-with */ ) ) ), "option-16" ( /* Option 16 */ c( "equals" ( /* Generic option equals */ server_v6_option_ascii_hex /* Generic option equals */ ), "not-equals" ( /* Generic option not equals */ server_v6_option_ascii_hex /* Generic option not equals */ ), "starts-with" ( /* Generic option starts-with */ server_v6_option_ascii_hex /* Generic option starts-with */ ) ) ) ) ) ) end rule(:dhcpv6_reconfigure_type) do c( "strict" /* Only allow packets containing Reconfigure Accept Option */, "clear-on-abort" /* Delete client on reconfiguration abort */, "attempts" arg /* Number of reconfigure attempts before aborting */, "timeout" arg /* Initial timeout value for retry */, "token" arg /* Reconfigure token */, "trigger" ( /* DHCP reconfigure trigger */ reconfigure_trigger_type /* DHCP reconfigure trigger */ ), "support-option-pd-exclude" /* Request prefix exclude option in reconfigure message */ ) end rule(:duid_type) do c( "duid_ll" /* Link Layer Address based DUID */ ) end rule(:jdhcp_proxy_client_type) do c( "dhcpv4-profiles" ( /* DHCPv4 proxy client profile configuration */ dhcpv4_profile /* DHCPv4 proxy client profile configuration */ ), "dhcpv6-profiles" ( /* DHCPv6 proxy client profile configuration */ dhcpv6_profile /* DHCPv6 proxy client profile configuration */ ), "traceoptions" ( /* DHCP proxy-client trace options */ jdhcp_traceoptions_type /* DHCP proxy-client trace options */ ) ) end rule(:dhcpv4_profile) do arg.as(:arg) ( c( "pool-name" arg /* This pool name will be sent to sever in subnet-name-suboption(3) of subnet allocation option(220). It is optional. It shall be sent only if configured. */, "lease-time" arg /* Default least time requested in seconds. If DHCP client does not get the lease time from DHCP server, it will use this default lease time as the lease time. By default, the value of lease-time is zero */, "retransmission-attempt" arg /* Number of attempts to retransmit the DHCP client protocol message */, "retransmission-interval" arg /* Number of seconds between successive retransmissions of DHCP client protocols messages */, "dead-server-retry-interval" arg /* Number of seconds before reconnecting to a server which was marked as down in previous attempts */, "dhcp-server-selection-algorithm" ( /* DHCP server selection algorithm to be used */ ("highest-priority-server" | "round-robin") ), "dead-server-successive-retry-attempt" arg /* Number of successive retry attempts before declaring an unresponsive server as dead */, "bind-interface" ( /* Primary IPv4 address of bind-interface is source of DHCP packets */ interface_unit /* Primary IPv4 address of bind-interface is source of DHCP packets */ ), "servers" arg ( /* DHCP server */ c( "priority" arg /* Server priority */ ) ) ) ) end rule(:dhcpv6_profile) do arg.as(:arg) ( c( "pool-name" arg /* This pool name will be sent to sever in subnet-name-suboption(3) of subnet allocation option(220). It is optional. It shall be sent only if configured. */, "lease-time" arg /* Default least time requested in seconds. If DHCP client does not get the lease time from DHCP server, it will use this default lease time as the lease time. By default, the value of lease-time is zero */, "retransmission-attempt" arg /* Number of attempts to retransmit the DHCP client protocol message */, "retransmission-interval" arg /* Number of seconds between successive retransmissions of DHCP client protocols messages */, "bind-interface" ( /* Source interface of DHCP control packets */ interface_unit /* Source interface of DHCP control packets */ ) ) ) end rule(:jsscd_static_subscribers_type) do c( "access-profile" ( /* Access profile reference */ jsscd_access_profile_type /* Access profile reference */ ), "dynamic-profile" ( /* Dynamic profile reference */ jsscd_dynamic_profile_type /* Dynamic profile reference */ ), "service-profile" ( /* Dynamic profile to use for default service activation */ jsscd_service_profile_type /* Dynamic profile to use for default service activation */ ), "authentication" ( /* Static Subscriber Client authentication */ jsscd_authentication_type /* Static Subscriber Client authentication */ ), "group" ( /* Static Subscriber Client group configuration */ jsscd_group_type /* Static Subscriber Client group configuration */ ), "auto-login" /* Auto login the operator logged-out static subscribers */, "baseline-stats" /* Baseline the statistics for static subscribers */, "interface" arg ( /* One or more interfaces */ c( "subscriber-ip-address" ( /* Assigned IP address to report externally */ c( ipv4addr /* IPv4 address */ ) ), "subscriber-ipv6-address" ( /* Assigned IPv6 address to report externally */ c( ipv6prefix /* IPv6 Address or Prefix */ ) ) ) ) ) end rule(:jsscd_access_profile_type) do c( arg /* Profile name */ ) end rule(:jsscd_authentication_type) do c( "password" ( /* Username password to use */ unreadable /* Username password to use */ ), "username-include" ( /* Add username options */ c( "delimiter" arg /* Change delimiter/separator character */, "domain-name" arg /* Add domain name */, "user-prefix" arg /* Add user defined prefix */, "interface" /* Include interface name */, "logical-system-name" /* Include logical system name */, "routing-instance-name" /* Include routing instance name */, "vlan-tags" /* Include vlan tag(s) */ ) ) ) end rule(:jsscd_dynamic_profile_type) do c( arg, "aggregate-clients" ( /* Aggregate client profiles */ c( c( "merge" /* Merge the client dynamic profiles */, "replace" /* Replace client dynamic profiles */ ) ) ) ) end rule(:jsscd_group_type) do arg.as(:arg) ( c( "service-profile" ( /* Dynamic profile to use for default service activation */ jsscd_service_profile_type /* Dynamic profile to use for default service activation */ ), "access-profile" ( /* Access profile reference */ jsscd_access_profile_type /* Access profile reference */ ), "dynamic-profile" ( /* Dynamic profile reference */ jsscd_dynamic_profile_type /* Dynamic profile reference */ ), "authentication" ( /* Static Subscriber Client authentication */ jsscd_authentication_type /* Static Subscriber Client authentication */ ), "interface" arg ( /* One or more interfaces */ sc( "upto" ( /* Interface up to */ interface_unit /* Interface up to */ ), "exclude" /* Exclude this interface range */ ) ).as(:oneline), "auto-login" /* Auto login the operator logged-out static subscribers */ ) ) end rule(:jsscd_service_profile_type) do c( arg ) end rule(:juniper_bridge_domains) do arg.as(:arg) ( c( "description" arg /* Text description of bridge domain */, "domain-type" ( /* Type of bridge domain */ ("bridge") ), c( "vlan-id" ( /* IEEE 802.1q VLAN identifier for bridging domain */ ("all" | "none" | "inner-all" | arg) ), "vlan-tags" ( /* IEEE 802.1q VLAN tags for bridging domain */ sc( "outer" arg /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */, "inner" arg /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ) ).as(:oneline), "vlan-id-list" arg /* Create bridge-domain for each of the vlan-id specified in the vlan-id-list */ ), "isid-list" arg /* Create bridge-domain for isid (Valid isid:256..16777214) */, "vlan-id-scope-local" /* Enable the scope of vlan-id local to avoid transmitting vlan tagged packets */, "service-id" arg /* Service id required if bridge-domain is of type MC-AE and vlan-id all or vlan-id none or vlan-tags */, "domain-id" arg /* Domain-id for auto derived Route Target */, "no-local-switching" /* Disable local switching within CE-facing interfaces */, "mcae-mac-synchronize" /* Enable IRB MAC synchronization in this bridge domain */, "mcae-mac-flush" /* Enable MCAE MAC flush in a/s mode for a bridge domain on MCAE link up */, "no-irb-layer-2-copy" /* Disable transmission of layer-2 copy of packets of irb routing-interface */, "no-arp-suppression" /* Disable suppression of ARP/NDP for EVPN */, "enable-mac-move-action" /* Enable blocking action due to mac-move in this Bridge Domain */, "interface" ("$junos-interface-name" | arg) ( /* Interface name for this bridge domain */ c( "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ) ) ), "routing-interface" ( /* Routing interface name for this bridge-domain */ interface_unit /* Routing interface name for this bridge-domain */ ), "forwarding-options" ( /* Forwarding options configuration */ juniper_bridge_forwarding_options /* Forwarding options configuration */ ), "multicast-snooping-options" ( /* Multicast snooping option configuration */ juniper_multicast_snooping_options /* Multicast snooping option configuration */ ), "bridge-options" ( /* Bridge domain configuration */ juniper_protocols_bd /* Bridge domain configuration */ ), "protocols" ( c( "igmp-snooping" ( /* IGMP snooping configuration */ juniper_bd_protocols_igmp_snooping /* IGMP snooping configuration */ ), "mld-snooping" ( /* MLD snooping configuration */ juniper_bd_protocols_mld_snooping /* MLD snooping configuration */ ) ) ), "vxlan" ( c( "ovsdb-managed" /* Bridge-domain is managed remotely via VXLAN OVSDB Controller */, "vni" arg /* VXLAN identifier */, "multicast-group" ( /* Multicast group registered for VXLAN segment */ ipv4addr /* Multicast group registered for VXLAN segment */ ), "encapsulate-inner-vlan" /* Retain inner VLAN in the packet */, "decapsulate-accept-inner-vlan" /* Accept VXLAN packets with inner VLAN */, "unreachable-vtep-aging-timer" arg /* Unreachable VXLAN tunnel endpoint removal timer */, "ingress-node-replication" /* Enable ingress node replication */ ) ), "isolated-vlan" arg /* Isolated VLAN ID for private vlan bridge domain */, "community-vlans" arg /* List of Community VLANs for private vlan bridge domain */ ) ) end rule(:juniper_bd_protocols_igmp_snooping) do c( "traceoptions" ( /* Trace options for IGMP Snooping */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "l2-querier" ( /* Enable L2 querier mode */ c( "source-address" ( /* Source IP address to use for L2 querier */ ipv4addr /* Source IP address to use for L2 querier */ ) ) ), "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "learn-pim-router" /* Learn PIM router interfaces from PIM hellos */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ), "irb" /* Proxy IGMP reports to IRB */ ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "vlan" arg ( /* Vlan options */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ) ) ) ) ) ) end rule(:juniper_bd_protocols_mld_snooping) do c( "traceoptions" ( /* Trace options for MLD Snooping */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv6addr /* Source IP address to use for proxy */ ), "irb" /* Proxy IGMP reports to IRB */ ) ), "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "vlan" arg ( /* Vlan options */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv6addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv6addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ) ) ) ) ) ) end rule(:juniper_bridge_forwarding_options) do c( "filter" ( /* Filtering for bridge forwarding table */ c( "input" arg /* Name of input filter to apply for forwarded packets */, "output" arg /* Name of output filter to apply for forwarded packets */ ) ), "flood" ( /* Filtering for bridge flood table */ c( "input" arg /* Name of input filter to apply for bridge flood packets */ ) ), "dhcp-relay" ( /* Dynamic Host Configuration Protocol relay configuration */ jdhcp_relay_type /* Dynamic Host Configuration Protocol relay configuration */ ), "dhcp-security" ( /* Dynamic ARP Inspection configuration */ jdhcp_security_type /* Dynamic ARP Inspection configuration */ ) ) end rule(:jdhcp_security_type) do c( "no-dhcp-snooping" /* Disable dhcp snooping */, "arp-inspection" /* Enable dynamic ARP inspection */, "ip-source-guard" /* Enable IP source guard */, "no-dhcpv6-snooping" /* Disable DHCPv6 snooping */, "neighbor-discovery-inspection" /* Enable neighbor discovery inspection */, "ipv6-source-guard" /* Enable IPv6 source guard */, "light-weight-dhcpv6-relay" /* Enable light weight dhcpv6 relay */, "group" ( /* Define a DHCP security group for overriding defaults */ ds_group /* Define a DHCP security group for overriding defaults */ ), "option-82" ( /* DHCP option-82 processing for snooped packets */ security_option_82_type /* DHCP option-82 processing for snooped packets */ ), "dhcpv6-options" ( /* DHCPv6 option processing for snooped packets */ security_dhcpv6_options_type /* DHCPv6 option processing for snooped packets */ ) ) end rule(:ds_group) do arg.as(:arg) ( c( "overrides" ( /* DHCP override processing */ ds_override_type /* DHCP override processing */ ), "interface" arg ( /* One or more interfaces */ c( "static-ip" ( /* Static IP address configuration */ ip_mac_static /* Static IP address configuration */ ), "static-ipv6" ( /* Static IPv6 address configuration */ ipv6_mac_static /* Static IPv6 address configuration */ ) ) ) ) ) end rule(:ds_override_type) do c( "trusted" /* Make this trusted group of interfaces */, "untrusted" /* Make this untrusted group of interfaces */, "no-option82" /* Make this group of interfaces not to add option82 */, "no-option37" /* Make this group of interfaces not to add option37 */, "no-option18" /* Make this group of interfaces not to add option18 */, "no-option16" /* Make this group of interfaces not to add option16 */, "no-option79" /* Make this group of interfaces not to add option79 */, "no-dhcpv6-options" /* Make this group of interfaces not to add any DHCPv6 options */ ) end rule(:ip_mac_static) do arg.as(:arg) ( c( "mac" ( /* MAC address */ mac_addr /* MAC address */ ) ) ).as(:oneline) end rule(:ipv6_mac_static) do arg.as(:arg) ( c( "mac" ( /* MAC address */ mac_addr /* MAC address */ ) ) ).as(:oneline) end rule(:juniper_monitoring_options) do arg.as(:arg) ( c( "family" ( /* Address family of packets to monitor */ c( "inet" ( /* Monitor IPv4 packets */ c( "input" ( /* Monitor data acquisition */ monitoring_input_type /* Monitor data acquisition */ ), "output" ( /* Monitoring data disposition */ monitoring_output_type /* Monitoring data disposition */ ) ) ) ) ) ) ) end rule(:juniper_multicast_snooping_options) do c( "options" ( /* Miscellaneous options */ c( "syslog" ( /* Set system logging level */ c( "level" ( /* Logging level */ sc( "emergency" /* Emergency level */, "alert" /* Alert level */, "critical" /* Critical level */, "error" /* Error level */, "warning" /* Warning level */, "notice" /* Notice level */, "info" /* Informational level */, "debug" /* Debugging level */ ) ).as(:oneline), "upto" ( /* Log up to a particular logging level */ ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug") ), "mark" arg /* Periodically mark the trace file */ ) ) ) ), "traceoptions" ( /* Multicast snooping trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("parse" | "config-internal" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "forwarding-cache" ( /* Multicast forwarding cache */ c( "threshold" ( /* Threshold */ c( "suppress" arg /* Suppress threshold */, "reuse" arg /* Reuse threshold */ ) ) ) ), "flood-groups" ( /* Groups for which the traffic will be flooded */ ipaddr /* Groups for which the traffic will be flooded */ ), "host-outbound-traffic" ( /* Host generated protocol packets */ c( "forwarding-class" arg /* Forwarding class name */, "dot1p" arg /* Dot1p bits */ ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "restart-duration" arg /* Maximum time for graceful restart to finish */ ) ), "ignore-stp-topology-change" /* Don't process stp topology change */, "multichassis-lag-replicate-state" ( /* Enable multichassis lag replication */ c( "suppress-report" /* Enable mclag report suppression */ ) ), "nexthop-hold-time" arg /* Nexthop hold time in milliseconds */ ) end rule(:juniper_next_hop_group_options) do arg.as(:arg) ( c( "group-type" ( /* Next hop group type */ ("inet" | "layer-2" | "inet6") ), "interface" ( /* Interfaces through which to send sampled traffic */ next_hop_group_intf_type /* Interfaces through which to send sampled traffic */ ), "next-hop-subgroup" ( /* Group of interfaces through which to send sampled traffic */ juniper_next_hop_subgroup_options /* Group of interfaces through which to send sampled traffic */ ) ) ) end rule(:juniper_next_hop_subgroup_options) do arg.as(:arg) ( c( "interface" ( /* Interface through which to send the sampled traffic */ next_hop_subgroup_intf_type /* Interface through which to send the sampled traffic */ ) ) ) end rule(:juniper_packet_accounting_options) do arg.as(:arg) ( c( "output" ( /* Accounting data disposition */ packet_accounting_output_type /* Accounting data disposition */ ) ) ) end rule(:juniper_packet_capture_options) do c( ("disable"), "file" ( /* Parameters for file that contains captured packets */ sc( "filename" arg /* Name of file */, "files" arg /* Maximum number of files */, "size" arg /* Maximum file size */, "world-readable" /* Allow any user to read packet-capture files */, "no-world-readable" /* Don't allow any user to read packet-capture files */ ) ).as(:oneline), "maximum-capture-size" arg /* Maximum packet size to capture */ ) end rule(:juniper_pic_services_logging_options) do c( "traceoptions" ( /* Fsad trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("init" | "bookkeeping" | "connections" | "charging" | "flow-collector" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) end rule(:juniper_policy_options) do c( "satellite-policies" ( /* Satellite Policy configuration */ satellite_policy_options /* Satellite Policy configuration */ ), "prefix-list" arg ( /* Define a named set of address prefixes */ c( prefix_list_items, "apply-path" arg /* Apply IP prefixes from a configuration statement */ ) ), "route-filter-list" arg ( /* Define a named set of route-filter address prefixes */ c( route_filter_list_items ) ), "source-address-filter-list" arg ( /* Define a named set of source address filter address prefixes */ c( source_address_filter_list_items ) ), "mac-list" arg ( /* Define a named set of mac addresses */ c( mac_addr_list_items ) ), "vsi-policy" arg ( /* Define a named set of VSI policies */ c( "from" ( /* Conditions to match the VSI policy */ c( "vsi-manager" ( /* VSI manager */ s( arg, "vsi-type" arg /* VSI type */, "vsi-version" arg /* VSI version */, "vsi-instance" arg /* VSI instance */ ) ) ) ), "then" ( /* Actions to take if 'from' conditions match */ c( "filter" arg /* Filter name */ ) ) ) ), "policy-statement" arg ( /* Routing policy */ c( "defaults" ( /* Policy default behaviour */ c( "route-filter" ( /* Set route filter behaviour */ sc( c( "no-walkup" /* Route filter walk up disable */, "walkup" /* Route filter walk up enable */ ) ) ).as(:oneline) ) ), "term" arg ( /* Policy term */ c( "from" ( /* Conditions to match the source of a route */ c( "instance" arg /* Routing protocol instance */, "instance-any" /* Any routing protocol instance */, "instance-list" arg /* A list of routing protocol instances */, "family" ( ("inet" | "inet-vpn" | "inet6" | "inet6-vpn" | "iso-vpn" | "iso" | "evpn" | "inet-mvpn" | "inet6-mvpn" | "inet-mdt" | "route-target" | "traffic-engineering") ), "protocol" ( /* Protocol from which route was learned */ ("aggregate" | "bgp" | "direct" | "dvmrp" | "isis" | "esis" | "l2circuit" | "l2vpn" | "local" | "ospf" | "ospf2" | "ospf3" | "pim" | "rip" | "ripng" | "static" | "arp" | "frr" | "mpls" | "ldp" | "rsvp" | "msdp" | "route-target" | "access" | "access-internal" | "anchor" | "bgp-static" | "vpls" | "evpn" | "spring-te" | "bgp-ls-epe") ), "rib" arg /* Routing table */, "neighbor" ( /* Neighboring router */ ipaddr /* Neighboring router */ ), "next-hop" ( /* Next-hop router */ ipaddr /* Next-hop router */ ), "interface" ( /* Interface name or address */ ipaddr_or_interface /* Interface name or address */ ), "area" ( /* OSPF area identifier */ areaid /* OSPF area identifier */ ), "as-path" arg /* Name of AS path regular expression (BGP only) */, "as-path-group" arg /* Name of AS path group (BGP only) */, "origin" ( /* BGP origin attribute */ ("igp" | "egp" | "incomplete") ), "community" arg /* BGP community */, "level" arg /* IS-IS level */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */ ) ), "validation-database" ( /* Name to identify a validation-state */ ("valid" | "invalid" | "unknown") ), "metric" arg /* Metric value */, "metric2" arg /* Metric value 2 */, "metric3" arg /* Metric value 3 */, "metric4" arg /* Metric value 4 */, "tag" arg /* Tag string */, "tag2" arg /* Tag string 2 */, "preference" arg /* Preference value */, "preference2" arg /* Preference value 2 */, "color" arg /* Color (preference) value */, "color2" arg /* Color (preference) value 2 */, "local-preference" arg /* Local preference associated with a route */, "policy" ( /* Name of policy to evaluate */ policy_algebra /* Name of policy to evaluate */ ), "route-filter" ( /* List of routes to match */ control_route_filter_type /* List of routes to match */ ), "source-address-filter" ( /* List of source addresses to match */ control_source_address_filter_type /* List of source addresses to match */ ), "prefix-list" ( /* List of prefix-lists of routes to match */ control_prefix_list_type /* List of prefix-lists of routes to match */ ), "prefix-list-filter" ( /* List of prefix-list-filters to match */ control_prefix_list_filter_type /* List of prefix-list-filters to match */ ), "rtf-prefix-list" ( /* List of rtf-prefix-lists of routes to match */ control_rtf_prefix_list_type /* List of rtf-prefix-lists of routes to match */ ), "route-filter-list" ( /* List of route-filter-lists of routes to match */ control_route_filter_list_type /* List of route-filter-lists of routes to match */ ), "source-address-filter-list" ( /* List of source-address-filter-lists of routes to match */ control_source_address_filter_list_type /* List of source-address-filter-lists of routes to match */ ), "multicast-scope" ( /* Multicast scope to match */ sc( c( "node-local" /* Node-local scope */, "link-local" /* Link-local scope */, "site-local" /* Site-local scope */, "organization-local" /* Organization-local scope */, "global" /* Global scope */, arg ), c( "orhigher" /* Match higher values */, "orlower" /* Match lower values */ ) ) ).as(:oneline), "aggregate-contributor" /* Match more specifics of an aggregate */, "state" ( /* Route state */ ("active" | "inactive") ), "route-type" ( /* Route type */ ("internal" | "external") ), "nlri-route-type" arg /* Route type from NLRI */, "next-hop-type" ( /* Next-hop type */ ("merged") ), "condition" arg /* Condition to match on */, "community-count" ( /* Number of BGP communities */ community_count_type /* Number of BGP communities */ ), "as-path-unique-count" ( /* Number of unique BGP ASes excluding confederations */ as_path_unique_count_type /* Number of unique BGP ASes excluding confederations */ ), "as-path-calc-length" ( /* Number of BGP ASes excluding confederations */ as_path_calc_length_type /* Number of BGP ASes excluding confederations */ ), "traffic-engineering" ( /* Traffic-Engineering related parameters */ c( "protocol" ( /* Protocol that originated the entry */ ("direct" | "ospf" | "isis-level-1" | "isis-level-2" | "static" | "unknown") ), "node" ( /* Node-related parameters */ c( "as" arg /* AS number */, "node-type" ( /* Real or pseudo-node */ ("router" | "pseudo-node") ), "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "sys-id" ( /* ISO address of the node */ sysid /* ISO address of the node */ ) ) ), "ipv4-prefix" ( /* IPV4 prefix-related parameters */ c( "as" arg /* AS number */, "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "prefix" ( /* IP prefix to match against */ ipprefix /* IP prefix to match against */ ), "sys-id" ( /* ISO address of the node */ sysid /* ISO address of the node */ ) ) ), "link" ( /* Link-related parameters */ c( "from" ( /* Specify parameter of the 'from' side */ c( "as" arg /* AS number */, "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "sys-id" ( /* System-ID of the node */ sysid /* System-ID of the node */ ), "node-type" ( /* Type of the node */ ("router" | "pseudo-node") ), "link-address" ( /* IP prefix to match the link address against */ ipprefix /* IP prefix to match the link address against */ ) ) ), "to" ( /* Specify parameters of the 'to' side */ c( "as" arg /* AS number */, "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "sys-id" ( /* System-ID of the node */ sysid /* System-ID of the node */ ), "node-type" ( /* Type of the node */ ("router" | "pseudo-node") ), "link-address" ( /* IP prefix to match the link address against */ ipprefix /* IP prefix to match the link address against */ ) ) ) ) ) ) ), "route-distinguisher" arg /* Name of the route-distinguisher */ ) ), "to" ( /* Conditions to match the destination of a route */ c( "instance" arg /* Routing protocol instance */, "instance-any" /* Any routing protocol instance */, "instance-list" arg /* A list of routing protocol instances */, "family" ( ("inet" | "inet-vpn" | "inet6" | "inet6-vpn" | "iso-vpn" | "iso" | "evpn" | "inet-mvpn" | "inet6-mvpn" | "inet-mdt" | "route-target" | "traffic-engineering") ), "protocol" ( /* Protocol from which route was learned */ ("aggregate" | "bgp" | "direct" | "dvmrp" | "isis" | "esis" | "l2circuit" | "l2vpn" | "local" | "ospf" | "ospf2" | "ospf3" | "pim" | "rip" | "ripng" | "static" | "arp" | "frr" | "mpls" | "ldp" | "rsvp" | "msdp" | "route-target" | "access" | "access-internal" | "anchor" | "bgp-static" | "vpls" | "evpn" | "spring-te" | "bgp-ls-epe") ), "rib" arg /* Routing table */, "neighbor" ( /* Neighboring router */ ipaddr /* Neighboring router */ ), "next-hop" ( /* Next-hop router */ ipaddr /* Next-hop router */ ), "interface" ( /* Interface name or address */ ipaddr_or_interface /* Interface name or address */ ), "area" ( /* OSPF area identifier */ areaid /* OSPF area identifier */ ), "as-path" arg /* Name of AS path regular expression (BGP only) */, "as-path-group" arg /* Name of AS path group (BGP only) */, "origin" ( /* BGP origin attribute */ ("igp" | "egp" | "incomplete") ), "community" arg /* BGP community */, "level" arg /* IS-IS level */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */ ) ), "validation-database" ( /* Name to identify a validation-state */ ("valid" | "invalid" | "unknown") ), "metric" arg /* Metric value */, "metric2" arg /* Metric value 2 */, "metric3" arg /* Metric value 3 */, "metric4" arg /* Metric value 4 */, "tag" arg /* Tag string */, "tag2" arg /* Tag string 2 */, "preference" arg /* Preference value */, "preference2" arg /* Preference value 2 */, "color" arg /* Color (preference) value */, "color2" arg /* Color (preference) value 2 */, "local-preference" arg /* Local preference associated with a route */, "policy" ( /* Name of policy to evaluate */ policy_algebra /* Name of policy to evaluate */ ) ) ), "then" ( /* Actions to take if 'from' and 'to' conditions match */ c( "metric" ( /* Metric value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */, "igp" ( /* Track the IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "minimum-igp" ( /* Track the minimum IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "expression" ( /* Calculate value based on route metric and metric2 */ metric_expression_type /* Calculate value based on route metric and metric2 */ ), "aigp" /* Use aigp, if it exists, to set the IGP metric */ ) ) ), "metric2" ( /* Metric value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric3" ( /* Metric value 3 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric4" ( /* Metric value 4 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag" ( /* Tag string */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag2" ( /* Tag string 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference" ( /* Preference value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference2" ( /* Preference value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color" ( /* Color (preference) value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color2" ( /* Color (preference) value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "local-preference" ( /* Local preference associated with a route */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "priority" ( /* Set priority for route installation */ ("high" | "medium" | "low") ), "prefix-segment" ( /* Set prefix segment attributes */ sc( "index" arg /* Set prefix segment index */, "node-segment" /* Set node segment flag for this prefix segment */ ) ).as(:oneline), "label-allocation" ( /* Set label allocation mode */ ("per-table" | "per-nexthop" | "per-table-localize") ), "add-path" ( /* Set BGP add-path attributes */ sc( "send-count" arg /* Number of add-paths sent */ ) ).as(:oneline), "validation-state" ( /* Set validation-state of a route */ ("valid" | "invalid" | "unknown") ), "origin" ( /* BGP path origin */ ("igp" | "egp" | "incomplete") ), "aigp-originate" ( /* Originate a BGP AIGP attribute */ sc( "distance" arg /* AIGP distance */ ) ).as(:oneline), "aigp-adjust" ( /* Adjust a BGP AIGP attribute */ sc( c( "add", "subtract", "multiply", "divide" ), c( arg /* Adjustment value */, "distance-to-protocol-nexthop" /* Metric2 */ ) ) ).as(:oneline), "community" ( /* BGP community properties associated with a route */ s( c( "equal-literal" arg /* Set the BGP communities in the route */, "set" arg /* Set the BGP communities in the route */, "plus-literal" arg /* Add BGP communities to the route */, "add" arg /* Add BGP communities to the route */, "minus-literal" arg /* Remove BGP communities from the route */, "delete" arg /* Remove BGP communities from the route */ ), arg ) ).as(:oneline), "damping" arg /* Define BGP route flap damping parameters */, "aggregate-bandwidth" /* Advertise aggregate outbound link bandwidth */, "limit-bandwidth" arg /* Limit advertised aggregate outbound link bandwidth */, "no-entropy-label-capability" /* Don't advertise entropy label capability */, "as-path-prepend" arg /* Prepend AS numbers to an AS path (BGP only) */, "as-path-expand" ( /* Prepend AS numbers prior to adding local-as (BGP only) */ sc( c( "last-as" ( /* Prepend last AS */ sc( "count" arg /* Repeat count */ ) ).as(:oneline), arg /* AS path string */ ) ) ).as(:oneline), "next-hop" ( /* Set the address of the next-hop router */ sc( c( "self" /* Use a local address as the next-hop address */, "peer-address" /* Use the remote peer address as the next-hop address */, "reject" /* Use a reject next hop */, "discard" /* Use a discard next hop */, "next-table" arg /* Perform a forwarding lookup in the specified table */, ipaddr /* Next-hop address */ ) ) ).as(:oneline), "install-nexthop" ( /* Choose the next hop to be used for forwarding */ sc( "strict" /* Do not use any other available next hops */, c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ), "except" ( /* Do not choose to install matching next hops */ c( c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ) ) ) ) ).as(:oneline), "trace" /* Log matches to a trace file */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */, "nssa-only" /* Clear P-bit on lsa type 7 */ ) ), "load-balance" ( /* Type of load balancing in forwarding table */ sc( c( "per-packet" /* Load balance on a per-packet basis */, "random" /* Load balance using packet random spray */, "per-prefix" /* Load balance on a per-prefix basis */, "consistent-hash" /* Give a prefix consistent load-balancing */, "source-ip-only" /* Give a source based ip load-balancing */, "destination-ip-only" /* Give a destination based ip load-balancing */ ) ) ).as(:oneline), "no-route-localize" /* Force route install on all fib-remote PFEs */, "install-to-fib" /* Install route to fib */, "no-install-to-fib" /* Don't install route to fib */, "analyze" /* Send to registered controllers for analysis */, "class" arg /* Set class-of-service parameters */, "destination-class" arg /* Set destination class in forwarding table */, "source-class" arg /* Set source class in forwarding table */, "forwarding-class" arg /* Set source or destination class in forwarding table */, "map-to-interface" ( /* Set output logical interface */ sc( c( "self" /* Map the interface to itself */, interface_name /* Output logical interface */ ) ) ).as(:oneline), "ssm-source" ( /* List of Sources for SSM mapping */ ipaddr /* List of Sources for SSM mapping */ ), "p2mp-lsp-root" ( /* P2mp lsp root address */ c( "address" ( /* Ipv4 root address */ ipv4addr /* Ipv4 root address */ ) ) ), "cos-next-hop-map" arg /* Set CoS-based next-hop map in forwarding table */, "dynamic-tunnel-attributes" arg /* Choose the dynamic tunnel attributes used for forwarding */, "selected-mldp-egress" /* This node should act as egress node for MLDP inband signalling */, "mhop-bfd-port" /* Use port number 4784 for MPLS-BFD as per RFC5884 */, "no-backup" /* This prefix should not have backup */, "default-action" ( /* Set default policy action */ ("accept" | "reject") ), "next" ( /* Skip to next policy or term */ ("policy" | "term") ), c( "accept" /* Accept a route */, "reject" /* Reject a route */ ), "bgp-output-queue-priority" ( /* Set the BGP Update output queue priority. */ sc( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ) ).as(:oneline), "multipath-resolve" /* Use all paths for resolution over this prefix */ ) ) ) ), "from" ( /* Conditions to match the source of a route */ c( "instance" arg /* Routing protocol instance */, "instance-any" /* Any routing protocol instance */, "instance-list" arg /* A list of routing protocol instances */, "family" ( ("inet" | "inet-vpn" | "inet6" | "inet6-vpn" | "iso-vpn" | "iso" | "evpn" | "inet-mvpn" | "inet6-mvpn" | "inet-mdt" | "route-target" | "traffic-engineering") ), "protocol" ( /* Protocol from which route was learned */ ("aggregate" | "bgp" | "direct" | "dvmrp" | "isis" | "esis" | "l2circuit" | "l2vpn" | "local" | "ospf" | "ospf2" | "ospf3" | "pim" | "rip" | "ripng" | "static" | "arp" | "frr" | "mpls" | "ldp" | "rsvp" | "msdp" | "route-target" | "access" | "access-internal" | "anchor" | "bgp-static" | "vpls" | "evpn" | "spring-te" | "bgp-ls-epe") ), "rib" arg /* Routing table */, "neighbor" ( /* Neighboring router */ ipaddr /* Neighboring router */ ), "next-hop" ( /* Next-hop router */ ipaddr /* Next-hop router */ ), "interface" ( /* Interface name or address */ ipaddr_or_interface /* Interface name or address */ ), "area" ( /* OSPF area identifier */ areaid /* OSPF area identifier */ ), "as-path" arg /* Name of AS path regular expression (BGP only) */, "as-path-group" arg /* Name of AS path group (BGP only) */, "origin" ( /* BGP origin attribute */ ("igp" | "egp" | "incomplete") ), "community" arg /* BGP community */, "level" arg /* IS-IS level */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */ ) ), "validation-database" ( /* Name to identify a validation-state */ ("valid" | "invalid" | "unknown") ), "metric" arg /* Metric value */, "metric2" arg /* Metric value 2 */, "metric3" arg /* Metric value 3 */, "metric4" arg /* Metric value 4 */, "tag" arg /* Tag string */, "tag2" arg /* Tag string 2 */, "preference" arg /* Preference value */, "preference2" arg /* Preference value 2 */, "color" arg /* Color (preference) value */, "color2" arg /* Color (preference) value 2 */, "local-preference" arg /* Local preference associated with a route */, "policy" ( /* Name of policy to evaluate */ policy_algebra /* Name of policy to evaluate */ ), "route-filter" ( /* List of routes to match */ control_route_filter_type /* List of routes to match */ ), "source-address-filter" ( /* List of source addresses to match */ control_source_address_filter_type /* List of source addresses to match */ ), "prefix-list" ( /* List of prefix-lists of routes to match */ control_prefix_list_type /* List of prefix-lists of routes to match */ ), "prefix-list-filter" ( /* List of prefix-list-filters to match */ control_prefix_list_filter_type /* List of prefix-list-filters to match */ ), "rtf-prefix-list" ( /* List of rtf-prefix-lists of routes to match */ control_rtf_prefix_list_type /* List of rtf-prefix-lists of routes to match */ ), "route-filter-list" ( /* List of route-filter-lists of routes to match */ control_route_filter_list_type /* List of route-filter-lists of routes to match */ ), "source-address-filter-list" ( /* List of source-address-filter-lists of routes to match */ control_source_address_filter_list_type /* List of source-address-filter-lists of routes to match */ ), "multicast-scope" ( /* Multicast scope to match */ sc( c( "node-local" /* Node-local scope */, "link-local" /* Link-local scope */, "site-local" /* Site-local scope */, "organization-local" /* Organization-local scope */, "global" /* Global scope */, arg ), c( "orhigher" /* Match higher values */, "orlower" /* Match lower values */ ) ) ).as(:oneline), "aggregate-contributor" /* Match more specifics of an aggregate */, "state" ( /* Route state */ ("active" | "inactive") ), "route-type" ( /* Route type */ ("internal" | "external") ), "nlri-route-type" arg /* Route type from NLRI */, "next-hop-type" ( /* Next-hop type */ ("merged") ), "condition" arg /* Condition to match on */, "community-count" ( /* Number of BGP communities */ community_count_type /* Number of BGP communities */ ), "as-path-unique-count" ( /* Number of unique BGP ASes excluding confederations */ as_path_unique_count_type /* Number of unique BGP ASes excluding confederations */ ), "as-path-calc-length" ( /* Number of BGP ASes excluding confederations */ as_path_calc_length_type /* Number of BGP ASes excluding confederations */ ), "traffic-engineering" ( /* Traffic-Engineering related parameters */ c( "protocol" ( /* Protocol that originated the entry */ ("direct" | "ospf" | "isis-level-1" | "isis-level-2" | "static" | "unknown") ), "node" ( /* Node-related parameters */ c( "as" arg /* AS number */, "node-type" ( /* Real or pseudo-node */ ("router" | "pseudo-node") ), "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "sys-id" ( /* ISO address of the node */ sysid /* ISO address of the node */ ) ) ), "ipv4-prefix" ( /* IPV4 prefix-related parameters */ c( "as" arg /* AS number */, "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "prefix" ( /* IP prefix to match against */ ipprefix /* IP prefix to match against */ ), "sys-id" ( /* ISO address of the node */ sysid /* ISO address of the node */ ) ) ), "link" ( /* Link-related parameters */ c( "from" ( /* Specify parameter of the 'from' side */ c( "as" arg /* AS number */, "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "sys-id" ( /* System-ID of the node */ sysid /* System-ID of the node */ ), "node-type" ( /* Type of the node */ ("router" | "pseudo-node") ), "link-address" ( /* IP prefix to match the link address against */ ipprefix /* IP prefix to match the link address against */ ) ) ), "to" ( /* Specify parameters of the 'to' side */ c( "as" arg /* AS number */, "router-id" ( /* IP prefix to match the router-id against */ ipprefix /* IP prefix to match the router-id against */ ), "sys-id" ( /* System-ID of the node */ sysid /* System-ID of the node */ ), "node-type" ( /* Type of the node */ ("router" | "pseudo-node") ), "link-address" ( /* IP prefix to match the link address against */ ipprefix /* IP prefix to match the link address against */ ) ) ) ) ) ) ), "route-distinguisher" arg /* Name of the route-distinguisher */ ) ), "to" ( /* Conditions to match the destination of a route */ c( "instance" arg /* Routing protocol instance */, "instance-any" /* Any routing protocol instance */, "instance-list" arg /* A list of routing protocol instances */, "family" ( ("inet" | "inet-vpn" | "inet6" | "inet6-vpn" | "iso-vpn" | "iso" | "evpn" | "inet-mvpn" | "inet6-mvpn" | "inet-mdt" | "route-target" | "traffic-engineering") ), "protocol" ( /* Protocol from which route was learned */ ("aggregate" | "bgp" | "direct" | "dvmrp" | "isis" | "esis" | "l2circuit" | "l2vpn" | "local" | "ospf" | "ospf2" | "ospf3" | "pim" | "rip" | "ripng" | "static" | "arp" | "frr" | "mpls" | "ldp" | "rsvp" | "msdp" | "route-target" | "access" | "access-internal" | "anchor" | "bgp-static" | "vpls" | "evpn" | "spring-te" | "bgp-ls-epe") ), "rib" arg /* Routing table */, "neighbor" ( /* Neighboring router */ ipaddr /* Neighboring router */ ), "next-hop" ( /* Next-hop router */ ipaddr /* Next-hop router */ ), "interface" ( /* Interface name or address */ ipaddr_or_interface /* Interface name or address */ ), "area" ( /* OSPF area identifier */ areaid /* OSPF area identifier */ ), "as-path" arg /* Name of AS path regular expression (BGP only) */, "as-path-group" arg /* Name of AS path group (BGP only) */, "origin" ( /* BGP origin attribute */ ("igp" | "egp" | "incomplete") ), "community" arg /* BGP community */, "level" arg /* IS-IS level */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */ ) ), "validation-database" ( /* Name to identify a validation-state */ ("valid" | "invalid" | "unknown") ), "metric" arg /* Metric value */, "metric2" arg /* Metric value 2 */, "metric3" arg /* Metric value 3 */, "metric4" arg /* Metric value 4 */, "tag" arg /* Tag string */, "tag2" arg /* Tag string 2 */, "preference" arg /* Preference value */, "preference2" arg /* Preference value 2 */, "color" arg /* Color (preference) value */, "color2" arg /* Color (preference) value 2 */, "local-preference" arg /* Local preference associated with a route */, "policy" ( /* Name of policy to evaluate */ policy_algebra /* Name of policy to evaluate */ ) ) ), "then" ( /* Actions to take if 'from' and 'to' conditions match */ c( "metric" ( /* Metric value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */, "igp" ( /* Track the IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "minimum-igp" ( /* Track the minimum IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "expression" ( /* Calculate value based on route metric and metric2 */ metric_expression_type /* Calculate value based on route metric and metric2 */ ), "aigp" /* Use aigp, if it exists, to set the IGP metric */ ) ) ), "metric2" ( /* Metric value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric3" ( /* Metric value 3 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric4" ( /* Metric value 4 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag" ( /* Tag string */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag2" ( /* Tag string 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference" ( /* Preference value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference2" ( /* Preference value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color" ( /* Color (preference) value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color2" ( /* Color (preference) value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "local-preference" ( /* Local preference associated with a route */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "priority" ( /* Set priority for route installation */ ("high" | "medium" | "low") ), "prefix-segment" ( /* Set prefix segment attributes */ sc( "index" arg /* Set prefix segment index */, "node-segment" /* Set node segment flag for this prefix segment */ ) ).as(:oneline), "label-allocation" ( /* Set label allocation mode */ ("per-table" | "per-nexthop" | "per-table-localize") ), "add-path" ( /* Set BGP add-path attributes */ sc( "send-count" arg /* Number of add-paths sent */ ) ).as(:oneline), "validation-state" ( /* Set validation-state of a route */ ("valid" | "invalid" | "unknown") ), "origin" ( /* BGP path origin */ ("igp" | "egp" | "incomplete") ), "aigp-originate" ( /* Originate a BGP AIGP attribute */ sc( "distance" arg /* AIGP distance */ ) ).as(:oneline), "aigp-adjust" ( /* Adjust a BGP AIGP attribute */ sc( c( "add", "subtract", "multiply", "divide" ), c( arg /* Adjustment value */, "distance-to-protocol-nexthop" /* Metric2 */ ) ) ).as(:oneline), "community" ( /* BGP community properties associated with a route */ s( c( "equal-literal" arg /* Set the BGP communities in the route */, "set" arg /* Set the BGP communities in the route */, "plus-literal" arg /* Add BGP communities to the route */, "add" arg /* Add BGP communities to the route */, "minus-literal" arg /* Remove BGP communities from the route */, "delete" arg /* Remove BGP communities from the route */ ), arg ) ).as(:oneline), "damping" arg /* Define BGP route flap damping parameters */, "aggregate-bandwidth" /* Advertise aggregate outbound link bandwidth */, "limit-bandwidth" arg /* Limit advertised aggregate outbound link bandwidth */, "no-entropy-label-capability" /* Don't advertise entropy label capability */, "as-path-prepend" arg /* Prepend AS numbers to an AS path (BGP only) */, "as-path-expand" ( /* Prepend AS numbers prior to adding local-as (BGP only) */ sc( c( "last-as" ( /* Prepend last AS */ sc( "count" arg /* Repeat count */ ) ).as(:oneline), arg /* AS path string */ ) ) ).as(:oneline), "next-hop" ( /* Set the address of the next-hop router */ sc( c( "self" /* Use a local address as the next-hop address */, "peer-address" /* Use the remote peer address as the next-hop address */, "reject" /* Use a reject next hop */, "discard" /* Use a discard next hop */, "next-table" arg /* Perform a forwarding lookup in the specified table */, ipaddr /* Next-hop address */ ) ) ).as(:oneline), "install-nexthop" ( /* Choose the next hop to be used for forwarding */ sc( "strict" /* Do not use any other available next hops */, c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ), "except" ( /* Do not choose to install matching next hops */ c( c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ) ) ) ) ).as(:oneline), "trace" /* Log matches to a trace file */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */, "nssa-only" /* Clear P-bit on lsa type 7 */ ) ), "load-balance" ( /* Type of load balancing in forwarding table */ sc( c( "per-packet" /* Load balance on a per-packet basis */, "random" /* Load balance using packet random spray */, "per-prefix" /* Load balance on a per-prefix basis */, "consistent-hash" /* Give a prefix consistent load-balancing */, "source-ip-only" /* Give a source based ip load-balancing */, "destination-ip-only" /* Give a destination based ip load-balancing */ ) ) ).as(:oneline), "no-route-localize" /* Force route install on all fib-remote PFEs */, "install-to-fib" /* Install route to fib */, "no-install-to-fib" /* Don't install route to fib */, "analyze" /* Send to registered controllers for analysis */, "class" arg /* Set class-of-service parameters */, "destination-class" arg /* Set destination class in forwarding table */, "source-class" arg /* Set source class in forwarding table */, "forwarding-class" arg /* Set source or destination class in forwarding table */, "map-to-interface" ( /* Set output logical interface */ sc( c( "self" /* Map the interface to itself */, interface_name /* Output logical interface */ ) ) ).as(:oneline), "ssm-source" ( /* List of Sources for SSM mapping */ ipaddr /* List of Sources for SSM mapping */ ), "p2mp-lsp-root" ( /* P2mp lsp root address */ c( "address" ( /* Ipv4 root address */ ipv4addr /* Ipv4 root address */ ) ) ), "cos-next-hop-map" arg /* Set CoS-based next-hop map in forwarding table */, "dynamic-tunnel-attributes" arg /* Choose the dynamic tunnel attributes used for forwarding */, "selected-mldp-egress" /* This node should act as egress node for MLDP inband signalling */, "mhop-bfd-port" /* Use port number 4784 for MPLS-BFD as per RFC5884 */, "no-backup" /* This prefix should not have backup */, "default-action" ( /* Set default policy action */ ("accept" | "reject") ), "next" ( /* Skip to next policy or term */ ("policy" | "term") ), c( "accept" /* Accept a route */, "reject" /* Reject a route */ ), "bgp-output-queue-priority" ( /* Set the BGP Update output queue priority. */ sc( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ) ).as(:oneline), "multipath-resolve" /* Use all paths for resolution over this prefix */ ) ) ) ), "defaults" ( /* Policy default behaviour */ c( "route-filter" ( /* Set route filter behaviour */ sc( "walkup" /* Route filter walk up enable */ ) ).as(:oneline) ) ), "community" arg ( /* BGP community information */ c( "invert-match" /* Invert the result of the community expression matching */, "members" arg /* Community members */ ) ), "route-distinguisher" arg ( /* Route-distinguisher information */ c( "members" arg /* Route distinguisher string in ( *:X ) or ( Y:* ) or (X:Y) format */ ) ), "as-path" arg ( /* BGP autonomous system path regular expression */ c( arg /* AS path regular expression */ ) ), "as-path-group" arg ( /* Group a set of AS paths */ c( "as-path" arg ( /* BGP autonomous system path regular expression */ sc( arg /* AS path regular expression */ ) ).as(:oneline) ) ), "damping" arg ( /* BGP route flap damping properties */ c( ("disable"), "half-life" arg /* Decay half-life */, "reuse" arg /* Reuse threshold (figure-of-merit value) */, "suppress" arg /* Cutoff threshold (figure-of-merit value) */, "max-suppress" arg /* Maximum hold-down time */ ) ), "condition" arg ( /* Define a route advertisement condition */ c( c( "route-active-on" ( /* Route is active on a specific node */ ("node0" | "node1") ), "if-route-exists" ( /* Route exists in a specific routing table */ c( "address-family" ( /* Indicates the address family of the route to match on */ c( c( "inet" ( /* Route to match corresponds to an inet/inet6 prefix */ c( "table" arg /* Routing table in which route should exist */, ipprefix /* Exact address of the route */ ) ), "ccc" ( /* Route to match corresponds to a ccc prefix */ c( interface_name /* Logical interface used to establish ccc route */, "table" arg /* Routing table in which route should exist */, "standby" /* Indicates if route must be in standby state to be considered a match */, "peer-unit" arg /* Associated LT ifl's peer-unit. Required for LT-based routes */ ) ) ) ) ), "table" arg /* Routing table in which route should exist */, ipprefix /* Exact address of the route */ ) ) ) ) ), "rtf-prefix-list" arg ( /* Define a named set of family route target prefixes */ c( rtf_prefix_list_items ) ), "application-maps" ( /* Define application maps */ application_map_object /* Define application maps */ ) ) end rule(:application_map_object) do arg.as(:arg) ( c( "application" arg ( /* Name of the application */ sc( "code-points" arg /* List of code point bit strings */ ) ).as(:oneline) ) ) end rule(:as_path_calc_length_type) do arg.as(:arg) ( c( c( "equal" /* Match equal values */, "orhigher" /* Match higher or equal values */, "orlower" /* Match lower or equal values */ ) ) ).as(:oneline) end rule(:as_path_unique_count_type) do arg.as(:arg) ( c( c( "equal" /* Match equal values */, "orhigher" /* Match higher or equal values */, "orlower" /* Match lower or equal values */ ) ) ).as(:oneline) end rule(:community_count_type) do arg.as(:arg) ( c( c( "equal" /* Match equal values */, "orhigher" /* Match higher or equal values */, "orlower" /* Match lower or equal values */ ) ) ).as(:oneline) end rule(:control_prefix_list_filter_type) do s( arg, c( "exact" arg /* Exactly match the prefix length */, "longer" arg /* Mask is greater than the prefix length */, "orlonger" arg /* Mask is greater than or equal to the prefix length */ ), c( "metric" ( /* Metric value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */, "igp" ( /* Track the IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "minimum-igp" ( /* Track the minimum IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "expression" ( /* Calculate value based on route metric and metric2 */ metric_expression_type /* Calculate value based on route metric and metric2 */ ), "aigp" /* Use aigp, if it exists, to set the IGP metric */ ) ) ), "metric2" ( /* Metric value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric3" ( /* Metric value 3 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric4" ( /* Metric value 4 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag" ( /* Tag string */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag2" ( /* Tag string 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference" ( /* Preference value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference2" ( /* Preference value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color" ( /* Color (preference) value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color2" ( /* Color (preference) value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "local-preference" ( /* Local preference associated with a route */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "priority" ( /* Set priority for route installation */ ("high" | "medium" | "low") ), "prefix-segment" ( /* Set prefix segment attributes */ sc( "index" arg /* Set prefix segment index */, "node-segment" /* Set node segment flag for this prefix segment */ ) ).as(:oneline), "label-allocation" ( /* Set label allocation mode */ ("per-table" | "per-nexthop" | "per-table-localize") ), "add-path" ( /* Set BGP add-path attributes */ sc( "send-count" arg /* Number of add-paths sent */ ) ).as(:oneline), "validation-state" ( /* Set validation-state of a route */ ("valid" | "invalid" | "unknown") ), "origin" ( /* BGP path origin */ ("igp" | "egp" | "incomplete") ), "aigp-originate" ( /* Originate a BGP AIGP attribute */ sc( "distance" arg /* AIGP distance */ ) ).as(:oneline), "aigp-adjust" ( /* Adjust a BGP AIGP attribute */ sc( c( "add", "subtract", "multiply", "divide" ), c( arg /* Adjustment value */, "distance-to-protocol-nexthop" /* Metric2 */ ) ) ).as(:oneline), "community" ( /* BGP community properties associated with a route */ s( c( "equal-literal" arg /* Set the BGP communities in the route */, "set" arg /* Set the BGP communities in the route */, "plus-literal" arg /* Add BGP communities to the route */, "add" arg /* Add BGP communities to the route */, "minus-literal" arg /* Remove BGP communities from the route */, "delete" arg /* Remove BGP communities from the route */ ), arg ) ).as(:oneline), "damping" arg /* Define BGP route flap damping parameters */, "aggregate-bandwidth" /* Advertise aggregate outbound link bandwidth */, "limit-bandwidth" arg /* Limit advertised aggregate outbound link bandwidth */, "no-entropy-label-capability" /* Don't advertise entropy label capability */, "as-path-prepend" arg /* Prepend AS numbers to an AS path (BGP only) */, "as-path-expand" ( /* Prepend AS numbers prior to adding local-as (BGP only) */ sc( c( "last-as" ( /* Prepend last AS */ sc( "count" arg /* Repeat count */ ) ).as(:oneline), arg /* AS path string */ ) ) ).as(:oneline), "next-hop" ( /* Set the address of the next-hop router */ sc( c( "self" /* Use a local address as the next-hop address */, "peer-address" /* Use the remote peer address as the next-hop address */, "reject" /* Use a reject next hop */, "discard" /* Use a discard next hop */, "next-table" arg /* Perform a forwarding lookup in the specified table */, ipaddr /* Next-hop address */ ) ) ).as(:oneline), "install-nexthop" ( /* Choose the next hop to be used for forwarding */ sc( "strict" /* Do not use any other available next hops */, c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ), "except" ( /* Do not choose to install matching next hops */ c( c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ) ) ) ) ).as(:oneline), "trace" /* Log matches to a trace file */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */, "nssa-only" /* Clear P-bit on lsa type 7 */ ) ), "load-balance" ( /* Type of load balancing in forwarding table */ sc( c( "per-packet" /* Load balance on a per-packet basis */, "random" /* Load balance using packet random spray */, "per-prefix" /* Load balance on a per-prefix basis */, "consistent-hash" /* Give a prefix consistent load-balancing */, "source-ip-only" /* Give a source based ip load-balancing */, "destination-ip-only" /* Give a destination based ip load-balancing */ ) ) ).as(:oneline), "no-route-localize" /* Force route install on all fib-remote PFEs */, "install-to-fib" /* Install route to fib */, "no-install-to-fib" /* Don't install route to fib */, "analyze" /* Send to registered controllers for analysis */, "class" arg /* Set class-of-service parameters */, "destination-class" arg /* Set destination class in forwarding table */, "source-class" arg /* Set source class in forwarding table */, "forwarding-class" arg /* Set source or destination class in forwarding table */, "map-to-interface" ( /* Set output logical interface */ sc( c( "self" /* Map the interface to itself */, interface_name /* Output logical interface */ ) ) ).as(:oneline), "ssm-source" ( /* List of Sources for SSM mapping */ ipaddr /* List of Sources for SSM mapping */ ), "p2mp-lsp-root" ( /* P2mp lsp root address */ c( "address" ( /* Ipv4 root address */ ipv4addr /* Ipv4 root address */ ) ) ), "cos-next-hop-map" arg /* Set CoS-based next-hop map in forwarding table */, "dynamic-tunnel-attributes" arg /* Choose the dynamic tunnel attributes used for forwarding */, "selected-mldp-egress" /* This node should act as egress node for MLDP inband signalling */, "mhop-bfd-port" /* Use port number 4784 for MPLS-BFD as per RFC5884 */, "no-backup" /* This prefix should not have backup */, "default-action" ( /* Set default policy action */ ("accept" | "reject") ), "next" ( /* Skip to next policy or term */ ("policy" | "term") ), c( "accept" /* Accept a route */, "reject" /* Reject a route */ ), "bgp-output-queue-priority" ( /* Set the BGP Update output queue priority. */ sc( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ) ).as(:oneline), "multipath-resolve" /* Use all paths for resolution over this prefix */ ) ) end rule(:control_prefix_list_type) do arg.as(:arg) end rule(:control_route_filter_list_type) do arg.as(:arg) end rule(:control_route_filter_type) do s( arg, c( "exact" arg /* Exactly match the prefix length */, "longer" arg /* Mask is greater than the prefix length */, "orlonger" arg /* Mask is greater than or equal to the prefix length */, "upto" arg /* Mask falls between two prefix lengths */, "through" arg /* Route falls between two prefixes */, "prefix-length-range" arg /* Mask falls between two prefix lengths */, "address-mask" arg /* Mask applied to prefix address */ ), c( "metric" ( /* Metric value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */, "igp" ( /* Track the IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "minimum-igp" ( /* Track the minimum IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "expression" ( /* Calculate value based on route metric and metric2 */ metric_expression_type /* Calculate value based on route metric and metric2 */ ), "aigp" /* Use aigp, if it exists, to set the IGP metric */ ) ) ), "metric2" ( /* Metric value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric3" ( /* Metric value 3 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric4" ( /* Metric value 4 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag" ( /* Tag string */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag2" ( /* Tag string 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference" ( /* Preference value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference2" ( /* Preference value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color" ( /* Color (preference) value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color2" ( /* Color (preference) value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "local-preference" ( /* Local preference associated with a route */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "priority" ( /* Set priority for route installation */ ("high" | "medium" | "low") ), "prefix-segment" ( /* Set prefix segment attributes */ sc( "index" arg /* Set prefix segment index */, "node-segment" /* Set node segment flag for this prefix segment */ ) ).as(:oneline), "label-allocation" ( /* Set label allocation mode */ ("per-table" | "per-nexthop" | "per-table-localize") ), "add-path" ( /* Set BGP add-path attributes */ sc( "send-count" arg /* Number of add-paths sent */ ) ).as(:oneline), "validation-state" ( /* Set validation-state of a route */ ("valid" | "invalid" | "unknown") ), "origin" ( /* BGP path origin */ ("igp" | "egp" | "incomplete") ), "aigp-originate" ( /* Originate a BGP AIGP attribute */ sc( "distance" arg /* AIGP distance */ ) ).as(:oneline), "aigp-adjust" ( /* Adjust a BGP AIGP attribute */ sc( c( "add", "subtract", "multiply", "divide" ), c( arg /* Adjustment value */, "distance-to-protocol-nexthop" /* Metric2 */ ) ) ).as(:oneline), "community" ( /* BGP community properties associated with a route */ s( c( "equal-literal" arg /* Set the BGP communities in the route */, "set" arg /* Set the BGP communities in the route */, "plus-literal" arg /* Add BGP communities to the route */, "add" arg /* Add BGP communities to the route */, "minus-literal" arg /* Remove BGP communities from the route */, "delete" arg /* Remove BGP communities from the route */ ), arg ) ).as(:oneline), "damping" arg /* Define BGP route flap damping parameters */, "aggregate-bandwidth" /* Advertise aggregate outbound link bandwidth */, "limit-bandwidth" arg /* Limit advertised aggregate outbound link bandwidth */, "no-entropy-label-capability" /* Don't advertise entropy label capability */, "as-path-prepend" arg /* Prepend AS numbers to an AS path (BGP only) */, "as-path-expand" ( /* Prepend AS numbers prior to adding local-as (BGP only) */ sc( c( "last-as" ( /* Prepend last AS */ sc( "count" arg /* Repeat count */ ) ).as(:oneline), arg /* AS path string */ ) ) ).as(:oneline), "next-hop" ( /* Set the address of the next-hop router */ sc( c( "self" /* Use a local address as the next-hop address */, "peer-address" /* Use the remote peer address as the next-hop address */, "reject" /* Use a reject next hop */, "discard" /* Use a discard next hop */, "next-table" arg /* Perform a forwarding lookup in the specified table */, ipaddr /* Next-hop address */ ) ) ).as(:oneline), "install-nexthop" ( /* Choose the next hop to be used for forwarding */ sc( "strict" /* Do not use any other available next hops */, c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ), "except" ( /* Do not choose to install matching next hops */ c( c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ) ) ) ) ).as(:oneline), "trace" /* Log matches to a trace file */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */, "nssa-only" /* Clear P-bit on lsa type 7 */ ) ), "load-balance" ( /* Type of load balancing in forwarding table */ sc( c( "per-packet" /* Load balance on a per-packet basis */, "random" /* Load balance using packet random spray */, "per-prefix" /* Load balance on a per-prefix basis */, "consistent-hash" /* Give a prefix consistent load-balancing */, "source-ip-only" /* Give a source based ip load-balancing */, "destination-ip-only" /* Give a destination based ip load-balancing */ ) ) ).as(:oneline), "no-route-localize" /* Force route install on all fib-remote PFEs */, "install-to-fib" /* Install route to fib */, "no-install-to-fib" /* Don't install route to fib */, "analyze" /* Send to registered controllers for analysis */, "class" arg /* Set class-of-service parameters */, "destination-class" arg /* Set destination class in forwarding table */, "source-class" arg /* Set source class in forwarding table */, "forwarding-class" arg /* Set source or destination class in forwarding table */, "map-to-interface" ( /* Set output logical interface */ sc( c( "self" /* Map the interface to itself */, interface_name /* Output logical interface */ ) ) ).as(:oneline), "ssm-source" ( /* List of Sources for SSM mapping */ ipaddr /* List of Sources for SSM mapping */ ), "p2mp-lsp-root" ( /* P2mp lsp root address */ c( "address" ( /* Ipv4 root address */ ipv4addr /* Ipv4 root address */ ) ) ), "cos-next-hop-map" arg /* Set CoS-based next-hop map in forwarding table */, "dynamic-tunnel-attributes" arg /* Choose the dynamic tunnel attributes used for forwarding */, "selected-mldp-egress" /* This node should act as egress node for MLDP inband signalling */, "mhop-bfd-port" /* Use port number 4784 for MPLS-BFD as per RFC5884 */, "no-backup" /* This prefix should not have backup */, "default-action" ( /* Set default policy action */ ("accept" | "reject") ), "next" ( /* Skip to next policy or term */ ("policy" | "term") ), c( "accept" /* Accept a route */, "reject" /* Reject a route */ ), "bgp-output-queue-priority" ( /* Set the BGP Update output queue priority. */ sc( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ) ).as(:oneline), "multipath-resolve" /* Use all paths for resolution over this prefix */ ) ) end rule(:control_rtf_prefix_list_type) do arg.as(:arg) end rule(:control_source_address_filter_list_type) do arg.as(:arg) end rule(:control_source_address_filter_type) do s( arg, c( "exact" arg /* Exactly match the prefix length */, "longer" arg /* Mask is greater than the prefix length */, "orlonger" arg /* Mask is greater than or equal to the prefix length */, "upto" arg /* Mask falls between two prefix lengths */, "through" arg /* Route falls between two prefixes */, "prefix-length-range" arg /* Mask falls between two prefix lengths */ ), c( "metric" ( /* Metric value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */, "igp" ( /* Track the IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "minimum-igp" ( /* Track the minimum IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "expression" ( /* Calculate value based on route metric and metric2 */ metric_expression_type /* Calculate value based on route metric and metric2 */ ), "aigp" /* Use aigp, if it exists, to set the IGP metric */ ) ) ), "metric2" ( /* Metric value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric3" ( /* Metric value 3 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric4" ( /* Metric value 4 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag" ( /* Tag string */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag2" ( /* Tag string 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference" ( /* Preference value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference2" ( /* Preference value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color" ( /* Color (preference) value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color2" ( /* Color (preference) value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "local-preference" ( /* Local preference associated with a route */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "priority" ( /* Set priority for route installation */ ("high" | "medium" | "low") ), "prefix-segment" ( /* Set prefix segment attributes */ sc( "index" arg /* Set prefix segment index */, "node-segment" /* Set node segment flag for this prefix segment */ ) ).as(:oneline), "label-allocation" ( /* Set label allocation mode */ ("per-table" | "per-nexthop" | "per-table-localize") ), "add-path" ( /* Set BGP add-path attributes */ sc( "send-count" arg /* Number of add-paths sent */ ) ).as(:oneline), "validation-state" ( /* Set validation-state of a route */ ("valid" | "invalid" | "unknown") ), "origin" ( /* BGP path origin */ ("igp" | "egp" | "incomplete") ), "aigp-originate" ( /* Originate a BGP AIGP attribute */ sc( "distance" arg /* AIGP distance */ ) ).as(:oneline), "aigp-adjust" ( /* Adjust a BGP AIGP attribute */ sc( c( "add", "subtract", "multiply", "divide" ), c( arg /* Adjustment value */, "distance-to-protocol-nexthop" /* Metric2 */ ) ) ).as(:oneline), "community" ( /* BGP community properties associated with a route */ s( c( "equal-literal" arg /* Set the BGP communities in the route */, "set" arg /* Set the BGP communities in the route */, "plus-literal" arg /* Add BGP communities to the route */, "add" arg /* Add BGP communities to the route */, "minus-literal" arg /* Remove BGP communities from the route */, "delete" arg /* Remove BGP communities from the route */ ), arg ) ).as(:oneline), "damping" arg /* Define BGP route flap damping parameters */, "aggregate-bandwidth" /* Advertise aggregate outbound link bandwidth */, "limit-bandwidth" arg /* Limit advertised aggregate outbound link bandwidth */, "no-entropy-label-capability" /* Don't advertise entropy label capability */, "as-path-prepend" arg /* Prepend AS numbers to an AS path (BGP only) */, "as-path-expand" ( /* Prepend AS numbers prior to adding local-as (BGP only) */ sc( c( "last-as" ( /* Prepend last AS */ sc( "count" arg /* Repeat count */ ) ).as(:oneline), arg /* AS path string */ ) ) ).as(:oneline), "next-hop" ( /* Set the address of the next-hop router */ sc( c( "self" /* Use a local address as the next-hop address */, "peer-address" /* Use the remote peer address as the next-hop address */, "reject" /* Use a reject next hop */, "discard" /* Use a discard next hop */, "next-table" arg /* Perform a forwarding lookup in the specified table */, ipaddr /* Next-hop address */ ) ) ).as(:oneline), "install-nexthop" ( /* Choose the next hop to be used for forwarding */ sc( "strict" /* Do not use any other available next hops */, c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ), "except" ( /* Do not choose to install matching next hops */ c( c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ) ) ) ) ).as(:oneline), "trace" /* Log matches to a trace file */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */, "nssa-only" /* Clear P-bit on lsa type 7 */ ) ), "load-balance" ( /* Type of load balancing in forwarding table */ sc( c( "per-packet" /* Load balance on a per-packet basis */, "random" /* Load balance using packet random spray */, "per-prefix" /* Load balance on a per-prefix basis */, "consistent-hash" /* Give a prefix consistent load-balancing */, "source-ip-only" /* Give a source based ip load-balancing */, "destination-ip-only" /* Give a destination based ip load-balancing */ ) ) ).as(:oneline), "no-route-localize" /* Force route install on all fib-remote PFEs */, "install-to-fib" /* Install route to fib */, "no-install-to-fib" /* Don't install route to fib */, "analyze" /* Send to registered controllers for analysis */, "class" arg /* Set class-of-service parameters */, "destination-class" arg /* Set destination class in forwarding table */, "source-class" arg /* Set source class in forwarding table */, "forwarding-class" arg /* Set source or destination class in forwarding table */, "map-to-interface" ( /* Set output logical interface */ sc( c( "self" /* Map the interface to itself */, interface_name /* Output logical interface */ ) ) ).as(:oneline), "ssm-source" ( /* List of Sources for SSM mapping */ ipaddr /* List of Sources for SSM mapping */ ), "p2mp-lsp-root" ( /* P2mp lsp root address */ c( "address" ( /* Ipv4 root address */ ipv4addr /* Ipv4 root address */ ) ) ), "cos-next-hop-map" arg /* Set CoS-based next-hop map in forwarding table */, "dynamic-tunnel-attributes" arg /* Choose the dynamic tunnel attributes used for forwarding */, "selected-mldp-egress" /* This node should act as egress node for MLDP inband signalling */, "mhop-bfd-port" /* Use port number 4784 for MPLS-BFD as per RFC5884 */, "no-backup" /* This prefix should not have backup */, "default-action" ( /* Set default policy action */ ("accept" | "reject") ), "next" ( /* Skip to next policy or term */ ("policy" | "term") ), c( "accept" /* Accept a route */, "reject" /* Reject a route */ ), "bgp-output-queue-priority" ( /* Set the BGP Update output queue priority. */ sc( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ) ).as(:oneline), "multipath-resolve" /* Use all paths for resolution over this prefix */ ) ) end rule(:juniper_port_mirror_options) do c( "traceoptions" ( /* Port-mirroring trace options */ sampling_traceoptions_type /* Port-mirroring trace options */ ), "disable" /* Disable the global port-mirroring instance */, "disable-all-instances" /* Disable the all port-mirroring instances */, "mirror-once" /* Sample the packet for port mirroring only once */, "no-preserve-ingress-tag" /* Mirror the packet retaining tag value before normalization */, "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "family" ( /* Address family of packets to mirror */ c( "inet" ( /* Mirror IPv4 packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* One or more next hops for port-mirrored packets */ inet_pm_family_output_type /* One or more next hops for port-mirrored packets */ ) ) ), "inet6" ( /* Mirror IPv6 packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* One or more next hops for port-mirrored packets */ inet6_pm_family_output_type /* One or more next hops for port-mirrored packets */ ) ) ), "mpls" ( /* Mirror MPLS packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* One or more next hops for port-mirrored packets */ mpls_pm_family_output_type /* One or more next hops for port-mirrored packets */ ) ) ), "any" /* Mirror any packets */, "vpls" ( /* Mirror Layer-2 bridged/vpls packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Destination for port-mirrored packets */ layer2_pm_family_output_type /* Destination for port-mirrored packets */ ) ) ), "ethernet-switching" /* Mirror Layer-2 ethernet-switched packets */, "ccc" ( /* Mirror layer-2 ccc packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Destination for port-mirrored packets */ layer2_pm_family_output_type /* Destination for port-mirrored packets */ ) ) ) ) ), "instance" arg ( /* Instance of port-mirroring parameters */ c( "disable" /* Disable the this port-mirroring instance */, c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "input-parameters-instance" arg /* Name of port-mirroring instance to use for input parameters */ ), "family" ( /* Address family of packets to mirror */ c( "inet" ( /* Mirror IPv4 packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* One or more next hops for port-mirrored packets */ inet_pm_family_output_type /* One or more next hops for port-mirrored packets */ ) ) ), "inet6" ( /* Mirror IPv6 packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* One or more next hops for port-mirrored packets */ inet6_pm_family_output_type /* One or more next hops for port-mirrored packets */ ) ) ), "mpls" ( /* Mirror MPLS packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* One or more next hops for port-mirrored packets */ mpls_pm_family_output_type /* One or more next hops for port-mirrored packets */ ) ) ), "any" /* Mirror any packets */, "vpls" ( /* Mirror Layer-2 bridged/vpls packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Destination for port-mirrored packets */ layer2_pm_family_output_type /* Destination for port-mirrored packets */ ) ) ), "ethernet-switching" /* Mirror Layer-2 ethernet-switched packets */, "ccc" ( /* Mirror layer-2 ccc packets */ c( "input" ( /* Settings for sampling of input packets */ pm_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Destination for port-mirrored packets */ layer2_pm_family_output_type /* Destination for port-mirrored packets */ ) ) ) ) ) ) ) ) end rule(:inet6_pm_family_output_type) do c( c( "interface" ( /* Interfaces through which to send sampled traffic */ inet6_pm_intf_type /* Interfaces through which to send sampled traffic */ ), "next-hop-group" arg /* Next-hop-group through which to send port-mirror traffic */ ), "no-filter-check" /* Do not check for filters on port-mirroring interface */, "server-profile" arg /* Server profile name */ ) end rule(:inet6_pm_intf_type) do arg.as(:arg) ( c( "next-hop" ( /* Address of next hop through which to send sampled traffic */ inet6_next_hop_type /* Address of next hop through which to send sampled traffic */ ) ) ) end rule(:inet6_next_hop_type) do arg.as(:arg) end rule(:inet_pm_family_output_type) do c( c( "interface" ( /* Interfaces through which to send sampled traffic */ inet_pm_intf_type /* Interfaces through which to send sampled traffic */ ), "next-hop-group" arg /* Next-hop-group through which to send port-mirror traffic */ ), "no-filter-check" /* Do not check for filters on port-mirroring interface */, "ip-address" ( /* ERSPAN Destination IP Address */ ipv4addr /* ERSPAN Destination IP Address */ ), "routing-instance" ( /* Routing instances */ inet_pm_output_routing_instance_type /* Routing instances */ ), "server-profile" arg /* Server profile name */ ) end rule(:inet_pm_intf_type) do arg.as(:arg) ( c( "next-hop" ( /* Address of next hop through which to send sampled traffic */ inet_next_hop_type /* Address of next hop through which to send sampled traffic */ ) ) ) end rule(:inet_next_hop_type) do arg.as(:arg) end rule(:inet_pm_output_routing_instance_type) do arg.as(:arg) ( c( "ip-address" ( /* ERSPAN Destination IP Address */ ipv4addr /* ERSPAN Destination IP Address */ ) ) ) end rule(:juniper_protocols) do c( "overlay" ( /* Overlay protocol */ juniper_protocols_overlayd /* Overlay protocol */ ), "l2iw" ( /* Configuration for Layer 2 interworking */ c( "traceoptions" ( /* Trace options for Layer 2 circuits */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) ), "igmp" ( /* IGMP options */ c( "traceoptions" ( /* Trace options for IGMP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "mtrace" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "maximum-transmit-rate" arg /* Maximum transmission rate (packets per second) */, "accounting" /* Enable join and leave event notification */, "interface" ("$junos-interface-name" | arg) ( /* Interface options for IGMP */ c( ("disable"), "version" arg /* Set IGMP version number on this interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "group-increment" ( /* Mask for the incrementing group IP address */ ipv4addr /* Mask for the incrementing group IP address */ ), "group-count" arg /* Number of groups */, "exclude" /* Exclude sources */, "source" arg ( /* IP multicast source address */ c( "source-increment" ( /* Mask for the incrementing source IP address */ ipv4addr /* Mask for the incrementing source IP address */ ), "source-count" arg /* Number of sources */ ) ) ) ) ) ), "ssm-map" arg /* Map for SSM translation of IGMPv1 or IGMPv2 messages */, "ssm-map-policy" ( /* SSM map policy name */ policy_algebra /* SSM map policy name */ ), "immediate-leave" /* Group removed immediately, last membership query not sent */, "promiscuous-mode" /* Accept igmp messages coming from different subnet */, "accounting" /* Enable join and leave event notification */, "no-accounting" /* Don't enable join and leave event notification */, "group-policy" ( /* Group filter applied to incoming IGMP report messages */ policy_algebra /* Group filter applied to incoming IGMP report messages */ ), "group-limit" arg /* Maximum number of (source,group) per interface */, "group-threshold" arg /* Percentage of limit at which to generate warnings */, "log-interval" arg /* Time between consecutive log messages */, "passive" ( /* Suppress sending and receiving IGMP messages */ sc( "allow-receive" /* Allow receiving IGMP messages */, "send-general-query" /* Send IGMP general query messages */, "send-group-query" /* Send IGMP group query messages */ ) ).as(:oneline), "oif-map" ( /* Output interface map */ policy_algebra /* Output interface map */ ), "distributed" /* Distributed IGMP interface */ ) ), "amt" ( /* Automatic Multicast Tunnel options for IGMP */ c( "relay" ( /* AMT relay options for IGMP */ c( "defaults" ( /* Default AMT relay options for IGMP */ c( "version" arg /* Set IGMP version number on AMT interfaces */, "ssm-map" arg /* Map for SSM translation of IGMPv1 or IGMPv2 messages */, "ssm-map-policy" ( /* SSM map policy name */ policy_algebra /* SSM map policy name */ ), "accounting" /* Enable join and leave event notification */, "no-accounting" /* Don't enable join and leave event notification */, "group-policy" ( /* Group filter applied to incoming IGMP report messages */ policy_algebra /* Group filter applied to incoming IGMP report messages */ ), "group-limit" arg /* Maximum number of (source,group) per interface */, "group-threshold" arg /* Percentage of limit at which to generate warnings */, "log-interval" arg /* Time between consecutive log messages */, "robust-count" arg /* Expected packet loss on a subnet */, "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */ ) ) ) ) ) ) ) ), "mld" ( /* MLD options */ c( "traceoptions" ( /* Trace options for MLD */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "mtrace" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "maximum-transmit-rate" arg /* Maximum transmission rate (packets per second) */, "accounting" /* Enable join and leave event notification */, "interface" ("$junos-interface-name" | arg) ( /* Interface options for MLD */ c( ("disable"), "version" arg /* Set mld version number on this interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "group-increment" ( /* Mask for the incrementing group IP address */ ipv6addr /* Mask for the incrementing group IP address */ ), "group-count" arg /* Number of groups */, "exclude" /* Exclude sources */, "source" arg ( /* IP multicast source address */ c( "source-increment" ( /* Mask for the incrementing source IP address */ ipv6addr /* Mask for the incrementing source IP address */ ), "source-count" arg /* Number of sources */ ) ) ) ) ) ), "ssm-map" arg /* Map for ssm translation of mld v1 messages */, "ssm-map-policy" ( /* SSM map policy name */ policy_algebra /* SSM map policy name */ ), "immediate-leave" /* Group removed immediately, last membership query not sent */, "group-policy" ( /* Group filter applied to incoming mld report messages */ policy_algebra /* Group filter applied to incoming mld report messages */ ), "group-limit" arg /* Maximum number of (source,group) per interface */, "group-threshold" arg /* Percentage of group-limit at which to start generating warnings */, "log-interval" arg /* Time between consecutive log messages */, "accounting" /* Enable join and leave event notification */, "no-accounting" /* Don't enable join and leave event notification */, "passive" ( /* Suppress sending and receiving mld messages */ sc( "allow-receive" /* Allow receiving mld messages */, "send-general-query" /* Send mld general query messages */, "send-group-query" /* Send mld group query messages */ ) ).as(:oneline), "oif-map" ( /* Output interface map */ policy_algebra /* Output interface map */ ), "distributed" /* Distributed MLD interface */ ) ) ) ), "amt" ( /* AMT configuration */ juniper_protocols_amt /* AMT configuration */ ), "router-discovery" ( /* ICMP router discovery options */ juniper_protocols_router_discovery /* ICMP router discovery options */ ), "router-advertisement" ( /* IPv6 router advertisement options */ c( "traceoptions" ( /* Trace options for router advertisement */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) /* Tracing parameters */.as(:oneline) ) ), "interface" ("$junos-interface-name" | arg) ( /* Interfaces on which to configure router advertisement */ c( "preference" ( /* Set the Preference for Router Selection */ ("medium" | "high" | "low") ), "max-advertisement-interval" arg /* Maximum advertisement interval */, "min-advertisement-interval" arg /* Minimum advertisement interval */, "managed-configuration" /* Set managed address configuration */, "no-managed-configuration" /* Don't set managed address configuration */, "other-stateful-configuration" /* Set other stateful configuration */, "no-other-stateful-configuration" /* Don't set other stateful configuration */, "link-mtu" /* Link MTU */, "no-link-mtu" /* Don't link MTU */, "solicit-router-advertisement-unicast" /* Enbale solicited router advertisement as unicast */, "reachable-time" arg /* Reachable time */, "retransmit-timer" arg /* Retransmit timer */, "virtual-router-only" /* Send advertisemnets only for vrrp-inet6-group */, "current-hop-limit" arg /* Current hop limit */, "default-lifetime" arg /* Router lifetime */, "dns-server-address" ("$junos-ipv6-dns-server-address" | arg) ( /* Recursive DNS address configuration */ c( "lifetime" arg /* DNS address lifetime */ ) ), "prefix" arg ( /* Prefix configuration */ c( "valid-lifetime" arg /* Valid lifetime (fixed) */, "on-link" /* Set on-link flag */, "no-on-link" /* Don't set on-link flag */, "preferred-lifetime" arg /* Preferred lifetime (fixed) */, "autonomous" /* Set autonomous flag */, "no-autonomous" /* Don't set autonomous flag */ ) ) ) ), "ra-secure" ( /* Protect box against rogue incoming RA messages */ c( "accept-current-hop-limit-min" arg /* Current hop limit acceptable min for incoming RA */, "accept-current-hop-limit-max" arg /* Current hop acceptable min for incoming RA */, "accept-reachable-time-min" arg /* Reachable Time acceptable min for incoming RA */, "accept-reachable-time-max" arg /* Reachable Time acceptable max for incoming RA */, "accept-retransmit-time-min" arg /* Retransmit Time acceptable min for incoming RA */, "accept-retransmit-time-max" arg /* Retransmit Time acceptable min for incoming RA */ ) ) ) ), "sap" ( /* Session Advertisement Protocol options */ c( ("disable"), "listen" arg ( /* Address for SAP and SDP to listen on */ sc( "port" arg /* Port to listen for session advertisements */ ) ).as(:oneline) ) ), "rsvp" ( /* RSVP options */ juniper_protocols_rsvp /* RSVP options */ ), "mpls" ( /* Multiprotocol Label Switching options */ juniper_protocols_mpls /* Multiprotocol Label Switching options */ ), "bgp" ( /* BGP options */ juniper_protocols_bgp /* BGP options */ ), "dvmrp" ( /* DVMRP options */ c( ("disable"), "traceoptions" ( /* Trace options for DVMRP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("route" | "poison" | "packets" | "probe" | "report" | "neighbor" | "prune" | "graft" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "interface" arg ( /* DVMRP interface options */ c( ("disable"), "mode" ( /* Mode of interface */ ("forwarding" | "unicast-routing") ), "metric" arg /* DVMRP metric value */, "hold-time" arg /* When neighbors think the interface is down */ ) ) ) ), "isis" ( /* IS-IS options */ juniper_protocols_isis /* IS-IS options */ ), "esis" ( /* End system-intermediate system options */ juniper_protocols_esis /* End system-intermediate system options */ ), "msdp" ( /* MSDP configuration */ juniper_protocols_msdp /* MSDP configuration */ ), "ospf" ( /* OSPF configuration */ juniper_protocols_ospf /* OSPF configuration */ ), "ospf3" ( /* OSPFv3 configuration */ c( "realm" ("ipv6-unicast" | "ipv6-multicast" | "ipv4-unicast" | "ipv4-multicast") ( /* OSPFv3 realm configuration */ c( ("disable"), "traceoptions" ( /* Trace options for OSPF */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("spf" | "error" | "event" | "packet-dump" | "flooding" | "lsa-analysis" | "packets" | "hello" | "database-description" | "lsa-request" | "lsa-update" | "lsa-ack" | "ldp-synchronization" | "on-demand" | "nsr-synchronization" | "graceful-restart" | "restart-signaling" | "backup-spf" | "source-packet-routing" | "post-convergence-lfa" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology parameters */ c( "disable" /* Disable this topology */, "topology-id" arg /* Topology identifier */, "overload" /* Set the overload mode (repel transit traffic) */, "rib-group" arg /* Routing table group for importing routes */, "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */ ) ), "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */, "rib-group" arg /* Routing table group for importing OSPF routes */, "job-stats" /* Collect job statistics */, "overload" ( /* Set the overload mode (repel transit traffic) */ c( "timeout" arg /* Time after which overload mode is reset */, "allow-route-leaking" /* Allow routes to be leaked when overload is configured */, "stub-network" /* Advertise Stub Network with maximum metric */, "intra-area-prefix" /* Advertise Intra Area Prefix with maximum metric */, "as-external" /* Advertise As External with maximum usable metric */ ) ), "database-protection" ( /* Configure database protection attributes */ c( "maximum-lsa" arg /* Maximum allowed non self-generated LSAs */, "warning-only" /* Emit only a warning when LSA maximum limit is exceeded */, "warning-threshold" arg /* Percentage of LSA maximum above which to trigger warning */, "ignore-count" arg /* Maximum number of times to go into ignore state */, "ignore-time" arg /* Time to stay in ignore state and ignore all neighbors */, "reset-time" arg /* Time after which the ignore count gets reset to zero */ ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "restart-duration" arg /* Time for all neighbors to become full */, "notify-duration" arg /* Time to send all max-aged grace LSAs */, "helper-disable" ( /* Disable graceful restart helper capability */ c( c( "standard" /* Disable helper-mode for rfc3623 based GR */, "restart-signaling" /* Disable helper mode for restart-signaling */, "both" /* Disable helper mode for both the types of GR */ ) ) ), "no-strict-lsa-checking" /* Do not abort graceful helper mode upon LSA changes */ ) ), "traffic-engineering" ( /* Configure traffic engineering attributes */ c( "no-topology" /* Disable dissemination of TE link-state topology information */, "multicast-rpf-routes" /* Install routes for multicast RPF checks into inet.2 */, "igp-topology" /* Download IGP topology into TED */, "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "shortcuts" ( /* Use label-switched paths as next hops, if possible */ c( "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "lsp-metric-into-summary" /* Advertise LSP metric into summary LSAs */ ) ), "advertise-unnumbered-interfaces" /* Advertise unnumbered interfaces */, "credibility-protocol-preference" /* TED protocol credibility follows protocol preference */ ) ), "route-type-community" ( /* Specify BGP extended community value to encode OSPF route type */ ("iana" | "vendor") ), "domain-id" ( /* Configure domain ID */ sc( c( arg /* Domain ID */, "disable" /* Disable domain ID */ ) ) ).as(:oneline), c( "domain-vpn-tag" arg /* Domain VPN tag for external LSA */, "no-domain-vpn-tag" /* Disable domain VPN tag */ ), "preference" arg /* Preference of internal routes */, "external-preference" arg /* Preference of external routes */, "labeled-preference" arg /* Preference of labeled routes */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy (for external routes or setting priority) */ policy_algebra /* Import policy (for external routes or setting priority) */ ), "reference-bandwidth" arg /* Bandwidth for calculating metric defaults */, "lsa-refresh-interval" arg /* LSA refresh interval (minutes) */, "spf-delay" arg /* Time to wait before running an SPF */, "no-rfc-1583" /* Disable RFC1583 compatibility */, "source-packet-routing" ( /* Enable source packet routing (SPRING) */ c( "node-segment" ( /* Enable support for Node segments in SPRING */ c( "ipv4-index" arg /* Set ipv4 node segment index */, "index-range" arg /* Set range of node segment indices allowed */ ) ), "mapping-server" arg /* Mapping server name */, "install-prefix-sid-for-best-route" /* For best route install a exact prefix sid route */ ) ), "forwarding-address-to-broadcast" /* Set forwarding address in Type 5 LSA in broadcast network */, c( "no-nssa-abr" /* Disable full NSSA functionality at ABR */ ), "sham-link" ( /* Configure parameters for sham links */ c( "local" ( /* Local sham link endpoint address */ ipaddr /* Local sham link endpoint address */ ), "no-advertise-local" /* Don't advertise local sham link endpoint as stub in router LSA */ ) ), "area" arg ( /* Configure an OSPF area */ c( c( "stub" ( /* Configure a stub area */ sc( "default-metric" arg /* Metric for the default route in this stub area */, "summaries" /* Flood summary LSAs into this stub area */, "no-summaries" /* Don't flood summary LSAs into this stub area */ ) ).as(:oneline), "nssa" ( /* Configure a not-so-stubby area */ c( "default-lsa" ( /* Configure a default LSA */ c( "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "type-7" /* Flood type 7 default LSA if no-summaries is configured */ ) ), "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "summaries" /* Flood summary LSAs into this NSSA area */, "no-summaries" /* Don't flood summary LSAs into this NSSA area */, "area-range" arg ( /* Configure NSSA area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" ( /* Override the dynamic metric for this area-range */ c( arg, "metric-type" arg /* Set the metric type for the override metric */ ) ) ) ) ) ) ), "area-range" arg ( /* Configure area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" arg /* Override the dynamic metric for this area-range */ ) ), "network-summary-export" ( /* Export policy for Type 3 Summary LSAs */ policy_algebra /* Export policy for Type 3 Summary LSAs */ ), "network-summary-import" ( /* Import policy for Type 3 Summary LSAs */ policy_algebra /* Import policy for Type 3 Summary LSAs */ ), "inter-area-prefix-export" ( /* Export policy for Inter Area Prefix LSAs */ policy_algebra /* Export policy for Inter Area Prefix LSAs */ ), "inter-area-prefix-import" ( /* Import policy for Inter Area Prefix LSAs */ policy_algebra /* Import policy for Inter Area Prefix LSAs */ ), "authentication-type" ( /* Authentication type */ ("none" | "simple" | "md5") ), "virtual-link" ( /* Configure virtual links */ s( "neighbor-id" arg /* Router ID of a virtual neighbor */, "transit-area" arg /* Transit area in common with virtual neighbor */, c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ) ), "sham-link-remote" arg ( /* Configure parameters for remote sham link endpoint */ c( "metric" arg /* Sham link metric */, "ipsec-sa" arg /* IPSec security association name */, "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "interface" arg ( /* Include an interface in this area */ c( ("disable"), "interface-type" ( /* Type of interface */ ("nbma" | "p2mp" | "p2p" | "p2mp-over-lan") ), "post-convergence-lfa" ( /* Protect interface using post-convergence backup path */ c( "node-protection" ( /* Compute backup path assuming node failure */ c( "cost" arg /* Cost for node protection */ ) ) ) ), c( "link-protection" /* Protect interface from link faults only */, "node-link-protection" /* Protect interface from both link and node faults */ ), "no-eligible-backup" /* Not eligible to backup traffic from protected interfaces */, "no-eligible-remote-backup" /* Not eligible for Remote-LFA backup traffic from protected interfaces */, "passive" ( /* Do not run OSPF, but advertise it */ c( "traffic-engineering" ( /* Advertise TE link information */ c( "remote-node-id" ( /* Remote address of the link */ ipaddr /* Remote address of the link */ ), "remote-node-router-id" ( /* TE Router-ID of the remote node */ ipv4addr /* TE Router-ID of the remote node */ ) ) ) ) ), "secondary" /* Treat interface as secondary */, "own-router-lsa" /* Generate a separate router LSA for this interface */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ), "metric" arg /* Interface metric */, "te-metric" arg /* Traffic engineering metric */, "priority" arg /* Designated router priority */, "ldp-synchronization" ( /* Advertise maximum metric until LDP is operational */ ldp_sync_obj /* Advertise maximum metric until LDP is operational */ ), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ), "transmit-interval" arg /* OSPF packet transmit interval (milliseconds) */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "full-neighbors-only" /* Setup BFD sessions only to Full neighbors */ ) ), "dynamic-neighbors" /* Learn neighbors dynamically on a p2mp interface */, "no-advertise-adjacency-segment" /* Do not advertise an adjacency segment for this interface */, "neighbor" arg ( /* NBMA neighbor */ sc( "eligible" /* Eligible to be DR on an NBMA network */ ) ).as(:oneline), "poll-interval" arg /* Poll interval for NBMA interfaces */, "no-interface-state-traps" /* Do not send interface state change traps */ ) ), "no-source-packet-routing" /* Disable SPRING in this area */, "no-context-identifier-advertisement" /* Disable context identifier advertisments in this area */, "context-identifier" arg /* Configure context identifier in support of edge protection */, "label-switched-path" arg ( /* Configuration for advertisement of a label-switched path */ c( ("disable"), "metric" arg /* Interface metric */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "peer-interface" arg ( /* Configuration for peer interface */ c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */ ) ) ) ) ) ), ("disable"), "traceoptions" ( /* Trace options for OSPF */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("spf" | "error" | "event" | "packet-dump" | "flooding" | "lsa-analysis" | "packets" | "hello" | "database-description" | "lsa-request" | "lsa-update" | "lsa-ack" | "ldp-synchronization" | "on-demand" | "nsr-synchronization" | "graceful-restart" | "restart-signaling" | "backup-spf" | "source-packet-routing" | "post-convergence-lfa" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology parameters */ c( "disable" /* Disable this topology */, "topology-id" arg /* Topology identifier */, "overload" /* Set the overload mode (repel transit traffic) */, "rib-group" arg /* Routing table group for importing routes */, "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */ ) ), "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */, "rib-group" arg /* Routing table group for importing OSPF routes */, "job-stats" /* Collect job statistics */, "overload" ( /* Set the overload mode (repel transit traffic) */ c( "timeout" arg /* Time after which overload mode is reset */, "allow-route-leaking" /* Allow routes to be leaked when overload is configured */, "stub-network" /* Advertise Stub Network with maximum metric */, "intra-area-prefix" /* Advertise Intra Area Prefix with maximum metric */, "as-external" /* Advertise As External with maximum usable metric */ ) ), "database-protection" ( /* Configure database protection attributes */ c( "maximum-lsa" arg /* Maximum allowed non self-generated LSAs */, "warning-only" /* Emit only a warning when LSA maximum limit is exceeded */, "warning-threshold" arg /* Percentage of LSA maximum above which to trigger warning */, "ignore-count" arg /* Maximum number of times to go into ignore state */, "ignore-time" arg /* Time to stay in ignore state and ignore all neighbors */, "reset-time" arg /* Time after which the ignore count gets reset to zero */ ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "restart-duration" arg /* Time for all neighbors to become full */, "notify-duration" arg /* Time to send all max-aged grace LSAs */, "helper-disable" ( /* Disable graceful restart helper capability */ c( c( "standard" /* Disable helper-mode for rfc3623 based GR */, "restart-signaling" /* Disable helper mode for restart-signaling */, "both" /* Disable helper mode for both the types of GR */ ) ) ), "no-strict-lsa-checking" /* Do not abort graceful helper mode upon LSA changes */ ) ), "traffic-engineering" ( /* Configure traffic engineering attributes */ c( "no-topology" /* Disable dissemination of TE link-state topology information */, "multicast-rpf-routes" /* Install routes for multicast RPF checks into inet.2 */, "igp-topology" /* Download IGP topology into TED */, "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "shortcuts" ( /* Use label-switched paths as next hops, if possible */ c( "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "lsp-metric-into-summary" /* Advertise LSP metric into summary LSAs */ ) ), "advertise-unnumbered-interfaces" /* Advertise unnumbered interfaces */, "credibility-protocol-preference" /* TED protocol credibility follows protocol preference */ ) ), "route-type-community" ( /* Specify BGP extended community value to encode OSPF route type */ ("iana" | "vendor") ), "domain-id" ( /* Configure domain ID */ sc( c( arg /* Domain ID */, "disable" /* Disable domain ID */ ) ) ).as(:oneline), c( "domain-vpn-tag" arg /* Domain VPN tag for external LSA */, "no-domain-vpn-tag" /* Disable domain VPN tag */ ), "preference" arg /* Preference of internal routes */, "external-preference" arg /* Preference of external routes */, "labeled-preference" arg /* Preference of labeled routes */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy (for external routes or setting priority) */ policy_algebra /* Import policy (for external routes or setting priority) */ ), "reference-bandwidth" arg /* Bandwidth for calculating metric defaults */, "lsa-refresh-interval" arg /* LSA refresh interval (minutes) */, "spf-delay" arg /* Time to wait before running an SPF */, "no-rfc-1583" /* Disable RFC1583 compatibility */, "source-packet-routing" ( /* Enable source packet routing (SPRING) */ c( "node-segment" ( /* Enable support for Node segments in SPRING */ c( "ipv4-index" arg /* Set ipv4 node segment index */, "index-range" arg /* Set range of node segment indices allowed */ ) ), "mapping-server" arg /* Mapping server name */, "install-prefix-sid-for-best-route" /* For best route install a exact prefix sid route */ ) ), "forwarding-address-to-broadcast" /* Set forwarding address in Type 5 LSA in broadcast network */, c( "no-nssa-abr" /* Disable full NSSA functionality at ABR */ ), "sham-link" ( /* Configure parameters for sham links */ c( "local" ( /* Local sham link endpoint address */ ipaddr /* Local sham link endpoint address */ ), "no-advertise-local" /* Don't advertise local sham link endpoint as stub in router LSA */ ) ), "area" arg ( /* Configure an OSPF area */ c( c( "stub" ( /* Configure a stub area */ sc( "default-metric" arg /* Metric for the default route in this stub area */, "summaries" /* Flood summary LSAs into this stub area */, "no-summaries" /* Don't flood summary LSAs into this stub area */ ) ).as(:oneline), "nssa" ( /* Configure a not-so-stubby area */ c( "default-lsa" ( /* Configure a default LSA */ c( "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "type-7" /* Flood type 7 default LSA if no-summaries is configured */ ) ), "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "summaries" /* Flood summary LSAs into this NSSA area */, "no-summaries" /* Don't flood summary LSAs into this NSSA area */, "area-range" arg ( /* Configure NSSA area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" ( /* Override the dynamic metric for this area-range */ c( arg, "metric-type" arg /* Set the metric type for the override metric */ ) ) ) ) ) ) ), "area-range" arg ( /* Configure area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" arg /* Override the dynamic metric for this area-range */ ) ), "network-summary-export" ( /* Export policy for Type 3 Summary LSAs */ policy_algebra /* Export policy for Type 3 Summary LSAs */ ), "network-summary-import" ( /* Import policy for Type 3 Summary LSAs */ policy_algebra /* Import policy for Type 3 Summary LSAs */ ), "inter-area-prefix-export" ( /* Export policy for Inter Area Prefix LSAs */ policy_algebra /* Export policy for Inter Area Prefix LSAs */ ), "inter-area-prefix-import" ( /* Import policy for Inter Area Prefix LSAs */ policy_algebra /* Import policy for Inter Area Prefix LSAs */ ), "authentication-type" ( /* Authentication type */ ("none" | "simple" | "md5") ), "virtual-link" ( /* Configure virtual links */ s( "neighbor-id" arg /* Router ID of a virtual neighbor */, "transit-area" arg /* Transit area in common with virtual neighbor */, c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ) ), "sham-link-remote" arg ( /* Configure parameters for remote sham link endpoint */ c( "metric" arg /* Sham link metric */, "ipsec-sa" arg /* IPSec security association name */, "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "interface" arg ( /* Include an interface in this area */ c( ("disable"), "interface-type" ( /* Type of interface */ ("nbma" | "p2mp" | "p2p" | "p2mp-over-lan") ), "post-convergence-lfa" ( /* Protect interface using post-convergence backup path */ c( "node-protection" ( /* Compute backup path assuming node failure */ c( "cost" arg /* Cost for node protection */ ) ) ) ), c( "link-protection" /* Protect interface from link faults only */, "node-link-protection" /* Protect interface from both link and node faults */ ), "no-eligible-backup" /* Not eligible to backup traffic from protected interfaces */, "no-eligible-remote-backup" /* Not eligible for Remote-LFA backup traffic from protected interfaces */, "passive" ( /* Do not run OSPF, but advertise it */ c( "traffic-engineering" ( /* Advertise TE link information */ c( "remote-node-id" ( /* Remote address of the link */ ipaddr /* Remote address of the link */ ), "remote-node-router-id" ( /* TE Router-ID of the remote node */ ipv4addr /* TE Router-ID of the remote node */ ) ) ) ) ), "secondary" /* Treat interface as secondary */, "own-router-lsa" /* Generate a separate router LSA for this interface */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ), "metric" arg /* Interface metric */, "te-metric" arg /* Traffic engineering metric */, "priority" arg /* Designated router priority */, "ldp-synchronization" ( /* Advertise maximum metric until LDP is operational */ ldp_sync_obj /* Advertise maximum metric until LDP is operational */ ), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ), "transmit-interval" arg /* OSPF packet transmit interval (milliseconds) */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "full-neighbors-only" /* Setup BFD sessions only to Full neighbors */ ) ), "dynamic-neighbors" /* Learn neighbors dynamically on a p2mp interface */, "no-advertise-adjacency-segment" /* Do not advertise an adjacency segment for this interface */, "neighbor" arg ( /* NBMA neighbor */ sc( "eligible" /* Eligible to be DR on an NBMA network */ ) ).as(:oneline), "poll-interval" arg /* Poll interval for NBMA interfaces */, "no-interface-state-traps" /* Do not send interface state change traps */ ) ), "no-source-packet-routing" /* Disable SPRING in this area */, "no-context-identifier-advertisement" /* Disable context identifier advertisments in this area */, "context-identifier" arg /* Configure context identifier in support of edge protection */, "label-switched-path" arg ( /* Configuration for advertisement of a label-switched path */ c( ("disable"), "metric" arg /* Interface metric */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "peer-interface" arg ( /* Configuration for peer interface */ c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */ ) ) ) ) ) ), "ldp" ( /* LDP options */ juniper_protocols_ldp /* LDP options */ ), "pim" ( /* PIM configuration */ juniper_protocols_pim /* PIM configuration */ ), "rip" ( /* RIP options */ juniper_protocols_rip /* RIP options */ ), "ripng" ( /* RIPng options */ juniper_protocols_ripng /* RIPng options */ ), "connections" ( /* Circuit cross-connect configuration */ c( "interface-switch" arg ( /* Bidirectional switch between interfaces */ c( "interface" arg /* Interface to be switched */ ) ), "remote-interface-switch" arg ( /* Bidirectional switch between a local and a remote interface */ c( "interface" ( /* Local interface name */ interface_name /* Local interface name */ ), "transmit-lsp" arg /* Name of outgoing label-switched path */, "receive-lsp" arg /* Name of incoming label-switched path */ ) ), "lsp-switch" arg ( /* Unidirectional switch between two label-switched paths */ c( "transmit-lsp" arg /* Name of outgoing label-switched path */, "receive-lsp" arg /* Name of incoming label-switched path */ ) ), "p2mp-transmit-switch" arg ( /* Local interface to point-to-multipoint LSP switch */ c( "input-interface" ( /* Input interface name */ interface_name /* Input interface name */ ), "transmit-p2mp-lsp" arg /* Point-to-multipoint LSP name on which to transmit */, "output-interface" ( /* Outgoing interface name */ interface_name /* Outgoing interface name */ ) ) ), "p2mp-receive-switch" arg ( /* Point-to-multipoint LSP to local interfaces switch */ c( "receive-p2mp-lsp" arg /* Point-to-multipoint LSP name on which to receive */, "output-interface" ( /* Next outgoing interface name */ interface_name /* Next outgoing interface name */ ) ) ) ) ), "vrrp" ( /* VRRP options */ c( "traceoptions" ( /* Trace options for VRRP */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ), "microsecond-stamp" /* Timestamp with microsecond granularity */ ) ).as(:oneline), "flag" enum(("database" | "general" | "interfaces" | "normal" | "packets" | "state" | "timer" | "ppm" | "all")) /* Tracing parameters */.as(:oneline) ) ), "failover-delay" arg /* Additional failover delay timer */, "startup-silent-period" arg /* Period for ignoring master down timer at device startup */, "asymmetric-hold-time" /* Priority hold time asymmetric behaviour */, "delegate-processing" /* Switch to distributed PPMD */, "skew-timer-disable" /* Disable the skew timer */, "global-advertisements-threshold" arg /* Number of vrrp advertisements missed before declaring master down */, "inherit-advertisement-interval" arg /* Advertisement interval for inherit sessions */, "version-3" /* VRRPv3 conformance */ ) ), "l2circuit" ( /* Configuration for Layer 2 circuits over MPLS */ c( "traceoptions" ( /* Trace options for Layer 2 circuits */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "topology" | "fec" | "connections" | "oam" | "egress-protection" | "auto-sensing" | "sdb" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "neighbor" arg ( /* List of Layer 2 circuits to this neighbor */ c( "interface" arg ( /* Interface forming the Layer 2 circuit */ c( "static" ( /* Configuration of static Pseudowire */ c( "incoming-label" arg /* Layer 2 circuit incoming static label */, "outgoing-label" arg /* Layer 2 circuit outgoing static label */, "send-oam" /* Turn on sending of l2ckt ping */ ) ), "psn-tunnel-endpoint" ( /* Endpoint of the transport tunnel on the remote PE */ ipv4addr /* Endpoint of the transport tunnel on the remote PE */ ), "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "virtual-circuit-id" arg /* Identifier for this Layer 2 circuit */, "description" arg /* Text description of Layer 2 circuit */, "control-word" /* Add control word to the Layer 2 encapsulation */, "no-control-word" /* Don't add control word to the Layer 2 encapsulation */, "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-transmit-static" /* Push Flow Label on PW packets sent to remote PE */, "flow-label-receive" /* Advertise capability to pop Flow Label in receive direction to remote PE */, "flow-label-receive-static" /* Pop Flow Label from PW packets received from remote PE */, "community" arg /* Community associated with this Layer 2 circuit */, "mtu" arg /* MTU to be advertised for this Layer 2 circuit */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "ignore-mtu-mismatch" /* Allow different MTUs on interfaces */, "no-revert" /* Don't revert to primary-interface */, "bandwidth" ( /* Bandwidth to reserve (bps) */ bandwidth_type /* Bandwidth to reserve (bps) */ ), "pseudowire-status-tlv" ( /* Send pseudowire status TLV */ c( "hot-standby-vc-on" /* Activate pseudowire upon arrival of 'hot-standby' status TLV message */ ) ), "switchover-delay" arg /* Layer 2 circuit switchover delay */, "revert-time" ( /* Enable pseudowire redundancy reversion */ sc( arg, "maximum" arg /* Maximum reversion interval to add over revert-time delay */ ) ).as(:oneline), "connection-protection" /* End-2-end protection via OAM failure detection */, "backup-neighbor" arg ( /* Configuration of redundant l2circuit */ c( "static" ( /* Configuration of static Pseudowire */ c( "incoming-label" arg /* Layer 2 circuit incoming static label */, "outgoing-label" arg /* Layer 2 circuit outgoing static label */ ) ), "virtual-circuit-id" arg /* Identifier for this Layer 2 circuit */, "community" arg /* Community associated with this Layer 2 circuit */, "psn-tunnel-endpoint" ( /* Endpoint of the transport tunnel on the remote PE */ ipv4addr /* Endpoint of the transport tunnel on the remote PE */ ), "standby" /* Keep backup pseudowire in continuous standby */, "hot-standby" /* Keep backup pseudowire in continuous standby mode and ready for traffic forwarding */ ) ), "oam" /* OAM Configuration for Layer 2 circuit */, "egress-protection" ( /* Egress protection for Layer 2 circuit */ c( c( "protector-interface" ( /* Name of the protector interface for local protection */ interface_name /* Name of the protector interface for local protection */ ), "protector-pe" ( /* Address of the protector PE */ sc( ipv4addr /* Address of the protector PE */, "context-identifier" ( /* Identifier of the context used for this protection */ ipv4addr /* Identifier of the context used for this protection */ ), "lsp" arg /* Name of the label-switched path used for the protection */ ) ).as(:oneline) ), "protected-l2circuit" ( /* Primary Layer 2 circuit to be protected */ sc( arg /* Name of the protected Layer 2 circuit */, "ingress-pe" ( /* Ingress PE address of the protected Layer 2 circuit */ ipv4addr /* Ingress PE address of the protected Layer 2 circuit */ ), "egress-pe" ( /* Egress PE address of the protected Layer 2 circuit */ ipv4addr /* Egress PE address of the protected Layer 2 circuit */ ), "virtual-circuit-id" arg /* Identifier of the protected Layer 2 circuit */ ) ).as(:oneline) ) ) ) ) ) ), "local-switching" ( /* Configuration of Layer 2 circuits local switching */ c( "interface" arg ( /* Interface forming the local Layer 2 circuit */ c( "no-revert" /* Do not revert to primary-interface */, "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "connection-protection" /* End-2-end protection via OAM failure detection */, "neighbor" arg ( /* Configuration of Layer 2 circuit */ c( "virtual-circuit-id" arg /* Identifier for this Layer 2 circuit */, "community" arg /* Community associated with this Layer 2 circuit */, "psn-tunnel-endpoint" ( /* Endpoint of the transport tunnel on the neighbor PE */ ipv4addr /* Endpoint of the transport tunnel on the neighbor PE */ ), "mtu" arg /* MTU to be advertised for this Layer 2 circuit */ ) ), "backup-neighbor" arg ( /* Configuration of redundant l2circuit */ c( "virtual-circuit-id" arg /* Identifier for this Layer 2 circuit */, "psn-tunnel-endpoint" ( /* Endpoint of the transport tunnel on the backup neighbor PE */ ipv4addr /* Endpoint of the transport tunnel on the backup neighbor PE */ ), "community" arg /* Community associated with this Layer 2 circuit */, "mtu" arg /* MTU to be advertised for this Layer 2 circuit */ ) ), "end-interface" ( /* Interface name of the other end point */ c( "interface" ( /* Interface name */ interface_name /* Interface name */ ), "no-revert" /* Do not revert to primary-interface */, "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "backup-interface" ( /* Name of backup interface */ interface_name /* Name of backup interface */ ) ) ), "description" arg /* Text description of Layer 2 circuit */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "ignore-mtu-mismatch" /* Allow different MTUs on interfaces */ ) ) ) ), "auto-sensing" ( /* Configuration of PW auto-sensing */ c( "password" ( /* Password for authentication with Radius server; 1 to 15 characters long */ unreadable /* Password for authentication with Radius server; 1 to 15 characters long */ ) ) ) ) ), "evpn" ( /* Configuration EVPN default routing instance */ c( "traceoptions" ( /* Trace options for Layer 2 VPNs */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "topology" | "nlri" | "connections" | "automatic-site" | "oam" | "mac-database" | "nsr" | "egress-protection" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "es-import-oldstyle" /* Enable noncompliant ES import route-target computation */, "mac-history" arg /* Number of history entries to be maitained per mac */, "mac-list" arg ( /* Configure MAC lists */ c( "mac-address" ( /* MAC address */ mac_addr /* MAC address */ ) ) ), "vni-options" ( /* Vni options */ juniper_protocols_vni_options /* Vni options */ ), "encapsulation" arg /* Encapsulation type for EVPN */, "extended-vlan-list" /* List of VLAN identifiers that are to be EVPN extended */, "multicast-mode" arg /* Multicast mode for EVPN */, "default-gateway" arg /* Default gateway mode */, "designated-forwarder-election-hold-time" arg /* Time to wait before electing a DF(seconds) */, "extended-vni-list" /* List of VNI identifiers or all, that are to be EVPN extended */, "duplicate-mac-detection" /* Duplicate MAC detection settings */, "mac-mobility" /* MAC mobility settings */, "no-core-isolation" /* Disable EVPN Core isolation */ ) ), "link-management" ( /* LMP options */ juniper_protocols_lmp /* LMP options */ ), "pgm" ( /* PGM options */ juniper_protocols_pgm /* PGM options */ ), "bfd" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "traceoptions" ( /* Trace options for BFD */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("adjacency" | "event" | "error" | "rtsock" | "packet" | "ppm-packet" | "pipe" | "pipe-detail" | "state" | "timer" | "nsr-synchronization" | "nsr-packet" | "issu" | "slow-start" | "session" | "all")) /* Trace flag information */.as(:oneline) ) ), "no-issu-timer-negotiation" /* Disable ISSU timer negotiation */, "sbfd" ( /* Seamless BFD parameters */ c( "pool" arg /* List of Seamless BFD endpoints */, "local-discriminator" arg ( /* Local discriminator for Seamless BFD responder */ c( "minimum-receive-interval" arg /* Minimum receive interval for Seamless BFD responder */ ) ) ) ) ) ), "mvpn" ( /* BGP-MVPN configuration */ juniper_protocols_mvpn /* BGP-MVPN configuration */ ), "vpls" /* Configuration for global vpls module */, "source-packet-routing" ( /* Enable source packet routing (SPRING) */ c( "traceoptions" ( /* Trace options for soure-packet-routing */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("controller" | "state" | "route" | "general" | "interface" | "all")) /* Tracing parameters */.as(:oneline) ) ), "lsp-external-controller" arg /* External path computing entity */, "preference" arg /* Route preference for SPRING-TE routes */, "sr-preference-override" arg /* SR-preference override for static SR-policies.Higher value is more preferred */, "sr-preference" arg /* SR-preference for static SR-policies.Higher value is more preferred */, "maximum-segment-list-depth" arg /* Maximum segment list depth for SR-TE policies */, "segment-list" arg ( /* Explicit path for SR-TE segments */ c( c( "label" arg /* Next label in SR-TE segment-list */, "ip-address" ( /* IP address of the hop */ ipaddr /* IP address of the hop */ ) ), "bfd-liveness-detection" ( /* Bidirectional forwarding detection options */ c( "sbfd" ( /* Seamless BFD parameters */ c( "remote-discriminator" arg /* Remote discriminator of reflector */ ) ), "minimum-interval" arg /* Minimum transmit and receive interval */, "multiplier" arg /* Detection time multiplier */, "no-router-alert-option" /* Do not set the Router Alert option in IP header */ ) ), "inherit-label-nexthops" /* Inherit label nexthops for first hop in this segment list */ ) ), "source-routing-path" arg ( /* Configure a source-routing-path */ c( "to" ( /* Ip-address of the tunnel end-point */ ipaddr /* Ip-address of the tunnel end-point */ ), "color" arg /* Color identifier for the tunnel end-point */, "no-ingress" /* Disable ingress functionality for this tunnel */, "binding-sid" arg /* Specify the binding-label to enable transit functionality for this tunnel */, "install" arg /* Install prefix */.as(:oneline), "preference" arg /* Preference for routes downloaded for this tunnel */, "metric" arg /* Metric for routes downloaded for this tunnel */, "sr-preference" arg /* SR-preference for SPRING-TE routes. Higher value is more preferred */, "primary" arg ( /* Configure a primary segment list for this source-routing-path */ c( "weight" arg /* Specify the balance factor for this segment list in SR-TE tunnel */ ) ), "secondary" arg /* Configure a secondary segment list for this source-routing-path */ ) ), "inherit-label-nexthops" /* Inherit label nexthops for first hop in segment lists */, "telemetry" ( /* Enable telemetry on SR-TE policies */ c( "statistics" ( /* Enable traffic-statistics collection on SR-TE policies */ c( "no-transit" /* Disable statistics collection on binding sid route */, "no-ingress" /* Disable statistics collection on destination route */ ) ) ) ) ) ), "neighbor-discovery" ( /* IPv6 neighbor discovery */ c( "onlink-subnet-only" /* Onlink subnet only knob */, "no-dad-on-state-change" /* Disable DAD on interface state change */, "ndp-proxy" ( /* Configure NDP PROXY behaviour */ c( "no-proxy-on-resolve" /* Disable proxy on unresolved address */ ) ), "dad-proxy" ( /* Configure DAD PROXY behaviour */ c( "no-proxy-on-resolve" /* Disable proxy on unresolved address */ ) ), "secure" /* SEND process configuration */ ) ), "iccp" /* ICCP options */, "ilmi" ( /* Interim Local Management Interface Protocol configuration */ c( "traceoptions" ( /* ILMI trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("database" | "routing-socket" | "state" | "debug" | "event" | "packet" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "lacp" ( /* Link Aggregation Control Protocol configuration */ c( "traceoptions" ( /* LACP trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "process" | "startup" | "protocol" | "packet" | "ppm" | "bfd" | "mc-ae" | "all")) /* Events and packet types to include in the trace */.as(:oneline) ) ), "ppm" ( /* Force PPM processing */ ("centralized") ), "fast-hello-issu" /* ISSU support for peer lacp configured in fast periodic */ ) ), "oam" ( /* Operation, Administration, and Management configuration */ c( "ethernet" ( /* OAM configuration for Ethernet */ c( "link-fault-management" ( /* 802.3ah Ethernet OAM configuration */ c( "traceoptions" ( /* Trace options for link-fault management */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "protocol" | "action-profile" | "all")) /* Tracing parameters */.as(:oneline) ) ), "action-profile" arg ( /* Define an action profile */ c( "event" ( /* Events this action profile will check */ c( "link-adjacency-loss" /* Loss of adjacency with OAM peer */, "protocol-down" /* Upper layer indication on protocol down */, "link-event-rate" ( c( "symbol-period" arg /* Rate of receiving symbol period events */, "frame-error" arg /* Rate of receiving frame error events */, "frame-period" arg /* Rate of receiving frame period events */, "frame-period-summary" arg /* Rate of receiving frame period summary events */ ) ) ) ), "action" ( /* Action to take on specified events */ c( "syslog" /* Generate syslog message */, "link-down" /* Mark the interface down for transit traffic */, "send-critical-event" /* Start sending OAM PDUs with critical event bit set */ ) ) ) ), "interface" arg ( /* Interface on which to set Ethernet OAM parameters */ c( "apply-action-profile" arg /* Apply the specified action profile on the interface */, "pdu-interval" arg /* Periodic OAM protocol data unit interval */, "loopback-tracking" /* Enable link down on loopback detection */, "detect-loc" /* Detects initial lack of adjacency formation */, "link-discovery" ( /* Mode of discovery */ ("active" | "passive") ), "pdu-threshold" arg /* Number of PDUs missed before declaring peer lost */, "remote-loopback" /* Put remote DTE into remote-loopback mode */, "negotiation-options" ( /* 802.3ah features supported on the interface */ c( "no-allow-link-events" /* Do not emit periodic PDUs detailing framing and symbol errors */, "allow-remote-loopback" /* Allow local port to be put into loopback mode */ ) ), "event-thresholds" ( /* Thresholds for sending 802.3ah events */ c( "symbol-period" arg /* Threshold for sending symbol period events */, "frame-error" arg /* Threshold for sending frame error events */, "frame-period" arg /* Threshold for sending frame period error events */, "frame-period-summary" arg /* Threshold for sending frame period summary error events */ ) ) ) ) ) ), "connectivity-fault-management" ( /* Configurations related to 802.1ag ethernet oam */ c( "performance-monitoring" /* Configurations related to ethernet performance monitoring */, "connection-protection" /* Configurations related to Carrier Ethernet Transport Mode */, "no-aggregate-delegate-processing" /* Do not distribute aggregate session to pfe */, "enhanced-cfm-mode" /* Enables Enhanced CFM Mode */, "traceoptions" ( /* Trace options for connectivity fault management */ cfm_traceoptions /* Trace options for connectivity fault management */ ), "action-profile" arg ( /* Action profiles to use when one or more remote maintenance association endpoints are down */ c( "event" ( /* Events that need to be monitored */ c( "interface-status-tlv" ( /* Values that need to be monitored in interface status TLV */ ("down" | "lower-layer-down") ), "port-status-tlv" ( /* Values that need to be monitored in port status TLV */ ("blocked") ), "adjacency-loss" /* Connectivity is lost */, "rdi" /* RDI received from some MEP */, "connection-protection-tlv" ( /* Values that need to be monitored in connection protection TLV */ ("using-working-path" | "using-protection-path") ), "server-mep-defects" arg /* Defects which are monitored by Server MEP */, "ais-trigger-condition" /* Defect condition that generates alarm indication signal */ ) ), "action" ( c( "interface-down" /* Mark the interface as down */, "revertive-interface-down" /* Wait for CC loss-threshold to bring back the interface up */, "non-revertive-interface-down" /* Interface will not be brought up when CC is received */, "propagate-remote-mac-flush" /* Remote mac-flush */, "interface-group-down" /* Mark the interface group as down */, "log-and-generate-ais" ( c( "level" arg /* Server maintenance domain levels range */, "interval" ( /* Interval between AIS messages */ ("1s" | "1m") ), "priority" arg /* 802.1p priority of AIS packet */ ) ) ) ), "clear-action" ( c( "interface-down" ( /* Mark the interface as down */ sc( "peer-interface" /* Mark the interface as down */ ) ).as(:oneline), "propagate-remote-mac-flush" /* Remote mac flush */ ) ), "default-actions" ( /* Action that needs to be taken */ c( "interface-down" /* Bring the interface down */ ) ) ) ), "server-mep" /* Server MEP to use when generation of AIS is required to monitor different services */, "policer" ( /* Rate limit Ethernet OAM packets for all sessions */ c( "continuity-check" arg /* Policer to rate limit Continuity Check Ethernet OAM messages */, "other" arg /* Policer to rate limit non Continuity Check Ethernet OAM messages */, "all" arg /* Policer to rate limit all Ethernet OAM messages */ ) ), "linktrace" ( /* Linktrace protocol global options */ c( "path-database-size" arg /* Number of linktrace reply entries to be stored per linktrace request */, "age" ( /* Time after which a stale request-response entry is deleted */ ("10s" | "30s" | "1m" | "10m" | "30m") ) ) ), "maintenance-domain" ("default-0" | "default-1" | "default-2" | "default-3" | "default-4" | "default-5" | "default-6" | "default-7" | arg) ( /* Maintenance domain configuration */ c( "bridge-domain" /* Bridge-domain information for the default maintenance domain */.as(:oneline), "vlan" arg /* VLAN information for the default maintenance domain */.as(:oneline), "virtual-switch" arg ( /* Virtual switch Bridge-domain information for the default maintenance domain */ c( "bridge-domain" arg ( sc( "vlan-id" arg /* VLAN id */ ) ).as(:oneline) ) ), "instance" arg /* VPLS instance name for the default maintenance domain */.as(:oneline), "interface" arg /* Name of interface for the default maintenance domain */.as(:oneline), "level" arg /* Level value for maintenance domain */, "name-format" ( /* Format of maintenance domain name */ ("none" | "dns" | "mac+2oct" | "character-string") ), "mip-half-function" ( /* Half function to be implemented by MIP */ ("none" | "default" | "explicit") ), "maintenance-association" arg ( /* Maintenance association configuration */ c( "debug-session" /* Debug the CFM session */, "short-name-format" ( /* Format of Maintenance Association Name */ ("2octet" | "rfc-2685-vpn-id" | "vlan" | "character-string" | "icc") ), "protect-maintenance-association" /* Maintenance association used for connection protection */.as(:oneline), "primary-vid" ( /* VLAN id */ ("none" | arg) ), "continuity-check" ( /* Continuity check configuration */ c( "interval" ( /* Interval between continuity-check messages */ ("10ms" | "100ms" | "1s" | "10s" | "1m" | "10m" | "3.3ms") ), "loss-threshold" arg /* Number of continuity-check messages lost before marking endpoint as down */, "hold-interval" arg /* Time before flushing MEP database if no updates occur */, "port-status-tlv" /* Include port status TLV in CCM */, "interface-status-tlv" /* Include interface status TLV in CCM */, "connection-protection-tlv" /* Include connection protection OUI TLV in CCM */, "convey-loss-threshold" /* Include Loss Threshold OUI TLV in CCM */, "interface-status-send-rdi" /* Send RDI on interface operation status down in CCM */, "sendid-tlv" ( /* Include sendid-tlv in CCM/LBM/LTM */ c( "send-chassis-tlv" /* Attach Chassis ID & Mgmt Addr to CCM/LBM/LTM */ ) ) ) ), "mip-half-function" ( /* Half function to be implemented by MIP */ ("none" | "default" | "explicit" | "defer") ), "mep" arg ( /* Maintenance association endpoint configuration */ c( "interface" ( /* Name of interface */ sc( interface_unit, "vlan" arg /* Trunk port interface VLAN identifier */, c( "working" /* Monitory the primary path */, "protect" /* Monitory the protect path */ ) ) ).as(:oneline), "direction" ( /* Direction of maintenance endpoint */ ("up" | "down") ), "priority" arg /* 802.1p priority of continuity-check and link-trace packet */, "auto-discovery" /* Accept continuity-check messages from all remote MEPs */, "action-profile" arg /* Name of the action profile */, "remote-mep" arg ( /* Remote maintenance association endpoint configuration */ c( "action-profile" arg /* Name of the action profile */, "interface-group" ( /* Mark this interface group down Profile configured with action interface-group-down */ c( interface_device /* Interface device name */, "unit-list" arg /* One or more logical interface unit numbers */ ) ), "sla-iterator-profile" arg ( /* Name of the iterator profile */ c( "iteration-count" arg /* Iterations to partake for acquiring SLA measurements */, "priority" arg /* The vlan pcp value to be sent in the Y.1731 frame */, "data-tlv-size" arg /* Size of the data-tlv portion of Y.1731 frame */ ) ), "detect-loc" /* Detects initial loss of connectivity with remote mep */ ) ), "lowest-priority-defect" ( /* Lowest priority defect that is allowed to generate a fault alarm */ ("all-defects" | "mac-rem-err-xcon" | "rem-err-xcon" | "err-xcon" | "xcon" | "no-defect") ) ) ), "policer" ( /* Rate limit Ethernet OAM packets for this session */ c( "continuity-check" arg /* Policer to rate limit Continuity Check Ethernet OAM messages */, "other" arg /* Policer to rate limit non Continuity Check Ethernet OAM messages */, "all" arg /* Policer to rate limit all Ethernet OAM messages */ ) ) ) ) ) ), "sendid-tlv" ( /* Include sendid-tlv in CCM/LBM/LTM */ c( "send-chassis-tlv" /* Attach Chassis ID & Mgmt Addr to CCM/LBM/LTM */ ) ) ) ), "evcs" arg ( /* Ethernet virtual circuits configuration */ c( "evc-protocol" ( /* Signaling protocol to monitor EVC status */ sc( c( "cfm" ( /* Connectivity fault management */ sc( "maintenance-domain" arg /* Maintenance domain name */, "maintenance-association" arg /* Maintenance association name */, "mep" arg /* Identifier for maintenance association endpoint */, "faults" /* CFM faults to trigger ELMI */ ) ).as(:oneline), "vpls" ( /* Virtual private LAN service (BGP/LDP) */ sc( "routing-instance" arg /* Routing instance name */ ) ).as(:oneline), "l2circuit" /* L2circuit */, "l2vpn" /* L2vpn */ ) ) ).as(:oneline), "remote-uni-count" arg /* Number of remote UNIs in the EVC */, "async-status-msg-transmit-interval" arg /* Time interval between E-LMI async status messages per EVC */, "multipoint-to-multipoint" /* Multipoint to Multipoint EVC */ ) ), "lmi" ( /* Ethernet local management interface configuration */ c( "traceoptions" ( /* Trace options for ethernet local management interface */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "protocol" | "init" | "error" | "packet" | "all")) /* Tracing parameters */.as(:oneline) ) ), "status-counter" arg /* E-LMI status counter (N393) */, "polling-verification-timer" arg /* Polling verification timer (T392) */, "interface" arg ( /* Interface options */ c( "uni-id" arg /* UNI identifier */, "status-counter" arg /* E-LMI status counter (N393) */, "polling-verification-timer" arg /* Polling verification timer (T392) */, "evc-map-type" ( /* CE-VLAN ID/EVC map type */ ("all-to-one-bundling" | "service-multiplexing" | "bundling") ), "evc" arg ( /* EVC configuration */ c( "default-evc" /* Default EVC */, "vlan-list" arg /* Vlans mapped to this EVC */ ) ) ) ) ) ), "fnp" ( /* Failure notification protocol configuration */ c( "traceoptions" ( /* Tracing options for FNP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("events" | "pdu" | "timers" | "error" | "all")) /* Tracing parameters */.as(:oneline) ) ), "interval" ( /* Interval between FNP messages */ ("100ms" | "1s" | "10s" | "1m" | "10m") ), "loss-threshold" arg /* Number of FNP messages lost before clearing FNP state */, "interface" arg ( /* Interface configuration */ c( "domain-id" arg /* Ethernet domain identifier */ ) ) ) ) ) ), "gre-tunnel" ( c( "traceoptions" ( /* Trace options for GRE keepalives */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "protocol" | "snmp" | "all")) /* Tracing parameters */.as(:oneline) ) ), "interface" arg ( c( "keepalive-time" arg /* Keepalive time */, "hold-time" arg /* Hold time */ ) ) ) ) ) ), "ptp" ( /* Precision Time Protocol v2 options */ c( "clock-mode" ( /* Clock mode */ ("ordinary" | "boundary") ), "profile-type" ( /* PTP profile type */ ("g.8275.1" | "g.8275.1.enh" | "g.8275.2.enh" | "enterprise-profile" | "smpte" | "aes67" | "aes67-smpte") ), "e2e-transparent" /* Enable end-to-end IEEE1588 transparent clock functionality */, "priority1" arg /* Used in selecting best master clock */, "priority2" arg /* Tie-breaker in selecting best master clock */, "local-priority" arg /* Priority assigned to the local clock */, "domain" arg /* PTP domain number */, "path-trace" /* Enable path tracing */, "unicast-negotiation" /* Enable unicast negotiation */, "phy-timestamping" /* PHY time-stamping feature */, "ipv4-dscp" arg /* IPv4 dscp value to be used for PTP packets */, "performance-monitor" /* PTP packet delay metrics */, "utc-leap-seconds" arg /* UTC leap seconds offset */, "slave" ( /* PTP Slave parameters */ c( "frequency-only" /* Only for frequency syntonization */, "delay-request" arg /* Log mean interval between delay requests */, "announce-timeout" arg /* Timeout period for announce messages */, "announce-interval" arg /* Log mean interval between announce messages */, "sync-interval" arg /* Requested log mean interval between sync messages */, "grant-duration" arg /* Length of grants in seconds requested during unicast-negotiation */, "convert-clock-class-to-quality-level" /* Enable PTP clock class to ESMC quality level mapping */, "clock-class-to-quality-level-mapping" ( /* PTP clock class to ESMC quality level mapping */ c( "quality-level" enum(("prc" | "ssu-a" | "ssu-b" | "sec" | "prs" | "st2" | "tnc" | "st3e" | "st3" | "smc" | "st4" | "stu")) ( c( "clock-class" arg /* PTP clock class threshold value */ ) ) ) ), "interface" arg ( /* Interface on which to respond to upstream PTP master */ c( "unicast-mode" ( /* Configure upstream unicast PTP master clock sources */ c( "transport" ( /* Encapsulation for PTP packet transport */ ("ipv4" | "ipv6") ), "local-priority" arg /* Priority assigned to the port */, "clock-source" ( /* Configure PTP master parameters */ s( arg, "local-ip-address" arg /* Must be IP address on local interface */, c( "asymmetry" arg /* Adjust the slave-to-master delay by value specified in nanoseconds */ ) ) ) ) ), "multicast-mode" ( /* Configure PTP slave clock to use multicast frames */ c( "transport" ( /* Encapsulation for PTP packet transport */ c( c( "ieee-802.3" ( /* PTP over 802.3 frames */ sc( "link-local" /* Use link local 802.3 MAC address */ ) ).as(:oneline), "ipv4" /* Use IP as transport */.as(:oneline) ) ) ), "local-priority" arg /* Priority assigned to the port */, "asymmetry" arg /* Adjust the slave-to-master delay by value specified in nanoseconds */, "local-ip-address" ( /* IP address on local interface */ ipv4addr /* IP address on local interface */ ) ) ), "primary" arg /* Configure primary interface name for the ae bundle */, "secondary" arg /* Configure secondary interface name for the ae bundle */ ) ), "hybrid" ( /* Hybrid mode configuration options */ c( "periodic-alignment" ( /* PTP hybrid periodic phase re-alignment */ ("enable" | "disable") ), "re-alignment-threshold" arg, "synchronous-ethernet-mapping" ( /* PTP source to synchronous ethernet interface mapping */ c( "clock-source" arg ( /* PTP source being mapped */ c( "interface" (arg) /* Synchonous ethernet interface name */ ) ) ) ) ) ) ) ), "master" ( /* PTP Master parameters */ c( "announce-interval" arg /* Log mean interval between announce messages */, "sync-interval" arg /* Log mean interval between sync messages */, "min-announce-interval" arg /* Min log mean interval between announce messages */, "max-announce-interval" arg /* Max log mean interval between announce messages */, "min-sync-interval" arg /* Min log mean interval between sync messages */, "max-sync-interval" arg /* Max log mean interval between sync messages */, "min-delay-response-interval" arg /* Min log mean interval between delay-resp messages */, "max-delay-response-interval" arg /* Max log mean interval between delay-resp messages */, "delay-req-timeout" arg /* Max timeout(in secs) for delay request messages */, "clock-step" ( /* Type of clock step */ ("one-step" | "two-step") ), "interface" arg ( /* Interface on which to respond to downstream PTP slaves */ c( "unicast-mode" ( /* Configure downstream PTP clock slaves */ c( "transport" ( /* Encapsulation for PTP packet transport */ ("ipv4" | "ipv6") ), "clock-client" ( /* Configure PTP master parameters */ s( arg, "local-ip-address" arg /* IP address of local PTP master interface */, c( "manual" /* This slave does not use unicast negotiation */ ) ) ) ) ), "multicast-mode" ( /* Configure PTP master clock to use multicast frames */ c( "transport" ( /* Encapsulation for PTP packet transport */ c( c( "ieee-802.3" ( /* PTP over 802.3 frames */ sc( "link-local" /* Use link local 802.3 MAC address */ ) ).as(:oneline), "ipv4" /* Use IP as transport */.as(:oneline) ) ) ), "local-priority" arg /* Priority assigned to the port */, "local-ip-address" ( /* IP address on local interface */ ipv4addr /* IP address on local interface */ ) ) ), "primary" arg /* Configure primary interface name for the ae bundle */, "secondary" arg /* Configure secondary interface name for the ae bundle */ ) ) ) ), "stateful" ( /* PTP stateful parameters */ c( "interface" arg ( /* Interfaces which will set to PTP stateful role */ c( "multicast-mode" ( /* Configure PTP stateful clock to use multicast frames */ c( "transport" ( /* Encapsulation for PTP packet transport */ c( c( "ieee-802.3" ( /* PTP over 802.3 frames */ sc( "link-local" /* Use link local 802.3 MAC address */ ) ).as(:oneline) ) ) ), "local-priority" arg /* Priority assigned to the port */, "asymmetry" arg /* Adjust the slave-to-master delay by value specified in nanoseconds */ ) ), "primary" arg /* Configure primary interface name for the ae bundle */, "secondary" arg /* Configure secondary interface name for the ae bundle */ ) ) ) ) ) ), "clock-synchronization" ( /* Configuring parameters common to SyncE and PTP */ c( "traceoptions" ( /* Configure trace information for PTP and synce */ clksync_traceoptions /* Configure trace information for PTP and synce */ ) ) ), "dot1x" ( /* 802.1X options */ juniper_protocols_dot1x /* 802.1X options */ ), "dlsw" ( /* DLSw options */ juniper_protocols_dlsw /* DLSw options */ ), "ppp-service" ( /* Configure PPP service */ c( "traceoptions" ( /* Trace options for PPP service */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("accounting-statistics" | "authentication" | "chap" | "events" | "gres" | "init" | "interface-db" | "lcp" | "memory" | "ncp" | "packet-error" | "pap" | "parse" | "profile" | "receive-packets" | "routing-process" | "rtp" | "rtsock" | "session-db" | "smi-services-sentry" | "states" | "transmit-packets" | "tunnel" | "all")) /* Area of PPP service to enable debugging output */.as(:oneline), "filter" ( /* Trace filtering */ c( "aci" arg /* Regular expression to match ACI */, "ari" arg /* Regular expression to match ARI */, "service-name" arg /* Service name */, "underlying-interface" ( /* Underlying interface name */ ("$junos-underlying-interface" | arg) ), "user" /* Filter by user name */ ) ) ) ), "on-demand-ip-address" /* Enable On-Demand IPv4 address allocation and de-allocation */, "reject-unauthorized-ipv6cp" /* Reject IPv6 NCP if no appropriate IPv6 address or prefix is authorized */, "pppoe-lcp-options-strict" /* Enforce RFC 2516 MUST requirements for FCS, ACFC and ACCM */ ) ), "l2-learning" ( /* Layer 2 forwarding configuration */ juniper_protocols_bridge /* Layer 2 forwarding configuration */ ), "dcbx", "lldp" ( /* Link Layer Detection Protocol */ c( ("disable"), "traceoptions" ( /* Trace options for LLDP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("all" | "configuration" | "rtsock" | "packet" | "protocol" | "interface" | "vlan" | "snmp" | "jvision")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "management-address" ( /* LLDP management address */ ipaddr /* LLDP management address */ ), "advertisement-interval" arg /* Transmit interval for LLDP messages */, "transmit-delay" arg /* Transmit delay time interval for LLDP messages */, "hold-multiplier" arg /* Hold timer interval for LLDP messages */, "ptopo-configuration-trap-interval" arg /* Interval for physical topology configuration change trap */, "ptopo-configuration-maximum-hold-time" arg /* Hold time for physical topology connection entries */, "lldp-configuration-notification-interval" arg /* Time interval for LLDP notification */, "port-id-subtype" ( /* Sub-type to be used for Port ID TLV generation */ ("locally-assigned" | "interface-name") ), "port-description-type" ( /* The Interfaces Group MIB object to be used for Port Description TLV generation */ ("interface-alias" | "interface-description") ), "neighbour-port-info-display" ( /* Show lldp neighbors to display port-id or port-description */ ("port-id" | "port-description") ), "mau-type" /* Populate mau-type in lldp PDU */, "vlan-name-tlv-option" ( /* Vlan tlv options to transmit vlan name or vlan-id */ ("vlan-id" | "name") ), "tlv-select" ( /* Select TLVs to be sent */ enum(("port-description" | "system-name" | "system-description" | "system-capabilities" | "management-address" | "mac-phy-config-status" | "power-vi-mdi" | "link-aggregation" | "maximum-frame-size" | "jnpr-chassis-serial" | "jnpr-vcp" | "jnpr-mode-change" | "jnpr-mode-change-error" | "jnpr-mode-change-ip-address" | "jnpr-mode-change-image-name" | "jnpr-mode-change-ftp-login" | "jnpr-mode-change-image-md5" | "jnpr-mode-change-ftp-server" | "port-vid" | "port-protocol-vid" | "vlan-name" | "protocol-id" | "evb")) ), "tlv-filter" ( /* Filter TLVs to be sent */ enum(("all" | "port-description" | "system-name" | "system-description" | "system-capabilities" | "management-address" | "mac-phy-config-status" | "power-vi-mdi" | "link-aggregation" | "maximum-frame-size" | "jnpr-chassis-serial" | "jnpr-vcp" | "jnpr-mode-change" | "jnpr-mode-change-error" | "jnpr-mode-change-ip-address" | "jnpr-mode-change-image-name" | "jnpr-mode-change-ftp-login" | "jnpr-mode-change-image-md5" | "jnpr-mode-change-ftp-server" | "port-vid" | "port-protocol-vid" | "vlan-name" | "protocol-id" | "evb")) ), "interface" (arg | "all") ( /* Interface configuration */ c( ("disable"), "power-negotiation" /* LLDP power negotiation */, "tlv-select" ( /* Select TLV(s) to be sent */ enum(("port-description" | "system-name" | "system-description" | "system-capabilities" | "management-address" | "mac-phy-config-status" | "power-vi-mdi" | "link-aggregation" | "maximum-frame-size" | "jnpr-chassis-serial" | "jnpr-vcp" | "jnpr-mode-change" | "jnpr-mode-change-error" | "jnpr-mode-change-ip-address" | "jnpr-mode-change-image-name" | "jnpr-mode-change-ftp-login" | "jnpr-mode-change-image-md5" | "jnpr-mode-change-ftp-server" | "port-vid" | "port-protocol-vid" | "vlan-name" | "protocol-id" | "evb")) ), "tlv-filter" ( /* Filter TLV(s) to be sent */ enum(("all" | "port-description" | "system-name" | "system-description" | "system-capabilities" | "management-address" | "mac-phy-config-status" | "power-vi-mdi" | "link-aggregation" | "maximum-frame-size" | "jnpr-chassis-serial" | "jnpr-vcp" | "jnpr-mode-change" | "jnpr-mode-change-error" | "jnpr-mode-change-ip-address" | "jnpr-mode-change-image-name" | "jnpr-mode-change-ftp-login" | "jnpr-mode-change-image-md5" | "jnpr-mode-change-ftp-server" | "port-vid" | "port-protocol-vid" | "vlan-name" | "protocol-id" | "evb")) ) ) ) ) ), "lldp-med" ( /* LLDP Media Endpoint Discovery */ c( "fast-start" arg /* Discovery count for MED */, "interface" (arg | "all") ( /* Interface configuration */ c( ("disable"), "location" ( c( c( "civic-based" ( /* Postal address */ civic_address_elements /* Postal address */ ), "elin" arg /* Emergency line identification (ELIN) string */, "co-ordinate" ( /* Address based on longitude and latitude coordinates */ co_ordinate_elements /* Address based on longitude and latitude coordinates */ ) ) ) ), "tlv-select" ( /* Select TLV(s) to be sent */ enum(("med-capabilities" | "network-policy" | "location-id" | "ext-power-via-mdi")) ), "tlv-filter" ( /* Filter TLV(s) to be sent */ enum(("all" | "med-capabilities" | "network-policy" | "location-id" | "ext-power-via-mdi")) ) ) ), "tlv-select" ( /* Select MED TLVs to be sent */ enum(("med-capabilities" | "network-policy" | "location-id" | "ext-power-via-mdi")) ), "tlv-filter" ( /* Filter MED TLVs to be sent */ enum(("all" | "med-capabilities" | "network-policy" | "location-id" | "ext-power-via-mdi")) ) ) ), "igmp-snooping" ( /* IGMP snooping configuration */ juniper_default_ri_protocols_igmp_snooping /* IGMP snooping configuration */ ), "mld-snooping" ( /* MLD snooping configuration */ juniper_default_ri_protocols_mld_snooping /* MLD snooping configuration */ ), "pcep" ( /* Path computation client configuration */ c( "message-rate-limit" arg /* Messages per minute rate that path computation client will handle at maximum. 0 - disabled */, "update-rate-limit" arg /* Updates per minute rate that path computation client will handle at maximum. 0 - disabled */, "max-provisioned-lsps" arg /* Defines max count of externally provisioned LSPs over all conected PCEs (default: 16000) */, "pce-group" arg ( /* PCE group definition */ c( "pce-type" ( /* Type of the PCE (e.g. stateful or stateless) */ sc( "active" /* The PCE can modify delegated LSPs */, c( "stateful" /* The PCE is stateful */ ) ) ).as(:oneline), "lsp-provisioning" /* The PCE is capable of provisioning LSPs */, "p2mp-lsp-report-capability" /* The PCE is capable of reporting P2MP LSPs */, "p2mp-lsp-update-capability" /* The PCE is capable of update P2MP LSPs */, "p2mp-lsp-init-capability" /* The PCE is capable of provisioning P2MP LSPs */, "lsp-cleanup-timer" arg /* LSP cleanup time (default: 60) */, "spring-capability" /* PCE is capable of supporting SPRING based provisioning */, "max-sid-depth" arg /* Max SID Depth (default: 5) */, "lsp-retry-delegation" /* Retry LSP delegation process is enabled */, "lsp-retry-delegation-timer" arg /* LSP retry delegation timer in case delegation failure or re-delegate (default: 3600) */, "request-timer" arg /* The amount of time path computation client waits for a reply before resending its requests */, "max-unknown-requests" arg /* Max unknown requests per minute after which the connection will be closed. 0 - disabled */, "max-unknown-messages" arg /* Max unknown messages per minute after which the connection will be closed. 0 - disabled */, "traceoptions" ( /* Path Computation Element Protocol trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("pcep" | "all")) /* Area of Path Computation Client Daemon to enable debugging output */.as(:oneline) ) ), "delegation-cleanup-timeout" arg /* Return control of LSPs or Re-delegation time after PCEP session disconnect (default: 30) */ ) ), "pce" arg ( /* Per PCE configuration */ c( "local-address" ( /* Address of local end of PCEP session */ ipv4addr /* Address of local end of PCEP session */ ), "destination-ipv4-address" ( /* IPV4 Address of PCE */ ipv4addr /* IPV4 Address of PCE */ ), "destination-port" arg /* Destination TCP port PCE is listening on */, "delegation-priority" arg /* This PCE's priority among configured stateful PCEs in one pce-group */, "request-priority" arg /* This PCE's priority among configured stateless PCEs in one pce-group */, "pce-group" arg /* Assign this PCE to defined pce group. PCE will inherit default values from the pce-group */, "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5") ), "authentication-key-chain" arg /* Key chain name */, "pce-type" ( /* Type of the PCE (e.g. stateful or stateless) */ sc( "active" /* The PCE can modify delegated LSPs */, c( "stateful" /* The PCE is stateful */ ) ) ).as(:oneline), "lsp-provisioning" /* The PCE is capable of provisioning LSPs */, "p2mp-lsp-report-capability" /* The PCE is capable of reporting P2MP LSPs */, "p2mp-lsp-update-capability" /* The PCE is capable of update P2MP LSPs */, "p2mp-lsp-init-capability" /* The PCE is capable of provisioning P2MP LSPs */, "lsp-cleanup-timer" arg /* LSP cleanup time (default: 60) */, "spring-capability" /* PCE is capable of supporting SPRING based provisioning */, "max-sid-depth" arg /* Max SID Depth (default: 5) */, "lsp-retry-delegation" /* Retry LSP delegation process is enabled */, "lsp-retry-delegation-timer" arg /* LSP retry delegation timer in case delegation failure or re-delegate (default: 3600) */, "request-timer" arg /* The amount of time path computation client waits for a reply before resending its requests */, "max-unknown-requests" arg /* Max unknown requests per minute after which the connection will be closed. 0 - disabled */, "max-unknown-messages" arg /* Max unknown messages per minute after which the connection will be closed. 0 - disabled */, "traceoptions" ( /* Path Computation Element Protocol trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("pcep" | "all")) /* Area of Path Computation Client Daemon to enable debugging output */.as(:oneline) ) ), "delegation-cleanup-timeout" arg /* Return control of LSPs or Re-delegation time after PCEP session disconnect (default: 30) */ ) ), "traceoptions" ( /* Path Computation Client Daemon trace options */ pccd_traceoptions_type /* Path Computation Client Daemon trace options */ ) ) ), "ppp" ( /* Configure PPP process */ c( "traceoptions" ( /* PPP trace options */ ppp_traceoptions_type /* PPP trace options */ ), "monitor-session" ( /* Monitor packet exchange for PPP session */ s( ("all" | arg) ) ) ) ), "pppoe" ( /* Configure PPPoE process */ c( "traceoptions" ( /* PPPoE trace options */ pppoe_traceoptions_type /* PPPoE trace options */ ), "pado-advertise" /* Enable PADO advertising of PPPoE Service-Names */, "service-name-tables" /* PPPoE Service Name Tables */ ) ), "r2cp" ( /* Radio-to-Router Control Protocol configuration */ c( ("disable"), "traceoptions" ( /* R2CP trace options */ r2cp_traceoptions_type /* R2CP trace options */ ), "server-port" arg /* R2CP server port number */, "client-port" ( /* R2CP client port number */ sc( c( arg, c( "any" /* Accept R2CP messages sent on any port */ ) ) ) ).as(:oneline), "node-terminate-count" arg /* Node Term retransmit count */, "node-terminate-interval" arg /* Node Terminate interval */, "session-terminate-count" arg /* Session Term retransmit count */, "session-terminate-interval" arg /* Session Term interval */, "radio" arg ( c( "interface" ( /* Interface listening for R2CP messages */ interface_unit /* Interface listening for R2CP messages */ ), "down-count" arg /* Number of missed keepalives before radio is assumed 'down' */, "virtual-channel-group" arg /* Virtual channel group name */, "radio-interface" arg ) ) ) ), "layer2-control" ( /* Global options for layer 2 protocols */ juniper_protocols_l2control /* Global options for layer 2 protocols */ ), "rstp" ( /* Rapid Spanning Tree Protocol options */ juniper_protocols_stp /* Rapid Spanning Tree Protocol options */ ), "mstp" ( /* Multiple Spanning Tree Protocol options */ juniper_protocols_mstp /* Multiple Spanning Tree Protocol options */ ), "vstp" ( /* VLAN Spanning Tree Protocol options */ juniper_protocols_vstp /* VLAN Spanning Tree Protocol options */ ), "loop-detect" ( /* Layer2 Loop Detect on interface with non-IP L2 Multicast mac as destination mac */ c( "interface" (arg | "all-extended-ports") ( /* Interface name to block Loop Detect PDUs on */ c( "disable" /* Disable loop detect feature on a port */ ) ), "destination-mac" ( /* Destination non-IP L2 multicast mac to be used for transmitting Loop Detect PDUs */ mac_multicast /* Destination non-IP L2 multicast mac to be used for transmitting Loop Detect PDUs */ ), "transmit-interval" arg /* Loop Detect PDU TX interval in sec --default 30s */ ) ), "protection-group" ( /* Protection group */ juniper_protocols_protection_group /* Protection group */ ), "mvrp" ( /* MVRP configuration */ juniper_protocols_mvrp /* MVRP configuration */ ) ) end rule(:bandwidth_type) do c( arg /* Bandwidth to reserve */, "ct0" arg /* Bandwidth from traffic class 0 */, "ct1" arg /* Bandwidth from traffic class 1 */, "ct2" arg /* Bandwidth from traffic class 2 */, "ct3" arg /* Bandwidth from traffic class 3 */ ) end rule(:civic_address_elements) do c( "what" arg /* Type of address */, "country-code" arg /* Two-letter country code */, "ca-type" arg ( c( "ca-value" arg /* Address element value */ ) ) ) end rule(:clksync_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("init" | "routing-socket" | "synchronization" | "ptp" | "protocol" | "configuration" | "debug" | "ppm" | "error" | "hybrid" | "framer" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:co_ordinate_elements) do c( "longitude" arg /* Longitude vlaue */, "lattitude" arg /* Lattitude vlaue */ ) end rule(:juniper_default_ri_protocols_igmp_snooping) do c( "vlan" ("all" | arg) ( /* VLAN options */ c( "traceoptions" ( /* Trace options for IGMP Snooping */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "group" | "client-notification" | "route" | "normal" | "general" | "state" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "l2-querier" ( /* Enable L2 querier mode */ c( "source-address" ( /* Source IP address to use for L2 querier */ ipv4addr /* Source IP address to use for L2 querier */ ) ) ), "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ) ) ), "data-forwarding" /* MVR Data forwarding options */, "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interface */, "host-only-interface" /* Enable interface to be treated as host-side interface */, "group-limit" arg /* Maximum number of groups an interface can join */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "l2-querier" ( /* Enable L2 querier mode */ c( "source-address" ( /* Source IP address to use for L2 querier */ ipv4addr /* Source IP address to use for L2 querier */ ) ) ), "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interface */, "host-only-interface" /* Enable interface to be treated as host-side interface */, "group-limit" arg /* Maximum number of groups an interface can join */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ) ) ) ) ), "traceoptions" /* Trace options for IGMP Snooping */, "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" /* Enable proxy mode */, "interface" /* Interface options for IGMP */ ) end rule(:juniper_default_ri_protocols_mld_snooping) do c( "vlan" ("all" | arg) ( /* VLAN options */ c( "traceoptions" ( /* Trace options for MLD Snooping */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of groups an interface can join */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of groups an interface can join */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ) ) ) ) ), "traceoptions" /* Trace options for MLD Snooping */, "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" /* Enable proxy mode */, "interface" /* Interface options for MLD */ ) end rule(:juniper_ospf_authentication) do c( c( "simple-password" ( /* Authentication key */ unreadable /* Authentication key */ ), "md5" arg ( /* MD5 authentication key */ sc( "key" ( /* MD5 authentication key value */ unreadable /* MD5 authentication key value */ ), "start-time" ( /* Start time for key transmission (YYYY-MM-DD.HH:MM) */ time /* Start time for key transmission (YYYY-MM-DD.HH:MM) */ ) ) ).as(:oneline) ) ) end rule(:juniper_protocols_amt) do c( "traceoptions" ( /* Trace options for AMT */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "errors" | "tunnels" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "relay" ( /* AMT relay */ juniper_protocols_amt_relay /* AMT relay */ ) ) end rule(:juniper_protocols_amt_relay) do c( "family" ( /* Protocol family */ c( "inet" ( c( "anycast-prefix" ( /* IPv4 anycast prefix */ ipv4prefix /* IPv4 anycast prefix */ ), "local-address" ( /* IPv4 local address */ ipv4addr /* IPv4 local address */ ) ) ) ) ), "secret-key-timeout" arg /* Time interval for the secret key to expire */, "tunnel-limit" arg /* Number of AMT tunnels */, "unicast-stream-limit" arg /* Maximum number of AMT unicast streams(s,g,intf) */, "accounting" /* Enable AMT accounting */, "tunnel-devices" ( /* Tunnel devices to be used for creating ud interfaces */ interface_device /* Tunnel devices to be used for creating ud interfaces */ ) ) end rule(:juniper_protocols_bd) do c( "mac-table-size" ( /* Size of MAC address forwarding table */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop") ) ) ), "mac-ip-table-size" ( /* Size of MAC+IP bindings table */ c( arg ) ), "interface-mac-limit" ( /* Maximum MAC address learned per interface */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "interface-mac-ip-limit" ( /* Maximum MAC+IP bindings learned per interface */ c( arg ) ), "mac-notification" ( /* MAC notification options */ c( "notification-interval" arg /* Interval for sending MAC notifications */ ) ), "mac-table-aging-time" arg /* Delay for discarding MAC address if no updates are received */, "no-mac-learning" /* Disable dynamic MAC address learning */, "no-normalization" /* Disable vlan id normalization for interfaces */, "mac-statistics" /* Enable MAC address statistics */, "mib" ( /* Snmp mib options */ c( "dot1q-mib" ( /* Dot1q MIB configuration options */ c( "port-list" ( /* Port list for staticegressports and staticuntaggedports MIB */ ("bit-map" | "string") ) ) ) ) ), "static-rvtep-mac" ( /* Configure Static MAC and remote VxLAN tunnel endpoint entries */ c( "mac" ( /* Unicast MAC address */ s( arg, "remote-vtep" arg /* Configure static remote VXLAN tunnel endpoints */ ) ).as(:oneline) ) ), "interface" arg ( /* Interface that connect this site to the VPN */ c( "interface-mac-limit" ( /* Maximum number of MAC addresses learned on the interface */ c( arg, "disable" /* Disable interface for interface-mac-limit */, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "vpws-service-id" ( /* Service-id for EVPN VPWS routing instance */ c( "local" arg /* Local EVPN VPWS service id */, "remote" arg /* Remote EVPN VPWS service id */ ) ), "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "action-priority" arg /* Blocking priority of this interface on mac move detection */, "remote-site-id" arg /* Site identifier associated with this interface */, "target-attachment-identifier" arg /* FEC 129 VPWS target attachment identifier */, "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-receive" /* Advertise capability to push Flow Label in receive direction to remote PE */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "mtu" arg /* MTU to be advertised to the remote end */, "ignore-mtu-mismatch" /* Allow different MTU values on local and remote end */, c( "control-word" /* Adds control-word to the Layer 2 encapsulation */, "no-control-word" /* Disables control-word to the Layer 2 encapsulation */ ), "pseudowire-status-tlv" /* Send pseudowire status TLV */, "oam" /* OAM Configuration for VPN */, "community" arg /* Community associated with this interface */, "static-mac" arg ( /* Static MAC addresses assigned to this interface */ c( "vlan-id" arg /* VLAN ID of learning VLAN */ ) ), "interface-mac-ip-limit" ( /* Maximum number of MAC+IP bindings learned on the interface */ c( arg ) ), "no-mac-learning" /* Disable dynamic MAC address learning */, "mac-pinning" /* Enable MAC pinning */, "description" arg /* Text description */, "persistent-learning" /* Enable persistent MAC learning on this interface */ ) ), "traceoptions" ( /* Trace options for this bridge domain */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "routing-socket" | "interface-device" | "interface-logical" | "interface-family" | "learning-domain" | "ipc" | "mac-learning" | "initialization" | "flood-next-hop" | "storm-control" | "unknown-unicast-forwarding" | "all")) /* Type of operation or event to include in trace */.as(:oneline) ) ) ) end rule(:juniper_protocols_bgp) do c( ("disable"), "precision-timers" /* Use precision timers for scheduling keepalives */, "no-precision-timers" /* Don't use precision timers for scheduling keepalives */, "path-selection" ( /* Configure path selection strategy */ c( "cisco-non-deterministic" /* Use Cisco IOS nondeterministic path selection algorithm */, "always-compare-med" /* Always compare MED values, regardless of neighbor AS */, "med-plus-igp" ( /* Add IGP cost to next-hop to MED before comparing MED values */ c( "med-multiplier" arg /* Multiplier for MED */, "igp-multiplier" arg /* Multiplier for IGP cost to next-hop */ ) ), "external-router-id" /* Compare router ID on BGP externals */, "as-path-ignore" /* Ignore AS path comparison during path selection */, "l2vpn-use-bgp-rules" /* Use standard BGP rules during L2VPN path selection */ ) ), "snmp-options" ( /* Customize SNMP behaviors specifically for BGP MIBs */ c( "backward-traps-only-from-established" /* Limit traps for backward transitions to only those moving from Established state. */, "emit-inet-address-length-in-oid" /* Emit Length in OID for InetAddress MIB type. */ ) ), "advertise-from-main-vpn-tables" /* Advertise VPN routes from bgp.Xvpn.0 tables in master instance */, "stale-labels-holddown-period" arg /* Duration (sec) MPLS labels allocated by BGP are kept after they go stale */, "holddown-all-stale-labels" /* Hold all BGP stale-labels, facilating make-before-break for new label advertisements */, "egress-te-backup-paths" ( /* Backup-path for Egress-TE peer interface failure */ c( "template" arg ( /* Backup-path template */ c( "peer" arg /* Egress peer TE backup exit path */, "remote-nexthop" ( /* Resolve and use tunnel to this next-hop as backup path */ c( ipaddr /* Address of remote-nexthop to use as backup path */ ) ), "ip-forward" ( /* Use IP-forward backup path for Egress TE */ c( arg /* Routing-instance to use as IP forward backup-path */ ) ) ) ) ) ), "sr-preference-override" arg /* Replace received segment routing traffic engineering preference value with override value */, "traceoptions" ( /* Trace options for BGP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("damping" | "packets" | "open" | "update" | "keepalive" | "refresh" | "nsr-synchronization" | "bfd" | "4byte-as" | "add-path" | "graceful-restart" | "egress-te" | "thread-io" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */, "filter" ( /* Filter to apply to this flag */ bgp_filter_obj /* Filter to apply to this flag */ ) ) ).as(:oneline) ) ), "description" arg /* Text description */, "metric-out" ( /* Route metric sent in MED */ sc( c( arg, "minimum-igp" ( /* Track the minimum IGP metric */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "igp" ( /* Track the IGP metric */ sc( arg /* Metric offset for MED */, "delay-med-update" /* Delay updating MED when IGP metric increases */ ) ).as(:oneline) ) ) ).as(:oneline), "multihop" ( /* Configure an EBGP multihop session */ c( "ttl" arg /* TTL value for the session */, "no-nexthop-change" /* Do not change next hop to self in advertisements */ ) ), "route-server-client" /* Enable route server client behavior */, "accept-remote-nexthop" /* Allow import policy to specify a non-directly connected next-hop */, "preference" arg /* Preference value */, "local-preference" arg /* Value of LOCAL_PREF path attribute */, "local-address" ( /* Address of local end of BGP session */ ipaddr /* Address of local end of BGP session */ ), "local-interface" ( /* Local interface for IPv6 link local EBGP peering */ interface_name /* Local interface for IPv6 link local EBGP peering */ ), "forwarding-context" arg /* Routing-instance used for data-forwarding and transport-session */, "hold-time" arg /* Hold time used when negotiating with a peer */, "passive" /* Do not send open messages to a peer */, "advertise-inactive" /* Advertise inactive routes */, "advertise-peer-as" /* Advertise routes received from the same autonomous system */, "no-advertise-peer-as" /* Don't advertise routes received from the same autonomous system */, "advertise-external" ( /* Advertise best external routes */ sc( "conditional" /* Route matches active route upto med-comparison rule */ ) ).as(:oneline), "keep" ( /* How to retain routes in the routing table */ ("all" | "none") ), "rfc6514-compliant-safi129" /* Compliant with RFC6514 SAFI129 format */, "no-aggregator-id" /* Set router ID in aggregator path attribute to 0 */, "mtu-discovery" /* Enable TCP path MTU discovery */, "enforce-first-as" /* Enforce first AS in AS-path is the neighbor's AS */, "out-delay" arg /* How long before exporting routes from routing table */, "ttl" ( /* TTL value for the single-hop peer */ ("1" | "255") ), "log-updown" /* Log a message for peer state transitions */, "damping" /* Enable route flap damping */, "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "nlri" ( /* NLRI type to include in updates */ ("unicast" | "multicast" | "any") ), "bgp-error-tolerance" ( /* Handle BGP malformed updates softly */ c( "malformed-update-log-interval" arg /* Time used when logging malformed update */, c( "malformed-route-limit" arg /* Maximum number of malformed routes from a peer */, "no-malformed-route-limit" /* No malformed route limit */ ) ) ), "family" ( /* Protocol family for NLRIs in updates */ c( "inet" ( /* IPv4 NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_topo /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_default /* Include multicast NLRI */ ), "flow" ( /* Include flow NLRI */ bgp_afi_flow /* Include flow NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_default /* Include unicast or multicast NLRI */ ), "labeled-unicast" ( /* Include labeled unicast NLRI */ bgp_afi_labeled /* Include labeled unicast NLRI */ ), "segment-routing-te" ( /* Include segment-routing TE policy */ bgp_afi_srte /* Include segment-routing TE policy */ ) ) ), "inet-vpn" ( /* IPv4 Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_vpn /* Include multicast NLRI */ ), "flow" ( /* Include flow VPN NLRI */ bgp_afi_flow /* Include flow VPN NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_vpn /* Include unicast or multicast NLRI */ ) ) ), "inet6" ( /* IPv6 NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_topo /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_default /* Include multicast NLRI */ ), "flow" ( /* Include flow NLRI */ bgp_afi_flow /* Include flow NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_default /* Include unicast or multicast NLRI */ ), "labeled-unicast" ( /* Include labeled unicast NLRI */ bgp_afi_inet6_labeled /* Include labeled unicast NLRI */ ), "segment-routing-te" ( /* Include segment-routing TE policy */ bgp_afi_srte /* Include segment-routing TE policy */ ) ) ), "inet6-vpn" ( /* IPv6 Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_vpn /* Include multicast NLRI */ ), "flow" ( /* Include flow VPN NLRI */ bgp_afi_flow /* Include flow VPN NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_vpn /* Include unicast or multicast NLRI */ ) ) ), "iso-vpn" ( /* ISO Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ) ) ), "l2vpn" ( /* MPLS-based Layer 2 VPN and VPLS NLRI parameters */ c( "auto-discovery-only" ( /* Include auto-discovery NLRI for LDP Layer 2 VPN and VPLS */ bgp_afi_default /* Include auto-discovery NLRI for LDP Layer 2 VPN and VPLS */ ), "auto-discovery-mspw" ( /* Include auto-discovery NLRI for LDP Signalled MultiSegment PW */ bgp_afi_default /* Include auto-discovery NLRI for LDP Signalled MultiSegment PW */ ), "signaling" ( /* Include Layer 2 VPN and VPLS signaling NLRI */ bgp_afi_l2vpn /* Include Layer 2 VPN and VPLS signaling NLRI */ ) ) ), "evpn" ( /* EVPN NLRI parameters */ c( "signaling" ( /* Include EVPN signaling NLRI */ bgp_afi_default /* Include EVPN signaling NLRI */ ) ) ), "inet-mvpn" ( /* IPv4 MVPN NLRI parameters */ c( "signaling" ( /* Include IPv4 multicast VPN signaling NLRI */ bgp_afi_default /* Include IPv4 multicast VPN signaling NLRI */ ) ) ), "inet6-mvpn" ( /* IPv6 MVPN NLRI parameters */ c( "signaling" ( /* Include IPv6 multicast VPN signaling NLRI */ bgp_afi_default /* Include IPv6 multicast VPN signaling NLRI */ ) ) ), "inet-mdt" ( /* IPv4 Multicast Distribution Tree (MDT) NLRI parameters */ c( "signaling" ( /* Include IPv4 multicast VPN auto-discovery NLRI */ bgp_afi_default /* Include IPv4 multicast VPN auto-discovery NLRI */ ) ) ), "traffic-engineering" ( /* Traffic Engineering (BGP-TE) NLRI parameters */ c( "unicast" ( /* Include BGP-TE NLRI */ bgp_afi_default /* Include BGP-TE NLRI */ ) ) ), "route-target" ( /* Route target NLRI used for VPN route filtering */ c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "proxy-generate" ( /* Generate route target NLRI for peers that don't support it */ c( "route-target-policy" ( /* Limit VPN routes that are used to generate proxy route-target filters */ policy_algebra /* Limit VPN routes that are used to generate proxy route-target filters */ ) ) ), "external-paths" arg /* Number of external paths accepted for route filtering */, "advertise-default" /* Advertise default and suppress more specific routes */, "damping" /* Enable route flap damping */, "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ) ) ), "bridge-vpn" /* Bridge VPN NLRI parameters */, "fabric-vpn" /* Fabric VPN NLRI parameters */ ) ), "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5" | "hmac-sha-1-96" | "aes-128-cmac-96") ), "authentication-key-chain" arg /* Key chain name */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "vpn-apply-export" /* Apply BGP export policy when exporting VPN routes */, "egress-te" ( /* Use Egress Peering traffic engineering */ c( "backup-path" arg /* The 'egress-te-backup-paths template' to use for this peer */ ) ), "remove-private" ( /* Remove well-known private AS numbers */ c( "all" ( /* Remove all private AS numbers and do not stop at the first public AS number */ sc( "replace" ( /* Replace private AS numbers with the BGP Group's local AS number */ sc( "nearest" /* Use closest public AS number to replace a private AS number */ ) ).as(:oneline) ) ).as(:oneline), "no-peer-loop-check" /* Remove peer loop-check */ ) ), "cluster" ( /* Cluster identifier */ areaid /* Cluster identifier */ ), "no-client-reflect" /* Disable intracluster route redistribution */, "peer-as" arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "local-as" ( /* Local autonomous system number */ sc( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "loops" arg /* Maximum number of times this AS can be in an AS path */, "private" /* Hide this local AS in paths learned from this peering */, "alias" /* Treat this AS as an alias to the system AS */, "no-prepend-global-as" /* Do not prepend global autonomous-system number in advertised paths */ ) ).as(:oneline), "ipsec-sa" arg /* IPSec SA name */, "unconfigured-peer-graceful-restart" /* BGP unconfigured peer graceful restart options */, "graceful-restart" ( /* BGP graceful restart options */ c( ("disable"), "restart-time" arg /* Restart time used when negotiating with a peer */, "stale-routes-time" arg /* Maximum time for which stale routes are kept */, "long-lived" ( /* Long-lived graceful restart options */ c( "receiver" ( /* Long-lived graceful restart receiver (helper) options */ c( ("disable") ) ), "advertise-to-non-llgr-neighbor" ( /* Advertise stale routes to non-LLGR neighbors */ c( "omit-no-export" /* Do not attach no-export community to stale routes */ ) ) ) ), "forwarding-state-bit" ( /* Control forwarding-state flag negotiation */ ("as-rr-client" | "from-fib") ), "dont-help-shared-fate-bfd-down" /* Honor BFD-Down(C=0) if GR-restart not in progress */ ) ), "include-mp-next-hop" /* Include NEXT-HOP attribute in multiprotocol updates */, "idle-after-switch-over" ( /* Stop peer session from coming up after nonstop-routing switch-over */ sc( c( "forever" /* Idle the peer until the user intervenes */, arg ) ) ).as(:oneline), "outbound-route-filter" ( /* Dynamically negotiated cooperative route filtering */ c( "bgp-orf-cisco-mode" /* Using BGP ORF capability code 130 and Prefix ORF type 128 */, "extended-community" ( /* Extended community filtering */ c( "accept" /* Honor remote requests for extended community ORF */, "no-accept" /* Don't honor remote requests for extended community ORF */, "vrf-filter" /* Request remote filtering using locally configured VRF import targets */ ) ), "prefix-based" ( /* Prefix-based outbound route filtering */ c( "accept" ( /* Honor Prefix-based ORFs from remote peers */ c( "inet" /* Honor IPv4 prefix filters */, "inet6" /* Honor IPv6 prefix filters */ ) ) ) ) ) ), "multipath" ( /* Allow load sharing among multiple BGP paths */ c( "disable" /* Disable Multipath */, "multiple-as" /* Use paths received from different ASs */ ) ), "tcp-mss" arg /* Maximum TCP segment size */, "tcp-aggressive-transmission" /* Enable aggressive transmission of pure TCP ACKs and retransmissions */, "bmp" ( /* Specific settings to override the routing-options settings */ c( "monitor" ( /* Enable/Disable monitoring */ ("enable" | "disable") ), "route-monitoring" ( /* Control route monitoring settings */ c( "none" /* Do not send route montoring messages */, "pre-policy" ( /* Send pre policy route montoring messages */ sc( "exclude-non-feasible" /* Exclude looped routes, etc */ ) ).as(:oneline), "post-policy" ( /* Send post policy route montoring messages */ sc( "exclude-non-eligible" /* Exclude unresolved routes, etc. */ ) ).as(:oneline) ) ) ) ), "advertise-bgp-static" ( /* Advertise bgp-static routes */ c( "policy" ( /* Static route advertisement policy */ policy_algebra /* Static route advertisement policy */ ) ) ), "add-path-display-ipv4-address" /* Display add-path path-id in IPv4 address format */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "session-mode" ( /* BFD single-hop or multihop session-mode */ ("automatic" | "single-hop" | "multihop") ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */ ) ), "egress-te-sid-stats" /* Create BGP-Peer-SID sensor */, "egress-te-set-segment" arg ( /* Configure BGP-Peer-Set segment */ c( "label" ( /* BGP-Peer-Set SID label from static label pool */ c( arg ) ), "egress-te-backup-segment" ( /* Backup segment for FRR */ c( "label" ( /* Backup segment label from static label pool */ c( arg ) ) ) ) ) ), "output-queue-priority" ( /* BGP output queue priority scheduler for updates */ c( "expedited" ( /* Expedited queue; highest priority */ sc( "update-tokens" arg /* Number of tokens */ ) ).as(:oneline), "priority" arg ( /* Output queue priority 1..16; higher is better */ sc( "update-tokens" arg /* Number of tokens */ ) ).as(:oneline), "defaults" ( /* Map policy's priority class and BGP output-queue */ c( "low" ( /* Assign the 'low' priority class to this output-queue */ bgp_output_queue_priority_class /* Assign the 'low' priority class to this output-queue */ ), "medium" ( /* Assign the 'medium' priority class to this output-queue */ bgp_output_queue_priority_class /* Assign the 'medium' priority class to this output-queue */ ), "high" ( /* Assign the 'high' priority class to this output-queue */ bgp_output_queue_priority_class /* Assign the 'high' priority class to this output-queue */ ) ) ) ) ), "group" arg ( /* Define a peer group */ c( "type" ( /* Type of peer group */ ("internal" | "external") ), "protocol" ( /* IGP to use to resolve the next hop */ ("rip" | "ospf" | "isis") ), "traceoptions" ( /* Trace options for BGP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("damping" | "packets" | "open" | "update" | "keepalive" | "refresh" | "nsr-synchronization" | "bfd" | "4byte-as" | "add-path" | "graceful-restart" | "egress-te" | "thread-io" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */, "filter" ( /* Filter to apply to this flag */ bgp_filter_obj /* Filter to apply to this flag */ ) ) ).as(:oneline) ) ), "description" arg /* Text description */, "metric-out" ( /* Route metric sent in MED */ sc( c( arg, "minimum-igp" ( /* Track the minimum IGP metric */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "igp" ( /* Track the IGP metric */ sc( arg /* Metric offset for MED */, "delay-med-update" /* Delay updating MED when IGP metric increases */ ) ).as(:oneline) ) ) ).as(:oneline), "multihop" ( /* Configure an EBGP multihop session */ c( "ttl" arg /* TTL value for the session */, "no-nexthop-change" /* Do not change next hop to self in advertisements */ ) ), "route-server-client" /* Enable route server client behavior */, "accept-remote-nexthop" /* Allow import policy to specify a non-directly connected next-hop */, "preference" arg /* Preference value */, "local-preference" arg /* Value of LOCAL_PREF path attribute */, "local-address" ( /* Address of local end of BGP session */ ipaddr /* Address of local end of BGP session */ ), "local-interface" ( /* Local interface for IPv6 link local EBGP peering */ interface_name /* Local interface for IPv6 link local EBGP peering */ ), "forwarding-context" arg /* Routing-instance used for data-forwarding and transport-session */, "hold-time" arg /* Hold time used when negotiating with a peer */, "passive" /* Do not send open messages to a peer */, "advertise-inactive" /* Advertise inactive routes */, "advertise-peer-as" /* Advertise routes received from the same autonomous system */, "no-advertise-peer-as" /* Don't advertise routes received from the same autonomous system */, "advertise-external" ( /* Advertise best external routes */ sc( "conditional" /* Route matches active route upto med-comparison rule */ ) ).as(:oneline), "keep" ( /* How to retain routes in the routing table */ ("all" | "none") ), "rfc6514-compliant-safi129" /* Compliant with RFC6514 SAFI129 format */, "no-aggregator-id" /* Set router ID in aggregator path attribute to 0 */, "mtu-discovery" /* Enable TCP path MTU discovery */, "enforce-first-as" /* Enforce first AS in AS-path is the neighbor's AS */, "out-delay" arg /* How long before exporting routes from routing table */, "ttl" ( /* TTL value for the single-hop peer */ ("1" | "255") ), "log-updown" /* Log a message for peer state transitions */, "damping" /* Enable route flap damping */, "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "nlri" ( /* NLRI type to include in updates */ ("unicast" | "multicast" | "any") ), "bgp-error-tolerance" ( /* Handle BGP malformed updates softly */ c( "malformed-update-log-interval" arg /* Time used when logging malformed update */, c( "malformed-route-limit" arg /* Maximum number of malformed routes from a peer */, "no-malformed-route-limit" /* No malformed route limit */ ) ) ), "family" ( /* Protocol family for NLRIs in updates */ c( "inet" ( /* IPv4 NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_topo /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_default /* Include multicast NLRI */ ), "flow" ( /* Include flow NLRI */ bgp_afi_flow /* Include flow NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_default /* Include unicast or multicast NLRI */ ), "labeled-unicast" ( /* Include labeled unicast NLRI */ bgp_afi_labeled /* Include labeled unicast NLRI */ ), "segment-routing-te" ( /* Include segment-routing TE policy */ bgp_afi_srte /* Include segment-routing TE policy */ ) ) ), "inet-vpn" ( /* IPv4 Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_vpn /* Include multicast NLRI */ ), "flow" ( /* Include flow VPN NLRI */ bgp_afi_flow /* Include flow VPN NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_vpn /* Include unicast or multicast NLRI */ ) ) ), "inet6" ( /* IPv6 NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_topo /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_default /* Include multicast NLRI */ ), "flow" ( /* Include flow NLRI */ bgp_afi_flow /* Include flow NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_default /* Include unicast or multicast NLRI */ ), "labeled-unicast" ( /* Include labeled unicast NLRI */ bgp_afi_inet6_labeled /* Include labeled unicast NLRI */ ), "segment-routing-te" ( /* Include segment-routing TE policy */ bgp_afi_srte /* Include segment-routing TE policy */ ) ) ), "inet6-vpn" ( /* IPv6 Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_vpn /* Include multicast NLRI */ ), "flow" ( /* Include flow VPN NLRI */ bgp_afi_flow /* Include flow VPN NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_vpn /* Include unicast or multicast NLRI */ ) ) ), "iso-vpn" ( /* ISO Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ) ) ), "l2vpn" ( /* MPLS-based Layer 2 VPN and VPLS NLRI parameters */ c( "auto-discovery-only" ( /* Include auto-discovery NLRI for LDP Layer 2 VPN and VPLS */ bgp_afi_default /* Include auto-discovery NLRI for LDP Layer 2 VPN and VPLS */ ), "auto-discovery-mspw" ( /* Include auto-discovery NLRI for LDP Signalled MultiSegment PW */ bgp_afi_default /* Include auto-discovery NLRI for LDP Signalled MultiSegment PW */ ), "signaling" ( /* Include Layer 2 VPN and VPLS signaling NLRI */ bgp_afi_l2vpn /* Include Layer 2 VPN and VPLS signaling NLRI */ ) ) ), "evpn" ( /* EVPN NLRI parameters */ c( "signaling" ( /* Include EVPN signaling NLRI */ bgp_afi_default /* Include EVPN signaling NLRI */ ) ) ), "inet-mvpn" ( /* IPv4 MVPN NLRI parameters */ c( "signaling" ( /* Include IPv4 multicast VPN signaling NLRI */ bgp_afi_default /* Include IPv4 multicast VPN signaling NLRI */ ) ) ), "inet6-mvpn" ( /* IPv6 MVPN NLRI parameters */ c( "signaling" ( /* Include IPv6 multicast VPN signaling NLRI */ bgp_afi_default /* Include IPv6 multicast VPN signaling NLRI */ ) ) ), "inet-mdt" ( /* IPv4 Multicast Distribution Tree (MDT) NLRI parameters */ c( "signaling" ( /* Include IPv4 multicast VPN auto-discovery NLRI */ bgp_afi_default /* Include IPv4 multicast VPN auto-discovery NLRI */ ) ) ), "traffic-engineering" ( /* Traffic Engineering (BGP-TE) NLRI parameters */ c( "unicast" ( /* Include BGP-TE NLRI */ bgp_afi_default /* Include BGP-TE NLRI */ ) ) ), "route-target" ( /* Route target NLRI used for VPN route filtering */ c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "proxy-generate" ( /* Generate route target NLRI for peers that don't support it */ c( "route-target-policy" ( /* Limit VPN routes that are used to generate proxy route-target filters */ policy_algebra /* Limit VPN routes that are used to generate proxy route-target filters */ ) ) ), "external-paths" arg /* Number of external paths accepted for route filtering */, "advertise-default" /* Advertise default and suppress more specific routes */, "damping" /* Enable route flap damping */, "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ) ) ), "bridge-vpn" /* Bridge VPN NLRI parameters */, "fabric-vpn" /* Fabric VPN NLRI parameters */ ) ), "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5" | "hmac-sha-1-96" | "aes-128-cmac-96") ), "authentication-key-chain" arg /* Key chain name */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "vpn-apply-export" /* Apply BGP export policy when exporting VPN routes */, "egress-te" ( /* Use Egress Peering traffic engineering */ c( "backup-path" arg /* The 'egress-te-backup-paths template' to use for this peer */ ) ), "remove-private" ( /* Remove well-known private AS numbers */ c( "all" ( /* Remove all private AS numbers and do not stop at the first public AS number */ sc( "replace" ( /* Replace private AS numbers with the BGP Group's local AS number */ sc( "nearest" /* Use closest public AS number to replace a private AS number */ ) ).as(:oneline) ) ).as(:oneline), "no-peer-loop-check" /* Remove peer loop-check */ ) ), "cluster" ( /* Cluster identifier */ areaid /* Cluster identifier */ ), "no-client-reflect" /* Disable intracluster route redistribution */, "peer-as" arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "local-as" ( /* Local autonomous system number */ sc( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "loops" arg /* Maximum number of times this AS can be in an AS path */, "private" /* Hide this local AS in paths learned from this peering */, "alias" /* Treat this AS as an alias to the system AS */, "no-prepend-global-as" /* Do not prepend global autonomous-system number in advertised paths */ ) ).as(:oneline), "ipsec-sa" arg /* IPSec SA name */, "unconfigured-peer-graceful-restart" /* BGP unconfigured peer graceful restart options */, "graceful-restart" ( /* BGP graceful restart options */ c( ("disable"), "restart-time" arg /* Restart time used when negotiating with a peer */, "stale-routes-time" arg /* Maximum time for which stale routes are kept */, "long-lived" ( /* Long-lived graceful restart options */ c( "receiver" ( /* Long-lived graceful restart receiver (helper) options */ c( ("disable") ) ), "advertise-to-non-llgr-neighbor" ( /* Advertise stale routes to non-LLGR neighbors */ c( "omit-no-export" /* Do not attach no-export community to stale routes */ ) ) ) ), "forwarding-state-bit" ( /* Control forwarding-state flag negotiation */ ("as-rr-client" | "from-fib") ), "dont-help-shared-fate-bfd-down" /* Honor BFD-Down(C=0) if GR-restart not in progress */ ) ), "include-mp-next-hop" /* Include NEXT-HOP attribute in multiprotocol updates */, "idle-after-switch-over" ( /* Stop peer session from coming up after nonstop-routing switch-over */ sc( c( "forever" /* Idle the peer until the user intervenes */, arg ) ) ).as(:oneline), "outbound-route-filter" ( /* Dynamically negotiated cooperative route filtering */ c( "bgp-orf-cisco-mode" /* Using BGP ORF capability code 130 and Prefix ORF type 128 */, "extended-community" ( /* Extended community filtering */ c( "accept" /* Honor remote requests for extended community ORF */, "no-accept" /* Don't honor remote requests for extended community ORF */, "vrf-filter" /* Request remote filtering using locally configured VRF import targets */ ) ), "prefix-based" ( /* Prefix-based outbound route filtering */ c( "accept" ( /* Honor Prefix-based ORFs from remote peers */ c( "inet" /* Honor IPv4 prefix filters */, "inet6" /* Honor IPv6 prefix filters */ ) ) ) ) ) ), "multipath" ( /* Allow load sharing among multiple BGP paths */ c( "disable" /* Disable Multipath */, "multiple-as" /* Use paths received from different ASs */ ) ), "tcp-mss" arg /* Maximum TCP segment size */, "tcp-aggressive-transmission" /* Enable aggressive transmission of pure TCP ACKs and retransmissions */, "bmp" ( /* Specific settings to override the routing-options settings */ c( "monitor" ( /* Enable/Disable monitoring */ ("enable" | "disable") ), "route-monitoring" ( /* Control route monitoring settings */ c( "none" /* Do not send route montoring messages */, "pre-policy" ( /* Send pre policy route montoring messages */ sc( "exclude-non-feasible" /* Exclude looped routes, etc */ ) ).as(:oneline), "post-policy" ( /* Send post policy route montoring messages */ sc( "exclude-non-eligible" /* Exclude unresolved routes, etc. */ ) ).as(:oneline) ) ) ) ), "advertise-bgp-static" ( /* Advertise bgp-static routes */ c( "policy" ( /* Static route advertisement policy */ policy_algebra /* Static route advertisement policy */ ) ) ), "add-path-display-ipv4-address" /* Display add-path path-id in IPv4 address format */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "session-mode" ( /* BFD single-hop or multihop session-mode */ ("automatic" | "single-hop" | "multihop") ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */ ) ), "as-override" /* Replace neighbor AS number with our AS number */, "allow" ( /* Configure peer connections for specific networks */ ipprefix /* Configure peer connections for specific networks */ ), "optimal-route-reflection" ( /* Enable optimal route reflection for this client group */ c( "igp-primary" ( /* Primary node identifier for this client group */ ipv4addr /* Primary node identifier for this client group */ ), "igp-backup" ( /* Backup node identifier for this client group */ ipv4addr /* Backup node identifier for this client group */ ) ) ), "mvpn-iana-rt-import" /* Use IANA assigned rt-import type value for MVPN */, "neighbor" arg ( /* Configure a neighbor */ c( "egress-te-node-segment" ( /* Configure BGP-Peer-Node segment */ c( "label" ( /* BGP-Peer-Node SID label from static label pool */ c( arg ) ), "egress-te-set" ( /* Configure as a member of a SET segment */ c( arg /* Set name */, "weight" arg /* Weight for set segment */ ) ), "egress-te-backup-segment" ( /* Backup segment for FRR */ c( "label" ( /* Backup segment label from static label pool */ c( arg ) ) ) ) ) ), "egress-te-adj-segment" arg ( /* Configure BGP-Peer-Adj segment */ c( "label" ( /* BGP-Peer-Adj SID label from static label pool */ c( arg ) ), "next-hop" ( /* Address of directly connected next-hop to use */ c( ipaddr /* Address of directly connected next-hop */ ) ), "egress-te-set" ( /* Configure as a member of a SET segment */ c( arg /* Set name */, "weight" arg /* Weight for set segment */ ) ), "egress-te-backup-segment" ( /* Backup segment for FRR */ c( "label" ( /* Backup segment label from static label pool */ c( arg ) ) ) ) ) ), "traceoptions" ( /* Trace options for BGP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("damping" | "packets" | "open" | "update" | "keepalive" | "refresh" | "nsr-synchronization" | "bfd" | "4byte-as" | "add-path" | "graceful-restart" | "egress-te" | "thread-io" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */, "filter" ( /* Filter to apply to this flag */ bgp_filter_obj /* Filter to apply to this flag */ ) ) ).as(:oneline) ) ), "description" arg /* Text description */, "metric-out" ( /* Route metric sent in MED */ sc( c( arg, "minimum-igp" ( /* Track the minimum IGP metric */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "igp" ( /* Track the IGP metric */ sc( arg /* Metric offset for MED */, "delay-med-update" /* Delay updating MED when IGP metric increases */ ) ).as(:oneline) ) ) ).as(:oneline), "multihop" ( /* Configure an EBGP multihop session */ c( "ttl" arg /* TTL value for the session */, "no-nexthop-change" /* Do not change next hop to self in advertisements */ ) ), "route-server-client" /* Enable route server client behavior */, "accept-remote-nexthop" /* Allow import policy to specify a non-directly connected next-hop */, "preference" arg /* Preference value */, "local-preference" arg /* Value of LOCAL_PREF path attribute */, "local-address" ( /* Address of local end of BGP session */ ipaddr /* Address of local end of BGP session */ ), "local-interface" ( /* Local interface for IPv6 link local EBGP peering */ interface_name /* Local interface for IPv6 link local EBGP peering */ ), "forwarding-context" arg /* Routing-instance used for data-forwarding and transport-session */, "hold-time" arg /* Hold time used when negotiating with a peer */, "passive" /* Do not send open messages to a peer */, "advertise-inactive" /* Advertise inactive routes */, "advertise-peer-as" /* Advertise routes received from the same autonomous system */, "no-advertise-peer-as" /* Don't advertise routes received from the same autonomous system */, "advertise-external" ( /* Advertise best external routes */ sc( "conditional" /* Route matches active route upto med-comparison rule */ ) ).as(:oneline), "keep" ( /* How to retain routes in the routing table */ ("all" | "none") ), "rfc6514-compliant-safi129" /* Compliant with RFC6514 SAFI129 format */, "no-aggregator-id" /* Set router ID in aggregator path attribute to 0 */, "mtu-discovery" /* Enable TCP path MTU discovery */, "enforce-first-as" /* Enforce first AS in AS-path is the neighbor's AS */, "out-delay" arg /* How long before exporting routes from routing table */, "ttl" ( /* TTL value for the single-hop peer */ ("1" | "255") ), "log-updown" /* Log a message for peer state transitions */, "damping" /* Enable route flap damping */, "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "nlri" ( /* NLRI type to include in updates */ ("unicast" | "multicast" | "any") ), "bgp-error-tolerance" ( /* Handle BGP malformed updates softly */ c( "malformed-update-log-interval" arg /* Time used when logging malformed update */, c( "malformed-route-limit" arg /* Maximum number of malformed routes from a peer */, "no-malformed-route-limit" /* No malformed route limit */ ) ) ), "family" ( /* Protocol family for NLRIs in updates */ c( "inet" ( /* IPv4 NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_topo /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_default /* Include multicast NLRI */ ), "flow" ( /* Include flow NLRI */ bgp_afi_flow /* Include flow NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_default /* Include unicast or multicast NLRI */ ), "labeled-unicast" ( /* Include labeled unicast NLRI */ bgp_afi_labeled /* Include labeled unicast NLRI */ ), "segment-routing-te" ( /* Include segment-routing TE policy */ bgp_afi_srte /* Include segment-routing TE policy */ ) ) ), "inet-vpn" ( /* IPv4 Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_vpn /* Include multicast NLRI */ ), "flow" ( /* Include flow VPN NLRI */ bgp_afi_flow /* Include flow VPN NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_vpn /* Include unicast or multicast NLRI */ ) ) ), "inet6" ( /* IPv6 NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_topo /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_default /* Include multicast NLRI */ ), "flow" ( /* Include flow NLRI */ bgp_afi_flow /* Include flow NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_default /* Include unicast or multicast NLRI */ ), "labeled-unicast" ( /* Include labeled unicast NLRI */ bgp_afi_inet6_labeled /* Include labeled unicast NLRI */ ), "segment-routing-te" ( /* Include segment-routing TE policy */ bgp_afi_srte /* Include segment-routing TE policy */ ) ) ), "inet6-vpn" ( /* IPv6 Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ), "multicast" ( /* Include multicast NLRI */ bgp_afi_vpn /* Include multicast NLRI */ ), "flow" ( /* Include flow VPN NLRI */ bgp_afi_flow /* Include flow VPN NLRI */ ), "any" ( /* Include unicast or multicast NLRI */ bgp_afi_vpn /* Include unicast or multicast NLRI */ ) ) ), "iso-vpn" ( /* ISO Layer 3 VPN NLRI parameters */ c( "unicast" ( /* Include unicast NLRI */ bgp_afi_vpn_protection /* Include unicast NLRI */ ) ) ), "l2vpn" ( /* MPLS-based Layer 2 VPN and VPLS NLRI parameters */ c( "auto-discovery-only" ( /* Include auto-discovery NLRI for LDP Layer 2 VPN and VPLS */ bgp_afi_default /* Include auto-discovery NLRI for LDP Layer 2 VPN and VPLS */ ), "auto-discovery-mspw" ( /* Include auto-discovery NLRI for LDP Signalled MultiSegment PW */ bgp_afi_default /* Include auto-discovery NLRI for LDP Signalled MultiSegment PW */ ), "signaling" ( /* Include Layer 2 VPN and VPLS signaling NLRI */ bgp_afi_l2vpn /* Include Layer 2 VPN and VPLS signaling NLRI */ ) ) ), "evpn" ( /* EVPN NLRI parameters */ c( "signaling" ( /* Include EVPN signaling NLRI */ bgp_afi_default /* Include EVPN signaling NLRI */ ) ) ), "inet-mvpn" ( /* IPv4 MVPN NLRI parameters */ c( "signaling" ( /* Include IPv4 multicast VPN signaling NLRI */ bgp_afi_default /* Include IPv4 multicast VPN signaling NLRI */ ) ) ), "inet6-mvpn" ( /* IPv6 MVPN NLRI parameters */ c( "signaling" ( /* Include IPv6 multicast VPN signaling NLRI */ bgp_afi_default /* Include IPv6 multicast VPN signaling NLRI */ ) ) ), "inet-mdt" ( /* IPv4 Multicast Distribution Tree (MDT) NLRI parameters */ c( "signaling" ( /* Include IPv4 multicast VPN auto-discovery NLRI */ bgp_afi_default /* Include IPv4 multicast VPN auto-discovery NLRI */ ) ) ), "traffic-engineering" ( /* Traffic Engineering (BGP-TE) NLRI parameters */ c( "unicast" ( /* Include BGP-TE NLRI */ bgp_afi_default /* Include BGP-TE NLRI */ ) ) ), "route-target" ( /* Route target NLRI used for VPN route filtering */ c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "proxy-generate" ( /* Generate route target NLRI for peers that don't support it */ c( "route-target-policy" ( /* Limit VPN routes that are used to generate proxy route-target filters */ policy_algebra /* Limit VPN routes that are used to generate proxy route-target filters */ ) ) ), "external-paths" arg /* Number of external paths accepted for route filtering */, "advertise-default" /* Advertise default and suppress more specific routes */, "damping" /* Enable route flap damping */, "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ) ) ), "bridge-vpn" /* Bridge VPN NLRI parameters */, "fabric-vpn" /* Fabric VPN NLRI parameters */ ) ), "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5" | "hmac-sha-1-96" | "aes-128-cmac-96") ), "authentication-key-chain" arg /* Key chain name */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "vpn-apply-export" /* Apply BGP export policy when exporting VPN routes */, "egress-te" ( /* Use Egress Peering traffic engineering */ c( "backup-path" arg /* The 'egress-te-backup-paths template' to use for this peer */ ) ), "remove-private" ( /* Remove well-known private AS numbers */ c( "all" ( /* Remove all private AS numbers and do not stop at the first public AS number */ sc( "replace" ( /* Replace private AS numbers with the BGP Group's local AS number */ sc( "nearest" /* Use closest public AS number to replace a private AS number */ ) ).as(:oneline) ) ).as(:oneline), "no-peer-loop-check" /* Remove peer loop-check */ ) ), "cluster" ( /* Cluster identifier */ areaid /* Cluster identifier */ ), "no-client-reflect" /* Disable intracluster route redistribution */, "peer-as" arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "local-as" ( /* Local autonomous system number */ sc( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "loops" arg /* Maximum number of times this AS can be in an AS path */, "private" /* Hide this local AS in paths learned from this peering */, "alias" /* Treat this AS as an alias to the system AS */, "no-prepend-global-as" /* Do not prepend global autonomous-system number in advertised paths */ ) ).as(:oneline), "ipsec-sa" arg /* IPSec SA name */, "unconfigured-peer-graceful-restart" /* BGP unconfigured peer graceful restart options */, "graceful-restart" ( /* BGP graceful restart options */ c( ("disable"), "restart-time" arg /* Restart time used when negotiating with a peer */, "stale-routes-time" arg /* Maximum time for which stale routes are kept */, "long-lived" ( /* Long-lived graceful restart options */ c( "receiver" ( /* Long-lived graceful restart receiver (helper) options */ c( ("disable") ) ), "advertise-to-non-llgr-neighbor" ( /* Advertise stale routes to non-LLGR neighbors */ c( "omit-no-export" /* Do not attach no-export community to stale routes */ ) ) ) ), "forwarding-state-bit" ( /* Control forwarding-state flag negotiation */ ("as-rr-client" | "from-fib") ), "dont-help-shared-fate-bfd-down" /* Honor BFD-Down(C=0) if GR-restart not in progress */ ) ), "include-mp-next-hop" /* Include NEXT-HOP attribute in multiprotocol updates */, "idle-after-switch-over" ( /* Stop peer session from coming up after nonstop-routing switch-over */ sc( c( "forever" /* Idle the peer until the user intervenes */, arg ) ) ).as(:oneline), "outbound-route-filter" ( /* Dynamically negotiated cooperative route filtering */ c( "bgp-orf-cisco-mode" /* Using BGP ORF capability code 130 and Prefix ORF type 128 */, "extended-community" ( /* Extended community filtering */ c( "accept" /* Honor remote requests for extended community ORF */, "no-accept" /* Don't honor remote requests for extended community ORF */, "vrf-filter" /* Request remote filtering using locally configured VRF import targets */ ) ), "prefix-based" ( /* Prefix-based outbound route filtering */ c( "accept" ( /* Honor Prefix-based ORFs from remote peers */ c( "inet" /* Honor IPv4 prefix filters */, "inet6" /* Honor IPv6 prefix filters */ ) ) ) ) ) ), "multipath" ( /* Allow load sharing among multiple BGP paths */ c( "disable" /* Disable Multipath */, "multiple-as" /* Use paths received from different ASs */ ) ), "tcp-mss" arg /* Maximum TCP segment size */, "tcp-aggressive-transmission" /* Enable aggressive transmission of pure TCP ACKs and retransmissions */, "bmp" ( /* Specific settings to override the routing-options settings */ c( "monitor" ( /* Enable/Disable monitoring */ ("enable" | "disable") ), "route-monitoring" ( /* Control route monitoring settings */ c( "none" /* Do not send route montoring messages */, "pre-policy" ( /* Send pre policy route montoring messages */ sc( "exclude-non-feasible" /* Exclude looped routes, etc */ ) ).as(:oneline), "post-policy" ( /* Send post policy route montoring messages */ sc( "exclude-non-eligible" /* Exclude unresolved routes, etc. */ ) ).as(:oneline) ) ) ) ), "advertise-bgp-static" ( /* Advertise bgp-static routes */ c( "policy" ( /* Static route advertisement policy */ policy_algebra /* Static route advertisement policy */ ) ) ), "add-path-display-ipv4-address" /* Display add-path path-id in IPv4 address format */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "session-mode" ( /* BFD single-hop or multihop session-mode */ ("automatic" | "single-hop" | "multihop") ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */ ) ), "as-override" /* Replace neighbor AS number with our AS number */ ) ) ) ), "multipath-build-priority" ( /* Configure the multipath build priority */ c( c( "low" /* Do multipath build with low priority */, "medium" /* Do multipath build with medium priority */ ) ) ), "traffic-statistics-labeled-path" ( /* Collect periodic ingress labeled statistics for BGP label-switched paths */ c( "file" ( /* Statistics file options */ trace_file_type /* Statistics file options */ ), "interval" arg /* Time interval to collect statistics */ ) ) ) end rule(:bgp_af_gr) do c( "long-lived" ( /* Long-lived graceful restart options */ c( "restarter" ( /* Long-lived graceful restart restarter options */ c( ("disable"), "stale-time" arg /* Stale time in seconds or dhms notation (1..16777215) */ ) ) ) ), "forwarding-state-bit" ( /* Control forwarding-state flag negotiation */ ("set" | "from-fib") ) ) end rule(:bgp_afi_default) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ) ) end rule(:apath_options) do c( "receive" /* Receive multiple paths from peer */, "send" ( /* Send multiple paths to peer */ c( "prefix-policy" ( /* Perform add-path only for prefixes that match policy */ policy_algebra /* Perform add-path only for prefixes that match policy */ ), "path-count" arg /* Number of paths to advertise */, "multipath" /* Include only multipath contributor routes */ ) ) ) end rule(:bgp_afi_flow) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ), "no-validate" ( /* Bypass validation procedure for routes that match policy */ policy_algebra /* Bypass validation procedure for routes that match policy */ ), "strip-nexthop" /* Strip the next-hop from the outgoing flow update */, "allow-policy-add-nexthop" /* Allow policy to add nexthop to a route without nexthop */ ) end rule(:bgp_afi_inet6_labeled) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ), "aggregate-label" ( /* Aggregate labels of incoming routes with the same FEC */ c( "community" arg /* Community to identify the FEC of incoming routes */ ) ), "per-group-label" /* Advertise prefixes with unique labels per group */, "traffic-statistics" ( /* Collect statistics for BGP label-switched paths */ bgpaf_traffic_statistics /* Collect statistics for BGP label-switched paths */ ), "rib" ( /* Select table used by labeled unicast routes */ c( "inet6.3" /* Use inet6.3 to exchange labeled unicast routes */ ) ), "explicit-null" ( /* Advertise explicit null */ sc( "connected-only" /* Advertise explicit null only for connected routes */ ) ).as(:oneline), "protection" /* Compute backup path for active nexthop failure */.as(:oneline) ) end rule(:bgp_afi_l2vpn) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ), "egress-protection" ( /* Egress router protection */ c( "context-identifier" ( /* Context identifier */ c( ipv4addr /* IP address */ ) ), "keep-import" ( /* Import policy */ policy_algebra /* Import policy */ ) ) ) ) end rule(:bgp_afi_labeled) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ), "aggregate-label" ( /* Aggregate labels of incoming routes with the same FEC */ c( "community" arg /* Community to identify the FEC of incoming routes */ ) ), "per-prefix-label" /* Allocate a unique label to each advertised prefix */, "per-group-label" /* Advertise prefixes with unique labels per group */, "traffic-statistics" ( /* Collect statistics for BGP label-switched paths */ bgpaf_traffic_statistics /* Collect statistics for BGP label-switched paths */ ), "rib" ( /* Select table used by labeled unicast routes */ c( "inet.3" /* Use inet.3 to exchange labeled unicast routes */ ) ), "explicit-null" ( /* Advertise explicit null */ sc( "connected-only" /* Advertise explicit null only for connected routes */ ) ).as(:oneline), "protection" /* Compute backup path for active nexthop failure */, "egress-protection" ( /* Egress router protection */ c( "context-identifier" ( /* Context identifier */ c( ipv4addr /* IP address */ ) ), "keep-import" ( /* Import policy */ policy_algebra /* Import policy */ ) ) ), "resolve-vpn" /* Install received NLRI in inet.3 also */, "entropy-label" ( /* Use entropy label for entropy label capable BGP LSPs */ c( "import" ( /* Policy to select BGP LSPs to use entropy label */ policy_algebra /* Policy to select BGP LSPs to use entropy label */ ), "no-next-hop-validation" /* Don't validate next hop field against route next hop */ ) ) ) end rule(:bgp_afi_srte) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "damping" /* Enable route flap damping */, "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ) ) end rule(:bgp_afi_topo) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ), "protection" /* Compute backup path for active nexthop failure */.as(:oneline), "topology" arg ( /* Multi topology routing tables */ c( "community" arg /* Community to identify multi topology routes */ ) ) ) end rule(:bgp_afi_vpn) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ), "aggregate-label" ( /* Aggregate labels of incoming routes with the same FEC */ c( "community" arg /* Community to identify the FEC of incoming routes */ ) ) ) end rule(:bgp_afi_vpn_protection) do c( "prefix-limit" ( /* Limit maximum number of prefixes from a peer */ bgpaf_prefix_limit /* Limit maximum number of prefixes from a peer */ ), "accepted-prefix-limit" ( /* Limit maximum number of prefixes accepted from a peer */ bgpaf_accepted_prefix_limit /* Limit maximum number of prefixes accepted from a peer */ ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "add-path" ( /* Advertise multiple paths to peer */ apath_options /* Advertise multiple paths to peer */ ), "aigp" ( /* Allow sending and receiving of AIGP attribute */ bgpaf_aigp_options /* Allow sending and receiving of AIGP attribute */ ), "damping" /* Enable route flap damping */, "local-ipv4-address" ( /* Local IPv4 address */ ipv4addr /* Local IPv4 address */ ), "loops" ( /* Allow local AS in received AS paths */ bgpaf_loops /* Allow local AS in received AS paths */ ).as(:oneline), "delay-route-advertisements" ( /* Delay route updates for this family until FIB-sync */ c( "minimum-delay" ( /* Minumum-delay to ensure KRT sees the route flash */ c( "routing-uptime" arg /* Min delay(sec) advertisement after RPD start */, "inbound-convergence" arg /* Min delay(sec) advertisement after source-peer sent all routes */ ) ), "maximum-delay" ( /* Maximum delay deferring routes */ c( "route-age" arg /* Max delay(sec) advertisement route age */, "routing-uptime" arg /* Max delay(sec) advertisement after RPD start */ ) ) ) ), "defer-initial-multipath-build" ( /* Defer initial multipath build until EOR is received */ c( "maximum-delay" arg /* Max delay(sec) multipath build after peer is up */ ) ), "graceful-restart" ( /* BGP graceful restart options */ bgp_af_gr /* BGP graceful restart options */ ), "extended-nexthop" /* Extended nexthop encoding */, "extended-nexthop-color" /* Resolve using extended color nexthop */, "no-install" /* Dont install received routes in forwarding */, "output-queue-priority" ( /* Default output-queue to assign updates to */ bgp_output_queue_priority_class /* Default output-queue to assign updates to */ ), "route-refresh-priority" ( /* Default output-queue to assign route refreshes to */ bgp_output_queue_priority_class /* Default output-queue to assign route refreshes to */ ), "withdraw-priority" ( /* Default output-queue to assign withdrawn routes to */ bgp_output_queue_priority_class /* Default output-queue to assign withdrawn routes to */ ), "aggregate-label" ( /* Aggregate labels of incoming routes with the same FEC */ c( "community" arg /* Community to identify the FEC of incoming routes */ ) ), "egress-protection" ( /* Egress router protection */ c( "context-identifier" ( /* Context identifier */ c( ipv4addr /* IP address */ ) ), "keep-import" ( /* Import policy */ policy_algebra /* Import policy */ ) ) ) ) end rule(:bgp_output_queue_priority_class) do c( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ).as(:oneline) end rule(:bgp_filter_obj) do c( "match-on" ( /* Argument on which to match */ ("prefix") ), "policy" ( /* Filter policy */ policy_algebra /* Filter policy */ ) ).as(:oneline) end rule(:bgpaf_accepted_prefix_limit) do c( "maximum" arg /* Maximum number of prefixes accepted from a peer */, "teardown" ( /* Clear peer connection on reaching limit */ sc( arg, "idle-timeout" ( /* Timeout before attempting to restart peer */ sc( c( "forever" /* Idle the peer until the user intervenes */, arg ) ) ).as(:oneline) ) ).as(:oneline) ) end rule(:bgpaf_aigp_options) do c( "disable" /* Disable sending and receiving of AIGP attribute */ ) end rule(:bgpaf_loops) do c( arg ).as(:oneline) end rule(:bgpaf_prefix_limit) do c( "maximum" arg /* Maximum number of prefixes from a peer */, "teardown" ( /* Clear peer connection on reaching limit */ sc( arg, "idle-timeout" ( /* Timeout before attempting to restart peer */ sc( c( "forever" /* Idle the peer until the user intervenes */, arg ) ) ).as(:oneline) ) ).as(:oneline) ) end rule(:bgpaf_traffic_statistics) do c( "labeled-path" /* Ingress labeled path statistics */, "file" ( /* Statistics file options */ trace_file_type /* Statistics file options */ ), "interval" arg /* Time to collect statistics (seconds) */ ) end rule(:juniper_protocols_bridge) do c( "traceoptions" ( /* Trace options for Layer 2 address service */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "routing-socket" | "interface-device" | "interface-logical" | "interface-family" | "bridging-domain" | "routing-instance" | "bridge-interface" | "learning-domain" | "ipc" | "mac-learning" | "initialization" | "flood-next-hop" | "irb" | "vpls-ping" | "vpls-loop-prev" | "logical-system" | "bmac-next-hop" | "bridge-bmac-next-hop" | "isid" | "mc-ae" | "kack" | "storm-control" | "redundant-trunk-group" | "unknown-unicast-forwarding" | "vxlan" | "all")) /* Type of operation or event to include in trace */.as(:oneline), "in-memory-debug" /* Enable trace parameters in the memory */ ) ), "global-mac-move" ( /* Enable mac move related options at global level */ c( "notification-time" arg /* Periodical time interval in secs during which MAC move notification occurs */, "threshold-time" arg /* Time during which if certain number of MAC moves happen warrant recording */, "reopen-time" arg /* Time after which a blocked interface is reopened */, "threshold-count" arg /* Count of MAC moves which warrant recording when happen in certain time */, "traceoptions" ( /* Enable logging for the MAC moves */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline) ) ), "log" /* Syslog all the MAC moves as stored in the mac-move-buffer */, "disable-action" /* Disable mac move action globally */, "cooloff-time" arg /* Time interval in secs during which no further actions are taken */, "statistical-approach-wait-time" arg /* Time during which MAC moves are monitored to collect statistics */, "interface-recovery-time" arg /* Time interval after which interface is made operationally up */, "exclusive-mac" arg /* MAC addresses to be excluded in mac-move-limit or in VPLS loop prevention algorithm */ ) ), "global-mac-table-aging-time" arg /* System level MAC table aging time */, "global-mac-ip-table-aging-time" arg /* System level MAC+IP table aging time */, "global-mode" ( /* Global L2 Mode */ ("transparent-bridge" | "switching") ), "global-le-aging-time" arg /* Set LE aging time */, "global-le-bridge-domain-aging-time" arg /* Set LE bridge-domain aging time */, "mclag-arpreq-sync" /* Enable syncing ARP REQ packets to peer MCLAG PE */, "global-mac-pinning-discard-notification-interval" arg /* Set interval for MAC Pinning discard notification */, "global-mac-limit" ( /* System level MAC limit options */ c( arg, "packet-action" ( ("drop") ) ) ), "global-mac-ip-limit" ( /* System level MAC+IP limit options */ c( arg ) ), "global-mac-statistics" /* Enable MAC address statistics at system level */, "global-static-mac-move-drop-log" /* Set global static mac move drop and log notification. */, "decapsulate-accept-inner-vlan" /* Accept VxLAN packets with inner VLAN disabled by default */, "destination-udp-port" arg /* VXLAN destination UDP port */, "source-udp-port" arg /* VXLAN source UDP port */, "disable-vxlan-multicast-transit" /* VXLAN multicast group configuration */, "global-no-mac-learning" /* Disable dynamic MAC address learning at system level */, "global-no-hw-mac-learning" /* Disable hardware MAC-address learning at system level */, "global-no-control-mac-aging" /* Disable control MAC-address aging from software */, "mclag-arp-nd-sync" /* Arp and ND entry sync from peer device. */, "no-mclag-ifa-sync" /* IFA entry disable sync from/to peer device. */ ) end rule(:juniper_protocols_dlsw) do c( "local-peer" ( /* Local peer IP address */ ipv4addr /* Local peer IP address */ ), "promiscuous" /* Accept all peer connections */, "connection-idle-timeout" arg /* Timeout for idle remote peer */, "receive-initial-pacing" arg /* Default value of initial receive pacing window */, "multicast-address" ( /* Multicast IP address */ ipv4addr /* Multicast IP address */ ), "explorer-wait-time" arg /* Explorer wait time */, "reachability-cache-timeout" arg /* Timeout for reachability cache */, "remote-peer" ( /* Remote peer configuration */ c( dlsw_peer_type ) ), "dlsw-cos" ( /* Configure CoS parameters */ c( "type-of-service" arg /* IP type-of-service value */, "destination-interface" ( /* Name of destination interface for DLSw packets */ interface_name /* Name of destination interface for DLSw packets */ ) ) ), "traceoptions" ( /* Trace options */ c( "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the trace file */, "no-world-readable" /* Don't allow any user to read the trace file */ ) ).as(:oneline), "flag" enum(("info" | "parse" | "route-socket" | "packets" | "events" | "error" | "memory" | "critical" | "all")) /* Tracing parameters */.as(:oneline) ) ), "load-balance" ( /* Load balance circuits among remote peers */ sc( c( "circuit-weight" /* Load balance circuits based on circuit weight configured */ ) ) ).as(:oneline) ) end rule(:dlsw_peer_type) do arg.as(:arg) ( c( "keepalive-interval" arg /* DLSw keepalive interval (0 = forever) */, "cost" arg /* DLSw peer cost */, "circuit-weight" arg /* DLSw peer circuit weight */ ) ) end rule(:juniper_protocols_dot1x) do c( "traceoptions" ( /* Trace options for 802.1X */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("dot1x-debug" | "parse" | "esw-if" | "eapol" | "config-internal" | "normal" | "general" | "state" | "task" | "timer" | "vlan" | "all" | "dot1x-ipc" | "dot1x-event" | "iccp")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "authenticator" ( /* 802.1X authenticator options */ c( "authentication-profile-name" arg /* Access profile name to use for authentication */, "no-mac-table-binding" /* Disable association between mac table and dot1x */, "radius-options" ( /* Info sent to radius server */ c( "add-interface-text-description" /* Appends interface text description to NAS-Port-Id */, c( "use-vlan-name" /* Vlan name */, "use-vlan-id" /* Vlan id */ ) ) ), "static" arg ( /* Static MAC configuration needed to bypass 802.1X */ c( "vlan-assignment" arg /* VLAN name or 802.1q tag for the MAC address */, "bridge-domain-assignment" arg /* Bridge-domain name or 802.1q tag for the MAC address */, "interface" ( /* Interface on which authentication is bypassed */ interface_name /* Interface on which authentication is bypassed */ ) ) ), "interface" ("all" | arg) ( /* 802.1X interface specific options */ c( "authentication-order" ( /* Flexible authentication order */ ("dot1x" | "mac-radius" | "captive-portal") ), "disable" /* Disable 802.1X on this interface */, "supplicant" ( /* Set supplicant mode for this interface */ ("single" | "single-secure" | "multiple") ), "retries" arg /* Number of retries after which port is placed into wait state */, "quiet-period" arg /* Time to wait after an authentication failure */, "transmit-period" arg /* Interval before retransmitting initial EAPOL PDUs */, "multi-domain" ( /* Enable multi domain authentication */ c( "packet-action" ( /* Set packet action for this interface */ ("drop-and-log" | "shutdown") ), "max-data-session" arg /* Data session limit in multi domain authentication */, "recovery-timeout" arg /* Multi domain recovery timeout */ ) ), "mac-radius" ( /* Enable MAC-RADIUS */ c( "restrict" /* Bypass dot1x authentication, use MAC RADIUS only */, "flap-on-disconnect" /* Reset an interface on receiving a disconnect request */, "ignore-port-bounce" /* To ignore the port-bounce request received from RADIUS server */, "authentication-protocol" ( /* Set mac-radius authentication method */ c( c( "eap-md5" /* Authentication protocol EAP-MD5 */, "pap" /* Authentication protocol PAP */, "eap-peap" ( /* Authentication protocol EAP-PEAP */ c( "resume" /* Enable resume functionality for faster authentication */ ) ) ) ) ) ) ), c( "no-reauthentication" /* Disable reauthentication */, "reauthentication" arg /* Reauthentication interval */ ), "supplicant-timeout" arg /* Time to wait for a client response */, "server-timeout" arg /* Authentication server timeout interval */, "maximum-requests" arg /* Number of EAPOL RequestIDs to send before timing out */, "guest-vlan" arg /* VLAN name or 802.1q tag for unauthenticated or non-responsive hosts */, "guest-bridge-domain" arg /* Bridge-domain name or 802.1q tag for unauthenticated or non-responsive hosts */, "server-reject-vlan" ( /* VLAN name or 802.1q tag for authentication rejected clients */ sc( arg /* VLAN name or VLAN Tag (1..4095) */, "block-interval" arg /* Interval for authenticator to ignore the EAP-Start packets. */, "eapol-block" /* Force the authenticator to ignore EAPOL-Start packets. */ ) ).as(:oneline), "server-reject-bridge-domain" /* VLAN name or 802.1q tag for authentication rejected clients */.as(:oneline), "eapol-block" ( /* Force the authenticator to ignore EAPOL-Start packets */ c( "server-fail" ( /* Block EAPOL-Start during RADIUS Timeout */ c( arg ) ), "mac-radius" /* Block EAPOL-Start when client is authenticated in mac-radius mode */, "captive-portal" /* Block EAPOL-Start when client is authenticated in captive-portal mode */ ) ), "lldp-med-bypass" /* Bypass dot1x authentication, use lldp-med based authentication */, "server-fail" ( /* Action to be taken when server is inaccessible */ sc( c( "deny" /* Force client authentication to fail */, "permit" /* Force client authentication to succeed */, "vlan-name" arg /* VLAN name or 802.1q tag for unreachable servers */, "bridge-domain" arg /* Bridge-domain name or 802.1q tag for unreachable servers */, "use-cache" /* Use the previous state of the client */ ) ) ).as(:oneline), "server-fail-voip" /* Action to be taken for VOIP client when server is inaccessible */.as(:oneline), "redirect-url" arg /* CWA redirect URL to be used for unauthenticated users */, "no-tagged-mac-authentication" /* Don't allow tagged mac for radius authentication */ ) ) ) ) ) end rule(:juniper_protocols_esis) do c( ("disable"), "traceoptions" ( /* Trace options for ES-IS */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "esh" | "ish" | "graceful-restart" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "preference" arg /* Preference of routes */, "graceful-restart" ( /* ES-IS graceful restart options */ sc( ("disable"), "restart-duration" arg /* Maximum time for graceful restart to finish */ ) ).as(:oneline), "interface" arg ( /* Interface configuration */ c( "hold-time" arg /* Time after which neighbors think the interface is down */, "end-system-configuration-timer" arg /* Suggested end system configuration timer */, ("disable") ) ) ) end rule(:juniper_protocols_isis) do c( ("disable"), "traceoptions" ( /* Trace options for IS-IS */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "spf" | "packets" | "hello" | "lsp" | "psn" | "csn" | "layer2-map" | "lsp-generation" | "graceful-restart" | "ldp-synchronization" | "nsr-synchronization" | "spring" | "traffic-statistics" | "prefix-sid" | "adj-sid" | "post-convergence-lfa" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "reference-bandwidth" arg /* Bandwidth for calculating metric defaults */, "layer2-map" /* Kernel ARP/ND creation for nexthops */, "no-layer2-map" /* Don't kernel ARP/ND creation for nexthops */, "job-stats" /* Collect job statistics */, "lsp-lifetime" arg /* Lifetime of LSPs */, "max-lsp-size" arg /* Maximum size allowed for LSPs */, "max-hello-size" arg /* Maximum size allowed for ISIS Hello PDUs */, "max-snp-size" arg /* Maximum size allowed for Sequence Number (Complete/Partial) PDUs */, "spf-delay" arg /* Time to wait before running an SPF */, "authentication-key" ( /* Authentication key (password) */ unreadable /* Authentication key (password) */ ), "authentication-type" ( /* Authentication type */ ("md5" | "simple") ), "loose-authentication-check" /* Verify authentication only if PDU has authentication TLV */, "max-areas" arg /* Maximum number of advertised Areas */, "no-authentication-check" /* Disable authentication checking */, "no-ipv4-routing" /* Disable IPv4 routing */, "no-ipv6-routing" /* Disable IPv6 routing */, "clns-routing" /* Enable CLNS routing */, "clns-updown-compatibility" /* Set the Up/Down Bit in place of the I/E bit in CLNS TLVs */, "no-adjacency-holddown" /* Disable adjacency hold down */, "multicast-topology" /* Enable multicast topology */, "ignore-attached-bit" /* Ignore the attached bit in Level 1 LSPs */, "rib-group" ( /* Routing table group for importing IS-IS routes */ rib_group_type /* Routing table group for importing IS-IS routes */ ), "spf-options" ( /* Configure SPF attributes */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of rapid SPF runs before SPF holddown */, "multipath" ( /* Configure multipath options */ c( "weighted" ( /* Weighted multipath options */ c( "one-hop" /* Enable load balancing on onehop multipath based on interface bandwidth */ ) ) ) ) ) ), "backup-spf-options" ( /* Configure backup SPF attributes */ c( "per-prefix-calculation" /* Calculate backup nexthops for non-best prefix originators */, "remote-backup-calculation" /* Calculate Remote LFA backup nexthops */, "use-post-convergence-lfa" ( /* Calculate Post Convergence Backup Nexthops */ c( "maximum-labels" arg /* Set maximum number of label supported for post convergence path calculations */, "maximum-backup-paths" arg /* Set maximum equal cost backup post convergence paths */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use SPRING routed paths for protection */ ) ), "topologies" ( /* Enable topologies */ c( "ipv4-multicast" /* Enable IPv4-multicast topology */, "ipv6-unicast" /* Enable IPv6-unicast topology */, "ipv6-multicast" /* Enable IPv6-multicast topology */ ) ), "overload" ( /* Set the overload bit (no transit traffic) */ c( "timeout" arg /* Time after which overload bit is reset */, "advertise-high-metrics" /* Advertise high metrics instead of setting the overload bit */, "allow-route-leaking" /* Allow routes to be leaked when overload is configured */, "internal-prefixes" /* Allow internal prefixes to be advertised with high metric */, "external-prefixes" /* Allow external prefixes to be advertised with high metric */ ) ), "traffic-engineering" ( /* Configure traffic engineering attributes */ c( ("disable"), "igp-topology" /* Download IGP topology into TED */, "credibility-protocol-preference" /* Follow IGP protocol preference for TED protocol credibility */, "ipv4-multicast-rpf-routes" /* Install IPv4 routes for multicast RPF checks into inet.2 */, "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "family" enum(("inet" | "inet6" | "inet-mpls" | "inet6-mpls")) ( /* Address family specific traffic-engineering attributes */ c( "shortcuts" ( /* Use label-switched paths as next hops, if possible */ c( "multicast-rpf-routes" /* Install routes for multicast RPF checks into multicast RIB */ ) ) ) ), "shortcuts" ( /* Use label-switched paths as next hops, if possible */ c( "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */ ) ), "multipath" ( /* Configure label-switched-path multipath behavior */ c( "lsp-equal-cost" /* Include equal cost label-switched-paths */ ) ) ) ), "graceful-restart" ( /* IS-IS graceful restart options */ sc( ("disable"), "helper-disable" /* Disable graceful restart helper capability */, "restart-duration" arg /* Maximum time for graceful restart to finish */ ) ).as(:oneline), "source-packet-routing" ( /* Enable Source Packet Routing (SPRING) */ c( "adjacency-segment" ( /* Configure attributes for Adjacency Segments in SPRING */ c( "hold-time" arg /* Duration(ms) for which adjacency segments will be retained after isolating from an interface */ ) ), "sensor-based-stats" ( /* Configure sensor based stats in SPRING */ c( "per-interface-per-member-link" ( /* Configure sensor based stats per nexthop */ sc( "ingress" /* Enable sensor based stats on ingress interface */, "egress" /* Enable sensor based stats on egress interface */ ) ).as(:oneline), "per-sid" ( /* Configure sensor based stats per spring route */ sc( "ingress" /* Enable sensor based stats for per-sid ingress accounting */ ) ).as(:oneline) ) ), "srgb" ( /* Set the SRGB global block in SPRING */ sc( "start-label" arg /* Start range for SRGB label block */, "index-range" arg /* Index to the SRGB start label block */ ) ).as(:oneline), "node-segment" ( /* Enable support for Node segments in SPRING */ c( "ipv4-index" arg /* Set IPv4 Node Segment index */, "ipv6-index" arg /* Set IPv6 Node Segment index */, "index-range" arg /* Set Range of Node Segment indices allowed */ ) ), "traffic-statistics" ( /* Enable support for traffic statistics in SPRING */ c( "statistics-granularity" ( /* Granularity for traffic statistics in SPRING */ c( "per-interface" /* Interface Based traffic statistics in SPRING */ ) ), "auto-bandwidth" arg /* Auto bandwidth name */ ) ), "explicit-null" /* Set E and P bits in all Prefix SID advertisements */, "mapping-server" arg /* Mapping server name */, "ldp-stitching" /* Enable SR to LDP stitching */ ) ), "level" arg ( /* Configure global level attributes */ c( ("disable"), "authentication-key" ( /* Authentication key (password) */ unreadable /* Authentication key (password) */ ), "authentication-type" ( /* Authentication type */ ("md5" | "simple") ), "purge-originator" ( /* Add Purge Originator information */ ("self" | "empty") ), "no-hello-authentication" /* Disable authentication for hello packets */, "no-csnp-authentication" /* Disable authentication for CSN packets */, "no-psnp-authentication" /* Disable authentication for PSN packets */, "authentication-key-chain" arg /* Key chain name */, "wide-metrics-only" /* Generate wide metrics only */, "preference" arg /* Preference of internal routes */, "external-preference" arg /* Preference of external routes */, "labeled-preference" arg /* Preference of labeled IS-IS routes */, "prefix-export-limit" arg /* Maximum number of external prefixes that can be exported */, "source-packet-routing" ( /* Enable Source Packet Routing (SPRING) */ c( ("disable") ) ) ) ), "interface" arg ( /* Interface configuration */ c( ("disable"), "authentication-key" ( /* Authentication key (password) */ unreadable /* Authentication key (password) */ ), "authentication-type" ( /* Authentication type */ ("md5" | "simple") ), "auto-bandwidth" ( /* Auto bandwidth configuration */ c( "template-name" arg /* Auto bandwidth template name */, ("disable") ) ), "flood-group" arg /* ISO Area that this interface should send LSPs to */, "no-advertise-adjacency-segment" /* Do not advertise an adjacency segment for this interface */, "hello-authentication-key" ( /* Authentication key (password) for hello packets */ unreadable /* Authentication key (password) for hello packets */ ), "hello-authentication-type" ( /* Authentication type for hello packets */ ("md5" | "simple") ), "hello-padding-type" ( /* Type of padding for hello packets */ ("strict" | "adaptive" | "loose" | "disable") ), "interface-group-holddown-delay" arg /* Time to wait before including in BBM calculation */, "layer2-map" /* Kernel ARP/ND creation for nexthops */, "no-layer2-map" /* Don't kernel ARP/ND creation for nexthops */, "ldp-synchronization" ( /* Advertise maximum metric until LDP is operational */ ldp_sync_obj /* Advertise maximum metric until LDP is operational */ ), "max-hello-size" arg /* Maximum size allowed for ISIS Hello PDUs */, "lsp-interval" arg /* Interval between LSP transmissions */, "csnp-interval" ( /* Rate of CSN packets (for LAN interfaces only) */ sc( c( arg, "disable" /* Do not send CSN packets on this interface */ ) ) ).as(:oneline), "mesh-group" ( /* Add the interface to a mesh group */ sc( c( arg /* Mesh group number for this interface */, "blocked" /* Do not flood new LSPs on this interface */ ) ) ).as(:oneline), "point-to-point" /* Treat interface as point to point */, c( "link-protection" /* Protect interface from link faults only */, "node-link-protection" /* Protect interface from both link and node faults */ ), "no-eligible-backup" /* Not eligible for backup traffic from protected interfaces */, "passive" ( /* Do not run IS-IS, but advertise it */ c( "remote-node-iso" ( /* ISO System-ID of the remote node */ sysid /* ISO System-ID of the remote node */ ), "remote-node-id" ( /* Remote address of the link */ ipv4addr /* Remote address of the link */ ) ) ), "no-eligible-remote-backup" /* Not eligible for Remote-LFA backup traffic from protected interfaces */, "checksum" /* Enable checksum for packets on this interface */, "no-unicast-topology" /* Do not include this interface in the unicast topology */, "no-ipv4-multicast" /* Do not include this interface in the IPv4 multicast topology */, "no-ipv6-unicast" /* Do not include this interface in the IPv6 unicast topology */, "no-ipv6-multicast" /* Do not include this interface in the IPv6 multicast topology */, "no-adjacency-down-notification" /* Do not inform other protocols about adjacency down events */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ) ) ), "family" enum(("inet" | "inet6")) ( /* Address family specific interface attributes */ c( "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ) ) ) ) ), "level" arg ( /* Configure levels on this interface */ c( ("disable"), "post-convergence-lfa" ( /* Configure backup along post convergence on this interface */ c( "node-protection" ( /* Enable node protection */ c( "cost" arg /* Cost for node protection */ ) ), "fate-sharing-protection" /* Enable fate-sharing protection */ ) ), "metric" arg /* Metric for this level */, "ipv4-multicast-metric" arg /* IPv4 multicast metric for this level */, "ipv6-unicast-metric" arg /* IPv6 unicast metric for this level */, "ipv6-multicast-metric" arg /* IPv6 multicast metric for this level */, "no-advertise-adjacency-segment" /* Do not advertise an adjacency segment for this level */, "te-metric" arg /* Traffic engineering metric */, "topology" enum(("default" | "ipv4-multicast" | "ipv6-unicast" | "ipv6-multicast")) ( /* Topology specific attributes */ c( "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ), "authentication-key" ( /* Authentication key (password) */ unreadable /* Authentication key (password) */ ), "authentication-type" ( /* Authentication type */ ("md5" | "simple") ), "hello-authentication-key" ( /* Authentication key (password) for hello packets */ unreadable /* Authentication key (password) for hello packets */ ), "hello-authentication-type" ( /* Authentication type for hello packets */ ("md5" | "simple") ), "hello-authentication-key-chain" arg /* Key chain name */, "hello-interval" arg /* Interval between hello packet transmissions */, "hold-time" arg /* Time after which neighbors think the interface is down */, "priority" arg /* Designated router election priority */, "passive" ( /* Do not run IS-IS at this level, but advertise it */ c( "remote-node-iso" ( /* ISO System-ID of the remote node */ sysid /* ISO System-ID of the remote node */ ), "remote-node-id" ( /* Remote address of the link */ ipv4addr /* Remote address of the link */ ) ) ), "ipv4-adjacency-segment" ( /* Configure ipv4 adjacency segment */ c( "protected" ( /* Adjacency SID is eligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline), "unprotected" ( /* Adjacency SID uneligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline) ) ), "ipv6-adjacency-segment" ( /* Configure ipv6 adjacency segment */ c( "protected" ( /* Adjacency SID is eligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline), "unprotected" ( /* Adjacency SID uneligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline) ) ), "lan-neighbor" arg ( /* Configuration specific to a LAN neighbor */ c( "ipv4-adjacency-segment" ( /* Configure ipv4 adjacency segment */ c( "protected" ( /* Adjacency SID is eligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline), "unprotected" ( /* Adjacency SID uneligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline) ) ), "ipv6-adjacency-segment" ( /* Configure ipv6 adjacency segment */ c( "protected" ( /* Adjacency SID is eligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline), "unprotected" ( /* Adjacency SID uneligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline) ) ) ) ) ) ), "link-degradation-threshold" ( /* Link up and down thresholds (in %) for proactive link protection */ sc( "link-down" arg /* Signal degradation threshold above which link marked down */, "link-up" arg /* Signal degradation threshold below which link is marked up. */ ) ).as(:oneline) ) ), "interface-group" arg ( /* Interface grouping configuration */ c( "interface" arg ( /* List interfaces for this group */ c( "weight" arg /* Interface weight for adjacency set */ ) ), "level" arg ( /* Configure levels on this interface-group */ c( "topology" enum(("default" | "ipv4-multicast" | "ipv6-unicast" | "ipv6-multicast")) ( /* Topology specific attributes */ c( "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ), "ipv4-adjacency-segment" ( /* Configure ipv4 adjacency segment */ c( "protected" ( /* Adjacency SID is eligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline), "unprotected" ( /* Adjacency SID uneligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline) ) ), "ipv6-adjacency-segment" ( /* Configure ipv6 adjacency segment */ c( "protected" ( /* Adjacency SID is eligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline), "unprotected" ( /* Adjacency SID uneligible for protection */ sc( c( "index" ( /* Adjacency SID indexed from SRGB */ sc( arg ) ).as(:oneline), "label" arg /* Adjacency SID from static label pool */, "dynamic" /* Dynamically allocate an adjacency segment */ ) ) ).as(:oneline) ) ) ) ), "link-group-protection" ( /* Configure link group protection */ c( "minimum-bandwidth" arg /* Minimum bandwidth to carry traffic */, "revert-bandwidth" arg /* Revert bandwidth to carry traffic */ ) ) ) ), "label-switched-path" arg ( /* Configuration for advertisement of a label-switched path */ c( "level" arg ( /* Level to advertise this label-switched path */ c( ("disable"), "metric" arg /* SPF metric for this level */ ) ) ) ), "context-identifier" arg ( /* Configuration for advertisement of a context-identifier */ c( "level" arg ( /* Level to advertise this context-identifier */ c( ("disable") ) ) ) ) ) end rule(:juniper_protocols_l2control) do c( "traceoptions" ( /* Global tracing options for STP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("parse" | "regex-parse" | "config-internal" | "normal" | "general" | "state" | "task" | "timer" | "ppmlite" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "nonstop-bridging" /* Enable nonstop operation */, "bpdu-block" ( /* Block BPDU on interface (BPDU Protect) */ c( "interface" (arg | "all") ( /* Interface name to block BPDU on */ c( "disable" /* Disable bpdu-block on a port */, "drop" /* Drop xSTP BPDUs */ ) ), "disable-timeout" arg /* Disable timeout for BPDU Protect */ ) ), "mac-rewrite" ( /* Mac rewrite functionality */ c( "interface" arg ( c( "enable-all-ifl" /* Enable tunneling for all the IFLs under the interface */, "protocol" ( /* Protocols for which mac rewrite need to be enabled */ c( "stp" /* Enable mac rewrite for STP */, "vtp" /* Enable mac rewrite for VTP */, "cdp" /* Enable mac rewrite for CDP */, "ieee8021x" /* Enable mac rewrite for 8021X */, "ieee8023ah" /* Enable mac rewrite for 8023AH */, "elmi" /* Enable mac rewrite for ELMI */, "lacp" /* Enable mac rewrite for LACP */, "lldp" /* Enable mac rewrite for LLDP */, "mmrp" /* Enable mac rewrite for MMRP */, "mvrp" /* Enable mac rewrite for MVRP */, "pvstp" /* Enable mac rewrite for PVSTP+ */, "gvrp" /* Enable mac rewrite for GVRP */, "vstp" /* Enable mac rewrite for VSTP */, "udld" /* Enable mac rewrite for UDLD */ ) ) ) ) ) ) ) end rule(:juniper_protocols_ldp) do c( "traceoptions" ( /* Trace options for LDP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "event" | "packet-dump" | "packets" | "periodic" | "initialization" | "notification" | "address" | "label" | "binding" | "path" | "ppmd" | "nsr-synchronization" | "link-protection" | "p2mp-nsr-synchronization" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */, "filter" ( /* Filter to apply to this flag */ ldp_filter_obj /* Filter to apply to this flag */ ) ) ).as(:oneline) ) ), "traffic-statistics" ( /* Collect statistics for LDP label-switched paths */ c( "file" ( /* Statistics file options */ trace_file_type /* Statistics file options */ ), "interval" arg /* Time to collect statistics (seconds) */, "no-penultimate-hop" /* No penultimate hop statistics collection */ ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "helper-disable" /* Disable the graceful restart helper capability */, "recovery-time" arg /* Time required for recovery */, "maximum-neighbor-recovery-time" arg /* Maximum time stale mappings are maintained */, "reconnect-time" arg /* Time required to reestablish session after graceful restart */, "maximum-neighbor-reconnect-time" arg /* Maximum reconnect time allowed from a restarting neighbor */ ) ), "auto-targeted-session" ( /* Configure auto targeted session parameters for rLFA only */ c( "teardown-delay" arg /* Auto targeted session tear down delay */, "maximum-sessions" arg /* Auto targeted maximum sessions */ ) ), "preference" arg /* Route preference */, "no-forwarding" /* Do not use LDP ingress routes for forwarding */, "rib-group" arg /* Routing table group for importing ingress routes */, "l2-smart-policy" /* Do not export or import Layer 3 FECs for Layer 2 sessions */, "track-igp-metric" /* Track the IGP metric */, "strict-targeted-hellos" /* Do not send targeted hellos to unconfigured neighbors */, "longest-match" ( /* Configure longest match */ c( arg ) ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "egress-policy" ( /* Configure LSP egress policy */ policy_algebra /* Configure LSP egress policy */ ), "dod-request-policy" ( /* Configure DoD label request policy */ policy_algebra /* Configure DoD label request policy */ ), "next-hop" ( /* LDP next-hop control */ c( "merged" ( /* Merged next hop */ c( "policy" ( /* Merged next-hop policy */ policy_algebra /* Merged next-hop policy */ ) ) ), "no-rsvp-tunneling" ( /* No rsvp tunneling */ c( "policy" ( /* No rsvp tunneling next-hop policy */ policy_algebra /* No rsvp tunneling next-hop policy */ ) ) ) ) ), "mtu-discovery" /* Enable TCP path MTU discovery */, "no-mtu-discovery" /* Don't enable TCP path MTU discovery */, "deaggregate" /* Deaggregate FECs into separate labels */, "no-deaggregate" /* Don't deaggregate FECs into separate labels */, "explicit-null" /* Advertise the EXPLICIT_NULL label for egress FECs */, "label-withdrawal-delay" arg /* Delay label withdrawal for FECs to avoid label churn */, "make-before-break" ( /* Configure make before break */ c( "timeout" arg /* Make before break timeout */, "switchover-delay" arg /* Make before break switchover delay */ ) ), "transport-address" ( /* Address used for TCP sessions */ sc( c( "router-id" /* Use router ID for TCP connections */, "interface" /* Use interface address for TCP connections */, ipaddr /* Use specified address for TCP connections */ ) ) ).as(:oneline), "keepalive-interval" arg /* Keepalive interval (seconds) */, "keepalive-timeout" arg /* Keepalive timeout (seconds) */, "interface" arg ( /* Enable LDP on this interface */ c( ("disable"), "hello-interval" arg /* Hello interval (seconds) */, "hold-time" arg /* Hello hold time (seconds) */, "link-protection" ( /* Enable link protection to protect interface for link faults only */ c( ("disable"), "dynamic-rsvp-lsp" /* Enable setup of dynamic rsvp lsp for link protection */ ) ), "transport-address" ( /* Address used for TCP sessions */ ("router-id" | "interface") ), "allow-subnet-mismatch" /* Allow subnet mismatch for source address in hello packet */, "no-allow-subnet-mismatch" /* Don't allow subnet mismatch for source address in hello packet */ ) ), "neighbor" arg /* Configure a remote LDP neighbor */, "session" arg ( /* Configure session parameters */ c( "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5" | "hmac-sha-1-96" | "aes-128-cmac-96") ), "authentication-key-chain" arg /* Key chain name */, "downstream-on-demand" /* Configure downstream on demand label distribution mode */, "mtu-discovery" /* Enable TCP path MTU discovery */, "no-mtu-discovery" /* Don't enable TCP path MTU discovery */ ) ), "session-group" arg ( /* Configure session group parameters */ c( "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5" | "hmac-sha-1-96" | "aes-128-cmac-96") ), "authentication-key-chain" arg /* Key chain name */, "downstream-on-demand" /* Configure downstream on demand label distribution mode */, "mtu-discovery" /* Enable TCP path MTU discovery */, "no-mtu-discovery" /* Don't enable TCP path MTU discovery */ ) ), "session-protection" ( /* Configure session protection */ sc( "timeout" arg /* Session protection timeout */ ) ).as(:oneline), "igp-synchronization" ( /* Configure IGP synchronization parameters */ c( "holddown-interval" arg /* Time to hold the up notification to the IGPs */ ) ), "log-updown" ( /* Logging actions for LSP up/down events */ c( "trap" ( /* SNMP traps options */ sc( ("disable") ) ).as(:oneline) ) ), "policing" ( /* Configure policing for an LDP FEC */ c( "fec" arg ( /* Forwarding equivalence class */ c( "ingress-traffic" arg /* Name of filter to use for policing ingress LDP traffic */, "transit-traffic" arg /* Name of filter to use for policing transit LDP traffic */ ) ) ) ), "entropy-label" ( /* Insert entropy label for a LDP FEC */ c( "ingress-policy" ( /* Entropy label ingress policy */ policy_algebra /* Entropy label ingress policy */ ) ) ), "oam" ( /* Configure periodic OAM for a LDP FEC */ c( "ingress-policy" ( /* OAM ingress policy */ policy_algebra /* OAM ingress policy */ ), "bfd-port-egress-policy" ( /* OAM egress policy */ policy_algebra /* OAM egress policy */ ), "fec" arg ( /* Forwarding equivalence class */ c( c( "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "ecmp" /* Enable equal cost multipath (ECMP) support for BFD */, "failure-action" ( /* Action to take when BFD session goes down */ sc( c( "remove-route" /* Remove LDP route from the ribs */, "remove-nexthop" /* Remove LDP nexthop from the route */ ) ) ).as(:oneline), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "no-router-alert-option" /* Do not set Router-Alert options in IP header for MPLS-BFD */, "use-ip-ttl-1" /* Set TTL value to 1 in IP header for MPLS-BFD */ ) ), "no-bfd-liveness-detection" /* Disable BFD liveness detection */ ), "periodic-traceroute" ( /* Configure periodic traceroute */ c( "frequency" arg /* Time between traceroute attempts */, "ttl" arg /* Maximum time-to-live value */, "retries" arg /* Number of times to resend probe */, "wait" arg /* Time to wait before resending probe */, "paths" arg /* Maximum number of paths to traverse */, "source" ( /* Source address to use when sending probes */ ipv4addr /* Source address to use when sending probes */ ), "exp" arg /* Class-of-service value to use when sending probes */, "fanout" arg /* Maximum number of nexthops to search per node */, "disable" /* Disable periodic traceroute for a FEC */ ) ) ) ), "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "ecmp" /* Enable equal cost multipath (ECMP) support for BFD */, "failure-action" ( /* Action to take when BFD session goes down */ sc( c( "remove-route" /* Remove LDP route from the ribs */, "remove-nexthop" /* Remove LDP nexthop from the route */ ) ) ).as(:oneline), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "no-router-alert-option" /* Do not set Router-Alert options in IP header for MPLS-BFD */, "use-ip-ttl-1" /* Set TTL value to 1 in IP header for MPLS-BFD */ ) ), "periodic-traceroute" ( /* Configure periodic traceroute */ c( "frequency" arg /* Time between traceroute attempts */, "ttl" arg /* Maximum time-to-live value */, "retries" arg /* Number of times to resend probe */, "wait" arg /* Time to wait before resending probe */, "paths" arg /* Maximum number of paths to traverse */, "source" ( /* Source address to use when sending probes */ ipv4addr /* Source address to use when sending probes */ ), "exp" arg /* Class-of-service value to use when sending probes */, "fanout" arg /* Maximum number of nexthops to search per node */ ) ), "lsp-ping-interval" arg /* Time interval between LSP ping messages */ ) ), "targeted-hello" ( /* Configure targeted hello parameters */ c( "hello-interval" arg /* Hello interval (seconds) */, "hold-time" arg /* Hold interval (seconds) */ ) ), "p2mp" ( /* Advertise P2MP capability to peers */ c( "recursive" ( /* Configure P2MP recursive parameters */ c( "route" /* Allow recursive route resolution to signal P2MP FEC */ ) ), "root-address" arg ( /* Configure the root address of P2MP LSP */ c( "lsp-id" arg /* Configure the generic LSP identifier */, "group-address" arg ( /* IPv4/Ipv6 group address for mLDP LSP */ c( "source-address" arg /* IPv4/Ipv6 source address */ ) ) ) ), "no-rsvp-tunneling" /* Do not allow LDP P2MP to use RSVP-TE LSPs for tunneling */ ) ), "sr-mapping-client" ( /* Enable LDP to SR mapping-client functionality */ c( "policy" ( /* SR mapping-client policy */ policy_algebra /* SR mapping-client policy */ ) ) ), "upstream-label-assignment" /* Allow Upstream Label Assignment capability */, "family" enum(("inet" | "inet6")) /* Address family */, "transport-preference" ( /* TCP transport preference */ ("ipv4" | "ipv6") ), "dual-transport" ( /* Use separate IPv4 and IPv6 TCP transport */ c( "inet-lsr-id" ( /* LSR identifier for address family inet */ ipv4addr /* LSR identifier for address family inet */ ), "inet6-lsr-id" ( /* LSR identifier for address family inet6 */ ipv4addr /* LSR identifier for address family inet6 */ ) ) ) ) end rule(:juniper_protocols_lmp) do c( "te-link" arg ( /* Traffic engineering link */ c( "local-address" ( /* Address of the local end of the link */ ipaddr /* Address of the local end of the link */ ), "remote-address" ( /* Address of the remote end of the link */ ipaddr /* Address of the remote end of the link */ ), "remote-id" arg /* Link ID for the remote end of the link */, "te-metric" arg /* Traffic engineering metric of the link */, ("disable"), "ethernet-vlan" ( /* TE link used for setup of L2 VLAN LSP */ c( "vlan-id-range" arg /* VLAN id */ ) ), c( "interface" arg ( /* Member interface of TE link */ c( "local-address" ( /* Local address of the resource */ ipaddr /* Local address of the resource */ ), "remote-address" ( /* Remote address of the resource */ ipaddr /* Remote address of the resource */ ), "remote-id" arg /* Interface ID for the remote end of the resource */, ("disable") ) ), "label-switched-path" arg ( /* Member forwarding adjacency LSP of TE link */ c( "local-address" ( /* Local address of the resource */ ipaddr /* Local address of the resource */ ), "remote-address" ( /* Remote address of the resource */ ipaddr /* Remote address of the resource */ ), "remote-id" arg /* Interface ID for the remote end of the resource */, ("disable") ) ) ) ) ), "peer" arg ( /* Define a network or LMP peer */ c( "address" ( /* Address of peer */ ipaddr /* Address of peer */ ), "lmp-protocol" ( /* LMP protocol attributes */ c( "hello-interval" arg /* Interval between Hello messages */, "hello-dead-interval" arg /* Delay for control channel shutdown when no Hello received */, "retransmission-interval" arg /* Minimum time before retransmitting a message */, "retry-limit" arg /* Number of times to retransmit a message */, "passive" /* Do not send Config messages to peer */ ) ), "control-channel" ( /* Control channel interfaces by priority */ interface_name /* Control channel interfaces by priority */ ), "lmp-control-channel" ( /* Control channel IDs */ lmp_control_channel_type /* Control channel IDs */ ), "te-link" arg /* List of TE links managed by this peer */ ) ), "traceoptions" ( /* LMP trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("init" | "show" | "route-socket" | "parse" | "process" | "server" | "routing" | "packets" | "hello-packets" | "state" | "nsr-synchronization" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) end rule(:juniper_protocols_mpls) do c( ("disable"), "lsp-external-controller" arg ( /* External path computing entity */ c( "label-switched-path-template" ( /* Template for externally provisioned LSP parameters */ c( c( arg, "default-template" /* Use default parameters */ ) ) ), "pce-controlled-lsp" arg ( /* Template for externally provisioned LSP using regular expression */ c( "label-switched-path-template" ( /* Template for externally provisioned LSP parameters */ c( arg ) ) ) ) ) ), "path-mtu" ( /* Path MTU configuration */ c( "allow-fragmentation" /* If needed, fragment IP before encapsulating in MPLS */, "rsvp" ( /* RSVP-specific path MTU options */ c( "mtu-signaling" /* Enable RSVP path MTU signaling */ ) ) ) ), "diffserv-te" ( /* Global diffserv-traffic-engineering options */ c( "bandwidth-model" ( /* Bandwidth constraint model supported */ ("extended-mam" | "mam" | "rdm") ), "te-class-matrix" ( /* Supported combinations of traffic-class and preemption */ c( "te0" ( /* Definition for traffic-engineering class te0 */ te_class_object /* Definition for traffic-engineering class te0 */ ).as(:oneline), "te1" ( /* Definition for traffic-engineering class te1 */ te_class_object /* Definition for traffic-engineering class te1 */ ).as(:oneline), "te2" ( /* Definition for traffic-engineering class te2 */ te_class_object /* Definition for traffic-engineering class te2 */ ).as(:oneline), "te3" ( /* Definition for traffic-engineering class te3 */ te_class_object /* Definition for traffic-engineering class te3 */ ).as(:oneline), "te4" ( /* Definition for traffic-engineering class te4 */ te_class_object /* Definition for traffic-engineering class te4 */ ).as(:oneline), "te5" ( /* Definition for traffic-engineering class te5 */ te_class_object /* Definition for traffic-engineering class te5 */ ).as(:oneline), "te6" ( /* Definition for traffic-engineering class te6 */ te_class_object /* Definition for traffic-engineering class te6 */ ).as(:oneline), "te7" ( /* Definition for traffic-engineering class te7 */ te_class_object /* Definition for traffic-engineering class te7 */ ).as(:oneline) ) ) ) ), "auto-policing" ( /* Automatic policing of LSPs */ c( "class" enum(("all" | "ct0" | "ct1" | "ct2" | "ct3")) ( /* Forwarding class */ c( c( "drop" /* Drop packets if bandwidth is exceeded */, "loss-priority-high" /* Set loss priority to high if bandwidth is exceeded */, "loss-priority-low" /* Set loss priority to low if bandwidth is exceeded */ ) ) ) ) ), "statistics" ( /* Collect statistics for signaled label-switched paths */ c( "file" ( /* Statistics file options */ trace_file_type /* Statistics file options */ ), "interval" arg /* Time to collect statistics (seconds) */, "auto-bandwidth" /* Enable auto bandwidth allocation */, "no-transit-statistics" /* Disable transit LSP statistics collection */, c( "no-transit-statistics-polling" /* Disable polling and display of transit lsp statistics */, "transit-statistics-polling" /* Enable polling and display of transit lsp statistics */ ), "statistics-query-batch-size" arg /* Number of LSPs for which statistics will be queried together */, "traffic-class-statistics" /* Create per traffic class statistics sensors for LSPs */ ) ), "log-updown" ( /* Logging actions for LSP up/down events */ c( "syslog" /* Send syslog messages */, "no-syslog" /* Don't send syslog messages */, c( "trap" /* Send SNMP traps */, "no-trap" ( /* Don't send SNMP traps */ c( "mpls-lsp-traps" /* Dont send mpls lsp up/down traps */, "rfc3812-traps" /* Dont send rfc3812 traps */ ) ) ), "trap-path-down" /* Send SNMP traps when a path goes down */, "trap-path-up" /* Send SNMP traps when a path goes up */ ) ), "optimize-adaptive-teardown" ( /* Post make before break adaptive teardown */ c( "p2p" /* Turn on post make before break adaptive teardown for p2p */, "timeout" arg /* Timeout for adaptive teardown to clean up LSP */ ) ), "traffic-engineering" ( /* Traffic-engineering control */ c( c( "bgp" /* BGP destinations only */, "bgp-igp" /* BGP and IGP destinations */, "bgp-igp-both-ribs" /* BGP and IGP destinations with routes in both routing tables */, "mpls-forwarding" /* Use MPLS routes for forwarding, not routing */ ), "database" ( /* Traffic engineering database */ c( "import" ( /* Configure TED import parameters */ c( "igp-topology" ( /* Download IGP topology into RIB */ c( "bgp-link-state" /* Export IGP topology, instead of TE topology, into BGP-LS */ ) ), "policy" ( /* Configure import policy */ policy_algebra /* Configure import policy */ ), "identifier" arg /* BGP-TE identifier */, "bgp-ls-identifier" arg /* BGP-TE domain identifier */ ) ), "export" ( /* Configure TED export related parameters */ c( "policy" ( /* Export policy */ policy_algebra /* Export policy */ ), "credibility" ( /* TED credibility value for entries from BGP-TE */ c( "unknown" arg /* Entries sourced from unknown entities */, "direct" arg /* Entries sourced from directly connected links */, "static" arg /* Entries sourced from static configuration */, "ospf" arg /* Entries sourced from ospf */, "isis-level-1" arg /* Entries sourced from ISIS Level 1 */, "isis-level-2" arg /* Entries sourced from ISIS Level 2 */ ) ) ) ) ) ) ) ), "traceoptions" ( /* Trace options for MPLS */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("connection" | "connection-detail" | "cspf" | "cspf-node" | "cspf-link" | "cspf-abstract" | "state" | "error" | "lsping" | "graceful-restart" | "nsr-synchronization" | "nsr-synchronization-detail" | "static" | "egress-protection" | "all" | "autobw-state" | "externally-controlled-lsp" | "ted-import" | "ted-export" | "lsp-history" | "abstract-hop")) /* Tracing parameters */.as(:oneline) ) ), "admin-groups" arg ( /* Administrative groups */ c( arg ) ), "advertisement-hold-time" arg /* Time that an 'LSP down' advertisement will be delayed */, "rsvp-error-hold-time" arg /* Time that RSVP PathErr events will be remembered */, "optimize-aggressive" /* Run aggressive optimization algorithm based on IGP metric only */, "smart-optimize-timer" arg /* Path optimization interval after a link traversed by the path goes down */, "optimize-switchover-delay" arg /* Delay before switching LSP to newly optimized path */, "no-propagate-ttl" /* Disable TTL propagation from IP to MPLS (on push) and MPLS to IP (on pop) */, "sensor-based-stats" /* Enable sensor based statistics collection */, "explicit-null" /* Advertise the EXPLICIT_NULL label when the router is the egress */, "ipv6-tunneling" /* Allow MPLS LSPs to be used for tunneling IPv6 traffic */, "icmp-tunneling" /* Allow MPLS LSPs to be used for tunneling ICMP error packets */, "revert-timer" arg /* Hold-down window before reverting back to primary path, 0 means disable */, "optimize-hold-dead-delay" arg /* Delay before tearing down the old optimized path */, "expand-loose-hop" /* Perform CSPF path computation to expand loose hops */, "mib-mpls-show-p2mp" /* Show p2mp tunnels entries in mpls mib walk */, "bandwidth" ( /* Bandwidth to reserve (bps) */ bandwidth_type /* Bandwidth to reserve (bps) */ ), "class-of-service" arg /* Class-of-service value */, "no-decrement-ttl" /* Do not decrement the TTL within an LSP */, "hop-limit" arg /* Maximum allowed router hops */, "no-cspf" /* Disable automatic path computation */, "admin-down" /* Set GMPLS LSP to administrative down state */, "optimize-timer" arg /* Periodical path reoptimizations */, "preference" arg /* Preference value */, "priority" ( /* Preemption priorities */ c( arg, arg ) ), "record" /* Record transit routers */, "no-record" /* Don't record transit routers */, "standby" /* Keep backup paths in continuous standby */, "exclude-srlg" /* Exclude SRLG links for secondary path */, "admin-group" ( /* Administrative group policy */ admin_group_include_exclude /* Administrative group policy */ ), "admin-group-extended" ( /* Extended administrative group policy */ admin_group_include_exclude /* Extended administrative group policy */ ), "oam" ( /* Periodic OAM */ periodic_oam /* Periodic OAM */ ), "ultimate-hop-popping" /* Request ultimate hop popping from egress */, "sync-active-path-bandwidth" /* Signal standby path with bandwidth obtained from active path */, "cross-credibility-cspf" /* Compute paths across multi-protocol links and nodes */, "label-switched-path" arg ( /* Label-switched path */ c( ("disable"), "traceoptions" ( /* Trace options for MPLS label-switched path */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("cspf" | "cspf-node" | "cspf-link" | "cspf-abstract" | "state" | "all")) /* Tracing parameters */.as(:oneline) ) ), "no-install-to-address" /* Don't install host route 'to' address into routing tables */, "backup" /* Use LSP for IGP backup */, "from" ( /* Address of ingress router */ ipv4addr /* Address of ingress router */ ), "pop-and-forward" /* Enable LSP as pop-and-forward with auto-delegation */, c( "to" ( /* Address of egress router */ ipv4addr /* Address of egress router */ ), "template" /* Template for dynamic lsp paramaters */ ), "corouted-bidirectional" /* Setup the LSP as a corouted bidirectional LSP */, "corouted-bidirectional-passive" /* Associate LSP with incoming corouted bidirectional LSP */, "metric" arg /* Metric value */, "ldp-tunneling" /* Allow LDP to use this LSP for tunneling */, "soft-preemption" /* Attempt make-before-break service while preempting this LSP */, "install" arg ( /* Install prefix */ sc( "active" /* Install prefix into forwarding table */ ) ).as(:oneline), "retry-timer" arg /* Time before retrying the primary path */, "retry-limit" arg /* Maximum number of times to retry primary path */, "lsp-attributes" ( /* Attributes for generalized LSP */ c( "signal-bandwidth" ( /* Signal bandwidth for the LSP */ ("ds1" | "vt1-5" | "e1" | "vt2" | "ethernet" | "e3" | "ds3" | "sts-1" | "fastether" | "stm-1" | "stm-4" | "gigether" | "stm-16" | "stm-64" | "10gigether" | "stm-256" | "100gige") ), "switching-type" ( /* LSP switching type desired */ ("psc-1" | "lambda" | "fiber" | "tdm" | "ethernet-vlan") ), "encoding-type" ( /* LSP encoding type desired */ ("packet" | "ethernet" | "pdh" | "sonet-sdh") ), "gpid" ( /* Generalized PID */ ("ipv4" | "ethernet" | "ppp" | "hdlc" | "pos-no-scrambling-crc-16" | "pos-no-scrambling-crc-32" | "pos-scrambling-crc-16" | "pos-scrambling-crc-32") ), "upstream-label" ( /* Upstream Label for the bidirectional label-switched path */ c( "vlan-id" arg /* VLAN ID label for the label-switched path */ ) ) ) ), "revert-timer" arg /* Hold-down window before reverting back to primary path, 0 means disable */, "optimize-hold-dead-delay" arg /* Delay before tearing down the old optimized path */, "bandwidth" ( /* Bandwidth to reserve (bps) */ bandwidth_type /* Bandwidth to reserve (bps) */ ), "class-of-service" arg /* Class-of-service value */, "no-decrement-ttl" /* Do not decrement the TTL within an LSP */, "hop-limit" arg /* Maximum allowed router hops */, "no-cspf" /* Disable automatic path computation */, "admin-down" /* Set GMPLS LSP to administrative down state */, "optimize-timer" arg /* Periodical path reoptimizations */, "preference" arg /* Preference value */, "priority" ( /* Preemption priorities */ c( arg, arg ) ), "record" /* Record transit routers */, "no-record" /* Don't record transit routers */, "standby" /* Keep backup paths in continuous standby */, "exclude-srlg" /* Exclude SRLG links for secondary path */, "admin-group" ( /* Administrative group policy */ admin_group_include_exclude /* Administrative group policy */ ), "admin-group-extended" ( /* Extended administrative group policy */ admin_group_include_exclude /* Extended administrative group policy */ ), "oam" ( /* Periodic OAM */ periodic_oam /* Periodic OAM */ ), "ultimate-hop-popping" /* Request ultimate hop popping from egress */, "sync-active-path-bandwidth" /* Signal standby path with bandwidth obtained from active path */, "cross-credibility-cspf" /* Compute paths across multi-protocol links and nodes */, "entropy-label" /* Enable entropy label */, "self-ping-duration" arg /* Duration over which to run self-ping (65535 = until success). Default = 1800s */, "no-self-ping" /* Do not run self-ping for this LSP */, c( "random" /* Randomly select among equal-cost paths */, "least-fill" /* Select the least filled among equal-cost paths */, "most-fill" /* Select the most filled among equal-cost paths */ ), "description" arg /* Text description of label-switched path */, c( "link-protection" /* Protect LSP from link faults only */, "node-link-protection" /* Protect LSP from both link and node faults */ ), "intra-domain" /* Intra-domain LSP */, "inter-domain" /* Inter-domain LSP */, "adaptive" /* Have the LSP smoothly cut over to new routes */, "fast-reroute" ( /* Fast reroute */ c( "hop-limit" arg /* Maximum allowed router hops */, c( "bandwidth" arg /* Bandwidth to reserve (bps) */, "bandwidth-percent" arg /* Percentage of main path bandwidth to reserve */ ), c( "no-include-any" /* Disable include-any checking */, "include-any" arg /* Groups, one or more of which must be present */ ), c( "no-include-all" /* Disable include-all checking */, "include-all" arg /* Groups, all of which must be present */ ), c( "no-exclude" /* Disable exclude checking */, "exclude" arg /* Groups, all of which must be absent */ ) ) ), "p2mp" ( /* Point-to-multipoint label-switched path */ sc( arg /* Name of point-to-multipoint LSP */ ) ).as(:oneline), "auto-bandwidth" ( /* Do auto bandwidth allocation for this LSP */ c( "adjust-interval" arg /* Time to adjust LSP bandwidth */, "adjust-threshold" arg /* Percentage change in average LSP utilization to trigger auto-adjustment */, "adjust-threshold-absolute" arg /* Change in average LSP utilization to trigger auto-adjustment */, "adjust-threshold-activate-bandwidth" arg /* Adjusts signaled bw if greater than this value */, "minimum-bandwidth" arg /* Minimum LSP bandwidth */, "maximum-bandwidth" arg /* Maximum LSP bandwidth */, "minimum-bandwidth-adjust-interval" arg /* Duration for which minimum bandwidth will be frozen */, "minimum-bandwidth-adjust-threshold-change" arg /* Change in max average bandwidth to freeze min bandwidth */, "minimum-bandwidth-adjust-threshold-value" arg /* Freeze min bandwidth if max average bandwidth falls below this bw */, "monitor-bandwidth" /* Monitor LSP bandwidth without adjustments */, "adjust-threshold-overflow-limit" arg /* Number of consecutive overflow samples to trigger auto-adjustment */, "adjust-threshold-underflow-limit" arg /* Number of consecutive underflow samples to trigger auto-adjustment */, "resignal-minimum-bandwidth" /* Resignal the LSP using minimum-bandwidth */, "sync-active-path-bandwidth" /* Signal standby path with bandwidth obtained from active path */ ) ), "optimize-on-change" ( /* Specify additional re-optimization triggers for this LSP */ c( "link-congestion" /* Optimize when a link becomes congested */ ) ), "deselect-on-bandwidth-failure" ( /* Deselect active path if it cannot meet the bandwidth constraint */ c( "tear-lsp" /* Bring down active path when all paths fail to reserve required bandwidth */ ) ), "track-igp-metric" ( /* Track IGP metric for LSP install prefixes */ c( "install-v4-prefixes" /* Track IGP metric for IPV4 prefixes */, "install-v6-prefixes" /* Track IGP metric for IPV6 prefixes */ ) ), "associate-lsp" ( /* Associate the LSP for OAM */ c( arg /* Name of assocation LSP */, "from" ( /* Address of ingress router of associated LSP */ ipv4addr /* Address of ingress router of associated LSP */ ) ) ), "primary" arg ( /* Preferred path */ c( "bandwidth" ( /* Bandwidth to reserve (bps) */ bandwidth_type /* Bandwidth to reserve (bps) */ ), "class-of-service" arg /* Class-of-service value */, "no-decrement-ttl" /* Do not decrement the TTL within an LSP */, "hop-limit" arg /* Maximum allowed router hops */, "no-cspf" /* Disable automatic path computation */, "admin-down" /* Set GMPLS LSP to administrative down state */, "optimize-timer" arg /* Periodical path reoptimizations */, "preference" arg /* Preference value */, "priority" ( /* Preemption priorities */ c( arg, arg ) ), "record" /* Record transit routers */, "no-record" /* Don't record transit routers */, "standby" /* Keep backup paths in continuous standby */, "exclude-srlg" /* Exclude SRLG links for secondary path */, "admin-group" ( /* Administrative group policy */ admin_group_include_exclude /* Administrative group policy */ ), "admin-group-extended" ( /* Extended administrative group policy */ admin_group_include_exclude /* Extended administrative group policy */ ), "oam" ( /* Periodic OAM */ periodic_oam /* Periodic OAM */ ), "ultimate-hop-popping" /* Request ultimate hop popping from egress */, "sync-active-path-bandwidth" /* Signal standby path with bandwidth obtained from active path */, "cross-credibility-cspf" /* Compute paths across multi-protocol links and nodes */, "adaptive" /* Have the LSP smoothly cut over to new routes */, "select" ( ("manual" | "unconditional") ), "upstream-label" ( /* Upstream Label for the bidirectional label-switched path */ c( "vlan-id" arg /* VLAN ID label for the label-switched path */ ) ), "optimize-on-change" ( /* Specify additional re-optimization triggers for this path */ c( "link-congestion" /* Optimize when a link becomes congested */ ) ) ) ), "secondary" arg ( /* Backup path */ c( "bandwidth" ( /* Bandwidth to reserve (bps) */ bandwidth_type /* Bandwidth to reserve (bps) */ ), "class-of-service" arg /* Class-of-service value */, "no-decrement-ttl" /* Do not decrement the TTL within an LSP */, "hop-limit" arg /* Maximum allowed router hops */, "no-cspf" /* Disable automatic path computation */, "admin-down" /* Set GMPLS LSP to administrative down state */, "optimize-timer" arg /* Periodical path reoptimizations */, "preference" arg /* Preference value */, "priority" ( /* Preemption priorities */ c( arg, arg ) ), "record" /* Record transit routers */, "no-record" /* Don't record transit routers */, "standby" /* Keep backup paths in continuous standby */, "exclude-srlg" /* Exclude SRLG links for secondary path */, "admin-group" ( /* Administrative group policy */ admin_group_include_exclude /* Administrative group policy */ ), "admin-group-extended" ( /* Extended administrative group policy */ admin_group_include_exclude /* Extended administrative group policy */ ), "oam" ( /* Periodic OAM */ periodic_oam /* Periodic OAM */ ), "ultimate-hop-popping" /* Request ultimate hop popping from egress */, "sync-active-path-bandwidth" /* Signal standby path with bandwidth obtained from active path */, "cross-credibility-cspf" /* Compute paths across multi-protocol links and nodes */, "adaptive" /* Have the LSP smoothly cut over to new routes */, "select" ( ("manual" | "unconditional") ), "upstream-label" ( /* Upstream Label for the bidirectional label-switched path */ c( "vlan-id" arg /* VLAN ID label for the label-switched path */ ) ), "optimize-on-change" ( /* Specify additional re-optimization triggers for this path */ c( "link-congestion" /* Optimize when a link becomes congested */ ) ) ) ), "policing" ( /* Traffic policing for this LSP */ sc( "filter" arg /* Name of filter to use for policing LSP traffic */, "no-auto-policing" /* Turn off automatic policing for this LSP */ ) ).as(:oneline), "lsp-external-controller" arg /* Name of the external path computing entity */, "associate-backup-pe-groups" /* Associate this LSP with backup-pe groups */, "egress-protection" /* Use this LSP for egress protection data transport */ ) ), "deselect-on-bandwidth-failure" ( /* Deselect active path if it cannot meet the bandwidth constraint */ c( "tear-lsp" /* Bring down active path when all paths fail to reserve required bandwidth */ ) ), "track-igp-metric" ( /* Track IGP metric for LSP install prefixes */ c( "install-v4-prefixes" /* Track IGP metric for IPV4 prefixes */, "install-v6-prefixes" /* Track IGP metric for IPV6 prefixes */ ) ), "container-label-switched-path" arg ( c( ("disable"), "description" arg /* Text description of label-switched path */, "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg, "default-template" /* Use default parameters */ ) ) ), "to" ( /* Address of egress router */ ipv4addr /* Address of egress router */ ), "suffix" arg /* Suffix to generate names of members of container LSP */, "splitting-merging" ( /* Do splitting and merging */ c( "maximum-member-lsps" arg /* Maximum number of LSPs */, "minimum-member-lsps" arg /* Minimum number of LSPs */, "splitting-bandwidth" arg /* Maximum bandwidth threshold for splitting */, "merging-bandwidth" arg /* Minimum bandwidth threshold for merging */, "maximum-signaling-bandwidth" arg /* Maximum bandwidth for signaling during normalization */, "minimum-signaling-bandwidth" arg /* Minimum bandwidth for signaling during normalization */, "splitting-merging-threshold" arg /* Change in aggregate LSP utilization to trigger splitting or merging */, "normalization" ( /* Do normalization */ c( "normalize-interval" arg /* Time to normalize container LSP */, "failover-normalization" /* Do pre-mature normalization in case some LSPs go down before next normalization */, "no-incremental-normalize" /* Do not normalize unless all LSPs are successfully signaled */, "normalization-retry-duration" arg /* Time before retrying the container LSP normalization */, "normalization-retry-limits" arg /* Maximum number of times to retry container LSP normalization */ ) ), "sampling" ( /* Sampling information */ c( "cut-off-threshold" arg /* Cut-off percentile to remove outliers from aggregate samples */, c( "use-average-aggregate" /* Use average of the samples */, "use-percentile" arg /* Use a percentile of the samples */ ) ) ) ) ), "lsp-external-controller" arg /* Name of the external path computing entity */ ) ), "transit-lsp-association" arg ( /* Transit label switch path assoication */ c( "lsp-name-1" arg /* Name of assocation LSP 1 */, "from-1" ( /* Address of associated LSP 1 */ ipv4addr /* Address of associated LSP 1 */ ), "lsp-name-2" arg /* Name of assocation LSP 2 */, "from-2" ( /* Address of associated LSP 2 */ ipv4addr /* Address of associated LSP 2 */ ) ) ), "path" arg ( /* Route of a label-switched path */ c( sc( "abstract" /* Next system in path is abstract */, c( "loose" /* Next hop might not be adjacent */, "loose-link" /* Next hop link might not be adjacent */, "strict" /* Next hop must be adjacent */ ) ).as(:oneline) ) ), "static-label-switched-path" arg ( /* Static label-switched path */ c( c( "bypass" ( /* Bypass ingress label-switched path */ c( "bandwidth" arg /* Bandwidth to reserve */, "description" arg /* Text description of label-switched path */, "next-hop" ( /* IPv4 or IPv6 address or interface of next-hop router */ ipaddr_or_interface /* IPv4 or IPv6 address or interface of next-hop router */ ), "next-table" arg /* Next-table for lookup */, "push" arg /* Label to push */, "to" ( /* Address of egress router */ ipaddr /* Address of egress router */ ) ) ), "transit" arg ( /* Transit label-switched path */ c( "bandwidth" arg /* Bandwidth to reserve */, "description" arg /* Text description of label-switched path */, "link-protection" ( /* Bypass link protection */ sc( "bypass-name" arg /* Bypass label-switched path name */ ) ).as(:oneline), "next-hop" ( /* IPv4 or IPv6 address or interface of next-hop router */ ipaddr_or_interface /* IPv4 or IPv6 address or interface of next-hop router */ ), "member-interface" ( /* AE member interface name */ interface_unit /* AE member interface name */ ), "node-protection" ( /* Bypass node protection */ sc( "bypass-name" arg /* Bypass label-switched path name */, "next-next-label" arg /* Label expected by next-next-hop */ ) ).as(:oneline), c( "swap" arg /* Swap top label with this label */, "pop" /* Pop the top label */, "stitch" /* Swap top label with the resolved LSP */ ) ) ), "ingress" ( /* Ingress LSR configuration for a static LSP */ c( "bandwidth" arg /* Bandwidth to reserve */, "class-of-service" arg /* Class-of-service value */, "description" arg /* Text description of label-switched path */, "install" arg ( /* Install prefix */ sc( "active" /* Install prefix into forwarding table */ ) ).as(:oneline), "metric" arg /* Metric value */, "next-hop" ( /* IPv4 address or interface of next-hop router */ ipv4addr_or_interface /* IPv4 address or interface of next-hop router */ ), "link-protection" ( /* Bypass link protection */ sc( "bypass-name" arg /* Bypass label-switched path name */ ) ).as(:oneline), "node-protection" ( /* Bypass node protection */ sc( "bypass-name" arg /* Bypass label-switched path name */, "next-next-label" arg /* Label expected by next-next-hop */ ) ).as(:oneline), "no-install-to-address" /* Don't install host route 'to' address into routing tables */, "policing" ( /* Traffic policing for this LSP */ sc( "filter" arg /* Name of filter to use for policing LSP traffic */, "no-auto-policing" /* Turn off automatic policing for this LSP */ ) ).as(:oneline), "preference" arg /* Preference value */, "to" ( /* Address of egress router */ ipv4addr /* Address of egress router */ ), "push" arg /* Label to push */, "entropy-label" /* Enable entropy label */ ) ), "segment" ( /* Segment for segment routing */ c( arg, "description" arg /* Text description of label-switched path */, "next-hop" ( /* IPv4 address or interface of next-hop router */ ipv4addr_or_interface /* IPv4 address or interface of next-hop router */ ), c( "swap" arg /* Swap the SID label to this label */, "pop" /* Pop the SID label */ ) ) ) ) ) ), "constituent-list" arg ( /* MPLS constituent list for abstract hops */ c( "srlg" arg /* SRLG Name */, "admin-group" arg /* Administrative groups */, "admin-group-extended" arg /* Extended administrative groups */ ) ), "abstract-hop" arg ( /* MPLS abstract hop */ c( "operator" ( /* Operation among constituent lists */ ("AND" | "OR") ), "constituent-list" arg ( /* Building abstract hop using constituent lists */ c( c( "include-any-list" /* Include any */, "include-all-list" /* Include all */, "exclude-any-list" /* Exclude any */, "exclude-all-list" /* Exclude all */ ) ) ) ) ), "interface" arg ( /* MPLS interface options */ c( ("disable"), "srlg" arg /* SRLG Name */, "always-mark-connection-protection-tlv" /* Mark connection protection tlv on this interface */, "switch-away-lsps" /* Switch away protected LSPs to their bypass LSPs */, "admin-group" arg /* Administrative groups */, "admin-group-extended" arg /* Extended administrative groups */, "static" ( /* Static label-switch path related configurations */ c( "protection-revert-time" arg /* FRR revert wait time, 0 means disable */ ) ) ) ), "egress-protection" ( /* Egress router protection */ c( "context-identifier" arg ( /* Context identifier */ c( c( "primary" /* Primary */, "protector" /* Protector */ ), "metric" arg /* IGP metric */, "advertise-mode" ( /* Advertise mode */ ("stub-proxy" | "stub-alias") ), "admin-group" arg /* Administrative groups */ ) ), "traceoptions" ( /* Trace options for egress-protection */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("state" | "route" | "error" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "label-history" ( /* MPLS label history recording */ c( "max-entries" arg /* Limit for the number of history entry per label */ ) ), "label-range" ( /* MPLS labels ranges */ c( "lsi-label-range" arg ( /* LSI-label-range */ sc( arg ) ).as(:oneline), "block-label-range" arg ( /* Block-label-range */ sc( arg ) ).as(:oneline), "dynamic-label-range" arg ( /* Dynamic-label-range */ sc( arg ) ).as(:oneline), "static-label-range" arg ( /* Static-label-range */ sc( arg ) ).as(:oneline), "label-limit" arg /* Limit for the number of concurrent active labels */ ) ) ) end rule(:admin_group_include_exclude) do c( c( "include-any" arg /* Groups, one or more of which must be present */ ), c( "include-all" arg /* Groups, all of which must be present */ ), c( "exclude" arg /* Groups, all of which must be absent */ ) ) end rule(:juniper_protocols_msdp) do c( "data-encapsulation" ( /* Set encapsulation of data packets */ ("disable" | "enable") ), "rib-group" ( /* Routing table group */ rib_group_inet_type /* Routing table group */ ), "active-source-limit" ( /* Limit the number of active sources accepted */ c( "maximum" arg /* Maximum number of active sources accepted */, "threshold" arg /* RED threshold for active source acceptance */, "log-warning" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between log messages */ ) ), ("disable"), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "local-address" ( /* Local address */ ipv4addr /* Local address */ ), "traceoptions" ( /* Trace options for MSDP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "route" | "nsr-synchronization" | "source-active" | "source-active-request" | "source-active-response" | "keepalive" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "peer" arg ( /* Configure an MSDP peer */ c( ("disable"), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "local-address" ( /* Local address */ ipv4addr /* Local address */ ), "traceoptions" ( /* Trace options for MSDP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "route" | "nsr-synchronization" | "source-active" | "source-active-request" | "source-active-response" | "keepalive" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "active-source-limit" ( /* Limit the number of active sources accepted */ c( "maximum" arg /* Maximum number of active sources accepted */, "threshold" arg /* RED threshold for active source acceptance */, "log-warning" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between log messages */ ) ), "keep-alive" arg /* Time limit for sending out periodic keep alive to peer */, "hold-time" arg /* Max time to terminating a peer for having not received any message from */, "sa-hold-time" arg /* Max time for holding a sa message before timing out */, "default-peer" /* Default RPF peer */, "authentication-key" arg /* MD5 authentication key */ ) ), "keep-alive" arg /* Time limit for sending out periodic keep alive to peer */, "hold-time" arg /* Max time to terminating a peer for having not received any message from */, "sa-hold-time" arg /* Max time for holding a sa message before timing out */, "source" arg ( /* Configure parameters for each source */ c( "active-source-limit" ( /* Limit the number of active sources accepted */ c( "maximum" arg /* Maximum number of active sources accepted */, "threshold" arg /* RED threshold for active source acceptance */, "log-warning" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between log messages */ ) ) ) ), "group" arg ( /* Configure MSDP peer groups */ c( "mode" ( /* MSDP group source-active flooding mode */ ("standard" | "mesh-group") ), ("disable"), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "local-address" ( /* Local address */ ipv4addr /* Local address */ ), "traceoptions" ( /* Trace options for MSDP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "route" | "nsr-synchronization" | "source-active" | "source-active-request" | "source-active-response" | "keepalive" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "peer" arg ( /* Configure an MSDP peer */ c( ("disable"), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "local-address" ( /* Local address */ ipv4addr /* Local address */ ), "traceoptions" ( /* Trace options for MSDP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "route" | "nsr-synchronization" | "source-active" | "source-active-request" | "source-active-response" | "keepalive" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "active-source-limit" ( /* Limit the number of active sources accepted */ c( "maximum" arg /* Maximum number of active sources accepted */, "threshold" arg /* RED threshold for active source acceptance */, "log-warning" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between log messages */ ) ), "keep-alive" arg /* Time limit for sending out periodic keep alive to peer */, "hold-time" arg /* Max time to terminating a peer for having not received any message from */, "sa-hold-time" arg /* Max time for holding a sa message before timing out */, "default-peer" /* Default RPF peer */, "authentication-key" arg /* MD5 authentication key */ ) ) ) ) ) end rule(:juniper_protocols_mstp) do c( ("disable"), "bpdu-destination-mac-address" ( /* Destination MAC address in the spanning tree BPDUs */ ("provider-bridge-group") ), "configuration-name" arg /* Configuration name (part of MST configuration identifier) */, "revision-level" arg /* Revision level (part of MST configuration identifier) */, "max-hops" arg /* Maximum number of hops */, "max-age" arg /* Maximum age of received protocol bpdu */, "hello-time" arg /* Time interval between configuration BPDUs */, "forward-delay" arg /* Time spent in listening or learning state */, "system-identifier" ( /* Sytem identifier to represent this node */ mac_unicast /* Sytem identifier to represent this node */ ), "traceoptions" ( /* Tracing options for debugging protocol operation */ stp_trace_options /* Tracing options for debugging protocol operation */ ), "bridge-priority" arg /* Priority of the bridge (in increments of 4k - 0,4k,8k,..60k) */, "backup-bridge-priority" arg /* Priority of the bridge (in increments of 4k - 4k,8k,..60k) */, "bpdu-block-on-edge" /* Block BPDU on all interfaces configured as edge (BPDU Protect) */, "vpls-flush-on-topology-change" /* Enable VPLS MAC flush on root protected CE interface receving topology change */, "priority-hold-time" arg /* Hold time before switching to primary priority when core domain becomes up */, "system-id" ( /* System ID to IP mapping */ system_id_ip_map /* System ID to IP mapping */ ), "interface" ( /* Interface options */ mstp_interface /* Interface options */ ), "msti" arg ( /* Per-MSTI options */ c( "bridge-priority" arg /* Priority of the bridge (in increments of 4k - 0,4k,8k,..60k) */, "backup-bridge-priority" arg /* Priority of the bridge (in increments of 4k - 4k,8k,..60k) */, "vlan" arg /* VLAN ID or VLAN ID range [1..4094] */, "interface" ( /* Interface options */ mstp_interface /* Interface options */ ) ) ) ) end rule(:juniper_protocols_mvpn) do c( "traceoptions" ( /* Trace options for BGP-MVPN */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "nlri" | "topology" | "tunnel" | "umh" | "intra-as-ad" | "inter-as-ad" | "spmsi-ad" | "leaf-ad" | "source-active" | "cmcast-join" | "mdt-safi-ad" | "mvpn-limit" | "nsr-synchronization" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "autodiscovery-only" ( /* Use MVPN exclusively for PE router autodiscovery */ c( "intra-as" ( /* Intra-AS autodiscovery options */ c( "inclusive" /* Inclusive provider tunnel autodiscovery */ ) ) ) ), "family" ( /* BGP-MVPN address family */ c( "any" ( /* BGP-MVPN properties for all families */ c( "disable" /* Disable all families */ ) ), "inet" ( /* IPv4 BGP-MVPN properties */ c( "autodiscovery-only" ( /* Use MVPN exclusively for PE router autodiscovery */ c( "intra-as" ( /* Intra-AS autodiscovery options */ c( "inclusive" /* Inclusive provider tunnel autodiscovery */ ) ) ) ), "disable" /* Disable family IPv4 */ ) ), "inet6" ( /* IPv6 BGP-MVPN properties */ c( "autodiscovery-only" ( /* Use MVPN exclusively for PE router autodiscovery */ c( "intra-as" ( /* Intra-AS autodiscovery options */ c( "inclusive" /* Inclusive provider tunnel autodiscovery */ ) ) ) ), "disable" /* Disable family IPv6 */ ) ) ) ), c( "receiver-site" /* MVPN instance has sites only with multicast receivers */, "sender-site" /* MVPN instance has sites only with multicast sources */ ), "unicast-umh-election" /* Upstream Multicast Hop election based on unicast route preference */, "static-umh" ( /* Upstream Multicast Hop election based on static configuration */ c( "primary" ( /* Primary Upstream Multicast Hop */ ipv4addr /* Primary Upstream Multicast Hop */ ), "backup" ( /* Secondary Upstream Multicast Hop */ ipv4addr /* Secondary Upstream Multicast Hop */ ), c( "source-tree" /* Mandatory attribute - static-umh applies only to MVPN source-tree c-multicast joins */ ) ) ), "cmcast-joins-limit-inet" arg /* Maximum number of cmcast entries for v4 */, "cmcast-joins-limit-inet6" arg /* Maximum number of cmcast entries for v6 */, "mvpn-mode" ( /* MVPN mode of operation */ c( c( "rpt-spt" ( /* MVPN works in multicast RPT and SPT mode */ c( "spt-switch-timer" arg /* Timeout before a PE router switches between RPT and SPT */ ) ), "spt-only" ( /* MVPN works in multicast SPT only mode (default mode) */ c( "source-active-advertisement" ( /* Attributes associated with advertising Source-Active A-D routes */ c( "dampen" arg /* Time to wait before re-advertising source-active route */, "min-rate" arg /* Minimum traffic rate required to advertise Source-Active route */ ) ), "convert-sa-to-msdp" /* Turn on MVPN SA route to MSDP SA conversion */ ) ) ) ) ), "route-target" ( /* Configure route-targets for MVPN routes */ c( "import-target" ( /* Target communities used when importing routes */ c( "unicast" ( /* Use the same target community as configured for unicast */ sc( c( "receiver" /* Target community used when importing receiver site routes */, "sender" /* Target community used when importing sender site routes */ ) ) ).as(:oneline), "target" ( /* Target community */ sc( arg, c( "receiver" /* Target community used when importing receiver site routes */, "sender" /* Target community used when importing sender site routes */ ) ) ).as(:oneline) ) ), "export-target" ( /* Target communities used when exporting routes */ c( "unicast" /* Use the same target community as configured for unicast */, "target" arg /* Target community */ ) ) ) ), "mvpn-join-load-balance" ( /* MVPN Join Load Balancing Algorithm */ c( c( "bytewise-xor-hash" /* Upstream selection using bytewise XOR hash */ ) ) ), "install-discard" /* Install MVPN discard forwarding entries */, "sender-based-rpf" /* Forward multicast traffic only from a selected sender PE */, "hot-root-standby" ( /* MVPN live-live - hot root standby */ c( c( "source-tree" /* MVPN live-live - hot root standby for source tree */ ), "min-rate" ( /* Minimum traffic rate for the provider tunnel below which switchover is initiated (in bps) */ c( "rate" arg /* Minium traffic rate for the provider tunnel below which switchover is initiated (in bps) */, "revert-delay" arg /* Time to delay updating of multicast routes to allow for multicast convergence */ ) ) ) ), "hierarchical-nexthop" /* Enable hierarchical nexthop usage */, "no-nexthop-sharing-for-selective-tunnel" /* Disable Tunnel nexthops from getting shared for selective tunnel */, "inter-region-template" ( /* MVPN inter-region tunnel mapping template */ c( "template" arg ( /* Define a inter-region template */ c( "region" arg ( /* BGP peer group names used as region */ c( c( "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "ingress-replication" ( /* Ingress replication tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "incoming" /* Same as incoming provider tunnel */ ) ) ), "all-regions" ( /* Used for all regions not specified */ c( c( "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "ingress-replication" ( /* Ingress replication tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "incoming" /* Same as incoming provider tunnel */ ) ) ) ) ) ) ), "source-redundancy" /* Assume all the sources for a particular group is sending same data */, "umh-selection-additional-input" ( /* Additional parameters to consider during UMH */ c( "source-active-preference" /* Use the preference set in the source active route */, "tunnel-status" /* Use the RSVP tunnel status */ ) ) ) end rule(:juniper_protocols_mvrp) do c( "traceoptions" ( /* Tracing options for MVRP */ mrp_trace_options /* Tracing options for MVRP */ ), "join-timer" arg /* Join timer interval */, "leave-timer" arg /* Leave timer interval */, "leaveall-timer" arg /* Leaveall timer interval */, "no-dynamic-vlan" /* Disable dynamic VLAN creation */, "no-attribute-length-in-pdu" /* No attribute length while sending pdu */, "bpdu-destination-mac-address" ( /* Destination MAC address in the MVRP BPDUs */ ("provider-bridge-group") ), "interface" arg ( /* Configure interface options */ c( "join-timer" arg /* Join timer interval */, "leave-timer" arg /* Leave timer interval */, "leaveall-timer" arg /* Leaveall timer interval */, "point-to-point" /* Port is point to point */, "registration" ( /* Registration mode */ ("normal" | "restricted" | "forbidden") ) ) ) ) end rule(:juniper_protocols_ospf) do c( ("disable"), "traceoptions" ( /* Trace options for OSPF */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("spf" | "error" | "event" | "packet-dump" | "flooding" | "lsa-analysis" | "packets" | "hello" | "database-description" | "lsa-request" | "lsa-update" | "lsa-ack" | "ldp-synchronization" | "on-demand" | "nsr-synchronization" | "graceful-restart" | "restart-signaling" | "backup-spf" | "source-packet-routing" | "post-convergence-lfa" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology parameters */ c( "disable" /* Disable this topology */, "topology-id" arg /* Topology identifier */, "overload" /* Set the overload mode (repel transit traffic) */, "rib-group" arg /* Routing table group for importing routes */, "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */ ) ), "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */, "rib-group" arg /* Routing table group for importing OSPF routes */, "job-stats" /* Collect job statistics */, "overload" ( /* Set the overload mode (repel transit traffic) */ c( "timeout" arg /* Time after which overload mode is reset */, "allow-route-leaking" /* Allow routes to be leaked when overload is configured */, "stub-network" /* Advertise Stub Network with maximum metric */, "intra-area-prefix" /* Advertise Intra Area Prefix with maximum metric */, "as-external" /* Advertise As External with maximum usable metric */ ) ), "database-protection" ( /* Configure database protection attributes */ c( "maximum-lsa" arg /* Maximum allowed non self-generated LSAs */, "warning-only" /* Emit only a warning when LSA maximum limit is exceeded */, "warning-threshold" arg /* Percentage of LSA maximum above which to trigger warning */, "ignore-count" arg /* Maximum number of times to go into ignore state */, "ignore-time" arg /* Time to stay in ignore state and ignore all neighbors */, "reset-time" arg /* Time after which the ignore count gets reset to zero */ ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "restart-duration" arg /* Time for all neighbors to become full */, "notify-duration" arg /* Time to send all max-aged grace LSAs */, "helper-disable" ( /* Disable graceful restart helper capability */ c( c( "standard" /* Disable helper-mode for rfc3623 based GR */, "restart-signaling" /* Disable helper mode for restart-signaling */, "both" /* Disable helper mode for both the types of GR */ ) ) ), "no-strict-lsa-checking" /* Do not abort graceful helper mode upon LSA changes */ ) ), "traffic-engineering" ( /* Configure traffic engineering attributes */ c( "no-topology" /* Disable dissemination of TE link-state topology information */, "multicast-rpf-routes" /* Install routes for multicast RPF checks into inet.2 */, "igp-topology" /* Download IGP topology into TED */, "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "shortcuts" ( /* Use label-switched paths as next hops, if possible */ c( "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "lsp-metric-into-summary" /* Advertise LSP metric into summary LSAs */ ) ), "advertise-unnumbered-interfaces" /* Advertise unnumbered interfaces */, "credibility-protocol-preference" /* TED protocol credibility follows protocol preference */ ) ), "route-type-community" ( /* Specify BGP extended community value to encode OSPF route type */ ("iana" | "vendor") ), "domain-id" ( /* Configure domain ID */ sc( c( arg /* Domain ID */, "disable" /* Disable domain ID */ ) ) ).as(:oneline), c( "domain-vpn-tag" arg /* Domain VPN tag for external LSA */, "no-domain-vpn-tag" /* Disable domain VPN tag */ ), "preference" arg /* Preference of internal routes */, "external-preference" arg /* Preference of external routes */, "labeled-preference" arg /* Preference of labeled routes */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy (for external routes or setting priority) */ policy_algebra /* Import policy (for external routes or setting priority) */ ), "reference-bandwidth" arg /* Bandwidth for calculating metric defaults */, "lsa-refresh-interval" arg /* LSA refresh interval (minutes) */, "spf-delay" arg /* Time to wait before running an SPF */, "no-rfc-1583" /* Disable RFC1583 compatibility */, "source-packet-routing" ( /* Enable source packet routing (SPRING) */ c( "node-segment" ( /* Enable support for Node segments in SPRING */ c( "ipv4-index" arg /* Set ipv4 node segment index */, "index-range" arg /* Set range of node segment indices allowed */ ) ), "mapping-server" arg /* Mapping server name */, "install-prefix-sid-for-best-route" /* For best route install a exact prefix sid route */ ) ), "forwarding-address-to-broadcast" /* Set forwarding address in Type 5 LSA in broadcast network */, c( "no-nssa-abr" /* Disable full NSSA functionality at ABR */ ), "sham-link" ( /* Configure parameters for sham links */ c( "local" ( /* Local sham link endpoint address */ ipaddr /* Local sham link endpoint address */ ), "no-advertise-local" /* Don't advertise local sham link endpoint as stub in router LSA */ ) ), "area" arg ( /* Configure an OSPF area */ c( c( "stub" ( /* Configure a stub area */ sc( "default-metric" arg /* Metric for the default route in this stub area */, "summaries" /* Flood summary LSAs into this stub area */, "no-summaries" /* Don't flood summary LSAs into this stub area */ ) ).as(:oneline), "nssa" ( /* Configure a not-so-stubby area */ c( "default-lsa" ( /* Configure a default LSA */ c( "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "type-7" /* Flood type 7 default LSA if no-summaries is configured */ ) ), "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "summaries" /* Flood summary LSAs into this NSSA area */, "no-summaries" /* Don't flood summary LSAs into this NSSA area */, "area-range" arg ( /* Configure NSSA area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" ( /* Override the dynamic metric for this area-range */ c( arg, "metric-type" arg /* Set the metric type for the override metric */ ) ) ) ) ) ) ), "area-range" arg ( /* Configure area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" arg /* Override the dynamic metric for this area-range */ ) ), "network-summary-export" ( /* Export policy for Type 3 Summary LSAs */ policy_algebra /* Export policy for Type 3 Summary LSAs */ ), "network-summary-import" ( /* Import policy for Type 3 Summary LSAs */ policy_algebra /* Import policy for Type 3 Summary LSAs */ ), "inter-area-prefix-export" ( /* Export policy for Inter Area Prefix LSAs */ policy_algebra /* Export policy for Inter Area Prefix LSAs */ ), "inter-area-prefix-import" ( /* Import policy for Inter Area Prefix LSAs */ policy_algebra /* Import policy for Inter Area Prefix LSAs */ ), "authentication-type" ( /* Authentication type */ ("none" | "simple" | "md5") ), "virtual-link" ( /* Configure virtual links */ s( "neighbor-id" arg /* Router ID of a virtual neighbor */, "transit-area" arg /* Transit area in common with virtual neighbor */, c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ) ), "sham-link-remote" arg ( /* Configure parameters for remote sham link endpoint */ c( "metric" arg /* Sham link metric */, "ipsec-sa" arg /* IPSec security association name */, "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "interface" arg ( /* Include an interface in this area */ c( ("disable"), "interface-type" ( /* Type of interface */ ("nbma" | "p2mp" | "p2p" | "p2mp-over-lan") ), "post-convergence-lfa" ( /* Protect interface using post-convergence backup path */ c( "node-protection" ( /* Compute backup path assuming node failure */ c( "cost" arg /* Cost for node protection */ ) ) ) ), c( "link-protection" /* Protect interface from link faults only */, "node-link-protection" /* Protect interface from both link and node faults */ ), "no-eligible-backup" /* Not eligible to backup traffic from protected interfaces */, "no-eligible-remote-backup" /* Not eligible for Remote-LFA backup traffic from protected interfaces */, "passive" ( /* Do not run OSPF, but advertise it */ c( "traffic-engineering" ( /* Advertise TE link information */ c( "remote-node-id" ( /* Remote address of the link */ ipaddr /* Remote address of the link */ ), "remote-node-router-id" ( /* TE Router-ID of the remote node */ ipv4addr /* TE Router-ID of the remote node */ ) ) ) ) ), "secondary" /* Treat interface as secondary */, "own-router-lsa" /* Generate a separate router LSA for this interface */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ), "metric" arg /* Interface metric */, "te-metric" arg /* Traffic engineering metric */, "priority" arg /* Designated router priority */, "ldp-synchronization" ( /* Advertise maximum metric until LDP is operational */ ldp_sync_obj /* Advertise maximum metric until LDP is operational */ ), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ), "transmit-interval" arg /* OSPF packet transmit interval (milliseconds) */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "full-neighbors-only" /* Setup BFD sessions only to Full neighbors */ ) ), "dynamic-neighbors" /* Learn neighbors dynamically on a p2mp interface */, "no-advertise-adjacency-segment" /* Do not advertise an adjacency segment for this interface */, "neighbor" arg ( /* NBMA neighbor */ sc( "eligible" /* Eligible to be DR on an NBMA network */ ) ).as(:oneline), "poll-interval" arg /* Poll interval for NBMA interfaces */, "no-interface-state-traps" /* Do not send interface state change traps */ ) ), "no-source-packet-routing" /* Disable SPRING in this area */, "no-context-identifier-advertisement" /* Disable context identifier advertisments in this area */, "context-identifier" arg /* Configure context identifier in support of edge protection */, "label-switched-path" arg ( /* Configuration for advertisement of a label-switched path */ c( ("disable"), "metric" arg /* Interface metric */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "peer-interface" arg ( /* Configuration for peer interface */ c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */ ) ) ) ) ) end rule(:juniper_protocols_overlayd) do c( "traceoptions" ( /* Overlayd trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("socket" | "rtsock" | "config" | "all")) /* Tracing flag parameters */.as(:oneline) ) ) ) end rule(:juniper_protocols_pgm) do c( "traceoptions" ( /* PGM trace options */ c( "flag" enum(("init" | "show" | "route-socket" | "parse" | "state" | "packets" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) end rule(:juniper_protocols_pim) do c( "family" ( /* Local address family */ c( "any" ( /* Default properties for all address families */ c( "disable" /* Disable all families */ ) ), "inet" ( /* IPv4 specific properties */ c( ("disable") ) ), "inet6" ( /* IPv6 specific properties */ c( ("disable") ) ) ) ), ("disable"), "nonstop-routing" ( /* Configure PIM nonstop-routing attributes */ c( ("disable") ) ), "traceoptions" ( /* Trace options for PIM */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("route" | "packets" | "hello" | "register" | "join" | "prune" | "graft" | "bootstrap" | "rp" | "autorp" | "assert" | "mdt" | "nsr-synchronization" | "bidirectional-df-election" | "mofrr" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */, "filter" ( /* Filter to apply to this flag */ pim_filter_obj /* Filter to apply to this flag */ ) ) ).as(:oneline) ) ), "dense-groups" ( /* Dense mode groups for sparse-dense mode */ c( "dynamic-reject" /* Reject dynamic autorp negative dense-mode prefixes learnt from network */, sc( ("reject" | "announce") ).as(:oneline) ) ), "vpn-tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ), "vpn-group-address" ( /* Group address for the VPN in provider space */ ipv4addr /* Group address for the VPN in provider space */ ), "tunnel-devices" ( /* Tunnel devices to be used for creating mt interfaces */ interface_device /* Tunnel devices to be used for creating mt interfaces */ ), "rpf-selection" ( /* Select RPF neighbor */ c( "group" arg ( /* IP prefix of multicast group */ c( "wildcard-source" ( /* Select RPF for (*,g) and unspecified (s,g) joins */ c( "next-hop" ( /* Next-hop address */ ipaddr /* Next-hop address */ ) ) ), "source" arg ( /* IP prefix of one or more multicast sources */ c( "next-hop" ( /* Next-hop address */ ipaddr /* Next-hop address */ ) ) ) ) ), "prefix-list" arg ( /* Multicast group prefix list */ c( "wildcard-source" ( /* Select RPF for (*,g) and unspecified (s,g) joins */ c( "next-hop" ( /* Next-hop address */ ipaddr /* Next-hop address */ ) ) ), "source" arg ( /* IP prefix of one or more multicast sources */ c( "next-hop" ( /* Next-hop address */ ipaddr /* Next-hop address */ ) ) ) ) ) ) ), "mvpn" ( /* PIM MVPN control-plane options */ c( "autodiscovery" ( /* PE router autodiscovery options for SSM MDTs */ c( "inet-mdt" /* MDT-SAFI PE autodiscovery for SSM MDTs */ ) ), "family" ( /* PIM MVPN address family */ c( "inet" ( /* IPv4 PIM MVPN specific properties */ c( "rosen-mvpn", "ngen-mvpn", "autodiscovery" ( /* PE router autodiscovery options for SSM MDTs */ c( "inet-mdt" /* MDT-SAFI PE autodiscovery for SSM MDTs */ ) ), "disable" /* Disable family IPv4 */ ) ), "inet6" ( /* IPv6 PIM MVPN specific properties */ c( "rosen-mvpn", "ngen-mvpn", "autodiscovery" ( /* PE router autodiscovery options for SSM MDTs */ c( "inet-mdt" /* MDT-SAFI PE autodiscovery for SSM MDTs */ ) ), "disable" /* Disable family IPv6 */ ) ) ) ) ) ), "rib-group" ( /* Routing table group */ rib_group_type /* Routing table group */ ), "import" ( /* PIM sparse import join policy */ policy_algebra /* PIM sparse import join policy */ ), "export" ( /* PIM sparse export join policy */ policy_algebra /* PIM sparse export join policy */ ), "mldp-inband-signalling" ( c( "policy" ( /* PIM MLDP join translation filter policy */ policy_algebra /* PIM MLDP join translation filter policy */ ) ) ), "rpf-vector" ( /* RPF vector TLV */ c( "policy" ( /* RPF vector TLV include policy */ policy_algebra /* RPF vector TLV include policy */ ) ) ), "assert-timeout" arg /* Set assert timeout */, "assert-robust-count" arg /* Number of assert messages an assert winner sends in one cycle */, "join-prune-timeout" arg /* Set join/prune timeout */, "spt-threshold" ( /* Set shortest-path-tree threshold policy */ c( "infinity" ( /* Apply policy to always remain on shared tree */ policy_algebra /* Apply policy to always remain on shared tree */ ) ) ), "sglimit" ( /* Set limit on number of (S,G) states */ c( "family" enum(("inet" | "inet6")) ( /* Protocol family */ c( "maximum" arg /* Maximum limit above which additional entries are not accepted */, "threshold" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between successive log messages */ ) ), "maximum" arg /* Maximum limit above which additional entries are not accepted */, "threshold" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between successive log messages */ ) ), "rp" ( /* Router's rendezvous point properties */ c( "bootstrap-priority" arg /* Eligibility to be the bootstrap router (IPv4 only) */, "bootstrap-import" ( /* Bootstrap import policy (IPv4 only) */ policy_algebra /* Bootstrap import policy (IPv4 only) */ ), "bootstrap-export" ( /* Bootstrap export policy (IPv4 only) */ policy_algebra /* Bootstrap export policy (IPv4 only) */ ), "bootstrap" ( /* Bootstrap properties */ c( "family" ( /* Bootstrap address family */ c( "inet" ( /* IPv4 bootstrap properties */ pim_bootstrap_options_type /* IPv4 bootstrap properties */ ), "inet6" ( /* IPv6 bootstrap properties */ pim_bootstrap_options_type /* IPv6 bootstrap properties */ ) ) ) ) ), "register-limit" ( /* Set limit on incoming registers that create (S,G) state */ c( "family" enum(("inet" | "inet6")) ( /* Protocol family */ c( "maximum" arg /* Maximum limit above which additional entries are not accepted */, "threshold" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between successive log messages */ ) ), "maximum" arg /* Maximum limit above which additional entries are not accepted */, "threshold" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between successive log messages */ ) ), "group-rp-mapping" ( /* Group-rp-mapping */ c( "family" enum(("inet" | "inet6")) ( /* Protocol family */ c( "maximum" arg /* Maximum limit above which additional entries are not accepted */, "threshold" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between successive log messages */ ) ), "maximum" arg /* Maximum limit above which additional entries are not accepted */, "threshold" arg /* Percentage of maximum at which to start generating warnings */, "log-interval" arg /* Time between successive log messages */ ) ), "rp-register-policy" ( /* RP policy applied to incoming register messages */ policy_algebra /* RP policy applied to incoming register messages */ ), "dr-register-policy" ( /* DR policy applied to outgoing register messages */ policy_algebra /* DR policy applied to outgoing register messages */ ), "local" ( /* Router's local RP properties */ c( "address" ( /* Local RP address (IPv4 only) */ ipv4addr /* Local RP address (IPv4 only) */ ), ("disable"), "priority" arg /* Router's priority for becoming an RP (IPv4 only) */, "hold-time" arg /* How long neighbor considers this router to be up, in seconds (IPv4 only) */, "group-ranges" arg /* Group address range for which this router can be an RP (IPv4 only) */, "override" /* Static RP mapping will take precedence over dynamic */, "family" ( /* Local RP address family */ c( "inet" ( /* IPv4 local RP properties */ c( "address" ( /* Local RP address */ ipv4addr /* Local RP address */ ), ("disable"), "priority" arg /* Router's priority for becoming an RP */, "hold-time" arg /* How long neighbor considers this router to be up, in seconds */, "group-ranges" arg /* Group address range for which this router can be an RP */, "override" /* Static RP mapping will take precedence over dynamic */, "anycast-pim" ( /* Attributes for IPv4 anycast PIM */ c( "rp-set" ( /* Rendezvous points belonging to anycast RP set */ c( "address" arg ( /* IPv4 address of one or more remote anycast RPs */ c( "forward-msdp-sa" /* Forward SAs learned from MSDP to this RP */ ) ) ) ), "local-address" ( /* Local address for replicating register messages to other RPs */ ipaddr /* Local address for replicating register messages to other RPs */ ) ) ) ) ), "inet6" ( /* IPv6 local RP properties */ c( "address" ( /* Local RP address */ ipv6addr /* Local RP address */ ), ("disable"), "priority" arg /* Router's priority for becoming an RP */, "hold-time" arg /* How long neighbor considers this router to be up, in seconds */, "group-ranges" arg /* Group address range for which this router can be an RP */, "override" /* Static RP mapping will take precedence over dynamic */, "anycast-pim" ( /* Attributes for IPv6 anycast PIM */ c( "rp-set" ( /* Rendezvous points belonging to anycast RP set */ c( "address" arg /* IPv6 address of one or more remote anycast RPs */ ) ), "local-address" ( /* Local address for replicating register messages to other RPs */ ipv6addr /* Local address for replicating register messages to other RPs */ ) ) ) ) ) ) ) ) ), "embedded-rp" ( /* Set embedded-RP mode (IPv6 only) */ c( "group-ranges" ( /* Group address range of RP */ pim_rp_group_range_type /* Group address range of RP */ ), "maximum-rps" arg /* Maximum number of embedded RPs */ ) ), "auto-rp" ( /* Set auto-RP mode (IPv4 only) */ c( ("discovery" | "announce" | "mapping"), "mapping-agent-election" /* Consider higher-addressed mapping agents as authoritative */, "no-mapping-agent-election" /* Don't consider higher-addressed mapping agents as authoritative */ ) ), "static" ( /* Configure static PIM RPs */ c( "address" arg ( /* RP address */ c( "version" arg /* PIM version of RP */, "group-ranges" ( /* Group address range of RP */ pim_rp_group_range_type /* Group address range of RP */ ), "override" /* Static RP mapping will take precedence over dynamic */ ) ) ) ), "bidirectional" /* Configure PIM bidirectional-mode RPs */, "register-probe-time" arg /* Register probe time */ ) ), "passive" /* Configure PIM protocol in passive mode */, "interface" ("$junos-interface-name" | arg) ( /* PIM interface options */ c( "family" ( /* Local address family */ c( "any" ( /* Default properties for all families */ c( "disable" /* Disable all families */ ) ), "inet" ( /* IPv4 specific properties */ c( "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ) ) ), "mcae-mac-synchronize" /* Mclag mac synchronization */, ("disable") ) ), "inet6" ( /* IPv6 specific properties */ c( "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ) ) ), ("disable") ) ) ) ), ("disable"), "bidirectional" /* PIM bidirectional mode properties */, "mode" ( /* Mode of interface */ ("dense" | "sparse" | "sparse-dense" | "bidirectional-sparse" | "bidirectional-sparse-dense") ), "priority" arg /* Hello option DR priority */, "stickydr" /* Make DR sticky */, "version" arg /* Force PIM version */, "hello-interval" arg /* Hello interval */, "neighbor-policy" ( /* PIM neighbor policy applied to incoming hello messages */ policy_algebra /* PIM neighbor policy applied to incoming hello messages */ ), "accept-remote-source" /* Accept traffic from remote source */, "dual-dr" ( /* Configure PIM Dual DR */ c( "enhanced" /* Enable enhanced PIM Dual DR */ ) ), "distributed-dr" /* PIM Distributed DR */, "reset-tracking-bit" /* Clear tracking-bit in PIM Hello LAN Prune Delay Option */, "propagation-delay" arg /* Propagation delay value */, "override-interval" arg /* Override interval value */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options (ipv4 only) */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ) ) ) ) ), "mdt" ( /* Configure multicast data tunnel parameters */ c( "threshold" ( /* Threshold for creation of multicast tunnels */ c( "group" arg ( /* IP prefix of multicast group */ c( "source" arg ( /* IP prefix of one or more multicast sources */ c( "rate" arg /* Data threshold to create new tunnel */ ) ) ) ) ) ), "data-mdt-reuse" /* Allow multiple customer streams to be transmitted over one data tunnel */, "tunnel-limit" arg /* Maximum multicast data tunnels */, "group-range" ( /* Group address range for multicast data tunnels */ ipprefix /* Group address range for multicast data tunnels */ ) ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "restart-duration" arg /* Maximum time for graceful restart to finish (seconds) */, "no-bidirectional-mode" /* Disable PIM graceful restart for bidirectional mode */, "restart-complete-duration" arg /* Maximum time for graceful restart to complete (seconds) */ ) ), "join-load-balance" ( /* Configure PIM join load balancing */ c( "automatic" /* Enable automatic PIM join load balancing */ ) ), "standby-path-creation-delay" arg /* Amount of time to wait before creating standby path */, "idle-standby-path-switchover-delay" arg /* Amount of time to wait before switching over to idle standby path */, "dr-election-on-p2p" /* Enable DR election on Point-to-Point Interfaces */, "no-wildcard-register-stop" /* Disable sending of wildcard register stop message */, "nexthop-hold-time" arg /* Nexthop hold time in milliseconds */, "mpls-internet-multicast" /* Enable support for Internet Multicast over MPLS */, "join-make-before-break" ( /* Enable PIM Join Make-Before-Break during RPF neighbor change */ c( ("disable") ) ), "reset-tracking-bit" /* Clear tracking-bit in PIM Hello LAN Prune Delay Option */, "propagation-delay" arg /* Propagation delay value */, "override-interval" arg /* Override interval value */, "default-vpn-source" ( /* Let all VRFs use master loopback address for mt interfaces */ c( "interface-name" ( /* Master loopback interface name */ interface_unit /* Master loopback interface name */ ) ) ), "static" ( /* Static PIM Join */ c( "distributed" /* Distributed all PIM Joins */, "group" arg ( /* IP multicast group address */ c( "distributed" /* Distributed static group */, "source" arg ( /* IP multicast source address */ c( "distributed" /* Distributed static source */, "no-upstream-join" /* Prevent sending PIM join */ ) ) ) ) ) ) ) end rule(:juniper_protocols_protection_group) do c( "ethernet-aps" ( /* Ethernet APS configuration */ juniper_protocols_protection_group_eaps /* Ethernet APS configuration */ ), "traceoptions" ( /* Tracing options for debugging protocol operation */ erp_trace_options /* Tracing options for debugging protocol operation */ ), "restore-interval" arg /* Wait to restore interval */, "guard-interval" arg /* Guard timer interval in 10ms steps */, "hold-interval" arg /* Hold off timer interval in 100ms steps */, "ethernet-ring" ( /* Ethernet ring */ juniper_protocols_protection_group_ethernet_ring /* Ethernet ring */ ) ) end rule(:erp_trace_options) do c( "flag" enum(("events" | "pdu" | "timers" | "state-machine" | "periodic-packet-management" | "config" | "normal" | "debug" | "all")) /* Tracing parameters */.as(:oneline), "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ) ) end rule(:juniper_protocols_protection_group_eaps) do c( juniper_protocols_protection_group_eaps_profile ) end rule(:juniper_protocols_protection_group_eaps_profile) do arg.as(:arg) ( c( "protocol" ( /* Protocol value */ ("ccm" | "G.8031") ), "revert-time" arg /* Reversion time in minutes, 0 would mean no reversion */, "hold-time" arg /* Hold time in seconds */, "local-request" ( /* Local APS request */ ("lockout") ) ) ) end rule(:juniper_protocols_protection_group_ethernet_ring) do arg.as(:arg) ( c( "node-id" ( /* Node ID of the protection group, by default bridge's MAC */ mac_unicast /* Node ID of the protection group, by default bridge's MAC */ ), "ring-protection-link-owner" /* Ring protection link owner flag, one ring should have only one node as a ring protection link owner */, "level" arg /* MPG Level value for R-APS PDU */, "restore-interval" arg /* Wait to restore interval */, "guard-interval" arg /* Guard timer interval in 10ms */, "hold-interval" arg /* Hold off timer interval in 100ms steps */, "non-revertive" /* Non-revertive mode of operation */, "wait-to-block-interval" arg /* Wait to block interval */, "major-ring-name" arg /* Name of major-ring to which this sub-ring node attached */, "propagate-tc" /* Enable Topology Change Propagation to major-ring from the sub-ring */, "compatibility-version" arg /* G.8032 compatibility version */, "ring-id" arg /* Ethernet Ring ID of protection group */, "non-vc-mode" /* Node is operating in non virtual channel mode */, "dot1p-priority" arg /* IEEE 802.1p priority of transmitted R-APS */, "east-interface" ( /* East interface configuration */ erp_interface /* East interface configuration */ ), "west-interface" ( /* West interface configuration */ erp_interface /* West interface configuration */ ), "control-vlan" arg /* Dedicated VLAN identifier - VLAN id or VLAN name */, "data-channel" ( /* Ring instance data channel */ erp_data_channel /* Ring instance data channel */ ) ) ) end rule(:erp_data_channel) do c( "vlan" arg /* VLAN ID or VLAN ID range [1..4094] */ ) end rule(:erp_interface) do c( "control-channel" ( /* Control channel of ring port */ c( "vlan" arg /* Dedicated VLAN identifier */, interface_name ) ), "ring-protection-link-end" /* Port is connecting to ring protection link */, "interface-none" /* Port is not used */ ) end rule(:juniper_protocols_rip) do c( "traceoptions" ( /* Trace options for RIP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("auth" | "error" | "expiration" | "holddown" | "packets" | "request" | "trigger" | "update" | "nsr-synchronization" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */, "filter" ( /* Filter to apply to this flag */ rip_filter_obj /* Filter to apply to this flag */ ) ) ).as(:oneline) ) ), "rib-group" ( /* Routing table group for importing RIP routes */ rib_group_inet_type /* Routing table group for importing RIP routes */ ), "metric-in" arg /* Metric value to add to incoming routes */, "send" ( /* Configure RIP send options */ sc( c( "broadcast" /* Broadcast RIPv2 packets (RIPv1 compatible) */, "multicast" /* Multicast RIPv2 packets */, "none" /* Do not send RIP updates */, "version-1" /* Broadcast RIPv1 packets */ ) ) ).as(:oneline), "receive" ( /* Configure RIP receive options */ sc( c( "both" /* Accept both RIPv1 and RIPv2 packets */, "none" /* Do not receive RIP packets */, "version-1" /* Accept RIPv1 packets only */, "version-2" /* Accept only RIPv2 packets */ ) ) ).as(:oneline), "check-zero" /* Check reserved fields on incoming RIPv2 packets */, "no-check-zero" /* Don't check reserved fields on incoming RIPv2 packets */, "message-size" arg /* Number of route entries per update message */, "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "holddown" arg /* Hold-down time */, "route-timeout" arg /* Delay before routes time out */, "update-interval" arg /* Interval between regular route updates */, "authentication-type" ( /* Authentication type */ ("none" | "simple" | "md5") ), "authentication-key" ( /* Authentication key (password) */ unreadable /* Authentication key (password) */ ), "group" arg ( /* Instance configuration */ c( "route-timeout" arg /* Delay before routes time out */, "update-interval" arg /* Interval between regular route updates */, "preference" arg /* Preference of routes learned by this group */, "metric-out" arg /* Default metric of exported routes */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "demand-circuit" /* Enable demand circuit on this interface */, "max-retrans-time" arg /* Maximum time to re-transmit a message in demand-circuit */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ) ) ), "neighbor" arg ( /* Neighbor configuration */ c( "route-timeout" arg /* Delay before routes time out */, "update-interval" arg /* Interval between regular route updates */, "interface-type" ( /* Interface type for the neighbor */ ("p2mp") ), "dynamic-peers" /* Learn peers dynamically on a p2mp interface */, "peer" arg /* P2MP peer */.as(:oneline), "metric-in" arg /* Metric value to add to incoming routes */, "send" ( /* Configure RIP send options */ sc( c( "broadcast" /* Broadcast RIPv2 packets (RIPv1 compatible) */, "multicast" /* Multicast RIPv2 packets */, "none" /* Do not send RIP updates */, "version-1" /* Broadcast RIPv1 packets */ ) ) ).as(:oneline), "receive" ( /* Configure RIP receive options */ sc( c( "both" /* Accept both RIPv1 and RIPv2 packets */, "none" /* Do not receive RIP packets */, "version-1" /* Accept RIPv1 packets only */, "version-2" /* Accept only RIPv2 packets */ ) ) ).as(:oneline), "demand-circuit" /* Enable demand circuit on this interface */, "max-retrans-time" arg /* Maximum time to re-transmit a msg in demand-circuit */, "check-zero" /* Check reserved fields on incoming RIPv1 packets */, "no-check-zero" /* Don't check reserved fields on incoming RIPv1 packets */, "any-sender" /* Disable strict checks on sender address */, "message-size" arg /* Number of route entries per update message */, "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "authentication-type" ( /* Authentication type */ ("none" | "simple" | "md5") ), "authentication-key" ( /* Authentication key (password) */ unreadable /* Authentication key (password) */ ), "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ) ) ) ) ) ) ), "graceful-restart" ( /* RIP graceful restart options */ c( ("disable"), "restart-time" arg /* Time after which RIP is declared out of restart */ ) ) ) end rule(:juniper_protocols_ripng) do c( "traceoptions" ( /* Trace options for RIPng */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "expiration" | "holddown" | "packets" | "request" | "trigger" | "update" | "nsr-synchronization" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "metric-in" arg /* Metric value to add to incoming routes */, "send" ( /* Configure RIPng send options */ sc( c( "none" /* Do not send RIPng updates */ ) ) ).as(:oneline), "receive" ( /* Configure RIPng receive options */ sc( c( "none" /* Do not receive RIPng packets */ ) ) ).as(:oneline), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "holddown" arg /* Hold-down time */, "route-timeout" arg /* Delay before routes time out */, "update-interval" arg /* Interval between regular route updates */, "group" arg ( /* Instance configuration */ c( "route-timeout" arg /* Delay before routes time out */, "update-interval" arg /* Interval between regular route updates */, "preference" arg /* Preference of routes learned by this group */, "metric-out" arg /* Default metric of exported routes */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "neighbor" arg ( /* Neighbor configuration */ c( "route-timeout" arg /* Delay before routes time out */, "update-interval" arg /* Interval between regular route updates */, "metric-in" arg /* Metric value to add to incoming routes */, "send" ( /* Configure RIPng send options */ sc( c( "none" /* Do not send RIPng updates */ ) ) ).as(:oneline), "receive" ( /* Configure RIPng receive options */ sc( c( "none" /* Do not receive RIPng packets */ ) ) ).as(:oneline), "import" ( /* Import policy */ policy_algebra /* Import policy */ ) ) ) ) ), "graceful-restart" ( /* RIPng graceful restart options */ c( ("disable"), "restart-time" arg /* Time after which RIPng is declared out of restart */ ) ) ) end rule(:juniper_protocols_router_discovery) do c( ("disable"), "traceoptions" ( /* Trace options for router discovery */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) /* Tracing parameters */.as(:oneline) ) ), "interface" arg ( /* Interfaces on which to configure router discovery */ c( "max-advertisement-interval" arg /* Maximum time before sending advertisements */, "min-advertisement-interval" arg /* Minimum time before sending advertisements */, "lifetime" arg /* How long addresses in advertisements are valid */ ) ), "address" arg ( /* IP addresses to include in advertisements */ c( "advertise" /* Advertise the IP address in advertisements */, "ignore" /* Do not advertise the IP address in advertisements */, "broadcast" /* Include IP address only in broadcast advertisements */, "multicast" /* Include IP address only in multicast advertisements */, "ineligible" /* IP address can never become a default router */, "priority" arg /* Preference of the address to become a default router */ ) ) ) end rule(:juniper_protocols_rsvp) do c( ("disable"), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "helper-disable" /* Disable graceful restart helper capability */, "maximum-helper-restart-time" arg /* Maximum wait time from down event to neighbor dead */, "maximum-helper-recovery-time" arg /* Maximum time restarting neighbor states are kept */ ) ), "tunnel-services" ( /* Use tunnel services for P2MP LSP ultimate-hop popping */ c( "devices" ( /* Tunnel services devices to use for P2MP LSPs */ interface_device /* Tunnel services devices to use for P2MP LSPs */ ) ) ), "no-p2mp-sublsp" /* Disable P2MP sub-LSP object generation */, "no-node-id-subobject" /* Do not include the node-id sub-object in the RRO */, "no-interface-hello" /* Disble interface Hellos on all RSVP interfaces */, "pop-and-forward" ( /* RSVP pop-and-forward specific global parameters */ c( "application-label" ( /* Number of application labels under the RSVP transport */ c( "depth" arg /* Application label depth */ ) ) ) ), "hello-acknowledgements" /* Acknowledge Hellos on RSVP interfaces not having sessions */, "no-hello-acknowledgements" /* Do not ack Hellos on RSVP interfaces not having sessions */, "node-hello" ( /* Enable node-ID based Hellos on all RSVP interfaces */ sc( "hello-interval" arg /* Hello interval */ ) ).as(:oneline), "no-node-hello" /* Disable node-ID based Hellos on the router */, "allow-bidirectional" /* Enable bidirectional support in RSVP */, "local-reversion" /* Enable local reversion at this Point of Local Repair */, "no-local-reversion" /* Disable local reversion at this Point of Local Repair */, "fast-reroute" ( /* One-to-one fast-reroute protection mechanism */ c( "optimize-timer" arg /* Frequency of reoptimization for fast-reroute detour */ ) ), "load-balance" ( /* Per-packet load-balancing algorithm */ c( "bandwidth" /* Per-packet load balancing proportional to LSP bandwidth */ ) ), "traceoptions" ( /* Trace options for RSVP */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("io-event" | "io-packets" | "packets" | "path" | "resv" | "pathtear" | "resvtear" | "state" | "error" | "route" | "lmp" | "event" | "nsr-synchronization" | "lsp-prefix" | "enhanced-frr" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "refresh-time" arg /* Refresh time in seconds */, "keep-multiplier" arg /* Keep multiplier */, "graceful-deletion-timeout" arg /* Time to complete graceful deletion signaling */, "setup-protection" /* Enable setup protection */, "cross-credibility-cspf" /* Compute CSPF paths spanning protocols for bypass LSP, detour LSP and loose hop expansion */, "preemption" ( /* Set RSVP session preemption attributes */ c( c( "disabled" /* No RSVP session preemption */, "normal" /* Run RSVP session preemption to accommodate new sessions */, "aggressive" /* Run RSVP session preemption whenever necessary */ ), "soft-preemption" ( /* Options for establishing new path before tearing down a preempted LSP */ c( "cleanup-timer" arg /* Time a soft-preempted LSP will be maintained */ ) ) ) ), "authentication-key" ( /* Authentication password */ unreadable /* Authentication password */ ), "associated-bidirectional-lsp" ( /* Set associated bidirectional LSP attributes */ c( "single-sided-provisioning" /* Enable unidirectional reverse LSP setup for single sided provisioned forward LSP */ ) ), "no-enhanced-frr-bypass" /* Disable enhanced facility backup FRR */, "interface" arg ( /* RSVP interface options */ c( ("disable"), "authentication-key" ( /* Authentication password */ unreadable /* Authentication password */ ), "aggregate" /* Permit refresh reduction extensions on the interface */, "no-aggregate" /* Don't permit refresh reduction extensions on the interface */, "reliable" /* Permit reliable message delivery on the interface */, "no-reliable" /* Don't permit reliable message delivery on the interface */, "hello-interval" arg /* Hello interval */, "subscription" ( /* Link bandwidth percentage for RSVP reservation */ subscription_type /* Link bandwidth percentage for RSVP reservation */ ), "bandwidth" arg /* Available bandwidth for the interface units bps */, "update-threshold" arg /* Percentage change in reserved bandwidth to trigger IGP update */, "update-threshold-max-reservable" ( /* Change in non-rsvp bandwidth to trigger IGP update */ c( arg /* Change in non-rsvp bandwidth to trigger IGP update units bps */, "percent" arg /* Percentage change in max-reservable bandwidth to trigger IGP update */ ) ), "link-protection" ( /* Protect traffic with a label-stacked LSP */ c( ("disable"), "bandwidth" ( /* Bandwidth for each bypass */ bandwidth_type /* Bandwidth for each bypass */ ), "max-bypasses" arg /* Max number of bypasses permitted for protecting this interface */, "subscription" arg /* Percent of bandwidth guaranteed when admitting protected LSPs into bypasses */, "no-node-protection" /* Disallow node protection on this interface */, "optimize-timer" arg /* Interval between bypass reoptimizations */, "class-of-service" arg /* Class of service for the bypass LSP */, "hop-limit" arg /* Maximum allowed router hops for bypass */, "no-cspf" /* Disable automatic path computation */, "exclude-srlg" /* Exclude SRLG links */, "priority" ( /* Preemption priorities for the bypass LSP */ c( arg, arg ) ), "path" arg ( /* Explicit route of bypass path */ sc( c( "loose" /* Next hop might not be adjacent */, "strict" /* Next hop must be adjacent */ ) ) ).as(:oneline), "admin-group" ( /* Administrative group policy */ admin_group_include_exclude /* Administrative group policy */ ), "bypass" arg ( /* Bypass with specific constraints */ c( "to" ( /* Address of egress router */ ipv4addr /* Address of egress router */ ), "bandwidth" ( /* Bandwidth for each bypass */ bandwidth_type /* Bandwidth for each bypass */ ), "description" arg /* Text description of bypass */, "priority" ( /* Preemption priorities for bypass */ c( arg, arg ) ), "class-of-service" arg /* Class of service for the bypass LSP */, "hop-limit" arg /* Maximum allowed router hops for bypass */, "no-cspf" /* Disable automatic path computation */, "exclude-srlg" /* Exclude SRLG links */, "path" arg ( /* Explicit route of bypass path */ sc( c( "loose" /* Next hop might not be adjacent */, "strict" /* Next hop must be adjacent */ ) ) ).as(:oneline), "admin-group" ( /* Administrative group policy */ admin_group_include_exclude /* Administrative group policy */ ) ) ) ) ) ) ), "peer-interface" arg ( /* Configuration for peer interface */ c( ("disable"), "authentication-key" ( /* Authentication password */ unreadable /* Authentication password */ ), "aggregate" /* Permit refresh reduction extensions on the interface */, "no-aggregate" /* Don't permit refresh reduction extensions on the interface */, "reliable" /* Permit reliable message delivery on the interface */, "no-reliable" /* Don't permit reliable message delivery on the interface */, "hello-interval" arg /* Hello interval */, "dynamic-bidirectional-transport" ( /* Enable dynamic setup of bidirectional packet LSP for transporting non-packet GMPLS LSP */ c( "template" arg /* Template for the dynamic bidirectional packet LSP */ ) ) ) ), "lsp-set" arg ( /* Configuration for lsp set */ c( ("disable"), "match-criteria" ( /* Match criteria for this lsp set */ lsp_set_match_type /* Match criteria for this lsp set */ ), "traceoptions" ( /* Trace options for this lsp set */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("io-event" | "io-packets" | "packets" | "path" | "resv" | "pathtear" | "resvtear" | "state" | "error" | "route" | "lmp" | "event" | "nsr-synchronization" | "lsp-prefix" | "enhanced-frr" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) ) ) end rule(:juniper_protocols_stp) do c( ("disable"), "bpdu-destination-mac-address" ( /* Destination MAC address in the spanning tree BPDUs */ ("provider-bridge-group") ), "bridge-priority" arg /* Priority of the bridge (in increments of 4k - 0,4k,8k,..60k) */, "backup-bridge-priority" arg /* Priority of the bridge (in increments of 4k - 4k,8k,..60k) */, "max-age" arg /* Maximum age of received protocol bpdu */, "hello-time" arg /* Time interval between configuration BPDUs */, "forward-delay" arg /* Time spent in listening or learning state */, "system-identifier" ( /* Sytem identifier to represent this node */ mac_unicast /* Sytem identifier to represent this node */ ), "traceoptions" ( /* Tracing options for debugging protocol operation */ stp_trace_options /* Tracing options for debugging protocol operation */ ), "vpls-flush-on-topology-change" /* Enable VPLS MAC flush on root protected CE interface receving topology change */, "priority-hold-time" arg /* Hold time before switching to primary priority when core domain becomes up */, "system-id" ( /* System ID to IP mapping */ system_id_ip_map /* System ID to IP mapping */ ), "interface" ( /* Interface options */ stp_interface /* Interface options */ ), "extended-system-id" arg /* Extended system identifier */, "force-version" ( /* Force protocol version */ ("stp") ), "bpdu-block-on-edge" /* Block BPDU on all interfaces configured as edge (BPDU Protect) */ ) end rule(:juniper_protocols_vni_options) do c( "vni" arg ( /* Per-vni options */ c( "vrf-target" ( /* VRF target community configuration */ c( "export" arg /* Target community to use when marking routes on export */, arg /* Target community */ ) ) ) ) ) end rule(:juniper_protocols_vstp) do c( ("disable"), "force-version" ( /* Force protocol version */ ("stp") ), "bpdu-block-on-edge" /* Block BPDU on all interfaces configured as edge (BPDU Protect) */, "vpls-flush-on-topology-change" /* Enable VPLS MAC flush on root protected CE interface receving topology change */, "priority-hold-time" arg /* Hold time before switching to primary priority when core domain becomes up */, "system-id" ( /* System ID to IP mapping */ system_id_ip_map /* System ID to IP mapping */ ), "interface" ( /* Interface options */ stp_interface /* Interface options */ ), "vlan" (arg | "all") ( /* VLAN spanning tree options */ c( "bridge-priority" arg /* Priority of the bridge (in increments of 4k - 0,4k,8k,..60k) */, "backup-bridge-priority" arg /* Priority of the bridge (in increments of 4k - 4k,8k,..60k) */, "max-age" arg /* Maximum age of received protocol bpdu */, "hello-time" arg /* Time interval between configuration BPDUs */, "forward-delay" arg /* Time spent in listening or learning state */, "system-identifier" ( /* Sytem identifier to represent this node */ mac_unicast /* Sytem identifier to represent this node */ ), "traceoptions" ( /* Tracing options for debugging protocol operation */ stp_trace_options /* Tracing options for debugging protocol operation */ ), "interface" ( /* Interface options */ stp_interface /* Interface options */ ) ) ), "vlan-group" ( /* Spanning tree options for group of VLANs */ c( "group" arg ( /* Name if VLAN group */ c( "vlan" arg /* VLAN ID or VLAN ID range [1..4094] */, "bridge-priority" arg /* Priority of the bridge (in increments of 4k - 0,4k,8k,..60k) */, "backup-bridge-priority" arg /* Priority of the bridge (in increments of 4k - 4k,8k,..60k) */, "max-age" arg /* Maximum age of received protocol bpdu */, "hello-time" arg /* Time interval between configuration BPDUs */, "forward-delay" arg /* Time spent in listening or learning state */, "system-identifier" ( /* Sytem identifier to represent this node */ mac_unicast /* Sytem identifier to represent this node */ ), "traceoptions" ( /* Tracing options for debugging protocol operation */ stp_trace_options /* Tracing options for debugging protocol operation */ ), "interface" ( /* Interface options */ stp_interface /* Interface options */ ) ) ) ) ) ) end rule(:juniper_routing_instance) do arg.as(:arg) ( c( "description" arg /* Text description of routing instance */, "vlan-model" ( /* Subscriber vlan-model in L2Wholesale framework */ ("one-to-one") ), "vtep-source-interface" ( /* Source layer-3 IFL for VXLAN */ sc( interface_unit, c( "inet" /* IPv4 source */, "inet6" /* IPv6 source */ ) ) ).as(:oneline), "vtep-remote-interface" ( /* Remote VTEP interface */ c( "remote-ip" arg ( /* Remote VTEP IP address */ c( "dynamic-profile" arg /* Define associate dynamic profile */ ) ), "default" ( /* To all remote vtep interface */ c( "dynamic-profile" arg /* Define associate dynamic profile */ ) ) ) ), "remote-vtep-list" ( /* Configure static remote VXLAN tunnel endpoints */ ipaddr /* Configure static remote VXLAN tunnel endpoints */ ), "remote-vtep-v6-list" ( /* Configurate static ipv6 remote VXLAN tunnel endpoints */ ipv6addr /* Configurate static ipv6 remote VXLAN tunnel endpoints */ ), "instance-role" ( /* Primary role of L2Backhaul-vpn router */ ("access" | "nni") ), "instance-type" ( /* Type of routing instance */ ("forwarding" | "vrf" | "no-forwarding" | "l2vpn" | "vpls" | "virtual-switch" | "l2backhaul-vpn" | "virtual-router" | "layer2-control" | "mpls-internet-multicast" | "evpn" | "mpls-forwarding" | "evpn-vpws") ), c( "no-vrf-propagate-ttl" /* Disable TTL propagation from IP to MPLS (on push) and MPLS to IP (on pop) */, "vrf-propagate-ttl" /* Enable TTL propagation from IP to MPLS (on push) and MPLS to IP (on pop) */ ), "egress-protection" ( /* Egress instance protection */ c( "protector" /* Enable Edge Protector functionality for this VPN */, "context-identifier" ( /* Context identifier */ c( ipv4addr /* IP address */ ) ) ) ), c( "vlan-id" ( /* IEEE 802.1q VLAN identifier for bridging domain */ ("all" | "none" | "inner-all" | arg) ), "vlan-tags" ( /* IEEE 802.1q VLAN tags for bridging domain */ sc( "outer" arg /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */, "inner" arg /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ) ).as(:oneline) ), "system" ( /* System parameters */ c( "services" ( /* System services */ c( "dhcp-local-server" ( /* Dynamic Host Configuration Protocol server configuration */ jdhcp_local_server_type /* Dynamic Host Configuration Protocol server configuration */ ), "dhcp-proxy-client" ( /* Dynamic Host Configuration Protocol Proxy client configuration */ jdhcp_proxy_client_type /* Dynamic Host Configuration Protocol Proxy client configuration */ ), "static-subscribers" ( /* Static Subscriber Client configuration */ jsscd_static_subscribers_type /* Static Subscriber Client configuration */ ) ) ) ) ), "access" ( /* Network access configuration */ c( "address-assignment" ( /* Address assignment configuration */ address_assignment_type /* Address assignment configuration */ ), "address-protection" /* Initiate Duplicate Address Protection */ ) ), "access-profile" ( /* Access profile for this instance */ sc( arg /* Profile name */ ) ).as(:oneline), "interface" ("$junos-interface-name" | arg) ( /* Interface name for this routing instance */ c( c( "any" /* Interface used for both unicast and multicast traffic */, "unicast" /* Interface used for unicast traffic only */, "multicast" /* Interface used for multicast traffic only */ ), "primary" /* Preferred multicast vt interface for the routing-instance */, "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ) ) ), "routing-interface" ( /* Routing interface name for this routing-instance */ interface_unit /* Routing interface name for this routing-instance */ ), "vxlan" ( c( "ovsdb-managed" /* Managed remotely via VXLAN OVSDB Controller */, "vni" arg /* VXLAN identifier */, "multicast-group" ( /* Multicast group registered for VXLAN segment */ ipv4addr /* Multicast group registered for VXLAN segment */ ), "multicast-v6-group" ( /* Multicast IPv6 group registered for VXLAN segment */ ipv6addr /* Multicast IPv6 group registered for VXLAN segment */ ), "encapsulate-inner-vlan" /* Retain inner VLAN in the packet */, "decapsulate-accept-inner-vlan" /* Accept VXLAN packets with inner VLAN */, "unreachable-vtep-aging-timer" arg /* Unreachable VXLAN tunnel endpoint removal timer */, "ingress-node-replication" /* Enable ingress node replication */ ) ), "l3-interface" ( /* L3 interface name for this routing-instance */ interface_unit /* L3 interface name for this routing-instance */ ), "no-local-switching" /* Disable local switching within CE-facing interfaces */, "no-normalization" /* Disable vlan id normalization for interfaces */, "qualified-bum-pruning-mode" /* Enable BUM pruning for VPLS instance */, "no-irb-layer-2-copy" /* Disable transmission of layer-2 copy of packets of irb routing-interface */, "route-distinguisher" ( /* Route distinguisher for this instance */ sc( arg /* Number in (16 bit:32 bit) or (32 bit 'L':16 bit) or (IP address:16 bit) format */ ) ).as(:oneline), "l2vpn-id" ( /* Layer-2 vpn-id for this instance */ c( arg /* L2VPN ID community for FEC129 VPLS/VPWS with BGP auto-discovery */ ) ), "provider-tunnel" ( /* Provider tunnel configuration */ c( c( "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "ingress-replication" ( /* Ingress Replication Tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "pim-asm" ( /* PIM-SM provider tunnel */ c( "group-address" ( /* PIM-SM provider tunnel group address */ ipv4addr /* PIM-SM provider tunnel group address */ ), "family" ( /* PIM-SM provider tunnel address family */ c( "inet" ( /* IPv4 PIM-SM provider tunnel */ c( "group-address" ( /* PIM-SM provider tunnel group address for IPV4 */ ipv4addr /* PIM-SM provider tunnel group address for IPV4 */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ), "inet6" ( /* IPv6 PIM-SM provider tunnel */ c( "group-address" ( /* PIM-SM provider tunnel group address for IPV6 */ ipv4addr /* PIM-SM provider tunnel group address for IPV6 */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ) ) ) ) ), "pim-ssm" ( /* PIM-SSM provider tunnel */ c( "group-address" ( /* PIM-SSM provider tunnel group address */ ipv4addr /* PIM-SSM provider tunnel group address */ ), "family" ( /* PIM-SSM provider tunnel address family */ c( "inet" ( /* IPv4 PIM-SSM provider tunnel */ c( "group-address" ( /* PIM-SSM provider tunnel group address for IPV4 */ ipv4addr /* PIM-SSM provider tunnel group address for IPV4 */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ), "inet6" ( /* IPv6 PIM-SSM provider tunnel */ c( "group-address" ( /* PIM-SSM provider tunnel group address for IPV6 */ ipv4addr /* PIM-SSM provider tunnel group address for IPV6 */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ) ) ) ) ) ), "inter-region" ( /* Inter-region segmented tunnels */ c( c( "template" arg /* Use inter-region segmentation template */, "no-inter-region-segmentation" /* Do not participate in inter-region segmentation */ ) ) ), "inter-region-segmented" ( /* Inter-Region Segmented LSP triggered by fan-out factor only */ c( "fan-out" arg /* Number of remote Leaf-AD routes */ ) ), "selective" ( /* Selective tunnels */ c( "tunnel-limit" arg /* Maximum number of selective tunnels */, "leaf-tunnel-limit-inet" arg /* Maximum number of selective leaf tunnels for v4 */, "leaf-tunnel-limit-inet6" arg /* Maximum number of selective leaf tunnels for v6 */, "wildcard-group-inet" ( /* IPv4 wilcard group matching any group address */ c( "wildcard-source" ( /* Use Selective-Tunnel for wildcard-source (*,G) joins */ c( "threshold-rate" arg /* Data threshold to create new tunnel */, c( "ingress-replication" ( /* Ingress Replication Tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "pim-ssm" ( /* PIM-SSM provider tunnel */ c( "group-range" ( /* PIM-SSM provider tunnel group range */ ipv4prefix /* PIM-SSM provider tunnel group range */ ) ) ) ), "inter-region-segmented" ( /* Inter-Region Segmented LSP triggered by fan-out factor only */ c( "fan-out" arg /* Number of remote Leaf-AD routes */ ) ) ) ) ) ), "wildcard-group-inet6" ( /* IPv6 wilcard group matching any group address */ c( "wildcard-source" ( /* Use Selective-Tunnel for wildcard-source (*,G) joins */ c( "threshold-rate" arg /* Data threshold to create new tunnel */, c( "ingress-replication" ( /* Ingress Replication Tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "pim-ssm" ( /* PIM-SSM provider tunnel */ c( "group-range" ( /* PIM-SSM provider tunnel group range */ ipv4prefix /* PIM-SSM provider tunnel group range */ ) ) ) ), "inter-region-segmented" ( /* Inter-Region Segmented LSP triggered by fan-out factor only */ c( "fan-out" arg /* Number of remote Leaf-AD routes */ ) ) ) ) ) ), "group" arg ( /* IP prefix of multicast group */ c( "wildcard-source" ( /* Use Selective-Tunnel for wildcard-source (*,G) joins */ c( "threshold-rate" arg /* Data threshold to create new tunnel */, c( "ingress-replication" ( /* Ingress Replication Tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "pim-ssm" ( /* PIM-SSM provider tunnel */ c( "group-range" ( /* PIM-SSM provider tunnel group range */ ipv4prefix /* PIM-SSM provider tunnel group range */ ) ) ) ), "inter-region-segmented" ( /* Inter-Region Segmented LSP triggered by threshold rate and/or fan-out */ c( "threshold" arg /* Data threshold rate to trigger segmentation */, "fan-out" arg /* Number of remote Leaf-AD routes */ ) ) ) ), "source" arg ( /* IP prefix of one or more multicast sources */ c( c( "ingress-replication" ( /* Ingress Replication Tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "pim-ssm" ( /* PIM-SSM provider tunnel */ c( "group-range" ( /* PIM-SSM provider tunnel group range */ ipv4prefix /* PIM-SSM provider tunnel group range */ ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */ ), "threshold-rate" arg /* Data threshold to create new tunnel */, "inter-region-segmented" ( /* Inter-Region Segmented LSP triggered by threshold rate and/or fan-out */ c( "threshold" arg /* Data threshold rate to trigger segmentation */, "fan-out" arg /* Number of remote Leaf-AD routes */ ) ) ) ) ) ) ) ), "mdt" ( /* Data MDT tunnels for PIM MVPN */ c( "threshold" ( /* Threshold for creation of multicast tunnels */ c( "group" arg ( /* IP prefix of multicast group */ c( "source" arg ( /* IP prefix of one or more multicast sources */ c( "rate" arg /* Data threshold to create new tunnel */ ) ) ) ) ) ), "data-mdt-reuse" /* Allow multiple customer streams to be transmitted over one data tunnel */, "tunnel-limit" arg /* Maximum multicast data tunnels */, "group-range" ( /* Group address range for multicast data tunnels */ ipprefix /* Group address range for multicast data tunnels */ ) ) ), "family" ( c( "inet" ( c( c( "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "ingress-replication" ( /* Ingress Replication Tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "pim-asm" ( /* PIM-SM provider tunnel */ c( "group-address" ( /* PIM-SM provider tunnel group address */ ipv4addr /* PIM-SM provider tunnel group address */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ), "pim-ssm" ( /* PIM-SSM provider tunnel */ c( "group-address" ( /* PIM-SSM provider tunnel group address */ ipv4addr /* PIM-SSM provider tunnel group address */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ) ), "mdt" ( /* IPv4 Data MDT tunnels for PIM MVPN */ c( "threshold" ( /* Threshold for creation of multicast tunnels */ c( "group" arg ( /* IP prefix of multicast group */ c( "source" arg ( /* IP prefix of one or more multicast sources */ c( "rate" arg /* Data threshold to create new tunnel */ ) ) ) ) ) ), "data-mdt-reuse" /* Allow multiple customer streams to be transmitted over one data tunnel */, "tunnel-limit" arg /* Maximum multicast data tunnels */, "group-range" ( /* Group address range for multicast data tunnels */ ipprefix /* Group address range for multicast data tunnels */ ) ) ) ) ), "inet6" ( c( c( "rsvp-te" ( /* RSVP-TE point-to-multipoint LSP for flooding */ c( c( "static-lsp" arg /* Name of point-to-multipoint LSP */, "label-switched-path-template" ( /* Template for dynamic point-to-multipoint LSP parameters */ c( c( arg /* Name of point-to-multipoint LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ), "ldp-p2mp" /* LDP point-to-multipoint LSP for flooding */, "ingress-replication" ( /* Ingress Replication Tunnel */ c( "create-new-ucast-tunnel" /* Create new unicast tunnel for ingress replication */, "label-switched-path" ( /* Point-to-point LSP unicast tunnel */ c( "label-switched-path-template" ( /* Template for dynamic point-to-point LSP parameters */ c( c( arg /* Name of point-to-point LSP template */, "default-template" /* Use default parameters */ ) ) ) ) ) ) ), "pim-asm" ( /* PIM-SM provider tunnel */ c( "group-address" ( /* PIM-SM provider tunnel group address */ ipv4addr /* PIM-SM provider tunnel group address */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ), "pim-ssm" ( /* PIM-SSM provider tunnel */ c( "group-address" ( /* PIM-SSM provider tunnel group address */ ipv4addr /* PIM-SSM provider tunnel group address */ ), "tunnel-source" ( /* Source address for the provider space mGRE tunnel */ ipv4addr /* Source address for the provider space mGRE tunnel */ ) ) ) ), "mdt" ( /* IPv6 Data MDT tunnels for PIM MVPN */ c( "threshold" ( /* Threshold for creation of multicast tunnels */ c( "group" arg ( /* IP prefix of multicast group */ c( "source" arg ( /* IP prefix of one or more multicast sources */ c( "rate" arg /* Data threshold to create new tunnel */ ) ) ) ) ) ), "data-mdt-reuse" /* Allow multiple customer streams to be transmitted over one data tunnel */, "tunnel-limit" arg /* Maximum multicast data tunnels */, "group-range" ( /* Group address range for multicast data tunnels */ ipprefix /* Group address range for multicast data tunnels */ ) ) ) ) ) ) ) ) ), "vrf-import" ( /* Import policy for VRF instance RIBs */ policy_algebra /* Import policy for VRF instance RIBs */ ), "vrf-export" ( /* Export policy for VRF instance RIBs */ policy_algebra /* Export policy for VRF instance RIBs */ ), "vrf-target" ( /* VRF target community configuration */ c( arg /* Target community to use in import and export */, "import" arg /* Target community to use when filtering on import */, "export" arg /* Target community to use when marking routes on export */, "auto" /* Auto derive import and export target community from BGP AS & L2 */ ) ), "no-vrf-advertise" /* Don't advertise this instance to remote PEs */, "connector-id-advertise" /* Advertise connector-id attribute */, "vrf-advertise-selective" ( /* Override no-vrf-advertise knob for the specified address family */ c( "family" ( /* Protocol family to be selectively advertised */ c( "inet-mvpn" /* IPv4 MVPN Address Family */, "inet6-mvpn" /* IPv6 MVPN Address Family */ ) ) ) ), "vrf-table-label" ( /* Advertise a single VPN label for all routes in the VRF */ sc( "static" arg /* Specify label value to be used */, "source-class-usage" /* Enable source class usage */ ) ).as(:oneline), "routing-options" ( /* Protocol-independent routing option configuration */ juniper_routing_options /* Protocol-independent routing option configuration */ ), "forwarding-options" ( /* Forwarding options configuration */ juniper_forwarding_options /* Forwarding options configuration */ ), "multicast-snooping-options" ( /* Multicast snooping option configuration */ juniper_multicast_snooping_options /* Multicast snooping option configuration */ ), "igmp-snooping-options" ( /* IGMP snooping option configuration */ juniper_igmp_snooping_options /* IGMP snooping option configuration */ ), "mld-snooping-options" ( /* MLD snooping option configuration */ juniper_mld_snooping_options /* MLD snooping option configuration */ ), "protocols" ( /* Routing protocol configuration */ c( "bgp" ( /* BGP options */ juniper_protocols_bgp /* BGP options */ ), "mpls" ( /* MPLS configuration */ juniper_protocols_mpls /* MPLS configuration */ ), "rsvp" ( /* RSVP configuration */ juniper_protocols_rsvp /* RSVP configuration */ ), "ospf" ( /* OSPF configuration */ juniper_protocols_ospf /* OSPF configuration */ ), "ospf3" ( /* OSPF3 configuration */ c( "realm" ("ipv6-unicast" | "ipv6-multicast" | "ipv4-unicast" | "ipv4-multicast") ( /* OSPFv3 realm configuration */ c( ("disable"), "traceoptions" ( /* Trace options for OSPF */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("spf" | "error" | "event" | "packet-dump" | "flooding" | "lsa-analysis" | "packets" | "hello" | "database-description" | "lsa-request" | "lsa-update" | "lsa-ack" | "ldp-synchronization" | "on-demand" | "nsr-synchronization" | "graceful-restart" | "restart-signaling" | "backup-spf" | "source-packet-routing" | "post-convergence-lfa" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology parameters */ c( "disable" /* Disable this topology */, "topology-id" arg /* Topology identifier */, "overload" /* Set the overload mode (repel transit traffic) */, "rib-group" arg /* Routing table group for importing routes */, "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */ ) ), "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */, "rib-group" arg /* Routing table group for importing OSPF routes */, "job-stats" /* Collect job statistics */, "overload" ( /* Set the overload mode (repel transit traffic) */ c( "timeout" arg /* Time after which overload mode is reset */, "allow-route-leaking" /* Allow routes to be leaked when overload is configured */, "stub-network" /* Advertise Stub Network with maximum metric */, "intra-area-prefix" /* Advertise Intra Area Prefix with maximum metric */, "as-external" /* Advertise As External with maximum usable metric */ ) ), "database-protection" ( /* Configure database protection attributes */ c( "maximum-lsa" arg /* Maximum allowed non self-generated LSAs */, "warning-only" /* Emit only a warning when LSA maximum limit is exceeded */, "warning-threshold" arg /* Percentage of LSA maximum above which to trigger warning */, "ignore-count" arg /* Maximum number of times to go into ignore state */, "ignore-time" arg /* Time to stay in ignore state and ignore all neighbors */, "reset-time" arg /* Time after which the ignore count gets reset to zero */ ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "restart-duration" arg /* Time for all neighbors to become full */, "notify-duration" arg /* Time to send all max-aged grace LSAs */, "helper-disable" ( /* Disable graceful restart helper capability */ c( c( "standard" /* Disable helper-mode for rfc3623 based GR */, "restart-signaling" /* Disable helper mode for restart-signaling */, "both" /* Disable helper mode for both the types of GR */ ) ) ), "no-strict-lsa-checking" /* Do not abort graceful helper mode upon LSA changes */ ) ), "traffic-engineering" ( /* Configure traffic engineering attributes */ c( "no-topology" /* Disable dissemination of TE link-state topology information */, "multicast-rpf-routes" /* Install routes for multicast RPF checks into inet.2 */, "igp-topology" /* Download IGP topology into TED */, "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "shortcuts" ( /* Use label-switched paths as next hops, if possible */ c( "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "lsp-metric-into-summary" /* Advertise LSP metric into summary LSAs */ ) ), "advertise-unnumbered-interfaces" /* Advertise unnumbered interfaces */, "credibility-protocol-preference" /* TED protocol credibility follows protocol preference */ ) ), "route-type-community" ( /* Specify BGP extended community value to encode OSPF route type */ ("iana" | "vendor") ), "domain-id" ( /* Configure domain ID */ sc( c( arg /* Domain ID */, "disable" /* Disable domain ID */ ) ) ).as(:oneline), c( "domain-vpn-tag" arg /* Domain VPN tag for external LSA */, "no-domain-vpn-tag" /* Disable domain VPN tag */ ), "preference" arg /* Preference of internal routes */, "external-preference" arg /* Preference of external routes */, "labeled-preference" arg /* Preference of labeled routes */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy (for external routes or setting priority) */ policy_algebra /* Import policy (for external routes or setting priority) */ ), "reference-bandwidth" arg /* Bandwidth for calculating metric defaults */, "lsa-refresh-interval" arg /* LSA refresh interval (minutes) */, "spf-delay" arg /* Time to wait before running an SPF */, "no-rfc-1583" /* Disable RFC1583 compatibility */, "source-packet-routing" ( /* Enable source packet routing (SPRING) */ c( "node-segment" ( /* Enable support for Node segments in SPRING */ c( "ipv4-index" arg /* Set ipv4 node segment index */, "index-range" arg /* Set range of node segment indices allowed */ ) ), "mapping-server" arg /* Mapping server name */, "install-prefix-sid-for-best-route" /* For best route install a exact prefix sid route */ ) ), "forwarding-address-to-broadcast" /* Set forwarding address in Type 5 LSA in broadcast network */, c( "no-nssa-abr" /* Disable full NSSA functionality at ABR */ ), "sham-link" ( /* Configure parameters for sham links */ c( "local" ( /* Local sham link endpoint address */ ipaddr /* Local sham link endpoint address */ ), "no-advertise-local" /* Don't advertise local sham link endpoint as stub in router LSA */ ) ), "area" arg ( /* Configure an OSPF area */ c( c( "stub" ( /* Configure a stub area */ sc( "default-metric" arg /* Metric for the default route in this stub area */, "summaries" /* Flood summary LSAs into this stub area */, "no-summaries" /* Don't flood summary LSAs into this stub area */ ) ).as(:oneline), "nssa" ( /* Configure a not-so-stubby area */ c( "default-lsa" ( /* Configure a default LSA */ c( "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "type-7" /* Flood type 7 default LSA if no-summaries is configured */ ) ), "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "summaries" /* Flood summary LSAs into this NSSA area */, "no-summaries" /* Don't flood summary LSAs into this NSSA area */, "area-range" arg ( /* Configure NSSA area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" ( /* Override the dynamic metric for this area-range */ c( arg, "metric-type" arg /* Set the metric type for the override metric */ ) ) ) ) ) ) ), "area-range" arg ( /* Configure area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" arg /* Override the dynamic metric for this area-range */ ) ), "network-summary-export" ( /* Export policy for Type 3 Summary LSAs */ policy_algebra /* Export policy for Type 3 Summary LSAs */ ), "network-summary-import" ( /* Import policy for Type 3 Summary LSAs */ policy_algebra /* Import policy for Type 3 Summary LSAs */ ), "inter-area-prefix-export" ( /* Export policy for Inter Area Prefix LSAs */ policy_algebra /* Export policy for Inter Area Prefix LSAs */ ), "inter-area-prefix-import" ( /* Import policy for Inter Area Prefix LSAs */ policy_algebra /* Import policy for Inter Area Prefix LSAs */ ), "authentication-type" ( /* Authentication type */ ("none" | "simple" | "md5") ), "virtual-link" ( /* Configure virtual links */ s( "neighbor-id" arg /* Router ID of a virtual neighbor */, "transit-area" arg /* Transit area in common with virtual neighbor */, c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ) ), "sham-link-remote" arg ( /* Configure parameters for remote sham link endpoint */ c( "metric" arg /* Sham link metric */, "ipsec-sa" arg /* IPSec security association name */, "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "interface" arg ( /* Include an interface in this area */ c( ("disable"), "interface-type" ( /* Type of interface */ ("nbma" | "p2mp" | "p2p" | "p2mp-over-lan") ), "post-convergence-lfa" ( /* Protect interface using post-convergence backup path */ c( "node-protection" ( /* Compute backup path assuming node failure */ c( "cost" arg /* Cost for node protection */ ) ) ) ), c( "link-protection" /* Protect interface from link faults only */, "node-link-protection" /* Protect interface from both link and node faults */ ), "no-eligible-backup" /* Not eligible to backup traffic from protected interfaces */, "no-eligible-remote-backup" /* Not eligible for Remote-LFA backup traffic from protected interfaces */, "passive" ( /* Do not run OSPF, but advertise it */ c( "traffic-engineering" ( /* Advertise TE link information */ c( "remote-node-id" ( /* Remote address of the link */ ipaddr /* Remote address of the link */ ), "remote-node-router-id" ( /* TE Router-ID of the remote node */ ipv4addr /* TE Router-ID of the remote node */ ) ) ) ) ), "secondary" /* Treat interface as secondary */, "own-router-lsa" /* Generate a separate router LSA for this interface */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ), "metric" arg /* Interface metric */, "te-metric" arg /* Traffic engineering metric */, "priority" arg /* Designated router priority */, "ldp-synchronization" ( /* Advertise maximum metric until LDP is operational */ ldp_sync_obj /* Advertise maximum metric until LDP is operational */ ), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ), "transmit-interval" arg /* OSPF packet transmit interval (milliseconds) */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "full-neighbors-only" /* Setup BFD sessions only to Full neighbors */ ) ), "dynamic-neighbors" /* Learn neighbors dynamically on a p2mp interface */, "no-advertise-adjacency-segment" /* Do not advertise an adjacency segment for this interface */, "neighbor" arg ( /* NBMA neighbor */ sc( "eligible" /* Eligible to be DR on an NBMA network */ ) ).as(:oneline), "poll-interval" arg /* Poll interval for NBMA interfaces */, "no-interface-state-traps" /* Do not send interface state change traps */ ) ), "no-source-packet-routing" /* Disable SPRING in this area */, "no-context-identifier-advertisement" /* Disable context identifier advertisments in this area */, "context-identifier" arg /* Configure context identifier in support of edge protection */, "label-switched-path" arg ( /* Configuration for advertisement of a label-switched path */ c( ("disable"), "metric" arg /* Interface metric */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "peer-interface" arg ( /* Configuration for peer interface */ c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */ ) ) ) ) ) ), ("disable"), "traceoptions" ( /* Trace options for OSPF */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("spf" | "error" | "event" | "packet-dump" | "flooding" | "lsa-analysis" | "packets" | "hello" | "database-description" | "lsa-request" | "lsa-update" | "lsa-ack" | "ldp-synchronization" | "on-demand" | "nsr-synchronization" | "graceful-restart" | "restart-signaling" | "backup-spf" | "source-packet-routing" | "post-convergence-lfa" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology parameters */ c( "disable" /* Disable this topology */, "topology-id" arg /* Topology identifier */, "overload" /* Set the overload mode (repel transit traffic) */, "rib-group" arg /* Routing table group for importing routes */, "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */ ) ), "spf-options" ( /* Configure options for SPF */ c( "delay" arg /* Time to wait before running an SPF */, "holddown" arg /* Time to hold down before running an SPF */, "rapid-runs" arg /* Number of maximum rapid SPF runs before holddown */, "no-ignore-our-externals" /* Do not ignore self-generated external and NSSA LSAs */ ) ), "backup-spf-options" ( /* Configure options for backup SPF */ c( "disable" /* Do not run backup SPF */, "no-install" /* Do not install backup nexthops into the RIB */, "downstream-paths-only" /* Use only downstream backup paths */, "remote-backup-calculation" ( /* Calculate Remote LFA backup nexthops */ c( "pq-nodes-nearest-to-source" ( /* PQ nodes selection based upon nearest to source */ c( "percent" arg /* Selection percentage for nearest to source */ ) ) ) ), "use-post-convergence-lfa" ( /* Calculate post-convergence backup paths */ c( "maximum-labels" arg /* Maximum number of labels installed for post-convergence paths */, "maximum-backup-paths" arg /* Maximum number of equal-cost post-convergence paths installed */ ) ), "per-prefix-calculation" ( /* Calculate backup nexthops for non-best prefix originators */ c( "stubs" /* Per prefix calculation for stubs only */, "summary" /* Per prefix calculation for summary originators only */, "externals" /* Per prefix calculation for externals */, "all" /* Per prefix calculation for all */ ) ), "node-link-degradation" /* Degrade to link protection when nodelink protection not available */, "use-source-packet-routing" /* Use spring backup paths for inet.0 routes */ ) ), "prefix-export-limit" arg /* Maximum number of prefixes that can be exported */, "rib-group" arg /* Routing table group for importing OSPF routes */, "job-stats" /* Collect job statistics */, "overload" ( /* Set the overload mode (repel transit traffic) */ c( "timeout" arg /* Time after which overload mode is reset */, "allow-route-leaking" /* Allow routes to be leaked when overload is configured */, "stub-network" /* Advertise Stub Network with maximum metric */, "intra-area-prefix" /* Advertise Intra Area Prefix with maximum metric */, "as-external" /* Advertise As External with maximum usable metric */ ) ), "database-protection" ( /* Configure database protection attributes */ c( "maximum-lsa" arg /* Maximum allowed non self-generated LSAs */, "warning-only" /* Emit only a warning when LSA maximum limit is exceeded */, "warning-threshold" arg /* Percentage of LSA maximum above which to trigger warning */, "ignore-count" arg /* Maximum number of times to go into ignore state */, "ignore-time" arg /* Time to stay in ignore state and ignore all neighbors */, "reset-time" arg /* Time after which the ignore count gets reset to zero */ ) ), "graceful-restart" ( /* Configure graceful restart attributes */ c( ("disable"), "restart-duration" arg /* Time for all neighbors to become full */, "notify-duration" arg /* Time to send all max-aged grace LSAs */, "helper-disable" ( /* Disable graceful restart helper capability */ c( c( "standard" /* Disable helper-mode for rfc3623 based GR */, "restart-signaling" /* Disable helper mode for restart-signaling */, "both" /* Disable helper mode for both the types of GR */ ) ) ), "no-strict-lsa-checking" /* Do not abort graceful helper mode upon LSA changes */ ) ), "traffic-engineering" ( /* Configure traffic engineering attributes */ c( "no-topology" /* Disable dissemination of TE link-state topology information */, "multicast-rpf-routes" /* Install routes for multicast RPF checks into inet.2 */, "igp-topology" /* Download IGP topology into TED */, "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "shortcuts" ( /* Use label-switched paths as next hops, if possible */ c( "ignore-lsp-metrics" /* Ignore label-switched path metrics when doing shortcuts */, "lsp-metric-into-summary" /* Advertise LSP metric into summary LSAs */ ) ), "advertise-unnumbered-interfaces" /* Advertise unnumbered interfaces */, "credibility-protocol-preference" /* TED protocol credibility follows protocol preference */ ) ), "route-type-community" ( /* Specify BGP extended community value to encode OSPF route type */ ("iana" | "vendor") ), "domain-id" ( /* Configure domain ID */ sc( c( arg /* Domain ID */, "disable" /* Disable domain ID */ ) ) ).as(:oneline), c( "domain-vpn-tag" arg /* Domain VPN tag for external LSA */, "no-domain-vpn-tag" /* Disable domain VPN tag */ ), "preference" arg /* Preference of internal routes */, "external-preference" arg /* Preference of external routes */, "labeled-preference" arg /* Preference of labeled routes */, "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "import" ( /* Import policy (for external routes or setting priority) */ policy_algebra /* Import policy (for external routes or setting priority) */ ), "reference-bandwidth" arg /* Bandwidth for calculating metric defaults */, "lsa-refresh-interval" arg /* LSA refresh interval (minutes) */, "spf-delay" arg /* Time to wait before running an SPF */, "no-rfc-1583" /* Disable RFC1583 compatibility */, "source-packet-routing" ( /* Enable source packet routing (SPRING) */ c( "node-segment" ( /* Enable support for Node segments in SPRING */ c( "ipv4-index" arg /* Set ipv4 node segment index */, "index-range" arg /* Set range of node segment indices allowed */ ) ), "mapping-server" arg /* Mapping server name */, "install-prefix-sid-for-best-route" /* For best route install a exact prefix sid route */ ) ), "forwarding-address-to-broadcast" /* Set forwarding address in Type 5 LSA in broadcast network */, c( "no-nssa-abr" /* Disable full NSSA functionality at ABR */ ), "sham-link" ( /* Configure parameters for sham links */ c( "local" ( /* Local sham link endpoint address */ ipaddr /* Local sham link endpoint address */ ), "no-advertise-local" /* Don't advertise local sham link endpoint as stub in router LSA */ ) ), "area" arg ( /* Configure an OSPF area */ c( c( "stub" ( /* Configure a stub area */ sc( "default-metric" arg /* Metric for the default route in this stub area */, "summaries" /* Flood summary LSAs into this stub area */, "no-summaries" /* Don't flood summary LSAs into this stub area */ ) ).as(:oneline), "nssa" ( /* Configure a not-so-stubby area */ c( "default-lsa" ( /* Configure a default LSA */ c( "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "type-7" /* Flood type 7 default LSA if no-summaries is configured */ ) ), "default-metric" arg /* Metric for the default route in this area */, "metric-type" arg /* External metric type for the default type 7 LSA */, "summaries" /* Flood summary LSAs into this NSSA area */, "no-summaries" /* Don't flood summary LSAs into this NSSA area */, "area-range" arg ( /* Configure NSSA area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" ( /* Override the dynamic metric for this area-range */ c( arg, "metric-type" arg /* Set the metric type for the override metric */ ) ) ) ) ) ) ), "area-range" arg ( /* Configure area ranges */ c( "restrict" /* Restrict advertisement of this area range */, "exact" /* Enforce exact match for advertisement of this area range */, "override-metric" arg /* Override the dynamic metric for this area-range */ ) ), "network-summary-export" ( /* Export policy for Type 3 Summary LSAs */ policy_algebra /* Export policy for Type 3 Summary LSAs */ ), "network-summary-import" ( /* Import policy for Type 3 Summary LSAs */ policy_algebra /* Import policy for Type 3 Summary LSAs */ ), "inter-area-prefix-export" ( /* Export policy for Inter Area Prefix LSAs */ policy_algebra /* Export policy for Inter Area Prefix LSAs */ ), "inter-area-prefix-import" ( /* Import policy for Inter Area Prefix LSAs */ policy_algebra /* Import policy for Inter Area Prefix LSAs */ ), "authentication-type" ( /* Authentication type */ ("none" | "simple" | "md5") ), "virtual-link" ( /* Configure virtual links */ s( "neighbor-id" arg /* Router ID of a virtual neighbor */, "transit-area" arg /* Transit area in common with virtual neighbor */, c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ) ), "sham-link-remote" arg ( /* Configure parameters for remote sham link endpoint */ c( "metric" arg /* Sham link metric */, "ipsec-sa" arg /* IPSec security association name */, "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "interface" arg ( /* Include an interface in this area */ c( ("disable"), "interface-type" ( /* Type of interface */ ("nbma" | "p2mp" | "p2p" | "p2mp-over-lan") ), "post-convergence-lfa" ( /* Protect interface using post-convergence backup path */ c( "node-protection" ( /* Compute backup path assuming node failure */ c( "cost" arg /* Cost for node protection */ ) ) ) ), c( "link-protection" /* Protect interface from link faults only */, "node-link-protection" /* Protect interface from both link and node faults */ ), "no-eligible-backup" /* Not eligible to backup traffic from protected interfaces */, "no-eligible-remote-backup" /* Not eligible for Remote-LFA backup traffic from protected interfaces */, "passive" ( /* Do not run OSPF, but advertise it */ c( "traffic-engineering" ( /* Advertise TE link information */ c( "remote-node-id" ( /* Remote address of the link */ ipaddr /* Remote address of the link */ ), "remote-node-router-id" ( /* TE Router-ID of the remote node */ ipv4addr /* TE Router-ID of the remote node */ ) ) ) ) ), "secondary" /* Treat interface as secondary */, "own-router-lsa" /* Generate a separate router LSA for this interface */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ), "metric" arg /* Interface metric */, "te-metric" arg /* Traffic engineering metric */, "priority" arg /* Designated router priority */, "ldp-synchronization" ( /* Advertise maximum metric until LDP is operational */ ldp_sync_obj /* Advertise maximum metric until LDP is operational */ ), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */, "ipsec-sa" arg /* IPSec security association name */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ), "transmit-interval" arg /* OSPF packet transmit interval (milliseconds) */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "full-neighbors-only" /* Setup BFD sessions only to Full neighbors */ ) ), "dynamic-neighbors" /* Learn neighbors dynamically on a p2mp interface */, "no-advertise-adjacency-segment" /* Do not advertise an adjacency segment for this interface */, "neighbor" arg ( /* NBMA neighbor */ sc( "eligible" /* Eligible to be DR on an NBMA network */ ) ).as(:oneline), "poll-interval" arg /* Poll interval for NBMA interfaces */, "no-interface-state-traps" /* Do not send interface state change traps */ ) ), "no-source-packet-routing" /* Disable SPRING in this area */, "no-context-identifier-advertisement" /* Disable context identifier advertisments in this area */, "context-identifier" arg /* Configure context identifier in support of edge protection */, "label-switched-path" arg ( /* Configuration for advertisement of a label-switched path */ c( ("disable"), "metric" arg /* Interface metric */, "topology" ("default" | "ipv4-multicast" | arg) ( /* Topology specific attributes */ c( "disable" /* Disable this topology */, "metric" arg /* Topology metric */, "bandwidth-based-metrics" ( /* Configure bandwidth based metrics */ c( "bandwidth" arg ( /* Bandwidth threshold */ sc( "metric" arg /* Metric associated with specified bandwidth */ ) ).as(:oneline) ) ) ) ) ) ), "peer-interface" arg ( /* Configuration for peer interface */ c( ("disable"), "retransmit-interval" arg /* Retransmission interval (seconds) */, "transit-delay" arg /* Transit delay (seconds) */, "hello-interval" arg /* Hello interval (seconds) */, "dead-interval" arg /* Dead interval (seconds) */, "mtu" arg /* Maximum OSPF packet size */, c( "authentication" ( juniper_ospf_authentication ), "authentication-key" ( /* Authentication key */ sc( unreadable /* Authentication key value */, "key-id" arg /* Key ID for MD5 authentication */ ) ).as(:oneline) ), "demand-circuit" /* Interface functions as a demand circuit */, "flood-reduction" /* Enable flood reduction */, "no-neighbor-down-notification" /* Don't inform other protocols about neighbor down events */ ) ) ) ) ) ), "rip" ( /* RIP options */ juniper_protocols_rip /* RIP options */ ), "ripng" ( /* RIPng options */ juniper_protocols_ripng /* RIPng options */ ), "isis" ( /* IS-IS configuration */ juniper_protocols_isis /* IS-IS configuration */ ), "esis" ( /* ES-IS configuration */ juniper_protocols_esis /* ES-IS configuration */ ), "l2vpn" ( /* Layer 2 VPN configuration */ juniper_protocols_l2vpn /* Layer 2 VPN configuration */ ), "vpls" ( /* VPLS configuration */ juniper_protocols_l2vpn /* VPLS configuration */ ), "evpn" ( /* EVPN configuration */ juniper_protocols_l2vpn /* EVPN configuration */ ), "pim" ( /* PIM configuration */ juniper_protocols_pim /* PIM configuration */ ), "amt" ( /* AMT relay configuration */ juniper_protocols_amt /* AMT relay configuration */ ), "ldp" ( /* LDP configuration */ juniper_protocols_ldp /* LDP configuration */ ), "router-discovery" ( /* ICMP router discovery options */ juniper_protocols_router_discovery /* ICMP router discovery options */ ), "msdp" ( /* MSDP configuration */ juniper_protocols_msdp /* MSDP configuration */ ), "mvpn" ( /* BGP-MVPN configuration */ juniper_protocols_mvpn /* BGP-MVPN configuration */ ), "igmp-snooping" ( /* IGMP snooping configuration */ juniper_ri_protocols_igmp_snooping /* IGMP snooping configuration */ ), "mld-snooping" ( /* MLD snooping configuration */ juniper_ri_protocols_mld_snooping /* MLD snooping configuration */ ), "pim-snooping" ( /* PIM snooping configuration */ juniper_protocols_pim_snooping /* PIM snooping configuration */ ), "rstp" ( /* RSTP configuration */ juniper_protocols_stp /* RSTP configuration */ ), "mstp" ( /* MSTP configuration */ juniper_protocols_mstp /* MSTP configuration */ ), "vstp" ( /* VSTP configuration */ juniper_protocols_vstp /* VSTP configuration */ ), "mvrp" ( /* MVRP configuration */ juniper_protocols_mvrp /* MVRP configuration */ ) ) ), "bridge-domains" /* Bridge domain configuration */, "switch-options" ( /* L2 options for routing-instance of type virtual-switch */ juniper_routing_instance_switch_options /* L2 options for routing-instance of type virtual-switch */ ), "pbb-options" ( /* Provider backbone bridging options for routing-instance */ juniper_routing_instance_pbb_options /* Provider backbone bridging options for routing-instance */ ), "service-groups" ( /* Service group configuration for routing-instance */ juniper_routing_instance_service_groups /* Service group configuration for routing-instance */ ), "layer3-domain-identifier" arg /* Layer3 domain identifier */, "l2-domain-id-for-l3" arg /* Layer2 domain identifier for L3 */, "vlans" ( /* VLAN configuration */ c( vlan_types /* Virtual LAN */ ) ) ) ) end rule(:juniper_igmp_snooping_options) do c( "use-p2mp-lsp" /* P2MP will be used to forward traffic instead of PW */, "snoop-pseudowires" /* VPLS PE would send traffic selectively to PE's having interest */ ) end rule(:juniper_mld_snooping_options) do c( "use-p2mp-lsp" /* P2MP will be used to forward traffic instead of PW */, "snoop-pseudowires" /* VPLS PE would send traffic selectively to PE's having interest */ ) end rule(:juniper_protocols_l2vpn) do c( "traceoptions" ( /* Trace options for Layer 2 VPNs */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "topology" | "nlri" | "connections" | "automatic-site" | "oam" | "mac-database" | "nsr" | "egress-protection" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), c( "control-word" /* Add control word to the Layer 2 encapsulation */, "no-control-word" /* Disables control word on the Layer 2 encapsulation */ ), "site-range" arg /* Maximum site identifier in this VPLS domain */, "bum-hashing" /* Enable BUM hashing feature in the instance */, "enable-mac-move-action" /* Enable VPLS loop prevention feature in the instance */, "mac-pinning" /* Enable MAC pinning */, "label-block-size" ( /* Label block size for this VPLS instance */ ("2" | "4" | "8" | "16") ), "mac-table-size" ( /* Size of MAC address forwarding table */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop") ) ) ), "mac-ip-table-size" ( /* Size of MAC+IP bindings table */ c( arg ) ), "interface-mac-limit" ( /* Maximum MAC address learned per interface */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "interface-mac-ip-limit" ( /* Maximum MAC+IP bindings learned per interface */ c( arg ) ), "mac-notification" ( /* MAC notification options */ c( "notification-interval" arg /* Interval for sending MAC notifications */ ) ), "mac-table-aging-time" arg /* Delay for discarding MAC address if no updates are received */, "no-mac-learning" /* Disable dynamic MAC address learning */, "no-normalization" /* Disable vlan id normalization for interfaces */, "mac-statistics" /* Enable MAC address statistics */, "mib" ( /* Snmp mib options */ c( "dot1q-mib" ( /* Dot1q MIB configuration options */ c( "port-list" ( /* Port list for staticegressports and staticuntaggedports MIB */ ("bit-map" | "string") ) ) ) ) ), "static-rvtep-mac" ( /* Configure Static MAC and remote VxLAN tunnel endpoint entries */ c( "mac" ( /* Unicast MAC address */ s( arg, "remote-vtep" arg /* Configure static remote VXLAN tunnel endpoints */ ) ).as(:oneline) ) ), "interface" arg ( /* Interface that connect this site to the VPN */ c( "interface-mac-limit" ( /* Maximum number of MAC addresses learned on the interface */ c( arg, "disable" /* Disable interface for interface-mac-limit */, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "vpws-service-id" ( /* Service-id for EVPN VPWS routing instance */ c( "local" arg /* Local EVPN VPWS service id */, "remote" arg /* Remote EVPN VPWS service id */ ) ), "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "action-priority" arg /* Blocking priority of this interface on mac move detection */, "remote-site-id" arg /* Site identifier associated with this interface */, "target-attachment-identifier" arg /* FEC 129 VPWS target attachment identifier */, "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-receive" /* Advertise capability to push Flow Label in receive direction to remote PE */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "mtu" arg /* MTU to be advertised to the remote end */, "ignore-mtu-mismatch" /* Allow different MTU values on local and remote end */, c( "control-word" /* Adds control-word to the Layer 2 encapsulation */, "no-control-word" /* Disables control-word to the Layer 2 encapsulation */ ), "pseudowire-status-tlv" /* Send pseudowire status TLV */, "oam" /* OAM Configuration for VPN */, "community" arg /* Community associated with this interface */, "static-mac" arg ( /* Static MAC addresses assigned to this interface */ c( "vlan-id" arg /* VLAN ID of learning VLAN */ ) ), "interface-mac-ip-limit" ( /* Maximum number of MAC+IP bindings learned on the interface */ c( arg ) ), "no-mac-learning" /* Disable dynamic MAC address learning */, "mac-pinning" /* Enable MAC pinning */, "description" arg /* Text description */, "persistent-learning" /* Enable persistent MAC learning on this interface */ ) ), c( "tunnel-services" ( /* Use tunnel services for this VPLS instance */ c( "devices" ( /* Tunnel services devices to use for this VPLS instance */ interface_device /* Tunnel services devices to use for this VPLS instance */ ), "primary" ( /* Primary tunnel services device to use for VPLS instance */ interface_device /* Primary tunnel services device to use for VPLS instance */ ) ) ), "no-tunnel-services" /* Do not use tunnel services for this VPLS instance */ ), "site" arg ( /* Sites connected to this provider equipment */ c( c( "site-identifier" arg /* Layer 2 VPN or VPLS site identifier (unique in the VPN) */, "automatic-site-id" ( /* Enable automatic assignment of site identifier */ c( "startup-wait-time" arg /* Time to wait at startup before claming a site identifier (seconds) */, "new-site-wait-time" arg /* Time to wait before claiming a site identifier */, "collision-detect-time" arg /* Time to wait for detecting a collision */, "reclaim-wait-time" ( /* Time to wait for reclaiming a site identifier */ sc( "minimum" arg /* Minimum wait time */, "maximum" arg /* Maximum wait time */ ) ).as(:oneline) ) ) ), "source-attachment-identifier" arg /* FEC 129 VPWS source attachment identifier */, "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-receive" /* Advertise capability to push Flow Label in receive direction to remote PE */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, c( "control-word" /* Adds control-word to the Layer 2 encapsulation */, "no-control-word" /* Disables control-word to the Layer 2 encapsulation */ ), "pseudowire-status-tlv" /* Send pseudowire status TLV */, "oam" /* OAM Configuration for VPN */, "community" arg /* Community associated with this site */, "multi-homing" ( /* Enable multi-homing functionality for this site */ c( "hold-time" arg /* Enable multi-homing non-designated forwarder hold time (seconds) */ ) ), "mac-pinning" /* Enable MAC pinning */, "site-preference" ( /* Layer 2 VPN or VPLS site preference */ ("primary" | "backup" | arg) ), "hot-standby" /* Keep backup pseudowire in continuous standby mode and ready for traffic forwarding */, "mtu" arg /* MTU to be advertised to the remote end */, "ignore-mtu-mismatch" /* Allow different MTU values on local and remote end */, "mesh-group" arg /* Mesh-groups that are part of this site */, "active-interface" ( /* Configure interface to designate as active */ sc( c( "any" /* One configured interface is designated active at random */, "primary" ( /* Interface to designate as active if it is operational */ interface_name /* Interface to designate as active if it is operational */ ) ) ) ).as(:oneline), "best-site" /* Activates best-site functionality for this instance */, "interface" arg ( /* Interface that connect this site to the VPN */ c( "interface-mac-limit" ( /* Maximum number of MAC addresses learned on the interface */ c( arg, "disable" /* Disable interface for interface-mac-limit */, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "vpws-service-id" ( /* Service-id for EVPN VPWS routing instance */ c( "local" arg /* Local EVPN VPWS service id */, "remote" arg /* Remote EVPN VPWS service id */ ) ), "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "action-priority" arg /* Blocking priority of this interface on mac move detection */, "remote-site-id" arg /* Site identifier associated with this interface */, "target-attachment-identifier" arg /* FEC 129 VPWS target attachment identifier */, "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-receive" /* Advertise capability to push Flow Label in receive direction to remote PE */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "mtu" arg /* MTU to be advertised to the remote end */, "ignore-mtu-mismatch" /* Allow different MTU values on local and remote end */, c( "control-word" /* Adds control-word to the Layer 2 encapsulation */, "no-control-word" /* Disables control-word to the Layer 2 encapsulation */ ), "pseudowire-status-tlv" /* Send pseudowire status TLV */, "oam" /* OAM Configuration for VPN */, "community" arg /* Community associated with this interface */, "static-mac" arg ( /* Static MAC addresses assigned to this interface */ c( "vlan-id" arg /* VLAN ID of learning VLAN */ ) ), "interface-mac-ip-limit" ( /* Maximum number of MAC+IP bindings learned on the interface */ c( arg ) ), "no-mac-learning" /* Disable dynamic MAC address learning */, "mac-pinning" /* Enable MAC pinning */, "description" arg /* Text description */, "persistent-learning" /* Enable persistent MAC learning on this interface */ ) ) ) ), "community" arg /* Community associated with this VPLS instance */, "vpls-id" arg /* Identifier for this VPLS instance */, "mtu" arg /* MTU to be advertised to the remote end */, "ignore-mtu-mismatch" /* Allow different MTU values on local and remote end */, "mac-flush" ( /* Enables mac-flush processing */ c( "any-interface" /* Send mac-flush when any AC interface goes down */, "any-spoke" /* Send mac-flush when any spoke pseudo wire goes down */, "propagate" /* Propagate mac-flush to the core */ ) ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "pseudowire-status-tlv" /* Send pseudowire status TLV */, "neighbor" arg ( /* Neighbor for this VPLS instance */ c( "static" ( /* Configuration of static vpls */ c( "incoming-label" arg /* VPLS incoming static label [1000000 - 1048575] or [29696 - 41983] */, "outgoing-label" arg /* VPLS outgoing static label */ ) ), "associate-profile" /* Associate profile options for dynamic IFL */, "psn-tunnel-endpoint" ( /* Endpoint of the transport tunnel on the remote PE */ ipv4addr /* Endpoint of the transport tunnel on the remote PE */ ), "community" arg /* Community associated with this neighbor */, "mac-pinning" /* Enable MAC pinning */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("ethernet-vlan" | "ethernet") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "pseudowire-status-tlv" ( /* Send pseudowire status TLV */ c( "hot-standby-vc-on" /* Activate pseudowire upon arrival of 'hot-standby' status TLV message */ ) ), "switchover-delay" arg /* Pseudowire switchover delay */, "revert-time" ( /* Enable pseudowire redundancy reversion (seconds) */ sc( arg, "maximum" arg /* Maximum reversion interval to add over revert-time delay */ ) ).as(:oneline), "connection-protection" /* End-2-end protection via OAM failure detection */, "backup-neighbor" arg ( /* Configuration of redundant l2circuit */ c( "static" ( /* Configuration of static vpls */ c( "incoming-label" arg /* VPLS incoming static label [1000000 - 1048575] or [29696 - 41983] */, "outgoing-label" arg /* VPLS outgoing static label */ ) ), "community" arg /* Community associated with this Layer 2 circuit */, "psn-tunnel-endpoint" ( /* Endpoint of the transport tunnel on the remote PE */ ipv4addr /* Endpoint of the transport tunnel on the remote PE */ ), "standby" /* Keep backup pseudowire in continuous standby */, "hot-standby" /* Keep backup pseudowire in continuous standby mode and ready for traffic forwarding */ ) ), "oam" /* OAM Configuration for VPN */ ) ), "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-receive" /* Advertise capability to pop Flow Label in receive direction to remote PE */, "flow-label-transmit-static" /* Push Flow Label on PW packets sent to remote PE */, "flow-label-receive-static" /* Pop Flow Label from PW packets received from remote PE */, "associate-profile" /* Associate profile options for dynamic IFL */, "mesh-group" arg ( /* Mesh-group under this VPLS instance */ c( "associate-profile" /* Associate profile options for dynamic IFL */, c( "peer-as" ( /* Autonomous system of the peer */ c( "all" /* Include peers from all autonomous systems */ ) ) ), "vpls-id" arg /* LDP VPLS Identifier for this mesh-group */, "vrf-import" /* Import policy for VPLS instance mesh-group */, "vrf-export" /* Export policy for VPLS instance mesh-group */, "vrf-target" /* VPLS mesh-group target community configuration */, "mac-flush" /* Enables mac-flush processing */, "local-switching" /* Allow local-switching within interfaces in this mesh-group */, "neighbor" /* Neighbor belonging to this mesh-group */, "interface" arg /* Interfaces belonging to this flood group */, "route-distinguisher" /* Route distinguisher for this mesh-group */.as(:oneline) ) ), "connectivity-type" ( /* Specify type of interface sufficient to bring vpls connection up */ ("ce" | "irb" | "permanent") ), "import-labeled-routes" arg /* Import ingress label route to instance.mpls.0 from mpls.0 */.as(:oneline), "oam" /* OAM Configuration for VPN */, "multi-homing" ( /* Multi-homing configuration for FEC129 VPLS */ c( "peer-active" /* Keep CE interfaces in up state when all BGP peers go down */, "site" arg ( /* Sites connected to this provider equipment */ c( "identifier" arg /* Layer 2 VPN or VPLS multi-homing identifier */, "preference" ( /* Layer 2 VPN or VPLS multi-homing preference */ ("primary" | "backup" | arg) ), "active-interface" ( /* Configure interface to designate as active */ c( c( "any" /* One configured interface is designated active at random */, "primary" ( /* Interface to designate as active if it is operational */ interface_name /* Interface to designate as active if it is operational */ ) ) ) ), "interface" arg ( /* Interface that connects this site to the VPN */ c( "preference" arg /* Layer 2 VPN or VPLS multi-homing preference for the interface */ ) ), "peer-active" /* Keep CE interfaces in up state when all BGP peers go down */ ) ) ) ), "evi-options" ( /* EVI options */ juniper_protocols_evi_options /* EVI options */ ), "p2mp-bud-support" /* Enable EVPN to act as P2MP transit and egress PE (bud) */, "pbb-evpn-core" /* Configure PBB EVPN core */, "label-allocation" ( /* Label allocation policy */ ("per-instance") ), "designated-forwarder-election-hold-time" arg /* Time to wait before electing a DF(seconds) */, "evpn-etree" /* Evpn etree mode */, "igmp-id" arg /* EVPN IGMP Identifier value */, "designated-forwarder-preference-least" /* Use least preference in DF election */, "encapsulation" arg /* Encapsulation type for EVPN */, c( "extended-vlan-list" arg /* List of VLAN identifiers that are to be EVPN extended */, "extended-vni-list" /* List of VNI identifiers (1..16777214) or all, that are to be EVPN extended */, "extended-isid-list" arg /* Configure list of isids or all for extending to PBB EVPN */ ), "mclag" /* EVPN with MC-LAG support */, "vni-options" ( /* VNI options */ c( "vni" arg ( /* Per-vni options */ c( "vrf-target" ( /* VRF target community configuration */ c( "export" arg /* Target community to use when marking routes on export */, arg /* Target community */ ) ) ) ) ) ), "ip-prefix-routes" /* Advertise IP prefixes through EVPN */, "multicast-mode" arg /* Multicast mode for EVPN */, "vrf-target" ( /* VRF target community configuration */ c( arg /* Target community to use in import and export */ ) ), "default-gateway" arg /* Default gateway mode */, "no-arp-suppression" /* Disable suppression of ARP/NDP for EVPN */, "duplicate-mac-detection" /* Duplicate MAC detection settings */, c( "flexible-cross-connect-vlan-aware" /* Enable EVPN flexible cross-connect VLAN aware Service */, "flexible-cross-connect-vlan-unaware" /* Enable EVPN flexible cross-connect VLAN unaware Service */ ), "auto-service-id" /* Enable auto-derivation of VPWS service instance identifier */, "hot-standby-on" /* Activate evpn vpws upon becoming DF */, "group" arg ( /* Enable EVPN flexible cross-connect VLAN unaware Service */ c( "esi" ( /* ESI configuration to group vlan unaware cross connects */ c( esi /* ESI value for grouping of vlan unaware cross connects */ ) ), "interface" arg /* Name of the interface part of vlan unaware fxc */, "service-id" ( /* Service-id for vlan unaware cross connects for EVPN VPWS */ c( "local" arg /* Local service id for vlan unaware service */, "remote" arg /* Remote service id for vlan unaware service */ ) ) ) ) ) end rule(:juniper_protocols_evi_options) do c( "isid" arg ( /* Per-evi options */ c( "vrf-target" ( /* VRF target community configuration */ c( arg /* Target community */ ) ) ) ) ) end rule(:juniper_protocols_pim_snooping) do c( "traceoptions" ( /* Trace options for PIM Snooping */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "hello" | "join" | "prune" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "no-dr-flood" /* Disable default flooding of multicast data on the PIM designated router port */, "vlan" arg ( /* Vlan options */ c( "no-dr-flood" /* Disable default flooding of multicast data on the PIM DR port */ ) ) ) end rule(:juniper_ri_protocols_igmp_snooping) do c( "traceoptions" ( /* Trace options for IGMP Snooping */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "l2-querier" ( /* Enable L2 querier mode */ c( "source-address" ( /* Source IP address to use for L2 querier */ ipv4addr /* Source IP address to use for L2 querier */ ) ) ), "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "learn-pim-router" /* Learn PIM router interfaces from PIM hellos */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ), "irb" /* Proxy IGMP reports to IRB */ ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ) ) ), "vlan" arg ( /* Vlan options */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv4addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for IGMP */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ) ) ) ) ) ) end rule(:juniper_ri_protocols_mld_snooping) do c( "traceoptions" ( /* Trace options for MLD Snooping */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "query" | "report" | "leave" | "group" | "client-notification" | "host-notification" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv6addr /* Source IP address to use for proxy */ ), "irb" /* Proxy IGMP reports to IRB */ ) ), "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv6addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ) ) ), "vlan" arg ( /* Vlan options */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv6addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ), "qualified-vlan" arg ( /* VLAN options for qualified-learning */ c( "query-interval" arg /* When to send host query messages */, "query-response-interval" arg /* How long to wait for a host query response */, "query-last-member-interval" arg /* When to send group query messages */, "robust-count" arg /* Expected packet loss on a subnet */, "immediate-leave" /* Enable immediate group leave on interfaces */, "proxy" ( /* Enable proxy mode */ c( "source-address" ( /* Source IP address to use for proxy */ ipv6addr /* Source IP address to use for proxy */ ) ) ), "interface" arg ( /* Interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */, "host-only-interface" /* Enable interfaces to be treated as host-side interfaces */, "group-limit" arg /* Maximum number of (source,group) per interface */, "static" ( /* Static group or source membership */ c( "group" arg ( /* IP multicast group address */ c( "source" arg /* IP multicast source address */ ) ) ) ) ) ), "pseudowire-remote-address" arg ( /* Pseudowire interface options for MLD */ c( "multicast-router-interface" /* Enabling multicast-router-interface on the interface */, "immediate-leave" /* Enable immediate group leave on interfaces */ ) ) ) ) ) ) ) end rule(:juniper_routing_instance_pbb_options) do c( "peer-instance" arg /* Set the peer-pbbn routing instance */, "vlan-id" arg ( /* Set B-VLAN to ISID mapping */ sc( "isid-list" arg /* Configure ISID(Valid Range:256..16777214) for the B-VLAN */ ) ).as(:oneline), "default-bvlan" arg /* Default B-VLAN for all un-mapped ISIDs */ ) end rule(:juniper_routing_instance_service_groups) do arg.as(:arg) ( c( "service-type" ( /* Service type as ethernet LAN or point-to-point */ ("eline" | "elan") ), "pbb-service-options" ( /* Provider backbone instance service options */ c( "isid" arg ( /* ISID to S-VLAN configuration */ sc( c( "vlan-id-list" arg /* List of S-VLANs */, "interface" ( /* Point to point interface name */ interface_name /* Point to point interface name */ ) ) ) ).as(:oneline), "default-isid" arg /* Default ISID for all un-mapped S-VLANs */, "mac-address" ( /* Unicast or multicast mac address */ mac_addr /* Unicast or multicast mac address */ ), "source-bmac" ( /* Unicast Source B Mac address */ mac_addr /* Unicast Source B Mac address */ ) ) ) ) ) end rule(:juniper_routing_instance_switch_options) do c( "mac-table-size" ( /* Size of MAC address forwarding table */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop") ) ) ), "mac-ip-table-size" ( /* Size of MAC+IP bindings table */ c( arg ) ), "interface-mac-limit" ( /* Maximum MAC address learned per interface */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "interface-mac-ip-limit" ( /* Maximum MAC+IP bindings learned per interface */ c( arg ) ), "mac-notification" ( /* MAC notification options */ c( "notification-interval" arg /* Interval for sending MAC notifications */ ) ), "mac-table-aging-time" arg /* Delay for discarding MAC address if no updates are received */, "no-mac-learning" /* Disable dynamic MAC address learning */, "no-normalization" /* Disable vlan id normalization for interfaces */, "mac-statistics" /* Enable MAC address statistics */, "mib" ( /* Snmp mib options */ c( "dot1q-mib" ( /* Dot1q MIB configuration options */ c( "port-list" ( /* Port list for staticegressports and staticuntaggedports MIB */ ("bit-map" | "string") ) ) ) ) ), "static-rvtep-mac" ( /* Configure Static MAC and remote VxLAN tunnel endpoint entries */ c( "mac" ( /* Unicast MAC address */ s( arg, "remote-vtep" arg /* Configure static remote VXLAN tunnel endpoints */ ) ).as(:oneline) ) ), "service-id" arg /* Service ID required if multi-chassis AE is part of a bridge-domain */, "ovsdb-managed" /* All vxlan bridge domains in routing instance are remote managed */, "interface" arg ( /* Interface that connect this site to the VPN */ c( "interface-mac-limit" ( /* Maximum number of MAC addresses learned on the interface */ c( arg, "disable" /* Disable interface for interface-mac-limit */, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "vpws-service-id" ( /* Service-id for EVPN VPWS routing instance */ c( "local" arg /* Local EVPN VPWS service id */, "remote" arg /* Remote EVPN VPWS service id */ ) ), "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "action-priority" arg /* Blocking priority of this interface on mac move detection */, "remote-site-id" arg /* Site identifier associated with this interface */, "target-attachment-identifier" arg /* FEC 129 VPWS target attachment identifier */, "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-receive" /* Advertise capability to push Flow Label in receive direction to remote PE */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "mtu" arg /* MTU to be advertised to the remote end */, "ignore-mtu-mismatch" /* Allow different MTU values on local and remote end */, c( "control-word" /* Adds control-word to the Layer 2 encapsulation */, "no-control-word" /* Disables control-word to the Layer 2 encapsulation */ ), "pseudowire-status-tlv" /* Send pseudowire status TLV */, "oam" /* OAM Configuration for VPN */, "community" arg /* Community associated with this interface */, "static-mac" arg ( /* Static MAC addresses assigned to this interface */ c( "vlan-id" arg /* VLAN ID of learning VLAN */ ) ), "interface-mac-ip-limit" ( /* Maximum number of MAC+IP bindings learned on the interface */ c( arg ) ), "no-mac-learning" /* Disable dynamic MAC address learning */, "mac-pinning" /* Enable MAC pinning */, "description" arg /* Text description */, "persistent-learning" /* Enable persistent MAC learning on this interface */ ) ), "voip" ( /* Voice-over-IP configuration */ c( "interface" (arg | "access-ports") ( /* Enable voice over IP on this port */ c( "vlan" arg /* VLAN for voice over IP */, "forwarding-class" arg /* Forwarding class */ ) ) ) ), "unknown-unicast-forwarding" ( /* Set interface for forwarding of unknown unicast packets */ c( "vlan" arg ( /* VLAN for the unknown unicast packets */ c( "interface" ( /* Interface to send unknown unicast packets for the VLAN */ interface_name /* Interface to send unknown unicast packets for the VLAN */ ) ) ) ) ), "authentication-whitelist" /* MAC authentication-whitelist configuration needed to bypass Authentication */, "traceoptions" ( /* Layer 2 trace options for this routing instance */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "routing-socket" | "interface-device" | "interface-logical" | "interface-family" | "bridging-domain" | "bridge-interface" | "learning-domain" | "ipc" | "mac-learning" | "initialization" | "flood-next-hop" | "irb" | "vpls-ping" | "vpls-loop-prev" | "storm-control" | "unknown-unicast-forwarding" | "vxlan" | "all")) /* Type of operation or event to include in trace */.as(:oneline) ) ) ) end rule(:juniper_routing_options) do c( "med-igp-update-interval" arg /* Delay (in minutes) in updating MED IGP for bgp groups with 'delay-med-update' */, "bmp" ( /* BGP Monitoring Protocol (BMP) configuration */ c( "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5" | "hmac-sha-1-96" | "aes-128-cmac-96") ), "authentication-key-chain" arg /* Key chain name */, "hold-down" ( sc( arg, "flaps" arg /* Number of flaps before damping */, "period" arg /* Time period for flaps */ ) ).as(:oneline), "initiation-message" arg /* User string sent with the initiation message */, "local-address" ( /* Address of local end of BMP session */ ipaddr /* Address of local end of BMP session */ ), "local-port" arg /* Local port for listening */, "connection-mode" ( /* Specify active or passive */ ("active" | "passive") ), "priority" ( /* Relative dispatch priority */ ("low" | "medium" | "high") ), "monitor" ( /* Enable/Disable monitoring */ ("enable" | "disable") ), "route-monitoring" ( /* Control route monitoring settings */ c( "none" /* Do not send route montoring messages */, "pre-policy" ( /* Send pre policy route montoring messages */ sc( "exclude-non-feasible" /* Exclude looped routes, etc */ ) ).as(:oneline), "post-policy" ( /* Send post policy route montoring messages */ sc( "exclude-non-eligible" /* Exclude unresolved routes, etc. */ ) ).as(:oneline) ) ), "station-address" ( /* Address/name of monitoring station */ ipaddr /* Address/name of monitoring station */ ), "routing-instance" ( /* Routing-instance through which BMP station is reachable */ ("default" | arg) ), "station-port" arg /* Port of monitoring station */, "statistics-timeout" arg /* Statistics message timer, 15-65535, or 0 for no messages */, "traceoptions" ( /* Trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "up" | "down" | "statistics" | "route-monitoring" | "event" | "error" | "write" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Trace flag information */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "station" arg ( /* Define a BMP station */ c( "authentication-key" arg /* MD5 authentication key */, "authentication-algorithm" ( /* Authentication algorithm name */ ("md5" | "hmac-sha-1-96" | "aes-128-cmac-96") ), "authentication-key-chain" arg /* Key chain name */, "hold-down" ( sc( arg, "flaps" arg /* Number of flaps before damping */, "period" arg /* Time period for flaps */ ) ).as(:oneline), "initiation-message" arg /* User string sent with the initiation message */, "local-address" ( /* Address of local end of BMP session */ ipaddr /* Address of local end of BMP session */ ), "local-port" arg /* Local port for listening */, "connection-mode" ( /* Specify active or passive */ ("active" | "passive") ), "priority" ( /* Relative dispatch priority */ ("low" | "medium" | "high") ), "monitor" ( /* Enable/Disable monitoring */ ("enable" | "disable") ), "route-monitoring" ( /* Control route monitoring settings */ c( "none" /* Do not send route montoring messages */, "pre-policy" ( /* Send pre policy route montoring messages */ sc( "exclude-non-feasible" /* Exclude looped routes, etc */ ) ).as(:oneline), "post-policy" ( /* Send post policy route montoring messages */ sc( "exclude-non-eligible" /* Exclude unresolved routes, etc. */ ) ).as(:oneline) ) ), "station-address" ( /* Address/name of monitoring station */ ipaddr /* Address/name of monitoring station */ ), "routing-instance" ( /* Routing-instance through which BMP station is reachable */ ("default" | arg) ), "station-port" arg /* Port of monitoring station */, "statistics-timeout" arg /* Statistics message timer, 15-65535, or 0 for no messages */, "traceoptions" ( /* Trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("packets" | "up" | "down" | "statistics" | "route-monitoring" | "event" | "error" | "write" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Trace flag information */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) ) ) ), "bgp-orf-cisco-mode" /* Using BGP ORF capability code 130 and Prefix ORF type 128 */, "ppm" ( /* Set periodic packet management properties */ c( "delegate-processing" /* Enable distribution of PPM sessions */, "no-delegate-processing" /* Disable PPM sessions distribution */, "inline-processing-enable" /* Enable PPM session inline distribution */, "inline-ae-processing-enable" /* Enable PPM session inline distribution on AE */, "redistribution-timer" arg /* Time to wait after switchover before starting timers */ ) ), "no-bfd-triggered-local-repair" /* Disable bfd triggered local repair */, "source-routing" ( /* Source-routing options */ c( "ip" /* Enable IP Source Routing */, "ipv6" /* Enable Type 0 RouteHeader processing */ ) ), "l3vpn-composite-nexthop" /* Enable composite nexthop for l3vpn */, "auto-bandwidth" ( /* Auto bandwidth */ c( "template" arg ( /* Auto bandwidth template */ c( "adjust-interval" arg /* Adjust interval */, "adjust-threshold" arg /* Percentage threshhold */, "statistic-collection-interval" arg /* Collection interval */, "auto-bandwidth-subscription" arg /* Percentage threshhold for subscription */ ) ), "traceoptions" ( /* Trace options for sr stats */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("all" | "timer" | "state")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) ), "srlg" arg ( /* SRLG configuration */ c( "srlg-value" arg /* Group id */, "srlg-cost" arg /* Cost value */ ) ), "admin-groups-extended-range" ( /* Extended administrative groups range */ c( "minimum" arg /* Minimum value of the range for extended administrative groups */, "maximum" arg /* Maximum value of the range for extended administrative groups */ ) ), "admin-groups-extended" arg ( /* Extended administrative groups */ c( "group-value" arg /* Group id */ ) ), "enable-sensors" /* Enable Sensor for MX/PTX/QFX/EX */, "lsp-telemetry" /* Turn on Jvision LSP telemetry */, "source-packet-routing" ( /* Source packet routing (SPRING) */ c( "mapping-server-entry" arg ( /* Mapping server entry */ c( "prefix-segment" arg ( /* Prefix segment */ c( "index" arg /* Prefix segment index */ ) ), "prefix-segment-range" arg ( /* Prefix segment range */ c( "start-prefix" ( /* Start prefix */ ipprefix /* Start prefix */ ), "start-index" arg /* Start index */, "size" arg /* Size of prefix segment range */ ) ) ) ) ) ), "traceoptions" ( /* Global routing protocol trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "trace-events" ( /* Trace events configuration */ c( "logging" arg ( /* Logging trace events */ sc( "disable" /* Disable these trace events */, "memtrace" /* Memtrace logging */ ) ).as(:oneline) ) ), "flag" enum(("parse" | "regex-parse" | "config-internal" | "nsr-synchronization" | "condition-manager" | "graceful-restart" | "session" | "hfrr-fsm" | "hfrr-route" | "statistics-id-group" | "route-record" | "jvision-lsp" | "dyn-nh-template" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "options" ( /* Miscellaneous options */ c( "no-send" /* Listen only; do not send protocol packets */, "no-resolve" /* Do not use DNS name resolution */, "syslog" ( /* Set system logging level */ c( "level" ( /* Logging level */ sc( "emergency" /* Emergency level */, "alert" /* Alert level */, "critical" /* Critical level */, "error" /* Error level */, "warning" /* Warning level */, "notice" /* Notice level */, "info" /* Informational level */, "debug" /* Debugging level */ ) ).as(:oneline), "upto" ( /* Log up to a particular logging level */ ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug") ) ) ), "mark" arg /* Periodically mark the trace file */ ) ), "graceful-restart" ( /* Graceful or hitless routing restart options */ c( ("disable"), "restart-duration" arg /* Maximum time for which router is in graceful restart */ ) ), "warm-standby" /* Enable warm-standby */, "nonstop-routing" /* Enable nonstop routing */, "nonstop-routing-options" /* Nonstop routing options */, "nsr-phantom-holdtime" arg /* Set NSR phantom route hold time */, "interface-routes" ( /* Define routing table groups for interface routes */ c( "rib-group" ( /* Routing table group */ rib_group_type /* Routing table group */ ), "family" enum(("inet" | "inet6")) ( /* Address family */ c( "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "export" ( /* Control exportability of local routes */ c( "point-to-point" /* Make point-to-point routes exportable */, "lan" /* Make LAN routes exportable */ ) ) ) ) ) ), "loopback-strict-disable" /* Completely disable lo0 host prefix when in admin-down state */, "rib" arg ( /* Routing table options */ c( "static" ( /* Static routes */ c( "rib-group" arg /* Routing table group */, "defaults" ( /* Global route options */ c( "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route" arg ( /* Static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "static-route" ( /* Static route Status */ sc( "bfd-admin-down" ( /* Static route State on BFD ADMIN DOWN */ ("active" | "passive") ) ) ).as(:oneline), "iso-route" arg ( /* ISO family static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route-target-filter" arg ( /* Route-target-filter route */ c( "neighbor" ( /* BGP peers for filter */ ipaddr /* BGP peers for filter */ ), "group" arg /* BGP groups for filter */, "local" /* Locally originated filter */ ) ) ) ), "martians" ( /* Invalid routes */ martian_type /* Invalid routes */ ), "aggregate" ( /* Coalesced routes */ rib_aggregate_type /* Coalesced routes */ ), "generate" ( /* Route of last resort */ rib_aggregate_type /* Route of last resort */ ), c( "maximum-routes" ( /* Maximum number of routes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "maximum-paths" ( /* Maximum number of paths */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline) ), "maximum-prefixes" ( /* Maximum number of prefixes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "multipath" ( /* Protocol-independent load balancing */ c( "vpn-unequal-cost" ( /* Include VPN routes with unequal IGP metrics */ sc( "equal-external-internal" /* Include external and internal VPN routes */ ) ).as(:oneline), "as-path-compare" /* Compare AS path sequences in addition to AS path length */ ) ), "protect" ( /* Protocol-independent protection */ sc( "core" /* Protect against unreachability to service-edge router */ ) ).as(:oneline), "label" ( /* Label processing */ c( "allocation" ( /* Label allocation policy */ policy_algebra /* Label allocation policy */ ), "substitution" ( /* Label substitution policy */ policy_algebra /* Label substitution policy */ ) ) ), "access" ( /* Access routes */ c( "route" arg ( /* Access route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "metric" arg /* Metric value */, "preference" arg /* Preference value */, "tag" arg /* Tag string */, "tag2" arg /* Tag2 string */ ) ) ) ), "access-internal" ( /* Access-internal routes */ c( "route" arg ( /* Access-internal route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ) ) ) ) ), "bgp-static" ( /* Routes for BGP static advertisements */ c( "route" arg ( /* BGP-static route */ c( "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ) ) ), "flow" ( /* Locally defined flow routing information */ c( "validation" ( /* Flow route validation options */ flow_validation /* Flow route validation options */ ), "route" ( /* Flow route */ flow_route_inet6 /* Flow route */ ), "interface-group" ( /* Interface-group for applying flow-spec filter */ flow_interface_group /* Interface-group for applying flow-spec filter */ ) ) ) ) ), "static" ( /* Static routes */ c( "rib-group" arg /* Routing table group */, "defaults" ( /* Global route options */ c( "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route" arg ( /* Static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "static-route" ( /* Static route Status */ sc( "bfd-admin-down" ( /* Static route State on BFD ADMIN DOWN */ ("active" | "passive") ) ) ).as(:oneline), "iso-route" arg ( /* ISO family static route */ c( c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "reject" /* Drop packets to destination; send ICMP unreachables */, "discard" /* Drop packets to destination; send no ICMP unreachables */, "receive" /* Install a receive route for the destination */, "next-table" arg /* Next hop to another table */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "lsp-next-hop" ( /* LSP next hop */ lsp_nh_obj /* LSP next hop */ ), "static-lsp-next-hop" ( /* Static LSP next hop */ lsp_nh_obj /* Static LSP next hop */ ), "p2mp-lsp-next-hop" ( /* Point-to-multipoint LSP next hop */ lsp_nh_obj /* Point-to-multipoint LSP next hop */ ), "p2mp-ldp-next-hop" ( /* Point-to-multipoint LDP LSP next hop */ p2mp_ldp_lsp_nh_obj /* Point-to-multipoint LDP LSP next hop */ ), "backup-pe-group" arg /* Multicast source redundancy group */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ), "retain" /* Always keep route in forwarding table */, "no-retain" /* Don't always keep route in forwarding table */, "install" /* Install route into forwarding table */, "no-install" /* Don't install route into forwarding table */, "readvertise" /* Mark route as eligible to be readvertised */, "no-readvertise" /* Don't mark route as eligible to be readvertised */, "resolve" /* Allow resolution of indirectly connected next hops */, "no-resolve" /* Don't allow resolution of indirectly connected next hops */, "longest-match" /* Always use longest prefix match to resolve next hops */, "no-longest-match" /* Don't always use longest prefix match to resolve next hops */, c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ), "route-target-filter" arg ( /* Route-target-filter route */ c( "neighbor" ( /* BGP peers for filter */ ipaddr /* BGP peers for filter */ ), "group" arg /* BGP groups for filter */, "local" /* Locally originated filter */ ) ) ) ), "martians" ( /* Invalid routes */ martian_type /* Invalid routes */ ), "aggregate" ( /* Coalesced routes */ rib_aggregate_type /* Coalesced routes */ ), "generate" ( /* Route of last resort */ rib_aggregate_type /* Route of last resort */ ), c( "maximum-routes" ( /* Maximum number of routes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "maximum-paths" ( /* Maximum number of paths */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline) ), "maximum-prefixes" ( /* Maximum number of prefixes */ sc( arg, c( "threshold" arg /* Percentage of limit at which to start generating warnings */, "log-only" /* Generate warning messages only */ ), "log-interval" arg /* Minimum interval between log messages */ ) ).as(:oneline), "multipath" ( /* Protocol-independent load balancing */ c( "vpn-unequal-cost" ( /* Include VPN routes with unequal IGP metrics */ sc( "equal-external-internal" /* Include external and internal VPN routes */ ) ).as(:oneline), "as-path-compare" /* Compare AS path sequences in addition to AS path length */ ) ), "protect" ( /* Protocol-independent protection */ sc( "core" /* Protect against unreachability to service-edge router */ ) ).as(:oneline), "label" ( /* Label processing */ c( "allocation" ( /* Label allocation policy */ policy_algebra /* Label allocation policy */ ), "substitution" ( /* Label substitution policy */ policy_algebra /* Label substitution policy */ ) ) ), "access" ( /* Access routes */ c( "route" arg ( /* Access route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ), "metric" arg /* Metric value */, "preference" arg /* Preference value */, "tag" arg /* Tag string */, "tag2" arg /* Tag2 string */ ) ) ) ), "access-internal" ( /* Access-internal routes */ c( "route" arg ( /* Access-internal route */ c( "next-hop" ( /* Next hop to destination */ ipaddr_or_interface /* Next hop to destination */ ), "qualified-next-hop" ( /* Next hop with qualifiers */ qualified_nh_obj /* Next hop with qualifiers */ ) ) ) ) ), "bgp-static" ( /* Routes for BGP static advertisements */ c( "route" arg ( /* BGP-static route */ c( "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ) ) ) ) ), "flow" ( /* Locally defined flow routing information */ c( "validation" ( /* Flow route validation options */ flow_validation /* Flow route validation options */ ), "route" ( /* Flow route */ flow_route_inet /* Flow route */ ), "interface-group" ( /* Interface-group for applying flow-spec filter */ flow_interface_group /* Interface-group for applying flow-spec filter */ ), "firewall-install-disable" /* Disable installing flowspec firewall filters in dfwd */, "term-order" ( /* Term evaluation order for flow routes */ ("legacy" | "standard") ) ) ), "rib-groups" ( /* Group of routing tables */ rpd_rib_group_type /* Group of routing tables */ ), "route-record" /* Enable route recording */, "localized-fib" /* Localize vrf routing-instance routes to specific FPC hardware */, "router-id" ( /* Router identifier */ ipv4addr /* Router identifier */ ), "route-distinguisher-id" ( /* Identifier used in route distinguishers for routing instances */ ipv4addr /* Identifier used in route distinguishers for routing instances */ ), "autonomous-system" ( /* Autonomous system number */ sc( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "loops" arg /* Maximum number of times this AS can be in an AS path */, "asdot-notation" /* Use AS-Dot notation to display true 4 byte AS numbers */, "independent-domain" ( /* Independent autonomous-system domain from master instance */ sc( "no-attrset" /* Do not tunnel ce bgp attributes across provider network */ ) ).as(:oneline) ) ).as(:oneline), "confederation" ( /* Confederation autonomous system number */ sc( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, "members" arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */ ) ).as(:oneline), "interface" arg ( /* Direct/Host route FRR protection */ c( "arp-prefix-limit" arg /* Max ARP/Host FRR routes allowed */, "supplementary-blackout-timer" arg /* ARP plimit blackout timer = kernel ARP timeout + supplementary-blackout-timer minutes. */, c( "link-protection" /* Protect interface from link faults only */ ) ) ), "host-fast-reroute" ( /* Host Fast Re-route global values. Applies to all host FRR profiles. */ c( "global-arp-prefix-limit" arg /* Max ARP/Host FRR routes allowed per protected IFL */, "global-supplementary-blackout-timer" arg /* ARP plimit global blackout timer = kernel ARP timeout + global-supplementary-blackout-timer minutes. */ ) ), "forwarding-table" ( forwarding_table_type ), "resolution" ( /* Route next-hop resolution options */ c( "tracefilter" ( /* Filter policy */ policy_algebra /* Filter policy */ ), "traceoptions" ( /* Trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("event" | "flash" | "kernel" | "indirect" | "task" | "igp-frr" | "igp-frr-extensive" | "tunnel" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "rib" arg ( /* Routing table resolution options */ c( "resolution-family" arg /* Family of resultion tree */, "resolution-ribs" arg /* Routing tables to use for default routing table family resolution */, "inet-resolution-ribs" arg /* Routing tables to use for ipv4 family protocol-next-hop resolution */, "inet6-resolution-ribs" arg /* Routing tables to use for ipv6 family protocol-next-hop resolution */, "iso-resolution-ribs" arg /* Routing tables to use for iso family protocol-next-hop resolution */, "import" ( /* Import policy */ policy_algebra /* Import policy */ ), "inet-import" ( /* Import policy for IPV4 family resolution tree */ policy_algebra /* Import policy for IPV4 family resolution tree */ ), "inet6-import" ( /* Import policy for IPV6 family resolution tree */ policy_algebra /* Import policy for IPV6 family resolution tree */ ), "iso-import" ( /* Import policy for ISO family resolution tree */ policy_algebra /* Import policy for ISO family resolution tree */ ), "inetcolor-import" ( /* Import policy for INETCOLOR family resolution tree */ policy_algebra /* Import policy for INETCOLOR family resolution tree */ ), "inet6color-import" ( /* Import policy for INET6COLOR family resolution tree */ policy_algebra /* Import policy for INET6COLOR family resolution tree */ ) ) ) ) ), "multicast" ( /* Global multicast options */ c( "traceoptions" ( /* Global multicast trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("parse" | "config-internal" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "rpf" arg, "scope" arg ( /* Multicast address scope */ c( "prefix" ( /* Administratively scoped address */ ipprefix /* Administratively scoped address */ ), "interface" ( /* Interface on which to configure scoping */ interface_name /* Interface on which to configure scoping */ ) ) ), "scope-policy" ( /* Scoping policy */ policy_algebra /* Scoping policy */ ), "flow-map" arg ( /* Multicast flow map configuration */ c( "policy" ( /* Policy for matched flows */ policy_algebra /* Policy for matched flows */ ), "bandwidth" ( /* Bandwidth properties for matched flows */ sc( arg /* Static or default bandwidth for the matched flows */, "adaptive" /* Auto-sense bandwidth for matched flows */ ) ).as(:oneline), "redundant-sources" ( /* Redundant source addresses */ ipaddr /* Redundant source addresses */ ), "forwarding-cache" ( /* Forwarding cache properties for matched flows */ c( "timeout" ( /* Timeout properties for matched flows */ sc( c( arg, "never" ( /* Forwarding cache entries never time out */ c( "non-discard-entry-only" /* Apply only to non-discard entries */ ) ) ) ) ).as(:oneline) ) ) ) ), "resolve-filter" ( /* Multicast resolve policy filter */ policy_algebra /* Multicast resolve policy filter */ ), "ssm-groups" ( /* Source-specific multicast group ranges */ ipprefix /* Source-specific multicast group ranges */ ), "asm-override-ssm" /* Allow ASM state for SSM group ranges */, "rpf-check-policy" ( /* Disable RPF check for a source group pair */ policy_algebra /* Disable RPF check for a source group pair */ ), "pim-to-igmp-proxy" ( /* PIM-to-IGMP proxy */ c( "upstream-interface" ( /* Upstream interface list */ interface_name /* Upstream interface list */ ) ) ), "pim-to-mld-proxy" ( /* PIM-to-MLD proxy */ c( "upstream-interface" ( /* Upstream interface list */ interface_name /* Upstream interface list */ ) ) ), "forwarding-cache" ( /* Multicast forwarding cache */ c( "allow-maximum" /* Allow maximum of global and family level threshold values for suppress and reuse */, "family" enum(("inet" | "inet6")) ( /* Protocol family */ c( "threshold" ( /* Multicast forwarding cache suppress threshold */ c( "suppress" arg /* Suppress threshold */, "reuse" arg /* Reuse threshold */, "mvpn-rpt-suppress" arg /* MVPN RP tree entry suppress threshold */, "mvpn-rpt-reuse" arg /* MVPN RP tree entry reuse threshold */, "log-warning" arg /* Percentage at which to start generating warnings */ ) ) ) ), "threshold" ( /* Threshold */ c( "suppress" arg /* Suppress threshold */, "reuse" arg /* Reuse threshold */, "mvpn-rpt-suppress" arg /* MVPN RP tree entry suppress threshold */, "mvpn-rpt-reuse" arg /* MVPN RP tree entry reuse threshold */, "log-warning" arg /* Percentage at which to start generating warnings */ ) ), "timeout" arg /* Forwarding cache entry timeout in minutes */ ) ), "interface" ( /* Multicast interface options */ multicast_interface_options_type /* Multicast interface options */ ), "ssm-map" arg ( /* SSM map definitions */ c( "policy" ( /* Policy for matching group */ policy_algebra /* Policy for matching group */ ), "source" ( /* One or more source addresses */ ipaddr /* One or more source addresses */ ) ) ), "stream-protection" /* Multicast only Fast Re-Route */, "backup-pe-group" arg ( /* Backup PE group definitions */ c( "backups" ( /* One or more IP addresses */ ipaddr /* One or more IP addresses */ ), "local-address" ( /* Address to be used as local-address for this group */ ipaddr /* Address to be used as local-address for this group */ ) ) ), "omit-wildcard-address" /* Omit wildcard source/group fields in SPMSI AD NLRI */, "local-address" ( /* Local address for PIM and MVPN sessions */ ipv4addr /* Local address for PIM and MVPN sessions */ ) ) ), "instance-import" ( /* Import policy for instance RIBs */ policy_algebra /* Import policy for instance RIBs */ ), "instance-export" ( /* Export policy for instance RIBs */ policy_algebra /* Export policy for instance RIBs */ ), "auto-export" ( /* Export routes between routing instances */ c( ("disable"), "traceoptions" ( /* Trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("export" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "family" ( c( "inet" ( /* IPv4 parameters */ export_af_obj /* IPv4 parameters */ ), "inet6" ( /* IPv6 parameters */ export_af_obj /* IPv6 parameters */ ), "iso" ( /* ISO parameters */ export_af_obj /* ISO parameters */ ) ) ) ) ), "dynamic-tunnels" /* Dynamic tunnel definitions */, "logical-system-mux" ( /* Logical system control daemon information */ c( "traceoptions" ( /* Trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("debug" | "parse" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ) ) ), "programmable-rpd" ( /* RPD Server module management options */ programmable_rpd_type /* RPD Server module management options */ ), "topologies" ( /* Define routing topologies */ c( "family" enum(("inet" | "inet6")) ( /* Address family */ c( "topology" arg /* Topology information */ ) ) ) ), "backup-selection" ( /* Backup selection options */ c( "destination" arg ( /* IP/IPv6 prefix for which backup selection policy is configured */ c( "interface" arg ( /* Primary nexthop interface for which backup selection policy is configured */ c( "admin-group" ( /* Administrative group policies for backup-selection */ c( "exclude" arg /* Do not use interface if any admin group available */, "include-all" arg /* Use interface if admin groups available entirely */, "include-any" arg /* Use interface if any admin group is available */, "preference" arg /* Administrative groups in descending preference order */ ) ), "srlg" ( /* Evaluate Shared Risk Link Group(SRLG) characteristics for backup selection */ ("loose" | "strict") ), "protection-type" ( /* Type of protection to be considered */ ("link" | "node" | "node-link") ), "downstream-paths-only" /* Choose only the downstream nodes for backup */, "bandwidth-greater-equal-primary" /* Use backup nexthop only if bandwidth is >= bandwidth of primary nexthop */, "backup-neighbor" ( /* Backup Neighbor ID based policies for backup selection */ c( "exclude" ( /* List of backup neighbors to be excluded */ ipv4addr /* List of backup neighbors to be excluded */ ), "preference" ( /* List of backup neighbors in descending order preference */ ipv4addr /* List of backup neighbors in descending order preference */ ) ) ), "node" ( /* Node ID based policies for backup selection */ c( "exclude" ( /* List of nodes to be excluded */ ipv4addr /* List of nodes to be excluded */ ), "preference" ( /* List of nodes in the descending order of preference */ ipv4addr /* List of nodes in the descending order of preference */ ) ) ), "node-tag" ( /* Node tag policies */ c( "exclude" arg /* The set of node tags to be excluded */, "preference" arg /* The set of node tags in the descending order of preference */ ) ), "root-metric" ( /* Root metric */ ("lowest" | "highest") ), "dest-metric" ( /* Destination metric */ ("lowest" | "highest") ), "metric-order" ( /* Metric evaluation order */ ("root" | "dest") ), "evaluation-order" ( /* Interface policy criteria evaluation order */ ("admin-group" | "srlg" | "bandwidth" | "protection-type" | "backup-neighbor" | "node" | "node-tag" | "metric") ) ) ) ) ) ) ), "fate-sharing" ( /* Fate-sharing links or nodes database */ c( "group" arg ( /* Group of objects sharing common characteristics */ c( "cost" arg /* Cost value */, "use-for-post-convergence-lfa" /* Use this fate-sharing group as a constraint for post-convergence-lfa */, "from" ( fate_sharing_links ) ) ) ) ), "validation" ( /* Define Route validation */ c( "traceoptions" ( /* Trace options for route validation */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "packets" | "keepalive" | "update" | "nsr-synchronization" | "state" | "policy" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "notification-rib" arg /* Define routing tables that get notified upon validation state change */, "group" arg ( /* Define a group of sessions */ c( "max-sessions" arg /* Maximum connected session in this group */, "session" arg ( /* Configure a session */ c( "traceoptions" ( /* Trace options for route validation */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("error" | "packets" | "keepalive" | "update" | "state" | "task" | "timer" | "all")) ( /* Tracing parameters */ sc( "send" /* Trace transmitted packets */, "receive" /* Trace received packets */, "detail" /* Trace detailed information */, "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "refresh-time" arg /* Interval between keepalive packet transmissions */, "hold-time" arg /* Time after which the session is declared down. */, "record-lifetime" arg /* Lifetime of route validation records */, "preference" arg /* Preference for session establishment */, "port" arg /* Portnumber to connect */, "local-address" ( ipaddr ) ) ) ) ), "static" ( /* Define static route validation record */ c( "record" arg ( /* Static route validation record */ c( "maximum-length" arg ( c( "origin-autonomous-system" arg ( c( "validation-state" ( /* Validation state for route validation record */ ("invalid" | "valid") ) ) ) ) ) ) ) ) ) ) ) ) end rule(:export_af_obj) do c( ("disable"), "unicast" ( /* Unicast routing information */ export_subaf_obj /* Unicast routing information */ ), "multicast" ( /* Multicast routing information */ export_subaf_obj /* Multicast routing information */ ), "flow" ( /* Flow routing information */ export_subaf_obj /* Flow routing information */ ) ) end rule(:export_subaf_obj) do c( ("disable"), "rib-group" arg /* Auxiliary rib-group of additional RIBs to consider */ ) end rule(:fate_sharing_links) do arg.as(:arg) ( c( "to" ( /* Point-to-point links */ ipv4addr /* Point-to-point links */ ) ) ).as(:oneline) end rule(:flow_route_inet) do arg.as(:arg) ( c( "no-install" /* Don't install firewall filter in forwarding */, "match" ( /* Flow definition */ flow_route_qualifier_inet /* Flow definition */ ), "then" ( /* Actions to take for this flow */ flow_route_op /* Actions to take for this flow */ ) ) ) end rule(:flow_route_qualifier_inet) do c( "protocol" ( /* IP protocol value */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "tcp-flags" ( /* TCP flags */ ("fin" | "syn" | "rst" | "push" | "ack" | "urgent" | arg) ), "packet-length" ( /* Packet length (0-65535) */ policy_algebra /* Packet length (0-65535) */ ), "dscp" ( /* Differentiated Services (DiffServ) code point (DSCP) (0-63) */ policy_algebra /* Differentiated Services (DiffServ) code point (DSCP) (0-63) */ ), "fragment" ( ("dont-fragment" | "not-a-fragment" | "is-fragment" | "first-fragment" | "last-fragment") ), "destination" ( /* Destination prefix for this traffic flow */ ipv4prefix /* Destination prefix for this traffic flow */ ), "source" ( /* Source prefix for this traffic flow */ ipv4prefix /* Source prefix for this traffic flow */ ), "icmp-code" ( /* ICMP message code */ ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp-type" ( /* ICMP message type */ ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ) ) end rule(:forwarding_table_type) do c( "remnant-holdtime" arg /* Time to hold inherited routes from FIB */, "krt-nexthop-ack-timeout" arg /* Kernel nexthop ack timeout interval */, "consistency-checking" ( /* RIB/FIB consistency checking */ c( ("enable" | "disable"), "period" arg /* Periodicity of scan in seconds */, "threshold" arg /* Mismatch threshold until complaint */ ) ), "export" ( /* Export policy */ policy_algebra /* Export policy */ ), "dynamic-list-next-hop" /* Dynamic next-hop mode for EVPN */, "ecmp-fast-reroute" /* Enable fast reroute for ECMP next hops */, "no-ecmp-fast-reroute" /* Don't enable fast reroute for ECMP next hops */, "indirect-next-hop" /* Install indirect next hops in Packet Forwarding Engine */, "no-indirect-next-hop" /* Don't install indirect next hops in Packet Forwarding Engine */, "indirect-next-hop-change-acknowledgements" /* Request acknowledgements for Indirect next hop changes */, "no-indirect-next-hop-change-acknowledgements" /* Don't request acknowledgements for Indirect next hop changes */, "rib" arg.as(:oneline), "unicast-reverse-path" ( /* Unicast reverse path (RP) verification */ ("active-paths" | "feasible-paths") ), "ip-tunnel-rpf-check" ( /* IP tunnel Reverse Path Forwarding Check */ c( "mode" ( ("strict" | "loose") ), "fail-filter" arg /* Fail filter name for RPF check(family inet|inet6|any) */ ) ), "transit-lsp-statistics-from-route" /* Enable LSP statistics collection from the route */, "chained-composite-next-hop" /* Next-hop chaining mode */ ) end rule(:juniper_sampling_options) do c( ("disable"), "traceoptions" ( /* Traffic sampling trace options */ sampling_traceoptions_type /* Traffic sampling trace options */ ), "sample-once" /* Sample the packet for active-monitoring only once */, "pre-rewrite-tos" /* Sample the packet retaining tos value before normalization */, "input" ( /* Traffic Sampling data acquisition */ sampling_input_type /* Traffic Sampling data acquisition */ ), "output" ( /* Traffic sampling data disposition */ sampling_output_type /* Traffic sampling data disposition */ ), "family" ( /* Address family of packets to sample */ c( "inet" ( /* Sample IPv4 packets */ c( ("disable"), "input" ( /* Settings for sampling of input packets */ sampling_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Traffic sampling data disposition */ sampling_instance_inet_global_output_type /* Traffic sampling data disposition */ ) ) ), "inet6" ( /* Sample IPv6 packets */ c( ("disable"), "input" ( /* Settings for sampling of input packets */ sampling_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Traffic sampling data disposition */ sampling_family_inet6_output_type /* Traffic sampling data disposition */ ) ) ), "mpls" /* Sample mpls packets */ ) ), "instance" arg ( /* Instance of sampling parameters */ c( ("disable"), "input" ( /* Traffic Sampling data acquisition */ sampling_instance_input_type /* Traffic Sampling data acquisition */ ), "family" ( /* Address family of packets to sample */ c( "inet" ( /* Sample IPv4 packets */ c( ("disable"), "input" ( /* Settings for sampling of input packets */ sampling_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Traffic sampling data disposition */ sampling_instance_inet_output_type /* Traffic sampling data disposition */ ) ) ), "inet6" ( /* Sample IPv6 packets */ c( ("disable"), "input" ( /* Settings for sampling of input packets */ sampling_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Traffic sampling data disposition */ sampling_instance_inet6_output_type /* Traffic sampling data disposition */ ) ) ), "mpls" ( /* Sample mpls packets */ c( ("disable"), "input" ( /* Settings for sampling of input packets */ sampling_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Traffic sampling data disposition */ sampling_instance_mpls_output_type /* Traffic sampling data disposition */ ) ) ), "vpls" ( /* Sample vpls packets */ c( ("disable"), "input" ( /* Settings for sampling of input packets */ sampling_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Traffic sampling data disposition */ sampling_instance_vpls_output_type /* Traffic sampling data disposition */ ) ) ), "bridge" ( /* Sample bridge packets */ c( ("disable"), "input" ( /* Settings for sampling of input packets */ sampling_family_input_type /* Settings for sampling of input packets */ ), "output" ( /* Traffic sampling data disposition */ sampling_instance_bridge_output_type /* Traffic sampling data disposition */ ) ) ) ) ) ) ), "jflow-service" ( /* Jflow service configuration */ c( "traceoptions" ( /* Jflow service trace options */ jflow_service_traceoptions /* Jflow service trace options */ ) ) ), "route-record" ( /* Sampling route record configuration */ c( "traceoptions" ( /* Sampling route record trace options */ route_record_traceoptions /* Sampling route record trace options */ ) ) ) ) end rule(:jflow_service_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("parse" | "rtsock" | "sm" | "all")) /* Area of jflow-service to enable debuging output */.as(:oneline) ) end rule(:juniper_services_captive_portal) do c( "authentication-profile-name" arg /* Access profile name to use for authentication */, "traceoptions" ( /* Trace options for CAPTIVE PORTAL */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("dot1x-debug" | "parse" | "esw-if" | "config-internal" | "normal" | "general" | "state" | "task" | "timer" | "all" | "dot1x-ipc" | "dot1x-event")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) ), "interface" ("all" | arg) ( /* Captive Portal interface specific options */ c( "supplicant" ( /* Set supplicant mode for this interface */ ("single" | "single-secure" | "multiple") ), "retries" arg /* Number of retries after which port is placed into wait state */, "quiet-period" arg /* Time to wait after an authentication failure */, "server-timeout" arg /* Authentication server timeout interval */, "session-expiry" arg /* Session Expiry Timeout */, "user-keepalive" arg /* Session keepalive after mac-flush */ ) ), "secure-authentication" ( /* Set secure authentication using encrypted HTTPS or insecure authentication using plain-text HTTP */ ("http" | "https") ), "custom-options" ( /* Captive Portal html user interface customization options */ c( "header-logo" arg /* Path to logo image file */, "header-bgcolor" arg /* Background color of the html header in hex html format */, "header-text-color" arg /* Text color of the html header in hex html format */, "header-message" arg /* Message to be displayed in the html header */, "banner-message" arg /* Terms and Conditions of usage message */, "form-header-message" arg /* Message to be displayed in the login form header */, "form-header-bgcolor" arg /* Background color of the login form header in hex html format */, "form-header-text-color" arg /* Text color of the login form header in hex html format */, "form-submit-label" arg /* Label to be displayed for the login form submit button */, "form-reset-label" arg /* Label to be displayed for the login form reset button */, "footer-message" arg /* Message to be displayed in the html footer */, "footer-bgcolor" arg /* Background color of the html footer in hex html format */, "footer-text-color" arg /* Text color of the footer in hex html format */, "post-authentication-url" arg /* Post authentication redirection URL */ ) ) ) end rule(:juniper_system) do c( "commit" ( /* Configuration commit management */ c( "server" ( /* Commit server (batch commit) */ c( "maximum-aggregate-pool" arg /* Maximum number of transactions to aggregate */, "maximum-entries" arg /* Maximum number of transactions allowed in queue */, "commit-interval" arg /* Number of seconds between commits */, "retry-attempts" arg /* Retry attempts for commit failure due to db lock error */, "retry-interval" arg /* Retry interval in seconds for commit failure */, "days-to-keep-error-logs" arg /* Number of day to keep error log entries */, "redirect-completion-status" arg /* Redirect Async commit status to server configured here */, "commit-schedule-profile" arg ( /* Scheduling profile for asynchronous low priority commits */ c( "start-time" arg /* Time when the schedule starts processing low priority jobs (hh:mm) */, "end-time" arg /* Time when the schedule stops processing low priority jobs (hh:mm) */, "interruptible" /* Allow the low priority jobs to be interrupted during the schedule */, "load-average" ( /* Max load average of system at which schedule starts (last 1 min) */ unsigned_float /* Max load average of system at which schedule starts (last 1 min) */ ) ) ), "traceoptions" ( /* Trace options for commit server */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "microsecond-stamp" /* Timestamp with microsecond granularity */ ) ).as(:oneline), "flag" enum(("all" | "commit-server" | "batch" | "configuration")) /* Tracing parameters */.as(:oneline) ) ) ) ), "notification" /* Notify applications upon commit complete */, "fast-synchronize" /* Parallelized commit synchronizing multiple routing-engines */, "synchronize" /* Synchronize commit on both Routing Engines by default */, "peers-synchronize" /* Synchronize commit on remote peers by default */, "delta-export" /* Export only delta configuration during commit */, "peers" ( /* Commit peers-synchronize details */ peers_type /* Commit peers-synchronize details */ ), "commit-synchronize-server" ( /* Commit synchronize server configuration */ c( "traceoptions" ( /* Traceoptions for commit synchronize server */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "microsecond-stamp" /* Timestamp with microsecond granularity */ ) ).as(:oneline), "flag" enum(("ephemeral-commit" | "operational-command" | "debug" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "persist-groups-inheritance" /* Build configuration groups inheritance path */ ) ), "configuration-database" ( /* Configuration database parameters */ c( "ephemeral" ( /* Configure ephemeral database */ c( "instance" arg /* Configure ephemeral instances */, "ignore-ephemeral-default" /* Ignore ephemeral default database */, "allow-commit-synchronize-with-gres" /* Allow ephemeral commit synchronize with GRES */ ) ), "virtual-memory-mapping" ( /* Virtual memory mapping configuration */ c( "process" arg ( /* Per process configuration */ c( "fixed-size" arg /* Fixed memory mapped size in kilobytes */, "page-pooling-size" arg /* Page pooling memory mapped size in kilobytes */, "page-leak-debug" /* Page leak detection */ ) ), "process-set" ( /* Set of processes using page pool */ c( "subscriber-management" ( /* Subscriber management processes will use page pooling */ c( "fixed-size" arg /* Fixed memory mapped size */, "page-pooling-size" arg /* Page pooling memory mapped size */ ) ) ) ) ) ), "extend-size" /* Extend configuration database upto 1.5G */, "resize" ( /* Resize configuration database */ c( "database-size-on-disk" arg /* Minimum configuration database size on disk */, "database-size-diff" arg /* Difference between database size and actual usage */ ) ), "max-db-size" arg /* Max database size */ ) ), "login" ( /* Names, login classes, and passwords for users */ c( "retry-options" ( /* Configure password retry options */ c( "tries-before-disconnect" arg /* Number of times user is allowed to try password */, "backoff-threshold" arg /* Number of password failures before delay is introduced */, "backoff-factor" arg /* Delay factor after 'backoff-threshold' password failures */, "minimum-time" arg /* Minimum total connection time if all attempts fail */, "maximum-time" arg /* Maximum time the connection will remain for user to enter username and password */, "lockout-period" arg /* Amount of time user account is locked after 'tries-before-disconnect' failures */ ) ), "idle-timeout" arg /* Maximum idle time before logout */, "class" ( /* Login class */ login_class_object /* Login class */ ), "user" ( /* Username */ login_user_object /* Username */ ), "password" ( /* Password configuration */ c( "minimum-character-changes" arg /* Minimum number of character changes between old and new passwords */, "minimum-reuse" arg /* Minimum number of old passwords which should not be same as the new password */, "minimum-length" arg /* Minimum password length for all users */, "maximum-length" arg /* Maximum password length for all users */, "change-type" ( /* Password change type */ ("character-sets" | "set-transitions") ), "minimum-changes" arg /* Minimum number of changes in password */, "minimum-numerics" arg /* Minimum number of numeric class characters in password */, "minimum-upper-cases" arg /* Minimum number of upper-case class characters in password */, "minimum-lower-cases" arg /* Minimum number of lower-case class characters in password */, "minimum-punctuations" arg /* Minimum number of punctuation class characters in password */, "format" ( /* Encryption method to use for password */ ("sha1" | "sha256" | "sha512" | "md5" | "des") ) ) ), "deny-sources" ( /* Sources from which logins are denied */ c( "address" ( /* IPv4/IPv6 addresses, prefix length optional, or hostnames */ ipprefix_optional /* IPv4/IPv6 addresses, prefix length optional, or hostnames */ ) ) ), "announcement" arg /* System announcement message (displayed after login) */, "message" arg /* System login message */ ) ), "root-authentication" ( /* Authentication information for the root login */ authentication_object /* Authentication information for the root login */ ), "autoinstallation" ( /* Autoinstallation configuration */ c( "continue-network-mode" /* Autoinstallation continue network mode */, "interfaces" arg ( /* Interfaces to perform autoinstallation */ c( "bootp" /* Enable BOOTP/DHCP during autoinstallation */, "rarp" /* Enable RARP during autoinstallation */, "slarp" /* Enable SLARP during autoinstallation */ ) ), "configuration-servers" arg ( /* Servers to retrieve configuration files from */ sc( "password" ( /* Password for authentication with the configuration server */ unreadable /* Password for authentication with the configuration server */ ) ) ).as(:oneline), "usb" /* USB Autoinstallation process */ ) ), "host-name" arg /* Hostname for this router */, "auto-snapshot" /* Enable auto-snapshot when boots from alternate slice */, "unattended-boot" /* Enable Unattended Boot mode */, "jdos" /* Enable Juniper Diagnostics Operating System */, "dgasp-int" /* Enable Dying Gasp Interrupt */, "dgasp-usb" /* Enable USB reset in Dying Gasp Interrupt */, "domain-name" arg /* Domain name for this router */, "domain-search" arg /* List of domain names to search */, "no-hidden-commands" /* Deny hidden commands for all users except root */, "backup-router" ( /* IPv4 router to use while booting */ sc( ipv4addr /* Address of router to use while booting */, "destination" ( /* Destination network reachable through the router */ ipv4prefix /* Destination network reachable through the router */ ) ) ).as(:oneline), "inet6-backup-router" ( /* IPv6 router to use while booting */ sc( "destination" ( /* Destination network reachable through the router */ ipv6prefix /* Destination network reachable through the router */ ), ipv6addr /* Address of router to use while booting */ ) ).as(:oneline), "time-zone" arg /* Time zone name or POSIX-compliant time zone string */, "use-imported-time-zones" /* Use locally generated time-zone database */, "regex-additive-logic" /* Set regex-additive-logic */, "switchover-on-routing-crash" /* On failure, switch mastership to other Routing Engine */, "default-address-selection" /* Use system address for locally originated traffic */, "ndcpp-compliant" /* Enable NDcPP compliance */, "nd-maxmcast-solicit" arg /* Set Maximum multicast solicit */, "nd-maxucast-retry" arg /* Set Maximum unicast retry count */, "nd-retransmit-timer" arg /* Set retransmit timer */, "nd-system-cache-limit" arg /* Set max system cache size for IPv6 nexthops */, "arp-system-cache-limit" arg /* Set max system cache size for ARP nexthops */, "no-neighbor-learn" /* Disable neighbor address learning */, "no-multicast-echo" /* Disable ICMP echo on multicast addresses */, "no-redirects" /* Disable ICMP redirects */, "no-redirects-ipv6" /* Disable IPV6 ICMP redirects */, "nd-override-preferred-src" /* Do not use preferred source address for unnumbered interface as the source of NA/NS */, "no-ping-record-route" /* Do not insert IP address in ping replies */, "no-ping-time-stamp" /* Do not insert time stamp in ping replies */, "dump-device" ( /* Device to record memory snapshots on operating system failure */ (arg | "boot-device" | "usb" | "compact-flash" | "removable-compact-flash") ), "arp" ( /* ARP settings */ c( "aging-timer" arg /* Change the ARP aging time value */, "interfaces" ( /* Logical interface on which to specify ARP aging timer */ c( arp_interface_type ) ), "passive-learning" /* ARP passive learning */, "purging" /* ARP purging when link goes down */, "gratuitous-arp-on-ifup" /* Gratuitous ARP announcement on interface up */, "gratuitous-arp-delay" arg /* Delay gratuitous ARP request */, "non-subscriber-no-reply" /* Do not reply to ARP requests from non-subscribers */ ) ), "personality-file-list-of-directories" arg /* List of Optional directories for personality-tarball of device */, "saved-core-files" arg /* Number of saved core files per executable */, "saved-core-context" /* Save context information for core files */, "no-saved-core-context" /* Don't save context information for core files */, "kernel-replication" ( /* Kernel replication */ c( "system-reboot" arg /* Reboot standby routing engine */, "no-syscall-trace" /* Disable syscall trace script capture */, "no-multithreading" /* Disable kernel-replication multithreading */ ) ), "mirror-flash-on-disk" /* Mirror contents of the flash drive onto hard drive */, "icmp-rate-limit" ( /* Rate-limiting parameters for ICMP messages */ sc( "packet-rate" arg /* ICMP rate-limiting packets earned per second */, "bucket-size" arg /* ICMP rate-limiting maximum bucket size */ ) ).as(:oneline), "tcp-ack-rst-syn" /* Send ACKs for in-window RSTs and SYN packets on TCP connections */, "management-instance" /* Enable Management VRF Instance */, "demux-options" ( /* Tunable options for demux link local address generation */ c( "use-underlying-interface-mac" /* Use underlying interface MAC for link local address */ ) ), "internet-options" ( /* Tunable options for Internet operation */ c( "icmpv4-rate-limit" ( /* Rate-limiting parameters for ICMPv4 messages */ sc( "packet-rate" arg /* ICMP rate-limiting packets earned per second */, "bucket-size" arg /* ICMP rate-limiting maximum bucket size */ ) ).as(:oneline), "icmpv6-rate-limit" ( /* Rate-limiting parameters for ICMPv6 messages */ sc( "packet-rate" arg /* ICMPv6 rate-limiting packets earned per second */, "bucket-size" arg /* ICMPv6 rate-limiting maximum bucket size */ ) ).as(:oneline), "path-mtu-discovery" /* Enable Path MTU discovery on TCP connections */, "no-path-mtu-discovery" /* Don't enable Path MTU discovery on TCP connections */, "gre-path-mtu-discovery" /* Enable path MTU discovery for GRE tunnels */, "no-gre-path-mtu-discovery" /* Don't enable path MTU discovery for GRE tunnels */, "ipip-path-mtu-discovery" /* Enable path MTU discovery for IP-IP tunnels */, "no-ipip-path-mtu-discovery" /* Don't enable path MTU discovery for IP-IP tunnels */, "source-port" ( /* Source port selection parameters */ c( "upper-limit" arg /* Specify upper limit of source port selection range */ ) ), "source-quench" /* React to incoming ICMP Source Quench messages */, "no-source-quench" /* Don't react to incoming ICMP Source Quench messages */, "tcp-mss" arg /* Maximum value of TCP MSS for IPV4 traffic */, "tcp-drop-synfin-set" /* Drop TCP packets that have both SYN and FIN flags */, "no-tcp-rfc1323" /* Disable RFC 1323 TCP extensions */, "no-tcp-rfc1323-paws" /* Disable RFC 1323 Protection Against Wrapped Sequence Number extension */, "ipv6-reject-zero-hop-limit" /* Enable dropping IPv6 packets with zero hop-limit */, "no-ipv6-reject-zero-hop-limit" /* Don't enable dropping IPv6 packets with zero hop-limit */, "ipv6-duplicate-addr-detection-transmits" arg /* IPv6 Duplicate address detection transmits */, "ipv6-path-mtu-discovery" /* Enable IPv6 Path MTU discovery */, "no-ipv6-path-mtu-discovery" /* Don't enable IPv6 Path MTU discovery */, "ipv6-path-mtu-discovery-timeout" arg /* IPv6 Path MTU Discovery timeout */, "no-tcp-reset" ( /* Do not send RST TCP packet for packets sent to non-listening ports */ ("drop-tcp-with-syn-only" | "drop-all-tcp") ) ) ), "authentication-order" ( ("radius" | "tacplus" | "password") ), "location" ( /* Location of the system, in various forms */ location_type /* Location of the system, in various forms */ ), "ports" ( /* Craft interface RS-232 ports */ c( "console" ( /* Console port */ tty_port_object /* Console port */ ), "auxiliary" ( /* Auxiliary port */ tty_port_object /* Auxiliary port */ ) ) ), "diag-port-authentication" ( /* Authentication for the diagnostic port */ c( "plain-text-password-value" arg /* Plain text password */, "encrypted-password" arg /* Encrypted password string */ ) ), "pic-console-authentication" ( /* Authentication for the console port on PICs */ c( "plain-text-password-value" arg /* Plain text password */, "encrypted-password" arg /* Encrypted password string */ ) ), "boot-loader-authentication" /* Authentication for the boot loader */, "name-server" ( /* DNS name servers */ nameserver_object /* DNS name servers */ ), "radius-server" ( /* RADIUS server configuration */ radius_server_object /* RADIUS server configuration */ ), "dynamic-profile-options" ( /* Dynamic profile options */ dynamic_profile_option_object /* Dynamic profile options */ ), "tacplus-server" ( /* TACACS+ server configuration */ tacplus_server_object /* TACACS+ server configuration */ ), "radius-options" ( /* RADIUS options */ c( "password-protocol" ( /* Specify password protocol used in RADIUS packets */ ("mschap-v2") ), "enhanced-accounting" /* Include authentication method, remote port and user-privileges in 'login' accounting */, "attributes" ( /* Configure RADIUS attributes */ c( "nas-ip-address" ( /* Value of NAS-IP-Address in outgoing RADIUS packets */ ipaddr /* Value of NAS-IP-Address in outgoing RADIUS packets */ ) ) ) ) ), "tacplus-options" ( /* TACACS+ options */ c( "service-name" arg /* TACACS+ service name */, "authorization-time-interval" arg /* TACACS+ authorization refresh time interval */, "strict-authorization" /* Deny login if authorization request fails */, "no-strict-authorization" /* Don't deny login if authorization request fails */, c( "no-cmd-attribute-value" /* In start/stop requests, set 'cmd' attribute value to empty string */, "exclude-cmd-attribute" /* In start/stop requests, do not include 'cmd' attribute */ ), "enhanced-accounting" /* Include authentication method, remote port and user-privileges in 'login' accounting */, "timestamp-and-timezone" /* In start/stop accounting packets, include 'start-time', 'stop-time' and 'timezone' attributes */ ) ), "accounting" ( /* System accounting configuration */ c( "events" ( /* Events to be logged */ ("login" | "change-log" | "interactive-commands") ), "enhanced-avs-max" arg /* No. of AV pairs each of which can store a max of 250 Bytes */, "traceoptions" ( /* Trace options for system accounting */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ).as(:oneline), "flag" enum(("all" | "events" | "config" | "radius" | "tacplus")) /* Tracing parameters */.as(:oneline) ) ), "destination" ( /* Destination for system accounting records */ c( "radius" ( /* Configure RADIUS accounting */ c( "server" ( /* RADIUS accounting server configuration */ radius_server_object /* RADIUS accounting server configuration */ ) ) ), "tacplus" ( /* Send TACACS+ accounting records */ c( "server" ( /* TACACS+ server configuration */ tacplus_server_object /* TACACS+ server configuration */ ) ) ) ) ) ) ), "allow-v4mapped-packets" /* Allow processing for packets with V4 mapped address */, "allow-6pe-traceroute" /* Allow IPv4-mapped v6 address in tag icmp6 TTL expired packet */, "allow-6vpe-traceroute-src-select" /* Select best src addr for icmp6 ttl expiry error in case 6vpe */, "donot-disable-ip6op-ondad" /* Do not disable IP operation on interface, if DAD fails on EUI-64 link local address */, "scripts" ( /* Scripting mechanisms */ scripts_type /* Scripting mechanisms */ ), "schema" ( /* System schema */ c( "openconfig" ( /* Openconfig schema options */ c( "unhide" /* Unhide openconfig from CLI */ ) ) ) ), "static-host-mapping" arg ( /* Static hostname database mapping */ c( "inet" ( /* IP address */ ipv4addr /* IP address */ ), "inet6" ( /* IPv6 address */ ipv6addr /* IPv6 address */ ), "sysid" ( /* ISO/IS-IS system identifier */ sysid /* ISO/IS-IS system identifier */ ), "alias" arg /* Hostname alias */ ) ), "services" ( /* System services */ c( "finger" ( /* Allow finger requests from remote systems */ c( "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */ ) ), "ftp" ( /* Allow FTP file transfers */ c( "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */, "authentication-order" ( ("radius" | "tacplus" | "password") ) ) ), "ssh" ( /* Allow ssh access */ c( "authentication-order" ( ("radius" | "tacplus" | "password") ), "root-login" ( /* Configure root access via ssh */ ("allow" | "deny" | "deny-password") ), "no-passwords" /* Disables ssh password based authentication */, "no-public-keys" /* Disables ssh public key based authentication */, c( "tcp-forwarding" /* Allow forwarding TCP connections via SSH */, "no-tcp-forwarding" /* Do not allow forwarding TCP connections via SSH */ ), "protocol-version" ( /* Specify ssh protocol versions supported */ ("v1" | "v2") ), "max-sessions-per-connection" arg /* Maximum number of sessions per single SSH connection */, "max-pre-authentication-packets" arg /* Maximum number of pre-authentication SSH packets per single SSH connection */, "ciphers" ( /* Specify the ciphers allowed for protocol version 2 */ ("3des-cbc" | "aes128-cbc" | "aes192-cbc" | "aes256-cbc" | "aes128-ctr" | "aes192-ctr" | "aes256-ctr" | "aes128-gcm@openssh.com" | "aes256-gcm@openssh.com" | "chacha20-poly1305@openssh.com" | "arcfour128" | "arcfour256" | "arcfour" | "blowfish-cbc" | "cast128-cbc") ), "macs" ( /* Message Authentication Code algorithms allowed (SSHv2) */ ("hmac-md5" | "hmac-md5-etm@openssh.com" | "hmac-sha1" | "hmac-sha1-etm@openssh.com" | "umac-64@openssh.com" | "umac-128@openssh.com" | "umac-64-etm@openssh.com" | "umac-128-etm@openssh.com" | "hmac-sha2-256" | "hmac-sha2-256-etm@openssh.com" | "hmac-sha2-256-96" | "hmac-sha2-512" | "hmac-sha2-512-etm@openssh.com" | "hmac-sha2-512-96" | "hmac-ripemd160" | "hmac-ripemd160-etm@openssh.com" | "hmac-sha1-96" | "hmac-sha1-96-etm@openssh.com" | "hmac-md5-96" | "hmac-md5-96-etm@openssh.com") ), "key-exchange" ( /* Specify ssh key-exchange for Diffie-Hellman keys */ ("curve25519-sha256" | "ecdh-sha2-nistp256" | "ecdh-sha2-nistp384" | "ecdh-sha2-nistp521" | "group-exchange-sha2" | "group-exchange-sha1" | "dh-group14-sha1" | "dh-group1-sha1") ), "client-alive-count-max" arg /* Threshold of missing client-alive responses that triggers a disconnect */, "client-alive-interval" arg /* Frequency of client-alive requests */, "hostkey-algorithm" ( /* Specify permissible SSH host-key algorithms */ c( c( "no-ssh-dss" /* Disallow generation of 1024-bit DSA host-key */, "ssh-dss" ( /* Allow generation of 1024-bit DSA host-key */ c( c( "allow" /* Allow generation of 1024-bit DSA host-key */, "deny" /* Disallow generation of 1024-bit DSA host-key */ ) ) ) ), c( "no-ssh-rsa" /* Disallow generation of RSA host-key */, "ssh-rsa" ( /* Allow generation of RSA host-key */ c( c( "allow" /* Allow generation of RSA host-key */, "deny" /* Disallow generation of RSA host-key */ ) ) ) ), c( "no-ssh-ecdsa" /* Disallow generation of ECDSA host-key */, "ssh-ecdsa" ( /* Allow generation of ECDSA host-key */ c( c( "allow" /* Allow generation of ECDSA host-key */, "deny" /* Disallow generation of ECDSA host-key */ ) ) ) ), c( "no-ssh-ed25519" /* Disallow generation of ED25519 host-key */, "ssh-ed25519" /* Allow generation of ED25519 host-key */ ) ) ), "fingerprint-hash" ( /* Configure hash algorithm used when displaying key fingerprints */ ("sha2-256" | "md5") ), "authorized-keys-command" arg /* Specifies a command string to be used to look up the user's public keys */, "authorized-keys-command-user" arg /* Specifies the user under whose account the authorized-keys-command is run */, "rekey" ( /* Limits before session keys are renegotiated */ c( "data-limit" arg /* Data limit before renegotiating session keys */, "time-limit" arg /* Time limit before renegotiating session keys */ ) ), "port" arg /* Port number to accept incoming connections */, "log-key-changes" /* Log changes to authorized keys to syslog */, "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */ ) ), "telnet" ( /* Allow telnet login */ c( "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */, "authentication-order" ( ("radius" | "tacplus" | "password") ) ) ), "xnm-clear-text" ( /* Allow clear text-based JUNOScript connections */ c( "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */ ) ), "xnm-ssl" ( /* Allow SSL-based JUNOScript connections */ c( "local-certificate" arg /* Name of local X.509 certificate to use */, "ssl-renegotiation" /* Allow SSL renegotiation */, "no-ssl-renegotiation" /* Don't allow SSL renegotiation */, "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */ ) ), "extension-service" ( /* Enable JUNOS extension services */ c( "request-response" ( /* Allow request-response API execution */ c( "grpc" ( /* Grpc server configuration */ c( c( "ssl" ( /* SSL based API connection settings */ c( "address" ( /* Address to listen for incoming connections */ ipaddr /* Address to listen for incoming connections */ ), "port" arg /* Port number to accept incoming connections */, "local-certificate" arg /* Name of local X.509 certificate to use */, "mutual-authentication" ( /* Enable TLS mutual authentication */ c( "certificate-authority" arg /* Certificate authority profile */, "client-certificate-request" ( /* Specify requirements for client certificate */ ("no-certificate" | "request-certificate" | "request-certificate-and-verify" | "require-certificate" | "require-certificate-and-verify") ) ) ) ) ) ), "max-connections" arg /* Maximum number of connections */ ) ) ) ), "notification" ( /* Enable Notification Services */ c( "port" arg /* Port number to accept incoming connections */, "max-connections" arg /* Maximum number of connections */, "broker-socket-send-buffer-size" arg /* Socket send buffer size for the broker to publish the messages */, "allow-clients" ( /* Client IPs from which notifications are allowed */ c( "address" ( /* IPv4/IPv6 addresses, prefix length optional, or hostnames */ ipprefix_optional /* IPv4/IPv6 addresses, prefix length optional, or hostnames */ ) ) ) ) ), "traceoptions" ( /* Trace options for JSD */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("timer" | "timeouts" | "routing-socket" | "general" | "config" | "grpc" | "notification" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "netconf" ( /* Allow NETCONF connections */ c( "ssh" ( /* Allow NETCONF over SSH */ c( "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */, "port" arg /* Service port number */ ) ), "rfc-compliant" /* Make the NETCONF sessions compliant to RFC 4741 */, "yang-compliant" /* Make the NETCONF sessions compliant to yang schemas */, "yang-modules" ( /* Tweak settings for YANG modules served on this device */ c( "device-specific" /* Serve YANG modules specific to this device */, "emit-extensions" /* Enable serving of Junos YANG extension modules */ ) ), "traceoptions" ( /* NETCONF trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "incoming" | "outgoing" | "debug")) /* Tracing parameters */.as(:oneline), "on-demand" /* Enable on-demand tracing */ ) ) ) ), "tftp-server" ( /* Enable TFTP file transfers */ c( "connection-limit" arg /* Maximum number of allowed connections */, "rate-limit" arg /* Maximum number of connections per minute */ ) ), "flow-tap-dtcp" /* Configure DTCP-based Flow-tap service */, "dtcp-only" /* Allow subscriber DTCP based lawful intercept only */, "reverse" ( /* Allow connections to device connected to the AUX port */ c( "telnet" ( /* Allow reverse telnet connections (over AUX port) */ c( "port" arg /* Port number to accept reverse telnet connections */ ) ), "ssh" ( /* Allow reverse SSH connections (over AUX port) */ c( "port" arg /* Port number to accept reverse SSH connections */ ) ) ) ), "dns" ( /* Enable Name server */ c( "max-cache-ttl" arg /* Max TTL for cached responses */, "max-ncache-ttl" arg /* Max TTL for cached negative responses */, "traceoptions" ( /* DNS server trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ).as(:oneline), "debug-level" arg /* Debug level */, "category" ("default" | "general" | "database" | "security" | "config" | "resolver" | "xfer-in" | "xfer-out" | "notify" | "client" | "unmatched" | "network" | "update" | "update-security" | "queries" | "dispatch" | "dnssec" | "lame-servers" | "delegation-only" | "edns-disabled") /* Logging category */.as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("ddns" | "config" | "ui" | "rtsock" | "all" | "trace")) /* Area of NAMED demon to enable debugging output */.as(:oneline) ) ), "forwarders" arg /* Server IPs to DNS query will be forwarded */, "dnssec" ( /* Configure DNSSEC */ c( "disable" /* Disable DNSSEC */, "trusted-keys" ( /* Trusted keys */ c( "key" arg /* Trusted key */ ) ), "dlv" ( /* Configure DLV (DNS Lookaside Validation) */ s( "domain" arg /* Name of the domain */, "trusted-anchor" arg /* Trusted DLV anchor */ ) ).as(:oneline), "secure-domains" arg /* Domains for which only signed responses are accepted */ ) ), "dns-proxy" ( /* Configure DNS proxy server */ c( "propogate-setting" ( /* Use dhcp/pppoe propogated name-server as forwarders for DNS proxy */ ("enable" | "disable") ), "interface" arg /* Configure interface for DNS proxy */, "default-domain" arg ( /* Configure domain for split DNS */ c( "forwarders" arg /* Server IP for forwarding DNS query */ ) ), "cache" arg ( /* Configure DNS proxy static cache entries */ sc( "inet" ( /* Host's IPv4 address */ ipaddr /* Host's IPv4 address */ ) ) ).as(:oneline), "view" arg ( /* Configure view for split DNS */ c( "match-clients" arg /* Interface IP to DNS query will be handled */, "domain" arg ( /* Configure domain for split DNS */ c( "forward-only" /* The server will only forward queries */, "forwarders" arg /* Server IP for forwarding DNS query */ ) ) ) ) ) ) ) ), "service-deployment" ( /* Configuration for Service Deployment (SDXD) management application */ c( "local-certificate" arg /* Name of local X.509 certificate to use */, "source-address" ( /* Local IPv4 address to be used as source address for traffic to SDX */ ipv4addr /* Local IPv4 address to be used as source address for traffic to SDX */ ), "servers" arg ( /* Service deployment system configuration */ c( "port" arg /* TCP port of SDX server */, "user" arg /* Username used by SDX when logging into the router */, "security-options" ( /* Specify mechanism to secure the connection */ c( c( "tls" /* Use TLS for transport layer security */, "ssl3" /* Use SSLv3 for transport layer security */ ) ) ) ) ), "traceoptions" ( /* Service deployment daemon trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("beep" | "profile" | "application" | "io" | "all")) /* Tracing options */.as(:oneline) ) ) ) ), "outbound-ssh" ( /* Initiate outbound SSH connection */ c( "traceoptions" ( /* Outbound SSH trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "connectivity" | "all")) /* Tracing parameters */.as(:oneline) ) ), "client" arg ( /* Define a device initiated SSH connection */ c( "disable-ssh-security-settings" /* Disable ssh security parameter defined under [system services ssh] */, "device-id" arg /* Unique ID used by client to identify this device */, "secret" ( /* Shared secret between client and this device */ unreadable /* Shared secret between client and this device */ ), "keep-alive" ( c( "retry" arg /* Maximum number of connection attempts */, "timeout" arg /* Timeout value for conection attempts */ ) ), "reconnect-strategy" ( /* Strategy used to reconnect to a server */ ("sticky" | "in-order") ), "services" ( /* The subsystem(s) that can be invoked */ ("netconf") ), c( "port" arg /* Client port to connect to */, "retry" arg /* Maximum number of connection attempts */, "timeout" arg /* Timeout value for conection attempts */ ) ) ) ) ), "rest" ( /* Allow RPC execution over HTTP(S) connection */ c( "http" ( /* Unencrypted HTTP connection settings */ c( "port" arg /* Port number to accept HTTP connections */, "addresses" ( /* List of addresses to listen for incoming connections */ ipv4addr /* List of addresses to listen for incoming connections */ ) ) ), "https" ( /* Encrypted HTTPS connections */ c( "port" arg /* Port number to accept HTTPS connections */, "addresses" ( /* List of addresses to listen for incoming connections */ ipv4addr /* List of addresses to listen for incoming connections */ ), "server-certificate" arg /* Local certificate identifier */, "cipher-list" ( /* List of allowed cipher suites in order of preference */ ("rsa-with-rc4-128-md5" | "rsa-with-rc4-128-sha" | "rsa-with-3des-ede-cbc-sha" | "dhe-rsa-with-3des-ede-cbc-sha" | "rsa-with-aes-128-cbc-sha" | "dhe-rsa-with-aes-128-cbc-sha" | "rsa-with-aes-256-cbc-sha" | "dhe-rsa-with-aes-256-cbc-sha" | "ecdhe-rsa-with-rc4-128-sha" | "ecdhe-rsa-with-3des-ede-cbc-sha" | "ecdhe-rsa-with-aes-128-cbc-sha" | "ecdhe-rsa-with-aes-256-cbc-sha" | "rsa-with-aes-128-cbc-sha256" | "rsa-with-aes-256-cbc-sha256" | "dhe-rsa-with-aes-128-cbc-sha256" | "dhe-rsa-with-aes-256-cbc-sha256" | "rsa-with-aes-128-gcm-sha256" | "rsa-with-aes-256-gcm-sha384" | "dhe-rsa-with-aes-128-gcm-sha256" | "dhe-rsa-with-aes-256-gcm-sha384" | "ecdhe-rsa-with-aes-128-cbc-sha256" | "ecdhe-rsa-with-aes-256-cbc-sha384" | "ecdhe-rsa-with-aes-128-gcm-sha256" | "ecdhe-rsa-with-aes-256-gcm-sha384") ), "mutual-authentication" ( /* Enable TLS mutual authentication */ c( "certificate-authority" arg /* Certificate authority profile */ ) ) ) ), "control" ( /* Control of the rest-api process */ c( "allowed-sources" ( /* List of allowed source IP addresses */ ipv4addr /* List of allowed source IP addresses */ ), "connection-limit" arg /* Maximum number of simultaneous connections */ ) ), "traceoptions" ( /* Trace options for rest-api service */ c( "flag" ( /* Area to enable tracing */ ("lighttpd" | "juise" | "all") ) ) ), "enable-explorer" /* Enable REST API explorer tool */ ) ), "netproxy" /* Netproxy configuration */, "subscriber-management-helper" ( /* Subscriber management helper configuration */ smihelperd_type /* Subscriber management helper configuration */ ), "dhcp-local-server" ( /* Dynamic Host Configuration Protocol server configuration */ jdhcp_local_server_type /* Dynamic Host Configuration Protocol server configuration */ ), "dhcp-proxy-client" ( /* Dynamic Host Configuration Protocol Proxy client configuration */ jdhcp_proxy_client_type /* Dynamic Host Configuration Protocol Proxy client configuration */ ), "database-replication" ( /* Database replication configuration */ bdbrepd_type /* Database replication configuration */ ), "web-management" ( /* Web management configuration */ c( "traceoptions" ( /* Web management trace options */ httpd_traceoptions_type /* Web management trace options */ ), "management-url" arg /* URL path for web management access */, "http" ( /* Unencrypted HTTP connection settings */ c( "port" arg /* TCP port for incoming HTTP connections */, "interface" ( /* Interfaces that accept HTTP access */ interface_name /* Interfaces that accept HTTP access */ ) ) ), "https" ( /* Encrypted HTTPS connections */ c( "port" arg /* TCP port for incoming HTTPS connections */, c( "local-certificate" arg /* X.509 certificate to use (from configuration) */, "pki-local-certificate" arg /* X.509 certificate to use (from PKI local store) */, "system-generated-certificate" /* X.509 certificate generated automatically by system */ ), "interface" ( /* Interfaces that accept HTTPS access */ interface_name /* Interfaces that accept HTTPS access */ ) ) ), "control" ( /* Control of the web management process */ c( "max-threads" arg /* Maximum simultaneous threads to handle requests */ ) ), "session" ( /* Session parameters */ c( "idle-timeout" arg /* Default timeout of web-management sessions */, "session-limit" arg /* Maximum number of web-management sessions to allow */ ) ) ) ), "static-subscribers" ( /* Static Subscriber Client configuration */ jsscd_static_subscribers_type /* Static Subscriber Client configuration */ ), "subscriber-management" ( /* Subscriber management configuration */ smid_type /* Subscriber management configuration */ ), "resource-monitor" ( /* Resource monitor configuration */ resource_monitor_type /* Resource monitor configuration */ ), "extensible-subscriber-services" ( /* Extensible Subscriber Services Configuration */ c( "maximum-subscribers" ( /* Maximum number of subscribers */ c( arg ) ), "commit-interval" ( /* Script configuration commit interval */ c( arg ) ), "flat-file-accounting-interval" ( /* Flat file accounting collection interval */ c( arg ) ), "flat-file-rollover-interval" ( /* Flat file accounting rollover interval */ c( arg ) ), "logical-interface-unit-range" ( /* Logical interface unit range */ c( "low" arg /* Lower limit of logical interface unit range */, "high" arg /* Upper limit of logical interface unit range */ ) ), "dictionary" ( /* Dictionary Information */ c( filename /* Complete path with dictionary name */ ) ), "flat-file-accounting-format" ( /* Flat file accounting format */ c( c( "ipdr" /* IPDR format */, "csv" /* CSV format */ ) ) ), "access-profile" ( /* Access profile reference */ c( arg ) ), "flat-file-profile" arg /* Flat file profile name */ ) ), "dhcp" ( /* Configure DHCP server */ c( "maximum-lease-time" ( /* Maximum lease time advertised to clients */ ("infinite" | arg) ), "default-lease-time" ( /* Default lease time advertised to clients */ ("infinite" | arg) ), "domain-name" arg /* Domain name advertised to clients */, "name-server" arg /* Domain name servers available to the client */, "domain-search" arg /* Domain search list used to resolve hostnames */, "wins-server" arg /* NetBIOS name servers */, "router" arg /* Routers advertised to clients */, "boot-file" arg /* Boot filename advertised to clients */, "boot-server" arg /* Boot server advertised to clients */, "next-server" ( /* Next server that clients need to contact */ ipv4addr /* Next server that clients need to contact */ ), "server-identifier" ( /* DHCP server identifier advertised to clients */ ipv4addr /* DHCP server identifier advertised to clients */ ), "option" arg ( /* DHCP option */ sc( c( "flag" ( /* Boolean flag value */ ("true" | "false" | "on" | "off") ), "byte" arg /* Unsigned 8-bit value */, "short" arg /* Signed 16-bit numeric value */, "unsigned-short" arg /* Unsigned 16-bit numeric value */, "integer" arg /* Signed 32-bit numeric value */, "unsigned-integer" arg /* Unsigned 32-bit numeric value */, "string" arg /* Character string value */, "ip-address" ( /* IP address value */ ipv4addr /* IP address value */ ), "array" ( /* Array of values */ c( c( "flag" ( /* Array of boolean flag values */ ("true" | "false" | "on" | "off") ), "byte" arg /* Array of unsigned 8-bit values */, "short" arg /* Array of signed 16-bit numeric values */, "unsigned-short" arg /* Array of 16-bit numeric values */, "integer" arg /* Array of signed 32-bit numeric values */, "unsigned-integer" arg /* Array of unsigned 32-bit numeric values */, "string" arg /* Array of character string values */, "ip-address" ( /* Array of IP address values */ ipv4addr /* Array of IP address values */ ) ) ) ), "byte-stream" arg /* Stream of unsigned 8-bit values within quotes */ ) ) ).as(:oneline), "sip-server" ( /* SIP servers to clients */ c( "name" arg /* Names of SIP servers */, "address" arg /* IP addresses of SIP servers */ ) ), "traceoptions" ( /* DHCP server trace options */ dhcp_traceoptions_type /* DHCP server trace options */ ), "pool" arg ( /* DHCP address pool */ c( "address-range" ( /* Range of addresses to choose from */ sc( "low" ( /* Lowest address in the range */ ipv4addr /* Lowest address in the range */ ), "high" ( /* Highest address in the range */ ipv4addr /* Highest address in the range */ ) ) ).as(:oneline), "exclude-address" arg /* Address to exclude from pool */, "maximum-lease-time" ( /* Maximum lease time advertised to clients */ ("infinite" | arg) ), "default-lease-time" ( /* Default lease time advertised to clients */ ("infinite" | arg) ), "domain-name" arg /* Domain name advertised to clients */, "name-server" arg /* Domain name servers available to the client */, "domain-search" arg /* Domain search list used to resolve hostnames */, "wins-server" arg /* NetBIOS name servers */, "router" arg /* Routers advertised to clients */, "boot-file" arg /* Boot filename advertised to clients */, "boot-server" arg /* Boot server advertised to clients */, "next-server" ( /* Next server that clients need to contact */ ipv4addr /* Next server that clients need to contact */ ), "server-identifier" ( /* DHCP server identifier advertised to clients */ ipv4addr /* DHCP server identifier advertised to clients */ ), "option" arg ( /* DHCP option */ sc( c( "flag" ( /* Boolean flag value */ ("true" | "false" | "on" | "off") ), "byte" arg /* Unsigned 8-bit value */, "short" arg /* Signed 16-bit numeric value */, "unsigned-short" arg /* Unsigned 16-bit numeric value */, "integer" arg /* Signed 32-bit numeric value */, "unsigned-integer" arg /* Unsigned 32-bit numeric value */, "string" arg /* Character string value */, "ip-address" ( /* IP address value */ ipv4addr /* IP address value */ ), "array" ( /* Array of values */ c( c( "flag" ( /* Array of boolean flag values */ ("true" | "false" | "on" | "off") ), "byte" arg /* Array of unsigned 8-bit values */, "short" arg /* Array of signed 16-bit numeric values */, "unsigned-short" arg /* Array of 16-bit numeric values */, "integer" arg /* Array of signed 32-bit numeric values */, "unsigned-integer" arg /* Array of unsigned 32-bit numeric values */, "string" arg /* Array of character string values */, "ip-address" ( /* Array of IP address values */ ipv4addr /* Array of IP address values */ ) ) ) ), "byte-stream" arg /* Stream of unsigned 8-bit values within quotes */ ) ) ).as(:oneline), "sip-server" ( /* SIP servers to clients */ c( "name" arg /* Names of SIP servers */, "address" arg /* IP addresses of SIP servers */ ) ), "propagate-settings" arg /* Interface name for propagating TCP/IP settings to pool */, "propagate-ppp-settings" ( /* PPP interface name for propagating DNS/WINS settings to pool */ interface_name /* PPP interface name for propagating DNS/WINS settings to pool */ ) ) ), "static-binding" arg ( /* DHCP client's hardware address */ c( "fixed-address" arg /* Possible IP addresses to assign to host */, "host-name" arg /* Hostname for this client */, "client-identifier" ( /* Client identifier option */ sc( c( "ascii" arg /* Client identifier as an ASCII string */, "hexadecimal" arg /* Client identifier as a hexadecimal string */ ) ) ).as(:oneline), "domain-name" arg /* Domain name advertised to clients */, "name-server" arg /* Domain name servers available to the client */, "domain-search" arg /* Domain search list used to resolve hostnames */, "wins-server" arg /* NetBIOS name servers */, "router" arg /* Routers advertised to clients */, "boot-file" arg /* Boot filename advertised to clients */, "boot-server" arg /* Boot server advertised to clients */, "next-server" ( /* Next server that clients need to contact */ ipv4addr /* Next server that clients need to contact */ ), "server-identifier" ( /* DHCP server identifier advertised to clients */ ipv4addr /* DHCP server identifier advertised to clients */ ), "option" arg ( /* DHCP option */ sc( c( "flag" ( /* Boolean flag value */ ("true" | "false" | "on" | "off") ), "byte" arg /* Unsigned 8-bit value */, "short" arg /* Signed 16-bit numeric value */, "unsigned-short" arg /* Unsigned 16-bit numeric value */, "integer" arg /* Signed 32-bit numeric value */, "unsigned-integer" arg /* Unsigned 32-bit numeric value */, "string" arg /* Character string value */, "ip-address" ( /* IP address value */ ipv4addr /* IP address value */ ), "array" ( /* Array of values */ c( c( "flag" ( /* Array of boolean flag values */ ("true" | "false" | "on" | "off") ), "byte" arg /* Array of unsigned 8-bit values */, "short" arg /* Array of signed 16-bit numeric values */, "unsigned-short" arg /* Array of 16-bit numeric values */, "integer" arg /* Array of signed 32-bit numeric values */, "unsigned-integer" arg /* Array of unsigned 32-bit numeric values */, "string" arg /* Array of character string values */, "ip-address" ( /* Array of IP address values */ ipv4addr /* Array of IP address values */ ) ) ) ), "byte-stream" arg /* Stream of unsigned 8-bit values within quotes */ ) ) ).as(:oneline), "sip-server" ( /* SIP servers to clients */ c( "name" arg /* Names of SIP servers */, "address" arg /* IP addresses of SIP servers */ ) ) ) ), "propagate-settings" arg /* Interface name for propagating TCP/IP settings to pool */, "propagate-ppp-settings" ( /* PPP interface name for propagating DNS/WINS settings globally */ interface_name /* PPP interface name for propagating DNS/WINS settings globally */ ) ) ), "dynamic-dns" ( /* Configure DNS dynamic dns */ c( "client" arg ( /* Configure DNS dynamic dns clients */ c( "server" ( /* Dynamic DNS server - members.dyndns.org or ddo.jp */ ("dyndns" | "ddo") ), "agent" arg /* Dynamic DNS agent name */, "username" arg /* Dynamic DNS server username */, "password" ( /* Dynamic DNS server password */ unreadable /* Dynamic DNS server password */ ), "interface" ( /* Interface name */ interface_name /* Interface name */ ) ) ) ) ), "webapi" ( /* Webapi configuration */ c( "user" ( /* User name */ c( arg, "password" arg /* Password string */ ) ), "client" arg /* Address of permitted HTTP/HTTPS request originator */.as(:oneline), "http" ( /* Unencrypted HTTP connection settings */ c( "port" arg /* TCP port for incoming HTTP connections */ ) ), "https" ( /* Encrypted HTTPS connection settings */ c( "port" arg /* TCP port for incoming HTTPS connections */, "default-certificate" /* X.509 certificate generated by system */, "pki-local-certificate" arg /* X.509 certificate to use (from PKI local store) */, "certificate" arg /* X.509 certificate to use (from local file system) */, "certificate-key" arg /* X.509 certificate key to use (from local file system) */ ) ), "debug-log" ( /* Debug log for webapi daemon */ c( arg ) ), "debug-level" ( /* Debug level for webapi daemon */ c( c( "emerg" /* Match emergence messages */, "alert" /* Match alert messages */, "crit" /* Match critical messages */, "error" /* Match error messages */, "warn" /* Match warning messages */, "notice" /* Match notice messages */, "info" /* Match informational messages */ ) ) ) ) ), "transport" /* Transport configuration */ ) ), "syslog" ( /* System logging facility */ c( "archive" ( /* Archive file information */ archive_object /* Archive file information */ ), "user" arg ( /* Notify a user of the event */ c( syslog_object.as(:oneline), "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ), "allow-duplicates" /* Do not suppress the repeated message */, "match-strings" arg /* Matching string(s) for lines to be logged */ ) ), "host" ("other-routing-engine" | "scc-master" | "sfc0-master" | arg) ( /* Host to be notified */ c( syslog_object.as(:oneline), "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ), "allow-duplicates" /* Do not suppress the repeated message */, "port" arg /* Port number */, "facility-override" ( /* Alternate facility for logging to remote host */ ("authorization" | "daemon" | "ftp" | "kernel" | "user" | "local0" | "local1" | "local2" | "local3" | "local4" | "local5" | "local6" | "local7") ), "log-prefix" arg /* Prefix for all logging to this host */, "source-address" ( /* Use specified address as source address */ ipaddr /* Use specified address as source address */ ), "explicit-priority" /* Include priority and facility in messages */, "exclude-hostname" /* Exclude hostname field in messages */, "match-strings" arg /* Matching string(s) for lines to be logged */, "structured-data" ( /* Log system message in structured format */ c( c( "brief" /* Omit English-language text from end of logged message */ ) ) ) ) ), "allow-duplicates" /* Do not suppress the repeated message for all targets */, "file" arg ( /* File in which to log data */ c( syslog_object.as(:oneline), "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ), "allow-duplicates" /* Do not suppress the repeated message */, "archive" ( /* Archive file information */ archive_object /* Archive file information */ ), "explicit-priority" /* Include priority and facility in messages */, "match-strings" arg /* Matching string(s) for lines to be logged */, "structured-data" ( /* Log system message in structured format */ c( c( "brief" /* Omit English-language text from end of logged message */ ) ) ) ) ), "console" enum(("any" | "authorization" | "daemon" | "ftp" | "ntp" | "security" | "kernel" | "user" | "dfc" | "external" | "firewall" | "pfe" | "conflict-log" | "change-log" | "interactive-commands")) ( /* Console logging */ sc( c( "any" /* All levels */, "emergency" /* Panic conditions */, "alert" /* Conditions that should be corrected immediately */, "critical" /* Critical conditions */, "error" /* Error conditions */, "warning" /* Warning messages */, "notice" /* Conditions that should be handled specially */, "info" /* Informational messages */, "none" /* No messages */ ) ) ).as(:oneline), "time-format" ( /* Additional information to include in system log timestamp */ sc( "year" /* Include year in timestamp */, "millisecond" /* Include milliseconds in timestamp */ ) ).as(:oneline), "source-address" ( /* Use specified address as source address */ ipaddr /* Use specified address as source address */ ), "log-rotate-frequency" arg /* Rotate log frequency */, "server" ( /* Enable syslog server */ c( "routing-instances" ("all" | "default" | arg) ( /* Enable/disable syslog server in routing-instances */ c( "disable" /* Disable syslog server in this routing instance */ ) ) ) ) ) ), "tracing" ( /* System wide option for remote tracing */ sc( "destination-override" ( /* Override tracing destination */ sc( "syslog" ( /* Send trace messages to remote syslog server */ sc( "host" ( /* IPv4 address of remote syslog server */ ipv4addr /* IPv4 address of remote syslog server */ ) ) ).as(:oneline) ) ).as(:oneline) ) ).as(:oneline), "encrypt-configuration-files" /* Encrypt the router configuration files */, "compress-configuration-files" /* Compress the router configuration files */, "no-compress-configuration-files" /* Don't compress the router configuration files */, "max-configurations-on-flash" arg /* Number of configuration files stored on flash */, "max-configuration-rollbacks" arg /* Number of rollback configuration files */, "archival" ( /* System archival management */ c( "configuration" ( /* Automatic configuration uploads to host(s) */ c( c( "transfer-interval" arg /* Frequency at which file transfer happens */, "transfer-on-commit" /* Transfer after each commit */ ), "archive-sites" arg ( /* List of archive destinations */ sc( "password" ( /* Password for login into the archive site */ unreadable /* Password for login into the archive site */ ) ) ).as(:oneline) ) ) ) ), "extensions" ( /* Configuration for extensions to JUNOS */ c( "providers" arg ( c( "license-type" arg ( sc( "deployment-scope" arg ) ).as(:oneline) ) ), "extension-service" ( /* Enable JUNOS extension service */ c( "application" ( /* JUNOS extension service application */ c( "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */, "file" ( /* Configuration for each extension-service application */ jet_scripts_file_type /* Configuration for each extension-service application */ ), "traceoptions" ( /* Trace options for extension-service applications */ script_traceoptions /* Trace options for extension-service applications */ ), "max-datasize" arg /* Maximum data segment size for apps execution */ ) ) ) ), "resource-limits" ( /* Process resource limits */ c( "process" arg ( c( "resources" ( /* Resource limits */ resources_type /* Resource limits */ ) ) ), "package" arg ( c( "resources" ( /* Resource limits */ resources_type /* Resource limits */ ) ) ) ) ) ) ), "license" ( /* License information for the router */ license_object /* License information for the router */ ), "proxy" ( /* Proxy information for the router */ proxy_object /* Proxy information for the router */ ), "fips" ( /* FIPS configuration */ c( "chassis" ( /* FIPS chassis boundary configuration */ c( "level" arg /* FIPS chassis level configuration */ ) ), "level" arg /* FIPS 140 level */, "self-test" ( /* Configure FIPS self-test execution */ c( "after-key-generation" ( /* FIPS self-test after cryptographic key generation */ ("enable" | "disable") ), "periodic" ( /* Configure periodic FIPS self-test */ c( "start-time" arg /* Time when the periodic FIPS self-tests are to be executed (hh:mm) */, "day-of-month" arg /* Day of the month when FIPS self-tests are to be executed */, "month" arg /* The month when FIPS self-tests are to be executed */, "day-of-week" arg /* Day of the week when the FIPS self-tests are to be executed (where 1 - Monday, 7 - Sunday) */ ) ) ) ) ) ), "rng" ( /* Configure system CSPRNG */ c( c( "fortuna" /* Fortuna */, "hmac-drbg" /* HMAC DRBG, NIST SP800-90A */ ) ) ), "export-format" ( /* Setting the properties related to exporting the data */ c( "json" ( /* Set the type of JSON format */ c( c( "verbose" /* All the objects will be emitted as JSON arrays */, "ietf" /* JSON format will be emitted as per ietf draft */ ) ) ), "state-data" ( /* Setting the properties with respect to state data */ c( "json" ( /* Set the type of JSON format for state data rendering */ c( c( "compact" /* Display JSON in compact format */ ) ) ) ) ) ) ), "health-monitor" ( /* Kernel health monitoring system */ c( "ifstate-clients" ( /* Configure health monitor for ifstate clients on ifstate consumption */ c( "peer-stuck" ( /* PFE/RE/Smart PIC peers ifstate consumption */ c( "threshold-level" ( /* Threshold level to categorize peers as stuck */ ("low" | "medium" | "high") ), "action" ( /* Set an action on stuck peers */ ("alarm" | "alarm-with-cores" | "restart") ) ) ), "non-peer-stuck" ( /* Non-peer clients(daemons) on ifstate consumption */ c( "threshold-level" ( /* Threshold level to categorize non-peer ifstate clients as stuck */ ("low" | "medium" | "high") ), "action" ( /* Set an action on stuck non-peer ifstate clients */ ("alarm" | "alarm-with-cores" | "restart") ) ) ), "all-clients-stuck" ( /* All ifstate clients on ifstate consumption */ c( "threshold-level" ( /* Threshold level to categorize all ifsate clients as stuck */ ("low" | "medium" | "high") ), "action" ( /* Set an action on all stuck ifstate clients */ ("alarm" | "alarm-with-cores" | "restart") ) ) ) ) ) ) ), "packet-forwarding-options" /* Packet Forwarding engine options */, "auto-configuration" ( c( "traceoptions" ( /* Autoconfiguration trace options */ autoconf_traceoptions_type /* Autoconfiguration trace options */ ) ) ), "processes" ( /* Process control */ c( "routing" ( /* Routing process */ sc( ("disable"), "failover" ( /* How to handle failure of routing process */ ("other-routing-engine" | "alternate-media") ), c( "force-32-bit" /* Always use 32-bit mode */, "force-64-bit" /* Always use 64-bit mode */, "auto-64-bit" /* Use 64-bit mode if RE memory is sufficient */ ) ) ).as(:oneline), "software-forwarding" /* Software forwarding process */.as(:oneline), "packet-forwarding-engine" /* Packet forwarding engine process */.as(:oneline), "chassis-control" ( /* Chassis control process */ sc( ("disable"), "failover" arg /* How to handle failure of chassis control process */ ) ).as(:oneline), "service-pics" ( /* Service PICs process */ sc( ("disable"), "failover" ( /* How to handle failure of service PICs process */ ("other-routing-engine" | "alternate-media") ) ) ).as(:oneline), "ntp" ( /* Network time process */ sc( ("disable"), "failover" ( /* How to handle failure of network time process */ ("other-routing-engine" | "alternate-media") ) ) ).as(:oneline), "watchdog" ( /* Watchdog timer */ sc( ("enable" | "disable"), "timeout" arg /* Watchdog timer value */ ) ).as(:oneline), "process-monitor" ( /* Process health monitor process */ c( ("disable"), "traceoptions" ( /* Process health monitor trace options */ pmond_traceoptions_type /* Process health monitor trace options */ ) ) ), "resource-cleanup" ( /* Resource cleanup process */ c( ("disable"), "traceoptions" ( /* Resource cleanup process trace options */ res_cleanupd_traceoptions_type /* Resource cleanup process trace options */ ) ) ), "routing-socket-proxy" ( /* Routing socket proxy process */ sc( ("disable"), "failover" ( /* How to handle failure of routing socket proxy process */ ("other-routing-engine" | "alternate-media") ) ) ).as(:oneline), "web-management" ( /* Web management process */ sc( ("disable"), "failover" ( /* How to handle failure of web management process */ ("other-routing-engine" | "alternate-media") ) ) ).as(:oneline), "named-service" ( /* DNS server process */ c( ("disable"), "failover" ( /* How to handle failure of dns server process */ ("other-routing-engine" | "alternate-media") ) ) ), "cfm" ( /* Ethernet OAM connectivity fault management process */ sc( ("disable") ) ).as(:oneline), "general-authentication-service" ( /* General authentication service process */ c( ("disable"), "traceoptions" ( /* General authentication service trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "filter" ( /* Filter to control trace messages */ c( "user" /* Filter by user name */ ) ), "flag" enum(("configuration" | "framework" | "radius" | "local-authentication" | "ldap" | "address-assignment" | "jsrc" | "gx-plus" | "session-db" | "profile-db" | "lib-stats" | "user-access" | "nasreq" | "ocs-backup" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ), "smg-service" /* Enhanced session management process */, "bbe-mib-daemon" /* Enhanced Session Management MIB Daemon process */, "bbe-stats-daemon" /* Enhanced Session Management Statistics Daemon process */, "dhcp-service" ( /* Dynamic Host Configuration Protocol general configuration */ c( ("disable"), "failover" ( /* How to handle failure of dhcp service process */ ("other-routing-engine" | "alternate-media") ), "persistent-storage" ( /* DHCP persistent storage configuration parameters */ c( arg, "backup-interval" arg /* Number of hours after which backup file will be created */ ) ), "traceoptions" ( /* Trace options for DHCP */ jdhcp_traceoptions_level_type /* Trace options for DHCP */ ), "interface-traceoptions" ( /* Interface trace options for DHCP */ jdhcp_interface_traceoptions_level_type /* Interface trace options for DHCP */ ), "dhcp-snooping-file" ( /* DHCP snooping persistence file, write-interval and timeout */ c( filename /* Location of DHCP snooping entries file */, "write-interval" arg /* Time interval for writing DHCP snooping entries */ ) ), "dhcpv6-snooping-file" ( /* DHCPv6 snooping persistence file and write-interval timeout */ c( filename /* Location of DHCPv6 snooping entries file */, "write-interval" arg /* Time interval in seconds for writing DHCPv6 snooping entries */ ) ), "ltv-syslog-interval" ( /* Lease time violation syslog interval */ c( arg ) ), "accept-max-tcp-connections" arg /* Max TCP connections served globally at a time */, "request-max-tcp-connections" arg /* Max TCP connections requested globally at a time */ ) ), "diameter-service" ( /* Diameter process */ c( ("disable"), "traceoptions" /* Diameter service trace options */ ) ), "mac-validation" /* Process mac validation process */, "sbc-configuration-process" ( /* SBC configuration process */ c( ("disable"), "failover" ( /* How to handle failure of SBC configuration process */ ("other-routing-engine" | "alternate-media") ), "traceoptions" ( /* SBC configuration process trace options */ sbc_traceoptions /* SBC configuration process trace options */ ) ) ), "sdk-service" ( /* SDK Service Daemon */ c( ("disable"), "traceoptions" ( /* SDK Service Daemon trace options */ ssd_traceoptions_type /* SDK Service Daemon trace options */ ) ) ), "aaad" ( /* AAAD process */ c( ("disable"), "traceoptions" ( /* AAA trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("send" | "send-detail" | "receive" | "receive-detail" | "timeout" | "state" | "all")) /* Tracing parameters */.as(:oneline), "peer" arg /* Trace packet sent to or received from the peer[s] */ ) ) ) ), "app-engine-virtual-machine-management-service" ( /* App-engine Virtual Machine Management */ c( ("disable"), "traceoptions" ( /* App-engine virtual machine management trace options */ sdk_vmmd_traceoptions_type /* App-engine virtual machine management trace options */ ) ) ), "app-engine-management-service" ( /* App-engine Management Daemon */ c( ("disable"), "traceoptions" ( /* App-engine management daemon trace options */ sdk_mgmtd_traceoptions_type /* App-engine management daemon trace options */ ) ) ), "datapath-trace-service" ( /* Datapath Trace process */ c( ("disable"), "traceoptions" ( /* DATAPATH Trace process trace options */ datapath_traced_traceoptions_type /* DATAPATH Trace process trace options */ ) ) ), "send" ( /* Secure Neighbor Discovery Protocol process */ sc( ("disable") ) ).as(:oneline), "static-subscribers" ( /* Static subscribers process */ c( ("disable"), "traceoptions" /* Trace options for Static Subscriber Client */ ) ), "extensible-subscriber-services" ( /* Extensible Subscriber Services Manager Daemon */ c( ("disable"), "traceoptions" /* Trace options for Extensible Subscriber Services Daemon */ ) ), "kernel-offload-service" /* Kernel offload Service */, daemon_process, "video-monitoring" ( /* Video Monitoring Process */ sc( ("disable"), "traceoptions" ( /* Trace options for VMOND */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline) ) ) ) ).as(:oneline), "remote-device-management" ( /* Remote device management daemon */ c( ("disable"), "traceoptions" /* Trace options for Remote Device Management Daemon */ ) ), "dialer-services" ( /* Dial-Out On Demand process */ c( ("disable"), "traceoptions" ( /* Trace options for dialer services */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("config" | "kernel" | "route" | "interface" | "error" | "memory" | "all")) /* One or more message or event types to include in trace */.as(:oneline) ) ) ) ), "isdn-signaling" ( /* ISDN process */ c( ("disable"), "traceoptions" ( /* Trace options for ISDN signaling process */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("daemon" | "stack" | "all")) /* One or more event types to include in trace */.as(:oneline) ) ), "reject-incoming" /* Reject incoming ISDN calls */ ) ), "telephony-gateway-module" /* Telephony gateway module process */, "wireless-wan-service" ( /* Wireless WAN service process */ c( ("disable"), "traceoptions" ( /* Trace options for wireless WAN process */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("config" | "debug" | "sdk-api" | "memory" | "fpc-ipc" | "snmp" | "all")) /* Events or messages to include in the trace output */.as(:oneline) ) ) ) ), "wireless-lan-service" ( /* Wireless LAN service process */ c( ("disable"), "traceoptions" ( /* Trace options for wireless LAN process */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("status" | "config" | "keepalive" | "licensing" | "all")) /* Events or messages to include in the trace output */.as(:oneline) ) ) ) ), "network-security" ( /* Network security process */ sc( ("disable") ) ).as(:oneline), "firewall-authentication-service" ( /* Firewall authentication service process */ sc( ("disable") ) ).as(:oneline), "jsrp-service" ( /* Juniper stateful redundancy process */ sc( ("disable") ) ).as(:oneline), "wan-acceleration" ( /* WAN acceleration (WX) process */ c( ("disable"), "traceoptions" ( /* Trace options for WAN acceleration process */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "ssam" | "memory" | "fpc-ipc" | "fpc-ipc-heart-beat" | "wx-login" | "all")) /* Events or messages to include in the trace output */.as(:oneline) ) ) ) ), "smtpd-service" ( /* SMTP mail client service process */ sc( ("disable") ) ).as(:oneline), "logical-system-service" ( /* Logical system process */ c( ("disable"), "traceoptions" ( /* Logical system trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "all")) /* Events or messages to include in the trace output */.as(:oneline) ) ) ) ), "system-health-management" ( /* System Health Management */ c( ("disable") ) ), "system-log-vital" ( /* System Log Vital */ c( ("disable") ) ), "sysctlrelayd" ( /* Sysctl Relaying Engine */ c( ("disable") ) ) ) ), "ddos-protection" /* Configure DDOS process */, "ntp" ( /* Network Time Protocol services */ c( "boot-server" ( /* Server to query during boot sequence */ ipaddr /* Server to query during boot sequence */ ), "interval-range" ( /* Set the minpoll and maxpoll interval range */ sc( arg ) ).as(:oneline), "authentication-key" arg ( /* Authentication key information */ sc( "type" ( /* Authentication key type */ ("md5" | "des" | "sha1" | "sha256") ), "value" ( /* Authentication key value */ unreadable /* Authentication key value */ ) ) ).as(:oneline), "peer" arg ( /* Peer parameters */ sc( "key" arg /* Authentication key */, "version" arg /* NTP version to use */, "prefer" /* Prefer this peer_serv */ ) ).as(:oneline), "server" arg ( /* Server parameters */ sc( "key" arg /* Authentication key */, "version" arg /* NTP version to use */, "prefer" /* Prefer this peer_serv */, "routing-instance" arg /* Routing instance through which server is reachable */ ) ).as(:oneline), "broadcast" arg ( /* Broadcast parameters */ sc( "routing-instance-name" arg /* Routing intance name in which interface has address in broadcast subnet */, "key" arg /* Authentication key */, "version" arg /* NTP version to use */, "ttl" arg /* TTL value to transmit */ ) ).as(:oneline), "broadcast-client" /* Listen to broadcast NTP */, "multicast-client" ( /* Listen to multicast NTP */ sc( ipaddr /* Multicast address to listen to */ ) ).as(:oneline), "trusted-key" arg /* List of trusted authentication keys */, "threshold" ( /* Set the maximum threshold(sec) allowed for NTP adjustment */ sc( arg, "action" ( /* Select actions for NTP abnormal adjustment */ ("accept" | "reject") ) ) ).as(:oneline), "source-address" arg ( /* Source-Address parameters */ sc( "routing-instance" arg /* Routing intance name in which source address is defined */ ) ).as(:oneline) ) ), "master-password" ( /* Master password for $8$ password-encryption */ c( "iteration-count" arg /* Define PBKDF2 iteration count */, "pseudorandom-function" ( /* Define PBKDF2 PRF */ ("hmac-sha2-256" | "hmac-sha1" | "hmac-sha2-512") ) ) ), "log-vital" ( /* Log vital configuration */ c( "interval" arg /* Log vital sample interval */, "files" arg /* Log vital keeps files of only recent days */, "storage-limit" arg /* Log vital storage limit percentage */, "file-size" arg /* Log vital dump file size */, "add" arg ( /* Log vital add in OID */ c( "comment" ( /* Comment of the OID */ c( arg ) ) ) ), "group" ( /* Log vital group configuration */ c( "operating" /* Collect operating information */, "idp" /* Collect IDP information */, "storage" /* Collect storage information of /var/log/ */, "cluster-counter" /* Collect Cluster Counter information */, "screen" arg /* Collect screen counter for the zone */, "spu" arg /* Collect information for the SPU(all/fwdd/nodex.fpcy.picz) */ ) ) ) ), "security-profile" ( /* Security profile for logical-systems */ c( "resources" ( c( "cpu-control" /* Enable CPU utilization control */, "cpu-control-target" arg /* Targeted CPU utilization allowed for the whole system */ ) ), profile_type ) ) ) end rule(:archive_object) do c( "size" arg /* Size of files to be archived */, "files" arg /* Number of files to be archived */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "binary-data" /* Mark file as if it contains binary data */, "no-binary-data" /* Don't mark file as if it contains binary data */, "transfer-interval" arg /* Frequency at which to transfer files to archive sites */, "start-time" ( /* Start time for file transmission (yyyy-mm-dd.hh:mm) */ time /* Start time for file transmission (yyyy-mm-dd.hh:mm) */ ), "archive-sites" arg ( sc( "password" ( /* Password for login into the archive site */ unreadable /* Password for login into the archive site */ ), "routing-instance" arg /* Routing instance */ ) ).as(:oneline) ).as(:oneline) end rule(:authentication_object) do c( "plain-text-password-value" arg /* Plain text password */, "encrypted-password" arg /* Encrypted password string */, "no-public-keys" /* Disables ssh public key based authentication */, "ssh-rsa" arg ( /* Secure shell (ssh) RSA public key string */ sc( "from" arg /* Pattern-list of allowed hosts */ ) ).as(:oneline), "ssh-dsa" arg ( /* Secure shell (ssh) DSA public key string */ sc( "from" arg /* Pattern-list of allowed hosts */ ) ).as(:oneline), "ssh-ecdsa" arg ( /* Secure shell (ssh) ECDSA public key string */ sc( "from" arg /* Pattern-list of allowed hosts */ ) ).as(:oneline), "ssh-ed25519" arg ( /* Secure shell (ssh) ED25519 public key string */ sc( "from" arg /* Pattern-list of allowed hosts */ ) ).as(:oneline) ) end rule(:autoconf_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "interfaces" | "io" | "rtsock" | "ui" | "auth" | "all")) /* Area of autoconfiguration to enable debugging output */.as(:oneline) ) end rule(:bdbrepd_type) do c( "traceoptions" ( /* Database replication trace options */ bdbrepd_traceoptions_type /* Database replication trace options */ ) ) end rule(:bdbrepd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("database" | "mirror" | "replication" | "ui" | "general" | "session-db" | "server" | "all")) /* Database replication operations to include in debugging trace */.as(:oneline) ) end rule(:daemon_process) do arg.as(:arg) ( c( ("disable"), "failover" arg /* How to handle failure of parameter */, "command" arg /* Path to binary for process */ ) ).as(:oneline) end rule(:datapath_traced_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("datapath-traced-infrastructure" | "datapath-traced-server" | "client-management" | "all")) /* Area of DATAPATH Trace process to enable debugging output */.as(:oneline) ) end rule(:dhcp_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("binding" | "config" | "conflict" | "event" | "ifdb" | "io" | "lease" | "main" | "misc" | "option" | "packet" | "pool" | "protocol" | "relay" | "rtsock" | "scope" | "signal" | "trace" | "ui" | "all" | "client")) /* Area of DHCP server process to enable debugging output */.as(:oneline) ) end rule(:dynamic_profile_option_object) do c( "versioning" /* Enable dynamic profile versioning */ ) end rule(:httpd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "mgd" | "webauth" | "dynamic-vpn" | "init" | "all")) /* Area of HTTPD process to enable debugging output */.as(:oneline) ) end rule(:jdhcp_interface_traceoptions_level_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("state" | "packet" | "flow" | "packet-option" | "dhcpv6-state" | "dhcpv6-packet" | "dhcpv6-packet-option" | "all")) /* Interface trace categories */.as(:oneline) ) end rule(:jdhcp_traceoptions_level_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("state" | "packet" | "flow" | "packet-option" | "dhcpv6-state" | "dhcpv6-packet" | "dhcpv6-packet-option" | "all" | "database" | "persistent" | "lockout-db" | "interface" | "rtsock" | "flow-notify" | "io" | "ha" | "ui" | "general" | "fwd" | "rpd" | "auth" | "profile" | "session-db" | "performance" | "statistics" | "dhcpv6-io" | "dhcpv6-rpd" | "dhcpv6-session-db" | "dhcpv6-general" | "liveness-detection" | "security-persistence" | "mclag" | "ra-guard")) /* DHCP operations to include in debugging trace */.as(:oneline) ) end rule(:jet_scripts_file_type) do arg.as(:arg) ( c( "checksum" ( /* Checksum of this script */ c( "sha-256" arg /* SHA-256 checksum of this script */ ) ), "arguments" arg /* Command line arguments to JET application */, "daemonize" /* Runs application as daemon */, "respawn-on-normal-exit" /* Respawn application on normal exit */, "username" arg /* User under whose privileges extension service will execute */, "source" arg /* URL of source for this script */, "routing-instance" arg /* Routing instance */, "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */ ) ) end rule(:juniper_tenant) do arg.as(:arg) ( c( "routing-instances" ( /* Routing instance configuration */ c( juniper_routing_instance ) ), "security" ( /* Security configuration */ c( "alarms" ( /* Configure security alarms */ c( "audible" ( /* Beep when new security alarms arrive */ c( "continuous" /* Keep beeping until all security alarms have been cleared */ ) ), "potential-violation" ( /* Configure potential security violations */ c( "authentication" arg /* Raise alarm for specified number of authentication failures */, "cryptographic-self-test" /* Raise alarm for cryptographic self test failures */, "decryption-failures" ( /* No. of decryption failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 1000] */ ) ), "encryption-failures" ( /* No. of encryption failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 1000] */ ) ), "ike-phase1-failures" ( /* No. of IKE Phase-1 failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 20] */ ) ), "ike-phase2-failures" ( /* No. of IKE Phase-2 failures before which an alarm needs to be raised */ c( "threshold" arg /* Threshold value [default is 20] */ ) ), "key-generation-self-test" /* Raise alarm for key generation self test failures */, "non-cryptographic-self-test" /* Raise alarm for non-cryptographic self test failures */, "policy" ( /* Raise alarm for flow policy violations */ c( "source-ip" ( /* Configure source address type of policy violation */ c( "threshold" arg /* Number of source IP address matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total source IP address number that can be done policy violation check concurrently */ ) ), "destination-ip" ( /* Configure destination address type of policy violation */ c( "threshold" arg /* Number of destination IP address matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total destination IP address number that can be done policy violation check concurrently */ ) ), "application" ( /* Configure application type of policy violation */ c( "threshold" arg /* Number of application matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total application number that can be done policy violation check concurrently */ ) ), "policy-match" ( /* Configure policy type of policy violation */ c( "threshold" arg /* Number of policy matches to raise alarm */, "duration" arg /* Time window matches must occur within */, "size" arg /* Total concurrent number of policy check violations */ ) ) ) ), "replay-attacks" ( /* No. of Replay attacks before which an alarm needs to be raised */ c( "threshold" arg /* Replay threshold value */ ) ), "security-log-percent-full" arg /* Raise alarm when security log exceeds this percent capacity */, "idp" /* Raise alarm for idp attack */ ) ) ) ), "log" ( /* Configure security log */ c( "exclude" arg ( /* List of security log criteria to exclude from the audit log */ c( "destination-address" ( /* Destination address */ ipaddr /* Destination address */ ), "destination-port" arg /* Destination port */, "event-id" arg /* Event ID filter */, "failure" /* Event was a failure */, "interface-name" arg /* Name of interface */, "policy-name" arg /* Policy name filter */, "process" arg /* Process that generated the event */, "protocol" arg /* Protocol filter */, "source-address" ( /* Source address */ ipaddr /* Source address */ ), "source-port" arg /* Source port */, "success" /* Event was successful */, "username" arg /* Username filter */ ) ), "limit" arg /* Limit number of security log entries to keep in memory */, "cache" ( /* Cache security log events in the audit log buffer */ c( "exclude" arg ( /* List of security log criteria to exclude from the audit log */ c( "destination-address" ( /* Destination address */ ipaddr /* Destination address */ ), "destination-port" arg /* Destination port */, "event-id" arg /* Event ID filter */, "failure" /* Event was a failure */, "interface-name" arg /* Name of interface */, "policy-name" arg /* Policy name filter */, "process" arg /* Process that generated the event */, "protocol" arg /* Protocol filter */, "source-address" ( /* Source address */ ipaddr /* Source address */ ), "source-port" arg /* Source port */, "success" /* Event was successful */, "username" arg /* Username filter */ ) ), "limit" arg /* Limit number of security log entries to keep in memory */ ) ), "disable" /* Disable security logging for the device */, "utc-timestamp" /* Use UTC time for security log timestamps */, "mode" ( /* Controls how security logs are processed and exported */ ("stream" | "event") ), "event-rate" arg /* Control plane event rate */, "format" ( /* Set security log format for the device */ ("syslog" | "sd-syslog" | "binary") ), "rate-cap" arg /* Data plane event rate */, "max-database-record" arg /* Maximum records in database */, "report" /* Set security log report settings */, c( "source-address" ( /* Source ip address used when exporting security logs */ ipaddr /* Source ip address used when exporting security logs */ ), "source-interface" ( /* Source interface used when exporting security logs */ interface_name /* Source interface used when exporting security logs */ ) ), "transport" ( /* Set security log transport settings */ c( "tcp-connections" arg /* Set tcp connection number per-stream */, "protocol" ( /* Set security log transport protocol for the device */ ("udp" | "tcp" | "tls") ), "tls-profile" arg /* TLS profile */ ) ), "facility-override" ( /* Alternate facility for logging to remote host */ ("authorization" | "daemon" | "ftp" | "kernel" | "user" | "local0" | "local1" | "local2" | "local3" | "local4" | "local5" | "local6" | "local7") ), "stream" arg ( /* Set security log stream settings */ c( "severity" ( /* Severity threshold for security logs */ ("emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug") ), "format" ( /* Specify the log stream format */ ("syslog" | "sd-syslog" | "welf" | "binary") ), "category" enum(("all" | "content-security" | "fw-auth" | "screen" | "alg" | "nat" | "flow" | "sctp" | "gtp" | "ipsec" | "idp" | "rtlog" | "pst-ds-lite" | "appqos" | "secintel" | "aamw")) /* Selects the type of events that may be logged */, "filter" enum(("threat-attack")) /* Selects the filter to filter the logs to be logged */, "host" ( /* Destination to send security logs to */ host_object /* Destination to send security logs to */ ), "rate-limit" ( /* Rate-limit for security logs */ c( arg ) ), "file" ( /* Security log file options for logs in local file */ c( "localfilename" arg /* Name of local log file */, "size" arg /* Maximum size of local log file in megabytes */, "rotation" arg /* Maximum number of rotate files */, "allow-duplicates" /* To disable log consolidation */ ) ) ) ), "file" ( /* Security log file options for logs in binary format */ c( "filename" arg /* Name of binary log file */, "size" arg /* Maximum size of binary log file in megabytes */, "path" arg /* Path to binary log files */, "files" arg /* Maximum number of binary log files */ ) ), "traceoptions" ( /* Security log daemon trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("source" | "configuration" | "all" | "report" | "hpl")) /* List of things to include in trace */.as(:oneline) ) ) ) ), "certificates" ( /* X.509 certificate configuration */ c( "local" ( /* Local X.509 certificate configuration */ certificate_object /* Local X.509 certificate configuration */ ), "path-length" arg /* Maximum certificate path length */, "maximum-certificates" arg /* Maximum number of certificates to cache */, "cache-size" arg /* Maximum size of certificate cache */, "cache-timeout-negative" arg /* Time in seconds to cache negative responses */, "enrollment-retry" arg /* Number of retry attempts for an enrollment request */, "certification-authority" arg ( /* CA X.509 certificate configuration */ c( "ca-name" arg /* CA name */, "file" arg /* File to read certificate from */, "crl" arg /* File to read crl from */, "enrollment-url" arg /* URL */, "ldap-url" arg /* URL */, "encoding" ( /* Encoding to use for certificate or CRL on disk */ ("binary" | "pem") ) ) ) ) ), "authentication-key-chains" ( /* Authentication key chain configuration */ security_authentication_key_chains /* Authentication key chain configuration */ ), "ssh-known-hosts" ( /* SSH known host list */ c( "host" arg ( /* SSH known host entry */ c( "rsa1-key" arg /* Base64 encoded RSA key (protocol version 1) */, "rsa-key" arg /* Base64 encoded RSA key */, "dsa-key" arg /* Base64 encoded DSA key */, "ecdsa-key" arg /* Base64 encoded ECDSA key */, "ecdsa-sha2-nistp256-key" arg /* Base64 encoded ECDSA-SHA2-NIST256 key */, "ecdsa-sha2-nistp384-key" arg /* Base64 encoded ECDSA-SHA2-NIST384 key */, "ecdsa-sha2-nistp521-key" arg /* Base64 encoded ECDSA-SHA2-NIST521 key */, "ed25519-key" arg /* Base64 encoded ED25519 key */ ) ) ) ), "key-protection" /* Common-Criteria key-protection configuration */, "pki" ( /* PKI service configuration */ security_pki /* PKI service configuration */ ), "ike" ( /* IKE configuration */ security_ike /* IKE configuration */ ), "ipsec" ( /* IPSec configuration */ security_ipsec_vpn /* IPSec configuration */ ), "group-vpn" ( /* Group VPN configuration */ security_group_vpn /* Group VPN configuration */ ), "ipsec-policy" ( /* IPSec policy configuration */ security_ipsec_policies /* IPSec policy configuration */ ), "idp" ( /* Configure IDP */ c( "idp-policy" ( /* Configure IDP policy */ idp_policy_type /* Configure IDP policy */ ), "active-policy" arg /* Set active policy */, "default-policy" arg /* Set active policy */, "custom-attack" ( /* Configure custom attacks */ custom_attack_type /* Configure custom attacks */ ), "custom-attack-group" ( /* Configure custom attack groups */ custom_attack_group_type /* Configure custom attack groups */ ), "dynamic-attack-group" ( /* Configure dynamic attack groups */ dynamic_attack_group_type /* Configure dynamic attack groups */ ), "traceoptions" ( /* Trace options for idp services */ idpd_traceoptions_type /* Trace options for idp services */ ), "security-package" ( /* Security package options */ c( "url" arg /* URL of Security package download */, "source-address" ( /* Source address to be used for sending download request */ ipv4addr /* Source address to be used for sending download request */ ), "proxy-profile" arg /* Proxy profile of security package download */, "install" ( /* Configure install command */ c( "ignore-version-check" /* Skip version check when attack database gets installed */ ) ), "automatic" ( /* Scheduled download and update */ c( "start-time" ( /* Start time (YYYY-MM-DD.HH:MM:SS) */ time /* Start time (YYYY-MM-DD.HH:MM:SS) */ ), "interval" arg /* Interval */, "download-timeout" arg /* Maximum time for download to complete */, ("enable") ) ) ) ), "sensor-configuration" ( /* IDP Sensor Configuration */ c( "log" ( /* IDP Log Configuration */ c( "cache-size" arg /* Log cache size */, "suppression" ( /* Log suppression */ c( ("disable"), "include-destination-address" /* Include destination address while performing a log suppression */, "no-include-destination-address" /* Don't include destination address while performing a log suppression */, "start-log" arg /* Suppression start log */, "max-logs-operate" arg /* Maximum logs can be operate on */, "max-time-report" arg /* Time after suppressed logs will be reported */ ) ) ) ), "packet-log" ( /* IDP Packetlog Configuration */ c( "total-memory" arg /* Total memory unit(%) */, "max-sessions" arg /* Max num of sessions in unit(%) */, "threshold-logging-interval" arg /* Interval of logs for max limit session/memory reached in minutes */, "source-address" ( /* Source IP address used to transport packetlog to a host */ ipv4addr /* Source IP address used to transport packetlog to a host */ ), "host" ( /* Destination host to send packetlog to */ c( ipv4addr /* IP address */, "port" arg /* UDP port number */ ) ) ) ), "application-identification" ( /* Application identification */ c( ("disable"), "application-system-cache" /* Application system cache */, "no-application-system-cache" /* Don't application system cache */, "max-tcp-session-packet-memory" arg /* Max TCP session memory */, "max-udp-session-packet-memory" arg /* Max UDP session memory */, "max-sessions" arg /* Max sessions that can run AI at the same time */, "max-packet-memory" arg /* Max packet memory */, "max-packet-memory-ratio" arg /* Max packet memory ratio */, "max-reass-packet-memory-ratio" arg /* Max reass packet memory ratio */, "application-system-cache-timeout" arg /* Application system cache timeout */ ) ), "flow" ( /* Flow configuration */ c( "log-errors" /* Flow log errors */, "no-log-errors" /* Don't flow log errors */, "reset-on-policy" /* Flow reset-on-policy */, "no-reset-on-policy" /* Don't flow reset-on-policy */, "allow-icmp-without-flow" /* Allow icmp without flow */, "no-allow-icmp-without-flow" /* Don't allow icmp without flow */, "hash-table-size" arg /* Flow hash table size */, "reject-timeout" arg /* Flow reject timeout */, "max-timers-poll-ticks" arg /* Maximum timers poll ticks */, "fifo-max-size" arg /* Maximum fifo size */, "udp-anticipated-timeout" arg /* Maximum udp anticipated timeout */, "allow-nonsyn-connection" /* Allow TCP non-syn connection */, "drop-on-limit" /* Drop connections on exceeding resource limits */, "drop-on-failover" /* Drop traffic on HA failover sessions */, "drop-if-no-policy-loaded" /* Drop all traffic till IDP policy gets loaded */, "max-sessions-offset" arg /* Maximum session offset limit percentage */, "min-objcache-limit-lt" arg /* Memory lower threshold limit percentage */, "min-objcache-limit-ut" arg /* Memory upper threshold limit percentage */, "session-steering" /* Session steering for session anticipation */, "idp-bypass-cpu-usg-overload" /* Enable IDP bypass of sessions/packets on CPU usage overload */, "idp-bypass-cpu-threshold" arg /* Threshold of CPU usage in percentage for IDP bypass */, "idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */ ) ), "re-assembler" ( /* Re-assembler configuration */ c( "drop-on-syn-in-window" /* Drop session when SYN is seen in the window */, "no-drop-on-syn-in-window" /* Don't drop session when SYN is seen in the window */, "ignore-memory-overflow" /* Ignore memory overflow */, "no-ignore-memory-overflow" /* Don't ignore memory overflow */, "ignore-reassembly-memory-overflow" /* Ignore packet reassembly memory overflow */, "no-ignore-reassembly-memory-overflow" /* Don't ignore packet reassembly memory overflow */, "ignore-reassembly-overflow" /* Ignore global reassembly overflow */, "max-packet-mem" arg /* Maximum packet memory */, "max-flow-mem" arg /* Maximum flow memory */, "max-packet-mem-ratio" arg /* Maximum packet memory ratio */, "action-on-reassembly-failure" ( /* Select the action on reassembly failures */ ("ignore" | "drop" | "drop-session") ), "tcp-error-logging" /* Enable logging on tcp errors */, "no-tcp-error-logging" /* Don't enable logging on tcp errors */, "max-synacks-queued" arg /* Maximum syn-acks queued with different SEQ numbers */, "force-tcp-window-checks" /* Force TCP window checks if uni-directional policy is configured */, "no-force-tcp-window-checks" /* Don't force TCP window checks if uni-directional policy is configured */ ) ), "ips" ( /* Ips configuration */ c( "process-override" /* Process override */, "no-process-override" /* Don't process override */, "detect-shellcode" /* Detect shellcode */, "no-detect-shellcode" /* Don't detect shellcode */, "process-ignore-s2c" /* Process ignore s2c */, "no-process-ignore-s2c" /* Don't process ignore s2c */, "ignore-regular-expression" /* Ignore regular expression */, "no-ignore-regular-expression" /* Don't ignore regular expression */, "process-port" arg /* Process port */, "fifo-max-size" arg /* Maximum fifo size */, "log-supercede-min" arg /* Minimum log supercede */, "content-decompression-max-memory-kb" arg /* Maximum memory usage in kilo bytes */, "content-decompression-max-ratio" arg /* Maximum decompression ratio supported */, "session-pkt-depth" arg /* Session pkt scanning depth */ ) ), "global" ( /* Global configuration */ c( "enable-packet-pool" /* Enable packet pool */, "no-enable-packet-pool" /* Don't enable packet pool */, "enable-all-qmodules" /* Enable all qmodules */, "no-enable-all-qmodules" /* Don't enable all qmodules */, "policy-lookup-cache" /* Policy lookup cache */, "no-policy-lookup-cache" /* Don't policy lookup cache */, "memory-limit-percent" arg /* Memory limit percentage */ ) ), "detector" ( /* Detector Configuration */ c( "protocol-name" ( /* Apropriate help string */ proto_object /* Apropriate help string */ ) ) ), "ssl-inspection" ( /* SSL inspection */ c( "sessions" arg /* Number of SSL sessions to inspect */, "session-id-cache-timeout" arg /* Timeout value for SSL session ID cache */, "maximum-cache-size" arg /* Maximum SSL session ID cache size */, "cache-prune-chunk-size" arg /* Number of cache entries to delete when pruning SSL session ID cache */, "key-protection" /* Enable SSL key protection */ ) ), "disable-low-memory-handling" /* Do not abort IDP operations under low memory condition */, "high-availability" ( /* High availability configuration */ c( "no-policy-cold-synchronization" /* Disable policy cold synchronization */ ) ), "security-configuration" ( /* IDP security configuration */ c( "protection-mode" ( /* Enable security protection mode */ ("datacenter" | "datacenter-full" | "perimeter" | "perimeter-full") ) ) ) ) ), "max-sessions" arg /* Max number of IDP sessions */, "logical-system" ( /* Configure max IDP sessions for the logial system */ logical_system_type /* Configure max IDP sessions for the logial system */ ), "processes" /* Configure IDP Processes */ ) ), "address-book" ( /* Security address book */ named_address_book_type /* Security address book */ ), "alg" ( /* Configure ALG security options */ alg_object /* Configure ALG security options */ ), "application-firewall" ( /* Configure application-firewall rule-sets */ c( "traceoptions" ( /* Rule-sets Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "profile" arg ( /* Configure application-firewall profile */ c( "block-message" ( /* Block message settings */ c( "type" ( /* Type of block message desired */ c( c( "custom-text" ( /* Custom defined block message */ c( "content" arg /* Content of custom-text */ ) ), "custom-redirect-url" ( /* Custom redirect URL server */ c( "content" arg /* URL of block message */ ) ) ) ) ) ) ) ) ), "rule-sets" arg ( /* Configure application-firewall rule-sets */ c( "rule" ( /* Rule */ appfw_rule_type /* Rule */ ), "default-rule" ( /* Specify default rule for a rule-set */ c( c( "permit" /* Permit packets */, "deny" ( /* Deny packets */ c( "block-message" /* Block message */ ) ), "reject" ( /* Reject packets */ c( "block-message" /* Block message */ ) ) ) ) ), "profile" arg /* Profile for block message */ ) ), "nested-application" ( /* Configure nested application dynamic lookup */ c( "dynamic-lookup" ( /* Configure dynamic lookup */ c( "enable" /* Enable dynamic lookup */ ) ) ) ) ) ), "application-tracking" ( /* Application tracking configuration */ c( "disable" /* Disable Application tracking */, c( "first-update-interval" arg /* Interval when the first update message is sent */, "first-update" /* Generate Application tracking initial message when a session is created */ ), "session-update-interval" arg /* Frequency in which Application tracking update messages are generated */ ) ), "utm" ( /* Content security service configuration */ c( "traceoptions" ( /* Trace options for utm */ utm_traceoptions /* Trace options for utm */ ), "application-proxy" ( /* Application proxy settings */ c( "traceoptions" ( /* Trace options for application proxy */ utm_apppxy_traceoptions /* Trace options for application proxy */ ) ) ), "ipc" ( /* IPC settings */ c( "traceoptions" ( /* Trace options for IPC */ utm_ipc_traceoptions /* Trace options for IPC */ ) ) ), "custom-objects" ( /* Custom-objects settings */ c( "category-package" ( /* Category package download and install options */ c( "url" arg /* HTTPS URL of category package download */, "proxy-profile" arg /* Proxy profile */, "routing-instance" arg /* Routing instance name */, "automatic" ( /* Scheduled download and install */ c( "start-time" ( /* Start time (YYYY-MM-DD.HH:MM:SS) */ time /* Start time (YYYY-MM-DD.HH:MM:SS) */ ), "interval" arg /* Interval in hours */, "enable" /* Enable automatic download and install */ ) ) ) ), "mime-pattern" ( /* Configure mime-list object */ mime_list_type /* Configure mime-list object */ ), "filename-extension" ( /* Configure extension-list object */ extension_list_type /* Configure extension-list object */ ), "url-pattern" ( /* Configure url-list object */ url_list_type /* Configure url-list object */ ), "custom-url-category" ( /* Configure category-list object */ category_list_type /* Configure category-list object */ ), "protocol-command" ( /* Configure command-list object */ command_list_type /* Configure command-list object */ ), "custom-message" ( /* Configure custom-message object */ custom_message_type /* Configure custom-message object */ ) ) ), "default-configuration" ( /* Global default UTM configurations */ c( "anti-virus" ( /* Configure anti-virus feature */ default_anti_virus_feature /* Configure anti-virus feature */ ), "web-filtering" ( /* Configure web-filtering feature */ default_webfilter_feature /* Configure web-filtering feature */ ), "anti-spam" ( /* Configure anti-spam feature */ default_anti_spam_feature /* Configure anti-spam feature */ ), "content-filtering" ( /* Configure content filtering feature */ default_content_filtering_feature /* Configure content filtering feature */ ) ) ), "feature-profile" ( /* Feature-profile settings */ c( "anti-virus" ( /* Configure anti-virus feature */ anti_virus_feature /* Configure anti-virus feature */ ), "web-filtering" ( /* Configure web-filtering feature */ webfilter_feature /* Configure web-filtering feature */ ), "anti-spam" ( /* Configure anti-spam feature */ anti_spam_feature /* Configure anti-spam feature */ ), "content-filtering" ( /* Configure content filtering feature */ content_filtering_feature /* Configure content filtering feature */ ) ) ), "utm-policy" ( /* Configure profile */ profile_setting /* Configure profile */ ) ) ), "dynamic-address" ( /* Configure security dynamic address */ c( "traceoptions" ( /* Security dynamic address tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "control" | "ipc" | "ip-entry" | "file-retrieval" | "lookup" | "all")) /* Tracing parameters */.as(:oneline) ) ), "feed-server" arg ( /* Security dynamic address feed-server */ c( "description" arg /* Text description of feed-server */, "hostname" arg /* Hostname or IP address of feed-server */, "update-interval" arg /* Interval to retrieve update */, "hold-interval" arg /* Time to keep IP entry when update failed */, "feed-name" arg ( /* Feed name in feed-server */ c( "description" arg /* Text description of feed in feed-server */, "path" arg /* Path of feed, appended to feed-server to form a complete URL */, "update-interval" arg /* Interval to retrieve update */, "hold-interval" arg /* Time to keep IP entry when update failed */ ) ) ) ), "address-name" arg ( /* Security dynamic address name */ c( "description" arg /* Text description of dynamic address */, "profile" ( /* Information to categorize feed data into this dynamic address */ c( "feed-name" arg /* Name of feed in feed-server for this dynamic address */, "category" arg ( /* Name of category */ c( "feed" arg /* Name of feed under category */, "property" arg ( /* Property to match */ c( c( "string" arg /* Value type is strings */ ) ) ) ) ) ) ) ) ) ) ), "dynamic-vpn" /* Configure dynamic VPN */, "dynamic-application" ( /* Configure dynamic-application */ c( "traceoptions" ( /* Dynamic application tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "profile" arg ( /* Configure application-firewall profile */ c( "redirect-message" ( /* Redirect message settings */ c( "type" ( /* Type of redirect message desired */ c( c( "custom-text" ( /* Custom defined text block message */ c( "content" arg /* Content of custom-text */ ) ), "redirect-url" ( /* Custom redirect URL server */ c( "content" arg /* URL of block message */ ) ) ) ) ) ) ) ) ) ) ), "softwires" ( /* Configure softwire feature */ softwires_object /* Configure softwire feature */ ), "forwarding-options" ( /* Security-forwarding-options configuration */ c( "family" ( /* Security forwarding-options for family */ c( "inet6" ( /* Family IPv6 */ c( "mode" ( /* Forwarding mode */ ("packet-based" | "flow-based" | "drop") ) ) ), "mpls" ( /* Family MPLS */ c( "mode" ( /* Forwarding mode */ ("packet-based") ) ) ), "iso" ( /* Family ISO */ c( "mode" ( /* Forwarding mode */ ("packet-based") ) ) ) ) ), "mirror-filter" ( /* Security mirror filters */ mirror_filter_type /* Security mirror filters */ ), "secure-wire" ( /* Secure-wire cross connections */ secure_wire_type /* Secure-wire cross connections */ ) ) ), "advanced-services" /* Advanced services configuration */, "flow" ( /* FLOW configuration */ c( "enhanced-routing-mode" /* Enable enhanced route scaling */, "traceoptions" ( /* Trace options for flow services */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "basic-datapath" | "high-availability" | "host-traffic" | "fragmentation" | "multicast" | "route" | "session" | "session-scan" | "tcp-basic" | "tunnel")) /* Events and other information to include in trace output */.as(:oneline), "rate-limit" arg /* Limit the incoming rate of trace messages */, "packet-filter" ( /* Flow packet debug filters */ flow_filter_type /* Flow packet debug filters */ ), "trace-level" ( /* FLow trace level */ c( c( "error" /* Error messages */, "brief" /* Brief messages */, "detail" /* Detail messages */ ) ) ) ) ), "pending-sess-queue-length" ( /* Maximum queued length per pending session */ ("normal" | "moderate" | "high") ), "enable-reroute-uniform-link-check" ( /* Enable reroute check with uniform link */ c( "nat" /* Enable NAT check */ ) ), "allow-dns-reply" /* Allow unmatched incoming DNS reply packet */, "route-change-timeout" arg /* Timeout value for route change to nonexistent route */, "syn-flood-protection-mode" ( /* TCP SYN flood protection mode */ ("syn-cookie" | "syn-proxy") ), "allow-embedded-icmp" /* Allow embedded ICMP packets not matching a session to pass through */, "mcast-buffer-enhance" /* Allow to hold more packets during multicast session creation */, "allow-reverse-ecmp" /* Allow reverse ECMP route lookup */, "sync-icmp-session" /* Allow icmp sessions to sync to peer node */, "ipsec-performance-acceleration" /* Accelerate the IPSec traffic performance */, "aging" ( /* Aging configuration */ c( "early-ageout" arg /* Delay before device declares session invalid */, "low-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out ends */, "high-watermark" arg /* Percentage of session-table capacity at which aggressive aging-out starts */ ) ), "ethernet-switching" ( /* Ethernet-switching configuration for flow */ c( "block-non-ip-all" /* Block all non-IP and non-ARP traffic including broadcast/multicast */, "bypass-non-ip-unicast" /* Allow all non-IP (including unicast) traffic */, "no-packet-flooding" ( /* Stop IP flooding, send ARP/ICMP to trigger MAC learning */ c( "no-trace-route" /* Don't send ICMP to trigger MAC learning */ ) ), "bpdu-vlan-flooding" /* Set 802.1D BPDU flooding based on VLAN */ ) ), "tcp-mss" ( /* TCP maximum segment size configuration */ c( "all-tcp" ( /* Enable MSS override for all packets */ c( "mss" arg /* MSS value */ ) ), "ipsec-vpn" ( /* Enable MSS override for all packets entering IPSec tunnel */ c( "mss" arg /* MSS value */ ) ), "gre-in" ( /* Enable MSS override for all GRE packets coming out of an IPSec tunnel */ c( "mss" arg /* MSS value */ ) ), "gre-out" ( /* Enable MSS override for all GRE packets entering an IPsec tunnel */ c( "mss" arg /* MSS value */ ) ) ) ), "tcp-session" ( /* Transmission Control Protocol session configuration */ c( "rst-invalidate-session" /* Immediately end session on receipt of reset (RST) segment */, "fin-invalidate-session" /* Immediately end session on receipt of fin (FIN) segment */, "rst-sequence-check" /* Check sequence number in reset (RST) segment */, "no-syn-check" /* Disable creation-time SYN-flag check */, "strict-syn-check" /* Enable strict syn check */, "no-syn-check-in-tunnel" /* Disable creation-time SYN-flag check for tunnel packets */, "no-sequence-check" /* Disable sequence-number checking */, "tcp-initial-timeout" arg /* Timeout for TCP session when initialization fails */, "maximum-window" ( /* Maximum TCP proxy scaled receive window, default 256K bytes */ ("64K" | "128K" | "256K" | "512K" | "1M") ), "time-wait-state" ( /* Session timeout value in time-wait state, default 150 seconds */ c( c( "session-ageout" /* Allow session to ageout using service based timeout values */, "session-timeout" arg /* Configure session timeout value for time-wait state */ ), "apply-to-half-close-state" /* Apply time-wait-state timeout to half-close state */ ) ) ) ), "force-ip-reassembly" /* Force to reassemble ip fragments */, "preserve-incoming-fragment-size" /* Preserve incoming fragment size for egress MTU */, "advanced-options" ( /* Flow config advanced options */ c( "drop-matching-reserved-ip-address" /* Drop matching reserved source IP address */, "drop-matching-link-local-address" /* Drop matching link local address */, "reverse-route-packet-mode-vr" /* Allow reverse route lookup with packet mode vr */ ) ), "load-distribution" ( /* Flow config SPU load distribution */ c( "session-affinity" /* SPU load distribution based on the service anchor SPU */ ) ), "packet-log" ( /* Configure flow packet log */ c( "enable" /* Enable log for dropped packet */, "throttle-interval" arg /* Interval should be configured as a power of two */, "packet-filter" ( /* Configure packet log filter */ flow_filter_type /* Configure packet log filter */ ) ) ), "power-mode-ipsec" /* Enable power mode ipsec processing */ ) ), "firewall-authentication" ( /* Firewall authentication parameters */ c( "traceoptions" ( /* Data-plane firewall authentication tracing options */ c( "flag" enum(("authentication" | "proxy" | "all")) ( /* Events to include in trace output */ sc( c( "terse" /* Include terse amount of output in trace */, "detail" /* Include detailed amount of output in trace */, "extensive" /* Include extensive amount of output in trace */ ) ) ).as(:oneline) ) ) ) ), "screen" ( /* Configure screen feature */ c( "trap" ( /* Configure trap interval */ sc( "interval" arg /* Trap interval */ ) ).as(:oneline), "ids-option" ( /* Configure ids-option */ ids_option_type /* Configure ids-option */ ), "traceoptions" ( /* Trace options for Network Security Screen */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "all")) /* Tracing parameters */.as(:oneline) ) ), "white-list" ( /* Set of IP addresses for white list */ ids_wlist_type /* Set of IP addresses for white list */ ) ) ), "nat" ( /* Configure Network Address Translation */ nat_object /* Configure Network Address Translation */ ), "forwarding-process" ( /* Configure security forwarding-process options */ c( "enhanced-services-mode" /* Enable enhanced application services mode */, "application-services" ( /* Configure application service options */ c( "maximize-alg-sessions" /* Maximize ALG session capacity */, "maximize-persistent-nat-capacity" /* Increase persistent NAT capacity by reducing maximum flow sessions */, "maximize-cp-sessions" /* Maximize CP session capacity */, "session-distribution-mode" arg /* Session distribution mode */, "enable-gtpu-distribution" /* Enable GTP-U distribution */, "packet-ordering-mode" arg /* Packet ordering mode */, "maximize-idp-sessions" /* Run security services in dedicated processes to maximize IDP session capacity */ ) ) ) ), "policies" ( /* Configure Network Security Policies */ policy_object_type /* Configure Network Security Policies */ ), "tcp-encap" ( /* Configure TCP Encapsulation. */ c( "traceoptions" ( /* Trace options for TCP encapsulation service */ ragw_traceoptions /* Trace options for TCP encapsulation service */ ), "profile" arg ( /* Configure profile. */ c( "ssl-profile" arg /* SSL Termination profile */, "log" /* Enable logging for remote-access */ ) ), "global-options" ( /* Global settings for TCP encapsulation */ c( "enable-tunnel-tracking" /* Track ESP tunnels */ ) ) ) ), "resource-manager" ( /* Configure resource manager security options */ c( "traceoptions" ( /* Traceoptions for resource manager */ c( "flag" enum(("client" | "group" | "resource" | "gate" | "session" | "chassis cluster" | "messaging" | "service pinhole" | "error" | "all")) ( /* Resource manager objects and events to include in trace */ sc( c( "terse" /* Set trace verbosity level to terse */, "detail" /* Set trace verbosity level to detail */, "extensive" /* Set trace verbosity level to extensive */ ) ) ).as(:oneline) ) ) ) ), "analysis" ( /* Configure security analysis */ c( "no-report" /* Stops security analysis reporting */ ) ), "traceoptions" ( /* Network security daemon tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "compilation" | "all")) /* Tracing parameters */.as(:oneline), "rate-limit" arg /* Limit the incoming rate of trace messages */ ) ), "datapath-debug" ( /* Datapath debug options */ c( "traceoptions" ( /* End to end debug trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline) ) ), "capture-file" ( /* Packet capture options */ sc( arg /* Capture file name */, "format" ( /* Capture file format */ ("pcap") ), "size" arg /* Maximum file size */, "files" arg /* Maximum number of files */, "world-readable" /* Allow any user to read packet-capture files */, "no-world-readable" /* Don't allow any user to read packet-capture files */ ) ).as(:oneline), "maximum-capture-size" arg /* Max packet capture length */, "action-profile" ( /* Action profile definitions */ e2e_action_profile /* Action profile definitions */ ), "packet-filter" ( /* Packet filter configuration */ end_to_end_debug_filter /* Packet filter configuration */ ) ) ), "user-identification" ( /* Configure user-identification */ c( "traceoptions" ( /* User-identification Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all")) /* Tracing parameters */.as(:oneline) ) ), "authentication-source" ( /* Configure user-identification authentication-source */ authentication_source_type /* Configure user-identification authentication-source */ ) ) ), "zones" ( /* Zone configuration */ c( "functional-zone" ( /* Functional zone */ c( "management" ( /* Host for out of band management interfaces */ c( "interfaces" ( /* Interfaces that are part of this zone */ zone_interface_list_type /* Interfaces that are part of this zone */ ), "screen" arg /* Name of ids option object applied to the zone */, "host-inbound-traffic" ( /* Allowed system services & protocols */ zone_host_inbound_traffic_t /* Allowed system services & protocols */ ), "description" arg /* Text description of zone */ ) ) ) ), "security-zone" ( /* Security zones */ security_zone_type /* Security zones */ ) ) ), "advance-policy-based-routing" ( /* Configure Network Security APBR Policies */ c( "traceoptions" ( /* Advance policy based routing tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "lookup" | "compilation" | "ipc" | "all")) /* Tracing parameters */.as(:oneline) ) ), "tunables" ( /* Configure advance policy based routing tunables */ c( "max-route-change" arg /* Maximum route change */, "drop-on-zone-mismatch" /* Drop session if zone mismatches */, "enable-logging" /* Enable AppTrack logging */ ) ), "profile" arg ( /* Configure advance-policy-based-routing profile */ c( "rule" ( /* Specify an advance policy based routing rule */ apbr_rule_type /* Specify an advance policy based routing rule */ ) ) ), "active-probe-params" arg ( /* Active probe's settings */ c( "settings" ( /* Settings */ appqoe_probe_params /* Settings */ ) ) ), "metrics-profile" arg ( /* Configure metric profiles */ c( "sla-threshold" ( /* Configure SLA metric threshold */ appqoe_sla_metric_profile /* Configure SLA metric threshold */ ) ) ), "overlay-path" arg ( /* List of overlay paths */ c( "tunnel-path" ( /* Tunnel start & end ip addresses */ appqoe_probe_path /* Tunnel start & end ip addresses */ ), "probe-path" ( /* Probe start & end ip addresses */ appqoe_probe_path /* Probe start & end ip addresses */ ) ) ), "destination-path-group" arg ( /* Group of tunnels to a particular destination */ c( "probe-routing-instance" ( /* Set routing instance for the probe-path */ c( arg /* Name of routing instance */ ) ), "overlay-path" arg /* List of paths */ ) ), "sla-options" ( /* Global SLA options */ c( "local-route-switch" ( /* Enable/disable Automatic local route switching */ c( c( "enabled" /* Enable */, "disabled" /* Disable */ ) ) ), "log-type" ( /* Choose the logging mechanism */ c( c( "syslog" /* Choose syslog */ ) ) ), "max-passive-probe-limit" ( /* Set max passive probe limits */ c( "number-of-probes" ( /* Number of passive probes to be sent */ c( arg ) ), "interval" ( /* Interval within which to send */ c( arg ) ) ) ) ) ), "sla-rule" arg ( /* Create SLA rule */ c( "switch-idle-time" ( /* Idle timeout period where no SLA violation will be detected once path switch has happened */ c( arg ) ), "metrics-profile" ( /* Set metrics profile for the SLA */ c( arg /* Metrics Profile name */ ) ), "active-probe-params" ( /* Set Probe params for the overlay-path */ c( arg /* Probe parameter's name */ ) ), "passive-probe-params" ( /* Passive probe settings */ c( "sampling-percentage" ( /* Mininmum percentage of Sessions to be evaluated for the application */ c( arg ) ), "violation-count" ( /* Number of SLA violations within sampling period to be considered as a violation. */ c( arg ) ), "sampling-period" ( /* Time period in which the sampling is done */ c( arg ) ), "sla-export-factor" ( /* Enabled sampling window based SLA exporting */ c( arg ) ), "type" ( /* Choose type of SLA measurement */ c( c( "book-ended" /* Choose custom method of probing within WAN link */ ) ) ), "sampling-frequency" ( /* Sampling frequency settings */ c( "interval" ( /* Time based sampling interval */ c( arg ) ), "ratio" ( /* 1:N based sampling ratio */ c( arg ) ) ) ) ) ) ) ), "policy" arg ( /* Define a policy context from this zone */ c( "policy" ( /* Define security policy in specified zone-to-zone direction */ sla_policy_type /* Define security policy in specified zone-to-zone direction */ ) ) ) ) ), "gprs" ( /* GPRS configuration */ c( "gtp" ( /* GPRS tunneling protocol configuration */ c( "profile" arg ( /* Configure GTP Profile */ c( "min-message-length" arg /* Minimum message length, from 0 to 65535 */, "max-message-length" arg /* Maximum message length, from 1 to 65535 */, "timeout" arg /* Tunnel idle timeout */, "rate-limit" arg /* Limit messages per second */, "log" ( /* GPRS tunneling protocol logs */ c( "forwarded" ( /* Log passed good packets */ ("basic" | "detail") ), "state-invalid" ( /* Dropped by state-inspection or sanity failure */ ("basic" | "detail") ), "prohibited" ( /* Dropped for type/length/version filtering */ ("basic" | "detail") ), "gtp-u" enum(("all" | "dropped")) /* Logs for gtp-u */, "rate-limited" ( /* Dropped for rate-limit */ c( c( "basic" /* Basic logs */, "detail" /* Detailed logs */ ), "frequency-number" arg /* Logging frequency over threshold, set by rate-limit */ ) ) ) ), "remove-ie" ( /* Remove information elements */ c( "version" enum(("v1")) ( /* GTP version */ c( "release" enum(("R6" | "R7" | "R8" | "R9")) /* Remove information elements by release */, "number" ( /* Remove information elements by number */ c( arg ) ) ) ) ) ), "path-rate-limit" ( /* Limit control messages based on IP pairs */ c( "message-type" enum(("create-req" | "delete-req" | "echo-req" | "other")) ( /* Specific group of control messages */ c( "drop-threshold" ( /* Set drop threshold for path rate limiting */ c( "forward" arg /* Limit messages of forward direction */, "reverse" arg /* Limit messages of reverse direction */ ) ), "alarm-threshold" ( /* Set alarm threshold for path rate limiting */ c( "forward" arg /* Limit messages of forward direction */, "reverse" arg /* Limit messages of reverse direction */ ) ) ) ) ) ), "drop" ( /* Drop certain type of messages */ c( "aa-create-pdp" ( /* Create AA pdp request/response message */ c( c( "0" /* Version 0 */ ) ) ), "aa-delete-pdp" ( /* Delete AA pdp request/response message */ c( c( "0" /* Version 0 */ ) ) ), "bearer-resource" ( /* Bearer resource command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "change-notification" ( /* Change notification request/response message */ c( c( "2" /* Version 2 */ ) ) ), "config-transfer" ( /* Configuration transfer message */ c( c( "2" /* Version 2 */ ) ) ), "context" ( /* Context request/response/ack message */ c( c( "2" /* Version 2 */ ) ) ), "create-bearer" ( /* Create bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-data-forwarding" ( /* Create indirect data forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-pdp" ( /* Create pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "create-session" ( /* Create session request/response message */ c( c( "2" /* Version 2 */ ) ) ), "create-tnl-forwarding" ( /* Create forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "cs-paging" ( /* CS paging indication message */ c( c( "2" /* Version 2 */ ) ) ), "data-record" ( /* Data record request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "delete-bearer" ( /* Delete bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-command" ( /* Delete bearer command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "delete-data-forwarding" ( /* Delete indirect data forwarding tunnel request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-pdn" ( /* Delete PDN connection set request/response message */ c( c( "2" /* Version 2 */ ) ) ), "delete-pdp" ( /* Delete pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "delete-session" ( /* Delete session request/response message */ c( c( "2" /* Version 2 */ ) ) ), "detach" ( /* Detach notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "downlink-notification" ( /* Downlink data notification/ack/failure message */ c( c( "2" /* Version 2 */ ) ) ), "echo" ( /* Echo request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "error-indication" ( /* Error indication message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "failure-report" ( /* Failure report request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "fwd-access" ( /* Forward access context notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "fwd-relocation" ( /* Forward relocation request/response/comp/comp-ack message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "fwd-srns-context" ( /* Forward SRNS context/context-ack message */ c( c( "1" /* Version 1 */ ) ) ), "g-pdu" ( /* G-PDU (user PDU) message/T-PDU */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "identification" ( /* Identification request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-start" ( /* MBMS session start request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-stop" ( /* MBMS session stop request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "mbms-session-update" ( /* MBMS session update request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "modify-bearer" ( /* Modify bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "modify-command" ( /* Modify bearer command/failure message */ c( c( "2" /* Version 2 */ ) ) ), "node-alive" ( /* Node alive request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "note-ms-present" ( /* Note MS GPRS present request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "pdu-notification" ( /* PDU notification requst/response/reject/reject-response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "ran-info" ( /* RAN info relay message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "redirection" ( /* Redirection request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "release-access" ( /* Release access-bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "relocation-cancel" ( /* Relocation cancel request/response message */ c( c( "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ), "resume" ( /* Resume notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "send-route" ( /* Send route info request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "sgsn-context" ( /* SGSN context request/response/ack message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "stop-paging" ( /* Stop paging indication message */ c( c( "2" /* Version 2 */ ) ) ), "supported-extension" ( /* Supported extension headers notification message */ c( c( "1" /* Version 1 */ ) ) ), "suspend" ( /* Suspend notification/ack message */ c( c( "2" /* Version 2 */ ) ) ), "trace-session" ( /* Trace session activation/deactivation message */ c( c( "2" /* Version 2 */ ) ) ), "update-bearer" ( /* Update bearer request/response message */ c( c( "2" /* Version 2 */ ) ) ), "update-pdn" ( /* Update PDN connection set request/response message */ c( c( "2" /* Version 2 */ ) ) ), "update-pdp" ( /* Update pdp request/response message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "all" /* All versions */ ) ) ), "ver-not-supported" ( /* Version not supported message */ c( c( "0" /* Version 0 */, "1" /* Version 1 */, "2" /* Version 2 */, "all" /* All versions */ ) ) ) ) ), "apn" arg ( /* GTP Access Point Name (APN) filter */ c( "imsi-prefix" arg ( /* Specific filter prefix digits for International Mobile Subscriber Identification(IMSI) */ c( "action" ( /* Configure GTP profile APN action */ c( c( "pass" /* Pass all selection modes for this APN */, "drop" /* Drop all selection modes for this APN */, "selection" ( /* Allowed selection modes for this APN */ c( "ms" /* Mobile Station selection mode */, "net" /* Network selection mode */, "vrf" /* Subscriber verified mode */ ) ) ) ) ) ) ) ) ), "restart-path" ( /* Restart GTP paths */ ("echo" | "create" | "all") ), "seq-number-validated" /* Validate G-PDU sequence number */, "gtp-in-gtp-denied" /* Deny nested GTP */, "u-tunnel-validated" /* Validate GTP-u tunnel */, "end-user-address-validated" /* Validate end user address */, "req-timeout" arg /* Request message timeout, default timeout value 5 seconds */, "handover-on-roaming-intf" /* Enable tunnel setup by Handover messages on roaming interface */, "handover-group" ( /* SGSN handover group configuration */ c( arg ) ) ) ), "traceoptions" ( /* Trace options for GPRS tunneling protocol */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "parser" | "chassis-cluster" | "gsn" | "jmpi" | "tnl" | "req" | "path" | "all")) /* Tracing parameters */.as(:oneline), "trace-level" ( /* GTP trace level */ c( c( "error" /* Match error conditions */, "warning" /* Match warning messages */, "notice" /* Match conditions that should be handled specially */, "info" /* Match informational messages */, "verbose" /* Match verbose messages */ ) ) ) ) ), "handover-group" arg ( /* Set handover group */ c( "address-book" arg ( /* Set addreess book */ c( "address-set" ( /* Set address set */ c( arg ) ) ) ) ) ), "handover-default" ( /* Set handover default deny */ c( "deny" /* Handover default deny */ ) ) ) ), "sctp" ( /* GPRS stream control transmission protocol configuration */ c( "profile" arg ( /* Configure stream transmission protocol */ c( "nat-only" /* Only do payload IPs translation for SCTP packet */, "association-timeout" arg /* SCTP association timeout length, in minutes */, "handshake-timeout" arg /* SCTP handshake timeout, in seconds */, "drop" ( /* Disallowed SCTP payload message */ c( "m3ua-service" enum(("sccp" | "tup" | "isup")) /* MTP level 3 (MTP3) user adaptation layer service */.as(:oneline), "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) ) ), "permit" ( /* Permit SCTP payload message */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "all" | arg)) /* SCTP payload protocol identifier */.as(:oneline) ) ), "limit" ( /* Packet limits */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ sc( "rate" arg /* Rate limit */ ) ).as(:oneline), "address" arg ( /* Rate limit for a list of IP addresses */ c( "payload-protocol" enum(("reserved" | "iua" | "m2ua" | "m3ua" | "sua" | "m2pa" | "v5ua" | "h248" | "bicc" | "tali" | "dua" | "asap" | "enrp" | "h323" | "qipc" | "simco" | "ddp-segment" | "ddp-stream" | "s1ap" | "x2ap" | "diameter-sctp" | "diameter-dtls" | "others" | arg)) ( /* Payload Rate limit */ sc( "rate" arg /* Rate limit */ ) ).as(:oneline) ) ), "rate" ( /* Rate limit */ c( "sccp" arg /* Global SCCP messages rate limit */, "ssp" arg /* Global SSP messages rate limit */, "sst" arg /* Global SST messages rate limit */, "address" arg ( /* Rate limit for a list of IP addresses */ c( "sccp" arg /* SCCP messages rate limit */, "ssp" arg /* SSP messages rate limit */, "sst" arg /* SST messages rate limit */ ) ) ) ) ) ) ) ), "multichunk-inspection" ( /* Configure for SCTP multi chunks inspection */ c( c( "disable" /* Set multichunk inspection flag to disable */ ) ) ), "nullpdu" ( /* Configure for SCTP NULLPDU protocol value */ c( "protocol" ( /* SCTP NULLPDU payload protocol identifier */ c( c( "ID-0x0000" /* Set 0x0000 to be NULLPDU ID value */, "ID-0xFFFF" /* Set 0xFFFF to be NULLPDU ID value */ ) ) ) ) ), "log" enum(("configuration" | "rate-limit" | "association" | "data-message-drop" | "control-message-drop" | "control-message-all")) /* GPRS stream control transmission protocol logs */.as(:oneline), "traceoptions" ( /* Trace options for GPRS stream control transmission protocol */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "detail" | "flow" | "parser" | "chassis-cluster" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ) ) ), "ngfw" ( /* Next generation unified L4/L7 firewall */ c( "default-profile" ( /* Unified L4/L7 firewall default profile configuration */ c( "ssl-proxy" ( /* SSL proxy services */ c( "profile-name" arg /* Specify SSL proxy service profile name */ ) ), "application-traffic-control" ( /* Application traffic control services */ jsf_application_traffic_control_rule_set_type /* Application traffic control services */ ) ) ) ) ), "macsec" ( /* MAC Security configuration */ security_macsec /* MAC Security configuration */ ) ) ), "applications" ( /* Define applications by protocol characteristics */ c( "application" ( /* Define an application */ application_object /* Define an application */ ), "application-set" ( /* Define an application set */ application_set_object /* Define an application set */ ) ) ), "schedulers" ( /* Security scheduler */ c( "scheduler" ( /* Scheduler configuration */ scheduler_object_type /* Scheduler configuration */ ) ) ), "access" ( c( "firewall-authentication" ( /* Type of firewall authentication */ c( "pass-through" ( /* Pass-through firewall authentication settings */ c( "default-profile" arg /* Name of profile to use if not specified in policy */, "ftp" ( /* FTP banners */ banner_object /* FTP banners */ ), "telnet" ( /* Telnet banners */ banner_object /* Telnet banners */ ), "http" ( /* HTTP banners */ banner_object /* HTTP banners */ ) ) ), "web-authentication" ( /* Web-authentication settings */ c( "default-profile" arg /* Name of profile to use for web-authentication */, "banner" ( c( "success" arg /* The message that will be displayed on successful login */ ) ), "timeout" arg /* Web-authentication timeout value in seconds */ ) ), "traceoptions" ( /* Firewall authentication tracing options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "setup" | "authentication" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) ) ) ) ) ) end rule(:juniper_unified_edge_cos_options) do c( "classifier-profiles" arg ( /* Classifier tables for mobile subscribers (UMTS/EPS) */ c( "description" arg /* Text description of classifier profile */, "qos-class-identifier" arg ( /* QCI mapping to forwarding class and loss priority */ sc( "forwarding-class" arg /* Forwarding class */, "loss-priority" ( /* Loss priority value */ ("low" | "high") ) ) ).as(:oneline) ) ), "gbr-bandwidth-pools" arg ( /* GBR bandwith pools configuration */ c( "maximum-bandwidth" arg /* Bandwidth for pool */, "downgrade-gtp-v1-gbr-bearers" /* Downgrade GTPv1 GBR bearer traffic class to background traffic class */ ) ), "resource-threshold-profiles" arg ( /* Resource threshold profiles */ c( "description" arg /* Text description of resource threshold profile */, "bearers-load" ( /* Number of bearers load configurations */ c( "low" ( /* Low threshold configuration */ c( "percentage" arg /* Low threshold */, "priority-level" arg /* Priority level - default 10 */ ) ), "high" ( /* High threshold configuration */ c( "percentage" arg /* High threshold */, "priority-level" arg /* Priority level - default 5 */ ) ) ) ), "memory" ( /* Memory load configurations */ c( "low" ( /* Low threshold configuration */ c( "percentage" arg /* Low threshold */, "priority-level" arg /* Priority level - default 10 */ ) ), "high" ( /* High threshold configuration */ c( "percentage" arg /* High threshold */, "priority-level" arg /* Priority level - default 5 */ ) ) ) ), "cpu" ( /* CPU load configurations */ c( "low" ( /* Low threshold configuration */ c( "percentage" arg /* Low threshold */, "priority-level" arg /* Priority level - default 10 */ ) ), "high" ( /* High threshold configuration */ c( "percentage" arg /* High threshold */, "priority-level" arg /* Priority level - default 5 */ ) ) ) ) ) ), "cos-policy-profiles" arg ( /* QoS policy profile */ c( "description" arg /* Text description of cos policy */, "default-bearer-qci" ( /* Default bearer qci value */ sc( arg, "upgrade" /* Override qci value */, "reject" /* Reject calls with numerially lower qci */ ) ).as(:oneline), "allocation-retention-priority" ( /* ARP local policy */ sc( arg, "reject" /* Reject calls with higher priority value */ ) ).as(:oneline), "aggregated-qos-control" ( /* Aggregated qos control policy */ c( "maximum-bit-rate-uplink" ( /* Maximum bit rate uplink */ sc( arg, "upgrade" /* Override maximum-bit-rate uplink value */, "reject" /* Reject calls with higher uplink maximum-bit-rate */ ) ).as(:oneline), "maximum-bit-rate-downlink" ( /* Maximum bit rate downlink */ sc( arg, "upgrade" /* Override maximum-bit-rate downlink value */, "reject" /* Reject calls with higher downlink maximum-bit-rate */ ) ).as(:oneline) ) ), "pdp-qos-control" ( /* PDP qos control */ c( "maximum-bit-rate-uplink" ( /* Maximum bit rate uplink */ sc( arg, "upgrade" /* Override maximum-bit-rate uplink value */, "reject" /* Reject calls with higher uplink maximum-bit-rate */ ) ).as(:oneline), "maximum-bit-rate-downlink" ( /* Maximum bit rate downlink */ sc( arg, "upgrade" /* Override maximum-bit-rate downlink value */, "reject" /* Reject calls with higher downlink maximum-bit-rate */ ) ).as(:oneline), "guaranteed-bit-rate-uplink" ( /* Guaranteed bit rate uplink */ sc( arg, "upgrade" /* Override guaranteed-bit-rate uplink value */, "reject" /* Reject calls with higher uplink guaranteed-bit-rate */ ) ).as(:oneline), "guaranteed-bit-rate-downlink" ( /* Guaranteed bit rate downlink */ sc( arg, "upgrade" /* Override guaranteed-bit-rate downlink value */, "reject" /* Reject calls with higher downlink guaranteed-bit-rate */ ) ).as(:oneline), "qci" arg ( /* PDP qos control per qci */ c( "maximum-bit-rate-uplink" ( /* Maximum bit rate uplink */ sc( arg, "upgrade" /* Override maximum-bit-rate uplink value */, "reject" /* Reject calls with higher uplink maximum-bit-rate */ ) ).as(:oneline), "maximum-bit-rate-downlink" ( /* Maximum bit rate downlink */ sc( arg, "upgrade" /* Override maximum-bit-rate downlink value */, "reject" /* Reject calls with higher downlink maximum-bit-rate */ ) ).as(:oneline) ) ) ) ), "policer-action" ( /* Policer actions */ c( "non-gbr-bearer" ( /* Policer actions for non gbr bearers */ c( "violate-action" ( /* PDP policer violate action */ ("set-loss-priority-high" | "transmit") ) ) ), "gbr-bearer" ( /* Policer actions for gbr bearers */ c( "exceed-action" ( /* PDP policer exceed action */ ("drop" | "transmit") ), "violate-action" ( /* PDP policer violate action */ ("set-loss-priority-high" | "transmit") ) ) ) ) ) ) ) ) end rule(:juniper_accounting_options) do c( "selective-aggregate-interface-stats" /* Toggle selective aggregate interface statistics collection */.as(:oneline), "periodic-refresh" ( /* Toggle periodic statistics collection */ sc( ("disable") ) ).as(:oneline), "file" arg ( /* Accounting data file configuration */ c( "nonpersistent" /* File does not persist across reboot */, "size" arg /* Maximum accounting data file size */, "files" arg /* Maximum number of files for this profile */, "transfer-interval" arg /* Frequency at which to transfer files to archive sites */, "start-time" ( /* Start time for file transmission (yyyy-mm-dd.hh:mm) */ time /* Start time for file transmission (yyyy-mm-dd.hh:mm) */ ), "compress" /* Transfer file in compressed format */, "backup-on-failure" ( /* Backup on transfer failure */ c( c( "master-only" /* Backup on master only */, "master-and-slave" /* Backup on both master and slave */ ) ) ), "push-backup-to-master" /* Push backup files to master RE */, "archive-sites" arg ( /* List of archive destinations */ sc( "password" ( /* Password for login into the archive site */ unreadable /* Password for login into the archive site */ ) ) ).as(:oneline) ) ), "interface-profile" arg ( /* Interface profile for accounting data */ c( "file" arg /* Name of file for accounting data */, "interval" arg /* Polling interval */, "fields" ( /* Statistics to log to file */ c( "input-bytes" /* Input bytes */, "output-bytes" /* Output bytes */, "input-packets" /* Input packets */, "output-packets" /* Output packets */, "input-errors" /* Generic input error packets */, "output-errors" /* Generic output error packets */, "input-multicast" /* Input packets arriving by multicast */, "output-multicast" /* Output packets sent by multicast */, "input-unicast" /* Input unicast packets */, "output-unicast" /* Output unicast packets */, "unsupported-protocol" /* Packets for unsupported protocol */, "rpf-check-bytes" /* Bytes failing IPv4 reverse-path-forwarding check */, "rpf-check-packets" /* Packets failing IPv4 reverse-path-forwarding check */, "rpf-check6-bytes" /* Bytes failing IPv6 reverse-path-forwarding check */, "rpf-check6-packets" /* Packets failing IPv6 reverse-path-forwarding check */ ) ) ) ), "filter-profile" arg ( /* Filter profile for accounting data */ c( "file" arg /* Name of file for accounting data */, "interval" arg /* Polling interval */, "counters" ( /* Name of counter */ counter_object /* Name of counter */ ) ) ), "class-usage-profile" arg ( /* Class usage profile for accounting data */ c( "file" arg /* Name of file for accounting data */, "interval" arg /* Polling interval */, c( "destination-classes" ( /* Name of destination class */ dest_class_name_object /* Name of destination class */ ), "source-classes" ( /* Name of source class */ source_class_name_object /* Name of source class */ ) ) ) ), "routing-engine-profile" arg ( /* Routing Engine profile for accounting data */ c( "file" arg /* Name of file for accounting data */, "interval" arg /* Polling interval */, "fields" ( /* Information to log to file */ c( "host-name" /* Hostname for this router */, "date" /* Date */, "time-of-day" /* Time of day */, "uptime" /* Time since last reboot */, "cpu-load-1" /* Average system load over last 1 minute */, "cpu-load-5" /* Average system load over last 5 minutes */, "cpu-load-15" /* Average system load over last 15 minutes */, "memory-usage" /* Instantaneous active memory usage */, "total-cpu-usage" /* Total CPU usage percentage */ ) ) ) ), "mib-profile" arg ( /* MIB profile for accounting data */ c( "file" arg /* Name of file for accounting data */, "interval" arg /* Polling interval */, "operation" ( /* SNMP operation */ ("get" | "get-next" | "walk") ), "object-names" ( /* Names of MIB objects */ mib_variable_name_object /* Names of MIB objects */ ) ) ), "flat-file-profile" arg ( /* Flat file profile for accounting data */ c( "file" arg /* Name of file for accounting data */, "interval" arg /* Polling interval */, "schema-version" arg /* Name of the schema */, "fields" ( /* Statistics to log to file */ c( "all-fields" /* All parameters */, "service-accounting" /* Service accounting for filters */, "general-param" ( /* General interface parameters */ c( "all-fields" /* All general interface parameters */, "timestamp" /* Timestamp */, "accounting-type" /* Accounting status type */, "descr" /* Description */, "routing-instances" /* Routing Instances where interface belongs */, "nas-port-id" /* NAS port id */, "line-id" /* Line id */, "vlan-id" /* Vlan-id */, "logical-interface" /* Logical-Interface */, "physical-interface" /* Physical Interface name */, "user-name" /* User name of the subscriber */ ) ), "overall-packet" ( /* Overall packet statistics */ c( "all-fields" /* All overall packet statistics */, "input-bytes" /* Input bytes */, "input-packets" /* Input packets */, "input-v6-bytes" /* Input IPV6 bytes */, "input-v6-packets" /* Input IPV6 packets */, "output-bytes" /* Output bytes */, "output-packets" /* Output packets */, "output-v6-bytes" /* Output IPV6 bytes */, "output-v6-packets" /* Output IPV6 packets */, "input-errors" /* Total input errors */, "output-errors" /* Total output errors */, "input-discards" /* Total input discards */ ) ), "l2-stats" ( /* Layer2 statistics */ c( "all-fields" /* All Layer2 statistics */, "input-mcast-bytes" /* L2 multicast bytes from input side */, "input-mcast-packets" /* L2 multicast packets from input side */ ) ), "ingress-stats" ( /* Ingress queue statistics */ c( "all-fields" /* All ingress queue statistics */, "queue-id" /* Queue ID */, "input-packets" /* Total input packets on the queue */, "input-bytes" /* Total input bytes on the queue */, "output-packets" /* Total output packet on the queue */, "output-bytes" /* Total output bytes on the queue */, "drop-packets" /* Ingress queue dropped packets */ ) ), "egress-stats" ( /* Egress queue statistics */ c( "all-fields" /* All egress queue statistics */, "queue-id" /* Queue ID */, "input-packets" /* Total input packets on the queue */, "input-bytes" /* Total input bytes on the queue */, "output-packets" /* Total output packet on the queue */, "output-bytes" /* Total output bytes on the queue */, "tail-drop-packets" /* Egress queue tail dropped packets */, "red-drop-packets" /* Egress queue red dropped packets */, "red-drop-bytes" /* Egress queue red drop bytes */ ) ) ) ), "format" ( /* Flat file accounting format */ c( c( "ipdr" /* IPDR format */, "csv" /* CSV format */ ) ) ) ) ), "cleanup-interval" ( /* Backup files cleanup interval */ c( "interval" arg /* Cleanup interval in days */ ) ) ) end rule(:counter_object) do arg.as(:arg).as(:oneline) end rule(:dest_class_name_object) do arg.as(:arg).as(:oneline) end rule(:junos_hash_key) do c( "family" ( /* Protocol family */ c( "fcoe" ( /* FCoE protocol family */ c( "ethernet-interfaces" /* FCoE hash-key configuration on ethernet interfaces */, "fabric-interfaces" /* FCoE hash-key configuration on fabric interfaces */, "oxid" arg /* Originator Exchange ID */ ) ), "inet" ( /* IPv4 protocol family */ c( "layer-3" ( /* Include Layer 3 (IP) data in the hash key */ c( "destination-address" /* Include IP destination address in the hash key */ ) ), "layer-4" ( /* Include Layer 4 (TCP or UDP) data in the hash key */ c( "gtp-tunnel-endpoint-identifier" /* Include GTP TEID in the hash key */ ) ), "session-id" /* Include session ID in the hash key */, "symmetric-hash" /* Create symmetric hash-key with source & destination ports */ ) ), "inet6" /* IPv6 protocol family */, "mpls" ( /* MPLS protocol family */ c( c( "label-1" /* Include the first MPLS label in the hash key */, "all-labels" /* Include all MPLS labels in hash key */, "no-labels" /* Exclude all MPLS labels from hash key */, "bottom-label-1" /* Include the first MPLS label from bottom-of-stack in the hash key */ ), "label-2" /* Include the second MPLS label in the hash key */, "label-3" /* Include the third MPLS label in the hash key */, "bottom-label-2" /* Include the second MPLS label from bottom-of-stack in the hash key */, "bottom-label-3" /* Include the third MPLS label from bottom-of-stack in the hash key */, "no-label-1-exp" /* Omit EXP bits of first MPLS label from the hash key */, "payload" ( /* Include payload data in the hash key */ c( "ether-pseudowire" /* Load-balance IP over ethernet PW */, "ip" ( /* Include IPv4 or IPv6 payload data in the hash key */ c( c( c( "layer-3-only" /* Include only layer-3 IP information */, "enable" /* Include layer3/4 IP payload in the hash key */, "disable" /* Exclude layer3/4 IP payload in the hash key */ ), "port-data" ( c( "source-msb" /* Include the most significant byte of the source port */, "source-lsb" /* Include the least significant byte of the source port */, "destination-msb" /* Include the most significant byte of the destination port */, "destination-lsb" /* Include the least significant byte of the destination port */ ) ) ) ) ) ) ) ) ), "multiservice" ( /* Multiservice protocol family */ c( "source-mac" /* Include source MAC address in hash key */, "destination-mac" /* Include destination MAC address in hash key */, "label-1" /* Include the first MPLS label in the hash key */, "label-2" /* Include the second MPLS label in the hash key */, "payload" /* Include payload data in the hash key */, "symmetric-hash" /* Create a/symmetric hash-key with any attributes */ ) ) ) ) ) end rule(:keepalives_type) do c( "interval" arg /* Keepalive period */, "up-count" arg /* Keepalive received to bring link up */, "down-count" arg /* Keepalive missed to bring link down */ ).as(:oneline) end rule(:layer2_pm_family_output_type) do c( c( "interface" ( /* Interface through which to send sampled traffic */ interface_name /* Interface through which to send sampled traffic */ ), "next-hop-group" arg /* Next-hop-group through which to send port-mirror traffic */, "routing-instance" ( /* Routing instances */ layer2_pm_output_routing_instance_type /* Routing instances */ ), "vlan" ( /* Outgoing VLAN for mirrored packets */ pm_rspan_vlan /* Outgoing VLAN for mirrored packets */ ), "bridge-domain" ( /* Outgoing bridge-domain for mirrored packets */ pm_rspan_bridge_domain /* Outgoing bridge-domain for mirrored packets */ ) ), "no-filter-check" /* Do not check for filters on port-mirroring interface */ ) end rule(:layer2_pm_output_routing_instance_type) do arg.as(:arg) ( c( "vlan" ( /* Outgoing VLAN for mirrored packets */ pm_rspan_vlan /* Outgoing VLAN for mirrored packets */ ), "bridge-domain" ( /* Outgoing bridge-domain for mirrored packets */ pm_rspan_bridge_domain /* Outgoing bridge-domain for mirrored packets */ ) ) ) end rule(:ldap_server_object) do arg.as(:arg) ( c( "port" arg /* LDAP server port number */, "source-address" ( /* Use specified address as source address */ ipv4addr /* Use specified address as source address */ ), "routing-instance" arg /* Use specified routing instance */, "retry" arg /* Number of times to resend requests */, "timeout" arg /* Delay before resending unacknowledged request */, "tls-type" ( ("start-tls") ), "tls-timeout" arg /* Limit on tls handshake time */, "tls-min-version" ( ("v1.1" | "v1.2") ), "no-tls-certificate-check" /* Do not validate peer certificate */, "tls-peer-name" arg /* Expected peer fdqn */ ) ) end rule(:ldp_sync_obj) do c( ("disable"), "hold-time" arg /* Time during which maximum metric is advertised */ ) end rule(:ldp_filter_obj) do c( "match-on" ( /* Argument on which to match */ ("fec" | "address") ), "policy" ( /* Filter policy */ policy_algebra /* Filter policy */ ) ).as(:oneline) end rule(:license_object) do c( "autoupdate" ( /* Autoupdate license keys from license servers */ c( "url" arg ( /* URL of a license server */ sc( "password" ( /* Password of URL for a license server */ unreadable /* Password of URL for a license server */ ) ) ).as(:oneline) ) ), "renew" ( /* License renew lead time and checking interval */ sc( "before-expiration" arg /* License renew lead time before expiration in days */, "interval" arg /* License checking interval in hours */ ) ).as(:oneline), "traceoptions" ( /* Trace options for licenses */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all" | "events" | "config")) /* Tracing parameters */.as(:oneline) ) ), "keys" ( /* License keys */ c( "key" arg /* License key */ ) ) ) end rule(:lmp_control_channel_type) do arg.as(:arg) ( c( "remote-address" ( /* Control channel remote address */ ipaddr /* Control channel remote address */ ) ) ) end rule(:localauth_subscriber_object) do arg.as(:arg) ( c( "password" arg /* Password for the subscriber */, "framed-ip-address" ( /* IP address to assign to the subscriber */ ipv4addr /* IP address to assign to the subscriber */ ), "framed-pool" arg /* Pool name to assign an IP address to the subscriber */, "delegated-pool" arg /* Pool name to assign an IPv6 delegated prefix to the subscriber */, "framed-ipv6-pool" arg /* Pool name to assign an IPv6 address or NDRA prefix to the subscriber */, c( "target-routing-instance" ( /* Routing instance to be assigned to the subscriber */ ("default" | arg) ), "target-logical-system" ( /* Logical system to be assigned to the subscriber */ c( arg /* Logical system name */, "target-routing-instance" ( /* Routing instance */ ("default" | arg) ) ) ) ) ) ) end rule(:location_type) do c( "country-code" arg /* Two-letter country code */, "postal-code" arg /* Zip code or postal code */, "npa-nxx" arg /* First six digits of phone number (area code plus exchange) */, "latitude" arg /* Latitude in degree format */, "longitude" arg /* Longitude in degree format */, "altitude" arg /* Feet above (or below) sea level */, "lata" arg /* Local access transport area */, "vcoord" arg /* Bellcore vertical coordinate */, "hcoord" arg /* Bellcore horizontal coordinate */, "building" arg /* Building name */, "floor" arg /* Floor of the building */, "rack" arg /* Rack number */, "lcc" arg ( /* Line-card chassis location */ c( "floor" arg /* Floor of the building */, "rack" arg /* Rack number */ ) ) ) end rule(:logical_system_type) do arg.as(:arg) ( c( "max-sessions" arg /* Max number of IDP sessions */ ) ) end rule(:login_class_object) do arg.as(:arg) ( c( "allowed-days" ( /* Day(s) of week when access is allowed. */ ("sunday" | "monday" | "tuesday" | "wednesday" | "thursday" | "friday" | "saturday") ), "access-start" ( /* Start time for remote access (hh:mm) */ date /* Start time for remote access (hh:mm) */ ), "access-end" ( /* End time for remote access (hh:mm) */ date /* End time for remote access (hh:mm) */ ), "idle-timeout" arg /* Maximum idle time before logout */, "logical-system" arg /* Logical system associated with login */, "tenant" arg /* Tenant associated with this login */, "login-alarms" /* Display system alarms when logging in */, "login-script" arg /* Execute this login-script when logging in */, "login-tip" /* Display tip when logging in */, "permissions" arg, "allow-commands" ( /* Regular expression for commands to allow explicitly */ regular_expression /* Regular expression for commands to allow explicitly */ ), "deny-commands" ( /* Regular expression for commands to deny explicitly */ regular_expression /* Regular expression for commands to deny explicitly */ ), "allow-configuration" ( /* Regular expression for configure to allow explicitly */ regular_expression /* Regular expression for configure to allow explicitly */ ), "deny-configuration" ( /* Regular expression for configure to deny explicitly */ regular_expression /* Regular expression for configure to deny explicitly */ ), "allow-commands-regexps" arg /* Object path regular expressions to allow commands */, "deny-commands-regexps" arg /* Object path regular expressions to deny commands */, "allow-configuration-regexps" arg /* Object path regular expressions to allow */, "deny-configuration-regexps" arg /* Object path regular expressions to deny */, "configuration-breadcrumbs" /* Enable breadcrumbs during display of configuration */, "confirm-commands" arg ( /* List of commands to be confirmed explicitly */ c( arg /* Message to be displayed during confirmation */ ) ), c( "allow-hidden-commands" /* Allow all hidden commands to be executed */, "no-hidden-commands" ( /* Deny all hidden commands with exemptions */ c( "except" arg /* Specify the list of hidden command to be exempted */ ) ) ), "cli" ( c( "prompt" arg /* Cli prompt name for this class */ ) ), "security-role" ( /* Common Criteria security role */ ("audit-administrator" | "crypto-administrator" | "ids-administrator" | "security-administrator") ), "satellite" arg /* Login access to satellite devices */ ) ) end rule(:login_object) do arg.as(:arg) ( c( "password" ( /* Default sender password for user authentication */ unreadable /* Default sender password for user authentication */ ) ) ) end rule(:login_user_object) do arg.as(:arg) ( c( "full-name" arg /* Full name */, "cli" ( c( "prompt" arg /* Cli prompt name for this user */ ) ), "uid" arg /* User identifier (uid) */, "class" arg /* Login class */, "authentication" ( /* Authentication method */ authentication_object /* Authentication method */ ) ) ) end rule(:lr_interfaces_type) do arg.as(:arg) ( c( "unit" enum(("$junos-underlying-interface-unit" | "$junos-interface-unit" | arg)) ( /* Logical interface */ c( "policer-overhead" ( /* Policer overhead adjustment for this unit */ c( arg, "ingress" arg /* Ingress value in bytes */, "egress" arg /* Egress value in bytes */ ) ), "alias" arg /* Interface alias */, "enhanced-convergence" /* Optimize convergence time for L3 */, "proxy-macip-advertisement" /* Proxy advertisement of type 2 MAC+IP route for EVPN */, "virtual-gateway-accept-data" /* Accept packets destined for virtual gateway address */, "peer-psd" ( /* Peer psd */ sc( arg /* Peer psd name */ ) ).as(:oneline), "peer-interface" ( /* Peer interface */ c( interface_unit /* Peer interface name */ ) ), "interface-shared-with" ( /* Specify which PSD owns this logical interface */ c( arg /* Name of protected system domain (psd[1-31], ex. psd2) */ ) ), ("disable"), "passive-monitor-mode" /* Use interface to tap packets from another router */, "per-session-scheduler" /* Enable per-session queuing on an IQ2 interface */, "account-layer2-overhead" /* Account layer2 overhead in IFL byte statistics */, "forwarding-class-accounting" /* Configure Forwarding-class-accounting parameters for IFL */, "clear-dont-fragment-bit" /* Clear DF bit in packet (AS PIC and J-series only as well as MIF) */, "packet-inject-enable" /* Enable packet inject functionality on this IFL */, "reassemble-packets" /* Do reassembly of fragmented tunnel packets */, "services-options" /* Services interface-specific options */, "rpm" /* Enable RPM service on this interface */, "description" arg /* Text description of interface */, "metadata" arg /* Text metadata attached to interface */, "dial-options" /* Dial options */, "actual-transit-statistics" /* Actual transit statistics */, "demux-source" ( enum(("inet" | "inet6")) ), "demux-destination" ( enum(("inet" | "inet6")) ), "demux" /* Demux based on source or destination address */, "encapsulation" ( /* Logical link-layer encapsulation */ ("atm-nlpid" | "atm-cisco-nlpid" | "atm-snap" | "atm-vc-mux" | "atm-ccc-vc-mux" | "atm-tcc-vc-mux" | "atm-tcc-snap" | "atm-ccc-cell-relay" | "vlan-vci-ccc" | "ether-over-atm-llc" | "ether-vpls-over-atm-llc" | "ppp-over-ether-over-atm-llc" | "ppp-over-ether" | "atm-ppp-vc-mux" | "atm-ppp-llc" | "atm-mlppp-llc" | "frame-relay-ppp" | "frame-relay-ccc" | "frame-relay" | "frame-relay-tcc" | "frame-relay-ether-type" | "frame-relay-ether-type-tcc" | "ether-vpls-fr" | "vlan-ccc" | "ethernet-ccc" | "vlan-vpls" | "vlan-bridge" | "dix" | "ethernet" | "ethernet-vpls" | "ethernet-bridge" | "vlan" | "vlan-tcc" | "multilink-ppp" | "multilink-frame-relay-end-to-end" | "ppp-ccc") ), "gre" /* Allow GRE packets */, "mtu" arg /* Maximum transmission unit packet size */, c( "point-to-point" /* Point-to-point connection */, "multipoint" /* Multipoint connection */ ), "bandwidth" arg /* Logical unit bandwidth (informational only) */, "global-layer2-domainid" arg /* Global Layer-2 Identifier for this interface */, "radio-router" ( /* Parameters for dynamic link cost management */ dynamic_ifbw_parms_type /* Parameters for dynamic link cost management */ ), "traps" /* Enable SNMP notifications on state changes */, "no-traps" /* Don't enable SNMP notifications on state changes */, "routing-services" /* Enable routing services */, "no-routing-services" /* Don't enable routing services */, "arp-resp" ( /* Knob to control ARP response on the interface, default is restricted */ sc( c( "unrestricted" /* Enable unrestricted ARP respone on the interface */, "restricted" /* Enable restricted proxy ARP response on the interface */ ) ) ).as(:oneline), "proxy-arp" ( /* Enable proxy ARP on the interface, default is unrestricted */ sc( c( "unrestricted" /* Enable unrestricted proxy ARP on the interface */, "restricted" /* Enable restricted proxy ARP on the interface */ ) ) ).as(:oneline), c( "vlan-id" ( /* Virtual LAN identifier value for 802.1q VLAN tags */ ("none" | arg) ), "vlan-id-range" arg /* Virtual LAN identifier range of form vid1-vid2 */, "inner-vlan-id-swap-ranges" arg /* Inner vlan-id swap range(s) of form vid1-vid2 for dynamic L2 VLANs */, "vlan-id-list" arg /* List of VLAN identifiers */, "vlan-tag" arg /* IEEE 802.1q tag list for VLAN tagged frames */, "vlan-tags" ( /* IEEE 802.1q tags */ sc( "outer" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-stacked-vlan-id" | "$junos-vlan-id" | arg) ), c( "inner" ( /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ("$junos-vlan-id" | arg) ), "inner-range" arg /* [tpid.]vid1-vid2, tpid format is 0xNNNN and is optional */, "inner-list" arg /* List of VLAN identifiers */ ) ) ).as(:oneline) ), "deep-vlan-qualified-learning" arg /* Enable qualified MAC-address learning on the specified vlan tag */, "native-inner-vlan-id" arg /* Native virtual LAN identifier for singly tagged frames */, "inner-vlan-id-range" /* Inner vlan-id range start end */.as(:oneline), "accept-source-mac" ( /* Remote media access control address to/from which to accept traffic */ c( "mac-address" ( /* Remote MAC address */ mac_list /* Remote MAC address */ ) ) ), "input-vlan-map" ( /* VLAN map operation on input */ vlan_map /* VLAN map operation on input */ ), "output-vlan-map" ( /* VLAN map operation on output */ vlan_map /* VLAN map operation on output */ ), "swap-by-poppush" /* Pop original vlan tag and then push a new vlan tag */, "receive-lsp" arg /* Name of incoming label-switched path */, "transmit-lsp" arg /* Name of outgoing label-switched path */, "dlci" arg /* Frame Relay data-link control identifier */, "multicast-dlci" arg /* Frame Relay data-link control identifier for multicast packets */, c( "vci" ( /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM point-to-point virtual circuit identifier ([vpi.]vci) */ ), "allow-any-vci" /* Allow all VCIs to open in atm-ccc-cell-relay mode */, "vpi" arg /* ATM point-to-point virtual path identifier (vpi) */, "trunk-id" arg /* ATM trunk identifier */ ), "no-vpivci-swapping" /* Do not swap VPI/VCI for Cell Relay */, c( "psn-vci" ( /* PSN VCI */ atm_vci /* PSN VCI */ ), "psn-vpi" arg /* PSN VPI */ ), "atm-l2circuit-mode" ( /* Select ATM Layer 2 circuit transport mode */ sc( c( "cell" /* ATM Layer 2 circuit cell mode */, "aal5" /* ATM Layer 2 circuit AAL5 mode */ ) ) ).as(:oneline), "vci-range" ( /* ATM VCI range start end */ sc( "start" arg /* ATM VCI range's start value */, "end" arg /* ATM VCI range's end value */ ) ).as(:oneline), "trunk-bandwidth" arg /* ATM trunk bandwidth */, "multicast-vci" ( /* ATM virtual circuit identifier for multicast packets */ atm_vci /* ATM virtual circuit identifier for multicast packets */ ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable F5 OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "ppp-options" ( /* Point-to-Point Protocol interface-specific options */ ppp_options_type /* Point-to-Point Protocol interface-specific options */ ), "pppoe-options" ( /* PPP over Ethernet interface-specific options */ pppoe_options_type /* PPP over Ethernet interface-specific options */ ), "pppoe-underlying-options" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "advisory-options" ( /* Interface-specific recommendations */ advisory_options_type /* Interface-specific recommendations */ ), "auto-configure" ( /* Auto configuration */ auto_configure_vlan_type /* Auto configuration */ ), "demux-options" ( /* IP demux interface-specific options */ demux_options_type /* IP demux interface-specific options */ ), "targeted-distribution" /* Interface participates in targeted-distribution */, "targeted-options" /* Targeting specific options */, c( "keepalives" ( /* Send or demand keepalive messages */ keepalives_type /* Send or demand keepalive messages */ ).as(:oneline), "no-keepalives" /* Do not send or demand keepalive messages */ ), "inverse-arp" /* Enable inverse ARP */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline), "cell-bundle-size" arg /* L2 circuit cell bundle size */, "cell-bundle-timeout" arg /* L2 circuit cell bundle timeout */, "plp-to-clp" /* Enable ATM2 PLP to CLP copy */, "atm-scheduler-map" arg /* Assign ATM2 CoS scheduling map */, "mrru" arg /* Maximum received reconstructed unit */, "short-sequence" /* Short sequence number header format (MLPPP only) */, "fragment-threshold" arg /* Fragmentation threshold */, "drop-timeout" arg /* Drop timeout */, "disable-mlppp-inner-ppp-pfc" /* Disable compression for inner PPP header in MLPPP payload */, "minimum-links" arg /* Minimum number of links to sustain the bundle */, "multilink-max-classes" arg /* Number of multilink classes */, "compression" ( /* Various packet header compressions */ c( "rtp" ( /* Compress and decompress RTP */ c( "f-max-period" arg /* Maximum number of compressed packets between transmission of full headers */, "queues" ( /* Queue holding RTP packets. Default is queue 1 */ ("q0" | "q1" | "q2" | "q3") ), "port" ( /* UDP destination ports reserved for RTP packets */ sc( "minimum" arg, "maximum" arg ) ).as(:oneline), "maximum-contexts" ( /* Maximum number of simultaneous RTP contexts */ sc( arg ) ).as(:oneline) ) ) ) ), "interleave-fragments" /* Interleave long packets with high priority ones */, "link-layer-overhead" ( /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ unsigned_float /* Link layer bit stuffing overhead (0.0 .. 50.0 percent) */ ), "accounting-profile" arg /* Accounting profile name */, "peer-unit" arg /* Peer unit number */, "tunnel" ( /* Tunnel parameters */ c( "encapsulation" ( /* Encapsulation over tunnel */ c( "vxlan-gpe" ( c( "source" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ), "interface" ( /* Name of the interface */ interface_name /* Name of the interface */ ) ) ), "destination" ( c( "address" ( /* Interface address prefix */ ipv4addr /* Interface address prefix */ ) ) ), "tunnel-endpoint" ( /* Tunnel end point type */ ("vxlan") ), "destination-udp-port" arg /* Value to write to the destination-udp-port field */, "vni" arg /* Value to write to the vni field */ ) ) ) ), "source" ( /* Tunnel source */ ipaddr /* Tunnel source */ ), "destination" ( /* Tunnel destination */ ipaddr /* Tunnel destination */ ), "key" arg /* Tunnel key */, "backup-destination" ( /* Backup tunnel destination */ ipaddr /* Backup tunnel destination */ ), c( "allow-fragmentation" /* Do not set DF bit on packets */, "do-not-fragment" /* Set DF bit on packets */ ), "ttl" arg /* Time to live */, "traffic-class" arg /* TOS/Traffic class field of IP-header */, "flow-label" arg /* Flow label field of IP6-header */, "path-mtu-discovery" /* Enable path MTU discovery for tunnels */, "no-path-mtu-discovery" /* Don't enable path MTU discovery for tunnels */, "routing-instance" ( /* Routing instance to which tunnel ends belong */ c( "destination" arg /* Routing instance of tunnel destination */ ) ) ) ), "compression-device" ( /* Logical interface used for compression */ interface_unit /* Logical interface used for compression */ ), "atm-policer" /* ATM policing for logical interface */, "layer2-policer" /* Layer2 policing for logical interface */, "filter" /* Filters to apply to all families configured under this logical interface */, "multi-chassis-protection" ( /* Inter-Chassis protection configuration */ multi_chassis_protection_group_ifl /* Inter-Chassis protection configuration */ ), "statistics" /* Enable statistics collection in PFE */, "esi" /* ESI configuration of logical interface */, "virtual-gateway-esi" /* ESI configuration of virtual gateway */, "service" ( /* Service operations */ c( "pcef" arg ( /* PCEF configuration */ c( "activate-all" /* Activate all rules and rulebases in the pcef profile */, "activate" arg /* Name of pcef profile rule or rulebase to activate */ ) ) ) ), "generate-eui64" /* To generate Link Local EUI-64 addresses */, "no-generate-eui64" /* Don't to generate Link Local EUI-64 addresses */, "family" ( /* Protocol family */ c( "inet" ( /* IPv4 parameters */ c( "dhcp" ( /* Dynamic Host Configuration Protocol client configuration */ dhcp_client_type /* Dynamic Host Configuration Protocol client configuration */ ), "targeted-broadcast" ( /* Directed broadcast */ c( c( "forward-and-send-to-re" /* Allow packets to be forwarded and sent to re */, "forward-only" /* Allow packets only to be forwarded */ ) ) ), "destination-class-usage" /* Enable destination class usage on this interface */, "transit-options-packets" /* Transit IP options packets (don't send to Routing Engine) */, "transit-ttl-exceeded" /* Transit IP TTL-exceeded packets (don't send to Routing Engine) */, "receive-options-packets" /* Receive IP options packets (don't send to Routing Engine) */, "receive-ttl-exceeded" /* Receive IP TTL-exceeded packets (don't send to Routing Engine) */, "accounting" ( /* Configure interface-based accounting options */ c( "source-class-usage" ( /* Enable source class usage on this interface */ c( "input" /* Specify this interface for source-class-usage input */, "output" /* Specify this interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mac-validate" arg /* Validate source MAC address */, "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "mtu" arg /* Protocol family maximum transmission unit */, "arp-max-cache" arg /* Max interface ARP nexthop cache size */, "arp-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "no-redirects" /* Do not redirect traffic */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "unconditional-src-learn" /* Glean from arp packets even when source cannot be validated */, "multicast-only" /* Allow only multicast traffic (tunnels only) */, "primary" /* Candidate for primary interface in system */, "ipsec-sa" arg /* Name of security association */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "simple-filter" ( /* Filter for doing multifield classification */ c( "input" arg /* Name of simple filter applied to received packets */ ) ), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "arp" arg /* Name of policer applied to received ARP packets */, "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "next-hop-tunnel" arg ( /* One or more next-hop tunnel tables */ c( "ipsec-vpn" arg /* Name of IPSec VPN */ ) ), "address" arg ( /* Interface address/destination prefix */ c( "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */, "broadcast" ( /* Broadcast address */ ipv4addr /* Broadcast address */ ), "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "multipoint-destination" arg ( /* Multipoint NBMA destination */ c( c( "dlci" arg /* Frame Relay data-link control identifier */, "vci" ( /* ATM virtual circuit identifier ([vpi.]vci) */ atm_vci /* ATM virtual circuit identifier ([vpi.]vci) */ ) ), "shaping" ( /* Virtual circuit traffic-shaping options */ dcd_shaping_config /* Virtual circuit traffic-shaping options */ ), "oam-period" ( /* OAM cell period */ sc( c( arg, "disable" /* Disable OAM loopback */.as(:oneline) ) ) ).as(:oneline), "oam-liveness" ( /* OAM virtual circuit liveness parameters */ c( "up-count" arg /* Number of OAM cells to consider VC up */, "down-count" arg /* Number of OAM cells to consider VC down */ ) ), "inverse-arp" /* Enable inverse ARP reply messages */, "transmit-weight" arg /* ATM2 transmit weight for VC under VP tunnel */, "epd-threshold" ( /* Early packet discard threshold for ATM2 */ epd_threshold_config /* Early packet discard threshold for ATM2 */ ).as(:oneline) ) ), "arp" arg ( /* Static Address Resolution Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for ARP entry */ interface_name /* Layer 2 interface name for ARP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to ARP requests for this entry */ ) ).as(:oneline), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "vrrp-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv4addr /* Virtual Gateway IP address */ ) ) ), "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-address" | arg) ), "destination" ( /* Destination address */ ipv4addr /* Destination address */ ), "destination-profile" arg /* Profile to use for destination address */ ) ).as(:oneline), "location-pool-address" /* Location-based IP address pool */, "negotiate-address" /* Negotiate address with remote */ ) ), "iso" ( /* OSI ISO protocol parameters */ c( "address" arg /* Interface address */, "mtu" arg /* Protocol family maximum transmission unit */ ) ), "inet6" ( /* IPv6 protocol parameters */ c( "dhcpv6-client" ( /* Dynamic Host Configuration Protocol DHCPv6 client configuration */ c( "client-type" ( /* DHCPv6 client type */ ("stateful" | "autoconfig") ), "client-ia-type" enum(("ia-na" | "ia-pd")) /* DHCPv6 client identity association type */, "rapid-commit" /* Option is used to signal the use of the two message exchange for address assignment */, "prefix-delegating" ( /* Prefix delegating parameters */ c( "preferred-prefix-length" arg /* Client preferred prefix length */, "sub-prefix-length" arg /* The sub prefix length for LAN interfaces */ ) ), "client-identifier" ( /* DHCP Server identifies a client by client-identifier value */ sc( "duid-type" ( /* DUID identifying a client */ ("duid-llt" | "vendor" | "duid-ll") ) ) ).as(:oneline), "req-option" enum(("dns-server" | "domain" | "ntp-server" | "time-zone" | "sip-server" | "sip-domain" | "nis-server" | "nis-domain" | "fqdn" | "vendor-spec")) /* DHCPV6 client requested option configuration */, "retransmission-attempt" arg /* Number of attempts to retransmit the DHCPV6 client protocol packet */, "no-dns-install" /* Not propagate DNS to kernel */, "update-router-advertisement" ( /* Dhcpv6 client update rpd for prefix delegation */ c( "interface" arg ( /* Interfaces on which to delegate prefix */ c( "managed-configuration" /* Set managed address configuration */, "no-managed-configuration" /* Don't set managed address configuration */, "other-stateful-configuration" /* Set other stateful configuration */, "no-other-stateful-configuration" /* Don't set other stateful configuration */, "max-advertisement-interval" arg /* Maximum advertisement interval */, "min-advertisement-interval" arg /* Minimum advertisement interval */, "enable-recursive-dns-server-option" /* Enables the recursive DNS server option */, "no-enable-recursive-dns-server-option" /* Don't enables the recursive DNS server option */ ) ) ) ), "update-server" /* Propagate TCP/IP settings to DHCP server */ ) ), "rpf-check" ( /* Enable reverse-path-forwarding checks on this interface */ c( "fail-filter" arg /* Name of filter applied to packets failing RPF check */, "mode" ( /* Mode for reverse path forwarding */ sc( "loose" /* Reverse-path-forwarding loose mode */ ) ).as(:oneline) ) ), "accounting" ( /* Interface-based accounting options */ c( "source-class-usage" ( c( "input" /* Interface for source-class-usage input */, "output" /* Interface for source-class-usage output */ ) ), "destination-class-usage" /* Enable destination class usage on this interface */ ) ), "mtu" arg /* Protocol family maximum transmission unit */, "tcp-mss" arg /* Protocol family tcp maximum segment size */, "nd6-stale-time" arg /* Stale time to reconfirm reachability with inet6 neighbour */, "no-neighbor-learn" /* Disable neighbor address learning on interface */, "slaac-enable" /* Enable slaac on management interface */, "ndp-proxy" ( /* Enable ndp proxy on interface */ c( "interface-restricted" /* Enable ndp interface proxy restricted to interface */ ) ), "dad-proxy" ( /* DAD proxy on interface */ c( "interface-restricted" /* Enable DAD interface proxy restricted to interface */ ) ), "nd6-max-cache" arg /* Max interface ND nexthop cache size */, "nd6-new-hold-limit" arg /* Max no. of new unresolved nexthops */, "no-redirects" /* Do not redirect traffic */, "allow-filter-on-re" /* Enable kernel filter on network ports */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" ( /* Interface sampling */ c( "input" /* Sample all packets input on this interface */, "output" /* Sample all packets output on this interface */ ) ), "service" ( /* Service operations */ c( "input" ( /* Service sets to consider for received packets */ c( "service-set" arg ( /* Service set to consider for received packets */ c( "service-filter" arg /* Name of service filter */ ) ), "post-service-filter" arg /* Post-service filter to apply to received packets */ ) ), "output" ( /* Service sets to consider for transmitted packets */ c( "service-set" arg ( /* Service set to consider for transmitted packets */ c( "service-filter" arg /* Name of service filter */ ) ) ) ) ) ), "address" arg ( /* Interface address or destination prefix */ c( "destination" ( /* Destination address */ ipv6addr /* Destination address */ ), "eui-64" /* Generate EUI-64 interface ID */, "primary" /* Candidate for primary address in system */, "preferred" /* Preferred address on interface */, "master-only" /* Master management IP address for router */, "ndp" arg ( /* Static Neighbor Discovery Protocol entries */ sc( "l2-interface" ( /* Layer 2 interface name for NDP entry */ interface_name /* Layer 2 interface name for NDP entry */ ), c( "mac" ( /* MAC address */ mac_unicast /* MAC address */ ), "multicast-mac" ( /* Multicast MAC address */ mac_multicast /* Multicast MAC address */ ) ), "publish" /* Reply to NDP requests for this entry */ ) ).as(:oneline), "vrrp-inet6-group" ( /* VRRP group */ vrrp_group /* VRRP group */ ), "web-authentication" ( /* Parameters for web-based firewall-user authentication */ c( "http" /* Enable authentication via HTTP */, "https" /* Enable authentication via HTTPS */, "redirect-to-https" /* Web authentication redirect to HTTPS */ ) ), "virtual-gateway-address" ( /* Virtual Gateway IP address */ ipv6addr /* Virtual Gateway IP address */ ), "subnet-router-anycast" /* Create a subnet roter anycast address for this address. */ ) ), "demux-source" /* Demux based on source prefix */, "demux-destination" /* Demux based on destination prefix */, "unnumbered-address" ( /* Unnumbered interface address/destination prefix */ sc( interface_unit /* Interface from which to take local address */, "preferred-source-address" ( /* Preferred address on the donor interface */ ("$junos-preferred-source-ipv6-address" | arg) ) ) ).as(:oneline), "dad-disable" /* Disable duplicate-address-detection */, "no-dad-disable" /* Don't disable duplicate-address-detection */, "negotiate-address" /* Negotiate address with remote */ ) ), "mpls" ( /* MPLS protocol parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "maximum-labels" arg /* Protocol family maximum number of labels */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */, "dialer" arg /* Name of filter applied on dialer */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "input-hierarchical-policer" arg /* Hierarchical policer for received packets */, "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ) ) ), "mlppp" ( /* Multilink PPP protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ ("$junos-bundle-interface-name" | arg) ), c( "service-interface" ( /* Services interface to use */ interface_device /* Services interface to use */ ), "service-device-pool" arg /* Service interface pool name to use */ ), "dynamic-profile" arg /* dynamic profile for interface to use */ ) ), "mlfr-end-to-end" ( /* Multilink Frame Relay end-to-end protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "mlfr-uni-nni" ( /* Multilink Frame Relay UNI NNI protocol parameters */ c( "bundle" ( /* Logical interface name this link will join */ interface_unit /* Logical interface name this link will join */ ) ) ), "ccc" ( /* Circuit cross-connect parameters */ c( "mtu" arg /* Protocol family maximum transmission unit */, "filter" ( /* Packet filtering */ c( c( "input" arg /* Name of filter applied to received packets */, "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" arg /* Name of filter applied to transmitted packets */, "output-list" arg /* List of filter modules applied to transmitted packets */ ), "group" arg /* Interface group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "translate-fecn-and-becn" /* Translate FECN and BECN bits */, c( "translate-discard-eligible" /* Translate DE bit */, "translate-plp-control-word-de" /* Translate PLP to/from Martini Control DE bit */ ), "keep-address-and-control" /* Don't strip PPP address and control bytes */ ) ), "tcc" ( /* Translational cross-connect parameters */ c( "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "proxy" ( c( "inet-address" ( /* Remote host address on non-Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on non-Ethernet side of Ethernet TCC */ ) ) ), "remote" ( c( "inet-address" ( /* Remote host address on Ethernet side of Ethernet TCC */ ipv4addr /* Remote host address on Ethernet side of Ethernet TCC */ ), "mac-address" ( /* Remote host MAC address on Ethernet side of Ethernet TCC */ mac_addr /* Remote host MAC address on Ethernet side of Ethernet TCC */ ) ) ), "protocols" /* Protocols supported on TCC interface */ ) ), "vpls" ( /* Virtual private LAN service parameters */ c( "core-facing" /* Interface is core facing */, "filter" ( /* Packet filtering */ c( c( "input" ( /* Filter to be applied to received packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "input-list" arg /* List of filter modules applied to received packets */ ), c( "output" ( /* Filter to be applied to transmitted packets */ sc( arg /* Name of the filter */, "shared-name" arg /* Filter shared-name of instances of interface-shared filter */, "precedence" arg /* Precedence of the filter */ ) ).as(:oneline), "output-list" arg /* List of filter modules applied to transmitted packets */ ), "adf" ( /* Ascend Data Filter definition */ c( "rule" arg /* Set of ADF rules */, "counter" /* Add a counter to each rule */, "input-precedence" arg /* Precedence of the input rules */, "not-mandatory" /* No errors will be reported if no rules are present */, "output-precedence" arg /* Precedence of the output rules */ ) ), "group" arg /* Group to which interface belongs */ ) ), "ingress-queuing-filter" /* Protocol family ingress-queuing-filter */.as(:oneline), "iq-policing-filter" /* Protocol family ingress-queuing-policing-filter */.as(:oneline), "policer" ( /* Interface policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ), "sampling" /* Interface sampling */ ) ), "bridge" /* Layer-2 bridging parameters */, "ethernet-switching" ( /* Ethernet switching parameters */ ethernet_switching_type /* Ethernet switching parameters */ ), "fibre-channel" ( /* Fibre channel switching parameters */ fibre_channel_type /* Fibre channel switching parameters */ ), "pppoe" ( /* PPP over Ethernet underlying interface-specific options */ pppoe_underlying_options_type /* PPP over Ethernet underlying interface-specific options */ ), "any" ( /* Parameters for 'any' family */ c( "filter" ( /* Layer 2 packet filtering */ c( "input" arg /* Name of filter applied to received packets */, "group" arg /* Group to which interface belongs */ ) ) ) ), "llc2" /* Enable Logical Link Control Type 2 */ ) ), "service-domain" ( /* Service domain to which interface belongs */ ("inside" | "outside") ), "copy-tos-to-outer-ip-header" /* Copy IP payload header's ToS field to GRE delivery header */, "copy-tos-to-outer-ip-header-transit" /* Copy IP ToS field to GRE header for transit packets */, "load-balancing-options" ( /* AMS subunit load balancing options */ c( "preferred-active" ( /* Preferred active Interface name */ interface_device /* Preferred active Interface name */ ), "disable-hash" /* Hash based distribution is not needed for this subunit */, "hash-keys" ( c( "ingress-key" ( /* Hash Key for the ingress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "iif")) ), "egress-key" ( /* Hash Key for the egress direction */ enum(("source-ip" | "destination-ip" | "protocol" | "oif")) ), "ipv6-source-prefix-length" ( /* IPv6 source prefix length for hash computation */ ("56" | "64" | "96" | "128") ) ) ) ) ), "mac" ( /* Configure logical interface MAC address */ mac_unicast /* Configure logical interface MAC address */ ), "virtual-gateway-v4-mac" ( /* Configure virtual gateway IPV4 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV4 virtual MAC address */ ), "virtual-gateway-v6-mac" ( /* Configure virtual gateway IPV6 virtual MAC address */ mac_unicast /* Configure virtual gateway IPV6 virtual MAC address */ ), "forwarding-options" /* Aggregated Ethernet interface forwarding-options */, "etree-ac-role" ( /* ETREE attachment circuit role */ ("root" | "leaf") ), "dialer-options" ( /* Dialer options */ c( "pool" arg /* Dialer pool */, "dial-string" arg /* String to dial out */, "incoming-map" ( /* Map incoming call to dialer */ c( c( "caller" arg /* Caller Id to be screened */.as(:oneline), "accept-all" /* Accept all incoming calls */ ) ) ), "callback" /* Call back on any incoming call to the dialer */, "callback-wait-period" arg /* Time to wait before calling back */, "redial-delay" arg /* Time to wait before redialing */, "idle-timeout" arg /* Delay before taking down the interface */, "watch-list" arg /* Dialer watch list */, "load-threshold" arg /* Load threshold for adding interfaces */, "load-interval" arg /* Interval used to calculate average load */, "activation-delay" arg /* Activation delay */, "deactivation-delay" arg /* Deactivation delay */, "initial-route-check" arg /* Delay to check primary after the router is up */, "always-on" /* Always keep on-line */ ) ), "backup-options" ( /* Backup interface configuration options */ c( "interface" ( /* Backup interface */ interface_name /* Backup interface */ ) ) ), "dynamic-call-admission-control" /* Dynamic call admission control configuration */ ) ) ) ) end rule(:lsp_set_match_type) do c( "lsp-name" arg /* LSP name that matches this string */, "lsp-regex" arg /* All LSPs that match this regular expression pattern */, "p2mp-name" arg /* P2MP names that match this string */, "p2mp-regex" arg /* P2MP names that match this regular expression pattern */, c( "egress" /* All LSPs for which this router is egress */, "ingress" /* All LSPs for which this router is ingress */, "transit" /* All LSPs for which this router is transit */ ) ) end rule(:lsp_nh_obj) do arg.as(:arg) ( c( "preference" arg /* Preference of LSP next hop */, "metric" arg /* Metric of LSP next hop */ ) ) end rule(:mac_addr_list_items) do arg.as(:arg) end rule(:mac_list) do arg.as(:arg) ( c( "policer" ( /* MAC policing */ c( "input" arg /* Name of policer applied to received packets */, "output" arg /* Name of policer applied to transmitted packets */ ) ) ) ) end rule(:martian_type) do s( arg, c( "exact" arg /* Exactly match the prefix length */, "longer" arg /* Mask is greater than the prefix length */, "orlonger" arg /* Mask is greater than or equal to the prefix length */, "upto" arg /* Mask falls between two prefix lengths */, "through" arg /* Route falls between two prefixes */, "prefix-length-range" arg /* Mask falls between two prefix lengths */ ), c( "allow" ) ).as(:oneline) end rule(:match_l2_flexible_mask) do c( "match-start" ( /* Start point to match in packet */ ("layer-2" | "layer-3" | "layer-4" | "payload") ), "byte-offset" arg /* Byte offset after the match start point */, "bit-offset" arg /* Bit offset after the (match-start + byte) offset */, "bit-length" arg /* Length of the data to be matched in bits, not needed for string input */, "mask-in-hex" arg /* Mask out bits in the packet data to be matched */, "prefix" arg /* Value data/string to be matched */, "flexible-mask-name" arg /* Select a flexible match from predefined template field */ ) end rule(:match_l2_flexible_range) do c( "match-start" ( /* Start point to match in packet */ ("layer-2" | "layer-3" | "layer-4" | "payload") ), "byte-offset" arg /* Byte offset after the match start point */, "bit-offset" arg /* Bit offset after the (match-start + byte) offset */, "bit-length" arg /* Length of the data to be matched in bits */, c( "range" arg /* Range of values to be matched */, "range-except" arg /* Range of values to be not matched */ ), "flexible-range-name" arg /* Select a flexible match from predefined template field */ ) end rule(:match_l3_flexible_mask) do c( "match-start" ( /* Start point to match in packet */ ("layer-3" | "layer-4" | "payload") ), "byte-offset" arg /* Byte offset after the match start point */, "bit-offset" arg /* Bit offset after the (match-start + byte) offset */, "bit-length" arg /* Length of the data to be matched in bits, not needed for string input */, "mask-in-hex" arg /* Mask out bits in the packet data to be matched */, "prefix" arg /* Value data/string to be matched */, "flexible-mask-name" arg /* Select a flexible match from predefined template field */ ) end rule(:match_l3_flexible_range) do c( "match-start" ( /* Start point to match in packet */ ("layer-3" | "layer-4" | "payload") ), "byte-offset" arg /* Byte offset after the match start point */, "bit-offset" arg /* Bit offset after the (match-start + byte) offset */, "bit-length" arg /* Length of the data to be matched in bits */, c( "range" arg /* Range of values to be matched */, "range-except" arg /* Range of values to be not matched */ ), "flexible-range-name" arg /* Select a flexible match from predefined template field */ ) end rule(:match_interface_object) do arg.as(:arg).as(:oneline) end rule(:match_interface_object_oam) do arg.as(:arg).as(:oneline) end rule(:match_interface_set_object) do arg.as(:arg).as(:oneline) end rule(:match_simple_dscp_value) do c( c( "af11" /* Assured forwarding class 1, low drop precedence */, "af12" /* Assured forwarding class 1, medium drop precedence */, "af13" /* Assured forwarding class 1, high drop precedence */, "af21" /* Assured forwarding class 2, low drop precedence */, "af22" /* Assured forwarding class 2, medium drop precedence */, "af23" /* Assured forwarding class 2, high drop precedence */, "af31" /* Assured forwarding class 3, low drop precedence */, "af32" /* Assured forwarding class 3, medium drop precedence */, "af33" /* Assured forwarding class 3, high drop precedence */, "af41" /* Assured forwarding class 4, low drop precedence */, "af42" /* Assured forwarding class 4, medium drop precedence */, "af43" /* Assured forwarding class 4, high drop precedence */, "ef" /* Expedited forwarding */, "cs0" /* Class selector 0 */, "cs1" /* Class selector 1 */, "cs2" /* Class selector 2 */, "cs3" /* Class selector 3 */, "cs4" /* Class selector 4 */, "cs5" /* Class selector 5 */, "cs6" /* Class selector 6 */, "cs7" /* Class selector 7 */, "be" /* Best effort (default) */, arg /* Range of values */ ) ) end rule(:match_simple_payload_protocol_value) do c( c( "icmp" /* Internet Control Message Protocol */, "igmp" /* Internet Group Management Protocol */, "ipip" /* IP in IP */, "tcp" /* Transmission Control Protocol */, "egp" /* Exterior gateway protocol */, "udp" /* User Datagram Protocol */, "rsvp" /* Resource Reservation Protocol */, "gre" /* Generic routing encapsulation */, "esp" /* IPSec Encapsulating Security Payload */, "ah" /* IP Security authentication header */, "icmp6" /* Internet Control Message Protocol Version 6 */, "ospf" /* Open Shortest Path First */, "pim" /* Protocol Independent Multicast */, "sctp" /* Stream Control Transmission Protocol */, "ipv6" /* IPv6 in IP */, "no-next-header" /* IPv6 no next header */, "vrrp" /* Virtual Router Redundancy Protocol */, arg /* Range of values */ ) ) end rule(:match_simple_port_value) do c( c( "ftp-data" /* FTP data */, "ftp" /* FTP */, "ssh" /* Secure shell */, "telnet" /* Telnet */, "smtp" /* Simple Mail Transfer Protocol */, "tacacs" /* TACACS or TACACS+ */, "tacacs-ds" /* TACACS-DS */, "domain" /* Domain Name System (DNS) */, "dhcp" /* Dynamic Host Configuration Protocol */, "bootps" /* Bootstrap protocol server */, "bootpc" /* Bootstrap protocol client */, "tftp" /* Trivial FTP */, "finger" /* Finger */, "http" /* Hypertext Transfer Protocol */, "kerberos-sec" /* Kerberos Security */, "pop3" /* Post Office Protocol 3 */, "sunrpc" /* Sun Microsystems remote procedure call */, "ident" /* Ident */, "nntp" /* Network News Transport Protocol */, "ntp" /* Network Time Protocol */, "netbios-ns" /* NetBIOS name service */, "netbios-dgm" /* NetBIOS DGM */, "netbios-ssn" /* NetBIOS session service */, "imap" /* Internet Message Access Protocol */, "snmp" /* Simple Network Management Protocol */, "snmptrap" /* SNMP traps */, "xdmcp" /* X Display Manager Control Protocol */, "bgp" /* Border Gateway Protocol */, "ldap" /* Lightweight Directory Access Protocol */, "mobileip-agent" /* Mobile IP agent */, "mobilip-mn" /* Mobile IP MN */, "msdp" /* Multicast Source Discovery Protocol */, "https" /* Secure HTTP */, "snpp" /* Simple paging protocol */, "biff" /* Biff/Comsat */, "exec" /* UNIX rexec */, "login" /* UNIX rlogin */, "who" /* UNIX rwho */, "cmd" /* UNIX rsh */, "syslog" /* System log */, "printer" /* Printer */, "talk" /* UNIX Talk */, "ntalk" /* New Talk */, "rip" /* Routing Information Protocol */, "timed" /* UNIX time daemon */, "klogin" /* Kerberos rlogin */, "kshell" /* Kerberos rsh */, "ldp" /* Label Distribution Protocol */, "krb-prop" /* Kerberos database propagation */, "krbupdate" /* Kerberos database update */, "kpasswd" /* Kerberos passwd */, "socks" /* Socks */, "afs" /* AFS */, "pptp" /* Point-to-Point Tunneling Protocol */, "radius" /* RADIUS authentication */, "radacct" /* RADIUS accounting */, "zephyr-srv" /* Zephyr server */, "zephyr-clt" /* Zephyr serv-hm connection */, "zephyr-hm" /* Zephyr hostmanager */, "nfsd" /* Network File System */, "eklogin" /* Encrypted Kerberos rlogin */, "ekshell" /* Encrypted Kerberos rsh */, "rkinit" /* Kerberos remote kinit */, "cvspserver" /* CVS pserver */, arg /* Range of values */ ) ) end rule(:match_simple_protocol_value) do c( c( "icmp" /* Internet Control Message Protocol */, "igmp" /* Internet Group Management Protocol */, "ipip" /* IP in IP */, "tcp" /* Transmission Control Protocol */, "egp" /* Exterior gateway protocol */, "udp" /* User Datagram Protocol */, "rsvp" /* Resource Reservation Protocol */, "gre" /* Generic routing encapsulation */, "esp" /* IPSec Encapsulating Security Payload */, "ah" /* IP Security authentication header */, "icmp6" /* Internet Control Message Protocol Version 6 */, "ospf" /* Open Shortest Path First */, "pim" /* Protocol Independent Multicast */, "sctp" /* Stream Control Transmission Protocol */, "dstopts" /* IPv6 destination options */, "routing" /* IPv6 routing header */, "fragment" /* IPv6 fragment header */, "hop-by-hop" /* IPv6 hop by hop options */, "ipv6" /* IPv6 in IP */, "no-next-header" /* IPv6 no next header */, "vrrp" /* Virtual Router Redundancy Protocol */, arg /* Range of values */ ) ) end rule(:metric_expression_type) do c( "metric" ( /* Parameters for metric attribute */ sc( "multiplier" ( /* Coefficient for metric attribute */ float /* Coefficient for metric attribute */ ), "offset" arg /* Offset for metric attribute */ ) ).as(:oneline), "metric2" ( /* Parameters for metric2 attribute */ sc( "multiplier" ( /* Coefficient for metric2 attribute */ float /* Coefficient for metric2 attribute */ ), "offset" arg /* Offset for metric2 attribute */ ) ).as(:oneline) ) end rule(:mib_variable_name_object) do arg.as(:arg).as(:oneline) end rule(:mime_list_type) do arg.as(:arg) ( c( "value" arg /* Configure MIME value */ ) ) end rule(:mirror_filter_type) do arg.as(:arg) ( c( "protocol" ( /* Match IP protocol type */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "source-prefix" ( /* Source IP address prefix */ ipprefix /* Source IP address prefix */ ), "destination-prefix" ( /* Destination IP address prefix */ ipprefix /* Destination IP address prefix */ ), "source-port" ( /* Match TCP/UDP source port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port" ( /* Match TCP/UDP destination port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "interface-in" ( /* Incoming Logical interface */ interface_name /* Incoming Logical interface */ ), "interface-out" ( /* Outgoing Logical interface */ interface_name /* Outgoing Logical interface */ ), "output" ( /* Configure output interface and MAC address */ c( "interface" ( /* Outgoing Logical interface */ interface_name /* Outgoing Logical interface */ ), "destination-mac" arg /* MAC address to match */ ) ) ) ) end rule(:monitor_threshold) do c( arg, arg ).as(:oneline) end rule(:monitoring_input_type) do c( "interface" arg ) end rule(:monitoring_output_type) do c( "export-format" ( /* Format for sending monitoring information */ ("cflowd-version-5") ), "destination-address" ( /* Address to which monitored packets will be sent */ ipv4addr /* Address to which monitored packets will be sent */ ), "destination-port" arg /* Port to which monitored packets will be sent */, "source-address" ( /* Address to use for generating monitored packets */ ipv4addr /* Address to use for generating monitored packets */ ), "flow-active-timeout" arg /* Interval after which an active flow is exported */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-export-destination" ( /* Destination for flow export */ ("collector-pic" | "cflowd-collector") ), "cflowd" ( /* Collector destination where flow records are sent */ cflowd_monitoring_type /* Collector destination where flow records are sent */ ), "interface" ( /* Interfaces used to send monitored information */ monitor_export_intf_type /* Interfaces used to send monitored information */ ) ) end rule(:cflowd_monitoring_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */ ) ) end rule(:monitor_export_intf_type) do arg.as(:arg) ( c( "engine-id" arg /* Identity (number) of this monitoring interface */, "engine-type" arg /* Type (number) of this monitoring interface */, "input-interface-index" arg /* Input interface index for records from this interface */, "output-interface-index" arg /* Output interface index for records from this interface */, "source-address" ( /* Address to use for generating monitored packets */ ipv4addr /* Address to use for generating monitored packets */ ) ) ) end rule(:mpls_dialer_filter) do arg.as(:arg) ( c( "accounting-profile" arg /* Accounting profile name */, "term" arg ( /* Define a firewall term */ c( "from" ( /* Define match criteria */ c( c( "exp" arg, "exp-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( "log" /* Log the packet */, "syslog" /* System log (syslog) information about the packet */, "sample" /* Sample the packet */, c( "note" /* Interested ISDN packet */, "ignore" /* Non-interested ISDN packet */ ) ) ) ) ) ) ) end rule(:mpls_filter) do arg.as(:arg) ( c( "accounting-profile" arg /* Accounting profile name */, "interface-specific" /* Defined counters are interface specific */, "physical-interface-filter" /* Filter is physical interface filter */, "instance-shared" /* Filter is routing-instance shared */, "term" arg ( /* Define a firewall term */ c( "filter" arg /* Filter to include */, "from" ( /* Define match criteria */ c( c( "interface-group" arg, "interface-group-except" arg ), "ip-version" /* Specify inner IP version */, "label" /* MPLS label bits */, c( "exp" arg, "exp-except" arg ), "interface" ( /* Match interface name */ match_interface_object /* Match interface name */ ), "interface-set" ( /* Match interface in set */ match_interface_set_object /* Match interface in set */ ), c( "forwarding-class" arg, "forwarding-class-except" arg ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), c( "flexible-match-mask" ( /* Match flexible mask */ match_mpls_flexible_mask /* Match flexible mask */ ) ), c( "flexible-match-range" ( /* Match flexible range */ match_mpls_flexible_range /* Match flexible range */ ) ), c( "policy-map" arg, "policy-map-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "single-packet-rate" arg /* Name of single-packet-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */, "two-packet-rate" arg /* Name of two-packet-rate three-color policer to use to rate-limit traffic */ ) ) ), "hierarchical-policer" arg /* Name of hierarchical policer to use to rate-limit traffic */ ), c( "clear-policy-map" /* Clear the policy marking */, "policy-map" arg /* Policy map action */ ), c( "traffic-class-count" arg /* Count the packet in the named traffic-class counter */, "count" arg /* Count the packet in the named counter */ ), "sample" /* Sample the packet */, "loss-priority" ( /* Classify packet to loss-priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "packet-mode" /* Bypass flow mode for the packet */, c( "encapsulate" /* Send to a tunnel */.as(:oneline), "accept" /* Accept the packet */, "discard" /* Discard the packet */, "next" ( /* Continue to next term in a filter */ ("term") ) ) ) ), "template" /* Refer a template */ ) ) ) ) end rule(:match_mpls_flexible_mask) do c( "match-start" ( /* Start point to match in packet */ ("layer-3" | "payload") ), "byte-offset" arg /* Byte offset after the match start point */, "bit-offset" arg /* Bit offset after the (match-start + byte) offset */, "bit-length" arg /* Length of the data to be matched in bits, not needed for string input */, "mask-in-hex" arg /* Mask out bits in the packet data to be matched */, "prefix" arg /* Value data/string to be matched */, "flexible-mask-name" arg /* Select a flexible match from predefined template field */ ) end rule(:match_mpls_flexible_range) do c( "match-start" ( /* Start point to match in packet */ ("layer-3" | "payload") ), "byte-offset" arg /* Byte offset after the match start point */, "bit-offset" arg /* Bit offset after the (match-start + byte) offset */, "bit-length" arg /* Length of the data to be matched in bits */, c( "range" arg /* Range of values to be matched */, "range-except" arg /* Range of values to be not matched */ ), "flexible-range-name" arg /* Select a flexible match from predefined template field */ ) end rule(:mpls_ifd_options) do c( "pop-all-labels" ( /* Pop all MPLS labels off incoming packets */ c( "required-depth" ( /* Required label depth of packet to pop all labels */ ("all" | "1" | "2") ) ) ) ) end rule(:mpls_pm_family_output_type) do c( "server-profile" arg /* Server profile name */ ) end rule(:mpls_template) do arg.as(:arg) ( c( "attributes" ( /* Template attributes */ c( "exp" /* Match MPLS EXP bits */, "exp-except" /* Do not match MPLS EXP bits */, "flexible-match-mask" /* Match flexible mask */, "flexible-match-range" /* Match flexible range */, "forwarding-class" /* Match forwarding class */, "forwarding-class-except" /* Do not match forwarding class */, "interface" /* Match interface name */, "interface-group" /* Match interface group */, "interface-set" /* Match interface in set */, "loss-priority" /* Match Loss Priority */, "loss-priority-except" /* Do not match Loss Priority */, "label" /* MPLS label bits */ ) ) ) ) end rule(:mrp_trace_options) do c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("events" | "pdu" | "timers" | "state-machine" | "socket" | "error" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) end rule(:mstp_interface) do (arg | "all").as(:arg) ( c( "priority" arg /* Interface priority (in increments of 16 - 0,16,..240) */, "cost" arg /* Cost of the interface */, "mode" ( /* Interface mode (P2P or shared) */ ("point-to-point" | "shared") ), "edge" /* Port is an edge port */, "access-trunk" /* Send/Receive untagged RSTP BPDUs on this interface */, "bpdu-timeout-action" ( /* Define action on BPDU expiry (Loop Protect) */ c( "block" /* Block the interface */, "alarm" /* Generate an alarm */ ) ), "no-root-port" /* Do not allow the interface to become root (Root Protect) */, "disable" /* Disable Spanning Tree on port */ ) ) end rule(:multi_chassis_protection_group) do arg.as(:arg) ( c( "interface" arg /* Inter-Chassis protection link */ ) ) end rule(:multi_chassis_protection_group_ifl) do arg.as(:arg) ( c( "interface" arg /* Inter-Chassis protection link */ ) ) end rule(:multicast_interface_options_type) do arg.as(:arg) ( c( "maximum-bandwidth" ( /* Maximum multicast bandwidth for the interface */ sc( arg /* Maximum multicast bandwidth on the interface */ ) ).as(:oneline), ("enable" | "disable"), "reverse-oif-mapping" ( /* Enable reverse OIF mapping on the multicast interface */ c( "no-qos-adjust" /* Disable reverse OIF mapping QoS adjustment */ ) ), "subscriber-leave-timer" arg /* Timeout in seconds to credit back the bandwidth on the subscriber interface */, "no-qos-adjust" /* Disable QoS adjustment for this interface */ ) ) end rule(:named_address_book_type) do ("global" | arg).as(:arg) ( c( "description" arg /* Text description of address book */, "address" ( /* Define a security address */ address_type /* Define a security address */ ), "address-set" ( /* Define a security address set */ address_set_type /* Define a security address set */ ), "attach" ( /* Attach this address book to interface, zone or routing-instance */ c( "zone" arg /* Define a zone to be attached */ ) ) ) ) end rule(:address_set_type) do arg.as(:arg) ( c( "description" arg /* Text description of address set */, "address" arg /* Address to be included in this set */, "address-set" arg /* Define an address-set name */ ) ) end rule(:address_type) do arg.as(:arg) ( c( "description" arg /* Text description of address */, c( "dns-name" ( /* DNS address name */ dns_name_type /* DNS address name */ ), "wildcard-address" ( /* Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask */ wildcard_address_type /* Numeric IPv4 wildcard address with in the form of a.d.d.r/netmask */ ), "range-address" ( /* Address range */ range_address_type /* Address range */ ), ipprefix /* Numeric IPv4 or IPv6 address with prefix */ ) ) ) end rule(:dns_name_type) do arg.as(:arg) ( c( "ipv4-only" /* IPv4 dns address */, "ipv6-only" /* IPv6 dns address */ ) ) end rule(:nameserver_object) do arg.as(:arg) ( c( "routing-instance" arg /* Routing instance through which server is reachable */, "source-address" ( /* Source address for requests to this DNS server */ ipaddr /* Source address for requests to this DNS server */ ) ) ).as(:oneline) end rule(:nasreq_definition) do c( "partition" /* NASREQ partition definition */, "timeout" arg /* Time period that a NASREQ request waits on the transmit queue before failing */, "request-retry" arg /* Number of times to retry NASREQ request when DIAMETER fails with timeout. */, "max-outstanding-requests" arg /* Number of unanswered NASREQ requests sent to server */ ) end rule(:nat_object) do c( "source" ( /* Configure Source NAT */ ssg_source_nat_object /* Configure Source NAT */ ), "destination" ( /* Configure Destination NAT */ ssg_destination_nat_object /* Configure Destination NAT */ ), "static" ( /* Configure Static NAT */ ssg_static_nat_object /* Configure Static NAT */ ), "proxy-arp" ( /* Configure Proxy ARP */ ssg_proxy_arp_object /* Configure Proxy ARP */ ), "proxy-ndp" ( /* Configure Proxy NDP */ ssg_proxy_ndp_object /* Configure Proxy NDP */ ), "natv6v4" ( /* Configure NAT between IPv6 and IPv4 options */ c( "no-v6-frag-header" /* V6 packet does not always add fragment header when performing nat translation from v4 side to v6 side */ ) ), "allow-overlapping-pools" /* IP addresses of NAT pools can overlap with other pool */, "traceoptions" ( /* NAT trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "routing-socket" | "routing-protocol" | "all" | "source-nat-re" | "source-nat-rt" | "source-nat-pfe" | "destination-nat-re" | "destination-nat-rt" | "destination-nat-pfe" | "static-nat-re" | "static-nat-rt" | "static-nat-pfe" | "nat-svc-set-re")) ( /* Tracing parameters */ sc( "syslog" /* Write NAT flow traces to system log also */ ) ).as(:oneline) ) ), "pool" ( /* Define a NAT pool */ nat_pool_object /* Define a NAT pool */ ), "ipv6-multicast-interfaces" /* Enable IPv6 multicast filter for IPv6 NAT */, "allow-overlapping-nat-pools" /* Allow usage of overlapping and same nat pools in multiple service sets */, "rule" ( /* Define a NAT rule */ nat_rule_object /* Define a NAT rule */ ), "port-forwarding" ( /* Define a port-forwarding pool */ pf_mapping /* Define a port-forwarding pool */ ), "rule-set" /* Defines a set of NAT rules */ ) end rule(:nat_pool_object) do arg.as(:arg) ( c( "pgcp" /* NAT pool should be used exclusive by the pgcp service */, "address" arg /* Address or address prefix for NAT */, "interface" /* Interface for nat pool */.as(:oneline), "address-overload" /* Nat pool address overload with JunOS */, "address-range" ( /* Range of addresses for NAT */ s( "low" arg /* Lower limit of address range */, "high" arg /* Upper limit of address range */ ) ).as(:oneline), "port" ( /* Specify ports for NAT */ c( c( "automatic" ( c( c( "auto" /* Automatically choose ports */, "sequential" /* Allocate ports in sequence */, "random-allocation" /* Allocate ports randomly */ ) ) ), "range" ( /* Range of ports */ sc( "low" arg /* Lower limit of port range */, "high" arg /* Upper limit of port range */, "random-allocation" /* Allocate ports randomly */ ) ).as(:oneline) ), c( "secured-port-block-allocation" ( /* Secured Port block allocation */ sc( "block-size" arg /* Number of port per block. */, "max-blocks-per-address" arg /* Max block per address */, "active-block-timeout" arg /* Active block timeout */ ) ).as(:oneline), "deterministic-port-block-allocation" ( /* Deterministic Port Block Allocation */ sc( "block-size" arg /* Number of ports per block */, "include-boundary-addresses" /* Include network and broadcast in 'from' src-addresses */ ) ).as(:oneline) ), "preserve-parity" /* Allocate port with same parity as original port */, "preserve-range" /* Preserve privileged port range after NAT */ ) ), "address-allocation" ( /* Address allocation method for NAPT */ c( "round-robin" /* Round robin method of allocation */ ) ), "mapping-timeout" arg /* Address-pooling paired and endpoint-independent mapping timeout (120..86400) */, "flow-timeout" arg /* Default flow timeout for NAT flows */, "ei-mapping-timeout" arg /* Endpoint-independent mapping timeout (120..86400) */, "app-mapping-timeout" arg /* Address-pooling paired mapping timeout (120..86400) */, "limit-ports-per-address" arg /* Limit number of ports allocated per host (IP address) */, "snmp-trap-thresholds" ( /* Define snmp traps for service sets */ c( "address-port" ( /* Nat pool address and port usage trap threshold range */ sc( "low" arg /* Lower limit of pool trap threshold */, "high" arg /* Upper limit of pool trap threshold */ ) ).as(:oneline) ) ) ) ) end rule(:nat_rule_object) do arg.as(:arg) ( c( "match-direction" ( /* Direction for which the rule match is applied */ ("input" | "output" | "input-output") ), "term" arg ( /* Define a NAT term */ c( "nat-type" arg /* NAT type (symmetric/full-cone) */, "from" ( /* Define match criteria */ sfw_match_object /* Define match criteria */ ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "no-translation" /* Do not perform translation */ ), c( "port-forwarding-mappings" arg /* Port forwarding mappings */ ), "translated" ( /* Define translation parameters */ c( c( "source-pool" arg /* NAT pool for source translation */, "source-prefix" ( /* NAT prefix for source translation */ ipprefix_only /* NAT prefix for source translation */ ) ), "clat-prefix" ( /* Clat-prefix to be used for 464 translation type */ ipprefix_only /* Clat-prefix to be used for 464 translation type */ ), c( "destination-pool" arg /* NAT pool for destination translation */, "destination-prefix" ( /* NAT prefix for destination translation */ ipprefix_only /* NAT prefix for destination translation */ ) ), c( "dns-alg-pool" arg /* NAT pool for dns alg mappings */, "dns-alg-prefix" ( /* DNS ALG 96 bit prefix for mapping IPv4 addresses to IPv6 addresses */ ipprefix_only /* DNS ALG 96 bit prefix for mapping IPv4 addresses to IPv6 addresses */ ) ), c( "use-dns-map-for-destination-translation" /* Use dns alg address map for destination translation */ ), c( "overload-pool" arg /* NAT pool to be used when source pool is overloaded */, "overload-prefix" ( /* NAT prefix to be used when source pool is overloaded */ ipprefix_only /* NAT prefix to be used when source pool is overloaded */ ) ), "translation-type" ( /* Type of translation to perform */ c( "source" ( /* Type of source translation */ ("static" | "dynamic") ), "destination" ( /* Type of destination translation */ ("static") ), "basic-nat44" /* Static source address (IPv4 to IPv4) translation */, "dynamic-nat44" /* Dynamic source address only (IPv4 to IPv4) translation */, "napt-44" /* Source address (IPv4 to IPv4) and port translation */, "dnat-44" /* Static Destination address (IPv4 to IPv4) translation */, "stateful-nat64" /* Dynamic source address (IPv6 to IPv4) and prefix removal for destination address (IPv6 to IPv4)translation */, "stateful-nat464" /* Prefix removal for Src and Dest address (IPv6 to IPv4) translation */, "basic-nat-pt" /* NAT-PT (static source address (IPv6 to IPv4) and prefix removal for destination address (IPv6 to IPv4) translation) */, "napt-pt" /* NAT-PT (source address (IPv6 to IPv4) and source port and prefix removal for destination address (IPv6 to IPv4) translation) */, "basic-nat66" /* Static source address (IPv6 to IPv6) translation [same as basic-nat44 but for IPv6 address family] */, "nptv6" /* Stateless source address (IPv6 to IPv6) translation */, "napt-66" /* Source address (IPv6 to IPv6) and port translation [same as napt-44 but for IPv6 address family] */, "twice-napt-44" /* Source NAPT and destination static translation for IPv4 address family */, "twice-basic-nat-44" /* Source static and destination static translation for IPv4 address family */, "twice-dynamic-nat-44" /* Source dynamic and destination static translation for IPv4 address family */, "deterministic-napt44" /* Deterministic source NAPT for IPv4 family */, "deterministic-napt64" /* Deterministic source NAPT for IPv6 family */ ) ), "mapping-type" ( /* Source NAT mapping type */ ("endpoint-independent") ), "flow-type" arg /* Source NAT flow type */, "ignore-dst-nat-1to1-limitation" /* Ignore destination NAT 1:1 limitation */, "secure-nat-mapping" ( /* Mapping options for enhanced security */ c( "eif-flow-limit" arg /* Number of inbound flows to be allowed for a EIF mapping */, "mapping-refresh" ( /* Enable timer refresh option */ ("inbound" | "outbound" | "inbound-outbound") ), "flow-refresh" arg /* Enable timer refresh option */ ) ), "filtering-type" ( /* Source NAT filtering type */ c( "endpoint-independent" ( /* Endpoint independent filtering */ c( "prefix-list" arg ( /* One or more named lists of source prefixes to match */ sc( "except" /* Name of prefix list not to match against */ ) ).as(:oneline) ) ) ) ), "address-pooling" ( /* Address pooling behavior for source NAT */ ("paired") ) ) ), "syslog" /* System log information about the packet */ ) ) ) ) ) ) end rule(:next_hop_group_intf_type) do arg.as(:arg) ( c( "next-hop" ( /* Address of next hop through which to send sampled traffic */ next_hop_type /* Address of next hop through which to send sampled traffic */ ) ) ) end rule(:next_hop_subgroup_intf_type) do arg.as(:arg) ( c( "next-hop" ( /* Address of next hop through which to send sampled traffic */ next_hop_type /* Address of next hop through which to send sampled traffic */ ) ) ) end rule(:next_hop_type) do arg.as(:arg) end rule(:ocs_definition) do c( "partition" arg ( /* OCS partition configuration */ c( "alternative-partition-name" arg /* Alternative diameter partition */, "called-station-id" arg /* OCS called station id */, "backup" /* OCS Backup feature */, "charging-id" arg /* OCS charging id */, "destination-realm" arg /* OCS destination realm */, "destination-host" arg /* OCS destination host */, "diameter-instance" arg /* OCS diameter instance */, "draining" /* Set this PCRF partiton to draining state */, "draining-response-timeout" arg /* Final response timeout in draining mode */, "force-continue" /* Expect/force 'continue' as cc-failure-handling value */, "ggsn-address" ( /* Value of ggsn-address avp reported to ocs */ ipaddr /* Value of ggsn-address avp reported to ocs */ ), "ggsn-mcc-mnc" arg /* Value of 3gpp-ggsn-mcc-mnc avp reported to ocs */, "final-response-timeout" arg /* Final response timeout */, "max-outstanding-requests" arg /* Maximum number of outstanding requests */, "send-origin-state-id" /* Include origin-state-id avp */, "sftp-backup" /* Add sftp-backup options */, "user-name-include" ( /* Add user-name options */ c( "delimiter" arg /* Change delimiter/separator character */, "domain-name" arg /* Domain name */, "interface-name" /* Include interface-name */, "base-interface-name" /* Include base-interface-name */, "mac-address" /* Include MAC address */, "nas-port-id" /* Include nas-port-id */, "origin-host" /* Include origin-host */, "origin-realm" /* Include origin-host */, "user-prefix" arg /* Add user defined prefix */, "user-name" /* Include user-name */ ) ) ) ), "global" ( /* OCS global parameters */ c( "service-context-id" arg /* Service context-id for OCS */ ) ) ) end rule(:otn_options_type) do c( "laser-enable" /* Enable Laser */, "no-laser-enable" /* Don't enable Laser */, "is-ma" /* Link is enabled with alarms masked */, "no-is-ma" /* Don't link is enabled with alarms masked */, "line-loopback" /* Enable line loopback */, "no-line-loopback" /* Don't enable line loopback */, "local-loopback" /* Enable local host loopback */, "no-local-loopback" /* Don't enable local host loopback */, "prbs" /* Enable otn payload prbs */, "no-prbs" /* Don't enable otn payload prbs */, "odu-ttim-action-enable" /* Enable consequent action for ODU TTIM */, "no-odu-ttim-action-enable" /* Don't enable consequent action for ODU TTIM */, "otu-ttim-action-enable" /* Enable consequent action for OTU TTIM */, "no-otu-ttim-action-enable" /* Don't enable consequent action for OTU TTIM */, "transport-monitoring" /* Enable transport monitoring */, "no-transport-monitoring" /* Don't enable transport monitoring */, "odu-delay-management" ( /* Set odu delay management */ c( "monitor-end-point" /* Originate connection monitor end point */, "no-monitor-end-point" /* Don't originate connection monitor end point */, "start-measurement" /* Enable to start a dm measurement */, "no-start-measurement" /* Don't enable to start a dm measurement */, "bypass" /* Act as tandem passing dm value through node */, "no-bypass" /* Don't act as tandem passing dm value through node */, "number-of-frames" arg /* Number of consequent frames to declare dm done */, "remote-loop-enable" /* Enable remote DM loop on remote end */, "no-remote-loop-enable" /* Don't enable remote DM loop on remote end */ ) ), "signal-degrade" ( /* Signal degrade thresholds */ c( "interval" arg /* Time interval */, "ber-threshold-clear" arg /* Ber threshold for signal degrade clear (format: xe-n, example: 4.5e-3) */, "ber-threshold-signal-degrade" arg /* Ber threshold for signal-degrade (format: xe-n, example: 4.5e-3) */, "q-threshold-signal-degrade-clear" arg /* Q threshold for signal-degrade clear (e.g. 14.26) */, "q-threshold-signal-degrade" arg /* Q threshold for signal-degrade (e.g. 9.26) */ ) ), "odu-signal-degrade" ( /* Signal degrade thresholds for ODU */ c( "interval" arg /* Time interval */, "ber-threshold-clear" arg /* Ber th for sd clear (format: xe-n, example: 4.5e-3) */, "ber-threshold-signal-degrade" arg /* Ber th for sd (format: xe-n, example: 4.5e-3) */ ) ), "preemptive-fast-reroute" ( /* Preemptive fast reroute */ c( "odu-signal-degrade-monitor-enable" /* Enable ODU signal degrade monitoring */, "no-odu-signal-degrade-monitor-enable" /* Don't enable ODU signal degrade monitoring */, "odu-backward-frr-enable" /* Enable ODU backward frr insertion */, "no-odu-backward-frr-enable" /* Don't enable ODU backward frr insertion */, "signal-degrade-monitor-enable" /* Enable signal degrade monitoring */, "no-signal-degrade-monitor-enable" /* Don't enable signal degrade monitoring */, "backward-frr-enable" /* Enable backward frr insertion */, "no-backward-frr-enable" /* Don't enable backward frr insertion */ ) ), "fec" ( /* Forward Error Correction mode */ ("none" | "gfec" | "efec" | "gfec-sdfec" | "ufec" | "sdfec" | "hgfec" | "sdfec15") ), "insert-odu-oci" /* Force odu open connection indication */, "no-insert-odu-oci" /* Don't force odu open connection indication */, "insert-odu-lck" /* Force odu locked maintenance signal */, "no-insert-odu-lck" /* Don't force odu locked maintenance signal */, "rate" ( /* Optical Transmission Network mode */ ("pass-thru" | "fixed-stuff-bytes" | "no-fixed-stuff-bytes" | "oc192" | "otu3" | "otu4") ), "bytes" ( /* Set OTN header bytes */ c( "transmit-payload-type" arg /* Transmit payload type */ ) ), "tti" ( /* Trace Identifier */ c( "otu-dapi" arg /* OTU Destination Access Point Identifier */, "otu-sapi" arg /* OTU Source Access Point Identifier */, "otu-expected-receive-dapi" arg /* OTU Expected Receive Destination Access Point Identifier */, "otu-expected-receive-sapi" arg /* OTU Expected Receive Source Access Point Identifier */, "odu-dapi" arg /* ODU Destination Access Point Identifier */, "odu-sapi" arg /* ODU Source Access Point Identifier */, "odu-expected-receive-dapi" arg /* ODU Expected Receive Destination Access Point Identifier */, "odu-expected-receive-sapi" arg /* ODU Expected Receive Source Access Point Identifier */, "otu-dapi-first-byte-nul" /* Insert all-0s to first byte */, "no-otu-dapi-first-byte-nul" /* Don't insert all-0s to first byte */, "otu-sapi-first-byte-nul" /* Insert all-0s to first byte */, "no-otu-sapi-first-byte-nul" /* Don't insert all-0s to first byte */, "otu-expected-receive-dapi-first-byte-nul" /* Insert all-0s to first byte */, "no-otu-expected-receive-dapi-first-byte-nul" /* Don't insert all-0s to first byte */, "otu-expected-receive-sapi-first-byte-nul" /* Insert all-0s to first byte */, "no-otu-expected-receive-sapi-first-byte-nul" /* Don't insert all-0s to first byte */, "odu-dapi-first-byte-nul" /* Insert all-0s to first byte */, "no-odu-dapi-first-byte-nul" /* Don't insert all-0s to first byte */, "odu-sapi-first-byte-nul" /* Insert all-0s to first byte */, "no-odu-sapi-first-byte-nul" /* Don't insert all-0s to first byte */, "odu-expected-receive-dapi-first-byte-nul" /* Insert all-0s to first byte */, "no-odu-expected-receive-dapi-first-byte-nul" /* Don't insert all-0s to first byte */, "odu-expected-receive-sapi-first-byte-nul" /* Insert all-0s to first byte */, "no-odu-expected-receive-sapi-first-byte-nul" /* Don't insert all-0s to first byte */ ) ), "trigger" ( /* Defect triggers */ c( "oc-los" ( /* OC Loss Of Signal defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "oc-lof" ( /* OC Loss Of Frame defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "oc-lom" ( /* OC Loss Of Multiframe defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "oc-wavelength-lock" ( /* OC Wavelength Lock defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "oc-tsf" ( /* Oc tsf defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "otu-ais" ( /* OTU Alarm Indication Signal defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "otu-bdi" ( /* OTU Backward Defect Indication defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "otu-iae" ( /* OTU Incoming Alignment defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "otu-ttim" ( /* OTU Trail Trace Identifier Mismatch defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "otu-sd" ( /* OTU Signal Degrade defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "otu-fec-deg" ( /* OTU FEC Degrade defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "otu-fec-exe" ( /* OTU FEC Excessive Error defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-ais" ( /* ODU Alarm Indication Signal defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-bdi" ( /* ODU Backward Defect Indication defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-iae" ( /* Odu iae defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-bei" ( /* Odu backward error indication defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-oci" ( /* ODU Open Connection Indication defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-lck" ( /* ODU Locked defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-ttim" ( /* ODU Trail Trace Identifier Mismatch defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "odu-sd" ( /* ODU Signal Degrade defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "opu-ptim" ( /* Payload Type Mismatch defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before clearing or raising the alarm for defect */ sc( "up" arg /* Delay before clearing the alarm when the defect is absent */, "down" arg /* Delay before raising the alarm when the defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline) ) ), "tca" ( /* TCA - threshold crossing alerts */ c( "otu-tca-es" ( /* OTU Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for OTU errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU errored seconds in 24 hours */ ) ).as(:oneline), "otu-tca-ses" ( /* OTU Severely Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU severely errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU severely errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for OTU severely errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU severely errored seconds in 24 hours */ ) ).as(:oneline), "otu-tca-uas" ( /* OTU Unavailable Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU unavailable seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU unavailable seconds threshold crossing alert */, "threshold" arg /* TCA threshold for OTU unavailable seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU unavailable seconds in 24 hours */ ) ).as(:oneline), "otu-tca-bbe" ( /* OTU Background Block Error Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU BBE threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU BBE threshold crossing alert */, "threshold" arg /* TCA threshold for OTU BBE in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU BBE in 24 hours */ ) ).as(:oneline), "otu-tca-es-fe" ( /* OTU far-end Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU far-end errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU far-end errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for OTU far-end errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU far-end errored seconds in 24 hours */ ) ).as(:oneline), "otu-tca-ses-fe" ( /* OTU far-end Severely Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU far-end Unavailable Seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU far-end Unavailable Seconds threshold crossing alert */, "threshold" arg /* TCA threshold for OTU far-end severely errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU far-end severely errored seconds in 24 hours */ ) ).as(:oneline), "otu-tca-uas-fe" ( /* OTU far-end Unavailable Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU far end unavailabe second threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU far end unavailabe second threshold crossing alert */, "threshold" arg /* TCA threshold for OTU far-end unavailable seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU far-end unavailable seconds in 24 hours */ ) ).as(:oneline), "otu-tca-bbe-fe" ( /* OTU far-end Background Block Error (BEI) Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU BBE (BEI) threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU BBE (BEI) threshold crossing alert */, "threshold" arg /* TCA threshold for OTU far-end BBE (BEI) in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for OTU far-end BBE (BEI) in 24 hours */ ) ).as(:oneline), "odu-tca-es" ( /* ODU Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for ODU errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU errored seconds in 24 hours */ ) ).as(:oneline), "odu-tca-ses" ( /* ODU Severely Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU severely errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU severely errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for ODU severely errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU severely-errored seconds in 24 hours */ ) ).as(:oneline), "odu-tca-uas" ( /* ODU Unavailable Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU unavailable seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU unavailable seconds threshold crossing alert */, "threshold" arg /* TCA threshold for ODU unavailable seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU unavailable seconds in 24 hours */ ) ).as(:oneline), "odu-tca-bbe" ( /* ODU Background Block Error Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU BBE threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU BBE threshold crossing alert */, "threshold" arg /* TCA threshold for ODU BBE in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU backgrand block error in 24 hours */ ) ).as(:oneline), "odu-tca-es-fe" ( /* ODU far-end Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU far-end errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU far-end errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for ODU far-end errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU far-end errored seconds in 24 hours */ ) ).as(:oneline), "odu-tca-ses-fe" ( /* ODU far-end Severely Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU far-end Unavailable Seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU far-end Unavailable Seconds threshold crossing alert */, "threshold" arg /* TCA threshold for ODU far-end severely errored seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU severely-errored seconds in 24 hours */ ) ).as(:oneline), "odu-tca-uas-fe" ( /* ODU far-end Unavailable Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU far end unavailabe second threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU far end unavailabe second threshold crossing alert */, "threshold" arg /* TCA threshold for ODU far-end unavailable seconds in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU far-end unavailable seconds in 24 hours */ ) ).as(:oneline), "odu-tca-bbe-fe" ( /* ODU far-end Background Block Error (BEI) Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the ODU BBE (BEI) threshold crossing alert */, "no-enable-tca" /* Don't enable the ODU BBE (BEI) threshold crossing alert */, "threshold" arg /* TCA threshold for ODU far-end BBE (BEI) in 15 minutes */, "threshold-24hrs" arg /* TCA threshold for ODU far-end backgrand block error in 24 hours */ ) ).as(:oneline), "otu-tca-fec-ber" ( /* OTU Errored Seconds Threshold crossing defect trigger */ sc( "enable-tca" /* Enable the OTU errored seconds threshold crossing alert */, "no-enable-tca" /* Don't enable the OTU errored seconds threshold crossing alert */, "threshold" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */, "threshold-24hrs" arg /* TCA threshold for BER value in format: xe-n, x is an integer or decimal number, n = 0..9 */ ) ).as(:oneline) ) ) ) end rule(:override_local_server_type) do c( "interface-client-limit" arg /* Limit the number of clients allowed on an interface */, "no-arp" /* Disable DHCP ARP table population */, "bootp-support" /* Allow processing of bootp requests */, "client-discover-match" /* Use secondary match criteria for DISCOVER PDU */.as(:oneline), "delay-offer" ( /* Filter options for dhcp-server */ dhcpv4_filter_option /* Filter options for dhcp-server */ ), "process-inform" ( /* Process INFORM PDUs */ c( "pool" arg /* Pool name for family inet */ ) ), "include-option-82" ( /* Include option-82 in reply packets */ c( "nak" /* Include option-82 in NAK */, "forcerenew" /* Include option-82 in FORCERENEW */ ) ), "delete-binding-on-renegotiation" /* Delete binding on renegotiation */, "allow-no-end-option" /* Allow packets without end-of-option */, "asymmetric-lease-time" arg /* Use a reduced lease time for the client. In seconds */, "protocol-attributes" arg /* DHCPv4 attributes to use as defined under access protocol-attributes */, "dual-stack" arg /* Dual stack group to use */ ) end rule(:dhcpv4_filter_option) do c( "delay-time" arg /* Time delay between discover and offer */, "based-on" ( /* Option number */ c( "option-82" ( /* Option 82 */ c( "equals" ( /* Generic option equals */ server_v6_option_ascii_hex /* Generic option equals */ ), "not-equals" ( /* Generic option not equals */ server_v6_option_ascii_hex /* Generic option not equals */ ), "starts-with" ( /* Generic option starts-with */ server_v6_option_ascii_hex /* Generic option starts-with */ ) ) ), "option-60" ( /* Option 60 */ c( "equals" ( /* Generic option equals */ server_v6_option_ascii_hex /* Generic option equals */ ), "not-equals" ( /* Generic option not equals */ server_v6_option_ascii_hex /* Generic option not equals */ ), "starts-with" ( /* Generic option starts-with */ server_v6_option_ascii_hex /* Generic option starts-with */ ) ) ), "option-77" ( /* Option 77 */ c( "equals" ( /* Generic option equals */ server_v6_option_ascii_hex /* Generic option equals */ ), "not-equals" ( /* Generic option not equals */ server_v6_option_ascii_hex /* Generic option not equals */ ), "starts-with" ( /* Generic option starts-with */ server_v6_option_ascii_hex /* Generic option starts-with */ ) ) ) ) ) ) end rule(:override_type) do c( "allow-snooped-clients" /* Allow client creation from snooped PDUs */, "no-allow-snooped-clients" /* Don't allow client creation from snooped PDUs */, "allow-no-end-option" /* Allow packets without end-of-option */, "always-write-giaddr" /* Overwrite existing 'giaddr' field, when present */, "always-write-option-82" ( /* Overwrite existing value of option 82, when present */ write_option_82_type /* Overwrite existing value of option 82, when present */ ), "user-defined-option-82" arg /* Set user defined description for option-82 */, "layer2-unicast-replies" /* Do not broadcast client responses */, "trust-option-82" /* Trust options-82 option */, "delay-authentication" /* Delay subscriber authentication in DHCP protocol processing until request packet */, "disable-relay" /* Disable DHCP relay processing */, "no-bind-on-request" /* Do not bind if stray DHCP request is received */, "interface-client-limit" arg /* Limit the number of client allowed on an interface */, "no-arp" /* Disable DHCP ARP table population */, "bootp-support" /* Allows relay of bootp req and reply */, "dual-stack" arg /* Dual stack group to use. */, "client-discover-match" /* Use secondary match criteria for DISCOVER PDU */.as(:oneline), "proxy-mode" /* Put the relay in proxy mode */.as(:oneline), "asymmetric-lease-time" arg /* Use a reduced lease time for the client. In seconds */, "replace-ip-source-with" ( /* Replace IP source address in request and release packets */ sc( c( "giaddr" /* Replace IP source address with giaddr */ ) ) ).as(:oneline), "send-release-on-delete" /* Always send RELEASE to the server when a binding is deleted */, "apply-secondary-as-giaddr" /* Enable DHCP relay to use secondary gateway ip for relay interfaces */, "relay-source" ( /* Interface for relay source */ interface_name /* Interface for relay source */ ), "delete-binding-on-renegotiation" /* Delete binding on rengotiation */ ) end rule(:p2mp_ldp_lsp_nh_obj) do c( "root-address" arg ( /* Configure the root address of P2MP LSP */ c( "lsp-id" arg /* Configure the generic LSP identifier */, "group-address" arg ( /* IPv4/Ipv6 group address for mLDP LSP */ c( "source-address" arg /* IPv4/Ipv6 source address */ ) ) ) ) ) end rule(:packet_accounting_output_type) do c( "aggregate-export-interval" arg /* Interval of exporting aggregate accounting information */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-active-timeout" arg /* Interval after which an active flow is exported */, "cflowd" ( /* Cflowd collector where flow records are sent */ cflowd_packet_accounting_type /* Cflowd collector where flow records are sent */ ), "interface" ( /* Interfaces used to send monitored information */ packet_export_intf_type /* Interfaces used to send monitored information */ ) ) end rule(:cflowd_packet_accounting_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "version" ( /* Format of exported cflowd aggregates */ ("5" | "8") ), "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ) ) ) end rule(:packet_export_intf_type) do arg.as(:arg) ( c( "engine-id" arg /* Identity (number) of this accounting interface */, "engine-type" arg /* Type (number) of this accounting interface */, "source-address" ( /* Address to use for generating monitored packets */ ipaddr /* Address to use for generating monitored packets */ ), "export-port" ( /* Jflow export port configuration */ export_port_address_type /* Jflow export port configuration */ ) ) ) end rule(:export_port_address_type) do c( "address" ( /* Address to use for jflow export port */ ipv4prefix /* Address to use for jflow export port */ ), "gateway" ( /* Gateway address to reach jflow server */ ipv4addr /* Gateway address to reach jflow server */ ) ) end rule(:pccd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("pccd-main" | "pccd-config" | "pccd-core" | "pccd-ui" | "pccd-rpd" | "pccd-functions" | "all")) /* Area of PCCD to enable debugging output */.as(:oneline) ) end rule(:pcrf_definition) do c( "partition" arg ( /* PCRF partition configuration */ c( "accept-sdr" /* Accept service discovery requests */, "destination-realm" arg /* PCRF destination realm */, "destination-host" arg /* PCRF destination host */, "diameter-instance" arg /* PCRF diameter instance */, "draining" /* Set this PCRF partiton to draining state */, "draining-response-timeout" arg /* Logout response timeout in draining mode */, "ip-can-type" arg /* Value of IP-CAN-Type AVP for this PCRF partition */, "local-decision" ( /* Local decision configuration */ c( c( "grant" /* Grant user connection by default */, "deny" /* Deny user connection by default */ ), "timeout" arg /* Local decision timeout */ ) ), "logout-response-timeout" arg /* Logout response timeout */, "max-outstanding-requests" arg /* Maximum number of outstanding requests */, "report-local-rule" /* Report installed local rule to PCRF */, "report-resource-allocation" /* Report rule installation failuresto PCRF */, "report-successful-resource-allocation" /* Report rule installation successes to PCRF */, "send-dyn-subscription-indicator" /* Include Juniper-Dyn-Subscription-Indidicator into ccr-i */, "send-network-family-indicator" /* Include Juniper-Network-Family-Indidicator into ccr-i */, "send-origin-state-id" /* Include origin-state-id avp */, "subscription-id-type" arg /* Value of subscription-id-type AVP for this PCRF partition */, "subscription-id-data-include" ( /* Add subscription-id-data options */ c( "delimiter" arg /* Change delimiter/separator character */, "domain-name" arg /* Domain name */, "interface-name" /* Include interface-name */, "vlan-tags" /* Include interface vlan tags (svlan-vlan) */, "base-interface-name" /* Include base-interface-name */, "mac-address" /* Include MAC address */, "nas-port-id" /* Include nas-port-id */, "origin-host" /* Include origin-host */, "origin-realm" /* Include origin-host */, "user-prefix" arg /* Add user defined prefix */, "user-name" /* Include user-name */ ) ), "update-response-timeout" arg /* Update response timeout */ ) ), "global" ( /* PCRF global parameters */ c( "rule-param" arg ( /* Charging juniper-param avp configuraion */ c( "param-name" arg /* Name associatated with this juniper-param avp */, "log-name" arg /* Log-name associatated with this juniper-param avp */ ) ) ) ) ) end rule(:peers_type) do arg.as(:arg) ( c( "user" arg /* User name */, "authentication" ( /* Authentication string */ unreadable /* Authentication string */ ) ) ) end rule(:periodic_oam) do c( "mpls-tp-mode" ( /* MPLS-TP Mode, Do not use IP addressing for OAM */ c( "lsping-channel-type" ( /* Supported Control-channel types for MPLS-TP mode.... */ c( c( "ipv4" /* Use channel-type IPv4(0x0021), With IP-UDP encapsulation */, "on-demand-cv" /* Use channel-type On-Demand-CV(0x0025), Without IP-UDP encapsulation */ ) ) ) ) ), "bfd-port" ( /* Egress knob to select MHOP-BFD port for MPLS BFD */ c( "import" ( /* Import policy */ policy_algebra /* Import policy */ ) ) ), "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "failure-action" ( /* Action to take when BFD session goes down */ sc( c( "teardown" /* Teardown label switched path and resignal */, "make-before-break" ( /* Resignal the label switched path before teardown */ c( "teardown-timeout" arg /* Time to wait before teardown */ ) ) ) ) ).as(:oneline), "no-router-alert-option" /* Do not set Router-Alert options in IP header for MPLS-BFD */, "use-ip-ttl-1" /* Set TTL value to 1 in IP header for MPLS-BFD */ ) ), "performance-monitoring" ( /* Performance monitoring options */ c( "traceoptions" ( /* Trace options for PM */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("init" | "error" | "event" | "general" | "packet" | "timer" | "all")) /* Tracing parameters */.as(:oneline) ) ), "querier" ( /* Querier options */ c( "loss" ( /* Loss measurement options */ c( "traffic-class" enum(("tc-0" | "tc-1" | "tc-2" | "tc-3" | "tc-4" | "tc-5" | "tc-6" | "tc-7" | "all" | "none")) ( /* Traffic class specific options */ c( "query-interval" arg /* Minimum transmit interval */, "measurement-quantity" ( /* Loss measurement quantity */ ("bytes" | "packets") ), "average-sample-size" arg /* Number of samples used in average calculation */, "loss-threshold" arg /* Loss threshold value */, "loss-threshold-window" arg /* Number of samples for loss threshold calculation */ ) ) ) ), "delay" ( /* Delay measurement options */ c( "traffic-class" enum(("tc-0" | "tc-1" | "tc-2" | "tc-3" | "tc-4" | "tc-5" | "tc-6" | "tc-7" | "all")) ( /* Traffic class specific options */ c( "query-interval" arg /* Minimum transmit interval */, "padding-size" arg /* Size of padding */, "average-sample-size" arg /* Number of samples used in average calculation */, "twcd-delay-threshold" arg /* Two way channel delay threshold value */, "rtt-delay-threshold" arg /* Round trip delay threshold value */ ) ) ) ), "loss-delay" ( /* Combined loss-delay measurement options */ c( "traffic-class" enum(("tc-0" | "tc-1" | "tc-2" | "tc-3" | "tc-4" | "tc-5" | "tc-6" | "tc-7" | "all" | "none")) ( /* Traffic class specific options */ c( "query-interval" arg /* Minimum transmit interval */, "measurement-quantity" ( /* Loss measurement quantity */ ("bytes" | "packets") ), "padding-size" arg /* Size of padding */, "average-sample-size" arg /* Number of samples used in average calculation */, "loss-threshold" arg /* Loss threshold value */, "loss-threshold-window" arg /* Number of samples for loss threshold calculation */, "twcd-delay-threshold" arg /* Two way channel delay threshold value */, "rtt-delay-threshold" arg /* Round trip delay threshold value */ ) ) ) ) ) ), "responder" ( /* Responder options */ c( "loss" ( /* Loss measurement options */ c( "min-query-interval" arg /* Minimum query interval */ ) ), "delay" ( /* Delay measurement options */ c( "min-query-interval" arg /* Minimum query interval */ ) ) ) ) ) ), "lsp-ping-interval" arg /* Time interval between LSP ping messages */, "lsp-ping-multiplier" arg /* Number of ping reply missed before declaring BFD down */, "traceoptions" ( /* Trace options for MPLSOAM process */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "pipe" | "rpc-packet-details" | "database" | "network" | "traceroute" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) end rule(:pf_mapping) do arg.as(:arg) ( c( "destined-port" ( /* Port forwarding mappings */ s( arg, "translated-port" arg /* Translated port */ ) ).as(:oneline) ) ) end rule(:pim_bootstrap_options_type) do c( "priority" arg /* Eligibility to be the bootstrap router */, "import" ( /* Bootstrap import policy */ policy_algebra /* Bootstrap import policy */ ), "export" ( /* Bootstrap export policy */ policy_algebra /* Bootstrap export policy */ ) ) end rule(:pim_filter_obj) do c( "match-on" ( /* Argument on which to match */ ("prefix") ), "policy" ( /* Filter policy */ policy_algebra /* Filter policy */ ) ).as(:oneline) end rule(:pim_rp_group_range_type) do arg.as(:arg) ( c( "nexthop-hold-time" arg /* Nexthop hold time in milliseconds */ ) ) end rule(:pm_rspan_bridge_domain) do arg.as(:arg) end rule(:pm_rspan_vlan) do arg.as(:arg) ( c( "no-tag" /* Removes extra RSPAN tag from mirrored packets */ ) ) end rule(:pm_family_input_type) do c( "rate" arg /* Ratio of packets to be sampled (1 out of N) */, "run-length" arg /* Number of samples after initial trigger */, "maximum-packet-length" arg /* Maximum length of the mirrored packet */ ) end rule(:pmond_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("events" | "heartbeat" | "process-tracking" | "ui" | "all")) /* Area of process health monitor to enable debugging output */.as(:oneline) ) end rule(:policy_object_type) do c( "traceoptions" ( /* Network Security Policy Tracing Options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "routing-socket" | "compilation" | "ipc" | "rules" | "lookup" | "all")) /* Tracing parameters */.as(:oneline) ) ), "policy" ( /* Define a policy context from this zone */ s( arg, "to-zone-name" arg /* Destination zone */, c( "policy" ( /* Define security policy in specified zone-to-zone direction */ policy_type /* Define security policy in specified zone-to-zone direction */ ) ) ) ), "global" ( /* Define a global policy context */ c( "policy" ( /* Define security policy in global context */ policy_type /* Define security policy in global context */ ) ) ), "default-policy" ( /* Configure default action when no user-defined policy match */ c( c( "permit-all" /* Permit all traffic if no policy match */, "deny-all" /* Deny all traffic if no policy match */ ) ) ), "policy-rematch" ( /* Re-evaluate the policy when changed */ sc( "extensive" /* Perform policy extensive rematch */ ) ).as(:oneline), "policy-stats" ( /* Parameters for policy statistics */ c( "system-wide" ( /* Enable/Disable system-wide policy statistics */ ("enable" | "disable") ) ) ), "pre-id-default-policy" ( /* Configure default policy action before dynamic application is finally identified */ c( "then" ( /* Specify policy action to take when packet match criteria */ c( "log" ( /* Enable log */ log_type /* Enable log */ ), "session-timeout" ( /* Session timeout */ session_timeout_type /* Session timeout */ ) ) ) ) ), "stateful-firewall-rule" arg ( /* Define a stateful-firewall-rule */ c( "match-direction" ( /* Direction for which the rule match is applied */ ("input" | "output" | "input-output") ), "policy" ( /* Define a stateful-firewall policy */ policy_type /* Define a stateful-firewall policy */ ) ) ), "stateful-firewall-rule-set" arg ( /* Defines a set of stateful firewall rules */ c( "stateful-firewall-rule" arg /* Rule to be included in this stateful firewall rule set */ ) ) ) end rule(:log_type) do c( "session-init" /* Log at session init time */, "session-close" /* Log at session close time */ ) end rule(:policy_type) do arg.as(:arg) ( c( "description" arg /* Text description of policy */, "match" ( /* Specify security policy match-criteria */ c( c( "source-address" ( ("any" | "any-ipv4" | "any-ipv6" | arg) ) ), c( "destination-address" ( ("any" | "any-ipv4" | "any-ipv6" | arg) ) ), "source-address-excluded" /* Exclude source addresses */, "destination-address-excluded" /* Exclude destination addresses */, c( "application" ( (arg | "junos-defaults") ) ), c( "source-identity" ( ("any" | "authenticated-user" | "unauthenticated-user" | "unknown-user" | arg) ) ), c( "source-end-user-profile" ( /* Match source end user profile */ match_source_end_user_profile_value /* Match source end user profile */ ) ), c( "dynamic-application" ( (arg | "junos:UNKNOWN" | "junos:unassigned" | "any" | "none") ) ), c( "from-zone" ( ("any" | arg) ) ), c( "to-zone" ( ("any" | arg) ) ) ) ), "then" ( /* Specify policy action to take when packet match criteria */ c( c( "deny" /* Deny packets */, "reject" ( /* Reject packets */ c( "profile" arg /* Profile for redirect HTTP/S traffic */, "ssl-proxy" ( /* SSL proxy services */ c( "profile-name" arg /* Specify SSL proxy service profile name */ ) ) ) ), "permit" ( /* Permit packets */ c( "tunnel" ( /* Tunnel packets */ tunnel_type /* Tunnel packets */ ), "firewall-authentication" ( /* Enable authentication for this policy if permit or tunnel */ firewall_authentication_type /* Enable authentication for this policy if permit or tunnel */ ), "destination-address" ( /* Enable destination address translation */ destination_nat_enable_type /* Enable destination address translation */ ), "application-services" ( /* Application Services */ application_services_type /* Application Services */ ), "tcp-options" ( /* Transmission Control Protocol session configuration */ c( "syn-check-required" /* Enable per policy SYN-flag check */, "sequence-check-required" /* Enable per policy sequence-number checking */, "initial-tcp-mss" arg /* Override MSS value for initial direction */, "reverse-tcp-mss" arg /* Override MSS value for reverse direction */, "window-scale" /* Enable per policy window-scale */ ) ), "services-offload" /* Enable services offloading */ ) ) ), "log" ( /* Enable log */ log_type /* Enable log */ ), "count" ( /* Enable count */ count_type /* Enable count */ ) ) ), "scheduler-name" arg /* Name of scheduler */ ) ) end rule(:application_services_type) do c( "gprs-gtp-profile" arg /* Specify GPRS Tunneling Protocol profile name */, "gprs-sctp-profile" arg /* Specify GPRS stream control protocol profile name */, "idp" /* Intrusion detection and prevention */, "idp-policy" arg /* Specify idp policy name */, "ssl-proxy" ( /* SSL proxy services */ c( "profile-name" arg /* Specify SSL proxy service profile name */ ) ), "uac-policy" ( /* Enable unified access control enforcement of policy */ c( "captive-portal" arg ) ), "utm-policy" arg /* Specify utm policy name */, "icap-redirect" arg /* Specify icap redirect profile name */, "application-firewall" ( /* Application firewall services */ jsf_service_rule_set_type /* Application firewall services */ ), "application-traffic-control" ( /* Application traffic control services */ jsf_application_traffic_control_rule_set_type /* Application traffic control services */ ), c( "redirect-wx" /* Set WX redirection */, "reverse-redirect-wx" /* Set WX reverse redirection */ ), "security-intelligence-policy" arg /* Specify security-intelligence policy name */, "advanced-anti-malware-policy" arg /* Specify advanced-anti-malware policy name */ ) end rule(:count_type) do end rule(:destination_nat_enable_type) do c( c( "drop-translated" /* Drop the policy if NAT translated */, "drop-untranslated" /* Drop the policy if NAT untranslated */ ) ) end rule(:firewall_authentication_type) do c( c( "pass-through" ( /* Pass-through firewall authentication settings */ c( "access-profile" arg /* Specify access profile name */, "client-match" arg, "web-redirect" /* Redirect unauthenticated HTTP requests to the device's internal web server */, "web-redirect-to-https" /* Redirect unauthenticated HTTP requests to the device's internal HTTPS web server */, "ssl-termination-profile" arg /* Specify SSL termination profile used to the SSL offload */, "auth-only-browser" /* Authenticate only browser traffic */, "auth-user-agent" arg /* Authenticate HTTP traffic with specified user agent */ ) ), "web-authentication" ( /* Web-authentication settings */ c( "client-match" arg ) ), "user-firewall" ( /* User-firewall firewall authentication settings */ c( "access-profile" arg /* Specify access profile name */, "web-redirect" /* Redirect unauthenticated HTTP req to web server */, "web-redirect-to-https" /* Redirect unauthenticated HTTP req to HTTPS web server */, "ssl-termination-profile" arg /* Specify SSL termination profile used to the SSL offload */, "auth-only-browser" /* Authenticate only browser traffic */, "auth-user-agent" arg /* Authenticate HTTP traffic with specified user agent */, "domain" arg /* Specify domain name */ ) ) ), "push-to-identity-management" /* Push auth entry to identity management server */ ) end rule(:jsf_service_rule_set_type) do c( "rule-set" arg /* Service rule set name */ ) end rule(:match_source_end_user_profile_value) do c( arg /* Specify source-end-user-profile name from list to match */ ) end rule(:port_range) do arg.as(:arg) ( c( "maximum-port" arg /* Maximum port in the port range */ ) ).as(:oneline) end rule(:ppp_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("access" | "address-pool" | "auth" | "chap" | "pap" | "config" | "ifdb" | "lcp" | "memory" | "message" | "mlppp" | "ncp" | "ppp" | "radius" | "redundancy" | "rtsock" | "session" | "signal" | "timer" | "ui" | "ci" | "all")) /* Area of PPP process to enable debugging output */.as(:oneline) ) end rule(:ppp_options_type) do c( "dynamic-profile" arg /* Dynamic profile name */, "chap" ( /* Challenge Handshake Authentication Protocol options */ c( c( "access-profile" arg /* Profile containing client list and access parameters */, "default-chap-secret" ( /* Default CHAP secret to be used when no matching access profile exists */ unreadable /* Default CHAP secret to be used when no matching access profile exists */ ) ), "local-name" arg /* Name sent in CHAP-Challenge and CHAP-Response */, "no-rfc2486" /* RFC2486 compliance is not enforced */, "passive" /* Handle incoming CHAP requests only */, "challenge-length" /* CHAP challenge length */.as(:oneline) ) ), "pap" ( /* Password Authentication Protocol options */ c( c( "access-profile" arg /* Profile containing client list and access parameters */, "default-password" ( /* Default PAP password used in the absence of matching profile */ unreadable /* Default PAP password used in the absence of matching profile */ ) ), "local-name" arg /* Name sent in PAP request packet */, "no-rfc2486" /* RFC2486 compliance is not enforced */, "local-password" ( /* Password sent in PAP request packet */ unreadable /* Password sent in PAP request packet */ ), "passive" /* Do not handle PAP authentication requests */ ) ), "authentication" /* Order in which PPP authentication protocols are negotiated */, "compression" ( /* Set compression options */ sc( "acfc" /* Negotiate Address/Control field compression */, "pfc" /* Negotiate Protocol field compression */ ) ).as(:oneline), "lcp-restart-timer" arg /* LCP restart timer */, "ncp-restart-timer" arg /* NCP restart timer */, "no-termination-request" /* Don't send PPP termination requests */, "loopback-clear-timer" arg /* Loopback clear timer */, "lcp-max-conf-req" arg /* Maximum LCP Conf-Req to be sent, 0 means infinite */, "ncp-max-conf-req" arg /* Maximum NCP Conf-Req to be sent, 0 means infinite */, "on-demand-ip-address" /* Enable On-Demand IPv4 address allocation and de-allocation */, "aaa-options" arg /* Attach AAA options name to dynamic-profile */, "initiate-ncp" ( /* Enable server initiated NCP */ c( "ip" /* Enable server initiated IPNCP */, "ipv6" /* Enable server initiated IPv6NCP */, "dual-stack-passive" /* Disable server initiated IPNCP/IPv6NCP for dual-stack client */ ) ), "mru" arg /* The Maximum Receive Unit size in bytes */, "mtu" ( /* The Maximum Transfer Unit size in bytes */ ("use-lower-layer" | arg) ), "peer-ip-address-optional" /* Set Peer IP Address Optional in IP NCP Negotiations */, "ipcp-suggest-dns-option" /* Suggest peer to negotiate with DNS Addresses options */, "ignore-magic-number-mismatch" /* Ignore magic-number validation failure in LCP keepalive */, "local-authentication" ( /* Local Authentication Protocol options */ local_auth_type /* Local Authentication Protocol options */ ) ) end rule(:local_auth_type) do c( "password" arg /* Username password */, "username-include" ( /* Add username options */ c( "mac-address" /* Include MAC address */, "circuit-id" /* Include circuit-id */, "remote-id" /* Include remote-id */, "domain-name" arg /* Domain name */, "delimiter" arg /* Delimiter/separator character */ ) ) ) end rule(:pppoe_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("config" | "events" | "gres" | "init" | "interface-db" | "memory" | "protocol" | "rtsock" | "session-db" | "signal" | "state" | "stats" | "timer" | "ui" | "all")) /* Area of PPPoE process to enable debugging output */.as(:oneline), "filter" ( /* Trace filtering */ c( "aci" arg /* Regular expression to match ACI */, "ari" arg /* Regular expression to match ARI */, "service-name" arg /* Service name */, "underlying-interface" ( /* Underlying interface name */ ("$junos-underlying-interface" | arg) ), "user" /* Filter by user name */ ) ) ) end rule(:pppoe_options_type) do c( "underlying-interface" ( /* Underlying interface name */ ("$junos-underlying-interface" | arg) ), "idle-timeout" arg /* Time for which session can be idle (0 = forever) */, "access-concentrator" arg /* Name of the access concentrator (PPPoE server) */, "service-name" arg /* Service to be requested (from PPPoE server) */, "auto-reconnect" arg /* Time to reconnect after session terminates (0 = never) */, c( "server" /* PPPoE operates in server mode */, "client" /* PPPoE operates in client mode */ ), "ppp-max-payload" arg /* Specify the value of ppp-max-payload tag */ ) end rule(:pppoe_underlying_options_type) do c( "access-concentrator" arg /* Name of the access concentrator (PPPoE server) */, "direct-connect" /* Ignore received VS tags for PPPoE sessions */, "duplicate-protection" /* Disallow multiple PPPoE sessions to a single client */, "dynamic-profile" arg /* Attach dynamic-profile to interface */, "max-sessions" arg /* Maximum number of PPPoE sessions allowed on underlying interface */, "max-sessions-vsa-ignore" /* Ignore the max-sessions VSA */, "service-name-table" arg /* Attach Service Name Table to interface */, "short-cycle-protection" ( /* Enable short cycle protection on underlying interface */ c( "lockout-time-min" arg /* Minimum lockout time */, "lockout-time-max" arg /* Maximum lockout time */, "filter" arg /* Granularity of blocking filter */ ) ) ) end rule(:prefix_action) do arg.as(:arg) ( c( "policer" arg /* Police the packet using a set of named policer */, "count" /* Enable counters */, "filter-specific" /* Filter specific, else term specific */, "subnet-prefix-length" arg /* Prefix length for the total address range */, c( "source-prefix-length" arg /* Source prefix range */, "destination-prefix-length" arg /* Destination prefix range */ ) ) ) end rule(:prefix_list_items) do arg.as(:arg) end rule(:profile_radius_server_object) do arg.as(:arg) ( c( "port" arg /* RADIUS server authentication port number */, "preauthentication-port" arg /* RADIUS server preauthentication port number */, "accounting-port" arg /* Port number to which to send RADIUS accounting messages (L2TP only) */, "dynamic-request-port" arg /* RADIUS client dynamic request port number */, "secret" ( /* Shared secret with the RADIUS server */ unreadable /* Shared secret with the RADIUS server */ ), "preauthentication-secret" ( /* Shared secret with the RADIUS server */ unreadable /* Shared secret with the RADIUS server */ ), "timeout" arg /* Request timeout period */, "retry" arg /* Retry attempts */, "accounting-timeout" arg /* Accounting request timeout period */, "accounting-retry" arg /* Accounting retry attempts */, "max-outstanding-requests" arg /* Maximum requests in flight to server */, "source-address" ( /* Use specified address as source address */ ipaddr /* Use specified address as source address */ ), "routing-instance" arg /* Use specified routing instance */ ) ) end rule(:profile_setting) do arg.as(:arg) ( c( "anti-virus" ( /* UTM policy anti-virus profile */ c( "http-profile" arg /* Anti-virus profile */, "ftp" ( /* FTP profile */ c( "upload-profile" arg /* Anti-virus profile */, "download-profile" arg /* Anti-virus profile */ ) ), "smtp-profile" arg /* Anti-virus profile */, "pop3-profile" arg /* Anti-virus profile */, "imap-profile" arg /* Anti-virus profile */ ) ), "content-filtering" ( /* Content-filtering profile */ c( "http-profile" arg /* Content-filtering profile */, "ftp" ( /* FTP profile */ c( "upload-profile" arg /* Content-filtering FTP upload profile */, "download-profile" arg /* Content-filtering FTP download profile */ ) ), "smtp-profile" arg /* Content-filtering SMTP profile */, "pop3-profile" arg /* Content-filtering POP3 profile */, "imap-profile" arg /* Content-filtering IMAP profile */ ) ), "web-filtering" ( /* Web-filtering profile */ c( "http-profile" arg /* Web-filtering HTTP profile */ ) ), "anti-spam" ( /* Anti-spam profile */ c( "smtp-profile" arg /* Anti-spam profile */ ) ), "traffic-options" ( /* Traffic options */ c( "sessions-per-client" ( /* Sessions per client */ c( "limit" arg /* Sessions limit */, "over-limit" ( /* Over limit number */ ("log-and-permit" | "block") ) ) ) ) ) ) ) end rule(:profile_type) do arg.as(:arg) ( c( "appfw-rule-set" ( /* Application firewall rule-set quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "appfw-rule" ( /* Application firewall rule quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "appfw-profile" ( /* Application firewall profile quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "auth-entry" ( /* Firewall authentication quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "policy" ( /* Security policy quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "policy-with-count" ( /* Security policy with count quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "scheduler" ( /* Security scheduler quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "address-book" ( /* Security address book quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "zone" ( /* Security zone quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "flow-session" ( /* Security flow session quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "cpu" ( c( "reserved" arg /* CPU utilization quota (percent) of a logical system or tenant */ ) ), "flow-gate" ( /* Security flow gate quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-source-pool" ( /* Security nat src pool quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-destination-pool" ( /* Security nat dst pool quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-pat-address" ( /* Security nat IP address in src pool with PAT quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-nopat-address" ( /* Security nat IP address in src pool without PAT quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-pat-portnum" ( /* Security nat port num in source pool with PAT quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-source-rule" ( /* Security nat src rule quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-destination-rule" ( /* Security nat destination rule quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-static-rule" ( /* Security nat static rule quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-rule-referenced-prefix" ( /* Security NAT rule referenced IP-prefix quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-cone-binding" ( /* Security cone nat binding quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-port-ol-ipnumber" ( /* Security nat port overloading ip number quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "nat-interface-port-ol" ( /* Security nat interface port overloading quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "dslite-softwire-initiator" ( /* Security ds-lite softwire initiator number quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "security-log-stream-number" ( /* Security log stream number quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "icap-redirect-profile" ( /* ICAP redirect profile quota of a logical system or tenant */ c( "maximum" arg /* Maximum allowed quota */, "reserved" arg /* Reserved quota */ ) ), "idp-policy" arg /* Assign idp policy to logical systems in this profile */, "root-logical-system" /* Assign this security-profile to root logical system */, "logical-system" arg /* Assign the security-profile to logical-systems */, "tenant" arg /* Assign the security-profile to tenants */ ) ) end rule(:programmable_rpd_type) do c( "traceoptions" ( /* Trace options */ c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("client" | "japi" | "routing-interface" | "route" | "normal" | "general" | "state" | "policy" | "task" | "timer" | "all")) /* Tracing parameters */.as(:oneline) ) ), "purge-timeout" arg /* Purge timeout for all programmable-rpd clients in seconds */, "client" arg ( /* Programmable-rpd client options */ c( "interface-notification" arg /* Interfaces for notification */ ) ) ) end rule(:proto_object) do arg.as(:arg) ( c( "tunable-name" ( /* Protocol tunable name */ tunable_object /* Protocol tunable name */ ) ) ) end rule(:protocol_attribute_type) do arg.as(:arg) ( c( "dhcp" ( /* DHCPv4 configurable attributes */ dhcp_attribute_type /* DHCPv4 configurable attributes */ ), "dhcpv6" ( /* DHCPv6 configurable attributes */ dhcp_attribute_type /* DHCPv6 configurable attributes */ ) ) ) end rule(:proxy_object) do c( "server" arg /* URL or IP address of the proxy server host */, "port" arg /* Proxy server port */, "username" arg /* Username as configured in the proxy server */, "password" ( /* Password as configured in the proxy server */ unreadable /* Password as configured in the proxy server */ ) ) end rule(:proxy_profile_setting) do arg.as(:arg) ( c( "protocol" ( /* Protocol level proxy setting */ c( "http" ( /* HTTP proxy setting */ c( "host" arg /* Proxy server name or IP address */, "port" arg /* Proxy server port */ ) ) ) ) ) ) end rule(:qualified_nh_obj) do arg.as(:arg) ( c( "preference" arg /* Preference of qualified next hop */, "metric" arg /* Metric of qualified next hop */, "interface" ( /* Interface of qualified next hop */ interface_name /* Interface of qualified next hop */ ), "mac-address" ( /* Next-hop Mac Address */ mac_unicast /* Next-hop Mac Address */ ), "tag" arg /* Tag string */, "bfd-liveness-detection" ( /* Bidirectional Forwarding Detection (BFD) options */ c( "version" ( /* BFD protocol version number */ ("0" | "1" | "automatic") ), "minimum-interval" arg /* Minimum transmit and receive interval */, "minimum-transmit-interval" arg /* Minimum transmit interval */, "minimum-receive-interval" arg /* Minimum receive interval */, "multiplier" arg /* Detection time multiplier */, c( "no-adaptation" /* Disable adaptation */ ), "transmit-interval" ( /* Transmit-interval options */ c( "minimum-interval" arg /* Minimum transmit interval */, "threshold" arg /* High transmit interval triggering a trap */ ) ), "detection-time" ( /* Detection-time options */ c( "threshold" arg /* High detection-time triggering a trap */ ) ), "authentication" ( /* Authentication options */ c( "key-chain" arg /* Key chain name */, "algorithm" ( /* Algorithm name */ ("simple-password" | "keyed-md5" | "meticulous-keyed-md5" | "keyed-sha-1" | "meticulous-keyed-sha-1") ), "loose-check" /* Verify authentication only if authentication is negotiated */ ) ), "neighbor" ( /* BFD neighbor address */ ipaddr /* BFD neighbor address */ ), "local-address" ( /* BFD local address (for multihop only) */ ipaddr /* BFD local address (for multihop only) */ ), "holddown-interval" arg /* Time to hold the session-UP notification to the client */, "minimum-receive-ttl" arg /* Minimum receive TTL below which to drop */ ) ) ) ) end rule(:r2cp_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "event" | "interface" | "node" | "packet" | "rtsock" | "session" | "socket" | "timer" | "virtual-channel" | "all")) /* Area of R2CP process to enable debugging output */.as(:oneline) ) end rule(:radius_disconnect_object) do arg.as(:arg) ( c( "secret" ( /* Secret with which to authenticate RADIUS client sending disconnect requests */ unreadable /* Secret with which to authenticate RADIUS client sending disconnect requests */ ) ) ) end rule(:radius_server_object) do arg.as(:arg) ( c( "routing-instance" arg /* Routing instance */, "port" arg /* RADIUS server authentication port number */, "preauthentication-port" arg /* RADIUS server preauthentication port number */, "accounting-port" arg /* RADIUS server accounting port number */, "dynamic-request-port" arg /* RADIUS client dynamic request port number */, "secret" ( /* Shared secret with the RADIUS server */ unreadable /* Shared secret with the RADIUS server */ ), "preauthentication-secret" ( /* Shared secret with the RADIUS server */ unreadable /* Shared secret with the RADIUS server */ ), "timeout" arg /* Request timeout period */, "retry" arg /* Retry attempts */, "accounting-timeout" arg /* Accounting request timeout period */, "accounting-retry" arg /* Accounting retry attempts */, "max-outstanding-requests" arg /* Maximum requests in flight to server */, "source-address" ( /* Use specified address as source address */ ipaddr /* Use specified address as source address */ ) ) ) end rule(:radius_options_vlan_type) do c( "nas-port-options" arg ( /* Attach NAS Port options to VLAN/SVLAN ranges */ c( "nas-port-type" ( /* Configure NAS port type */ ("async" | "sync" | "isdn-sync" | "isdn-v120" | "isdn-v110" | "virtual" | "piafs" | "hdlc-clear-channel" | "x25" | "x75" | "g3-fax" | "sdsl" | "adsl-cap" | "adsl-dmt" | "idsl" | "ethernet" | "xdsl" | "cable" | "wireless" | "wireless-ieee80211" | "token-ring" | "fddi" | "wireless-cdma2000" | "wireless-umts" | "wireless-1x-ev" | "iapp" | arg) ), "nas-port-extended-format" ( /* Configure NAS port format */ c( "ae-width" arg /* Number of bits for the aggregated ethernet identifier field */, "slot" arg /* Value to write to the slot field */, "slot-width" arg /* Number of bits for the slot field */, "adapter" arg /* Value to write to the adapter field */, "adapter-width" arg /* Number of bits for the adapter field */, "port" arg /* Value to write to the port field */, "port-width" arg /* Number of bits for the port field */, "pw-width" arg /* Number of bits for the pseudo-wire field */, "stacked-vlan-width" arg /* Number of bits for the S-VLAN subinterface field */, "vlan-width" arg /* Number of bits for the VLAN subinterface field */, "stacked" /* Include the S-VLAN ID for subscribers on interfaces */, "vpi-width" arg /* Number of bits for the ATM VPI field */, "vci-width" arg /* Number of bits for the ATM VCI field */ ) ), "stacked-vlan-ranges" arg /* Configure interface based on stacked-vlan range */, "vlan-ranges" arg /* Configure interface based on vlan range */ ) ) ) end rule(:ragw_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("brief" | "detail" | "extensive" | "verbose") ), "flag" enum(("configuration" | "tunnel" | "session" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:range_address_type) do arg.as(:arg) ( c( "to" ( /* Port range upper limit */ c( ipv4addr /* Upper limit of address range */ ) ) ) ) end rule(:reconfigure_trigger_type) do c( "radius-disconnect" /* Trigger DHCP reconfigure by radius initiated disconnect */ ) end rule(:reconfigure_type) do c( "clear-on-abort" /* Delete client on reconfiguration abort */, "attempts" arg /* Number of reconfigure attempts before aborting */, "timeout" arg /* Initial timeout value for retry */, "token" arg /* Reconfigure token */, "trigger" ( /* DHCP reconfigure trigger */ reconfigure_trigger_type /* DHCP reconfigure trigger */ ), "support-option-pd-exclude" /* Request prefix exclude option in reconfigure message */ ) end rule(:relay_bulk_leasequery_v4_type) do c( "attempts" arg /* Number of retry attempts */, "timeout" arg /* Number of seconds */ ) end rule(:relay_bulk_leasequery_v6_type) do c( "attempts" arg /* Number of retry attempts */, "timeout" arg /* Number of seconds */, "trigger" ( /* Trigger for bulk leasequery */ sc( "automatic" /* Trigger automatically */ ) ).as(:oneline) ) end rule(:relay_leasequery_type) do c( "attempts" arg /* Number of retry attempts */, "timeout" arg /* Number of seconds */ ) end rule(:relay_option_60_type_group) do c( "vendor-option" ( /* Add vendor option */ c( "equals" ( /* Option 60 equals */ relay_option_60_match_group /* Option 60 equals */ ), "not-equals" ( /* Option 60 does not equal */ relay_option_60_match_group /* Option 60 does not equal */ ), "starts-with" ( /* Option 60 starts with */ relay_option_60_match_group /* Option 60 starts with */ ), c( "default-relay-server-group" arg /* Name of DHCP relay server group when match is not made */, "default-local-server-group" arg /* Name of DHCP local server group when match is not made */, "drop" /* Discard when a match is not made */, "forward-only" /* Forward without subscriber services when a match is not made */ ) ) ) ) end rule(:relay_option_60_match_group) do c( "ascii" arg ( /* ASCII string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "local-server-group" arg /* Name of DHCP local server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ), "hexadecimal" arg ( /* Hexadecimal string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "local-server-group" arg /* Name of DHCP local server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ) ) end rule(:relay_option_60_type_top) do c( "vendor-option" ( /* Add vendor option */ c( "equals" ( /* Option 60 equals */ relay_option_60_match_top /* Option 60 equals */ ), "not-equals" ( /* Option 60 does not equal */ relay_option_60_match_top /* Option 60 does not equal */ ), "starts-with" ( /* Option 60 starts with */ relay_option_60_match_top /* Option 60 starts with */ ), c( "default-relay-server-group" arg /* Name of DHCP relay server group when match is not made */, "default-local-server-group" arg /* Name of DHCP local server group when match is not made */, "drop" /* Discard when a match is not made */, "forward-only" /* Forward without subscriber services when a match is not made */ ) ) ) ) end rule(:relay_option_60_match_top) do c( "ascii" arg ( /* ASCII string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "local-server-group" arg /* Name of DHCP local server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ), "hexadecimal" arg ( /* Hexadecimal string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "local-server-group" arg /* Name of DHCP local server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ) ) end rule(:relay_option_82_type) do c( "circuit-id" ( /* Add circuit identifier */ c( "prefix" ( /* Add prefix to circuit/interface-id or remote-id */ c( "host-name" /* Add router host name to circuit / interface-id or remote-id */, "logical-system-name" /* Add logical system name to circuit / interface-id or remote-id */, "routing-instance-name" /* Add routing instance name to circuit / interface-id or remote-id */ ) ), "use-interface-description" ( /* Use interface description instead of circuit identifier */ ("logical" | "device") ), "use-vlan-id" /* Use VLAN id instead of name */, "no-vlan-interface-name" /* Not include vlan or interface name */, "include-irb-and-l2" /* Include IRB and L2 interface name */, "user-defined" /* Include user defined string */, "keep-incoming-circuit-id" /* Keep incoming circuit identifier */ ) ), "remote-id" ( /* Add remote identifier */ c( "prefix" ( /* Add prefix to circuit/interface-id or remote-id */ c( "host-name" /* Add router host name to circuit / interface-id or remote-id */, "logical-system-name" /* Add logical system name to circuit / interface-id or remote-id */, "routing-instance-name" /* Add routing instance name to circuit / interface-id or remote-id */ ) ), "use-interface-description" ( /* Use interface description instead of circuit identifier */ ("logical" | "device") ), "use-vlan-id" /* Use VLAN id instead of name */, "no-vlan-interface-name" /* Not include vlan or interface name */, "include-irb-and-l2" /* Include IRB and L2 interface name */, "keep-incoming-remote-id" /* Keep incoming remote identifier */, "use-string" arg /* Use raw string instead of the default remote id */ ) ), "server-id-override" /* Add link-selection and server-id sub-options on packets to server */, "vendor-specific" ( /* Add vendor-specific information */ jdhcp_vendor_specific_type /* Add vendor-specific information */ ).as(:oneline) ) end rule(:relay_v4_option_ascii_hex) do c( "ascii" arg ( /* ASCII string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "local-server-group" arg /* Name of DHCP local server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ), "hexadecimal" arg ( /* Hexadecimal string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "local-server-group" arg /* Name of DHCP local server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ) ) end rule(:relay_v6_option_ascii_hex) do c( "ascii" arg ( /* ASCII string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ), "hexadecimal" arg ( /* Hexadecimal string */ c( c( "relay-server-group" arg /* Name of DHCP relay server group when match is made */, "drop" /* Discard when a match is made */, "forward-only" /* Forward without subscriber services when a match is made */ ) ) ) ) end rule(:res_cleanupd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("events" | "gencfg" | "module" | "sysvsem" | "sysvshm" | "tracking" | "ui" | "all")) /* Area of resource cleanup process to enable debugging output */.as(:oneline) ) end rule(:resource_monitor_type) do c( "resource-category" enum(("jtree")) ( /* Resource category */ c( "resource-type" enum(("free-pages" | "free-dwords" | "contiguous-pages")) ( /* Resource type */ c( "low-watermark" arg /* Low watermark limit percentage */, "high-watermark" arg /* High watermark limit percentage */ ) ) ) ), "traceoptions" ( /* Resource monitor trace options */ resource_monitor_traceoptions_type /* Resource monitor trace options */ ), "no-throttle" /* Disable throttling of subscribers and services based on resource utilization */, "no-load-throttle" /* Disable throttling of subscribers and services based on PFE load */, "no-logging" /* Disable logging of warning or error messages resource levels exceeded */, "high-threshold" arg /* High threshold percentage for resource utilization */, "high-cos-queue-threshold" arg /* High threshold percentage for cos queue utilization per scheduler */, "free-heap-memory-watermark" arg /* Watermark percentage for ukern heap resource utilization */, "free-nh-memory-watermark" arg /* Watermark percentage for NH resource utilization */, "free-fw-memory-watermark" arg /* Watermark percentage for Filter / Firewall resource utilization */, "subscribers-limit" ( /* Limit number of subscribers allowed to login */ c( "client-type" enum(("pppoe" | "dhcp" | "l2tp" | "any")) ( /* Subscriber client type */ c( "chassis" ( /* Max subscriers allowed in chassis */ c( "limit" arg /* Number of subscribers allowed */ ) ), "fpc" ( /* Limiting subscriber on fpc */ rsmon_fpc_type /* Limiting subscriber on fpc */ ) ) ) ) ) ) end rule(:resource_monitor_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("all")) /* Resource monitor operations to include in debugging trace */.as(:oneline) ) end rule(:resources_type) do c( "cpu" ( c( "priority" arg /* Highest priority (nice level) process can run at */, "time" arg /* Maximum amount of CPU time that can be accumulated */ ) ), "memory" ( c( "data-size" arg /* Maximum size of the data segment */, "locked-in" arg /* Maximum bytes that can be locked into memory */, "resident-set-size" arg /* Maximum amount of private physical memory at any given moment */, "socket-buffers" arg /* Maximum amount of physical memory that may be dedicated to socket buffers */, "stack-size" arg /* Maximum size of the stack segment */ ) ), "file" ( c( "size" arg /* Maximum size of a file that can be created */, "open" arg /* Maximum number of simultaneous open files */, "core-size" arg /* Maximum size of a core file that can be created */ ) ) ) end rule(:rib_aggregate_type) do c( "defaults" ( /* Global route options */ c( "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ), "discard" /* Drop packets to destination; send no ICMP unreachables */, "next-table" arg /* Next hop to another table */, c( "brief" /* Include longest common sequences from contributing paths */, "full" /* Include all AS numbers from all contributing paths */ ), c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ) ) ), "route" arg ( /* Individual route options */ c( "policy" ( /* Policy filter */ policy_algebra /* Policy filter */ ), "metric" ( /* Metric value */ rib_static_metric_type /* Metric value */ ), "metric2" ( /* Metric value 2 */ rib_static_metric_type /* Metric value 2 */ ), "metric3" ( /* Metric value 3 */ rib_static_metric_type /* Metric value 3 */ ), "metric4" ( /* Metric value 4 */ rib_static_metric_type /* Metric value 4 */ ), "tag" ( /* Tag string */ rib_static_metric_type /* Tag string */ ), "tag2" ( /* Tag string 2 */ rib_static_metric_type /* Tag string 2 */ ), "preference" ( /* Preference value */ rib_static_metric_type /* Preference value */ ), "preference2" ( /* Preference value 2 */ rib_static_metric_type /* Preference value 2 */ ), "color" ( /* Color (preference) value */ rib_static_metric_type /* Color (preference) value */ ), "color2" ( /* Color (preference) value 2 */ rib_static_metric_type /* Color (preference) value 2 */ ), "community" ( /* BGP community identifier */ community /* BGP community identifier */ ), "as-path" ( /* Autonomous system path */ c( "path" arg /* Autonomous system path */, "origin" ( ("igp" | "egp" | "incomplete") ), "atomic-aggregate" /* Add ATOMIC_AGGREGATE path attribute to route */, "aggregator" ( /* Add AGGREGATOR path attribute to route */ c( arg /* Autonomous system number in plain number or 'higher 16bits'.'Lower 16 bits' (asdot notation) format */, ipv4addr /* Address of BGP system that formed the route */ ) ) ) ), "discard" /* Drop packets to destination; send no ICMP unreachables */, "next-table" arg /* Next hop to another table */, c( "brief" /* Include longest common sequences from contributing paths */, "full" /* Include all AS numbers from all contributing paths */ ), c( "active" /* Remove inactive route from forwarding table */, "passive" /* Retain inactive route in forwarding table */ ) ) ) ) end rule(:rib_group_inet_type) do c( arg /* Name of the routing table group */ ).as(:oneline) end rule(:rib_group_type) do c( arg /* Name of the IPv4 routing table group */, "inet" arg /* Name of the IPv4 routing table group */, "inet3" arg /* Name of the IPv4 inet.3 routing table group */, "inet6" arg /* Name of the IPv6 routing table group */, "inet63" arg /* Name of the IPv6 inet6.3 routing table group */ ) end rule(:rib_static_metric_type) do c( arg /* Metric value */, "type" arg /* Metric type */ ).as(:oneline) end rule(:rip_filter_obj) do c( "match-on" ( /* Argument on which to match */ ("prefix") ), "policy" ( /* Filter policy */ policy_algebra /* Filter policy */ ) ).as(:oneline) end rule(:rmopd_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("configuration" | "ipc" | "ppm" | "statistics" | "error" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:route_filter_list_items) do s( arg, c( "exact" arg /* Exactly match the prefix length */, "longer" arg /* Mask is greater than the prefix length */, "orlonger" arg /* Mask is greater than or equal to the prefix length */, "upto" arg /* Mask falls between two prefix lengths */, "through" arg /* Route falls between two prefixes */, "prefix-length-range" arg /* Mask falls between two prefix lengths */, "address-mask" arg /* Mask applied to prefix address */ ), c( "metric" ( /* Metric value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */, "igp" ( /* Track the IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "minimum-igp" ( /* Track the minimum IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "expression" ( /* Calculate value based on route metric and metric2 */ metric_expression_type /* Calculate value based on route metric and metric2 */ ), "aigp" /* Use aigp, if it exists, to set the IGP metric */ ) ) ), "metric2" ( /* Metric value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric3" ( /* Metric value 3 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric4" ( /* Metric value 4 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag" ( /* Tag string */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag2" ( /* Tag string 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference" ( /* Preference value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference2" ( /* Preference value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color" ( /* Color (preference) value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color2" ( /* Color (preference) value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "local-preference" ( /* Local preference associated with a route */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "priority" ( /* Set priority for route installation */ ("high" | "medium" | "low") ), "prefix-segment" ( /* Set prefix segment attributes */ sc( "index" arg /* Set prefix segment index */, "node-segment" /* Set node segment flag for this prefix segment */ ) ).as(:oneline), "label-allocation" ( /* Set label allocation mode */ ("per-table" | "per-nexthop" | "per-table-localize") ), "add-path" ( /* Set BGP add-path attributes */ sc( "send-count" arg /* Number of add-paths sent */ ) ).as(:oneline), "validation-state" ( /* Set validation-state of a route */ ("valid" | "invalid" | "unknown") ), "origin" ( /* BGP path origin */ ("igp" | "egp" | "incomplete") ), "aigp-originate" ( /* Originate a BGP AIGP attribute */ sc( "distance" arg /* AIGP distance */ ) ).as(:oneline), "aigp-adjust" ( /* Adjust a BGP AIGP attribute */ sc( c( "add", "subtract", "multiply", "divide" ), c( arg /* Adjustment value */, "distance-to-protocol-nexthop" /* Metric2 */ ) ) ).as(:oneline), "community" ( /* BGP community properties associated with a route */ s( c( "equal-literal" arg /* Set the BGP communities in the route */, "set" arg /* Set the BGP communities in the route */, "plus-literal" arg /* Add BGP communities to the route */, "add" arg /* Add BGP communities to the route */, "minus-literal" arg /* Remove BGP communities from the route */, "delete" arg /* Remove BGP communities from the route */ ), arg ) ).as(:oneline), "damping" arg /* Define BGP route flap damping parameters */, "aggregate-bandwidth" /* Advertise aggregate outbound link bandwidth */, "limit-bandwidth" arg /* Limit advertised aggregate outbound link bandwidth */, "no-entropy-label-capability" /* Don't advertise entropy label capability */, "as-path-prepend" arg /* Prepend AS numbers to an AS path (BGP only) */, "as-path-expand" ( /* Prepend AS numbers prior to adding local-as (BGP only) */ sc( c( "last-as" ( /* Prepend last AS */ sc( "count" arg /* Repeat count */ ) ).as(:oneline), arg /* AS path string */ ) ) ).as(:oneline), "next-hop" ( /* Set the address of the next-hop router */ sc( c( "self" /* Use a local address as the next-hop address */, "peer-address" /* Use the remote peer address as the next-hop address */, "reject" /* Use a reject next hop */, "discard" /* Use a discard next hop */, "next-table" arg /* Perform a forwarding lookup in the specified table */, ipaddr /* Next-hop address */ ) ) ).as(:oneline), "install-nexthop" ( /* Choose the next hop to be used for forwarding */ sc( "strict" /* Do not use any other available next hops */, c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ), "except" ( /* Do not choose to install matching next hops */ c( c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ) ) ) ) ).as(:oneline), "trace" /* Log matches to a trace file */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */, "nssa-only" /* Clear P-bit on lsa type 7 */ ) ), "load-balance" ( /* Type of load balancing in forwarding table */ sc( c( "per-packet" /* Load balance on a per-packet basis */, "random" /* Load balance using packet random spray */, "per-prefix" /* Load balance on a per-prefix basis */, "consistent-hash" /* Give a prefix consistent load-balancing */, "source-ip-only" /* Give a source based ip load-balancing */, "destination-ip-only" /* Give a destination based ip load-balancing */ ) ) ).as(:oneline), "no-route-localize" /* Force route install on all fib-remote PFEs */, "install-to-fib" /* Install route to fib */, "no-install-to-fib" /* Don't install route to fib */, "analyze" /* Send to registered controllers for analysis */, "class" arg /* Set class-of-service parameters */, "destination-class" arg /* Set destination class in forwarding table */, "source-class" arg /* Set source class in forwarding table */, "forwarding-class" arg /* Set source or destination class in forwarding table */, "map-to-interface" ( /* Set output logical interface */ sc( c( "self" /* Map the interface to itself */, interface_name /* Output logical interface */ ) ) ).as(:oneline), "ssm-source" ( /* List of Sources for SSM mapping */ ipaddr /* List of Sources for SSM mapping */ ), "p2mp-lsp-root" ( /* P2mp lsp root address */ c( "address" ( /* Ipv4 root address */ ipv4addr /* Ipv4 root address */ ) ) ), "cos-next-hop-map" arg /* Set CoS-based next-hop map in forwarding table */, "dynamic-tunnel-attributes" arg /* Choose the dynamic tunnel attributes used for forwarding */, "selected-mldp-egress" /* This node should act as egress node for MLDP inband signalling */, "mhop-bfd-port" /* Use port number 4784 for MPLS-BFD as per RFC5884 */, "no-backup" /* This prefix should not have backup */, "default-action" ( /* Set default policy action */ ("accept" | "reject") ), "next" ( /* Skip to next policy or term */ ("policy" | "term") ), c( "accept" /* Accept a route */, "reject" /* Reject a route */ ), "bgp-output-queue-priority" ( /* Set the BGP Update output queue priority. */ sc( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ) ).as(:oneline), "multipath-resolve" /* Use all paths for resolution over this prefix */ ) ) end rule(:route_record_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("parse" | "all")) /* Area of route-record to enable debuging output */.as(:oneline) ) end rule(:rpd_rib_group_type) do arg.as(:arg) ( c( "export-rib" arg /* Export routing table */, "import-rib" arg /* Import routing table */, "import-policy" ( /* Import policy */ policy_algebra /* Import policy */ ) ) ) end rule(:rsmon_fpc_type) do arg.as(:arg) ( c( "pic" ( /* Limiting subscriber on fpc */ rsmon_pic_type /* Limiting subscriber on fpc */ ), "limit" arg /* Number of subscribers allowed */ ) ) end rule(:rsmon_pic_type) do arg.as(:arg) ( c( "port" ( /* Limiting subscriber on port */ rsmon_port_type /* Limiting subscriber on port */ ), "limit" arg /* Number of subscribers allowed */ ) ) end rule(:rsmon_port_type) do arg.as(:arg) ( c( "limit" arg /* Number of subscribers allowed */ ) ) end rule(:rtf_prefix_list_items) do arg.as(:arg) end rule(:sampling_family_inet6_output_type) do c( "aggregate-export-interval" arg /* Interval of exporting aggregate accounting information */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-active-timeout" arg /* Interval after which an active flow is exported */, "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_sampling_inet6_sampling_type /* Configure sending traffic aggregates in cflowd format */ ), "interface" ( /* Interfaces used to send monitored information */ packet_export_intf_type /* Interfaces used to send monitored information */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline /* Inline processing of sampled packets */ ), "extension-service" arg /* Define the customer specific sampling configuration */ ) end rule(:cflowd_sampling_inet6_sampling_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" ( /* Export data in version 9 format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ) ) ) end rule(:packet_export_inline) do c( "source-address" ( /* Address to use for generating monitored packets */ ipaddr /* Address to use for generating monitored packets */ ), "flow-export-rate" arg /* Flow export rate of monitored packets in kpps */ ) end rule(:sampling_family_input_type) do c( "rate" arg /* Ratio of packets to be sampled (1 out of N) */, "run-length" arg /* Number of samples after initial trigger */, "max-packets-per-second" arg /* Threshold of samples per second before dropping */, "maximum-packet-length" arg /* Maximum length of the sampled packet */ ) end rule(:sampling_input_type) do c( "rate" arg /* Ratio of packets to be sampled (1 out of N) */, "run-length" arg /* Number of samples after initial trigger */, "max-packets-per-second" arg /* Threshold of samples per second before dropping */, "maximum-packet-length" arg /* Maximum length of the sampled packet */, "family" ( /* Protocol family */ c( "inet" ( /* Sampling parameters for IPv4 */ c( "rate" arg /* Ratio of packets to be sampled (1 out of N) */, "run-length" arg /* Number of samples after initial trigger */, "max-packets-per-second" arg /* Threshold of samples per second before dropping */, "maximum-packet-length" arg /* Maximum length of the sampled packet */ ) ), "mpls" /* Sampling parameters for MPLS */, "inet6" /* Sampling parameters for IPv6 */ ) ) ) end rule(:sampling_instance_bridge_output_type) do c( "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_instance_bridge_sampling_type /* Configure sending traffic aggregates in cflowd format */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline_instance /* Inline processing of sampled packets */ ) ) end rule(:cflowd_instance_bridge_sampling_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "version9" /* Export data in version 9 format */, "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ) ) ) end rule(:packet_export_inline_instance) do c( "source-address" ( /* Address to use for generating monitored packets */ ipaddr /* Address to use for generating monitored packets */ ), "flow-export-rate" arg /* Flow export rate of monitored packets in kpps */ ) end rule(:sampling_instance_inet6_output_type) do c( "aggregate-export-interval" arg /* Interval of exporting aggregate accounting information */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-active-timeout" arg /* Interval after which an active flow is exported */, "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_instance_inet6_sampling_type /* Configure sending traffic aggregates in cflowd format */ ), "interface" ( /* Interfaces used to send monitored information */ packet_export_intf_type /* Interfaces used to send monitored information */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline_instance /* Inline processing of sampled packets */ ), "extension-service" arg /* Define the customer specific sampling configuration */ ) end rule(:cflowd_instance_inet6_sampling_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" ( /* Export data in version 9 format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ) ) ) end rule(:sampling_instance_inet_global_output_type) do c( "aggregate-export-interval" arg /* Interval of exporting aggregate accounting information */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-active-timeout" arg /* Interval after which an active flow is exported */, "file" ( /* Configure parameters for dumping sampled packets */ sc( ("disable"), "filename" arg /* Name of file to contain sampled packet dumps */, "files" arg /* Maximum number of sampled packet dump files */, "size" arg /* Maximum sample dump file size */, "world-readable" /* Allow any user to read the sampled dump */, "no-world-readable" /* Don't allow any user to read the sampled dump */, "stamp" /* Timestamp every packet in the dump */, "no-stamp" /* Don't timestamp every packet in the dump */ ) ).as(:oneline), "port-mirroring" ( /* Configure sending sampled traffic out through an interface */ inet_pm_family_output_type /* Configure sending sampled traffic out through an interface */ ), "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_sampling_inet_type /* Configure sending traffic aggregates in cflowd format */ ), "interface" ( /* Interfaces used to send monitored information */ packet_export_intf_type /* Interfaces used to send monitored information */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline /* Inline processing of sampled packets */ ), "extension-service" arg /* Define the customer specific sampling configuration */ ) end rule(:cflowd_sampling_inet_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" ( /* Export data in version 9 format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version" ( /* Format of exported cflowd aggregates */ ("5" | "8" | "500") ) ) ) end rule(:sampling_instance_inet_output_type) do c( "aggregate-export-interval" arg /* Interval of exporting aggregate accounting information */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-active-timeout" arg /* Interval after which an active flow is exported */, "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_instance_inet_sampling_type /* Configure sending traffic aggregates in cflowd format */ ), "interface" ( /* Interfaces used to send monitored information */ packet_export_intf_type /* Interfaces used to send monitored information */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline_instance /* Inline processing of sampled packets */ ), "extension-service" arg /* Define the customer specific sampling configuration */ ) end rule(:cflowd_instance_inet_sampling_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" ( /* Export data in version 9 format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version" ( /* Format of exported cflowd aggregates */ ("5" | "8") ) ) ) end rule(:sampling_instance_input_type) do c( "rate" arg /* Ratio of packets to be sampled (1 out of N) */, "run-length" arg /* Number of samples after initial trigger */, "max-packets-per-second" arg /* Threshold of samples per second before dropping */, "maximum-packet-length" arg /* Maximum length of the sampled packet */ ) end rule(:sampling_instance_mpls_output_type) do c( "aggregate-export-interval" arg /* Interval of exporting aggregate accounting information */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-active-timeout" arg /* Interval after which an active flow is exported */, "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_instance_mpls_sampling_type /* Configure sending traffic aggregates in cflowd format */ ), "interface" ( /* Interfaces used to send monitored information */ packet_export_intf_type /* Interfaces used to send monitored information */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline_instance /* Inline processing of sampled packets */ ) ) end rule(:cflowd_instance_mpls_sampling_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" /* Export data in version 9 format */, "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ) ) ) end rule(:sampling_instance_vpls_output_type) do c( "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_instance_vpls_sampling_type /* Configure sending traffic aggregates in cflowd format */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline_instance /* Inline processing of sampled packets */ ) ) end rule(:cflowd_instance_vpls_sampling_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "version9" /* Export data in version 9 format */, "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ) ) ) end rule(:sampling_output_type) do c( "aggregate-export-interval" arg /* Interval of exporting aggregate accounting information */, "flow-inactive-timeout" arg /* Interval of inactivity that marks a flow inactive */, "flow-active-timeout" arg /* Interval after which an active flow is exported */, "file" ( /* Configure parameters for dumping sampled packets */ sc( ("disable"), "filename" arg /* Name of file to contain sampled packet dumps */, "files" arg /* Maximum number of sampled packet dump files */, "size" arg /* Maximum sample dump file size */, "world-readable" /* Allow any user to read the sampled dump */, "no-world-readable" /* Don't allow any user to read the sampled dump */, "stamp" /* Timestamp every packet in the dump */, "no-stamp" /* Don't timestamp every packet in the dump */ ) ).as(:oneline), "port-mirroring" ( /* Configure sending sampled traffic out through an interface */ inet_pm_family_output_type /* Configure sending sampled traffic out through an interface */ ), "flow-server" ( /* Configure sending traffic aggregates in cflowd format */ cflowd_sampling_type /* Configure sending traffic aggregates in cflowd format */ ), "interface" ( /* Interfaces used to send monitored information */ packet_export_intf_type /* Interfaces used to send monitored information */ ), "inline-jflow" ( /* Inline processing of sampled packets */ packet_export_inline /* Inline processing of sampled packets */ ), "extension-service" arg /* Define the customer specific sampling configuration */ ) end rule(:cflowd_sampling_type) do arg.as(:arg) ( c( "port" arg /* UDP port number on host collecting cflowd packets */, "dscp" arg /* Numeric DSCP value in the range 0 to 63 */, "forwarding-class" arg /* Forwarding-class for exported jflow packets, applicable only for inline-jflow */, "routing-instance" arg /* Name of routing instance on which flow collector is reachable */, "autonomous-system-type" ( /* Type of autonomous system number to export */ ("origin" | "peer") ), "aggregation" ( /* Aggregations to perform for exported flows (version 8 only) */ aggregation_type /* Aggregations to perform for exported flows (version 8 only) */ ), "local-dump" /* Dump cflowd records to log file before exporting */, "no-local-dump" /* Don't dump cflowd records to log file before exporting */, "source-address" ( /* Source IPv4 address for cflowd packets */ ipv4addr /* Source IPv4 address for cflowd packets */ ), "version9" ( /* Export data in version 9 format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version-ipfix" ( /* Export data in version ipfix format */ c( "template" ( /* Template configuration */ c( arg /* Template name */ ) ) ) ), "version" ( /* Format of exported cflowd aggregates */ ("5" | "8" | "500") ) ) ) end rule(:sampling_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline) ) end rule(:satellite_bridge_filter) do arg.as(:arg) ( c( "term" arg ( /* Define a firewall term */ c( "from" ( /* Define match criteria */ c( "source-mac-address" ( /* Match MAC source address */ firewall_mac_addr_object /* Match MAC source address */ ), "destination-mac-address" ( /* Match MAC destination address */ firewall_mac_addr_object /* Match MAC destination address */ ), "ip-source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "ip-destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), c( "ip-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ip-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "user-vlan-id" arg, "user-vlan-id-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "accept" /* Accept the packet */, "discard" /* Discard the packets */ ), "next-hop-group" arg /* Use specified next-hop group */ ) ) ) ) ) ) end rule(:satellite_policy_options) do c( "extended-ports-template" arg ( /* Extended ports template */ c( "pic" ( /* PIC attributes */ satellite_pic_type /* PIC attributes */ ) ) ), "port-group-alias" arg ( /* Port group alias */ c( "pic" arg ( /* Satellite PIC information */ c( "port" arg /* Port id or range or all */ ) ) ) ), "chassis-group-alias" arg ( /* Chassis group alias */ c( "prefer-primary" /* Primary mode chassis will be preferred */, "chassis-id" arg ( /* List of chassis-ids */ c( "mode" ( /* Mode Primary or Backup */ c( c( "primary" /* Primary Mode */, "backup" /* Backup Mode */ ) ) ), "core-interface" arg /* Core interface */ ) ) ) ), "extended-ports-policy" arg ( /* Define a extended-ports-policy */ c( "term" arg ( /* Policy term */ c( "from" ( /* Condition to match the satellite */ c( "product-model" arg /* Product Model Name */, "extended-ports-template" arg /* Apply extended ports template to satellite matching conditions defined in this term */ ) ) ) ) ) ), "candidate-uplink-port-policy" arg ( /* Define a candidate uplink-port policy */ c( "uplink-port-group" arg /* Uplink port group alias name */, "minimum-links" arg /* Minimum child links to keep extended-ports UP */, "holddown" arg /* Time to hold down after uplink failure */, "term" arg ( /* Policy term */ c( "from" ( /* Condition to match the satellite */ c( "product-model" arg /* Product Model Name */, "uplink-port-group" arg /* Uplink port group alias name */, "minimum-links" arg /* Minimum child links to keep extended-ports UP */, "holddown" arg /* Time to hold down after uplink failure */ ) ) ) ) ) ), "environment-monitoring-policy" arg ( /* Define a environment monitoring policy */ c( "alarm" ( /* Policy default alarm policy */ c( "linkdown" ( /* Policy default linkdown alarm */ ("ignore" | "red" | "yellow") ) ) ), "term" arg ( /* Policy term */ c( "from" ( /* Condition to match the satellite */ c( "product-model" arg /* Product Model Name */, "alarm" ( /* Term alarm policy */ c( "linkdown" ( /* Set linkdown alarm */ ("ignore" | "red" | "yellow") ) ) ) ) ) ) ) ) ), "forwarding-policy" arg ( /* Define forwarding policy for extended ports */ c( "port-group-extended" ( /* Define a extend port group mapping */ port_extend_type /* Define a extend port group mapping */ ), "term" arg ( /* Policy term */ c( "from" ( /* Condition to match the satellite */ c( "product-model" arg /* Product Model Name */, "port-group-extended" ( /* Define a extend port group mapping */ port_extend_type /* Define a extend port group mapping */ ) ) ) ) ) ) ) ) end rule(:port_extend_type) do arg.as(:arg) ( c( "filter" arg /* Assign a filter for uplink selection */, "port-group-uplink" ( /* Define a uplink port group mapping */ c( arg /* Uplink port group alias name used for uplink pinning mode */, "minimum-links" arg /* Minimum child links to keep extended-ports UP */, "holddown" arg /* Time to hold down after uplink failure */ ) ), "mirror-ingress" ( /* Define a ingress port mirror */ c( "port-group-mirror" arg /* Mirror port group alias name for local port mirroring */ ) ), "mirror-egress" ( /* Define a egress port mirror */ c( "port-group-mirror" arg /* Mirror port group alias name for local port mirroring */ ) ) ) ) end rule(:satellite_pic_type) do arg.as(:arg) ( c( "port" ( /* Port number */ satellite_pic_port_attr /* Port number */ ), "port-range" ( /* Physical ports to channelize */ s( arg, arg, c( "channel-speed" ( /* Port channel speed */ ("10g" | "disable-auto-speed-detection") ) ) ) ) ) ) end rule(:satellite_pic_port_attr) do arg.as(:arg) ( c( "channel-speed" ( /* Port channel speed */ ("10g" | "25g" | "50g" | "disable-auto-speed-detection") ) ) ) end rule(:sbc_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" ( /* Tracing parameters */ c( "configuration" ( /* Trace configuration events */ ("trace" | "debug" | "info" | "warning" | "error") ), "ipc" ( /* Trace IPC events */ ("trace" | "debug" | "info" | "warning" | "error") ), "device-monitor" ( /* Trace device monitor events */ ("trace" | "debug" | "info" | "warning" | "error") ), "ui" ( /* Trace ui events */ ("trace" | "debug" | "info" | "warning" | "error") ), "common" ( /* Trace common events */ ("trace" | "debug" | "info" | "warning" | "error") ), "memory-pool" ( /* Trace memory-pool events */ ("trace" | "debug" | "info" | "warning" | "error") ), "packet-capture" ( /* Trace packet capture events */ ("trace" | "debug" | "info" | "warning" | "error") ), "all" ( /* Minimal trace level for all components */ ("trace" | "debug" | "info" | "warning" | "error") ) ) ) ) end rule(:sbl_type) do c( "profile" arg ( /* SBL profile */ c( "sbl-default-server" /* Default SBL server */, "no-sbl-default-server" /* Don't default SBL server */, "spam-action" ( /* Anti-spam actions */ ("block" | "tag-header" | "tag-subject") ), "custom-tag-string" arg /* Custom tag string */, "address-whitelist" arg /* Anti-spam whitelist */, "address-blacklist" arg /* Anti-spam blacklist */ ) ) ) end rule(:scheduler_object_type) do arg.as(:arg) ( c( "description" arg /* Text description of scheduler */, "start-date" ( /* Start date and time ([YYYY-]MM-DD.hh:mm) */ s( arg, "stop-date" arg /* Stop date and time ([YYYY-]MM-DD.hh:mm) */ ) ), "daily" ( /* Everyday; can be overwritten by specific weekday */ daily_object /* Everyday; can be overwritten by specific weekday */ ), "sunday" ( /* Every Sunday */ daily_object /* Every Sunday */ ), "monday" ( /* Every Monday */ daily_object /* Every Monday */ ), "tuesday" ( /* Every Tuesday */ daily_object /* Every Tuesday */ ), "wednesday" ( /* Every Wednesday */ daily_object /* Every Wednesday */ ), "thursday" ( /* Every Thursday */ daily_object /* Every Thursday */ ), "friday" ( /* Every Friday */ daily_object /* Every Friday */ ), "saturday" ( /* Every Saturday */ daily_object /* Every Saturday */ ) ) ) end rule(:daily_object) do c( c( "start-time" ( /* Time range for day */ s( arg, "stop-time" arg /* Stop time for day (hh:mm) */ ) ), "exclude" /* Exclude day from week */, "all-day" /* Include complete day */ ) ) end rule(:script_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ).as(:oneline), "flag" enum(("all" | "events" | "input" | "offline" | "output" | "rpc" | "xslt")) /* Tracing parameters */.as(:oneline) ) end rule(:scripts_type) do c( "commit" ( /* Commit-time scripting mechanism */ c( "allow-transients" /* Allow loading of transient configuration changes */, "traceoptions" ( /* Trace options for commit scripts */ script_traceoptions /* Trace options for commit scripts */ ), "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */, "max-datasize" arg /* Maximum data segment size for scripts execution */, "direct-access" /* Access the configuration directly from database */, "dampen" ( /* Dampen execution of commit scripts */ c( "dampen-options" ( /* Dampen options for commit scripts */ c( "cpu-factor" arg /* CPU factor at which to pause */, "line-interval" arg /* Line interval at which to pause */, "time-interval" arg /* Time to pause */ ) ) ) ), "file" ( /* Commit script file */ commit_scripts_file_type /* Commit script file */ ) ) ), "op" ( /* Operations scripting */ c( "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */, "traceoptions" ( /* Trace options for operation scripts */ script_traceoptions /* Trace options for operation scripts */ ), "file" ( /* Configuration for each operation script */ op_scripts_file_type /* Configuration for each operation script */ ), "no-allow-url" /* Do not allow the remote execution of op scripts */, "allow-url-for-python" /* Allow the remote execution of Python op scripts */, "max-datasize" arg /* Maximum data segment size for scripts execution */, "dampen" ( /* Dampen execution of op scripts */ c( "dampen-options" ( /* Dampen options for op scripts */ c( "cpu-factor" arg /* CPU factor at which to pause */, "line-interval" arg /* Line interval at which to pause */, "time-interval" arg /* Time to pause */ ) ) ) ) ) ), "snmp" ( /* Snmp scripts */ c( "refresh" /* Refresh all snmp scripts from their source */, "refresh-from" arg /* Refresh all snmp scripts from a given base URL */, "file" ( /* Configuration for each snmp script */ snmp_scripts_file_type /* Configuration for each snmp script */ ), "traceoptions" ( /* Trace options for snmp scripts */ script_traceoptions /* Trace options for snmp scripts */ ), "max-datasize" arg /* Maximum data segment size for scripts execution */ ) ), "translation" ( /* Translation scripts */ c( "max-datasize" arg /* Maximum data segment size for translation scripts execution */ ) ), "load-scripts-from-flash" /* Load scripts from flash */, "language" ( /* Allow/Disallow Python scripts on-box */ ("python") ), "synchronize" /* Push all scripts to other RE on commit synchronize */ ) end rule(:commit_scripts_file_type) do arg.as(:arg) ( c( "optional" /* Allow commit to succeed if the script is missing */, "source" arg /* URL of source for this script */, "routing-instance" arg /* Routing instance */, "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */, "checksum" ( /* Checksum of this script */ c( "sha-256" arg /* SHA-256 checksum of this script */ ) ) ) ) end rule(:op_scripts_file_type) do arg.as(:arg) ( c( "command" arg /* Command alias for the script file */, "dampen" ( /* Dampen execution of the script */ c( "dampen-options" ( /* Dampen options for the script */ c( "cpu-factor" arg /* CPU factor at which to pause */, "line-interval" arg /* Line interval at which to pause */, "time-interval" arg /* Time to pause */ ) ) ) ), "description" arg /* Description of the script */, "source" arg /* URL of source for this script */, "routing-instance" arg /* Routing instance */, "allow-commands" ( /* Regular expression for commands to allow explicitly */ regular_expression /* Regular expression for commands to allow explicitly */ ), "refresh" /* Refresh all operation scripts from their source */, "refresh-from" arg /* Refresh all operation scripts from a given base URL */, "arguments" arg ( /* Command line argument to the script */ c( "description" arg /* Description of the argument */ ) ), "checksum" ( /* Checksum of this script */ c( "sha-256" arg /* SHA-256 checksum of this script */ ) ) ) ) end rule(:sdk_mgmtd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("service-infrastructure" | "routing-instance" | "config-handling" | "command-handling" | "cli-show-commands" | "all")) /* Area of daemon to enable debugging output */.as(:oneline) ) end rule(:sdk_vmmd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("init" | "configuration" | "ccif" | "pxe" | "platform" | "heartbeat" | "routing-instances" | "snmp" | "miscellaneous" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:sec_object) do c( "security-name" arg /* Specify v3 security-name */, "context" arg /* Specify context name associated to this security-name */ ) end rule(:secintel_category_disable) do ("IPFilter" | "GeoIP" | "CC" | "JWAS" | "Blacklist" | "Whitelist" | "Infected-Hosts").as(:arg) ( c( "disable" /* To disable category for feed update */ ) ) end rule(:secintel_policy_setting) do arg.as(:arg) ( c( "description" arg /* Text description of policy */, c( arg /* Name of profile */ ) ) ) end rule(:secintel_profile_setting) do arg.as(:arg) ( c( "description" arg /* Text description of profile */, "category" arg /* Profile category name */, "rule" ( /* Profile rule name */ secintel_profile_rule /* Profile rule name */ ), "default-rule" ( /* Profile default rule */ c( "then" ( /* Profile default rule action */ c( "action" ( /* Security intelligence profile action */ c( c( "permit" /* Permit action */, "block" ( /* Block action */ c( c( "drop" /* Drop packet */, "close" ( /* Close session */ c( "http" ( /* Http content for block action */ c( c( "file" arg /* File name for http response to client */, "message" arg /* Block message to client */, "redirect-url" arg /* Redirect url to client */ ) ) ) ) ) ) ) ), "recommended" /* Recommended action from feed server */ ) ) ), "log" /* Log security intelligence block action */, "no-log" /* Don't log security intelligence block action */ ) ) ) ) ) ) end rule(:secintel_profile_rule) do arg.as(:arg) ( c( "match" ( /* Profile matching feed name and threat levels */ c( "feed-name" arg /* Profile matching feed name */, "threat-level" arg /* Profile matching threat levels, higher number is more severe */ ) ), "then" ( /* Profile action and log */ c( "action" ( /* Security intelligence profile action */ c( c( "permit" /* Permit action */, "block" ( /* Block action */ c( c( "drop" /* Drop packet */, "close" ( /* Close session */ c( "http" ( /* Http content for block action */ c( c( "file" arg /* File name for http response to client */, "message" arg /* Block message to client */, "redirect-url" arg /* Redirect url to client */ ) ) ) ) ) ) ) ), "recommended" /* Recommended action from feed server */ ) ) ), "log" /* Log security intelligence block action */ ) ) ) ) end rule(:secintel_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("all" | "blacklist" | "cc" | "infected-hosts" | "control" | "feed" | "ipc" | "infrastucture" | "jwas" | "plugin" | "whitelist")) /* Trace flags */.as(:oneline) ) end rule(:secure_wire_type) do arg.as(:arg) ( c( "interface" ( /* Secure-wire logical interface */ interface_unit /* Secure-wire logical interface */ ) ) ) end rule(:securid_server_object) do arg.as(:arg) ( c( "configuration-file" arg /* Path to the SecurID server configuration (sdconf.rec) file */ ) ) end rule(:security_authentication_key_chains) do c( "key-chain" arg ( /* Key chain configuration */ c( "description" arg /* Text description of this authentication-key-chain */, "tolerance" arg /* Clock skew tolerance */, "key" arg ( /* Authentication element configuration */ c( "secret" arg /* Authentication key */, "key-name" arg /* Key name in hexadecimal format used for macsec */, "start-time" ( /* Start time for key transmission (YYYY-MM-DD.HH:MM) */ time /* Start time for key transmission (YYYY-MM-DD.HH:MM) */ ), "algorithm" ( /* Authentication algorithm */ ("md5" | "hmac-sha-1") ), "options" ( /* Protocol's transmission encoding format */ ("basic" | "isis-enhanced") ) ) ) ) ) ) end rule(:security_dhcpv6_options_type) do c( "option-37" ( /* Configure DHCPv6 remote identifier option */ c( "prefix" ( /* Configure DHCPv6 remote identifier prefix */ c( "host-name" /* Prefix router host name to DHCPv6 remote identifier */, "logical-system-name" /* Prefix logical system name to DHCPv6 remote identifier */, "routing-instance-name" /* Prefix routing instance name to DHCPv6 remote identifier */, "vlan-name" /* Prefix vlan name to DHCPv6 remote identifier */, "vlan-id" /* Prefix vlan tag to DHCPv6 remote identifier */ ) ), "use-interface-mac" /* Add incoming interface's MAC address to DHCPv6 remote identifier */, "use-interface-index" ( /* Add interface index to DHCPv6 remote identifier */ ("logical" | "device") ), "use-interface-name" ( /* Add interface name to DHCPv6 remote identifier */ ("logical" | "device") ), "use-interface-description" ( /* Add interface description to DHCPv6 remote identifier */ ("logical" | "device") ), "use-string" arg /* Add custom string to DHCPv6 remote identifier */ ) ), "option-18" ( /* Configure DHCPv6 interface identifier option */ c( "prefix" ( /* Configure DHCPv6 interface identifier prefix */ c( "host-name" /* Prefix router host name to DHCPv6 interface identifier */, "logical-system-name" /* Prefix logical system name to DHCPv6 interface identifier */, "routing-instance-name" /* Prefix routing instance name to DHCPv6 interface identifier */, "vlan-name" /* Prefix vlan name to DHCPv6 interface identifier */, "vlan-id" /* Prefix vlan tag to DHCPv6 interface identifier */ ) ), "use-interface-mac" /* Add incoming interface's MAC address to DHCPv6 circuit identifier */, "use-interface-index" ( /* Add interface index to DHCPv6 interface identifier */ ("logical" | "device") ), "use-interface-name" ( /* Add interface name to DHCPv6 remote identifier */ ("logical" | "device") ), "use-interface-description" ( /* Add interface description to DHCPv6 interface identifier */ ("logical" | "device") ), "use-string" arg /* Add custom string to DHCPv6 interface identifier */ ) ), "option-16" ( /* Configure DHCPv6 vendor class identifier option. Overwrite if exists */ c( "use-string" arg /* Add custom string to DHCPv6 vendor identifier */ ) ), "option-79" /* Configure DHCPv6 client link layer address option */ ) end rule(:security_group_vpn) do c( "member" ( /* Group VPN member configuration */ gvpn_member /* Group VPN member configuration */ ), "server" ( /* Group VPN server configuration */ gvpn_server /* Group VPN server configuration */ ) ) end rule(:gvpn_member) do c( "ike" ( /* Group VPN IKE configuration */ gvpn_member_ike /* Group VPN IKE configuration */ ), "ipsec" ( /* Group VPN IPsec configuration */ gvpn_member_ipsec_vpn /* Group VPN IPsec configuration */ ) ) end rule(:gvpn_member_ike) do c( "traceoptions" ( /* Trace options for Group VPN Member */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("timer" | "routing-socket" | "parse" | "config" | "ike" | "policy-manager" | "general" | "database" | "certificates" | "snmp" | "thread" | "high-availability" | "next-hop-tunnels" | "all")) /* Tracing parameters */.as(:oneline), "gateway-filter" ( /* Set gateway filter for trace */ c( "local-address" ( /* Use an IP address to identify the local gateway */ ipv4addr /* Use an IP address to identify the local gateway */ ), "remote-address" ( /* Use an IP address to identify the remote gateway */ ipv4addr /* Use an IP address to identify the remote gateway */ ) ) ) ) ), "proposal" ( /* Define an IKE proposal */ gvpn_member_ike_proposal /* Define an IKE proposal */ ), "policy" ( /* Define an IKE policy */ gvpn_ike_policy /* Define an IKE policy */ ), "gateway" arg ( /* Define an IKE gateway */ c( "ike-policy" arg /* Name of the IKE policy */, "server-address" ( /* Server Addresses upto 4 */ ipv4addr /* Server Addresses upto 4 */ ), "local-identity" ( /* Set the local IKE identity */ sc( c( "inet" ( /* Use an IPv4 address */ c( ipv4addr /* The local IPv4 identity */ ) ), "hostname" ( /* Use a fully-qualified domain name */ c( arg /* The local hostname */ ) ), "user-at-hostname" ( /* Use an e-mail address */ c( arg /* The local user-FQDN */ ) ) ) ) ).as(:oneline), "remote-identity" ( /* Set the remote IKE identity */ sc( c( "inet" ( /* Use an IPv4 address */ c( ipv4addr /* The remote IPv4 identity */ ) ), "hostname" ( /* Use a fully-qualified domain name */ c( arg /* The remote hostname */ ) ), "user-at-hostname" ( /* Use an e-mail address */ c( arg /* The remote user-FQDN */ ) ) ) ) ).as(:oneline), "local-address" ( /* Local IPv4 address for group member */ ipv4addr /* Local IPv4 address for group member */ ), "routing-instance" arg /* Name of routing instance that hosts local address */ ) ) ) end rule(:gvpn_ike_policy) do arg.as(:arg) ( c( "mode" ( /* Define the IKE mode for Phase 1 */ ("main" | "aggressive") ), "description" arg /* Text description of IKE policy */, "proposals" arg, "pre-shared-key" ( /* Define a preshared key */ sc( c( "ascii-text" arg /* Format as text */, "hexadecimal" arg /* Format as hexadecimal */ ) ) ).as(:oneline) ) ) end rule(:gvpn_member_ike_proposal) do arg.as(:arg) ( c( "description" arg /* Text description of IKE proposal */, "authentication-method" ( /* Define authentication method */ ("pre-shared-keys") ), "dh-group" ( /* Define Diffie-Hellman group */ ("group14" | "group24") ), "authentication-algorithm" ( /* Define authentication algorithm */ ("sha-256" | "sha-384") ), "encryption-algorithm" ( /* Define encryption algorithm */ ("aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc") ), "lifetime-seconds" arg /* Lifetime, in seconds */ ) ) end rule(:gvpn_member_ipsec_vpn) do c( "vpn" ( /* Define an IPSec VPN */ ipsec_gvpn_member_template /* Define an IPSec VPN */ ) ) end rule(:gvpn_server) do c( "traceoptions" ( /* Trace options for Group VPN debug */ gvpn_server_traceoptions /* Trace options for Group VPN debug */ ), "ike" ( /* Group VPN IKE configuration */ gvpn_server_ike /* Group VPN IKE configuration */ ), "ipsec" ( /* Group VPN IPsec configuration */ gvpn_server_ipsec_vpn /* Group VPN IPsec configuration */ ), "group" ( /* Define a Group VPN group */ gvpn_server_group_template /* Define a Group VPN group */ ) ) end rule(:gvpn_server_group_template) do arg.as(:arg) ( c( "description" arg /* Text description of Group VPN group */, "group-id" arg /* Enable Group VPN by defining group id */, "member-threshold" arg /* Maximum number of members in this group */, "server-cluster" ( /* Enable server cluster for this group */ gvpn_server_cluster /* Enable server cluster for this group */ ), "ike-gateway" ( /* Name of the IKE gateway */ gvpn_server_ike_gateway /* Name of the IKE gateway */ ), "activation-time-delay" arg /* Configure delay in seconds for Group VPN key activation */, "anti-replay-time-window" arg /* Configure Anti Replay time in milliseconds */, "server-member-communication" ( /* Configure Server to Member communication parameters */ gvpn_server_member_communication /* Configure Server to Member communication parameters */ ), "ipsec-sa" ( /* Define a Group VPN group SA */ gvpn_server_group_ipsecsa /* Define a Group VPN group SA */ ) ) ) end rule(:gvpn_server_cluster) do c( "server-role" ( /* Primary or backup server */ ("root-server" | "sub-server") ), "ike-gateway" ( /* Name of the IKE gateway */ gvpn_server_ike_gateway_sc /* Name of the IKE gateway */ ), "retransmission-period" arg /* Configure retransmission period in seconds Default :10 */ ) end rule(:gvpn_server_group_ipsecsa) do arg.as(:arg) ( c( "proposal" arg /* Name of the IPsec proposal */, "match-policy" ( /* Configure a Group VPN group SA */ gvpn_server_group_ipsecsa_match /* Configure a Group VPN group SA */ ) ) ) end rule(:gvpn_server_group_ipsecsa_match) do arg.as(:arg) ( c( "source" ( /* Specify the source IP address to be matched (0.0.0.0/0 for any) */ ipv4prefix_mandatory /* Specify the source IP address to be matched (0.0.0.0/0 for any) */ ), "destination" ( /* Specify the destination IP address to be matched (0.0.0.0/0 for any) */ ipv4prefix_mandatory /* Specify the destination IP address to be matched (0.0.0.0/0 for any) */ ), "source-port" arg /* Specify the source port to be matched (0 for any) */, "destination-port" arg /* Specify the destination port to be matched (0 for any) */, "protocol" arg /* Specify the protocol number to be matched (0 for any) */ ) ) end rule(:gvpn_server_ike) do c( "proposal" ( /* Define an IKE proposal */ gvpn_server_ike_proposal /* Define an IKE proposal */ ), "policy" ( /* Define an IKE policy */ gvpn_ike_policy /* Define an IKE policy */ ), "gateway" arg ( /* Define an IKE gateway */ c( "ike-policy" arg /* Name of the IKE policy */, c( "address" arg /* IP address of peer */, "dynamic" ( /* Site to site peer with dynamic IP address */ c( c( "hostname" arg /* Use a fully-qualified domain name */, "inet" ( /* Use an IPV4 address to identify the dynamic peer */ ipv4addr /* Use an IPV4 address to identify the dynamic peer */ ), "user-at-hostname" arg /* Use an e-mail address */ ) ) ) ), "dead-peer-detection" ( /* Enable Dead Peer Detection between group-server-cluster servers */ c( c( "always-send" /* Send probes periodically regardless of incoming and outgoing data traffic */ ), "interval" arg /* The time between DPD probe messages Default :10 */, "threshold" arg /* Maximum number of DPD retransmissions Default :5 */ ) ), "local-identity" ( /* Set the local IKE identity */ sc( c( "inet" ( /* Use an IPv4 address */ c( ipv4addr /* The local IPv4 identity */ ) ), "hostname" ( /* Use a fully-qualified domain name */ c( arg /* The local hostname */ ) ), "user-at-hostname" ( /* Use an e-mail address */ c( arg /* The local user-FQDN */ ) ) ) ) ).as(:oneline), "remote-identity" ( /* Set the remote IKE identity */ sc( c( "inet" ( /* Use an IPv4 address */ c( ipv4addr /* The remote IPv4 identity */ ) ), "hostname" ( /* Use a fully-qualified domain name */ c( arg /* The remote hostname */ ) ), "user-at-hostname" ( /* Use an e-mail address */ c( arg /* The remote user-FQDN */ ) ) ) ) ).as(:oneline), "local-address" ( /* Local IP address for IKE negotiations */ ipaddr /* Local IP address for IKE negotiations */ ), "routing-instance" arg /* Name of routing instance that hosts local address */ ) ) ) end rule(:gvpn_server_ike_gateway) do arg.as(:arg) end rule(:gvpn_server_ike_gateway_sc) do arg.as(:arg) end rule(:gvpn_server_ike_proposal) do arg.as(:arg) ( c( "description" arg /* Text description of IKE proposal */, "authentication-method" ( /* Define authentication method */ ("pre-shared-keys") ), "authentication-algorithm" ( /* Define authentication algorithm */ ("sha-256" | "sha-384") ), "dh-group" ( /* Define Diffie-Hellman group */ ("group14" | "group24") ), "encryption-algorithm" ( /* Define encryption algorithm */ ("aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc") ) ) ) end rule(:gvpn_server_ipsec_vpn) do c( "proposal" ( /* Define an IPSec proposal */ gvpn_server_ipsec_proposal /* Define an IPSec proposal */ ) ) end rule(:gvpn_server_ipsec_proposal) do arg.as(:arg) ( c( "description" arg /* Text description of IPSec proposal */, "authentication-algorithm" ( /* Define authentication algorithm */ ("hmac-sha-256-128") ), "encryption-algorithm" ( /* Define encryption algorithm */ ("aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc") ), "lifetime-seconds" arg /* Lifetime, in seconds */ ) ) end rule(:gvpn_server_member_communication) do c( "communication-type" ( /* Define type of server member communication */ ("unicast") ), "lifetime-seconds" arg /* Configure lifetime in seconds */, "retransmission-period" arg /* Configure retransmission period in seconds */, "number-of-retransmission" arg /* Configure maximum number of retransmission attempts */, "heartbeat" arg /* Configure heartbeat period in seconds */, "encryption-algorithm" ( /* Define encryption algorithm */ ("aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc") ), "sig-hash-algorithm" ( /* Define sig-hash algorithm */ ("sha-256" | "sha-384") ), "certificate" arg /* Certificate identifier */ ) end rule(:gvpn_server_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("timer" | "routing-socket" | "parse" | "config" | "ike" | "policy-manager" | "general" | "database" | "certificates" | "snmp" | "thread" | "high-availability" | "next-hop-tunnels" | "all")) /* Tracing parameters for GKSD */.as(:oneline), "gateway-filter" ( /* Set gateway filter for trace */ c( "local-address" ( /* Use an IPV4 address to identify the local gateway */ ipv4addr /* Use an IPV4 address to identify the local gateway */ ), "remote-address" ( /* Use an IPV4 address to identify the remote gateway */ ipv4addr /* Use an IPV4 address to identify the remote gateway */ ) ) ) ) end rule(:ipsec_gvpn_member_template) do arg.as(:arg) ( c( "ike-gateway" arg /* Name of IKE gateway */, "group-vpn-external-interface" ( /* External interface for Group VPN */ interface_name /* External interface for Group VPN */ ), "group" arg /* Enable Group VPN by defining group id */, "heartbeat-threshold" arg /* Define heartbeat threshold for Group VPN */, "match-direction" arg /* Direction for which the rule match is applied */, "tunnel-mtu" arg /* Maximum transmit packet size */, "recovery-probe" /* Enable triggering recovery probe mechanism */, "df-bit" ( /* Specifies how to handle the Don't Fragment bit */ ("clear" | "set" | "copy") ), "fail-open" ( /* List of fail open rules */ ipsec_gvpn_fail_open_rule_object /* List of fail open rules */ ), "exclude" ( /* List of exclude rules */ ipsec_gvpn_exclude_rule_object /* List of exclude rules */ ) ) ) end rule(:ipsec_gvpn_exclude_rule_object) do c( "rule" ( /* Define exlude rules upto 10 */ ipsec_gvpn_rule_address_object /* Define exlude rules upto 10 */ ) ) end rule(:ipsec_gvpn_fail_open_rule_object) do c( "rule" ( /* Define fail open rules upto 10 */ ipsec_gvpn_rule_address_object /* Define fail open rules upto 10 */ ) ) end rule(:ipsec_gvpn_rule_address_object) do arg.as(:arg) ( c( "source-address" ( /* Match IP source address */ ipsec_gvpn_addr_object /* Match IP source address */ ), "destination-address" ( /* Match IP destination address */ ipsec_gvpn_addr_object /* Match IP destination address */ ), "application" arg /* Match application */ ) ) end rule(:ipsec_gvpn_addr_object) do c( ipv4prefix_only /* Prefix to match */ ) end rule(:security_ike) do c( "traceoptions" ( /* Trace options for IPSec key management */ security_traceoptions /* Trace options for IPSec key management */ ), "respond-bad-spi" ( /* Respond to IPSec packets with bad SPI values */ sc( arg ) ).as(:oneline), "proposal" ( /* Define an IKE proposal */ ike_proposal /* Define an IKE proposal */ ), "policy" ( /* Define an IKE policy */ ike_policy /* Define an IKE policy */ ), "gateway" arg ( /* Define an IKE gateway */ c( "ike-policy" arg /* Name of the IKE policy */, c( "address" ( /* Addresses or hostnames of peer:1 primary, upto 4 backups */ (arg) ), "dynamic" ( /* Site to site peer with dynamic IP address */ c( c( "distinguished-name" ( /* Use a distinguished name: */ c( "container" arg /* Specify the container string */, "wildcard" arg /* Specify the wildcard string */ ) ), "hostname" arg /* Use a fully-qualified domain name */, "inet" ( /* Use an IPV4 address to identify the dynamic peer */ ipv4addr /* Use an IPV4 address to identify the dynamic peer */ ), "inet6" ( /* Use an IPV6 address to identify the dynamic peer */ ipv6addr /* Use an IPV6 address to identify the dynamic peer */ ), "user-at-hostname" arg /* Use an e-mail address */ ), "connections-limit" arg /* Maximum number of users connected to gateway */, "ike-user-type" ( /* Type of the IKE ID */ ("group-ike-id" | "shared-ike-id") ), "reject-duplicate-connection" /* Reject new connection from duplicate IKE-id */ ) ) ), "dead-peer-detection" ( /* Enable Dead Peer Detection */ c( c( "optimized" /* Send probes only when there is outgoing and no incoming data traffic - RFC3706 (Default mode) */, "probe-idle-tunnel" /* Send probes same as in optimized mode and also when there is no outgoing & incoming data traffic */, "always-send" /* Send probes periodically regardless of incoming and outgoing data traffic */ ), "interval" arg /* The time between DPD probe messages Default :10 */, "threshold" arg /* Maximum number of DPD retransmissions Default :5 */ ) ), "no-nat-traversal" /* Disable IPSec NAT traversal */, "nat-keepalive" arg /* Interval at which to send NAT keepalives */, "local-identity" ( /* Set the local IKE identity */ sc( c( "inet" ( /* Use an IPv4 address */ c( ipv4addr /* The local IPv4 identity */ ) ), "inet6" ( /* Use an IPv6 address */ c( ipv6addr /* The local IPv6 identity */ ) ), "hostname" ( /* Use a fully-qualified domain name */ c( arg /* The local hostname */ ) ), "user-at-hostname" ( /* Use an e-mail address */ c( arg /* The local user-FQDN */ ) ), "distinguished-name" /* Use a distinguished name specified in local certificate */, "key-id" ( /* Key ID identification values in ASCII string */ c( arg ) ) ) ) ).as(:oneline), "remote-identity" ( /* Set the remote IKE identity */ sc( c( "inet" ( /* Use an IPv4 address */ c( ipv4addr /* The remote IPv4 identity */ ) ), "inet6" ( /* Use an IPv6 address */ c( ipv6addr /* The remote IPv6 identity */ ) ), "hostname" ( /* Use a fully-qualified domain name */ c( arg /* The remote hostname */ ) ), "user-at-hostname" ( /* Use an e-mail address */ c( arg /* The remote user-FQDN */ ) ), "distinguished-name" ( /* Use a distinguished name: */ c( "container" arg /* Specify the container string */, "wildcard" arg /* Specify the wildcard string */ ) ), "key-id" ( /* Key ID identification values in string */ c( arg ) ) ) ) ).as(:oneline), "external-interface" ( /* External interface for IKE negotiations */ interface_unit /* External interface for IKE negotiations */ ), "local-address" ( /* Local IP address for IKE negotiations */ ipaddr /* Local IP address for IKE negotiations */ ), "aaa" ( /* Use extended authentication */ c( "access-profile" arg /* Access profile that contains authentication information */, "client" ( /* AAA client info for authentication */ sc( "username" arg /* AAA client username with 1 to 128 characters */, "password" arg /* AAA client password with 1 to 128 characters */ ) ).as(:oneline) ) ), "xauth" ( /* Use extended authentication */ c( "access-profile" arg /* Access profile that contains authentication information */, "client" ( /* Xauth client info for authentication */ sc( "username" arg /* XAuth client username with 1 to 128 characters */, "password" arg /* XAuth client password with 1 to 128 characters */ ) ).as(:oneline) ) ), "general-ikeid" /* Accept peer IKE-ID in general */, "advpn" ( /* Enable Auto Discovery VPN */ advpn_suggester_partner /* Enable Auto Discovery VPN */ ), "version" ( /* Negotiate using either IKE v1 or IKE v2 protocol */ ("v1-only" | "v2-only") ), "fragmentation" ( /* IKEv2 fragmentation configuration */ c( "disable" /* Disable IKEv2 fragmentation */, "size" arg /* Default 576 bytes for ipv4 and 1280 bytes for ipv6 */ ) ), "tcp-encap-profile" arg /* Ike over tcp profile name */ ) ) ) end rule(:advpn_suggester_partner) do c( "suggester" ( /* Configure Shortcut Suggester parameters */ c( "disable" /* Disable Suggester capability */ ) ), "partner" ( /* Configure Shortcut Partner parameters */ c( "connection-limit" arg /* Maximum number of shortcut connections (default: varies per platform) */, "idle-time" arg /* The duration (in sec) after which shortcut is torn down (default: 300 sec) */, "idle-threshold" arg /* The packet rate below which shortcut is torn down (default: 5 packets/sec) */, "disable" /* Disable Partner capability */ ) ) ) end rule(:ike_policy) do arg.as(:arg) ( c( "mode" ( /* Define the IKE mode for Phase 1 */ ("main" | "aggressive") ), "reauth-frequency" arg /* Re-auth Peer after reauth-frequency times hard lifetime. (0-100) Default:0=Disabled */, "description" arg /* Text description of IKE policy */, "proposals" arg, "certificate" ( /* Certificate configuration */ c( "local-certificate" arg /* Local certificate identifier */, "trusted-ca" ( /* Specify the CA to use */ sc( c( arg /* Index of the preferred CA to use */, "use-all" /* Use all configured CAs */, "ca-profile" arg /* Name of the preferred CA to use */, "trusted-ca-group" arg /* Name of the preferred CA group to use */ ) ) ).as(:oneline), "peer-certificate-type" ( /* Preferred type of certificate from peer */ ("pkcs7" | "x509-signature") ), "policy-oids" arg /* Certificate policy object identifiers (maximum 5) */ ) ), "proposal-set" ( /* Types of default IKE proposal-set */ ("basic" | "compatible" | "standard" | "suiteb-gcm-128" | "suiteb-gcm-256") ), "pre-shared-key" ( /* Define a preshared key */ sc( c( "ascii-text" arg /* Format as text */, "hexadecimal" arg /* Format as hexadecimal */ ) ) ).as(:oneline) ) ) end rule(:ike_proposal) do arg.as(:arg) ( c( "description" arg /* Text description of IKE proposal */, "authentication-method" ( /* Define authentication method */ ("pre-shared-keys" | "rsa-signatures" | "dsa-signatures" | "ecdsa-signatures-256" | "ecdsa-signatures-384") ), "dh-group" ( /* Define Diffie-Hellman group */ ("group1" | "group2" | "group5" | "group14" | "group15" | "group16" | "group19" | "group20" | "group24") ), "authentication-algorithm" ( /* Define authentication algorithm */ ("md5" | "sha1" | "sha-256" | "sha-384") ), "encryption-algorithm" ( /* Define encryption algorithm */ ("des-cbc" | "3des-cbc" | "aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc" | "aes-128-gcm" | "aes-256-gcm") ), "lifetime-seconds" arg /* Lifetime, in seconds */ ) ) end rule(:security_ipsec_policies) do c( "from-zone" ( /* Define ipsec policy context */ security_ipsec_policy /* Define ipsec policy context */ ) ) end rule(:security_ipsec_policy) do s( arg, "to-zone" arg /* Outgoing zone */, c( "ipsec-group-vpn" arg /* Group VPN name */ ) ) end rule(:security_ipsec_vpn) do c( "internal" ( /* Define an IPSec SA for internal RE-RE communication */ c( "security-association" ( /* Define an IPsec security association */ ipsec_internal_sa /* Define an IPsec security association */ ) ) ), "traceoptions" ( /* Trace options for IPSec data-plane debug */ ipsec_traceoptions /* Trace options for IPSec data-plane debug */ ), "vpn-monitor-options" ( /* Global options for VPN liveliness monitoring */ ipsec_vpn_monitor /* Global options for VPN liveliness monitoring */ ), "proposal" ( /* Define an IPSec proposal */ ipsec_proposal /* Define an IPSec proposal */ ), "policy" ( /* Define an IPSec policy */ ipsec_policy /* Define an IPSec policy */ ), "vpn" ( /* Define an IPSec VPN */ ipsec_vpn_template /* Define an IPSec VPN */ ), "security-association" ( /* Define a manual control plane SA */ ipsec_sa /* Define a manual control plane SA */ ) ) end rule(:ipsec_internal_sa) do c( "manual" ( /* Define a manual security association */ c( "encryption" ( /* Define encryption parameters */ c( "algorithm" ( /* Define encryption algorithm */ ("3des-cbc") ), "ike-ha-link-encryption" ( /* Enable HA link encryption IKE internal messages */ ("enable") ), "key" ( /* Define an encryption key */ sc( c( "ascii-text" ( /* Format as text */ unreadable /* Format as text */ ) ) ) ).as(:oneline) ) ) ) ) ) end rule(:ipsec_policy) do arg.as(:arg) ( c( "description" arg /* Text description of IPSec policy */, "perfect-forward-secrecy" ( /* Define perfect forward secrecy */ c( "keys" ( /* Define Diffie-Hellman group */ ("group1" | "group2" | "group5" | "group14" | "group15" | "group16" | "group19" | "group20" | "group24") ) ) ), "proposals" arg, "proposal-set" ( /* Types of default IPSEC proposal-set */ ("basic" | "compatible" | "standard" | "suiteb-gcm-128" | "suiteb-gcm-256" | "prime-128" | "prime-256") ) ) ) end rule(:ipsec_proposal) do arg.as(:arg) ( c( "description" arg /* Text description of IPSec proposal */, "protocol" ( /* Define an IPSec protocol for the proposal */ ("ah" | "esp") ), "authentication-algorithm" ( /* Define authentication algorithm */ ("hmac-md5-96" | "hmac-sha1-96" | "hmac-sha-256-128" | "hmac-sha-256-96") ), "encryption-algorithm" ( /* Define encryption algorithm */ ("des-cbc" | "3des-cbc" | "aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc" | "aes-128-gcm" | "aes-192-gcm" | "aes-256-gcm") ), "lifetime-seconds" arg /* Lifetime, in seconds */, "lifetime-kilobytes" arg /* Lifetime, in kilobytes */ ) ) end rule(:ipsec_sa) do arg.as(:arg) ( c( "description" arg /* Text description of security association */, "mode" ( /* Define security association mode */ ("transport") ), c( "manual" ( /* Define a manual security association */ security_association_manual /* Define a manual security association */ ) ) ) ) end rule(:ipsec_traceoptions) do c( "flag" enum(("packet-processing" | "packet-drops" | "security-associations" | "next-hop-tunnel-binding" | "all")) /* Events to include in data-plane IPSec trace output */.as(:oneline) ) end rule(:ipsec_vpn_monitor) do c( "interval" arg /* Monitor interval in seconds */, "threshold" arg /* Number of consecutive failures to determine connectivity */ ) end rule(:ipsec_vpn_template) do arg.as(:arg) ( c( "bind-interface" ( /* Bind to tunnel interface (route-based VPN) */ interface_name /* Bind to tunnel interface (route-based VPN) */ ), "df-bit" ( /* Specifies how to handle the Don't Fragment bit */ ("clear" | "set" | "copy") ), "multi-sa" ( /* Negotiate multiple SAs based on configuration choice */ c( c( "forwarding-class" arg ) ) ), "copy-outer-dscp" /* Enable copying outer IP header DSCP and ECN to inner IP header */, "vpn-monitor" ( /* Monitor VPN liveliness */ ipsec_template_monitor /* Monitor VPN liveliness */ ), c( "manual" ( /* Define a manual security association */ c( "gateway" ( /* Define the IPSec peer */ hostname /* Define the IPSec peer */ ), "external-interface" ( /* External interface for the security association */ interface_unit /* External interface for the security association */ ), "protocol" ( /* Define an IPSec protocol for the security association */ ("ah" | "esp") ), "spi" arg /* Define security parameter index */, "authentication" ( /* Define authentication parameters */ c( "algorithm" ( /* Define authentication algorithm */ ("hmac-md5-96" | "hmac-sha1-96" | "hmac-sha-256-128" | "hmac-sha-256-96") ), "key" ( /* Define an authentication key */ sc( c( "ascii-text" arg /* Format as text */, "hexadecimal" arg /* Format as hexadecimal */ ) ) ).as(:oneline) ) ), "encryption" ( /* Define encryption parameters */ c( "algorithm" ( /* Define encryption algorithm */ ("des-cbc" | "3des-cbc" | "aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc" | "aes-128-gcm" | "aes-256-gcm") ), "key" ( /* Define an encryption key */ sc( c( "ascii-text" arg /* Format as text */, "hexadecimal" arg /* Format as hexadecimal */ ) ) ).as(:oneline) ) ) ) ), "ike" ( /* Define an IKE-keyed IPSec vpn */ c( "gateway" arg /* Name of remote gateway */, "idle-time" arg /* Idle time to delete SA */, "no-anti-replay" /* Disable the anti-replay check */, "proxy-identity" ( /* IPSec proxy-id to use in IKE negotiations */ ipsec_template_proxy_id /* IPSec proxy-id to use in IKE negotiations */ ), "ipsec-policy" arg /* Name of the IPSec policy */, "install-interval" arg /* Delay installation of rekeyed outbound SAs on initiator */ ) ) ), "traffic-selector" arg ( /* Traffic selector */ c( "local-ip" ( /* IP address of local traffic-selector */ ipprefix_mandatory /* IP address of local traffic-selector */ ), "remote-ip" ( /* IP address of remote traffic-selector */ ipprefix_mandatory /* IP address of remote traffic-selector */ ) ) ), "establish-tunnels" ( /* Define the criteria to establish tunnels */ ("immediately" | "on-traffic") ), "passive-mode-tunneling" /* No active IP packet checks before IPSec encapsulation */, "match-direction" arg /* Direction for which the rule match is applied */, "tunnel-mtu" arg /* Maximum transmit packet size */, "udp-encapsulate" ( /* UDP encapsulation of IPsec data traffic */ sc( "dest-port" arg /* UDP destination port */ ) ).as(:oneline) ) ) end rule(:ipsec_template_monitor) do c( "optimized" /* Optimize for scalability */, "source-interface" ( /* Source interface for monitor message */ interface_unit /* Source interface for monitor message */ ), "destination-ip" ( /* Destination IP addres for monitor message */ ipaddr /* Destination IP addres for monitor message */ ), "verify-path" ( /* Verify IPSec path using vpn-monitor before bring up st0 state */ c( "destination-ip" ( /* Destination IP addres for verify IPSec path */ ipaddr /* Destination IP addres for verify IPSec path */ ), "packet-size" arg /* Size of the packet */ ) ) ) end rule(:ipsec_template_proxy_id) do c( "local" ( /* Local IP address/prefix length */ ipprefix_mandatory /* Local IP address/prefix length */ ), "remote" ( /* Remote IP address/prefix length */ ipprefix_mandatory /* Remote IP address/prefix length */ ), "service" arg /* Name of serivce that passes through, any enables all services */ ) end rule(:security_association_manual) do c( "direction" enum(("bidirectional")) ( /* Define the direction of the security association */ c( "protocol" ( /* Define an IPSec protocol for the security association */ ("ah" | "esp") ), "spi" arg /* Define security parameter index */, "authentication" ( /* Define authentication parameters */ c( "algorithm" ( /* Define authentication algorithm */ ("hmac-md5-96" | "hmac-sha1-96") ), "key" ( /* Define an authentication key */ sc( c( "ascii-text" arg /* Format as text */, "hexadecimal" arg /* Format as hexadecimal */ ) ) ).as(:oneline) ) ), "encryption" ( /* Define encryption parameters */ c( "algorithm" ( /* Define encryption algorithm */ ("des-cbc" | "3des-cbc") ), "key" ( /* Define an encryption key */ sc( c( "ascii-text" arg /* Format as text */, "hexadecimal" arg /* Format as hexadecimal */ ) ) ).as(:oneline) ) ) ) ) ) end rule(:security_macsec) do c( "traceoptions" ( /* Tracing options for debugging protocol operation */ macsec_trace_options /* Tracing options for debugging protocol operation */ ), "connectivity-association" arg ( /* Configure connectivity association properties */ c( "cipher-suite" arg /* Cipher suite to be used for encryption */, "security-mode" ( /* Connectivity association mode */ ("dynamic" | "static-sak" | "static-cak") ), "secure-channel" /* Configure secure channel properties */, "mka" ( /* Configure MAC Security Key Agreement protocol properties */ c( "transmit-interval" arg /* Configure MKA periodic transmit interval */, "bounded-delay" /* Configure Bounded Hello Time */, "key-server-priority" arg /* Configure MKA key server priority */, "must-secure" /* Allow only secure dot1x traffic */, "should-secure" /* Configure fail open mode for MKA protocol */, "eapol-address" ( /* Configure EAPOL destination group address */ ("pae" | "provider-bridge" | "lldp-multicast") ) ) ), "replay-protect" ( /* Configure replay protection */ c( "replay-window-size" arg /* Configure replay protection window size */ ) ), "no-encryption" /* Disable encryption */, "offset" ( /* Confidentiality offset */ ("0" | "30" | "50") ), "include-sci" /* Include secure channel identifier in MAC Security PDU */, "pre-shared-key" ( /* Configure pre-shared connectivity association key */ c( "ckn" arg /* Connectivity association key name in hexadecimal format */, "cak" arg /* Connectivity association key in hexadecimal format (max_length = 64) */ ) ), "pre-shared-key-chain" arg /* Pre-shared key chain name for connectivity association */, "exclude-protocol" enum(("cdp" | "lldp" | "lacp")) /* Configure protocols to exclude from MAC Security */.as(:oneline) ) ), "interfaces" /* Interfaces on which macsec configuration is applied */, "cluster-control-port" arg ( /* Cluster control port on which macsec configuration is applied */ c( "connectivity-association" arg /* Connectivity association name */, "traceoptions" ( /* Tracing options of MKA protocol */ mka_trace_options /* Tracing options of MKA protocol */ ) ) ), "cluster-data-port" arg ( /* Cluster data port on which macsec configuration is applied */ c( "connectivity-association" arg /* Connectivity association name */, "traceoptions" ( /* Tracing options of MKA protocol */ mka_trace_options /* Tracing options of MKA protocol */ ) ) ) ) end rule(:macsec_trace_options) do c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("config" | "debug" | "normal" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:mka_trace_options) do c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("mka-packets" | "state" | "to-secy" | "keys" | "normal" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:security_model_access) do enum(("any" | "usm" | "v1" | "v2c")).as(:arg) ( c( "security-level" enum(("none" | "authentication" | "privacy")) ( /* Security level access configuration */ c( "context-match" ( /* Type of match to perform on context-prefix */ ("exact" | "prefix") ), "read-view" arg /* View used for read access */, "write-view" arg /* View used for write access */, "notify-view" arg /* View used to notifications */ ) ) ) ) end rule(:security_option_82_type) do c( "circuit-id" ( /* Configure DHCP option 82 circuit id */ c( "prefix" ( /* Configure DHCP option 82 circuit id prefix */ c( "host-name" /* Add router host name to DHCP option-82 circuit id */, "logical-system-name" /* Add logical system name to DHCP option-82 circuit id */, "routing-instance-name" /* Add routing instance name to DHCP option-82 circuit id */ ) ), "use-interface-description" ( /* Use interface description instead of circuit identifier */ ("logical" | "device") ), "use-vlan-id" /* Use VLAN id instead of name */ ) ), "remote-id" ( /* Configure DHCP option 82 remote id */ c( "host-name" /* Add router host name to DHCP option-82 remote id */, "use-interface-description" ( /* Use interface description instead of interface name */ ("logical" | "device") ), "use-string" arg /* Use raw string instead of the default remote id */, "mac" /* Add chassis MAC Address to DHCP option-82 remote id */ ) ), "vendor-id" ( /* Configure DHCP option 82 vendor id */ c( "use-string" arg /* Use raw string instead of the default vendor id */ ) ) ) end rule(:security_pki) do c( "ca-profile" arg ( /* Certificate authority profile configuration */ c( "ca-identity" arg /* Certificate authority identifier */, "source-address" ( /* Use specified address as source address */ ipaddr /* Use specified address as source address */ ), "proxy-profile" arg /* Use specified proxy server */, "routing-instance" arg /* Use specified routing instance */, "enrollment" ( /* Enrollment parameters for certificate authority */ c( "url" arg /* Enrollment URL of certificate authority */, "retry" arg /* Number of enrollment retry attempts before aborting */, "retry-interval" arg /* Interval in seconds between the enrollment retries */ ) ), "revocation-check" ( /* Method for checking certificate revocations */ c( c( "use-crl" /* Use CRL for revocation check */, "use-ocsp" /* Use OCSP for revocation check */, "disable" /* Disable revocation check */ ), "ocsp" ( /* Online Cerificate Status Protocol (OCSP) configuration */ c( "url" arg, "nonce-payload" ( /* Include Nonce payload in OCSP requests */ ("enable" | "disable") ), "disable-responder-revocation-check" /* Disable OCSP responder certificate revocation check */, "accept-unknown-status" /* Accept certificates with unknown status */, "connection-failure" ( /* Actions on failure to connect to OCSP Responder */ c( c( "fallback-crl" /* Use CRL for revocation check */, "disable" /* Disable OCSP check on connection failure */ ) ) ) ) ), "crl" ( /* Certificate revocation list configuration */ c( "disable" ( sc( "on-download-failure" /* Check revocation status with existing CRL file if present, otherwise skip. This feature must be enabled for manual CRL download. */ ) ).as(:oneline), "url" arg ( c( "password" ( /* Password for authentication with the server */ unreadable /* Password for authentication with the server */ ) ) ), "refresh-interval" arg /* CRL refresh interval */ ) ) ) ), "administrator" ( /* Administrator information */ c( "email-address" arg /* Administrator e-mail to which to send certificate requests */ ) ) ) ), "trusted-ca-group" arg ( /* Trusted Certificate Authority group configuration */ c( "ca-profiles" arg /* Name of the CA profiles (maximum 20) */ ) ), "auto-re-enrollment" ( /* Auto re-enroll of certificate */ c( "cmpv2" ( /* CMPv2 auto re-enrollment configuration */ c( "certificate-id" arg ( /* CMPv2 auto re-enrollment configuration for certificate-id */ c( "ca-profile-name" arg /* Name of certificate authority profile */, "re-enroll-trigger-time-percentage" arg /* Re-enrollment trigger time before expiration as percentage */, "re-generate-keypair" /* Generate new key-pair for auto-re-enrollment */ ) ) ) ), "scep" ( /* SCEP auto re-enrollment configuration */ c( "certificate-id" arg ( /* SCEP auto re-enrollment configuration for certificate-id */ c( "ca-profile-name" arg /* Name of certificate authority profile */, "re-generate-keypair" /* Generate new key-pair for auto-re-enrollment */, "re-enroll-trigger-time-percentage" arg /* Re-enrollment trigger time before expiration as percentage */, "challenge-password" ( /* Password used by CA for enrollment and revocation */ unreadable /* Password used by CA for enrollment and revocation */ ), "scep-encryption-algorithm" ( /* SCEP encryption algorithm */ c( c( "des" /* Use DES as SCEP encryption algorithm */, "des3" /* Use DES3 as SCEP encryption algorithm */ ) ) ), "scep-digest-algorithm" ( /* SCEP digest algorithm */ c( c( "md5" /* Use MD5 as SCEP digest algorithm */, "sha1" /* Use SHA1 as SCEP digest algorithm */ ) ) ) ) ) ) ), "certificate-id" arg ( /* Auto re-enrollment configuration for certificate-id */ c( "ca-profile-name" arg /* Name of certificate authority profile */, "re-generate-keypair" /* Generate new key-pair for auto-re-enrollment */, "re-enroll-trigger-time-percentage" arg /* Re-enrollment trigger time before expiration as percentage */, "challenge-password" ( /* Password used by CA for enrollment and revocation */ unreadable /* Password used by CA for enrollment and revocation */ ), "scep-encryption-algorithm" ( /* SCEP encryption algorithm */ c( c( "des" /* Use DES as SCEP encryption algorithm */, "des3" /* Use DES3 as SCEP encryption algorithm */ ) ) ), "scep-digest-algorithm" ( /* SCEP digest algorithm */ c( c( "md5" /* Use MD5 as SCEP digest algorithm */, "sha1" /* Use SHA1 as SCEP digest algorithm */ ) ) ), "validity-period" arg /* Certificate validity period in days from enrollment start date */ ) ) ) ), "traceoptions" ( /* PKI trace options */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("certificate-verification" | "online-crl-check" | "enrollment" | "all")) /* Tracing parameters */.as(:oneline) ) ) ) end rule(:security_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "rate-limit" arg /* Limit the incoming rate of trace messages */, "filter" /* Filter parameters for IKE traceoptions */, "flag" enum(("timer" | "routing-socket" | "parse" | "config" | "ike" | "policy-manager" | "general" | "database" | "certificates" | "snmp" | "thread" | "high-availability" | "next-hop-tunnels" | "all")) /* Tracing parameters for IKE */.as(:oneline) ) end rule(:security_zone_type) do arg.as(:arg) ( c( "description" arg /* Text description of zone */, "tcp-rst" /* Send RST for NON-SYN packet not matching TCP session */, "address-book" ( /* Address book entries */ address_book_type /* Address book entries */ ), "screen" arg /* Name of ids option object applied to the zone */, "host-inbound-traffic" ( /* Allowed system services & protocols */ zone_host_inbound_traffic_t /* Allowed system services & protocols */ ), "interfaces" ( /* Interfaces that are part of this zone */ zone_interface_list_type /* Interfaces that are part of this zone */ ), "application-tracking" /* Enable Application tracking support for this zone */, "source-identity-log" /* Show user and group info in session log for this zone */, "advance-policy-based-routing-profile" ( /* Enable Advance Policy Based Routing on this zone */ c( arg ) ), "enable-reverse-reroute" /* Enable Reverse route lookup when there is change in ingress interface */ ) ) end rule(:address_book_type) do c( "address" ( /* Define a security address */ address_type /* Define a security address */ ), "address-set" ( /* Define a security address set */ address_set_type /* Define a security address set */ ) ) end rule(:server) do c( "host" arg /* Server host IP address or string host name */, "port" arg /* Server port */, "routing-instance" arg /* Routing instance name */ ) end rule(:server_bulk_leasequery_type) do c( "max-connections" arg /* Max TCP connections allowed at a time */, "timeout" arg /* Timeout for blocked connection */, "max-empty-replies" arg /* Maximum number of empty replies for a connection */, "restricted-requestor" /* Allow bulk leasequery only from restricted requestors */ ) end rule(:server_connection_type) do c( "address" ( /* IP address */ ipaddr /* IP address */ ), "ca-certificate" arg /* Ca-certificate file name */, "client-id" arg /* Client ID for OAuth2 grant */, "client-secret" arg /* Client secret for OAuth2 grant */ ) end rule(:server_group_type) do c( c( arg /* IP Address of one or more DHCP servers */ ) ) end rule(:server_leasequery_type) do c( "restricted-requestor" /* Allow leasequery only from restricted requestors */ ) end rule(:server_match_action_choice) do c( c( "forward-only" /* Forward without subscriber services */, "create-relay-entry" /* Create relay entry and allow subscriber services */ ) ) end rule(:server_match_v6_ascii_hex) do c( "ascii" arg ( /* ASCII string */ c( c( "forward-only" /* Forward without subscriber services when a match is made */, "create-relay-entry" /* Create relay entry and allow subscriber services */ ) ) ), "hexadecimal" arg ( /* Hexadecimal string */ c( c( "forward-only" /* Forward without subscriber services when a match is made */, "create-relay-entry" /* Create relay entry and allow subscriber services */ ) ) ) ) end rule(:server_v6_option_ascii_hex) do c( "ascii" arg /* ASCII string */, "hexadecimal" arg /* Hexadecimal string */ ) end rule(:service_device_pool_object) do arg.as(:arg) ( c( "interface" arg /* Service device name */ ) ) end rule(:service_interface_pool_object) do arg.as(:arg) ( c( "interface" arg /* Service interface name */ ) ) end rule(:service_set_syslog_object) do c( "host" arg ( c( sc( c( "any" /* All levels */, "emergency" /* Panic conditions */, "alert" /* Conditions that should be corrected immediately */, "critical" /* Critical conditions */, "error" /* Error conditions */, "warning" /* Warning messages */, "notice" /* Conditions that should be handled specially */, "info" /* Informational messages */, "none" /* No messages */ ) ).as(:oneline), "facility-override" ( /* Alternate facility for logging to remote host */ ("authorization" | "daemon" | "ftp" | "kernel" | "user" | "local0" | "local1" | "local2" | "local3" | "local4" | "local5" | "local6" | "local7") ), "log-prefix" arg /* Prefix for all logging to this host */, "port" arg /* UDP port for syslogd on the host */, "class" ( /* Syslog messages classes */ c( "session-logs" ( /* Allow syslog messages for session events */ c( "open" /* Allow syslog messages for session open events */, "close" /* Allow syslog messages for session close events */ ) ), "packet-logs" /* Allow syslog messages for packet related events */, "stateful-firewall-logs" /* Allow syslog messages for stateful firewall events */, "alg-logs" /* Allow syslog messages for ALG events */, "nat-logs" ( /* Allow syslog messages for NAT events */ c( "deterministic-nat-configuration-log" /* Allow syslog messages for Determinisitic NAT config events */ ) ), "ids-logs" /* Allow syslog messages for IDS events */, "pcp-logs" ( /* PCP logs */ sc( "map" /* Allow syslog messages for PCP */, "debug" /* Allow PCP debug syslogs */ ) ).as(:oneline), "ha-logs" ( /* Stateful high availability logs */ c( "open-synchronized" /* Allow syslog message for session open events */, "close-synchronized" /* Allow syslog message for session close events */ ) ), "urlf-logs" /* Allow syslog messages for URLF events */ ) ), "source-address" ( /* Use specified address as source address */ ipv4addr /* Use specified address as source address */ ) ) ), "message-rate-limit" arg /* Maximum syslog messages per second allowed from this interface. Applies per member if set at aggregate level */ ) end rule(:session_timeout_type) do c( "tcp" arg /* Timeout value for tcp sessions */, "udp" arg /* Timeout value for udp sessions */, "ospf" arg /* Timeout value for ospf sessions */, "icmp" arg /* Timeout value for icmp sessions */, "icmp6" arg /* Timeout value for icmp6 sessions */, "others" arg /* Timeout value for other sessions */ ) end rule(:sfw_match_object) do c( "source-address" ( /* Match IP source address */ sfw_addr_object /* Match IP source address */ ), "destination-address" ( /* Match IP destination address */ sfw_addr_object /* Match IP destination address */ ), "destination-port" ( c( c( "range" ( /* Range of ports */ sc( "low" arg /* Lower limit of port range */, "high" arg /* Upper limit of port range */ ) ).as(:oneline) ) ) ), "source-address-range" ( /* Match IP source address range */ s( "low" arg /* Lower limit of address range */, "high" arg /* Upper limit of address range */, c( "except" /* Match address not in this prefix */ ) ) ).as(:oneline), "source-prefix-list" arg ( /* One or more named lists of source prefixes to match */ sc( "except" /* Name of prefix list not to match against */ ) ).as(:oneline), "destination-address-range" ( /* Match IP destination address range */ s( "low" arg /* Lower limit of address range */, "high" arg /* Upper limit of address range */, c( "except" /* Match address not in this prefix */ ) ) ).as(:oneline), "destination-prefix-list" arg ( /* One or more named lists of destination prefixes to match */ sc( "except" /* Name of prefix list not to match against */ ) ).as(:oneline), "applications" arg /* Match one or more applications */, "application-sets" arg /* Match one or more application sets */ ) end rule(:sfw_addr_object) do ("any-unicast" | "any-ipv4" | "any-ipv6" | arg).as(:arg) ( c( "except" /* Match address not in this prefix */ ) ).as(:oneline) end rule(:sla_policy_type) do arg.as(:arg) ( c( "description" arg /* Text description of policy */, "match" ( /* Specify sla policy match-criteria */ c( c( "source-address" ( ("any" | "any-ipv4" | "any-ipv6" | arg) ) ), c( "destination-address" ( ("any" | "any-ipv4" | "any-ipv6" | arg) ) ), "source-address-excluded" /* Exclude source addresses */, "destination-address-excluded" /* Exclude destination addresses */, c( "application" arg ) ) ), "then" ( /* Specify policy action to take when packet match criteria */ c( c( "application-services" ( /* Application Services */ sla_application_services_type /* Application Services */ ) ) ) ) ) ) end rule(:sla_application_services_type) do c( "advance-policy-based-routing-profile" arg /* Specify APBR profile name */ ) end rule(:smid_type) do c( "traceoptions" ( /* Subscriber management trace options */ smid_traceoptions_type /* Subscriber management trace options */ ), "maintain-subscriber" ( /* Options to maintain subscriber */ smid_maintain_subscriber_type /* Options to maintain subscriber */ ), "gres-route-flush-delay" /* Delay flushing routes after RE switchover */, "enforce-strict-scale-limit-license" /* Options to enforce strict scale limit license */, "overrides" ( /* Subscriber management configuration */ c( "no-unsolicited-ra" /* Disable all unsolicited router advertisement packets */, "interfaces" ( c( "family" ( c( "inet6" ( c( "layer2-liveness-detection" /* Enabled ipv6-nud liveness detection */ ) ), "inet" ( c( "layer2-liveness-detection" /* Enabled arp-ping liveness detection */ ) ) ) ) ) ), "shmlog" ( /* Subscriber management shmlog configuration */ c( "disable" /* Disable shmlogs */, "filtering" ( /* Subscriber management shmlog filtering */ c( "enable" /* Enable shmlog filtering */ ) ), "file" ( sc( arg, "size" arg /* Maximum file size */, "files" arg /* Maximum number of files */ ) ).as(:oneline), "log-name" (arg | "all") ( /* The log name(s) to override */ c( c( "none" /* Shmlog verbosity null */, "terse" /* Shmlog verbosity terse */, "brief" /* Shmlog verbosity brief */, "detail" /* Shmlog verbosity detail */, "extensive" /* Shmlog verbosity extensive */ ), c( "file-logging" /* Enable file write for the log(s) */, "no-file-logging" /* Disable file write for the log(s) */ ) ) ), "log-type" enum(("debug" | "info" | "notice")) ( /* The log type to override */ c( c( "none" /* Shmlog verbosity null */, "terse" /* Shmlog verbosity terse */, "brief" /* Shmlog verbosity brief */, "detail" /* Shmlog verbosity detail */, "extensive" /* Shmlog verbosity extensive */ ), c( "file-logging" /* Enable file write for the log(s) */, "no-file-logging" /* Disable file write for the log(s) */ ) ) ) ) ) ) ), "enable" /* Enable subscriber management features */ ) end rule(:smid_maintain_subscriber_type) do c( "interface-delete" /* Maintain subscriber on interface delete events */ ) end rule(:smid_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("database" | "ui" | "general" | "session-db" | "server" | "issu" | "all")) /* Subscriber management replication operations to include in debugging trace */.as(:oneline) ) end rule(:smihelperd_type) do c( "traceoptions" ( /* Subscriber management helper trace options */ smihelperd_traceoptions_type /* Subscriber management helper trace options */ ) ) end rule(:smihelperd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("sdb" | "general" | "ui" | "snmp" | "all")) /* Subscriber management replication operations to include in debugging trace */.as(:oneline) ) end rule(:smpl_analyzer_type) do arg.as(:arg) ( c( "input" ( /* Ports and VLANs to monitor */ smpl_analyzer_input_type /* Ports and VLANs to monitor */ ), "output" ( /* Outgoing port or VLAN for mirrored packets */ smpl_analyzer_output_type /* Outgoing port or VLAN for mirrored packets */ ) ) ) end rule(:smpl_analyzer_input_type) do c( "rate" arg /* Ratio of packets to be sampled (1 out of N) */, "maximum-packet-length" arg /* Maximum length of the mirrored packet */, "ingress" ( /* Ports and VLANs to monitor incoming traffic */ smpl_analyzer_ingress_type /* Ports and VLANs to monitor incoming traffic */ ), "egress" ( /* Ports and VLANs to monitor outgoing traffic */ smpl_analyzer_egress_type /* Ports and VLANs to monitor outgoing traffic */ ) ) end rule(:smpl_analyzer_egress_type) do c( "interface" ( /* Port to monitor outgoing traffic */ analyzer_egress_interface_type /* Port to monitor outgoing traffic */ ), "routing-instance" ( /* Routing instances */ analyzer_egress_routing_instance_type /* Routing instances */ ), "vlan" ( /* VLAN to monitor outgoing traffic */ analyzer_egress_vlan_type /* VLAN to monitor outgoing traffic */ ), "bridge-domain" ( /* Bridge-domain to monitor outgoing traffic */ analyzer_egress_bridge_domain_type /* Bridge-domain to monitor outgoing traffic */ ) ) end rule(:analyzer_egress_bridge_domain_type) do arg.as(:arg) end rule(:analyzer_egress_interface_type) do (arg | "all").as(:arg) end rule(:analyzer_egress_routing_instance_type) do arg.as(:arg) ( c( "vlan" ( /* VLAN to monitor outgoing traffic */ analyzer_egress_vlan_type /* VLAN to monitor outgoing traffic */ ), "bridge-domain" ( /* Bridge-domain to monitor outgoing traffic */ analyzer_egress_bridge_domain_type /* Bridge-domain to monitor outgoing traffic */ ) ) ) end rule(:analyzer_egress_vlan_type) do arg.as(:arg) end rule(:smpl_analyzer_ingress_type) do c( "interface" ( /* Port to monitor incoming traffic */ analyzer_ingress_interface_type /* Port to monitor incoming traffic */ ), "routing-instance" ( /* Routing instances */ analyzer_ingress_routing_instance_type /* Routing instances */ ), "vlan" ( /* VLAN to monitor incoming traffic */ analyzer_ingress_vlan_type /* VLAN to monitor incoming traffic */ ), "bridge-domain" ( /* Bridge-domain to monitor incoming traffic */ analyzer_ingress_bridge_domain_type /* Bridge-domain to monitor incoming traffic */ ) ) end rule(:analyzer_ingress_bridge_domain_type) do arg.as(:arg) end rule(:analyzer_ingress_interface_type) do (arg | "all").as(:arg) end rule(:analyzer_ingress_routing_instance_type) do arg.as(:arg) ( c( "vlan" ( /* VLAN to monitor incoming traffic */ analyzer_ingress_vlan_type /* VLAN to monitor incoming traffic */ ), "bridge-domain" ( /* Bridge-domain to monitor incoming traffic */ analyzer_ingress_bridge_domain_type /* Bridge-domain to monitor incoming traffic */ ) ) ) end rule(:analyzer_ingress_vlan_type) do arg.as(:arg) end rule(:smpl_analyzer_output_type) do c( c( "interface" ( /* Outgoing port for mirrored packets */ interface_name /* Outgoing port for mirrored packets */ ), "ip-address" ( /* ERSPAN Destination IP Address */ ipv4addr /* ERSPAN Destination IP Address */ ), "next-hop-group" arg /* Next-hop-group through which to send port-mirror traffic */, "routing-instance" ( /* Routing instances */ output_routing_instance_type /* Routing instances */ ), "vlan" ( /* Outgoing VLAN for mirrored packets */ pm_rspan_vlan /* Outgoing VLAN for mirrored packets */ ), "bridge-domain" ( /* Outgoing bridge-domain for mirrored packets */ pm_rspan_bridge_domain /* Outgoing bridge-domain for mirrored packets */ ) ) ) end rule(:output_routing_instance_type) do arg.as(:arg) ( c( "ip-address" ( /* ERSPAN Destination IP Address */ ipv4addr /* ERSPAN Destination IP Address */ ), "vlan" ( /* Outgoing VLAN for mirrored packets */ pm_rspan_vlan /* Outgoing VLAN for mirrored packets */ ), "bridge-domain" ( /* Outgoing bridge-domain for mirrored packets */ pm_rspan_bridge_domain /* Outgoing bridge-domain for mirrored packets */ ) ) ) end rule(:snmp_scripts_file_type) do arg.as(:arg) ( c( "oid" arg ( /* Oid implemented by this script */ c( "priority" arg /* Registration priority */ ) ), "source" arg /* URL of source for this script */, "routing-instance" arg /* Routing instance */, "python-script-user" arg /* Run the python snmp script with privileges of user */, "refresh" /* Refresh all snmp scripts from their source */, "refresh-from" arg /* Refresh all snmp scripts from a given base URL */, "checksum" ( /* Checksum of this script */ c( "sha-256" arg /* SHA-256 checksum of this script */ ) ) ) ) end rule(:softwires_object) do c( "softwire-name" ( /* Configure softwire object */ softwire_option_type /* Configure softwire object */ ), "traceoptions" ( /* Trace options for Network Security DS-Lite */ c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "flag" enum(("configuration" | "flow" | "all")) /* Tracing parameters */.as(:oneline) ) ), "rule-set" ( /* Define a softwire rule set */ sw_rule_set_object /* Define a softwire rule set */ ) ) end rule(:softwire_option_type) do arg.as(:arg) ( c( "softwire-concentrator" ( /* Concentrator address */ ipaddr /* Concentrator address */ ), "softwire-type" ( /* Softwire-type */ ("IPv4-in-IPv6" | "v6rd") ), "ipv4-prefix" ( /* 6rd customer edge IPV4 prefix */ ipv4prefix /* 6rd customer edge IPV4 prefix */ ), "v6rd-prefix" ( /* 6rd domain's IPV6 prefix */ ipv6prefix /* 6rd domain's IPV6 prefix */ ), "mtu-v4" arg /* MTU for the softwire tunnel */ ) ) end rule(:sonet_options_type) do c( "vtmapping" ( /* VT mapping mode */ ("klm" | "itu-t") ), "fcs" ( /* Frame checksum */ ("32" | "16") ), "path-trace" arg /* Path trace string */, "loopback" ( /* Loopback mode */ ("local" | "remote") ), "trigger" ( /* Defect triggers */ c( "lol" ( /* LOL defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "pll" ( /* PLL defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "lof" ( /* LOF defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "los" ( /* LOS defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "ais-l" ( /* AIS-L defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "rfi-l" ( /* RFI-L defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "ber-sd" ( /* BER-SD defect trigger */ c( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ), "ber-sf" ( /* BER-SF defect trigger */ c( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ), "ais-p" ( /* AIS-P defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "lop-p" ( /* LOP-P defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "rfi-p" ( /* RFI-P defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "uneq-p" ( /* UNEQ-P defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "plm-p" ( /* PLM-P defect trigger */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "locd" ( /* LOCD defect trigger (ATM only) */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline), "lcdp" ( /* LCD-P defect trigger (Ethernet WAN only) */ sc( c( "ignore" /* Ignore the defect */, "hold-time" ( /* Delay before marking interface up or down for defect */ sc( "up" arg /* Delay before marking interface up when defect is absent */, "down" arg /* Delay before marking interface down when defect occurs */ ) ).as(:oneline) ) ) ).as(:oneline) ) ), "aps" ( /* Automatic Protection Switching */ aps_type /* Automatic Protection Switching */ ), c( "payload-scrambler" ( /* Enable payload scrambling */ sc( arg ) ).as(:oneline), "no-payload-scrambler" /* Do not enable payload scrambling */ ), "z0-increment" /* Increment Z0 in SDH mode */, "no-z0-increment" /* Don't increment Z0 in SDH mode */, "loop-timing" /* Set loop timing for STM-1 */, "no-loop-timing" /* Don't set loop timing for STM-1 */, "bytes" ( /* Set SONET header bytes */ c( "e1-quiet" arg /* E1-quiet value */, "f1" arg /* F1 user value */, "f2" arg /* F2 user value */, "s1" arg /* S1/Z1 value (stratum clock by convention) */, "z3" arg /* Z3 user value */, "z4" arg /* Z4 user value */, "c2" arg /* C2 user value */ ) ), "rfc-2615" /* RFC 2615 compliance */, "aggregate" ( /* Join a SONET aggregate */ interface_device /* Join a SONET aggregate */ ), "mpls" ( /* MPLS options */ mpls_ifd_options /* MPLS options */ ) ) end rule(:sophos_fallback_settings) do c( "default" ( /* Default action */ ("permit" | "log-and-permit" | "block") ), "content-size" ( /* Fallback action for over content size */ ("permit" | "log-and-permit" | "block") ), "engine-not-ready" ( /* Fallback action for engine not ready */ ("permit" | "log-and-permit" | "block") ), "timeout" ( /* Fallback action for engine scan timeout */ ("permit" | "log-and-permit" | "block") ), "out-of-resources" ( /* Fallback action for out of resources */ ("permit" | "log-and-permit" | "block") ), "too-many-requests" ( /* Fallback action for requests exceed engine limit */ ("permit" | "log-and-permit" | "block") ) ) end rule(:sophos_scan_options) do c( "uri-check" /* Anti-virus uri-check */, "no-uri-check" /* Don't anti-virus uri-check */, "content-size-limit" arg /* Content size limit */, "timeout" arg /* Scan engine timeout */ ) end rule(:source_class_name_object) do arg.as(:arg).as(:oneline) end rule(:source_address_filter_list_items) do s( arg, c( "exact" arg /* Exactly match the prefix length */, "longer" arg /* Mask is greater than the prefix length */, "orlonger" arg /* Mask is greater than or equal to the prefix length */, "upto" arg /* Mask falls between two prefix lengths */, "through" arg /* Route falls between two prefixes */, "prefix-length-range" arg /* Mask falls between two prefix lengths */ ), c( "metric" ( /* Metric value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */, "igp" ( /* Track the IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "minimum-igp" ( /* Track the minimum IGP metric (BGP only) */ sc( arg /* Metric offset for MED */ ) ).as(:oneline), "expression" ( /* Calculate value based on route metric and metric2 */ metric_expression_type /* Calculate value based on route metric and metric2 */ ), "aigp" /* Use aigp, if it exists, to set the IGP metric */ ) ) ), "metric2" ( /* Metric value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric3" ( /* Metric value 3 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "metric4" ( /* Metric value 4 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag" ( /* Tag string */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "tag2" ( /* Tag string 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference" ( /* Preference value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "preference2" ( /* Preference value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color" ( /* Color (preference) value */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "color2" ( /* Color (preference) value 2 */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "local-preference" ( /* Local preference associated with a route */ c( c( arg, "add" arg /* Add constant to attribute */, "subtract" arg /* Subtract constant from attribute */ ) ) ), "priority" ( /* Set priority for route installation */ ("high" | "medium" | "low") ), "prefix-segment" ( /* Set prefix segment attributes */ sc( "index" arg /* Set prefix segment index */, "node-segment" /* Set node segment flag for this prefix segment */ ) ).as(:oneline), "label-allocation" ( /* Set label allocation mode */ ("per-table" | "per-nexthop" | "per-table-localize") ), "add-path" ( /* Set BGP add-path attributes */ sc( "send-count" arg /* Number of add-paths sent */ ) ).as(:oneline), "validation-state" ( /* Set validation-state of a route */ ("valid" | "invalid" | "unknown") ), "origin" ( /* BGP path origin */ ("igp" | "egp" | "incomplete") ), "aigp-originate" ( /* Originate a BGP AIGP attribute */ sc( "distance" arg /* AIGP distance */ ) ).as(:oneline), "aigp-adjust" ( /* Adjust a BGP AIGP attribute */ sc( c( "add", "subtract", "multiply", "divide" ), c( arg /* Adjustment value */, "distance-to-protocol-nexthop" /* Metric2 */ ) ) ).as(:oneline), "community" ( /* BGP community properties associated with a route */ s( c( "equal-literal" arg /* Set the BGP communities in the route */, "set" arg /* Set the BGP communities in the route */, "plus-literal" arg /* Add BGP communities to the route */, "add" arg /* Add BGP communities to the route */, "minus-literal" arg /* Remove BGP communities from the route */, "delete" arg /* Remove BGP communities from the route */ ), arg ) ).as(:oneline), "damping" arg /* Define BGP route flap damping parameters */, "aggregate-bandwidth" /* Advertise aggregate outbound link bandwidth */, "limit-bandwidth" arg /* Limit advertised aggregate outbound link bandwidth */, "no-entropy-label-capability" /* Don't advertise entropy label capability */, "as-path-prepend" arg /* Prepend AS numbers to an AS path (BGP only) */, "as-path-expand" ( /* Prepend AS numbers prior to adding local-as (BGP only) */ sc( c( "last-as" ( /* Prepend last AS */ sc( "count" arg /* Repeat count */ ) ).as(:oneline), arg /* AS path string */ ) ) ).as(:oneline), "next-hop" ( /* Set the address of the next-hop router */ sc( c( "self" /* Use a local address as the next-hop address */, "peer-address" /* Use the remote peer address as the next-hop address */, "reject" /* Use a reject next hop */, "discard" /* Use a discard next hop */, "next-table" arg /* Perform a forwarding lookup in the specified table */, ipaddr /* Next-hop address */ ) ) ).as(:oneline), "install-nexthop" ( /* Choose the next hop to be used for forwarding */ sc( "strict" /* Do not use any other available next hops */, c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ), "except" ( /* Do not choose to install matching next hops */ c( c( "lsp" arg /* Next-hop LSP name */, "lsp-regex" arg /* Next-hop LSP name regular expression */, "static-lsp" arg /* Next-hop static LSP name */, "static-lsp-regex" arg /* Next-hop static LSP name regular expression */ ) ) ) ) ).as(:oneline), "trace" /* Log matches to a trace file */, "external" ( /* External route */ c( "type" arg /* OSPF external metric type */, "nssa-only" /* Clear P-bit on lsa type 7 */ ) ), "load-balance" ( /* Type of load balancing in forwarding table */ sc( c( "per-packet" /* Load balance on a per-packet basis */, "random" /* Load balance using packet random spray */, "per-prefix" /* Load balance on a per-prefix basis */, "consistent-hash" /* Give a prefix consistent load-balancing */, "source-ip-only" /* Give a source based ip load-balancing */, "destination-ip-only" /* Give a destination based ip load-balancing */ ) ) ).as(:oneline), "no-route-localize" /* Force route install on all fib-remote PFEs */, "install-to-fib" /* Install route to fib */, "no-install-to-fib" /* Don't install route to fib */, "analyze" /* Send to registered controllers for analysis */, "class" arg /* Set class-of-service parameters */, "destination-class" arg /* Set destination class in forwarding table */, "source-class" arg /* Set source class in forwarding table */, "forwarding-class" arg /* Set source or destination class in forwarding table */, "map-to-interface" ( /* Set output logical interface */ sc( c( "self" /* Map the interface to itself */, interface_name /* Output logical interface */ ) ) ).as(:oneline), "ssm-source" ( /* List of Sources for SSM mapping */ ipaddr /* List of Sources for SSM mapping */ ), "p2mp-lsp-root" ( /* P2mp lsp root address */ c( "address" ( /* Ipv4 root address */ ipv4addr /* Ipv4 root address */ ) ) ), "cos-next-hop-map" arg /* Set CoS-based next-hop map in forwarding table */, "dynamic-tunnel-attributes" arg /* Choose the dynamic tunnel attributes used for forwarding */, "selected-mldp-egress" /* This node should act as egress node for MLDP inband signalling */, "mhop-bfd-port" /* Use port number 4784 for MPLS-BFD as per RFC5884 */, "no-backup" /* This prefix should not have backup */, "default-action" ( /* Set default policy action */ ("accept" | "reject") ), "next" ( /* Skip to next policy or term */ ("policy" | "term") ), c( "accept" /* Accept a route */, "reject" /* Reject a route */ ), "bgp-output-queue-priority" ( /* Set the BGP Update output queue priority. */ sc( c( "priority" arg /* Output queue priority; higher is better */, "expedited" /* Expedited queue; highest priority */ ) ) ).as(:oneline), "multipath-resolve" /* Use all paths for resolution over this prefix */ ) ) end rule(:ssd_traceoptions_type) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("infrastructure" | "server" | "routing-instance" | "client-management" | "interfaces-management" | "route-management" | "nexthop-management" | "firewall-management" | "nexthop-group-management" | "cli" | "cfg" | "all")) /* Area of sdk-service daemon to enable debugging output */.as(:oneline) ) end rule(:ssg_destination_nat_object) do c( "pool" arg ( /* Define a destination address pool */ c( "description" arg /* Text description of pool */, "routing-instance" ( /* Routing instance */ c( c( "default" /* Default routing-instance */, arg ) ) ), "address" ( /* Add address or address range to pool */ sc( c( "to" ( /* Upper limit of address range */ c( ipprefix /* IPv4 or IPv6 upper limit of address range */ ) ), "port" arg /* Specify the port value */ ), ipprefix /* IPv4 or IPv6 address or address range */ ) ).as(:oneline) ) ), "port-forwarding" arg ( /* Define a port-forwarding mapping pool */ c( "description" arg /* Text description of port forwarding mapping */, "destined-port" ( /* Port forwarding mappings */ s( arg, "translated-port" arg /* Translated port */ ) ).as(:oneline) ) ), "rule-set" arg ( /* Configurate a set of rules */ c( "description" arg /* Text description of rule set */, "from" ( /* Where is the traffic from */ sc( c( "routing-instance" ( /* Source routing instance list */ ("default" | arg) ), "zone" arg /* Source zone list */, "interface" ( /* Source interface list */ interface_name /* Source interface list */ ) ) ) ).as(:oneline), "rule" ( /* Destination NAT rule */ dest_nat_rule_object /* Destination NAT rule */ ), "match-direction" ( /* Match direction */ ("input" | "output") ) ) ) ) end rule(:dest_nat_rule_object) do arg.as(:arg) ( c( "description" arg /* Text description of rule */, "dest-nat-rule-match" ( /* Specify Destination NAT rule match criteria */ c( "source-address" ( /* Source address */ ipprefix /* Source address */ ), "source-address-name" arg /* Address/address-set from address book */, c( "destination-address" ( /* Destination address */ sc( ipprefix /* IPv4 or IPv6 destination address */ ) ).as(:oneline), "destination-address-name" ( /* Address from address book */ sc( arg ) ).as(:oneline) ), "destination-port" arg ( /* Destination port */ sc( "to" ( /* Port range upper limit */ c( arg /* Upper limit of port range */ ) ) ) ).as(:oneline), "protocol" ( /* IP Protocol */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "application" arg ) ), "then" ( /* Then action */ c( "destination-nat" ( /* Destination NAT action */ c( c( "off" /* No action */, "pool" ( /* Use Destination NAT pool */ c( arg ) ), "destination-prefix" ( /* Destination prefix to be used for NAT64 and 464 translation type */ ipprefix_only /* Destination prefix to be used for NAT64 and 464 translation type */ ) ), "port-forwarding-mappings" ( /* Use Destination NAT port forwarding mapping pool */ c( arg ) ), "rule-session-count-alarm" ( /* Config rule-session-count-alarm to destination rule */ nat_rule_session_count_alarm_object /* Config rule-session-count-alarm to destination rule */ ).as(:oneline) ) ) ) ) ) ) end rule(:nat_rule_session_count_alarm_object) do c( "raise-threshold" arg /* Raise threshold for rule session count alarm */, "clear-threshold" arg /* Clear threshold for session count hit alarm */ ).as(:oneline) end rule(:ssg_proxy_arp_object) do c( "interface" ( /* Interface with proxy arp configured */ ssg_interface_object /* Interface with proxy arp configured */ ) ) end rule(:ssg_interface_object) do arg.as(:arg) ( c( "address" arg ( /* Proxy ARP address */ sc( "to" ( /* Upper limit of address range */ c( ipv4prefix /* Upper limit of address range */ ) ) ) ).as(:oneline) ) ) end rule(:ssg_proxy_ndp_object) do c( "interface" ( /* Interface with proxy arp configured */ ssg_proxy_ndp_interface_object /* Interface with proxy arp configured */ ) ) end rule(:ssg_proxy_ndp_interface_object) do arg.as(:arg) ( c( "address" arg ( /* Proxy ndp address */ sc( "to" ( /* Upper limit of address range */ c( ipv6addr /* Upper limit of address range */ ) ) ) ).as(:oneline) ) ) end rule(:ssg_source_nat_object) do c( "pool" arg ( /* Define a source address pool */ c( "description" arg /* Text description of pool */, "routing-instance" ( /* Routing instance */ c( arg ) ), "address" arg ( /* Add address to pool */ sc( "to" ( /* Upper limit of address range */ c( ipprefix /* IPv4 or IPv6 upper limit of address range */ ) ) ) ).as(:oneline), "host-address-base" ( /* The base of host address */ sc( ipprefix /* IPv4 or IPv6 base address */ ) ).as(:oneline), "port" ( /* Config port attribute to pool */ c( c( "no-translation" /* Do not perform port translation */, "range" ( /* Port range */ c( arg, "to" ( /* Port range upper limit */ c( arg ) ), "twin-port" ( /* Twin port range */ c( arg, "to" ( /* Twin port range upper limit */ c( arg ) ) ) ) ) ) ), "port-overloading-factor" arg /* Port overloading factor for each IP */, "block-allocation" ( /* Port block allocation */ block_allocation_object /* Port block allocation */ ), "deterministic" ( /* Deterministic nat allocation */ deterministic_object /* Deterministic nat allocation */ ), "preserve-parity" /* Allocate port as the same parity as incoming port */, "preserve-range" /* Allocate port from the same port range as incoming port */, "automatic" ( /* Port assignment */ c( c( "random-allocation" /* Allocate port randomly */, "round-robin" /* Allocate port by round-robin */ ) ) ) ) ), "overflow-pool" ( /* Specify an overflow pool */ sc( c( arg, "interface" /* Allow interface pool to support overflow */ ) ) ).as(:oneline), "address-shared" /* Allow multiple hosts to share an externel address */, "address-pooling" ( /* Specify the address-pooling behavior */ sc( c( "paired" /* Allow address-pooling paired for a source pool with port translation */, "no-paired" /* Allow address-pooling no-paired for a source pool without port translation */ ) ) ).as(:oneline), "address-persistent" ( /* Specify the address-persistent behavior */ sc( "subscriber" ( /* Configure address persistent for subscriber */ sc( "ipv6-prefix-length" arg /* Ipv6 prefix length for address persistent */ ) ).as(:oneline) ) ).as(:oneline), "pool-utilization-alarm" ( /* Config pool-utilization-alarm to pool */ source_nat_pool_utilization_alarm_object /* Config pool-utilization-alarm to pool */ ).as(:oneline), "ei-mapping-timeout" arg /* Endpoint-independent mapping timeout */, "mapping-timeout" arg /* Address-pooling paired and endpoint-independent mapping timeout */, "limit-ports-per-host" arg /* Number of ports allocated per host */ ) ), "address-persistent" /* Allow source address to maintain same translation */, "session-persistence-scan" /* Allow source to maintain session when session scan */, "session-drop-hold-down" arg /* Session drop hold down time */, "pool-utilization-alarm" ( /* Configure pool utilization alarm */ source_nat_pool_utilization_alarm_object /* Configure pool utilization alarm */ ).as(:oneline), "port-randomization" ( /* Configure Source NAT port randomization */ sc( ("disable") ) ).as(:oneline), "port-round-robin" /* Configure Source NAT port randomization */.as(:oneline), "port-scaling-enlargement" /* Configure source port scaling to 2.4G only for NGSPC */, "pool-distribution" /* Configure Source pool distribution, the APPCP bottleneck of NAT CPS can be alleviated. */, "pool-default-port-range" ( /* Configure Source NAT default port range */ sc( arg, "to" ( /* Port range upper limit */ c( arg ) ) ) ).as(:oneline), "pool-default-twin-port-range" ( /* Configure Source NAT default twin port range */ sc( arg, "to" ( /* Twin port range upper limit */ c( arg ) ) ) ).as(:oneline), "interface" ( /* Configure interface port overloading for persistent NAT */ c( c( "port-overloading" ( /* Configure port overloading */ sc( "off" /* Turn off interface port over-loading */ ) ).as(:oneline), "port-overloading-factor" arg /* Port overloading factor for interface NAT */ ) ) ), "rule-set" arg ( /* Configurate a set of rules */ c( "description" arg /* Text description of rule set */, "from" ( /* Where is the traffic from */ sc( c( "routing-instance" ( /* Source routing instance list */ ("default" | arg) ), "zone" arg /* Source zone list */, "interface" ( /* Source interface list */ interface_name /* Source interface list */ ) ) ) ).as(:oneline), "to" ( /* Where is the traffic to */ sc( c( "routing-instance" ( /* Destination routing instance list */ ("default" | arg) ), "zone" arg /* Destination zone list */, "interface" ( /* Destination interface list */ interface_name /* Destination interface list */ ) ) ) ).as(:oneline), "rule" ( /* Source NAT rule */ src_nat_rule_object /* Source NAT rule */ ), "match-direction" ( /* Match direction */ ("input" | "output") ) ) ) ) end rule(:block_allocation_object) do c( "block-size" arg /* Block size */, "maximum-blocks-per-host" arg /* Maximum block number per host */, "active-block-timeout" arg /* Active block timeout interval */, "interim-logging-interval" arg /* Interim Logging interval */, "last-block-recycle-timeout" arg /* Last Block recycle timeout interval */, "log" ( /* Configure port block log */ sc( ("disable") ) ).as(:oneline) ) end rule(:deterministic_object) do c( "block-size" arg /* Block size */, "det-nat-configuration-log-interval" arg /* Deterministic nat configuration logging interval */, "host" ( /* Host address */ sc( "address" ( /* Host ip address */ ipprefix /* Host ip address */ ), "address-name" arg /* Host address/address-set from address book */ ) ).as(:oneline), "include-boundary-addresses" /* Include network and broadcast in 'match' source address */ ) end rule(:source_nat_pool_utilization_alarm_object) do c( "raise-threshold" arg /* Raise threshold for pool utilization alarm */, "clear-threshold" arg /* Clear threshold for pool utilization alarm */ ).as(:oneline) end rule(:src_nat_rule_object) do arg.as(:arg) ( c( "description" arg /* Text description of rule */, "src-nat-rule-match" ( /* Specify Source NAT rule match criteria */ c( "source-address" ( /* Source address */ ipprefix /* Source address */ ), "source-address-name" arg /* Address/address-set from address book */, "source-port" arg ( /* Source port */ sc( "to" ( /* Port range upper limit */ c( arg /* Upper limit of port range */ ) ) ) ).as(:oneline), "destination-address" ( /* Destination address */ ipprefix /* Destination address */ ), "destination-address-name" arg /* Address/address-set from address book */, "destination-port" arg ( /* Destination port */ sc( "to" ( /* Port range upper limit */ c( arg /* Upper limit of port range */ ) ) ) ).as(:oneline), "protocol" ( /* IP Protocol */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "application" arg ) ), "then" ( /* Then action */ c( "source-nat" ( /* Source NAT action */ c( c( "off" /* No action */, "pool" ( /* Use Source NAT pool */ c( arg, "persistent-nat" ( /* Persistent NAT info */ persistent_nat_object /* Persistent NAT info */ ) ) ), "interface" ( /* Use egress interface address */ c( "persistent-nat" ( /* Persistent NAT info */ persistent_nat_object /* Persistent NAT info */ ) ) ) ), "clat-prefix" ( /* An IPv6 prefix to be used for XLAT464 and prefix length can only be 32/40/48/56/64/96 */ ipprefix_only /* An IPv6 prefix to be used for XLAT464 and prefix length can only be 32/40/48/56/64/96 */ ), "rule-session-count-alarm" ( /* Config rule-session-count-alarm to source rule */ nat_rule_session_count_alarm_object /* Config rule-session-count-alarm to source rule */ ).as(:oneline), "mapping-type" ( /* Source nat mapping type */ sc( "endpoint-independent" /* Endpoint independent mapping */ ) ).as(:oneline), "secure-nat-mapping" ( /* Mapping options for enhanced security */ sc( "eif-flow-limit" arg /* Number of inbound flows to be allowed for a EIF mapping */, "mapping-refresh" ( /* Enable timer refresh option */ sc( c( "inbound" /* Enable timer refresh for inbound connections only */, "outbound" /* Enable timer refresh for outbound connections only */, "inbound-outbound" /* Enable timer refresh for inbound & outbound connections */ ) ) ).as(:oneline) ) ).as(:oneline), "filtering-type" ( /* Source NAT filtering type */ c( "endpoint-independent" ( /* Endpoint independent filtering */ c( "prefix-list" arg ( /* One or more named lists of source prefixes to match */ sc( "except" /* Name of prefix list not to match against */ ) ).as(:oneline) ) ) ) ) ) ) ) ) ) ) end rule(:persistent_nat_object) do c( "permit" ( /* Persistent NAT permit configure */ sc( c( "any-remote-host" /* Permit any remote host */, "target-host" /* Permit target host */, "target-host-port" /* Permit target host port */ ) ) ).as(:oneline), "address-mapping" /* Address-to-address mapping */, "inactivity-timeout" arg /* Inactivity timeout value */, "max-session-number" arg /* The maximum session number value */ ) end rule(:ssg_static_nat_object) do c( "rule-set" arg ( /* Configurate a set of rules */ c( "description" arg /* Text description of rule set */, "from" ( /* Where is the traffic from */ sc( c( "routing-instance" ( /* Source routing instance list */ ("default" | arg) ), "zone" arg /* Source zone list */, "interface" ( /* Source interface list */ interface_name /* Source interface list */ ) ) ) ).as(:oneline), "rule" ( /* Static NAT rule */ static_nat_rule_object /* Static NAT rule */ ) ) ) ) end rule(:ssl_initiation_config) do c( "profile" arg ( /* SSL client profile */ c( "enable-flow-tracing" /* Enable flow tracing for the profile */, "protocol-version" ( /* Protocol SSL version accepted */ ("all" | "ssl3" | "tls1" | "tls11" | "tls12") ), "preferred-ciphers" ( /* Select preferred ciphers */ ("strong" | "medium" | "weak" | "custom") ), "custom-ciphers" ( /* Custom cipher list */ ("rsa-with-rc4-128-md5" | "rsa-with-rc4-128-sha" | "rsa-with-des-cbc-sha" | "rsa-with-3des-ede-cbc-sha" | "rsa-with-aes-128-cbc-sha" | "rsa-with-aes-256-cbc-sha" | "rsa-export-with-rc4-40-md5" | "rsa-export-with-des40-cbc-sha" | "rsa-export1024-with-des-cbc-sha" | "rsa-export1024-with-rc4-56-md5" | "rsa-export1024-with-rc4-56-sha" | "rsa-with-null-md5" | "rsa-with-null-sha" | "rsa-with-aes-256-gcm-sha384" | "rsa-with-aes-256-cbc-sha256" | "rsa-with-aes-128-gcm-sha256" | "rsa-with-aes-128-cbc-sha256" | "ecdhe-rsa-with-aes-256-gcm-sha384" | "ecdhe-rsa-with-aes-256-cbc-sha" | "ecdhe-rsa-with-aes-256-cbc-sha384" | "ecdhe-rsa-with-3des-ede-cbc-sha" | "ecdhe-rsa-with-aes-128-gcm-sha256" | "ecdhe-rsa-with-aes-128-cbc-sha" | "ecdhe-rsa-with-aes-128-cbc-sha256" | "ecdhe-ecdsa-with-aes-256-gcm-sha384" | "ecdhe-ecdsa-with-aes-256-cbc-sha" | "ecdhe-ecdsa-with-aes-256-cbc-sha384" | "ecdhe-ecdsa-with-aes-128-gcm-sha256" | "ecdhe-ecdsa-with-aes-128-cbc-sha" | "ecdhe-ecdsa-with-aes-128-cbc-sha256" | "ecdhe-ecdsa-with-3des-ede-cbc-sha") ), "enable-session-cache" /* Enable SSL session cache */, "trusted-ca" ( /* List of trusted certificate authority profiles */ ("all" | arg) ), "client-certificate" arg /* Local certificate identifier */, "actions" ( /* Traffic related actions */ c( "ignore-server-auth-failure" /* Ignore server authentication failure */, "crl" ( /* Certificate Revocation actions. */ c( "disable" /* Disable CRL validation. */, "if-not-present" ( /* Action if CRL information is not present. */ ("allow" | "drop") ), "ignore-hold-instruction-code" /* Ignore 'Hold Instruction Code' present in the CRL entry. */ ) ) ) ) ) ) ) end rule(:ssl_proxy_config) do c( "global-config" ( /* Global proxy configuration */ c( "session-cache-timeout" arg /* Session cache timeout */, "disable-cert-cache" /* Disable proxy mode certificate cache */, "certificate-cache-timeout" arg /* Certificate cache timeout */, "invalidate-cache-on-crl-update" /* Invalidate certificate cache on crl update */ ) ), "profile" arg ( /* SSL Proxy profile */ c( "enable-flow-tracing" /* Enable flow tracing for the profile */, "preferred-ciphers" ( /* Select preferred ciphers */ ("strong" | "medium" | "weak" | "custom") ), "custom-ciphers" ( /* Custom cipher list */ ("rsa-with-rc4-128-md5" | "rsa-with-rc4-128-sha" | "rsa-with-des-cbc-sha" | "rsa-with-3des-ede-cbc-sha" | "rsa-with-aes-128-cbc-sha" | "rsa-with-aes-256-cbc-sha" | "rsa-export-with-rc4-40-md5" | "rsa-export-with-des40-cbc-sha" | "rsa-export1024-with-des-cbc-sha" | "rsa-export1024-with-rc4-56-md5" | "rsa-export1024-with-rc4-56-sha" | "rsa-with-aes-256-gcm-sha384" | "rsa-with-aes-256-cbc-sha256" | "rsa-with-aes-128-gcm-sha256" | "rsa-with-aes-128-cbc-sha256" | "ecdhe-rsa-with-aes-256-gcm-sha384" | "ecdhe-rsa-with-aes-256-cbc-sha" | "ecdhe-rsa-with-aes-256-cbc-sha384" | "ecdhe-rsa-with-3des-ede-cbc-sha" | "ecdhe-rsa-with-aes-128-gcm-sha256" | "ecdhe-rsa-with-aes-128-cbc-sha" | "ecdhe-rsa-with-aes-128-cbc-sha256" | "ecdhe-ecdsa-with-aes-256-gcm-sha384" | "ecdhe-ecdsa-with-aes-256-cbc-sha" | "ecdhe-ecdsa-with-aes-256-cbc-sha384" | "ecdhe-ecdsa-with-aes-128-gcm-sha256" | "ecdhe-ecdsa-with-aes-128-cbc-sha" | "ecdhe-ecdsa-with-aes-128-cbc-sha256" | "ecdhe-ecdsa-with-3des-ede-cbc-sha") ), "trusted-ca" ( /* List of trusted certificate authority profiles */ ("all" | arg) ), c( "root-ca" arg /* Root certificate for interdicting server certificates in proxy mode */, "server-certificate" arg /* Local certificate identifier */ ), "whitelist" arg /* Addresses exempted from SSL Proxy */, "whitelist-url-categories" arg, "actions" ( /* Logging and traffic related actions */ c( "ignore-server-auth-failure" /* Ignore server authentication failure */, "log" ( /* Logging actions */ c( "all" /* Log all events */, "sessions-dropped" /* Log only ssl session drop events */, "sessions-allowed" /* Log ssl session allow events after an error */, "sessions-ignored" /* Log session ignore events */, "sessions-whitelisted" /* Log ssl session whitelist events */, "errors" /* Log all error events */, "warning" /* Log all warning events */, "info" /* Log all information events */ ) ), "crl" ( /* Certificate Revocation actions. */ c( "disable" /* Disable CRL validation. */, "if-not-present" ( /* Action if CRL information is not present. */ ("allow" | "drop") ), "ignore-hold-instruction-code" /* Ignore 'Hold Instruction Code' present in the CRL entry. */ ) ), "renegotiation" ( /* Renegotiation options */ ("allow" | "allow-secure" | "drop") ), "disable-session-resumption" /* Disable session resumption */ ) ) ) ) ) end rule(:ssl_termination_config) do c( "profile" arg ( /* SSL server profile */ c( "enable-flow-tracing" /* Enable flow tracing for the profile */, "protocol-version" ( /* Protocol SSL version accepted */ ("all" | "ssl3" | "tls1" | "tls11" | "tls12") ), "preferred-ciphers" ( /* Select preferred ciphers */ ("strong" | "medium" | "weak" | "custom") ), "custom-ciphers" ( /* Custom cipher list */ ("rsa-with-rc4-128-md5" | "rsa-with-rc4-128-sha" | "rsa-with-des-cbc-sha" | "rsa-with-3des-ede-cbc-sha" | "rsa-with-aes-128-cbc-sha" | "rsa-with-aes-256-cbc-sha" | "rsa-export-with-rc4-40-md5" | "rsa-export-with-des40-cbc-sha" | "rsa-export1024-with-des-cbc-sha" | "rsa-export1024-with-rc4-56-md5" | "rsa-export1024-with-rc4-56-sha" | "rsa-with-null-md5" | "rsa-with-null-sha" | "rsa-with-aes-256-gcm-sha384" | "rsa-with-aes-256-cbc-sha256" | "rsa-with-aes-128-gcm-sha256" | "rsa-with-aes-128-cbc-sha256" | "ecdhe-rsa-with-aes-256-gcm-sha384" | "ecdhe-rsa-with-aes-256-cbc-sha" | "ecdhe-rsa-with-aes-256-cbc-sha384" | "ecdhe-rsa-with-3des-ede-cbc-sha" | "ecdhe-rsa-with-aes-128-gcm-sha256" | "ecdhe-rsa-with-aes-128-cbc-sha" | "ecdhe-rsa-with-aes-128-cbc-sha256" | "ecdhe-ecdsa-with-aes-256-gcm-sha384" | "ecdhe-ecdsa-with-aes-256-cbc-sha" | "ecdhe-ecdsa-with-aes-256-cbc-sha384" | "ecdhe-ecdsa-with-aes-128-gcm-sha256" | "ecdhe-ecdsa-with-aes-128-cbc-sha" | "ecdhe-ecdsa-with-aes-128-cbc-sha256" | "ecdhe-ecdsa-with-3des-ede-cbc-sha") ), "enable-session-cache" /* Enable SSL session cache */, "server-certificate" arg /* Local certificate identifier */ ) ) ) end rule(:ssl_traceoptions) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("brief" | "detail" | "extensive" | "verbose") ), "flag" enum(("cli-configuration" | "termination" | "initiation" | "proxy" | "selected-profile" | "all")) /* Tracing parameters */.as(:oneline) ) end rule(:static_nat_rule_object) do arg.as(:arg) ( c( "description" arg /* Text description of rule */, "static-nat-rule-match" ( /* Specify Static NAT rule match criteria */ c( "source-address" ( /* Source address */ ipprefix /* Source address */ ), "source-address-name" arg /* Address from address book */, "source-port" arg ( /* Source port */ sc( "to" ( /* Port range upper limit */ c( arg /* Upper limit of port range */ ) ) ) ).as(:oneline), c( "destination-address" ( /* Destination address */ sc( ipprefix /* IPv4 or IPv6 Destination address prefix */ ) ).as(:oneline), "destination-address-name" ( /* Address from address book */ sc( arg ) ).as(:oneline) ), "destination-port" ( /* Destination port */ sc( arg /* Port or lower limit of port range */, "to" ( /* Port range upper limit */ c( arg /* Upper limit of port range */ ) ) ) ).as(:oneline) ) ), "then" ( /* Then action */ c( "static-nat" ( /* Static NAT action */ c( c( "inet" ( /* Translated to IPv4 address */ c( "routing-instance" ( /* Routing instance */ ("default" | arg) ) ) ), "prefix" ( /* Address prefix */ c( "mapped-port" ( /* Mapped port */ static_nat_rule_mapped_port_object /* Mapped port */ ).as(:oneline), "routing-instance" ( /* Routing instance */ ("default" | arg) ), ipprefix /* IPv4 or IPv6 address prefix value */ ) ), "prefix-name" ( /* Address from address book */ c( arg, "mapped-port" ( /* Mapped port */ static_nat_rule_mapped_port_object /* Mapped port */ ).as(:oneline), "routing-instance" ( /* Routing instance */ ("default" | arg) ) ) ), "nptv6-prefix" ( /* NPTv6 address prefix, the longest prefix will be supported is /64 */ c( "routing-instance" ( /* Routing instance */ ("default" | arg) ), ipprefix /* IPv6 address prefix value, the longest prefix will be supported is /64 */ ) ), "nptv6-prefix-name" ( /* NPTv6 address from address book */ c( arg, "routing-instance" ( /* Routing instance */ ("default" | arg) ) ) ) ), "rule-session-count-alarm" ( /* Config rule-session-count-alarm to static rule */ nat_rule_session_count_alarm_object /* Config rule-session-count-alarm to static rule */ ).as(:oneline) ) ) ) ) ) ) end rule(:static_nat_rule_mapped_port_object) do c( arg /* Port or lower limit of port range */, "to" ( /* Port range upper limit */ c( arg /* Upper limit of port range */ ) ) ).as(:oneline) end rule(:stp_interface) do (arg | "all").as(:arg) ( c( "priority" arg /* Interface priority (in increments of 16 - 0,16,..240) */, "cost" arg /* Cost of the interface */, "mode" ( /* Interface mode (P2P or shared) */ ("point-to-point" | "shared") ), "edge" /* Port is an edge port */, "access-trunk" /* Send/Receive untagged RSTP BPDUs on this interface */, "bpdu-timeout-action" ( /* Define action on BPDU expiry (Loop Protect) */ c( "block" /* Block the interface */, "alarm" /* Generate an alarm */ ) ), "no-root-port" /* Do not allow the interface to become root (Root Protect) */, "disable" /* Disable Spanning Tree on port */ ) ) end rule(:stp_trace_options) do c( "file" ( /* Trace file options */ trace_file_type /* Trace file options */ ), "flag" enum(("events" | "bpdu" | "timers" | "port-information-state-machine" | "port-receive-state-machine" | "port-role-select-state-machine" | "port-role-transit-state-machine" | "port-state-transit-state-machine" | "port-migration-state-machine" | "port-transmit-state-machine" | "topology-change-state-machine" | "bridge-detection-state-machine" | "state-machine-variables" | "ppmd" | "all-failures" | "all")) ( /* Tracing parameters */ sc( "disable" /* Disable this trace flag */ ) ).as(:oneline) ) end rule(:subscription_type) do c( arg /* Link bandwidth percentage for RSVP reservation */, "ct0" arg /* Subscription percentage for traffic class 0 */, "ct1" arg /* Subscription percentage for traffic class 1 */, "ct2" arg /* Subscription percentage for traffic class 2 */, "ct3" arg /* Subscription percentage for traffic class 3 */ ) end rule(:sw_rule_set_object) do arg.as(:arg) ( c( "rule" arg ( /* Define a rule term */ c( "then" ( /* Action to take if the condition is matched */ c( c( "v6rd" arg /* Apply 6rd softwire */ ) ) ) ) ), "match-direction" ( /* Match direction */ ("input" | "output") ) ) ) end rule(:syslog_object) do enum(("any" | "authorization" | "daemon" | "ftp" | "ntp" | "security" | "kernel" | "user" | "dfc" | "external" | "firewall" | "pfe" | "conflict-log" | "change-log" | "interactive-commands")).as(:arg) ( c( c( "any" /* All levels */, "emergency" /* Panic conditions */, "alert" /* Conditions that should be corrected immediately */, "critical" /* Critical conditions */, "error" /* Error conditions */, "warning" /* Warning messages */, "notice" /* Conditions that should be handled specially */, "info" /* Informational messages */, "none" /* No messages */ ) ) ).as(:oneline) end rule(:system_id_ip_map) do arg.as(:arg) ( c( "ip-address" ( /* Peer ID (IP Address) */ ipv4prefix /* Peer ID (IP Address) */ ) ) ) end rule(:tacplus_server_object) do arg.as(:arg) ( c( "routing-instance" arg /* Routing instance */, "port" arg /* TACACS+ authentication server port number */, "secret" ( /* Shared secret with the authentication server */ unreadable /* Shared secret with the authentication server */ ), "timeout" arg /* Request timeout period */, "single-connection" /* Optimize TCP connection attempts */, "source-address" ( /* Use specified address as source address */ hostname /* Use specified address as source address */ ) ) ) end rule(:tdir_netmon_object) do c( "traceoptions" ( /* Net Monitoring trace options */ tdir_netmon_traceoptions_object /* Net Monitoring trace options */ ), "profile" ( /* Network monitoring probe profile configuration */ tdir_netmon_profile_object /* Network monitoring probe profile configuration */ ), "source-interface" ( /* Network monitoring probe sending interface */ tdir_netmon_src_iface /* Network monitoring probe sending interface */ ) ) end rule(:tdir_netmon_profile_object) do arg.as(:arg) ( c( c( "http" ( /* HTTP probe options */ tdir_http_probe_object /* HTTP probe options */ ), "icmp" /* ICMP probe options */, "tcp" ( /* TCP probe options */ tdir_tcp_probe_object /* TCP probe options */ ), "ssl-hello" ( /* SSL hello probe options */ tdir_ssl_hello_probe_object /* SSL hello probe options */ ), "custom" ( /* Custom probe options */ tdir_netmon_custom_probe_object /* Custom probe options */ ) ), "probe-interval" arg /* Probe interval */, "failure-retries" arg /* Probe failure retries */, "recovery-retries" arg /* Probe recovery retries */ ) ) end rule(:tdir_http_probe_object) do c( "port" arg /* Port number */, "url" arg /* URL name */, "method" ( /* HTTP method */ ("get" | "options") ), "hostname" arg /* Hostname */ ) end rule(:tdir_netmon_custom_probe_object) do c( "protocol" ( /* Custom protocol */ ("tcp" | "udp") ), "cmd" ( /* Custom probe command configuration */ tdir_netmon_custom_probe_command_object /* Custom probe command configuration */ ) ) end rule(:tdir_netmon_custom_probe_command_object) do arg.as(:arg) ( c( "port" arg /* Port number */, "default-real-service-status" ( /* Default status of real service */ ("down" | "up") ), "send" ( /* Send ASCII string or binary buffer */ tdir_netmon_custom_probe_send_object /* Send ASCII string or binary buffer */ ), "expect" ( /* Expect ASCII string or binary buffer */ tdir_netmon_custom_probe_expect_object /* Expect ASCII string or binary buffer */ ).as(:oneline) ) ) end rule(:tdir_netmon_custom_probe_expect_object) do c( c( "ascii" ( /* Expect ASCII string */ tdir_netmon_cust_probe_ascii_expect_obj /* Expect ASCII string */ ).as(:oneline), "binary" ( /* Expect binary buffer */ tdir_netmon_cust_probe_binary_expect_obj /* Expect binary buffer */ ).as(:oneline) ) ).as(:oneline) end rule(:tdir_netmon_cust_probe_ascii_expect_obj) do c( arg, "offset" ( /* Expect buffer offset */ tdir_netmon_cust_probe_expect_offset_obj /* Expect buffer offset */ ), "real-service-action" ( /* Action on expect match */ ("up" | "down") ) ).as(:oneline) end rule(:tdir_netmon_cust_probe_binary_expect_obj) do c( arg, "offset" ( /* Expect buffer offset */ tdir_netmon_cust_probe_expect_offset_obj /* Expect buffer offset */ ), "real-service-action" ( /* Action on expect match */ ("up" | "down") ) ).as(:oneline) end rule(:tdir_netmon_cust_probe_expect_offset_obj) do c( arg, "length" arg /* Expect buffer offset length */ ).as(:oneline) end rule(:tdir_netmon_custom_probe_send_object) do c( c( "ascii" arg /* Send ASCII string */, "binary" arg /* Send binary buffer */ ) ).as(:oneline) end rule(:tdir_netmon_src_iface) do arg.as(:arg) ( c( "family" ( /* Address family */ c( "inet" ( /* Address family IPv4 */ c( "address" ( /* Address family IPv4 address */ ipv4addr /* Address family IPv4 address */ ) ) ), "inet6" ( /* Address family IPv6 */ c( "address" ( /* Address family IPv6 address */ ipv6addr /* Address family IPv6 address */ ) ) ) ) ) ) ) end rule(:tdir_netmon_traceoptions_object) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("all-real-services" | "messages" | "probe" | "inter-thread" | "database" | "file-descriptor-queue" | "probe-infra" | "all")) /* Tracing flag parameters */.as(:oneline), "monitor" arg ( c( "group-name" arg /* Group name */, "real-services-name" arg /* Real service */ ) ) ) end rule(:tdir_service_load_balance_object) do c( "traceoptions" ( /* Traffic load balance trace options */ tdir_traceoptions_object /* Traffic load balance trace options */ ), "route-hold-timer" arg /* Route hold timer, when PIC is down */, "instance" ( /* Traffic load balance instance configuration */ tdir_slb_instance_object /* Traffic load balance instance configuration */ ) ) end rule(:tdir_slb_instance_object) do arg.as(:arg) ( c( "interface" ( /* Interface name */ interface_name /* Interface name */ ), "server-inet-bypass-filter" arg /* Server Implicit inet bypass filter reference */, "server-inet6-bypass-filter" arg /* Server Implicit inet6 bypass filter reference */, "client-interface" ( /* Client facing interface name */ interface_unit /* Client facing interface name */ ), "server-interface" ( /* Server facing interface name */ interface_unit /* Server facing interface name */ ), "client-vrf" arg /* Client-side VRF */, "server-vrf" arg /* Server-side VRF */, "group" ( /* Group configuration */ tdir_slb_group_object /* Group configuration */ ), "real-service" ( /* Real service configuration */ tdir_real_service_object /* Real service configuration */ ), "virtual-service" ( /* Virtual service configuration */ tdir_virtual_service_object /* Virtual service configuration */ ) ) ) end rule(:tdir_real_service_object) do arg.as(:arg) ( c( "address" ( /* IP address */ ipaddr /* IP address */ ), "admin-down" /* Set the real service to DOWN state */ ) ) end rule(:tdir_slb_group_object) do arg.as(:arg) ( c( "real-services" arg /* Real services group association */, "routing-instance" arg /* Routing instance name */, "health-check-interface-subunit" arg /* Subunit on which the health-check is to be initiated */, "network-monitoring-profile" arg /* Network monitoring profile name */, "real-service-rejoin-options" ( /* Real service rejoin options */ tdir_auto_rejoin_object /* Real service rejoin options */ ) ) ) end rule(:tdir_auto_rejoin_object) do c( "no-auto-rejoin" /* Disable real service auto-rejoin, when it comes up */ ) end rule(:tdir_ssl_hello_probe_object) do c( "port" arg /* Port number */, "version" ( /* SSL version */ ("2" | "3") ) ) end rule(:tdir_tcp_probe_object) do c( "port" arg /* Port number */ ) end rule(:tdir_traceoptions_object) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("normal" | "config" | "connect" | "health" | "parse" | "probe" | "route" | "snmp" | "statistics" | "system" | "operational-commands" | "filter" | "batch" | "all")) /* Tracing flag parameters */.as(:oneline), "monitor" arg ( c( "virtual-svc-name" arg /* Virtual service name */, "instance-name" arg /* Instance name */ ) ), "in-memory-tracing" ( sc( "max-lines" arg /* Number of max lines in memory tracing */ ) ).as(:oneline) ) end rule(:tdir_virtual_service_object) do arg.as(:arg) ( c( "mode" ( /* Virtual service mode */ ("layer2-direct-server-return" | "direct-server-return" | "translated") ), "address" ( /* IP address */ ipaddr /* IP address */ ), "route-metric" arg /* Route metric */, "rebalance-threshold" arg /* Rebalance threshold */, "routing-instance" arg /* Routing instance name */, "service" ( /* Listening service configuration */ tdir_virtual_service_svc_object /* Listening service configuration */ ), "server-interface" ( /* Server facing interface name */ interface_unit /* Server facing interface name */ ), "group" arg /* Group name */, "load-balance-method" ( /* Load balance method */ c( c( "hash" ( /* Load balance hash method */ c( "hash-key" ( /* Hash-key type */ tdir_virtual_service_lb_hash_method_obj /* Hash-key type */ ) ) ), "random" /* Load balance random method */ ) ) ) ) ) end rule(:tdir_virtual_service_lb_hash_method_obj) do c( "source-ip" /* Source-address based hashing */, "destination-ip" /* Destination-address based hashing */, "protocol" /* Protocol based hashing */ ) end rule(:tdir_virtual_service_svc_object) do arg.as(:arg) ( c( "virtual-port" arg /* Virtual port number */, "server-listening-port" arg /* Server listening port */, "protocol" arg /* Service transport portocol */, "include-real-server-ips-in-server-filter" /* Includes list of all real server ip address in server filter */ ) ) end rule(:te_class_object) do c( "traffic-class" ( /* Traffic class */ ("ct0" | "ct1" | "ct2" | "ct3") ), "priority" arg /* Preemption priority for this class */ ).as(:oneline) end rule(:term_object) do arg.as(:arg) ( c( "alg" ( /* Application Layer Gateway */ ("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp") ), "protocol" ( /* Match IP protocol type */ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg) ), "source-port" ( /* Match TCP/UDP source port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port" ( /* Match TCP/UDP destination port */ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "icmp-type" ( /* Match ICMP message type */ ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp-code" ( /* Match ICMP message code */ ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp6-type" ( /* Match ICMP6 message type */ ("echo-request" | "echo-reply" | "destination-unreachable" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "packet-too-big" | "membership-query" | "membership-report" | "membership-termination" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | arg) ), "icmp6-code" ( /* Match ICMP6 message code */ ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg) ), "rpc-program-number" arg /* Match range of RPC program numbers */, "uuid" arg /* Match universal unique identifier for DCE RPC objects */, "inactivity-timeout" ( /* Application-specific inactivity timeout */ ("never" | arg) ) ) ).as(:oneline) end rule(:three_color_policer_type) do arg.as(:arg) ( c( "filter-specific" /* Three color policer is filter-specific */, "logical-interface-policer" /* Policer is logical interface policer */, "physical-interface-policer" /* Policer is physical interface policer */, "shared-bandwidth-policer" /* Share policer bandwidth among bundle links */, "action" ( /* Action for three-color policer */ c( "loss-priority" ( /* Loss priority for packet */ three_color_policer_action /* Loss priority for packet */ ).as(:oneline) ) ), c( "single-rate" ( /* Single-rate policer */ c( c( "color-blind" /* Color-blind mode */, "color-aware" /* Color-aware mode */ ), "committed-information-rate" arg /* Bandwidth allowed for committed traffic */, "committed-burst-size" arg /* Burst size allowed for committed traffic */, "excess-burst-size" arg /* Burst size allowed for excess traffic */ ) ), "single-packet-rate" /* Single-rate packet policer */, "two-rate" ( /* Two-rate policer */ c( c( "color-blind" /* Color-blind mode */, "color-aware" /* Color-aware mode */ ), "committed-information-rate" arg /* Bandwidth allowed for committed traffic */, "committed-burst-size" arg /* Burst size allowed for committed traffic */, "peak-information-rate" arg /* Bandwidth allowed for peak traffic */, "peak-burst-size" arg /* Burst size allowed for peak traffic */, "aggregate-policing" ( /* Configure Aggregate Policer */ c( "policer" arg ( /* Two-color policer to be used as aggregate */ c( "aggregate-sharing-mode" ( /* Hierarchical Metering model */ ("hybrid") ) ) ) ) ) ) ), "two-packet-rate" /* Two-rate packet policer */ ) ) ) end rule(:three_color_policer_action) do ("high").as(:arg) ( c( "then" ( /* Action to take if the rate limits are exceeded */ c( "discard" /* Discard the packet */ ) ) ) ).as(:oneline) end rule(:to_fabric_object) do c( "except" /* Match traffic switched locally and not going to fabric */ ) end rule(:trace_file_type) do c( arg, "replace" /* Replace trace file rather than appending to it */, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "no-stamp" /* Do not timestamp trace file */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */ ).as(:oneline) end rule(:tty_port_object) do c( "authentication-order" ( ("radius" | "tacplus" | "password") ), "log-out-on-disconnect" /* Log out the console session when cable is unplugged */, "port-type" arg /* Switch console between RJ45 and mini-USB */, "disable" /* Disable console */, "insecure" /* Disallow superuser access */, "speed" ( /* Speed of the port */ ("1200" | "2400" | "4800" | "9600" | "19200" | "38400" | "57600" | "115200") ), "type" ( /* Terminal type */ ("ansi" | "vt100" | "small-xterm" | "xterm") ), "silent-with-modem" /* Make the console silent if modem is connected and no call is present on the modem */ ) end rule(:tunable_object) do arg.as(:arg) ( c( "tunable-value" arg /* Protocol tunable value */ ) ) end rule(:tunnel_end_point) do arg.as(:arg) ( c( c( "ipv6" ( /* Enter an IPv6 tunnel */ c( "source-address" ( /* Tunnel source address */ ipv6addr /* Tunnel source address */ ), "destination-address" ( /* Tunnel destination address */ ipv6prefix /* Tunnel destination address */ ) ) ), "ipv4" ( /* Enter an IPv4 tunnel */ c( "source-address" ( /* Tunnel source address */ ipv4addr /* Tunnel source address */ ), "destination-address" ( /* Tunnel destination address */ ipv4prefix /* Tunnel destination address */ ) ) ) ), c( "gre" ( /* Tunnel is GRE */ c( "key" arg /* Key for authentication */ ) ), "gre-in-udp" ( /* Tunnel is GRE-in-UDP */ c( "source-port" arg /* UDP source port */, "destination-port" arg /* UDP destination port */, "key" arg /* GRE key for authentication */ ) ) ) ) ) end rule(:tunnel_type) do c( c( "ipsec-vpn" arg /* Enable VPN with name */, "ipsec-group-vpn" arg /* Enable dynamic IPSEC group with name */ ), "pair-policy" arg /* Policy in the reverse direction, to form a pair */ ) end rule(:twamp_authentication_key_chain) do arg.as(:arg) ( c( "key-id" arg ( /* Authentication element configuration */ c( "secret" arg /* Authentication key */ ) ) ) ) end rule(:url_list_type) do arg.as(:arg) ( c( "value" arg /* Configure value of url-list object */ ) ) end rule(:urlf_profile_object) do arg.as(:arg) ( c( "url-filter-database" arg /* Full path of the file */, "global-dns-filter-stats-log-timer" arg /* Global DNS filtering statistics log timer in minutes */, "dns-filter" ( /* DNS filter information */ dns_filter_object /* DNS filter information */ ), "url-filter-template" ( /* URL filter template */ urlf_template_object /* URL filter template */ ), "dns-filter-template" ( /* DNS filter template */ dnsf_template_object /* DNS filter template */ ) ) ) end rule(:dns_filter_object) do c( "database-file" arg /* Full path of the DNS filter database file */, "dns-server" ( /* One or more DNS servers addresses */ ipaddr /* One or more DNS servers addresses */ ), "hash-key" ( /* Define hash key for domains key */ sc( c( "ascii-text" arg /* Format as text */, "hexadecimal" arg /* Format as hexadecimal */ ) ) ).as(:oneline), "hash-method" ( /* Define authentication algorithm */ ("hmac-sha2-256") ), "statistics-log-timer" arg /* DNS log timer in minutes */, "dns-resp-ttl" arg /* TTL to be used in DNS response */, "wildcarding-level" arg /* Wildcarding level for exact match */ ) end rule(:dnsf_template_object) do arg.as(:arg) ( c( "dns-filter" ( /* DNS filter information */ dns_filter_object /* DNS filter information */ ), "client-interfaces" ( /* Client facing interfaces on which the dns filtering is applied */ interface_unit /* Client facing interfaces on which the dns filtering is applied */ ), "server-interfaces" ( /* Server facing interfaces to which traffic destined to */ interface_unit /* Server facing interfaces to which traffic destined to */ ), "client-routing-instance" ( /* Routing instance name */ (arg | "inet.0") ), "server-routing-instance" ( /* Routing instance name */ (arg | "inet.0") ), "term" arg ( /* Define a DNS filtering term */ c( "from" ( /* Define match criteria */ dnsf_match_object /* Define match criteria */ ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "dns-sinkhole" /* DNS sinkhole */ ) ) ) ) ) ) ) end rule(:dnsf_match_object) do c( "src-ip-prefix" ( /* Source IP Prefix list specification */ ipprefix /* Source IP Prefix list specification */ ) ) end rule(:urlf_template_object) do arg.as(:arg) ( c( "client-interfaces" ( /* Client facing interfaces on which the url filtering is applied */ interface_unit /* Client facing interfaces on which the url filtering is applied */ ), "server-interfaces" ( /* Server facing interfaces to which traffic destined to */ interface_unit /* Server facing interfaces to which traffic destined to */ ), "dns-source-interface" ( /* Interface on which the DNS queries are originated */ interface_unit /* Interface on which the DNS queries are originated */ ), "dns-routing-instance" ( /* Routing instance for DNS queries */ (arg | "inet.0") ), "routing-instance" ( /* Routing instance name */ (arg | "inet.0") ), "dns-server" ( /* One or more DNS servers addresses */ ipaddr /* One or more DNS servers addresses */ ), "dns-resolution-interval" arg /* DNS resolution timer in minutes */, "dns-retries" arg /* DNS resolution attempts */, "dns-resolution-rate" arg /* DNS resolution rate per chunk interval */, "url-filter-database" arg /* Full path of the file */, "disable-url-ip-filtering" /* Disable filtering of IPs belonging to blocklisted domains */, "term" arg ( /* Define a url filtering term */ c( "from" ( /* Define match criteria */ urlf_match_object /* Define match criteria */ ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "redirect-url" arg /* Redirect URL */, "custom-page" arg /* Custome page string */, "http-status-code" arg /* HTTP status code value */, "tcp-reset" /* TCP Reset */, "accept" /* Accept */ ) ) ) ) ) ) ) end rule(:urlf_match_object) do c( "src-ip-prefix" ( /* Source IP Prefix list specification */ ipprefix /* Source IP Prefix list specification */ ), "dest-ports" arg /* Destination port list specification */ ) end rule(:urlf_traceoptions_object) do c( "no-remote-trace" /* Disable remote tracing */, "file" ( /* Trace file information */ sc( arg, "size" arg /* Maximum trace file size */, "files" arg /* Maximum number of trace files */, "world-readable" /* Allow any user to read the log file */, "no-world-readable" /* Don't allow any user to read the log file */, "match" ( /* Regular expression for lines to be logged */ regular_expression /* Regular expression for lines to be logged */ ) ) ).as(:oneline), "level" ( /* Level of debugging output */ ("error" | "warning" | "notice" | "info" | "verbose" | "all") ), "flag" enum(("normal" | "config" | "dns" | "timer" | "connect" | "parse" | "statistics" | "system" | "operational-commands" | "filter" | "gencfg" | "routing" | "snmp" | "all")) /* Tracing flag parameters */.as(:oneline) ) end rule(:user_group_mapping_type) do c( "ldap" ( /* LDAP */ c( "authentication-algorithm" ( /* Authentication-algorithm */ ("simple") ), "ssl" /* SSL */, "base" arg /* Base distinguished name */, "user" ( /* User name */ c( arg, "password" arg /* Password string */ ) ), "address" arg ( /* Address of LDAP server */ c( "port" arg /* LDAP port */ ) ) ) ) ) end rule(:utm_apppxy_traceoptions) do c( "flag" enum(("abort" | "application-objects" | "utm-realtime" | "anti-virus" | "basic" | "buffer" | "detail" | "ftp-data" | "ftp-control" | "http" | "imap" | "memory" | "parser" | "pfe" | "pop3" | "queue" | "smtp" | "tcp" | "timer" | "connection-rating" | "mime" | "regex-engine" | "sophos-anti-virus" | "all")) /* Tracing parameters for utm application proxy */.as(:oneline) ) end rule(:utm_ipc_traceoptions) do c( "flag" enum(("basic" | "detail" | "connection-manager" | "connection-status" | "pfe" | "utm-realtime" | "all")) /* Traceoptions for utm IPC flag */.as(:oneline) ) end rule(:utm_traceoptions) do c( "flag" enum(("cli" | "daemon" | "ipc" | "pfe" | "all")) /* Tracing UTM information */.as(:oneline) ) end rule(:v3_user_config) do arg.as(:arg) ( c( c( "authentication-md5" ( /* Configure MD5 authentication */ auth_object /* Configure MD5 authentication */ ), "authentication-sha" ( /* Configure SHA authentication */ auth_object /* Configure SHA authentication */ ), "authentication-none" /* Set no authentication for the user */ ), c( "privacy-des" ( /* Configure DES privacy */ priv_object /* Configure DES privacy */ ), "privacy-3des" ( /* Configure Triple DES privacy */ priv_object /* Configure Triple DES privacy */ ), "privacy-aes128" ( /* Configure AES128 privacy */ priv_object /* Configure AES128 privacy */ ), "privacy-none" /* Set no privacy for the user */ ) ) ) end rule(:auth_object) do c( "authentication-password" arg /* User's authentication password */, "authentication-key" ( /* Encrypted key used for user authentication */ unreadable /* Encrypted key used for user authentication */ ) ) end rule(:priv_object) do c( "privacy-password" arg /* User's privacy password */, "privacy-key" ( /* Encrypted key used for user privacy */ unreadable /* Encrypted key used for user privacy */ ) ) end rule(:v6_relay_option_interface_id_type) do c( "prefix" ( /* Add prefix to circuit/interface-id or remote-id */ c( "host-name" /* Add router host name to circuit / interface-id or remote-id */, "logical-system-name" /* Add logical system name to circuit / interface-id or remote-id */, "routing-instance-name" /* Add routing instance name to circuit / interface-id or remote-id */ ) ), "use-interface-description" ( /* Use interface description instead of circuit identifier */ ("logical" | "device") ), "use-vlan-id" /* Use VLAN id instead of name */, "no-vlan-interface-name" /* Not include vlan or interface name */, "include-irb-and-l2" /* Include IRB and L2 interface name */, "use-option-82" ( /* Use option-82 circuit-id for interface-id */ v6_relay_option_cid_rid_action /* Use option-82 circuit-id for interface-id */ ), "keep-incoming-interface-id" ( /* Keep incoming interface identifier */ v6_relay_option_cid_rid_action /* Keep incoming interface identifier */ ) ) end rule(:v6_relay_option_cid_rid_action) do c( "strict" /* Drop packet if id not present */ ) end rule(:v6_relay_option_remote_id_type) do c( "prefix" ( /* Add prefix to circuit/interface-id or remote-id */ c( "host-name" /* Add router host name to circuit / interface-id or remote-id */, "logical-system-name" /* Add logical system name to circuit / interface-id or remote-id */, "routing-instance-name" /* Add routing instance name to circuit / interface-id or remote-id */ ) ), "use-interface-description" ( /* Use interface description instead of circuit identifier */ ("logical" | "device") ), "use-vlan-id" /* Use VLAN id instead of name */, "no-vlan-interface-name" /* Not include vlan or interface name */, "include-irb-and-l2" /* Include IRB and L2 interface name */, "use-option-82" ( /* Use option-82 remote-id for v6 remote-id */ v6_relay_option_cid_rid_action /* Use option-82 remote-id for v6 remote-id */ ), "keep-incoming-remote-id" /* Keep incoming remote identifier */ ) end rule(:v6_server_group_type) do c( c( arg /* IP Address of one or more DHCP servers */ ) ) end rule(:vendor_object) do arg.as(:arg) ( c( "product-name" arg /* Values for product field */ ) ) end rule(:version_ipfix_template) do arg.as(:arg) ( c( "flow-active-timeout" arg /* Interval after which active flow is exported */, "flow-inactive-timeout" arg /* Period of inactivity that marks a flow inactive */, "template-id" arg /* Template id */, "option-template-id" arg /* Options template id */, "observation-domain-id" arg /* Observation Domain Id */, "nexthop-learning" ( /* Nexthop learning parameter. Valid ONLY for INLINE-JFLOW */ c( ("enable" | "disable") ) ), "template-refresh-rate" ( /* Template refresh rate */ c( "packets" arg /* In number of packets */, "seconds" arg /* In number of seconds */ ) ), "option-refresh-rate" ( /* Option template refresh rate */ c( "packets" arg /* In number of packets */, "seconds" arg /* In number of seconds */ ) ), c( "ipv4-template" /* IPv4 template configuration */, "ipv6-template" /* IPv6 template configuration */, "vpls-template" /* VPLS template configuration */, "bridge-template" /* BRIDGE template configuration */, "mpls-template" /* MPLS template configuration */, "mpls-ipv4-template" /* MPLS IPV4 template configuration */ ), "tunnel-observation" ( /* Tunnel observation */ c( "mpls-over-udp" /* Mpls-over-udp */, "ipv4" /* IPv4 */, "ipv6" /* IPv6 */ ) ), "flow-key" ( /* Flow key for the template. Valid ONLY for INLINE-JFLOW */ c( "flow-direction" /* Include flow direction */, "vlan-id" /* Include vlan ID */, "output-interface" /* Include output interface */ ) ) ) ) end rule(:version9_template) do arg.as(:arg) ( c( "flow-active-timeout" arg /* Interval after which active flow is exported */, "flow-inactive-timeout" arg /* Period of inactivity that marks a flow inactive */, "template-id" arg /* Template id */, "option-template-id" arg /* Options template id */, "source-id" arg /* Source Id */, "nexthop-learning" ( /* Nexthop learning parameter. Valid ONLY for INLINE-JFLOW */ c( ("enable" | "disable") ) ), "template-refresh-rate" ( /* Template refresh rate */ c( "packets" arg /* In number of packets */, "seconds" arg /* In number of seconds */ ) ), "option-refresh-rate" ( /* Option template refresh rate */ c( "packets" arg /* In number of packets */, "seconds" arg /* In number of seconds */ ) ), c( "mpls-ipv4-template" /* MPLS-IPv4 template configuration */, "mpls-template" /* MPLS template configuration */, "ipv6-template" ( /* IPv6 template configuration */ c( "export-extension" ( /* IPv6 template configuration with extra fields added to the template */ c( c( "flow-dir" /* Applicationid field type */, "app-id" /* Applicationid field type */ ) ) ), "nexthop-options" /* Additional information retrieved from nexthop */ ) ), "peer-as-billing-template" /* Peer AS billing template configuration */, "ipv4-template" ( /* IPv4 template configuration */ c( "export-extension" ( /* IPv4 template configuration with extra fields added to the template */ c( c( "flow-dir" /* Applicationid field type */, "app-id" /* Applicationid field type */ ) ) ), "nexthop-options" /* Additional information retrieved from nexthop */ ) ), "vpls-template" /* VPLS template configuration */, "bridge-template" /* BRIDGE template configuration */ ), "tunnel-observation" ( /* Tunnel observation */ c( "mpls-over-udp" /* Mpls-over-udp */, "ipv4" /* IPv4 */, "ipv6" /* IPv6 */ ) ), "flow-key" ( /* Flow key for the template. Valid ONLY for INLINE-JFLOW */ c( "flow-direction" /* Include flow direction */, "vlan-id" /* Include vlan ID */, "output-interface" /* Include output interface */ ) ) ) ) end rule(:vlan_policy) do (arg | "all").as(:arg) ( c( "policy" ( /* Attach policy */ c( arg /* Router Advertisement Guard policy name */, c( "stateful" /* Stateful router advertisement guard */, "stateless" /* Stateless router advertisement guard */ ) ) ) ) ) end rule(:vlan_types) do arg.as(:arg) ( c( "description" arg /* Text description of VLANs */, c( "vlan-id" ( /* IEEE 802.1q VLAN identifier for VLAN */ ("all" | "none" | arg) ), "vlan-id-list" arg /* Create VLAN for each of the vlan-id specified in the vlan-id-list */, "vlan-tags" ( /* IEEE 802.1q VLAN tags for VLANs */ sc( "outer" arg /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */, "inner" arg /* [tpid.]vlan-id, tpid format is 0xNNNN and is optional */ ) ).as(:oneline) ), "interface" ("$junos-interface-name" | arg) /* Interface name for this VLAN */, "l3-interface" ( /* L3 interface name for this vlans */ interface_unit /* L3 interface name for this vlans */ ), "no-local-switching" /* Disable local switching within CE-facing interfaces */, "forwarding-options" ( /* Forwarding options configuration */ juniper_ethernet_switching_forwarding_options /* Forwarding options configuration */ ), "multicast-snooping-options" ( /* Multicast snooping option configuration */ juniper_multicast_snooping_options /* Multicast snooping option configuration */ ), "switch-options" ( /* VLANs switch-options configuration */ juniper_protocols_vlan /* VLANs switch-options configuration */ ), "domain-type" arg /* Type of VLANs SVLAN/DVLAN */, "no-irb-layer-2-copy" /* Disable transmission of layer-2 copy of packets of IRB routing-interface */, "service-id" arg /* Service id required if VLAN is of type MC-AE, and vlan-id all or vlan-id none or vlan-tags is configured */, "domain-id" arg /* Domain-id for auto derived Route Target */, "mcae-mac-synchronize" /* Enable IRB MAC synchronization in this VLAN */, "no-arp-suppression" /* Disable suppression of ARP/NDP for EVPN */, "mcae-mac-flush" /* Enable IRB MAC flush in a/s mode for this VLAN on MCAE link up */, "private-vlan" arg /* Type of secondary vlan for private vlan */, "isolated-vlan" arg /* VLAN id or name */, "community-vlans" /* List of VLAN id or name */, "vxlan" ) ) end rule(:juniper_ethernet_switching_forwarding_options) do c( "filter" ( /* Filtering for ethernet switching forwarding table */ c( "input" arg /* Name of input filter to apply for forwarded packets */, "output" arg /* Name of output filter to apply for forwarded packets */ ) ), "flood" ( /* Filtering for ethernet switching flood table */ c( "input" arg /* Name of input filter to apply for ethernet switching flood packets */ ) ), "dhcp-relay" ( /* Dynamic Host Configuration Protocol relay configuration */ jdhcp_relay_type /* Dynamic Host Configuration Protocol relay configuration */ ), "dhcp-security" ( /* DHCP access security configuration */ jdhcp_security_type /* DHCP access security configuration */ ), "fip-security" ( /* FCoE Initiation Protocol security configuration */ fip_security_type /* FCoE Initiation Protocol security configuration */ ) ) end rule(:fip_security_type) do c( "interface" arg ( /* Configure access port security for this interface */ c( "fcoe-trusted" /* Make this interface trusted for FCoE */, "no-fcoe-trusted" /* Don't make this interface trusted for FCoE */ ) ), "fc-map" arg /* FCoE MAC address prefix */, "examine-vn2vf" /* Enable FIP snooping on this VLAN */, "examine-vn2vn" /* Enable VN2VN FIP snooping on this VLAN */ ) end rule(:juniper_protocols_vlan) do c( "mac-table-size" ( /* Size of MAC address forwarding table */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop") ) ) ), "mac-ip-table-size" ( /* Size of MAC+IP bindings table */ c( arg ) ), "interface-mac-limit" ( /* Maximum MAC address learned per interface */ c( arg, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "interface-mac-ip-limit" ( /* Maximum number of MAC+IP bindings learned on the interface */ c( arg ) ), "mac-move-limit" /* Number of MAC movements allowed on this VLAN */, "mac-table-aging-time" arg /* Delay for discarding MAC address if no updates are received */, "no-mac-learning" /* Disable dynamic MAC address learning */, "mac-statistics" /* Enable MAC address statistics */, "static-rvtep-mac" ( /* Configure Static MAC and remote VxLAN tunnel endpoint entries */ c( "mac" ( /* Unicast MAC address */ s( arg, "remote-vtep" arg /* Configure static remote VXLAN tunnel endpoints */ ) ).as(:oneline) ) ), "interface" arg ( /* Interface that connect this site to the VPN */ c( "interface-mac-limit" ( /* Maximum number of MAC addresses learned on the interface */ c( arg, "disable" /* Disable interface for interface-mac-limit */, "packet-action" ( /* Action when MAC limit is reached */ ("none" | "drop" | "log" | "shutdown" | "drop-and-log") ) ) ), "vpws-service-id" ( /* Service-id for EVPN VPWS routing instance */ c( "local" arg /* Local EVPN VPWS service id */, "remote" arg /* Remote EVPN VPWS service id */ ) ), "protect-interface" ( /* Name of protect interface */ interface_name /* Name of protect interface */ ), "action-priority" arg /* Blocking priority of this interface on mac move detection */, "remote-site-id" arg /* Site identifier associated with this interface */, "target-attachment-identifier" arg /* FEC 129 VPWS target attachment identifier */, "flow-label-transmit" /* Advertise capability to push Flow Label in transmit direction to remote PE */, "flow-label-receive" /* Advertise capability to push Flow Label in receive direction to remote PE */, "encapsulation-type" ( /* Encapsulation type for VPN */ ("atm-aal5" | "atm-cell" | "atm-cell-port-mode" | "atm-cell-vp-mode" | "atm-cell-vc-mode" | "frame-relay" | "ppp" | "cisco-hdlc" | "ethernet-vlan" | "ethernet" | "interworking" | "frame-relay-port-mode" | "satop-t1" | "satop-e1" | "satop-t3" | "satop-e3" | "cesop") ), "ignore-encapsulation-mismatch" /* Allow different encapsulation types on local and remote end */, "mtu" arg /* MTU to be advertised to the remote end */, "ignore-mtu-mismatch" /* Allow different MTU values on local and remote end */, c( "control-word" /* Adds control-word to the Layer 2 encapsulation */, "no-control-word" /* Disables control-word to the Layer 2 encapsulation */ ), "pseudowire-status-tlv" /* Send pseudowire status TLV */, "oam" /* OAM Configuration for VPN */, "community" arg /* Community associated with this interface */, "static-mac" arg ( /* Static MAC addresses assigned to this interface */ c( "vlan-id" arg /* VLAN ID of learning VLAN */ ) ), "interface-mac-ip-limit" ( /* Maximum number of MAC+IP bindings learned on the interface */ c( arg ) ), "no-mac-learning" /* Disable dynamic MAC address learning */, "mac-pinning" /* Enable MAC pinning */, "description" arg /* Text description */, "persistent-learning" /* Enable persistent MAC learning on this interface */ ) ) ) end rule(:vlan_map) do c( c( "push" /* Push a VLAN tag */, "swap" /* Swap a VLAN tag */, "pop" /* Pop a VLAN tag */, "push-push" /* Push two VLAN tags */, "swap-push" /* Swap VLAN tag and push a new VLAN tag */, "swap-swap" /* Swap both outer and inner VLAN tags */, "pop-swap" /* Pop outer VLAN tag and swap inner VLAN tag */, "pop-pop" /* Pop both outer and inner VLAN tags */ ), "tag-protocol-id" arg /* IEEE 802.1q Tag Protocol Identifier to rewrite */, "inner-tag-protocol-id" ( /* IEEE 802.1q Tag Protocol ID to rewrite for inner tag */ ("$junos-inner-vlan-tag-protocol-id" | arg) ), "vlan-id" ( /* VLAN ID to rewrite */ ("$junos-vlan-map-id" | arg) ), "inner-vlan-id" ( /* VLAN ID to rewrite for inner tag */ ("$junos-inner-vlan-map-id" | arg) ) ) end rule(:vpls_filter) do arg.as(:arg) ( c( "accounting-profile" arg /* Accounting profile name */, "interface-specific" /* Defined counters are interface specific */, "physical-interface-filter" /* Filter is physical interface filter */, "instance-shared" /* Filter is routing-instance shared */, "term" arg ( /* Define a firewall term */ c( "filter" arg /* Filter to include */, "from" ( /* Define match criteria */ c( c( "interface-group" arg, "interface-group-except" arg ), c( "ether-type" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ), "ether-type-except" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ) ), c( "vlan-ether-type" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ), "vlan-ether-type-except" ( ("ipv4" | "ipv6" | "arp" | "appletalk" | "sna" | "aarp" | "ppp" | "mpls-unicast" | "mpls-multicast" | "pppoe-discovery" | "pppoe-session" | "oam" | "fcoe" | "fip" | "vlan" | arg) ) ), "destination-mac-address" ( /* Destination MAC address */ firewall_mac_addr_object /* Destination MAC address */ ), "source-mac-address" ( /* Source MAC address */ firewall_mac_addr_object /* Source MAC address */ ), c( "forwarding-class" arg, "forwarding-class-except" arg ), c( "loss-priority" ( ("low" | "high" | "medium-low" | "medium-high") ), "loss-priority-except" ( ("low" | "high" | "medium-low" | "medium-high") ) ), c( "learn-vlan-id" arg, "learn-vlan-id-except" arg ), c( "learn-vlan-1p-priority" arg, "learn-vlan-1p-priority-except" arg ), c( "user-vlan-id" arg, "user-vlan-id-except" arg ), c( "user-vlan-1p-priority" arg, "user-vlan-1p-priority-except" arg ), c( "learn-vlan-dei" arg, "learn-vlan-dei-except" arg ), c( "traffic-type" ( ("broadcast" | "multicast" | "unknown-unicast" | "known-unicast") ), "traffic-type-except" ( ("broadcast" | "multicast" | "unknown-unicast" | "known-unicast") ) ), "ip-source-address" ( /* Match IP source address */ firewall_addr_object /* Match IP source address */ ), "ip-destination-address" ( /* Match IP destination address */ firewall_addr_object /* Match IP destination address */ ), "ip-address" ( /* Match IP source or destination address */ firewall_addr_object /* Match IP source or destination address */ ), c( "ip-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ip-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "dscp" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "dscp-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), c( "ip-precedence" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ), "ip-precedence-except" ( ("net-control" | "internet-control" | "critical-ecp" | "flash-override" | "flash" | "immediate" | "priority" | "routine" | arg) ) ), c( "source-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "source-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "destination-port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "destination-port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), c( "port" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ), "port-except" ( ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg) ) ), "tcp-flags" arg /* Match TCP flags */, c( "icmp-type" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ), "icmp-type-except" ( ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg) ) ), c( "icmp-code" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ), "icmp-code-except" ( ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg) ) ), "interface" ( /* Match interface name */ match_interface_object /* Match interface name */ ), "interface-set" ( /* Match interface in set */ match_interface_set_object /* Match interface in set */ ), "source-prefix-list" ( /* Match IP source prefixes in named list */ firewall_prefix_list /* Match IP source prefixes in named list */ ), "destination-prefix-list" ( /* Match IP destination prefixes in named list */ firewall_prefix_list /* Match IP destination prefixes in named list */ ), "prefix-list" ( /* Match IP source or destination prefixes in named list */ firewall_prefix_list /* Match IP source or destination prefixes in named list */ ), "ipv6-destination-address" ( /* Match IPv6 destination address */ firewall_addr6_object /* Match IPv6 destination address */ ), "ipv6-source-address" ( /* Match IPv6 source address */ firewall_addr6_object /* Match IPv6 source address */ ), "ipv6-address" ( /* Match IPv6 address */ firewall_addr6_object /* Match IPv6 address */ ), c( "ipv6-next-header" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ipv6-next-header-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "dstopts" | "routing" | "fragment" | "hop-by-hop" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ipv6-payload-protocol" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ), "ipv6-payload-protocol-except" ( ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | "ipv6" | "no-next-header" | "vrrp" | arg) ) ), c( "ipv6-traffic-class" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ), "ipv6-traffic-class-except" ( ("af11" | "af12" | "af13" | "af21" | "af22" | "af23" | "af31" | "af32" | "af33" | "af41" | "af42" | "af43" | "ef" | "cs0" | "cs1" | "cs2" | "cs3" | "cs4" | "cs5" | "cs6" | "cs7" | "be" | arg) ) ), "ipv6-source-prefix-list" ( /* Match IPV6 source prefixes in named list */ firewall_prefix_list /* Match IPV6 source prefixes in named list */ ), "ipv6-destination-prefix-list" ( /* Match IPV6 destination prefixes in named list */ firewall_prefix_list /* Match IPV6 destination prefixes in named list */ ), "ipv6-prefix-list" ( /* Match IP source or destination prefixes in named list */ firewall_prefix_list /* Match IP source or destination prefixes in named list */ ), c( "flexible-match-mask" ( /* Match flexible mask */ match_l2_flexible_mask /* Match flexible mask */ ) ), c( "flexible-match-range" ( /* Match flexible range */ match_l2_flexible_range /* Match flexible range */ ) ), c( "policy-map" arg, "policy-map-except" arg ) ) ), "then" ( /* Action to take if the 'from' condition is matched */ c( c( "policer" arg /* Name of policer to use to rate-limit traffic */, "three-color-policer" ( /* Police the packet using a three-color-policer */ c( c( "single-rate" arg /* Name of single-rate three-color policer to use to rate-limit traffic */, "single-packet-rate" arg /* Name of single-packet-rate three-color policer to use to rate-limit traffic */, "two-rate" arg /* Name of two-rate three-color policer to use to rate-limit traffic */, "two-packet-rate" arg /* Name of two-packet-rate three-color policer to use to rate-limit traffic */ ) ) ), "hierarchical-policer" arg /* Name of hierarchical policer to use to rate-limit traffic */ ), c( "clear-policy-map" /* Clear the policy marking */, "policy-map" arg /* Policy map action */ ), "count" arg /* Count the packet in the named counter */, "loss-priority" ( /* Packet's loss priority */ ("low" | "high" | "medium-low" | "medium-high") ), "forwarding-class" arg /* Classify packet to forwarding class */, c( "accept" /* Accept the packet */, "discard" /* Discard the packet */, "next" ( /* Continue to next term in a filter */ ("term") ) ), "port-mirror-instance" arg /* Port-mirror the packet to specified instance */, "port-mirror" /* Port-mirror the packet */, "next-hop-group" arg /* Use specified next-hop group */, "sample" /* Sample the packet */, "log" /* Log the packet */, "syslog" /* System log (syslog) information about the packet */ ) ) ) ) ) ) end rule(:vrrp_group) do arg.as(:arg) ( c( c( "virtual-address" ( /* One or more virtual IPv4 addresses */ ipv4addr /* One or more virtual IPv4 addresses */ ), "virtual-inet6-address" ( /* One or more virtual inet6 addresses */ ipv6addr /* One or more virtual inet6 addresses */ ) ), "virtual-link-local-address" ( /* Virtual link-local addresses */ ipv6addr /* Virtual link-local addresses */ ), "priority" arg /* Virtual router election priority */, "preferred" /* Preferred group on subnet */, c( "advertise-interval" arg /* Advertisement interval */, "fast-interval" arg /* Fast advertisement interval */, "inet6-advertise-interval" arg /* Inet6 advertisement interval */ ), c( "preempt" ( /* Allow preemption */ c( "hold-time" arg /* Preemption hold time */ ) ), "no-preempt" /* Don't allow preemption */ ), c( "accept-data" /* Accept packets destined for virtual IP address */, "no-accept-data" /* Don't accept packets destined for virtual IP address */ ), "authentication-type" ( /* Authentication type */ ("md5" | "simple") ), "authentication-key" ( /* Authentication key */ unreadable /* Authentication key */ ), "track" ( /* Interfaces to track for VRRP group */ c( "priority-hold-time" arg /* Priority hold time */, "interface" arg ( /* Interface to track in VRRP group */ c( "bandwidth-threshold" arg ( /* Track bandwidth of interface */ sc( "priority-cost" arg /* Value subtracted from priority when bandwidth is below threshold */ ) ).as(:oneline), "priority-cost" arg /* Value to subtract from priority when interface is down */ ) ), "route" ( /* Route to track in VRRP group */ s( arg, "routing-instance" arg /* Routing instance to which route belongs, or 'default' */, c( "priority-cost" arg /* Value to subtract from priority when route is down */ ) ) ).as(:oneline) ) ), "vrrp-inherit-from" ( /* VRRP group to follow for this VRRP group */ c( "active-interface" ( /* Interface name of VRRP active group */ interface_unit /* Interface name of VRRP active group */ ), "active-group" arg /* Identifier for VRRP active group */ ) ), "advertisements-threshold" arg /* Number of vrrp advertisements missed before declaring master down */ ) ) end rule(:web_filtering_block_message) do c( "type" ( /* Type of block message desired */ ("custom-redirect-url") ), "url" arg /* URL of block message */ ) end rule(:web_filtering_fallback_setting) do c( "default" ( /* Fallback default settings */ ("log-and-permit" | "block") ), "server-connectivity" ( /* Fallback action when device cannot connect to server */ ("log-and-permit" | "block") ), "timeout" ( /* Fallback action when connection to server timeout */ ("log-and-permit" | "block") ), "too-many-requests" ( /* Fallback action when requests exceed the limit of engine */ ("log-and-permit" | "block") ) ) end rule(:web_filtering_quarantine_message) do c( "type" ( /* Type of quarantine message desired */ ("custom-redirect-url") ), "url" arg /* URL of quarantine message */ ) end rule(:web_filtering_traceoptions) do c( "flag" enum(("basic" | "session-manager" | "heartbeat" | "packet" | "profile" | "requests" | "response" | "socket" | "timer" | "ipc" | "cache" | "enhanced" | "all")) /* Trace options for web-filtering feature trace flag */.as(:oneline) ) end rule(:webfilter_feature) do c( "surf-control-integrated" ( /* Configure web-filtering surf-control integrated engine */ surf_control_integrated_type /* Configure web-filtering surf-control integrated engine */ ), "websense-redirect" ( /* Configure web-filtering websense redirect engine */ websense_type /* Configure web-filtering websense redirect engine */ ), "juniper-local" ( /* Configure web-filtering juniper local engine */ juniper_local_type /* Configure web-filtering juniper local engine */ ), "juniper-enhanced" ( /* Configure web-filtering juniper enhanced engine */ juniper_enhanced_type /* Configure web-filtering juniper enhanced engine */ ) ) end rule(:juniper_enhanced_type) do c( "profile" arg ( /* Juniper enhanced profile */ c( "base-filter" arg /* Juniper base filter */, "category" ( /* Juniper enhanced category */ juniper_enhanced_category_type /* Juniper enhanced category */ ), "site-reputation-action" ( /* Juniper enhanced site reputation action */ juniper_enhanced_site_reputation_setting /* Juniper enhanced site reputation action */ ), "default" ( /* Juniper enhanced profile default */ ("permit" | "block" | "log-and-permit" | "quarantine") ), "custom-block-message" arg /* Juniper enhanced custom block message sent to HTTP client */, "quarantine-custom-message" arg /* Juniper enhanced quarantine custom message */, "fallback-settings" ( /* Juniper enhanced fallback settings */ web_filtering_fallback_setting /* Juniper enhanced fallback settings */ ), "timeout" arg /* Juniper enhanced timeout */, "no-safe-search" /* Do not perform safe-search for Juniper enhanced protocol */, "block-message" ( /* Juniper enhanced block message settings */ web_filtering_block_message /* Juniper enhanced block message settings */ ), "quarantine-message" ( /* Juniper enhanced quarantine message settings */ web_filtering_quarantine_message /* Juniper enhanced quarantine message settings */ ) ) ) ) end rule(:juniper_local_type) do c( "profile" arg ( /* Juniper local profile */ c( "default" ( /* Juniper local profile default */ ("permit" | "block" | "log-and-permit") ), "category" ( /* Custom category */ custom_category_type /* Custom category */ ), "custom-block-message" arg /* Juniper local custom block message */, "quarantine-custom-message" arg /* Juniper local quarantine custom message */, "block-message" ( /* Juniper local block message settings */ web_filtering_block_message /* Juniper local block message settings */ ), "quarantine-message" ( /* Juniper local quarantine message settings */ web_filtering_quarantine_message /* Juniper local quarantine message settings */ ), "fallback-settings" ( /* Juniper local fallback settings */ web_filtering_fallback_setting /* Juniper local fallback settings */ ), "timeout" arg /* Juniper local timeout */ ) ) ) end rule(:surf_control_integrated_type) do c( "cache" ( c( "timeout" arg /* Surf control integrated cache timeout */, "size" arg /* Surf control integrated cache size */ ) ), "server" ( /* Surf control server */ server /* Surf control server */ ), "profile" arg ( /* Surf control integrated profile */ c( "category" ( /* Surf control integrated category */ surf_control_integrated_category_type /* Surf control integrated category */ ), "default" ( /* Surf control integrated profile default */ ("permit" | "block" | "log-and-permit") ), "custom-block-message" arg /* Surf control integrated custom block message */, "fallback-settings" ( /* Surf control integrated fallback settings */ web_filtering_fallback_setting /* Surf control integrated fallback settings */ ), "timeout" arg /* Surf control integrated timeout */ ) ) ) end rule(:surf_control_integrated_category_type) do arg.as(:arg) ( c( "action" ( /* Surf control integrated category type action */ ("permit" | "block" | "log-and-permit") ) ) ) end rule(:websense_type) do c( "profile" arg ( /* Websense redirect profile */ c( "server" ( /* Websense redirect server */ server /* Websense redirect server */ ), "category" ( /* Custom category */ custom_category_type /* Custom category */ ), "custom-block-message" arg /* Websense redirect custom block message */, "quarantine-custom-message" arg /* Websense redirect quarantine custom message */, "block-message" ( /* Websense redirect block message settings */ web_filtering_block_message /* Websense redirect block message settings */ ), "quarantine-message" ( /* Websense redirect quarantine message settings */ web_filtering_quarantine_message /* Websense redirect quarantine message settings */ ), "fallback-settings" ( /* Websense redirect fallback settings */ web_filtering_fallback_setting /* Websense redirect fallback settings */ ), "timeout" arg /* Websense redirect timeout */, "sockets" arg /* Websense redirect sockets number */, "account" arg /* Websense redirect account */ ) ) ) end rule(:wildcard_address_type) do arg.as(:arg) end rule(:write_option_82_type) do end rule(:zone_interface_list_type) do arg.as(:arg) ( c( "host-inbound-traffic" ( interface_host_inbound_traffic_t ) ) ) end rule(:interface_host_inbound_traffic_t) do c( "system-services" ( /* Type of incoming system-service traffic to accept */ interface_system_services_object_type /* Type of incoming system-service traffic to accept */ ), "protocols" ( /* Protocol type of incoming traffic to accept */ host_inbound_protocols_object_type /* Protocol type of incoming traffic to accept */ ) ) end rule(:host_inbound_protocols_object_type) do enum(("all" | "bfd" | "bgp" | "dvmrp" | "igmp" | "ldp" | "msdp" | "ndp" | "nhrp" | "ospf" | "ospf3" | "pgm" | "pim" | "rip" | "ripng" | "router-discovery" | "rsvp" | "sap" | "vrrp")).as(:arg) ( c( "except" /* Protocol type of incoming traffic to disallow */ ) ) end rule(:interface_system_services_object_type) do enum(("all" | "bootp" | "dhcp" | "dhcpv6" | "dns" | "finger" | "ftp" | "ident-reset" | "http" | "https" | "ike" | "netconf" | "ping" | "rlogin" | "reverse-telnet" | "reverse-ssh" | "rpm" | "rsh" | "snmp" | "snmp-trap" | "ssh" | "telnet" | "traceroute" | "xnm-ssl" | "xnm-clear-text" | "tftp" | "lsping" | "ntp" | "sip" | "r2cp" | "webapi-clear-text" | "webapi-ssl" | "tcp-encap" | "appqoe" | "any-service")).as(:arg) ( c( "except" /* Type of incoming system-service traffic to disallow */ ) ) end rule(:zone_host_inbound_traffic_t) do c( "system-services" ( /* Type of incoming system-service traffic to accept */ zone_system_services_object_type /* Type of incoming system-service traffic to accept */ ), "protocols" ( /* Protocol type of incoming traffic to accept */ host_inbound_protocols_object_type /* Protocol type of incoming traffic to accept */ ) ) end rule(:zone_system_services_object_type) do enum(("all" | "bootp" | "dhcp" | "dhcpv6" | "dns" | "finger" | "ftp" | "ident-reset" | "http" | "https" | "ike" | "netconf" | "ping" | "rlogin" | "reverse-telnet" | "reverse-ssh" | "rpm" | "rsh" | "snmp" | "snmp-trap" | "ssh" | "telnet" | "traceroute" | "xnm-ssl" | "xnm-clear-text" | "tftp" | "lsping" | "ntp" | "sip" | "r2cp" | "webapi-clear-text" | "webapi-ssl" | "tcp-encap" | "appqoe" | "any-service")).as(:arg) ( c( "except" /* Type of incoming system-service traffic to disallow */ ) ) end