FireBrick FB2500 V0.07.005 documentation

FireBrick FB2500 configuration documentation. Copyright © 2008-11 FireBrick Ltd.

Top level config

The top level config element contains all of the FireBrick configuration data.

config: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| timestamp | dateTime | Config store time | |
| patch | integer | Internal use, for s/w updates that change config syntax | |

config: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| system | system | Optional | System settings |
| user | user | Optional, unlimited | Admin users |
| syslog | syslog | Optional | Syslog controls |
| log | log | Optional, up to 100 | Log target controls (TODO) |
| services | services | Optional | General system services |
| ethernet | ethernet | Optional, unlimited | Physical port controls |
| port | portdef | Optional, up to 5 | Port grouping and naming |
| interface | interface | Optional, up to 8192 | Config ethernet port/vlan and subnets |
| ppp | pppoe | Optional, up to 10 | PPPoE client settings |
| route | route (network-base) | Optional, unlimited | Static routes |
| network | network (network-base) | Optional, unlimited | List of locally originated networks |
| loopback | loopback (network-base) | Optional, unlimited | List of extra local addresses |
| bgp | bgp | Optional, up to 10 | BGP config |
| cqm | cqm | Optional | Constant Quality Monitoring config |
| l2tp | l2tp | Optional | L2TP settings |
| fb105 | fb105 | Optional, up to 256 | FB105 tunnel settings |
| ping | ping | Optional, up to 100 | Base ping graph settings |
| profile | profile | Optional, unlimited | Control profiles |
| shaper | shaper (shaper-general) | Optional, unlimited | Named traffic shapers |
| ip-group | ip-group | Optional, unlimited | Named IP groups |
| route-override | route-override | Optional, unlimited | Routing override rules |
| rule-set | rule-set | Optional, unlimited | Firewall/mapping rules |

Firewall load sharing

Firewall actions for load sharing

session-share: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| weight | positiveInteger | Weighting of load share | 1 |
| set-source-ip | IPAddr | New source IP | |
| set-source-port | unsignedShort | New source port | |
| set-nat | boolean | Changed source IP and port to local for NAT | |
| set-target-ip | IPAddr | New target IP | |
| set-target-port | unsignedShort | New target port | |
| set-graph | string | Graph name for shaping/logging | |
| set-gateway | IPAddr | New gateway | |
| set-table | routetable 0-99 | Set new routing table | |
| profile | string | Profile name | |

Firewall rules

Firewall rule

session-rule: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| source-ip | List of IPNameRange | IP ranges for source IP check | |
| source-port | List of PortRange | Source port(s) | |
| source-interface | List of string | Source interface(s) | |
| target-ip | List of IPNameRange | IP ranges for target IP check | |
| target-port | List of PortRange | Target port(s) | |
| target-interface | List of string | Target interface(s) | |
| protocol | List of unsignedByte | Protocol(s) | |
| ip | List of IPNameRange | IP ranges for either IP check | |
| interface | List of string | Source or target interface(s) | |
| set-source-ip | IPAddr | New source IP | |
| set-source-port | unsignedShort | New source port | |
| set-nat | boolean | Changed source IP and port to local for NAT | |
| set-target-ip | IPAddr | New target IP | |
| set-target-port | unsignedShort | New target port | |
| set-graph | string | Graph name for shaping/logging | |
| set-gateway | IPAddr | New gateway | |
| set-table | routetable 0-99 | Set new routing table | |
| set-initial-time-out | duration | Initial time-out | |
| set-ongoing-time-out | duration | Ongoing time-out | |
| log | boolean | Log this session | |
| action | firewall-action | If drop/reject then rule checking now and set to drop/reject. Also works as drop, which is deprecated | Finish this rule-set and continue to next |
| profile | string | Profile name | |
| comment | string | Comment | |

session-rule: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| share | session-share | Optional, unlimited | Load shared actions |

Firewall/mapping rule set

Firewalling rule set with entry criteria and default actions

rule-set: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Applicable routing table | 0 |
| source-ip | List of IPNameRange | IP ranges for source IP check | |
| source-port | List of PortRange | Source port(s) | |
| source-interface | List of string | Source interface(s) | |
| target-ip | List of IPNameRange | IP ranges for target IP check | |
| target-port | List of PortRange | Target port(s) | |
| target-interface | List of string | Target interface(s) | |
| protocol | List of unsignedByte | Protocol(s) | |
| ip | List of IPNameRange | IP ranges for either IP check | |
| interface | List of string | Source or target interface(s) | |
| log | boolean | Log this session | |
| no-match-action | firewall-action | Default if no rule matches. Also works as drop, which is deprecated | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

rule-set: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| rule | session-rule | Optional, unlimited | Individual rules, first match applies |
| ip-group | ip-group | Optional, unlimited | Named IP groups |

Route override load sharing

Route override setting for load sharing

session-route-share: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| weight | positiveInteger | Weighting of load share | 1 |
| set-gateway | IPAddr | New gateway | |
| set-nat | boolean | Changed source IP and port to local for NAT | |
| set-graph | string | Graph name for shaping/logging | |
| profile | string | Profile name | |

Routing override rule

Routing override rule

session-route-rule: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| source-ip | List of IPNameRange | IP ranges for source IP check | |
| source-port | List of PortRange | Source port(s) | |
| source-interface | List of string | Source interface(s) | |
| target-ip | List of IPNameRange | IP ranges for target IP check | |
| target-port | List of PortRange | Target port(s) | |
| target-interface | List of string | Target interface(s) | |
| protocol | List of unsignedByte | Protocol(s) | |
| set-gateway | IPAddr | New gateway | |
| set-nat | boolean | Changed source IP and port to local for NAT | |
| set-graph | string | Graph name for shaping/logging | |
| profile | string | Profile name | |
| comment | string | Comment | |

session-route-rule: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| share | session-route-share | Optional, unlimited | Load shared actions |

Routing override rules

Routing override rules

route-override: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Applicable routing table | 0 |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

route-override: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| rule | session-route-rule | Optional, unlimited | Individual rules, first match applies |

IP Group

Named IP group

ip-group: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | Not optional |
| ip | List of IPRange | One or more IP ranges or IP/len | |
| users | List of string | Include IP of logged in web users | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

Traffic shaper override based on profile

Settings for a named traffic shaper

shaper-override: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| tx | unsignedInt | Egress rate limit/target. Also works as egress, which is deprecated | |
| tx-min | unsignedInt | Egress rate limit min. Also works as egress-min, which is deprecated | |
| tx-max | unsignedInt | Egress rate limit max. Also works as egress-max, which is deprecated | |
| tx-step | unsignedInt | Egress rate adjust step. Also works as egress-step, which is deprecated | |
| tx-interval | duration | Egress rate adjust interval. Also works as egress-interval, which is deprecated | PT1H |
| rx | unsignedInt | Ingress rate limit. Also works as ingress, which is deprecated | |
| rx-min | unsignedInt | Ingress rate limit min. Also works as ingress-mi, which is deprecated | |
| rx-max | unsignedInt | Ingress rate limit max. Also works as ingress-max, which is deprecated | |
| rx-step | unsignedInt | Ingress rate adjust step. Also works as ingress-step, which is deprecated | |
| rx-interval | duration | Ingress rate adjust interval. Also works as ingress-interval, which is deprecated | PT1H |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| profile | string | Profile name | Not optional |

Traffic shaper

Settings for a named traffic shaper

shaper: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| tx | unsignedInt | Egress rate limit/target. Also works as egress, which is deprecated | |
| tx-min | unsignedInt | Egress rate limit min. Also works as egress-min, which is deprecated | |
| tx-max | unsignedInt | Egress rate limit max. Also works as egress-max, which is deprecated | |
| tx-step | unsignedInt | Egress rate adjust step. Also works as egress-step, which is deprecated | |
| tx-interval | duration | Egress rate adjust interval. Also works as egress-interval, which is deprecated | PT1H |
| rx | unsignedInt | Ingress rate limit. Also works as ingress, which is deprecated | |
| rx-min | unsignedInt | Ingress rate limit min. Also works as ingress-mi, which is deprecated | |
| rx-max | unsignedInt | Ingress rate limit max. Also works as ingress-max, which is deprecated | |
| rx-step | unsignedInt | Ingress rate adjust step. Also works as ingress-step, which is deprecated | |
| rx-interval | duration | Ingress rate adjust interval. Also works as ingress-interval, which is deprecated | PT1H |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| name | string | Graph name | Not optional |

shaper: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| override | shaper-override (shaper-general) | Optional, unlimited | Profile specific variations on main settings |

Control profile ping test

Ping targets

profile-ping: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| ip | IPAddr | Target IP | Not optional |
| ttl | unsignedByte | Time to live / Hop limit | |
| flow | unsignedShort | Flow label (IPv6) | |
| source-ip | IPAddr | Source IP. Also works as source, which is deprecated | |
| gateway | IPAddr | Ping via specific gateway | |

Control profile time range

Time range test in profiles

profile-time: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| days | Set of day | Which days of week apply, default all | |
| start | time | Start time | |
| stop | time | End time | |

Control profile by specific date/time range

Time range test in profiles

profile-date: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| start | dateTime | Start date/time | |
| stop | dateTime | End date/time | |

Control profile

General control profile. If 'set' is set, then profile is overridden manually, else... If 'or' references an active profile this profile is active, else... If all tests pass or are not specified then this profile is active.

Profile is active
profile: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Profile name | Not optional |
| log | boolean | Log state changes | true |
| interval | duration | Test frequency | 1 |
| timeout | duration | Time before timeout (i.e. how long test has been failing for) | 10 |
| recover | duration | Time before recover (i.e. how long test has been passing for) | 1 |
| vrrp | List of string | VRRP state (any of these is master) | |
| fb105 | List of string | FB105 tunnel state (any of these active) | |
| ppp | List of string | PPP link state (any of these are up) | |
| route | List of IPAddr | IPs, all of which must be routable to pass | |
| set | boolean | Manual override, ignore all tests | |
| and | List of string | Test: other profiles all active | |
| not | string | Test: another profile is not active | |
| or | List of string | Active if any of these other profiles active | |
| table | routetable 0-99 | Routing table for ping/route | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

profile: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| date | profile-date | Optional, unlimited | Specific date/time ranges |
| time | profile-time | Optional, unlimited | Time ranges |
| ping | profile-ping | Optional | Ping test |

Ping/graph definition

Base ping config - additional ping targets set via web API or other means

ping: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| graph | string | Graph name | |
| ip | IPAddr | Far end IP | Not optional |
| table | routetable 0-99 | Routing table number for sending syslogs | 0 |
| slow | boolean | Slow polling | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

FB105 routes

Routes for prefixes that are sent to the FB105 tunnel when up

fb105-route: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Routing table number | 0 |
| localpref | unsignedInt | Localpref of network | 4294967295 |
| as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
| profile | string | Profile name | |
| bgp | bgpmode | BGP announce mode for routes | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| ip | List of IPPrefix | One or more network prefixes | Not optional |

FB105 tunnel definition

FB105 tunnel definition

Tunnel is up
fb105: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| local-id | unsignedByte | Unique local end tunnel ID. Also works as id, which is deprecated | Not optional |
| remote-id | unsignedByte | Unique remote end tunnel ID | Not optional |
| set | unsignedByte | Set ID for reorder ID tagging | |
| mtu | unsignedShort | MTU for wrapped packets | 1500 |
| name | string | Name | |
| table | routetable 0-99 | Routing table number for tunnel wrappers | 0 |
| payload-table | routetable 0-99 | Routing table number for payload traffic | Same as table |
| graph | string | Graph name | |
| ip | IP4Addr | Far end IP | dynamic tunnel |
| local-ip | IP4Addr | Force specific local end IP | |
| internal-ip | IP4Addr | Internal IP for traffic originated and sent down tunnel | local-ip |
| routes | List of IPPrefix | Routes when link up | |
| localpref | unsignedInt | Localpref for route | 4294967295 |
| bgp | bgpmode | BGP announce mode for routes | |
| secret | Secret | Shared secret for tunnel | Unsigned |
| sign-all | boolean | All packets must be signed, not just keepalives | false |
| fast-udp | boolean | Do not re-order UDP packets | true |
| keep-alive | boolean | Constantly send keep alive packets | true if ip set |
| tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
| speed | unsignedInt | Egress rate limit used to load balance. Also works as egress, which is deprecated | no shaping |
| log | boolean | Log information and state changes | true |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

fb105: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| route | fb105-route (network-base) | Optional, unlimited | Routes to apply to tunnel when up |

RADIUS accounting server settings

Server settings for RADIUS Accounting for L2TP

radius-acct: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| secret | Secret | Shared secret for RADIUS requests | Not optional |
| table | routetable 0-99 | Routing table number | |
| ip | List of IPAddr | One or more IPs of RADIUS servers (picked at random) | Not optional |
| relay-nas-ip | boolean | Pass remote L2TP endpoint as NAS IP | |
| fail-count | unsignedInt | How many failures in a row before blacklisting | 20 |
| fail-time | duration | How long to blacklist before retrying (secs) | 120 |
| attempts | unsignedInt | How many concurrent requests to this server before trying next | 200 |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| timeout | duration | Min retry timeout on RADIUS requests | 20 |
| port | unsignedShort | Accounting UDP port | 1813 |

RADIUS authentication server settings

Server settings for RADIUS Authentication for L2TP

radius-auth: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| secret | Secret | Shared secret for RADIUS requests | Not optional |
| table | routetable 0-99 | Routing table number | |
| ip | List of IPAddr | One or more IPs of RADIUS servers (picked at random) | Not optional |
| relay-nas-ip | boolean | Pass remote L2TP endpoint as NAS IP | |
| fail-count | unsignedInt | How many failures in a row before blacklisting | 20 |
| fail-time | duration | How long to blacklist before retrying (secs) | 120 |
| attempts | unsignedInt | How many concurrent requests to this server before trying next | 200 |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| timeout | duration | Min retry timeout on RADIUS requests | 5 |
| port | unsignedShort | Authentication UDP port | 1812 |

Relay and local authentication rules for L2TP

Rules for relaying L2TP or local authentication

l2tp-relay: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| graph | string | Graph name | |
| user-name | List of string | One or more patterns to match user-name | |
| password | Secret | Password check | |
| calling-station-id | List of string | One or more patterns to match calling-station-id | |
| called-station-id | List of string | One or more patterns to match called-station-id | |
| remote-ip | IP4Addr | Remote end PPP IPv4 (local auth) | |
| localpref | unsignedInt | Localpref for remote-ip/routes | 4294967295 |
| routes | List of IPPrefix | Additional routes when link up (local auth) | |
| relay-ip | List of IPAddr | Target IP(s) for L2TP connection. Also works as target-ip, which is deprecated | |
| relay-secret | Secret | Shared secret for L2TP connection. Also works as target-secret, which is deprecated | |
| relay-hostname | string | Hostname for L2TP connection. Also works as target-hostname, which is deprecated | |
| test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

L2TP settings for incoming L2TP connections

L2TP tunnel settings for incoming L2TP connections

l2tp-incoming: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| hostname | string | Hostname quoted on incoming tunnel | |
| secret | Secret | Shared secret | |
| graph | string | Graph name | |
| table | routetable 0-99 | Routing table number for L2TP session | |
| test | List of IPAddr | List of IPs to which routing must exist else tunnel dropped (deprecated) | |
| payload-table | routetable 0-99 | Routing table number for payload traffic | |
| bgp | bgpmode | BGP announce mode for routes | |
| allow | List of IPNameRange | List of IP ranges from which connects can be made | |
| mtu | unsignedShort | Default MTU for sessions in this tunnel | |
| ipv6ep | IP4Addr | Local end IPv4 for IPv6 tunnels | |
| pppip | IP4Addr | Local end PPP IPv4 | |
| pppdns1 | IP4Addr | PPP DNS1 IPv4 default | |
| pppdns2 | IP4Addr | PPP DNS2 IPv4 default | |
| dhcpv6dns | List of IP6Addr | List of IPv6 DNS servers | |
| dos-limit | unsignedInt | Per second per session tx packet drop limit for DOS protection | 10000 |
| speed | unsignedInt | Default egress rate limit. Also works as tx-speed, which is deprecated | |
| hdlc | boolean | Send HDLC header (FF03) on all PPP frames | true |
| slow-poll | boolean | Reduce poll rate (deprecated) | false |
| lcp-rate | unsignedByte | LCP interval (seconds) | 1 |
| lcp-timeout | unsignedByte | LCP timeout (seconds) | 10 |
| tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | false |
| lcp-mru-fix | boolean | Restart LCP if RAS negotiated MRU is too high | false |
| require-platform | boolean | All sessions require a platform RADIUS first | false |
| icmp-ppp | boolean | Use PPP endpoint for ICMP | false |
| damping | boolean | Apply damping to sessions if limiting on shaper | false |
| shutdown | boolean | Refuse all new sessions or tunnels | false |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

l2tp-incoming: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| match | l2tp-relay | Optional, unlimited | Rules for relaying inbound connections to outbound |

L2TP settings

L2TP settings list the incoming and outgoing L2TP connections allowed

l2tp: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| accounting-interval | duration | Periodic interim accounting interval | 3600 |

l2tp: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| incoming | l2tp-incoming | Optional, unlimited | Incoming L2TP connections |
| authentication | radius-auth (radius) | Optional, unlimited | RADIUS authentication server settings |
| accounting | radius-acct (radius) | Optional, unlimited | RADIUS accounting server settings |

Constant Quality Monitoring settings

Constant quality monitoring (graphs and data) have a number of settings. Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases.

cqm: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| secret | Secret | Secret for MD5 coded URLs | |
| heading | string | Heading of graph | |
| subheading | string | Subheading of graph | |
| text1 | string | Text line 1 | |
| text2 | string | Text line 2 | |
| text3 | string | Text line 3 | |
| text4 | string | Text line 4 | |
| background | Colour | Background colour | white |
| graticule | Colour | Graticule colour | grey |
| axis | Colour | Axis colour | black |
| label-fail | string | Label for seconds (%) failed | Fail |
| label-damp | string | Label for % shaper damping | Damp% |
| fail | Colour | Colour for failed (dropped) seconds | red |
| label-sent | string | Label for seconds polled | Sent |
| sent | Colour | Colour for polled seconds | #ff8 |
| label-off | string | Label for off line seconds | Off |
| off | Colour | Colour for off line seconds | #c8f |
| label-min | string | Label for minimum latency | Min |
| min | Colour | Colour for minimum latency | blue |
| label-ave | string | Label for average latency | Ave |
| ave | Colour | Colour for average latency | #0cc |
| label-max | string | Label for maximum latency | Max |
| max | Colour | Colour for maximum latency | green |
| label-tx | string | Label for Tx traffic level. Also works as label-down, which is deprecated | Tx |
| tx | Colour | Colour for Tx traffic level. Also works as down, which is deprecated | #080 |
| label-rx | string | Label for Rx traffic level. Also works as label-up, which is deprecated | Rx |
| rx | Colour | Colour for Rx traffic level. Also works as up, which is deprecated | #800 |
| text | Colour | Colour for text | black |
| outside | Colour | Colour for outer border | transparent |
| fblogo | Colour | Colour for logo | #c00 |
| label-latency | string | Label for latency | Latency |
| label-shaper | string | Label for shaper | Shaper |
| label-poll | string | Label for polls | Polls |
| label-traffic | string | Label for traffic level | Traffic (bit/s) |
| label-time | string | Label for time | Time |
| label-score | string | Label for score | Score |
| label-period | string | Label for period | Period |
| timeformat | string | Time format | %Y-%m-%d %H:%M:%S |
| hourformat | string | Hour format | %H |
| dateformat | string | Date format | %Y-%m-%d |
| dayformat | string | Day format | %a |
| key | unsignedByte | Pixels space for key | 90 |
| left | unsignedByte | Pixels space left of main graph | 0 |
| right | unsignedByte | Pixels space right of main graph | 50 |
| top | unsignedByte | Pixels space at top of graph | 4 |
| bottom | unsignedByte | Pixels space at bottom of graph | 11 |
| fail-level1 | unsignedByte | Loss level 1 | 3 |
| fail-score1 | unsignedByte | Score for on/above level 1 | 100 |
| fail-level2 | unsignedByte | Loss level 2 | 50 |
| fail-score2 | unsignedByte | Score for on/above level 2 | 200 |
| latency-level1 | unsignedInt | Latency level 1 (ns) | 100000000 |
| latency-score1 | unsignedByte | Score for on/above level 1 | 10 |
| latency-level2 | unsignedInt | Latency level 2 (ns) | 500000000 |
| latency-score2 | unsignedByte | Score for on/above level 2 | 20 |
| latency-usage | unsignedInt | Usage below which latency is not expected | 128000 |
| latency-level | unsignedInt | Latency level not expected on low usage | 100000000 |
| latency-score | unsignedByte | Score for high latency and low usage | 200 |
| fail-usage | unsignedInt | Usage below which fail is not expected | 128000 |
| fail-level | unsignedInt | Fail level not expected on low usage | 1 |
| fail-score | unsignedByte | Score for fail and low usage | 200 |

Individual mapping/filtering rule

An individual rule for BGP mapping/filtering

bgprule: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| drop | boolean | Do not import/export this prefix | false |
| detag | List of Community | List of community tags to remove | |
| tag | List of Community | List of community tags to add | |
| localpref | unsignedInt | Set localpref | 100 |
| med | unsignedInt | Set MED | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| prefix | List of IPFilter | Prefixes that this rule applies to | |

Mapping and filtering rules of BGP prefixes

This defines the rules for mapping and filtering of prefixes to/from a BGP peer.

bgpmap: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| drop | boolean | Do not import/export this prefix | false |
| detag | List of Community | List of community tags to remove | |
| tag | List of Community | List of community tags to add | |
| localpref | unsignedInt | Set localpref | 100 |
| med | unsignedInt | Set MED | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| prefix | List of IPFilter | Drop all that are not in this prefix list | |

bgpmap: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| match | bgprule (bgpruleaction) | Optional, unlimited | List rules, in order of checking |

BGP peer definitions

The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers.

bgppeer: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| type | peertype | Type of neighbour (affects some defaults) | normal |
| ip | List of IPAddr | One or more IPs of neighbours (omit to allow incoming) | |
| as | unsignedInt | Peer AS | |
| md5 | Secret | MD5 signing secret | |
| ttl-security | unsignedByte | Enable RFC5082 TTL security for specified number of hops (set to 1 for adjacent router) and set both ends | |
| holdtime | unsignedInt | Hold time | 30 |
| timer-openwait | unsignedInt | Time to wait for OPEN on connection | 10 |
| timer-retry | unsignedInt | Time to retry the neighbour | 10 |
| timer-idle | unsignedInt | Idle time after error | 60 |
| capability-mpe-ipv4 | boolean | If supporting MPE for IPv4 | true |
| capability-mpe-ipv6 | boolean | If supporting MPE for IPv6 | true |
| capability-as4 | boolean | If supporting AS4 | true |
| capability-graceful-restart | boolean | If supporting Graceful Restart | true |
| capability-route-refresh | boolean | If supporting Route Refresh | true |
| same-ip-type | boolean | Only accept/send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers | true |
| next-hop-self | boolean | Force us as next hop outbound | false |
| allow-own-as | boolean | Allow our AS inbound | |
| add-own-as | boolean | Add our AS on exported routes | |
| in-soft | boolean | Mark received routes as soft | |
| no-fib | boolean | Don't include received routes in packet forwarding | |
| allow-only-their-as | boolean | Only accept routes that are solely the peer's AS | |
| allow-export | boolean | Ignore no-export community and export anyway | |
| drop-default | boolean | Ignore default route received | false |
| send-default | boolean | Send a default route to this peer | false |
| send-no-routes | boolean | Don't send any normal routes | false |
| ignore-bad-optional-partial | boolean | Ignore routes with a recognised badly formed optional that is flagged partial | true |
| shutdown | boolean | Shutdown this neighbour | |
| log | boolean | Log inbound route updates | |
| pad | unsignedByte | Pad our AS by this many | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| max-prefix | bgp-prefix-limit 1-1000 | Limit prefixes (IPv4+IPv6) | 10000 |

bgppeer: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| import | bgpmap (bgpruleaction) | Optional, unlimited | Mapping and filtering rules of accepting prefixes from peer |
| export | bgpmap (bgpruleaction) | Optional, unlimited | Mapping and filtering rules of announcing prefixes to peer |

Overall BGP settings

The BGP element defines general BGP settings and a list of peer definitions for the individual BGP peers.

bgp: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Routing table number | 0 |
| as | unsignedInt | Our AS | |
| id | IP4Addr | Our router ID | |
| cluster-id | IP4Addr | Our cluster ID | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

bgp: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| peer | bgppeer (bgppeer-base) | Optional, up to 50 | List of peers/neighbours |
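
A defender-side check built from the fb105, l2tp-incoming and bgppeer attribute tables above, added here as an example and not FireBrick's own code: it parses a config and reports tunnels and peers that lack the authentication attributes those tables list. The XML serialization of the config, the constructed sample and all helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Element nesting follows the Elements tables on
# this page (config > fb105, config > l2tp > incoming, config > bgp > peer);
# the XML form, names, addresses and secrets are assumptions for illustration.
SAMPLE_CONFIG = """<config>
  <fb105 name="branch" local-id="1" remote-id="2" ip="192.0.2.10"/>
  <fb105 name="dc" local-id="3" remote-id="4" secret="constructed-secret"/>
  <fb105 name="hq" local-id="5" remote-id="6" secret="constructed-secret" sign-all="true"/>
  <l2tp>
    <incoming name="carrier" hostname="lns1"/>
    <incoming name="wholesale" secret="constructed-secret" allow="198.51.100.0/24"/>
  </l2tp>
  <bgp as="64512">
    <peer name="transit" as="64513" ip="203.0.113.1"/>
    <peer name="ix" as="64514" ip="203.0.113.9" md5="constructed-secret" ttl-security="1"/>
  </bgp>
</config>"""


def local(tag):
    """Strip any XML namespace so the audit works with or without one."""
    return tag.rsplit("}", 1)[-1]


def children(node, name):
    """Direct child elements with the given local name."""
    return [c for c in node if local(c.tag) == name]


def is_true(node, attr):
    """Boolean attribute check (assumes xs:boolean style true/1)."""
    return node.get(attr, "").strip().lower() in ("true", "1")


def label(node, index):
    """Use the name attribute if set, else the element's position."""
    return node.get("name") or "#%d" % index


def audit(xml_text):
    """Return (type, name, attribute, reason) for each weakly authenticated item."""
    root = ET.fromstring(xml_text)
    findings = []

    # fb105: the secret default is documented as "Unsigned"; sign-all defaults
    # to false, so signing is not required on every packet.
    for i, tunnel in enumerate(children(root, "fb105"), 1):
        who = label(tunnel, i)
        if not tunnel.get("secret"):
            findings.append(("fb105", who, "secret",
                             "no shared secret, tunnel is unsigned"))
        elif not is_true(tunnel, "sign-all"):
            findings.append(("fb105", who, "sign-all",
                             "signing is not required on all packets"))

    # l2tp-incoming: shared secret and the allow list of source IP ranges.
    for l2tp in children(root, "l2tp"):
        for i, inc in enumerate(children(l2tp, "incoming"), 1):
            who = label(inc, i)
            if not inc.get("secret"):
                findings.append(("l2tp-incoming", who, "secret",
                                 "no shared secret set"))
            if not inc.get("allow"):
                findings.append(("l2tp-incoming", who, "allow",
                                 "no allow list of source IP ranges set"))

    # bgppeer: MD5 signing secret and RFC5082 TTL security.
    for bgp in children(root, "bgp"):
        for i, peer in enumerate(children(bgp, "peer"), 1):
            who = label(peer, i)
            if not peer.get("md5"):
                findings.append(("bgppeer", who, "md5",
                                 "no MD5 signing secret set"))
            if not peer.get("ttl-security"):
                findings.append(("bgppeer", who, "ttl-security",
                                 "RFC5082 TTL security not enabled"))
    return findings


if __name__ == "__main__":
    for kind, who, attr, reason in audit(SAMPLE_CONFIG):
        print("%-14s %-10s %-13s %s" % (kind, who, attr, reason))
```
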

Locally originated networks

Loopback addresses define local IP addresses

loopback: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Routing table number | 0 |
| localpref | unsignedInt | Localpref of network | 4294967295 |
| as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
| profile | string | Profile name | |
| bgp | bgpmode | BGP announce mode for routes | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| ip | List of IPAddr | One or more local network addresses | Not optional |

Locally originated networks

Network settings define prefixes which are to be announced by some routing protocol but do not actually have a routing entry.

network: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Routing table number | 0 |
| localpref | unsignedInt | Localpref of network | 4294967295 |
| as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
| profile | string | Profile name | |
| bgp | bgpmode | BGP announce mode for routes | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| ip | List of IPPrefix | One or more local network prefixes | Not optional |

Static routes

Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.

route: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Routing table number | 0 |
| localpref | unsignedInt | Localpref of network | 4294967295 |
| as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
| profile | string | Profile name | |
| bgp | bgpmode | BGP announce mode for routes | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| speed | unsignedInt | Egress rate limit | |
| graph | string | Graph name | |
| ip | List of IPPrefix | One or more local network prefixes | Not optional |
| gateway | List of IPAddr | One or more target gateway IPs | |

PPP routes

Routes that apply when link is up

ppp-route: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| table | routetable 0-99 | Routing table number | 0 |
| localpref | unsignedInt | Localpref of network | 4294967295 |
| as-path | List of up to 10 unsignedInt | Custom AS path as if network received | |
| profile | string | Profile name | |
| bgp | bgpmode | BGP announce mode for routes | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| ip | List of IPPrefix | One or more local network prefixes | Not optional |

PPPoE client settings

PPPoE client endpoint settings

PPP is up
pppoe: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| port | string | Physical port number, or port group name. Also works as ports, which is deprecated | 0 |
| vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
| service | string | Service name | Any service |
| ac-name | string | Access concentrator name | Any a/c name |
| username | string | User name | |
| password | Secret | User password | |
| mtu | unsignedShort | MTU for link | 1492 |
| speed | unsignedInt | Default egress rate limit | |
| tcp-mss-fix | boolean | Adjust MSS option in TCP SYN to fix session MSS | true |
| slow-poll | boolean | Reduce LCP poll rate and timeout by factor of 16 (deprecated) | false |
| lcp-rate | unsignedByte | LCP interval (seconds) | 10 |
| lcp-timeout | unsignedByte | LCP timeout (seconds) | 61 |
| routes | List of IPPrefix | Routes when link up | Default gateway |
| localpref | unsignedInt | Localpref for route | 4294967295 |
| bgp | bgpmode | BGP announce mode for routes | |
| table | routetable 0-99 | Routing table number for payload | From interface |
| local | IP4Addr | Local IPv4 address | |
| remote | IP4Addr | Remote IPv4 address | |
| graph | string | Graph name | |
| log | boolean | Log PPP negotiation and state change | |
| mode | pppoe-mode | PPPoE server/client mode | client |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

pppoe: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| route | ppp-route (network-base) | Optional, unlimited | Routes to apply when ppp link is up |

Internal port group ID
Our MAC offset

DHCP server attributes

Additional DHCP server attributes (IP)

dhcp-attr-ip: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| id | unsignedByte | Attribute type code | Not optional |
| value | IP4Addr | Value | Not optional |
| force | boolean | Send even if not requested | |
| comment | string | Comment | |

DHCP server attributes

Additional DHCP server attributes (number)

dhcp-attr-number: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| id | unsignedByte | Attribute type code | Not optional |
| value | unsignedInt | Value | Not optional |
| force | boolean | Send even if not requested | |
| comment | string | Comment | |

DHCP server attributes

Additional DHCP server attributes (string)

dhcp-attr-string: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| id | unsignedByte | Attribute type code | Not optional |
| value | string | Value | Not optional |
| force | boolean | Send even if not requested | |
| comment | string | Comment | |

DHCP server attributes

Additional DHCP server attributes (hex)

dhcp-attr-hex: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| id | unsignedByte | Attribute type code | Not optional |
| value | hexBinary | Value | Not optional |
| force | boolean | Send even if not requested | |
| comment | string | Comment | |

DHCP server settings

Settings for DHCP server

dhcps: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| ip | List of IP4Range | Address pool | 0.0.0.0/0 |
| mac | List of up to 12 macprefix (hexBinary) | Partial or full MAC addresses | |
| client-name | string | Client name match | |
| class | string | Class match | |
| gateway | List of IP4Addr | Gateway | Our IP |
| dns | List of IP4Addr | DNS resolvers | Our IP |
| time | List of IP4Addr | Time server | Our IP |
| ntp | List of IP4Addr | NTP server | From system settings |
| syslog | List of IP4Addr | Syslog server | From system settings |
| domain | string | DNS domain | From system settings |
| boot | IP4Addr | Next/boot server | |
| boot-file | string | Boot filename | |
| lease | duration | Lease length | PT2H |
| force | boolean | Send all options even if not requested | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

dhcps: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send |
| send-string | dhcp-attr-string | Optional, unlimited | Additional string attributes to send |
| send-number | dhcp-attr-number | Optional, unlimited | Additional numeric attributes to send |
| send-ip | dhcp-attr-ip | Optional, unlimited | Additional IP attributes to send |

VRRP settings

VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority.

Profile is active
vrrp: Attributes

| Attribute | Type | Description | Default |
|---|---|---|---|
| name | string | Name | |
| ip | List of IP4Addr | One or more IP addresses to announce | Not optional |
| vrid | unsignedByte | VRID | Not optional |
| priority | unsignedByte | Normal priority | 100 |
| interval | unsignedByte | Transit interval (sec) | 1 |
| preempt | boolean | Whether pre-empt allowed | true |
| test | List of IPAddr | List of IPs to which routing must exist else low priority (deprecated) | |
| low-priority | unsignedByte | Lower priority applicable until routing established | 1 |
| delay | unsignedInt | Delay after routing established before priority returns to normal | 10 |
| use-vmac | boolean | Whether to use the special VMAC or use normal MAC | false |
| answer-ping | boolean | Whether to answer PING to VRRP IPs when master | true |
| log-errors | boolean | Log errors | false |
| log | boolean | Log state changes | true |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
Profile is active

Subnet settings

Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.

subnet: Attributes
| Attribute | Type | Description | Default |
| name | string | Name | |
| ip | List of IPSubnet | One or more IP/len | Automatic by DHCP |
| gateway | List of IPAddr | One or more gateways to install | |
| ra | ramode | Whether to announce IPv6 RA for this subnet | false |
| ra-max | ra-max 4-1800 | Max RA send interval | 600 |
| ra-min | ra-min 3-1350 | Min RA send interval | |
| ra-managed | dhcpv6control | RA 'M' (managed) flag | |
| ra-other | dhcpv6control | RA 'O' (other) flag | |
| ra-profile | string | Profile, if inactive then forces low priority RA | |
| ra-mtu | unsignedShort | MTU to use on RA | As subnet |
| ra-dns | List of IP6Addr | List of recursive DNS servers in route announcements. Also works as rdnss, which is deprecated | |
| localpref | unsignedInt | Localpref for subnet | 4294967295 |
| bgp | bgpmode | BGP announce mode for routes | |
| mtu | unsignedShort | MTU for subnet | |
| ttl | unsignedByte | TTL for originating traffic via subnet | 64 |
| arp-timeout | unsignedShort | Max lifetime on ARP and ND | 60 |
| broadcast | boolean | If broadcast address allowed | false |
| proxy-arp | boolean | Answer ARP/ND by proxy if we have routing | false |
| nat | boolean | Shortcut to set nat default mode on all IPv4 traffic from subnet (can be overridden by firewall rules) | false |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

Physical/VLAN interface settings

The interface definition relates to a specific physical port and VLAN. It includes subnets and VRRP that apply to that interface.

interface: Attributes
| Attribute | Type | Description | Default |
| name | string | Name | |
| port | string | Physical port number, or port group name. Also works as ports, which is deprecated | 1 |
| vlan | vlan 0-4095 | VLAN ID (0=untagged) | 0 |
| graph | string | Graph name | |
| mtu | unsignedShort | MTU for this interface | 1500 |
| ra-client | boolean | Accept IPv6 RA and create auto config subnets and routes. Also works as ra, which is deprecated | true |
| table | routetable 0-99 | Routing table applicable | 0 |
| ping | IPAddr | Ping address to add loss/latency to graph for interface | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
interface: Elements
| Element | Type | Instances | Description |
| subnet | subnet | Optional, unlimited | Define subnet |
| vrrp | vrrp | Optional, unlimited | Define VRRP settings |
| dhcp | dhcps | Optional, unlimited | DHCP server settings |

Port grouping and naming

Port grouping and naming

portdef: Attributes
| Attribute | Type | Description | Default |
| name | string | Name | |
| ports | Set of port | Physical port(s). Also works as port, which is deprecated | Not optional |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

Physical port controls

Physical port attributes

ethernet: Attributes
| Attribute | Type | Description | Default |
| port | port | Physical port | Not optional |
| autoneg | boolean | Perform link auto-negotiation | true |
| shutdown | boolean | Power down this port | false |
| crossover | Crossover | Port crossover configuration | auto |
| speed | LinkSpeed | Speed setting for this port | auto |
| duplex | LinkDuplex | Duplex setting for this port | auto |
| flow | LinkFlow | Flow control setting | none |
| clocking | LinkClock | Gigabit clock setting | prefer-master |
| yellow | LinkLED | Yellow LED setting | Tx |
| green | LinkLED | Green LED setting | Link/Activity |

Matching rules for platform RADIUS

Rules for matching RADIUS requests

platform-radius-match: Attributes
| Attribute | Type | Description | Default |
| name | string | Name | |
| target-ip | List of IPAddr | Target IP(s) for L2TP connection | |
| target-secret | Secret | Shared secret for L2TP connection | |
| target-hostname | string | Hostname for L2TP connection | |
| relay-ip | List of IPAddr | Address to copy RADIUS request | |
| relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
| relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
| nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
| nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
| nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
| tunnel-client-return | boolean | Return tunnel client as radius IP | |
| tunnel-assignment-id | string | Tunnel Assignment ID to send | |
| class | string | Class field to send | |
| dummy-ip | boolean | Send dummy framed IP response | true |
| tagged | boolean | Tag all attributes that can be | |
| test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| user-name | List of string | One or more patterns to match user-name | |
| calling-station-id | List of string | One or more patterns to match calling-station-id | |
| called-station-id | List of string | One or more patterns to match called-station-id | |

Platform RADIUS definition

Platform RADIUS server and proxy definitions

platform-radius: Attributes
| Attribute | Type | Description | Default |
| name | string | Name | |
| target-ip | List of IPAddr | Target IP(s) for L2TP connection | |
| target-secret | Secret | Shared secret for L2TP connection | |
| target-hostname | string | Hostname for L2TP connection | |
| relay-ip | List of IPAddr | Address to copy RADIUS request | |
| relay-port | unsignedShort | Authentication UDP port for copy RADIUS request | 1812 |
| relay-table | routetable 0-99 | Routing table number for copy of RADIUS request | |
| nsn-conditional | boolean | Only send NSN settings if username is not same as calling station id | |
| nsn-tunnel-user-auth-method | unsignedInt | Additional response for GGSN usage | |
| nsn-tunnel-override-username | unsignedByte | Additional response for GGSN usage | |
| tunnel-client-return | boolean | Return tunnel client as radius IP | |
| tunnel-assignment-id | string | Tunnel Assignment ID to send | |
| class | string | Class field to send | |
| dummy-ip | boolean | Send dummy framed IP response | true |
| tagged | boolean | Tag all attributes that can be | |
| test | List of IPAddr | List of IPs that must have routing for this target to be valid (deprecated) | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| port | unsignedShort | Authentication UDP port | 1812 |
| acct-port | unsignedShort | Accounting UDP port | 1813 |
| secret | Secret | Shared secret for RADIUS requests (needed for replies) | |
platform-radius: Elements
| Element | Type | Instances | Description |
| match | platform-radius-match (platform-radius-target) | Optional, unlimited | Matching rules for specific responses |

DNS service settings

Web management pages

dns-service: Attributes
| Attribute | Type | Description | Default |
| table | routetable 0-99 | Routing table number | 0 |
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | |
| log | boolean | Log | true |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| domain | string | Our domain | |
| resolvers | List of IPAddr | Recursive DNS resolvers to use | |

HTTP service settings

Web management pages

http-service: Attributes
| Attribute | Type | Description | Default |
| table | routetable 0-99 | Routing table number | 0 |
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | |
| log | boolean | Log | true |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| port | unsignedShort | Service port | 80 |
| trusted | List of IPNameRange | List of IP ranges from which trusted access is allowed | |

Telnet service settings

Telnet control interface

telnet-service: Attributes
| Attribute | Type | Description | Default |
| table | routetable 0-99 | Routing table number | 0 |
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | |
| log | boolean | Log | true |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| port | unsignedShort | Service port | 23 |

NTP service settings

The NTP settings define how the system clock is set, from what servers, and controls for daylight saving (summer time). The defaults are those that apply to the EU.

ntp-service: Attributes
| Attribute | Type | Description | Default |
| table | routetable 0-99 | Routing table number | 0 |
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | |
| log | boolean | Log | true |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| timeserver | List of IPNameAddr | List of time servers (IP or hostname) from which time may be set by ntp | |
| tz1-name | string | Timezone 1 name | GMT |
| tz1-offset | duration | Timezone 1 offset from UTC | 00:00:00 |
| tz12-month | month | Timezone 1 to 2 month | Mar |
| tz12-date | datenum 1-31 | Timezone 1 to 2 earliest date in month | 25 |
| tz12-day | day | Timezone 1 to 2 day of week of change | Sun |
| tz12-time | duration | Timezone 1 to 2 local time of change | 01:00:00 |
| tz2-name | string | Timezone 2 name | BST |
| tz2-offset | duration | Timezone 2 offset from UTC | 01:00:00 |
| tz21-month | month | Timezone 2 to 1 month | Oct |
| tz21-date | datenum 1-31 | Timezone 2 to 1 earliest date in month | 25 |
| tz21-day | day | Timezone 2 to 1 day of week of change | Sun |
| tz21-time | duration | Timezone 2 to 1 local time of change | 02:00:00 |

SNMP service settings

The SNMP service has general service settings and also specific attributes for SNMP, such as community.

snmp-service: Attributes
| Attribute | Type | Description | Default |
| table | routetable 0-99 | Routing table number | 0 |
| allow | List of IPNameRange | List of IP ranges from which service can be accessed | |
| log | boolean | Log | true |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |
| port | unsignedShort | Service port | 161 |
| community | string | Community string | public |

System services

System services are various generic services that the system provides; this element allows access controls and settings for them to be specified. A service is only active if the corresponding element is included in services, otherwise it is disabled.

services: Elements
| Element | Type | Instances | Description |
| snmp | snmp-service (service) | Optional | SNMP server settings |
| ntp | ntp-service (service) | Optional | NTP client settings (server not implemented yet) |
| telnet | telnet-service (service) | Optional | Telnet server settings |
| http | http-service (service) | Optional | HTTP server settings |
| dns | dns-service (service) | Optional | DNS service settings |
| platform-radius | platform-radius (platform-radius-target) | Optional | Platform RADIUS server/proxy settings |
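
Because a service is active whenever its element is present, and the tables above give defaults such as community public and log true, a stored config can be audited mechanically. The following Python sketch is an added example, not part of the FireBrick documentation: it runs over a constructed config, and its function names, finding texts and its reading of an absent allow list as unrestricted are assumptions.

```python
import xml.etree.ElementTree as ET

# Defaults copied from the attribute tables on this page.
DEFAULTS = {
    "snmp": {"port": "161", "community": "public", "log": "true"},
    "telnet": {"port": "23", "log": "true"},
    "http": {"port": "80", "log": "true"},
    "dns": {"log": "true"},
}

# Constructed sample config, not taken from a real device. Element and
# attribute names follow the tables above; all values are made up.
SAMPLE = """<config>
  <services>
    <snmp/>
    <telnet allow="192.0.2.0/24" log="false"/>
    <http port="8080" allow="192.0.2.0/24 198.51.100.7"/>
    <ntp timeserver="ntp.example.net"/>
  </services>
</config>"""


def local(tag):
    """Return a tag name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def audit_services(xml_text):
    """Return (service, finding) tuples for every active listening service."""
    root = ET.fromstring(xml_text)
    services = next((e for e in root if local(e.tag) == "services"), None)
    if services is None:
        return []  # no services element, so no service is active
    findings = []
    for svc in services:
        name = local(svc.tag)
        if name not in DEFAULTS:
            continue  # ntp is client only; platform-radius lists no allow attribute
        eff = {**DEFAULTS[name], **svc.attrib}  # explicit attributes override defaults
        # Assumption: an absent or empty allow list leaves the service
        # reachable from any source; the page states no default for it.
        if not eff.get("allow", "").strip():
            findings.append((name, "no allow list"))
        if eff["log"] == "false":
            findings.append((name, "logging disabled"))
        if name == "snmp" and eff["community"] == "public":
            findings.append((name, "default community string"))
        if name == "telnet":
            findings.append((name, "cleartext management protocol enabled"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_services(SAMPLE):
        print(f"{service}: {finding}")
```
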

Log target controls

Defines a named logging target

log: Attributes
| Attribute | Type | Description | Default |
| name | string | Log target name | Not optional |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

Syslog settings

Syslog settings specify where logging is to be sent using syslog.

syslog: Attributes
| Attribute | Type | Description | Default |
| server | IPAddr | Server IP address | Not optional |
| port | unsignedShort | Server port | 514 |
| severity | syslog-severity | Log events that are this severe or more | NOTICE |
| facility | syslog-facility | Facility for log | LOCAL0 |
| table | routetable 0-99 | Routing table number for sending syslogs | 0 |
| log | boolean | Log one second debug stats | true |

Admin users

User names, passwords and abilities for admin users

user: Attributes
| Attribute | Type | Description | Default |
| name | username (string) | User name | Not optional |
| full-name | string | Full name | |
| password | Password | User password | |
| timeout | duration | Login idle timeout | PT5M |
| config | config-access | Config access level | full |
| level | user-level | Login level | ADMIN |
| otp | string | OTP serial number | |
| allow | List of IPNameRange | Restrict logins to be from specific IP addresses | |
| profile | string | Profile name | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

System settings

The system settings are the top level attributes of the system which apply globally.

system: Attributes
| Attribute | Type | Description | Default |
| name | string | System hostname | |
| sw-update-profile | string | Profile name for when to load new s/w | |
| contact | string | Contact name | |
| location | string | Location description | |
| intro | string | Home page text | |
| fast-reboot | boolean | Debug - causes fast reboot on new code load | |
| dos-limit | unsignedInt | Interrupt DoS packet limit, leave at default | 1000 |
| dos-delay | unsignedInt | Interrupt DoS restoration counter, leave at default | 2 |
| sw-update | autoloadtype | Load new software automatically | factory |
| nat64 | IP6Prefix | IPv6 NAT6/4 mapping prefix | |
| nat64-source | IP4Addr | IPv6 NAT6/4 return IPv4 | |
| source | string | Source of data, used in automated config management | |
| comment | string | Comment | |

Firewall action

| Tag | Description |
| continue | Continue rule-set checking |
| accept | Allow but no more rule-set checking |
| reject | End all rule checking now and set to send ICMP reject |
| drop | End all rule checking now and set to drop |
| true | Same as drop (deprecated) |

BGP peer type

Peer type controls many of the defaults for a peer setting. It allows typical settings to be defined with one attribute that reflects the type of peer.

| Tag | Description |
| normal | Normal BGP operation |
| transit | EBGP Mark received as no-export |
| peer | EBGP Mark received as no-export, only accept peer AS |
| customer | EBGP Allow export as if confederate, only accept peer AS |
| internal | IBGP allowing own AS |
| reflector | IBGP allowing own AS and working in route reflector mode |
| confederate | EBGP confederate |
| ixp | Internet exchange point peer on route server |

Type of PPPoE connection

| Tag | Description |
| client | Normal PPPoE client connects to access controller |
| bras-l2tp | PPPoE server mode linked to L2TP operation |

BGP announcement mode

BGP mode defines the default advertisement mode for prefixes, based on well-known community tags

| Tag | Description |
| false | Not included in BGP at all |
| no-advertise | Not included in BGP, not advertised at all |
| no-export | Not normally exported from local AS/confederation |
| local-as | Not exported from local AS |
| no-peer | Exported with no-peer community tag |
| true | Exported as normal with no special tags added |

Control for RA and DHCPv6 bits

| Tag | Description |
| false | Don't set bit or answer on DHCPv6 |
| true | Set bit but do not answer on DHCPv6 |
| dhcpv6 | Set bit and do answer on DHCPv6 |

IPv6 route announce level

IPv6 route announcement mode and level

| Tag | Description |
| false | Do not announce |
| low | Announce as low priority |
| medium | Announce as medium priority |
| high | Announce as high priority |
| true | Announce as default (medium) priority |

LED settings

| Tag | Description |
| Link/Activity | On when link up; blink when Tx or Rx activity |
| Link1000/Activity | On when link up at 1G; blink when Tx or Rx activity |
| Link100/Activity | On when link up at 100M; blink when Tx or Rx activity |
| Link10/Activity | On when link up at 10M; blink when Tx or Rx activity |
| Link100-1000/Activity | On when link up at 100M or 1G; blink when Tx or Rx activity |
| Link10-1000/Activity | On when link up at 10M or 1G; blink when Tx or Rx activity |
| Link10-100/Activity | On when link up at 10M or 100M; blink when Tx or Rx activity |
| Duplex/Collision | On when full-duplex; blink when half-duplex and collisions detected |
| Collision | Blink when collisions detected |
| Tx | Blink when Tx activity |
| Rx | Blink when Rx activity |
| Off | Permanently off |
| On | Permanently on |
| Link | On when link up |
| Link1000 | On when link up at 1G |
| Link100 | On when link up at 100M |
| Link10 | On when link up at 10M |
| Link100-1000 | On when link up at 100M or 1G |
| Link10-1000 | On when link up at 10M or 1G |
| Link10-100 | On when link up at 10M or 100M |
| Duplex | On when full-duplex |

Physical port Gigabit clock master/slave setting

| Tag | Description |
| prefer-master | Master status negotiated; preference for master |
| prefer-slave | Master status negotiated; preference for slave |
| force-master | Master status forced |
| force-slave | Slave status forced |

Physical port flow control setting

| Tag | Description |
| none | No flow control |
| symmetric | Can support two-way flow control |
| send-pauses | Can send pauses but does not support pause reception |
| any | Can receive pauses and may send pauses if required |

Physical port duplex setting

| Tag | Description |
| half | Half-duplex |
| full | Full-duplex |
| auto | Duplex determined by autonegotiation |

Physical port speed

| Tag | Description |
| 10M | 10Mbit/sec |
| 100M | 100Mbit/sec |
| 1G | 1Gbit/sec |
| auto | Speed determined by autonegotiation |

Crossover configuration

Physical port crossover configuration.

| Tag | Description |
| auto | Crossover is determined automatically |
| MDI | Force no crossover |

Physical port

| Tag | Description |
| 1 | Port 1 |
| 2 | Port 2 |
| 3 | Port 3 |
| 4 | Port 4 |

Day name (3 letter)

| Tag | Description |
| Sun | Sunday |
| Mon | Monday |
| Tue | Tuesday |
| Wed | Wednesday |
| Thu | Thursday |
| Fri | Friday |
| Sat | Saturday |

Month name (3 letter)

| Tag | Description |
| Jan | January |
| Feb | February |
| Mar | March |
| Apr | April |
| May | May |
| Jun | June |
| Jul | July |
| Aug | August |
| Sep | September |
| Oct | October |
| Nov | November |
| Dec | December |

Syslog facility

Syslog facility, usually used to control which log file the syslog is written to.

| Tag | Description |
| KERN | Kernel messages |
| USER | User level messages |
| MAIL | Mail system |
| DAEMON | System Daemons |
| AUTH | Security/auth |
| SYSLOG | Internal to syslogd |
| LPR | Printer |
| NEWS | News |
| UUCP | UUCP |
| CRON | Cron daemon |
| AUTHPRIV | private security/auth |
| FTP | File transfer |
| 12 | Unused |
| 13 | Unused |
| 14 | Unused |
| 15 | Unused |
| LOCAL0 | Local 0 |
| LOCAL1 | Local 1 |
| LOCAL2 | Local 2 |
| LOCAL3 | Local 3 |
| LOCAL4 | Local 4 |
| LOCAL5 | Local 5 |
| LOCAL6 | Local 6 |
| LOCAL7 | Local 7 |

Syslog severity

Log severity - different loggable events log at different levels.

| Tag | Description |
| EMERG | System is unstable |
| ALERT | Action must be taken immediately |
| CRIT | Critical conditions |
| ERR | Error conditions |
| WARNING | Warning conditions |
| NOTICE | Normal but significant events |
| INFO | Informational |
| DEBUG | Debug level messages |
| NO-LOGGING | No logging |

User login level

User login level - commands available are restricted according to assigned level.

| Tag | Description |
| NOBODY | Unknown or not logged in user |
| GUEST | Guest user |
| USER | Normal unprivileged user |
| ADMIN | System administrator |
| DEBUG | System debugger |

Type of access user has to config

| Tag | Description |
| none | No access unless explicitly listed |
| view | View only access (no passwords) |
| read | Read only access (with passwords) |
| full | Full view and edit access |

Type of s/w auto load

| Tag | Description |
| false | Do not auto load |
| factory | Load factory releases |
| beta | Load beta test releases |
| alpha | Load test releases |

Basic types

| Type | Description |
| ses-id | [unsignedShort] Local session ID (1-100) |
| tun-id | [unsignedShort] Local tunnel ID (1-10) |
| cug | [unsignedShort] CUG ID (1-32767) |
| dates | [datenum] Set of dates |
| routetableset | [routetable] Set of routetables |
| prefix4list | [IP4Prefix] List of IPv4 Prefixes |
| userlist | [username] List of user names |
| protolist | [unsignedByte] List of IP protocols |
| portlist | [PortRange] List of protocol port ranges |
| iprangelist | [IPRange] List of IPranges |
| bgp-prefix-limit | [unsignedInt] Maximum prefixes accepted on BGP session (1-1000) |
| filterlist | [IPFilter] List of IP Prefix filters |
| communitylist | [Community] List of BGP communities |
| prefixlist | [IPPrefix] List of IP Prefixes |
| unsignedIntList | [unsignedInt] List of integers |
| aslist | [unsignedIntList] List of AS numbers |
| vlan | [unsignedShort] VLAN ID (0=untagged) (0-4095) |
| macprefix | [hexBinary] MAC prefix |
| macprefixlist | [macprefix] List of strings |
| ip4rangelist | [IP4Range] List of IP4ranges |
| ip4list | [IP4Addr] List of IPv4 addresses |
| ip6list | [IP6Addr] List of IPv6 addresses |
| ra-min | [unsignedShort] Route announcement min interval (seconds) (3-1350) |
| ra-max | [unsignedShort] Route announcement max interval (seconds) (4-1800) |
| subnetlist | [IPSubnet] List of subnets |
| stringlist | [string] List of strings |
| iplist | [IPAddr] List of IP addresses |
| datenum | [unsignedByte] Day number in month (1-31) |
| ipnamelist | [IPNameAddr] List of IP addresses or domain names |
| routetable | [unsignedByte] Route table number (0-99) |
| ipnamerangelist | [IPNameRange] List of IPranges or ip groups |
| username | [string] Login name |
| Secret | Secret/passphrase |
| Colour | #rgb #rrggbb #rgba #rrggbbaa colour |
| PortRange | xxx-xxx port range |
| Community | xxx:xxx community |
| Password | Password |
| IPFilter | Route filter |
| IPSubnet | IP address / bitlen |
| IP6Prefix | IPv6 address / bitlen |
| IP4Prefix | IPv4 address / bitlen |
| IP4Range | IPv4 address / bitlen or range |
| IPNameRange | IP address / bitlen or range or name |
| IPRange | IP address / bitlen or range |
| IPPrefix | IP address / bitlen |
| IP6Addr | IPv6 address |
| IP4Addr | IPv4 address |
| IPNameAddr | IP address or name |
| IPAddr | IP address |
| time | HH:MM:SS time |
| dateTime | YYYY-MM-DDTHH:MM:SS date/time |
| duration | Period |
| boolean | Boolean |
| unsignedByte | unsigned byte integer (0-255) |
| unsignedShort | unsigned short integer (0-65535) |
| unsignedInt | unsigned integer (0-4294967295) |
| positiveInteger | positive integer (1-4294967295) |
| integer | integer (-2147483648-2147483647) |
| hexBinary | hex coded binary data |
| string | text string |