The Nokia 7750 SR runs TiMOS-B (MD-CLI). It differs from the classic CLI:
[/path]\nA:user@hostname#
environment no more (classic). Use environment console paging false
edit-config exclusive → commands → commit → quit-config
/opt/homebrew/bin/python3.13 op.py --device NOKIA-SP4-001 run "show version"
/opt/homebrew/bin/python3.13 op.py --device NOKIA-SP4-001 run "show router bgp summary"
/opt/homebrew/bin/python3.13 op.py --device NOKIA-SP4-001 run "show router interface"
Type in devices.yaml: nokia-sros
show version
show chassis
show router bgp summary
show router bgp neighbor <IP>
show router bgp neighbor <IP> detail # Import/Export policy, counters, capabilities
show router bgp routes ipv4
show router bgp routes flowspec-ipv4 # FlowSpec: test the syntax
show router bgp routes 10.0.0.0/24 detail
WARNING: returns all paths (from all peers). To identify which peer each path came from, check the From and Interface Name fields in the output.
Per-peer filters do NOT work in MD-CLI:
show router bgp routes 10.0.0.0/24 peer X.X.X.X detail ← ERROR: "Unknown element - 'peer'"
show router bgp neighbor X.X.X.X received-routes 10.0.0.0/24 ← ERROR: "Unknown element - '10.0.0.0/24'"
Workaround: use show router bgp routes <prefix/len> detail and filter on the From field in the output.
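The workaround above as an added example (not part of the original notes): split the detail output into per-path blocks and keep the ones whose From field matches a peer. The "label : value" layout with each path starting at a Network line is an assumption, the sample output is constructed, and the function names are hypothetical.

```python
# Constructed sample, not captured from the router. Peer addresses and
# interface names are taken from the tables on this page.
SAMPLE = """\
Network        : 10.0.0.0/24
Nexthop        : 198.18.201.13
From           : 198.18.201.13
Interface Name : ORC001
Local Pref.    : 100
Network        : 10.0.0.0/24
Nexthop        : 198.18.202.13
From           : 198.18.202.13
Interface Name : ORC002
Local Pref.    : 100
"""

def split_paths(output):
    """Return one dict per path; a 'Network' line opens a new path (assumed layout)."""
    paths, current = [], None
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue  # banners, separators, blank lines
        label, value = label.strip(), value.strip()
        if label == "Network":
            current = {}
            paths.append(current)
        if current is not None:
            # Keep the first occurrence of a label inside a path block.
            current.setdefault(label, value)
    return paths

def paths_from(output, peer):
    """Paths whose From field equals the given peer address."""
    return [p for p in split_paths(output) if p.get("From") == peer]

def peers_seen(output):
    """Map each From peer to the Interface Name its path arrived on."""
    return {p.get("From"): p.get("Interface Name") for p in split_paths(output)}

if __name__ == "__main__":
    for path in paths_from(SAMPLE, "198.18.202.13"):
        print(path["Network"], "via", path["Interface Name"])
```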
show router bgp neighbor <IP> detail # shows "Import Policy" and "Export Policy"
admin show configuration | match <string> post-lines 20
Returns output starting at the line that contains <string>, plus the N lines below it. Use it to find policy-statements, groups, etc.
display current-configuration interface)
admin show configuration | match "NOME-INTERFACE" post-lines 15
There is no admin show configuration router "Base" interface "X"; it returns an error. Use match with the interface name.
show router interface
show port
show lag
show router route-table
show router route-table protocol bgp
show router route-table <prefix/len>
show router bgp routes flow-ipv4 # received FlowSpec routes (correct syntax)
show router bgp routes flow-ipv4 hunt # full detail of each route (peer, community, flags)
show filter ip fSpec-0 # FlowSpec entries translated into a hardware filter
show filter ip fSpec-0 entry <N> # a specific entry (see Ing. Matches for the hit counter)
show filter ip 10 # parent filter (Deepfield): see association and structure
show filter ip 10 association # which interfaces have the filter applied
show filter ip 10 detail # all entries of the filter (includes embedded)
FlowSpec peer DEADPOOL: 172.16.255.242 (Wanguard, AS53013)
flow-ipv4 true configured in group DEADPOOL
u*>i (used/valid/best)
Problem: FlowSpec is installed in BGP but the rules are NOT applied to traffic.
Filter architecture on the Nokia:
Filter 10 (deepfield-parent-v4) ← applied on INGRESS of all interfaces
└─ Filter 1000 (deepfield-mitigation-v4) offset=10 → entries 11, 12, 13... [NETCONF/Deepfield]
└─ fSpec-0 (BGP FlowSpec/Wanguard) entries 26, 53, 80... 471 [does NOT appear in filter 10]
Root cause: fSpec-0 entries are not injected into filter 10's evaluation chain.
Filter 10 evaluates Deepfield entries 11-209 → Def. Action: Forward → fSpec-0 is never evaluated.
Evidence:
show filter ip fSpec-0 entry 471: entry exists, Primary Action: Drop, Ing. Matches: 0
show filter ip 10 detail: shows only entries from filter 1000 (Deepfield), none from fSpec-0
Root cause confirmed (2026-03-26):
The embed configuration in filter 10 contains ONLY Deepfield:
embed {
filter "deepfield-mitigation-v4" offset 10
filter "deepfield-mitigation-v6" offset 10
}
fSpec-0 is not in the embed → it is never evaluated → FlowSpec has no effect on traffic.
How embedding works:
offset 10 → Deepfield entries at positions 11, 12, 13... (filter 1000 entry N = position 10+N)
Def. Action: Forward of filter 10
Required fix:
Add fSpec-0 to filter 10's embed with offset < 10:
edit-config exclusive
/configure filter ip-filter "deepfield-parent-v4"
embed filter "fSpec-0" offset 1
commit
quit-config
WARNING: Verify whether Nokia TiMOS-B-25.3.R1 allows manually embedding fSpec-0 (a filter generated automatically by BGP). Alternative: flowspec-policy in router Base. Consult the Nokia docs before applying.
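A pre-change check for the embed analysis above, as an added example (not part of the original notes): it parses the embed stanza quoted on this page, confirms whether fSpec-0 is embedded, and applies the page's "position = offset + N" rule to see where the listed fSpec-0 entries would land relative to Deepfield positions 11-209. Function names are hypothetical, and only the fSpec-0 entry numbers written out on the page are used.

```python
import re

# Embed stanza as quoted on this page (current state of filter 10).
CURRENT_EMBED = """embed {
filter "deepfield-mitigation-v4" offset 10
filter "deepfield-mitigation-v6" offset 10
}"""

# Values from the page; the elided fSpec-0 entries ("...") are not guessed.
FSPEC_ENTRIES = [26, 53, 80, 471]
DEEPFIELD_POSITIONS = range(11, 210)  # positions 11-209 in filter 10

EMBED_RE = re.compile(r'filter\s+"([^"]+)"\s+offset\s+(\d+)')

def parse_embeds(stanza):
    """Map each embedded filter name to its offset."""
    return {name: int(offset) for name, offset in EMBED_RE.findall(stanza)}

def is_embedded(stanza, name="fSpec-0"):
    """True when the named filter appears in the embed stanza."""
    return name in parse_embeds(stanza)

def parent_positions(entries, offset):
    """Page rule: embedded entry N lands at position offset + N in the parent."""
    return [offset + n for n in entries]

def placement_report(entries, offset, other=DEEPFIELD_POSITIONS):
    """Sort embedded positions into before / inside / after the position
    range already occupied by another embedded filter."""
    report = {"before": [], "inside": [], "after": []}
    for pos in parent_positions(entries, offset):
        if pos < other.start:
            report["before"].append(pos)
        elif pos in other:
            report["inside"].append(pos)
        else:
            report["after"].append(pos)
    return report

if __name__ == "__main__":
    print("fSpec-0 embedded:", is_embedded(CURRENT_EMBED))
    print("offset 1 placement:", placement_report(FSPEC_ENTRIES, 1))
```

With offset 1, the listed fSpec-0 entries land at 27, 54, 81 and 472, so three of them fall inside the Deepfield position range rather than ahead of it; how SR OS orders or resolves those positions is one more item to confirm in the Nokia docs.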
edit-config exclusive
# commands here
commit
quit-config

| Field | Value |
|---|---|
| Hostname | BRSPBREES4RTAUFN13 |
| IP | 10.230.16.77 |
| User | dafranco |
| Password | pkq@HKN8abd-zat4fzq |
| Platform | Nokia 7750 SR-1 |
| Software | TiMOS-B-25.3.R1 |
| AS | 52468 (Ufinet) |
| Router-ID | 172.17.39.100 |
| Loopback | 10.230.1.102/32 |
| Location | Equinix SP4, São Paulo |
| Uptime | ~111 days (verified 2026-03-24) |
| Physical uplink | LAG (lag-10) with per-VLAN sub-interfaces |

| Peer | Description | AS | State |
|---|---|---|---|
| 198.18.201.13 | Upstream-ORC001 (scrubber) | 52468 | Established 106d |
| 198.18.202.13 | Upstream-ORC002 (scrubber) | 52468 | Established 106d |
| 198.18.203.29 | Upstream-ORC003 (scrubber) | 52468 | Established 106d |
| 198.51.100.130 | Downstream-BRE008 | 52468 | Established 104d |
| 198.51.100.134 | Downstream-BRE011 | 52468 | Established 105d |
| 172.16.255.242 | AS53013 (BLACKHEART/Wixnet) | 53013 | Established 5d — 6 FlowIPv4 |
| 172.22.0.10 | Deepfield (telemetry) | 52468 | Established 5d |
| 8.243.155.225 | Upstream-CIRION | 3356 | Active (BGP down, by design) |
| 100.110.115.78 | Upstream-ALGAR | 16735 | Active (BGP down, by design) |
| 185.100.112.50 | Upstream-SPARKLE | 6762 | Active (BGP down, by design) |
| 187.16.216.253 | Upstream-IX.SP | 26162 | Active (BGP down) |
| 187.16.216.254 | Upstream-IX.SP | 26162 | Connect |
| 199.100.13.161 | Upstream-COGENT | 174 | Connect (BGP down, by design) |
| 216.6.93.77 | Upstream-TATA | 6453 | Connect 35d |
| 34.39.203.16 | Deepfield (telemetry) | 52468 | Active |

Internet → Physical upstreams → ORC Scrubbers → Nokia SR (iBGP AS52468)
                                (198.18.201-203.x)      ↓
                                              Downstream BRE008/BRE011

| Interface | IP | Description | State |
|---|---|---|---|
| system | 172.17.39.100/32 | Router-ID | Up/Down |
| LoopBack555 | 10.230.1.102/32 | Loopback | Up/Down |
| ALGAR | 100.110.115.77/29 | Transit ALGAR (lag-10:2590) | Up/Up |
| CIRION | 8.243.155.226/30 | Transit CIRION (lag-10:3549) | Up/Up |
| COGENT | 199.100.13.163/29 | Transit COGENT (lag-10:209) | Up/Up |
| SPARKLE | 185.100.112.51/31 | Transit SPARKLE (lag-10:1013) | Up/Up |
| TATA | 216.6.93.78/30 | Transit TATA (lag-10:2967) | Up/Up |
| ORC001 | 198.18.201.14/30 | Scrubber ORC001 (lag-10:1087) | Up/Down |
| ORC002 | 198.18.202.14/30 | Scrubber ORC002 (lag-10:1088) | Up/Down |
| ORC003 | 198.18.203.30/30 | Scrubber ORC003 (lag-10:1089) | Up/Down |
| BRE008 | 198.51.100.129/30 | Downstream BRE008 (lag-10:1085) | Up/Down |
| BRE011 | 198.51.100.133/30 | Downstream BRE011 (lag-10:1086) | Up/Down |
| DEADPOOL | 172.16.255.245/28 | Link Wanguard/BLACKHEART | Up/Down |
| IX.SP.IPV4 | 187.16.221.95/20 | IX.SP IPv4 (lag-10:2244) | Up/Down |
| ORC001-RETORNO | 198.51.100.6/30 | Clean traffic return ORC001 | Up/Down |

Note:
Up/Down = IPv4 up, IPv6 down (Opr v4/v6 column). Physical interfaces OK.
IX.SP.IPV4 (187.16.221.95/20): interface Up/Down, BGP Active for 109d → IX.SP session not established
TATA (6453): Connect for 35d → session recently reset/reconfigured
flowspec-entry
Last updated: 2026-03-24