Auto-Generated Configuration
During every commit, the SSR platform automatically generates certain configuration elements based on the current topology and feature configuration. Manual edits to auto-generated elements are lost on the next commit unless you take explicit ownership first.
This document covers what gets generated, what triggers it, and how to prevent or customize it.
The PCLI automatically presents the correct override command for each element. Use override-generated when it appears, or generated false when it does not.
How To Identify Auto-Generated Elements
Any element that the system auto-generates carries generated true in the configuration. You can inspect this field in the PCLI to determine whether an element is system-managed or user-provisioned. For a complete list of all auto-generated element types and their override methods, see the Quick Reference at the end of this page.
Taking Ownership of Auto-Generated Elements
Recommended: The create config autogenerated Single-Commit Workflow
The most practical approach uses the create config autogenerated command to avoid a two-commit cycle:
admin@conductor> create config autogenerated
This runs the same generation logic as commit but stages the results into the candidate configuration without committing. You can then review, override, and customize elements before committing once.
Workflow:
- Configure your triggers (neighborhoods, conductor-address, BGP neighbors, etc.).
- Run
create config autogenerated— auto-generated elements appear in the candidate. - Enter config editing mode and navigate to elements you want to customize.
- Override those elements (see below).
- Make your modifications.
- Commit once — overridden elements are preserved and the system skips regenerating them.
If the underlying changes (e.g., new neighborhoods, new conductor addresses) trigger configuration updates, re-run create config autogenerated to preview newly generated elements before committing.
Overriding Most Auto-Generated Elements
For elements generated by the Peer Topology builder, conductor services, BGP, DHCP relay, PIM, or MSDP, set generated to false in the PCLI:
config
authority
router <router>
service-route <auto-generated-route>
generated false
exit
exit
exit
exit
Overriding Plugin and DHCP Server Elements
For elements generated by plugins, DHCP server (KNI), port-forwarding, or software-update, use the override-generated command:
*admin@conductor# config
*admin@conductor (config)# authority
*admin@conductor (authority)# router <router>
*admin@conductor (router)# node <node>
*admin@conductor (node)# device-interface <kni-interface>
*admin@conductor (device-interface)# override-generated true
Are you sure you want to make '<kni-interface>' persistent?
It will no longer be auto-generated. [y/N]:
To revert any override and re-enable auto-generation, run override-generated false (or set generated to true for other elements). On the next commit the element will be regenerated.
Pre-Provisioning Elements
If you create an element with the same name that auto-generation would use before generation runs, the system detects it and skips generation. The manually created element has generated set to false by default, so it is treated as user-provisioned.
This works for adjacencies, service-routes, and services.
Auto-Generated Configuration Reference
User-Facing Configuration
This section covers auto-generated configuration that you typically interact with and may need to customize or override.
Peer Topology Builder
The Peer Topology builder automatically establishes the inter-router topology and distributes service reachability information across peer routers, enabling dynamic topology discovery and service mesh capabilities without manual configuration. It generates two related sets of elements: The peer and adjacency objects that form the inter-router topology, and the peer-type service-route objects that distribute service reachability across that topology.
Peers and Adjacencies
| Field | Description |
|---|---|
| Trigger | neighborhood configured on a forwarding network-interface. |
| What is generated | peer objects between routers sharing the same neighborhood; adjacency objects on both sides. |
Conditions for generation:
- The network-interface must have
forwardingset totrue(default) and at least one neighborhood entry. - Topology matching:
mesh↔mesh/hub/spoke;hub↔spoke/mesh;spoke↔hub/mesh. peer-connectivitymust not beoutbound-onlyon both sides.inter-router-securitymust be set on any interface with a neighborhood.
| Method | Scope | Effect |
|---|---|---|
| Remove neighborhood from the interface | Per-interface | No adjacencies generated for that interface |
Set peer-connectivity to outbound-only on both sides | Per-adjacency pair | Prevents that specific adjacency |
Set generated to false on an adjacency or peer | Per-element | Takes ownership of that element |
| Pre-provision the adjacency before commit | Per-element | System detects it and skips generation |
There is no global toggle. If neighborhoods are configured, peers and adjacencies will be generated unless overridden per-element.
Service-routes
| Field | Description |
|---|---|
| Trigger | A router has a non-peer service-route for a shared service, and peer routers exist. |
| What is generated | Peer-type service-route objects on remote routers pointing back to the source. |
Conditions for generation:
- Service has
share-service-routesset totrue(default). - Source router has at least one non-peer service-route (e.g., next-hop) for the service.
- Service
application-typeisgeneric. - Service
applies-toallows the peer router. - Authority is not using a Peer Topology repository.
| Method | Scope | Effect |
|---|---|---|
Set share-service-routes to false | Per-service | Prevents Peer Topology builder route generation for that service |
Configure applies-to restrictions | Per-service | Limits which routers receive generated routes |
Set generated to false on a service-route | Per-element | Takes ownership of that route |
| Pre-provision a service-route with the same name | Per-element | System skips generation for that route |
Conductor Services
The Conductor Services subsystem provides automatic connectivity from managed routers back to the conductor system, enabling centralized configuration, monitoring, and software updates. Generation is unconditional when any conductor-address is configured. There is no way to fully disable this category, but there are customization options and per-element overrides:
| Field | Description |
|---|---|
| Trigger | conductor-address is configured on the authority. |
| What is generated | Conductor reachability service, service-policy, service-route, and related tenant objects. |
| Method | Level | Effect |
|---|---|---|
management-service-generation > service-route-type | Authority or Router | Choose paths-as-next-hop (default) or paths-as-service-route |
management-service-generation > service-policy | Authority or Router | Use a custom service-policy instead of the auto-generated one |
management-service-generation > proxy | Router only | Enable/disable proxy of public-to-private conductor addresses |
Set generated to false on a conductor service or route | Per-element | Takes ownership of that element |
Management Over Forwarding Interface (MOFI) Services
The MOFI builder automatically provisions management services for various network management and operational functions, enabling these services to be delivered over forwarding interfaces (data plane) when management interfaces are not available. This provides management connectivity through active data paths.
| Field | Description |
|---|---|
| Trigger | A network-interface configured with management: true on a forwarding interface. |
| What is generated | Services and service-routes for NTP, DNS, SNMP, Syslog, IPFIX, HTTP-HTTPS (package updates), and Audit functions. |
The builder generates services for the following management traffic types:
| Service Type | Purpose |
|---|---|
| NTP | Network Time Protocol for clock synchronization |
| DNS | Domain Name System for name resolution |
| SNMP | Simple Network Management Protocol for device management |
| Syslog | System logging for centralized log collection |
| IPFIX | IP Flow Information Export for flow telemetry |
| HTTP-HTTPS | Software package downloads for system updates |
| Audit | Audit event forwarding for compliance logging |
| Method | Scope | Effect |
|---|---|---|
Remove management: true from the interface | Per-interface | Prevents MOFI service generation for that interface |
| Disable management services in authority config | Authority | Prevents generation globally (if supported) |
Set generated to false on a MOFI service or route | Per-element | Takes ownership of that element |
MOFI services are generated with the lowest priority to ensure they don't override user-configured services with the same names. Pre-provisioning a service with the same name before generation will prevent the auto-generated version from being created.
BGP Services and Service-Routes
The BGP subsystem automatically establishes reachability to BGP peers, enabling dynamic routing protocol operation and network convergence without manual service definition.
| Field | Description |
|---|---|
| Trigger | BGP neighbor transport configuration |
| What is generated | BGP peering service and service-route objects for BGP neighbor reachability |
| Method | Scope | Effect |
|---|---|---|
Set bgp-service-generation > disabled | Per-BGP-neighbor | Fully prevents generation for that neighbor |
Set bgp-service-generation > service-policy | Per-BGP-neighbor | Override the generated service-policy |
Set bgp-service-generation > security-policy | Per-BGP-neighbor | Override the generated security policy |
Set bgp-service-generation > route-reflector-client-mesh | Authority | Generate service-route mesh for route reflector clients |
Set generated to false on a BGP service | Per-element | Takes ownership of that service |
You can fully disable BGP service generation on a per-neighbor basis using the disabled option.
DHCP Server KNI Device-Interfaces
The DHCP server subsystem automatically provisions kernel network interfaces required for DHCP server operation, handling the internal networking plumbing transparently.
| Field | Description |
|---|---|
| Trigger | host-service of type dhcp-server configured on a network-interface |
| What is generated | KNI device-interface objects for DHCP server operation |
| Setting | Level | Effect |
|---|---|---|
dhcp-server-generated-address-pool | Authority (application-identification) | Changes the address pool for generated KNI interfaces (default: 169.254.130.0/24). |
override-generated true on the KNI interface | Per-element | Takes ownership of that element. |
There is no flag to fully disable DHCP KNI generation. Remove the dhcp-server host-service to prevent generation.
DHCP Relay Services and Routes
The DHCP relay subsystem automatically provisions the DHCP relay service and reachability paths to DHCP servers, enabling DHCP client support on networks without a local DHCP server.
| Field | Description |
|---|---|
| Trigger | DHCP relay agent configured on a network-interface |
| What is generated | DHCP relay service and service-route objects |
| Method | Scope | Effect |
|---|---|---|
| Remove DHCP relay configuration | Per-interface | Prevents generation |
Set generated to false on the service or route | Per-element | Takes ownership of that element |
Application Identification (App-ID) Services
The App-ID subsystem automatically creates granular service categories for application identification, allowing fine-grained traffic classification and policy enforcement without manual service creation.
| Field | Description |
|---|---|
| Trigger | generate-categories set to true on a service |
| What is generated | Category-based child service objects under the parent service |
| Method | Scope | Effect |
|---|---|---|
Set generate-categories to false (default) | Per-service | Prevents category-based child service generation |
Set application-identification to disabled | Per-service | Disables app-id entirely for that service |
The default is false (disabled). Category services are only generated when explicitly opted-in.
PIM Multicast Services and Routes
The PIM subsystem automatically establishes reachability for Protocol Independent Multicast (PIM) control traffic, enabling multicast routing operation across the network.
| Field | Description |
|---|---|
| Trigger | PIM routing configured on a router |
| What is generated | PIM multicast service and service-route objects |
No independent disable flag. Remove the PIM configuration to prevent generation. Set generated to false per-element to take ownership.
MSDP Services and Routes
The MSDP subsystem automatically provisions Multicast Source Discovery Protocol (MSDP) peering connectivity, enabling inter-domain multicast source discovery and reachability.
| Field | Description |
|---|---|
| Trigger | MSDP routing configured |
| What is generated | MSDP peering service and service-route objects |
No independent disable flag. Remove the MSDP configuration to prevent generation. Set generated to false per-element to take ownership.
Plugin-Generated Elements
Plugins extend the platform by automatically generating plugin-specific services, routes, and configuration elements as needed.
| Field | Description |
|---|---|
| Trigger | Varies by plugin. |
| What is generated | Plugin-specific services, routes, and other configuration. |
Use override-generated true on any plugin-generated element to take ownership.
Infrastructure and System Configuration
This section covers auto-generated configuration managed by the platform for internal operations. Most users do not need to interact with or override these settings.
Software Update Proxy
The software update subsystem automatically configures internal proxy settings for software updates on managed routers, ensuring seamless update delivery without manual configuration. This is a hidden, internally managed setting. It is unconditionally set when managed routers exist. There is no opt-out mechanism and no override is available.
Secure Conductor Onboarding (SCO)
The SCO subsystem automatically manages the secure onboarding mode for routers and configures pre-shared keys (PSK) required for secure conductor communication. This enables secure, automated onboarding of managed routers without manual key management.
| Field | Description |
|---|---|
| Trigger | Routers with system/secure-conductor-onboarding/mode configured |
| What is generated | SCO operating mode (EXCLUSIVE or DISABLED) and pre-shared keys for routers |
| Method | Scope | Effect |
|---|---|---|
Set secure-conductor-onboarding > mode to disabled | Per-router | Disables SCO for that router |
Set secure-conductor-onboarding > mode to exclusive | Per-router | Enables SCO and triggers PSK generation |
SCO operates at the system level and is automatically managed based on the configured operating mode. PSKs are only generated when SCO is enabled and are required for the conductor to authenticate the router.
Resource Groups
The Resource Groups subsystem automatically associates configuration resources (routers, services, tenants, security profiles, etc.) with role-based access control (RBAC) resource groups. This enables policy enforcement for resource group-scoped access controls without manual resource enumeration.
| Field | Description |
|---|---|
| Trigger | Configuration resources exist in the authority; roles define resource groups. |
| What is generated | Resource entries in roles linking to configuration objects. |
Supported resource types include:
- Network elements (routers, districts).
- Services and traffic policies (services, service-classes, traffic-profiles).
- Security and access (tenants, security profiles, LDAP servers).
- Operational configuration (alarm shelves, performance profiles, DSCP maps, IPFIX collectors).
- Extensibility (STEP repos, PCLI aliases, session-types).
| Method | Scope | Effect |
|---|---|---|
| Pre-provision resources with specific names | Per-resource | System detects them and skips auto-generation |
Set generated to false on a resource entry | Per-element | Takes ownership of that resource entry |
Resource groups are generated with lowest priority; user-provisioned resources with matching names prevent auto-generation. This enables administrators to define custom resource mappings when needed.
Alarm Shelving
The alarm shelving subsystem automatically manages alarm suppression (shelving) based on internal platform logic, suppressing non-critical alarms during expected operational conditions.
| Field | Description |
|---|---|
| Trigger | Internal alarm shelving logic |
| What is generated | Alarm shelf entries |
Set generated to false per-element to take ownership.
Internal Tenants
The platform automatically provisions internal logical containers (tenants) for services and features that require tenant isolation without burdening users with these internal details.
| Field | Description |
|---|---|
| Trigger | Conductor services, BGP, or other internal features are active. |
| What is generated | Internal tenants such as _internal_, _bgp_speaker_. |
These tenants are required for the platform to function. Setting generated to false is technically possible but not recommended — it may impact platform functionality.
Auto-Generated IDs
The platform automatically assigns unique identifiers to configuration elements when not explicitly provided, ensuring all config elements have required IDs without manual assignment. This is a fundamental platform requirement. It cannot be disabled or overridden.
Protection Mechanisms in Detail
This section provides deeper technical detail on how the two mechanisms interact. Most users can rely on the guidance above — the PCLI shows the correct command automatically.
The generated Leaf
Every auto-generated element has a generated boolean:
generated true— element is collected for removal during commit and regeneratedgenerated false— element is skipped during both removal and regeneration
The Authority Metadata Tracking List
A hidden list at authority > generated tracks elements created by certain subsystems. Each entry has a persistent flag:
persistent false(default) — the element's path is collected for removalpersistent true— the path is retained and NOT collected for removal
Interaction Matrix
| State | Removed? | Regenerated? | Assessment |
|---|---|---|---|
generated true, no metadata. | Yes (leaf) | Yes | Normal leaf-only behavior |
generated false, no metadata. | No | No | Safe — fully protected |
generated true, metadata persistent false. | Yes (both paths) | Yes | Normal metadata-tracked behavior |
generated false, metadata persistent false. | Yes (metadata) | May be | Unsafe — metadata removal still deletes it |
generated false, metadata persistent true. | No | No | Safe — what override-generated true sets |
generated true, metadata persistent true. | Yes (leaf) | Yes | Unsafe — leaf removal still deletes it |
PCLI Visibility
The generated leaf and override-generated command are mutually exclusive in the PCLI:
- If a metadata entry exists →
generatedleaf is hidden;override-generatedis shown. - If no metadata entry exists →
generatedleaf is visible;override-generatedis hidden.
Import/Export Behavior
The export config and import config PCLI commands save and restore the full configuration to/from a GZIP-compressed XML file on disk (stored in /etc/128technology/config-exports/).
Auto-generated state is fully preserved during export and import. This means:
- All auto-generated elements and their override state survive a round-trip export/import.
- The configuration behaves identically after import — the same PCLI commands are available and override protections remain in effect.
- Elements not yet overridden will still be regenerated on the next commit after import.
- Elements previously overridden remain protected.
Quick Reference
User-Facing Configuration
| Element | Dedicated Disable Option | Per-Element Override |
|---|---|---|
| Peer Topology builder service-routes. | share-service-routes false | generated false |
| Peer Topology builder peers/adjacencies. | Remove neighborhood | generated false |
| Conductor services | No (customization knobs only) | generated false |
| MOFI services (NTP, DNS, SNMP, etc.). | Remove management: true from interface | generated false |
| BGP services | bgp-service-generation > disabled | generated false |
| DHCP relay services. | Remove relay config | generated false |
| DHCP server KNI interfaces. | Remove dhcp-server host-service | override-generated true |
| App-ID category services. | generate-categories false (default) | generated false |
| PIM/MSDP services | Remove routing config | generated false |
| Plugin-generated elements | Varies by plugin | override-generated true |
Infrastructure and System Configuration
| Element | Dedicated Disable Option | Per-Element Override |
|---|---|---|
| Secure Conductor Onboarding (SCO) | Set mode to disabled | Not typically overridden |
| Resource Groups | Pre-provision resources | generated false |
| Internal tenants | No | generated false (not recommended) |
| Software-update proxy | No | Not available |
| Auto-generated IDs | No | Not available |